New OAIC Guidance On Privacy For Not-For-Profits

In October 2024, Australia’s OAIC released updated privacy guidance for charities and other not-for-profit organisations. 

This guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations. It also includes consideration when engaging third-party providers.

Guidance Key Points

Some of the key points highlighted in the Guidance include:

• good privacy practice can enable NFPs to build trust and maintain stronger relationships with the community and reduce the risk of harm to the entity, staff and supporters which may result from a data breach;
• organisations should only collect the personal information they need, store that information securely and delete the information when it is no  longer required;
• organisations should also take care when engaging third parties.

Why Comply With The APPs?

The Privacy Act may not apply to all NFPs (there is a $3m per annum revenue threshold for applicability) but the OAIC makes the case that complying with the Privacy Act and APPs in any case is good for all NFPs, their donors and people they support, and reduces risk of harm.

Risks identified by the OAIC as associated with poor privacy practices include:

• emotional and financial harm to clients, members, supporters, staff or volunteers through the misuse or unauthorised disclosure of personal information 
• reputational damage, which can jeopardise funding and public support
• regulatory action and penalties for breaching the Privacy Act (including mandatory data breach obligations), which may be made public.

Important Privacy Principles

The guidance focuses on:

• Developing a privacy policy
• Collection of personal information
• Using or disclosing personal information
• Security of information
• Retention and deletion of information
• Data breach preparation and response
• Considerations when engaging third parties

Developing a Privacy Policy

If you’re covered by the Privacy Act – you have to have a Privacy Policy, and even if you aren’t – it’s a good idea to have one.  Make sure it’s up to date and it covers all the things you need to. See APP 1 and the OAIC’s  Guide to developing an APP privacy policy for more information on what you need to include.

Collection of Personal Information

Organisations should only collect the personal information they need – and no more.  The Guidance specifically refers to maintaining a database of sponsors or donors and limiting the information held to that reasonably necessary to achieve this purpose.  Otherwise, you need consent.  And don’t forget to provide Notice of Collection – in addition to having a publicly available Privacy Policy.

Using or Disclosing Personal Information

Personal information should generally only be used or disclosed for the purpose for which it was collected (unless an exception applies).

If you want to use personal information you have collected for an unrelated purpose, such as sharing a list of donors with another NFP, you must obtain the individual’s consent to do so.

The Privacy Act places restrictions on using or disclosing personal information for direct marketing, such as fundraising, or to facilitate direct marketing by other organisations.

Although the Privacy Act does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (NCR Act) or the Spam Act 2003 – other direct marketing activities will be covered. 

As a matter of good practice, where NFPs  do fundraising, provide a simple means of opting out of future direct marketing communications, comply with any opt-out request and, if requested, tell a person where you got their personal information from

Retention and Deletion of Information

The Guideline reiterates that personal information must only be retained for as long as necessary. Indefinite retention of information is unlikely to be compliant with obligations under the APPs. 

If there is no requirement or justification for retaining the information, organisatons must take reasonable steps to destroy or de-identify the information.

Reasonable steps to ensure proper retention and destruction include:

• having policies and procedures that specify the maximum retention periods for different type of data (for example, recent and recurring donors, non-donating individuals who have supported other aspects of the NFP’s work, non-donors who had no other engagement with the NFP, and individuals who had made a full or partial do not contact (DNC) request).
• ensuring that processes for the retention and destruction of personal information are well known to all staff, and regular training and monitoring to ensure compliance is conducted.
• retaining clear records of the date of last engagement with a donor, including any DNC requests.
• consider implementing an alert system to notify staff when a significant time period has passed since the donor has made a donation or had any other engagement with the NFP.

Data Breach Preparation and Response

A data breach response plan is important for when things go wrong (and they will …). A plan supports quicker and more efficient response that can minimise the risk of harm and decrease the impact on affected individuals. It will also ensure any NFP meets it mandatory data breach reporting obligations under the Privacy Act.

Security of Information

The guidance reminds organisations of the need to take reasonable steps to secure personal information.  Steps might include:

• Staff awareness and training;
• Implementing software and network security measures;
• Implementing strong passwords;
• Using MFA;
• Not using shared accounts (like administration accounts);
• Strong access controls;
• Patching systems and enabling anti-virus protection.

Engaging Third Parties

When you engage a third party to fundraise for you, or you install new software, it is important to ensure that the third party, or third party software system is protecting personal information in line with all relevant privacy obligations. Things to consider include:

• Are there contractual provisions that properly limit the way personal information is collected, handled and stored by the third party;
• Does the vendor have the appropriate processes in place to protect your personal information;
• How are you going to monitor the vendor’s performance;
• What happens with your personal information at the end of the contract.

Other Resources

The OAIC guidance also points to other resources that might be helpful.  These include:

• The DNCR Act and Spam Act may apply if your NFP markets directly to the public and is not captured by an exemption under those Acts. For more information, visit the Australian Communications and Media Authority website.
• State and territory laws may apply to the information held by your NFP. For more information about state and territory privacy laws, see Privacy in your state.
• You should be aware of cyber security threats and measures that can be taken to protect your NFP against these threats. For more information, visit the Australian Cyber Security Centre website.
• For more information about other applicable requirements, see the Australian Charities and Not-for-profits Commission website.

Conclusion

The message from the OAIC is timely and important.

The Guidance is a really good starting point for any not for profit interested in ensuring they are compliant with relevant privacy obligations, even if a little high level.

Boiling it down, as the OAIC itself says in the guidance: when it comes to protecting personal information, there are 3 key things to keep in mind:

• Only collect personal information you need.
• Store that information securely.
• Delete the information when no longer required

Access the Guidance here.