AChA Knowledge  /  Governance & Policies  /  Privacy Policy
Governance & Policies

Privacy Policy

1.1 This Policy sets out the manner in which Australian Christian Arts Ltd (AChA) collects, holds, uses, discloses, and manages Personal Information in the course of its operations.

Reviewed and Adopted: 13 February 2026

PART A — FOUNDATION

1. PURPOSE AND APPLICATION

1.2 AChA is committed to protecting the privacy of all persons whose Personal Information it handles, in accordance with:

  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles;
  • the PPIP Act (NSW); and
  • any other applicable federal, state, or territory privacy legislation.

1.3 This Policy applies to Personal Information collected through:

  • the AChA website and any associated digital platforms;
  • membership applications and renewals;
  • event registrations, auditions, and applications;
  • forms, enquiries, and correspondence;
  • donations and financial transactions; and
  • any other interaction between AChA and individuals in which Personal Information is collected.

2. GOVERNING AUTHORITY

2.1 The Constitution of Australian Christian Arts Ltd is the supreme governing document of AChA. Where any provision of this Policy is inconsistent with the Constitution, the Constitution prevails to the extent of the inconsistency.

2.2 This Policy is a Board-approved policy made pursuant to the Constitution and may be amended, replaced, or revoked by resolution of the Board from time to time.

3. DEFINITIONS

In this Policy, unless the context otherwise requires:

"AChA" means Australian Christian Arts Ltd.

"Australian Privacy Principles" means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth), as amended from time to time.

"Board" means the Board of Directors of AChA as constituted under the Constitution.

"Child" means a person under the age of 18 years.

"Collection" means the gathering, acquiring, or obtaining of Personal Information by any means.

"Consent" means voluntary agreement to the Collection, use, or Disclosure of Personal Information, which may be express or implied depending on the circumstances and the sensitivity of the information.

"Constitution" means the Constitution of Australian Christian Arts Ltd, as amended from time to time.

"Data Breach" means has the meaning given to "eligible data breach" in Part IIIC of the Privacy Act 1988 (Cth), being unauthorised access to, unauthorised disclosure of, or loss of, Personal Information that is likely to result in serious harm to any individual to whom the information relates.

"De-identification" means the process of altering Personal Information so that the individual to whom it relates is no longer reasonably identifiable.

"Disclosure" means the release, transfer, or communication of Personal Information to a third party by any means.

"OAIC" means the Office of the Australian Information Commissioner.

"Overseas Recipient" means a person or entity located outside Australia to whom Personal Information is disclosed.

"Personnel" means all Board members, staff, employees, volunteers, contractors, members, leaders, and any other person engaged by or participating in AChA Activities in any capacity.

"Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not, as defined in section 6 of the Privacy Act 1988 (Cth).

"PPIP Act" means the Privacy and Personal Information Protection Act 1998 (NSW).

"Privacy Officer" means the person appointed by the Board to oversee compliance with this Policy and applicable privacy legislation.

"Sensitive Information" means a subset of Personal Information that includes information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, biometric information, or biometric templates, as defined in section 6 of the Privacy Act 1988 (Cth).

"Third Party" means any person or entity other than AChA and the individual to whom the Personal Information relates.

PART B — COLLECTION OF PERSONAL INFORMATION

4. TYPES OF PERSONAL INFORMATION COLLECTED

4.1 AChA may collect the following categories of Personal Information:

  • identity information: name, date of birth, age, and gender;
  • contact information: postal address, email address, and telephone number;
  • religious affiliation, where directly relevant to AChA's activities as a Christian organisation;
  • event and participation records: registration details, audition materials, performance records, photographs, audio recordings, and video recordings taken at AChA events;
  • financial information: payment details, donation history, billing addresses, and transaction records;
  • membership information: membership status, category, and history;
  • Working With Children Check (WWCC) numbers and verification status, where required under the AChA Child Safe Policy;
  • website usage data: IP addresses, browser type, pages visited, session duration, and other analytical data collected through cookies or similar technologies; and
  • any other information voluntarily provided by the individual in the course of their interaction with AChA.

4.2 AChA collects only Personal Information that is reasonably necessary for, or directly related to, one or more of AChA's functions or activities.

5. SENSITIVE INFORMATION

5.1 Sensitive Information will only be collected where:

  • the individual has provided Consent to the Collection;
  • the Collection is required or authorised by or under an Australian law or a court or tribunal order;
  • the Collection is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual or to public health or safety; or
  • the Collection relates to the activities of AChA as a not-for-profit organisation with religious objectives and the information relates solely to individuals who are members of AChA or who have regular contact with AChA in connection with its activities.

