Privacy Policy

Purpose

The Privacy Policy outlines in detail the processes and guidelines that Brave Foundation (Brave) has designed and implemented to ensure the personal information of those we engage with is respected, protected, and handled in accordance with all relevant Acts and Regulations, and the Australian Privacy Principles.

To the extent of an inconsistency between the terms of this Policy and any relevant Federal, State or Territory privacy laws, regulations or guidelines, the conditions more favourable to the person whose personal or sensitive information is being handled will prevail.

Privacy Statement

Brave values and respects the privacy of those the organisation engages with – staff members, program participants, organisational supporters and partners, and volunteers – as well as the children and communities the organisation seeks to serve. Protecting the privacy of everyone that engages with the organisation is of vital importance to Brave.

Brave is committed to collecting, storing, and using personal or sensitive information responsibly, and in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs) and the Payment Card Industry Data Security Standard (PCI DSS).

This Policy describes how Brave collects, holds, uses and discloses personal information, how Brave maintains the quality and security of personal information, and how to make an enquiry or complaint about how Brave has handled personal information.

Brave is committed to ensuring policies are reflective of the diversity of the communities the organisation engages and works with.

Scope

This policy applies to the Board of Directors and all employees of Brave Foundation (including casual/seconded/contractual staff/apprentices/interns), program participants, organisational partners, all individuals or businesses that engage with Brave, and volunteers.

Definitions

PCI DSS: Payment Card Industry Data Security Standard, a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

Further information can be found at: https://listings.pcisecuritystandards.org/pci_security/

APPs: Australian Privacy Principles; 13 Principles governing standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation or agency’s governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information.

Further information can be found at: https://www.oaic.gov.au/privacy/australian-privacy-principles

Redacting, redacted: Edited in order to obscure or remove sensitive information.

De-identified: A person’s identity is no longer apparent or cannot be reasonably ascertained from the information or data.

Personal information, sensitive information: Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances (OAIC, 2023).

Sensitive information is personal information that includes information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions or associations
  • religious or philosophical beliefs
  • trade union membership or associations
  • sexual orientation or practices
  • criminal record
  • health or genetic information (including any disabilities)
  • some aspects of biometric information.

Generally, sensitive information has a higher level of privacy protection than other personal information (OAIC, 2023).

For the purposes of this Policy, personal and sensitive information will use the same definition, and be referred to under the umbrella term ‘personal information’, except where otherwise indicated.

(web) Cookie: A cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time.

Cookies are used to tell the server that users have returned to a particular website.

Web beacons: A web beacon is a technique used on web pages and emails to unobtrusively check that a user has accessed some content.

Web beacons are used to help the website owner track the journey of the user navigating through the website or a series of websites. Web beacons are often used in conjunction with cookies.

Virtual IT Department: Brave’s contracted information technology support service

Employment Hero: Brave’s contracted human resource information system (HRIS)

WEEL: Brave’s virtual Mastercard debit card merchant

DEXT: Brave’s expense management system

DriversNote: Drivers Note is an application that records business trips automatically, manually or with a motion detecting device. Brave uses this application for recording km travelled for work-related purposes where reimbursement is sought.

Penelope/InfoXChange: Brave’s contracted customer management software (CMS). Penelope is scheduled to be replaced with InfoXchange in late 2023.

Outcome Stars: Validated measurement tool completed by mentors with their participants to identify and track goals.

Brave, the organisation: Brave Foundation

Staff, Brave staff, staff member: All employees of Brave Foundation (including the Board/casual/seconded/contractual staff/apprentices/interns) and volunteers

Authorities & responsibilities

Board of Directors

  • Authorities: To approve the Privacy Policy.
  • Responsibilities: Receive and respond to serious breaches of the Privacy Policy as they arise within the organisation, as brought via the Strategy and Governance Committee, and CEO.

Strategy and Governance Committee

  • Authorities: To endorse the Privacy Policy.
  • Responsibilities: Receive and respond to serious breaches of the Privacy Policy as they arise within the organisation, as brought via the CEO.

Chief Executive Officer

  • Authorities: To authorise relationships relevant to the Privacy Policy, such as the contractual agreement with the Virtual IT Department.
  • Responsibilities: Comply with and ensure oversight of the Privacy Policy within the organisation. To receive reports and manage breaches of the Privacy Policy, as brought via the Senior Leadership Team and other staff, and report to the Strategy and Governance Committee and Board, where required.

Senior Leadership Team (SLT) (including CEO)

  • Responsibilities: Comply with and ensure staff are aware of and comply with the Privacy Policy. To receive reports and manage breaches of the Privacy Policy, as brought via their direct reports, and report to the CEO.

Employees (Board, CEO, SLT, SEEA/SEED team, volunteers and contractors)

  • Responsibilities: Comply with the Privacy Policy. To report any breaches of the Privacy Policy to their direct manager.

Procedure

1. Brave’s Privacy Commitment

Brave is bound by laws which impose specific obligations when it comes to handling personal information. The organisation has adopted the following principles as minimum standards in relation to handling personal information.

Brave will:

  • Collect only information which the organisation requires for its business function;
  • Ensure that all parties are informed as to why the information is collected and how the information gathered is administered;
  • Use and disclose personal information only for business functions or a directly related purpose, or for another purpose with the individual’s consent;
  • Store personal information securely, protecting it from unauthorised access;
  • Provide all parties with access to their own information, and the right to seek its correction.
  • Provide all parties with the right to withdraw their consent to share their information at any time, even if prior consent has been given.

In addition to the Privacy Policy, Brave has several further policies and procedures that specify the security measures and protocols the organisation has in place to protect the information and data the organisation handles. These are:

  • Information Technology and Security Policy
  • Data Breach Policy

2. What is personal, or sensitive, information?

‘Personal information’ means any information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.

In general terms, this includes information or an opinion that personally identifies them either directly (e.g., by name) or indirectly.

Sensitive information is a sub-set of personal information, more specifically relating to an individual’s racial or ethnic origins, sexual preferences or practices, criminal record, health-related information (including disabilities), or other sensitive details. Brave will ensure that any sensitive information is afforded a higher level of privacy protection than other personal information because its inappropriate use or disclosure could have adverse consequences for the individual involved.

3. What personal information does Brave collect?

The personal information Brave collects about individuals depends on the nature of their dealings with Brave, and what the individual chooses to share with the organisation. Brave will only collect personal information if consent to the collection of this information is received and the information is reasonably necessary for one or more of the organisation’s business functions or activities.

Brave asks for and collects information that helps the organisation engage with an individual, or to assist the organisation in completing its work. For example:

  • to assist an individual in engaging with our programs
  • to apply for or complete a contracted, volunteer or other role with Brave
  • to process a donation or purchase from our website and provide a receipt
  • to engage with a request for organisational support
  • to evaluate, assess or report upon the impact of Brave’s programs
  • to distribute newsletters or other communications that have been subscribed to
  • to record support of a petition or letter as part of Brave’s advocacy work.

For program participants, this may include (but is not limited to):

  • Personal details, child/ren and family details, such as name, pronouns, date of birth, gender, age, race, religious beliefs, disabilities, languages spoken, and medical conditions
  • Contact details such as postal addresses, email address and phone numbers
  • Information related to areas of the organisation a participant might be interested in engaging with or supporting
  • Information related to personal goals and desired program outcomes
  • Other information about life and social support networks that will assist staff with delivering Brave’s support programs
  • Information relating to other support services and organisations that have been engaged
  • Feedback and experiences with Brave staff and other service providers
  • Conversations by phone, email, social media, webchat, post or in person, with Brave staff and volunteers: this might include additional information communicated to the organisation about family or information related to personal circumstances or interests

In accordance with the Privacy Act 1988, Brave may also collect information from third parties when it is both appropriate and necessary for organisational functions or activities. For instance, for those under 18, this information may be sourced from a parent or guardian with informed consent from both parties.

Brave also utilises several consent forms in the process of collecting personal information that relates to program participants. To support understanding of a participant’s rights regarding the collection and use of their information, at the commencement of the program a mentor will provide their participants with a Welcome Pack. This pack includes copies of the Participant Consent Form, the Consent to Share Information Form, and the Information about Consent Handout.

From time to time, Brave may create and circulate additional consent forms – for example, when conducting a particular research or consultation project, an event or media opportunity, or a series of interviews, focus groups or workshops. These documents will be made available, and the opportunity to discuss the details with Brave staff will be offered, prior to any personal information being collected. An example of this is the Participant Media Consent Form.

