Search Brave foundation
Privacy Policy
Purpose
The Privacy Policy outlines in detail the processes and guidelines that Brave Foundation (Brave) has designed and implemented to ensure the personal information of those we engage with is respected, protected, and handled in accordance with all relevant Acts and Regulations, and the Australian Privacy Principles.
To the extent of an inconsistency between the terms of this Policy and any relevant Federal, State or Territory privacy laws, regulations or guidelines, the conditions more favourable to the person whose personal or sensitive information is being handled will prevail.
Policy Statement
Brave values and respects the privacy of the those the organisation engages with – staff members, program participants, organisational supporters and partners, and volunteers – as well as the children and communities the organisation seeks to serve. Protecting the privacy of everyone that engages with the organisation is of vital importance to Brave.
Brave is committed to collecting, storing, and using personal or sensitive information responsibly, and in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs), and the Payment Card Industry Data Security Standard (PCI DSS).
This Policy describes how Brave collects, holds, uses and discloses personal information, how Brave maintains the quality and security of personal information, and how to make an enquiry or complaint about how Brave has handled personal information.
Brave is committed to ensuring policies are reflective of the diversity of the communities the organisation engages and works with.
Scope
This policy applies to the Board of Directors and all employees of Brave Foundation (including casual/seconded/contractual staff/apprentices/interns), program participants, organisational partners, all individuals or businesses that engage with Brave, and volunteers.
Definitions
Senior Privacy Officer (SPO) | The SPO is responsible for overseeing privacy compliance, managing data protection policies, and ensuring Brave adheres to the Australian Privacy Principles (APPs). Required to be appointed in small not for profit organisations where turnover exceeds $3m per annum. |
PCI DSS
|
Payment Card Industry Data Security Standard: a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. Further information can be found at: https://listings.pcisecuritystandards.org/pci_security/ |
APPs | Australian Privacy Principles; 13 Principles governing standards, rights and obligations around:
Further information can be found at: https://www.oaic.gov.au/privacy/australian-privacy-principles |
Redacting, redacted | Edited to obscure or remove sensitive information. |
De-identified | A person’s identity is no longer apparent or cannot be reasonably ascertained from the information or data. |
Personal information, sensitive information | Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances (OAIC, 2023). Sensitive information is personal information that includes information or an opinion about an individual’s:
Generally, sensitive information has a higher level of privacy protection than other personal information (OAIC, 2023). For the purposes of this Policy, personal and sensitive information will use the same definition, and be referred to under the umbrella term ‘personal information’, except where otherwise indicated. |
(web) Cookie | A cookie is a piece of data from a website that is stored within a web browser that the website can retrieve later. Cookies are used to tell the server that users have returned to a particular website. |
Virtual IT Department | Brave’s contracted information technology support service. |
Employment Hero | Brave’s contracted human resource information system (HRIS). |
WEEL | Brave’s virtual debit card merchant. |
DEXT | Brave’s expense management system. |
DriversNote | Drivers Note is an application that records business trips automatically, manually or with a motion detecting device. Brave uses this application for recording km’s travelled for work related purposes where reimbursement is sought. |
InfoXChange | Brave’s contracted customer management software (CMS). |
Brave, the organisation | Brave Foundation |
Staff, Brave staff, staff member | All employees of Brave Foundation (including the Board/casual/seconded/contractual staff/apprentices/interns) and volunteers. |
Authorities & responsibilities
Title | Authorities | Responsibilities |
Board of Directors | To approve the Privacy Policy | Receive and respond to serious breaches of the Privacy Policy as they arise within the organisation, as brought via the Strategy and Governance Committee, and CEO. |
Risk, Audit and Finance Committee | To endorse the Privacy Policy for Board approval. | Receive and respond to serious breaches of the Privacy Policy as they arise within the organisation, as brought via the CEO. |
Chief Executive Officer | To authorise relationships relevant to the Privacy Policy, such as the contractual agreement with the Virtual IT Department | Comply with and ensure oversight of Privacy Policy within the organisation. To receive reports and manage breaches of the Privacy Policy, as brought via the Senior Leadership Team and other staff, and report to the Risk, Audit and Finance Committee and Board, where required. |
Head of Corporate Services | To act as Senior Privacy Officer and oversee privacy compliance with Brave Foundation. Ensure Brave adheres to the Australian Privacy Principles (APPs). | |
Senior Leadership Team (SLT) (including CEO) | Comply with and ensure staff are aware of and comply with the Privacy Policy. To receive reports and manage breaches of the Privacy Policy, as brought via their direct reports, and report to the CEO. | |
Employees (Board, CEO, SLT, SEEA/SEED team, volunteers and contractors) | Comply with the Privacy Policy. To report any breaches of the Privacy Policy to their direct manager as soon as they become aware. |
Procedure
1. Brave’s Privacy Commitment
Brave is bound by laws which impose specific obligations when it comes to handling personal information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information:
- Data minimisation – Collect only information which the organisation requires for its business function.
- Transparency – Ensure that all parties are informed as to why the information is collected and how the information gathered is administered.
- Use and disclose personal information only for business functions or a directly related purpose, or for another purpose with the individual’s consent.
- Data security – Store personal information securely, protecting it from unauthorised access.
- Provide all parties with access to their own information, and the right to seek its correction.
- Consent – Obtain explicit consent from individuals before collecting or processing their personal data, especially for sensitive information. Provide all parties with the right to withdraw their consent to share their information at any time, even if prior consent has been given.
- Data Breach notification – In the event of a notifiable data breach, notify affected individuals and the OAIC within 72 hours
- Grant defined critical incidents – in the event of a critical incident defined under specific grants, the funder directed reporting processes will be followed
- Data Retention and Deletion – Retain personal data for as long as necessary and for the purpose it was collected. Refer to the records management policy for further information
In addition to the Privacy Policy, Brave has several further policies and procedures that specify the security measures and protocols the organisation has in place to protect the information and data the organisation handles. These are:
- Code of Conduct
- Information Technology and Security Policy
- Data Breach Policy
- Records Management Policy
2. What is personal, or sensitive, information?
‘Personal information’ means any information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.
In general terms, this includes information or an opinion that personally identifies them either directly (e.g., by name) or indirectly.
Sensitive information is a sub-set of personal information, more specifically relating to an individual’s racial or ethnic origins, sexual preferences or practises, criminal record, health-related information (including disabilities), or other sensitive details. Brave will ensure that any sensitive information is afforded a higher level of privacy protection than other personal information because its inappropriate use or disclosure could have adverse consequences for the individual involved.
3. What personal information does Brave collect?
The personal information Brave collects about individuals depends on the nature of their dealings with Brave, and what the individual chooses to share with the organisation. Brave will only collect personal information if consent to the collection of this information is received, and the information is reasonably necessary for one or more of the organisation’s business functions or activities.
Brave asks for and collects information that helps the organisation engage with an individual, or to assist the organisation in completing its work. For example:
- to assist an individual in engaging with our programs
- to apply for or complete a contracted, volunteer or other role with Brave
- to process a donation or purchase from our website and provide a receipt
- to engage with a request for organisational support
- to evaluate, assess or report upon the impact of Brave’s programs
- to distribute newsletters or other communications that have been subscribed to
- to record support of a petition or letter as part of Brave’s advocacy work.
For program participants, this may include (but is not limited to):
- Personal details, child/ren and family details, such as name, pronouns, date of birth, gender, age, race, religious beliefs, disabilities, languages spoken, and medical conditions
- Contact details such as postal addresses, email address and phone numbers
- Information related to areas of the organisation a participant might be interested in engaging with or supporting
- Information related to personal goals and desired program outcomes
- Other information about life and social support networks that will assist staff with delivering Brave’s support programs
- Information relating to other support services and organisations that have been engaged
- Feedback and experiences with Brave staff and other service providers
- Conversations by phone, email, social media, webchat, post or in person, with Brave staff and volunteers: this might include additional information communicated to the organisation about family or information related to personal circumstances or interests
In accordance with the Privacy Act 1988, Brave may also collect information from third parties when it is both appropriate and necessary for organisational functions or activities. For instance, for those under 18, this information may be sourced from a parent or guardian with informed consent from both parties.
