Introduction
For any charity, managing the personal information of donors, volunteers, and beneficiaries is a core responsibility that brings significant legal and ethical duties. Compliance with the requirements set by the Australian Charities and Not-for-profits Commission (ACNC) and the federal Privacy Act 1988 (Cth) is essential for good governance and maintaining public trust, especially in an environment of increasing data breach risks.
Understanding the complex landscape of data and privacy obligations can be challenging, particularly with evolving legal standards. This guide provides practical, updated guidance for charities on meeting their compliance duties, from fundamental ACNC record-keeping obligations to the principles of the Privacy Act. Furthermore, it offers a step-by-step approach to implementing good privacy practice and explains recent privacy reforms, including new requirements under Australian Privacy Principle 11.
Understanding Your Charity’s Core Obligations
ACNC Record-Keeping Requirements
All charities registered with the Australian Charities and Not-for-profits Commission (ACNC) must maintain written records for a minimum of seven years. These records are essential for demonstrating good governance and ensuring transparency.
Records can be kept in any format, including electronically, provided they meet these basic requirements:
- They are in English or can be easily translated
- They are simple to find when needed
Good record-keeping is a cornerstone of effective charity management and helps your organisation meet its obligations. The ACNC requires charities to keep two main types of records:
Record Type | Description |
---|---|
Financial Records | Must accurately explain the charity’s transactions, how it receives and spends money or assets, and clarify its financial position and performance for financial statements. |
Operational Records | Must demonstrate how the charity is entitled to be registered and how it complies with its obligations under the ACNC Act and relevant tax laws. |
Proper record-keeping supports good decision-making, financial management, and risk management. It also helps your charity show that it is operating as a not-for-profit and working towards its charitable purposes.
Complying with the Privacy Act & Australian Privacy Principles
A charity may be subject to the Privacy Act 1988 (Cth), which governs how organisations handle personal information. Compliance is mandatory for any charity that meets specific criteria. Even if not legally required, adhering to the Act is considered good practice and demonstrates a commitment to accountability.
A charity must comply with the Privacy Act 1988 (Cth) if it:
- Has an annual turnover of more than $3 million
- Provides a health service to individuals
- Sells or purchases personal information
- Is a Commonwealth-contracted service provider
- Is related to a larger organisation that is covered by the Act
Charities that do not meet these criteria can voluntarily ‘opt-in’ to comply with the Privacy Act 1988 (Cth). This can help build trust with donors and the community.
The cornerstone of the Act is the 13 Australian Privacy Principles (APPs), which outline how personal information must be managed throughout its lifecycle. These principles provide a framework for handling data, covering everything from collection to destruction. They include:
Principle (APP) | Description |
---|---|
APP 1 | Open and transparent management of personal information |
APP 2 | Anonymity and pseudonymity |
APP 3 | Collection of solicited personal information |
APP 4 | Dealing with unsolicited personal information |
APP 5 | Notification of the collection of personal information |
APP 6 | Use or disclosure of personal information |
APP 7 | Direct marketing |
APP 8 | Cross-border disclosure of personal information |
APP 9 | Adoption, use or disclosure of government-related identifiers |
APP 10 | Quality of personal information |
APP 11 | Security of personal information |
APP 12 | Access to personal information |
APP 13 | Correction of personal information |
Request a Free Consultation with one of our experienced Lawyers today.
Get Your Free Initial Consultation
Why Compliance with Privacy & Data Laws Is Essential
Building & Maintaining Donor Trust & Public Confidence
For any charity, strong privacy practices are a key factor in building and maintaining its reputation. Donors, supporters, and the general public have clear expectations about how their personal information is managed, and meeting these expectations is crucial for protecting public support for your work.
Investing in good privacy practice helps foster trusted relationships, which are often essential to a charity’s long-term sustainability. When the public is confident that a charity will handle their personal information appropriately and ethically, they are more likely to engage with that organisation.
A positive relationship with supporters can take years to build but can be damaged very quickly if data is mismanaged. Demonstrating a commitment to data and privacy shows respect for your community and can strengthen the bond between your charity and its supporters.
Upholding Good Governance & Meeting ACNC Standards
Responsible data management is a core component of good governance and is directly linked to the duties of a charity’s Responsible People. Under ACNC Governance Standard 5, Responsible People must act with reasonable care and diligence and in the best interests of the charity.
Setting and following clear policies for managing people’s information is a practical way to meet these obligations. Effective record-keeping and data protection are reflective of sound governance, financial management, and risk management.
The ACNC encourages all charities to comply with the obligations under the Privacy Act 1988 (Cth) as a way to demonstrate a commitment to transparency, accountability, and good governance. Adhering to this privacy guidance helps ensure your charity meets its compliance duties under multiple ACNC Governance Standards.
Mitigating Financial & Reputational Risks from Data Breaches
Charities are increasingly becoming a target for cybercriminals, making robust cyber security practices essential. A data breach, where personal information is lost or accessed without authorisation, can have severe consequences, including significant financial loss and lasting damage to your organisation’s reputation.
The threat of cyber-attacks is a significant risk for charities of all sizes. If a data breach occurs, donors and beneficiaries can lose trust in the charity, which can impact public confidence in the wider not-for-profit sector.
The risks associated with poor data management include:
- The theft of personal information for fraudulent purposes
- Financial losses resulting from the attack
- Privacy issues for affected individuals
- Serious and long-term reputational damage
Having a plan to manage these risks is a critical aspect of a charity’s governance and operational responsibilities.
A Practical Guide to Implementing Data Compliance
Develop a Clear & Compliant Privacy Policy
For any charity required to comply with the Privacy Act 1988 (Cth), having a compliant Australian Privacy Principles (APP) privacy policy is a mandatory requirement. Even for charities not covered by the Act, developing such a policy is considered good practice to demonstrate a commitment to transparency, accountability, and good governance.
This document should be easily accessible and clearly explain how your organisation manages personal information. A comprehensive privacy policy should be tailored to your charity’s specific operations but generally includes key details about your data and privacy practices.
Your policy should outline:
- The types of personal and sensitive information your charity collects and holds
- The methods by which your charity collects this information
- The specific purposes for which the information is collected, stored, and used
- How and where data is securely stored, including whether it is held on servers overseas
- The circumstances under which your charity might disclose personal information to other parties
- The process for individuals to access and correct the information held about them
- How your charity handles complaints or potential breaches of privacy
Establish Secure Data Handling & Storage Procedures
Implementing robust security measures is essential for protecting the personal information your charity holds from misuse, interference, loss, and unauthorised access. These procedures should cover both digital and physical records and address the entire information lifecycle.
Good governance in this area involves a combination of technical safeguards and clear internal processes. Charities can significantly strengthen their data security by taking several practical steps.
Key measures include:
Security Measure | Description |
---|---|
Implement access controls | Ensure that staff and volunteers can only access the information they specifically need to perform their duties. |
Ensure network security | Use effective software and network security measures and avoid the use of shared accounts where possible. |
Conduct regular training | All staff and volunteers who handle personal data should understand the charity’s policies and their privacy obligations. |
Manage remote work risks | Establish clear processes for how records are managed when staff work from home, addressing risks of private networks and personal devices. |
Use multi-factor authentication | Require a second authentication factor (such as an authenticator app or a hardware security key) in addition to a password before granting access to accounts and systems, so that a stolen or phished password alone is not enough. |
Implement a Data Retention & Destruction Schedule
Under APP 11.2, a charity must take reasonable steps to destroy or de-identify personal information once it is no longer needed for the purpose for which it was collected. The practice of retaining data indefinitely is not compliant with good privacy practice and creates unnecessary risks, as you cannot lose information that you no longer hold.
To effectively manage the data lifecycle, charities should establish a formal retention and destruction schedule. This involves:
Action | Details |
---|---|
Create a retention policy | Develop procedures that specify maximum retention periods for different categories of supporter data (e.g., active donors, non-donors). |
Set retention benchmarks | Use a de-facto benchmark, such as seven years after the last valid engagement, as a useful guide for donor information. |
Track engagement | Keep clear records of the last date of engagement with an individual to signal when retention thresholds have been met. |
Establish destruction processes | Ensure procedures for secure destruction or de-identification are well-known to all staff and that compliance is monitored through regular training. |
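The schedule above is a procedure: give each supporter category a maximum retention period, anchor it to the last engagement date, and de-identify or destroy whatever has passed its deadline. The following is an added example of that procedure in Python; it is not code from the original page or from any particular charity's systems. The category names, the two-year period for non-donors, the record fields and the sample records are all assumptions constructed for the example; only the seven-year benchmark comes from the guide. It handles two edge cases a real run hits: a record with no engagement date (which falls back to its collection date rather than being kept forever) and a leap-day anchor.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Maximum retention in years per supporter category.
# Seven years after the last valid engagement is the guide's benchmark for donors;
# the non-donor period and the category names are assumptions for this example.
RETENTION_YEARS = {
    "active_donor": 7,
    "lapsed_donor": 7,
    "non_donor": 2,
}

# Constructed "today" so the example is reproducible offline.
SCHEDULE_RUN_DATE = date(2025, 7, 1)


@dataclass(frozen=True)
class SupporterRecord:
    record_id: str
    category: str
    name: Optional[str]
    email: Optional[str]
    postal_address: Optional[str]
    collected_on: date
    last_engagement: Optional[date]
    total_donated: float = 0.0
    de_identified: bool = False


def retention_deadline(rec: SupporterRecord) -> date:
    """Date after which the record is no longer needed under the schedule.

    Each engagement resets the clock. A record with no recorded engagement is
    anchored to its collection date instead, so untracked records still expire.
    """
    anchor = rec.last_engagement or rec.collected_on
    years = RETENTION_YEARS[rec.category]
    try:
        return anchor.replace(year=anchor.year + years)
    except ValueError:  # anchor is 29 February and the target year is not a leap year
        return anchor.replace(year=anchor.year + years, day=28)


def due_for_action(records: List[SupporterRecord], today: date) -> List[SupporterRecord]:
    """Records past their deadline that still hold identifying information."""
    return [r for r in records if not r.de_identified and retention_deadline(r) < today]


def de_identify(rec: SupporterRecord) -> SupporterRecord:
    """Strip the direct identifiers but keep non-identifying aggregates for reporting."""
    return replace(rec, name=None, email=None, postal_address=None, de_identified=True)


def run_schedule(records: List[SupporterRecord], today: date) -> Tuple[List[SupporterRecord], List[str]]:
    """Apply the schedule once; return the updated records and the IDs actioned.

    The ID list is the audit trail of what was de-identified and when; it holds no
    personal information itself, so it can be retained.
    """
    due_ids = {r.record_id for r in due_for_action(records, today)}
    processed = [de_identify(r) if r.record_id in due_ids else r for r in records]
    return processed, sorted(due_ids)


# Constructed sample data (not real supporters).
SAMPLE_RECORDS = [
    SupporterRecord("D-001", "active_donor", "Alice Example", "alice@example.org",
                    "1 Example St", date(2010, 3, 1), date(2024, 11, 2), 1250.0),
    SupporterRecord("D-002", "lapsed_donor", "Bob Example", "bob@example.org",
                    "2 Example St", date(2012, 6, 15), date(2016, 5, 30), 200.0),
    # Signed up to a newsletter, never engaged again: no last_engagement recorded.
    SupporterRecord("N-003", "non_donor", "Carol Example", "carol@example.org",
                    None, date(2019, 1, 10), None),
    SupporterRecord("N-004", "non_donor", "Dan Example", "dan@example.org",
                    None, date(2024, 8, 1), date(2025, 2, 14)),
]


def example_run() -> Tuple[List[SupporterRecord], List[str]]:
    return run_schedule(SAMPLE_RECORDS, SCHEDULE_RUN_DATE)


if __name__ == "__main__":
    processed, actioned = example_run()
    print("De-identified:", actioned)
    for r in processed:
        print(r.record_id, r.category, r.name, retention_deadline(r).isoformat())
```

Running the schedule a second time over the processed records finds nothing to do, because de-identified records are excluded; that idempotence is what lets the job run on a timer without further checks. Anything the charity must keep for a separate reason, such as the ACNC seven-year record-keeping requirement for financial records, belongs in its own category with its own period rather than being silently caught by the supporter schedule.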
Create a Data Breach Response Plan
A data breach occurs when personal information held by a charity is lost or subjected to unauthorised access or disclosure. Given the increasing threat of cyber-attacks, being prepared for such an incident is a critical component of good privacy practice and governance.
Having a documented data breach response plan is essential for a timely and effective response. This plan acts as a guide to help your charity manage the situation effectively, minimise harm, and protect your reputation.
The plan should outline the necessary steps to take in the event of a breach, including how to:
- Contain the breach to prevent further compromise of data
- Assess the nature and extent of the breach and the potential harm to affected individuals. For a charity covered by the Privacy Act 1988 (Cth), the Notifiable Data Breaches scheme requires this assessment to be completed within 30 days of the charity becoming aware of grounds to suspect an eligible data breach
- Notify the appropriate parties, which may include the Office of the Australian Information Commissioner (OAIC) and the individuals whose information was compromised. Notification is mandatory under the scheme where the breach is likely to result in serious harm to any affected individual; where the charity concludes it is not, it should record that decision and the reasons for it
Recent Privacy Reforms & APP 11
New Requirements for Technical & Organisational Measures
Recent reforms to the Privacy Act 1988 (Cth) have clarified the steps charities must take to protect personal information. A new subclause, APP 11.3, now specifies that taking ‘reasonable steps’ to secure data involves implementing both technical and organisational measures. This updated guidance creates a clearer compliance obligation for any charity handling data and privacy.
These measures provide a more holistic approach to data security and governance. They ensure that protections are built into a charity’s daily operations, rather than relying solely on technological safeguards.
The two types of required measures are:
Measure Type | Examples |
---|---|
Technical Measures | Using effective software and network security, implementing multi-factor authentication, and utilising secure cloud services. |
Organisational Measures | Developing a clear privacy policy, providing regular staff training on security obligations, and establishing data retention schedules. |
Increased Risks from New Penalties & a Tort of Privacy
The privacy reforms have also introduced significantly higher risks for non-compliance, strengthening the enforcement powers of the Office of the Australian Information Commissioner (OAIC). A charity whose handling of personal information amounts to a serious or repeated interference with privacy can now face substantial financial penalties.
Maximum penalties for a body corporate have increased to whichever is the greater amount of:
- $50 million
- Three times the value of any benefit obtained from the contravention
- 30% of the organisation’s adjusted turnover during the relevant period
Furthermore, a statutory tort for serious invasions of privacy has been introduced. This grants individuals a personal right of action, allowing them to bring a claim directly against a charity for misusing their personal information or intruding on their seclusion. This development increases the legal and financial risks for any charity that fails to meet its privacy obligations.
Conclusion
Managing personal information is a core responsibility for charities, requiring compliance with ACNC record-keeping obligations and the Privacy Act 1988 (Cth). Implementing robust data and privacy practices, from developing clear policies to understanding recent reforms, is essential for upholding good governance and protecting your organisation from significant risks.
Addressing the complexities of data and privacy law requires careful attention to ensure your charity is fully compliant. For trusted expertise in not-for-profit law, contact LawBridge, our specialist not-for-profit law firm, today to receive practical guidance and protect your organisation’s operational integrity.
Frequently Asked Questions
The Privacy Act 1988 (Cth) applies to any charity with an annual turnover of more than $3 million, but it also covers smaller charities that provide a health service, trade in personal information, or are a Commonwealth-contracted service provider. A charity not covered by the Act can also voluntarily ‘opt-in’ to demonstrate its commitment to good governance.
Personal information is any information about an identified individual, or an individual who is reasonably identifiable, such as their name, address, or email. Sensitive information is a subcategory of personal information that is given a higher level of protection and includes details about a person’s health, racial or ethnic origin, religious beliefs, or political opinions.
A charity should only keep donor information for as long as it is needed for the purpose for which it was collected, as indefinite retention is not considered good privacy practice. While no single retention period is mandated, a de-facto benchmark of seven years after the last valid engagement serves as a useful guide for compliance.
All charities registered with the ACNC are required to keep written financial and operational records for at least seven years. Financial records must accurately explain the charity’s transactions and financial position, while operational records must show how the charity is entitled to be registered and is meeting its legal obligations.
A data breach occurs when personal information held by a charity is lost or subjected to unauthorised access or disclosure. If a breach happens, the charity should implement its data breach response plan to contain the incident, assess the potential harm, and notify the relevant authorities and affected individuals as required.
A charity must not share or sell its donor lists unless the individuals on the list have given their consent or would reasonably expect their information to be used in that way. If the list is intended for direct marketing purposes, the stricter rules of Australian Privacy Principle 7 apply.
Australian Privacy Principle 11 requires a charity to take reasonable steps to protect the personal information it holds from misuse, interference, loss, and unauthorised access, modification, or disclosure. It is important because it also obligates the charity to securely destroy or de-identify personal information once it is no longer needed for any valid purpose.
If your charity is required to comply with the Privacy Act 1988 (Cth), then it must have a compliant Australian Privacy Principles privacy policy. Even if not legally required, having a formal policy is considered good practice to demonstrate a commitment to transparency, accountability, and good governance.
The primary risks of poor data management include the inappropriate disclosure of personal information, data theft, non-compliance with privacy laws, and malicious cyber-attacks. These failures can lead to severe reputational damage, a loss of public trust and donor support, and significant financial penalties.