1. Introduction

The Stroke Foundation respects the privacy rights of all individuals and is committed to ensuring that we comply at all times with our obligations under the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), including the Australian Privacy Principles and the Privacy Amendment (Notifiable Breaches) Act 2017 (Cth).

We may amend this Privacy Policy at any time and for any reason. The updated version will be available here and will apply whether or not we have given you specific notice of any change.

2. Definitions

Personal Information

Personal Information includes a broad range of information and/or opinions that could identify an individual. Examples of Personal Information include but are not limited to:

  • an individual’s name, signature, address, phone number or date of birth
  • Sensitive Information
  • credit information
  • Employee record information, including but not limited to
    • Candidate information submitted and obtained from the Candidate and other sources in connection with applications for employment
    • Employment performance information
    • Personal information e.g. home address and contact details, gender, date of birth, next of kin
    • Information regarding issues and incidents in the workplace
    • Information obtained to assist in managing stakeholder and business relationships, and
    • Information documenting the work history of workforce members (e.g. letter of appointment and bank account details including records of salary adjustments)

  • Contact and Relationship Management information, including but not limited to
    • Products and services offered/provided by Third Parties
    • Current and historical interactions between Stroke Foundation and its donors, consumers and stakeholders
    • Contact details of Employees who provide specialised donor, consumer and stakeholder services
    • Storytelling Content
    • internet protocol (IP) addresses
    • voice print (e.g. audio recording)
    • location information from a mobile device.

    Storytelling Content

    Personal Information that captures a person’s lived experiences, images/photographs and/or video/audio recordings.


    A person who actively shares Storytelling Content with Stroke Foundation.

    Sensitive Information

    Sensitive Information is Personal Information that includes information or an opinion about an individual’s:

    • racial or ethnic origin
    • political opinions or associations
    • religious or philosophical beliefs
    • trade union membership or associations
    • sexual orientation or practices
    • criminal record
    • health or genetic information.

    It may also include some elements of biometric information.


    Consent is defined as ‘Express Consent or Implied Consent’. All Consent must be informed. The four key elements of Consent are:

    • the individual is adequately informed before giving Consent
    • the individual gives Consent voluntarily
    • the Consent is current and specific, and
    • the individual has the capacity to understand and communicate their Consent.

    Express Consent

    Express Consent is given explicitly, either orally or in writing.

    Implied Consent

    Implied Consent arises where Consent may reasonably be inferred in the circumstances from the conduct of the individual and Stroke Foundation. Inference of an individual’s Consent will only be appropriate where the Contributor could reasonably expect the shared content to be used to further Stroke Foundation's Mission and the ability to opt out was clearly communicated and easy to access.

    Australian Privacy Principles (APP)

    The Australian Privacy Principles (APP) established by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) as they apply to Organisations and Government agencies.

    3. Australian Privacy Principles (APP)

    The Stroke Foundation adheres to the principles set out in the Australian Privacy Principles (APP) in the way it collects, manages and uses Personal Information.

    4. Open & Transparent Management of Information

    The Stroke Foundation’s Privacy Policy is publicly available on its website.

    When requested by an individual, the Stroke Foundation will take reasonable steps (in accordance with applicable Law) to inform the individual of the type of Personal Information held and how it collects, holds, uses and discloses that Personal Information.

    5. Collection of Information

    Stroke Foundation collects Personal Information that is reasonably necessary to carry out its work. Wherever practicable, Personal Information is collected directly from the individual. Information may also be collected if publicly available, but only where collecting and holding that information is necessary to carry out Stroke Foundation work.

    Stroke Foundation has implemented procedures and systems to obtain and record Consent.

    Stroke Foundation collects Sensitive Information where Express Consent has been provided and it is relevant to the work of the Stroke Foundation.

    Individuals may be photographed when attending Stroke Foundation events. Wherever practicable, Stroke Foundation will seek Express Consent for the use of any images obtained.

    5.1 Storytelling Content Guidelines

    Stroke Foundation has developed specific guidelines to make ethically sound decisions in relation to the collection of Storytelling Content that abides by relevant legislation, such as the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and is consistent with Stroke Foundation’s Values and policies. Refer to Appendix 1 below.

    Consent for the use of Storytelling Content is required to be recorded using the Storytelling Content Consent Form in Stroke Foundation’s digital asset management database. Where Consent has expired, Stroke Foundation will contact the individual prior to the continued use of the data.

    5.2 Opt-out or Withdrawal of Consent

    An individual can opt-out of communications or withdraw their Consent to Stroke Foundation handling their Personal Information by contacting Stroke Foundation on 03 9670 1000 or by email:

    6. Collecting your personal information via Stroke Foundation websites

    The Stroke Foundation uses technology such as cookies to gather personal information. We do this for two primary reasons: to ensure our online resources are easier to use and so that we can understand the needs of our users better. When you visit a Stroke Foundation site on your device, you may be sent a file containing unique information based on your use of our sites (this is called a cookie). This allows our sites to recognise your device and whether you have visited our site before. Information that is collected by us may be your IP address, ISP (internet service provider), web browser used (e.g. Chrome, Internet Explorer), the operating system you used and which of our website pages you visited.

    The information we gather also allows us to better track traffic and engagement. We use the Google Analytics service to gather this information. This provides us with insight into our websites in areas such as demographics, interests, impressions, remarketing, and reporting. With this research and insight we are able to continuously improve our services and understand where there is a need for further resources to be developed for our community. We may also use third-party cookies (such as Facebook pixels), so that we can better measure our performance and target sponsored and unsponsored content to you on those third-party platforms. We also use links in our emails to track open and click-through rates. This helps us learn and ensures we improve the quality of services, programs and resources.

