Our Privacy Policy explains how we handle your personal information.
Australia's Privacy Act 1988 (Cth) requires Autism CRC Ltd (Autism CRC, we, our, us) to have a privacy policy. Our Privacy Policy outlines the way we collect, use, store and disclose your personal information (including sensitive information).
We may update this Privacy Policy from time to time. If practical, we will notify you of any updates to our policy by, for example, pushing notifications within our website or (if you have provided your email address to us) sending you an email.
If you are a resident of the European Union or the United Kingdom, please read our GDPR Addendum together with this Privacy Policy.
-
What is personal information?
‘Personal information’ is information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Personal information includes sensitive information, which is defined under the Privacy Act 1988 (Cth) (Privacy Act) as information or an opinion about a person's race, ethnic origin, political opinions, membership of political associations and trade associations, religious or philosophical beliefs, sexual orientation or practices, criminal record, health information, genetic information about an individual that is not otherwise health information, biometric information that is used for the purpose of automated biometric verification or biometric identification and biometric templates.
-
What types of personal information do we collect?
The types of personal information we collect depend on the nature of our relationship with you. For example, they depend on whether you send us a question through our contact us page; are a user of Autism CRC Best Practice Portal resources, the inclusionED or myWAY Employability platforms, or the CoLab Community of Practice platform; are a participant in an Autism CRC research study; or apply for a career opportunity with us.
We collect many types of personal information, including:
- name, date of birth, gender, pronouns and occupation or employment status;
- if you are under the age of 18, the name of your parent or legal guardian;
- email address and other contact details, including mailing address and telephone number;
- if you are creating a user account on an Autism CRC platform, login credentials;
- if you are making a payment using your personal bank account or credit card, your credit card and banking details;
- information relating to your use of our products and services that allow us to improve or personalise your use of our products or services, such as details about your interactions with our products or services and device identifiers (eg IP address);
- sensitive information, such as details about your diagnosis, that are relevant to your use of Autism CRC products and services or participation in research;
- any information you provide relevant to your use of Autism CRC products and services, or participation in research, such as demographic data, details about your education, skills, employment history.
-
How we collect personal information
We collect your personal information through a variety of channels, including:
- from you directly or (if it is impracticable or unreasonable to collect information directly from you) your parent or legal guardian, through online forms, paper forms, online portals, face-to-face meetings or over the telephone;
- when you interact with us on our social media accounts on Facebook, X, Instagram, LinkedIn and YouTube; and
- through public records or other publicly accessible sources.
We collect sensitive information about you if you provide your consent, when the collection is authorised or required by law, or the collection is otherwise allowed under the Privacy Act.
-
Anonymity and pseudonymity
Due to the nature of our products and services, it is not practical for us to interact or communicate with you on an anonymous basis or using a pseudonym. We require your personal information in order to provide you with our products and services, or respond to any questions, concerns or inquiries you may have.
-
Why do we collect your personal information?
-
Generally
We collect, use, hold and disclose your personal information for the following purposes:
- to respond to your requests and inquiries;
- to conduct research to inform programs, products and services, and policymaking for autistic people, people with disability and their families;
- to enable you to register to, and use, our website, and our products and services;
- to take and process any payments;
- to analyse your use of our products and services to improve the functionality of our products and services or to make our products and services more suitable to your needs;
- to comply with a law, regulation, court order or other legal process;
- to investigate or report suspected unlawful activity; and
- for marketing (including direct marketing) and business development activities.
-
Direct marketing
We may use your personal information (but never your sensitive information) to provide you with information about our products or services that we believe may be of interest to you (including any newsletters, updates, offers, promotions or other benefits) via email, post, telephone or other direct contact methods.
If you do not wish to receive any marketing communications or material from us, or do not want your information used or disclosed for direct marketing purposes, you may opt out at any time by clicking the opt-out button in the marketing material or by contacting us via the details at section 14.
-
Job application
If you have applied for a job with us, we collect and process your personal information to assess your suitability for the role (including verification of your identity, qualifications, certifications, entitlement to work), and we may also conduct background or criminal history checks.
-
Who do we share your personal information with?
We may share your personal information with other individuals and organisations such as:
- our related entities and bodies corporate;
- our service providers and partners who help us develop and deliver our products and services, such as our cloud storage service providers and people who may help deliver those products and services to you;
- our professional advisers (eg lawyers and accountants);
- law enforcement officers, regulators, courts and government agencies, if permitted or required:
  - by law, regulation, court order or other legal process;
  - to assist in the prevention or detection of crime;
  - to prevent a threat to any person's life, health or safety;
- any purchaser or prospective purchaser of our business, including in the case of bankruptcy, a merger, acquisition, reorganisation, sale of assets or assignments, or due diligence in respect of any such transactions.
-
Do we share your personal information outside of Australia?
We work with people or companies that are located outside of Australia, who assist us with providing our products and services to you. Those people or companies may accordingly use or store your personal information outside of Australia (such as in the United States) in the course of providing this assistance. However, they will only do so if you have consented to us sharing your personal information with them to use or store, or if we are legally required or authorised to share your personal information with them.
If you provide us with this consent (for example, by providing us with your personal information or otherwise accepting our privacy collection statement or this Privacy Policy), you understand and acknowledge that:
- Australian Privacy Principle 8.1 does not apply to our disclosure of your personal information; and
- countries outside of Australia do not always have the same privacy protection obligations as Australia in relation to personal information, and you may not be able to seek redress in an overseas jurisdiction. Additionally, the overseas recipient is subject to foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority. However, we take reasonable steps to ensure that any third parties based outside Australia to whom we disclose or share your personal information use and hold your personal information in a secure manner.
-
Automated decision-making
We may process your personal information using semi- or fully-automated decision-making systems, being any computer program or artificial intelligence used to make, or do something that is substantially and directly related to making, a decision that could significantly affect the rights or interests of an individual. An example is providing you with customised content or user experience based on the demographic information you have provided.
If the GDPR Addendum applies to you, you expressly consent to us Processing your Personal Data using the automated decision-making systems as set out in this section 8.
-
Third-party websites
Our website or platforms may include links to other websites or services operated by third parties. This Privacy Policy does not apply to the data processed by such third-party websites or services, and we have no control over the actions of those third parties in respect of your personal information.
The presence of any third-party links or services on our website does not imply any relationship with, or endorsement of those sites or their content by, Autism CRC.
-
Cookies
When you use our website or online platforms, we may use "cookies", traffic measurement software or other similar technologies to personalise or improve your user experience, including:
- Functionality. These cookies allow us to recognise you when you access our website or platform and remember your selected preference.
- Analytics and customisation. These cookies help us understand how you use our website or platform, how effective our marketing campaigns are, or to help us customise our website or platform for you.
- Advertising. These cookies allow us to collect information about your activities on our website or platform (including the content you viewed and links you clicked), so we can present advertisements based on your activities.
In using cookies, we may collect data including:
- page visits;
- interactions;
- duration of visit; and
- user or device reference.
If you do not want your information to be collected through the use of cookies or traffic measurement software, your device and/or browser may enable you to delete or "turn off" cookies or some of the measurement software features. However, some or all parts of our platform or website may not function properly if these features are disabled.
-
How do we store your personal information?
We will store your personal information for as long as is required to provide you with our products and services or some other purpose for which your information was collected, as set out in this Privacy Policy.
When we no longer require your personal information to carry out any such purpose or if required by law, we will delete or de-identify your personal information as soon as reasonably possible.
-
How do we keep your personal information safe?
We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure, including by implementing and maintaining technical and organisational measures.
However, data transfers made over the Internet are never 100% secure and if you send us any information, you acknowledge this is done at your own risk.
-
How to access your personal information
You have the right to ask:
- for access to personal information that we hold about you, and
- that we correct personal information we hold about you.
You can make these requests by contacting our Privacy Officer whose contact details appear in section 14 below.
If you ask, subject to verification of your identity, we must generally give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless an exception applies. We may refuse your request for legitimate reasons, including if we believe that granting you access will endanger the life, health or safety of any person or would adversely impact the privacy of other individuals. In this case, we will notify you in writing, and explain our reasons if we refuse to give you access to, or correct, your personal information.
No fees apply to making a request for access or correction of your personal information, but we may charge for reasonable administrative costs incurred in providing access.
-
How to make a complaint about privacy
If you wish to complain about how we’ve handled your personal information, first try to resolve the issue with the person you’ve been dealing with. If you are not satisfied, you can ask to speak to their supervisor.
