Secure Data Practices
Privacy Policy
Last updated: May 2026
This Privacy Policy is intended to comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act), the Spam Act 2003 (Cth), the Charities Act 2013 (Cth), and the Australian Charities and Not-for-profits Commission Governance Standards and principles. We follow the Notifiable Data Breaches scheme (the NDB) and follow the advice of the Office of the Australian Information Commissioner (OAIC).
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, service providers, legal obligations, or the broader privacy reform environment.
1. Who this policy applies to
This Privacy Policy applies to personal information collected by or on behalf of A Start in Life to fulfill our role as a not-for-profit charitable entity in connection with our functions and activities:
- student scholarship, support and administration activities;
- education, public awareness and media campaigns;
- communications with students, parents, guardians, schools and other education providers;
- donations, sponsorships, bequests, fundraising appeals and supporter engagement;
- volunteer, contractor and service providers;
- website, social media, email, digital communications and online service use; and
- legal, governance, safeguarding, risk management and compliance functions.
2. Information we collect about you
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions and activities above.
Personal information
The personal information we collect may include:
- name, date of birth and gender;
- residential address, postal address, email address, telephone number and other contact details;
- family and household circumstances, including financial circumstances;
- educational records, including school, TAFE or university enrolment details, results, progress reports and related educational information;
- financial information relevant to assessing eligibility for support, hardship, payments, receipting or donations;
- records of communications with us, including enquiries, applications, feedback and correspondence;
- organisation name, role, employer or affiliation details where relevant;
- donation history, sponsorship information and supporter engagement preferences;
- technical and online identifiers, including IP address, browser type, device information and website interaction data; and/or
- any other personal information you provide to us or authorise us to collect.
Sensitive and health information
Sensitive information is a subset of personal information that is given higher protection under Australian privacy law. Depending on the circumstances, and only where relevant to our functions and activities, we may collect sensitive information and will generally only collect this information with your consent, or the consent of a parent, guardian or other authorised person, such as:
- health information relevant to assessing a student’s support needs, wellbeing or participation requirements;
- health information about disability, medical conditions or neurodiversity;
- learning support needs such as adjustment requirements or safeguarding concerns;
- biometric or visual information contained in photographs, videos or audio recordings where those materials reveal sensitive information; and/or
- other sensitive information where relevant and permitted by law.
Financial information
Financial information is not automatically “sensitive information” under the Privacy Act, but it requires careful handling. Depending on the circumstances, we may collect financial information such as:
- bank account details needed to make approved assistance payments or process refunds;
- donation and payment details, including limited payment transaction information;
- documentary evidence of financial hardship or household financial circumstances;
- information obtained from employers, financial institutions, government or semi-government bodies, utilities, welfare agencies, or other referees that you authorise us to contact in support of an application; and/or
- billing, receipting and transaction records.
3. How we collect personal information
We may collect personal information from you, a parent or guardian, a donor or supporter, or from another person acting on your behalf. We may also collect personal information from third parties with your consent, where collection is reasonably necessary for our functions and activities above, or where otherwise permitted or required by law.
Methods of collection may include:
- application forms, scholarship forms and supporting documents;
- donation forms, event registrations and fundraising interactions;
- emails, telephone calls, meetings, interviews and other correspondence;
- our website, online forms, cookies, analytics tools and related technologies;
- schools, tutors, universities, TAFEs, employers, referees, welfare agencies, government bodies, medical providers, or other service providers, where authorised or permitted; and/or
- photographs, video, or audio recordings where express consent has been obtained by you or a parent or guardian, or another lawful basis applies.
4. Anonymity requests
We are committed to APP 2, and you may be able to deal with us anonymously or by pseudonym in some circumstances where it is lawful and practicable. However, if you do not provide required personal information, we may be unable to assess an application, provide services, process a donation, respond to a request, or otherwise deal with you effectively.
5. Why we collect information about you
We may collect, hold, use and disclose personal information in order to fulfill our role as a not-for-profit charitable entity including:
- assessing eligibility for scholarships, grants or other student support;
- administering support programs, payments, mentoring, workshops, education programs and related services;
- communicating with students, parents, guardians, schools, tutors and other education stakeholders;
- processing donations, recurring donations, sponsorships, bequests and issuing receipts;
- engaging with donors, supporters and community stakeholders;
- responding to enquiries, feedback, requests and complaints;
- safeguarding, welfare, risk management and incident management;
- complying with legal, regulatory, tax, accounting, audit and governance obligations; and/or
- improving our services, communications, systems, website performance and reporting.
6. To whom we disclose your personal information
We may disclose your personal information where reasonably necessary to third parties, such as
- schools, tutors, workshop facilitators and educators;
A Start in Life Privacy Policy V2.0 - payment processors, IT service providers, cloud service providers, website hosts and analytics
providers; - professional advisers, insurers, auditors, regulators; and/or
- any other service providers who assist us to operate. We may also disclose personal information with consent or where required or authorised by law.
7. What if we didn't collect this information?
Without your personal information we may not be able to process applications, donations or bequests, or perform other functions and activities or to fulfill our role as a not-for-profit charitable entity.
8. Direct marketing
We may use your information to send fundraising appeals, newsletters, event invitations, campaign updates, and other communications about our work, where permitted by law. This may occur where you have consented, where you would reasonably expect the communication, or where another lawful basis applies.
We are committed to APP 7, and you can opt out of direct marketing by using the unsubscribe function in the communication, contacting us using the details in the “Contact us / Privacy Officer” section, emailing [email protected], or otherwise asking us not to send marketing materials. We will honour opt-out requests within a reasonable period and in compliance with the Spam Act 2003 (Cth).
