Does My Charity Need to Comply With the Australian Privacy Principles (APPs)?

Data privacy is a growing concern for all types of organisations in Australia, including charities. Charities frequently collect personal information to fulfil their objectives and comply with regulatory obligations. Such personal information can come from multiple sources, including donors, volunteers and beneficiaries. It is essential that charities, whilst focused on creating positive change, also comply with their privacy obligations. This article will discuss whether a charity needs to comply with the Australian Privacy Principles (APPs) and key steps to ensure compliance. 

Understanding the Australian Privacy Principles 

The Australian Privacy Principles (APPs), enshrined in the Privacy Act 1988 (Cth), lay out a comprehensive framework for collecting, storing, and disclosing personal information. The 13 APPs form the basis for how Australian organisations handle personal data.

The APPs address key privacy aspects, such as:

  • open and transparent information management; 
  • individuals’ rights to access and correct their data; and 
  • the protection of sensitive information like health records.

Charities and APPs: The Applicability

Charities in Australia are subject to the same privacy laws as any other organisation. Whether or not the APPs apply to a charity depends on its size, revenue and activities. 

Charities with an annual turnover of less than $3 million are generally exempt from the Privacy Act. However, this exemption will not apply if the charity:

  • is a Commonwealth contracted service provider and provides services to or on behalf of any Commonwealth Government agencies;
  • provides a health service and holds health information about individuals;
  • sells or purchases personal information or trades it for a benefit; or
  • is a subsidiary or related body corporate of an organisation that has an annual turnover of $3 million or that is captured by any of the scenarios above.

A charity may also choose to ‘opt in’ to the Privacy Act and comply with the APPs voluntarily. This may be out of best practice, future expansion plans, or to increase community and stakeholder confidence and trust. 

Collection of Personal Information 

Charities collect and store a range of information during their ordinary operations. Information can come from:

  • donors;
  • volunteers; and 
  • beneficiaries. 

Some of the data collected might include names, contact details, financial information and information relating to the causes they support. It is essential to identify whether the information you collect is ‘personal information’ or ‘sensitive information’.

Under the Privacy Act, personal information includes a broad range of information, or an opinion, that could identify an individual. The Privacy Act has a range of obligations around collecting, using and disclosing personal information. For example, under APP 3, an organisation must only collect personal information if it is reasonably necessary for its functions. A charity should consider whether the information it collects, such as a donor’s or a volunteer’s email address, is actually necessary. 

Sensitive information is a subcategory of personal information. The law holds sensitive information to a higher level of privacy protection. Some examples of sensitive information include details about an individual’s racial/ethnic origin, health, religious beliefs or sexual orientation. 

Under APP 3, you can only collect sensitive information with express consent. A charity, especially in the health space, may regularly come across sensitive information, such as the blood type of a blood donor. 

Key Steps to Take 

If your charity needs to comply with the APPs, or if you are volunteering to do so, there are key steps to take.

  1. Conduct a privacy audit to assess your current privacy framework. Some considerations are:
    • what personal information your organisation is collecting;
    • how your organisation uses, discloses and stores personal information; and 
    • how you address complaints.
  2. Draft or update your privacy policy. Your privacy policy should comply with the APPs and accurately reflect your business’ current practices. It should cover the information you collect, why you collect it and how you disclose it. 
  3. Provide a privacy collection notice to individuals. You should provide notice as soon as, or as soon as reasonably practicable after, you collect their personal information. It should cover why you are collecting the information and how you will use and disclose it. 
  4. Draft an internal privacy manual. This should outline your internal procedures and steps being taken to comply with APP requirements. You can include, amongst other things:
    • how your organisation is collecting, using and disclosing personal information;
    • how you will deal with a privacy complaint; 
    • disclosure of information overseas; and 
    • names of key staff responsible for privacy compliance. 

Key Takeaways

Privacy compliance for charities is essential. It is a legal requirement and also demonstrates a commitment to ethical and responsible operations. Complying with the Australian Privacy Principles can build your charity’s rapport within the community. 

If you want to understand whether your organisation needs to comply with the APPs, our experienced charity lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Ushna Bashir

Senior Lawyer

With a deep understanding of commercial and regulatory landscapes, Ushna provides guidance to businesses across diverse industries. She drafts and negotiates a wide range of contracts, including in IT, ecommerce and professional services. She also has expertise in assisting businesses with managing their privacy and data obligations in compliance with Australian privacy laws.

Qualifications: Bachelor of Laws, Bachelor of Arts, Graduate Diploma of Legal Practice, University of Technology Sydney.
