Data privacy is a growing concern for all types of organisations in Australia, including charities. Charities frequently collect personal information to fulfil their objectives and comply with regulatory obligations. Such personal information can come from multiple sources, including donors, volunteers and beneficiaries. It is essential that charities, whilst focused on creating positive change, also comply with their privacy obligations. This article will discuss whether a charity needs to comply with the Australian Privacy Principles (APPs) and key steps to ensure compliance.

Understanding the Australian Privacy Principles
The Australian Privacy Principles (APPs), enshrined in the Privacy Act 1988 (Cth), lay out a comprehensive framework for collecting, storing, and disclosing personal information. The 13 APPs form the basis for how Australian organisations handle personal data.
The APPs address key privacy aspects, such as:
- open and transparent information management;
- individuals’ rights to access and correct their data; and
- the protection of sensitive information like health records.
Charities and APPs: The Applicability
Charities in Australia are subject to the same privacy laws as any other organisation. Whether or not the APPs apply to a charity depends on its size, revenue and activities.
A charity may also choose to ‘opt in’ to the Privacy Act and comply with the APPs voluntarily. This may be out of best practice, future expansion plans, or to increase community and stakeholder confidence and trust.
Collection of Personal Information
Charities collect and store a range of information during their ordinary operations. Information can come from:
- donors;
- volunteers; and
- beneficiaries.
Under the Privacy Act, personal information includes a broad range of information, or an opinion, that could identify an individual. The Privacy Act has a range of obligations around collecting, using and disclosing personal information. For example, under APP 3, an organisation must only collect personal information if it is reasonably necessary for its functions. A charity should consider whether the information it collects, such as a donor’s or a volunteer’s email address, is actually necessary.
Sensitive information is a subcategory of personal information. The law holds sensitive information to a higher level of privacy protection. Some examples of sensitive information include details about an individual’s racial/ethnic origin, health, religious beliefs or sexual orientation.
Under APP 3, you can only collect sensitive information with express consent. A charity, especially in the health space, may regularly come across sensitive information, such as the blood type of a blood donor.
Key Steps to Take
If your charity needs to comply with the APPs, or if you are volunteering to do so, there are key steps to take.
- Conduct a privacy audit to assess your current privacy framework. Some considerations are:
  - what personal information your organisation is collecting;
  - how your organisation uses, discloses and stores personal information; and
  - how you address complaints.
- Draft or update your privacy policy. Your privacy policy should comply with the APPs and accurately reflect your business’ current practices. It should cover the information you collect, why you collect it and how you disclose it.
- Provide a privacy collection notice to individuals. You should provide notice as soon as, or as soon as reasonably practicable after, you collect their personal information. It should cover why you are collecting the information and how you will use and disclose it.
- Draft an internal privacy manual. This should outline your internal procedures and steps being taken to comply with APP requirements. You can include, amongst other things:
  - how your organisation is collecting, using and disclosing personal information;
  - how you will deal with a privacy complaint;
  - disclosure of information overseas; and
  - names of key staff responsible for privacy compliance.
Key Takeaways
Privacy compliance for charities is essential. It is a legal requirement and also demonstrates a commitment to ethical and responsible operations. Complying with the Australian Privacy Principles can build your charity’s rapport within the community.
If you want to understand whether your organisation needs to comply with the APPs, our experienced charity lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.