Understanding data protection and privacy laws is crucial for board members of a charity. Knowing these rules and safeguarding personal information benefits you, as it builds trust with the community and regulators. When your charity can show that it prioritises compliance, this is likely to inspire support from donors and volunteers. In particular, a charity should be compliant in its collection and use of information. This article explores the key issues of data protection and privacy laws in your charity.
What Does Data Privacy Cover?
Data privacy involves protecting individuals from unwarranted intrusions on their autonomy. For you, as a charity owner, privacy is an essential consideration because of the personal information you hold about your:
- clients;
- donors;
- members; and
- staff.
For example, charities often collect information for promotional purposes, such as:
- names,
- signatures,
- contact details,
- financial details from members and donors and
- photographs to document events.
Sharing this information without consent could lead to legal consequences, as you are obligated to safeguard personal data.
Which Charities Are Included?
In general, the Privacy Act applies to your charity if its annual turnover exceeds $3 million. Annual turnover includes income from all sources, excluding:
- assets held;
- capital gains; or
- proceeds of capital sales.
Charities will also need to adhere to privacy laws if they are:
- a contracted service provider for an Australian Government contract;
- providing health services (even if it is not their primary activity); or
- trading personal information for benefits
- related to a larger corporation that is subject to privacy law.
A charity can opt into the Australian Privacy Principles (APPs) in the Privacy Act as a show of good faith and to improve its reputation.
Continue reading this article below the formWhat Are Your Responsibilities?
A charity is responsible for taking reasonable steps to protect personal information. While there are 13 APPs, six of these are worth noting:
- Your organisation must have a privacy policy and take reasonable steps to deal with personal information in an open and transparent way (APP 1)
- You must only collect personal information that is reasonably necessary for the charity’s activities (APP 3)
- You must not disclose personal information except with individual consent (APP6). There are exceptions, such as when another law authorises disclosure.
- You must protect personal information with reasonable security safeguards against loss or misuse (APP 11)
- Ensure personal information is up-to-date (APP 10) and allow individuals to correct their personal information (APP 13)
Tips to Reduce Legal Risk
To lower your risk of breaching data protection laws, you can take practical steps. These steps are not necessarily costly to put into practice.
The first step is simple: always get consent before collecting or using personal information. When it comes to sensitive data, individuals should expressly and clearly give consent. To reduce risk, it is important that:
- people are well-informed before giving consent;
- consent is given willingly; and
- individuals have the ability to understand and communicate their consent.
Moreover, the consent you receive should be current and specific, not outdated and unclear. For instance, if there’s an ongoing agreement for using personal data, make sure to renew it at reasonable intervals.
Imagine that you work at a charity and someone from the media contacts you to enquire about a celebrity member of your organisation. Should you share personal information? No, because that would violate purpose and disclosure restrictions. You should only use information for its intended purpose unless there is a valid exception. Sharing information with the media breaches privacy.
Another crucial step is to conduct regular staff training on data protection and privacy responsibilities. This training will help your team apply these practices in their daily work. For best results, consider using videos, modules, and quizzes to reinforce their understanding.
Thirdly, it is essential to have a privacy management and data breach response plan in place. Developing such a plan is often most effective when done with the guidance of a legal professional.
Breach Consequences
When you breach data protection and privacy obligations, it can have significant consequences, both for individuals and entities. Apart from legal consequences, the adverse impact can lead to a substantial loss of income.
If you breach privacy laws, a court could make you pay civil penalties. The Australian Information Commissioner has the authority to request the Federal Court or Federal Circuit Court to order your company to pay fines to the Australian Government if you are found guilty of breaking penalty provisions. The penalties for serious or repeated privacy breaches are substantial and could amount to millions of dollars, depending on the situation.

The Australian Government is changing the law to protect consumer privacy after a series of high-profile data breaches and to bring the law into line with the safer and more protective laws in other regions. This fact sheet outlines what is expected in 2024.
Key Takeaways
In a non-profit charitable setting, compliance with data protection laws is essential to maintain trust. An ethical approach involves ensuring that you use personal information for the purpose for which you collect it and that information is adequately secured. You should train your staff to respect privacy in their everyday activities. Remember, data integrity is a commitment to the well-being of those you serve.
If you have any questions about data protection and privacy laws, our experienced charity lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
We appreciate your feedback – your submission has been successfully received.