This Privacy Policy sets out how Bainbridge Consulting collects, uses, holds, and discloses personal information in the course of its research, evaluation, and advisory services.
This Policy applies to all personnel, contractors, systems, and commissioned activities involving the handling of personal information.
Bainbridge Consulting manages personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, the Information Privacy Act 2009 (Qld). Where international privacy obligations apply, including the General Data Protection Regulation (GDPR), we take reasonable steps to align our practices with applicable legal requirements.
For the purposes of this Policy:
Personal Information has the meaning given in the Privacy Act 1988 (Cth).
Sensitive Information includes information such as health information, cultural background, or lived experience.
De-identified Data means data that has been processed to remove or obscure identifiers such that individuals are not reasonably identifiable.
Collection includes the receipt, acquisition, or generation of personal information in any form.
Where ambiguity arises, interpretation will be guided by applicable privacy legislation and the Australian Privacy Principles.
We collect personal information only where it is reasonably necessary for our research, evaluation, advisory, and operational functions.
Information may be collected through:
Direct engagement with individuals, including interviews, surveys, consultations, and correspondence
Commissioned research and evaluation activities conducted on behalf of client organisations
Administrative interactions relating to project delivery, procurement, or stakeholder engagement
Website enquiries and other digital communications
Where information is received from a third party, including government agencies or partner organisations, we take reasonable steps to confirm that the disclosing party has authority to provide that information.
Sensitive information is collected only:
With express consent
Where required or authorised by law
Where otherwise permitted under applicable privacy legislation
Where lawful and practicable, individuals may interact with us anonymously or using a pseudonym.
Personal information is stored in secure systems with access restricted to authorised personnel on a need-to-know basis.
We apply administrative, technical, and organisational safeguards appropriate to the sensitivity of the information held, including:
Encryption and secure network controls
Role-based access restrictions
Secure storage and transfer practices
Staff confidentiality obligations and training
Periodic review of information security practices
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
Personal information is used only for purposes reasonably connected to the functions for which it was collected, including:
Conducting research and evaluation activities
Preparing findings, reports, and advisory outputs
Communicating with participants, stakeholders, and client organisations
Managing administration, procurement, invoicing, and operational obligations
Maintaining the quality, integrity, and security of our services
We do not sell personal information or use personal information for direct marketing or commercial profiling.
Secondary use of personal information is undertaken only where:
Consent has been obtained
The use is permitted or authorised by law
The information has been de-identified
The secondary use is otherwise consistent with applicable privacy obligations
We disclose personal information only where:
Disclosure is necessary for project delivery or operational functions
The individual has consented
Disclosure is required or authorised by law
Disclosure is reasonably necessary to prevent serious harm or unlawful activity
Where third parties, subcontractors, or service providers are engaged, we take reasonable steps to ensure appropriate privacy and confidentiality protections apply.
Bainbridge Consulting does not make decisions with legal or similarly significant effects solely through substantially automated decision-making systems.
Where analytical or automated tools are used to support research or operational processes, they remain subject to human oversight and review.
Should our practices materially change in this area, we will update this Policy accordingly.
We take reasonable steps to ensure personal information is accurate, complete, relevant, and up to date where it is used for decision-making, reporting, or analysis.
Information is retained only for as long as necessary to:
Fulfil the purpose for which it was collected
Comply with legal, contractual, ethical, or recordkeeping obligations
Manage operational and governance requirements
Where information is no longer required, we take reasonable steps to securely destroy or de-identify it.
Individuals may request access to, or correction of, personal information held by Bainbridge Consulting.
Requests will be assessed in accordance with applicable privacy legislation. Where access is refused, reasons will be provided where legally permitted.
Where applicable, individuals may also:
Request that inaccurate or incomplete information be corrected
Request restriction of processing in certain circumstances
Withdraw consent previously provided, subject to legal or contractual limitations
Request deletion of information that is no longer required and is not required to be retained by law or contract
Requests relating to privacy rights may be directed to the Privacy Officer using the contact details below.
Bainbridge Consulting complies with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth).
Where an eligible data breach is assessed as likely to result in serious harm, we will:
Take reasonable steps to contain and assess the incident
Notify affected individuals where required
Notify the Office of the Australian Information Commissioner (OAIC)
Implement remedial measures to reduce ongoing risk
We generally store and process information within Australia.
Where personal information is disclosed to overseas recipients, we take reasonable steps to ensure that appropriate privacy, confidentiality, and security safeguards apply.
Where we process personal information relating to individuals located in the European Union or European Economic Area, we take reasonable steps to handle such information in a manner consistent with the General Data Protection Regulation (GDPR), where applicable.
Bainbridge Consulting is primarily governed by Australian privacy law. Where international privacy obligations apply, we seek to align our practices with applicable legal requirements to the extent required in the circumstances.
Privacy enquiries, access requests, correction requests, or complaints may be directed to:
Privacy Officer
Bainbridge Consulting
PO Box 639
North Lakes QLD 4509
Australia
Phone: +61 7 3040 6100
Email: reception@bainbridge.com.au
We aim to respond to privacy enquiries and complaints within a reasonable timeframe.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au.
This Policy is reviewed periodically to ensure ongoing alignment with applicable legislation, operational requirements, and research governance standards.
Version: 5.0 - Research Governance Version
Last Updated: 1 May 2026