Privacy policy

1.1  MSBase Foundation Ltd (ABN 23 109 714 310), (“Foundation”) is committed to protecting the privacy of personal information which the organisation collects, holds, and administers. Personal information is information which directly or indirectly identifies a person. This privacy notice (“Privacy Notice”) explains how we ensure that the personal data of MSBase Registry Members and people applying for membership of the MSBase Registry, is handled in compliance with applicable legislation, and sets out the principles governing our use of your personal information.

1.2  By using the MSBase Registry Website Membership Sign Up function to become an MSBase Member and therefore register as a User of the services which we provide, you agree to the use of your data according to this Privacy Notice. We ask you to read this Privacy Notice carefully.

1.3  We need to use your personal data to be able to operate the MSBase Registry and MSBase Registry Observational Study and meet our obligations and responsibilities in relation to the MSBase Registry Members, applicable legislation, and good industry practice.

2.1  This Privacy Notice is written in relation to the privacy of the personal information of MSBase Members and people applying for membership of the MSBase Registry. It does not relate in any way to the codified information of patients who have been consented by participating MSBase Members to participate in the MSBase Registry Observational
Study, which is controlled by the hospital or clinic at which they were consented.

2.2  The personal information we collect is kept to a minimum of your title, full name, birth year, gender, profession, professional email address, name of the hospital or clinic and department at which you work, the street address, city, country, postcode and phone number of the hospital department or clinic at which you work and EDSS certification information, so that we can deliver our services to you. 

3.1  The Foundation is the data controller for the processing of your personal data and is responsible for ensuring that the processing is carried out in accordance with applicable legislation. If you have any questions regarding the processing of your personal data, you will find our contact details at the end of this Privacy Notice.

3.2  We have designated a data protection officer (“DPO”) who will monitor our compliance with applicable data protection legislation. You can contact the DPO on the contact details provided at the end of this Privacy Notice.

We use your personal data for the following purposes:

Membership management:

• Membership request verification procedures
• General membership support and maintenance
• Membership communications
• Information storage
• Auditing purposes

Science:

• Statistical analysis by approved MSBase contractors
• Collaborative research and authorship, including the submission of abstracts to scientific journals and meetings

IT services:

• Operating and maintaining the MSBase Registry Website Platform
• General IT support relating to the MSBase Registry or the MSBase Software Tools
• Software installation support
• Software maintenance and support
• Queries and bug resolution

Below you can find more information about our processing of your personal data.

5.1  The personal data that we process about you are data that you have provided us with or that we have otherwise acquired during our business relationship. We may collect data by way of:

• the MSBase Registry Website Membership Sign Up forms
• emails sent to and from the Foundation
• documentation such as letters, contracts, and agreements
• meetings, conversations, social media, events, or online forms

5.2  We may also collect or receive information about you from other sources, such as:

• internet searches performed to verify the legitimacy of membership requests submitted through the MSBase Registry Website Membership Sign Up forms
• communications with MSBase Registry Members
• public registers
• other third-party service providers.

6.1  We retain your personal data only for as long as is necessary for the purposes for which we originally collected the data in accordance with this Privacy Notice. When we no longer need to save your data, we will remove it from our systems. The retention time depends on the context and cannot in all cases be specified in advance.

6.2  Data processed as part of MSBase Registry operations is stored for the duration of membership; or, until such time the Foundation performs a membership audit and may remove archived membership applications, inactive user and centre profiles, or duplicated or erroneous profiles, or until such time that the Foundation receives a request for removal of personal data under your right to erasure.

7.1  We may share your personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Notice. We may therefore share data with:

• MSBase Operations staff
• Registered MSBase Members
• MSBase contractors, namely statisticians and data scientists
• Contracted IT companies
• Regulatory bodies
• Contracted data processing organisations strictly for the purposes of collaborative research and only when a Member has given permission
• Data sharing initiatives including other registries strictly for the purposes of collaborative research and only when a Member has given permission
• Pharmaceutical companies strictly for the purpose of collaborative authorship and only when a Member has given permission

7.2  In certain circumstances, we may also need to disclose data upon the request from authorities or to third parties in connection with court proceedings or business acquisition or a combination of processes or other similar processes.

