Privacy

Privacy Policy

Iona Presentation Foundation is committed to protecting the privacy of all of its stakeholders, including staff, board members, partners, project beneficiaries, donors and any other associates who otherwise interact with The Foundation or its programs. We ensure that our methods of private information management are transparent at all stages of the information collection, usage and storage process. The information contained within this policy is in accordance with the Australian Privacy Act (1988) and the Australian Privacy Principles (APPs) enclosed within the Act. This policy indicates sections where conditions of one of the 13 APPs are satisfied.

Purpose

The purpose of this policy is to provide a framework for the Iona Presentation Foundation in dealing with privacy considerations. The Foundation’s Privacy Policy is based on the principles of free, prior and informed consent.

Free, prior and informed consent

Iona Presentation Foundation definition of consent:

Free: the contributor experiences no coercion or manipulation in providing consent for the collection, storage and disclosure of their personal information. The most appropriate form of consent (i.e., written, vocal) commensurate to the context is solicited from the contributor. The contributor is in a position to comprehend the process and understand their rights in approving or refusing consent. If consent is being provided by a guardian on behalf of a contributor, the guardian can be reasonably deemed as having the contributor’s safety and wellbeing at heart.

Prior: consent is sought sufficiently in advance of authorisations or disclosures of personal information. Sufficient time is provided between a contributor providing their consent and the disclosure of their personal information to allow them to withdraw their consent.

Informed: the contributor is provided with all information relevant to their disclosure. They are not deceived by the information collector either deliberately or by omitting pertinent information. The contributor is informed of their ability to remain anonymous if they prefer. The contributor is provided with a reasonable account of the purposes of disclosing their personal information. The contributor is provided with a reasonable account of the audience profile who may be privy to their personal information.

Scope

This policy makes a distinction between Iona Presentation Foundation’s stakeholder categories of: staff, board members, partners, program beneficiaries and donors. The organisational relationship that The Foundation maintains with its staff, board members and partners, including matters of information collection and privacy protection, is made explicit to them. The information collected from these stakeholders is critical to the functioning of a secure and honest workplace; as such, staff, board members and partners are unable to refuse the collection of certain personal information such as criminal record checks and employment history.

Precautions are taken to secure personal information: but are entitled to refuse the collection of their personal information of any kind. The information collected from a select few of these stakeholders is typically statistical, used to provide insight into the impact of The Foundation’s programs, or of an anecdotal nature, used for marketing communications.

Compared to other stakeholders, donors maintain a more customer-oriented relationship with The Foundation; as such, donors might interact without knowledge of our organisation’s specific privacy policies.

Collection and usage of information

Soliciting of personal information

Iona Presentation Foundation collects solicited personal information directly from our stakeholders when they make contact with us through various channels, including in-person, online, over the phone or in written form. As part of these channels stakeholders acknowledge that their information is being solicited, collected, used and stored in accordance with this Privacy Policy (APP 3).

The Foundation takes reasonable steps to ensure that stakeholders are informed when their information is being collected (APP 5). In these instances, stakeholders are provided with the following information from The Foundation:

the Foundation’s contact details;

the nature of the information and the manner in which it was collected;

whether the Foundation’s collection of information is authorised by law;

the reasons the Foundation collected personal information;

the consequences for the Foundation if personal information is not collected;

the Foundation’s usual disclosure procedures of collected information;

reference to the Foundation’s Privacy Policy; and

whether the Foundation is likely to disclose personal information to overseas recipients.

Foundation Clause for Collection of Personal Information

Such information is consolidated into a clause visible in the footer of the Foundation website. The clause is included below:

“Iona Presentation Foundation is committed to the lawful collection of personal information under the Australian Privacy Act (1988). We collect personal information for marketing and communications purposes. Without such information, we are unable to conduct stakeholder engagement and fundraising activities to the best of our ability. By visiting our website, making a donation, filling out a survey, applying for employment, or providing us with your information by any other means, you agree to the collection, usage, disclosure and storage of, and access to your personal information, as contained in our Privacy Policy. The Foundation does not disclose personal information to any overseas recipients. For further enquiries regarding our privacy measures or to update your personal information please contact us at +61 8 9384 0066 or foundation@iona.wa.edu.au.”

