CBM Australia is committed to responsible and respectful use and protection of personal information, in compliance with the Australian Privacy Principles of the Privacy Act 1988 (Cth) and all Codes that apply to CBM Australia.
Applicable Codes include the Australian Council for International Development (ACFID) Code of Conduct, the Fundraising Institute of Australia (FIA) Code of Conduct, and the Association for Data-Driven Marketing & Advertising (ADMA) Code of Practice.
CBM Australia implements practices, procedures and systems to ensure compliance with the APPs, including governance for any internal use of AI systems.
Where CBMA uses AI, we provide clear information about that use, ensure appropriate human oversight, and maintain records that indicate when information has been generated by AI.
Personal information held by CBM Australia is principally provided directly by Australian supporters of CBM’s work or by CBM Australia workplace participants. There may also be limited program participant personal information involved in research conducted or supported by CBM Australia. CBM Australia maintains an Ethical Research and Evaluation Framework that provides for such instances.
CBM Australia does not sell, rent or swap personal data to or from third parties. Infrequently, CBM Australia may obtain personal data, which is not publicly available, from third parties; for example via a third-party survey. CBM Australia will then take reasonable steps to advise of that collection, acting always in accordance with the Australian Privacy Principles.
Regardless of source, personal identity is kept confidential, and any personal information an individual or organisation chooses to provide to CBM Australia is only used for the purposes outlined in this policy.
Personal information held by CBM Australia may include:
- Contact information (such as name or pseudonym, date of birth, phone numbers, mailing addresses and email addresses);
- Supporter number (each CBM Australia supporter is allocated a number to assist CBM Australia in the processing of contact and donation information and to enhance confidentiality);
- Payment information (as needed to securely process donations and issue receipts and to answer queries from supporters about their own donation history);
- Supporter preferences (such as communication preferences or areas of interest);
- Communications with supporters, which may contain further personal information.
CBM Australia may also hold sensitive information which a person chooses to provide to CBM Australia, such as information relating to health, religious affiliation, or ethnicity. For workplace participants, including volunteers, sensitive
CBM Australia holds personal information in order to engage and raise awareness with the public. CBM Australia uses personal information primarily to:
- Provide supporters with a quality experience;
- Communicate with supporters;
- Process donations;
- Record non-financial support/contributions;
- Enable security checks;
- Analyse our effectiveness, including through surveys and market research; and
- Recruit and relate to workplace participants, partners and contractors.
Where personal data is used to communicate by post, email or phone, CBM Australia will maintain awareness of the opportunity to opt out of receiving such communications. Contact with a prospective supporter will include information on how to opt out. Information is also provided to existing supporters on how to change the frequency of communications/updates received from CBM Australia.
If a person does not opt out, CBM Australia will assume their implied consent to receiving further communications.
CBM Australia requires all third-party service providers (for example, telemarketers, printers, or analysts) engaged by CBM Australia to also look after personal data with the utmost care, and they are bound by CBM Australia’s privacy policy as well as the Privacy Act 1988.
Occasionally, CBM Australia works with overseas suppliers to reduce overhead costs. This can include activities such as printing, data analysis and digital communications. Where such activities require disclosure of personal information, CBM Australia takes all reasonable steps to safeguard that personal information in compliance with Australian law.
CBM Australia does not deploy public-facing AI tools (such as chatbots) and does not enter personal information into publicly available generative AI tools. Where CBM Australia uses secure, enterprise AI capabilities, we limit such use to information already held for a primary purpose, ensure lawful and fair handling, apply data-minimisation, and require human oversight and accuracy checks. Any AI-generated or inferred information relating to an identifiable person is treated as personal information; CBM Australia verifies its accuracy and records its AI provenance.
CBM Australia does not disclose personal information to other organisations or other individuals (except in limited, consenting or legally required, circumstances).
CBM Australia uses tools to better understand how people use its website and social media. Information collected is anonymous unless individuals choose to provide their details, such as through an online form. Some tracking uses cookies, which can be managed through browser or social media settings.
CBM Australia takes all reasonable steps to ensure that personal information held and used by CBM Australia is accurate, relevant and up-to-date.
CBM Australia does not charge for access to personal information. Any request for access to, corrections to, or removal of personal information can be made to CBM Australia via phone (free call 1800 678 069), post (CBM Australia PO Box 196, Richmond, Victoria, 3121) or email (cbm@cbm.org.au). A request may reasonably be required to be in writing, both for security reasons and to enable sufficient confirmed detail for CBM Australia to process a request. On request, CBM Australia will also disclose the source of personal information held. All requests are subject to any applicable legal restraints.
CBM Australia maintains a designated Privacy Officer who is responsible for investigating any complaints or concerns any person may have about CBM Australia’s protection of their privacy.
CBM Australia does not charge for any complaint lodgement.
If a complainant is not satisfied with CBM Australia’s response, the complainant may refer the matter to the Australian Privacy Commissioner and CBM Australia will co-operate fully with any resulting process.
CBM Australia is fully committed to the sustained security of personal, including financial, data entrusted by stakeholders. CBM Australia’s internal ICT systems are fully compliant with the security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Online donations to CBM Australia are processed in real time using a secure and compliant payment gateway.
CBM Australia maintains a data breach response plan. This plan covers how CBM Australia will detect and notify (both affected persons and the Australian Privacy Commissioner) regarding any serious data breaches, regardless of cause. CBM Australia will carry out reasonable, fair, and prompt assessment of whether an incident is a reportable data breach. This careful management has an important preventative aim as well as maintaining the highest standards of care in response should CBM Australia experience a successful cyber-attack or other misuse of, or interference with, CBM Australia’s secured data.
CBM Australia takes steps to securely destroy or de-identify information when it is no longer needed. CBM Australia requires its third-party providers to follow the same practices.
This policy is implemented through Board and staff management processes and regular self-assessment review.