New privacy guidance released
The Office of the Australian Information Commissioner has updated privacy guidance for not-for-profits.
It includes new advice on security of information and steps to ensure compliance with retention and destruction obligations. The guidance also includes discussion on what to consider when engaging third-party providers, such as fundraisers and software vendors.
Privacy commissioner Carly Kind said that the guidelines aimed to help charities navigate their privacy responsibilities when collecting and handling personal information and understand their obligations under the Privacy Act.
‘One important area we have highlighted […] is that personal information should only be retained as long as it is needed’, said Ms Kind.
‘We understand the desire to retain donor information, but it should not be retained indefinitely.
‘[NFPs should] have policies and procedures that specify the maximum retention periods for each type of supporter data, and ensure that staff know and understand processes for the retention and destruction of personal information.
‘Retaining more personal information than you need creates privacy risks for your organisation, staff and supporters.
‘If you are using a third-party provider, whether that is for fundraising, or a software vendor or other provider, make sure their privacy practices meet the expectations of both your organisation and the wider community.’
Ms Kind said that even if an organisation falls below the financial threshold for coverage by the act ($3 million annual turnover) and does not provide a health service (which brings an organisation under the Privacy Act regardless of turnover), it should still look to apply best practice.
The OAIC’s key privacy points are:
- NFPs may have obligations under the Privacy Act and the Australian Privacy Principles when collecting and handling personal information
- Regardless of whether the act applies, good privacy practice builds trust and stronger relationships with the community, and reduces the risk of harm to the entity, its staff and its supporters that could follow a data breach
- Only collect personal information that is needed, store it securely and delete it when it is no longer required
- Retain personal information only while it is needed. Conduct regular reviews to ascertain whether information is still required, and destroy or de-identify personal information that is no longer required
- Be prepared if things go wrong. Ensure that a data-breach response plan is in place and that all staff are familiar with it, and
- When entering arrangements with third parties, take reasonable steps to ensure that their privacy practices meet your and the wider community's expectations. Read the terms of agreement carefully, conduct periodic reviews, and ensure that third parties delete personal information at the end of contracts.
Refer to the OAIC home page Privacy Guidance for Not-for-Profits for advice on security of information and steps to take to ensure compliance with retention and destruction obligations.
General Advice Warning
The information provided in this article is for general information purposes only and is not intended to and does not constitute formal taxation, financial or accounting advice. McConachie Stedman does not give any guarantee, warranty or make any representation that the information is fit for a particular purpose. As such, you should not make any investment or other financial decision in reliance upon the information set out in this correspondence and should seek professional advice on the financial, legal and taxation implications before making any such decisions.