New privacy guidance for not-for-profits issued by the OAIC

On 22 October 2024, the Office of the Australian Information Commissioner (OAIC) published updated guidance for charities and not-for-profit (NFP) organisations relating to compliance with the Australian Privacy Principles (APPs).

While the APPs themselves have not changed, updates to official guidance offer a fantastic opportunity for organisations to review their privacy policies and practices. We know that official guidance offers a valuable insight into the mind of the regulator – it tells us how the regulator interprets regulatory obligations, and what they expect from regulated entities. When you implement recommendations contained in official guidance, you are putting yourself on the same page as the OAIC – which can only be a good thing!

What are the updates?

This recent guidance update deals predominantly with considerations for engaging third-party providers, such as fundraising providers or software vendors.

When you engage a third party to fundraise for you, or you install new software, you need to take steps to be satisfied that the third party, or the third-party software system, is protecting personal information in line with all relevant privacy obligations. It can be dangerous to assume that other parties will be as privacy-minded as you are – such assumptions could result in data breaches and bad publicity for your organisation (even if it wasn’t technically your organisation that had the data breach).

In releasing the updated guidance, the OAIC noted the issue is “topical in the wake of high-profile data-breaches affecting charities and NFPs”. You may have seen recent news reports about a cybersecurity breach involving Pareto Phone and a number of Australian charities. According to reports, Pareto Phone was contracted by numerous Australian charities to conduct fundraising on their behalf and, as such, was provided with the personal information of thousands of donors. When Pareto Phone subsequently had a data breach, it was the donors whose personal information was published on the dark web. This kind of event can be devastating: not just to the individuals whose data has been compromised, but also to the charities, and the very deserving beneficiaries of charity efforts.

Charities and NFPs are right to be concerned about these privacy risks; and we are here to tell you that there are things you can do right now to help safeguard personal information held by your organisation. A great place to start is to familiarise yourself with the APPs, and the OAIC’s guidance on how to implement good privacy practices.

There’s a wealth of NFP-specific and general privacy guidance at the OAIC’s website. The APP guidance is a great place to start if you’re unsure about what the APPs are, and what they require.

Do I have to follow this guidance?

If you are a charity or NFP, the APPs may or may not apply to your organisation – there are a number of threshold requirements that determine who is (or is not) an ‘APP entity’ (i.e. an entity that must comply with the APPs). If you’re not sure whether the APPs apply to you, you can reach out to one of our privacy experts, who can provide you with tailored advice on this issue.

Regardless of whether or not you meet that threshold, it is just good practice to develop sound privacy practices, supported by thorough policies and staff training. It will also help you to build upon your relationship of trust with your members and donors, who will appreciate knowing you take their privacy seriously.

How we can help

If you are a charity or NFP looking to review, improve or develop your privacy compliance, we can help. We have dedicated privacy specialists who can work with you to design tailored policies, plans and procedures; train your staff; and help set you apart as a best-practice organisation, committed to the privacy of its valued community.

We can also draft tailored contracts for you to engage third parties in a way that aligns with and protects your commercial interests, while also prioritising the privacy of your members and donors.

Contact us

Please contact us for more detailed and tailored help.


Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.