This resource was updated using advice from the Office of the Australian Information Commissioner.
In the course of their work, charities are highly likely to collect information and data about people. This information might be about those they provide services to, their clients and partners, staff, volunteers, donors or supporters.
Gathering and having this data brings with it important legal and ethical responsibilities for charities.
A charity's Responsible People must be aware of the legal requirements of managing people’s information and data. They are responsible for their charity’s actions and must ensure their charity complies with all the relevant laws governing data collection, storage and usage.
Responsible People should carefully consider their charity’s processes for managing people’s information and data to ensure they reflect their charity’s values, as well as meet the community’s reasonable expectations.
This guide provides charities with a broad overview of their responsibilities and the laws that may apply, as well as practical tips for managing people’s information and data responsibly.
It is common for charities to collect and store:
- names, addresses and phone numbers
- ages or dates of birth
- email addresses
- bank account or credit card details (for donors)
- signatures
- employment details
- details of service and product purchases and preferences.
However, some charities may also need to collect more detailed information and data. One example might be information contained in health or education records.
Often charities need to collect and store information and data to:
- provide effective services to clients
- maintain membership lists
- manage donor and supporter lists
- co-ordinate and manage volunteers
- send newsletters or updates to donors, supporters and members
- account for activities or expenses, and
- provide supporting evidence when seeking grants or other funding.
Charities should be clear about the purposes for which they are collecting a person’s information and data, and should be careful to collect, store or use the information and data only for those purposes. Charities should also ensure they only collect information if it is reasonably necessary for their functions or activities.
They should also ensure that consent has been given to collect, store and use the information. This is particularly important when the information belongs to charity beneficiaries, and/or when the information is sensitive information for the purposes of the Privacy Act.
Whatever the purposes for data collection may be, Responsible People should consider the need for the information and data their charity is collecting about people, and the obligations that come with its collection, storage and use. Charities should only retain personal information where there is an ongoing need to hold that information.
It is also important for charities and their Responsible People to remember that not all information and data are subject to the same laws.
Collecting, storing and using people’s information and data comes with risks. Knowing the risks and taking steps to mitigate them are important elements of good charity governance.
The risks that come with information and data management include:
- inappropriate use or disclosure of a person’s information or data
- inadequate processes or training for staff handling people’s information or data
- loss of a person’s information or data, either physical or digital
- theft of a person’s information or data, either physical or digital
- questions over policies and practices of external service providers used to manage people’s information or data
- failure to comply with applicable laws
- failure of physical management systems
- malicious external cyber-attacks (for example, hacking or malware).
A charity’s reputation is particularly vulnerable to the consequences of failing to mitigate the risks of information and data management.
Importantly, management includes the oversight of any external service providers a charity contracts to manage people’s information and data. While a charity can outsource this work, it cannot outsource the responsibilities that come with it.
A charity's Responsible People should be aware of the risks of their particular practices – including any outsourced to an external service provider – and should have processes in place to protect their charity from those risks.
Obligations
Charities have ACNC and legal obligations they need to understand and comply with when collecting, storing and using people's information and data.
It is also important to be aware of public expectations, as mismanagement of data can impact the charity's reputation and community support.
Charities must comply with the ACNC Governance Standards.
Governance Standard 5 outlines the duties of a charity’s Responsible People. Charities are required to ensure their Responsible People are meeting their duties, including:
- acting with reasonable care and diligence
- acting honestly and fairly in the best interests of the charity for its charitable purposes.
Charities should keep the Governance Standards in mind – particularly Governance Standard 5 – when setting policies and processes for managing people’s information and data.
Community members have clear expectations about the way a charity manages information and data, and understanding and meeting these expectations is crucial for protecting a charity’s reputation and public support for its work.
A good relationship with the public and a committed supporter base can take years – even decades – to build, but can take a fraction of that time to fall apart.
People are increasingly aware of the importance of privacy and information and data protection, and simply complying with all the base requirements of the law may not necessarily meet reasonable community expectations of responsible, honest and ethical practice. Aspiring to best practice should be the aim.
A charity’s positive relationship with donors, supporters, members and the public may be at risk if it does not have adequate policies and processes to safeguard people’s information and data.
Responsible People should ensure there are good policies and processes for information and data management which mitigate risks and protect a charity’s reputation. Doing so is vital to good charity governance.
Managing people’s information and data poorly leaves a charity vulnerable to outcomes which are likely to have a detrimental effect on its reputation and public support.
There are federal and state laws that may apply to the way a charity collects, stores and uses information and data about people.
Responsible People should be aware of the laws that apply to their charity, and ensure their charity’s staff and volunteers follow processes that comply with these laws.
Privacy laws at both the state and federal levels can be complex to apply in practice. If you are unsure about how the law may apply to your charity specifically, please seek professional legal assistance.
State and territory level
Laws at state and territory level differ in each jurisdiction and, as such, may apply to the information and data that a charity holds in different ways, and may result in different requirements for their management.
It is up to a charity’s Responsible People to be aware of state or territory laws that apply to their charity.
For a list of laws and other regulatory agencies in state and territory jurisdictions, please see the Office of the Australian Information Commissioner website.
Federal level
A charity that collects and stores people’s information and data may be subject to the Privacy Act 1988 (Cth) (the Privacy Act). The Privacy Act applies to organisations that meet certain criteria, and some charities will meet them.
A charity must comply with the Privacy Act if it meets any of the following criteria:
- has an annual turnover of more than $3 million
- provides a health service to a person
- sells or purchases personal information
- is required to comply with the Privacy Act under a contract (for example, an aged-care provider or a disability services provider under a Commonwealth agreement)
- is related to a body corporate (for example, it is a subsidiary) that meets any of the above criteria (even if the charity alone does not).
If you are unsure whether your charity meets these criteria, refer to the free resources available on the website of the Office of the Australian Information Commissioner (OAIC), or seek professional legal assistance.
If a charity meets any of these criteria, it must comply with the Privacy Act and the Australian Privacy Principles contained within. Charities that do not fit any of the criteria can opt in to comply with the Privacy Act.
Opting in to compliance with the Privacy Act may be a good way for a charity to demonstrate its commitment to transparency, accountability and good governance.
How the Privacy Act applies to a charity may also change over time, particularly if the charity grows or changes its services. Regardless of whether the Privacy Act applies, there are significant benefits to good privacy practice that come from complying with it.
Strong privacy protections can enable better services and stronger relationships between charities and the community. When the public is confident that a charity will collect and handle their personal information appropriately, they are more likely to engage with that organisation. This is particularly important where a charity relies on sustained support from donors, members or volunteers.
More information about opting in to the Privacy Act can be found on the OAIC website.
The Australian Privacy Principles (APPs) are the cornerstone of the Privacy Act’s privacy protection framework.
The APPs apply to any organisation or agency the Privacy Act covers, and comprise 13 principles that govern how personal information must be managed. Personal information is information that can be used to identify or reasonably identify a person, such as a name, date of birth, email address, bank account or address.
If a charity manages sensitive information, there are stricter provisions within the APPs that also apply. This includes information about a person’s religious, political or philosophical beliefs, membership of associations or trade unions, racial background, sexuality or health.
APP 1: Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date APP privacy policy.
APP 2: Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3: Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4: Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5: Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6: Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7: Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8: Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9: Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government-related identifier of an individual as its own identifier, or use or disclose a government-related identifier of an individual.
APP 10: Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11: Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12: Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13: Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
Overall, the Privacy Act requires organisations to be clear about:
- when they collect personal information
- why they are collecting personal information, and what they will do with personal information, and
- how people can gain access to the personal information an organisation holds about them, as well as correct that information if required.
Responsible People should be aware of all the APP requirements, including those for storing people’s information overseas, when considering their charity’s information and data management processes.
See the OAIC website for more information about the Australian Privacy Principles, including definitions of key terms and details on each of the principles.
How these obligations affect the way charities use data
Charities need to understand their obligations, and ensure they comply with all requirements, when managing information and data.
Charities can often use the information and data they hold for direct marketing when contacting people by mail, email or phone to promote their services, or solicit donations or support.
For charities that are required to comply with, or opt in to comply with, the Privacy Act, Responsible People need to understand APP 7, which sets requirements for direct marketing.
For charities not required to comply with the Privacy Act, following APP 7 is still a good idea when considering using people’s information and data for direct marketing.
Doing so is good practice and sends a message to donors, supporters and the public that the charity manages people’s information and data responsibly.
In short, APP 7 says that a charity must not use or disclose a person’s personal information for the purpose of direct marketing unless it satisfies all of the following criteria:
- the charity collected the information from the person
- the person would reasonably expect the charity to use or disclose their information and data for the purpose of direct marketing
- the charity provides a simple means by which the person may easily request not to receive direct marketing communications from the charity, and
- the person has not made a request to not receive direct marketing communications from the charity.
An exception to this principle may apply in instances where a person would not reasonably expect a charity to use their information for direct marketing.
In such instances, a charity may still use the person’s information for direct marketing purposes, but only if it meets all of these criteria:
- the person has given consent for their information to be used for this purpose (or it is not practical for the charity to obtain the consent)
- the charity provides a simple means by which the person may easily request not to receive direct marketing communications from the charity
- the charity provides a prominent statement that the person may make such a request each time that it contacts the person for a direct marketing purpose (or the charity otherwise draws the person’s attention to this option), and
- the person has not made a request not to receive direct marketing communications from the charity.
These criteria also apply in situations where a charity collects the person’s information from a source other than the person in question – for example, if it collects the information from another charity.
Under APP 7, the use of sensitive information is treated differently to personal information.
For a charity to use a person’s sensitive information for direct marketing purposes, it must first receive the person’s consent.
Consent may be express or implied. As set out in the APP Guidelines, the four key elements of consent are:
- the individual is adequately informed before giving consent
- the individual gives consent voluntarily
- the consent is current and specific, and
- the individual has the capacity to understand and communicate their consent.
Importantly, APP 7 requires a charity to act on a person’s request to not receive direct marketing communications. If a charity uses a person’s information for direct marketing (or for facilitating direct marketing by other organisations), the person may request:
- not to receive direct marketing communications from the charity
- not to have their information used for the purposes of facilitating direct marketing communications, and
- that the charity provide the source of its information.
Once a charity receives such a request, it must act on the request within a reasonable time period. The OAIC’s APP Guidelines indicate that this is usually no more than 30 days.
Sharing donor lists can be an effective way for charities to expand their audience, promote their work, and solicit donations and support. However, charities must be careful to ensure that doing so would meet reasonable community expectations and applicable APPs.
For a charity thinking about sharing a list of donors, it is important it considers how its supporters, donors and the community would view the decision to do so, particularly from a privacy perspective. Before sharing information and data about people, a charity’s Responsible People should consider:
- whether the charity has stated that it might share the information or data it holds about people
- whether the charity has given people the option not to have their information or data shared
- the type of organisation with which the charity intends to share the information or data it holds about people, and
- the risks that sharing people’s information or data may pose for the charity’s reputation and its public support.
A charity must be clear about the purposes for which it collects, stores and uses people’s information and data. A charity must not share a person’s information or data with other charities or organisations unless the person has given consent for the charity to do so, or the person would reasonably expect the charity to do so.
For charities that are required to comply with, or have opted in to comply with, the Privacy Act, the APPs cover such practices.
It is important that Responsible People understand the requirements for using or disclosing personal information set out in APP 6. If a charity uses or discloses personal information for direct marketing purposes, however, APP 7 would apply instead of APP 6.
The requirements of APP 6 mean, in short, a charity must only use a person’s information for the purpose for which it collected the information (the primary purpose), unless it has received consent from the person to do otherwise.
There are exceptions within this principle, though. A charity may use or disclose a person’s information for a purpose other than the primary purpose if it meets these criteria:
- the person would reasonably expect the charity to do so, and
- the information is related to the primary purpose (or directly related to the primary purpose for sensitive information).
Exceptions also exist for when:
- the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order
- a charity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, or
- a permitted general situation or a permitted health situation exists.
Even if a charity is not required to comply with the Privacy Act, following this principle is good practice for managing people’s information and data.
It will ensure that the charity manages the information and data that it holds about people responsibly, honestly and ethically – and in line with reasonable community expectations.
Some charities may want to buy or rent access to donor lists to expand their reach. Some may even want to sell their own list of donors.
Buying, renting and selling lists occurs in the business sector and may provide benefits for charities too.
However, it is important that Responsible People consider the community expectations and privacy impacts of such practices, and the risks that they bring.
To ensure it aligns with practices outlined in APP 6, a charity thinking about selling its donor list must ensure those on the list have:
- consented to having their information and data used in this way, or
- had a reasonable expectation that the charity would do so.
If the charity is selling its donor list for direct marketing purposes, APP 7 would apply instead of APP 6.
For a charity that is considering buying or renting a list of donors (be it from another charity or a list broker), it is important to consider APP 3, which states that 'an APP entity must collect personal information only by lawful and fair means'.
However, it is also important to note that collecting a person’s information and data by 'lawful and fair means' does not necessarily mean that the charity can be sure that people provided their consent or had a reasonable expectation that their information and data would be used in this way.
It is crucial that a charity’s Responsible People are vigilant in conducting due diligence if they are thinking about buying or renting a list of donors for their own use.
Working with third parties
When entering into arrangements with third parties, charities should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both the charity and the wider community.
Charities need to read the terms of their agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
How to manage information and data
There are a number of steps that a charity can take to ensure responsible, honest and ethical management of people’s information and data.
This includes developing a policy for how the charity collects, stores and uses people’s information and data.
The following recommended actions are suggestions for how a charity can manage information and data.
This is not an exhaustive list, and the suggestions are not specific requirements for registration as a charity with the ACNC. However, they provide a foundation on which good governance practices for information and data management can be built.
- Only collect a person’s information and data by lawful and fair means.
- Do not share or sell people’s information and data without their express recorded permission.
- When collecting a person’s information and data, be explicit about the purpose of the collection.
- Only collect and store the minimum amount of information and data about a person required for a particular purpose.
- Only store a person’s information and data for as long as it is required for the purpose.
- Securely store people’s information and data both physically and digitally.
- Have processes in place to regularly review stored information, and decide if the information should be retained. Delete the information when it is no longer required. Charities should not retain information simply because it may be useful in the future.
- Only disclose a person’s information and data for the purpose for which it was collected and stored.
- Offer people an option to have their information and data changed, corrected or securely removed.
- Allow people to have access to and correct their information and data.
- Accurately record and follow people’s marketing preferences.
- Implement strong security measures, including:
  - access controls, so that staff and volunteers can only access the information they need to perform their duties
  - effective network and software security measures, and
  - avoiding the use of shared accounts where possible.
- Implement a data breach response plan and prepare for the possibility of a data breach.
- Ensure all the staff and volunteers who have access to people’s information and data understand the charity’s policies, as well as their privacy and security obligations.
- Ensure staff and volunteers who have access to people’s information and data are properly trained.
- Implement a clear policy and processes for managing people’s information and data.
- Publish publicly, or make available on request, the charity’s policy for managing people’s information and data.
- If using an external provider to manage information and data, ensure its policies and practices meet legal requirements and the expectations of the charity and the community.
- When entering agreements with third parties:
  - read the terms of the agreement carefully
  - conduct periodic reviews of arrangements, and
  - ensure the third party deletes any personal information at the end of the contract term.
A charity should be transparent about the information and data that it collects, stores and uses.
It should be open about its practices and be prepared to answer questions from donors, members, supporters and the public about the way it manages people’s information and data.
Charities should, as a matter of good practice, have a policy that outlines the way they collect, store and use people’s information and data.
Such a policy will determine the approach that a charity takes to managing information and data, guide the practices of its staff and volunteers, and provide assurances to its donors, supporters and members.
It is also good practice for a charity to have this freely available on its website.
Charities that are required to comply with the Privacy Act, or those that have opted in to comply with it, must have an APP Privacy Policy which covers the management of personal information.
Your charity’s policy needs to cover its specific needs and, as such, there is no single general policy that will be appropriate for all charities. Each charity should have a policy that is tailored to fit its own work.
There are, however, some common aspects of a policy that the Responsible People of a charity should consider when developing their own. The policy may include:
- examples of the type of information and data about people that the charity collects, stores and uses
- the processes by which the charity collects people’s information and data
- the purposes for which the charity collects, stores and uses people’s information and data
- how and where the charity securely stores and protects people’s information and data – for example, digital storage managed locally or held on servers overseas
- an explanation of when the charity will disclose people’s information and data, and to whom
- an explanation of how the charity will use people’s information and data
- the processes for addressing breaches of privacy or complaints about the charity’s management of people’s information and data
- the conditions on which an individual can access their information and data, and the process by which they can do so.
The policy should be reviewed regularly to ensure it is up to date, relevant and meets the requirements of any applicable laws.
All Responsible People, management, staff and volunteers of a charity should be familiar with the processes outlined in the charity’s policy.
Data breaches are a significant risk when handling personal information. A data breach occurs when personal information an organisation holds is lost or subjected to unauthorised access or disclosure. Data breaches can cause considerable harm.
Being prepared for when things go wrong is a part of good privacy practice. This includes having a data breach response plan.
If charities don’t have a data breach response plan, the OAIC’s Data breach preparation and response guide will assist in preparing for and responding to a data breach.
Charities can also complete a privacy impact assessment in relation to any new projects or activities. This will help charities understand the impact their practices might have on the privacy of individuals, and identify ways to manage, minimise or eliminate those impacts.
For more information, see the OAIC’s Guide to undertaking privacy impact assessments and Undertaking a privacy impact assessment e‑learning course.
Charities have a particular need to handle and retain donor information. However, they should be careful not to retain more personal information than is necessary for their purposes. Indefinite retention of information is unlikely to be compliant with the APPs. If there is no requirement or justification for retaining the information, you must take reasonable steps to destroy or de-identify the information.
Charities should have systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required. For example, the information of people who were supporters or donors a long time ago should not be retained simply because it may be useful to your charity in the future. Charities should only retain personal information where there is an ongoing need to hold this information, such as where they have continuing engagement with these supporters for awareness-raising or volunteering purposes.
Charities should have policies and procedures that expressly set out the maximum retention period for each type of supporter’s information held in their systems. In particular, charities should have processes that are well known to all staff for the destruction of personal information when it is no longer needed for a permissible purpose under the APPs, and should conduct regular training and monitoring to ensure compliance.
Charities should retain clear records of the date of last engagement with a donor, including any full or partial ‘do not contact’ requests. Reasonable steps that your charity may wish to implement include an alert system that notifies staff (and the donor) when a significant period has passed since the donor last made a donation or otherwise engaged with the charity, so that your systems only retain information for a permissible purpose.
See the OAIC’s Guide to securing personal information for detailed guidance on how to securely destroy personal information.
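The retention review described above, as an added example that is not the ACNC’s or the OAIC’s code: each constructed supporter record carries a date of last engagement, the policy assigns an assumed maximum retention period per supporter type, and the review decides whether to retain the record, alert staff that the limit is approaching, or destroy/de-identify it. The retention periods, alert window and sample records are all constructed for illustration.

```python
"""Retention review for supporter records (added example, constructed data).

Decides per record: keep it, alert staff that the retention limit is near,
or destroy/de-identify it, based on date of last engagement and a maximum
retention period per supporter type.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy values: years to keep a record after the last
# engagement. A charity sets these in its own information and data policy.
MAX_RETENTION_YEARS: Dict[str, int] = {"donor": 7, "volunteer": 5,
                                       "newsletter_subscriber": 2}
ALERT_WINDOW = timedelta(days=365)   # warn staff this far before the limit


@dataclass
class SupporterRecord:
    supporter_id: str
    supporter_type: str
    name: Optional[str]
    email: Optional[str]
    last_engagement: date            # last donation, event, shift or contact
    do_not_contact: bool = False     # full or partial "do not contact" request
    donations: Dict[int, float] = field(default_factory=dict)  # year -> total


def retention_deadline(record: SupporterRecord,
                       policy: Dict[str, int] = MAX_RETENTION_YEARS) -> date:
    """Last day the record may be kept under the policy."""
    last, years = record.last_engagement, policy[record.supporter_type]
    try:
        return last.replace(year=last.year + years)
    except ValueError:               # engagement fell on 29 February
        return last.replace(year=last.year + years, day=28)


def classify(record: SupporterRecord, today: date,
             policy: Dict[str, int] = MAX_RETENTION_YEARS) -> str:
    """'retain', 'alert' (limit within ALERT_WINDOW) or 'destroy_or_deidentify'."""
    deadline = retention_deadline(record, policy)
    if today > deadline:
        return "destroy_or_deidentify"
    if today >= deadline - ALERT_WINDOW:
        return "alert"
    return "retain"


def deidentify(record: SupporterRecord) -> SupporterRecord:
    """Drop direct identifiers; keep supporter type, engagement year and
    per-year donation totals so historical income reporting still works."""
    return replace(record, supporter_id="deidentified", name=None, email=None,
                   last_engagement=date(record.last_engagement.year, 1, 1))


def review(records: List[SupporterRecord], today: date,
           policy: Dict[str, int] = MAX_RETENTION_YEARS) -> Dict[str, list]:
    """Periodic review: ids to retain, ids to alert on, and the de-identified
    records that replace those past their retention limit."""
    out: Dict[str, list] = {"retain": [], "alert": [], "destroy_or_deidentify": []}
    for rec in records:
        outcome = classify(rec, today, policy)
        out[outcome].append(deidentify(rec) if outcome == "destroy_or_deidentify"
                            else rec.supporter_id)
    return out


# Constructed sample records; the review date is fixed so results are stable.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_RECORDS = [
    SupporterRecord("D001", "donor", "A. Example", "a@example.org",
                    date(2015, 3, 10), donations={2014: 50.0, 2015: 75.0}),
    SupporterRecord("D002", "donor", "B. Example", "b@example.org",
                    date(2018, 1, 15), donations={2018: 200.0}),
    SupporterRecord("V003", "volunteer", "C. Example", "c@example.org",
                    date(2023, 11, 2)),
    SupporterRecord("N004", "newsletter_subscriber", "D. Example",
                    "d@example.org", date(2022, 5, 1), do_not_contact=True),
    SupporterRecord("D005", "donor", "E. Example", "e@example.org",
                    date(2016, 2, 29), donations={2016: 120.0}),
]

if __name__ == "__main__":
    for bucket, items in review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(bucket, items)
```

The de-identified record keeps the do_not_contact flag only as an aggregate attribute; whether a minimal suppression record should outlive the rest of a supporter’s data is a policy decision the charity must make in its own policy, not one this example makes.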
Office of the Australian Information Commissioner (OAIC) resources
- Privacy Act
- Australian Privacy Principles guidelines
- Opting in to the Privacy Act
- Privacy for not-for-profits, including charities
- State and territory privacy legislation
- Data breach preparation and response
- Guide to undertaking privacy impact assessments and Undertaking a privacy impact assessment e‑learning course
- Guide to securing personal information