The below is a summary version of Brave’s privacy policy.  A full version is available on request to Brave’s head office on 0448 088 380 or

Privacy Policy

Purpose

The Privacy Policy outlines in detail the processes and guidelines that Brave Foundation (Brave) has designed and implemented to ensure the personal information of those we engage with is respected, protected, and handled in accordance with all relevant Acts and Regulations, and the Australian Privacy Principles.

To the extent of an inconsistency between the terms of this Policy and any relevant Federal, State or Territory privacy laws, regulations or guidelines, the conditions more favourable to the person whose personal or sensitive information is being handled will prevail.

Policy Statement

Brave values and respects the privacy of the those the organisation engages with – staff members, program participants, organisational supporters and partners, and volunteers – as well as the children and communities the organisation seeks to serve. Protecting the privacy of everyone that engages with the organisation is of vital importance to Brave.

Brave is committed to collecting, storing, and using personal or sensitive information responsibly, and in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs), and the Payment Card Industry Data Security Standard (PCI DSS).

This Policy describes how Brave collects, holds, uses and discloses personal information, how Brave maintains the quality and security of personal information, and how to make an enquiry or complaint about how Brave has handled personal information.

Brave is committed to ensuring policies are reflective of the diversity of the communities the organisation engages and works with.

Brave’s Privacy Commitment

Brave is bound by laws which impose specific obligations when it comes to handling personal information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information:

  • Data minimisation – Collect only information which the organisation requires for its business function.
  • Transparency – Ensure that all parties are informed as to why the information is collected and how the information gathered is administered.
  • Use and disclose personal information only for business functions or a directly related purpose, or for another purpose with the individual’s consent.
  • Data security – Store personal information securely, protecting it from unauthorised access.
  • Provide all parties with access to their own information, and the right to seek its correction.
  • Consent – Obtain explicit consent from individuals before collecting or processing their personal data, especially for sensitive information. Provide all parties with the right to withdraw their consent to share their information at any time, even if prior consent has been given.
  • Data Breach notification – In the event of a notifiable data breach, notify affected individuals and the OAIC within 72 hours
  • Grant defined critical incidents – in the event of a critical incident defined under specific grants, the funder directed reporting processes will be followed
  • Data Retention and Deletion – Retain personal data for as long as necessary and for the purpose it was collected. Refer to the records management policy for further information

In addition to the Privacy Policy, Brave has several further policies and procedures that specify the security measures and protocols the organisation has in place to protect the information and data the organisation handles.

What is personal, or sensitive, information?

‘Personal information’ means any information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.

In general terms, this includes information or an opinion that personally identifies them either directly (e.g., by name) or indirectly.

Sensitive information is a sub-set of personal information, more specifically relating to an individual’s racial or ethnic origins, sexual preferences or practises, criminal record, health-related information (including disabilities), or other sensitive details. Brave will ensure that any sensitive information is afforded a higher level of privacy protection than other personal information because its inappropriate use or disclosure could have adverse consequences for the individual involved.

What personal information does Brave collect?

The personal information Brave collects about individuals depends on the nature of their dealings with Brave, and what the individual chooses to share with the organisation. Brave will only collect personal information if consent to the collection of this information is received, and the information is reasonably necessary for one or more of the organisation’s business functions or activities.

In accordance with the Privacy Act 1988, Brave may also collect information from third parties when it is both appropriate and necessary for organisational functions or activities. For instance, for those under 18, this information may be sourced from a parent or guardian with informed consent from both parties.

Brave also utilises several consent forms in the process of collecting personal information that relates to program participants. To support understanding of a participant’s rights regarding the collection and use of their information, at the commencement of the program a mentor will provide their participants with a Welcome Pack. This pack includes copies of the Participant Consent Form, the Consent to Share Information Form, and the Information about Consent Handout.

From time to time, Brave may create and circulate additional consent forms – for example, when conducting a particular research or consultation project, an event or media opportunity, or a series of interviews, focus groups or workshops. These documents will be made available, and the opportunity to discuss the details with Brave staff will be offered, prior to any personal information being collected. An example of this is Participant Media Consent Form.

Individuals are in control of the personal information provided to Brave. Most personal information collected by Brave comes from the individual.  The individual can request to change or access their details at any time.

Collecting information through Brave’s website, online activity cookies and social media

Brave may collect information about how its digital services are used to tailor services to the individual and ensure the organisation is providing the best experience to those that interact with Brave. For example, Brave may do this when links are clicked on emails or the Brave website, when an individual visits another website which displays one of Brave’s advertisements, or when an individual engages with the organisation online via social media platforms like Facebook. Usually, the information Brave collects in this way is only general information, such as user statistics. However, some information may be able to identify individuals.

Brave may also use advertising companies (e.g., Google and Facebook) to place ads on third party websites. When an individual views a Brave advertisement on a third-party website, the advertising company uses cookies and, in some cases, ‘web beacons’ to collect information about:

  • the server the device is logged onto;
  • the web browser type;
  • the date and time of the visit; and
  • the performance of Brave’s marketing efforts.

When an individual visits and interacts with a third-party website, Brave suggests reviewing the third party’s privacy policy as any of the personal information provided and interactions with that page are outside Brave’s control.

If Brave does associate information about users of our website or digital services with personal information Brave holds, any use or disclosure of that information will be in accordance with this Privacy Policy.

Individuals can also engage with Brave via social media platforms and can always control of how content is received through each platform’s settings. Any information posted to social media will be managed in accordance with the platform’s specific policies.

How is personal information be used and shared?

Brave will use an individual’s personal information for the purpose it was collected, and where appropriate, for the purpose of continuing and improving the organisation’s work of supporting expecting and parenting young Australians. Importantly, Brave never rents, sells, or exchanges personal information without prior consent.

The only exception to this is where Brave is compelled to disclose personal information to prevent a serious and imminent threat to life or health, or as otherwise required or authorised by law.

Brave may also, where provided, request, collect, store, and review feedback, experiences, and support of the organisation’s program for the purpose of providing reports to funders, supporting Brave’s approach to seek and secure further/additional funding and to improve the quality of the service Brave offers.

De-identified information

Where possible and appropriate, Brave may de-identify the information that is held, so that an individual’s identity is not made known by the sharing of this information.

Using images

For participants of Brave’s programs:

As part of Brave’s ongoing commitment to documenting and the sharing transformative experiences of those engaged with Brave’s programs, there might be occasions when an individual and/or their children are photographed. These instances primarily include capturing moments for Brave’s website, promotional materials, reports, and other relevant documentation.

Prioritising Consent and Privacy when collecting and using images:

  • Consent First: Brave is steadfast in its commitment to respect privacy and protect safety. Brave will always seek explicit written consent before using or sharing any photographs where an individual and/or their children are recognisable. This consent will be stored in the client management system in the participant’s file.
  • Opting Out: If an individual has concerns about being photographed or having their child/ren photographed, there is no obligation to participate. This decision will have no bearing on an individual’s involvement or their child/ren’s involvement with Brave’s programs.
  • Reassessing Consent: Individuals are empowered to withdraw consent, should they change their mind. On such occasions, Brave will act promptly to discontinue the use of the associated images in materials and platforms.

For staff members:

  • Consent First: Brave is steadfast in its commitment to respect privacy and protect safety. Brave will always seek explicit written consent before using or sharing any photographs of staff members. This consent will be stored in Employment Hero on the employee’s file and will be requested as part of the onboarding process.

How is personal information stored?

Brave engages reputable third parties, including digital services, software, cloud-based storage systems, research and analytics services, and other specialists to help the organisation provide the best possible services, operate with efficiency and better serve the communities it supports. These partners may be located or have data centres outside of Australia. Brave may also use, and/or store information overseas, or use cloud service providers where technical systems may be located or processed overseas (for example, social media platforms).

In all cases, this does not change Brave’s commitment to safeguarding privacy.

Brave requires external service providers to handle personal information carefully, lawfully, and, where possible, in accordance with this Privacy Policy. Brave also receives ongoing advice regarding best practise security and digital information handling from its specialised IT support service, the Virtual IT Department, to ensure practises are up to date with the latest developments and are fit for purpose.

How is personal information kept secure?

Brave stores and manages personal information in accordance with the Privacy Act, and the Australian Privacy Principles. Brave takes the security of personal information seriously and will take all reasonable steps to ensure safe systems, processes, and training in place to protect personal information, including by:

  • Ensuring any third party program or service Brave uses to store, review, transmit or disseminate data is appropriately secure and meets all of the obligations and guidelines under the Privacy Act 1988, and the Australian Privacy Principles,
  • Using third party secure response forms when requesting personal and payment card details on the Brave website.
  • Taking reasonable steps to preserve the security of cookie and personal information in accordance with this Privacy Policy, including using secure encryption where possible.
  • Taking reasonable steps to ensure any physical information, such as printed documentation, is kept appropriately, securely, and not left unattended at any time (for example, maintaining a clean and tidy working area and locked storage cupboards)
  • Taking reasonable steps to ensure the privacy of those that are engaged with Brave in public (for example, a participant meeting a mentor at a public location)
  • Complying with the Payment Card Industry Data Security Standard (PCI DSS) to ensure all credit card information is securely transmitted, processed and stored.
  • Keeping updated of developments in security and encryption technologies and reviewing and updating relevant internal policies and procedures as needed.

