The Office of Australia’s Information Commissioner has issued updated privacy guidance for charities and not-for-profits

There are significant benefits for charities in taking privacy seriously, including enabling better services and stronger relationships with the community, protecting brand and reputation, and increasing public trust. The Office of Australia’s Information Commissioner (OAIC) has made that very clear with its revised privacy guidance for charities.

The guidance covers specific topics of interest for not-for-profits such as engaging third-party providers, fundraising, using third-party vendors, sharing donor information, purchasing donor lists and retention of personal information.

Importantly, the new guidance also makes clear that charities cannot retain donor personal information indefinitely – there must be a process for regularly reviewing whether retention of personal information is still required.

Given the types of sensitive information that some charities collect (which can vary from domestic violence data to mental health data depending on the organisation), a spate of recent high-profile data breaches, and Australia currently being in the midst of privacy reform, it is an important time to review and uplift your privacy program.

It is also really important that charities take into account additional guidance from the OAIC, including the recent guidance on AI deployment and on the use of tracking pixels. While charities will likely have genuine, good faith reasons for using these tools, there are significant risks to individuals from not safeguarding their personal information when using these tools. The OAIC has made clear that charities need to take this into account, just as other APP entities do. Importantly, charities must conduct appropriate due diligence about the way in which they use third-party tracking pixels to ensure the use is compliant with the Australian Privacy Act and APPs.

Some key points for charities to think about in considering privacy compliance:

  • Do you take reasonable steps to protect the personal information you hold (e.g. technical and organisational measures)?
  • Do you have a data breach response plan in place?
  • Do you have a staff privacy manual accompanied by appropriate implementation and staff training?
  • Is your privacy policy up to date?
  • Do you obtain consent when collecting any sensitive information?
  • Does your direct marketing comply with applicable rules?
  • Do you undertake any diligence before using a third-party tool?
  • Do you have data retention periods or a process for regularly reviewing whether the retention of information is still required?
  • Do you use tracking pixels and cookies that collect personal information?
  • Do you destroy or de-identify personal information that is no longer required?

AWO has assisted many charities with their data protection and privacy programs. Please get in touch at enquiries@awo.agency if you have any questions or would like assistance.
