Why does a not-for-profit or charity need a privacy policy?

In a rapidly developing digital world where cyberattacks are commonplace, data protection and privacy policies are becoming increasingly important. Many organisations holding highly sensitive information, such as Charities and Not-for-Profits ('NFPs'), must now consider whether they require a privacy policy and, if so, what should be included in such policy.

When do you need a privacy policy?

If your charity or NFP meets the definition of an Australian Privacy Principles ('APP') entity under the Privacy Act 1988 (Cth) ('the Act'), then it requires a privacy policy.

An APP entity is generally either an agency or organisation. This includes:

• partnerships
• body corporates
• individuals
• any other unincorporated association, or
• a trust.

Agencies and organisations that do not fall under the APP entity classification include:

• registered political parties
• small business operators (an annual turnover of $3,000,000 or less in the preceding financial year), and
• State or Territory authorities, agencies, or a prescribed instrumentality of a State or Territory.

Even if you are not legally obliged to have a privacy policy, it is still beneficial to have one in place. Many people like to know how organisations utilise their personal information, and what steps they have in place to protect such information.

Recent Changes

There have been recent changes surrounding NFPs and Charities, and the use of private information. Amendments to the Act include introducing the Notifiable Data Breach ('NDB') scheme, which commenced on 22 February 2018.

If your organisation is currently required to secure personal information under the Act (as above), then it will need to comply with the NDB scheme. The NDB scheme applies to data breaches of personal information likely to result in serious harm to individuals affected. In short, you should consider the following three questions when assessing a data breach:

1. Has there been unauthorised access to or unauthorised disclosure of personal information?
2. Is this likely to result in serious harm to one or more individuals?
3. Were you unable to prevent the likely risk of serious harm with any remedial action?

If you answered “yes” to all of the above, then a notifiable data breach has occurred.

If a notifiable data breach has occurred, you are required to notify the affected individual(s) and the Office of the Australian Information Commissioner. If you fail to comply with the NDB scheme, then significant legal penalties of up to $1.8 million may apply.

What should be included in a privacy policy?

Your privacy policy should inform people as to how your Charity or NFP protects and safeguards its data. To ensure you comply with the NDB scheme, you should also outline how and when individuals are to be notified in the event of a data breach.

Other information to be addressed in your privacy policy should include:

• how you identify possible risks, and
• what is done with information that is no longer required.

People should also be informed of:

• how they can access their data
• who else can access their data, and
• how you handle questions/complaints about the handling of personal information.

How can Sharrock Pitman Legal help?

We can assist Charities and NFPs to implement necessary privacy policies such as to mitigate legal and financial risk, ensuring your organisation is protected in a pragmatic and pro-active way. If you have any queries, please contact us on 1300 205 506 or alternatively complete the form below.

‍

The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.

‍

Liability limited by a scheme approved under Professional Standards Legislation.