Alcon is bound in Australia by the Australian Privacy Principles ("Principles") contained in the Commonwealth Privacy Amendment (Enhancing Privacy Protection) Act 2012 and Privacy Act 1988 (Cwth), as amended from time to time, and in New Zealand, by the Privacy Act 1993 together with the Health Information Privacy Code 1994, as amended from time to time, and complies with these to the extent required by the relevant privacy laws applying in Australia and New Zealand.
Before collecting any information about individuals outside of the company, Alcon must obtain the consent of each individual prior to that information being provided.
Aggregated information in a de-identified form may be used for the purpose of data analysis in relation to the business of Alcon solely.
6.1. Privacy and collection of Personal and Sensitive Information
Personal information, where collected, is handled by Alcon in an open and transparent way. Alcon collects, stores, manages and uses personal and health information for specific and limited purposes which we will inform you about when we ask you for information or for secondary purposes which are related to those purposes and are therefore purposes for which you would reasonably expect the information to be used. Alcon only collects information that is reasonably necessary for Alcon to carry out business functions or actions, and thus will depend on what type of interaction you have with us. Personal information is only used for the primary purpose for which it was collected or for purposes (secondary) which are related to the primary purpose. If this information includes a person’s state of health and/or medical history then it is considered ‘sensitive information’ and can only be used for the primary purpose for which it was collected or for purposes (secondary) which are related to the primary purpose, unless consent is given otherwise or if this information is required by law or to prevent a serious and imminent threat to the life or health of an individual.
Personal information we may collect from you includes, among other things:
- identity particulars – such as your name, address, date of birth, occupation, telephone numbers, e-mail address and hobbies and interests
- information we collect from you when assessing, processing and managing an application by you for commercial credit
- information (health) including current and past medical history
- information you provide to us when you participate in a promotion, competition, promotional activity, survey, market research, subscribe to our mailing list
- your bank, credit or debit account details when you make a purchase
- your records of communication with us
- if you visit an Alcon website, your website usage information such as your IP address
Generally, Alcon may keep a record of your name, contact details (address, telephone including mobile number, and fax number, email address etc.) and, where relevant your date of birth and your professional details (e.g. qualifications, specialty, areas of interest), details of your practice/business (e.g. size, use of products and services) and details of your dealings with Alcon.
Other information may be collected from other sources but those sources will provide details of what personal information is being collected and why.
Alcon will collect information with an option that it be provided anonymously or under a pseudonym, unless it is impracticable to do so or there are legal obligations for identification. Additionally, information collection will include full disclosure of the purpose and use of the information being collected.
Alcon does not use government identifiers (e.g. tax file numbers or Medicare numbers) to identify individuals.
6.1.1. Financial Information and Credit Applications
Financial information is collected so that Alcon can successfully complete a financial transaction. Where you have applied for a commercial credit account with us, we may also make enquiries in respect of commercial credit with third parties with your consent. This could include persons nominated by you as trade references, credit reporting bodies (“CRBs”) and your bankers.
Where the Privacy Act permits us to do so, Alcon may also disclose your credit related information (in respect of commercial credit) to CRBs such as Veda or Dun & Bradstreet, if you apply for commercial credit or request an increase in your commercial credit limit with Alcon.
Where Alcon collects personal credit information that we are likely to disclose to a CRB, please note:
- the CRBs may include that information in reports provided to Alcon to assist it to assess your creditworthiness
- if you fail to meet payment obligations in relation to commercial credit or commit a serious credit infringement, Alcon may be entitled to disclose this to the CRB
Alcon will only disclose personal information to CRBs where Alcon is a member of a recognised External Dispute Resolution Scheme (‘EDR Scheme’). If Alcon is disclosing your personal information to CRBs, we will provide you written notice prior to that disclosure, as well as the details of the recognised EDR Scheme.
6.2. Use of Personal Information
Alcon will generally only collect and use your personal information for the primary purposes of:
- our general business operations
- effectively providing you with our goods and services
- where applicable, assessing and processing an application for commercial credit, and for administrative purposes in relation to the ongoing management of your commercial credit arrangement
- communicating with you
- responding to your inquiries or complaints
- meeting our legal and regulatory obligations, particularly regarding the collection of health information
- conducting, improving and developing a relationship with you
- direct marketing (such as providing you with information about our products and promotional notices and offers) and
- improving our websites
Your personal information is only collected with your consent and by lawful and fair means; and where practicable, only from you or from a person acting or authorised to act on your behalf. Where you have applied for a commercial credit account with us, we may also make enquiries in respect of commercial credit with third parties with your consent. This could include persons nominated by you as trade references, credit reporting bodies (“CRBs”) and your bankers.
