Privacy Policy 2026
Privacy Policy Introduction
At the Y NSW, we are committed to respecting and protecting the privacy of everyone we work
with and support, including children, young people, families, staff, volunteers, members and
community partners. When people share their personal information with us, they place trust in our
organisation, and we take that responsibility seriously across all our services, programs and
locations.
Our approach to privacy is guided by our values of SAFE, CONNECT and THRIVE.
We keep people SAFE by safeguarding personal information, applying strong security controls and
responding appropriately to privacy risks or data breaches. We CONNECT by being open and
transparent about how information is collected, used and shared, and by treating people’s
information with dignity, respect and care. We THRIVE by using information responsibly to deliver
quality services, meet our legal obligations and continuously improve the way we work.
This Privacy Policy explains how Y NSW collects, uses, stores and protects personal information,
and the rights individuals have in relation to their information. It’s purpose is simple: to ensure
personal information is handled lawfully, fairly and respectfully, and in a way that supports safe,
trusted and high‑quality services for our communities.
3
Y NSW Privacy Policy
1. Policy statement
1.1. The Young Men’s Christian Association of Sydney (ARBN 067 150 010) (Y NSW, or we,
us, our) is bound by the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy
Principles (APPs) and other applicable privacy legislation (Privacy Laws).
1.2. The Y NSW respects the right of privacy of all individuals, including children and young
people. We are committed to safeguarding any information or opinion which identifies (or
can reasonably identify) any person (Personal Information).
1.3. This Privacy Policy sets out how we collect, store, use, disclose or otherwise handle
Personal Information that comes into our possession or control.
1.4. This Privacy Policy may be updated or replaced from time to time. To access our current
Privacy Policy at any time, please visit our website at: www.ymcansw.org.au/privacypolicy/
2. Purpose and scope
2.1. This Privacy Policy applies to:
(a) children, young people and their family or carer who use our services or participate
in our programs;
(b) current or prospective employees, contractors and volunteers of Y NSW;
(c) visitors of Y NSW premises;
(d) customers of Y NSW; and
(e) persons who interact, engage or communicate with us in any way – including via
telephone, website, e-mail, in-person, participation in our survey, or through our
website or social media,
(you, your, yours).
2.2. By providing your Personal Information to us, you consent to us handling your Personal
Information in accordance with this Privacy Policy and any other arrangements between
us.
2.3. We are committed to handling your Personal Information as follows:
(a) we collect, store, use, disclose, modify and destroy your Personal Information in
accordance with the Privacy Laws;
(b) we adopt and implement appropriate systems and processes to keep your Personal
Information secure; and
(c) we will manage any incident of data breach in accordance with the Privacy Act.
3. Collection of Personal Information
Collection purpose
3.1. We collect Personal Information as reasonably necessary for us to carry out our functions
and deliver our services to you, including:
(a) to provide you with the services requested by you;
(b) to facilitate or enable you to access and use our services;
(c) to operate and administer our functions or service delivery;
(d) to protect you and our service recipients and communities;
(e) to assess your needs and to provide you with the appropriate care, support and
assistance relevant to your participation in our programs, including to develop
4
personalised plans (e.g. Individual Care Plans, Positive Behaviour Support Plans,
and Fitness, Aquatic and Recreation plans);
(f) to communicate with you in relation to our functions, services, or sites, including to
provide you with administrative or technical messages, reminders, notices, updates,
alerts or other information about our functions, services, or sites, that is relevant to
you;
(g) to administer surveys or other promotional activities or events by us;
(h) to comply with our legal obligations, including our record-keeping and reporting
obligations;
(i) to resolve any disputes;
(j) to protect our legal interests, including to enforce our rights with third parties;
(k) to improve and optimise our functions, services and your experience, including:
(i) to conduct research for service or program development;
(ii) to perform analytics;
(iii) for marketing and advertising;
(l) to consider your prospective employment, contracting, or volunteering application
with us, and to administer human resource management function in relation to your
employment, contracting or volunteering arrangement with us; and
(m) to investigate and respond to feedback, concerns or complaints from you.
