Skip to content
LegalVision

Data Protection for Charities: Best Practices

Avatar photo

By Kristine Biason
Practice Leader

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

Data protection for charities is an important topic. Charities collect the personal information of their donors, including names, addresses, credit card details and bank account numbers. They use this information to manage members, coordinate fundraising and process payments.

The mismanagement of data and personal information may not only be unlawful, but may reduce the charity’s reputation, and as a consequence, the support they receive from the public or private sector. This article will explain data protection for charities and how a charity can meet its obligations to safeguard the personal information of donors.

Establishing Data Protection Procedures

Charities need to establish good practices around how they collect, store and use personal information. First, the charity should ensure that they have data protection procedures in place to protect personal information. For example, by storing donor information in encrypted databases and keeping antivirus software up to date.

Secondly, the charity should write an organisation-wide privacy policy that outlines how the charity:

  • collects personal information;
  • secures personal information;
  • discloses personal information; and
  • allows donors to view, amend and remove their personal information.

Complying with Direct Marketing Obligations

As many charities raise money through direct marketing, they should consider any obligations imposed by their fundraising authority. Fundraising authorities differ from each state and territory so the charity should first look at any direct agreements they have with their relevant government regulator (for example, the Queensland Office of Fair Trading).

There are, however, general best practices that a charity can implement, including:

  • making people aware that the charity may use their personal information to undertake direct marketing; or
  • letting people request the removal of their personal information from direct marketing communications.
Continue reading this article below the form
Loading form

Sharing Donor Information

Occasionally charities can benefit from sharing their donor information. For example, by swapping information with another charity to expand their audience. However, there is a risk that the other charity will use the information inappropriately, or that people will not want their information shared.

Therefore, a charity should be careful to ensure it follows similar processes discussed above. For example, the charity should make donors aware of:

  • the potential for their information to be shared with other organisations;
  • the specific organisations that their information will be given to;
  • what type of information will be shared; and
  • the purpose for which their information will be shared.

More stringent obligations apply if the charity is sharing personal information with an overseas organisation.

Charities are also subject to legal obligations relating to relating to data protection and privacy. The three big ones are:

Legal Obligation Explanation
Fundraising licence If a charity undertakes fundraising activities, some states and territories will require the charity to obtain a licence. These licences may impose specific obligations about how the charity uses information obtained from fundraising.
Australian Charity and Not-For-Profit Commission (ACNC) The ACNC requires charities to comply with their governance standards. These include a general obligation to act honestly and fairly and within the interests of the charitable purposes. This obligation can extend to the charity’s collection, storage and use of personal or sensitive information and data.
Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles The charity will need to comply with the Privacy Act and Australian Privacy Principles if the charity sells or purchases personal information, provides health services or has an annual turnover of more than $3 million. If so, they will have additional obligations for and have processes in place to ensure personal information and data is protected.

Key Takeaways

Charities routinely collect and handle the personal information of their donors. Some of this information is highly sensitive, such as credit card and bank account details. To protect this information, charities need robust data protection and privacy policies.

If you require further advice on data protection for charities, our experienced charity lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Kristine Biason

Kristine Biason

Practice Leader | View profile

Kristine is a Practice Leader in LegalVision’s Commercial Contracts team. She drafts and negotiates commercial contracts, in particular, supply, distribution and manufacturing agreements used internationally. She also assists clients with their information technology agreements, often aiding clients on their business journey by determining the relevant agreements needed for their business, whether that be a SaaS agreement, reseller agreement or a managed services agreement. She has previously worked in the Franchising team and has provided clients with advice on setting up franchises and purchasing franchises.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Bachelor of Media, Macquarie University.

Read all articles by Kristine

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Do NFPs and Charities Need a Privacy Policy?

5 Key Steps to Assist With Your Privacy Compliance Obligations

What Constitutes Personal Information?

Demystifying Cross-Border Data Sharing: Your Client’s Privacy Obligations

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards