Data Privacy for Aussie Charities and Not-for-Profits: What You Need to Know

Staying on top of data privacy is becoming more important than ever for not-for-profits (NFPs) in Australia. A recent reminder from the Office of the Australian Information Commissioner (OAIC) has highlighted what good data hygiene should look like – and what can happen if your organisation doesn’t keep up.

Introduction to our Expert Guest Writer

We’re delighted to welcome Alex Dittel as a guest contributor. Alex is a Principal Solicitor at KHQ Lawyers, leading their Data Privacy, Cyber & Digital practice. With over 15 years of experience across the UK and Australia, he specialises in data protection, information security, and technology law, advising not-for-profits and businesses on navigating complex privacy regulations. As a certified privacy professional with expertise in GDPR and Australian privacy law, Alex brings valuable insights into the evolving landscape of data compliance.

Why Privacy Matters for NFPs Right Now

Back in February 2025, Oxfam Australia entered into an enforceable undertaking with the Privacy Commissioner. The agreement included a promise to:

  • Regularly delete outdated data
  • Provide staff with clear privacy guidelines
  • Run ongoing privacy training for employees

These aren’t just best-practice tips – they’re steps the Commissioner may now expect from any organisation that’s covered by the Privacy Act 1988 (Cth). Even if you’re a smaller charity that doesn’t currently fall under the Act, there’s still a strong case for following this guidance.

The Privacy Commissioner’s New Powers

Thanks to recent reforms passed in late 2024, the Privacy Commissioner has expanded enforcement powers. These include:

  • Entering premises to conduct inspections
  • Seizing materials where needed
  • Issuing financial penalties for non-compliance

There are now two tiers of penalties for breaches of privacy law – including cases that are considered “non-serious”. For example:

  • Not having a privacy policy in place? That could land you with a fine of up to $66,000.
  • Failing to carry out a privacy impact assessment or implement internal compliance systems? You might face up to $660,000 in penalties.

The recent case involving Bunnings and the misuse of facial recognition tech is a good reminder that these compliance processes are indeed required.

It’s Not Just the Regulator You Need to Worry About

In addition to regulatory action, many organisations are facing legal action from individuals whose data has been compromised in a breach. There are dozens of class actions currently underway in Australia, with potential payouts ranging from $1,000 to $5,000+ per affected person.

Thanks to a new “direct right of action” under privacy laws, individuals can now bring compensation claims themselves, meaning that a simple complaint can quickly escalate.

The Double-Edged Sword of Technology

Many charities and NFPs lean on technology to save time and money – and rightly so. But these tools can come with hidden privacy risks, especially if you’re not asking the right questions up front.

Here are some common pitfalls to watch for:

  • Poor default privacy settings or access controls
  • Lack of clear information on how AI or other tools use your data
  • No solid security guarantees in vendor contracts
  • Limited ability to respond to data access or correction requests
  • Unclear data storage and sharing practices
  • Vague or misleading wording on how providers may use your data

Often, these issues are overlooked until it’s too late. But you can avoid most of them by doing your due diligence before signing any contracts – and pushing back if needed. Don’t assume providers will volunteer this info. You have to ask.

Other Data Privacy Risks Facing Charities

Besides tech, here are some other areas where things can go wrong:

  • Mishandling sensitive information about vulnerable people
  • Sharing data too freely with partners or government agencies
  • Failing to define who’s responsible for data governance
  • Weak information security practices, often because there is no dedicated personnel or external support
  • No staff training or awareness on privacy matters
  • Marketing-related risks like data swaps, poor consent practices or shady tracking tools

Where to Start: Practical Steps for Your Organisation

The OAIC’s “Privacy for Not-for-Profits” guide is a helpful starting point. It’s worth noting that smaller NFPs with less than $3 million in annual turnover may be exempt from the Privacy Act – but that doesn’t mean you’re off the hook entirely. As the Commissioner says, “Strong privacy protections can enable better services and stronger relationships between NFPs and the community.”

Here’s where we recommend you begin:

  • Put privacy policies in place and make sure staff know them
  • Train your team to recognise and raise potential privacy issues
  • Be selective with tech suppliers – and manage those relationships well
  • Set up an incident response plan so you’re ready if things go wrong

Need Help with Staff Training?

KHQ Lawyers offer free data privacy training tailored for not-for-profit teams and boards.

Alexander Dittel is a Principal Lawyer in Data Privacy, Cyber and Digital at KHQ Lawyers.