Types of Personal Information
3.2. We may collect the following types of Personal Information from you:
(a) your name, gender, contact details and address;
(b) date and place of birth;
(c) bank account and credit card details;
(d) emergency contact details;
(e) occupation;
(f) government-related identifiers, such as Tax File Number or driver's licence number,
Centrelink reference number;
(g) custody order information;
(h) details of Y NSW services used;
(i) research data (such as surveys and testimonials); and
(j) if you are a current or prospective employee, contractor or volunteer:
(i) employment or volunteer information, such as qualifications, background
checks and work history; and
(ii) information related to right-to work, payroll, performance, training, wellbeing
and workplace health and safety.
Sensitive Information
3.3. We may also collect sensitive information with your consent, where the information is
necessary for us to carry out our functions or services, and where we are required by law
to collect such information.
3.4. Sensitive information is a special type of Personal Information and is subject to a higher level
of privacy, which may include:
5
(a) health information (e.g. medical history, disabilities, medical practitioner details,
Medicare or health fund details);
(b) racial or ethnic background;
(c) religious or philosophical beliefs;
(d) sexual orientation;
(e) membership of a political party or trade union; and
(f) criminal record.
Personal Information about children and young person
3.5. We collect Personal Information in relation to children and young person as reasonably
necessary for us to discharge our functions and services delivery outlined in paragraph 3.1
of this policy.
3.6. We only collect Personal Information about children and young person through the following
means:
(a) with the express and informed consent of:
(i) the child or young person directly – if they have capacity; or
(ii) a person authorised to act on behalf of the child or young person, such as:
(A) their parent;
(B) their guardian;
(C) a person with enduring power of attorney;
(D) a ‘responsible person’ under the Guardianship Act 1987 (NSW) or an
equivalent person by operations of a corresponding law; or
(E) a person nominated by that child or young person when they had
capacity; or
(b) a third party pursuant to the information exchange framework under Chapter 16A
of the Children and Young Persons (Care and Protection) Act 1998 (NSW))
(CYPCP Act) as detailed in paragraphs 7.9 – 7.11 of this policy.
Anonymity and pseudonymity
3.7. Generally, you must provide us with your Personal Information in order for us to carry out
our functions or for us to allow you to use or access our services.
3.8. However, in some instances, you may interact with us anonymously or by using a
pseudonym provided that it is lawful or practical to do so.
3.9. This Privacy Policy does not apply where we have collected information on an anonymous
basis or under a pseudonym, unless the information could identify you or a person.
4. How we collect your Personal Information
4.1. We will generally collect Personal Information directly from you unless it is unreasonable
or impracticable for us to do so.
4.2. We may collect Personal Information from you, through others, or through our digital
platforms (website or social media), including where:
(a) you, or your parent or guardian, complete a form, online portal, or other electronic
and paper correspondence that is submitted to us;
(b) you communicate with us in-person, or by telephone, mail, email, fax or other
means;
(c) you attend our premises or facilities;
6
(d) you attend a program or event that we are hosting, facilitating, or collaborating in;
(e) you interact with us on our website or social media (e.g. Facebook, Instagram,
LinkedIn, or X);
(f) you apply for a role with us and we collect your Personal Information from a third
party (e.g. recruitment consultant, former employers, government agency or
qualification body) to inform our decision about your recruitment and/or verify your
background and qualifications;
(g) we are required or have duty to obtain your Personal Information from a third party
by operation of the laws (e.g. the information exchange scheme under Chapter 16A
of Children and Young Persons (Care and Protection) Act 1998 (NSW)).
