PRIVACY POLICY

Foodbank NSW & ACT

1.    Policy

This Policy sets out how Foodbank NSW & ACT Limited (FBNA) manages privacy obligations and reflects the 13 Australian Privacy Principles (APPs) from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). 

2.     Scope

FBNA is subject to the Privacy Act 1988 (Cth) (the Act). The Privacy Amendment (Enhancing Privacy Protection) Act 2012 which commenced in March 2014 made significant changes to the Act. This Policy complies with the new requirements imposed by the Act.

This Policy sets out how FBNA collects, holds, uses and discloses personal information including sensitive information.

3.     Policy Statement

FBNA is committed to the transparent and responsible management of personal information. FBNA is a registered company and is subject to the requirements of the Act. FBNA adheres to the Australian Privacy Principles (APPs) set out in Schedule 1 to the Act. 

This Policy applies to, and is binding on, all Directors, Officers, employees, volunteers, contractors and any other individuals or entities acting on behalf of FBNA. All such persons must comply with this Policy and any associated procedures.

4.     Definitions

Act means the Privacy Act 1988 (Cth). 

Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Act. 

Data breach means unauthorised access to, disclosure of, or loss of personal information that may compromise its security.

Permitted general situation has the same meaning as provided for in section 16A of the Act and referred to in APP 6.2(c). The permitted general situations are: lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety; taking appropriate action in relation to suspected unlawful activity or serious misconduct; locating a person reported as missing; asserting a legal or equitable claim; conducting an alternative dispute resolution process. 

Personal information means information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.

Privacy Officer means the person appointed by FBNA from time-to-time to manage all inquiries and complaints arising under this Policy. The Privacy Officer may delegate the management of any or all inquiries and complaints arising under this Policy to a member of FBNA Management. 

OAIC means the Office of the Australian Information Commissioner. 

Sensitive information as defined in the Act. 

Unauthorised access means personal information accessed by someone who is not permitted to have access. This could include, but not limited to, an employee of FBNA, a contractor or external third party (such as hacking). 

Web Analytics means the measurement collection, analysis and reporting of web data for the purpose of understanding and optimising web usage.

5.     Application of Policy

5.1  Subject to clause 5.2, this Policy applies to all personal information and sensitive information collected and held by FBNA. 

5.2 Despite clause 5.1, any act done or practice engaged in by FBNA directly related to: 

  • (a) a current or former employment relationship between FBNA and an individual, and 
  • (b) a current or historical employee record held by FBNA relating to an individual are exempt from this Policy in accordance with the Act and the APPs. 

5.3 Employee records are governed by the provisions of FBNA’s Disclosure of Personal Information Policy.

5.4 Staff Responsibilities: All staff, volunteers and contractors must: 

  • comply with this Policy and associated procedures; 
  • take reasonable steps to protect personal information in the course of their duties; and
  • immediately report any suspected or actual data
  • 6. Privacy Principles

    6.1 Personal information collected and held by FBNA

    FBNA collects personal information for the purposes of FBNA’s functions and activities. It collects personal information about staff, donors, volunteers and other individuals who have dealings with FBNA for administrative need, to conduct its business, for legislative compliance or for marketing, fundraising and research purposes. 

    The information may include:

    • residence and contact details;
    • date of birth;
    • details of next of kin;
    • identifying information including photographs;
    • records of injuries;
    • criminal checks;
    • qualifications’ and
    • financial information

    Some of the personal information that FBNA collects and holds is sensitive information. FBNA only collects sensitive information where it is necessary for the purpose for which it is being collected and with the individual’s consent unless the collection is required or authorised by law. 

    6.1.1 Automated decision making 

    Automated decision making is an application of generative artificial intelligence (AI). 

    FBNA will not use or disclose any personal information in any open-sourced automated decision making or generative application (eg ChatGPT, Bard). If at any time this changes, FBNA will publish this information as an update to this Policy accordingly.

    6.2 How FBNA collects and holds personal information

    FBNA collects and holds information from a number of sources. Where reasonably practicable, FBNA will only collect information from the individual to whom it relates. Frequently this will be collected through official FBNA administrative processes but it may also be collected from email, letters or other forms of communication or from publicly available sites. 

