Privacy Policy

Westmead Hospital Foundation (ABN 89 050 329 925) values your privacy and is committed to ensuring the privacy and confidentiality of your personal information is maintained in accordance with the relevant laws and regulations that govern New South Wales.

Westmead Hospital Foundation may modify or update this Privacy Policy from time to time by publishing a modified or updated version of it on the Foundation’s website. Westmead Hospital Foundation encourages individuals to check the Foundation’s website periodically to ensure that they are aware of the Foundation’s current Privacy Policy.

By providing personal information to us, you consent to our collection, use and disclosure of that personal information on the terms of this Privacy Policy and any other contractual or other arrangements that apply between us (if any).

1. Purpose

Westmead Hospital Foundation (WHF) respects and protects the privacy of all individuals whose personal information it collects, holds, and manages. This policy outlines how WHF handles personal, sensitive, and health information in accordance with:

  • The Privacy Act 1988.
  • The Australian Privacy Principles (APPs).
  • Any applicable NSW Health privacy regulations and hospital confidentiality obligations.

 

2. Scope

This policy applies to:

  • All WHF staff, Board members, contractors, volunteers, and fundraising partners.
  • All personal information collected by WHF, whether in hard copy or electronic form.
  • All interactions with donors, hospital staff, patients, community partners, suppliers, and members of the public.

 

3. Principles

WHF is committed to ensuring that:

  • Personal information is collected lawfully, fairly, and transparently.
  • Information is used only for the purposes for which it was collected, or as otherwise permitted by law.
  • Individuals are informed about how their information will be used.
  • Data is stored securely and protected from misuse, loss, or unauthorised access.
  • Individuals have the right to access, update, or correct their information.

 

4. Types of Information Collected

WHF may collect the following types of information:

  • Personal information: name, contact details, date of birth, occupation, and communication preferences.
  • Sensitive information: health information, cultural background, or religious beliefs (only with consent and where directly relevant).
  • Donor information: giving history, philanthropic interests, event participation, and recognition preferences.
  • Employee and volunteer records: recruitment information, emergency contacts, and HR details.
  • Financial information: bank or credit card details (processed securely and not stored by WHF).

Where practicable, WHF will collect information directly from individuals. In some cases, information may be received from hospitals, partner organisations, or public sources with appropriate consent. 
 

5. Use and Disclosure of Information

Personal information is used to:

  • Process donations and issue receipts.
  • Acknowledge and steward donors.
  • Communicate updates, invitations, and impact stories.
  • Manage volunteers, staff, and service providers.
  • Meet legal, contractual, or reporting obligations.
  • Conduct marketing, research, and analysis to improve fundraising effectiveness.

WHF may share relevant information with:

  • Westmead Hospital and the Western Sydney Local Health District (WSLHD), where necessary for approved hospital support.
  • Third-party suppliers (e.g. mail houses, payment gateways, IT support) under strict confidentiality agreements.
  • Regulators such as the Australian Charities and Not-for-profits Commission (ACNC) or Australian Taxation Office (ATO), where required by law.

WHF does not sell, rent, or exchange personal information with any other organisation.

 

6. Health and Hospital-Related Information

Given WHF’s relationship with Westmead Hospital, WHF may occasionally receive limited health-related information about patients whose stories are shared (with consent) for fundraising or communications purposes. In these instances:

  • Explicit written consent must be obtained from the individual (or next of kin).
  • Information will be used only for the agreed purpose (e.g. media story, case for support).
  • All identifying information will be securely stored and destroyed when no longer required.

 

7. Fund Information and Departmental Accounts

WHF manages funds established by hospital departments, units, and clinicians (known as “Fund Champions”) to support specific areas of care, research, or patient services. The Foundation acknowledges that information relating to these funds, including donation details, financial balances, donor identities, and intended use, is sensitive and confidential. Accordingly:

  • WHF will not disclose any information about these departmental or designated funds to any third party, including donors, staff, or external organisations, without prior written approval from the relevant Fund Champion or authorised hospital representative.
  • Access to fund-related information is strictly limited to WHF staff and Board members who require it for legitimate operational or reporting purposes.
  • WHF will ensure that all disclosures, where approved, are consistent with hospital policies, donor confidentiality requirements, and applicable privacy laws.
  • Aggregate or anonymised data may be used for reporting or marketing purposes only when no individual fund or donor can be identified.

 

8. Data Security and Storage

WHF will take all reasonable steps to protect information from misuse, loss, or unauthorised access. Security measures include:

  • Secure IT systems with access controls and password protection.
  • Encrypted donation platforms and cloud storage.
  • Locked filing systems for hard-copy records.
  • Regular review of data retention and disposal practices.

Personal information will be retained for as long as necessary for its intended purpose or as required by law and securely destroyed thereafter.

 

9. Privacy Breaches and Mandatory Data Breach Protocols

WHF takes privacy breaches seriously and has established procedures to identify, manage, and respond to any actual or suspected breach of personal information.

 

A privacy breach occurs when personal information held by WHF is subject to unauthorised access, disclosure, loss, or misuse, or where such access, disclosure, loss, or misuse is reasonably likely to occur.

 
Response to Privacy Breaches

In the event of an actual or suspected privacy breach, WHF will:

  • Immediately take steps to contain and limit the breach, including securing systems and preventing further unauthorised access or disclosure.
  • Conduct a prompt assessment to determine the nature and extent of the breach, the type of information involved, and the likelihood of serious harm to affected individuals.
  • Escalate the matter to the General Manager, and where appropriate, the WHF Board Chair and relevant hospital representatives.
  • Maintain a record of all privacy breaches and near-miss incidents for governance and continuous improvement purposes.
  • Notify affected individuals as soon as practicable, including details of the breach and recommended steps they should take to reduce potential harm.
  • Notify Westmead Hospital and/or Western Sydney Local Health District (WSLHD) in line with hospital policies and contractual obligations.
  • Notify the Office of the Australian Information Commissioner (OAIC) in accordance with statutory requirements.
 
Staff Responsibilities

All WHF staff, Board members, contractors, and volunteers must:

  • Immediately report any actual or suspected privacy breach to the General Manager.
  • Cooperate fully with breach investigations and remediation actions.
  • Complete any required privacy or data protection training as directed by WHF.
 
Failure to comply with this policy or to report a suspected breach may result in disciplinary action.

 

10. Access and Correction

Individuals have the right to request access to, or correction of, their personal information held by WHF. Requests should be made in writing to the General Manager at gm@westmeadhf.org.au or PO BOX 74, Westmead NSW 2145. WHF will respond to all requests within a reasonable timeframe and may require verification of identity before releasing information.

 

11. Direct Marketing and Opt-Out

WHF may send communications about its work, appeals, or events to supporters. All communications will include a clear option to opt out. Supporters can update their preferences or request not to receive future communications at any time by contacting the Foundation.

 

12. Complaints and Enquiries

Any concerns or complaints about WHF’s handling of personal information should be directed to the General Manager at Westmead Hospital Foundation at gm@westmeadhf.org.au or PO BOX 74, Westmead NSW 2145.

13. Review and Approval

This policy will be reviewed every two years or earlier if required by changes in legislation or organisational practice. All amendments must be approved by the WHF Board.

 

Approved by: Westmead Hospital Foundation Board of Directors
Approval Date: 17 December 2025
Next Review Date: 17 December 2027

Version: 2.0