Privacy Policy

Roche Products Pty Limited, Roche Diagnostics Australia Pty Limited and Roche Diabetes Care Australia Pty Limited (together “Roche”) is committed to protecting your privacy by collecting, storing, using and disclosing your personal information in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth) (together “the Act”).

This Privacy Policy may be amended from time to time. Your continued engagement with us and use of our products and services after any amendments are made indicates that you accept the amendments. You should check this Privacy Policy regularly to ensure you are aware of any changes, and only provide further personal information to us if you accept the changes.

In this Privacy Policy, the terms “personal information” and “sensitive information” have the same meaning as in the Act. “Affiliates” means the companies in the global Roche Group of companies.

Information Collected

1. How Roche will collect your personal information

Wherever possible, Roche will collect your personal information directly from you. However, Roche may also collect personal information from other sources including:

• agents and service providers such as customer relationship management service providers and third party service providers;
• healthcare professionals or carers;
• reporters and subjects of adverse events;
• clinical trials investigators and staff engaged to conduct clinical research;
• publicly available sources including directories, listings and the internet;
• newspapers, magazines, professional journals and the electronic media;
• information automatically obtained when you access Roche’s website, use our internal or external applications or send us emails, as detailed in section 8;
• personal interactions and/or communications with Roche employees and/or contractors; and
• databases purchased from an external provider.

If Roche receives unsolicited personal information about you that it is not otherwise permitted by the Act to collect, it will, as soon as practicable (if lawful and reasonable to do so), destroy the information or ensure that it is de-identified and in the case of a misdirection, Roche will endeavour to promptly forward the information on to the correct recipient. Your contact details such as your email address may be retained in order that Roche can communicate with you.

2. Personal information collected by Roche

The personal information Roche collects will vary depending on your relationship and interaction with Roche. However, Roche will only collect and retain information that is necessary for Roche to track and manage its interaction with you or for purposes set out in this Policy. For example, the information may include:

• your contact details and other information collected when you register with Roche;
• any messages or comments you submit to us through email; or
• any other information you provide to Roche during your interaction with Roche.

3. Applicants for employment, contract roles or consultancy services

The types of personal information Roche and/or its third party service providers collect from applicants for employment positions, contract roles and consulting projects may include, for example:

• name, business address, business and mobile telephone number(s) and email address
• employment and/or professional history
• education, credentials and qualifications
• background checks
• opinions about suitability for employment from referees and previous employers
• taxation, superannuation and banking details
• information from public domain and social media websites
• information obtained when you access Roche’s website, as detailed in section 8
• residential address
• copies of identification documents – drivers licence and/or passport
• name and contact information for next of kin

Applicants for employment and/or contract roles have the right to not disclose personal information, however Roche may not be able to assess a candidate’s suitability for a role when it does not receive all necessary information.  The personal information of applicants will only be disclosed to third parties with the consent of the applicant, or as otherwise permitted in limited circumstances by law.

Once a position has been filled, all applications received by Roche are filed and kept by the recruitment manager in the human resources team.

4. Business contacts

The types of personal information Roche collects from business contacts may include, for example:

• name, business address, business and mobile telephone number(s) and email address
• dealings with Roche in respect of general business relationships
• work, professional and employment references, reports and assessments
• employment and/or professional history
• education, credentials and qualifications
• information from public domain and social media websites
• information obtained when you access Roche’s website, as detailed in section 8
• banking details

5. Healthcare professionals

The types of personal information Roche collects from healthcare professionals may include, for example:

• name, business address, business and mobile telephone number(s) and email address
• professional credentials and other details, including AHPRA numbers and College CPD number, and years in practice
• practice specialty including areas of interest
• treatment site affiliation (hospital) and contact information
• membership of professional associations
• practice and/or business information including, where applicable, interest in Roche products
• information relating to your patients, following adverse event reporting, product complaints or medical information line enquiries
• information relating to your participation in Roche sponsored or supported clinical trials, conferences or other educational events
• information from public domain and social media websites
• information obtained when you access Roche’s website, as detailed in section 8
• survey and demographic information
• survey and aggregate clinical practice information (e.g. number and type of patients treated)
• standard sales call information – who we connected with, date of the call, the call outcome, call duration and call notes
• sales data from sources such as IMS Health, wholesalers, or a pharmacy point-of-sale system
• banking details
• details of patient starter pack or sample products provided to you
• details of your involvement in patient familiarisation or patient support programs
• details of sponsorship or educational support provided to you

6. Patients

Roche, and third parties that Roche contracts with collect a variety of personal information from patients in the course of its operations, for example in running patient advisory boards, clinical trials, market research, access programs and other patient programs, (for example to provide educational or therapeutic support to patients using Roche products). Data collected will vary but may include, for example:

• name, home address, home and mobile telephone number(s) and email address
• age, gender and diagnosis
• treatment information (drug, date of initiation, dose, duration/discontinuation)
• other sensitive information including health information

7. Adverse event reporting

Roche, its Affiliates, and its third party contractors are required by the Therapeutic Goods Act 1989 (Cth) to record, analyse and report adverse events and special situations (together, “adverse event reports”) relating to Roche products that they receive, regardless of the source of the report.

Reports may be received from individuals or healthcare professionals but also via other channels such as social media. Some adverse event reports are required to be transmitted in a de-identified manner to regulatory authorities. If an adverse event report is made by any individual, their contact details are retained by Roche and may be used by Roche to contact them for more information unless they opt out from contact from Roche.

Other personal information collected and used to fulfil adverse event reporting requirements may include, for example:

• personal information such as patient name, home address, home and mobile telephone number(s), email address, age, ethnicity, weight, height etc
• suspect drug information (name, strength, dosage, route of administration, therapy start and end date, indications for use)
• event or situation details (date started/ended, outcome, causality)
• concomitant medications (if any)
• medical conditions and history, including family history
• results of diagnostic tests, including therapeutic range
• name, profession, institution name and contact details of person reporting the adverse event or situation, and that of the treating healthcare professional(s) if reported

8. Automatically collected information

Roche may automatically receive certain types of information whenever you interact with us on our websites and internal and external applications and through emails we may send each other. Automatic technologies we use may include, for example, web server logs/IP addresses, cookies and web beacons.

• Web server logs/lP addresses. An IP address is a number assigned to your computer whenever you access the Internet. All computer identification on the Internet is conducted with IP addresses, which allow computers and servers to recognize and communicate with each other. Roche collects IP addresses to conduct system administration and report aggregate information to Affiliates, business partners and/or vendors to conduct site analysis and website performance review.
• Cookies. Cookies are text files that are placed on your computer’s hard drive by your web browser when you access certain websites. The cookie uniquely identifies your browser to the server. Cookies allow us to store information on the server to help make the user experience better for you and to conduct site analysis and website performance review. Most web browsers are set up to accept cookies, although you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Note, however, that some portions of our websites may not work properly if you refuse cookies. Cookies do not tell us your email address. They do, however, allow third parties such as Google and Facebook to cause advertisements to appear on your online feeds, and if you choose to provide us with information through our websites, this may be linked to data stored in a cookie.
• Web beacons. On certain web pages or emails, Roche may utilize a common internet technology called a web beacon (also known as an “action tag” or “clear GIF technology”). Web beacons, which are small pieces of code placed on the web page or email, help analyse the effectiveness of websites by measuring, for example, the number of visitors to a site or how many visitors clicked on key elements of a site. They may also be used to deliver a cookie to the visitor’s browser. Web beacons, cookies and other tracking technologies do not automatically obtain personal information about you other than IP addresses. Only if you voluntarily submit personal information, such as by registering or sending emails, or by using our internal business applications, can these automatic tracking technologies be used to provide us with further personal information about your use of our websites and applications. We use this information to improve the usefulness of our websites and applications to you.