Brave also utilises several consent forms in the process of collecting personal information that relates to program participants. To support understanding of a participant’s rights regarding the collection and use of their information, at the commencement of the program a mentor will provide their participants with a Welcome Pack. This pack includes copies of the Participant Consent Form, the Consent to Share Information Form, and the Information about Consent Handout.
From time to time, Brave may create and circulate additional consent forms – for example, when conducting a particular research or consultation project, an event or media opportunity, or a series of interviews, focus groups or workshops. These documents will be made available, and the opportunity to discuss the details with Brave staff will be offered, prior to any personal information being collected. An example of this is Participant Media Consent Form.
For Brave staff members or volunteers (or for those applying for a position), this may include (but is not limited to):
- Personal details, such as name, pronouns, date of birth, gender, age, race, languages spoken, and medical conditions (including disabilities)
- Contact details such as postal addresses, email address and phone numbers
- Identification documents
- Educational or professional credentials
- Vaccination records
- Working With Vulnerable People/Children Checks (or their relevant equivalent) in the State or Territory where the volunteer/employee is based
- National Police Checks
- Time and wage records
- Financial records, such as details of bank accounts
- Contract of work, including commencement date, if the staff member is full, part time or casual, and permanent or temporary.
- Leave records
- Superannuation and tax details
- Individual flexibility arrangements (please see: Flexible Working Arrangements Policy for further information)
- Details of travel arrangements made when travelling for work-related purposes
- Other information to help Brave ensure that all policies and procedures are adhered to, such as driving records through DriversNote and financial records through WEEL and/or Dext.
Brave may also complete, and store the results of, a psychological screening prior to employment.
For those that donate to Brave, purchase a product from the website, subscribe to a newsletter, engage with the organisation on social media, as a service provider, or otherwise, this may include (but is not limited to):
- Personal details, like name, pronouns, date of birth, gender and age
- Contact details such as postal addresses, email address and phone numbers
- Payment details (including transaction details/payment history) or other banking or financial information (note credit card details are not kept on file)
- Records of communication and interactions with us and details/history of preferences.
- Conversations by phone, email, social media, webchat, post or in person, with Brave staff and volunteers: this might include additional information if shared about family or information related to particular circumstances or interests
Individuals are in control of the personal information provided to Brave. Most personal information collected by Brave comes from the individual. The individual can request to change or access their details at any time.
4. Collecting information through Brave’s website, online activity cookies & social media
Brave may collect information about how its digital services are used to tailor services to the individual and ensure the organisation is providing the best experience to those that interact with Brave. For example, Brave may do this when links are clicked on emails or the Brave website, when an individual visits another website which displays one of Brave’s advertisements, or when an individual engages with the organisation online via social media platforms like Facebook. Usually, the information Brave collects in this way is only general information, such as user statistics. However, some information may be able to identify individuals.
Brave may also use advertising companies (e.g., Google and Facebook) to place ads on third party websites. When an individual views a Brave advertisement on a third-party website, the advertising company uses cookies and, in some cases, ‘web beacons’ to collect information about:
- the server the device is logged onto;
- the web browser type;
- the date and time of the visit; and
- the performance of Brave’s marketing efforts.
When an individual visits and interacts with a third-party website, Brave suggests reviewing the third party’s privacy policy as any of the personal information provided and interactions with that page are outside Brave’s control.
If Brave does associate information about users of our website or digital services with personal information Brave holds, any use or disclosure of that information will be in accordance with this Privacy Policy.
