It is commonly misunderstood that community organisations and/or non-profits are not encumbered by duties burdening the commercial sector. To an extent, that is true. However, when the question relates to the collection and use of personal information – even the community group is subject to restraints. This article is intended to assist community organisations and non-profits in the basics of Privacy Obligations under the Privacy Act 1988 (Privacy Act), and Privacy Regulations 2013.
Long gone are the days wherein organisational databases could be passed around between members as a benefit of membership. Accordingly, each community and/or non-profit organisation (and each of its members) is obligated to apply the Australian Privacy Principles. We have summarised the relevant Privacy Principles applicable:
- Anonymity and Pseudonymity. The organisation must also offer members (and individuals about whom personal information is held) the right to be identified by pseudonym, or the option of not identifying themselves generally in such records.
- Collection of Solicited Personal Information. The organisation must also ensure private information is not maintained unless it is reasonably necessary for the objectives of the organisation. Generally, in community organisations, private information relevant to be held would include names, addresses, perhaps employment and/or sector details. However, it might not be relevant to maintain a database of family details, extended business matters, financial information, and the like.
- Dealing with Unsolicited Information. If an organisation obtains personal information which is not relevant or necessary to its objectives or operations, the information must be deleted or destroyed as soon as possible. In other words, unless an individual gives information to the organisation with the intent that it be used and/or held by the organisation, the information should not be held. Merely granting access to personal information does not give an organisation the right to deal with or hold such information.
- Notification of Collection of Personal Information. As soon as reasonably possible, an organisation must take steps to instruct individuals of the manner and type of information held by the organisation, including the purpose for which the information is collected.
- Use and Disclosure of Personal Information. An organisation may not distribute, nor may any member (including an executive member) use the personal information held by the organisation for any private. We cannot be explicit enough in the obligations of the organisation to ensure that its members do not obtain access to the membership lists, attendance rolls, or other personal information for their own personal gain or motivations (unless approved by the individuals about whom the information is held).
- Direct Marketing. An organisation may not use personal information for direct marketing, except dissemination of information generally about the matters to be expected generally (i.e. newsletter regarding upcoming events, versus a member’s personal business marketing). This Principle furthers, and builds on, Principle 6 in that equally no member can use a membership list, supplier list and/or personal information data held by the organisation to direct market themselves, their employer, their business, etc.
A violation of the Privacy Act is not to be taken lightly. Organisations can suffer significant pecuniary fines, and individuals can suffer criminal charges.
We strongly urge your organisation to require any member (including executive member) accessing personal information databases to sign a letter acknowledging they understand the Privacy Principles, and agree to use the information strictly for the purposes of the organisation (and as reasonably expected by the individuals providing personal information for this end).
Should you have any questions about Privacy Obligations, please do not hesitate to contact Katrina Brown by emailing her at Katrina@nautiluslaw.com.au.
Nautilus Law Group supports community organisations and is happy to give assistance to further the objectives of organisations assisting the community.
Article submitted by Katrina Brown, Senior Lawyer, Nautilus Law Group.