Is your Not for Profit compliant with the Privacy Act changes?

Australian Privacy Act

Last month, the Australian government passed amendments to the Privacy Act 1988. With this came more stringent responsibilities and potential penalties for many Not for Profits.

Most notably, organisations with less than $3m in revenue are no longer exempt from meeting these requirements. That means 89% of charities that were below the threshold are now held accountable for abiding by these rules.


What are some questions you should be asking related to the Privacy Act?

To ensure your organisation is compliant with these Privacy Act rules, there are a number of questions you should be asking:

  1. What data are you collecting? The process of understanding how compliant you are with privacy matters starts with identifying which information you are collecting in all parts of the organisation. Don’t forget those smaller systems that might perform a minor task like a survey.
  2. Do you really need to collect that information? Even if the individual provides consent, that consent does not entitle you to collect information that does not pass the “fair and reasonable” test. Every online field and form should be scrutinised to determine whether it is directly relevant to the service being provided, or whether it poses a risk to the individual’s privacy without offering significant benefits. For example, birth location is being questioned as “fair and reasonable.”
  3. Are you storing legacy data that you no longer need? Many Not for Profits have legacy data that is still being stored, even if no longer collected today. For example, I had a client who collected copies of driver’s licenses from their customers. They quit this process years ago because it was deemed unnecessary, but the copies still resided in the CRM, which is a breach of this regulation.
  4. Are your processes and practices protecting personal information? I often see Not for Profit staff sending privacy data via email to external parties. I also see sensitive files (like spreadsheet downloads from the CRM) stored in unprotected folders in SharePoint – all a “No No!”
  5. Are you collecting information about minors/children? For those dealing with child services, you are already under significant regulations for their protection. However, these new Privacy Act changes can also impact those marketing and providing products or services to children, such as school holiday programs.
  6. Are your data locations secure? While you may be relying mostly on third-party providers today, do you have any older systems that are no longer supported but still on your network? And are you confident that your suppliers are doing the right thing with appropriate cybersecurity protections? My reviews of Not for Profits regularly find deficiencies here.


What to do if you are not compliant?

If you ask these questions of your organisation and find that you are not fully compliant, it’s important to begin rectifying the issues immediately.

System changes could be simple fixes, but getting rid of attachments buried in emails is not.

So, I recommend that you take care of the low-hanging changes first before you progress to harder ones that may require external support, such as the need for a cultural change around privacy.


Final thoughts

The recent changes to the Privacy Act were meant to strengthen the individual’s rights to privacy.

For many Not for Profits, this is the first time these rules apply to them. And so if your organisation falls into this situation, it’s critical that you understand your obligations and take the necessary steps to meet them within your systems, practices and culture.


I regularly help Not for Profits mitigate data strategy and system risks. Let me know if you need some help.


Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.