Shortened Foundation Clause for Collection of Personal Information

A shortened version of this clause, including a link to the Foundation’s full Privacy Policy, is included within all communications distributed to stakeholders where it is reasonable to do so, such as within online and written communications. The shortened clause is provided below:

“Iona Presentation Foundation is committed to the lawful collection of personal information under the Australian Privacy Act (1988). For further enquiries regarding our privacy measures or to update your personal information please see our Privacy Policy or contact us at +61 8 9384 0066 or foundation@iona.wa.edu.au.”

Stakeholders who contact a Foundation representative in-person or over the phone will be directed to the Privacy Policy on the website if they have enquiries relating to the collection of personal information.

Staff, Board Members and Partners

Personal information that the Foundation may collect from staff, board members and partners includes:

personal details such as name, signature, or date of birth;

contact details; and

employment history, educational qualifications, tax file numbers and volunteering history –
with respect to prospective employees and volunteers.

Such information is reasonably necessary for the Foundation to liaise with and to assess the employment credentials of its staff, board members and partners. The Foundation does not collect sensitive information from any of its stakeholders, except staff, board members and partners who are subject to a criminal record check (APP 3). All staff, board members and partners are asked for their consent before conducting a criminal record check (APP 3). Parties that refuse the collection of this information will not be permitted to work for or alongside the Foundation.

Project Beneficiaries

Personal information that the Foundation may collect from project beneficiaries includes:

personal details such as name;

on a limited basis, contact details such as phone number or email address;

the location and nature of the Foundation-affiliated project the beneficiary is engaged in;

images and video footage of project beneficiaries;

‘stories’: personal accounts of a project beneficiary’s experience with a Foundation-affiliated project;

sensitive information such as a Beneficiary’s health status. The Foundation ensures that the express consent of a Beneficiary is obtained when collecting such sensitive information (APP 3).

Such information is reasonably necessary for the Foundation to conduct impact reporting and fundraising activities. Impact reports are necessary to monitor the success of Foundation projects. On occasion, surveys of project beneficiaries are necessary to gauge the reception of our projects and identify areas for improvement. Likewise, impact reports are critical to communicate our efforts to donors and maintain transparency. In particular, anecdotal impact evaluations, the type we obtain by collecting images of and individual ‘stories’ from our project beneficiaries, are the most successful at spurring Donor engagement.

A child or their guardian must give their free, prior and informed consent for the Foundation to collect and publish their personal information and identifying images for communications purposes. They can do this:

by signing a copy of the Foundation Story & Image Use Consent Form which permits the Foundation to use their personal information (unless consent is withdrawn) and
without compensation.

When soliciting consent to use a beneficiary’s image, video or story, details should be provided as to how and where their image, video or story might be used, such as in social media posts, supporter newsletters, quarterly impact publications and annual impact publications. The beneficiary must also be informed of their ability to decline consent without negative impacts and use a pseudonym when filling out surveys, providing a ‘story’ or otherwise engaging us in one-off correspondence.

Donors

Personal information that the Foundation may collect from donors includes:

personal details such as name, signature, or date of birth;

contact details;

payment details; and

donation history.

Such information is reasonably necessary for the Foundation to process donations and to send relevant information to donors such as tax-deductible receipts and remittance advices. The Foundation has limited access to donors’ payment details, restricted to information necessary for identification purposes, such as the last 4 digits of a donor’s payment card; the remainder of a donor’s payment details are encrypted. The Foundation maintains a register of the personal, contact and payment details of its historical donors. Donors have the option to deal with the Foundation on an anonymous basis or to use a pseudonym when making a donation or otherwise engaging us in one-off correspondence (APP 2). Donors are entitled to decline the collection of their personal information by contacting the Foundation directly. The Foundation’s contact details are clearly displayed in the Foundation Clause for Collection of Personal Information and on the website. However, donors that wish to initiate an ongoing relationship with the Foundation or to receive payment information such as tax-deductible receipts may have to provide us with their personal details. The Foundation does not collect sensitive information from any of its donors (APP 3).

Direct marketing

Such information is also reasonably necessary for the Foundation to perform fundraising and direct marketing activities (APP 3). The Foundation uses donor’s personal information to conduct direct marketing (APP 7). Direct marketing may include contacting our stakeholders via email, postage or phone call. For example, the Foundation may wish to send newsletters, publications and event communications to donors. Donors are able to opt out of receiving direct marketing communications at any time by contacting the Foundation on +61 8 9384 0066 or foundation@iona.wa.edu.au. (APP 7).

Website visitors

Personal information that the Foundation may collect from website visitors includes:

personal details such as name, signature, or date of birth;

contact details; and

statistical data such as IP address, web browser, or website pages visited

The Foundation tracks the traffic patterns of all website visitors through the URL registered to us.
By navigating our website, website visitors’ basic data can be tracked through the use of Cookies. Cookies sent to the Foundation website do not enable us to view a visitor’s personal information. Rather, cookies provide useful aggregate diagnostics such as total website visitors and the most visited pages. Such information is reasonably necessary for the Foundation to perform marketing and communications operations effectively and to continue to optimise our site for the benefit of our stakeholders.

We may provide such information to third parties, but are not permitted to disclose visitors’ personal information without first obtaining their consent. Visitors are able to disable their web browser from accepting cookies, however, certain functions of the Foundation website might become unavailable
as a result.

Disclosure of information

The Foundation does not disclose personal information about its stakeholders to any other entity except in the following circumstances (APP 6):

to disclose a staff or board member’s name, contact or employment details on official the Foundation correspondence;

to disclose a project beneficiary’s name, image, or story to the Foundation’s network of donors for marketing and communications material; and

to disclose a donor’s payment details to their bank or financial institution.

In each of these instances consent to disclose private information is either explicitly, or when reasonable to do so, implicitly obtained from the stakeholder in question.

The Foundation may disclose personal information about its stakeholders, including sensitive information, in the following exceptional circumstances (APP 6):

When it is permitted or required to do so by law such as to avoid an imminent threat to a person’s life or to public safety.

When the Foundation reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

In these instances, an the Foundation representative must make a written note of the use or disclosure of personal information.

Disclosure of information to an overseas entity

The Foundation will not send personal information about an individual to any location outside Australia without first obtaining the consent of the individual (APP 8).

Disclosure of government-related identifiers

The Foundation will not use or adopt the government related identifiers of its stakeholders to refer to them. The Foundation will not disclose the government related identifiers of its stakeholders, such as Medicare numbers, Australian Passport numbers or driver license numbers, to any entity (APP 9).

Access

Ensuring the quality of personal information

The Foundation takes reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, up-to-date, complete and relevant. Information quality verifications are made at the time information is first collected (APP 10, 13).

Allowing stakeholders to access their personal information

The Foundation maintains an Open Information Policy and will take all necessary steps to respond to stakeholder’s requests for information. Stakeholders have a right to access the personal information that the Foundation holds about them and to advise the Foundation of any perceived inaccuracy. To gain access to their information a stakeholder must verify their identity to the Foundation stakeholder (exceptions where the Foundation is entitled to refuse a stakeholder access to their personal information is outlined in APP 12 under section 12.34). When a stakeholder advises a Foundation representative of a perceived inaccuracy in their stored personal information, the Foundation will correct its records as soon as is practically possible.

Storage and security of personal information

Storage of personal information

The Foundation does not hold personal information longer than necessary: the point when the Foundation no longer has reasonable cause to use or disclose that information. When this point is reached a Foundation representative will take steps to either lawfully destroy of said information or de-identify it as soon as is reasonably possible. The destroys hard-copy information by shredding it. The Foundation destroys electronic information by deleting it from its databases in a way that is irretrievable (APP 11).

Security of personal information

The Foundation holds personal information securely through physical and electronic means and will take all reasonable steps to ensure that personal information is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure. Physical means to secure personal information include locked storage of paper records. Electronic means to secure personal information include password access rights to electronic records. The Foundation stores electronic data in its online database, which is a secure file sharing and transfer service for business. Staff members are granted permission by the Foundation’s administrator to access files according to their individual clearance levels. The Foundation staff are required to respect the confidentiality of personal information and the privacy of stakeholders.

Responding to data breaches

In accordance with the Privacy Act (1988), the Foundation has various strategies in place to respond to a data breach of the personal information of its stakeholders. A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure or is lost. By maintaining compliance to all 13 of the APPs the Foundation systematically reduces the risk of a data breach.

Complying with the Notifiable Data Breach (NDB) scheme as contained in Part IIIC of the Privacy Act (1988), the Foundation will notify the individuals affected and the Commission in the event of certain instances of a data breach:

There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).

This is likely to result in serious harm to any of the individuals to whom the information relates.

The entity has been unable to prevent the likely risk of serious harm with remedial action.

In the event of uncertainty whether an eligible instance of data breach has occurred, the Foundation will conduct an internal assessment to determine whether the steps of the NDB scheme need be followed.

Transparency

Disclosing information to the public

The Foundation maintains a commitment to transparency in the information it discloses to the public. As a not-for-profit organisation that funds its projects through the benevolent donations of its donor network to assist communities of beneficiaries, the Foundation’s stakeholders have a right to access information regarding the Foundation’s impact and operations. Information that the Foundation publicly discloses to its stakeholders and the wider public includes the following regular publications: Annual Report, and Annual Financial Report. These are accessible from the Foundation’s website.

The Foundation also disseminates information pertaining to its operations in monthly email newsletters, press releases and through its website and social media channels. Within these publications and content updates the Foundation makes regular use of the ‘stories’ provided to it by project beneficiaries. Only when the stipulations set out in this Privacy Policy have been met is the personal information regarding one of the Foundation’s project beneficiaries used and disclosed

Inviting feedback from the public

To aid in its commitment to transparency, the Foundation actively seeks feedback from its stakeholders, recognising the value in all types of feedback from its stakeholders. All of the Foundation’s physical publications include organisational contact details for stakeholders to use if they wish to submit feedback. Depending on the nature of the feedback submitted and the organisational departments it relates to, a Foundation representative will strive to respond to the stakeholder as soon as is reasonably possible.

Payment card security

The Foundation is committed to the ongoing security of cardholder data. The Foundation takes every step to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). Contained below are some recommendations for maintaining PCI DSS compliance.

Develop program, policy and procedures

The Foundation uses payment gateways, Shout for Good or Stripe, to process payment information.

Shout for Good is a solely owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). While your information may be accessed by a limited number of ANZ employees for the purposes of providing Shout's services and processing your transactions. Your information is quarantined from other information held by ANZ and is not used by or disclosed to ANZ for any purposes other than those disclosed in this Policy. The privacy policy of Shout for Good can be viewed from: https://shoutforgood.com/privacy-policy.

Stripe, Inc. is an Irish American multinational financial services and software as a service company dual-headquartered in South San Francisco, California, United States and Dublin, Ireland.

The privacy policy of Stripe can be viewed from: https://stripe.com/au/privacy

Evolve the compliance program to address changes

Iona Presentation Foundation’s Privacy Policy will be reviewed every two years. The Foundation Board will manage the review and evaluate the relevance and quality of data security measures. Changes to data security will be implemented where the Foundation no longer complies with the PCI DSS.

This policy was last updated 28 April 2025.