Wishlist (Sunshine Coast Health Foundation)
Protecting Your Privacy

Last Updated: January 2026

Contents

1. Introduction and Scope
2. Definitions
3. Collection of Personal Information
4. Use and Disclosure
5. Data Security and Storage
6. Digital Privacy and Technology
7. Individual Rights and Access
8. Complaints and Review Process
9. Contact Information
10. Website Privacy Statement
11. Policy Review

1. Introduction and Scope

The Sunshine Coast Health Foundation (known as Wishlist) is committed to providing you the highest levels of service. Protecting your privacy is important to us. Wishlist is a Queensland state statutory body and as such must comply with the Information Privacy Principles (IPPs) contained in the Information Privacy Act 2009.

This policy outlines how we collect, store, use and disclose personal information in accordance with:

• Information Privacy Act 2009 (QLD)
• Right to Information Act 2009 (QLD)
• Privacy Act 1988 (Cth)
• Notifiable Data Breaches Scheme
• Hospital Foundations Act 2018 (QLD)
• Information Privacy Principles (QLD)

2. Definitions

• Personal Information: Any information or opinion about an identified individual, or an individual who is able to be reasonably identified
• Sensitive Information: Information about racial/ethnic origin, political opinions, religious beliefs, sexual orientation, health information, financial, biometric data
• Data Breach: Unauthorised access to, or disclosure of, personal information
• Cookie: A small text file stored on your device that helps websites remember your preferences
• Encryption: The process of converting information into a code to prevent unauthorised access

3. Collection of Personal Information

Types of Information Collected

We collect:

• Contact details (name, address, phone, email)
• Date of birth
• Financial information (donation history, payment details)
• Professional and educational information (for research grant applicants)
• Health information (where relevant to our services)
• Employee information (for staff)
• Digital information (IP addresses, browser data, cookie data)

Collection Methods

Information is collected:

• Directly from you, when you provide us with information by phone, mail, web or email or in person
• Through our website and digital platforms
• From third parties with your consent, such as friends who have referred you to us
• From publicly available sources such as the telephone directory or newspaper etc
• Through automated technologies
• When you make an online donation or register for an event or as a volunteer you are automatically added to our database and mailing list

Use of Personal Information

Your personal information may be used to:

• Thank you for your support
• Survey your experience of Wishlist services
• Market Wishlist activities
• Keep you informed of how community support makes a difference, locally
• Inform you of our upcoming events and appeals

Information Minimisation

We only collect information that is reasonably necessary to perform Wishlist’s organisational functions and activities.

4. Use and Disclosure

Primary Purposes

• Processing donations
• Operating hospital accommodation services
• Operating hospital parking services
• Managing supporter relationships
• Administering research grants
• Employee administration
• Statutory compliance

Secondary Purposes

• Marketing communications
• Event management
• Research and analysis
• Service improvement

Disclosure to Third Parties

• We may share information with:
  Your representatives (eg your authorised representatives or legal advisors) only upon your written authorisation
• Government and regulatory authorities and agencies, as required or authorised by law
• An appeal mailing house
• Telemarketing company (for the purpose of updating our database records)
• Service providers (under strict confidentiality agreements)
• Healthcare providers (where necessary)
• Professional advisers
• Payment processors

5. Information Security and Storage

Wishlist is committed to keeping secure the personal information you provide to us. Wishlist takes all reasonable precautions to protect the personal information it holds from misuse, loss, modification, disclosure, or from unauthorised access.

Security Measures

• Enterprise-grade encryption
• Multi-factor authentication
• Access controls and monitoring
• Regular security audits
• Staff training and confidentiality agreements

Data Retention

• Personal information is retained only as long as necessary
• Secure destruction of personal information when it is no longer required
• Regular review of retention requirements and disposal schedule

• Data Breach Response
  An organisational incident response plan is in place and regularly tested and reviewed by the IT Oversight Committee
• Notification procedures as required by law
• Investigation and remediation processes are in place

6. Digital Privacy and Technology

Website and Cookies

• Essential cookies for website functionality
• Analytics cookies (with consent)
• No third-party tracking occurs without consent

Online Payments

• Processing of payments occurs through a secure payment gateway (Stripe)
• Absolutely no storage of credit card details
• PCI DSS compliance

Digital Communications

• Secure email protocols
• Encrypted file transfers
• Secure portal access

7. Individual Rights and Access

You have the right to:

• Access your personal information
• Request corrections
• Remain anonymous
• Opt-out of communications
• Lodge privacy complaints
• Request information deletion (where practical)

Procedure to Gain Access to Personal Information

Access to your personal information can be made upon request to the Wishlist Privacy Officer by phone on (07) 5202 1777 or email to info@wishlist.org.au

Request corrections

The goal of Wishlist is to ensure that the personal information it holds is accurate, complete and up-to-date. Please contact the Wishlist Privacy Officer if any of the details provided have changed on (07) 5202 1777 or email to info@wishlist.org.au

Anonymous giving

When we receive anonymous donations, we are not able to issue tax receipts. We do not publicly name our donors without permission, so you can be assured of public anonymity if you require it.

Opting out

You have the option at any time to opt out or unsubscribe from Wishlist mailing lists. If you do not wish to receive letters from us, but are a donor, you can ask to be marked as ‘no mail’ in our database.

8. Complaints and Review Process

If an individual believes that their personal information has not been dealt with in accordance with an IPP they may make a complaint to Wishlist seeking an internal review. A request for an internal review must be made in writing and must be made within six months from the date when the breach was suspected to have occurred.

Internal Review

• Written requests should be made to the Privacy Officer via email to info@wishlist.org.au
• You will receive acknowledgment within 14 days of receipt of your request
• We aim to resolve requests for internal review within 60 days
• A written response to all requests for internal review is provided

External Review

If you subsequently remain dissatisfied with Wishlist’s response to your complaint you may lodge a request for an external review with the Office of the Information Commissioner.

The Information Commissioner in Queensland is an independent body that oversees the state's Right to Information (RTI) and Information Privacy (IP) legislation. Requests can be made directly to the OIC:

Attention: Privacy Team

Office of the Information Commissioner

PO Box 10143

Adelaide Street

BRISBANE QLD 4001

Email: administration@oic.qld.gov.au

Office of the Information Commissioner Queensland | Protecting your right to information and privacy (oic.qld.gov.au)

9. Contact Information

Attention: Wishlist Privacy Officer

6 Doherty Street, Birtinya, Qld. 4575

Email: info@wishlist.org.au

Phone: (07) 5202 1777

10. Website Privacy Statement

Our website privacy statement can be found at Attachment 1. Wishlist’s website privacy practices include:

• Secure socket layer (SSL) encryption
• Regular security updates
• Privacy-preserving analytics
• Transparent cookie usage
• Secure forms and data collection

11. Policy Review

This policy is reviewed annually or when significant changes occur in privacy legislation or our operations. The current version is always available on our website.

Personal Information about supporters, volunteers, donors

The purpose of these records is to enable Wishlist to create a healthier Sunshine Coast community with access to the best possible medical services, equipment, research and advice through donations, sponsorships, and general support.

Content may include:

1. name, address and previous addresses
2. telephone or mobile number and email address
3. date of birth
4. support given
5. credit card payments/details
6. research from public documents
7. contacts made
8. information that is required to be collected for the purpose of Wishlist’s accountability to Government audits.

If you are a research grant applicant, we may also collect information about your career and education.

All Wishlist staff members have access to this information. Wishlist employees are responsible for managing personal information in compliance with the IP Act and the privacy plan. There are strict security procedures in place for the management of information held in the office, and all employees are required to sign an employment contract, which includes a confidentially clause, before gaining access to any information. Employees are given access only to information which is relevant to their duties.

Your personal information may be used to:

1. thank you for your support
2. market Wishlist activities
3. keep you informed of how community support makes a difference, locally
4. inform you of our upcoming events and appeals

This information is obtained:

1. directly from you, when you provide us with information by phone, mail, web or email or in person.
2. when you make an online donation or register for an event or as a volunteer you are automatically added to our database and mailing list.
3. from third parties such as friends who have referred you to us.
4. from publicly available sources such as the telephone directory or newspaper etc.

Anonymous giving

When we receive anonymous donations we are not able to issue tax receipts. We do not publically name our donors without permission, so you can be assured of public anonymity if you require it.

Opting out

You have the option at any time to opt out or unsubscribe from Wishlist mailing lists. If you do not wish to receive letters from us, but are a donor, you can ask to be marked as ‘no mail’ in our database.

Employee Personal Information

Wishlist holds personal information including banking and taxation details for employees. Employee payroll is managed in-house. 

The purpose of employee records is to maintain recruitment and employment history, and payroll and administrative information relating to all permanent, contract and temporary employees of Wishlist. Content may include all matters relating to individual employment, including medical records, disciplinary and/or grievance documentation.

The following staff members have access to this information: CEO and Financial Controller.

Nambour Hospital Staff Parking Records and Complaints

The purpose of these records is to provide a parking service for Health Service staff/customers who have chosen to utilise the parking services of Wishlist at Nambour General Hospital. Content may include all matters relating to billing (including payroll numbers for those utilising payroll deduction schemes), over or under-payment, vehicle identification and contact information, correspondence relating to complaints/accident details.

The following staff members have access to this information: CEO, Financial Controller and the Administration Officers. In addition, the Wishlist accountant and auditor have access.

