Privacy Policy

Effective Date: 05 September 2025
Last Updated: 02 February 2026

Sir Bertram Stevens Institute Limited ABN 61 689 577 400 (SBSI, we, us, our) respects the privacy of individuals and is committed to handling personal information in an open, transparent and lawful manner. This Privacy Policy explains how we collect, hold, use, disclose and otherwise manage personal information in connection with our website, publications, campaigns, petitions, memberships, donations, events, research activities, submissions, recruitment, supplier relationships and general operations.

This Privacy Policy operates alongside any collection notice, website terms, event notice, application form, donation form, membership terms and conditions or other notice we provide at or before the time we collect personal information. To the extent of any inconsistency, the more specific notice or terms applying to the relevant interaction will prevail.

We handle personal information in accordance with applicable Australian law, including the Privacy Act 1988 (Cth), the Australian Privacy Principles, the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and the Notifiable Data Breaches scheme, to the extent they apply to us and to the relevant act or practice.

This Privacy Policy does not form part of any contract except to the extent expressly incorporated into separate contractual terms. To the maximum extent permitted by law, it is a statement of our information-handling practices and does not create rights or obligations beyond those imposed by law or by express written agreement.

1. What is personal information?

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form.

“Sensitive information” includes information such as political opinions, philosophical beliefs, religious beliefs or affiliations, trade union membership, criminal record, health information, biometric information and other categories treated as sensitive information under Australian law.

2. The kinds of personal information we collect

Depending on the nature of your dealings with us, we may collect and hold:

• identity and contact details, including name, title, postal address, email address, telephone number and social media handles;
• account, supporter, member and donor information, including membership tier, subscription status, payment status, renewal history, donation history, communication preferences, attendance history and records of interactions with us;
• transaction and payment information, including billing details, payment confirmations, partial card or bank metadata supplied by payment processors, invoices, refunds and related records;
• campaign, petition and advocacy data, including causes supported, petitions signed, submissions made, survey answers, policy interests, volunteer expressions of interest and engagement history;
• event information, including RSVPs, ticket purchases, dietary requirements, accessibility requirements, guest lists, seating data, attendance records, photographs, audio, video and security or incident records;
• research, publication and application information, including biographical details, CVs, employment history, writing samples, references, correspondence, opinions, submissions and public commentary you provide to us;
• technical and online information, including IP address, browser type, device information, cookies, pixels, online identifiers, pages viewed, clickstream data, referral sources, approximate geolocation, session behaviour and campaign attribution data;
• verification and compliance information, including date of birth, organisation affiliation, identity documents, sanctions or adverse media screening outputs and records needed for fraud prevention, security or legal compliance;
• sensitive information where you choose to provide it, where you consent or where collection is otherwise permitted by law; and
• information we create ourselves, including internal notes, supporter relationship records, service records, preferences, segmentation, analytics, inferred interests and engagement assessments.

3. How we collect personal information

We may collect personal information:

• directly from you, including when you contact us, subscribe, donate, join, apply, register, attend an event, make a submission, sign a petition, answer a survey or otherwise interact with us;
• automatically through our website, emails, online platforms and digital tools, including through cookies, pixels, tags, SDKs, forms, analytics tools and server logs;
• from third parties, including payment processors, ticketing providers, event venues, IT and website providers, CRM providers, fundraising consultants, mailing houses, recruitment providers, referees, public registers, identity verification providers, social media platforms, marketing partners and publicly available sources;
• from people acting on your behalf; and
• by creating records internally as part of our administration, governance, compliance, fundraising, campaigning, communications and relationship management activities.

4. Purposes for which we collect, hold, use and disclose personal information

We may collect, hold, use and disclose personal information for any purpose reasonably necessary for, or directly connected with, our functions and activities, including to:

• establish, administer and improve SBSI’s website, digital infrastructure, database, CRM, campaigns, petitions, publications, memberships, donations and events;
• process payments, renewals, subscriptions, registrations, donations, invoices, refunds and related financial or administrative matters;
• communicate with you about SBSI, including newsletters, policy updates, events, fundraising appeals, membership matters, surveys, campaigns, petitions, publications, media, operational notices and other communications;
• build and manage supporter, member, donor, guest, contributor, volunteer, contractor and supplier relationships;
• conduct research, policy development, submissions, publications, commentary and related intellectual or advocacy work;
• plan, host, record, promote and review events, briefings, dinners, conferences, webinars, meetings and campaign activities;
• verify identity, assess eligibility, consider applications, undertake due diligence and protect against fraud, misconduct, abuse, security risks or unlawful activity;
• understand and improve website performance, campaign effectiveness, donor conversion, supporter growth, communications strategy and organisational performance;
• protect our legal rights and legitimate interests, manage complaints and disputes, obtain advice, comply with insurance requirements and enforce our terms, policies and procedures;
• comply with legal, regulatory, accounting, taxation, audit, governance, electoral, court or law-enforcement requirements; and
• undertake any other use or disclosure that you consent to, that is described in a collection notice, that you would reasonably expect or that is otherwise permitted or required by law.

