Privacy Policy

Changing Faces, Changing Lives

1. About This Policy
This document sets out how Craniofacial Australia (CA) safeguards user privacy. Privacy compliance is a business-critical issue – not just a formality. CA is cognisant of and applies legislative amendments as established in the:

Privacy Act 1988 (Cth) (Privacy Act), and through the
Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act).

Recent 2024 reforms have modernised the legislation and compel CA to be mindful of how we collect, store and use personal data.
The updated Privacy Act introduces stricter consent rules, new data rights, including the right to request deletion or amendment, and significantly higher penalties for violations of these regulatory changes. Accordingly, CA believes that consent requirements must be freely given, specific, informed, and unambiguous. Our policy steers our procedures away from consents that include tick-boxes, vague wording, and bundled consent.

Failure to comply with legislative updates may lead to investigations by the Office of the Australian Information Commissioner (OAIC) and could significantly damage the reputation and trust CA has built over decades with our external and internal clients.
This policy outlines the updates for 2024. It is expected to change again shortly when the next round of modernisation takes place in response to increasingly sophisticated social media breaches related to crime.

2. Our Privacy Policy
CA recognises the importance of protecting individuals’ privacy. We are committed to ensuring the continued integrity and security of the personal information entrusted to us.
We appreciate that the success of our operations is largely dependent upon a relationship of trust being established and maintained with past, current and prospective patients and their families, supporters, consumers of our services, stakeholders, sponsors and other individuals with whom we conduct business. We will, therefore, continue to collect and manage personal information with a high degree of due diligence and care.
Our aim is to always comply with the privacy laws that apply to us, including the Australian Privacy Principles (APPs), while implementing and maintaining best practice standards of transparency, security, and accountability. Comments, queries or complaints regarding a privacy matter are encouraged to be discussed directly with us.
3. Collection Reasons
Personal Information we collect from You
We generally collect personal information directly from those with whom we conduct business. Sometimes we may collect or confirm this information from a third party such as a credit reporting body. We will use reasonable efforts to obtain consent prior to contacting a third party for this purpose.
We collect personal information that includes details such as:
• Name;
• Address;
• Date of birth;
• Contact details (such as phone and e-mail addresses);
• Financial information such as information to assist with funding applications;
• Information we collect automatically from you, including data collected using cookies and other device-identifying technologies (‘Cookies and Tracking Technologies’).

Information we collect about you from other Sources
In some cases, we may need to collect sensitive information pertaining to an individual (such as health-related information). We will first seek consent to collect such information where we are required to do so. When personal health data, such as that found in funding applications, must be referred for approval, e.g., to our Board of Management (BOM), we will de-identify the patient’s identifying information in a way that makes their identity retrievable for future communication with them.
Personal information collected from other individuals, such as stakeholders, treating physicians (GPs), clinical specialists or other medical entities, is an example of health-specific data.
We may collect information about you from your employer or other organisations. The categories of information we collect from other sources may include:
• Personal details (e.g. name, title, employer or organisation)
• Contact details (e.g. phone number, email address or postal address)
• Additional information about your role or relationship with another organisation (e.g. position, organisation structure)
• Referee information if you are a job applicant.

We may collect personal information from commercially available third-party databases.
When individuals visit our website, apps or other web-based content and services (“Websites”), either we or our service provider will record information (such as the computer’s IP address and top-level domain name, the type of browser being used, the date, time and pages accessed) in relation to the visit.

4. Use and disclosure
How we use your personal information and the basis for use
• Identify and authenticate you: We use your identification information to verify your identity when you access and use our services and to ensure the security of your personal information.
• Provide you with services: We process your personal information to provide the services you or your organisation have requested.
• Improve our services: We analyse information about your use of our services to enhance the experience for all our customers, including product testing and site analytics. It is in our legitimate interest to utilise the information provided to us for this purpose, allowing us to identify any issues with our services and improve them.
• Communicate with you: We may use your personal information to communicate with you, for instance, when we provide updates on changes to our terms and conditions, to keep you informed about the progress of matters you’re waiting for a reply on, or if you reach out to us with queries. It is in our legitimate interest to ensure you receive appropriate responses and notifications regarding our services.
• Market our services: We may use your personal information to create a profile about you and place you in specific marketing segments, allowing us to better understand your preferences and personalise the marketing messages we send to you. It is in our legitimate interest to provide more relevant and interesting advertising messages. Where necessary, we will obtain your consent before sending such marketing messages.
• Customer Testimonials: We may post customer testimonials on our websites that could include personal information. We obtain the customer’s consent via email before posting the testimonial, which includes their name, title, and organisation name along with their testimonial. If you would like to update or delete your testimonial, please contact us using the CA details provided at the end of this Privacy Policy.
• Exercise our rights: We may use your personal information to exercise our legal rights when necessary, such as to detect, prevent, and address claims of fraud, work health and safety issues, intellectual property infringements, or violations of the law and our applicable contract terms and conditions.
• Comply with our obligations: We may process your personal information to, for example, carry out fraud prevention checks or comply with other legal or regulatory requirements as explicitly required by law.
• Customise your experience: When you use the services, we may use your personal information to improve your experience of the services, such as by providing interactive or personalised elements on the services and providing you with content based on your interests.
If we request your consent to process your personal information, you may withdraw it at any time by contacting us using the CA details provided at the end of this Privacy Policy. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
5. Disclosure to Overseas Recipients
In some cases, we may need to share some information with organisations outside Australia, for example when we use service providers located overseas to perform a function on our behalf, such as online processing, or to discuss clinical information to inform best practice in patient care.
When we share information with organisations overseas, we ensure appropriate data handling and security measures are in place as per the Australian Privacy Principles (Cth), APP 8.1.

