Data security for charities – what are your legal obligations?

In recent months, a significant number of high-profile cybersecurity incidents have affected prominent Australian companies. While cyber-crime is by no means a new phenomenon, the size, effect and targeted nature of recent attacks are concerning.

Australian charities and not-for-profits are no less vulnerable to attack. Cyber-criminals do not hesitate to extort funds from charities or not-for-profits. Indeed, a number of recent media reports indicate that large Australian charities have also been victims of hacking.

Why do charities need to turn their mind to data security?

Charities and not-for-profits are usually highly trusted and may hold sensitive information about vulnerable beneficiaries (including health information) and their members. Unfortunately, many charities and not-for-profits are susceptible to cybersecurity attacks due to low levels of cyber resilience. For a charity or not-for-profit, failing to take appropriate action to secure data could mean:

  • the exposure of sensitive information of beneficiaries, donors or members;
  • the loss of charity funds and resources;
  • reputational damage; and
  • breach of legal obligations (including privacy laws and the ACNC Governance Standards).

This article examines the legal obligations, with a focus on data security, of the directors of charities registered with the Australian Charities and Not-for-profits Commission (ACNC). (In this article we use the term ‘director’ to cover committee member, board member, trustee or responsible person, depending on the structure of the entity.) The article sets out what a director can and should be doing to put appropriate cybersecurity protections in place, and the legal consequences if they fail to do so.

What rules should you be aware of?

  1. Privacy Act

The Privacy Act 1988 (Cth) (Privacy Act) is the national law which regulates how private organisations in Australia must collect, use, disclose, secure and dispose of personal information. These information handling standards are set by the Australian Privacy Principles (APPs). Note that an organisation with an annual turnover of $3 million or less may fall outside the Act under the small business exemption, unless an exception applies (for example, because it provides a health service and holds health information). In relation to data security, directors of charities should reflect on:

  • APP 11, which requires an organisation to take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify personal information it no longer needs; and
  • the Notifiable Data Breaches (NDB) scheme, which requires an organisation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) following an eligible data breach, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned.

Some states also have privacy laws, which can be imposed on charities through state funding agreements. We wrote about these laws in Beyond the Privacy Act: Does your not-for-profit collect health information or receive state funding?

  2. Security of Critical Infrastructure Act

Charities that own or operate assets in a critical infrastructure sector, which includes sectors such as health care and medical, transport, energy, communications, food and grocery, and water and sewerage, may be regulated by the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The SOCI Act includes significant cyber risk management and reporting obligations.

Among other matters, the responsible entity for a critical infrastructure asset must maintain a critical infrastructure risk management program and report annually to the Commonwealth Department of Home Affairs’ Cyber and Infrastructure Security Centre, with the report approved by the board, confirming that its risk management practices and procedures are up to date and remain suitable. The SOCI Act also imposes mandatory cyber incident reporting with short timeframes (12 hours for an incident having a significant impact on the asset, 72 hours for other relevant incidents), and gives the Government powers to intervene and direct or assist an entity’s response to a serious cyber incident where the entity’s own response is ineffective.

  3. ACNC Governance Standards

Directors of charities will know the ACNC Governance Standards – a set of core, minimum standards for how charities are to be governed. The Governance Standards are another form of “principles-based regulation”, like the APPs. Relevant to directors developing data security policies and procedures for a charity are:

  • Governance Standard 3, which requires a charity to comply with Australian laws; and
  • Governance Standard 5, which outlines the duties of a charity’s directors, including the requirement to act:
    • with reasonable care and diligence; and
    • honestly and fairly in the best interests of the charity and for its charitable purposes.

The obligation to act with reasonable care and diligence requires that a charity takes steps to mitigate significant risks to its operations. In today’s climate, this includes ensuring appropriate systems and safeguards are in place to improve a charity’s cyber resilience and effectively respond to hacking and cyber incidents if they occur.

The required standard of care is not reduced if a director does not have specialised knowledge in IT or data security. Instead, directors without specialised knowledge should consider whether expert advice or assistance is required to effectively mitigate risk.

Remember: even with expert advice, the directors are still ultimately responsible for the decisions made and steps taken to ensure cyber resilience.

Separately, to act in the best interests of the charity, directors are required to analyse and consider the impact their data protection decisions could have on the charity’s beneficiaries, members, stakeholders and employees.

  4. ACNC External Conduct Standards

Charities that operate overseas, including those that only send funds overseas, are required to take reasonable steps to comply with the ACNC’s External Conduct Standards (ECS). For charities operating overseas, cybersecurity risks particular to the local environment (for example, the security of local partners’ systems and the channels used to transfer funds and beneficiary data) should be taken into account when assessing ECS risks.

What steps should you take?

There is no one-size-fits-all approach to cybersecurity. Each charity must develop and implement data security strategies that are appropriate to its particular context and operations. Helpful materials published by key institutions to assist with this process are summarised below.

