Privacy Check for Non-Profits: Is Your Organisation Up to Date?

Privacy Check: Are Your Systems Up to Date?

Last October, the Australian Privacy Act had its biggest shake-up in decades. If your organisation collects personal data from donors, members, volunteers or program participants, it's time for a system check.

This isn't just about ticking legal boxes. It's about building trust, running tighter operations, and protecting the people who make your mission possible.

Here's a quick refresher on what changed, and a checklist to make sure your organisation is keeping pace.

What Changed in Late 2024?

The Privacy Act reform introduced stronger obligations for how organisations collect, store and use personal data, with a clear focus on transparency, control and security.

Key changes include:

Stronger rights for individuals
Australians can now request to access, correct, or delete their personal information. They can also object to how it's used, especially for profiling or automated decisions.

Clear and specific consent
It's no longer enough to have a vague privacy policy buried in your website footer. You need to be upfront about what data you're collecting, why you're collecting it, and who else might see it. Consent must be informed, freely given, and easy to withdraw.

Accountability for third-party tools
If you're using apps, cloud platforms, or other digital services that handle personal data, you're responsible for managing the risks. Passing the blame after a breach is no longer acceptable. You need to show you've done due diligence and put safeguards in place.

The rules cover more organisations
Even if you're a smaller non-profit under the $3 million revenue threshold, you may still need to comply if you handle sensitive data such as health information, children's details, or services aimed at vulnerable communities.

Fairness and transparency
Any data collection must now be “fair and reasonable” for your purpose. Collecting more data than you need, or using it in unexpected ways, could put you at risk of non-compliance.

Transparency

Do we have an up-to-date Privacy Policy that's easy to find?
Do we clearly explain what personal data we collect and why?
Is our policy written in plain English, with age-appropriate language if needed?
Have we reviewed all forms and online tools for clear consent language?

Security & Access

Do we store personal data securely (password-protected, encrypted, limited access)?
Can we provide individuals access to their data if requested?
Do we have a simple process for correcting or deleting personal information?

Consent & Control

Do we ask for consent in a way that is specific, informed, and optional?
Can people easily opt out of communications or withdraw consent?
Are we collecting only what we need, rather than "just in case" data?

Third-Party Tools

Do we know which platforms (CRMs, cloud storage, email tools) handle personal data?
Have we reviewed their privacy policies and set up available safeguards like access controls?
Do we have agreements or records showing we've assessed the risks?

Sensitive & Special Data

Do we handle children's information, health data, or work with vulnerable groups?
Have we reviewed whether our activities now fall under the Privacy Act, even if we're small?

Governance & Culture

Have staff and volunteers received basic privacy training?
Do we have a plan for how to respond if there's a data breach?
Are privacy checks part of new projects or digital tool rollouts?

Privacy reform is here, and it isn't slowing down. Smart non-profits are using this moment to modernise how they collect, manage, and respect personal data.

If you haven't looked under the hood since last October, now's the time.

Need a hand with your organisation's privacy checklist? Let's talk.
Contact Heaps Smart to explore how we can help your organisation strengthen privacy and data practices.