The Stroke Foundation respects the privacy rights of all individuals and is committed to ensuring that we comply at all times with our obligations under the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), including the Australian Privacy Principles and the Privacy Amendment (Notifiable Breaches) Act 2017 (Cth).
Personal Information includes a broad range of information and/or opinions that could identify an individual. Examples of Personal Information include but are not limited to:
- an individual’s name, signature, address, phone number or date of birth
- Sensitive Information
- credit information
- Employee record information, including but not limited to
- Candidate information submitted and obtained from the Candidate and other sources in connection with applications for employment
- Employment performance information
- Personal information e.g. home address and contact details, gender, date of birth, next of kin
- Information regarding issues and incidents in the workplace
- Information obtained to assist in managing stakeholder and business relationships, and
- Information documenting the work history of workforce members (e.g. letter of appointment and bank account details including records of salary adjustments)
- Contact and Relationship Management information, including but not limited to
- Products and services offered/provided by Third Parties
- Current and historical interactions between Stroke Foundation and its donors, consumers and stakeholders
- Contact details of Employees who provide specialised donor, consumer and stakeholder services
- Storytelling Content
- internet protocol (IP) addresses
- voice print (e.g. audio recording)
- location information from a mobile device.
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information.
- the individual is adequately informed before giving Consent
- the individual gives Consent voluntarily
- the Consent is current and specific, and
- the individual has the capacity to understand and communicate their Consent.
- Contact its donors, consumers and Stakeholders;
- Comply with legislative and regulatory requirements;
- Identify donors, consumers and Stakeholders when they request information, change their details or have queries;
- Empower the stroke and wider community through sharing stories, lived experiences and images;
- Ensure the continuous improvement of the Stroke Foundation business, workforce and services;
- Customise advertising and marketing content.
- To related entities;
- To Contractors, Consultants and other service providers appointed by us, including but not limited to website and data hosting providers, technology service providers and advertising and promotional agencies;
- To our professional advisers, including but not limited to accountants, insurers, lawyers and auditors;
- To an attorney, financial advisor, accountant or medical practitioner who certifies in writing on letterhead that he/she acts for an individual and makes a specific request for specific information, with evidence of the appointing instrument provided;
- Otherwise with Consent or as required or permitted by law.
Personal Information that captures a person’s lived experiences, images/photographs and/or video/audio recordings.
A person who actively shares Storytelling Content with Stroke Foundation.
Sensitive Information is Personal Information that includes information or an opinion about an individual’s:
It may also include some elements of biometric information.
Consent is defined as ‘Express Consent or Implied Consent’. All Consent must be informed. The four key elements of Consent are:
Express Consent is given explicitly, either orally or in writing.
Implied Consent arises where Consent may reasonably be inferred in the circumstances from the conduct of the individual and Stroke Foundation. Inference of an individual’s Consent will only be appropriate where the Contributor could reasonably expect the shared content to be used to further Stroke Foundation's Mission and the ability to opt out was clearly communicated and easy to access.
Australian Privacy Principles (APP)
The Australian Privacy Principles (APP) established by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) as it applies to Organisations and Government agencies.
3. Australian Privacy Principles (APP)
The Stroke Foundation adheres to the principles set out in the Australian Privacy Principles (APP) in the way it collects, manages and uses Personal Information.
4. Open & Transparent Management of Information
When requested by an individual, the Stroke Foundation will take reasonable steps (in accordance with applicable Law) to inform the individual of the type of Personal Information held and how it collects, holds, uses and discloses that Personal Information.
5. Collection of Information
Stroke Foundation collects Personal Information that is reasonably necessary to carry out its work. Wherever practicable, Personal Information is collected directly from the individual. Information may also be collected if publicly available but only where that collecting and holding information is necessary to carry out Stroke Foundation work.
Stroke Foundation has implemented procedures and systems to obtain and record Consent.
Stroke Foundation collects Sensitive Information where Express Consent has been provided and it is relevant to the work of the Stroke Foundation.
Individuals may be photographed when attending Stroke Foundation events. Wherever practicable, Stroke Foundation will seek Express Consent for the use of any images obtained.
5.1 Storytelling Content Guidelines
Stroke Foundation has developed specific guidelines to make ethically sound decisions in relation to the collection of Storytelling Content that abides by relevant legislation, such as the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and is consistent with Stroke Foundation’s Values and policies. Refer to Appendix 1 below.
Consent for the use of Storytelling Content is required to be recorded using the Storytelling Content Consent Form in Stroke Foundation’s digital asset management database. Where Consent has expired, Stroke Foundation will contact the individual prior to the continued use of the data.
5.2 Opt-out or Withdrawal of Consent
An individual can opt-out of communications or withdraw their Consent to Stroke Foundation handling their Personal Information by contacting Stroke Foundation on 03 9670 1000 or by email: email@example.com
6. Collecting your personal information via Stroke Foundation websites
The Stroke Foundation uses technology such as cookies to gather personal information. We do this for two primary reasons: to ensure our online resources are easier to use, and so that we can understand the needs of our users better. When you visit a Stroke Foundation site on your device, you may be sent a file containing unique information based on your use of our sites (this is called a cookie). This allows our sites to recognise your device and whether you have visited our site before. Information that is collected by us may be your IP address, ISP (internet service provider), web browser used (e.g. Chrome, Internet Explorer), the operating system you used and which of our website pages you visited.
