After the highly publicised data breaches that have occurred in the Australian market recently, the spotlight on privacy obligations is brighter than ever. For charities and not-for-profit organisations, non-compliance with privacy obligations can erode trust and reputation, as well as expose the organisation to significant financial penalty.

While adherence to privacy laws is necessary from a compliance perspective, a focus on privacy protections can also enable better services and stronger relationships between your charity and the community it serves, fostering public trust and confidence. It can support charities in meeting community expectations when handling personal and sensitive information, where they rely on sustained support from donors, members or volunteers.

In this article we discuss seven basic questions all charities should be asking when thinking about their privacy obligations.

1. Is your charity obligated to comply with the Privacy Act?

For most charity organisations, regulatory obligations regarding privacy are predominantly based in the federal Privacy Act 1988 (Cth) (Privacy Act), although there are also some state-based privacy laws which may apply to some charities who handle health information (we do not cover the state-based laws in this article). Obligations under the Privacy Act apply to Commonwealth Government agencies and most organisations with an annual turnover of over $3 million. This means if your charity is registered with the Australian Charities and Not-for-profits Commission (ACNC) as large, it must comply with the Privacy Act.

However, there are scenarios where your organisation will be captured by the obligations under the Privacy Act even if its turnover is less than $3 million. They are:

• if your organisation is a Commonwealth-contracted service provider and provides services to, or on behalf of, Commonwealth Government agencies under a Commonwealth contract or subcontract;
• if your organisation provides a health service to individuals and holds health information about individuals (other than in an employee record), whether a primary activity of the organisation, or not. For example, a youth mental health community organisation which has a program which assists people with their fitness and health to promote wellbeing;
• if your organisation sells or purchases personal information or trades it for a benefit. For example, a charity which sells customer lists in exchange for sponsorship benefits or purchases customer lists to undertake fundraising campaigns;
• if your organisation chooses to ‘opt-in’ to the Privacy Act and voluntarily comply with the requirements under the Privacy Act, generally to increase community and stakeholder confidence and trust; and/or
• your organisation is a subsidiary or related body corporate of an organisation with an annual turnover of over $3 million, or which has been captured by the scenarios above.

If your charity is captured by the requirements under the Privacy Act, either by choice or by legislation, it is considered an ‘Australian Privacy Principles Entity’ (APP Entity) and must comply with the Australian Privacy Principles (APPs). The APPs apply to the handling of personal information and follow the personal information lifecycle from collection, to use, to disclosure, to retention, to destruction or de-identification.

A more detailed look at all 13 APPs can be found in our previous article, ‘Guide to Privacy and Data Protection, Direct Marketing, Spam and Do Not Call’.

2. What information is your charity collecting?

Charities commonly collect and store a range of personal information, including information on staff, clients, donors and beneficiaries. For all APP Entities, identifying whether the type of information collected is ‘personal information’, as well as whether the information is ‘sensitive information’ (being a subcategory of personal information), under the Privacy Act is an important initial step in understanding the applicable privacy obligations.

Personal information

Generally, personal information is information or an opinion about an identified individual or a reasonably identifiable individual. This may include a range of information, such as:

• a person’s name or signature;
• address, phone number or date of birth;
• financial/credit information; and
• photographs.

The Privacy Act imposes several obligations on APP Entities which collect personal information relating to collection, use, disclosure and protection. For instance, under APP 3, any personal information collected by an APP Entity must only be collected if it is reasonably necessary for its functions or activities.

For your charity, this may mean the email address of a donor is necessary if the charity wishes to communicate with the donor regarding their donation or to provide a tax deductible receipt, but it may not be necessary to collect and keep photographs or biometric data of that same donor. It is a matter for your charity to determine and demonstrate what is reasonably necessary.

Sensitive information

Sensitive information is a subcategory of personal information and includes a range of personal information which is considered sensitive. Under the Privacy Act this is information in relation to an individual’s:

• racial or ethnic origin;
• political opinions or associations;
• religious or philosophical beliefs;
• trade union membership or associations;
• sexual orientation or practices;
• criminal record;
• health or genetic information; and
• biometric information (e.g. face, fingerprints, iris, signature and voice).