9. Children and minors
We are committed to children’s privacy and recognise that many of the individuals connected with our services are children or young people. Capacity is assessed on a case-by-case basis on the young person’s maturity and understanding, with the following general principles applying:
- a young person under 15 years of age will generally require a parent, guardian, or other responsible person to give consent; and
- young person aged 15 years or older will generally be assumed to have the capacity to make their own decisions about providing consent
Where a young person has sufficient maturity and understanding to consent, access, correction or deletion requests and other privacy decisions may be dealt with directly with that young person, subject to our legal obligations and the circumstances.
For photographs, videos, audio recordings, collection from schools or health providers, or other handling that may involve heightened privacy risk, we may require express consent from a parent, guardian, mature minor, or other authorised person, depending on the circumstances.
10. Your privacy on our website, cookies and analytics
When you visit our website, we and our service providers may automatically collect technical and usage information such as your IP address, approximate location derived from your IP address and location, browser type, operating system, device identifiers, pages viewed, links clicked, session activity, referring URLs and dates and times of access. This information may be collected through cookies, pixels, tags, SDKs, log files, and similar technologies.
We may use these technologies for website functionality, security, traffic measurement, performance monitoring, user experience improvement, campaign effectiveness and analytics. Third-party tools, such as online analytics tools, hosting, embedded content, donation processing or social media features, may also set cookies or collect usage information in connection with your interaction with our website.
These tools may involve cross-border data flows because providers or their infrastructure may be located outside Australia. You can manage some cookie preferences through your browser settings, device settings, cookie banners or other controls, but disabling cookies may affect website functionality.
This privacy policy does not apply to linked websites.
11. Overseas disclosure
We may disclose personal information to overseas recipients or use service providers that store or process personal information outside Australia, including for cloud hosting, service and technical support, customer relationship management, communications, website hosting, analytics and payment processing. Under APP 1, a privacy policy should explain whether overseas disclosure is likely and, if practicable, identify the countries in which overseas recipients are likely to be located. Based on our current operations those hosting locations may include:
- Australia
- New Zealand
- the United States and
- other countries in which our cloud, software, analytics, communications or payment service providers operate.
Because providers may update their infrastructure and use sub-processors, the countries involved may change from time to time.
We take reasonable steps to ensure overseas service providers with access to your personal information are required by us to keep the information confidential and not to make use of it for any purpose other than to provide services in accordance with their engagement.
12. When you donate or make a payment
Donations and payment transactions are processed through third-party payment providers. For example, online payment providers, for which recurring payment card information is encrypted and not accessible to staff in full form.
When you donate or make a payment, relevant personal information may be collected directly by the payment provider, or shared with the provider, to process the transaction, detect fraud, issue receipts and manage recurring payments. Those providers handle information under their own terms and privacy policies as well as their technical and security arrangements, and they may process or store information outside Australia.
We do not intentionally store full payment card details unless this is genuinely necessary and compliant with applicable legal and security requirements. Where card details are provided by phone or in writing, we take reasonable steps to enter them into secure systems and protect them in accordance with applicable standards and controls.
13. Storage, security and retention
We hold personal information in electronic and physical records and take reasonable steps to protect it from misuse, interference, and loss, and from unauthorised access, modification or disclosure. Our safeguards may include physical security, password protection, access controls, multifactor authentication, staff training, secure service providers and incident response procedures.
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, and for related permitted purposes such as legal, safeguarding, audit, tax, accounting, disputeresolution, fraud prevention and other recordkeeping requirements. Retention periods will vary depending on the type of information, the nature of the records, operational needs and applicable legal obligations.
When your information is no longer required under this Privacy Policy, we will destroy it in accordance with our legal obligations and in application of the relevant retention period.
14. You can access, correct or delete your information
You may request access to the personal information we hold about you, and you may ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading, subject to any exceptions permitted by the Privacy Act. You may request that we delete the information that we hold about you, subject to applicable laws.
Requests for access, correction or deletion may be addressed to the Privacy Officer below. We may ask you to verify your identity, and we aim to respond within a reasonable period, usually within 30 calendar days. In certain circumstances it may be appropriate and lawful for us to deny an access request if we reasonably believe that giving access would have an unreasonable impact on the health or safety of any individual or would be better accessed under a process of legal discovery.
We may charge a reasonable administrative fee for providing access, where permitted by law. If we refuse a request, we will provide you with written reasons and, if requested, take reasonable steps to associate a statement with the relevant information.
15. Data breaches
A data breach can occur where personal information we hold is lost, hacked, stolen, or subjected to unauthorised access or disclosure. The Notifiable Data Breaches scheme requires entities covered by the Privacy Act to notify affected individuals and the OAIC where an eligible data breach is likely to result in serious harm.
If we become aware of a suspected or actual data breach, we will assess it promptly and take reasonable steps to contain and remediate the incident. Where required by law, we will notify affected individuals and the OAIC and include information about the breach and recommended protective steps.
16. Privacy complaints
You may make a privacy enquiry or complaint to our Privacy Officer using the contact details below. Please include enough information to help us investigate your complaint, such as your name and contact details, a description of the issue, the relevant dates, any supporting documents, and the outcome you are seeking.
We will acknowledge your complaint and aim to respond within 30 days, although some matters may take longer if they are complex.
If you are dissatisfied with our response, you may escalate the matter to the OAIC at www.oaic.gov.au.
17. Contact us / Privacy Officer
Privacy Officer
A Start in Life
Suite 702, 370 Pitt Street, Sydney NSW 2000 Phone: (02) 9264 3017 Email: [email protected]
18. Recent legal and reform environment
Australian privacy law continues to evolve, and privacy governance expectations are increasing, including in areas such as transparency, consent, online tracking, children’s privacy, data security and data breach preparedness. This policy is intended to reflect current APP and NDB scheme requirements and may be updated further as legislative reform or regulatory guidance develops.