AICD Cyber Security Governance Principles

The Australian Institute of Company Directors, together with the Cyber Security Cooperative Research Centre, has recently released its Cyber Security Governance Principles. The Principles aim to provide a clear and practical framework for organisations to implement more resilient data security strategies, with a focus on achieving better practices and procedures at the board level. The five Principles are:

  • Set clear roles and responsibilities – the directors need to be at the forefront of the strategy, with regular engagement with management and channels in place to report developments and updates to the directors. While external experts can be engaged to help where required, the directors need to retain a working knowledge of what data is being held by the charity, how and where it is being stored and who has access to it. Directors should have oversight of all systems and processes, which should also be reviewed and audited regularly.
  • Develop, implement and evolve a comprehensive cyber strategy – a robust strategy will consider the potential risks for charity beneficiaries and stakeholders as well as the sensitivity of the data being held. The directors must ensure the strategy is regularly evaluated, both internally and externally, and updated as the threat environment and the charity’s operations change.
  • Embed cybersecurity in existing risk management practices – cyber risk should be treated as an operational risk and managed consistently with the charity’s other risks. Controls should be analysed, implemented and regularly assessed in order to reduce the likelihood and impact of an incident. Directors should actively consider the benefits of insurance that covers losses arising from cyber incidents.
  • Promote a culture of cyber resilience – training is a key tool, including specific training for directors, to promote a resilient culture. Strong practices should be incentivised and rewarded. All persons involved in the operation of the charity should be made aware of the importance of the data they use and store, and of the practices required to protect it.
  • Plan for a significant cybersecurity incident – directors should actively prepare for and test response plans for cyber incidents, including a clear and transparent communications strategy for all key stakeholders (beneficiaries, donors, members, staff and regulators) if an incident occurs.

Australian Cyber Security Centre Essential Eight Mitigation Strategy

The Australian Cyber Security Centre (ACSC) publishes the Essential Eight, a baseline set of eight mitigation strategies that organisations are recommended to implement: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. The strategies themselves do not change with the size of the organisation; rather, the ACSC’s Essential Eight Maturity Model defines four maturity levels (Level Zero to Level Three) that describe how rigorously each strategy is implemented, and a charity should select a target maturity level proportionate to the threats it faces and the sensitivity of the data it holds. Further details on the ACSC approach are published on the ACSC website.

What are the consequences if you don’t comply?

In addition to the potential harm to beneficiaries, members and donors, reputational damage and loss of funds, charities face regulatory and civil action in the event of a cybersecurity breach.

Regulatory action

Regulators globally are increasingly taking action against organisations for failing to appropriately protect data and information. For example, in 2021 the UK Information Commissioner’s Office (the equivalent of the OAIC) imposed a significant penalty on a prominent Scottish health charity for failing to put in place appropriate internal measures to prevent the disclosure of sensitive beneficiary data. The OAIC is currently investigating Optus’ personal information handling practices.

In Australia, the OAIC has the regulatory power to investigate alleged breaches of the Privacy Act. If the OAIC finds non-compliance, enforcement action can include making determinations, accepting enforceable undertakings, seeking injunctions and applying to the Federal Court for civil penalty orders against organisations.

A Bill was introduced to Parliament on 26 October 2022 to significantly increase the penalties that can be imposed on organisations (including charities) for serious and repeated interferences with privacy. If the bill is passed the maximum penalty will increase from $2.2 million to the greater of:

  • $50 million;
  • three times the value of the benefit obtained attributable to the breach; or
  • if the Court cannot determine the value of the benefit, 30% of the adjusted turnover of the organisation during the breach turnover period for the contravention.

Non-compliance may also lead to ACNC investigations which can be long, arduous and resource draining. The ACNC has the power to issue directions and enforceable undertakings and, in extreme cases, deregister charities if it is found their directors have not complied with the Governance Standards. The ACNC currently has a targeted focus on reviewing the activities of charities that deal with vulnerable beneficiaries overseas.

Civil action and complaints

In addition to regulatory action, members of charities may also commence litigation against directors if the directors have failed to fulfil their duties and adhere to the ACNC Governance Standards. Similarly, beneficiaries of the charity’s services who are affected by data breaches or cyber-attacks may have grounds to either:

  • sue the directors for breach of their duties, including by commencing class actions if appropriate; or
  • make complaints to the OAIC alleging the charity has not complied with the APPs.

Directors can be personally liable if their breach of duty has caused personal injury or harm, including where the breach of duty consists of inaction or a failure to take appropriate and reasonable steps.

What should you do?

Moores is here to help to guide you and your charity on the right path. Please contact our corporate advisory team if you would like assistance in preparing a data security policy or strategy, or if you would like to discuss your legal duties and obligations.
