The Office of the Australian Information Commissioner (OAIC) and the Australian Charities and Not-for-profits Commission (ACNC) have released new guidance on handling personal information for not-for-profit (NFP) organisations, including charities. The update aims to improve compliance with the Privacy Act 1988 and strengthen cyber security across the sector in response to the increasing frequency of data breaches.
The initiative responds to a marked rise in cyber threats. The OAIC reports a 13% year-on-year increase in data breach notifications for 2023-24, with 67% of notified incidents attributed to malicious or criminal attacks. Recent high-profile incidents, such as the breach at Pareto Phone, a telemarketing provider used by charities, show how exposed the NFP sector is.
Securing personal information
The revised guidance sets out clear, practical measures on data retention, compliance and the transparent handling of personal information. The main areas of emphasis are:
1. Retention and destruction of personal information
The OAIC warns against holding personal information indefinitely: the longer data is kept, the larger the pool an attacker can steal. NFPs should:
- Set retention periods that specify how long donor and supporter data is kept, broken down by type of engagement (e.g. ongoing donors versus lapsed donors).
- Train staff regularly on retention and destruction procedures so the policy is applied consistently across the organisation.
- Record each supporter's most recent engagement date and set up reminders that flag records that have reached their retention limit and are due for secure disposal.
- Honour donor preferences, especially "Do Not Contact" (DNC) requests, and document these instructions accurately so they survive data clean-ups.
“Retaining unnecessary personal information exposes organisations to greater risks. The most important takeaway is that you can’t lose or have stolen data you don’t hold,” stated the OAIC.
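As an added illustration (not part of the OAIC/ACNC guidance or any organisation's actual system), the following Python sketch shows how the retention rules above can be enforced mechanically: a retention period per engagement category, a sweep that flags records past their limit, a reminder feed for records expiring soon, and handling of Do Not Contact requests by destroying the record but retaining a hashed suppression entry so the preference continues to be honoured. The categories, retention periods, record layout and sample register are all constructed assumptions; real periods must come from the organisation's own retention schedule and legal advice.

```python
"""Retention sweep for a donor/supporter register (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib

# Illustrative maximum retention (days after the last engagement) per
# engagement category. Constructed for this example; an organisation must
# set these from its own retention schedule and legal obligations.
RETENTION_DAYS = {
    "active_donor": 365 * 7,
    "lapsed_donor": 365 * 2,
    "event_attendee": 365,
    "newsletter_only": 365,
}


@dataclass(frozen=True)
class Supporter:
    supporter_id: str
    email: str
    category: str
    last_engagement: date
    do_not_contact: bool = False


def suppression_key(email: str) -> str:
    """Pseudonymous key for the Do-Not-Contact suppression list.

    Hashing the normalised address lets a future import be checked against
    the DNC list without retaining the address itself.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def expiry_date(record: Supporter) -> Optional[date]:
    """Last day the record may be held, or None if its category has no limit."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.last_engagement + timedelta(days=days)


def classify(record: Supporter, today: date) -> str:
    """Decide what to do with one record on the given date.

    keep          - still within the retention period
    review        - unknown category: fail closed and escalate, never destroy blindly
    suppress_only - past retention and DNC: destroy the record, keep a hashed
                    suppression entry so the preference is still honoured
    destroy       - past retention with no preference to preserve
    """
    expiry = expiry_date(record)
    if expiry is None:
        return "review"
    if today <= expiry:
        return "keep"
    return "suppress_only" if record.do_not_contact else "destroy"


def sweep(records, today: date):
    """Group supporter IDs by decision and build the DNC suppression list.

    Returns (decisions, suppression): decisions maps each decision name to
    a list of supporter_ids; suppression maps hashed emails to the ISO date
    the preference was carried over.
    """
    decisions = {"keep": [], "review": [], "suppress_only": [], "destroy": []}
    suppression = {}
    for r in records:
        d = classify(r, today)
        decisions[d].append(r.supporter_id)
        if d == "suppress_only":
            suppression[suppression_key(r.email)] = today.isoformat()
    return decisions, suppression


def expiring_within(records, today: date, days: int = 30):
    """Supporter IDs whose retention limit falls within the next `days` days;
    this is the feed for a reminder to the data owner."""
    horizon = today + timedelta(days=days)
    return [r.supporter_id for r in records
            if (exp := expiry_date(r)) is not None and today <= exp <= horizon]


# Constructed sample register (not real people) and a fixed "as of" date.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    Supporter("S1", "a@example.org", "active_donor", date(2020, 1, 15)),
    Supporter("S2", "b@example.org", "lapsed_donor", date(2022, 3, 1)),
    Supporter("S3", "C@Example.org ", "event_attendee", date(2023, 9, 10), do_not_contact=True),
    Supporter("S4", "d@example.org", "newsletter_only", date(2024, 7, 20)),
    Supporter("S5", "e@example.org", "volunteer", date(2019, 5, 5)),  # no retention rule
]

if __name__ == "__main__":
    decisions, suppression = sweep(SAMPLE, AS_OF)
    print("decisions:", decisions)
    print("suppression entries:", len(suppression))
    print("expiring within 30 days:", expiring_within(SAMPLE, AS_OF))
```

Two design choices matter more than the dates: an unrecognised category is escalated for review rather than destroyed (a retention sweep that fails open deletes records it should have kept), and a DNC record that reaches its retention limit is not simply deleted, because deleting it would also delete the evidence of the preference.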
2. Privacy practices and donor trust
Privacy governance shapes how NFPs interact with stakeholders, particularly donors. The guidance emphasises:
- Ethical data handling builds trust and strengthens relationships with donors.
- Organisations should align with the Privacy Act's principles even if they are currently exempt (for example, under the small business exemption for organisations with an annual turnover of $3 million or less), because proposed legislative changes may bring more not-for-profits within the Act's scope.
“Good privacy practice is not only a matter of compliance but also fundamental to building trusted relationships. For donors, seeing ethical handling of their data is paramount,” the OAIC stated.
3. Cybersecurity preparedness
The guidance highlights the link between sound privacy practice and cyber resilience, urging NFPs to:
- Carry out regular assessments to identify weaknesses in how personal information is collected, stored, shared and disposed of.
- Use multi-factor authentication on every account with access to supporter data, and encryption for that data at rest and in transit.
- Prepare incident response plans so breaches can be contained and assessed quickly, including the steps required under the Notifiable Data Breaches (NDB) scheme: assessing a suspected eligible data breach promptly (the scheme expects this within 30 days of becoming aware of it) and notifying the OAIC and affected individuals where the breach is likely to result in serious harm.
Over 1,000 data breaches were notified under the scheme in 2023-24, underscoring the need for proactive measures.
Enhancing governance for NFPs
The growing overlap between public-sector and NFP operations, exemplified by inclusion programs led by organisations such as KU Children's Services, makes this update relevant to leaders responsible for data protection. Stronger data governance aligns with wider government objectives of transparency, accountability and protecting public trust.
Sound privacy practice is essential for NFPs to earn and keep the trust of donors and stakeholders. The revised guidance stresses that good data governance not only meets the requirements of the Privacy Act but also strengthens an organisation's cyber security posture: less data held means less data to lose, and clear ownership of records makes a breach easier to scope and assess.
The OAIC urges NFPs to adopt good privacy practices proactively, since proposed amendments to the Privacy Act 1988 could remove the small business exemption. The revised guidance gives NFPs a practical tool for improving data privacy and cyber security. By following it, NFPs can better protect personal information, meet their legal obligations and keep the trust of their supporters.