Your Choices

You have several choices when providing your personal information to Roche. You may decide not to provide your personal information at all by electing not to enter it into any forms or data fields on our websites or other forms (such as consent or meeting registration forms) that may be provided to you from time to time. If you choose not to provide your personal information, or provide incomplete or misleading information, Roche may not be able to provide you with information and/or access to services that may be of use or interest to you.

Certain websites may ask for your permission for certain uses of your personal information and you can elect to accept or decline those uses. If you subscribe to particular services or communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in each communication.

If you decide to unsubscribe from a service or communication or to update or remove your personal information, we will address your request and amend our records accordingly. We may require some additional information from you before we can process your request.

As described above, if you wish to prevent cookies from tracking you anonymously as you navigate our websites, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Note, however, that some portions of our websites may not work properly if you refuse cookies.

Management and use of Personal Information

1. Use of personal information

The purposes for which Roche may collect, hold, use and disclose your personal information will vary, depending on the nature of the relationship you have with Roche, the type of information, and whether the information is personal information or sensitive information. For example, these purposes may include:

i. to contact you or provide information and/or materials to you:

• with respect to Roche products and/or services;
• to administer and conduct consulting and service arrangements with Roche;
• to administer or conduct educational and /or commercial meetings or programs;
• to update you on medical congresses, events and news;
• to process your personal information and manage business relationships with you;
• to optimise and recommend personalised online content, products, progams and services to you based on your preferences and past interactions;
• to maintain your current contact details in our records and
• to conduct relevant market research.

ii. to fulfil obligations under relevant industry codes of conduct, meet regulatory requirements and legal obligations;

iii. to conduct our business:

• for audits;
• to investigate or respond to a complaint or cyber or security threat;
• to register visitors of Roche facilities or Roche organised events;
• to run, maintain and improve our websites, platforms and products;
• to analyse data, for example, to improve our products and/or services offering;
• to develop new products and/or services; and
• to facilitate the provision of products and services to and by Roche.

iv. to monitor and maintain a record of the safety and efficacy of our products;

v. to fulfil your requests;

or as otherwise disclosed to you in this Policy from time to time.

2. Disclosure of your personal information

Roche will not disclose personal information about you to any person except in accordance with the Act and this Privacy Policy, and only where necessary. The circumstances in which we may disclose that information include:

• where Roche notified you at the time of supply of the information to Roche or it is expressly permitted under any agreement with you;
• where it is necessary to provide you with a service or goods that you have requested;
• where it is required for the ordinary operation of our business (for example, sending you information about our goods and services, data processing, medical or scientific research);
• where it is necessary for support services to be provided in relation to our business activities (please note that such disclosures will only be to people and entities required to meet the same standards of data protection and which are prevented from using the information for their own marketing purposes);
• where we consider the law requires it, or it is in response to any demand by law enforcement authorities;
• where Roche is required to provide your personal information to a regulatory authority such as the Therapeutic Goods Administration, or State and Territory drug and health authorities; and
• in the case of healthcare professionals, details of sponsorship or educational support may be provided to Medicines Australia to meet reporting requirements and displayed on the Roche Australia website for 3 years or such other period as required under the Medicines Australia Code of Conduct from time to time.

3. Disclosure to unrelated third parties for business purposes

Roche may disclose your personal information to third party service providers that it uses in the ordinary operation of its business. We will only provide your personal information to reputable third parties, on a confidential basis, and where we are satisfied that those third parties have robust information security policies and practices in place and will similarly comply with the Act. Where practicable, we will contractually oblige such third parties working with Roche to comply with the Act and the terms of this Policy. For example, these third parties may include:

• conference organisers that engage in marketing, data processing and associated printing and mailing activities;
• clinical research organisations engaged in medical research;
• healthcare data aggregators that supply syndicated databases of healthcare professionals and their practices;
• customer database providers that assist Roche to provide services to healthcare professionals. To ensure that we have access to the most up to date information, we may disclose some information about healthcare professionals and their practices to our customer database provider(s). The information we disclose is limited to professional information about healthcare professionals and their practices. The information is used for commercial purposes. The customer database provider makes that information available to all parties who also have access to our customer database provider’s database, including other pharmaceutical companies; and
• service providers that assist Roche to supply products and/or services to Roche’s customers.