By agreement with the Sunshine Coast Hospital and Health Service the waiting list of staff seeking access to parking at Nambour Hospital is posted on the SCHHS intranet site and updated regularly.

Personal Information about Vendors

The purpose of these records is to allow normal business processes to take place eg. name, address for payment, contact information, bank account details to allow for electronic payment of accounts, and Australian Business Number.

The following staff members have access to this information: CEO, Financial Controller and Administration Officer. In addition, the Wishlist’s accountant and auditor have access. 

Personal Information of Members of Wishlist Board of Directors

The purpose of these records is to allow Wishlist to meet the governing requirements of the Hospitals Foundation Act. Content may include contact information, previous employment history, personal interests, correspondence from the Minister for Health and Director General of the Health Department, and other personal information needed for Wishlist to hold bank accounts, investments, and trade accounts.

The following staff members have access to this information: Foundation Chairman, Wishlist CEO.

Disclosure of personal information

For the purpose outlined above we may disclose your personal information to organisations outside Wishlist. These organisations to which information is disclosed include:

1. Your representatives (eg your authorised representatives or legal advisors) only upon your written authorisation.
2. Our professional advisers, including our accountants, auditors and lawyers.
3. Government and regulatory authorities and other organisations, as required or authorised by law.
4. An appeal mailing house.
5. Telemarketing company (for the purpose of updating our database records).

Forms and guidelines used by Wishlist that solicit personal information will specify the purpose for which the information is being collected; and to whom the information will be shared. (IPP 2 notice)

Future contracts, licenses and outsourcing arrangements that utilise personal information of Wishlist, if any, will contain the necessary provisions in order to comply with the IPPs.

Personal Information Quality

The goal of Wishlist is to ensure that the personal information it holds is accurate, complete and up-to-date. Please contact Wishlist if any of the details provided have changed. 

Procedure to Gain Access to Personal Information

Access to your personal information is upon request to the Freedom of Information Officer of Wishlist who is the Wishlist CEO (07) 5202 1777 or info@wishlist.org.au

Review Procedure

If an individual believes that their personal information has not been dealt with in accordance with an IPP they may make a complaint to Wishlist seeking an internal review. A request for an internal review must be made in writing and must be made within six months from the date when the breach was suspected to have occurred. Requests should be forwarded to CEO of Wishlist on (07) 5202 1777 or info@wishlist.org.au

Requests for review will be acknowledged in writing within 14 days from the date on which the application was received, and Wishlist will process the request within 60 days from the date on which the application was received. Applicants will be advised in writing of Wishlist’s decision.

If you subsequently remain dissatisfied with Wishlist’s response to your complaint you may lodge your complaint with the Office of the Information Commissioner at the following address:

The Manager, Corporate and Executive Services

Office of the Information Commissioner

PO Box 10143
Adelaide Street
Brisbane Qld 4000

Personal Information Security

Wishlist is committed to keeping secure the personal information you provide to us. Wishlist takes all reasonable precautions to protect the personal information it holds from misuse, loss, modification, disclosure, or from unauthorised access.

Contact Us about Privacy Practices

If you have any further questions or would like further information about Wishlist’s privacy policy and information handling practices, please contact:

CEO
Wishlist
PO Box 5340
SCMC QLD 4560

Phone: (07) 5202 1777
Fax: (07) 5202 0422
Email: info@wishlist.org.au

Attachment I – Privacy Policy and Security Statement for Wishlist Website

Wishlist is committed to protecting your privacy. We understand and appreciate that visitors and users of Wishlist’s website are concerned about their privacy and the confidentiality and security of any information provided to us.

The Queensland Government has established a privacy regime for the Queensland public sector based on 11 Information Privacy Principles (IPP). These are contained in an Information Standard that we are required to adhere to. A copy of this standard can be accessed at http://www.iie.qld.gov.au

This is NOT a cookie-free site. When you look at this website, our Internet Service Provider makes a record of your visit and logs the following information for statistical purposes only – the user’s server address, the user’s top level domain name (for example .com, .gov, .au, etc) the date and time of visit to the site, the pages accessed and documents downloaded, the previous site visited, and the type of browser used. No attempt is or will be made to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect activity logs.

Our Internet Service Provider for system trouble shooting and maintenance purposes may monitor e-mail messages.

Right of access and correction is limited to existing rights under the Right to Information Act 2009 (QLD) and Information Privacy Act 2009. If one wishes to obtain access to records under the Right to Information Act 2009 or Information Privacy Act 2009, they should apply to Wishlist’s CEO on (07) 5202 1777 or info@wishlist.org.au.

If you have any queries about our privacy policy and security practices, please contact the Wishlist Chief Executive Officer on (07) 5202 1777.

Join Our Daisy Chain

Keep up to date with our latest funding news, patient stories or upcoming events.