Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

Privacy
  • On this page

Published:  
Last updated:  

If you run a not-for-profit (NFP) organisation, such as a charity, it is critical that you understand the importance of good privacy practice and the obligations that may apply to your NFP under the Privacy Act 1988.

Key points

  • NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
  • Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
  • It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
  • Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
  • Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
  • When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.

NFPs and the Privacy Act

NFPs may have obligations under the Privacy Act and Australian Privacy Principles (APPs) when collecting and handling personal information. This could include information collected in relation to employees and/or volunteers, a database of member or donor contact and financial details, or information collected in connection with the delivery of services to clients.

Whether your NFP is required to comply with the Privacy Act will depend on the type and scale of the organisation and the activities conducted.

The Privacy Act will apply to an NFP if its annual turnover is greater than $3 million. Annual turnover for the purposes of the Privacy Act includes all income from all sources. It does not include assets held, capital gains or proceeds of capital sales.

NFPs will also need to comply with the Privacy Act in certain other circumstances. For example, if they are:

  • a contracted service provider, including a subcontractor, for an Australian Government contract (for example, providing aged care or disability services under a contract with a Commonwealth agency. Check your contract for more information about your privacy obligations.)
  • an organisation that provides a health service even if the service is not the NFP’s primary activity (for example, where a club has a program to assist members with injuries or improve fitness or health)
  • a business that sells or purchases personal information or trades it for a benefit (for example, where a charity sells customer lists in exchange for sponsorship benefits or purchases customer lists)
  • related to a larger body corporate that is subject to the Privacy Act (for example, where the NFP is part of a global network and the parent organisation has an annual turnover of greater than $3 million).

Your NFP may also choose to opt in to be covered by the Privacy Act. NFPs opting in to be covered by the Privacy Act are making a public commitment to good privacy practice.

To see if your NFP needs to comply with the Privacy Act, complete our privacy checklist for small business, or seek advice from your industry association or lawyer.

The importance of good privacy practice for NFPs

Regardless of whether the Privacy Act applies, there are significant benefits that flow from good privacy practice. The applicability of the Privacy Act to a NFP may also change over time, particularly if the NFP grows or changes its services.

Strong privacy protections can enable better services and stronger relationships between NFPs and the community. When the public is confident that your NFP will collect and handle their personal information appropriately, they are more likely to engage with your organisation. This is particularly important where your NFP relies on sustained support from donors, members or volunteers.

Conversely, there are a number of risks associated with privacy practices that do not meet community expectations. These risks include:

  • emotional and financial harm to clients, members, supporters, staff or volunteers through the misuse or unauthorised disclosure of personal information, which may include sensitive information
  • reputational damage, which can jeopardise funding and public support
  • regulatory action and penalties for breaching the Privacy Act (including mandatory data breach obligations), which may be made public.

Practising ‘privacy by design’ is the best way to ‘future proof’ yourself from additional costs and redevelopment work. This means building the management of privacy risks into your NFP’s systems and processes from the beginning, rather than at the end.

Completing a privacy impact assessment will help you to understand the impact that your NFP’s practices might have on the privacy of individuals and identify ways to manage, minimise or eliminate those impacts.

For more information, see our Guide to undertaking privacy impact assessments and our Undertaking a privacy impact assessment e‑learning course.

Obligations under the APPs

Privacy obligations mean being transparent about how your NFP handles personal information, and giving individuals confidence that their information will be managed securely and appropriately.

The 13 APPs in the Privacy Act set out the minimum expectations of the community in relation to how you handle their personal information and/or sensitive information. If your NFP is covered by the Privacy Act, the APPs are legally binding.

‘Personal information’ is any information or an opinion about an individual who can be reasonably identified from that information or opinion, such as a person’s name, date of birth and phone number.

'Sensitive information' is a subset of personal information and includes health information and information about an individual’s political opinions and religious or philosophical beliefs. The Privacy Act generally affords a higher level of privacy protection to sensitive information than to other personal information.

The standards in the APPs are generally framed as requiring organisations to do what is ‘reasonable’ in the circumstances. This means they are flexible and can be tailored to your NFP’s business model and activities.

When it comes to protecting personal information, there are 3 key things to keep in mind:

  • Only collect personal information you need.
  • Store that information securely.
  • Delete the information when no longer required.

Developing a privacy policy

If your NFP is covered by the Privacy Act you must have a privacy policy. This is a statement that explains in simple language how your organisation handles personal information.

A privacy policy is a key tool for ensuring that your organisation manages personal information in an open and transparent way.

For more information, see our Guide to developing an APP privacy policy.

Collection of personal information

You should ensure your NFP only collects personal information that you need. Do not collect personal information just because it may become necessary or useful at a later date. Your NFP should generally also only collect information directly from the individual.

When collecting sensitive information, your NFP must get the person’s consent, unless an exception applies.

If you maintain a database of supporters or donors, it is important to ensure the collection of personal information, including sensitive information, should always be limited to the minimum information reasonably necessary to achieve this purpose.

Data minimisation is an important concept that can help reduce privacy and security risks. For example, holding large amounts of personal information may increase the risk of unauthorised access by internal or external sources and could increase the risk of harm to an individual in the event of a data breach.

Make sure you provide privacy notices to individuals when you collect personal information and that you handle their personal information in the way you say you will.

For more information see the chapters of our APP guidelines on collection and notification of the collection of personal information.

Using or disclosing information

Generally, your NFP should only use or disclose personal information for the primary purpose for which it was collected. However, there are exceptions that allow for it to be used or disclosed for another purpose. These exceptions include where:

  • the individual has consented to the use or disclosure
  • the individual would reasonably expect the use or disclosure and the other purpose relates (or for sensitive information, directly relates) to the primary purpose of collection. In this scenario, your NFP should only use or disclose the minimum amount of personal information sufficient for the other purpose
  • the use or disclosure is required or authorised by law.

If you want to use personal information you have collected for an unrelated purpose, such as sharing a list of donors with another NFP, you must obtain the individual’s consent to do so.

The Privacy Act places restrictions on using or disclosing personal information for direct marketing, such as fundraising, or to facilitate direct marketing by other organisations.

Where you do engage in fundraising, you should provide a simple means of opting out of future direct marketing communications, comply with any opt-out request and, if requested, tell a person where you got their personal information from.

The Privacy Act does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (NCR Act) or the Spam Act 2003.

For more information see the chapters of our APP guidelines on use or disclosure of personal information and direct marketing.

Security of information

Your NFP should take reasonable steps to protect the personal information you hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Make sure you understand what personal information your NFP holds and in what locations. It is important to consider the potential physical and digital threats to the security of the personal information you hold and take steps to mitigate these threats. For example:

  • ensuring your staff are aware of their privacy and security obligations and the importance of good information handling and security practices
  • implementing effective software and network security measures to ensure that all of your systems are secure and provide a safe environment for your employees to carry out their work, and for your clients, donors, members and supporters to interact with your NFP
  • implementing strong password protection strategies, including using password managers and passphrases, avoiding reusing the same password on multiple accounts, and raising staff awareness about the importance of protecting credentials. These strategies can help to reduce the risk of cyber attacks that may result from poor password behaviours
  • using multi-factor authentication (MFA) wherever possible, including at minimum for your most important accounts (such as email, document storage and banking), all remote access to business systems and for all users when they perform a privileged action or access an important data repository
  • avoiding using shared accounts. If they are unavoidable, ensure that you maintain a list of the shared accounts used in your NFP, record which staff have access and use MFA where possible
  • developing strong access controls so that staff can only access what they need to perform their duties
  • keeping operating systems, browsers and plugins up-to-date with patches and fixes and enabling anti-virus protections to help guard against malware that steals credentials.

Make sure your staff and volunteers are familiar with and follow your policies on information security, including ICT security, physical security and access security.

See our Guide to securing personal information for further guidance on personal information security practices. The ACSC has also produced guidance on Cyber security for charities and not-for-profits.

