It is commonly misunderstood that community organisations and/or non-profits are not encumbered by duties burdening the commercial sector.  To an extent, that is true.  However, when the question relates to the collection and use of personal information – even the community group is subject to restraints.  This article is intended to assist community organisations and non-profits in the basics of Privacy Obligations under the Privacy Act 1988 (Privacy Act), and Privacy Regulations 2013.

Long gone are the days when organisational databases could be passed around between members as a benefit of membership. Accordingly, each community and/or non-profit organisation (and each of its members) is obligated to apply the Australian Privacy Principles. We have summarised the relevant Privacy Principles below:

  1. Consideration of Personal Information Privacy. This Principle obligates an organisation to manage personal information in an open and transparent way, including procedures to ensure the information is properly protected. To achieve this end, the organisation must develop a Privacy Policy, available to its members (and other individuals from whom information is collected), that explains the kinds of information collected and held, the manner in which the information is collected, the purpose for which the information is collected, how a member (including an executive member) can access the information, how an individual can complain about unauthorised or inappropriate access (such as the private use of personal information by an executive or ordinary member), whether the information may be disclosed overseas, and to which countries such disclosure would be made.
  2. Anonymity and Pseudonymity. The organisation must also offer members (and other individuals about whom personal information is held) the option of being identified by a pseudonym, or of not identifying themselves at all in such records.
  3. Collection of Solicited Personal Information. The organisation must also ensure personal information is not held unless it is reasonably necessary for the objectives of the organisation. Generally, in community organisations, the personal information it is relevant to hold would include names, addresses, and perhaps employment and/or sector details. However, it would generally not be relevant to maintain a database of family details, extended business matters, financial information, and the like.
  4. Dealing with Unsolicited Information. If an organisation obtains personal information which is not relevant or necessary to its objectives or operations, the information must be deleted or destroyed as soon as possible. In other words, unless an individual gives information to the organisation with the intent that it be used and/or held by the organisation, the information should not be held. Merely granting access to personal information does not give an organisation the right to deal with or hold such information.
  5. Notification of Collection of Personal Information. As soon as reasonably possible, an organisation must take steps to inform individuals of the manner in which, and the types of, information held by the organisation are collected, including the purpose for which the information is collected.
  6. Use and Disclosure of Personal Information. An organisation may not distribute, nor may any member (including an executive member) use, the personal information held by the organisation for any private purpose. We cannot stress enough the obligation of the organisation to ensure that its members do not obtain access to membership lists, attendance rolls, or other personal information for their own personal gain or motivations (unless approved by the individuals about whom the information is held).
  7. Direct Marketing. An organisation may not use personal information for direct marketing, except for the general dissemination of information that members would ordinarily expect to receive (e.g. a newsletter about upcoming events, as opposed to marketing a member's personal business). This Principle builds on Principle 6: equally, no member may use a membership list, supplier list and/or other personal information held by the organisation to directly market themselves, their employer, their business, etc.

A violation of the Privacy Act is not to be taken lightly. Organisations can suffer significant pecuniary fines, and individuals can suffer criminal charges.

If your organisation has not already done so, it should formulate a Privacy Policy, and ensure that a copy of the Privacy Policy is attached to or incorporated in membership applications (which provides effective notice at the point personal information is acquired from an individual). To the extent personal information is collected in another manner, ensure that the Privacy Policy is made available at that point as well. Another beneficial option (which cannot satisfy the organisation's obligations in isolation) is to post the Policy on the organisation's website and/or print copies of the Policy for membership meetings.

We strongly urge your organisation to require any member (including executive member) accessing personal information databases to sign a letter acknowledging they understand the Privacy Principles, and agree to use the information strictly for the purposes of the organisation (and as reasonably expected by the individuals providing personal information for this end).

Should you have any questions about Privacy Obligations, please do not hesitate to contact Katrina Brown by emailing her at

Nautilus Law Group supports community organisations and is happy to give assistance to further the objectives of organisations assisting the community.

Article submitted by Katrina Brown, Senior Lawyer, Nautilus Law Group.