4. Disclosure to third parties outside of Australia

Roche may transfer your personal information to Affiliates and third party service providers located outside of Australia. The countries in which your personal information may be disclosed include but are not limited to the United States, Singapore, Japan, Switzerland, India, Malaysia, Philippines and countries within the European Union.

Your personal information may be aggregated with data from other Roche sources and stored or processed on computers or web-based database systems located outside Australia where data protection laws may differ from ours. In this event we will make every effort to ensure that aggregated data is de-identified.

Your personal information may be stored, maintained and processed on computers or web-based database systems at Roche in Australia that may be accessed by and shared with Roche Affiliates, third party service providers and/or regulatory authorities located outside of Australia.

Under these circumstances, the Roche Affiliate or third party service provider will be obliged by Roche to comply with the Act.

5. Direct Marketing

At any time, you may opt out of receiving any communications from Roche, other than as required for the operation of our business, such as to facilitate payment of accounts. If you opt out of receiving communications from Roche, we may then be unable to provide you with all of the information regarding our programs, events, services or products that may be of benefit to you. If you decline to provide us with your personal information, or subsequently opt-out, it will likely preclude the provision of relevant services to you by Roche.

Protection of your Personal Information

1. Information security

Roche recognises that protecting our information assets from security threats is an increasingly challenging task due to enhanced connectivity to business partners, cloud services, customers, and suppliers. Information security is a combination of elements such as organisation, people, roles and responsibilities, processes, controls, technologies and practices, that aid in protecting corporate assets and sensitive information, from unauthorised access, use, disclosure, disruption, modification or destruction whether by accidental or intentional means.

In addition to dedicated internal and third party personnel who are tasked with maintaining the confidentiality, integrity and availability of information held by Roche, Roche places the responsibility for protecting your personal information on each individual who deals with information to help protect it against various security threats.

Roche uses and maintains industry standard technology and cybersecurity precautions, rules and other procedures to protect your personal information from unauthorised access, improper use, disclosure, loss, modification, interference or destruction. To ensure the confidentiality, integrity and availability of your personal information is maintained, Roche also uses industry standard firewalls and password protection.

It remains your personal responsibility to ensure that the computer you are using is adequately secured and protected against malicious software, such as trojans, computer viruses and worm programs.  Without adequate security measures (e.g. secure web browser configuration, up-to-date antivirus software, personal firewall software, no usage of software from dubious sources) there is a risk that the data and passwords you use to protect access to your data could be disclosed to unauthorised third parties.

2. Mandatory data breach reporting

Roche recognises that we face daily security-related threats to personal information we hold. For example, these threats may include deliberate attempts by unauthorised individuals to gain physical access to premises or computing devices and extract sensitive information from Roche, attempts to load harmful software onto Roche computing devices, and unintentional vulnerabilities and disruptions.

If, despite our best efforts, the security of your personal information is potentially compromised due to an actual or suspected data breach, Roche will follow the procedures outlined in its data breach response plan, including:

• containing the data breach;
• conducting a risk assessment to assess the severity of a suspected or known data breach; and
• assessing whether an eligible data breach has occurred.

