
Privacy Act reforms - What NFPs and Charities Need to Know

The Privacy Act 1988 (Cth) (Privacy Act) has undergone its most significant reform since 2014, with the Privacy and Other Legislation Amendment Act 2024 receiving Royal Assent in December 2024. These changes, inspired by international privacy benchmarks such as the European Union’s General Data Protection Regulation (GDPR), aim to strengthen individual rights and impose clearer obligations on entities that handle personal information - including not-for-profits (NFPs) and charities.

Why it Matters to Your Organisation

Although NFPs, charities, and small organisations have historically operated under less scrutiny of their privacy obligations, the landscape is shifting. Increased regulatory powers, tougher penalties, and the expansion of responsibilities under the Australian Privacy Principles (APPs) mean that your organisation’s privacy practices must now meet a higher standard.

Our Quick Tips

Consider: 

  • Data minimisation - collecting only the information necessary for your purposes,
  • Purpose limitation - only using personal information for the purpose for which it was collected or a directly related purpose,
  • Restricting access to personal information to authorised personnel only, and
  • Properly destroying data when it is no longer needed.

Actions you could take include: 

  • Increasing training and compliance measures to educate personnel on privacy obligations, practices and data security awareness,
  • Doing due diligence regarding third-parties you engage with, including: 
    • assessing how key third-party providers handle personal information, and
    • requiring contracts to have clear data security obligations,
  • Assessing whether you use automated decisions in your business processes,
  • Regularly reviewing privacy policy and procedures to adapt to changes in technology and regulations,
  • Conducting privacy impact assessments to regularly assess the privacy risks of new projects and systems,
  • Considering developing an internal data security policy that outlines how information is collected, used, and stored, as well as how to respond to a data breach, and
  • Considering possible controls under the Children's Online Privacy (COP) Code.

Key reforms

Some of the key reforms most relevant to NFPs and charities include:

1. Stronger obligations on automated decision-making

If your organisation uses software or algorithms to make decisions that affect individuals, such as eligibility assessments, resource allocation, or even targeted communications, these processes must now be disclosed in your privacy policy. This includes detailing how personal information is used in the decision-making and the impact of such decisions.

2. Mandatory technical and organisational measures

It is no longer enough to vaguely commit to taking “reasonable steps” to protect data. The revised Privacy Act now specifies that entities must take both technical (e.g. encryption, anti-virus software) and organisational (e.g. staff training, access controls) safeguards. NFPs dealing with sensitive information - such as health information, criminal records, or political data - must ensure their privacy procedures consider these technical and organisational aspects of protection.

3. New statutory tort for serious invasions of privacy

Individuals can now sue for serious invasions of privacy, even without demonstrating harm. If your organisation recklessly or intentionally misuses personal information or intrudes on an individual’s privacy, you could face a claim. A public interest test will consider the balance between the public interest in protecting a person’s privacy with wider public interests and the organisation’s objectives.

4. Increased penalties and enforcement

The Office of the Australian Information Commissioner now has broader investigative powers under the new amendments, with penalties for breaches of the Privacy Act also increasing substantially. For example, entities may face fines up to $3.3 million for significant privacy breaches, even if unintentional.

5. Children’s Online Privacy Code

If your services include digital platforms likely to be accessed by children - such as youth programs, education resources, or social campaigns - you may be subject to the upcoming COP Code. This code will introduce stricter consent and communication standards tailored to children’s comprehension levels. This will be an important space to watch as the code is finalised and implemented.

Our recommendations: next steps for your organisation

NFPs and charities should act now to prepare for these changes, many of which are already in effect or will be binding in the coming year. We recommend:

  • Reviewing or creating your privacy policy,
  • Conducting a privacy impact assessment for new and existing projects,
  • Assessing how your organisation collects, stores, and uses personal information,
  • Ensuring your staff and systems are equipped to meet new obligations,
  • Ensuring your service providers are not placing your organisation at risk of non-compliance, and
  • Auditing your data handling, especially regarding children or vulnerable groups.

Need help navigating these reforms?

We exclusively support charities and NFPs and as such have a specialised and in-depth knowledge of the practical legal, regulatory, and governance needs of charities and NFP organisations.

Contact us today to review your privacy compliance and ensure you are up to date.  

Call us on 07 3160 0010, email reception@nfplawyers.com.au, or submit a contact form to arrange a consultation.

Disclaimer – Reliance on Content

The material distributed is general information only. The information supplied is not and is not intended to be, legal or other professional advice, nor should it be relied upon as such. You should seek legal or professional advice in relation to your specific situation.
