Charities and other non-profit organisations rely on the goodwill and generosity of donors. They are also familiar with the challenges of realising bequests made by donors, but perhaps less familiar with how bequests influence the way the organisation manages its donor records.
The recently publicised Oxfam breach brought to light the privacy risks in retaining donor information and in how that information is used across the organisation. It also highlighted that most donor information generally has an end of life of about seven (7) years after a valid last engagement with the organisation, after which it is no longer required and must be destroyed or de-identified.
There are some exceptions, including:
- When an individual has made a bequest to an organisation in their will;
- When an individual has notified the organisation that they no longer wish to be contacted; or
- When the last contact made with the organisation is not validly recorded.
What can we take away from Oxfam?
Oxfam reported an eligible data breach in January 2021 after discovering that 1.7m donor records had been stolen by malicious actors. The OAIC commenced an investigation six months later, citing concerns about Oxfam's privacy practices, in particular in relation to Australian Privacy Principle (APP) 11.1 (security of personal information) and APP 11.2 (retention). Ultimately, the OAIC accepted an enforceable undertaking from Oxfam in February this year as part of its regulatory response.[1]
The Oxfam breach provides several learnings:
- Not-for-profit (NFP) organisations are not immune from threat actors.
- Organisations must have a clear picture of just how far their guardrails extend for protecting the personal information they hold. Testing environments are a red flag for ‘function creep’ and are more vulnerable to interference because they are often siloed, temporary and do not have the same level of security as production environments.
- Retention is only one piece of the pie for securing personal information, but poor retention practices can cause the most impact when security is compromised, because data that should no longer exist is exposed alongside data that is still needed.
- Retention periods for donor information should be clearly defined within the organisation. Whilst the seven (7) year period is specific to Oxfam, it was accepted by the OAIC and can be used as a de facto benchmark for retention of donor information. Anything beyond that would, arguably, enter the territory of being beyond what is necessary under the APPs unless retention can be justified (e.g. it is required or authorised by law).
- Where an organisation has clear and affirmative records of an individual’s intent to leave a bequest in their will, there is a basis for legitimate indefinite retention.
So why does all this matter?
Active donor engagement is a core part of NFP operations, which depend on the valuable contributions and support of the donor community. Protecting the personal information of this cohort of stakeholders goes toward building and maintaining trust and continued connection.
Whilst organisations might turn their attention to protecting the personal information of active donors, they don’t often turn their minds to what happens when donors have stopped engaging with the organisation and significant time has passed since the personal information was originally collected.
Destruction and de-identification of personal information are part and parcel of taking ‘reasonable steps’ to protect personal information. Organisations should have a picture of when personal information is no longer needed by:
- Developing policies and procedures specifying maximum retention periods for different supporter categories, such as active donors, non‑donors, bequest donors and those who have opted out or no longer wish to be contacted. Consider the de facto benchmark of seven (7) years;
- Defining mechanisms for recording, and tracking, the date of last engagement, so that there is a signal for when retention thresholds (e.g. seven years) are reached and destruction or de-identification can be enforced;
- Having clear processes for recording an individual’s intention to make a Gift in Will – this should be distinct and separate from other collection purposes and collection points;
- Training staff on the organisation’s retention policies; and
- Conducting periodic audits of retention practices.
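The retention sweep described in the five steps above, as an added worked example that is not part of the original article and is not Oxfam, OAIC or Moores material. It applies the seven-year benchmark to the recorded date of last engagement and handles the three exceptions the article lists (recorded bequest intent, an opt-out notification, and a last contact that was never validly recorded). The record field names, the category labels, the decision that an opted-out individual is kept only as a minimal suppression record, and the routing of records with no valid last-engagement date to manual review are all modelling choices of this example, not requirements stated on the page.

```python
"""Donor-record retention sweep (illustrative example, not from the article).

Assumptions (not stated on the page): field names, category labels, the
'suppression record' treatment of opt-outs, and manual review for records
whose last engagement was never validly recorded.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # de facto benchmark discussed in the article


@dataclass(frozen=True)
class DonorRecord:
    donor_id: str
    category: str                      # assumed labels: active, non_donor, bequest, opted_out
    name: str
    email: str
    last_engagement: Optional[date]    # None = last contact not validly recorded
    bequest_intent_recorded: bool = False  # affirmative Gift in Will record, kept separately


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 February rolls to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(rec: DonorRecord, today: date) -> tuple:
    """Return (action, reason) for one record.

    Actions: 'retain', 'retain_suppression', 'review', 'destroy_or_deidentify'.
    Exceptions are checked before the seven-year clock, mirroring the article's list.
    """
    if rec.bequest_intent_recorded or rec.category == "bequest":
        return "retain", "affirmative bequest intent recorded: indefinite retention justified"
    if rec.category == "opted_out":
        # Assumption: keep only what is needed to honour the opt-out (a suppression entry).
        return "retain_suppression", "opt-out must be honoured: keep minimal suppression record"
    if rec.last_engagement is None:
        # The clock cannot start from an unrecorded date, so do not auto-destroy.
        return "review", "last engagement not validly recorded: refer for manual review"
    threshold = add_years(rec.last_engagement, RETENTION_YEARS)
    if today >= threshold:
        return "destroy_or_deidentify", f"retention threshold reached on {threshold.isoformat()}"
    return "retain", f"within retention period until {threshold.isoformat()}"


def deidentify(rec: DonorRecord) -> DonorRecord:
    """Strip direct identifiers while keeping aggregate/audit fields."""
    return replace(rec, name="", email="", last_engagement=None)


def run_sweep(records, today: date) -> dict:
    """Map donor_id -> action for a batch of records; the audit trail is the reason text."""
    return {rec.donor_id: retention_decision(rec, today)[0] for rec in records}


# Constructed sample data (not real donors).
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    DonorRecord("D1", "active", "A. Example", "a@example.invalid", date(2017, 5, 31)),
    DonorRecord("D2", "active", "B. Example", "b@example.invalid", date(2019, 1, 1)),
    DonorRecord("D3", "bequest", "C. Example", "c@example.invalid", date(2005, 3, 3), True),
    DonorRecord("D4", "opted_out", "D. Example", "d@example.invalid", date(2010, 7, 7)),
    DonorRecord("D5", "non_donor", "E. Example", "e@example.invalid", None),
    DonorRecord("D6", "non_donor", "F. Example", "f@example.invalid", date(2016, 2, 29)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = retention_decision(rec, SAMPLE_TODAY)
        print(f"{rec.donor_id}: {action} ({reason})")
```

The sweep is deliberately conservative at the two edges a governance review would query: a missing last-engagement date is routed to review rather than silently treated as "old enough to destroy", and a recorded bequest intent short-circuits the clock entirely, which is only defensible because that intent is captured as a distinct, affirmative record rather than inferred from ordinary donation history.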
Whilst many charities and other NFP organisations may not meet the thresholds for compliance with the Privacy Act 1988 (Cth), implementing these types of controls is simply good practice in an age when organisations are grappling with how to handle large volumes of data. Enhanced data governance is not just strategically important, it gives confidence to supporters that their privacy is being respected. Registered charities must also demonstrate good governance in alignment with requirements under the ACNC Governance Standards.
Read more about the OAIC’s guidance to NFPs and charities in our article New privacy guidance for not-for-profits issued by the OAIC.
What about the recent privacy reforms?
Retaining data longer than necessary can breach APP 11.2, which requires an organisation (subject to the APPs) to destroy or de-identify the personal information it holds when it no longer needs it for any purpose or is not required to retain it under any Australian law or court/tribunal order.
The recent reforms introduced APP 11.3, which makes clear that ‘reasonable steps’ to protect personal information include both technical and organisational measures – setting and applying retention policies are such steps.
Organisations are exposed to Notifiable Data Breaches (NDB) scheme triggers if long-held data is compromised, leading to both public and regulatory scrutiny. The OAIC’s enhanced enforcement powers will also shape how the regulator responds to notifiable breaches in future.
With the new statutory tort for serious invasions of privacy now in effect, misuse of personal information arising from poor retention practices may also expose organisations to claims brought by individuals where the individual had a reasonable expectation of privacy and the invasion of privacy was intentional or reckless, and serious.
How we can help
Moores has dedicated privacy specialists who can work with you and support your organisation’s needs, including:
- compliance reviews and audits of practices;
- IT vendor contract reviews;
- the development of policies and procedures to support data governance and security;
- delivering privacy impact assessments of new systems and processes; and
- offering tailored advice.
Contact us
Please contact us for more detailed and tailored help.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.