This article was co-authored with Gabe Abfalter, Donnacha Egan and Isabella Dudkowski.
Introduction
For charities and not-for-profit organisations (NFPs) in Australia, understanding and complying with privacy obligations is important for maintaining trust with donors, beneficiaries and the public. In light of the increasing prevalence of data breaches and cyber threats, putting in place strong privacy practices is vital for NFPs.
This article explains how the Privacy Act 1988 (Cth) (Privacy Act) applies to NFPs, including relevant obligations and exemptions. It also looks at recent reforms and potential changes, such as the possible removal of the small business exemption and the introduction of new privacy rights like the right to erasure. We aim to give NFPs general guidance to help manage privacy effectively.
Does the Privacy Act apply to NFPs?
Currently the Privacy Act is applicable to NFPs if their annual turnover is $3 million or more. In essence, if your NFP is registered with the Australian Charities and Not-for-profits Commission (ACNC) as “large”, you are bound by the Privacy Act.
For NFPs with an annual turnover of less than $3 million, the small business exemption may apply, exempting these NFPs from the obligations of the Privacy Act. To determine whether the small business exemption is applicable, some additional considerations include whether:
- You are a contracted service provider (including as a subcontractor) for an Australian Government contract.
- You provide health services even if this is not your primary activity (e.g. a club that has a program to assist members with injuries or improve fitness or health).
- You sell or purchase personal information (e.g. if you sell customer lists in exchange for sponsorship benefits).
- You are related to a larger body corporate that is subject to the Privacy Act.
If you answer “yes” to any of these questions, the Privacy Act will apply to you regardless of your annual turnover. In particular, it is not uncommon for NFPs to purchase or sell customer lists to other entities. If your NFP performs this activity, it is important to understand that this in turn means the Privacy Act will apply.
The ACNC encourages NFPs, regardless of size or exemption, to have a robust privacy policy modelled on the obligations imposed by the Privacy Act. NFPs that are not bound by the Privacy Act may choose to ‘opt in’, which can introduce best practices to the organisation and instil confidence in the public that appropriate protections are in place.
If your NFP tends to have large fluctuations in annual turnover, you may find that some years you are required to comply with the Privacy Act and others you are exempt. To avoid confusion amongst staff, instil trust with donors and the public and improve operational efficiencies, opting into the Privacy Act may be more effective in the long term. This approach also ensures continuity and clarity in your NFP’s privacy policy.
This view is reinforced by the recent decision of the regulator of the Privacy Act, the Office of the Australian Information Commissioner (OAIC), in relation to the January 2021 cyber-attack on Oxfam Australia which resulted in the loss of up to 1.7 million Oxfam records. The OAIC commenced a three-year investigation to determine whether Oxfam was meeting its privacy obligations under the Privacy Act. In December 2024, Oxfam presented the OAIC with an enforceable undertaking which the OAIC accepted. The enforceable undertaking does not equate to a finding that Oxfam had breached the Privacy Act, but it is an agreement by Oxfam to change their actions. The various changes Oxfam undertook to implement included reviewing data retention practices, updating staff guidance and training, as well as the use of privacy threshold assessments for projects involving personal information. Privacy Commissioner Carly Kind used this as an opportunity to remind NFPs to remain vigilant of emerging privacy threats and ensure they do not adopt a ‘set and forget’ mindset to privacy practices.
What are the Privacy Act obligations for NFPs?
