Privacy Policy

Privacy Policy Update Aug 2022: updated to allow the disclosure of information to IT contractors providing technical support to CMAX. See section 4.4 below

1. Policy
CMAX Clinical Research Pty Ltd (CMAX) ABN 69 615 726 004 is an “organisation” for the purposes of the Privacy Act 1988 (“Act”), and is subject to the Australian Privacy Principles contained in the Act. Fusion Clinical Research is a division of CMAX Clinical Research Pty Ltd. All future references to CMAX pertain to the entire CMAX Clinical Research business, inclusive of Fusion Clinical Research.

This Privacy Policy is intended to provide a general overview of our policies in respect to our collection and handling of your personal information and, in particular, sensitive information. Your “personal information” is any information or opinion about you that is reasonably capable of identifying you. Your “sensitive information” will include any of your health information such as medical records. This Privacy Policy applies to all individuals with whom we have dealings.

This Policy is intended to apply to most personal information handled by us, but is not exhaustive. If you have any queries about our management of your personal information, you should contact the CMAX Privacy Coordinator for further information.


2. Policy Jurisdiction
This policy applies to all CMAX employees, contractors and participants.


3. Exemptions
No general exemptions under the Act apply to us or to any of our acts or practices in respect of personal information.


4. Application of Policy for Participants

4.1. How We Collect, Hold, Use and Disclose Personal Information


4.1.1. Collection
We will collect your personal information directly from you whenever reasonable and practicable, and will limit the personal information we collect to that which is necessary for our functions and conduct of clinical trials. Common methods of collection are when you enquire about applying for entry into a clinical trial or complete a form on our website. We will, as soon as practicable, inform you of the purposes for which personal information is being collected by us, the organisations to which we would usually disclose that information, and any consequences if you fail to provide any information that is requested by us, when we collect personal information from you.4.1.2. Storage
We store your personal information securely and have policies and practices intended to ensure that your personal information is not misplaced or misused, and that unauthorised access to, or modification or disclosure of, your personal information does not occur.Security measures we employ include building security to protect physical information held by us; restricted access to electronic records for authorised individuals only; secure archival of material; secure document disposal and regular monitoring of our practices to ensure the effectiveness of our practices in this regard.We may refuse to provide you with further information about our security practices if doing so might compromise these practices.We will endeavour to destroy your personal information as soon as it is no longer required by us, or if you instruct us to remove your details and its’ destruction is permitted by law. 4.1.3. Use and Disclosure
CMAX is a drug testing facility, which carries out research on a variety of drugs for the pharmaceutical and biotechnology industries. We service the needs of pharmaceutical manufacturers and researchers.

We will only use your personal information for the purposes of: Initially determining whether you are a suitable candidate to participate in a study; Undertaking research for the particular Company that we are undertaking the study for (“the Sponsor”); any information we, obtain from you on our data base(s); Preparing a report on the information we obtain from the study and our research and any subsequent findings based on that research and; For related purposes we consider are within your reasonable expectations.

Otherwise, we will seek your consent prior to using or disclosing your personal information for another purpose, unless the use or disclosure is required or permitted by law.

Further information about our use and disclosure of personal information is set out below.

We comply with the principles of ICH Good Clinical Practice (“GCP”) and local regulatory requirements. We are also internally audited, undergo independent Quality Assurance reviews in order to ensure GCP compliance and have been audited by the US Food and Drug Administration (FDA). These requirements and audits are in addition to and may at times prevail over any requirements to comply with the Australian Privacy Principles.


4.2. Access to Personal Information
You may contact the CMAX Privacy Coordinator to request access to your personal information.We may permit you to access your personal information in any of a number of ways, including, for example, supplying you with a copy or summary of your personal information, or providing you with the opportunity to view our records.A health service provider can refuse to give you access to your health information in some situations, such as if:• It may threaten your or someone else’s life, health or safety;
• It may impact someone else’s privacy;
• Giving access would be unlawful.If giving you certain information would impact someone else’s privacy, a health service provider could block out that part and give you the rest of the information. If it is not possible to give information directly to you because of a concern for your health or safety, then they might give access through an agreed third party (ie your General Practitioner).If your health service provider refuses to give you access they must give you a written notice telling you why and how you can complain about their refusal.

If you notify us that any personal information about you that we have on file is not accurate, complete and up-to-date, we will amend our records accordingly.

Please notify us if any of your personal details change or if our records need to be updated.


4.3 Kinds of Personal Information We Hold
In general, the personal information about you we commonly hold includes your name, sex, date of birth, race, eye colour, height, weight, your address, telephone number, email address and details of your next of kin.

We will also collect health information from you. This health information is sensitive information and will be subject to greater regulation under the Australian Privacy Principles. The health information we will collect will include (but not be limited to) details regarding smoking habits, dietary preferences, alcohol consumption, sexual preferences, the types of medication you take on a regular basis, the type of pre-existing medical conditions you may have and results of any physical examinations, electrocardiograms, x-rays and pathology results of blood and urine samples.

There may be circumstances in which we collect information about you from other sources (such as your general practitioner) as part of the undertaking of a particular study. We hold this information securely and use the data to effectively undertake the studies.

