Genomics for Life Pty Ltd, including its businesses DNAQ and Genomics for Life (collectively referred to as “GFL”, “us” or “we”), is committed to respecting your rights to privacy in accordance with all relevant legislation.
If you have any questions about how we use or collect your data, please contact us using any of the methods set out at the end of this policy.
What types of personal information do we collect?
The personal information that we may collect includes your:
- date of birth;
- residential or postal address;
- email address;
- telephone number;
- any “additional information” provided directly by you via our application form;
- health care related information such as Medicare details;
- payment details;
- medical information including genetic data relating directly to a requested test; and
- any information gathered from requests, feedback or complaints you may make.
How do we collect your personal information?
We may collect personal information from you directly by telephone, facsimile, email, post or via our website. We may also receive information via an intermediary we have a relationship with such as a doctor, healthcare provider or other service provider.
How do we use your personal information?
If you consent to us processing your personal information, we will not collect, use or disclose your personal information for any purposes other than those identified below except with your consent.
We may process your personal information for the following purposes:
- to process, analyse and deliver the services requested directly by you, or by your agent (including but not limited to a doctor, consultant or healthcare provider);
- to communicate the outcome of the services (including but not limited to the results of any tests undertaken);
- to process any required payments;
- to communicate information about our products and services to you;
- to keep your records up to date;
- to identify you (generally and including to identify whether you have requested that your data be destroyed);
- to confirm whether your personal information has been destroyed; and
- to comply with any of our legal requirements.
You have the right to withdraw your consent at any time but it will not affect the lawfulness of processing based on consent before its withdrawal. This withdrawal may also impact on our ability to provide our services to you and may result in us cancelling the request for services.
In order to protect the privacy of children, we require parental or guardian consent for all children under the age of 18 for testing purposes and to be able to use their personal information. No sample or information will be handled without this explicit consent. If this consent is not provided, we will promptly remove any personal information provided from our database.
Sample and Data Retention Policy
DNAQ complies with our privacy obligations as set out under the Privacy Act (1988), the Australian Privacy Principles (APP) and the General Data Protection Regulation (GDPR) and other relevant regulatory bodies. Samples submitted to DNAQ for the purposes of DNA testing are stored and retained in accordance with NPAAC guidelines.
Non-Legal (Peace of Mind) Cases
DNA samples may be securely disposed of by DNAQ 3 months after the date of collection. Collection paperwork, profiles and reports associated with non-legal cases will be stored indefinitely by DNAQ.
Where samples have been collected for Non-Legal purposes, the tested parties (or their legal guardian) can request to have their samples securely destroyed by DNAQ once testing has concluded. Tested parties may also elect to have their samples returned to them once testing has concluded, for an additional fee.
Where written consent is received from all tested parties, all records (including profiles and final reports) from a non-legal testing case may be destroyed by DNAQ. Where such consent is received, DNAQ will retain only a relevant case number and the completed Authority to Destroy paperwork received in their records.
In accordance with NPAAC guidelines, samples from Legal cases are retained for a minimum period of 2 years. Collection paperwork, profiles and reports associated with legally admissible testing will be stored indefinitely.
Do we process any anonymised or de-identified information?
We sometimes anonymise or de-identify information by removing all of the personally-identifiable information such as your name, date of birth and address. We may then use this de-identified information for the purpose of auditing, quality assurance and research on the basis that they are anonymous and unidentifiable. This data analysis helps the quality of information to comply with our regulatory requirements and improve the understanding of genetic variants.
None of your personally-identifiable information will ever be used in any reports or publications.
Do we ever disclose your personal information to third parties?
In order to deliver our services, we may need to disclose your personal information to the following entities:
- Our genetic testing lab. DNA samples provided to us are sent to our third party laboratory.
- Consultants, doctors and other healthcare providers. We disclose your personal data to consultants, doctors and healthcare providers if they are the ones who provide the referral for our services.
- Credit reporting agencies. In certain circumstances we may disclose your personal information to a credit reporting agency in order to determine your creditworthiness.
- Government and other regulatory authorities. We may be required by law to disclose your personal information to national security or law enforcement agencies.
Do we transmit your personal information internationally?
In order to provide our services to you, we may transfer, process or store personal information in countries outside where you are located.
In these cases, we have strict contractual requirements with our third parties and appropriate safeguards as to how they are able to collect, use, maintain, secure and disclose information.
If you do not consent to your personal information being stored or processed internationally, you should not use our services.
How is your personal information kept secure?
We take the security of your personal information seriously. In order to do so, we have implemented the following protocols:
- Password Policy. Strong and unique passwords are required for each staff member and must be changed regularly.
- Active Directory. Microsoft Active Directory with domain connected PCs to manage security and policies.
- File Shares. All file sharing between us and third parties is password protected.
- Antivirus. Market leading antivirus software is installed on each PC and is constantly monitored.
- Firewall. A SonicWall firewall is set up with protection policies put in place, limited NAT rules, multiple subsets and firewall rules to segregate and secure the network.
- Backups. Backup software is used to store regular incremental backups of the domain controller server (which contains critical data shares) to password protected NAS drives on the network.
- Static IP. A Static IP is used on the network to allow external providers to authenticate requests based on IP.
- File Transfer Protocol. FTP is used to transfer data to external data-providers.
- Encryption. All purchases made through us are passed through a secure server using the latest 128-bit Secure Sockets Layer (SSL) encryption technology.
How long do we hold onto your personal information?
We store your personal information:
- for as long as reasonably needed in order to respond to any queries you may have;
- for as long as you might legally bring claims against us; or
- for as long as the law requires in order to satisfy our legal, audit and compliance requirements.
Generally this means we will only hold your personal information for one to seven years.
You are able to request us to destroy your personal information at any time, but you acknowledge that this may impact on our ability to provide services to you. Your personal information will then be destroyed, with the exception of your deletion request, a confirmation that the information was deleted and any data required in order for us to meet our legal obligations.
Are you able to request information or make changes?
You may ask us at any time to provide you with a list of the personal information we hold about you, and for copies of that personal information. We will endeavour to provide you with the data within 30 days of receiving your request. For more complicated matters, we may need to extend this deadline to 60 days.
We will endeavour to provide these requests free of charge. However, if a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee to cover our administrative costs or refuse to act on the request.
If you believe for any reason that we are holding inaccurate or incomplete data about you, you may ask us to correct it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.
Our ability to effectively process your data is reliant on true, complete and accurate information provided by you at the time that you engage us to provide the services. We will not update your information or release your results:
- unless we are able to verify your identity through your name, date of birth and email address; or
- if you have previously knowingly provided us with false information regarding your identity.
Members in “Designated Countries”
The following section only applies to individuals located within the European Economic Area, United Kingdom or Switzerland (collectively referred to as “Designated Countries”).
What is our relationship to you?
We will generally act as the Data Controller of your personal information. Sometimes we will also be given personal data under contract with third parties. In this case, it is likely we will be acting as a Data Processor or as Joint Controllers.
What are your rights under current data protection laws?
The following is a summary of your rights given under the General Data Protection Regulation, noting that these rights are subject to certain exceptions:
- The right to withdraw consent. We rely on your explicit consent to process your personal information. You have the right to withdraw this consent at any time but it will not affect the lawfulness of processing based on consent before its withdrawal. This withdrawal may also impact on our ability to provide services to you.
- The right to access. You have the right to obtain confirmation as to whether or not we are processing your personal information. If we are, you have the right to request access to what personal information we possess and how we process it. We may reject part or all of your request if responding would adversely affect the rights or freedoms of others.
- The right to rectification. You have the right to have any inaccurate or incomplete personal information rectified unless the change would adversely affect the rights or freedoms of others.
- The right to erasure (the ‘right to be forgotten’). You have the right to have your personal information erased if:
  - that data is no longer necessary for the purposes for which it was collected or processed;
  - that data is based on consent that you have since withdrawn; or
  - you object to the processing of your personal information and there are no overriding legitimate grounds for our processing.
- The right to data portability. If we process your personal information based on a contract with you based on your consent, or the processing is carried out by automated means, you have the right to request your personal information in a structured, commonly used and machine-readable format, and have us directly transfer your personal information to another controller where technically feasible. We may reject part or all of your request if responding would adversely affect the rights or freedoms of others.
- The right to restriction of processing. You have the right to restrict the processing of your personal information in the following cases:
  - the accuracy of your personal information is contested. We will then restrict the processing for a period to enable us to verify the accuracy;
  - the processing of your personal information is unlawful and you request the restriction of processing as opposed to erasure;
  - the personal data is no longer needed for the purposes of processing, but is required by you for the establishment, exercise or defence of legal claims;
  - you object to the processing of your personal information, pending the verification whether the legitimate grounds of our processing override your rights.
- Notification of erasure, rectification and restriction. We will communicate any requests made by you for the rectification, erasure or restriction of your personal information to each third party we have disclosed your information to, unless this proves impossible or involves disproportionate effort.
- The right to object to processing. If we process your personal information based on consent, contract or legitimate interest, you have the right to object to our processing at any time and as permitted by applicable law.
- The right to lodge a complaint. If you believe we have infringed on your privacy rights, please contact us using the details provided below and we will work with you to try and resolve the issue. You also have the right to lodge a complaint with a competent supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.
To request any of your above rights, please contact us using any of the methods provided at the end of this policy.
How can we be contacted? (DNAQ)
You can exercise your rights or make a complaint by contacting us using the below information.
1300 172 837
Sending a fax to:
07 3054 4363
Emailing us at:
PO Box 1201
Milton, QLD, 4064, AUSTRALIA
Each request or complaint will be dealt with confidentially and we will be in contact with you within a reasonable time.