The information we gather also allows us to better track traffic and engagement. We use the Google Analytics service to gather this information. This gives us insight into our websites in areas such as demographics, interests, impressions, remarketing, and reporting. With this research and insight we are able to continuously improve our services and understand where there is a need for further resources to be developed for our community. We may also use third-party cookies (such as Facebook pixels), so that we can better measure our performance and target sponsored and unsponsored content to you on those third-party platforms. We also use links in our emails to track open and click-through rates. This helps us learn and ensures we improve the quality of services, programs and resources.
By using our websites and viewing our emails, you are consenting to this information being gathered by Google Analytics. It is important to note that this information does not identify individual users. If you do not wish to receive cookies, you can go to the settings section of your browser and set this to not receive cookies. You can also opt out from Facebook advertising by going to “Why am I seeing this?” on a specific Stroke Foundation Facebook ad, selecting “Options” and then selecting “Hide all ads from this advertiser.”
7. Data Security & Handling
The Stroke Foundation complies with the Privacy Amendment (Notifiable Data Breaches) Act 2017 and undertakes all reasonable steps to protect Personal Information from loss and unauthorised misuse, access, interference, modification or disclosure, including storing data within Australia.
Stroke Foundation takes all reasonable steps to destroy or permanently de-identify Personal Information for which there is no ongoing business, regulatory, contractual or legal requirement.
Stroke Foundation maintains Data Retention and Data Breach Management Procedures in support of this Policy.
8. Use & Disclosure
The Stroke Foundation will use the Personal Information it collects to:
Stroke Foundation will use the Personal Information it collects for the original purpose for which it was disclosed or for other purposes with Consent or as required or permitted by law.
The organisation may disclose Personal Information it holds where there is a legal obligation to do so, including a lawful duty of care.
Under the APP guidelines, there are ‘special’ situations which allow the use or disclosure of Personal Information, for example where the Stroke Foundation reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or to public health or safety, or an individual may have engaged in unlawful behaviour or serious misconduct that relates to the Stroke Foundation activities.
In such circumstances, the Stroke Foundation is obligated to disclose the Personal Information and take appropriate action.
8.3 Disclosure to Third Parties
The Stroke Foundation may disclose Personal Information to the following Third Parties where there is a business need to do so:
Prior to disclosing Personal Information to Third Parties, the Stroke Foundation will agree upon confidentiality terms binding such Third Parties to the same or greater level as provided for in this Policy.
9. Access & Correction
Stroke Foundation will take all reasonable steps to ensure the Personal Information it collects is accurate, complete, up to date and relevant, having regard to the use or disclosure of the Personal Information it holds.
Subject to the APP guidelines, individuals may gain access to their Personal Information held by the Stroke Foundation if it is reasonable and practical to do so.
The Stroke Foundation will respond to an access request within a reasonable period, 14 days for simple requests and not exceeding 30 calendar days for all requests. Should an access request be refused, Stroke Foundation will provide the requestor with a written notice, including information on how to dispute a refusal.
An individual can request to correct Personal Information held by Stroke Foundation. Stroke Foundation will respond to the request within a reasonable period of time.
Workforce Members will be trained in organisational procedure on how to respond to requests for access to personal information.
10. Information Destruction Policy
Stroke Foundation retains data consistent with Stroke Foundation’s business, legal and regulatory purposes. Data no longer required is securely destroyed in accordance with Stroke Foundation’s Data Retention Policy.
Stroke Foundation welcomes feedback on this Policy which may be provided through Stroke Foundation’s Contact Us page.
Appendix 1: Storytelling Content Guidelines
Stories are the lived experiences, images and digital recordings of the girls, boys, men and women in our stroke community. Sharing these stories is a significant part of Stroke Foundation’s work.
Stroke Foundation understands that mismanaging communications can harm both the people we strive to support, as well as our organisation. We also recognise the opportunity for storytelling to empower Contributors, as well as those who hear it.
Stroke Foundation seeks to establish Express Consent wherever possible for the collection and use of Storytelling Content.
The terms of Consent provide a three-year timeframe for which Consent is given, as we understand that circumstances change and information should not be used indefinitely. Renewing Consent aims to ensure the currency and accuracy of Storytelling Content and provides an opportunity to our Contributors to share new stories.
Stroke Foundation’s digital library collection and review process requires that Consent is recorded for Storytelling Content.
Stroke Foundation’s engagement with Contributors will include, where relevant, discussion of the opportunities and risks associated with sharing Storytelling Content and examples of how that content might be used or published.
Stroke Foundation is proactive in communicating with Contributors about the publication of their Storytelling Content, even with established Consent. This means that Stroke Foundation will take all reasonable steps to engage with Contributors prior to publication and provide them with access to all published material.
Stroke Foundation welcomes engagement with Contributors at all stages in the process. A central contact is available via firstname.lastname@example.org