We may also use your personal information for purposes relating to the undertaking of further studies, such as to use the medical information we receive from you for follow up studies (which are related to the same study) or for other future research on other issues.


4.4. Disclosure of Personal Information to Others
We may disclose your personal information to individuals or organisations in the course of undertaking the study. We will only disclose your personal information to: 1.  A representative(s) of the Company who has contracted CMAX to conduct a study (“Sponsor Representative(s)”);
2. Agents or consultants of CMAX involved in a study;
3. Regulatory authorities and administrative bodies;
4. The Research Ethics Committee appointed to a study; and related parties we consider are within your reasonable expectations and
5. An IT contractor providing technical support, in the case of database migration or routine maintenance to ensure that security of your personal information and the integrity of data is safeguarded.

Most often, the information we disclose to a Sponsor Representative(s) would be “de-identified information”. That is, the information will refer to you by reference to a number as opposed to your name.

We may also disclose your personal information to any individuals or organisations to whom you authorise disclosure during the consent process.


4.5. Information Transferred Overseas
We will only transfer your personal information to another individual or organisation located outside of Australia if you have consented, if the recipient is subject to similar privacy regulation as that which applies in Australia, or if we are otherwise legally entitled to do so.

Generally, we will only transfer your personal information outside of Australia if this is required in the course undertaking the study or if the Sponsor or a regulatory authority is located overseas.


4.6. Data Breach Response

4.6.1. What is a Data Breach?
A data breach occurs when personal information that CMAX holds is subject to unauthorised access or disclosure, or is lost.Personal information is information about an identified individual, or an individual who is reasonably identifiable. CMAX should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems. Examples of data breaches include:• Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information;• Unauthorised access to personal information by an employee;• Inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person;

• Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

4.6.2. Identifying Eligible Data Breaches as Being Notifiable
The Notifiable Data Breaches (NDB) scheme requires regulated entities (CMAX Clinical Research) to notify particular individuals and the Office of the Australian Information Commissioner (OAIC) about ‘eligible data breaches’.

The first step is to determine whether an eligible data breach has occurred, this is when:

• There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;

• This is likely to result in serious harm to one or more individuals, and

• The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in CMAX’s position.

Not all data breaches are eligible. For example, if CMAX acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner. Is Serious Harm Likely?
The second step in deciding whether an eligible data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.For the NDB scheme a ‘reasonable person’ means a person in CMAX’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. In general, CMAX is not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach.CMAX is required to conduct an assessment of ‘suspected’ eligible data breaches and take reasonable steps to complete this assessment within 30 days.For further guidance and information about the NDB scheme, refer to the OAIC website, specifically: 4.6.3. Data Breach Response Plan
Data breaches can be caused or exacerbated by a variety of factors, involve different types of personal information, and give rise to a range of actual or potential harms to individuals and entities. As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks.Responding to a data breach is the responsibility of all staff, who in turn should notify the Privacy Committee, to enable them to respond appropriately as described in CMAX procedures and policies.Generally, the actions taken following a data breach should follow four key steps:Step 1: Contain
Once CMAX has discovered or suspects that a data breach has occurred, it should immediately take action to limit the breach, its’ spread and potential to cause harm. Step 2: Assess
An assessment of the data breach willhelp CMAX understand the risks posed by a data breach and how these risks can be addressed. It should be conducted as expeditiously as possible. Step 3: Notify
Notification can be an important mitigation strategy that has the potential to benefit both CMAX and the individuals affected by a data breach. The challenge is to determine when notification is appropriate. Sometimes, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. It can also de-sensitise individuals so that they don’t take a notification seriously, even when there is a real risk of serious harm. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required. Step 4: Review
Once steps 1 to 3 have been completed, CMAX should review and learn from the data breach incident to improve its’ personal information handling practices.


4.7. Changes
We reserve the right to amend this Privacy Policy at any time. You may obtain a copy of the current version of this Privacy Policy by contacting the CMAX Privacy Coordinator.4.8. Complaints
If you believe that a breach of your privacy has occurred, we encourage you to contact the CMAX Privacy Coordinator in writing to discuss your concerns.  4.9. Unsolicited Information
Upon receipt of hard copy unsolicited information CMAX will return the package/documents received to its’ original sender. If unsolicited information is received in electronic form, it shall be deleted (in its entirety) from the system. In both cases the sender shall be notified of the breach.


4.10. Further Information
Contact the CMAX Privacy Coordinator if you require further information about the ways we manage your personal information.


4.11. Application of Policy for Employees
The following applies to all CMAX employees:

• All personal data are retained for payroll and HR purposes;

• Emergency contact details are retained for use only in the case of an emergency;

• No personal information will be disclosed to another other party, without your permission;

• All data is stored and retained securely, with access limited to authorised personnel from CMAX, solely for the purpose of completing the obligations of their employment.


Contact Information
Privacy Coordinator
21-24 North Terrace
Adelaide SA 5000
Telephone: +61 8 7088 7900
Facsimile: +61 8 7088 7999
Email: [email protected]