6. Access and Correction
In most cases, individuals can access their own personal information that we hold at any time. If it is believed that the personal information held is inaccurate, out of date or incomplete, contact with CA should be made directly (see ‘Contacting us’ below).
We will promptly update any personal information that is inaccurate, outdated, incomplete or collected without lawful consent. In some instances, we may request supporting documentation to amend the personal information we hold.
If we disagree that the information held is inaccurate, outdated, or incomplete, we will provide a written notice detailing our reasons and outlining our complaints process. If an issue cannot be resolved, the complainant may lodge a complaint directly with the OAIC.
7. Opting out of Product Promotions
Individuals can opt out of receiving direct marketing material at any time by contacting us (see ‘Contacting us’ below).
If an individual does opt out, we will continue to provide information in relation to existing accounts or facilities only (including new features or products related to these accounts/facilities).

8. Storage and Security of Personal Information
We will take reasonable steps to keep the personal information that we hold secure to ensure that it is protected from loss, unauthorised access, use, modification or disclosure.
Personal information is stored within secure systems that are protected in controlled facilities. Our employees and authorised agents are obliged to respect the confidentiality of any personal information held by us.

9. Our Websites and the Use of Cookies
We use our best efforts to ensure that information received via our Websites remains secured within our systems. We are regularly reviewing developments in online security; however, users should be aware that there are inherent risks in transmitting information across the internet.
We use cookies on our Websites. Cookies can make using our Websites easier by storing information about user preferences and enabling users to take full advantage of our services. Cookies are very small text files that a Website can transfer to a user’s computer’s hard drive or portable electronic device’s memory for record-keeping.

We may also use cookies to determine which parts of our Websites are visited most frequently, whether our site was accessed through a banner advertisement for one of our products and services on another party’s website, and which other sites may be visited from our Websites.
Sometimes cookies are used by a third-party service provider with whom we have an agreement to monitor the success of our marketing campaigns. The third-party service provider uses cookies to collect information, such as when a user visited our site, the browser type, and the server used to log in to the computer.
The information is used in an aggregate form and generally no personal information is collected by the third-party service provider. Our agreements with third parties ensure this information is only used to carry out functions on our behalf, and if any personal information is collected the confidentiality of that information is maintained.
We may also use cookies so that we can see which parts of our Websites are visited when accessing those Websites. We may use this information for marketing products and services. We keep this information confidential and we do not disclose it to third parties.
Most internet web browsers are pre-set to accept cookies to enable full use of websites that employ them. However, if an individual does not wish to receive any cookies on an internet web browser, settings may be configured in the browser to reject them or receive a warning when cookies are being used. In some instances, this may mean that users will not be able to use some or all of the services provided on our Websites.

10. Credit Card Storage
When sensitive information is entered (such as credit card numbers) on our website, we encrypt that information using secure socket layer technology (SSL). When credit card details are collected, we simply pass them on in order to be processed as required. We never permanently store complete credit card details. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it.
CA also uses PayPal for its online credit card transactions. PayPal processes online credit card transactions for over 100,000 businesses, providing a safe and secure means of collecting payments via the Internet. When payment information is provided, we transmit it via an encrypted connection to PayPal. PayPal uses and processes the payment information in accordance with their Privacy Policy. All online credit card transactions performed on this site using the PayPal gateway are secured payments. Payments are fully automated with an immediate response. Complete credit card numbers cannot be viewed by CA or any outside party.
Credit card details that are provided on physical donation slips are used for the purpose of processing the donation and are then destroyed immediately: the number is made illegible and the slip is placed into a secure confidential bin for shredding.

11. Changes to This Policy
From time to time, it may be necessary for us to review our Privacy Policy and the information contained in this document. Notification of any changes will be made by posting an updated version on our Websites.

12. Privacy Concerns or Complaints
If there are concerns or complaints regarding the handling of personal information by us, please contact our Operations Manager on +61 08 8267 4128 or info@acmff.org.au. We will promptly investigate the complaint and provide notification of the outcome.
If this is not satisfactory, the matter may be referred to the Board of Management who will impartially assess the complaint, provide information on the progress and provide a response.
The Board of Management can be contacted by:
• Email – Chairman@acmff.org.au
• Mail – write to Craniofacial Australia, PO Box 1138 North Adelaide SA 5006.
Alternatively (or following consideration by the Customer Advocate) the matter may be referred directly to:
Australian Financial Complaints Authority
GPO Box 3
Melbourne VIC 3001
Phone: 1800 931 678
Fax: 03 9613 6399
Email: info@afca.org.au
www.afca.org.au
Office of the Australian Information Commissioner (OAIC)
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
www.oaic.gov.au

13. Contacting Us
For questions about our Privacy Policy, what personal information we may hold, or about the way we manage personal information, Craniofacial Australia can be contacted as follows:
Craniofacial Australia
PO Box 1138
North Adelaide SA 5006
Email: info@acmff.org.au
www.craniofacial.com.au
More information about privacy (including information about specific issues, answers to frequently asked questions and links to the 13 Australian Privacy Principles) can be found on the Office of the Privacy Commissioner’s website at http://www.oaic.gov.au/
