Publication date: 8 December 2022

If you run a not-for-profit (NFP) organisation, such as a charity, it is critical that you understand the importance of good privacy practice and the obligations that may apply to your NFP under the Privacy Act 1988.

NFPs and the Privacy Act

NFPs may have obligations under the Privacy Act and Australian Privacy Principles (APPs) when collecting and handling personal information. This could include information collected in relation to employees and/or volunteers, a database of member or donor contact and financial details, or information collected in connection with the delivery of services to clients.

Whether your NFP is required to comply with the Privacy Act will depend on the type and scale of the organisation and the activities conducted.

The Privacy Act will apply to an NFP if its annual turnover is greater than $3 million. Annual turnover for the purposes of the Privacy Act includes all income from all sources. It does not include assets held, capital gains or proceeds of capital sales.

NFPs will also need to comply with the Privacy Act in certain other circumstances. For example, if they are:

  • a contracted service provider, including a subcontractor, for an Australian Government contract (for example, providing aged care or disability services under a contract with a Commonwealth agency). Check your contract for more information about your privacy obligations.
  • an organisation that provides a health service even if the service is not the NFP’s primary activity (for example, where a club has a program to assist members with injuries or improve fitness or health)
  • a business that sells or purchases personal information or trades it for a benefit (for example, where a charity sells customer lists in exchange for sponsorship benefits or purchases customer lists)
  • related to a larger body corporate that is subject to the Privacy Act (for example, where the NFP is part of a global network and the parent organisation has an annual turnover of greater than $3 million).

Your NFP may also choose to opt in to be covered by the Privacy Act. NFPs opting in to be covered by the Privacy Act are making a public commitment to good privacy practice.

To see if your NFP needs to comply with the Privacy Act, complete our privacy checklist for small business, or seek advice from your industry association or lawyer.

The importance of good privacy practice for NFPs

Regardless of whether the Privacy Act applies, there are significant benefits that flow from good privacy practice. The applicability of the Privacy Act to an NFP may also change over time, particularly if the NFP grows or changes its services.

Strong privacy protections can enable better services and stronger relationships between NFPs and the community. When the public is confident that your NFP will collect and handle their personal information appropriately, they are more likely to engage with your organisation. This is particularly important where your NFP relies on sustained support from donors, members or volunteers.

Conversely, there are a number of risks associated with privacy practices that do not meet community expectations. These risks include:

  • emotional and financial harm to clients, members, supporters, staff or volunteers through the misuse or unauthorised disclosure of personal information, which may include sensitive information
  • reputational damage, which can jeopardise funding and public support
  • regulatory action and penalties for breaching the Privacy Act (including mandatory data breach obligations), which may be made public.

Practising ‘privacy by design’ is the best way to ‘future proof’ yourself from additional costs and redevelopment work. This means building the management of privacy risks into your NFP’s systems and processes from the beginning, rather than at the end.

Completing a privacy impact assessment will help you to understand the impact that your NFP’s practices might have on the privacy of individuals and identify ways to manage, minimise or eliminate those impacts.

For more information, see our Guide to undertaking privacy impact assessments and our Undertaking a privacy impact assessment e‑learning course.

Obligations under the APPs

Privacy obligations mean being transparent about how your NFP handles personal information, and giving individuals confidence that their information will be managed securely and appropriately.

The 13 APPs in the Privacy Act set out the minimum expectations of the community in relation to how you handle their personal information and/or sensitive information. If your NFP is covered by the Privacy Act, the APPs are legally binding.

‘Personal information’ is any information or an opinion about an individual who can be reasonably identified from that information or opinion, such as a person’s name, date of birth and phone number.

‘Sensitive information’ is a subset of personal information and includes health information and information about an individual’s political opinions and religious or philosophical beliefs. The Privacy Act generally affords a higher level of privacy protection to sensitive information than to other personal information.

The standards in the APPs are generally framed as requiring organisations to do what is ‘reasonable’ in the circumstances. This means they are flexible and can be tailored to your NFP’s business model and activities.

When it comes to protecting personal information, there are 3 key things to keep in mind:

  • Only collect personal information you need.
  • Store that information securely.
  • Delete the information when no longer required.

Developing a privacy policy

If your NFP is covered by the Privacy Act you must have a privacy policy. This is a statement that explains in simple language how your organisation handles personal information.

A privacy policy is a key tool for ensuring that your organisation manages personal information in an open and transparent way.

For more information, see our Guide to developing an APP privacy policy.

Collection of personal information

You should ensure your NFP only collects personal information that you need. Do not collect personal information just because it may become necessary or useful at a later date. Your NFP should generally also only collect information directly from the individual.

When collecting sensitive information, your NFP must get the person’s consent, unless an exception applies.

If you maintain a database of supporters or donors, it is important to ensure that the collection of personal information, including sensitive information, is always limited to the minimum information reasonably necessary to achieve this purpose.

Data minimisation is an important concept that can help reduce privacy and security risks. For example, holding large amounts of personal information may increase the risk of unauthorised access by internal or external sources and could increase the risk of harm to an individual in the event of a data breach.

Make sure you provide privacy notices to individuals when you collect personal information and that you handle their personal information in the way you say you will.

For more information see the chapters of our APP guidelines on collection and notification of the collection of personal information.

Using or disclosing information

Generally, your NFP should only use or disclose personal information for the primary purpose for which it was collected. However, there are exceptions that allow for it to be used or disclosed for another purpose. These exceptions include where:

  • the individual has consented to the use or disclosure
  • the individual would reasonably expect the use or disclosure and the other purpose relates (or for sensitive information, directly relates) to the primary purpose of collection. In this scenario, your NFP should only use or disclose the minimum amount of personal information sufficient for the other purpose
  • the use or disclosure is required or authorised by law.

If you want to use personal information you have collected for an unrelated purpose, such as sharing a list of donors with another NFP, you must obtain the individual’s consent to do so.

The Privacy Act places restrictions on using or disclosing personal information for direct marketing, such as fundraising, or to facilitate direct marketing by other organisations.

Where you do engage in fundraising, you should provide a simple means of opting out of future direct marketing communications, comply with any opt-out request and, if requested, tell a person where you got their personal information from.

The Privacy Act does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (NCR Act) or the Spam Act 2003.

For more information see the chapters of our APP guidelines on use or disclosure of personal information and direct marketing.

Security of information

Your NFP should take reasonable steps to protect the personal information you hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. It is important to consider the potential physical and digital threats to the security of the personal information you hold and take steps to mitigate these threats. For example:

  • ensuring your staff are aware of their privacy and security obligations and the importance of good information handling and security practices
  • implementing effective software and network security measures to ensure that all of your systems are secure and provide a safe environment for your employees to carry out their work, and for your clients, donors, members and supporters to interact with your NFP
  • implementing strong password protection strategies, including raising staff awareness about the importance of protecting credentials
  • using multi-factor authentication at minimum for all remote access to business systems and for all users when they perform a privileged action or access an important data repository
  • keeping operating systems, browsers and plugins up-to-date with patches and fixes and enabling anti-virus protections to help guard against malware that steals credentials.

Make sure your staff and volunteers are familiar with and follow your policies on information security, including ICT security, physical security and access security.

See our Guide to securing personal information for further guidance on personal information security practices.

Retention and deletion of information

You should only retain personal information as long as it is needed. If there is no requirement or justification for retaining the information, you must take reasonable steps to destroy or de-identify the information.

See our Guide to securing personal information for detailed guidance on how to securely destroy personal information.

Data breach preparation and response

A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person.

Data breaches can cause significant harm in multiple ways. Individuals whose personal information is involved in a data breach, such as clients, donors, volunteers or staff of your NFP, may be at risk of serious harm, whether that is harm to their physical or mental wellbeing, financial loss or damage to their reputation. A data breach can also negatively impact an organisation’s reputation for privacy protection and damage community trust in your NFP.

Part of good privacy practice is being prepared in case things go wrong, by having a data breach response plan. Ensuring your NFP has a data breach response plan in place, and that you are familiar with it, will enable you to respond quickly to a data breach. By responding quickly, your NFP can minimise the risk of harm and substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

The Notifiable Data Breaches (NDB) scheme applies to all entities with personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.

If your NFP doesn’t have a data breach response plan, our Data breach preparation and response guide will help you in preparing for and responding to a data breach.

Other resources

Other privacy-related requirements outside the Privacy Act may apply depending on your organisation’s activities: