RCPA Quality Assurance Programs Pty Ltd (RCPAQAP) is a global provider of external quality assurance, training and education programs to pathology laboratories and practitioners.
Your privacy is important to RCPAQAP and this Policy represents our commitment to protect your personal information. It explains how and why we gather, store, share and use your personal data – as well as outlines the controls and choices you have around how and when you choose to share your personal data.
About this Policy
From time to time, we may develop new or offer additional Services. If the introduction of these new or additional Services results in any change to the way we collect or process your personal data we will provide you with more information and additional terms or policies. Unless stated otherwise when we introduce these new or additional Services, they will be subject to this Policy.
The aim of this Policy is to:
Ensure that you understand what personal data we collect about you, the reasons we collect and use it, and with whom we share it;
Explain the way we use the personal data that you share with us in order to give you a great experience when you are using RCPAQAP Services; and
Explain your rights and choices in relation to the personal data we collect and process about you and how we will protect your privacy.
How do we Collect Personal Information?
We collect your data in the following ways:
- Directly when information is provided in person, by telephone, email or in documents such as enrolment or application forms;
- When information is collected about you via questionnaires and surveys;
- When the RCPAQAP website is used for enrolment, result entry, report review and for general information content; and
- From publicly available sources of information.
The RCPAQAP website offers a number of interactive facilities including search engines, enrolment, result entry and report review, as well as online enquiry forms. Other than from enrolment and enquiry forms, RCPAQAP generally does not capture any personal information that you may enter when using these tools. If you complete an online enrolment or enquiry form, we will only collect the information that you enter in the online form.
We use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, and developing new features and functionality within myQAP and other RCPAQAP Services.
What Personal Information do we collect from you?
The types of personal information collected by RCPAQAP will vary depending on an individual’s relationship with RCPAQAP.
For customers and external collaborators, it may include the following:
- Name; position; professional qualifications
- Business address and contact details (including phone, fax, mobile, email)
- Business ABN
- Memberships of professional associations
- Sales history
- Credit references
- Survey/questionnaire results
- Records of complaints and enquiries
- Key performance indicator metrics
For donors of survey material including body tissues and body fluids it may include the following:
- Treating clinician’s name
- Address/phone number
- Hospital accession (UR) number
- Test results
- Limited medical notes
- Donor’s consent form
For employees, board members, contractors, directors, advisory/ technical committee members and providers of quality assurance materials, it may include the following:
- Address / phone number
- Date of birth
- Educational/employment history
- Job performance metrics
- Bank details and rates of pay
- Tax file number
- Next of kin
- Curricula vitae
- Confidentiality agreements
- Work Health and Safety (WHS), workers compensation and vaccination status
- NATA accreditation status
This information is required to assist in the selection process for job suitability, for payment of wages, superannuation and taxes, and for workers compensation claims. Employee data may also be disclosed to third party certification bodies during audits for the purpose of validation of the Quality Management System and Work Health and Safety and Environmental (WHSE) Management Systems.
RCPAQAP complies with the General Data Protection Regulation.
Additional information about our Data Protection Officer, information we collect, the purpose of collection and your rights are provided in detail within this Policy.
Personal Information provided to RCPAQAP in connection with the Services or otherwise is controlled and processed by RCPA Quality Assurance Programs Pty Ltd, Suite 201, 8 Herbert St, St. Leonards, NSW, 2065, Australia email@example.com.
Data Protection Officer
Our Data Protection Officer (DPO) is Jennifer Ross. The DPO is responsible for ensuring compliance with privacy requirements. Our Data Protection Officer can be contacted at firstname.lastname@example.org.
Collection of Personal Information
Information We Store When You Access the Services
- We retain your Personal Information only as long as needed to provide you the Services. Except as otherwise provided by this Policy, or when deleted or destroyed at your request, we typically maintain data and communications for an indefinite period. We may keep the minimal necessary data on you after you have deactivated your account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with legal and accreditation obligations, resolve disputes and enforce our agreements.
