Is privacy a priority for your organisation in 2024?
On 25 October 2023, more than 25 civil society organisations and individuals signed on to an open letter calling on the Australian Government to act urgently to introduce privacy reforms. This joint statement signals that many organisations in the community sector want the Government to implement privacy reforms, particularly where the proposed changes will better protect those in our community who are most vulnerable, even though the reforms will impose greater obligations on those organisations.
The recent release of the Australian Government’s response to the Privacy Act Review Report published in September 2023 means it is now less of a question of what will change in the Privacy Act 1988 (Cth) (Privacy Act) and more about when. The Government has confirmed its commitment to progressing its work to strengthen individual privacy protections. It has ‘agreed’ to 38 of the proposed changes and ‘agreed-in-principle’ to a further 68 proposals. You can read the Review Report here and the Government response is available here.
Meanwhile, the latest Digital Technology in the Not-For-Profit Sector report released by InfoXchange in November 2023 reveals that 25% of not-for-profits and charities are already using artificial intelligence applications and two-thirds plan to implement this technology within the year. A poll conducted by Salinger Privacy in October 2023 found that 86% of respondents did not have effective privacy compliance training in place for their staff.
Your not-for-profit or charity may be supportive of implementing reforms that better protect privacy, but is it across the detail of the proposed changes and is it ready to comply with them? Does your organisation have a plan for how it will ensure privacy compliance while making the most of emerging artificial intelligence tools that increase efficiencies and enhance impact?
Key changes to consider
It is beyond the scope of this article to summarise all the proposed upcoming changes, particularly considering the reforms represent the most significant overhaul of the Australian privacy framework in the last decade. Instead, we will highlight some of the key proposals that we believe not-for-profits and charities should be aware of now.
1. Small not-for-profits and charities will no longer be exempt from the Privacy Act
Currently, most not-for-profits and charities that have an annual turnover of less than $3 million are exempt from the Privacy Act, unless they have opted in, are subject to Commonwealth funding agreements or hold health information. This is set to change with the proposed removal of the ‘small business exemption’, which will happen after further consultation and impact analysis occur, a transition period is agreed, and appropriate supports are put in place to promote and support compliance.
The implementation of this proposed change will mean increased privacy obligations for small organisations who will be bound by the Australian Privacy Principles (APP) and the Notifiable Data Breaches Scheme.
2. New ‘fair and reasonable’ test for collection, use and disclosure
The introduction of a new test for the collection, use and disclosure of personal information is a cornerstone of the proposed changes to the Australian privacy framework.
Currently, the test for an organisation to collect, use and disclose personal information is a subjective one. It is therefore open to interpretation and exploitation given the significant discretion that comes with the organisation determining whether an action is ‘reasonably necessary’.
The new test is designed to be more objective, requiring the collection, use and disclosure of personal information to be ‘fair and reasonable’ in the circumstances. For the first time, the perspective of individuals will need to be considered. Even if consent is obtained, a determination will still need to be made and the assessment is to be done from a reasonable person’s point of view.
If your organisation is leveraging data (for example, from social media platforms) to target marketing and fundraising communications to acquire or attract new supporters, then these changes have the potential to significantly impact your direct marketing practices.
In the context of this new test, it is important to note that the definition of personal information is also set to change to cover information that is not just ‘about’ but ‘relates to’ an individual. This broadened definition will capture new types of information like IP addresses, location data and data-based behavioural predictions.
3. New penalties
A new tiered approach to penalties for an interference with an individual’s privacy will be implemented in 2024. Importantly, there will be a new low-level civil penalty with attached infringement notice powers. This means your organisation could receive a fine if, for example, it does not:
- give individuals the option of not identifying themselves (APP 2.1); or
- deal with requests to correct information within specified timeframes (APP 13.5).
You do not want your organisation to have to spend money it has raised from donations to pay fines for simple or unintentional mistakes or spend time dealing with the bad publicity that may come with it.
4. New individual rights of action for invasions of privacy
At the moment, there is little an individual can do to seek compensation or relief if they experience an interference with their privacy. This is set to change, and the Government has agreed in principle to implement:
- a direct right of action for individuals to seek compensation for loss or damage suffered as a result of an interference with their privacy. This means that, after making a complaint to the OAIC or another recognised External Dispute Resolution scheme, affected individuals will have the option of taking their matter to court if there is no reasonable likelihood that their complaint can be resolved by conciliation.
- a new tortious action for serious invasions of privacy that result in harm. This means affected individuals may be able to bring an action and seek a remedy in court, and not be limited by the scope of the Privacy Act.
What to do now to prepare
Considering how integral data is to the running of not-for-profits and charities, it is important to start preparing now before the proposed changes are introduced. A lack of preparation could mean your organisation runs the risk of unintentional breaches, or disruptions to critical service delivery and fundraising initiatives that enable your organisation to pursue its mission while work is done reactively to address the issue.
There are steps your organisation should consider taking to prepare in advance. You should think about:
- What personal information does your organisation collect and hold?
- What are the purposes for which this personal information is collected, used and disclosed?
- What policies and practices for protecting personal information held by your organisation are already in place?
- Are these practices for handling personal information ‘fair and reasonable’?
- Who is responsible for privacy in your organisation?
You may like to review and update, or start drafting your:
- Collection Notices
- Retention requirements
It is a good idea to train all staff and volunteers who are handling personal information.
While the focus of this article is on the proposed changes to privacy laws, it is important to remember that the community often places greater expectations on and trust in not-for-profits and charities to protect the interests of the people they serve. This adds an extra layer of importance to ensuring your organisation is complying with current and future privacy laws.
How we can help
HWLE undertakes matters on a pro bono basis for disadvantaged or marginalised people who cannot afford to pay for legal services. We also provide pro bono assistance to not-for-profits and charities who work in the interests of low income or disadvantaged members of the community, or for the public good.
If your not-for-profit or charity needs help reviewing how it handles personal information, preparing privacy policies, collection notices or retention requirements, please contact us. We may be able to assist on a pro bono or discounted basis depending on the size, scale and mission of your organisation.
This article was written by Karen Keogh, Partner, and Laura Kilgour, Associate.