Three quick privacy facts for Charities and Not-for-Profits (NFPs)


If the Privacy Act 1988 (Cth) applies to your organisation, these three facts should help focus you on your organisation’s compliance. If you are unsure if your organisation is subject to the Privacy Act, please contact us for advice.

  1. NFPs should ensure that any collection of personal information is appropriately notified to individuals in the form of a collection notice. 

NFPs risk non-compliance with Australian Privacy Principle (APP) 5 by failing to notify individuals about certain matters, including: 

  • your organisation’s identity and contact details 
  • the facts, circumstances, and purposes of collection 
  • whether the collection is required or authorised by law 
  • any consequences if the personal information is not collected 
  • any disclosures of the personal information, whether the information is likely to be disclosed to overseas recipients, and if practicable, the countries where they are located 
  • information about your organisation’s Privacy Policy. 

Griffin Legal can assist in preparing collection notices and reviewing your organisation’s privacy policy.

  2. Your NFP should only disclose personal information for the primary purpose for which it was collected unless an exception in the Privacy Act applies (see Australian Privacy Principle 6).

These exceptions include where: 

  • the Privacy Act does not apply to your organisation
  • the individual has consented to the disclosure 
  • the individual would reasonably expect the disclosure and the other purpose relates (or for sensitive information, directly relates) to the primary purpose of collection 
  • the disclosure is required or authorised by law. 

APP 7 also places restrictions on sharing personal information for direct marketing, such as fundraising, or to facilitate direct marketing by other organisations. 

Griffin Legal can assist your organisation in data governance reviews and advice.

  3. An APP entity must notify affected individuals of a data breach where the data breach is likely to result in serious harm.

Serious harm includes but is not limited to: 

  • identity theft, which can affect finances and credit reports 
  • financial loss through fraud 
  • physical harm 
  • psychological and emotional harm 
  • reputational harm. 

Where the APP entity has been able to successfully prevent the likely risk of serious harm with remedial action, notification may not be appropriate. 

It is important to act quickly. Griffin Legal can assist with data breach management.

For NFPs, privacy is about more than compliance with law; it is about stakeholder and public trust. Emerging technologies such as artificial intelligence (AI), machine learning, new surveillance technologies, biometrics, wearable technology and smart devices will have an impact on individuals’ privacy and their level of trust in business. Other, more traditional projects and services can also have a significant impact on privacy and trust, particularly if the project involves a new or changed way of handling personal information. Before adopting a new project or technology, consider obtaining privacy advice that will set out all the complexities and identify risks and practical mitigation strategies.