Individuals can also engage with Brave via social media platforms and can always control of how content is received through each platform’s settings. Any information posted to social media will be managed in accordance with the platform’s specific policies.
5. How is personal information be used and shared?
Brave will use an individual’s personal information for the purpose it was collected, and where appropriate, for the purpose of continuing and improving the organisation’s work of supporting expecting and parenting young Australians. Importantly, Brave never rents, sells, or exchanges personal information without prior consent.
The only exception to this is where Brave is compelled to disclose personal information to prevent a serious and imminent threat to life or health, or as otherwise required or authorised by law.
For program participants, this may include (but is not limited to):
- Collecting, storing and reviewing personal information of participants and/or their children for the purpose of providing support during or after engagement with our programs. This extends to participation on the Empowering the Voices of Young Parents Advisory Group as either a member or affiliate.
- Where Brave has a participant’s permission, sharing personal information with a community service provider, or organisational partner or stakeholder, for the purposes of seeking additional support for that participant and/or their family members (such as a financial assistance program or housing provider)
- Where Brave has a participant’s permission, sharing personal information with a funding body, other government department, media, or community partner or stakeholder for the purpose of coordinating opportunities for young parents to participate in providing their ‘lived experience’ voice
- Where Brave has permission to share personal information with relevant law professionals or law enforcement officials (such as for the purpose of assisting a participant in a legal matter or court case)
For Brave staff members or volunteers, this may include (but is not limited to) collecting, storing, and reviewing personal information for the purpose of fulfilling the contractual agreement made with Brave, such as:
- For internal organisational and administrative purposes (for example, storing bank details to pay salary, or an address for the purpose of sending work related materials)
- For the purpose of fulfilling obligations under Brave’s organisational policies and procedures (for example, storing vaccination records, a copy of a pre-employment psychological screening, or a copy of educational or professional credentials)
- For the purpose of ensuring adherence to Brave’s organisational policies and procedures (for example, tracking usage and storage of data on a Brave owned electronic device – please see ‘Information Technology and Security’ Policy for further information)
For individuals that donate to Brave, purchase a product from the Brave website, engage with Brave as a service provider, or otherwise engage with Brave, this may include (but is not limited to) collecting, storing, and reviewing personal information for the purpose of:
- processing donations or payments, and provision of receipts and/or refunds;
- administering, improving and personalising communications (including direct and digital marketing)
- addressing service enquiries
- maintaining and updating Brave records
Brave may also, where provided, request, collect, store, and review feedback, experiences, and support of the organisation’s program for the purpose of providing reports to funders, supporting Brave’s approach to seek and secure further/additional funding and to improve the quality of the service Brave offers.
5.1 Deidentified information
Where possible and appropriate, Brave may de-identify the information that is held, so that an individual’s identity is not made known by the sharing of this information.
Examples of this include, but are not limited to:
- redacting names, ages or locations in a testimonial or feedback supplied to Brave about services provided, which are used for the purpose of reporting the impact of the program to Brave’s funders or organisational partners, research outlets, or as an advertisement of services offered.
- Use of pseudonyms to protect from identification
- Using statistical information as part of a larger report or body of work that demonstrates evidence related to our program; for example, indicating the overall number of program participants engaged with Brave that identify as Aboriginal or Torres Strait Islander.
5.2 Using images
For participants of Brave’s programs:
As part of Brave’s ongoing commitment to documenting and the sharing transformative experiences of those engaged with Brave’s programs, there might be occasions when an individual and/or their children are photographed. These instances primarily include capturing moments for Brave’s website, promotional materials, reports, and other relevant documentation.
The intention behind these images is manifold:
- To genuinely portray the bond between Brave program participants and their child/ren
- To highlight the diligent work of Brave’s staff
- To underscore the overarching positive influence Brave and its initiatives have on young Australians and the broader communities they are part of.
Prioritising Consent and Privacy when collecting and using images:
- Consent First: Brave is steadfast in its commitment to respect privacy and protect safety. Brave will always seek explicit written consent before using or sharing any photographs where an individual and/or their children are recognisable. This consent will be stored in the client management system in the participant’s file.
- Opting Out: If an individual has concerns about being photographed or having their child/ren photographed, there is no obligation to participate. This decision will have no bearing on an individual’s involvement or their child/ren’s involvement with Brave’s programs.
- Reassessing Consent: Individuals are empowered to withdraw consent, should they change their mind. On such occasions, Brave will act promptly to discontinue the use of the associated images in materials and platforms.
For staff members:
- Consent First: Brave is steadfast in its commitment to respect privacy and protect safety. Brave will always seek explicit written consent before using or sharing any photographs of staff members. This consent will be stored in Employment Hero on the employee’s file and will be requested as part of the onboarding process.
6. How is personal information stored?
Brave engages reputable third parties, including digital services, software, cloud-based storage systems, research and analytics services, and other specialists to help the organisation provide the best possible services, operate with efficiency and better serve the communities it supports. These partners may be located or have data centres outside of Australia. Brave may also use, and/or store information overseas, or use cloud service providers where technical systems may be located or processed overseas (for example, social media platforms).
In all cases, this does not change Brave’s commitment to safeguarding privacy.
Brave requires external service providers to handle personal information carefully, lawfully, and, where possible, in accordance with this Privacy Policy. Brave also receives ongoing advice regarding best practise security and digital information handling from its specialised IT support service, the Virtual IT Department, to ensure practises are up to date with the latest developments and are fit for purpose.
7. How is personal information kept secure?
Brave stores and manages personal information in accordance with the Privacy Act, and the Australian Privacy Principles. Brave takes the security of personal information seriously and will take all reasonable steps to ensure safe systems, processes, and training in place to protect personal information, including by:
- Ensuring any third party program or service Brave uses to store, review, transmit or disseminate data is appropriately secure and meets all of the obligations and guidelines under the Privacy Act 1988, and the Australian Privacy Principles,
- Using third party secure response forms when requesting personal and payment card details on the Brave website.
- Taking reasonable steps to preserve the security of cookie and personal information in accordance with this Privacy Policy, including using secure encryption where possible.
- Taking reasonable steps to ensure any physical information, such as printed documentation, is kept appropriately, securely, and not left unattended at any time (for example, maintaining a clean and tidy working area and locked storage cupboards)
- Taking reasonable steps to ensure the privacy of those that are engaged with Brave in public (for example, a participant meeting a mentor at a public location)
- Complying with the Payment Card Industry Data Security Standard (PCI DSS) to ensure all credit card information is securely transmitted, processed and stored.
- Keeping updated of developments in security and encryption technologies and reviewing and updating relevant internal policies and procedures as needed.
Unfortunately, no data transmission over the internet can be guaranteed as secure. Although Brave strives to protect personal information, Brave cannot ensure or warrant the security of any information transmitted online, and individuals do so at their own risk. However, once transmission is received, we will take all reasonable steps to preserve the security of the information in Brave’s systems.
7.1 Third party software security
Where Brave has contracted a third-party provider to supply software or a program that holds sensitive personal or organisational information (for example, Employment Hero to record information on staff, or a client management system to record information relating to program participants), Brave will take measures to ensure the service provider meets all the security obligations outlined by relevant laws and regulations, and any internal organisational policies.
This will include, but is not limited to, requesting The Virtual IT Department review all contracts, and completing a security questionnaire prior to their confirmation to ensure the correct security standards are met.
8. How long does Brave keep information?
The period for which Brave holds information depends on the type of information being held and is governed by the relevant law or regulation. Australian Privacy Principle 11 provides that ‘an entity must take reasonable steps to destroy or de-identify the personal information it holds once it no longer needed for the purpose for which the personal information may be used or disclosed under the APPs’.
The Records Management Policy provides further information on the various records Brave holds and their retention periods.