Alcon will take reasonable steps to ensure that you are aware of:
- the likely use of the information
- the right of access to the information
- the identity and contact details of our employee/representative collecting your personal information
- any law requiring collection of the information and
- the main consequences of failure to provide your personal information
Personal and health information is kept by Alcon only for as long as is reasonably needed for such purposes and in accordance with any applicable legal reporting or documentation retention requirements. Alcon will give you the opportunity to tell us if you do not want to receive this information.
If you do not provide the personal or health information requested by us, we may not be able to provide you with our products or services or respond to your enquiry.
Alcon recognises the importance of protecting the privacy of personal information and only processes this information for specific and limited purposes. This information will be limited to that necessary to record and manage our interaction with you.
Alcon may, for example, collect information from:
- Healthcare Professionals (e.g. doctor, nurse, pharmacist, optometrist etc.) in the course of and for the purposes of responding to product and service queries; meetings with our sales representatives and members of Scientific Affairs; negotiating and managing contracts and taking orders of products and services; complying with our regulatory obligations (e.g. notification of important product safety information) and codes of conduct/practice; adverse event reporting and product complaints; and participating in Alcon sponsored programs and events (e.g. clinical trials, advisory boards, trade shows, educational programs, research grants, donations and disease management programs);
- Members of the general public in the course of using our customer or product information services, adverse event reporting and product complaints; participating in promotional activities; and participating in Alcon sponsored programs (e.g. clinical trials, educational programs and disease management programs etc.)
- Service providers in the course of providing services to Alcon.
We take reasonable steps to protect your personal information from loss, misuse or unauthorised access by restricting access to the information in electronic format and by appropriate physical and communications security.
If a substantial data breach has or may have occurred (for example, your personal information was shared with unauthorised persons) we will notify you as soon as is practicable (refer to Section 6.7.1).
On receipt of your personal and health information Alcon typically:
- maintains a record locally and provides limited information overseas, if you have requested a product/service so that it can be delivered/billed to a nominated address
- maintains a record locally if your request is a medical/product inquiry or complaint (quality or adverse event) relating to Alcon’s products/services. Where required your personal and/or health information may be reported to a regulatory authority e.g. Therapeutic Goods Administration, MedSafe, FDA
- maintains a record locally and provides limited information overseas, if you have requested a product under a Special Access Scheme/Section 29
- maintains a record locally when administering conferences, symposia, advisory boards, seminars or other similar programs organized by Alcon, which you agree to participate in or be involved with
- maintains a record locally when administering disease awareness/management programs or other similar programs organized by Alcon, which you agree to participate in or be involved with
- maintains a record locally and provides limited information overseas, when involving doctors/investigators in clinical trials
- maintains a record locally and provides limited information overseas, when training HCPs on the use of surgical devices and equipment
- maintains a record locally to comply with legal obligations such as notifying you of matters that we may be required by law to notify you of (e.g. product recalls)
- maintains a record locally when managing, planning and arranging meetings between you and our sales representatives
- maintains a record locally when monitoring and reviewing our compliance with relevant regulations and codes of conduct/practice in our dealings with you and monitoring quality, safety and efficacy of our products
- maintains a record locally when generating customer lists for the purpose of market research
Alcon may communicate with your Customers.
6.2.1. Cross-border data transfer
Alcon may provide some personal/health information overseas in the provision of goods/services to you and such information will be handled as per Australian law to ensure compliance with these Principles. Prior to transfer of information internationally the individual/s will be informed of the transfer, and Alcon ensures that both parties comply with their own privacy policies and the Australian Privacy Principles. Alcon will not provide personal information to an international recipient without compliance to these Principles.
Alcon has adopted Binding Corporate Rules (BCR), a set of principles governing the international transfer of personal information of Novartis associates, customers, business partners and other individuals whose data is collected or processed in the EU and in Switzerland. The approval of the Novartis BCR by EU and Swiss Data Protection Authorities also allows Alcon to transfer your personal information from the EU and Switzerland to Alcon affiliates in other countries in compliance with EU and Swiss data protection laws.
6.2.2. Third Party use of Personal Information
Alcon utilizes global ordering and distribution systems, which means your personal information may be transmitted overseas when ordering, and distributes its goods/services via freight/courier companies that operate globally and locally.
Alcon may use your personal information for:
- the primary purposes for which it was collected
- assessing and processing an application for, or administration and management of, a commercial credit account with us
- administering and responding to your enquiry or feedback about our products and/or services
- conducting, and allowing you to participate in, a promotion, competition, promotional activity, survey, market research or customer behavioural activity
- promoting and marketing our current and future products and services to you, informing you of upcoming events and special promotions and offers and analysing our products and services so as to improve and develop new products and services (but giving you the opportunity to opt out of such direct marketing)
- improving the operation of our websites
Alcon does not disclose your personal information for any secondary purposes unless your consent has been given or as required by law, and we will not sell or license any personal information that we collect from you.
Alcon may disclose personal information we collect from you:
- to our related companies, suppliers, consultants, contractors or agents for the primary purposes for which it was collected or for other purposes directly related to the purpose for which the personal information is collected. For example, your name and telephone number may be disclosed to our supplier to enable that supplier to respond to your request for information about a particular product;
- for direct marketing by us with the express inclusion of our contact details and instructions on how to opt out of further such materials
- to relevant Federal, State, Territory medical, health and safety authorities (as required)
- where the law requires or authorises us to do so
- to others that you have been informed of at the time any personal information is collected from you
- to others that you provide your express or implied consent for provision to when requested
Alcon will not share with any other third parties any personal information or health information about you without your consent. These include contractors who act for or on behalf of Alcon for particular purposes such as fulfilling orders for products or services, and providing marketing and support services, and to related companies of Novartis, including those located outside of Australia and New Zealand. Alcon requires these third parties to use personal information only for the specific purpose for which it is collected and that such third parties provide the same level of protection as Alcon and, where appropriate, we will contractually require them to process personal and health information transferred to them only for the purposes expressly authorised by Alcon.
Alcon will not share with third parties any identifiable health information about you without your consent except to prevent a serious and imminent threat to an individual’s life or health. You may always revoke your consent at a later date. If consent is revoked Alcon may not be able to carry out certain requests made by you. Alcon will, where practicable, inform third parties to whom your information has been transferred of your withdrawal of consent.
Alcon may also disclose your information in circumstances required or authorised under law, in co-operation with any governmental authority or as otherwise permitted under applicable legislation.
6.3. Access to Your Personal Information, Change of Details
Alcon takes reasonable steps to ensure that any information we hold about you is up-to-date, accurate, and complete.
You have the right to access and update your personal and health information, if appropriate, unless certain circumstances set out in the Principles apply. If you wish to access or correct this information, please contact the Alcon Privacy Officer. To protect your privacy, Alcon may require proof of identity before processing your request. Your request will be dealt with in a prompt and proper manner. No charge will be levied for requesting access or correction of your information. Alcon may charge a reasonable fee to cover its costs of providing access.
6.4. Marketing and Opting-Out
Where your consent, direct or implied, is given, Alcon may use your personal information for:
- promoting and marketing of our current and future products and services;
- informing you of upcoming events and special promotions and offers; and
- analysing our products and services so as to improve and develop new products and services.
We may exchange your personal information between our related entities so they can also assist in the marketing of our products and services to you.
We will only offer you products or services, where we reasonably believe that they could be of interest or benefit to you.
At the point we collect information from you, you may be asked to “opt in” to consent to us using or disclosing your personal information. You will generally be given the opportunity to “opt out” from receiving marketing communications from us. You may “opt out” from receiving these communications by clicking on an unsubscribe link at the end of an email or by contacting us with this request directly.
Personal information may be disclosed as required by law or in special situations where Alcon has reason to believe that doing so is necessary to identify, or bring legal action against anyone damaging, injuring, or interfering with Alcon rights and property, or anyone else who could be harmed by such activities.
6.6. Using our Website and Cookies
As with most websites, when you visit our websites or use an application on our website, we may record anonymous information such as IP address, time, date, referring URL, pages accessed and documents downloaded, type of browser and operating system.
We also use “cookies”. A cookie is a small file that stays on your computer until, depending on whether it is a sessional or persistent cookie, you turn your computer off or it expires. Cookies may collect and store your personal information. You may adjust your internet browser to disable cookies. If cookies are disabled you may still use our website, but the website may be limited in the use of some of the features. Cookies do not personally identify users, although they do identify a user's browser. Cookies are used by Alcon to estimate our number of customers and determine overall traffic patterns through this website.
Alcon strives to ensure the security, integrity, confidentiality and privacy of personal information that it collects. We may hold your information in electronic and hard copy form. When information is collected on-line, it is subject to data networks protected internally by firewall and password protection. Alcon takes all reasonable precautions to protect your personal information from loss, misuse or alteration, including unauthorized access. Unfortunately, no data transmission can be guaranteed to be totally secure. Although we aim to protect your personal information, Alcon cannot guarantee the security of any information you may transmit to us, or our transmissions to you.
Where credit card details are submitted to us for a website purchase, we take every precaution to ensure that your transaction is safe and secure. Your credit card details are encrypted automatically with 128 bit SSL (secure socket layer) security after you enter them, and are deleted once the sale has been processed.
6.7.1. Data Security Incident (Breach Incident) Response Procedure
Alcon takes reports of all data security (breach) incidents seriously. Staff compliance with our policies and procedures is regularly audited and reviewed. While we cannot guarantee against any loss, misuse or alteration to data, Alcon will try to prevent such unfortunate occurrences. If an employee breaches our policies and procedures he/she will be disciplined accordingly.
Examples of Data Security Incidents include but are not limited to:
- Loss of storage devices – loss or theft (even temporary) of a server, desktop, laptop, mobile device, disk, tape, paper files, USB sticks or other storage device containing Personal Information, even if such information is appropriately protected (i.e. encrypted data or redacted);
- Violations of privacy and information security policies and guidelines – violations of company policies designed to safeguard the privacy and security of Personal Information. For example, the unencrypted transmission of sensitive Personal Information that the company requires to be transmitted securely, or the violation of an applicable clean desk policy;
- Unauthorized outside access – a successful intrusion of the Company’s Computer Systems containing unencrypted and un-redacted Personal Information or unauthorized access onto Novartis property that enables the intruder to access hard copy files containing personal information;
- Unauthorized internal access – the access or attempt to access Personal Information maintained by the company by individuals within the company who are not authorized to access that information. Access rights should be clearly governed in appropriate access guidelines;
- Inadvertent disclosure – the disclosure of Personal Information to an unauthorized person, via electronic mail, post or otherwise; this includes the situation where emails or paper documents are sent to the wrong recipient.
If an associate, agent or contractor suspects that any Data Security Incident has taken place or is about to take place, they should promptly report this suspicion to an appropriate department / function. This may be their Line Manager, ELT member, IT, Information Security, BPO, Privacy Officer, Compliance or HR.
All incidents are managed following the Novartis Guideline for Data Security Incident Response and Breach Notice. Briefly, the incident response team will conduct an investigation into the allegation/suspicion of a breach. The incident response team will, at minimum, consist of the DPO, Compliance/Legal representative and an IT/Information Security representative. If the breach involves personal or sensitive data, the investigation lead will be the DPO; if the breach does not involve personal or sensitive data, the investigation lead will be an IT representative. The initial investigation template (Appendix 1) outlines the information to be gathered and assessed. A report of the investigation, including proposed remediation plans, will be presented to the ELT and remediation actions will be determined accordingly.
Alcon complies in Australia with the Spam Act 2003 (Cth) and in New Zealand with the Unsolicited Electronic Messages Act 2007 in its interactions with you. Alcon will not send you a commercial electronic message unless permitted by the Act. If you contact Alcon electronically and Alcon believes that certain product, service, health or other information is of importance to you, we may inform you electronically but will give you the choice to opt out of receiving further communications of this type.
6.9. Customer Service
Alcon collects your name and telephone number for the purpose of enabling Alcon to contact you at a later date about your inquiry. The information may also be used for producing a report if you are calling Alcon to report a product complaint or adverse reaction to one of our products.
6.10. What to do if you have an enquiry?
6.11. Personal and Health Information of Children
Alcon will not knowingly collect, use or disclose personal and health information from a minor without obtaining prior consent from a person with parental responsibility (e.g. parent or guardian). Alcon will provide the parent with (i) notice of the specific types of information being collected from the minor, and (ii) the opportunity to object to any further collection, use, or storage of such information.
6.12. Personal information regarding employees/contractors
Alcon complies with the privacy requirements which apply to personal information supplied by prospective employees, contractors or consultants. In the private sector in Australia, legislation provides an exemption regarding employee records of current and previous employees. In the public sector and in New Zealand, standard privacy laws apply.
6.13. Accurate and up-to-date information
We take reasonable steps to ensure your personal information is accurate, up-to-date and not misleading by updating our records whenever true and correct changes to the data come to our attention.
If you believe your information is incorrect, incomplete or not current, you can request that we update this information by contacting the Alcon Privacy Officer (see details below).
We will correct information we hold about you if we discover, or you are able to show to a reasonable standard, the information is incorrect. If you seek correction and we disagree that the information is incorrect, we will provide you with the reasons for taking that view.
We disregard information that seems likely to be inaccurate or out-of-date by reason of the time that has elapsed since it was collected or by reason of any other information in our possession.
6.14. Anonymity when dealing with us
You may deal with us anonymously or using a pseudonym where it is reasonably possible to conduct the relevant interactions.
6.15. Government identifiers
We do not use government identifiers (e.g. tax file numbers or Medicare numbers) to identify individuals.
6.16. Contact information
Alcon acknowledges that you have a general right of access to information concerning you, and to have inaccurate information corrected. You are able to access the personal information we hold about you by contacting our Privacy Officer.
Phone: 02 9452 9200
Postal address: The Privacy Officer
Alcon Laboratories (Australia) Pty Ltd
10/25 Frenchs Forest Road East
Frenchs Forest NSW 2086