Contents
- Introduction
- What information do we collect and why?
- How do we share your personal information?
- Who may act on a patient’s behalf?
- How secure is your personal information?
- Accessing and correcting your personal information
- Making a complaint
- Data Breach Response
- Contacting Us
Introduction
Sydney Children's Hospitals Foundation Limited (ACN 003 073 185) (the Foundation) values your privacy.
This privacy policy sets out the Foundation's practices in relation to the collection, use, storage, and disclosure of personal information. The Foundation is bound by the Privacy Act 1988 (Cth) (the Privacy Act) as well as the Health Records Information & Privacy Act 2002 (NSW) (HRIP Act).
The Foundation may modify or update this privacy policy from time to time by publishing a modified or updated version of it on our website. We encourage you to check the Foundation's website periodically to ensure that you are aware of the Foundation's current privacy policy.
What information do we collect and why?
The Foundation collects personal information from employees, donors, supporters, volunteers, patients, and other contacts that is necessary for us to perform our functions.
Generally, we collect information directly from the relevant individual. Sometimes, we may need to collect information about an individual from third parties including parents, carers, guardians, or other third-party information sources. We will do this if the individual has consented for us to collect the information in this way, or where it is not reasonable or practical for us to collect this information directly from the individual.
The types of personal information we collect, and the purpose of collecting that information, vary depending on the context. We have included an overview of the types of personal information we collect, and for what purposes, for a range of circumstances below.
Donors/Fundraisers:
When you donate, including via this website, in person, over the phone, by direct deposit, via email, by post, or through our fundraising personnel or volunteers as part of any of our fundraising events or activities or at our offices, we collect and store a range of information in our database. We use this information to process your donation, complete your tax receipt, and send you further information about the Foundation for promotional purposes. This information also allows us to develop a personalised experience for donors. The personal information we collect includes:
- contact details such as your name, phone number, address, email address,
- demographic information such as date of birth,
- payment and billing details (including credit card details if relevant), and
- other information relevant to your donation and ongoing relationship with the Foundation.
On some occasions, this information may include health or other sensitive information, which we will only collect with your consent. For example, we may ask you if you or your family members have been treated by a service within the Sydney Children's Hospitals Network previously, or we may collect details related to your health or other sensitive information so we can ensure we understand your needs as a donor.
In some instances, we may seek further contextual information to better understand and be sensitive to the circumstances and needs of large-scale donor relationships. This may include accessing news or media articles, or publicly available information on social media platforms.
Supporters and volunteers:
The Foundation may also collect supporters' and volunteers' names, phone numbers, addresses, email addresses, demographic information such as date of birth, and other contact information, records of communication between them and the Foundation and other personal information about our current and potential supporters and volunteers so that we can encourage, record, and acknowledge their support and communicate with them about the Foundation and our activities.
Patients:
The Foundation may receive or request details about individual patients, such as their name, age and with the patient’s consent, their medical condition, medical treatment, and medical history. We may use this information for media purposes and will communicate directly with patients and their families for this purpose. All patient information received and collected by the Foundation will be treated in the strictest confidence and will not be made public or distributed to the media without prior consent from the patient.
Distributing publications:
When individuals contact or interact with us, we collect personal information so that we can distribute newsletters and other communications in print and electronic form. This information includes contact details such as name, phone number, address, email address, and other relevant information. Recipients may choose to no longer receive communications from the Foundation by contacting our Privacy Officer using the contact details at the end of this privacy policy.
Conducting events:
We collect personal information about patients and their family members, donors, volunteers, and other supporters who wish to join or participate in our events and other programs we conduct. The types of personal information we collect include contact details, donation history and, in some cases, other personal information such as photographs and videos. We use this information to organise, promote, and seek support for these events, and overall to support the fundraising activities of the Foundation. With consent and where relevant, we sometimes also collect health information or other sensitive information.
Applying for a position (as a volunteer or employee) with the Foundation:
If you apply for a position with the Foundation, we collect your personal information to assess your suitability for that position, and if successful, for ongoing employment purposes. The information we collect includes name, contact details, and information about your working history or other relevant details you may share with us. Depending on the position, we require candidates to undergo relevant employment-related checks (including criminal and working with children checks), which will require additional personal information to be collected by the Foundation as well as a third-party record check provider. With your consent, this information may include information or an opinion about your criminal record or other sensitive information.
Suppliers:
The Foundation collects personal information about suppliers, including individuals who are employed by our suppliers (including service and content providers), contractors and agents for our general business operations.
When you contact us or visit our website:
If you contact us or make an enquiry (including when you call us by phone, message us on social media, or write to us), you may choose to provide us with your name or other contact details so that we can respond to your requests, or to provide our newsletter or other information about the Foundation's services or operations. Provision of your personal details is the most effective method for the Foundation to communicate with you, and to assist in the efficient delivery of services.
The Foundation's website may use website tracking pixels and cookies to collect statistics on visitor traffic and to understand how people use our websites. We do not collect personally identifying information; the patterns of usage of visitors to the website may be tracked for the purposes of providing improved service and content based on an aggregate or statistical review of user site traffic patterns.
The Foundation’s website may also use Google Analytics features which allow us to tailor our marketing to better suit your needs. If you prefer not to allow this, you may be able to adjust your browser to turn off the use of “cookies” or to notify you when they are being used. However, if you disable cookies, you may not be able to access certain areas or take advantage of certain features of the Foundation’s website; for example, you may need to re-enter your personal information each time that you attempt to access information. You can also opt out of programs like Google Analytics if you wish, by using the following tool: https://tools.google.com/dlpage/gaoptout/.
Credit Card Data:
We collect credit card information to process donation payments. Any credit card transaction information processed via our database is not stored by the Foundation, but with a contracted cloud-based third-party storage provider. Credit card transaction data for recurring donations are stored tokenised in a secure payment gateway that is PCI-DSS compliant. Any manual forms returned to the Foundation with credit card details on them are masked and stored securely.
Donors using Amex Cards may have their personal information, transaction data and other information provided to American Express Australia Ltd ABN 92 108 952 085 and its affiliates, agents, subcontractors and employees in the course of delivering the Services. Amex will collect, hold and use the Personal Information and transaction data in accordance with Amex’s privacy policy.
How do we share your personal information?
In some instances, we may provide personal information we hold to third parties. We use a range of suppliers, service providers, contractors, and partners to enable us to perform the activities and functions of the Foundation. They include information technology service providers, direct marketing agencies, banks, credit card companies and recruitment agencies.
Examples may include providing personal information to contractors and service providers located outside of Australia, including in the United States of America, Japan, China, Hong Kong, the United Kingdom and Canada. The privacy laws of these countries may not provide the same level of protection as the Australian Privacy Laws; however, we take all reasonable steps to ensure that overseas recipients of personal information handle the information in accordance with the Australian Privacy Principles in the Privacy Act. Also, we generally require contractors and service providers to sign our Supplier Privacy Agreements prior to commencing any work to ensure that they comply with our security guidelines and the Privacy Act.
We may also disclose the personal information of patients to their family members or guardian, for the purpose of discussing stories about their experience with the Sydney Children's Hospitals Network, which the patients have agreed to share via our publications including our website, or for other fundraising activities. We may, with the permission of the patient, also send the patient stories to third parties to help promote their fundraising efforts for the Foundation. Any personal information disclosed via our website may include disclosure to recipients who access our website in countries outside Australia.
Who may act on a patient’s behalf?
The following responsible persons may, depending on the circumstances of a patient, be treated as being able to act on a patient's behalf for the purposes of this privacy policy and the collection, use and disclosure of personal information:
- a guardian, parent, carer, or other person responsible for the care of the patient;
- someone with a general power of attorney or a power of attorney which includes health-related power;
- a person recognised under a law as responsible for any aspect of the care or welfare of the patient which is relevant to something the Foundation does or intends to do; and
- a person nominated in writing by the patient while the patient is capable of giving consent.
How secure is your personal information?
Your personal information is stored with a third-party storage provider. We regard the security of your personal information as a priority and implement several physical and electronic measures to protect it, including the use of passwords and firewalls. We remind you, however, that the internet is not a secure environment and although all care is taken, we cannot guarantee the security of information you provide to us via electronic means.
Transactional Security:
Only SCHF staff members are authorised to enter transactions into our Customer Relationship Management (CRM) system using Ezidebit. This ensures that sensitive financial information is handled securely and only by designated personnel.
Credit Card Handling:
All credit card details written on donation forms are securely stored in a locked location. Once entered into our system, the credit card information is immediately blacked out on the form to prevent unauthorised access.
CVV Protection:
For added security, Card Verification Values (CVVs) are not captured or written on any donation forms. This information is never stored or transmitted, ensuring the highest level of protection for donors' financial data.
Password Protection:
Access to our CRM system is protected by individual passwords, and it is strictly prohibited to share these passwords with others. Each staff member is responsible for safeguarding their password to maintain the integrity and security of our data.
Accessing and correcting your personal information
Generally, you have the right to access the personal information we have about you. The Foundation will handle requests for access to personal information in accordance with the Privacy Act and the HRIP Act. To request access to your personal information, please contact our Privacy Officer using the contact details at the end of this privacy policy.
When you request access, we may need to take measures to verify your identity. If you would like a copy of the personal information that we have about you, so that we can verify your identity, please send the request to our Privacy Officer in writing, by mail, using the details set out at the end of this privacy policy. In some cases, we may need time to consider and respond to your request for access. If we need time to consider your request, we will acknowledge your request within 14 days and respond within 30 days after your request is made.
Depending on the information you want to access, where it is stored and the time it will take us to respond to your request for access, we may charge you a fee for the administrative cost of providing the information to you. This charge will not be excessive. If for any reason we refuse to give you access to your personal information or do not give you access in the manner in which you have requested, we will provide you with a written notice giving you the reasons for our refusal (unless it would be unreasonable for us to do so).
If you believe that your personal information as held by us is inaccurate, incomplete, or out of date, you may contact our Privacy Officer using the contact details at the end of this privacy policy to request that we correct that information. In most cases, we will amend any inaccurate, incomplete, or out of date information. If we are not able to correct your personal information in the way requested by you, we will notify you of our reasons for refusing your request (unless it would be unreasonable for us to do so) and let you know how you may make a complaint about our decision, should you wish to do so.
Making a complaint
You may make a complaint about our handling of your personal information, including if you think we have breached the Privacy Act or the HRIP Act, by contacting our Privacy Officer in writing, by mail or email, using the details set out at the end of this privacy policy. We will generally acknowledge your request within 14 days and respond within 30 days after your request is made or let you know what the next steps are for resolving your complaint. If we are not able to resolve your complaint, you may wish to contact the Office of the Australian Information Commissioner (whose contact details are set out below), who will be able to provide you with information about your other options.
Data Breach Response
In the event of a data breach involving personal information, we have procedures in place to promptly assess and mitigate the breach, notify affected individuals where required by law, and take steps to prevent similar incidents in the future.
Contacting us
If you would like to access or correct your personal information held by us, or wish to make a complaint about the way we have collected, used, held, or disclosed your personal information, please contact our Privacy Officer:
Phone: 1800 770 122
Email: privacyofficer@schf.org.au
Mail: Privacy Officer, Sydney Children's Hospitals Foundation, Locked Bag 9002, WESTMEAD NSW 2145
If you want to obtain additional information about your privacy rights and how you can enforce them, please contact the Office of the Australian Information Commissioner.