Stroke Foundation respects the privacy rights of all individuals and is committed to ensuring that we comply at all times with our obligations under the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (including the Australian Privacy Principles) and the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
The core purpose and associated activities of Stroke Foundation.
Personally Identifiable Information (PII)
PII includes a broad range of information and/or opinions that could identify an individual. Examples of PII include but are not limited to:
- An individual’s name, signature, address, phone number or date of birth
- An individual’s image or likeness
- Information obtained through digital channels (e.g., Stroke Foundation websites, related online communities, and social media channels)
- Sensitive Information
- Credit information
- Workforce Member record information, including but not limited to:
  - Candidate information submitted and obtained from the Candidate and other sources in connection with applications for employment and volunteering at Stroke Foundation
  - Employment performance information
  - PII (e.g., home address and contact details, gender, date of birth, next of kin)
  - Information regarding issues and incidents in the workplace
  - Information obtained to assist in managing stakeholder and business relationships, and
  - Information documenting the work history of workforce members (e.g., letter of appointment and bank account details, including records of salary adjustments)
- Contact and Relationship Management information, including but not limited to:
  - Products and services offered/provided by third parties
  - Current and historical interactions between Stroke Foundation and its donors, consumers and stakeholders
  - Contact details of Employees who provide specialised donor, consumer and stakeholder services
  - Feedback gathered from Stroke Foundation products and services
- Stroke Experience and Fundraising Web Contents
- Internet protocol (IP) addresses
- Voice print (e.g., audio recording)
- Location information from a mobile device.
Stroke Experience
PII that captures a person’s experience in the stroke community, including images/photographs and/or video/audio recordings.
Contributor
A person who actively shares their Stroke Experience with Stroke Foundation. A Contributor could also be someone who has not had a stroke but is linked to the community or our cause in some way.
Sensitive Information is Personal Information that includes information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information.
It may also include some elements of biometric information.
Consent is defined as:
- Express Consent – given explicitly, either orally or in writing, or
- Implied Consent – arises where Consent may reasonably be inferred in the circumstances from the conduct of the individual and Stroke Foundation. Inference of an individual’s Consent will only be appropriate where the Stakeholders could reasonably expect the shared content to be used to further Stroke Foundation's Mission and the ability to opt out was clearly communicated and easy to access.
All Consent must be informed. The four key elements of Consent are:
- the individual is adequately informed before giving Consent
- the individual gives Consent voluntarily
- the Consent is current and specific, and
- the individual has the capacity to understand and communicate their Consent.
Express Consent is given explicitly, either orally or in writing.
Cookie
Data from a website that is stored within a web browser and that the website can retrieve later.
Implied Consent arises where Consent may reasonably be inferred in the circumstances from the conduct of the individual and Stroke Foundation. Inference of an individual’s Consent will only be appropriate where the Contributor could reasonably expect the shared content to be used to further Stroke Foundation's Mission and the ability to opt out was clearly communicated and easy to access.
Australian Privacy Principles (APP)
The Australian Privacy Principles (APP) established by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), as they apply to Organisations and Government agencies.
Australian Privacy Principles (APP)
Stroke Foundation adheres to the principles set out in the APP in the way it collects, manages and uses Personal Information.
Open & Transparent Management of Information
Stroke Foundation will take reasonable steps (in accordance with applicable Law, in particular APP 5, Notification of the collection of personal information, as set out in Chapter 5 of the OAIC guidelines) to inform the individual of the type of Personal Information held and how it collects, holds, uses and discloses that Personal Information.
Collection of Information
Stroke Foundation collects Personal Information that it requires to carry out its work. Wherever practicable, Personal Information is collected directly from the individual. Information may also be collected if publicly available, but only where collecting and holding that information is necessary to carry out Stroke Foundation’s Mission.
Stroke Foundation has implemented procedures and systems to obtain and record Consent.
Stroke Foundation collects Sensitive Information where Express Consent has been provided and it is relevant to Stroke Foundation’s Mission.
Individuals may be photographed when attending Stroke Foundation events. Stroke Foundation will seek Express Consent, through completion of sign-off forms, for the use of any images obtained. These images will only be used for the event at which they were taken and must not be used for other purposes. Photographs are kept in the Digital Asset Management database for three years, then deleted.
