Pollination Foundation is the trading name of Pollination Foundation Limited (ABN 29 633 992 604), an Australian public company limited by guarantee with registered office at Level 10, 185 Clarence Street, Sydney NSW 2000, Australia.

1. Purpose

Pollination Foundation (“we”, “us”, “our”, “Foundation”) is committed to protecting the privacy and confidentiality of personal information of individuals with whom we deal – including donors, program participants, website visitors, employees, contractors, volunteers and other stakeholders.

This Policy describes how we collect, use, store, and disclose personal information and outlines our legal obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and, where relevant, our limited commitments under the EU or UK General Data Protection Regulation (GDPR). Our approach to information stewardship is also guided by our Information and Data Governance (ICIP and Indigenous Data) Values Statement, which outlines the values and principles that inform how we manage and protect Indigenous Cultural and Intellectual Property (ICIP) and Indigenous Data.

We are the data controller for the personal information we collect. For individuals located in the European Union or United Kingdom, we do not currently have an appointed local representative. Until such time as a representative is designated, all privacy or matters relating to the GDPR should be directed to our Privacy Officer (see Section 13).

If you have any questions about this Policy, please contact our Privacy Officer (see Section 13).

2. Scope

This Policy applies to all individuals whose personal information we collect or hold in connection with our activities, including:

• People who engage with us through our programs, initiatives, events, surveys, or website;
• Donors, partners, and members of the public who interact with us; and
• Our employees, contractors, volunteers, and job applicants.

Personal information relating to our workforce is generally handled in accordance with this Policy, except where the information forms part of an employee record handled directly in connection with the employment relationship, in which case it is governed by workplace relations laws rather than the Privacy Act 1988 (Cth).

3. What personal information we collect

We may collect the following categories of personal information:

• Identifiers and contact details (e.g., name, postal address, email address, telephone number
• Demographic details (e.g., date of birth, gender, organisation, cultural or community background, and any information you choose to share about your identify or heritage);
• Program or service‐related information (e.g., participation records, feedback, surveys, event attendance);
• Financial information (e.g., donation details, payment details, bank account or credit card information where applicable);
• Employment/contractor/volunteer information (e.g., CV, referee details, contract information, bank payment details, tax file number where required, performance records, disciplinary records);
• Digital and technical information (e.g., IP address, browser type, device identifier, cookies, analytics data);
• Sensitive information (in limited circumstances, with consent), e.g., information about Indigenous cultural heritage, images, recordings, stories (ICIP), health information required for workplace health and safety purposes, referral or support information.
• We may also collect personal information indirectly from third parties or publicly available sources (e.g., social media, referral organisations).

4. What personal information we collect

We collect personal information in the following ways:

• Directly from you when you provide it to us (e.g. forms, applications, email, telephone, in-person);
• Via our website (e.g. newsletter sign-up, event registration, service providers);
• From third parties (e.g. partner organisations, referrers, service providers, publicly available sources);
• From overseas cloud or IT services providers which stores or process your personal information on your behalf.

Where we rely on consent, we will ensure it is freely given, informed, specific, and unambiguous. Individuals may withdraw consent at any time by contacting us. We do not knowingly collect personal information from children under 16 without parental or guardian consent, where required by applicable law.

Where our activities involve ICIP or Indigenous Data, we also apply Information and Data Governance (ICIP and Indigenous Data) Policy, which includes principles such as Free, Prior and Informed Consent.

Where practicable we provide for anonymous or pseudonymous interactions (for example in some surveys), unless identification is required for the service or obliged by law.

5. Why we collect and use personal information

We collect, hold, use and disclose personal information for purposes including:

• Delivering our programs, services, events and research;
• Managing relationships with donors, supporters, partners and participants;
• Recruiting and managing employees, contractors and volunteers;
• Communicating with you about our work and opportunities to get involved;
• Meeting our legal, contractual and reporting obligations; and
• Improving our operations and ensuring the health, safety and wellbeing of people we work with.

We only collect and use personal information that is reasonably necessary for our activities, or otherwise permitted by law.

Where the EU or UK GDPR applies, we process personal data only where we have a lawful basis, for example because:

• you have given your consent;
• it is needed to perform a contract with you or take steps you have requested;
• we have a legal obligation;
• it is necessary to protect someone’s vital interests; or
• it is in our legitimate interests, provided your rights are not overridden.

You can withdraw your consent at any time by contacting us (see Section 13).

6. Use and disclosure of personal information

We will only use or disclose personal information for the purposes for which it was collected (or a directly related purpose), unless otherwise permitted by law or with your consent.

We may disclose personal information to:

• Our employees, contractors, or service providers (e.g., IT, payroll, cloud, or communications providers);
• Funders, insurers, auditors, and legal advisors;
• Government agencies or regulators as required by law; or
• Overseas service providers when using secure cloud platforms.

In relation to ICIP or Indigenous Data, we will seek appropriate consent and follow cultural protocols before use or disclosure.

If you choose not to provide certain information, we may be unable to deliver some services or respond to specific requests.

7. Change of purpose

We will only use your personal information for the purposes for which it was collected, unless another use is directly related to the original purpose, you have provided consent, or the use is authorised or required by law.

If we need to use your personal information for an unrelated purpose, we will inform you and explain the legal basis that allows us to do so.

8. Cross-border or overseas disclosure

We use reputable third-party service providers to support our operations, such as platforms for email, human resources and accounting systems, newsletters, online forms, surveys and event registration. These providers may store or process personal information on servers located outside Australia (for example, in the United States, Europe, or Asia).

We take reasonable and proportionate steps to ensure these service providers handle personal information in accordance with the Privacy Act 1988 (Cth) and the APPs, including through contractual obligations appropriate to the nature of the services.

Where the EU or UK GDPR applies, we will only transfer personal data to countries that provide an adequate level of protection or where appropriate safeguards are in place to protect your information in accordance with applicable data protection laws.

All overseas recipients are required to process personal information only for authorised purposes and to apply appropriate confidentiality, privacy and security measures.

9. Data security, retention and breach management

We take reasonable steps to protect personal information from loss, misuse, unauthorised access, modification, or disclosure. This includes secure digital platforms, access controls, encryption, and staff training.

Our protective measures include:

• Secure cloud-based and internal systems protected by encryption, access controls, and multi-factor authentication;
• Limiting access to personal information to authorised staff or contractors who require it for their role;
• Staff training and confidentiality obligations; and
• Secure physical storage for paper records.

Where the GDPR applies, we will, where required, notify the relevant data protection supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in a risk to individuals’ rights and freedoms.

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law, contract, or funding conditions. When information is no longer needed, we take reasonable steps to securely destroy or permanently de-identify it.

If we become aware of a data breach likely to result in serious harm, we will promptly:

• Assess and contain the breach;
• Notify affected individuals and the Office of the Australian Information Commissioner (OAIC); and
• Take remedial steps to reduce potential harm and prevent recurrence.

Any concerns or suspected data breaches can be reported to our Privacy Officer at foundation@pollinationgroup.com.

We maintain proportionate internal records of our personal data processing activities, consistent with the accountability requirements of the EU and UK General Data Protection Regulation (GDPR).

10. Cookies, website use, and third-party links

When you visit our website, we may collect information through cookies, analytics, and other tracking technologies to understand usage and improve functionality. You can disable cookies via your browser settings, though some features may not function properly.

Our website may include links to third-party websites, plug-ins, or applications. Clicking those links or enabling those connections may allow third parties to collect or share information about you. We do not control these third-party websites and are not responsible for their privacy or transparency statements. When you leave our website, we encourage you to read the privacy notice of every site you visit.

If you subscribe to our communications, you can opt out at any time using the unsubscribe link or by contacting us at

11. Accessing and correcting your information

You may request access to the personal information we hold about you, or ask that it be corrected if you believe it is inaccurate, incomplete, out of date, or misleading.

We will respond to your request within a reasonable time (normally within 30 days) and, where reasonable and practicable, provide access in the manner you request. If we refuse access or correction, we will provide written reasons and information on how to make a complaint.

11.1.  Employee Records

As a private-sector employer, the Foundation is not required under the Privacy Act 1988 (Cth) to provide access to information contained in an employee record where that information is handled directly in connection with the employment relationship. Access to these records is governed by workplace relations laws, not privacy legislation.

Current or former employees seeking access to employment records may do so in accordance with their entitlements under Fair Work laws by contacting the Privacy Officer or their Manager / Coach.

Any personal information we hold about an employee, contractor or volunteer that is used for a purpose not directly related to employment will be managed in accordance with this Policy and the APPs.

11.2. Additional Rights Under the GDPR

Where the EU or UK GDPR  applies, individuals also have the right to request erasure of their personal data (“right to be forgotten”), to restrict or object to its processing, to obtain a copy in a portable format, and to not be subject to decisions based solely on automated processing. Requests to exercise these rights can be made to the Privacy Officer (see Section 13).

12. Complaints and contact details

If you believe we have breached this Policy or the APPs, you may make a complaint in writing to our Privacy Officer. Privacy-related complaints will be managed in accordance with our Complaints Management Policy, which outlines how we receive, assess, and respond to concerns in a respectful and proportionate manner.

Privacy Officer
Pollination Foundation
Email: foundation@pollinationgroup.com
Post: Level 10, 185 Clarence Street, Sydney  NSW  2000

We will acknowledge your complaint within 10 business days and aim to resolve it within 30 business days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001