Retention and deletion of information

NFPs have a unique need to handle and retain donor information, which can be integral to the sustainability of many organisations. It is important, however, that personal information is only retained as long as it is needed. The indefinite retention of information is unlikely to be compliant with your obligations under the APPs. If there is no requirement or justification for retaining the information, you must take reasonable steps to destroy or de-identify the information.

Retaining more personal information than you need will create privacy risks for your NFP, staff and supporters. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.  In particular, you should not retain personal information, for example the information of people who were supporters or donors a long time ago, simply because it may be useful to your NFP in the future. Your NFP should only retain personal information where there is an ongoing need to hold this information, such as where you have continuing engagement with these supporters for awareness-raising or volunteering purposes.

Reasonable steps that NFPs could  put in place to ensure compliance with their retention and destruction obligations include:

  • having policies and procedures that specify the maximum retention periods for each type of supporter data (for example, in relation to recent and recurring donors, non-donating individuals who have supported other aspects of the NFP’s work, non-donors who had no other engagement with the NFP, and individuals who had made a full or partial do not contact (DNC) request).
  • ensuring that processes  for the retention and destruction of personal information are well known to all staff, and conduct regular training and monitoring to ensure compliance.
  • retaining clear records of the date of last engagement with a donor, including any DNC requests, and consider implementing an alert system to notify staff when a significant time period has passed since the donor has made a donation or had any other engagement with the NFP.

See our Guide to securing personal information for detailed guidance on how to securely destroy personal information.

Data breach preparation and response

A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person.

Data breaches can cause significant harm in multiple ways. Individuals whose personal information is involved in a data breach, such as clients, donors, volunteers or staff of your NFP, may be at risk of serious harm, whether that is harm to their physical or mental wellbeing, financial loss or damage to their reputation. A data breach can also negatively impact an organisation’s reputation for privacy protection and damage community trust in your NFP.

Part of good privacy practice means being prepared for if things go wrong, by having a data breach response plan. Ensuring your NFP has a data breach response plan in place and that you are familiar with it, will enable you to respond quickly to a data breach. By responding quickly, your NFP can minimise the risk of harm and substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

The Notifiable Data Breaches (NDB) scheme applies to all entities with personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.

If your NFP doesn’t have a data breach response plan, our Data breach preparation and response guide will help you in preparing for and responding to a data breach.

Considerations when engaging third parties

If your NFP is using the services or products of a third party, such as a fundraising agency or software vendor, you should take reasonable steps to ensure that the third party is complying with its privacy obligations in handling and protecting personal information and that its privacy policies and practices meet the expectations of both your NFP and the wider community. A data breach affecting a third party has the potential to cause harm to your NFP, staff and supporters and undermine the public’s trust in you.

What is reasonable will depend on circumstances including the size, resources and complexity of your NFP as well as the amount and sensitivity of the personal information involved.

You could consider the following measures to promote good privacy practice when engaging external vendors:

  • Before entering into a contract with a third party, review the terms of the agreement to:
    • understand how personal information is collected, handled and stored
    • make sure you know how the vendor is allowed to use and disclose personal information (including to subcontractors), how the information will be kept secure and how long it can be retained, as well as how it will be provided back to you and deleted by the third party at the end of the contract term
    • check that the contract is clear that your consent is required for the vendor to vary any terms.
  • Make sure you are satisfied the vendor has appropriate processes in place to protect personal information and comply with any obligations it has under the Privacy Act. You could consider:
    • requesting relevant documentation, such as the vendor’s privacy policy, information security policy and data breach response plan
    • carrying out a quick search for any past security incidents associated with the product or service.
  • Once you have a contract in place:
    • conduct periodic reviews of the arrangements
    • keep detailed records of your arrangements with the third party to maintain an audit trail and ensure you know what personal information the party holds on your behalf
    • have processes in place to address any non-compliance.
  • At the end of the contract, ask the party to confirm that they have deleted any personal information in accordance with the contract terms.

Other resources

Other privacy-related requirements outside the Privacy Act may apply depending on your organisation’s activities: