Privacy Policy
1. Policy Statement and Purpose
This policy governs the responsible use of data for marketing and foundation purposes within Chris O’Brien Lifehouse (Foundation), referred to in this policy as “The Foundation”, to protect our donors, patients, the Organisation and staff from risks associated with incorrect use of data.
2. Policy Scope
This policy applies to all authorised staff members involved in “The Foundation” inclusive of full-time, part-time, contract, casual employees or volunteers, as well as any external consultants, suppliers or third parties who have access to “Foundation” systems and data. In this policy, all of the above are referred to as “staff”.
3. Policy Statement
We collect personal identifiable information (PII) to raise funds and awareness of the work at Chris O’Brien Lifehouse. We are committed to protecting the privacy of our donors and comply with the Australian Privacy Principles in the Privacy Act. PII remains confidential and is used for the purposes in accordance with this Policy.
Patient information:
“The Foundation” may collect basic contact details (name, address, email address, phone numbers, date of birth, gender) from Chris O’Brien Lifehouse patients who provide their consent through individual patient admission forms or if making the decision to donate to Chris O’Brien Lifehouse.
The Foundation does not deal directly with health information. All contact information is kept separate from the medical database, in the Salesforce CRM which can only be accessed by authorised members of the Development team. Separate policies are in place to support the privacy of all other interactions with Chris O’Brien Lifehouse that do not relate to The Foundation.
Data collection:
Personal information collected by The Foundation may include:
• PII - name, address, email address, phone number, mobile phone number
• Date of birth – in order to help with identifying the donor in data cleansing activities such as locating deceased records or acknowledging Gift in Will donors
• If relevant, gender, income, occupation
• Donation and payment details
• If relevant, employer details (for example, the donor participates in workplace giving or a corporate fundraiser)
• A history of transactions, correspondences and interactions with “The Foundation”
• If relevant, details about a donor’s personal interests and reasons behind their motivation to support “The Foundation”
How we collect information:
There are a number of ways we collect information. These include:
• Directly from the donor when they provide information by phone, in person, via our website, or response forms
• From our own records of a donor’s transactions and interaction with “The Foundation”
• From publicly available sources of information
• From third parties who organise fundraising activities on our behalf who are also bound by the Australian Privacy Principles
• From a third party known to an individual who makes a donation and nominates said individual as the recipient of communication regarding that donation
• Face to face or when a donor speaks with us directly
• Via email
• Via supporter surveys
• Via social media messages or conversations
• In voice or image recordings
• Via photography (We may feature photographs of various individuals on our website, social media and advertising material. We will seek permission in writing via a consent form to take, publish and/or display any photograph that features on our website, social media or within any of our marketing or development communications materials such as brochures or newsletters.)
How we store donor information:
We keep donor personal information secure in our Salesforce CRM supporter database. All credit card information is tokenised so it is PCI compliant and once entered cannot be viewed or updated.
Physical copies of donation forms sent in the post are processed within 48 hours of receiving and are then held in locked cabinets. Forms are held for 7 years, as per ACNC requirements, and are then destroyed through secure documentation destruction. Surveys are held securely in locked cabinets. As part of the onboarding process, staff and volunteers are required to sign our policies relating to privacy. Police checks are conducted on all potential staff and volunteers as part of our recruitment process.
Sometimes we may need to store or use donor information in a country other than Australia, usually because one of our technical systems is located or needs to process data overseas (for instance, social media channels). Further, the information that The Foundation collects for safeguarding and fraud reporting purposes may be stored on cloud services including services provided by third party service providers, which may be hosted overseas.
As of the last update of this policy, the countries in which we store data include Australia and the United States of America.
Storage and security of personal information
“The Foundation” will endeavour to take all reasonable steps to keep any information we hold about donors and patients (whether electronic or in hard copy) secure, accurate and up-to-date. This includes complying with the Payment Card Industry Data Security Standard, which covers security of payment card information. As per the Standard, information is encrypted and stored on secure servers that are protected in controlled facilities. We require our staff to respect the confidentiality of any personal information held by us and that they abide by our confidentiality policy and procedures.
It is our policy to:
• Permanently de-identify personal information where reasonable and possible
• Destroy personal information once there is no longer a legal or business need for us to retain it
• Ensure that any external suppliers or organisations permanently and securely dispose of any personal information within 6 months
Disclosure of donor information:
We may disclose donor PII to external suppliers or organisations that help facilitate our correspondence and fundraising activities such as printing of our newsletters, appeals or surveys.
When sharing information with external suppliers or organisations, we ensure this is done securely, in compliance with the Privacy Act and for the purposes outlined in this policy.
Privacy and the internet
We use third-party tracking cookies and similar technologies to collect and use data about user activities on our sites. The third-party vendors, such as Meta Platforms and Google, whose services we use, place these cookies and similar technologies on web browsers to help us tailor advertising that may be of interest to users based on their past visits to our site.
We do not collect any identifiable information through these services. Cookies and similar technologies do not in any way give access to individual computers.
4. Risks Addressed
This policy addresses the risk of non-compliance with the Australian Privacy Principles and the Privacy Act, as well as the inadvertent disclosure of donor information.
5. Definitions
“The Foundation”: The Chris O’Brien Lifehouse Foundation is the arm of the hospital that raises funds sourced through donations made by individuals, Trusts and Foundations, PAFs and companies.
The Development Team: staff who work in the Development Team are raising funds for “The Foundation”.
Personal Identifiable Information (PII): Data that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify an individual.
6. Related Documents
6.1 Data Classification Policy
6.2 Data Classification Standard
6.3 Information Security Policy
7. References
The Privacy Act: https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
PCI Security Standards: https://docsprv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI_DSSQRG-v4_0.pdf
Digital Advertising Alliance Consumer Choice: Digital Advertising Alliance Consumer Choice opt-out tool.
ACNC Record-Keeping obligations: https://www.acnc.gov.au/for-charities/manageyour-charity/obligations-acnc/keeping-charity-records