5.2 Where AChA collects religious affiliation, this is done solely in connection with AChA's legitimate activities as an incorporated Christian charity and in accordance with Australian Privacy Principle 3.4.

6. METHODS OF COLLECTION

6.1 AChA collects Personal Information by the following methods:

  • directly from the individual, including through forms, correspondence, emails, telephone calls, event registration, membership applications, and in-person interactions;
  • automatically through the AChA website, including through cookies, web analytics tools, and server logs (see clause 16); and
  • from Third Parties, where the individual has authorised such Collection or where the Collection is required or authorised by law.

6.2 Where AChA receives Personal Information that it did not solicit and did not take active steps to collect, AChA will, within a reasonable period:

  • determine whether the information could have been collected under this Policy; and
  • if the information could not have been so collected, destroy or de-identify the information as soon as practicable, provided it is lawful to do so.

7. NOTICE OF COLLECTION

7.1 At or before the time of Collection (or as soon as practicable thereafter), AChA will take reasonable steps to notify the individual of:

  • the identity and contact details of AChA;
  • the purposes for which the Personal Information is collected;
  • the main consequences (if any) of not providing the Personal Information;
  • any other entities to which the Personal Information is usually disclosed;
  • the individual's right to access and seek correction of their Personal Information; and
  • how the individual may make a privacy complaint and how AChA will deal with it.

PART C — USE AND DISCLOSURE

8. PURPOSES OF USE

8.1 AChA uses Personal Information for purposes that are directly related to its functions and activities, including:

  • providing, administering, and improving AChA's services, programmes, and events;
  • managing memberships, registrations, bookings, and auditions;
  • processing payments, donations, and financial transactions;
  • responding to enquiries, requests, and complaints;
  • communicating with individuals about AChA activities, including newsletters, updates, and programme information;
  • fulfilling child safety obligations under the AChA Child Safe Policy and applicable legislation;
  • maintaining records necessary for operational, legal, and regulatory purposes; and
  • any other purpose for which the individual has provided Consent.

8.2 AChA will not use Personal Information for a purpose other than the purpose for which it was collected (the primary purpose), unless:

  • the individual has provided Consent;
  • the secondary purpose is directly related to the primary purpose and the individual would reasonably expect AChA to use the information for that secondary purpose;
  • the use is required or authorised by or under an Australian law or court or tribunal order; or
  • the use is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual or to public health or safety.

9. DIRECT MARKETING

9.1 AChA may use Personal Information to communicate directly with individuals about AChA's activities, events, and services (including newsletters, event invitations, and promotional materials), provided that:

  • the individual has provided Consent or would reasonably expect to receive such communications;
  • each communication provides a simple means by which the individual may opt out of receiving further marketing communications; and
  • AChA will action an opt-out request without charge and within a reasonable period, and in any event within five (5) business days.

9.2 AChA will not use Sensitive Information for direct marketing purposes without the express Consent of the individual.

10. DISCLOSURE OF PERSONAL INFORMATION

10.1 AChA may disclose Personal Information to:

  • AChA Personnel who require access to the information in order to perform their duties;
  • trusted Third Party service providers engaged by AChA (including IT hosting providers, email service providers, customer relationship management platforms, payment processors, and cloud storage providers), under written agreements that require the Third Party to handle the information in accordance with the Australian Privacy Principles;
  • insurers, legal advisors, auditors, and other professional advisors under a duty of confidentiality;
  • government agencies, regulatory bodies, or law enforcement agencies where required or authorised by law, court order, or regulatory obligation;
  • any person where the Disclosure is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual or to public health or safety; and
  • any other person with the express Consent of the individual.

10.2 AChA does not sell, rent, or trade Personal Information for commercial purposes.

11. CROSS-BORDER DISCLOSURE

11.1 AChA may disclose Personal Information to Overseas Recipients where AChA uses Third Party service providers whose servers or operations are located outside Australia.

11.2 Before disclosing Personal Information to an Overseas Recipient, AChA will take reasonable steps to ensure that:

  • the Overseas Recipient does not breach the Australian Privacy Principles in relation to the information; or
  • the individual has been informed that the overseas privacy protections may not be equivalent to those under Australian law and has provided Consent to the Disclosure.

