The Public Fundraising Regulatory Association (PFRA) and its employees will respect the privacy of its members and other individuals. The PFRA voluntarily complies with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) in the way that it handles the personal information it collects. This Privacy and Data Protection Policy explains how the PFRA handles your personal information in accordance with the Privacy Act.
Privacy and Data Protection Policy
This policy outlines the requirements to identify and protect sensitive and/or personal identifiable information, which includes but may not be limited to PII as identified by ISO/IEC 27001, by restricting the collection of data, and the retention of such data, to that which is required to perform the PFRA’s work.
This policy will affect all staff, members, directors, and any others involved in data collection.
For the purposes of data security, this policy considers all data categorised as sensitive or restricted to be in scope; however, specific attention is given to data identified as containing personal identifiable information. The types of personal information collected and maintained by the PFRA, and the purposes for which the PFRA will handle the personal information it collects, will depend on the PFRA’s interaction with you.
For the purpose of this policy, the following definitions apply to this document:
PII – means Personal Identifiable Information as defined by ISO/IEC 27001
Document – means original electronic or physical file(s) which contain information that supports the business. This may include (but is not limited to) policy, procedure, plans and reports.
Record – means original electronic or physical file(s) which contain evidential information. This may include (but is not limited to) meeting minutes, audits, quality reports and other results. In most cases, it is not appropriate for records to be modified once they are complete.
Data – means collection of electronic information regardless of method of storage, content, classification, or version unless prefixed for context.
Hardware or Physical Media – means a physical device which stores data and may include, but is not limited to, USB flash drives, hard disk drives, compact discs or virtualised versions of such.
The contents of this policy are guided by data protection laws under the Privacy Act 1988 (Cth) as well as the relevant legislation in each jurisdiction in which data is collected, stored, processed, and transmitted.
This policy does not replace government legislation. All government legislative requirements must be met when creating, modifying, storing, or deleting records. Generally, at the time of writing, records should be kept for a minimum of five years; however, there are exceptions to this. It is up to the Chief Executive Officer to ensure that government and company requirements are met. Where there is a conflict between government retention requirements and the company retention schedule, the schedule with the longest retention time should be applied.
Personal Identifiable Information (PII) will always be classified as restricted, meaning that only staff who need to access the data to perform their jobs will have access to it.
How the PFRA uses data:
The PFRA collects personal information about you when you join and renew your membership to the PFRA to enable it to process your application, and to maintain your membership registration. The types of personal information collected for this purpose may include your name and contact details. The personal information collected will also be used to ensure that the PFRA can provide you with information and services relevant to your membership, including, for example, where the PFRA may reasonably receive feedback and complaints by third parties, including regulatory bodies and members of the public.
The PFRA may collect personal information about you, such as name and contact details, for the purpose of:
promoting and discharging the objects of the PFRA;
promoting the interests of face-to-face fundraising in Australia;
representing its members in connection with fundraising regulation and dealings with government regulators, including where appropriate to facilitate the resolution of complaints; and
providing individuals and government regulators with information about the PFRA activities and other matters of interest.
Third party feedback and complaints
The PFRA may collect personal information about you such as name and contact details, for the purpose of:
enabling you to provide feedback or make a complaint about the PFRA or one of its members, whether online or by telephone; and
supporting the appropriate resolution of any complaint/s the PFRA receives, which may include passing your contact details to a PFRA member or government regulator where it is reasonable to do so.
You consent to a further use or disclosure of your personal information to members and anyone else who you authorise us to disclose it to, or where the use or disclosure is otherwise permitted by the Privacy Act.
A copy of the PFRA’s Constitution, which sets out the objects of the PFRA, may be obtained on request.
Employees and contractors
If you apply for employment with the PFRA, the PFRA may collect and hold information about you, including your name, address, contact details, current and past employment information, and educational qualifications. The PFRA may also collect and hold information about its contractors, such as name, contact details, ABN, and bank account details for payment. The PFRA will use this information for the purpose it was provided and for the PFRA’s other internal business purposes.
The handling of employee records is exempt from the Privacy Act if it is directly related to the current or former employment relationship. The Privacy Act only applies to an employee record if the information is used for a purpose not directly related to the employment relationship. However, workplace laws require a range of information to be made and kept for each employee. If you are an employee or former employee, you can request access to these records under workplace laws.
This exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding their contractual arrangements. For example, the employee records exemption is unlikely to apply to organisations that provide recruitment, human resource management services, or medical, training or superannuation services under contract to an employer. This exemption also does not cover workers compensation insurers that are not the employer of an individual. An organisation that is a contractor or subcontractor that collects employee records about an individual from an employer will have to comply with the Australian Privacy Principles in handling that information, including the notice requirements in APP 5.
Use and Disclosure:
Personal information collected by the PFRA will not be used or disclosed other than for the purpose for which it was collected (as described above) unless the use or disclosure is permitted by the Privacy Act or otherwise as required by law.
The individuals and organisations to which the PFRA would usually disclose your personal information will depend on your interaction with the PFRA. For administering memberships and undertaking its advocacy functions, the PFRA may disclose personal information to its contractors, service providers, government regulators and members of the public as necessary. The PFRA may also access member and fundraising information in order to administer the PFRA’s Quality Assurance Program (including disclosing permit, booking and application information relevant to third parties as required for the effective management of the Program). The PFRA does not ordinarily disclose any personal information to overseas recipients.
If you are a member, Director, or employee of the PFRA, your contact information may be published on the PFRA website or in other PFRA publications.
On occasion, the PFRA may distribute publications, marketing, and related communications for the purpose of informing you of matters relevant to your membership and face to face fundraising, including fundraising regulation. If you do not wish to receive any marketing communications from the PFRA, you should contact the PFRA as detailed at the end of this policy.
The PFRA has appropriate security measures in place to protect personal information from misuse or loss and from unauthorised access, modification, or disclosure.
Data stored must be encrypted at rest to ensure that if a physical storage device is exposed, the risk of data recovery is low. In the event a data storage device is disposed of, data should be erased using secure erasure techniques.
Sensitive or restricted data should either not be backed up, or its backups must adhere to the same secure erasure requirements as the original data.
All data should be securely erased using best practice secure erasure techniques, which may include (but are not limited to) multiple random re-writes, physical media destruction, degaussing, or a combination of these techniques, to ensure data cannot be recovered using advanced data recovery techniques.
(NB: deleting a document or piece of data does not remove its contents from physical media)
If a member, employee, or Director suspects that this Policy may have been breached, they should contact their manager, the Chief Executive Officer, or Chair of the Board for guidance.
A breach of Personal Identifiable Information may invoke further legislative action as applicable under the local laws of the person(s) impacted, for example the Australian Data Breach Notification Laws.
The obligations of disclosure outlined above are in addition to any other disclosure obligation under PFRA Policies, Procedures, Codes or Guidelines.
Consequences for Breach of procedures:
Failure to comply with this Policy is regarded as a serious matter and may result in legal action, financial penalties, or disciplinary action, including dismissal from employment or termination of contract or membership.
The PFRA will make all reasonable efforts to ensure that the personal information it collects, uses and discloses is accurate, complete and up to date.
The PFRA may collect information about your visit to its website through cookies to assist the PFRA to measure and improve its website. Examples of information that PFRA may collect include: day and time of your visit, whether you visited the PFRA’s website previously, whether you used a search engine to find the PFRA’s website, and some geographical information about what country and state you are in. You can set your browser to reject cookies, or to notify you when you receive one to accept or reject such receipt in each instance.
Access & Correction:
You may request access to, or the correction of, your personal information held by the PFRA by contacting the PFRA as detailed below. The PFRA may decline to provide you with access to your personal information, or to correct your personal information, where it is permitted to do so under the Privacy Act or otherwise as required by law.
If you notify the PFRA that personal information it holds is inaccurate, out-of-date, incomplete, irrelevant, or misleading, the PFRA will take action to correct the information in accordance with the Privacy Act.
You may complain about a breach of the APPs by the PFRA by contacting the PFRA as detailed below.
Further information and complaints:
If you would like further information about the way that the PFRA handles personal information or wish to make a complaint relating to our handling of your personal information or our compliance with the APPs, you may do so by contacting the PFRA as detailed below.
If you are not satisfied with our response, you may also contact the Office of the Australian Information Commissioner. Further information is available on the Office of the Australian Information Commissioner’s website at http://www.oaic.gov.au/
Chief Executive Officer
Tel: 1300 170 570