Emily McPhee
Assistant Director, Health and Government

The OAIC has updated its guidance for not-for-profits (NFPs), including charities, on managing people’s information and data, helping entities better understand their obligations under the Privacy Act 1988.

This is particularly topical in the wake of recent high-profile data breaches affecting charities and NFPs, such as the cybersecurity breach involving Pareto Phone, a telemarketing provider that held donor data on behalf of a number of Australian charities. That incident is a reminder that an NFP's exposure includes personal information held by its third-party service providers, not only the data on its own systems.

The updated guidance outlines key obligations for NFPs when collecting and handling personal information, highlighting the benefits of strong compliance and retention practices.

The benefits of good privacy practice

The guidance draws out the importance of good privacy practice for NFPs and simplifies what can appear to be a very technical area of compliance by providing practical examples of what best practice looks like.

Ensuring that your data governance practices are sound is one of the most important things you can do to bolster your cybersecurity overall. Good data governance will set you up for compliance with the Privacy Act and, more generally, is simply good corporate behaviour.

It can sometimes be difficult for NFPs to embrace this issue, not least because resourcing legal and technical expertise is always a challenge. However, the effort you put into ensuring good data governance will pay dividends: it minimises the risks your organisation faces from events such as data breaches, and it builds trusted relationships, including with donors, which is often key to your sustainability as an organisation.

Increasingly we see that for consumers and citizens, good privacy practice is a key factor that influences how they relate to and view a business, a corporate entity or an NFP, and they want to see you handling their information in respectful and ethical ways. Investing in those practices as an organisation will assist in building and fostering trust.

While many NFPs are not yet captured by the Privacy Act because of the small business exemption (which currently applies to most organisations with an annual turnover of $3 million or less), trying to understand and embrace the principles which underpin it is a matter of good data governance, and good donor management as well.

It is also likely that the Privacy Act will be amended in the coming months and years, including by removing the current exemptions for small businesses. This will mean that many more entities will come within the purview of the Act and, for those organisations not accustomed to complying with Privacy Act obligations, this will require some uplift. The Office of the Australian Information Commissioner (OAIC), as the regulator of the Commonwealth Privacy Act, is committed to supporting NFPs and other organisations in that uplift process.

Retention

A key area of focus for the OAIC recently has been the retention of personal information. This is an area that can be tricky for NFPs, particularly when it comes to donor information, because there are understandably many strategies at play to re-enliven relationships with lapsed donors or to re-approach people around particular appeals. We are aware that this is important to the sustainability of NFPs.

However, the practice of retaining personal information, including of donors, can create real risks, both for your organisation when it comes to cyber security threats, and to the people whose information you hold. The indefinite retention of personal information is simply not justifiable from a good privacy practice perspective.

The guidance provides specific and actionable examples of steps that NFPs can put in place to ensure compliance with their retention and destruction obligations, including:

  • having policies and procedures that specify the maximum retention periods for each type of supporter data (for example, in relation to recent and recurring donors; non-donating individuals who have supported other aspects of the NFP’s work; non-donors who have had no other engagement with the NFP; and individuals who have made a full or partial do not contact (DNC) request).
  • ensuring that processes for the retention and destruction of personal information are well known to all staff, and conducting regular training and monitoring to ensure compliance.
  • retaining clear records of the date of last engagement with a donor, including any DNC requests, and considering use of an alert system to notify staff when a significant time period has passed since the donor last made a donation or had any other engagement with the NFP.
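The three steps above (a retention schedule per supporter category, a recorded date of last engagement, and an alert before the deadline) can be mechanised as a periodic sweep over the supporter database. The following is an added example written for this article, not code from the OAIC or ACNC guidance. The category names, the retention periods in RETENTION_DAYS, the 90-day alert window and the sample supporter records are all assumptions for illustration; an NFP must set its own periods in its retention policy, and must decide with legal advice whether a minimal suppression record needs to survive destruction for people who made a DNC request.

```python
"""Retention sweep over supporter records (constructed example).

Assumptions, not from the OAIC guidance: the categories, retention periods
and alert window below are illustrative placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maximum retention per supporter category, counted from the
# date of last engagement. Replace with the periods in your own policy.
RETENTION_DAYS = {
    "recurring_donor": 7 * 365,
    "lapsed_donor": 3 * 365,
    "non_donating_supporter": 2 * 365,
    "no_engagement": 1 * 365,
    "dnc": 5 * 365,  # overrides the category when a DNC request is on file
}
# Assumed: alert staff this many days before the deadline so they can act.
ALERT_WINDOW_DAYS = 90


@dataclass(frozen=True)
class Supporter:
    supporter_id: str
    category: str          # one of the RETENTION_DAYS keys other than "dnc"
    last_engagement: date  # last donation, contact or DNC request
    dnc: bool = False      # full or partial do-not-contact request on file


def retention_deadline(s: Supporter) -> date:
    """Date after which the record must be destroyed or de-identified."""
    key = "dnc" if s.dnc else s.category
    return s.last_engagement + timedelta(days=RETENTION_DAYS[key])


def classify(s: Supporter, today: date) -> str:
    """'destroy' past the deadline, 'alert' inside the warning window, else 'retain'."""
    deadline = retention_deadline(s)
    if today > deadline:
        return "destroy"
    if today >= deadline - timedelta(days=ALERT_WINDOW_DAYS):
        return "alert"
    return "retain"


def sweep(records: list[Supporter], today: date) -> dict[str, list[str]]:
    """Group supporter IDs by the action the retention policy requires today."""
    out: dict[str, list[str]] = {"retain": [], "alert": [], "destroy": []}
    for s in records:
        out[classify(s, today)].append(s.supporter_id)
    return out


# Constructed sample records; dates chosen to exercise every outcome.
SAMPLE = [
    Supporter("S001", "recurring_donor", date(2024, 6, 1)),
    Supporter("S002", "lapsed_donor", date(2021, 3, 15)),
    Supporter("S003", "non_donating_supporter", date(2022, 11, 15)),
    Supporter("S004", "no_engagement", date(2023, 6, 1)),
    Supporter("S005", "lapsed_donor", date(2019, 1, 10), dnc=True),
]

if __name__ == "__main__":
    today = date(2024, 10, 1)
    for action, ids in sweep(SAMPLE, today).items():
        print(f"{action}: {ids}")
```

Run the sweep on a schedule and route the "alert" list to the staff who own donor relationships and the "destroy" list to whoever executes secure deletion, keeping a log of what was destroyed and when; that log, not the personal information itself, is what you retain as evidence of compliance.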

Increasing data breach risks

The OAIC administers the Notifiable Data Breaches scheme, which requires an organisation that suffers a data breach likely to result in serious harm to individuals to notify both the regulator and the affected individuals.

In 2023-24 we saw 1012 data breach notifications come through to our office, which represented a 13% increase on the year prior. That is in keeping with the trend that there are increasing cyber risks to organisations across the economy. In our statistical reporting we can see that 67% of those data breaches are attributable to malicious or criminal attack.

The threats and risks are therefore very present, for organisations everywhere. The most important takeaway from this is that you can’t lose information you don’t hold, and you can’t have data stolen that you don’t hold. Focussing on retention will therefore minimise the risks that NFPs face.

For more information, please see the OAIC’s guidance for NFPs including charities and the Australian Charities and Not-for-profits Commission’s updated guidance on managing people’s information and data.