We use the Personal Information We collect to:
- Provide the requested Services, such as contributing information to the database or allowing enrolment and purchase of our products.
- Personalise the Services for you and to communicate with you.
- Send you emails from RCPAQAP and its affiliated websites (including, but not limited to myQAP.rcpaqap.com.au) which may include newsletters, relationship and transactional messages, and marketing promotions. If you have previously consented to receive newsletters or other commercial emails, then you may opt out in your notification preferences or from within the email messages themselves.
- We do not participate in any automated decision making, such as profiling, with regards to the Services and your Personal Information.
- We share information with third parties (processors) that act as an agent to perform tasks on our behalf and under our instructions. Examples include third parties that assist with payment processing (i.e., Eventbrite) or third parties that we contract with to send emails on our behalf (i.e., Campaign Monitor, SendGrid, Salesforce).
Additional information about the processors we use to support delivery of our Services is set forth in RCPAQAP Processors.
- We may share information with domestic and foreign affiliates including the Royal College of Pathologists of Australasia or our general sales agents in countries around the world. Our affiliates are subject to the terms of this Policy and follow the same privacy practices as us. We are the primary Data Controller for Personal Information collected and processed through our and our affiliates’ sites and Services.
- We may share information in order to investigate, prevent, or act regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Trade, or as otherwise required by law enforcement or national security requirements. We may also disclose information when requested to comply with a court order, investigation, or governmental request.
- We do not otherwise share your information with any third parties.
- We do not provide or sell email addresses or collection/want list data to any third party without your consent.
- We do not provide or sell your Personal Information or any other information you have provided to us to any third party for direct marketing or advertising purposes without your consent.
Limiting the Use and Disclosure of Your Personal Information
RCPAQAP will provide you with notice in the event it intends to share your information with a third party (other than as described above) or for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. Prior to sharing such information, you will be provided with clear, conspicuous, and readily available mechanisms to opt in to such sharing, as required by applicable laws and regulations.
In the event we decide to collect sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), we will first obtain affirmative express consent (opt in) from you if we intend such information to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised by you through the exercise of an opt-in choice.
You may choose not to allow cookies. Information on cookie settings can generally be found through the help feature of your browser. If you block or otherwise disable our cookies, certain Services may not be available. Please see the Cookies Policy for additional information.
You may choose not to provide information related to your mobile devices. Information on disabling device location permissions can generally be found in your device settings or by contacting your carrier or device manufacturer.
If you withdraw your consent to this Policy (by closing your account), then you may not have access to certain Services, including portal Services and reports. In certain cases, we may continue to process your Personal Information, but only if we have a legal basis to do so.
We use the following security measures and technologies to protect your data:
- Physical access controls, including secured premises to prevent unauthorised persons from gaining access to Personal Information, and ensuring that off-site data centres and server facilities adhere to similar appropriate controls;
- System access controls to prevent unauthorised access and use of Personal Information, which vary based on the nature of information processing, but may include: industry standard firewalls, authentication via hashed and salted passwords;
- Data access controls to ensure Personal Information is accessible and manageable only by properly authorised staff;
- Transmission controls, including encrypted data transfer over SSL and other controls to ensure that Personal Information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport;
- Input controls to ensure that any Personal Information is provided and edited by you or by us at your direction;
- Data backups are taken on a regular basis, and are secured and encrypted;
- Despite our efforts, no security measure can be absolute, and there can be no guarantee that your Personal Information will not be accessed through malicious means, inadvertent disclosure, or mistake. If RCPAQAP is the source of a breach, we will contact you and describe the breach, along with RCPAQAP’ mitigation actions. Where applicable, we will provide appropriate identity theft prevention and mitigation Services at no cost to the affected person for not less than 12 months.