9. How can an individual request access to personal information, or request it be corrected or updated?
If an individual wishes to update, change, withdraw, or request access to personal information Brave holds, they should contact the person to whom they originally gave the information. Individuals have a right to access their personal information and can do so through Freedom of Information processes.
For program participants, this will be their Mentor. For Brave staff, this will be their direct manager, or the Head of Corporate Services.
If an individual is unable to get in contact with the person they gave the information, or wishes to contact a different member of Brave staff to make a request, they can contact Brave Head Office on:
Phone: 0448 088 380
Brave will aim to respond to enquiries within 10 business days of the enquiry being received.
10. Deletion of personal data
Individuals can request the deletion of their personal data in several specific circumstances when it is no longer necessary or legally required:
- Data no longer needed – if the personal data is no longer necessary for the purpose for which it was collected or processed
- Withdrawal of consent – if the individual withdraws their consent on which the data processing is based, and there is no other legal ground for the processing
- Objection to processing – if the individual objects to the processing of their data and there are no overriding legitimate grounds for processing
- Unlawful processing – if the personal data has been unlawfully processed
- Legal obligation – if the personal data must be erased to comply with a legal obligation
11. How to make a query or complaint
For queries or concerns about the way Brave has handled personal information, please contact the relevant person outlined below. Brave will treat all such discussions with the utmost respect and confidentiality, in line with all applicable laws and this Policy.
For Program participants: Their Mentor, or Brave Head Office on 0448 088 380 or .
For Brave staff members: Their direct manager, the Head of Corporate Services or the CEO.
For external stakeholders, supporters of Brave, or other third parties: Brave Head Office on 0448 088 380 or
Brave will seek to understand, investigate, and resolve all instances of query or complaint in a timely manner and ensure a mutually beneficially outcome is obtained for all parties.
If a resolution is unable to be sought, the person making the enquiry may wish to take the matter further and lodge formal feedback or a complaint. Brave has policies and procedures that outline the specific practises that are to be followed in the event of feedback, or a complaint being made, and the nature of the concern will decide which procedure is to be followed:
External Complaints and Feedback Policy and Procedure: for complaints and feedback made by an individual or organisation external to Brave, such as an organisational partner or program participant
Internal Complaints and Feedback Policy: for complaints and feedback made by an individual employed by Brave
Protected Disclosure (Whistleblower) Policy: for serious matters regarding Reportable Conduct or other behaviours that may fall within the remit of Whistleblower Protection laws; this policy also provides an anonymous reporting mechanism and reports can be made from both internally and externally to the organisation.
If, after the complaint or feedback process has been followed, an individual is still not happy with the way that Brave has handled their concerns, they can raise the matter with the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.
11. Child Safe Organisation: Protecting children & young people
As a Child Safe organisation, Brave recognises the responsibility for children’s safety and protection is embedded within the organisation culture including governance, and organisational policies and practices.
Brave will ensure that, as a child safe organisation, it will maintain all expectations of the 10 National Principles for Child Safe Organisations and obligations of state and territory child safe standards.
Brave is committed to providing environments where children and young people are respected, listened to, and their rights observed. Maintaining the privacy and confidentiality of any young person engaged in our programs is paramount to ensuring safety and wellbeing.
Please refer to the ‘Child Safe Organisation’ Statement and ‘Child Safety – Keeping young people and children safe from harm’ Policy for further information on Brave’s commitments and obligations as a Child Safe organisation.
12. References
Payment Card Industry Data Security Standard (PCI DSS)
Income Tax Assessment Act 1997
13. Breach of Policy
Where there are breaches of this Policy, Brave may escalate the breach to management and/or the CEO which may result in disciplinary action, up to and including termination of contract. For volunteers, this may result in cessation of voluntary service.
14. Review and Revision
This Policy shall be reviewed yearly to ensure its continued effectiveness and relevance. Any necessary revisions shall be made in consultation with the Board of Directors/senior leadership team and the Strategy and Governance Committee.