Privacy
Data Management & Privacy Policy
1. Policy Statement
First Nations Economics (FNE) is committed to protecting the privacy and security of all data entrusted to us. Our policy ensures that data collection, storage, and usage align with ethical standards and legal requirements. We prioritise transparency, informed consent, and secure management practices to safeguard sensitive information. This policy is directly aligned with the Privacy Impact Assessment (PIA) developed to support our ethical approach to evaluations, which identifies potential risks, compliance requirements under the Australian Privacy Principles (APPs), and the mitigation strategies embedded within this framework.
2. Purpose
This policy applies to all personal information and data collected, stored, used, and disclosed by FNE. It outlines the organisation’s commitment to privacy and compliance with the APPs under the Privacy Act 1988 (Cth) and the Australian Charities and Not-for-Profits Commission (ACNC) Governance Standards. The policy works in conjunction with the PIA to ensure that privacy obligations are translated into clear, operational safeguards.
3. Background
Collecting, storing, and using people’s information and data comes with risks. Knowing the risks and taking steps to mitigate them are essential elements of good governance. The PIA has highlighted the following risks and informed the mitigation strategies embedded in this policy:
• Inappropriate use or disclosure of information
• Inadequate processes or training for staff handling information
• Loss of information, either physical or digital
• Theft of information, either physically or digitally
• Unclear responsibilities of external service providers
• Failure to comply with applicable laws
• System failures or poor physical safeguards
• Malicious external cyber-attacks (e.g., hacking or malware)
Importantly, management includes oversight of external service providers. While work can be outsourced, responsibilities for privacy and compliance cannot be outsourced.
4. Types of Information Collected
FNE collects and stores the following types of information:
• Name, address, and contact details (email, phone number, etc.)
• Payment details
• Employment and volunteer records
• Information relevant to programs, initiatives, and services
• Any other information provided voluntarily by individuals engaging with FNE
5. Collection of Personal Information
Personal information is collected through various means, including:
• Online forms, email correspondence, and phone interactions
• In-person and online meetings and events
• Financial transactions
• Surveys, research, and program participation
• Website analytics and social media engagement
6. Purpose of Data Collection
FNE collects, stores, and uses personal information for the following purposes:
• To provide and manage programs and services
• To process invoices and issue receipts
• To communicate with supporters and members of FNE and partner organisations
• To comply with legal and regulatory requirements
• To conduct research and advocacy for First Nations community initiatives
7. Storage and Security of Information
FNE ensures the security of personal information by:
• Storing digital data on secure Australian-based servers with encryption and restricted access
• Keeping physical records in locked, access-controlled environments
• Implementing data protection measures, including password-protected systems and secure disposal of outdated information
• Conducting regular security audits and staff training
• Applying PIA-informed safeguards, including Indigenous Data Sovereignty (IDS) classification, de-identification processes, and breach response protocols
8. Disclosure
FNE will not disclose personal information without consent, except where required by law or in the following circumstances:
• To service providers who assist in operations (e.g., payment processors, IT services) under strict confidentiality agreements
• To regulatory authorities when legally required
• To partner organisations collaborating on initiatives, with consent
9. Rights and Choices
Individuals have the right to:
• Access their personal information held by FNE
• Request corrections if information is inaccurate, incomplete, or outdated
• Withdraw consent for specific uses of their information
Requests can be made by contacting FNE’s Privacy Officer (the Privacy and Data Lead). Verification of identity may be required before processing requests.
10. How to Make a Complaint
FNE takes data breaches and privacy concerns seriously. If an individual believes their privacy has been breached, they may:
• Contact FNE’s Privacy Officer at info@firstnationseconomics.com
• Lodge a complaint, which will be investigated promptly
• Escalate concerns to the Office of the Australian Information Commissioner (OAIC)
11. Review
This policy will be reviewed annually or whenever significant changes to the workplace or staffing occur. The policy may also be revised following an incident or if provided with new information that necessitates a policy change. The review process will also consider the PIA to ensure continued alignment with identified risks and mitigation strategies.
12. Additional Information
12.1 ACNC Governance Standards
The ACNC Governance Standards are a set of minimum principles relating to charity governance and how a charity is run – including processes, activities, and relationships. Organisations must meet these standards to be registered and must continue to comply to retain registration. Compliance ensures accountability, transparency, and public trust, particularly where vulnerable beneficiaries are involved.
12.2 Privacy Act 1988 (Cth)
A charity must comply with the Privacy Act if it meets specific criteria (e.g., turnover, provision of health services, handling of personal data under contract). Even where not mandatory, opting into the Privacy Act demonstrates a commitment to accountability and governance. Compliance with the Act and APPs supports trust, better services, and stronger community engagement.
12.3 Australian Privacy Principles
The APPs establish standards, rights, and obligations around:
• Collection, use, and disclosure of personal information
• Governance and accountability
• Integrity and correction of personal information
• Rights of individuals to access their information
APP compliance is principles-based and technology neutral, allowing flexibility while requiring accountability. This policy, together with the project’s PIA, ensures that FNE’s practices comply with these principles.
