Please change your location to view this page.
This page contains content that does not match your current location
Some community organisations, including those with revenue over $3mil, and those that have contractual arrangements with government (eg. funding agreements) may be required to comply with privacy laws.
It is best practice to assume that all privacy laws apply to your group. It is also important to note that there are privacy laws at both state and federal levels.
We've received many questions from not-for-profit organisations about whether the European Union General Data Protection Regulation (EU GDPR), effective from 25 May 2018, applies to their Australian-based organisation. Click here to read general legal information on this topic.
Notifiable Data Breach reforms
In 2018 important amendments to the Privacy Act 1988 (Cth) changed the legal requirements for how organisations deal with a serious data breach. These changes apply to all organisations already bound by the Privacy Act, and commenced on 22 February 2018.
The Office of the Australian Information Commissioner has updated its website to reflect the new laws, and we have a fact sheet to help you navigate the system. You can download this for free below.
National Privacy Guide
The Not-for-profit Law Privacy Guide has been updated to reflect the new federal privacy laws. You can download the guide below which includes information about:
- what is covered by privacy law, sources of privacy laws and exemptions
- obligations under privacy law including consent, notification and storing personal information and compliance, and
- privacy policies
- fundraising and privacy
- private ancillary funds, and
- state and territory privacy principles.
Notifiable Data Breaches scheme
The Notifiable Data Breaches scheme fact sheet supplements the Privacy Guide. It explains your organisation's obligations if there is a data breach and how to comply with the Notifiable Data Breaches scheme.
There are legal issues that cross-over with privacy that are not addressed in the Privacy Guide, including:
- Cyber Security - Regardless of the industry your organisation operates in, your organisation probably collects and stores a huge amount of information and uses many different kinds of technology in its daily operations. This factsheet contains information about cyber security - the practice of protecting this information, your organisation’s electronic systems and digital information and reducing the likelihood of a breach.
- Confidentiality - In some circumstances you may have an obligation to keep certain information confidential. This can be because of:
- an agreement containing confidentiality obligation
- the commercial or secret nature of the information itself, or
- the circumstances in which the information was obtained.
- Surveillance - Federal and Victorian State laws regulate surveillance, recording, monitoring and interception of communications, including when these are done in the workplace. The laws cover video, audio, computer, telephone and tracking (eg. GPS) surveillance. For information go to the Office of the Australian Information Commissioner.
- Direct marketing and research - The Spam Act 2003 (Cth) regulates how you send promotional emails and other commercial electronic messages, while the Do Not Call Register Act 2006 (Cth) and related industry standards regulate telemarketing and telephone research. For information go to the Australian Communications and Media Authority (ACMA) and/or the Do Not Call Register website.
- Freedom of information (FOI) - If someone has asked to access their information or told you they have a right to it under FOI laws, you will need to consider if that legislation applies to your organisation (eg. if your organisation holds personal information as a result of a contract between it and the government). For information go to the Victorian Government's Freedom of Information online and/or the Australian Government's Office of the Australian Information Commissioner.