For Brave staff members or volunteers (or for those applying for a position), this may include (but is not limited to):

  • Personal details, such as name, pronouns, date of birth, gender, age, race, languages spoken, and medical conditions (including disabilities)
  • Contact details such as postal addresses, email address and phone numbers
  • Identification documents
  • Educational or professional credentials
  • Vaccination records
  • Working With Vulnerable People/Children Checks (or their relevant equivalent) in the State or Territory where the volunteer/employee is based
  • National Police Checks
  • Time and wage records
  • Financial records, such as details of bank accounts
  • Contract of work, including commencement date, whether the staff member is full-time, part-time or casual, and permanent or temporary
  • Leave records
  • Superannuation and tax details
  • Individual flexibility arrangements (please see: Flexible Working Arrangements Policy for further information)
  • Details of travel arrangements made when travelling for work-related purposes
  • Other information to help Brave ensure that all policies and procedures are adhered to, such as driving records through DriversNote and financial records through WEEL and/or Dext.

Brave may also complete, and store the results of, a psychological screening prior to employment.

For those that donate to Brave, purchase a product from the website, subscribe to a newsletter, engage with the organisation on social media, as a service provider, or otherwise, this may include (but is not limited to):

  • Personal details, like name, pronouns, date of birth, gender and age
  • Contact details such as postal addresses, email address and phone numbers
  • Payment card details (including transaction details/payment history) or other banking or financial information
  • Records of communication and interactions with us and details/history of preferences.
  • Conversations by phone, email, social media, webchat, post or in person, with Brave staff and volunteers: this might include additional information if shared about family or information related to particular circumstances or interests

Individuals are in control of the personal information provided to Brave. Most personal information collected by Brave comes from the individual. The individual can request to change or access their details at any time.

4. Collecting information through Brave’s website, online activity cookies & social media

Brave may collect information about how its digital services are used to tailor services to the individual and ensure the organisation is providing the best experience to those that interact with Brave. For example, Brave may do this when links are clicked on emails or the Brave website, when an individual visits another website which displays one of Brave’s advertisements, or when an individual engages with the organisation online via social media platforms like Facebook. Usually, the information Brave collects in this way is only general information, such as user statistics. However, some information may be able to identify individuals.

Brave may also use advertising companies (e.g., Google and Facebook) to place ads on third party websites. When an individual views a Brave advertisement on a third-party website, the advertising company uses cookies and, in some cases, ‘web beacons’ to collect information about:

  • the server the device is logged onto;
  • the web browser type;
  • the date and time of the visit; and
  • the performance of Brave’s marketing efforts.

When an individual visits and interacts with a third-party website, Brave suggests reviewing the third party’s privacy policy as any of the personal information provided and interactions with that page are outside Brave’s control.

If Brave does associate information about users of our website or digital services with personal information Brave holds, any use or disclosure of that information will be in accordance with this Privacy Policy.

Individuals can also engage with Brave via social media platforms like Facebook, Twitter, Instagram, etc. and can always control how content is received through each platform’s settings. Any information posted to social media will be managed in accordance with the platform’s specific policies.

5. How is personal information used and shared?

Brave will use an individual’s personal information for the purpose it was collected, and where appropriate, for the purpose of continuing and improving the organisation’s work of supporting expecting and parenting young Australians. Importantly, Brave never rents, sells, or exchanges personal information without prior consent.

The only exception to this is where Brave is compelled to disclose personal information to prevent a serious and imminent threat to life or health, or as otherwise required or authorised by law.

For program participants, this may include (but is not limited to):

  • Collecting, storing and reviewing personal information of participants and/or their children for the purpose of providing support during or after engagement with our programs
  • Where Brave has a participant’s permission, sharing personal information with a community service provider, or organisational partner or stakeholder, for the purposes of seeking additional support for that participant and/or their family members (such as a financial assistance program or housing provider)
  • Where Brave has permission to share personal information with relevant law professionals or law enforcement officials (such as for the purpose of assisting a participant in a legal matter or court case)

For Brave staff members or volunteers, this may include (but is not limited to) collecting, storing, and reviewing personal information for the purpose of fulfilling the contractual agreement made with Brave, such as:

  • For internal organisational and administrative purposes (for example, storing bank details to pay salary, or an address for the purpose of sending work related materials)
  • For the purpose of fulfilling obligations under Brave’s organisational policies and procedures (for example, storing vaccination records, a copy of a pre-employment psychological screening, or a copy of educational or professional credentials)
  • For the purpose of ensuring adherence to Brave’s organisational policies and procedures (for example, tracking usage and storage of data on a Brave owned electronic device – please see ‘Information Technology and Security’ Policy for further information)

For individuals that donate to Brave, purchase a product from the Brave website, engage with Brave as a service provider, or otherwise engage with Brave, this may include (but is not limited to) collecting, storing, and reviewing personal information for the purpose of:

  • processing donations or payments, and provision of receipts and/or refunds;
  • completing purchase orders;
  • administering, improving and personalising communications (including direct and digital marketing)
  • addressing service enquiries
  • maintaining and updating Brave records

Brave may also, where provided, request, collect, store, and review feedback, experiences, and support of the organisation’s program for the purpose of providing reports to funders, supporting Brave’s approach to seek and secure further/additional funding and to improve the quality of the service Brave offers.

5.1 Deidentified information

Where possible and appropriate, Brave may de-identify the information that is held, so that an individual’s identity is not made known by the sharing of this information.

Examples of this include, but are not limited to:

  • Redacting names, ages or locations in a testimonial or feedback supplied to Brave about services provided, which are used for the purpose of reporting the impact of the program to Brave’s funders or organisational partners, research outlets, or as an advertisement of services offered.
  • Using statistical information as part of a larger report or body of work that demonstrates evidence related to our program; for example, indicating the overall number of program participants engaged with Brave that identify as Aboriginal or Torres Strait Islander.

5.2 Using images

As part of Brave’s ongoing commitment to documenting and sharing the transformative experiences of those engaged with Brave’s programs, there might be occasions when an individual and/or their children are photographed. These instances primarily include capturing moments for Brave’s website, promotional materials, reports, and other relevant documentation.

The intention behind these images is manifold:

  • To genuinely portray the bond between Brave program participants and their child/ren
  • To highlight the diligent work of Brave’s staff
  • To underscore the overarching positive influence Brave and its initiatives have on young Australians and the broader communities they are part of

Prioritising Consent and Privacy when collecting and using images:

  • Consent First: Brave is steadfast in its commitment to respect privacy. Brave will always seek explicit written consent before using or sharing any photographs where an individual and/or their children are recognisable.
  • Opting Out: If an individual is uncomfortable with being photographed or having their child/ren photographed, they have complete freedom to decline. This decision will have no bearing on an individual’s involvement or their child/ren’s involvement with Brave’s programs.
  • Reassessing Consent: Individuals are empowered to withdraw consent, should they change their mind. On such occasions, Brave will act promptly to discontinue the use of the associated images in materials and platforms.

6. How is personal information stored?

Brave engages third parties, including digital services, software, cloud-based storage systems, research and analytics services, and other specialists to help the organisation provide the best possible services, operate with efficiency and better serve the communities it supports. These partners may be located or have data centres outside of Australia. Brave may also use and/or store information overseas, or use cloud service providers where technical systems may be located or processed overseas (for example, social media platforms).

In all cases, this does not change Brave’s commitment to safeguarding privacy.

Brave requires external service providers to handle personal information carefully, lawfully, and, where possible, in accordance with this Privacy Policy. Brave also receives ongoing advice regarding best practice security and digital information handling from its specialised IT support service, the Virtual IT Department, to ensure practices are up to date with the latest developments and are fit for purpose.

7. How is personal information kept secure?

Brave stores and manages personal information in accordance with the Privacy Act, and the Australian Privacy Principles. Brave takes the security of personal information seriously and will take all reasonable steps to ensure safe systems, processes, and training are in place to protect personal information, including by:

  • Ensuring any third party program or service Brave uses to store, review, transmit or disseminate data is appropriately secure and meets all of the obligations and guidelines under the Privacy Act 1988, and the Australian Privacy Principles,
  • Using secure response forms when requesting personal and payment card details on the Brave website.
  • Taking reasonable steps to preserve the security of cookie and personal information in accordance with this Privacy Policy, including using secure encryption where possible.
  • Taking reasonable steps to ensure any physical information, such as printed documentation, is kept appropriately, securely, and not left unattended at any time (for example, maintaining a clean and tidy working area and locked storage cupboards)
  • Taking reasonable steps to ensure the privacy of those that are engaged with Brave in public (for example, a participant meeting a mentor at a public location)
  • Complying with the Payment Card Industry Data Security Standard (PCI DSS) to ensure all credit card information is securely transmitted, processed and stored.
  • Keeping up to date with developments in security and encryption technologies and reviewing and updating relevant internal policies and procedures as needed.

Unfortunately, no data transmission over the internet can be guaranteed as secure. Although Brave strives to protect personal information, Brave cannot ensure or warrant the security of any information transmitted online, and individuals do so at their own risk. However, once transmission is received, we will take all reasonable steps to preserve the security of the information in Brave’s systems.

