Updated privacy guidance for not-for-profits has been released by the Office of the Australian Information Commissioner (OAIC).
The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.
In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.
Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.
“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust.”
“The sector has a very important role in the community, and that role is underpinned by the support it receives from donors, volunteers, and people who engage with the sector as clients and staff.”
“We also know that the sector wants to do the right thing when it comes to privacy. Our guidelines are intended to help charities and other not-for-profit organisations do just that.”
“One important area we have highlighted in the new guidance is that personal information should only be retained as long as it is needed. We understand the desire to retain donor information, but it should not be retained indefinitely.”
“Have policies and procedures that specify the maximum retention periods for each type of supporter data, and ensure that staff know and understand processes for the retention and destruction of personal information.”
“Retaining more personal information than you need creates privacy risks for your organisation, staff and supporters.”
“If you are using a third-party provider, whether that is for fundraising, or a software vendor or other provider, make sure their privacy practices meet the expectations of both your organisation and the wider community.”
“I would urge all charities and other NFPs to read our updated guidance and consider their practices against it.”
“Even if your organisation does not meet the current financial threshold for being covered by the Privacy Act ($3 million), and does not provide a health service – which also brings you under the Privacy Act – you should still be looking to apply best practice when it comes to privacy.”
“Good data and privacy governance is relevant not only for meeting the Australian Charities and Not-for-profits Commission’s Governance Standards for charities, but meeting the expectations of your supporters, and the community.”
Read the Privacy for not-for-profits, including charities guidance.
Key privacy points for NFPs
- NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
- Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
- It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
- Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
- Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
- When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.