Understanding how your not-for-profit handles personal information is crucial to maintaining trust and meeting legal obligations. Not-for-profits may be required to comply with the Privacy Act and practical guidance is available on how to protect personal data, manage breaches, and work with third parties to safeguard privacy and strengthen community confidence.
Introduction
The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) that set out the minimum requirements for the handling of personal information by organisations subject to the Act.
A not-for-profit (NFP) will be required to comply with the Act if it has an annual turnover of over $3 million. Other NFPs are also subject to the Act, irrespective of turnover, if they:
- are a contracted service provider or subcontractor under an Australian Government contract
- provide a 'health service'
- sell or purchase personal information or trade personal information in exchange for a benefit
- are related to a larger body corporate that is covered by the Act.
As a matter of good privacy practice, NFPs may also opt in to comply with the Act, or informally adopt practices outlined in the APPs and the Act, to bolster public confidence in their offerings and help garner support from donors, volunteers and other people engaged in the NFP sector.
The Office of the Australian Information Commissioner (OAIC) has published Guidance on how NFPs can comply with the APPs. It provides practical advice on strengthening personal information handling practices, with a focus on the security of personal information, retention and destruction obligations, handling data breaches and managing arrangements with third parties.
We have outlined some of the key points from the Guidance below.
What is personal information?
Personal information is any information or an opinion about an individual who can be reasonably identified from that information or opinion. This information should only be collected when an NFP needs it and should generally be collected directly from the individual concerned.
Sensitive information is a subset of personal information that is afforded a higher level of protection under the Act. This includes health or genetic information, political opinions or associations, racial or ethnic origin, religious or philosophical beliefs, trade union membership or associations, sexual orientation or practices, criminal records and biometric information. NFPs must only collect sensitive information about an individual with their consent.
Summary of the Guidance
NFPs should review the Act (including the APPs) in detail to ensure adequate compliance. We have summarised some of the key points from the Guidance as follows. The list is not exhaustive and the obligations apply to any NFP that is covered by the Act. As discussed above, other NFPs may consider adopting these practices as a matter of good privacy practice.
- Implement a privacy policy in simple language to set out how your NFP manages personal information in an open and transparent manner.
- Limit the personal information (including sensitive information) that your NFP collects to the minimum information reasonably necessary to achieve your purpose for collection and provide adequate privacy notices to individuals at the point of information collection.
- Only use personal information that your NFP collects for the primary purpose for which it was collected, and be aware that there are restrictions on direct marketing that may affect your NFP's use of personal information for fundraising.
- Take reasonable steps to protect personal information your NFP holds from misuse, interference, loss, unauthorised access, modification or disclosure. For example, educate employees and volunteers about your information handling practices, use effective software and network security that enables employees, volunteers and other community stakeholders such as donors to interact with your NFP safely, and impose access controls.
- Regularly review the ongoing need to retain personal information such as donor information and implement systems (such as maximum retention periods) for destroying and de-identifying information that is no longer required.
- Implement a data breach response plan to help your NFP effectively respond to the occurrence of a data breach.
- Take reasonable steps to ensure that any third parties your NFP contracts with (such as fundraising agencies or software vendors) comply with the Act and implement information handling practices that align with those of your NFP and the community. For example, review the third party's privacy policy, ensure that the relevant contract sets out parameters for compliance with the Act and for dealing with personal information that is to be jointly held, and conduct periodic reviews of those arrangements.
Conclusion
The Guidance is intended to assist NFPs to comply with their obligations under the Act and the APPs. Good privacy practices can bolster public confidence in your NFP's goods and services and help garner support from the community.
If you would like advice about whether your NFP is required to comply with the Privacy Act or assistance to develop privacy systems for your NFP, please contact Carly Ashwood or Adelaide Hayes.
Cooper Grace Ward is a leading Australian law firm based in Brisbane.
This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please contact Cooper Grace Ward Lawyers.