Data Privacy, Storage and Retention Policy

This policy describes how this personal information must be collected, handled and stored.

Policy Owner
Anders Hofstee

Policy approved

August 2025

Next policy review

July 2027

1. Introduction

1.1. Preamble

At Catalpa International, we are committed to safeguarding the dignity, privacy, and rights of all individuals whose data we collect and store. As a trusted international development NGO, we recognise the responsibility we hold in managing information ethically, securely, and transparently. This Data, Storage and Retention Policy ensures that we uphold best practices in protecting sensitive data, minimising harm, and maintaining trust with communities, partners, and staff.

This policy helps protect Catalpa from significant data security risks that could have serious consequences for both the organization and the individuals whose data we hold. Breaches of confidentiality can occur when information is inappropriately shared or disclosed without proper authorization. All people should be free to decide how organizations use data relating to them, and failing to offer choice undermines individual autonomy. Perhaps most seriously, reputational damage could result if hackers successfully gained access to sensitive data, potentially destroying trust with beneficiaries, partners, and donors while compromising our mission effectiveness.

1.2. Statement of Commitment

This data protection policy ensures Catalpa complies with data protection law and follows best practice while protecting the rights of staff, customers, beneficiaries, and partners. The policy promotes transparency about how we store, process, and retain individuals' data, and protects the organization from the risks of a data breach by clearly articulating our response procedures should one occur.

Catalpa International is an Australian registered organisation and therefore must comply with Australian law, including the Australian Privacy Act 1988. Australia's Privacy Act 1988 (as amended) describes how organisations, including Catalpa, must collect, handle and store personal information. Personal information is information about an identified individual, or an individual who is reasonably identifiable. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

Catalpa also operates in multiple countries and must comply with the laws and regulations of the host countries where our programs are implemented.

In addition to legal requirements in Australia and the countries Catalpa operates in, Catalpa must comply with:

  • Country-specific data protection requirements

  • Cross-border transfer protocols as required by local jurisdictions

  • Data sharing and retention policies of our partners and donors as outlined in our contractual agreements

Where local regulations are less developed, Catalpa will maintain compliance with Australian Privacy Act 1988 standards and international best practice.

1.3. Policy review and ratification

This Policy has been reviewed and formally ratified by Catalpa’s Senior Leadership team. It is subject to review every three years or more often as necessary.

1.4 Policy Linkages

This Data Privacy, Storage and Retention Policy should be read in conjunction with the following Catalpa International policies:

All Catalpa staff and consultants must ensure compliance with this policy alongside these related policies. In case of conflicts between policies, staff should consult the Data Security Team for guidance (section 6.2 outlines membership of the Data Security Team). Additionally, feedback, complaints or whistleblower complaints can be made via https://catalpa.stoplinereport.com/

If at any point you have a question or concern regarding this policy, you can always reach out via the #help_data_policy_support Slack channel.

2. Purpose and Scope

2.1 Purpose

The purpose of this document is to articulate Catalpa's policy for data collection and retention, and to ensure that any information is collected lawfully and in line with our organisation's purpose. This policy describes how this personal information must be collected, handled and stored.

2.2 Scope

This policy applies comprehensively across all of Catalpa's operations, and extends to all personnel including staff and consultants. The scope also encompasses contractors, suppliers, and other people working on behalf of Catalpa in any capacity.

The policy governs all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Australian Privacy Act 1988, ensuring comprehensive protection regardless of legal requirements.

3. Policy Principles

Catalpa commits to the following principles regarding data privacy, storage and retention:

  • Personal or Sensitive Information will only be collected and stored if absolutely necessary and directly related to program outcomes. These may include project data on beneficiaries, partners, program contacts, employees and other people that we have a relationship with or we may need to contact.

  • Catalpa is committed to keeping information collected through its services and applications safe and secure. In addition to the high standards of data protection Catalpa is committed to across the organisation, Catalpa implements specific, enhanced safeguards to ensure the protection of data of vulnerable and underserved populations including program beneficiaries.

  • Catalpa will never rent or sell data or permit advertising based on personal information collected through our programs.

  • In certain circumstances, governing law may allow personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Catalpa will disclose requested data. However, Catalpa’s senior leadership will ensure the request is legitimate, seeking assistance from the company's legal advisers where necessary.

4.1 Requirements regarding Data Collection

Catalpa is committed to transparency in data collection and processing, including ensuring that individuals are fully aware when their data is being collected and processed, through the following requirements:

  • Catalpa personnel must provide clear information about how personal data is being used, enabling people to make informed decisions about their participation in our programs.

  • Individuals are informed about their rights regarding their personal data, including how to access, correct, or request deletion of their information. We also ensure that people understand they have the option of dealing with Catalpa anonymously or by pseudonym where this is practical and does not compromise program effectiveness or legal requirements.

Catalpa is particularly concerned with protecting the data of vulnerable populations and the underserved communities we work with. Special considerations are outlined in section 5 - Project Specific Risk Assessment and Policies.

4.2 Requirements regarding Data Security

The following Catalpa security protocols must be implemented across all stages of data collection, transmission, and storage to protect against unauthorized access, accidental destruction, and modification of program data:

  • Data protection is achieved through strong encryption whenever possible, with public key encryption favored over password-based systems. Both encryption keys and passwords must be updated regularly and never shared between employees to maintain security integrity.

  • Any data stored on removable media must be kept locked away securely when not in use. Data storage is strictly controlled, with information only permitted on designated drives and servers, and uploads restricted to pre-approved cloud computing services that meet our security standards.

  • All data transmissions must be conducted through end-to-end encryption to protect information during transfer. Additionally, servers containing personal data are located in secure facilities with restricted physical access to prevent unauthorized tampering or theft.

4.3 Regulations regarding Data Storage and Retention

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Senior Technical Engineer. These rules also apply to data that is usually stored electronically but has been printed out for operational reasons:

  • When physical documents are not required, paper files must be kept in locked drawers or filing cabinets to prevent unauthorized access. Employees must ensure that printed materials are not left in areas where unauthorized people could view them, such as on printers or in open workspaces. When data printouts are no longer needed, they must be shredded and disposed of securely to prevent information recovery.

  • Electronic data storage requires robust protection against unauthorized access, accidental deletion, and malicious attacks. Catalpa ensures comprehensive data backup procedures are performed frequently to prevent data loss and maintain business continuity. Personal information is retained for 5 years post-project completion unless contractual obligations with partners or donors demand otherwise, or as required by applicable law and best practice standards. Once retention requirements are met, data is permanently deleted from all storage systems to minimize privacy risks.

  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Catalpa ensures that data will be backed up frequently

  • Personal information will only be kept for 5 years post-project completion unless contractual obligations with partners or donors demand otherwise, or as required by applicable law and best practice standards, after which it shall be deleted from all means of storage

4.4 Regulations regarding Data Use

Regulations regarding data use include:

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended

  • Encryption and/or pseudonymisation of personal information should be used whenever feasible

  • Personal data will not be shared informally. In particular, it should never be sent by email or any other means that does not use strong end-to-end encryption

  • Data must be encrypted before being transferred. The Senior Technical Engineer can explain how to send data to authorised external contacts

  • All cross-border data transfers must comply with applicable local data protection laws and any required transfer mechanisms

  • Employees should not save copies of personal data to their own computers unless specifically authorised to do so by the Director or Senior Technical Engineer

Additionally, it is important to note that Catalpa maintains strict prohibitions on certain data uses to protect individual privacy and maintain ethical standards, which include:

  • All data analysis must be conducted using aggregated data, with identification of individual children strictly forbidden to prevent potential harm.

  • As stated in Section 3 - Policy Principles, Catalpa will never rent or sell data to third parties, nor permit advertising based on personal information collected through our programs. This ensures that beneficiary data is used solely for legitimate program purposes and cannot be exploited for commercial gain.

5. Project-level Data Privacy, Storage and Retention Policies

In addition to the organisation-wide requirements outlined in Section 4 of this Policy, there are project specific requirements outlined below:

5.1. Project level Risk assessment

It is a requirement of this Policy that the Risk Assessment of each project includes an assessment of the risks related to that project’s data privacy, storage and retention that is appropriate to the project's geographic, technical, and beneficiary context. If the project involves a subcontracting partner, the risk assessment should also include any risks identified in the Partnership Assessment as outlined in section 5.3 below.

5.2. Project-level Data Privacy, Storage and Retention Policies

It is a requirement of this policy that each project develops and maintains its own comprehensive Data Privacy, Security, Storage and Retention policy that addresses the specific requirements, risks, and regulatory context of that project. These project-specific policies are informed by the aforementioned project-specific risk assessment and are required to include:

  • Detailed data inventories cataloguing all personal and sensitive data collected, processed, and stored

  • Specific data retention schedules tailored to project requirements and local legal obligations

  • Consent mechanisms and procedures adapted to local cultural and linguistic requirements

  • Technical security measures specific to the project's infrastructure and data flows

Project-specific policies must comply with this organizational policy while providing the additional detail and context-specific guidance necessary for effective implementation. Where conflicts arise between organizational and project policies, the more restrictive requirements apply, and guidance should be sought from the Data Security Team.

As outlined in Section 3 - Policy Principles, Catalpa recognises its duty of care to external third parties, especially vulnerable and underserved communities such as the beneficiaries of Catalpa programming, and therefore each project is required to ensure that the following enhanced safeguards for beneficiaries are in place:

  • Consent Mechanisms: Consent procedures are carefully designed to account for literacy, linguistic differences, and cultural sensitivities that may affect an individual's ability to provide truly informed consent. Where written consent is not feasible due to literacy barriers, visual and verbal consent methods are employed to ensure understanding. Interpreters and cultural mediators are utilized to bridge communication gaps and ensure that consent is genuinely informed rather than merely obtained through formality. Detailed consent procedures are outlined in Catalpa's Procedures for the Collection, Storage and Use of Stories, Photos and Video.

