Why does a not-for-profit or charity need a privacy policy?

With the prevalence of cyber attacks are on the rise, ensuring that your organisation's data and customer information protected has become a critical aspect of standard business operations. This article explores when you need privacy policy and the detail that should be included.

In a rapidly developing digital world where cyberattacks are commonplace, data protection and privacy policies are becoming increasingly important. Many organisations holding highly sensitive information, such as Charities and Not-for-Profits ('NFPs'), must now consider whether they require a privacy policy and, if so, what should be included in such policy.

When do you need a privacy policy?

If your charity or NFP meets the definition of an Australian Privacy Principles ('APP') entity under the Privacy Act 1988 (Cth) ('the Act'), then it requires a privacy policy.

An APP entity is generally either an agency or organisation. This includes:

  • partnerships
  • body corporates
  • individuals
  • any other unincorporated association, or
  • a trust.

Agencies and organisations that do not fall under the APP entity classification include:

  • registered political parties
  • small business operators (an annual turnover of $3,000,000 or less in the preceding financial year), and
  • State or Territory authorities, agencies, or a prescribed instrumentality of a State or Territory.

Even if you are not legally obliged to have a privacy policy, it is still beneficial to have one in place. Many people like to know how organisations utilise their personal information, and what steps they have in place to protect such information.

Recent Changes

There have been recent changes surrounding NFPs and Charities, and the use of private information. Amendments to the Act include introducing the Notifiable Data Breach ('NDB') scheme, which commenced on 22 February 2018.

If your organisation is currently required to secure personal information under the Act (as above), then it will need to comply with the NDB scheme. The NDB scheme applies to data breaches of personal information likely to result in serious harm to individuals affected. In short, you should consider the following three questions when assessing a data breach:

  1. Has there been unauthorised access to or unauthorised disclosure of personal information?
  2. Is this likely to result in serious harm to one or more individuals?
  3. Were you unable to prevent the likely risk of serious harm with any remedial action?

If you answered “yes” to all of the above, then a notifiable data breach has occurred.

If a notifiable data breach has occurred, you are required to notify the affected individual(s) and the Office of the Australian Information Commissioner. If you fail to comply with the NDB scheme, then significant legal penalties of up to $1.8 million may apply.

What should be included in a privacy policy?

Your privacy policy should inform people as to how your Charity or NFP protects and safeguards its data. To ensure you comply with the NDB scheme, you should also outline how and when individuals are to be notified in the event of a data breach.

Other information to be addressed in your privacy policy should include:

  • how you identify possible risks, and
  • what is done with information that is no longer required.

People should also be informed of:

  • how they can access their data
  • who else can access their data, and
  • how you handle questions/complaints about the handling of personal information.

How can Sharrock Pitman Legal help?

We can assist Charities and NFPs to implement necessary privacy policies such as to mitigate legal and financial risk, ensuring your organisation is protected in a pragmatic and pro-active way. If you have any queries, please contact us on 1300 205 506 or alternatively complete the form below.

The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.

Liability limited by a scheme approved under Professional Standards Legislation.

For further information contact  
Mitchell Zadow

Mitchell is the Managing Principal of our law practice.

He is an Accredited Specialist in Commercial Law (accredited by the Law Institute of Victoria). He also deals with areas of Employment Law, Wills & Estate Planning and Probate. For further information, contact Mitchell on his direct line (03) 8561 3318.

Download our FREE legal guide to starting a charity in Australia

Get your free download
Get your download

Enter your details

Thanks for your interest! 

Here's your download:
Oops! Something went wrong while submitting the form.

For fifty years Sharrock Pitman Legal has made a significant and long term contribution to meeting the legal needs of business owners and residents in the City of Monash and greater Melbourne area.

Get in touch

When you contact us you will soon discover that we really are caring lawyers who will always be ‘on your side®’.

Thank you, your form has been received.

We'll be in touch shortly.
Oops! Something went wrong while submitting the form.