Securing your future: why cyber awareness is vital for NFPs and charities
Cyber criminals do not discriminate. Recent cyber-attacks on some of the largest charities in Australia are timely reminders that the not-for-profit (NFP) sector is not immune. And regardless of the size of the NFP or charity, they can be subject to an attack at any moment.
Our Commercial Legal team offers tips and advice.
October is Cyber Security Awareness month and the theme for 2023 is “be cyber wise – don’t compromise”. Small actions can make a big difference. This includes regularly updating your devices, multi-factor authentication, backing up files and using passphrases.
The consequences of a cyber-attack can be significant and damaging for any NFP or charity, resulting in a loss of trust and reputation, costs to restore services, potential claims for damages from misuse of personal information, breaches and possible penalties for failing to comply with legal requirements.
Data breach – a lesson learnt
Earlier this year, Pareto Phone, a third-party tele-fundraising service provider for numerous Australian charities, was subject to a cyber-attack in which charity donors’ personal information was exposed and released on the dark web.
Pareto Phone was found to have held data of some donors dating back to 2013 and 2014, without the charities’ knowledge. Charities affected included The Cancer Council, WWF Australia, Australian Conservation Foundation and Plan International Australia. The breach serves as a timely reminder that the digital landscape in which many charities and NFPs operate is constantly changing and evolving.
Turn your mind to data security
The Pareto Phone data breach has brought the issue of data retention to the forefront. Pareto Phone continued to hold the personal information of donors, even after the service contract had ended. Organisations need to constantly review and assess the data they are providing to third parties and the data they are holding and ensure contract terms deal with data destruction after termination.
Privacy law reform has been the subject of recent government attention. In February 2023, the Attorney General released the Privacy Act Review Report which put forward 116 proposals for the reform of Australia’s privacy framework, aimed at clarifying the scope of the Privacy Act 1988 (Cth), uplifting protections for individuals, providing clarity to regulated entities and enhancing enforcement mechanisms. Of relevance was the appropriateness of the exemption of the Privacy Act that is currently applicable to small businesses with an annual turnover of up to $3 million.
Regardless of the changes yet to come, there may be a variety of reasons why an NFP already needs to comply with the Privacy Act. These include the provision of health services, being related to a larger body corporate, or providing services to the Australian Government. Even where none of these apply, it is good practice for NFPs and charities to commit to good privacy practices. This builds public and consumer confidence that the NFP or charity is taking positive steps to protect, and to handle responsibly, the personal information it collects and holds.
Action from boards
Although cyber security should be at the top of everyone’s priorities, the ultimate responsibility rests with the board or ‘responsible people’. The organisation’s board should review the current cyber security measures and ensure effective data governance practices are in place. A cyber-attack should be treated as a matter of ‘when’, not ‘if’.
Boards should have visibility of potential risks, monitor these issues closely and ensure steps are in place to mitigate them. This includes:
- developing and implementing a cyber strategy such as a data breach response plan;
- incorporating and assessing cyber risk within the risk register or risk management plan;
- preparing and implementing policies within the organisation such as data retention policies; and
- educating and training staff and management on being cyber aware.
It is incredibly important that boards start acting now, not only to identify where the organisation’s cyber security risk currently sits but also to set goals to become a resilient organisation.
Charities registered with the Australian Charities and Not-for-profits Commission (ACNC) are required to comply with the ACNC Governance Standards and should keep them in mind when handling, managing and storing people’s personal information along with any other legal obligations.
If you have not started becoming cyber security and data protection aware, now is the time. Our Commercial Legal team can assist with introductory data protection and data breach incident response toolkits, as well as reviewing agreements, policies and procedures. Please contact Cass Wright and Chantelle Mulla at [email protected] or call (08) 9365 7560 for further information.