7.1 Third party software security

Where Brave has contracted a third-party provider to supply software or a program that holds sensitive personal or organisational information (for example, Employment Hero to record information on staff, or a client management system to record information relating to program participants), Brave will take measures to ensure the service provider meets all the security obligations outlined by relevant laws and regulations, and any internal organisational policies.

This will include, but is not limited to, requesting the Virtual IT Department review all contracts, and completing a security questionnaire prior to their confirmation to ensure the correct security standards are met.

8. How long does Brave keep information?

The period for which Brave holds information depends on the type of information being held and is governed by the relevant law or regulation.

For Financial and Wage records:

In line with the requirements set forth by the Fair Work Act 2009 and the Fair Work Regulations 2009, Brave will retain employee financial and wage records for a duration of seven (7) years. Additionally, as prescribed by the Income Tax Assessment Act 1997, Brave is committed to preserving pertinent financial records for a period of five (5) years. All these records will be securely stored within Brave’s designated financial accounting and payroll systems, ensuring their legibility and ready accessibility for any inspection as per Fair Work requirements.

For credit card information:

In accordance with the Payment Card Industry Data Security Standard (PCI DSS), any credit card information must be securely destroyed as soon as its intended purpose has been fulfilled. Consistent with PCI DSS requirement 10.7, Brave will retain audit logs of all credit card transactions for a minimum period of one year.

For all other personal information:

No data retention period is established under the Privacy Act. However, Australian Privacy Principle 11 provides that ‘an entity must take reasonable steps to destroy or de-identify the personal information it holds once it is no longer needed for the purpose for which the personal information may be used or disclosed under the APPs’.

9. How can an individual request access to personal information, or request it be corrected or updated?

If an individual wishes to update, change, withdraw, or request access to personal information Brave holds, they should contact the person to whom they originally gave the information.

For program participants, this will be their Mentor. For Brave staff, this will be their direct manager, or the Head of Operations.

If an individual is unable to get in contact with the person to whom they gave the information, or wishes to contact a different member of Brave staff to make a request, they can contact Brave Head Office on:

Email:

Phone: 0448 088 380

Brave will aim to respond to enquiries within 10 business days of the enquiry being received.

10. How to make a query or complaint

For queries or concerns about the way Brave has handled personal information, please contact the relevant person outlined below.

Brave will treat all such discussions with the utmost respect and confidentiality, in line with all applicable laws and this Policy.

For Program participants: Their Mentor, or Brave Head Office on 0448 088 380 or .

For Brave staff members: Their direct manager, the Head of Operations, or the CEO.

For external stakeholders, supporters of Brave, or other third parties: Brave Head Office on 0448 088 380 or

Brave will seek to understand, investigate, and resolve all instances of query or complaint in a timely manner and ensure a mutually beneficial outcome is obtained for all parties.

If a resolution is unable to be sought, the person making the enquiry may wish to take the matter further and lodge formal feedback or a complaint. Brave has a number of policies and procedures that outline the specific practices that are to be followed in the event of feedback or a complaint being made, and the nature of the concern will decide which procedure is to be followed:

External Complaints and Feedback Policy and Procedure: for complaints and feedback made by an individual or organisation external to Brave, such as an organisational partner or program participant

Internal Complaints and Feedback Policy: for complaints and feedback made by an individual employed by Brave

Protected Disclosure (Whistleblower) Policy: for serious matters regarding Reportable Conduct or other behaviours that may fall within the remit of Whistleblower Protection laws; this policy also provides an anonymous reporting mechanism and reports can be made both internally and externally to the organisation.

If, after the complaint or feedback process has been followed, an individual is still not happy with the way that Brave has handled their concerns, they can raise the matter with the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.

11. Child Safe Organisation: Protecting children & young people

As a Child Safe organisation, Brave recognises the responsibility for children’s safety and protection is embedded within the organisational culture including governance, and organisational policies and practices.

Brave will ensure that, as a child safe organisation, it will maintain all expectations of the 10 National Principles for Child Safe Organisations and obligations of state and territory child safe standards.

Brave is committed to providing environments where children and young people are respected, listened to, and their rights observed. Maintaining the privacy and confidentiality of any young person engaged in our programs is paramount to ensuring safety and wellbeing.

Please refer to the ‘Child Safe Organisation’ Statement of Commitment and ‘Child Safety – Keeping young people and children safe from harm’ Policy for further information on Brave’s commitments and obligations as a Child Safe organisation.

12. References

Privacy Act 1988

Australian Privacy Principles

Payment Card Industry Data Security Standard (PCI DSS)

Income Tax Assessment Act 1997

Fair Work Act 2009

Workplace Ombudsman
