Privacy Policy
1. About this policy
CaSR Patient Support (ABN 11 855 673 895) is committed to protecting the privacy of patients, families, donors, supporters, volunteers, Committee members, MAB members, partners, and all visitors to our website. This policy explains what personal information we collect, how we use and disclose it, how we keep it secure, and how you can access or correct it. The policy operates under the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth).
2. Personal information we collect
The personal information we collect depends on how you interact with us.
| When you… | We typically collect |
|---|---|
| Subscribe to updates | Name, email address, the topics you indicated interest in, and any opt-in marketing consents. |
| Make a donation | Name, email, postal address, phone (optional), donation amount and frequency, payment method (processed by GiveWP and the payment processor; we do not store full card numbers), and tax-receipt details. |
| Apply to volunteer | Name, contact details, skills, availability, references, and any disclosures relevant to your volunteer role (per the Volunteer Application form). |
| Submit a patient story | Only what you provide. Your story remains confidential unless you sign the patient story consent form. |
| Register for the patient registry (from Phase 3) | Identity, contact, demographic, condition, treatment, and clinical-encounter information that you voluntarily provide. Sensitive health information is collected only with your express consent under APP 3.3. |
| Visit casr.org.au | Standard log information (IP address, browser, pages requested, referrer) for security and aggregate analytics. Cookies as listed in the Cookies section below. |
3. Sensitive information
We treat health and genetic information as sensitive information under APP 3.3. We will only collect sensitive information from you with your express consent and where it is reasonably necessary for our charitable functions (for example, to support your participation in the patient registry, or to assist with your enquiry about a clinical trial). You are not required to provide sensitive information to receive general updates from us.
4. How we use personal information
- To deliver the service or response you have requested (e.g., send a tax receipt for a donation, respond to an enquiry).
- To provide patient education, advocacy updates, and event communications you have opted in to.
- To administer the patient registry once consented (from Phase 3) and produce de-identified analyses for research and advocacy.
- To meet legal and regulatory obligations (e.g., ACNC reporting, ATO DGR receipting, charitable fundraising registrations).
- To improve our website, programs, and services through aggregate analytics.
5. How we disclose personal information
We do not sell personal information. We disclose personal information only:
- To service providers who help us operate (e.g., WP Engine for hosting; GiveWP and the payment processor for donations; Microsoft 365 for email; FluentCRM for email automation; future Azure services for the registry). These providers are bound by contract to use the information only for our purposes.
- To research collaborators — only after de-identification, with your consent for any use that would re-identify you, and under a written research collaboration agreement.
- To Australian regulators or law enforcement where required by law (e.g., ACNC, ATO, OAIC, courts).
- With your express consent for any other purpose not listed above.
6. Cross-border disclosure (APP 8)
Some of our service providers store data outside Australia. As at the date of this policy:
- WP Engine — website hosting, Sydney (Australia) region.
- Microsoft 365 / Microsoft Azure — mail, identity, and (from Phase 3) patient registry storage, configured to use Australian regions where available; some metadata may transit other Microsoft regions.
- FluentCRM, GiveWP, Yoast SEO and other WordPress plugins — processed within our hosting environment; some plugin updaters may communicate with vendor regions outside Australia.
- Payment processor — the payment processor’s data residency is set out in their own privacy policy.
Where data is transferred outside Australia, we take reasonable steps to ensure the recipient handles it consistently with the APPs.
7. Patient registry — specific commitments (from Phase 3)
Once the patient registry is operational, we will additionally:
- Conduct a Privacy Impact Assessment, signed off by the Governance Committee, before accepting any patient data.
- Operate a two-person rule for any re-identification of registry data.
- Encrypt registry data at rest using customer-managed keys held in Azure Key Vault.
- Maintain an immutable audit log in Azure Log Analytics covering every read and write of patient-identifying fields.
- Allow registrants to withdraw consent at any time, with full deletion of identifying data within 30 days (subject to legal record-keeping obligations).
8. Security
We take reasonable steps under APP 11 to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. Measures include: HTTPS across all CaSR services; multi-factor authentication on administrative accounts; least-privilege access; managed hosting on WP Engine with daily snapshots; member-portal SSO via Microsoft Entra ID with account-mismatch guardrails; periodic security review.
9. Cookies and analytics
- Essential cookies — required for member portal authentication, donation form session state, and security.
- Analytics — we use Google Analytics 4 via MonsterInsights, configured for IP anonymisation. Aggregate data only is reviewed.
- Third-party content — embedded media (e.g., YouTube videos, Google Fonts) may set their own cookies governed by the third party’s privacy policy.
10. Access, correction, and complaints (APPs 12 and 13)
You may at any time:
- Request access to the personal information we hold about you.
- Ask us to correct any information you believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
- Withdraw any consent you have given (e.g., unsubscribe from updates, leave the patient registry).
- Make a complaint about how we have handled your personal information.
We will respond to your request within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.
11. Notifiable data breaches
If a breach of security results in unauthorised access to or disclosure of personal information that is likely to result in serious harm, we will notify affected individuals and the OAIC as required under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act).
12. Changes to this policy
This policy may be updated by Committee resolution to reflect changes in our activities or in privacy law. Material changes will be communicated through the website and to subscribers; the current version is always available at casr.org.au/privacy.
Nicholas Love CPA, Chairman — CaSR Patient Support
Email: nicholas.love@casr.org.au
Postal: PO Box 3322, Belconnen DC ACT 2617
General enquiries: enquiries@casr.org.au