Privacy Management Policy


1. Introduction

The Australian War Memorial (the ‘Memorial’) is a memorial, archive and museum commemorating the sacrifice of those Australians who have died in war or on operational service and those who have served our nation in times of conflict. The Memorial is a living, breathing record of our nation’s military history – a place where people are drawn to reflect on the past and gain a deeper understanding of military service during numerous conflicts, which have helped shape our history, our country and our way of life. 

The Memorial assists audiences both physically and digitally to remember and understand the Australian experience of war through;

  • Sharing veterans’ stories through participation in commemorations, activities, and the recording and collecting of records and objects that reflect their war experience; 
  • Engaging stakeholders and visitors through the interpretation and understanding of Australia’s military history and its impact on Australian society.

2. Purpose

The purpose of this policy is to outline the Memorial’s obligations for managing personal information in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs) and the APP Code for Australian Government Agencies. Certain types of information will be managed in accordance with the Health Records (Privacy and Access) Act 1997.

This policy describes the types of personal information we collect and hold, and how and why we collect that information.  It also provides details of how an individual can access their personal information and seek its correction, including our complaint handling process.

3. Why the Memorial collects personal information

The Memorial will collect personal information where it is necessary or directly related to our functions or activities in accordance with the powers and functions of the Australian War Memorial Act 1980.

The personal information we collect typically includes name, phone number, email address and postal address. We also collect and hold information about how you have engaged with us. For example, we capture and store information about previous tour bookings you have made, donations you have provided, purchases you have made and correspondence we have exchanged.

The main way we collect personal information is when it is provided to us, for example, when people engage with us through:

  • subscribing to our newsletter
  • applying for employment or becoming a volunteer
  • invitations or bookings to exhibitions, commemorative events and some ceremonies, as well as school and guided tours of the Memorial or its collection;
  • communication activities to promote and build an awareness of the Memorial, its collection, special exhibits and future opportunities for you to engage with the Memorial;
  • providing and soliciting financial donations or items for inclusion in the collection, to ensure we can continue our mission to commemorate and honour the sacrifice of Australians who have died in war or on operational service.
  • the purchase of, or subscription to,  memorabilia and merchandise that is relevant to the Memorial, its collection or its mission of commemoration
  • writing to us, making an enquiry or complaint or providing feedback on our services
  • interacting with us via our website and social media channels>
  • providing goods and services to us through contractual supplier arrangements.

We will only collect personal information by lawful and fair means and will generally collect the information from the individual personally, although in some cases we may receive information from third parties. Where necessary for the delivery of a function under the Australian War Memorial Act, we will capture and store (un)solicited personal information provided by third parties securely in our stakeholder database. The information will not be used without the consent of the stakeholder, unless it is assessed that the stakeholder would reasonably expect that we do so.

4. How personal information is held and protected

The Memorial is committed to taking all reasonable steps to protect personal information from misuse and loss.  Strict procedures and standards are followed to prevent unauthorised access to, modification, and disclosure of personal information in our possession and control. 

5. What categories of information are collected

Personnel and employment records

We collect a range of personal information from employees, prospective employees and Council members.  This information, which may include the Working with Vulnerable People registration card and relevant medical restrictions, is  only accessed with the individual’s permission and if granted is then used to administer matters relating to a person’s employment or duties with the Memorial.  The information is generally collected directly from each individual.  Personal information may also be collected from an employee’s supervisor, other employees, recruitment agents and personnel providers, and from previous employers when it is relevant to a selection process.

Volunteer records

Volunteers play an important role in the Memorial’s function.  The majority of volunteers work as guides, in the family history area or on collection management tasks. Volunteers help us to share the story of Australia’s military history with our visitors and maintain the National Collection. Information is collected directly from each individual and usually includes personal and contact details including any medical restrictions.  Health or medical information is collected to assess a volunteers’ physical ability to perform their role. The Memorial also collects a copy of each volunteers’ Working with Vulnerable People registration card. This information is used to maintain a current contact list to manage and administer the Annual Volunteer Agreement.

Contractor and supplier information

Personal information relating to all contractors to the Memorial is also collected. This may include personal and contact information from visitor services, security, catering and cleaning staff employed under contract with the service provider, along with other contractors and product suppliers.  The personal information is collected and used for the purposes of managing the Memorial’s relationship with the contractor and for security.

Program, Event, Ceremony and Bookings information

The Memorial offers and holds a range of events, ceremonies and public programs, some of which are ticketed. If you are a key contact or attendee and have provided information for this purpose, we will hold your personal information. The event or booking Terms and Conditions are published on our website or the third-party booking website along with Privacy Notices that advise whether your information is being used by the Memorial. Contact and preference information provided may be used to approach for survey, market research or generate broad statistical and demographic data. Once initially contacted by the Memorial, event or booking ticket holders will have an opportunity to opt out if they do not wish to receive news from the Memorial – see Email marketing.

Security records (including CCTV)

The Memorial maintains security records in order to manage access to our premises, assets or information.  These records relate to staff, volunteers, and contractors; and may include pre-employment checks and Australian Government Security Clearances.  Photographic security identification passes are also used for identification and access control. The information is held in electronic and paper formats and is accessed by the Agency Security Advisor, agency security personnel, and Human Resources staff; and in the case of security ID passes, staff from our contracted guarding service provider.

A series of closed circuit television (CCTV) cameras, to monitor and record activity, are installed throughout the Memorial building and the accompanying grounds. The purpose of this monitoring is to provide a safe and secure environment for staff, visitors and to protect the building, surrounding grounds, our collections and exhibits from damage, theft or loss.

Signs are displayed at all entries to the building and throughout the external precinct to notify individuals of the presence of the cameras. Surveillance footage that is captured by these cameras is considered to be personal information and is held electronically on dedicated secure servers, and is accessible by the Agency Security Advisor and staff from our contracted guarding service provider.  Information is not released to any person or party except for enforcement, official administrative or investigative related activities conducted by, or on behalf of, an enforcement body. CCTV recordings are generally retained for a period of 60 days, and then deleted permanently unless retained as records of an incident. 

Collection Management

This policy applies to personal information held in records that support the National Collection.

Records held by the Memorial in the Official Records Collection that are in the open period (i.e. over 20 years old) are governed by and made available in accordance with the provisions of the Archives Act 1983.  This governance references the release, storage and permission based use of Official Records collection materials. Where an Official Record has entered the open period, the Privacy Act no longer applies to it.

The Memorial details information about objects and materials it holds in its National Collection within a secure, password protected system. See 4. above.  For example:

  • details about an object’s history, including current and previous owners, which are used to assess an object’s ownership and provenance prior to acquisition or loan
  • personal and contact information on donors, lenders and vendors including copyright permissions and licensing
  • personal information required to arrange physical access to the collection by researchers, family members or other interested parties
  • personal information required to manage materials or an object (e.g., transportation or insurance)
  • personal and contact information relating to the management of oral history interviews.

The above information is usually collected directly from an individual, but it may also be collected from other sources. There may also be a need to hold classified or restricted personal information and this is treated in accordance with the associated legal requirements.

6. Sensitive personal information

There is a distinction in the Privacy Act between personal information and ‘sensitive’ personal information.  Sensitive personal information includes information or opinion about an individual including; racial or ethnic origin, political opinions, associations, memberships, religious beliefs, sexual orientation, criminal history, health or genetic information.

We will capture the details of political and trade associations for relevant stakeholders that engage with us in a professional capacity. We will not collect this personal information unless the individual consents and the information is reasonably necessary or directly related to the Memorial’s functions or activities such as;

  • collecting and storing the criminal history information of volunteers and staff engaged at the Memorial as provided by third party National Crime Check bodies; and
  • religious and political affiliations of public office holders that engage with the Memorial in a professional capacity.

Sensitive information will be retained where collection of the information is ;

  • provided with consent as it is necessary for the Memorial to conduct its functions and activities, or  
  • required or authorised by or under an Australian law or a court/tribunal order (e.g. Evidence Act 1995) ; or
  • authorised for other purposes permitted under the Privacy Act where ;
    • the Memorial has a reasonable belief that the information is needed in order to take action of suspected lawful activity of misconduct or a serious nature.
    • it is unreasonable or impractical to obtain consent and the Memorial has a reasonable belief that the information is needed to lessen or prevent serious threat to the life, health and safety of an individual or the public.

7. Online Engagement


Our websites, web measurement tools and internet service providers record information when visiting our website ( We use this information to help us better understand our website visitors and to improve the visitor experience.

The Memorial’s website is hosted by a cloud based provider, Amazon Web Services located on-shore in Australia. For more information on Amazon Web Services privacy policies please refer to their website.

No attempt will be made to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the service provider’s logs.


Our websites put small files (known as ‘cookies’) onto your computer to collect information about how you browse the site. Cookies are used to:

  • measure how you use the website so we can be updated and improve it based on your needs
  • remember the notifications you’ve seen so that we don’t show them to you again
  • remember your recent search parameters and results

Our cookies aren’t used to identify you personally.

Customer and Stakeholder information

Most personal information collected via our website through online forms and purchases is held securely in Our Stakeholder Knowledge Record database using Incorporated multi-tenanted cloud platform.

If users do not wish to provide us with this personal information, you are able to engage with the Memorial anonymously or, where legally permissible, through the use of a pseudonym. However, doing so may limit our ability to deliver you certain services e.g. digital retail sales and tax deductible donation receipts.

Research Centre Help

To manage reference and collection information requests including booking an appointment with our research staff in our Reading Room, we use a web-based third-party database system Ref Tracker by Altarama. The personal information you provide via this system is held in a secure hosted database within Australia and used by the Memorial only for the purposes related to use of the Research Centre facilities.

Credit security

We wish to ensure that you can make donations and purchase online with complete confidence.

Credit card payments are captured and processed by the National Australia Bank's Secure Internet Payment Service.  NAB use a 128-bit SSL Security Certificate to encrypt and protect your credit information.

For more information go to NAB Credit Card Security Statement. Your credit card information is not stored by the Memorial at any time.

Email marketing

We use a permission-based email marketing platform. This means we only send marketing material to those who have signed-up or provided their consent to receive this material. From time to time we use third-party bookings systems which prominently display their Privacy Notice. All of our email marketing material contains an unsubscribe link that allows the user to opt-out of receiving future messages. If we no longer need the personal information of a subscriber we destroy or de-identify the data.

Social media

The Memorial uses social media channels such as blogs, Facebook, Twitter, Instagram and YouTube to increase audience awareness, engagement, and participation in our activities and products.

When individuals communicate with us using these channels, we assume that they do so in the full knowledge that this information is being actively contributed on a public platform. Personal information provided via private message or for the purpose of competition entry is stored securely for financial accountability and auditing purposes.

Wireless network

The Memorial network provides the Wi-Fi, intranet and internet services for exhibitions, events, and for members of the public.

Any information collected as part of the connection process to Wi-Fi services is used only to facilitate delivery of the service and is not used, distributed, or on forwarded for any other purpose.

8. Disclosure of personal information

The Memorial will not disclose personal information to anyone outside our organisation unless the individual concerned has given their consent or disclosure where it is reasonably necessary and expected by stakeholders for the purpose of delivering a function or service. For example, provision of contact or allergy information may be necessary to provide to a third party event organiser for the purpose of facilitating a Memorial event.

Examples of exceptions include disclosure being necessary to prevent a serious threat to a person’s life, health or safety, or for law enforcement purposes.

The Memorial may use or disclose some classified or restricted personal information in accordance with other legal requirements.  Materials or archival records the Memorial holds that pass into the ‘open access’ period become publicly accessible, except for special circumstances.

Personal information held by the Memorial will only be released to contractors where it is necessary for the contractor to perform their job. If personal information is provided to a contractor, the written contract will contain the appropriate privacy clauses as recommended by the Privacy Commissioner.

9. Accessing and correcting your personal information

Under the Privacy Act you (as an individual) have rights to access and correct personal information that we hold about you.

You also have similar rights under the Freedom of Information Act 1982 (Cth).  More information about our FOI procedures can be found on our website.

If you request access to the personal information that we hold about you, or you request we change that personal information because it is incorrect, we will allow access or make the changes unless we consider that there is a sound reason under the Privacy Act or other relevant law to withhold the information or not make the changes. You will be clearly informed of any reasons for not complying with your request.

There are no charges imposed on requests for access to personal information and correction of personal information held by us. We aim to ensure that the personal information we hold is accurate, up-to-date, complete, relevant and not misleading.

We may deny such requests where it is contrary to public interest, or  record keeping or collection management obligations require us to do so. Youwill be clearly informed of the reasons for such denied requests. Please contact the Privacy Officer (see details below) if you would like to seek access to, or correct, the personal information we hold about you.

10. Complaint handling process

All complaints about how we have handled your personal information should be in writing. If you need help lodging a complaint, you can contact us.

The Privacy Contact Officer will investigate all complaints and determine whether the Memorial has breached its privacy obligations.

We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.  The Memorial will amend records where practicable and reasonable and will notify you when the requested change has been made.

Where your request has been denied, you will be provided with a written response outlining the reason why the request was denied in such circumstances and information on how you can have this decision reviewed.

If you are not satisfied with our response you may ask for a review by the Assistant Director, Corporate Services or you can lodge a complaint with the Office of the Australian Information Commissioner. 

Contact details for the Commissioner are available on their website here

How to make a complaint or contact the Privacy Officer

Written complaints or queries should be addressed to:

Privacy Officer
Australian War Memorial
PO Box 345
Canberra ACT 2601

Phone: 02 6243 4211 (switchboard)  


Back to Policies