Action on Poverty (AOP) is committed to using the information you provide to us responsibly. Our actions are guided by the Privacy Act 1988 (Cth), as amended in 2012 and 2017, and by the Australian Privacy Principles, as well as the other codes of conduct to which we adhere.
We are also guided by the individual requirements of various grantmakers, many of which are based on non-Australian legal frameworks, on a project-to-project basis.
We value your privacy and are committed to the highest levels of professional service. This includes protecting the privacy of people who support us and protecting the privacy of those with whom we work in developing countries.
If you wish to deal with us without identifying yourself (for example, using a pseudonym or anonymously), we will make this option available where it is practicable to do so. However, if you choose not to provide your personal information, we may not be able to provide you with something you require (e.g. a tax receipt).
1. Types of personal information we collect and hold
The types of personal information we collect and hold depends on the nature of your dealings with us. In general, we collect personal information:
- in order to provide services to you, or because you are one of our supporters
- so we can share the impact of our work in order to gain more support and optimise benefits to communities overseas
- because you are our employee or volunteer
- because you are one of our suppliers or contractors or employed by them
- because you are one of our partners or employed by them
- because you are a participant in our overseas projects.
We will only use your personal information for the purposes of our activities when:
- we have your express (or implied) consent to do so
- its use is otherwise required or permitted by law
The personal information we typically collect is provided by you and includes:
- contact details (name, address, email, phone numbers)
- your position, if you are employed by one of our partners, suppliers or contractors
- payment details (credit card, debit card, bank account)
- transaction details/history
- records of your communications and interactions with us
- skills or connections that you might have that can assist us in our work
2. How we collect personal information
We may collect personal information about you in various ways including:
- directly from you:
  - in person, including at our offices or during field visits
  - in writing, including via paper forms
  - over the internet, including via our website, emails, online surveys and forms
- from publicly available sources of information (such as phone books or public websites)
- from third parties, including:
  - fundraising organisations such as ‘Inspired Adventures’ or ‘Everyday Hero’
  - your employer
  - third parties to whom you have given consent to share your personal information.
3. How we hold personal information
We hold personal information electronically and in paper form.
We take reasonable security measures to protect your personal information from misuse, loss, unauthorised access, modification or disclosure, using industry standard technology and processes including access-controlled premises, encryption of electronic data, and databases requiring logins and passwords. Data is backed up on a regular basis and is sometimes stored in the cloud; where this is the case, we use service providers based in Australia and the USA.
For credit card information, we use the eTapestry secure payment gateway service. All eTapestry services are fully PCI compliant. PCI compliance means meeting a set of security requirements endorsed by the PCI Security Standards Council, which was founded by a consortium of major credit card brands to enhance credit and debit card data security. The consortium includes Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB. All organisations that process, store, or transmit payment card data must comply with PCI standards, and existing merchant organisations that do not comply risk losing their ability to process credit card payments. eTapestry is a Blackbaud product.
Blackbaud has validated compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
For further information please go to https://www.blackbaud.com/pci-compliance
Our website may contain links to other sites. These other sites may also have links to our site. In either case, we are not responsible for the content, privacy practices or business practices of any website or company except our own.
4. The purposes for which we collect, hold, use and disclose personal information
We collect, hold, use and disclose your personal information for the purposes of being able to fulfil our core work. In doing so we need to provide services, such as:
- processing donations and providing tax receipts
- working with our partners
- reporting to our donors and other stakeholders
- sending mail, emails or newsletters with details of opportunities you may be interested in, in order to assist people in need
- raising awareness of issues that we are involved with
- dealing with enquiries
- dealing with complaints
For employment applications, if you apply for a job with us, we will hold, use and disclose that information solely for the purpose of considering your application. In particular, in considering your application, it may be necessary for us to disclose some of that information to third parties to verify the accuracy of that information. In such circumstances, we will disclose only such information as is necessary. In considering your application, we may also collect personal information about you from any third parties that you nominate as your referees in your application.
We use Google Analytics to track visits to our website and compile general statistical information about the use of our website so that we can continually improve our services to you. We also use tools that tell us when a computer or device has visited or accessed our content, and that allow us to tailor advertising, both on our websites and through advertising networks on other websites, based on your visits or behaviour, using cookies on your device. If you prefer not to allow the use of these tracking technologies, you may adjust your browser to either turn them off or to notify you when they are being used. We use the tracking information only for the purpose of improving our website and do not disclose this information to any third party.
Similarly, you can also engage with us through our social media channels such as Facebook, Instagram and Twitter. You can opt in or out of these websites and can control how you receive content from us through each website’s settings page. We use data collected through these channels only in an anonymous and aggregated form, for statistical purposes.
You can contact us at any time if you do not wish to receive any of our marketing material. All electronic means of marketing include an unsubscribe button, which will permanently remove you from all future communications.
5. Who we share personal information with
For the purposes outlined above, we may disclose your personal information to:
- our related entities or third-party service providers and contractors who assist us in our internal business and administrative operations
- our partners if the information relates to the programs we run with them
- other approved Australian fundraising partners
- the Department of Foreign Affairs and Trade (DFAT) or the Australian Taxation Office (ATO), in order to comply with accreditation criteria or where required under applicable law.