7.3  We will never sell your personal data

8.1  The Foundation will mostly only process your personal data in Australia and Europe.
However, as part of our performance of client matters, we may in individual cases need to transfer personal data to third countries. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within Australia and the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.

9.1  Our responsibility for your rights

9.1.1  In capacity of data controller, we are responsible for ensuring that your personal data is processed in compliance with the law and that you can exercise your rights. You may contact us at any time if you wish to exercise your rights. You will find the contact details at the end of this Privacy Notice.

9.1.2  We have an obligation to respond to your requests to exercise your rights without undue delay and in any event within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline by two more months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

9.1.3  You will not be charged for any information, communication, or measures that we implement. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.

9.2  Your rights to access, rectification, erasure, and restriction

9.2.1  MSBase Members can independently access and rectify their personal data at any time by logging in to the private-access Membership area of the MSBase Registry Website by using their personal credentials.

9.2.2  You have the right to request:

9.2.2.1  Access to your personal data. This means that you have the right to request access to personal data that we hold about you. You also have the right to be provided, at no cost to yourself, with a copy of the personal data that we are processing. We have the right
to charge a reasonable administration fee if you request further copies. If you make a request in electronic form, e.g. via email, we will provide you with the information in a commonly used electronic format.

9.2.2.2  Rectification of your personal data. At your request or on our own initiative, we will correct, anonymise, delete, or complete data that we know to be inaccurate, incomplete, or misleading. You also have the right to complete any incomplete personal data if something relevant is missing.

9.2.2.3  Erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if: 

a) they are no longer needed for the purpose for which we collected them,

b) we process your data based on consent provided by you and you withdraw your consent,

c) you object to us processing your data after a legitimate interest assessment and we have no compelling interest that overrides your interests and rights,

d) we have processed the personal data unlawfully, or

e) we have a legal obligation to erase the personal data. However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than compliance with the law or where there are no
compelling legitimate grounds for doing so.

9.2.2.4  Right to restrict processing. This means that we temporarily restrict the processing of your data. You have the right to request restriction when:

a) you consider your data to be inaccurate and you have requested rectification as defined in paragraph 9.2.2.2, while we establish the accuracy of the data,

b) the processing is unlawful, and you do not want the data to be erased,

c) as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise or defend a legal claim, or

d) you have objected to processing as defined in paragraph 9.3.1, while waiting for us to consider whether our legitimate interests override yours.

9.2.3  We will take all reasonable measures possible to notify everyone who has received personal data as stated in Section 7 above if we have rectified, erased or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.

9.3 Your right to object to processing

9.3.1  You have the right to object to the processing of your personal data if our processing is based upon legitimate interests or public task. If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.

9.4 Your right to data portability

You have the right to data portability. This means the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that these data are transferred to another personal data controller. The right to data portability only applies when the processing is being carried out by automated means and our lawful basis for processing your data is your consent or for the performance of a contract between you and us.

9.5 Your right to object

You have the right to lodge a complaint with your local Data Protection Authority if you are not satisfied with our processing of your personal data.

We want you to feel confident about providing us with your personal data at all times. We have therefore taken appropriate security measures to protect your personal data against unauthorised access, alteration, and erasure. Should a security breach occur that may materially impact you or your personal data, e.g. risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

Our website may use cookies that may include small amounts of personal information to improve our website and other web services and your experience of them. 

We have the right to make changes to this Privacy Notice at any time. When we make changes that are not purely editorial, such as formatting, typographical error corrections or other changes that do not materially affect you, we will inform you of these changes and what they mean for you before they become effective.

Do not hesitate to contact us if you have any questions about this Privacy Notice, our processing of your personal data or if you wish to exercise your rights.

MSBase Foundation (ABN 23 109 714 310)

Address: The Alfred Centre, Level 6, 99 Commercial Road, Melbourne, VIC 3004, Australia

Telephone: +61 3 9342 8070

General Email Enquiries: info@msbase.org

Data Protection Officer: dpo@msbase.org