Your Data, Your Duty: What New OAIC Guidance Means for NFP Digital Marketers

For NFP leaders, the most critical asset isn’t just funding; it’s the profound public trust that enables your mission. Maintaining excellent data governance isn’t just about operational compliance – it is the strategic cornerstone that protects your hard-earned reputation, mitigates legal risk, and secures the foundation of all your digital fundraising and service delivery. We’ve broken down the key areas you need to be across.

The Office of the Australian Information Commissioner (OAIC) has released updated guidance, “Privacy for not-for-profits, including charities,” which serves as a timely and practical reminder of your obligations when handling supporter data. This isn’t breaking news, but a crucial call for all NFP Marketing Managers to re-audit their digital collection practices.

This updated guidance includes expanded advice on the security of information and detailed steps that NFPs must put in place to ensure compliance with their data retention and destruction obligations.

In particular, the guidance includes specific discussion on what to consider when engaging third-party providers, such as fundraising platforms or software vendors. This area is particularly topical and critical in the wake of high-profile data breaches affecting various charities and NFPs.

Here’s our practical guide to the areas in digital marketing that you should consider reviewing:

1. Consent is King – and it Must Be Specific

Digital marketing relies on consent for eDMs, retargeting, and personalised appeals. The APPs demand that consent for using personal information must be voluntary, informed, specific, and current.

What NFPs Need to Check:

  • Opt-in vs. Opt-out: Are your website forms and donation pages using pre-ticked boxes for email subscriptions or future contact? If so, this is generally considered a red flag. Consent should be a clear, unambiguous, opt-in action.
  • Transparency: When collecting information (APP 5), is your Collection Notice linked to the form? Does it clearly explain, in plain English, how you will use their data? (e.g., “We will use your phone number for fundraising calls” vs. “We may contact you”).
  • Unbundled Consent: Are you providing separate, clear options for different channels (Email, SMS, Post, Phone) and different purposes (Newsletters, Appeals, Volunteer Requests)? Supporters should be able to consent to one, but not the others.

2. Data Minimisation and Retention (APP 3 & 11)

We are data nerds, but there’s no place for hoarding data you don’t need. Collecting and retaining more personal information than is reasonably necessary for your function is a key area of OAIC focus.

What NFPs Need to Check:

  • Collection Audits: Go through your online forms (event sign-ups, lead magnets, job applications). Are you asking for fields that you genuinely don’t need for the stated purpose? If it’s not necessary, remove it.
  • Retention Policies: Do you have clear policies and procedures for destroying or de-identifying supporter data that you no longer require? Indefinite retention creates significant risk. Make sure your CRM data and backups are part of this review.

3. Third-Party Vendor Management (Data Security)

Many NFPs rely on third-party digital providers for their essential functions (CRM platforms, marketing automation tools, cloud storage, payment gateways). The OAIC has specifically highlighted the need for due diligence here, particularly in the wake of high-profile data breaches in the sector.

What NFPs Need to Check:

  • Contract Review: Review the terms of service and contracts for all your key digital vendors. Are they clear on their privacy obligations? Do they specify the location of data storage? Do they commit to deleting personal information at the end of the contract term?
  • Security Checks: Does the provider demonstrate adequate security practices (e.g., MFA, encryption)? Even if they cause a breach, the reputational damage is ultimately yours.

This OAIC guidance is about providing clarity so you can better protect your community and maintain their trust. For a detailed breakdown of your obligations under the Australian Privacy Principles, you can refer to the official resource directly here: OAIC’s Privacy Guidance for Not-for-profits, including charities.

Need a clear, practical roadmap to audit your current digital practices against these principles? That’s exactly where our consultative approach comes in. Get in touch if you want to ensure your data hygiene is set up for success! We’re here to help you get organised.