    By using our websites and viewing our emails, you are consenting to this information being gathered by Google Analytics. It is important to note that this information does not identify individual users. If you do not wish to receive cookies, you can go to the settings section of your browser and set this to not receive cookies. You can also opt out from Facebook advertising by going to “Why am I seeing this?” on a specific Stroke Foundation Facebook ad, selecting “Options” and then selecting “Hide all ads from this advertiser.”

    7. Data Security & Handling

    The Stroke Foundation complies with the Privacy Amendment (Notifiable Data Breaches) Act 2017 and undertakes all reasonable steps to protect Personal Information from loss and unauthorised misuse, access, interference, modification or disclosure, including storing data within Australia.

    Stroke Foundation takes all reasonable steps to destroy or permanently de-identify Personal Information for which there is no ongoing business, regulatory, contractual or legal requirement.

    Stroke Foundation maintains Data Retention and Data Breach Management Procedures in support of this Policy.

    8. Use & Disclosure

    8.1 Use

    The Stroke Foundation will use the Personal Information it collects to:

    • Contact its donors, consumers and Stakeholders;
    • Comply with legislative and regulatory requirements;
    • Identify donors, consumers and Stakeholders when they request information, change their details or have queries;
    • Empower the stroke and wider community through sharing stories, lived experiences and images;
    • Ensure the continuous improvement of the Stroke Foundation business, workforce and services;
    • Customise advertising and marketing content.

    Stroke Foundation will use the Personal Information it collects for the original purpose for which it was disclosed or for other purposes with Consent or as required or permitted by law.

    8.2 Disclosure

    The organisation may disclose Personal Information it holds where there is a legal obligation to do so, including a lawful duty of care.

    Under the APP guidelines, there are ‘special’ situations which allow the use or disclosure of Personal Information, for example where the Stroke Foundation reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or to public health or safety, or an individual may have engaged in unlawful behaviour or serious misconduct that relates to the Stroke Foundation activities.

    In such circumstances, the Stroke Foundation is obligated to disclose the Personal Information and take appropriate action.

    8.3 Disclosure to Third Parties

    The Stroke Foundation may disclose Personal Information to the following Third Parties where there is a business need to do so:

    • To related entities;
    • To Contractors, Consultants and other service providers appointed by us; including but not limited to website and data hosting providers, technology service providers and advertising and promotional agencies;
    • To our professional advisers, including but not limited to accountants, insurers, lawyers and auditors;
    • To an attorney, financial advisor, accountant or medical practitioner who certifies in writing on letterhead that he/she acts for an individual and makes a specific request for specific information, with evidence of the appointing instrument provided;
    • Otherwise with Consent or as required or permitted by law.

    Prior to disclosing Personal Information to Third Parties, the Stroke Foundation will agree upon confidentiality terms binding such Third Parties to the same or greater level as provided for in this Policy.

    9. Access & Correction

    Stroke Foundation will take all reasonable steps to ensure the Personal Information it collects is accurate, complete, up to date and relevant, having regard to the use or disclosure of the Personal Information it holds.

    Subject to the APP guidelines, individuals may gain access to their Personal Information held by the Stroke Foundation if it is reasonable and practical to do so.

    The Stroke Foundation will respond to an access request within a reasonable period: 14 days for simple requests, and not exceeding 30 calendar days for all requests. Should an access request be refused, Stroke Foundation will provide the requestor with a written notice, including information on how to dispute a refusal.

    An individual can request to correct Personal Information held by Stroke Foundation. Stroke Foundation will respond to the request within a reasonable period of time.

    Workforce Members will be trained in organisational procedure on how to respond to requests for access to personal information.

    10. Information Destruction Policy

    Stroke Foundation retains data consistent with Stroke Foundation’s business, legal and regulatory purposes. Data no longer required is securely destroyed in accordance with Stroke Foundation’s Data Retention Policy.

    11. Feedback

    Stroke Foundation welcomes feedback on this Policy which may be provided through Stroke Foundation’s Contact Us page.

    Appendix 1: Storytelling Content Guidelines

    Stories are the lived experiences, images and digital recordings of the girls, boys, men and women in our stroke community. Sharing these stories is a significant part of Stroke Foundation’s work.

    Stroke Foundation understands that mismanaging communications can harm both the people we strive to support, as well as our organisation. We also recognise the opportunity for storytelling to empower Contributors, as well as those who hear it.


    Stroke Foundation seeks to establish Express Consent wherever possible for the collection and use of Storytelling Content.

    The terms of Consent provide a three-year timeframe for which Consent is given, as we understand that circumstances change and information should not be used indefinitely. Renewing Consent aims to ensure the currency and accuracy of Storytelling Content and provides an opportunity to our Contributors to share new stories.

    Stroke Foundation’s digital library collection and review process requires that Consent is recorded for Storytelling Content.


    Stroke Foundation’s engagement with Contributors will include, where relevant, discussion of the opportunities and risks associated with sharing Storytelling Content and examples of how that content might be used or published.

    Stroke Foundation is proactive in communicating with Contributors about the publication of their Storytelling Content, even with established Consent. This means that Stroke Foundation will take all reasonable steps to engage with Contributors prior to publication and provide them with access to all published material.

    Stroke Foundation welcomes engagement with Contributors at all stages in the process. A central contact is available via