
What Are a Not-For-Profit’s Privacy Obligations When Collecting Personal Information? 

As a not-for-profit organisation, you will inevitably collect personal information about donors. Donors usually trust charities and not-for-profits due to their role in addressing societal issues and championing causes close to their hearts. As such, you must handle this trust with great care. In addition, charities and not-for-profits are subject to stringent compliance measures, and privacy compliance is one aspect of this compliance architecture. In this article, we will explore the privacy obligations that your not-for-profit must adhere to while fulfilling your charitable purpose.


What is Personal Information?

Before diving into the obligations, it is essential to understand what personal information is. In Australia, the law defines personal information as any information that can reasonably identify an individual. This includes:

  • names;
  • addresses; 
  • phone numbers; 
  • email addresses; and 
  • financial information. 

A further category of information, called sensitive information, includes:

  • health records; or 
  • information about an individual’s racial or ethnic origin, political association or religious or philosophical beliefs.

What Privacy Principles Apply to Not-For-Profits?

The main framework for privacy compliance in Australia is the Privacy Act 1988, which sets out 13 Australian Privacy Principles (‘APPs’). These principles are relevant for all organisations, including not-for-profits, to know how to handle personal information. We explain the APPs and how they affect your not-for-profit in the table below. 

Privacy Principle | Explanation
1. Open and Transparent Management of Personal Information | Your not-for-profit should have a clear and easily accessible privacy policy that outlines how you collect, store, use, and disclose personal information. It should also inform donors about their rights regarding their data, including their right to access or correct their information.
2. Anonymity and Pseudonymity | Wherever possible, you must allow the option for people to interact with your organisation anonymously or using a pseudonym. This encourages trust and ensures that donors have some control over their personal information.
3. Collection of Solicited Personal Information | You must only collect personal information if it is reasonably necessary for your functions or activities. Be clear about why you need the information and ensure you collect it by fair and lawful means.
4. Dealing with Unsolicited Personal Information | If your not-for-profit receives unsolicited personal information, you should determine whether it could have been collected under Principle 3. If not, you must destroy or de-identify the information as soon as practicable.
5. Notification of the Collection of Personal Information | When you collect personal information, you must take reasonable steps to notify the individual of certain matters, such as who you are, why you are collecting the information and who you may disclose it to, at or before the time of collection or, if that is not practicable, as soon as practicable afterwards.
6. Use or Disclosure of Personal Information | You should only use or disclose personal information for the primary purpose of collection or for a secondary purpose that is directly related, unless an exception applies. Obtain consent if necessary, and consider the individual’s reasonable expectations.
7. Direct Marketing | If your not-for-profit engages in direct marketing, individuals must have the option to opt out. Ensure that your marketing materials provide clear information about how to do so.
8. Cross-Border Disclosure of Personal Information | If your organisation transfers personal information overseas, you must take reasonable steps to ensure the recipient complies with Australian privacy laws. This will also be a consideration for any cloud storage you may use.
9. Adoption, Use, or Disclosure of Government-Related Identifiers | Avoid using government-related identifiers (e.g., tax file numbers) unless the law permits.
10. Quality of Personal Information | Ensure that the personal information you collect is accurate, up-to-date, and relevant to your purposes. Make necessary corrections when errors are identified.
11. Security of Personal Information | You must take reasonable steps to protect personal information from unauthorised access, disclosure, alteration, or destruction. This may include implementing technical measures such as data encryption and access controls.
12. Access to Personal Information | Except in certain circumstances, individuals are entitled to access their personal information upon request. You should ensure that the process for requesting and providing access is clearly outlined in your privacy policy.
13. Correction of Personal Information | If a donor believes the personal information you hold about them is incorrect, you must take reasonable steps to correct it and promptly update any other organisation that has received the information.

What Are the Consequences of Non-Compliance?

Failing to meet your privacy obligations as a not-for-profit can have serious consequences. The Office of the Australian Information Commissioner (OAIC) is responsible for overseeing privacy compliance and can take various actions in response to breaches, including issuing fines and requiring corrective actions. More importantly, non-compliance can damage the trust and reputation of your not-for-profit, which is an essential currency in this sector. 

What Steps Can Not-For-Profits Take to Comply With Privacy Laws? 

Here are some practical steps your not-for-profit can take:

1. Conduct a Privacy Impact Assessment

You should regularly assess your data handling practices to identify potential privacy risks. This can help you proactively address issues and ensure compliance.

2. Develop a Robust Privacy Policy

Draft a comprehensive privacy policy that explains how your organisation collects, uses, and discloses personal information. Regularly update this policy to ensure it reflects your actual processes and, of course, any updates to the law. 

3. Educate Your Team

Everyone involved in your not-for-profit must be equally committed to privacy protection. Therefore, you should train your staff and volunteers on privacy obligations and the importance of data protection. You should also encourage a culture of privacy awareness within your organisation.

4. Implement Strong Data Security Measures

You should also invest in robust data security measures to protect personal information from breaches or unauthorised access. You should:

  • regularly update your security protocols to stay ahead of emerging threats; and
  • consider obtaining cyber liability insurance to protect your business in the event of a breach. 

5. Appoint a Privacy Officer

Consider appointing a dedicated privacy officer or designate an existing team member to oversee privacy compliance and handle inquiries from individuals.

Key Takeaways 

As a not-for-profit organisation in Australia, your commitment to privacy is essential to maintaining trust and fulfilling your charitable purpose. Understanding and adhering to the Australian Privacy Principles is a fundamental aspect of your privacy obligations. By taking proactive steps to protect personal information, your not-for-profit can continue to make a positive impact on society while respecting the privacy rights of individuals.

If you have any questions about your not-for-profit’s or charity’s privacy obligations, our experienced charity lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Stephanie Long

Senior Lawyer

Stephanie is a Senior Lawyer in LegalVision’s Corporate and Commercial team. She specialises in commercial contracts and business structuring to assist clients in achieving their ambitions with their startups and SMEs.

Qualifications: Bachelor of Laws, Bachelor of Social Sciences, Macquarie University.