Sensitive information is subject to higher levels of regulatory protection. Under APP 3, an APP Entity’s collection of sensitive information about an individual is generally contingent on the individual providing express or implied consent to the collection of the information. An APP Entity should also only collect sensitive information when it is reasonably necessary for one of the organisation’s functions or activities.

3. How is your charity collecting, using and protecting individual’s personal information?

According to APP 5, APP Entities must notify an individual of certain matters if they collect personal information. An APP Entity should take reasonable steps to notify individuals of certain prescribed matters when it is collecting personal information, including:

• the name of the organisation;
• the purpose, facts and circumstances of the collection;
• the consequences of the personal information not being collected;
• information about the organisation’s privacy policy; and
• whether the organisation is likely to disclose personal information to overseas recipients.

Once collected, the APP Entity must only use or disclose the personal information for the purposes for which the information was collected (primary purpose). An APP Entity may only use or disclose the personal information for any purpose outside of the primary purpose where:

• the individual has consented;
• the secondary use or disclosure is related (or for sensitive information, directly related) to the primary purpose and the individual would reasonably expect it to be used or disclosed for the secondary purpose;
• the secondary use or disclosure is required or authorised under law or court/tribunal order, or reasonably necessary for enforcement activities conducted by an enforcement body; or
• a ‘permitted general situation’ (e.g., preventing a serious threat to life, action related to unlawful activity or serious misconduct) or a ‘permitted health situation’ exists.

If an APP Entity is holding personal information, under APP 11 it has an obligation to take reasonable steps to protect the personal information from unauthorised access or disclosure. What is ‘reasonable’ will depend on the nature and size of the organisation, as well as the amount and sensitivity of the personal information held. The APP Entity should also only hold the information for so long as it is reasonably necessary. If the information is no longer needed, the APP Entity must take reasonable steps to destroy or de-identify the personal information as soon as possible.

4. Does your charity partake in fundraising activities which involve direct marketing?

Direct marketing (or communicating directly with customers or potential customers) is a commonly used practice when charities are fundraising. As a result, the ACNC recommends all charities, not just APP Entities, comply with the APP 7 requirements.

To comply with APP 7, charities should make sure they only use or disclose personal information for direct marketing purposes when:

• the individual would reasonably expect it;
• the charity provides a statement about a simple way for the individual to opt out; and
• the charity stops sending communications when the individual decides to opt out.

Generally speaking, all APP Entities require consent from the individual before the entity undertakes direct marketing activities. If a charity sends commercial electronic messages to donors either through SMS, email or any other type of means which involves an electronic message, obligations and conditions under the Spam Act 2003 (Cth) also apply.

5. How is your charity obtaining consent?

Where your charity is required to obtain consent from individuals regarding their personal information, it is important the processes for gaining consent are structured and compliant.

Where possible, charities should obtain express consent from individuals. Express consent can be given explicitly, orally or in writing and may include actions like a written or electronic signature, an oral statement or a checked box. Implied consent may also be given. Implied consent occurs when consent can be reasonably inferred from the conduct of the individual and the organisation. At all times, consent will only be given when the consent is voluntary, informed, current and specific and given by someone with capacity to give consent.

6. Does your charity have a privacy policy?

If your charity is an APP Entity, it must have a compliant APP privacy policy. Even if your charity is not an APP Entity it is good practice to have one in any event.

Privacy policies must clearly describe the practice, procedures and systems the APP Entity has in place to ensure compliance with all APPs. Every privacy policy will be different, depending on the charity’s business and operations.

The Office of the Australian Information Commission has some useful guidance on developing a privacy policy which charities should review, particularly if they do not already have a privacy policy in place.

7. What are the implications for non-compliance?

The ACNC encourages all charities (regardless of size) to comply with the obligations under the Privacy Act, as a “good way for a charity to demonstrate its commitment to transparency, accountability and good governance”.

This guide should only serve as a baseline to a broader discussion charities should have about their privacy compliance. Not only are threats to privacy growing stronger from external threats, but all organisations risk fines for serious or repeated interferences with privacy. If found to be in breach, charities can face maximum penalties not more than the greater of:

• $50 million;
• if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – 3 times the value of that benefit; or
• if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.

How can we help?

If you would like to learn more about the privacy obligations which could apply to your charitable organisation, please get in touch with our specialist Charities + Social Sector Lawyers or our specialist Data + Privacy Lawyers.