Where personal information has been collected for a particular purpose, we may also use or disclose it for related secondary purposes that you would reasonably expect, and for other purposes where consent or another lawful basis exists. Sensitive information will only be used or disclosed with consent or as otherwise permitted by law.

5. Sensitive information

Because SBSI operates in policy, civic and public advocacy spaces, individuals may provide sensitive information to us, including political opinions or philosophical views, in submissions, event registrations, surveys, correspondence or applications. We do not seek to collect sensitive information unless it is reasonably necessary for our activities, you consent or the law otherwise permits collection.

If you voluntarily provide sensitive information to us, you consent to our handling of that information for the purposes for which it was provided, any purpose clearly notified to you and any related administrative, compliance or dispute-management purpose. If you do not wish us to handle sensitive information, you should not provide it unless required and specifically requested.

6. Anonymity and pseudonymity

Where lawful and practicable, we may allow you to interact with us anonymously or by pseudonym. However, this will often be impracticable where we need to process payments, register attendance, issue tickets, deliver benefits, consider applications, respond meaningfully, maintain security, comply with law or verify your identity.

7. Consequences of not providing personal information

You are not generally obliged to provide personal information to us. However, if you do not provide information requested by us, we may be unable to:

• process a donation, purchase, subscription or membership;
• register you for an event or grant access to benefits;
• respond to your enquiry or application;
• verify your identity;
• provide publications or communications you have requested;
• consider you for speaking, writing, employment, contractor or volunteer opportunities; or
• otherwise deal with you effectively.

8. Direct marketing, fundraising and communications

We may use your personal information to send you direct marketing and fundraising communications about SBSI and associated matters, including newsletters, event invitations, donation appeals, policy updates, membership offers, campaign material, surveys and other promotional or advocacy communications.

By engaging with us, including by subscribing, donating, registering, joining, attending, corresponding, signing a petition or providing contact details, you acknowledge that we may send you communications of that kind where permitted by law. We may do so by email, SMS, telephone, post, messaging applications, social media, digital advertising or other channels.

You may opt out of direct marketing communications at any time by using the unsubscribe facility, contacting us or following any other opt-out mechanism we provide. We may still send you non-marketing communications that are transactional, administrative, legal, operational or safety-related.

9. Cookies, analytics and digital tools

We and our service providers may use cookies, pixels, tags, SDKs, local storage and similar technologies to recognise devices and users, keep our website and systems secure, measure website traffic and user behaviour, track campaign source and performance, understand supporter and donor acquisition, personalise website content and communications, create or refine audience segments, support digital advertising and retargeting and improve user experience and system performance.

We may combine online usage data with other information we hold about you. Some of these tools may involve third-party providers storing or processing information on our behalf, including offshore.

You can usually control cookies through your browser settings and device controls. However, doing so may limit site functionality.

10. Disclosure of personal information

We may disclose personal information to:

• our directors, officers, employees, contractors and authorised representatives;
• related bodies corporate, associated entities or future group entities;
• website hosts, cloud service providers, CRM providers, database providers, analytics providers, payment processors, email and SMS providers, ticketing platforms, identity verification providers and other IT or operational suppliers;
• consultants, accountants, auditors, lawyers, insurers, bankers and other professional advisers;
• fundraising, digital, campaign, communications or event service providers;
• event venues, speakers, hosts, sponsors, caterers, printers and logistics providers;
• research partners, publication partners, referees and collaborators;
• government agencies, regulators, courts, tribunals, law enforcement bodies and complaint bodies;
• counterparties in any actual or proposed restructure, merger, asset sale, due diligence process or business transition; and
• any other person where you have consented or where disclosure is otherwise permitted or required by law.

We may also disclose personal information where reasonably necessary to protect SBSI’s rights, property, reputation, systems, people or operations, or to investigate suspected misconduct, fraud, abuse, security incidents or legal breaches.

11. Overseas disclosure

Some of our service providers, contractors and technology platforms may be located outside Australia or may store, access, process, back up or support personal information from overseas. Accordingly, personal information may be disclosed to overseas recipients in countries where our providers, contractors or systems operate.

Likely countries include United States of America, Canada, New Zealand, United Kingdom of Great Britain and Northern Ireland, the Republic of Austria, the Kingdom of Belgium, the Republic of Bulgaria, the Republic of Croatia, the Republic of Cyprus, the Czech Republic, the Kingdom of Denmark, the Republic of Estonia, the Republic of Finland, the French Republic, the Federal Republic of Germany, the Hellenic Republic, Hungary, Ireland, the Italian Republic, the Republic of Latvia, the Republic of Lithuania, the Grand Duchy of Luxembourg, the Republic of Malta, the Kingdom of the Netherlands, the Republic of Poland, the Portuguese Republic, Romania, the Slovak Republic, the Republic of Slovenia, the Kingdom of Spain and the Kingdom of Sweden.

Before disclosing personal information overseas, where required we will take reasonable steps to ensure the overseas recipient handles the information in a manner consistent with applicable Australian privacy requirements, unless an exception applies. However, overseas processing may still expose information to foreign laws and regulators, and the privacy protections in those jurisdictions may differ from those in Australia.

12. Public submissions, publications and event recordings

If you provide a submission, article, paper, comment, testimonial, endorsement, biography, photograph, video, audio recording or similar material to us, you acknowledge that:

• we may review, edit, publish, reproduce, distribute, archive, quote from, adapt or otherwise use that material for SBSI’s activities;
• we may publish your name, title, organisation, town or suburb, biography, image or other identifying details in connection with that material unless we agree otherwise;
• public events may be photographed, filmed or recorded; and
• those recordings may be used for reporting, archival, educational, promotional, fundraising, communications or media purposes.

If you require anonymity or have a genuine objection to publication or recording, you should notify us in advance. We do not guarantee that all material can be withdrawn, anonymised or retrospectively edited once published, distributed, archived or shared.

13. Government identifiers and identity checks

We may collect and use government-related identifiers and identity documents where reasonably necessary to verify identity, prevent fraud, satisfy legal obligations, manage security or otherwise as permitted by law. We will not adopt a government-related identifier as our own identifier of you except as permitted by law.

14. Security of personal information

We take reasonable steps in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Those steps may include access controls, password management, segregation of duties, contractual controls, staff training, secure destruction processes, monitoring, backups and encryption where appropriate.

However, no information-handling environment is completely secure. To the maximum extent permitted by law, we do not warrant or guarantee the security of any information transmitted to us or stored by us, and you provide information at your own risk to that extent.

15. Retention and destruction

We retain personal information for as long as reasonably necessary for our functions and activities, and for any longer period required or permitted by law, regulation, taxation, accounting, insurance, governance, dispute, enforcement, archival, backup or legitimate operational requirements.

When personal information is no longer required, and we are not required or authorised to retain it, we may destroy it or de-identify it. De-identified, aggregated or anonymised information may be retained and used indefinitely for any lawful purpose. Deletion from active systems does not necessarily mean immediate deletion from backups, archives, disaster recovery systems or legal hold repositories.

16. Access to personal information

You may request access to personal information we hold about you by contacting us using the details below. We may require you to verify your identity before providing access.

We will respond within a reasonable time. Where permitted by law, we may refuse access in whole or in part. If we refuse access, we will generally provide written reasons and information about available complaint mechanisms, unless the law allows otherwise. We do not charge for making an access request, but where lawful we may charge a non-excessive fee for providing access.

17. Correction of personal information

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may request correction. We may require evidence reasonably necessary to assess and act on the request.

If we refuse to correct information, we will generally give written reasons and explain available complaint mechanisms.

18. Complaints

If you believe we have handled your personal information in breach of applicable law, you may make a complaint by contacting our Privacy Officer using the details below. Your complaint should identify the relevant facts and the outcome you seek.

We will assess the complaint and respond within a reasonable period, usually within 30 days where practicable. We may request further information from you to investigate and resolve the complaint.

If you are dissatisfied with our response, you may be able to complain to the Office of the Australian Information Commissioner.

19. Data breaches

If a suspected data breach occurs, we may investigate, contain, remediate and notify affected persons, regulators and other parties as required or considered appropriate. Where the Notifiable Data Breaches scheme applies and the breach is likely to result in serious harm, notification may be required to affected individuals and the Office of the Australian Information Commissioner.

20. Recruitment and employment records

This Privacy Policy applies to personal information collected during recruitment and engagement processes. However, to the extent permitted by law, it does not necessarily apply to acts or practices directly related to current or former employment relationships and employee records where an applicable exemption operates.

21. Third-party websites and platforms

Our website, emails and communications may contain links to third-party websites, payment portals, social media platforms or external services. We are not responsible for the privacy practices of those third parties. You should review their privacy policies before providing information to them.

22. Changes to this Privacy Policy

We may amend this Privacy Policy at any time by publishing an updated version on our website or otherwise making it available. The updated version takes effect from the date of publication unless stated otherwise. Your continued dealings with us after publication of an updated version constitute acceptance of the updated policy to the extent permitted by law.

23. Contact details