Personally-Identifiable Information Submitted by Children
Our Services are not intended for use by children under 18 years. Please consult local laws for age restrictions in additional jurisdictions. IF YOU ARE UNDER THE MINIMUM AGE FOR YOUR JURISDICTION, DO NOT USE OR ACCESS THE PROVIDER SERVICES AT ANY TIME OR IN ANY MANNER. If we determine that personally identifiable information of children under the minimum age has been collected, we will remove the information from our Services. If you are a parent or guardian and learn that your child under the minimum age has created an account, you may contact us and request that the information be removed at email@example.com
Notification and other Privacy Preferences
The settings pages for Your account allow You to manage the following information related to Your account:
- Notification Settings: Choose how we communicate with you, including email messaging preferences.
- User profile Settings: Change your personal information displayed in your profile, including adding, rectifying, or removing incorrect data about you, and updating your username and password.
We do not send spam and do not permit spam on RCPAQAP sites.
You have the right to withdraw consent for various Services and related activities at any time and may do by contacting us on firstname.lastname@example.org You may also withdraw consent for marketing emails by selecting the “Unsubscribe From This List” button at the bottom of the email.
Analytics & Display Advertising, Cookies
- RCPAQAP uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses persistent cookies, which are text files placed on your computer, to help RCAPQAP analyse how our users use the site. We use this information to determine things such as the best time to perform site maintenance. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other Services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Click here for the RCPAQAP Cookies Policy
Your Right to Access, Alter, or Erase Your Personal Information
You can ask us whether we hold personal information relating to you, by completing the RCPAQAP Data Subject Request and subject to certain exceptions request a copy of it. Examples of such exceptions are if this would have an unreasonable impact on other people’s privacy or if it would interfere with an investigation of unlawful activity or regulatory functions. If permitted, we will respond to your request with 30 days.
If you believe that any information we hold about you is incorrect or incomplete, please contact us at email@example.com. RCPAQAP may ask for additional information to confirm your identity prior to releasing, amending, or erasing your Personal Information.
Your Portability Rights
You have a right to receive the Personal Information concerning you, which you have provided to RCPAQAP, in a structured, commonly used and machine-readable format and you have the right to transmit those data points to another controller where our processing is based on your consent or any contract you have with us and the processing is carried out by automated means. You may submit a request for portability by completing the RCPAQAP Data Subject Request. We will comply with your request within 30 days and if permitted by law. RCPAQAP may ask for additional information to confirm your identity prior to providing you with the requested information.
We hope we can resolve any disputes relating to our data protection practices between us. If you believe that your privacy rights have been breached or that your Personal Information has been compromised as a result of using RCPAQAP services, please contact us at firstname.lastname@example.org. RCPAQAP may ask for additional information to confirm your identity prior to assisting with your complaint. We will respond to your complaint within 30 days of receipt if permitted by law and may request additional information from you to complete our investigation.
You may also contact our Data Protection Officer, Jennifer Ross, directly with any complaints at email@example.com.
For individuals in the EU or EEA, you have additional rights to make a complaint to a competent data protection authority or commence proceedings in a court of competent jurisdiction in accordance with applicable data protection laws. The name and contact details of the Data Protection Authorities in the European Union can be found here.
Use of Data for Publication
De-identified aggregated results submitted to the RCPAQAP may be disseminated via peer-reviewed journals or books and in conference presentation. No individual detail of performance will be used in this manner. This is consistent with the National Health and Medical Research Council (NHMRC) National Statement on Ethical Conduct in Human Research.
We may amend this Policy at any time by posting the amended terms on our website and notifying you of material changes to the Policy along with an opportunity to opt-in to changes that require your consent by law or regulation or to opt-out of any changes that decrease your rights under this Policy. All non-material changes to our terms are effective on the effective date of this Policy. We encourage you to review this Policy from time to time. By continuing to use our Services after non-material changes are effective, or after being notified of a material change, you will be deemed to have accepted the changes.
In the event that RCPAQAP goes through a business transfer such as a consolidation, merger, restructuring, acquisition, or sale of part or all of our assets, we will obtain your consent to the transfer of your information as permitted by law and to the continued use of your information by the recipient following the transfer so long as they comply with this Policy.
You can contact us about this Policy at firstname.lastname@example.org.