11.3 AChA will, where practicable, identify the countries in which Overseas Recipients are likely to be located and make this information available to individuals upon request.

PART D — DATA QUALITY, SECURITY, AND RETENTION

12. DATA QUALITY

12.1 AChA takes reasonable steps to ensure that the Personal Information it collects, uses, and discloses is accurate, complete, and up-to-date, relevant to the purpose of the collection, use, or disclosure.

12.2 AChA regularly reviews its data collection and storage processes to identify and implement improvements to data quality.

12.3 If AChA becomes aware that any Personal Information it holds is inaccurate, incomplete, or out-of-date, it will take reasonable steps to correct the information promptly.

13. DATA SECURITY

13.1 AChA takes reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification, or disclosure.

13.2 These steps include:

  • implementing and maintaining robust physical and electronic security measures (including password protection, encryption, and firewalls);
  • restricting access to Personal Information to AChA Personnel on a 'need-to-know' basis;
  • conducting regular security audits and vulnerability assessments; and
  • ensuring that Third Party service providers that handle Personal Information on behalf of AChA have appropriate security measures in place.

13.3 In the event of a data breach, AChA will respond in accordance with its Data Breach Response Plan and applicable notification obligations under Australian law.

14. DATA RETENTION AND DESTRUCTION

14.1 AChA retains Personal Information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

14.2 When Personal Information is no longer needed, AChA takes reasonable steps to securely destroy or de-identify the information.

14.3 Retention periods are determined based on legal and regulatory requirements, the nature of the information, and business needs.

15. ANONYMITY AND PSEUDONYMITY

15.1 Individuals have the option of dealing with AChA anonymously or pseudonymously where it is lawful and practicable to do so.

15.2 This option may not be available where AChA is required or authorised by law to deal with identified individuals, or where it is impracticable for AChA to provide its services or engage in activities without knowing the individual's identity.

PART E — COOKIES AND DIGITAL TECHNOLOGIES

16. COOKIES AND TRACKING TECHNOLOGIES

16.1 AChA uses cookies and similar tracking technologies on its websites and digital platforms to enhance user experience, analyze site usage, and for marketing purposes.

16.2 These technologies may collect information such as your IP address, browser type, operating system, referring URLs, pages viewed, and the dates/times of your visits.

16.3 You can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

16.4 For more detailed information on how we use cookies and your choices regarding them, please refer to our dedicated Cookie Policy.

17. THIRD-PARTY WEBSITES AND SERVICES

17.1 AChA's websites and digital platforms may contain links to third-party websites or services that are not operated or controlled by AChA.

17.2 This Policy does not apply to the privacy practices of these third parties. AChA encourages you to review the privacy policies of any third-party websites or services you visit.

17.3 AChA is not responsible for the privacy practices or the content of third-party websites or services.

PART F — INDIVIDUAL RIGHTS

18. RIGHT OF ACCESS

18.1 Individuals have the right to request access to their personal information held by AChA. Requests must be made in writing and will be processed in accordance with applicable privacy laws.

18.2 AChA will provide access to personal information unless an exception applies under privacy laws. A reasonable fee may be charged for providing access to information.

19. RIGHT TO RECTIFICATION

19.1 Individuals have the right to request the correction of inaccurate or incomplete personal information held by AChA. Requests must be made in writing and should include details of the inaccuracies and the desired corrections.

19.2 AChA will take reasonable steps to correct personal information upon verification of the inaccuracy, in accordance with applicable privacy laws.

20. RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)

20.1 In certain circumstances, individuals may have the right to request the deletion or removal of their personal information. This right is not absolute and applies in specific situations, such as when the data is no longer necessary for the purpose for which it was collected or when consent is withdrawn.

20.2 AChA will assess such requests on a case-by-case basis, considering its legal obligations and the necessity of retaining the information, in accordance with applicable privacy laws.

21. RIGHT TO RESTRICTION OF PROCESSING

21.1 Individuals may have the right to request the restriction or suppression of the processing of their personal information. This applies in certain circumstances, such as when the accuracy of the data is contested or when processing is unlawful.

21.2 When processing is restricted, AChA will store the personal information but not further process it without the individual's consent, except for specific legal reasons, in accordance with applicable privacy laws.

22. RIGHT TO DATA PORTABILITY

22.1 Where technically feasible, individuals may have the right to receive their personal information in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from AChA. This right applies to personal information provided by the individual, where processing is based on consent or a contract, and is carried out by automated means.

22.2 AChA will endeavor to provide personal information in a portable format upon valid request, in accordance with applicable privacy laws.

PART G — COMPLAINTS AND DISPUTE RESOLUTION

23. PRIVACY COMPLAINTS

If you have a complaint regarding how AChA has handled your Personal Information, you may contact our Privacy Officer to discuss your concerns. We take all complaints seriously and will investigate them thoroughly.

  • Initial contact can be made via email or phone, details of which are available on our website.
  • Please provide as much detail as possible about your complaint to assist us in our investigation.
  • We aim to acknowledge your complaint within 5 business days and resolve it within 30 business days.
  • If you are not satisfied with our response, you have the right to seek further assistance from the relevant regulatory body in your jurisdiction.

24. DISPUTE RESOLUTION

24.1 In the event of a dispute concerning the handling of personal information, AChA will first attempt to resolve the dispute internally through its complaints resolution process.

24.2 If the dispute cannot be resolved internally, individuals may have the right to refer the matter to an external dispute resolution scheme or relevant regulatory authority, as provided for under applicable privacy laws.

PART H — ADMINISTRATION

25. PRIVACY OFFICER

25.1 The Board will appoint a Privacy Officer who is responsible for:

  • overseeing compliance with this Policy and applicable privacy legislation;
  • receiving and investigating privacy complaints;
  • managing Data Breach responses and notifications;
  • conducting or coordinating privacy impact assessments where appropriate;
  • providing guidance to Personnel on privacy obligations; and
  • maintaining the Privacy Register referred to in clause 26.

25.2 Contact details for the Privacy Officer:

  • Email: [email protected]
  • Post: Privacy Officer, Australian Christian Arts Ltd, [Insert Address Here]

26. PRIVACY REGISTER

26.1 AChA will maintain a register of:

  • the types of Personal Information held by AChA;
  • the purposes for which each type is held;
  • the categories of Third Parties to whom Personal Information is ordinarily disclosed;
  • any Overseas Recipients and their locations; and
  • the applicable retention periods for each type of Personal Information.

27. TRAINING

27.1 AChA will ensure that all Personnel who handle Personal Information receive appropriate training on:

  • the requirements of this Policy;
  • their obligations under the Australian Privacy Principles and applicable legislation;
  • identifying and reporting Data Breaches; and
  • secure handling, storage, and disposal of Personal Information.

28. AMENDMENT AND REVIEW

28.1 The Board may amend, replace, or revoke this Policy at any time by resolution.

28.2 This Policy will be reviewed by the Board at least once every two (2) years, or more frequently as required by changes in law, technology, or AChA's operations.

28.3 Any material amendments to this Policy will be published on the AChA website with a revised effective date. AChA will take reasonable steps to notify affected individuals of material changes.

29. GENERAL PROVISIONS

29.1 Governing Law. This Policy is governed by and construed in accordance with the laws of New South Wales, Australia.

29.2 Severability. If any provision of this Policy is found to be invalid, illegal, or unenforceable, the remaining provisions continue in full force and effect.

29.3 Waiver. A failure by AChA to enforce any provision of this Policy does not constitute a waiver of that provision or of the right to enforce it at a later time.

29.4 Relationship with Other Policies. This Policy is to be read in conjunction with the AChA Child Safe Policy (NSW Compliant), the AChA Master Member Code of Conduct, and any other Board-approved policies that address the handling of Personal Information.

30. CONTACT INFORMATION

30.1 For privacy inquiries, access or correction requests, or to lodge a privacy complaint:

30.2 For external complaints:

31. COMMENCEMENT

31.1 This Policy commences on the date of adoption by the Board and supersedes any prior privacy policies or privacy statements of AChA.

32. POLICY EVOLUTION CLAUSE

32.1 Members acknowledge that AChA is a developing organisation and that policies may evolve to:

  • reflect legal requirements;
  • improve safeguarding standards; and
  • support organisational growth.

32.2 By becoming or remaining a member, individuals agree to be bound by future policy updates adopted in good faith by the Board, provided such updates remain consistent with the Constitution.

32.3 AChA reserves the right to amend, replace, or withdraw policies from time to time in accordance with the Constitution.

32.4 Amended policies take effect upon publication unless otherwise stated.

32.5 Members agree to be bound by the most current version of all policies as a condition of ongoing membership and participation.

32.6 Failure to comply with updated policies may result in action under the Constitution.