As a not-for-profit organisation, you will inevitably collect personal information about donors. Donors usually trust charities and not-for-profits due to their role in addressing societal issues and championing causes close to their hearts. As such, you must handle this trust with great care. In addition, charities and not-for-profits are subject to stringent compliance measures, and privacy compliance is one aspect of this compliance architecture. In this article, we will explore the privacy obligations that your not-for-profit must adhere to while fulfilling your charitable purpose.

What is Personal Information?
Before diving into the obligations, it is essential to understand what personal information is. In Australia, the law defines personal information as any information that can reasonably identify an individual. This includes:
- names;
- addresses;
- phone numbers;
- email addresses; and
- financial information.
A further category of information is called sensitive information, like:
- health records; or
- information about an individual’s racial or ethnic origin, political association or religious or philosophical beliefs.
What Privacy Principles Apply to Not-For-Profits?
The main framework for privacy compliance in Australia is the Privacy Act 1988, which sets out 13 Australian Privacy Principles (‘APPs’). These principles are relevant for all organisations, including not-for-profits, to know how to handle personal information. We explain the APPs and how they affect your not-for-profit in the table below.
| Privacy Principle | Explanation |
| --- | --- |
| 1. Open and Transparent Management of Personal Information | Your not-for-profit should have a clear and easily accessible privacy policy that outlines how you collect, store, use and disclose personal information. It should also inform donors about their rights regarding their data, including their right to access or correct their information. |
| 2. Anonymity and Pseudonymity | Wherever possible, you must allow people the option to interact with your organisation anonymously or using a pseudonym. This encourages trust and ensures that donors retain some control over their personal information. |
| 3. Collection of Solicited Personal Information | You must only collect personal information if it is reasonably necessary for your functions or activities. Be clear about why you need the information and ensure you collect it by fair and lawful means. |
| 4. Dealing with Unsolicited Personal Information | If your not-for-profit receives unsolicited personal information, you should determine whether it could have been collected under Principle 3. If not, you must destroy or de-identify the information as soon as practicable. |
| 5. Notification of the Collection of Personal Information | When you collect personal information, you must take reasonable steps to notify the individual of the collection, including who you are, why you are collecting the information and how they can access your privacy policy. |
| 6. Use or Disclosure of Personal Information | You should only use or disclose personal information for the primary purpose of collection, or for a directly related secondary purpose, unless an exception applies. Obtain consent if necessary, and consider the individual's reasonable expectations. |
| 7. Direct Marketing | If your not-for-profit engages in direct marketing, individuals must have the option to opt out. Ensure that your marketing materials provide clear information about how to do so. |
| 8. Cross-Border Disclosure of Personal Information | If your organisation transfers personal information overseas, you must take reasonable steps to ensure the recipient complies with Australian privacy laws. This also applies to any cloud storage you use, since the provider may hold your data outside Australia. |
| 9. Adoption, Use or Disclosure of Government-Related Identifiers | Avoid using government-related identifiers (e.g. tax file numbers) unless the law permits it. |
| 10. Quality of Personal Information | Ensure that the personal information you collect is accurate, up to date and relevant to your purposes. Make the necessary corrections when errors are identified. |
| 11. Security of Personal Information | You must take reasonable steps to protect personal information from unauthorised access, disclosure, alteration or destruction. This may include technical measures such as data encryption and access controls. |
| 12. Access to Personal Information | Except in certain circumstances, individuals are entitled to access their personal information upon request. You should ensure that the process for requesting and providing access is clearly outlined in your privacy policy. |
| 13. Correction of Personal Information | If a donor believes the personal information you hold about them is incorrect, you must take reasonable steps to correct it and promptly update any other organisation that has received the information. |
What Are the Consequences of Non-Compliance?
Failing to meet your privacy obligations as a not-for-profit can have serious consequences. The Office of the Australian Information Commissioner (OAIC) is responsible for overseeing privacy compliance and can take various actions in response to breaches, including issuing fines and requiring corrective actions. More importantly, non-compliance can damage the trust and reputation of your not-for-profit, which is an essential currency in this sector.
What Steps Can Not-For-Profits Take to Comply With Privacy Laws?
Here are some practical steps your not-for-profit can take:
1. Conduct a Privacy Impact Assessment
You should regularly assess your data handling practices to identify potential privacy risks. This can help you proactively address issues and ensure compliance.
2. Develop a Robust Privacy Policy
Draft a comprehensive privacy policy that explains how your organisation collects, uses, and discloses personal information. Regularly update this policy to ensure it reflects your actual processes and, of course, any updates to the law.
3. Educate Your Team
Everyone involved in your not-for-profit must be equally committed to privacy protection. Therefore, you should train your staff and volunteers on privacy obligations and the importance of data protection. You should also encourage a culture of privacy awareness within your organisation.
4. Implement Strong Data Security Measures
You should also invest in robust data security measures to protect personal information from breaches or unauthorised access. You should:
- regularly update your security protocols to stay ahead of emerging threats; and
- consider obtaining cyber liability insurance to protect your business in the event of a breach.
5. Appoint a Privacy Officer
Consider appointing a dedicated privacy officer or designate an existing team member to oversee privacy compliance and handle inquiries from individuals.
Key Takeaways
As a not-for-profit organisation in Australia, your commitment to privacy is essential to maintaining trust and fulfilling your charitable purpose. Understanding and adhering to the Australian Privacy Principles is a fundamental aspect of your privacy obligations. By taking proactive steps to protect personal information, your not-for-profit can continue to make a positive impact on society while respecting the privacy rights of individuals.
If you have any questions about your not-for-profit’s or charity’s privacy obligations, our experienced charity lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.