This policy will apply to activities and operations of CBM Australia, at all times.

CBM Australia is committed to responsible and respectful use and protection of personal information, in compliance with the Australian Privacy Principles of the Privacy Act 1988 (Cth) and all Codes that apply to CBM Australia.

Applicable Codes include the Australian Council for International Development (ACFID) Code of Conduct, the Fundraising Institute of Australia (FIA) Code of Conduct, and the Association for Data-Driven Marketing & Advertising (ADMA) Code of Practice.

Personal information held by CBM Australia is principally provided directly by Australian supporters of CBM’s work or by CBM Australia workplace participants.

CBM Australia does not sell, rent or swap personal data to or from third parties. Infrequently, CBM Australia may obtain personal data, which is not publicly available, from third parties; for example via a third-party survey. CBM Australia will then take reasonable steps to advise of that collection, acting always in accordance with the Australian Privacy Principles.

Regardless of source, personal identity is kept confidential, and any personal information an individual or organisation chooses to provide to CBM Australia is only used for the purposes outlined in this policy.

Personal information held by CBM Australia may include:

  • Contact information (such as name or pseudonym, date of birth, phone numbers, mailing addresses and email addresses);
  • Supporter number (each CBM Australia supporter is allocated a number to assist CBM Australia in the processing of contact and donation information and to enhance confidentiality);
  • Payment information (as needed to securely process donations and issue receipts and to answer queries from supporters about their own donation history);
  • Supporter preferences (such as communication preferences or areas of interest);
  • Communications with supporters, which may contain further personal information.

CBM Australia may also hold sensitive information which a person chooses to provide to CBM Australia, such as information relating to health, religious affiliation, or ethnicity. For workplace participants, including volunteers, sensitive personal information includes police check records.

CBM Australia holds personal information in order to engage and raise awareness with the public. CBM Australia uses personal information primarily to:

  • Provide supporters with a quality experience;
  • Communicate with supporters;
  • Process donations;
  • Record non-financial support/contributions;
  • Enable security checks;
  • Analyse our effectiveness, including through surveys and market research; and
  • Recruit and relate to workplace participants, partners and contractors

Where personal data is used to communicate by post, email or phone, CBM Australia will maintain awareness of the opportunity to opt-out of receiving such communications. Contact with a prospective supporter will include information on how to opt out. Information is also provided to existing supporters as to how to change frequency of communications/updates received from CBM Australia. 

If a person does not opt-out, CBM Australia will assume their implied consent to receiving further communications.

CBM Australia requires all third-party service providers (for example, telemarketers, printers, or analysts) engaged by CBM Australia to also look after personal data with the upmost care, and they are bound by CBM Australia’s privacy policy as well as the Privacy Act 1988.

Occasionally, CBM Australia works with overseas suppliers to reduce overhead costs. This can include activities such as printing, data analysis and digital communications. Where such activities require disclosure of personal information, CBM Australia takes all reasonable steps to safeguard that personal information in compliance with Australian law.

CBM Australia takes all reasonable steps to ensure that personal information held and used by CBM Australia is accurate, relevant and up-to-date.

CBM Australia does not disclose personal information to other organisations or other individuals (except in limited, consenting or legally required, circumstances).

CBM Australia does not charge for access to personal information. Any request for access, or to seek to correct information can be made to CBM Australia via phone (free call), post (CBM Australia PO Box 196, Richmond, Victoria, 3121) or email (cbm@cbm.org.au). A request may reasonably be required to be in writing, both for security reasons and to enable sufficient confirmed detail for CBM Australia to process a request. On request, CBM Australia will also disclose the source of personal information held. All requests are subject to any applicable legal restraints.

CBM Australia maintains a designated Privacy Officer who is responsible for investigating any complaints or concerns any person may have about CBM Australia’s protection of their privacy.

CBM Australia does not charge for any complaint lodgement. 

If a complainant is not satisfied with CBM Australia’s response, the complainant may refer the matter to the Australian Privacy Commissioner and CBM Australia will co-operate fully with any resulting process.

CBM Australia is fully committed to the sustained security of personal, including financial, data entrusted by stakeholders. CBM Australia’s internal ICT systems are fully compliant with the security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Online donations to CBM Australia are processed in real time using a secure and compliant payment gateway.

As part of CBM Australia’s commitment to openness about privacy practices, and in accordance with the Privacy Act, CBM Australia maintains a data breach response plan. This plan covers how CBM Australia will detect and notify (both affected persons and the Australian Privacy Commissioner) regarding any serious data breaches, regardless of cause. CBM Australia will carry out reasonable, fair, and prompt assessment of whether an incident is a reportable data breach. This careful management has an important preventative aim as well as maintaining the highest standards of care in response should CBM Australia experience successful cyber-attack or other misuse of, or interference with, CBM Australia’s secured data.

This policy is implemented through Board and staff management processes and regular self-assessment review.

The Board and management of CBM Australia are fully committed to the principles of this policy. Any breach of strategic significance or any material risk associated with this policy will be reported to the Board in a timely manner.