In the Oxfam case, the OAIC set out that crucial privacy practices NFPs ought to be aware of include:
- Only collecting personal information that is necessary for your functions
- Not storing personal information for longer than needed and appropriately deleting personal information when it is no longer required
- Undertaking regular and systematic reviews of your privacy policy and responses to ensure they remain current in the cyber climate
- Conducting frequent training or reviews with staff on your privacy plan to ensure preparedness to respond quickly and efficiently to a cyber incident
- If contracting with a third party, verifying that their privacy policies meet your expectations and are in compliance with your standards, for example, by reviewing a third party’s privacy policy regularly and ensuring the third party deletes any personal information it holds at the conclusion of the agreement
The changing landscape of privacy in Australia
Major reforms to the Privacy Act were introduced in late 2024 which constitute the most substantial changes to the Privacy Act since the introduction of the Australian Privacy Principles (APPs) in 2014 and the Notifiable Data Breaches Scheme (NDBS) in 2018. These latest reforms include:
- Introduction of a tort of ‘serious invasions of privacy’
- Expanded regulatory enforcement powers
- Introduction of automated decision-making transparency requirements
- Requirements for additional technical and organisational measures
Please see here to read our full analysis on the impacts of the reforms.
Potential removal of the small business exemption
A ‘second tranche’ of reforms is anticipated and is expected to contain further substantial changes, including the removal of the small business exemption. If or when this round of reforms is passed, NFPs that currently rely on the small business exemption may be required to comply with the Privacy Act and the NDBS. Further amendments to the NDBS may include shortening the reporting period for a notifiable breach from 30 days to three days. These reforms may require a significant degree of upskilling, remediation and preparation for NFPs.
Tort of serious invasion of privacy
Additionally, should the small business exemption be removed, charities and NFPs will be subject to the tort of serious invasion of privacy passed in the first tranche of reforms in December 2024 and effective as early as 10 June 2025 (or another date to be proclaimed). This grants Australians a personal right of action to bring a claim against an NFP if the NFP has invaded their privacy by intruding on their seclusion or misusing personal information relating to them.
Right to erasure
Potentially one of the most impactful proposed amendments in the anticipated second tranche of reforms is the introduction of an EU-inspired ‘right to erasure’. This would significantly increase the burden on NFPs to take proactive steps to delete all personal information relating to an individual upon that individual’s request. If introduced, the right to erasure could extend to personal information an NFP has collected from a third party or vice versa, meaning the NFP would be required to take steps to effect the erasure request unless it is impossible or requires disproportionate effort.
This potential outcome also has a nexus with the existing obligations imposed by the Spam Act 2003 (Cth) (Spam Act), which regulates when and how Australian companies can send electronic messages, and the Do Not Call Register Act 2006 (Cth) (DNCR Act), which prevents companies from making unsolicited phone calls to numbers registered on the Do Not Call Register. Should the small business exemption be removed, then along with the Spam and DNCR Acts, the Privacy Act will need to be added to the list of considerations when engaging in the exchange of customer information. Furthermore, if the right to erasure is legislated, this would require an overhaul of administrative processes in many NFPs and ongoing oversight of the flow of an individual’s data in and out of the organisation.
Additional organisational and technical measures
Likewise, the technical and organisational requirements introduced by the most recent reforms would present a significant change for NFPs. The reform requires organisations to take proactive organisational steps, such as ongoing staff training on key privacy and security issues, so that there are ‘built-in’ defences rather than sole reliance on strong technical defences. If NFPs are subject to this requirement, it is likely to impose an increased burden in time and funds to facilitate ongoing staff training and to develop and keep various policies up to date. Adequate budget allocation for this additional compliance effort will be a further consideration for NFPs governed by the Privacy Act.
What’s next?
Given the temperamental cyber climate, NFPs more than ever need to be aware of their obligations and consider their approach to privacy. If found to be in breach of the Privacy Act, NFPs could face a new tiered system of penalties for interfering with an individual’s privacy. This includes the introduction of civil penalties along with infringement notices which could be issued for failing to have an up-to-date privacy policy or failing to deal with requests to correct information. Additionally, should NFPs be subject to the NDBS, failure to report a breach within the anticipated shortened three days could attract significant penalties along with negative publicity.
It is important for NFPs to stay tuned in to evolving privacy regulation to ensure they are not caught unprepared by recent and forthcoming reforms. Now is the time to audit your current privacy practices and assess areas for improvement. A proactive approach is essential to ensuring your business reputation and stakeholder trust are as secure as your privacy policy.