Carly Kind
Privacy Commissioner
We’ve become accustomed to hearing and reading about the importance of protecting children’s privacy, especially online.
Less discussed, however, is the data privacy of older generations, who are participating in the digital economy even more precariously. They may be equipped with smartphones and Facebook accounts, but are often less digitally savvy than their children or grandchildren. As a result, older people face significant risks in seeking to protect or control their personal information, especially when their data may be even more valuable to certain organisations. This is particularly the case when it comes to the world of charitable donations and inheritances.
Australia’s baby boomers are soon to reach their 80s and, having – generally speaking – accumulated much in the way of wealth and property during their lives, are set to make an estimated $3.5 trillion in gifts and inheritance in the next 20 years.
A deserving recipient of a portion of that wealth will hopefully be the charitable sector. Aging Australians lag behind their international peers in making charitable donations in their wills – only 1% of wealth transfer in Australia currently goes to charities – but this is a situation many in the charitable sector hope to change.
However, this well-intentioned hope may be driving practices that put Australians’ privacy at real risk.
Charities, eager to engage donors, are in some cases keeping the personal information of contributors for much longer than is sensible. Based on some cases that have come before the OAIC, a single donation to some charities or fundraisers can lead to your personal information being kept indefinitely, long past when you stop engaging with the charity’s emails, and even after submitting a ‘do not contact’ request.
Charities, many of which are under-supported when it comes to investment in IT systems and data security, are handling excessive amounts of personal information long past the point where it could be deemed necessary. That fails not only the “sensible” test but also, for those charities subject to the Privacy Act – any charity with an annual turnover of more than $3 million – the test of lawfulness.
Having worked in the non-profit sector for much of my professional life, I am sympathetic to the challenging position in which charities are placed. Many run on a shoestring, staffed by committed staff who prioritise spending on beneficiaries and programs rather than operational infrastructure. Their ability to fundraise is a matter of sustainability, and any possibility to raise funds is vigorously pursued.
Nevertheless, good privacy practices are not only important from a legal and ethical perspective, but may also be critical to developing donor relationships. Our research demonstrates that 96% of Australians say that the privacy of their information is important when choosing a product or service. Older Australians are even more concerned about privacy than their younger counterparts. The transfer of wealth from Australia’s elders to charities is likely to occur in the context of a relationship of trust and transparency.
After all, the potential blowback of poor privacy practices is not only a further entrenchment of Australians’ loss of control over their personal information, but also a pronounced risk to the security and safety of that information.
It is not possible for an entity to lose data that it doesn’t have. Yet with each new data breach that my office investigates, we consistently see that regulated entities are holding onto data without a relevant business need. This practice is by no means confined to charities and non-profits either. Practices around destroying or de-identifying personal information are inconsistent, and in some cases worrying, across corporate Australia.
The risk for charities of holding onto data they no longer need is exemplified in the experience of Oxfam, which in 2021 was subject to a cyber attack that resulted in a loss of up to 1.7 million Oxfam records pertaining to the personal information of donors and supporters. Today we have published an Enforceable Undertaking (EU) offered by Oxfam in response to our concerns about practices that contributed to the data breach and its effects.
A key takeaway from the EU for regulated entities is the need to scrutinise whether requirements to destroy or de-identify data are being adhered to. In the EU, Oxfam undertakes to destroy or de-identify the personal information of donors where they haven’t donated or engaged for more than 7 years. This establishes a baseline against which charities can assess their own data retention policies, and acts as a clear threshold beyond which compliance with the Privacy Act will be called into question.
In accepting the EU from Oxfam I was conscious of the impressive work that Oxfam has done to overhaul its security systems and processes already since the regrettable breach. I am hopeful that Oxfam’s experience will be instructive for all charities seeking to demonstrate good privacy practices, whether they’re subject to the Privacy Act or not.
Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.