Summary
- Not-for-profit organisations (NFPs) using client management systems (CRMs) must comply with Australian Privacy Principles, including obtaining consent before using personal data in AI tools and disclosing overseas data storage in their privacy policy.
- Charities registered with the ACNC must meet governance standards, and NFPs handling donations must comply with state-based fundraising regulations, including financial reporting obligations.
- Internal policies, such as a privacy policy, data breach response plan, and complaints handling policy, are essential for managing the legal risks of using a CRM.
- This article explains the legal obligations for Australian NFPs using client management systems, covering privacy, governance, and fundraising compliance.
- This article is written by LegalVision, a commercial law firm that specialises in advising clients on not-for-profit law.
Tips for Businesses
Check that your CRM provider has a data processing agreement in place. Restrict volunteer access to only what their role requires. If using AI features, obtain express consent before processing personal data. Maintain internal policies covering privacy, data retention, and complaint handling.
Client management systems (CRMs) help not-for-profit organisations (NFPs) organise donor, volunteer, and member data in one place. Using them comes with real legal obligations around privacy, governance, and fundraising compliance. This article explains the legal obligations for Australian NFPs using client management systems, covering privacy, governance, and fundraising compliance.
Understanding Client Management Systems
You can use client management systems to centralise information about your donors, volunteers, members, and other stakeholders, such as:
- contact information, relationship history, engagement preferences;
- information relating to volunteer training and community programs;
- internal notes;
- registration for events;
- member surveys; and
- financial records, including donation history.
Your NFP can also use them in connection with the particular goods or services it offers.
Privacy
When choosing a client management system, you should check that it has appropriate data security protections to avoid any unlawful disclosures of personal information you may hold. You should also ensure that anyone using your client management system receives privacy and data security training, understands their obligations, and is covered by appropriate agreements addressing confidentiality and data handling. If you are an APP entity and experience a data breach likely to cause substantial harm to the affected individual, you must notify the Office of the Australian Information Commissioner within 30 days.
If you are storing data overseas through your client management system, you will need to clearly disclose this in your privacy policy and ensure that the overseas client management system provider complies with Australian privacy laws.
AI and Automated Decision Making
There are additional privacy implications to consider if your client management system allows you to use AI.
Under privacy law, you can only use personal information for the primary purpose for which it was collected or for a secondary purpose that the individual either consents to or would reasonably expect. In most cases, a person will not expect their information to be used in AI, and you will need to get their express consent to do so.
Your privacy policy should disclose your use of AI. If the client management system allows you to use AI or automated decision-making tools to make decisions or help you make decisions that significantly affect people’s rights or interests, you should also disclose this in your privacy policy.
Another consideration is whether the AI model will use input data to train itself. If you are an APP entity, you are required to take reasonable steps to ensure that anyone you share personal information with complies with Australian privacy law. If the AI model trains itself on the input data, it can be difficult to ensure that the personal information contained in the inputs will be handled according to privacy law, particularly where many AI technology providers are located overseas. To help you comply with your privacy obligations, the client management system should integrate only private AI models that do not train on input data.
Financial and Fundraising Compliance
If you will be using the client management system to handle donations, you will need to comply with fundraising regulations, which may vary across different state jurisdictions. In New South Wales, for example, you need to apply for an authority to fundraise with NSW Fair Trading. You also have annual financial reporting obligations. Your client management system should track your donations, the purpose for which you received them, and how you used them to comply with your fundraising obligations.
ACNC Governance Standards
If you are a charity, the Australian Charities and Not-for-profits Commission (ACNC) has a set of six governance standards that you must meet in order to become registered. Once registered with the ACNC, you must continue to comply with the governance standards.
These governance standards are important to consider when using client management systems. For example, Standard 2 requires charities to be accountable to their members and ensure that members can make complaints about the charity’s management or governance. To help you comply with this standard, you could use a client management system that has a mechanism for members to make complaints. The client management system should also allow you to manage these complaints.
Policy Framework and Documentation
A good way to ensure that the way you are using client management systems is legally compliant is to implement internal policies, including:
- a privacy policy;
- a data breach response plan;
- a document and data retention policy; and
- a complaints handling policy.
Key Takeaways
Client management systems offer significant benefits for NFPs and can be useful for complying with legal obligations, particularly any record-keeping and reporting requirements. However, they also introduce new privacy, employment, and fundraising risks, and it is best to have policies in place to help you manage these risks.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced Contract Lawyers help businesses manage privacy obligations, governance requirements, fundraising compliance, data use risks, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
How long do we need to keep records?
Generally, records should be kept for at least seven years, but the period you are required to keep them can vary based on the type of record and the jurisdiction you are in. Your document and data retention policy can set out the different types of records and their retention periods.
Can volunteers access our client management system?
Volunteers can access your client management systems, but you need appropriate access controls and training in place. You should consider the volunteer’s role requirements, restrict their access to only the information that is necessary for their role, and ensure they have appropriate privacy and security training.
Should we have a data processing agreement with our client management system provider?
Yes. A data processing agreement should outline how the provider handles personal information, their security measures, and their obligations under Australian privacy law.
Can we use the data in our client management system for marketing?
Only if the individual consented to marketing when you collected their data, or would reasonably expect it. You must also comply with the Spam Act 2003.