Privacy Act Review: Key changes on the radar for NFPs

To continue our series on the Privacy Act Review, we have summarised the proposed reforms most likely to affect Not-for-profit (NFP) organisations and charities.

Small business exemption

Currently, the “small business” exemption means organisations with an annual turnover of less than $3 million do not need to comply with the Privacy Act. One limitation on this exemption concerns health service providers: regardless of their size, health service providers must comply with the Privacy Act. This may include many NFP organisations and charities.

For NFPs and charities that are not health service providers, the removal of the small business exemption would greatly increase privacy obligations by making them subject to the Privacy Act, including the Australian Privacy Principles and the Notifiable Data Breach Scheme (NDB Scheme). Recognising this, the proposal includes a process of consultation and gradual implementation for “small businesses”.

Right to erasure

This prospective right is far-reaching and would greatly increase the burden on organisations to proactively delete all records relating to an individual, on request by that individual. Currently, there is no such right, although individuals do sometimes ask for it, particularly after a publicised data breach at the organisation or elsewhere.

There is a proposal to introduce this right to erasure where:

  • an individual may seek to exercise the right to erasure for any of their personal information; and
  • an organisation which has collected the information from a third party or disclosed the information to a third party must inform the individual about the third party and notify the third party of the erasure request unless it is impossible or involves disproportionate effort.

In addition to the general exceptions similar to those already existing for access and correction requests, certain limited information should be quarantined rather than erased on request so the information remains available for the purposes of law enforcement. This is particularly important in relation to child safety records, which must, in many instances, be retained permanently or for an extended period of time.

The policy objective behind the right to erasure is to give individuals more control over their personal information. However, practical implementation of this right may be difficult for organisations which do not have strong technological capabilities, or funds to invest in upgrading their technology systems to allow for erasure requests.

A right to erasure was introduced in the European Union in the General Data Protection Regulation (GDPR) in 2017.

Changing the data breach reporting period from 30 days to 3 days

The proposed new data breach reporting obligation would require organisations covered by the NDB Scheme to notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of a data breach. The aim is that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals.

The current requirement is 30 days. This is a significant change, and will require NFP organisations to upskill in how they respond to data breaches.

This amendment is similar to the GDPR’s 72-hour requirement for breach reporting to national Data Protection Authorities (Article 33).

How we can help

Big or small, we can help NFPs review how they handle personal information, assist with preparing privacy policies, or conduct privacy audits. We understand your data can be incredibly important to your charity, whether you are collecting donations or providing services to your clients. Please contact our privacy lawyers for any assistance.