Third party services
4.3. This Privacy Policy applies to Personal Information that we collect only, and does not
govern third parties’ collection of your Personal Information, including where:
(a) in the context of your recruitment, we obtain your Personal Information collected
from a third party; or
(b) where you interact with us via our website and social media operated by third party
hosts and/or service operators, and such third parties collect Personal Information
about you separately.
We encourage you to review the privacy policy of any such third party if you have any
concerns about how your Personal Information is handled by them.
Unsolicited information
4.4. If we receive your Personal Information on an unsolicited basis, we will use or disclose
such information only to the extent necessary to determine whether it is reasonably
necessary for us to collect such information to carry out our functions or deliver our
services/programs. We will securely destroy or de-identify the information as soon as
practicable if we do not have legal basis to collect such Personal Information.
5. Photographs, video and/or visual images
5.1. We may collect your photographs, video recordings or other visual images through our
use of security cameras and other surveillance monitoring systems on our premises
when you:
(a) attend our premises; and/or
(b) participate in certain programs (e.g. early learning centres, recreation and aquatic
centres, OHSC programs or Y Space programs),
which can be Personal Information and/or sensitive information for the purposes of
Privacy Laws.
5.2. We only collect photographs, video recordings or other visual images for security-related
purposes, including to:
(a) protect the safety of our service recipients or program participants, personnel,
visitors and property;
(b) deter, detect and investigate security incidents, unlawful activity and misconduct;
(c) respond to or assist in incident management or insurance claims; and
(d) comply with our legal obligations.
5.3. We store any photograph, video recording or other visual image that we collect securely
at all times. In addition, access to such information is restricted to our authorised
personnel or service provider who have need to know and whom are subject to
appropriate security and confidentiality obligations.
7
5.4. We only use and disclose photographs, video recordings and/or other visual images
where reasonably necessary for the security purposes outlined in paragraph 5.2 of this
policy, or where otherwise required or authorised by law.
5.5. To the extent that we need to collect any photograph, video recording or other visual
image for any other purpose (e.g. for use in marketing and promotional content), we will
first seek your express consent by way of a Talent Consent Form before we collect, use
or disclose such content.
6. Storage of Personal Information
6.1. Y NSW implements appropriate safeguards and measures to protect your Personal
Information from unauthorised access, misuse, interference, loss, modification or
disclosure, including:
(a) storing your Personal Information on secure electronic databases;
(b) restricting access to Personal Information to authorised personnel;
(c) regularly reviewing our record keeping and maintenance systems and procedures
to ensure that they are consistent with industry best practice standards;
(d) implementing appropriate procedures for handling and reporting privacy breaches.
6.2. We may hold your Personal Information in either hard-copy or electronic formats, including
on encrypted cloud servers. In either circumstance, access to Personal Information is
restricted to authorised personnel.
6.3. Generally, we store your Personal Information in Australia.
6.4. However, our external service providers may store your Personal Information in facilities
outside of Australia. In such circumstances, we take reasonable steps to implement
appropriate safeguards with those service providers to ensure that Personal Information
disclosed to them are handled securely and confidentially in accordance with the APPs.
7. Use and disclosure of Personal Information
7.1. Generally, unless a permitted disclosure applies, we only use and disclose your Personal
Information with your express consent.
7.2. We will only use or disclose your Personal Information as follows:
(a) where reasonably necessary for us to discharge the purpose for which it is
collected (as detailed in paragraph 3.1 of this policy); and/or
(b) where we are required or authorised to do so by operation of the laws.
