Our Privacy & Security Policy

This policy will apply to activities and operations of CBM Australia at all times.

Introduction

CBM Australia is committed to responsible and respectful use and protection of personal information, in compliance with the Australian Privacy Principles of the Privacy Act 1988 (Cth) and all Codes that apply to CBM Australia.

Applicable Codes include the Australian Council for International Development (ACFID) Code of Conduct, the Fundraising Institute of Australia (FIA) Code of Conduct, and the Association for Data-Driven Marketing & Advertising (ADMA) Code of Practice.

CBM Australia does not sell or rent personal data to third parties. Infrequently, CBM Australia may obtain personal data, which is not publicly available, from third parties; CBM Australia will then take reasonable steps to advise of that collection, acting always in accordance with the Australian Privacy Principles.

Personal identity is kept confidential, and any personal information an individual or organisation chooses to provide to CBM Australia is only used for the purposes outlined in this policy.

What personal information is held?

Personal information held by CBM Australia may include:
• Contact information (such as name or pseudonym, date of birth, phone number/s, mailing address and email address);
• Supporter number (each CBM Australia supporter is allocated a number to assist CBM Australia in the processing of contact and donation information and to enhance confidentiality);
• Payment information (as needed to securely process donations and issue receipts and to answer queries from supporters about their own donation history);
• Supporter preferences (such as communication preferences or areas of special interest);
• Communications with supporters which contain personal information.


What does CBM Australia do with personal information?

CBM Australia holds personal information in order to engage and raise awareness with the public. CBM Australia uses personal information primarily to:
• Communicate with supporters;
• Process donations;
• Record non-financial support/contributions; 
• Analyse our effectiveness; and
• Recruit and relate to staff, volunteers, partners and contractors.

Where personal data is used to communicate by post, email or phone, CBM Australia will maintain awareness of the opportunity to opt out of receiving such communications. Every contact with a prospective supporter will include information on how to opt out. Existing supporters are also given information on how to change the frequency of communications/updates received from CBM Australia.

If a person does not opt out, CBM Australia will assume their implied consent to receiving further communications.

From time to time, CBM Australia may allow like-minded organisations in Australia to contact consenting CBM Australia supporters with information that may be of interest. Those organisations allow CBM Australia to do the same in relation to their consenting supporters. In this way, CBM Australia can reach more people with vital information about CBM Australia's work.

CBM Australia requires all third-party suppliers (for example, telemarketers, printers, or analysts) engaged by CBM Australia to also look after personal data with the utmost care, and they are bound by CBM Australia’s privacy policy as well as the Privacy Act 1988.

Occasionally, CBM Australia works with overseas suppliers to reduce overhead costs. This can include activities such as printing, data analysis and electronic communications. Where such activities require disclosure of personal information, CBM Australia takes all reasonable steps to safeguard that personal information in compliance with Australian law.



How is access to personal information provided?

CBM Australia takes all reasonable steps to ensure that personal information held and used by CBM Australia is accurate, relevant and up-to-date. 

CBM Australia does not disclose personal information to other organisations or other individuals (except in limited, consenting or legally required, circumstances).

CBM Australia does not charge for access to personal information. Any request for access, or to correct information, can be made to CBM Australia via phone (free call), post (CBM Australia registered office) or email (cbm@cbm.org.au). A request may reasonably be required to be in writing, both for security reasons and to enable sufficient confirmed detail for CBM Australia to process a request. On request, CBM Australia will also disclose the source of personal information held. All requests are subject to any applicable legal restraints.


How are privacy complaints handled?

CBM Australia maintains a designated Privacy Officer who is responsible for investigating any complaints or concerns any person may have about CBM Australia’s protection of their privacy. 

CBM Australia does not charge for any complaint lodgement.  

If a complainant is not satisfied with CBM Australia’s response, the complainant may refer the matter to the Australian Privacy Commissioner and CBM Australia will co-operate fully with any resulting process.


Data security assurance

CBM Australia is fully committed to the sustained security of personal, including financial, data entrusted by stakeholders. CBM Australia's internal ICT systems are fully compliant with the security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Online donations to CBM Australia are processed in real time using a secure and compliant payment gateway. 

As part of CBM Australia's commitment to openness about privacy practices, and in accordance with the Privacy Act, CBM Australia maintains a data breach response plan. This plan covers how CBM Australia will detect any serious data breaches, regardless of cause, and notify both affected persons and the Australian Privacy Commissioner. CBM Australia will carry out reasonable, fair, and prompt assessment of whether an incident is a reportable data breach. This careful management has an important preventative aim as well as maintaining the highest standards of care in response should CBM Australia experience a successful cyber attack or other misuse of or interference with CBM Australia's secured data.

This policy is implemented through Board and staff management processes and regular self-assessment review.

The Board and management of CBM Australia are fully committed to the principles of this policy. Any breach of strategic significance or any material risk associated with this policy will be reported to the Board in a timely manner.