Data security is an increasing issue for Australians today. In a world where individuals increasingly need to share their sensitive personal information with various organisations, many worry that their privacy will suffer. These concerns include the data they give to charities and not-for-profits (NFP) given that such bodies often hold financial information like credit card details. For charities and NFPs to realise their goals then, they need to respond to such concerns. If you run an NFP or charity and need information about how a privacy policy can benefit you, this article discusses why you need one, when you need one and what it should say.

Why Do I Need a Privacy Policy?

Your charity and NFP may need a privacy policy to comply with their legal obligations under the Privacy Act 1988 (Cth) (the Act). Schedule 1 of the Act contains the Australian Privacy Principles (APP). These regulate how businesses, government agencies and organisations handle, use and manage personal information.

Principle 1 seeks to safeguard the open and transparent use of data. APP entities need to take all reasonable steps to implement internal practices such that an organisation complies with the APP and can deal with customer complaints and questions about their compliance with them.

Principle 1.3 requires that all APP entities have a comprehensive, accessible and up to date privacy policy concerning how they manage personal information. As Schedule 1 of the Act (containing the APP) amended the Act itself, the APP are Australian law.

When Do I Need a Privacy Policy?

Your charity or NFP requires a privacy policy if it meets the definition of an APP entity in the Act.

Under the Act, an APP entity is either an agency or organisation.

An agency is a government department or other public position including (among others) ministers, the Australian Federal Police and federal courts.

The Act defines an organisation as:

  • An individual;
  • Body corporate;
  • Partnership;
  • Any other unincorporated association; or
  • Trust.

Unless that organisation is a:

  • Small business operator;
  • Registered political party;
  • A state or territory authority, agency, or a prescribed instrumentality of a state or territory.

A small business operator is an individual, body corporate, partnership, unincorporated association or trust who carries on one or more small businesses with an annual turnover of $3,000,000 or less in the preceding financial year.

In short, the Act requires your charity or NFP to have a privacy policy if your business structure makes you an organisation and your annual turnover exceeds $3,000,000. Note that the Act refers to turnover rather than profit.

However, your charity or NFP should seriously think about having a privacy policy even if you do not need one legally. Many people like to know how a business handles their data, especially if they are giving them financial details.

What Should Your Policy Say?

Your privacy policy needs to tell people how your charity or NFP manages, protects and safeguards its data. Be sure to inform people how you identify possible risks to your information and what you do with the information you no longer need.

Let people know that they can access their data and how to do so. Also, outline your procedures for handling questions and complaints about the handling of personal information.

You might also discuss how you safeguard the quality of your information and your systems vis-à-vis independent contractors who may have access to data.

When you draft your policy, concentrate on the structure as well as the content. Headings can help orient customers. Simple language is best because your policy is then easy to read and understand. If you need to summarise, do so unless it affects the quality of your policy.

Providing a link to the APP (if applicable) is an excellent idea as is giving clear contact details if customers wish to make an inquiry or complaint.

The Office of the Australian Information Commissioner has produced a guide to drafting a legally comprehensive privacy policy. It is available online at no charge and is easy to follow and understand.

However, think carefully about obtaining professional legal assistance to draft your policy. While it may involve cost, it will ensure that it meets any and all of your legal obligations.  You can focus on your work in the community.

***

If you have any questions concerning policy policies or need help to draft one, contact LegalVision’s qualified lawyers to assist you. Call us on 1300 544 755.

Carole Hemingway

Ask Carole a Question

If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.