7.3. We may also disclose your Personal Information to the following persons and service
providers who perform outsourced functions on our behalf:
(a) our IT and technology service providers (e.g. cloud host, data and records storage
providers, software-as-a-service platform licensors, cybersecurity providers and
external IT support);
(b) our professional advisers (e.g. external legal counsel, accountants, auditor,
financial advisers, consultants, insurers);
(c) our financiers or grant providers;
(d) other business and operational service providers (e.g. payment processors, payroll
providers, recruitment partners, workplace, health and safety consultants or
investigators, employee assistance program providers, benefit providers);
(e) The National Council of the Young Men’s Christian Associations of Australia
(trading as YMCA Australia) (Y Australia), the national body of the global YMCA
network of which Y NSW is member to in connection with:
8
(i) an information exchange under the CYPCP Act (detailed in paragraphs 7.9
– 7.11 of this policy); and
(ii) our reporting obligations to Y Australia as detailed in paragraphs 7.5 – 7.8;
and
(f) regulators, government bodies and other authorities (e.g. NSW Police Force, NSW
Department of Education, NSW Early Learning Commission, courts and tribunals,
ATO, ACNC, ASIC), including as in accordance with the information exchange
framework detailed in paragraphs 7.9 – 7.11 of this policy.
7.4. Where we disclose your Personal Information to our service providers, we will ensure
that such service providers are bound by confidentiality and security obligations and
implement appropriate safeguards in connection with handling your Personal
Information.
Y Australia
7.5. Y NSW is a member association of Y Australia and has reporting obligations to Y
Australia as part of our governance, compliance and membership obligations.
7.6. Accordingly, we may disclose your Personal Information to Y Australia in connection with
our reporting obligations in relation to, among others, the following matters:
(a) Y NSW's operations and activities;
(b) Y NSW's compliance under relevant laws and policies which it is subject to;
(c) any matter relating to child safety and National Redress Scheme;
(d) Y NSW's financial accounts; and
(e) any matter relating to Y NSW's risk management, which may include risk registers,
incident reports, work, health and safety reports.
7.7. Disclosure of your Personal Information to Y Australia is reasonably necessary for the
purposes of our reporting obligations so that we can:
(a) maintain our national membership, which imposes a national operating standard to
us;
(b) meet our requisite operating standards;
(c) satisfy legal, governance, audit and compliance requirements;
(d) administer programs and services delivered or supported by Y Australia;
(e) access insurance and risk mitigation cover from Y Australia; and
(f) assist Y Australia with any strategic and operational review, and improve our
functions.
7.8. Personal Information that is disclosed to Y Australia will be governed by Y Australia's
privacy policy found in: https://ymca.org.au/privacy-policy
Information exchange framework
7.9. Y NSW is a “prescribed body” under the CYPCP Act, and participates in information
exchange with other prescribed bodies where the protection of a child or young person is
concerned – i.e., where relevant to the safety, welfare, or wellbeing of a child or young
person.
7.10. Accordingly, Y NSW may share or request Personal Information about a child or young
person with another prescribed body including for the following purposes in relation to the
protection of a child or young person:
(a) to support decision-making, assessment or plan;
(b) to understand, assess and manage risks;
9
(c) to initiate or inform an investigation; and
(d) to assist with coordinated service planning and delivery.
7.11. The prescribed bodies with whom Y NSW may share or request information include:
(a) NSW Policy Force;
(b) NSW Department of Education;
(c) NSW Early Learning Commission; and
(d) Y Australia, as in accordance with paragraph 7.3(e) of this policy.
8. Direct marketing to you
8.1. If you opt-in to receive marketing communications from us, we may store your Personal
Information on our internal marketing database and communicate with you to promote
our products, services, programs and events that we provide.
8.2. You may opt-out from receiving marketing communications from us at any time by:
(a) clicking on the ‘unsubscribe’ link in our email communications and following the
instructions from that link; and
(b) notifying us by email: communications.nsw@ymcansw.org.au.
9. Website
9.1. By accessing our website (https://www.ymcansw.org.au), we will receive the following
information related to your activities on the website – such information does not identify
you and is not Personal Information:
(a) Device information: To enable communication between your device and the server
hosting our website, it is necessary for your web browser to provide your device's
network address. This allows our web server to reply to the correct device. We will
not use this type of information to personally identify you;
(b) Navigation and click-stream data: When you browse our website, you generate a
'footprint' or trail of the pages you have visited, the amount of data transferred and
the time and duration of access. This information is recorded against the network
address supplied by your web browser. We will not use this type of information to
personally identify you;
(c) Cookies: These are very small text file placed on your device when you visit a
website. Cookies are used to enhance our website users’ online experience. The
cookie is not used to collect or store information about you, only to allocate a
temporary identifier to the search session. Most web browsers recognise when a
cookie has been offered or placed on your device and enables you to decide
whether you wish to reject or accept the cookie. Please check with your application
provider if you are not sure how to disable cookies. If cookies are disabled, you may
find that our website provides reduced functionality and speed. We do not use
cookies to identify you personally, to connect your personal identity with your device
address or to track the navigational or browsing habits of identified visitors;
(d) Information logs: These are information that we collect about the use of our
website as recorded in logs, which are then retained and used to manage our
website. We use statistics drawn from these logs to help us to improve our website
and to make it more interesting and relevant to browsers. The statistics also help
us to determine market preferences for the services we offer. We may use statistics
about the use of our website to promote our goods and services or to research
market preferences and trends. No statistical information collected about the use
of our website will be linked to your name, address or other identifier.
10. Accessing, correcting and deleting Personal Information
10
10.1. You have the right under Privacy Laws to:
(a) access your Personal Information; and
(b) ask us to correct your Personal Information so that it is up-to-date, accurate,
complete, relevant or not misleading.
10.2. Generally, unless a valid exception applies under the Privacy Laws, we will attend to a
request under paragraph 10.1(a) by within [30] days.
10.3. You may also put in a request with us if you wish for us to delete your Personal
Information, which we will assess on a case-by-case basis.
10.4. To make a request for accessing, correcting or deleting your Personal Information,
please contact us via the contact details in paragraph 12.2.
11. Complaints
11.1. If you believe that we have breached the Privacy Act, or you wish to raise a complaint
about the way we have handled your Personal Information, you can contact us directly and
in writing addressed to the contact details in paragraph 12.2 of this policy.
11.2. We will seek to investigate and resolve your complaint promptly and fairly. We will keep
you informed throughout the investigation of your complaint and will provide you with a
written response. We will usually provide you with a response within 30 days of receiving
your written complaint.
11.3. If you think we have failed to resolve your complaint satisfactorily, you may also raise a
complaint with the Office of the Australian Information Commissioner (OAIC) for further
investigation at:
Telephone 1300 363 992
Email enquiries@oaic.gov.au
Post GPO Box 5218, Sydney NSW 2001
12. Contact us
12.1. You may contact us to:
(c) request further information about this Privacy Policy and/or our privacy practices;
(d) request a copy of other related policies listed in paragraph 13 of this policy;
(e) request access, correction or erasure of your Personal Information; or
(f) raise a complaint.
12.2. Our contact details are as follows:
Attention: Chief Risk and Innovation Officer, Y NSW
Telephone 02 9687 6233
Email contactus.nsw@ymcansw.org.au
Post 7 City View Road, Pennant Hills, NSW, 2120
13. Related policies
13.1. The following policies must be read in conjunction with this Privacy Policy:
(a) Integrated Media and Communications Policy: Folio
(b) Records Management Policy: Folio
(c) Records Management Procedure: Folio
(d) Whistleblower Policy: Folio
(e) YNSW Code of Conduct: Folio
11
(f) Y NSW Safeguarding Children, Young People and Vulnerable Adults Policy: Folio
(g) Comprehensive IT Usage and AI Policy: Folio
(h) Cyber Security Policy: Folio
Document Control:
13.2. Policy owner 13.3. Chief Risk and Innovation Officer
13.4. Policy issue date 13.5. 18/02/26
13.6. Version number 13.7. 2.0
13.8. Date due for review13.9. 18/02/29
13.10.Policy Approver 13.11.RAFC