Unfortunately, no data transmission over the internet can be guaranteed as secure. Although Brave strives to protect personal information, Brave cannot ensure or warrant the security of any information transmitted online, and individuals do so at their own risk. However, once transmission is received, we will take all reasonable steps to preserve the security of the information in Brave’s systems.

Third party software security

Where Brave has contracted a third-party provider to supply software or a program that holds sensitive personal or organisational information (for example, Employment Hero to record information on staff, or a client management system to record information relating to program participants), Brave will take measures to ensure the service provider meets all the security obligations outlined by relevant laws and regulations, and any internal organisational policies.

This will include, but is not limited to, requesting The Virtual IT Department review all contracts, and completing a security questionnaire prior to their confirmation to ensure the correct security standards are met.

How long does Brave keep information?

The period for which Brave holds information depends on the type of information being held and is governed by the relevant law or regulation.   Australian Privacy Principle 11 provides that ‘an entity must take reasonable steps to destroy or de-identify the personal information it holds once it no longer needed for the purpose for which the personal information may be used or disclosed under the APPs’.

How can an individual request access to personal information, or request it be corrected or updated?

If an individual wishes to update, change, withdraw, or request access to personal information Brave holds, they should contact the person to whom they originally gave the information.  Individuals have a right to access their personal information and can do so through Freedom of Information processes.

For program participants, this will be their Mentor. For Brave staff, this will be their direct manager, or the Head of Corporate Services.

If an individual is unable to get in contact with the person they gave the information, or wishes to contact a different member of Brave staff to make a request, they can contact Brave Head Office on:

Email:

Phone: 0448 088 380

Brave will aim to respond to enquiries within 10 business days of the enquiry being received.

Deletion of personal data

Individuals can request the deletion of their personal data in several specific circumstances when it is no longer necessary or legally required:

  • Data no longer needed – if the personal data is no longer necessary for the purpose for which it was collected or processed
  • Withdrawal of consent – if the individual withdraws their consent on which the data processing is based, and there is no other legal ground for the processing
  • Objection to processing – if the individual objects to the processing of their data and there are no overriding legitimate grounds for processing
  • Unlawful processing – if the personal data has been unlawfully processed
  • Legal obligation – if the personal data must be erased to comply with a legal obligation

How to make a query or complaint

For queries or concerns about the way Brave has handled personal information, please contact the relevant person outlined below. Brave will treat all such discussions with the utmost respect and confidentiality, in line with all applicable laws and this Policy.

For Program participants: Their Mentor, or Brave Head Office on 0448 088 380 or .

For Brave staff members: Their direct manager, the Head of Corporate Services or the CEO.

For external stakeholders, supporters of Brave, or other third parties: Brave Head Office on 0448 088 380 or

Brave will seek to understand, investigate, and resolve all instances of query or complaint in a timely manner and ensure a mutually beneficially outcome is obtained for all parties.

If a resolution is unable to be sought, the person making the enquiry may wish to take the matter further and lodge formal feedback or a complaint. Brave has policies and procedures that outline the specific practises that are to be followed in the event of feedback, or a complaint being made, and the nature of the concern will decide which procedure is to be followed.

If, after the complaint or feedback process has been followed, an individual is still not happy with the way that Brave has handled their concerns, they can raise the matter with the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.

Child Safe Organisation: Protecting children and young people

As a Child Safe organisation, Brave recognises the responsibility for children’s safety and protection is embedded within the organisation culture including governance, and organisational policies and practices.

Brave will ensure that, as a child safe organisation, it will maintain all expectations of the 10 National Principles for Child Safe Organisations and obligations of state and territory child safe standards.

Brave is committed to providing environments where children and young people are respected, listened to, and their rights observed. Maintaining the privacy and confidentiality of any young person engaged in our programs is paramount to ensuring safety and wellbeing.

Please refer to the ‘Child Safe Organisation’ Statement and ‘Child Safety – Keeping young people and children safe from harm’ Policy for further information on Brave’s commitments and obligations as a Child Safe organisation.

Review and Revision

This Policy shall be reviewed yearly to ensure its continued effectiveness and relevance. Any necessary revisions shall be made in consultation with the Board of Directors/senior leadership team and the Strategy and Governance Committee.

Subscribe to our Newsletter

Name
I’m interested in…
This field is for validation purposes and should be left unchanged.