1.    Purpose

Atmo Biosciences Limited (ACN 626 053 183) (“Atmo”, “we”, “our” or “us”) values privacy and is committed to the appropriate handling and protection of personal information consistent with relevant privacy law. This Policy describes how we collect, hold, use and disclose personal information.

This policy also explains our commitment to data management in general, our approach and responsibilities to support the compliant handling of business information.

2.    Overview

We are a digital health business commercializing a world-first ingestible gas-sensing capsule for gut health (Atmo Capsule). As a clinical stage business, our information processing activities are related to advancing product development of the Atmo Capsule.

At the time of writing this Policy, Atmo does not fall within the meaning of an “APP entity” for the purposes of the Australian Privacy Act (Cth) and the Australian Privacy Principles (APPs). However, we acknowledge that our business and work in digital health must be pursued with regard for and in alignment with privacy law, appropriate information handling and data protection practices. This Policy is therefore modelled on the APPs and applicable privacy requirements that we are subject to through our contractual relationships.

3.    Scope

This policy applies to Atmo and our employees and contractors working for or on our behalf, regardless of location.

4.    Definitions

Data includes business information in any format created, received and maintained, including (but not limited to) emails, documents, web pages, software applications, digital recordings.

Health information is any ‘personal information’ about an individual’s health or disability.

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Sensitive information is information or an opinion that is also personal information about an individual’s race or ethnicity, political beliefs, political, trade or professional memberships or associations, religious beliefs or affiliations, sexuality, criminal record, ‘health information’ and genetic information.

5.    Our Policy

Information we collect

 
5.1    In the course of undertaking and completing our business functions and activities, the type of personal information we collect may vary depending on how individuals engage with us. We may collect and hold personal information about current and prospective investors, shareholders, suppliers, clients, contracted services providers, candidates for employment and employees.

5.2    The type of personal information we collect may include:

1. name
2. personal contact details including email, address and phone number
3. business contact details including email, job title and company
4. date of birth
5. tax file number (TFN)
6. banking details.

5.3    We will always collect information directly from the individual where it is reasonable and practicable to do so.

5.4    We may also collect information about individuals from other sources such as contracted service providers who assist us to operate our business, or when the individual has consented to sharing information with us through a third party.

5.5    Where Atmo receives personal information about an individual that is unsolicited or not reasonably necessary for one or more of our functions or activities, it will be deleted or de-identified.

Sensitive information

5.6    Atmo generally only collects sensitive information if it is required by law.

5.7    If Atmo requires sensitive information for one or more of our functions or activities, we will only collect it where we have consent from the individual.

Use of Information

5.8    Our position is that we work with anonymised or de-identified data wherever possible and in pursuit of the principle of data minimisation.

5.9    Atmo will use and share personal information for the purpose for which we have collected it. This includes:

1. to perform the functions and activities related to advancing product development of our Atmo Capsule
2. establishing and managing the relationship with our employees and contractors
3. administering our relationship with our shareholders
4. responding to expressions of interest and inquiries
5. managing our contracted service providers
6. to comply with industry standards, our legal and regulatory requirements.

5.10    We may also use and share personal information for a related secondary purpose where the individual reasonable expects, as required by law, or other lawful basis for processing under applicable privacy laws.

5.11    Atmo does not sell, rent or trade personal information to, or with, third parties.

5.12    Where necessary, we share personal information with third parties including:

1. financial institutions
2. regulatory agencies or government bodies (such as the Therapeutic Goods Administration in Australia or the Australian Tax Office)
3. our contracted service providers
4. our affiliate Planet Innovation Pty Ltd (Planet Innovation), who we partner with to provide us with a range of professional and business services
5. information technology service providers
6. professional advisers (such as recruitment advisers, auditors, accountants, insurers, and lawyers)
7. externally hosted applications and software subscriptions (for example, for recruitment and onboarding of employees)
8. as required or authorised by law
9. or, otherwise where we have consent from individuals.

Rights of individuals

5.13    Individuals have a right to contact us about their privacy concerns or about personal information we may hold about them, including to access and correct their personal information. All privacy related inquiries should be directed to the contact details below:

Privacy Officer
Atmo Biosciences Ltd
Ground Floor, 436 Elgar Road, Box Hill
Victoria, 3128

Email: info@atmobiosciences.com

5.14    Employees have direct access to their personal information via our human resources platform and can contact the Chief Financial Officer for advice on how to access and correct their personal information.

Storage and protection

5.15    Atmo holds and stores data in hard copy documents or as electronic data in our software or systems, including cloud or other types of electronic storage.

5.16    We use physical and technical safeguards to protect data from interference or unauthorised access, modification, use or disclosure. These include managed access controls to our systems and network, and security measures for access to premises.

5.17    Personal information may be disclosed to third parties in Australia and overseas (such as the United States, New Zealand and countries in the European Economic Area) where it is necessary to perform our core business functions and administer services consistent with this Policy. We take reasonable steps to maintain the security of any data and personal information to prevent misuse and unauthorised access such as entering into contractual arrangements with third parties that cover data processing, including any cross-border transfer of data.

Website

5.18    Our website (https://atmobiosciences.com) is managed by Planet Innovation for us. We will only collect personal information through our website if it is provided by an individual to respond to an information request or inquiry.

6.    Data management approach

6.1    As a clinical stage business, we take a risk and value-based approach to data management to direct our resources and attention. Our high-value business information includes any data that:

1. is critical to product development of our Atmo Capsule
2. affects the rights and entitlements of our employees and stakeholders
3. is subject to a high level of scrutiny or has a high likelihood of legal action if not appropriately handled (e.g. data privacy)
4. involves funding.

6.2    Any compromise of high-value business information will be taken seriously.

7.    Responsibilities

7.1    Atmo employees and contractors are required to be familiar with and comply with this Policy, and relevant IT security and data management policies provided. Any questions or inquiries about this Policy should be directed to the Privacy Officer.

7.2    The Quality and Regulatory Affairs Manager is responsible for reviewing this Policy and developing related procedures and processes to support and give effect to its implementation.

7.3    Data security concerns must be directed to our IT department for first response and reported to the Quality and Regulatory Affairs Manager.

8.    Review

8.1    This policy will be reviewed annually, or more frequently if operational changes impact privacy and data management compliance and updates may be published without notice. This policy was last updated on 4 March 2022.