    Personal information is held in both paper and electronic form, including databases. 

    When an individual accesses the FBNA website, log files (“cookies”) are created by the web server that contain certain information including the Internet Protocol (IP) address of the visitor, the previous site visited (that is, how they have arrived at the website), the time and date of access and pages visited and downloaded. Cookies allow a website, such as the FBNA website, to temporarily store information on an individual’s machine for later use. FBNA’s website uses cookies to identify unique visitors to the site. 

    In order to improve FBNA’s services and assist the user, FBNA may store information about users of its website to create a digital profile and provide them with information specific to them. 

    FBNA also uses web analytics to obtain statistics about how its website is accessed. Web analytics rely upon cookies to gather information for the purpose of providing statistical reports to FBNA. The information generated by the cookie about an individual’s use of the FBNA website is transmitted to and stored by web analytic service providers on servers located within and outside Australia, but it does not include any personally identifying information. 

    Individual users generally have the option of accepting or rejecting cookies by adjusting the settings in their web browsers. However, rejecting cookies may impact upon the functionality of the FBNA website. 

    The FBNA website may contain links to other websites. FBNA cannot control the privacy controls of third party websites. Third party sites are not subject to FBNA’s Privacy Policy or Procedures.

    6.3 The purposes for which FBNA collects, holds, uses and discloses personal information 

    FBNA collects and uses personal information for a variety of different purposes relating to its functions and activities including:

    •  fundraising and marketing;
    • maintaining contact with stakeholders in the community 
    • community engagement; 
    • Government and other reporting;
    • commercial application of its intellectual property and professional expertise;
    • undertaking staff and volunteer recruitment activities • undertaking research;
    • handling complaints; • conducting its business and providing its services
    • improving the way in which it conducts its business; and
    • purposes directly related to the above.

    6.4 Use or disclosure for secondary purposes FBNA does not use or disclose personal information for purposes other than the purpose for which it was collected (the primary purpose) unless: 6.4.1 the individual has consented to a secondary use or disclosure, or 

    6.4.2 the secondary use or disclosure is related to the primary purpose (in the case of personal information that is not sensitive information) or is directly related to the primary purpose (in the case of sensitive information), or 

    6.4.3 it is otherwise required or authorised by or under an Australian law or a court/tribunal order, or 

    6.4.4 a permitted general situation exists (as described in clause 4 of this Policy), or 

    6.4.5 FBNA reasonably believes that it is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. 

    In ordinary circumstances, any disclosure of personal information for a secondary purpose under scenarios 6.4.3, 6.4.4 and 6.4.5 must be approved by the Privacy Officer.

    6.5 Security 

    FBNA will take reasonable and practicable steps to ensure the personal information held is protected from misuse, loss, unauthorised access, unwanted alteration or disclosure of information. 

    To achieve this, FBNA applies organisational and technical measures, including information and communications technology (ICT) security systems to protect personal information. 

    Organisational measures include governance and clear allocation of responsibility for privacy and information security, with management oversight and third-party management to ensure adherence to privacy requirements. 

    Technical measures include access controls, with role-based access as well as authentication controls. In relation to electronic records, personal information is collected via FBNA’s systems including web-based systems. FBNA has put in place measures to protect against loss, misuse and alteration of electronic information. Such measures include:

    • regularly assessing the risk of misuse, interference, loss, unauthorised access, modification or disclosure of information;  
    • keeping a record of when someone has added, changed or deleted personal information held in FBNA’s web-based systems and checking that staff only access the records they are permitted to, when they need to; 
    • regularly updating this Policy in accordance with the time frame outlined at clause 9.1 to ensure FBNA is up to date with information handling practices; and 
    • where necessary, using encryption technology to protect certain information and transactions.
    • FBNA will provide appropriate training and awareness programs to staff and relevant personnel to ensure they understand their obligations in relation to privacy and information security.

    6.6 Data Breach Management

    An eligible data breach may arise where there is unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to an individual.

    In the event of a suspected or actual data breach, FBNA will:

    • assess the nature and extent of the breach; 
    • take steps to contain and mitigate any harm; 
    • determine whether notification is required to affected individuals and/or regulators; and 
    • coordinate a response, including escalation to senior management where appropriate.

    6.7 Remaining anonymous or using a pseudonym 

    FBNA understands that anonymity is an important aspect of privacy and that in some circumstances some people may prefer to use a pseudonym when dealing with FBNA. People have the right to remain anonymous or to use a pseudonym when dealing with FBNA. However, for a significant proportion of its activities it is impracticable for FBNA to deal with individuals who have not identified themselves or who have used a pseudonym and those persons may not be able to access goods and services provided by FBNA.

    6.8 Unsolicited personal information 

    When FBNA receives unsolicited personal information, it will assess whether it is personal information that it could legally collect. If it is, it will treat it according to the APPs. If it is not, it will, if lawful to do so, destroy or de-identify it as soon as practicable.

    6.9 Direct marketing – Consent to direct marketing from us and the Charity sector. 

    FBNA may provide your personal information to third parties such as data list providers, and charity related organisations who analyse and swap information between charities. You may receive direct marketing material from other charities as a result. 

    By agreeing to this Privacy Policy, you consent to FBNA using your information in this way and in order to provide you with ongoing information about FBNA’s services, funding needs, programs and activities. You may unsubscribe from any direct marketing material at any time.

    6.10 Destruction of information that does not need to be retained 

    When FBNA no longer needs to retain personal information, and is lawfully able to do so, it will destroy or de-identify that information. FBNA will take all reasonable and practicable steps to ensure the destruction of personal information includes technical and organisational measures, including training and awareness, and use of appropriate third-parties for information destruction.

    6.11 How an individual may access personal information about the individual that is held by FBNA 

    Subject to clause 5.2, anyone has a right under the Act to access personal information that FBNA holds about them.

    An individual who wishes to access personal information held by FBNA can make a request by contacting the Privacy Officer, whose details are outlined at the bottom of this Policy.

    6.12 How an individual may seek the correction of personal information about the individual that is held by FBNA 

    Subject to clause 5.2, anyone has a right under the Act to request corrections to any personal information that FBNA holds about them if they think that the information is inaccurate, out of date, incomplete, irrelevant or misleading.

    An individual who wishes to correct any of their personal information held by FBNA can make a request by contacting the Privacy Officer, whose details are outlined at the bottom of this Policy.

    If FBNA does not agree that the information held is incorrect, it will note the discrepancy on the complainant’s file, but may not remove the existing information.

    6.13 How an individual may make a complaint 

    Subject to clause 5.2, anyone may complain about a suspected breach of an APP, the Privacy Policy, a data breach under this Policy, or any other breach of their privacy rights, by FBNA.

    The individual may choose to inquire or make a complaint anonymously or use a pseudonym in accordance with clause 6.6. This may affect the FBNA’s ability to respond to the individual or prevent or inhibit the FBNA from properly investigating the complaint. An anonymous complaint may be dismissed if investigation into the complaint is not practically possible or feasible. The individual can make a complaint by contacting the Privacy Officer using the contact details below.

    The complaint will be handled in accordance with this Policy and the FBNA Complaint Handling Policy by someone who was not involved in the decision about the complaint. FBNA will endeavour to advise the individual of its response in writing, including any action it proposes to take in relation to the complaint within 30 days.

    If FBNA does not respond to the complaint within 30 days or if the individual is dissatisfied with FBNA’s response to the complaint, the individual may make a complaint to the Office of the Australian Information Commissioner (OAIC). To make a complaint to the OAIC, the individual can refer to the details for making a privacy complaint outlined on the OAIC website.

    Where required by applicable legislation, an individual may request a formal internal review of FBNA’s handling of their personal information.

    Requests for review should:

    •  be made in writing to the Privacy Officer; and 
    • include sufficient detail to identify the matter being reviewed. 

    FBNA will conduct the review in accordance with its internal procedures and may escalate matters to regulatory authorities where required.

    6.14 Disclosure of personal information to overseas recipients by FBNA 

    FBNA may disclose personal information to overseas recipients if it is required to do so to provide its goods or services, if administrative functions are being carried out for FBNA offshore, or if data is being retained by a service provider of FBNA at an offshore facility. In all cases, FBNA will ensure that the party to whom the information is released will comply with all Australian privacy laws, or is subject to a jurisdiction whose privacy laws are more stringent than Australia’s, or in an organisation that has international certifications (eg ISO27001) pertaining to it proper security and use of the data held.

    FBNA may disclose personal information in these circumstances to an overseas recipient in any country. 

    FBNA may also disclose personal information to overseas recipients who are service providers for research or other purposes, including data storage. Australian law may not apply to those recipients. 

    FBNA will ensure that appropriate data handling and security arrangements are in place. Disclosure of personal information to overseas recipients may also be required or authorised by law.

    6.15 Disclosure of personal information to third parties 

    FBNA may disclose information to third parties:

    • to provide services; 
    • for purposes of research to improve its operations and services; 
    • to promote its activities; 
    • if permitted or required by law; or 
    • otherwise with the consent of the individual. 

    Where FBNA discloses personal information to third parties it will require restrictions on the collection and use of personal information equivalent to those required of FBNA by the Privacy Act 1988.

    7. Privacy Management Framework

    FBNA maintains a privacy management framework to support compliance with applicable privacy laws. 

    This framework includes: 

    • this Policy and related procedures (including the Data Breach Procedure and Response Plan); 
    • governance oversight by the Board, CEO and Privacy Officer; 
    • regular monitoring and review of privacy practices and risks; and 
    • internal guidance, tools and training to support staff compliance.
    8. Responsibilities

    8.1 Approval Authority 

    The Board is the Approval Authority for this Policy. 

    8.2 Governing Authority 

    The Chief Executive Officer is the Governing Authority for this Policy. 

    8.3 Responsible Officer 

    The Privacy Officer is the Responsible Officer for this Policy. 

    8.4 People Leaders People 

    Leaders are responsible for ensuring all staff, contractors and consultants are aware of their privacy obligations in relation to their engagement with FBNA. People Leaders must report all data breaches to the Privacy Officer as soon as practicable.

    8.5 Staff

    Staff are responsible for ensuring their own work practices comply with this policy and any associated procedures. Staff must report any data breach to their People Leader or the Privacy Officer as soon as practicable after becoming aware of it.

    Breach of this Policy Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or engagement.

    9. Further Assistance

    9.1 Alternative formats 

    Access to this Policy in alternative formats (e.g. hard copy) is available through the Privacy Officer whose contact details are listed under “Contact details” in this Policy. 

    9.2 Contact details 

    Contact for all matters related to privacy, including: 

    • general inquiries 
    • accessing personal information held about you 
    • requests to correct personal information held about an individual, and 
    • complaints about breaches of privacy 

    should be directed as follows: 

    Privacy Officer 

    E:  privacy@foodbanknsw.org.au
    W: https://www.foodbanknsw.org.au/privacy-policy/
    T:  02 9756 3099
    P:  PO Box 241 Plumpton NSW 2761

    10. Review

    This Policy is scheduled for review every two (2) years, or sooner in the event that the Approval Authority or Governing Authority determine that a review is warranted. The Policy will initially be reviewed one (1) year following the Effective Date. 

    Unless otherwise indicated, this Policy will still apply beyond the review date.

    11. Related Policies, Procedures, Guidelines and Local Protocols

    Privacy Act 1988 (Cth) 

    Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) 

    Privacy Amendment (Notifiable Data Breaches) Act 2017 

    Health Records and Information Privacy Act 2002 (NSW) 

    Health Records (Privacy and Access) Act 1997 (ACT) 

    FBNA Disclosure of Personal Information Policy 

    FBNA Data Breach Procedure and Response Plan

POLICY VERSION AND REVISION INFORMATION

Policy Authorised by: Foodbank NSW & ACT Board

Current version: Version 4.5 – June 2026

Policy Maintained by: Chief Executive Officer

Review date: June 2028