If an eligible data breach has occurred, Roche may report the data breach to third parties such as:

• Roche’s financial services provider
• police or law enforcement bodies
• the Australian Securities & Investments Commission (ASIC)
• the Australian Taxation Office (ATO)
• the Australian Transaction Reports and Analysis Centre (AUSTRAC)
• the Australian Cyber Security Centre (ACSC)
• the Australian Digital Health Agency (ADHA)
• the Department of Health
• the Office of the Australian Information Commissioner (OAIC)
• State or Territory Privacy and Information Commissioners
• professional associations and regulatory bodies such as Medicines Australia and Pathology Technology Australia
• insurance providers

Provided that Roche has your contact details, Roche will notify you if you have been personally impacted by an eligible data breach.

3. European general data protection regulation (“GDPR”)

Roche’s parent company and many of Roche’s Affiliates are subject to the GDPR. Although many of the privacy principles of the GDPR are similar to the Act and other Australian privacy laws, there are some differences. If you are a European resident, Roche may be subject to GDPR in relation to personal information it holds about you. Accordingly, we request that you notify us if you are a European resident when you transfer your personal information to us or if you are aware that we are collecting your personal information. Your personal information will still be subject to the same information security standards as are applied to all personal information held by Roche and its global Affiliates. However, we may manage your personal information in a different manner to take account of data portability entitlements and other GDPR-specific requirements.

4. Links to other websites

Our website may contain links to a number of other external websites that may offer useful information to you. This Privacy Policy does not apply to those websites, and we recommend communicating with them directly for information on their privacy policies.

Access, Corrections and Further Information

If you would like to:

• request access to your personal information held by Roche;
• request an amendment or correction of your personal information held by Roche;
• ask us to remove your personal information from our system;
• ask us questions about this Privacy Policy; and/or
• request a copy of this Privacy Policy,

Your request should provide as much detail as possible to assist us to identify information relevant to you, such as your name and contact details, any former names and the information you believe Roche may hold about you. You do not have to provide a reason for requesting access. Where Roche holds information that you are entitled to access, we will endeavour to provide you with a suitable range of choices as to how you may access it (e.g. emailing or mailing it to you). In any event Roche will acknowledge receipt of your request within a reasonable period and in any event within 10 working days and endeavour to respond to your request within 30 days.

If you believe that personal information Roche holds about you is incorrect, incomplete or inaccurate, then you may request we amend it. We will consider if the information requires amendment. If Roche does not agree that there are grounds for amendment, then we will add a note to the personal information we hold stating that you disagree with it.

Any questions about this policy, or any complaint regarding treatment of your privacy by Roche, should be made through the contact details below.

Your request should provide as much detail as possible to assist us to identify information relevant to you, such as your name and contact details, any former names and the information you believe Roche may hold about you. You do not have to provide a reason for requesting access. Where Roche holds information that you are entitled to access, we will endeavour to provide you with a suitable range of choices as to how you may access it (e.g. emailing or mailing it to you). Roche will acknowledge receipt of your request within a reasonable period and in any event within 10 working days and endeavour to respond to your request within 30 days.

If you believe that personal information Roche holds about you is incorrect, incomplete or inaccurate, then you may request that we amend it. We will consider if the information requires amendment. If Roche does not agree that there are grounds for amendment, then we will add a note to the personal information we hold stating that you disagree with it.

Contact

We are committed to constantly improving our procedures so that your personal information is treated appropriately.

If you have any questions or would like to know more about our privacy practices, please contact Roche by one of the following means:

Roche Products Pty Limited
By mail to:
Privacy Officer
Roche Products Pty Limited
Level 8, 30-34 Hickson Road
Sydney NSW 2000

By email to:  australia.privacy-request@roche.com

Roche Diagnostics Australia Pty Limited
By mail to:
Privacy Officer
Roche Diagnostics
Australia Pty Limited
Locked Bag 2225,
North Ryde NSW 1670

By email to:  australia.qra@roche.com

Roche Diabetes Care Australia Pty Limited
By mail to:
Privacy Officer
Roche Diabetes Care
Australia Pty Limited
PO Box 955,
Castle Hill NSW 1765

By email to:  australia.dc_privacy-request@roche.com

Last updated: 17th October 2023