Stroke Experience Guidelines
Stroke Foundation has developed specific guidelines for making ethically sound decisions in relation to the collection of Stroke Experiences. These guidelines abide by relevant legislation, such as the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and are consistent with Stroke Foundation’s Values and policies. Refer to Appendix 1.
Consent for the use of a person’s Stroke Experience must be recorded using the Privacy Consent Form in Stroke Foundation’s Digital Asset Management database, found on the intranet. There is an online Privacy Consent Form and a PDF Privacy Consent Form. The PDF version is available for people who are unable to access the online version.
If physical forms are used, these must be scanned and stored in the Digital Asset Management database. The physical forms can then be destroyed securely.
Where Consent has expired, Stroke Foundation will contact the individual prior to the continued use of the data.
Opt-out or Withdrawal of Consent
An individual can opt-out of communications or withdraw their Consent to Stroke Foundation handling their Personal Information by contacting Stroke Foundation on 03 9670 1000 or by email: email@example.com
Use of Third-party providers to collect information
Third-party providers may be used to collect and report information on behalf of Stroke Foundation. Stakeholders will be asked to Consent to this methodology prior to the collection of information. Individuals can opt out by contacting Stroke Foundation on 03 9670 1000 or by email: firstname.lastname@example.org
Collecting your personal information via Stroke Foundation websites
Stroke Foundation uses technology such as ‘cookies’ to gather Personal Information. We do this for two reasons: to ensure our online resources are easier to use, and so that we can better understand the needs of our users. When you visit a Stroke Foundation site on your device, you may be sent a file containing unique information based on your use of our sites (this is called a cookie). This allows our sites to recognise your device and whether you have visited our site before. Information that is collected by us may include your IP address, ISP (internet service provider), the web browser used (e.g., Chrome, Microsoft Edge), the operating system used and which of our website pages you visited.
The information we gather also allows us to better track traffic and engagement. We use the Google Analytics service to gather this information. This gives us insight into our websites in areas such as demographics, interests, impressions, remarketing and reporting. With this research and insight we can continuously improve our services and understand where there is a need for further resources to be developed for our community. We may also use third-party cookies (such as Facebook pixels) so that we can better measure our performance and target sponsored and unsponsored content to you on those third-party platforms. We also use links in our emails to track open and click-through rates. This helps us learn and ensures we improve the quality of our services, programs and resources.
By using our websites and viewing our emails, you are consenting to this information being gathered by Google Analytics. It is important to note that this information does not identify individual users. If you do not wish to receive cookies, you can go to the settings section of your browser and set it to refuse cookies. You can also opt out of Facebook advertising by going to “Why am I seeing this?” on a specific Stroke Foundation Facebook ad, selecting “Options” and then selecting “Hide all ads from this advertiser.”
Data Security & Handling
Stroke Foundation complies with the Privacy Amendment (Notifiable Data Breaches) Act 2017 and undertakes all reasonable steps to protect Personal Information from loss and unauthorised misuse, access, interference, modification or disclosure, including storing data within Australia.
Stroke Foundation takes all reasonable steps to securely destroy or permanently de-identify Personal Information for which there is no ongoing business, regulatory, contractual or legal requirement, in accordance with our Information and Systems Security Policy.
Stroke Foundation retains data consistent with Stroke Foundation’s business, legal and regulatory purposes:
- APP 11.2 requires data to be destroyed or de-identified once it is no longer needed for the purpose for which it was provided.
- an individual can ask for the removal of their Personal Information from Stroke Foundation’s customer relationship management database by contacting Stroke Foundation on 03 9670 1000 or by email: email@example.com. Where possible the information will be removed; however, if the record is required to be maintained under legislation, the data will be de-identified and removed when it is no longer required to be maintained.
- the Income Tax Assessment Act 1936 requires financial records to be maintained for five years after an income tax assessment was lodged.
When Stroke Foundation data has been provided to a third party:
- the primary purpose of providing that information is the overriding factor for the third party retaining the data. Therefore, APP 11.2 is the applicable standard: data must be destroyed or de-identified by the third party once it is no longer needed for the purpose for which it was provided. This includes deletion from backup sites.
- appropriate handling of shared data is included in all contracts with third-party providers.
