3 Simple Privacy Mistakes – Non Compliance and Your Not for Profit

Simple Privacy Mistakes – Does Your Not For Profit Comply? 

The Australian Information Commissioner recently made determinations against 5 businesses for ‘simple privacy mistakes’.

The Commissioner stated that ‘while many high-tech privacy breaches like internet hacks (and the Red Cross case) attract headlines, it’s important to remember that many privacy breaches are caused by the simplest human error.’ The Commissioner stated that the consequences of these breaches are just as damaging for individuals and businesses alike.

So what kinds of errors did these businesses make and how could your Not For Profit organisation avoid making similar mistakes? I have highlighted 3 of the 5 cases below.

Simple Privacy Mistake # 1 – Double Locked Storage on Private Land – Is This Enough? 

Mistake #1 – leaving identification documents in a ‘double locked’ container on unfenced, private property. Trespassers broke into the container, leaving documentation such as copies of Drivers Licence and Medicare cards exposed. Upon being alerted to the unauthorised access, one of the owners of the personal information made a complaint to the Commissioner.

The individual complained that the company ‘had not taken reasonable steps to protect their information from interference’ and that the company had failed to destroy or de-identify the information given that it was no longer needed by them.

The Commissioner made a determination against the company stating that the personal information was left on ‘unfenced property in a relatively isolated location in bush land’ and as such the information was not adequately monitored and protected. The Commissioner also found that the company was in breach for failing to destroy or de-identify the documents.

The consequences for the company were an enforceable undertaking, payment of $3,500 in damages, and a requirement to issue an apology. Possibly the most damaging consequence for the company, however, was brand damage when the breach was aired on A Current Affair….

Do you collect hard copy donor information? If so, how do you protect it from unauthorised disclosure?

It is clear that notwithstanding that personal information is kept in locked premises on private land, the Commissioner expects that premises will be monitored and protected by security to prevent unauthorised access to the information.

How does your Not For Profit entity dispose of hard copy personal information when it's no longer needed?

The Office of the Australian Information Commissioner suggests that acceptable methods of destruction of hard copy information involve pulping, burning, pulverising, disintegrating or shredding the information. Destroying the information that you no longer use in a manner that ensures that it is irretrievably destroyed or de-identified is imperative, particularly if the information contains sensitive information such as health, religious affiliation, sexual orientation or criminal history information.

Simple Privacy Mistake #2 – Incidental Unauthorised Disclosure of Health Information 

Mistake #2 – assuming consent to disclosure of medical information. In this case, an individual was debating certain theological propositions via email with his Doctor. The individual copied a number of his family and friends into one of the emails. The Doctor responded with a ‘reply all’ and whilst responding to the theological matters raised, noted that the individual had apparently suffered from ‘delusional depression.’

The individual complained to the Information Commissioner, stating that he had not consented to the disclosure of his medical information to his family and friends.

Among other things, the Commissioner found that the Doctor’s disclosure of the individual’s information was not made for the primary purpose of provision of health care and accordingly was in breach of the Australian Privacy Principle 6.2. The Doctor was ordered to pay the individual $10,000 in damages.


Not For Profit entities that manage health information (such as Aged Care service providers) are at particular risk of 'incidental' unauthorised disclosure of health information to family and friends and must take particular care in having appropriate privacy policies and procedures in place to protect patient health information.

If you require information about how to make your Not For Profit organisation privacy compliant, please don't hesitate to contact me for an obligation free discussion.

Simple Privacy Mistake # 3 – Providing a Benefit to Family Members, Constituting an Unauthorised Disclosure 

Mistake #3 – disclosing an individual’s car insurance details to his wife, daughter and queuing customers. In this case the individual’s wife and daughter attended an insurance office to discuss obtaining car insurance. During the course of the discussion, a staff member at the insurance office accessed the individual’s car insurance policy with a view to offering the wife the same no claim bonus discount as that of her husband. The staff member discussed the individual’s insurance policy with his wife and daughter and, in addition, turned the computer monitor towards the wife, daughter and queuing customers such that his information was visible to them.

The individual complained to the Information Commissioner that the insurer had ‘interfered’ with his privacy by making unauthorised disclosure to his wife, daughter and queuing customers.

The Information Commissioner found that the insurer had improperly disclosed the individual’s information to his wife and daughter and awarded damages in the sum of $2,000. (Unauthorised disclosure could have been prevented if the insurer had a provision covering disclosure to family members in its Privacy Policy). The insurer was required to issue an apology to the individual and the Commissioner recommended that the insurer review its staff training procedures.

This mistake was costly to the insurer in terms of brand damage, compliance with enforceable undertakings, money and time. Because some Not For Profit organisations play a large part in management of interactions between family members, it is imperative that controls are in place to prevent inadvertent unauthorised disclosure of personal information about an individual to other family members without the individual’s consent (even when such a disclosure may ultimately be for the benefit of the individual). In addition, care must be taken to ensure that personal information is not inadvertently disclosed to the general public on computer screens, in files at the front reception desk or in a document left on the front seat of a car (for example).

You can avoid the adverse consequences of privacy breach by getting privacy compliant now. Contact our Legal Director, Angela Stackelbeck at Touchpoint Legal to arrange a complimentary discussion about how we can help your Not For Profit to comply with its privacy obligations.

This blog is for information purposes only, does not constitute legal advice and should not be relied upon as such. If you require legal advice please contact us or another registered legal practitioner.

About The Author

Angela Stackelbeck

Angela Stackelbeck is a Legal Director at Touchpoint Legal. She has practised law in Sydney in large corporates and private practice, for over 20 years. Angela's broad experience allows her to uniquely offer the dual benefit of practical legal expertise gained in private practice and commercial pragmatism learned from the in-house environment. You can contact Angela at or on 02 8005 0692 or 0404 872 644.