Before disclosing personal information to third-party suppliers or other Australian fundraising groups, we require them to acknowledge the importance of protecting the privacy of personal information and to give an undertaking to comply with the Privacy Act.
6. Disclosure overseas
In some circumstances we may disclose information to our partners located overseas if related to an overseas project in which they are involved. This disclosure is usually apparent at the time that we collect your information.
7. Accessing your personal information
You have the right to request access to personal information we hold about you. Please contact us using the contact details below in the “How to contact us” section.
For security reasons, a written request may be required to access your personal information.
In some circumstances, we may charge a fee for giving you access to the information you require. If this is the case, we will explain the reasons why we propose to charge the fee and give you an estimate of the fee so you can confirm that you still require us to give you access to the information. We do not charge you for lodging a request to access your personal information.
We will not refuse you access unless this is authorised or required by law. In such circumstances, we will explain those reasons to you.
To ensure the personal information we hold about you is accurate, up-to-date and complete, we recommend that you:
- let us know if there are any errors in your personal information
- keep us up to date with changes to personal information such as your name, address, or other contact details
8. Data breaches
AOP regards a breach as being the release of your personal information outside the scope of that which is authorised by this policy.
AOP’s approach to handling data breaches is based on the statutory requirements of the Privacy Amendment (Notifiable Data Breaches) Act 2017, and further informed by guidance provided by the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Scheme.
AOP will make every effort to protect your data. However, in the case that we suspect that your data may have been breached, we will undertake a Suspected Data Breach Assessment to verify whether this has occurred, assess the severity of the breach, determine whether the breach is remediable, and chart out an action plan.
This Assessment will be completed by the AOP Senior Management Team within 30 days of the suspicion first arising. In exceptional circumstances where an Assessment cannot be completed within 30 days, we will document: evidence that all reasonable steps were taken to complete the assessment in 30 days, the reasons for the delay, and evidence that the assessment was reasonable and expeditious.
8.1 Verification of breach
AOP will first seek to verify whether a breach has occurred or not. In the case that a data breach has not occurred, the false alarm will be noted and business as usual resumed.
8.2 Severity of breach
If a breach has been verified, the Assessment will seek to determine the severity of the breach. In doing so, it will consider:
- the kind and sensitivity of the information
- whether the information is protected by any security measures, and whether they are likely to be overcome
- who may obtain / has obtained the information and what their intentions may be
- the potential for physical, psychological, emotional, financial, or reputational harm
- any other relevant matters.
A breach involving any of the following kinds of information is automatically regarded as serious:
- Financial details (e.g. credit card or bank account numbers)
- Tax File Number (TFN)
- Identity information (e.g. insurance or social security, passport, or driver licence numbers)
- Contact information (e.g. home address, phone number, email address)
- Health information (e.g. information about conditions, diseases, or disabilities not in the public domain)
- Other sensitive information (e.g. sexual orientation, political or religious views, passwords or secret question/answer information)
8.3 Remediation of breach
The Assessment will seek to determine whether the breach can be remediated or not. Acceptable remedial action prevents further unauthorised access to, or disclosure of, the personal information concerned.
Examples of remediation include:
- Recovering, containing or destroying the data while preventing downstream breaches
- Establishing that the data is unrecoverable or unreadable to anyone who may receive it
- Remotely encrypting or destroying the data
If remediation is possible, it will be implemented immediately.
8.4 Notification of data breaches
In the unlikely case that there is a breach of your data, and in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017, AOP will notify you of:
- the dates or date range of the breach
- the circumstances of the data breach
- the kinds of information concerned
- the severity of the data breach
- whether AOP has been able to remediate the data breach or not
- recommendations about the steps you should take in response to the data breach.
We will continue working with you to reduce the potential harm that may eventuate as a result of the breach. We also work to strengthen our privacy protection capacity, and keep you informed of the measures we have taken.
In the case of a serious breach that cannot be remediated, we will additionally notify the OAIC of the breach using a “Notifiable Data Breach Statement” form. The OAIC will then become involved in harm reduction and privacy protection capacity strengthening measures going forward.
9. How to make further enquiries or make a complaint
If you require further information on how we manage your personal information or wish to make a complaint about a breach of your privacy, please contact us using the contact details in the section “How to contact us” below. We also have a complaints policy and complaints form available on our website. We will acknowledge your enquiry or complaint within a reasonable time and we will advise you if we require further information to provide you with a response or determine your complaint.
For complaints, to assist us in helping you, we ask you to follow a simple three-step process:
- gather all supporting documents about the matter of complaint, think about the questions you want answered and decide on what you want us to do
- telephone us in the first instance, and we will review your situation and, if possible, resolve it straight away
- if you are not satisfied with our response, we may require you to submit your complaint in writing, by email or post, with your contact details.
We will then investigate your complaint in line with our complaints policy procedure and endeavour to respond to you in writing within 30 days of receiving your written complaint.
If you are not satisfied with our response or determination of your complaint, you may contact the Australian Privacy Commissioner.
Director of Privacy Case Management
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
If calling from outside Australia: +61 2 9284 9749
10. How to contact us
Please mark your request Attention: Office Manager.
Telephone: +61 2 9906 3792
Email: [email protected]
Post: PO Box 1206, North Sydney NSW 2059, Australia