Trust first: Privacy reform and responsible data behaviour for not-for-profits


Published: 

For not-for-profits (NFP), trust is built not only on mission, but on how personal information is handled. As privacy expectations rise and AI becomes part of daily operations, data stewardship is now a governance issue as much as an operational one.

Regulators and the Australian Charities and Not-for-profits Commission (ACNC) have increasingly emphasised the importance of sound privacy and governance practices, and many organisations are adopting a staged approach to strengthen these capabilities without over-engineering. 

Why expectations have shifted

The Australian Privacy Principles (APPs) under the Privacy Act 1988 establish obligations around governance, collection, use, disclosure, security and lifecycle management of personal information.

Australia’s privacy framework has long been principles based, with the way regulators and stakeholders interpret those principles evolving over time. Three shifts are particularly relevant for NFPs:

  • Regulators increasingly focus on whether practices are fair, reasonable and proportionate, not just whether a policy exists. Over-collection, unnecessary retention and broad access are scrutinised even where no malicious intent exists
  • Accountability sits with the organisation, not the tool. The Office of the Australian Information Commissioner (OAIC) has clarified that privacy obligations apply to personal information entered into AI systems and to output containing personal information. Using a third-party platform or AI tool does not displace accountability
  • Most data incidents come from everyday behaviour: unmanaged shared drives, information copied into emails, or data kept long after it serves a purpose. AI does not create these risks, but it can expose and amplify them.

Why this is also an ACNC governance issue

Under the ACNC Governance Standards, charities are required to operate lawfully and run in an accountable and responsible way. Governance Standard 5 requires Responsible People to act with reasonable care and diligence, manage conflicts appropriately, not misuse information or position, and manage organisational affairs responsibly.

While the Governance Standards do not specifically refer to privacy or AI, the expectations are clear:

  • Data is an organisational asset
  • Mishandling data can damage public confidence
  • Boards and executives are expected to oversee material risks, even where day-to-day responsibility is delegated.

In practical terms, this means privacy and AI related risks should be considered alongside financial, operational, and reputational risks.

What responsible data behaviour looks like in practice

Responsible data behaviour does not require heavy compliance programs. It requires clear, intentional choices that can be explained and defended.

At an operational level, this means the organisation can answer, with confidence:

  • What personal and sensitive data do we hold?
  • Why do we need to hold it?
  • Who can access it, and is that access still appropriate?
  • How long should we retain it?
  • How do new tools (including AI) change our exposure?

At a governance level, leaders must understand how these practices align with the organisation’s purpose, risk appetite, and obligations.

Why trust now depends on data behaviour

Trust is built through consistent, defensible behaviour in how people’s information is handled, protected and respected. As AI and digital tools continue to evolve, organisations that treat privacy and data stewardship as core governance responsibilities will be better placed to sustain confidence and deliver on their mission.

A practical starting approach

Many NFPs benefit from a staged approach:

  • Establish visibility: Identify where personal and sensitive information sits across systems, shared drives, and email. Focus on awareness of higher-risk areas first
  • Reduce unnecessary exposure: Remove ‘just-in-case’ data collection and apply retention decisions so information is not kept indefinitely without purpose
  • Tighten access and accountability: Align access to roles, remove legacy permissions, and assign owners for key datasets and repositories
  • Formalise expectations for AI use: Document where AI can be used, where it cannot, and how use will be monitored and reviewed.

How BDO can help

NFP organisations often tell us the challenge is not understanding that privacy matters. It is translating regulatory expectations into practical behaviours that staff, leaders and boards can consistently apply.

BDO helps not-for-profits turn privacy, data governance and AI risk into practical action, helping organisations respond to Privacy Act reform, OAIC expectations and ACNC governance obligations in a practical and proportionate way. Our support commonly includes:

  • Board and executive education on privacy, AI and data stewardship, focused on governance obligations, risk oversight and decision‑making rather than technical detail
  • Designing privacy and data governance frameworks that align with the Australian Privacy Principles and ACNC Governance Standards, without over‑engineering policy
  • Reviewing data handling practices to identify over‑collection, retention risk and access weaknesses that can undermine trust
  • Supporting leadership teams to embed privacy as a behavioural expectation, not just a compliance requirement, through clear accountability and escalation pathways.

Our focus is on helping organisations demonstrate intentional, defensible data behaviour that sustains trust with communities, funders and regulators. If you would like to discuss how this approach could apply to your organisation, contact our cyber security, data advisory, and not-for-profit specialists.

Key takeaways

Privacy and data stewardship are becoming core governance responsibilities for not-for-profits
  • As privacy expectations evolve and AI adoption increases, not-for-profits are expected to manage personal information as a governance issue, with oversight extending beyond operational compliance to broader organisational accountability.
Responsible data behaviour depends on visibility, access control and accountability
  • Organisations need a clear understanding of what personal information they hold, why they hold it, who can access it and how long it should be retained to support defensible and well-governed data practices.
Trust is strengthened through intentional and defensible data practices
  • Consistent management of personal information, including privacy, retention and AI-related decisions, helps not-for-profits sustain confidence with communities, funders and regulators.

Authors

Subscribe to receive the latest insights.