You can also make a complaint by contacting us at:
Address:
Attn: Privacy Officer
Long Pocket Precinct, Level 3, Foxtail Building
80 Meiers Road, Indooroopilly Qld 4068
Telephone: 07 3377 0600
Email: info@autismcrc.com.au
You may also make a complaint, and can find more information about your rights and obligations in respect of privacy, at www.oaic.gov.au or by contacting the Office of the Australian Information Commissioner at:
Address: GPO Box 5218, Sydney NSW 2001
Email: enquiries@oaic.gov.au
GDPR Addendum
-
When does this Addendum apply?
If you are a resident of the European Union (EU) or United Kingdom (UK), we may be required to comply with the GDPR and the additional provisions in this Addendum, together with our Privacy Policy, will apply to our processing of your Personal Data.
This section will not apply if you do not live in the European Union or United Kingdom.
-
Definitions and interpretation
In this Addendum:
- Addendum means this GDPR Addendum;
- the terms Controller, Data Subject, Personal Data, Processor, Processing, and Supervisory Authority have the meaning given to those respective terms under the GDPR, and their corresponding terms will be construed accordingly;
- GDPR means:
  - when used in the context of European Union residents, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 for the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC; and
  - when used in the context of United Kingdom residents, the UK General Data Protection Regulation as implemented by the Data Protection Act 2018 (UK); and
- Privacy Policy means our privacy policy available at autismcrc.com.au or to which this addendum is attached.
If any capitalised term is used in this Addendum and not otherwise defined, it has the meaning given in the Privacy Policy.
For avoidance of doubt, where this Addendum applies, a reference in the Privacy Policy to personal information is read as a reference to Personal Data.
-
Our role
Under the GDPR, we are a Data Controller for Personal Data that we collect about you, for our own use, and this role determines the purposes and means which apply to our processing of your Personal Data.
-
What are your rights as a Data Subject?
In addition to your rights of access and correction as set out in our Privacy Policy, as a Data Subject, you have the following additional rights:
- Access. You may request access to any Personal Data we hold about you and information regarding our Processing of your Personal Data (including the purpose of processing, data retention period, and categories of data involved).
- Rectification. You may ask us to correct or update any of the Personal Data we hold about you.
- Erasure. You may request for us to delete your Personal Data if we no longer need it for the purpose for which it was collected, or if you withdraw your consent to Processing of your Personal Data and we have Processed your Personal Data without legitimate grounds.
- Restriction. You may ask us to restrict the processing of your Personal Data, if:
  - you are contesting the accuracy of the Personal Data and you enable the Controller to verify the accuracy of your data;
  - the Processing of your Personal Data is unlawful and you do not want your data erased, but request a restriction instead;
  - the Controller no longer needs to process the Personal Data, but you need the Personal Data for legal proceedings; or
  - you have objected to Processing pursuant to Article 21(1) of the GDPR;
- Objection. You may object to our Processing of your Personal Data under certain conditions.
- Data Portability. You may request for us to:
  - provide you your Personal Data in a machine-readable format; or
  - transfer any Personal Data we hold about you to you or a nominated third party.
-
Do we share your Personal Data outside of the EU or UK?
We work with people or companies that are located outside of the EU and UK, who assist us with providing our products and services to you. Those people or companies may accordingly use or store your Personal Data outside of the EU and UK (such as in Australia and the United States) in the course of providing this assistance.
In sharing your Personal Data with people or companies based outside the EU and UK, we take reasonable steps to ensure that those people use and hold your Personal Data in a secure manner, including by ensuring our contracts with third parties require them to protect Personal Data.
-
Withdrawing consent
If you have provided us with your consent to Process your Personal Data, you may withdraw that consent at any time by contacting us via the details at section 14 of our Privacy Policy.
-
How to exercise your Data Subject rights
If you wish to exercise any of your Data Subject Rights, please contact us using the details set out at section 15 of the Privacy Policy. We endeavour to process your request promptly and within one month of receiving it.
Where we are a Data Processor for your Personal Data (meaning we hold your Personal Data only on behalf of our member or another Data Controller), we will redirect your request to the Data Controller for instructions, before we or they may respond to you. Accordingly, it may be more expeditious for you, if you direct your request to the applicable Data Controller in the first instance.
-
Complaints to a Supervisory Authority
If you have any concerns or complaints regarding our Processing of your Personal Data or the exercising of your Data Subject Rights, you may contact the Supervisory Authority of your resident country.
The United Kingdom's Supervisory Authority is:
The Information Commissioner's Office
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk
The Supervisory Authority for the European Union is the relevant authority for the member country in which you reside.