As the year races to a close, many charities are preparing festive season fundraising campaigns. Australians are generous and often this means there is a surge in giving at this time.
With news reports of cyberattacks on a third-party telemarketing firm (with well-known charities affected), concern about the impact of cybercrime and the need for support to help charities protect their donors’ data and privacy has been heightened. Certainly, when breaches occur, they can have a significant impact on a charity’s reputation and the sector more broadly.
While charities cannot fully control the actions of any company they contract with to do fundraising on their behalf (such as to run a national raffle or calling campaign), it is essential they undertake due diligence of a prospective fundraising agency’s track record, experience, and policies and practices before signing a contract. This includes both the fundraising strategies used and the way data is collected and managed.
Charities also need to protect the data they collect directly. There is much your charity can do to protect your donors’ data and privacy; it really is critical. Managing cyber security risks doesn’t necessarily involve expensive, high-tech solutions. It starts with understanding what information you are holding and why, so you can understand what risks are present, and plan strategies to mitigate them.
As a matter of good practice (and, for many, also because of legal requirements), charities should have a policy that outlines the way they collect, store and use people’s data. The policy will help determine what approach your charity takes to managing information, guide your staff and volunteers, and provide assurances to your donors, supporters and members.
Our ACNC Cyber Security Governance Toolkit has tips and various resources for every charity to help protect against threats. It also has useful links to guidance such as that provided by the Office of the Australian Information Commissioner. We have tried to provide practical support especially for smaller charities, so our kit also has a template plan for responding to a data breach.
A key tip is only collecting the minimum amount of information about a person required for a particular purpose, and then only store it for as long as required for that purpose.
It’s important that all staff and volunteers who have access to people’s information understand your charity’s policies and are properly trained. If your charity is using an external provider to manage information and data, then make sure their policies and practices meet the legal requirements and expectations of your charity and the wider community. Put yourself in the shoes of a donor and think about what you would expect.
Also, as I have written about before, a set of national fundraising principles are going to be implemented across Australia in the coming months. One of these principles requires charities to act in accordance with privacy laws, so yet another reason to think about what your charity has in place.
When it comes to what the ACNC does with the data we collect, we have several cyber security measures in place. For example, staff do mandatory cybersecurity training and use multi-factor authentication (MFA) to access our systems. We are in the process of planning the implementation of MFA more widely and will be consulting the sector on our proposed approach early next year.
I would encourage you to develop your charity’s strategy to reduce the risk and impact of a data breach by having a plan of action if there is an attack on the data of your charity, or that held by a third-party provider you have used. Hopefully, that plan will never be needed.
Warm regards,
Sue Woodward AM