Black Deadly Science logo
Donate

Privacy policy

  1. PURPOSE

    This procedure operationalises the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme, within the daily activities of Deadly Science Ltd (DS). It sets out step-by-step processes for collecting, using, disclosing, storing, accessing and destroying personal information— especially children’s data and Indigenous Cultural and Intellectual Property (ICIP)—to uphold trust, cultural safety and regulatory compliance.

  2. SCOPE

    Applies to all DS employees, volunteers, contractors and Directors who handle personal information in any form (digital or physical) across programs, fundraising, research, marketing and governance.
  3. KEY DEFINITIONS
    Term  Meaning
    Personal Information (PI) Information about an identified or reasonably identifiable individual (APP 1.4).
    Sensitive Information PI relating to racial or ethnic origin, health, biometrics, etc.; requires higher protection (APP 3.3).
    ICIP Indigenous Cultural and Intellectual Property—traditional knowledge, stories, images.
    Data Inventory Register of all datasets, fields, location, classification, retention.
    PIA Privacy Impact Assessment—risk analysis for new or changed projects.
    Eligible Data Breach Unauthorised access, disclosure or loss likely to result in serious harm and cannot be remediated (s 26WE)

  4. LEGAL &STANDARDS FRAMEWORK

    • Privacy Act 1988 (Cth) – APPs 1–13; NDB scheme. • Spam Act 2003 (Cth) – electronic marketing. • Health Records Acts (NSW, VIC) – program medical data. • AIATSIS Indigenous Data Governance Principles (2020) – ICIP. • ISO/IEC 27701:2019 – PIMS guidance. • OAIC Guide to Securing Personal Information (2023).

  5. PRIVACY MANAGEMENT LIFECYCLE

    5.1 Plan & Governance
    1. Data Inventory maintained by Data Protection Officer (DPO); reviewed quarterly.
    2. Privacy Management Plan (annual) approved by CEO, documenting objectives, training and audits.
    3. Risk Appetite—zero tolerance for unauthorised disclosure of child PI or ICIP.

    5.2 Collect & Consent (APP 3–5)
    Task Responsible  Tool/Form
    Draft collection notice Project Lead & DPO Collection Notice Template
    Obtain consent (guardian for <18)
    		 Field Staff
    		 Digital consent form (DocuSign)
    Limit PI collection
    		 All staff
    		 Data-minimisation checklist
    ICIP FPIC process
    		 Indigenous Engagement Lead
    		 FPIC Record Sheet

    5.3 Use & Disclosure (APP 6–8)

    PIA mandatory for: new app; data sharing outside Australia; AI/analytics processing sensitive data; drone imagery; Indigenous knowledge collection.
    • Use PI only for stated primary purpose; secondary use requires consent or APP exception.
    • Disclosure to overseas cloud providers only if they meet APP 8.1 or binding scheme; list in Privacy Policy.
    • Data-sharing agreements must include encryption, retention and deletion clauses.

    5.4 Storage & Security (APP 11)
    Measure  Standard
    Encryption AES-256 at rest (Azure), TLS 1.2+ in transit
    Access control Role-based; MFA; quarterly review
    Backup Daily incremental; offline copy weekly
    Physical files Locked cabinets, office access card
    Portable media Encrypted; avoid unless essential


    5.5 Access & Correction (APP 12–13)
    1. Request via Privacy Request Form or email privacy@deadlyscience.org.au.
    2. Verify identity (100-point or guardian proof).
    3. Respond within 30 calendar days.
    4. Correct inaccurate PI promptly; notify third parties if practicable.

    5.6 Retention & Destruction
    Data Type Retention  Disposal
    Donor data 7 yrs after last gift Anonymise key metrics
    Child PI 7 yrs after child turns 25 Secure erase / shred
    HR records 7 yrs post-employment Secure erase / shred
    ICIP As per agreement; may require perpetual stewardship Return to community / protocol

    Secure destruction certificate filed in SharePoint.

  6. PRIVACY IMPACT ASSESSMENT (PIA) PROCESS
    Stage Timeline  Responsible
    Initiate PIA for new project At concept stage Project Sponsor
    Complete PIA Template & risk ratings 2 weeks Project Team & DPO
    DPO review & recommendations 1 week DPO
    Executive approval Next EMT meeting EMT
    Implement controls & update Data Inventory Project go-live Project Lead


    PIA mandatory for: new app; data sharing outside Australia; AI/analytics processing sensitive data; drone imagery; Indigenous knowledge collection.

  7. DATA BREACH RESPONSE (NDB SCHEME)

    1. Detect & Escalate – Staff report within 1 h to IT Service Desk & DPO (Teams “Data-Breach-Alert”).
    2. Contain – IT secures system, disables accounts, initiates forensic snapshot.
    3. Assess – 72 h triage (likelihood serious harm, remediate ability).
    4. Notify – If eligible breach, OAIC + affected individuals within 30 days using approved template. 
    5. Review – Post-incident report to ARC, action plan logged.

  8. TRAINING &AWARENESS

    Audience Frequency  Content
    All Staff & Volunteers Induction + annual Privacy basics, breach reporting
    DPO & IT Biennial PIA methodology, encryption best practice
    Field Staff Pre-deployment Guardian consent, ICIP handling

    Staff must score ≥80 % in annual privacy quiz; remediation training scheduled if failed.

  9. ROLES & RESPONSIBILITIES

    Role  Responsibilities
    Board & ARC Oversight of privacy risk, policy approval, breach notifications
    CEO Resource allocation, champion privacy culture
    Data Protection Officer (DPO) Maintain policy, Data Inventory, PIAs, breach response
    CISO/IT Security controls, incident response, logging
    Indigenous Engagement Lead ICIP governance, FPIC processes
    All Staff Follow procedures, report breaches, complete training

  10. MONITORING & METRICS

    • Breaches reported (target 0 eligible).
    • PIA completion rate for new projects (target 100 %).
    • Access-request turnaround (target ≤30 days).
    • Annual privacy training completion (target ≥95 %).
    Dashboard to Executive quarterly; ARC reviews annually.

  11. REVIEW & CONTINUOUS IMPROVEMENT

    Procedure reviewed annually or post-incident/oak legislative update. Feedback loop via privacy@deadlyscience.org.au.
  12. Related Documents

    • Data Governance & Cyber-Security Oversight Policy
    • IT Acceptable Use & Security Policy Page 5 of 5 DS-PAC-1.20.01Privacy & Data Protection Procedure
    • Child Safety & Safeguarding Policy
    • Cultural Safety & Indigenous Engagement Framework
    • Incident Response Plan
    • External Communication & Media Policy
  13. Legislative & Guidance References

    • Privacy Act 1988 (Cth) & APPs; NDB Scheme.
    • Spam Act 2003 (Cth).
    • OAIC Guide to Securing Personal Information (2023).
    • AIATSIS Indigenous Data Governance Principles (2020).
    • ISO/IEC 27701:2019 – Privacy Information Management.

    SEE THE FULL DOCUMENT