  • Vulnerable Population Protections: Enhanced privacy protections are implemented for particularly vulnerable groups including children, elderly individuals, disabled persons, and marginalized communities who may face additional risks from data misuse. Additional safeguards, such as encrypting data in place, should be applied to sensitive data categories including health information, financial records, and identity documents that could cause significant harm if compromised. Consent is regularly reviewed to ensure ongoing agreement to data use, recognizing that circumstances and individual preferences may change over time.

  • Compliance with Related Policies: All beneficiary data storage and handling must comply with Catalpa's other protective policies (see Linked Policies above).

5.3 Local partner data sharing

Catalpa frequently collaborates with local implementing partners, government agencies, and community organizations. Data sharing with local partners must follow these best practices:

Partnership Assessment:

  • Evaluate partner's data protection capabilities and legal obligations

  • Assess local regulatory environment and compliance requirements

  • Document partner's existing data protection policies and procedures

Data Sharing Agreements:

  • Establish clear data sharing practices before any data transfer

  • Define specific purposes for data sharing and use limitations

  • Specify data security requirements and breach notification procedures

  • Include provisions for data return or deletion at project completion

Capacity Building:

  • When needed, provide data protection training to local partner staff

  • Monitoring and support for compliance with data sharing agreements

Technical Safeguards:

  • Use secure channels for all data transfers to local partners (e.g. secured access to Google Drive or Slack, encrypting data for transfer of sensitive material on USB drives, etc.)

  • Implement access controls and user authentication systems

  • Regular backups and disaster recovery procedures

  • Encryption of sensitive data both in transit and at rest

6. Responsibilities of Catalpa personnel

6.1 General responsibilities of all Catalpa personnel including staff and consultants

  • The only people able to access data covered by this policy should be those who need it for their work

  • Data may not be shared informally. When access to confidential information is required, employees can request it from their managers

  • Catalpa will provide training to all employees to help them understand their responsibilities when handling data

Staff should keep all data secure, by taking sensible precautions and following the guidelines below:

  • Strong passwords must be used and they should never be shared

  • Personal data may not be disclosed to unauthorised people, either within the organisation or externally

  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of

  • Employees should request help from their manager or Catalpa's Data Security Team via the #help_data_policy_support Slack Channel, if they are unsure about any aspect of data protection

6.2 Responsibilities of specific Catalpa personnel

The Data Security Team is ultimately responsible for ensuring that Catalpa meets its legal obligations. The Data Security Team is composed of the following core personnel as well as other personnel as required.

Project and Program Team Leaders are responsible for working together with members of the Data Security Team to develop their Project-level Data Privacy, Storage and Retention Policies mentioned in Section 5 of this document. Team Leaders are also responsible for alerting the Data Security Team in the event of a suspected breach and working closely to address all concerns and remedies.

The Director & Co-Founder, Anders Hofstee, is responsible for:

  • Keeping the board updated about data protection responsibilities, risks and issues

  • Reviewing all data protection procedures and related policies, in line with an agreed schedule

  • Arranging data protection training and advice for the people covered by this policy

  • Handling data protection questions from staff and anyone else covered by this policy

  • Dealing with requests from individuals to see the data Catalpa holds about them (also called 'subject access requests')

  • Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data

  • Approving any data protection statements attached to communications such as emails and letters

  • Addressing any data protection queries from journalists or media outlets like newspapers

  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles

The Senior Technical Engineer, Peter Coward, is responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards

  • Performing regular checks and scans to ensure security hardware and software is functioning properly

  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

You are encouraged to reach out to members of the team directly or via the #help_data_policy_support channel in Slack.

7. Data Breach & Response

In the event that there is unauthorised access to or unauthorised disclosure of personal information, the Data Security Team should be notified immediately, no longer than an hour after learning about the breach. Catalpa will disclose any breach to its relevant partners.

In the case where a breach meets the following criteria, Catalpa will also report the breach to the Australian Office of the Australian Information Commissioner (OAIC) or other similar body depending on the program's jurisdiction:

  • There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds

  • This is likely to result in serious harm to one or more individuals, and

  • The organisation or agency hasn't been able to prevent the likely risk of serious harm with remedial action

If Catalpa suspects an eligible data breach may have occurred, we will quickly assess the incident to determine if it is likely to result in serious harm to any individual, and affected individuals will be promptly informed of the nature and extent of the breach.

8. Subject Access Requests

If an individual contacts the company requesting this information, this is called a subject access request.

All individuals who are the subject of personal data held by Catalpa are entitled to:

  • Ask what information the company holds about them and why

  • Ask how to gain access to it

  • Be informed how to keep it up to date

  • Be informed how the company is meeting its data protection obligations.

Subject access requests from individuals should be made by email, addressed to the Data Security Team at [email protected].

The Data Security Team will always verify the identity of anyone making a subject access request before handing over any information.