- for the avoidance of doubt, Stroke Foundation will write to all third parties who have received Stroke Foundation data every 12 months, instructing them to destroy or de-identify that data and to confirm by reply email/mail that this action has been taken.
Stroke Foundation maintains Data Retention and Data Breach Management Procedures in support of this Policy.
Use & Disclosure
Stroke Foundation will use the Personal Information it collects to:
- Contact its donors, consumers and Stakeholders;
- Comply with legislative and regulatory requirements;
- Identify donors, consumers and Stakeholders when they request information, change their details or have queries;
- Empower the stroke and wider community through sharing stories, lived experiences and images;
- Ensure the continuous improvement of Stroke Foundation’s business, workforce and services;
- Customise advertising and marketing content.
Stroke Foundation will use the Personal Information it collects for the original purpose for which it was disclosed, a directly related purpose with Consent or as required or permitted by law.
The organisation may disclose Personal Information it holds where there is a legal obligation to do so, including a lawful duty of care.
Under the APP guidelines, there are ‘special’ situations which allow the use or disclosure of Personal Information, for example, where Stroke Foundation reasonably believes:
- the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or to public health or safety, or
- an individual may have engaged in unlawful behaviour or serious misconduct that relates to Stroke Foundation’s activities.
In such circumstances, Stroke Foundation is obligated to disclose the Personal Information and take appropriate action.
Disclosure to Third Parties
Stroke Foundation may disclose Personal Information to the following Third Parties where there is a business need to do so:
- To related entities;
- To Contractors, Consultants and other service providers appointed by us; including but not limited to website and data hosting providers, technology service providers and advertising and promotional agencies;
- To our professional advisers, including but not limited to accountants, insurers, lawyers and auditors;
- To an attorney, financial advisor, accountant or medical practitioner who certifies in writing on letterhead that he/she acts for an individual and makes a specific request for specific information, with evidence of the appointing instrument provided;
- Otherwise with Consent or as required or permitted by law.
Prior to disclosing Personal Information to Third Parties, Stroke Foundation will agree upon confidentiality terms binding such Third Parties to the same or greater level as provided for in this Policy.
Access & Correction
Stroke Foundation will take all reasonable steps to ensure the Personal Information it collects is accurate, complete, up to date and relevant, having regard to the use or disclosure of the Personal Information it holds.
Subject to the APP guidelines, individuals may gain access to their Personal Information held by Stroke Foundation if it is reasonable and practical to do so.
Stroke Foundation will respond to an access request within a reasonable period: 14 days for simple requests, and not exceeding 30 calendar days for any request. Should an access request be refused, Stroke Foundation will provide the requestor with a written notice, including information on how to dispute the refusal.
An individual can request to correct Personal Information held by Stroke Foundation. Stroke Foundation will respond to the request within a reasonable period of time.
Workforce Members will be trained in the organisational procedure for responding to requests for access to Personal Information.
Stroke Foundation welcomes feedback on this Policy which may be provided through Stroke Foundation’s Contact Us page.
Appendix 1: Stroke Experience Consent Guidelines
Stroke Experiences are the lived experiences, images and digital recordings of the people in our stroke community. Sharing the experiences of people in our stroke community is an important part of what we do.
Stroke Foundation understands that mismanaging communications can harm both the people we strive to support and our organisation. We also recognise the opportunity for sharing experiences to empower Contributors, as well as those who hear them.
Stroke Foundation seeks to establish Express Consent wherever possible for the collection and use of Stroke Experiences.
The terms of Consent provide a definitive time frame for which Consent is given. We understand that circumstances change and that information should not be used indefinitely. Renewing Consent aims to ensure the currency and accuracy of experiences and/or photographs. It also provides an opportunity for our Contributors to share new experiences.
Stroke Foundation’s Digital Asset Management database process requires that Consent is recorded for Stroke Experiences.
Stroke Foundation’s engagement with Contributors will include, where relevant, discussion of the opportunities and risks associated with sharing Stroke Experiences and examples of how that content might be used or published.
Stroke Foundation is proactive in communicating with Contributors about the publication of their Stroke Experiences, even with established Consent. This means that Stroke Foundation will take all reasonable steps to engage with Contributors prior to publication and provide them with access to all published material.
Stroke Foundation welcomes engagement with Contributors at all stages in the process. A central contact is available via firstname.lastname@example.org.