The Growing Importance of Data Privacy for Queensland NFPs

Every hour, 10 cyber-crime reports are received by the Australian Cyber Security Centre (ACSC) – and nonprofits are not exempted from these attacks:

• Over 70 charities were affected by last year’s data breach on Pareto Phone, a firm that collects donations from nonprofit supporters. Credit card and other personal information of at least 50,000 individuals were published on the dark web.
• Attackers targeted children’s charity The Smith Family, exposing around 80,000 details – including names, addresses, phone numbers, email addresses, donation records, and the first and last four digits of credit or debit cards.
• A cyber incident also happened at the not-for-profit (NFP) provider of health and aged care services, St. Vincent’s Health Australia, with 4.3 gigabytes of data reportedly stolen from their network.

Why Cyber-Attacks on NFPs are Rising

At least three reasons are behind the increasing cyber incidents experienced by NFPs:

1. More and more nonprofits are embracing digitisation and automation. This trend is expected to increase their exposure to cyber risk.
2. NFPs are easy targets because cyber criminals assume that they lack sufficient cyber security resources and expertise.
3. Many nonprofit organisations handle sensitive information, which are attractive to cybercriminals.

Donor data and client records represent goodwill and trust. For donors, it’s a testament to their belief in the mission of the NFP. For clients, these records represent their personal journeys, often shared in confidence. As data custodians, nonprofits must keep fortifying their digital defences.

Data Privacy Regulations

The Australian Charities and Not-for-profits Commission (ACNC) emphasises the legal obligation for nonprofits to comply with requirements concerning people’s information and data, as outlined in the Privacy Act 1988.

The Privacy Act 1988

Nonprofits in Queensland may be subject to the Privacy Act 1988 if they collect and store people’s information and data, or their annual turnover exceeds $3 million, or if a nonprofit opts in, or in certain other circumstances as described in our article Understanding the Privacy Act Review: Its Impact on Nonprofits, Medical, and Education Sectors.

Here’s how they are to comply:

• Develop a Privacy Policy that outlines how the organisation collects, stores, and uses people’s information and data
• Manage information and data in accordance with all legal and ethical responsibilities
• Implement security measures for storing personal information
• Obtain consent when collecting sensitive and health information
• Inform individuals about the collection of their personal information and its purpose

A good rule of thumb is to consider that all privacy laws apply to your organisation, especially following the recent updates. Data privacy compliance can also:

• Build trust with donors, supporters, and members
• Ensure that a nonprofit meets their legal obligations
• Improve the reputation and community support to an NFP

Health Services Act 1991 (Qld)

For nonprofits in the health sector, the Health Services Act 1991 (Qld) provides the framework for the organisation, management, and delivery of health services in Queensland.

The Act prohibits health staff from disclosing confidential information about a person who is receiving, or who has received, a public sector health service if the person could be identified from the information.

It’s important for health organisations to understand these provisions and ensure they are complying with them. Non-compliance could lead to legal consequences and damage to the organisation’s reputation, so it is best to consult with a compliance professional and stay updated with any changes to the Act.

Data Breach Risks Faced by Nonprofits

Data breaches are a constant threat to nonprofit organisations with consequences potentially undermining their mission. They’re facing digital risks as well as personal, financial, and reputational.

Immediate Risks

When sensitive information is compromised, it can lead to identity theft, financial loss, and fraud. For instance, the Pareto Phone breach highlights the vulnerability of nonprofits to cyber-attacks and the importance of strong cyber security measures.

Damaged Trust

The ramifications are not limited to the immediate financial impact. They can erode the hard-earned trust between nonprofits and their supporters, potentially leading to a decline in donations and volunteer engagement.

Harm to Reputation

The reputational damage can be long-lasting and more costly than the initial data loss. The risks also include legal consequences, especially with the mandatory data breach notification schemes in Queensland.

Far-reaching Impact

A breach on one organisation can affect individuals, but it can also lead to a loss of confidence in the nonprofit sector. NFPs thus need more stringent data protection and compliance practices.

What NFPs can Do for Data Protection

Just like any other sector, Nonprofits must invest in cyber security, educate their staff and volunteers about cyber threats, and establish clear protocols for data management and breach response.

Here are some best practices for data security and privacy you can quickly implement:

• Multi-factor authentication (MFA), as a barrier against unauthorised access
• Regularly updating your systems, which is a key to cyber resilience
• Maintaining backups, which can be your lifeline in case of a disaster

It can be critical for nonprofit organisations to implement data management protocols and prepare for potential breaches with clear response strategies. Every NFP must have clear procedures for a rapid breach response, transparent communication, remediation steps, and an IT disaster recovery plan.

The Importance of NFP-specific Cyber Security Expertise

NFPs have to level up their cyber security expertise, now more than ever before. One way to do it is via a cyber security services provider with significant experience in the Not-For-Profit sector.

ADITS have been supporting NFPs for a number of years as we align with your values of community impact and positive change. We are committed to empowering your organisation to advance your mission with technology operating seamlessly behind the scenes.

Why is it important to have IT and cyber security services that are specially designed for nonprofits?

• Customised Solutions: Nonprofits have distinct needs and missions. When IT services are customised and technology aligned with their specific goals, NFPs are enabled to create a stronger impact efficiently.
• Proactive Monitoring: With dedicated monitoring of systems and software, potential issues in the sector can be detected early, minimising disruptions, and maintaining operational continuity for nonprofits.
• Cyber Security: Protecting sensitive data should be a top priority for any NFP. Tailored cyber security measures will safeguard your mission against increasing cyber threats, ensuring trust, and compliance.
• Strategic Support: Access to experienced IT professionals who understand the nonprofit sector can simplify technology management and reduce costs, allowing organisations to focus on their core mission without tech-related distractions.

In essence, specialised IT and cyber security services will empower you to navigate the complexities of technology with confidence, ensuring donor data security for non-profits and that you remain focused on making the world a better place.

Did you know ADITS can help you with your application for discounted Microsoft licences too? Simply book a consultation and we’ll guide you through the process.

Cyber Security and Data Privacy for the NFP Sector

As much as board members have an obligation to protect their donor and volunteer data, we also understand that you don’t all have to be tech savvy. Keeping up-to-date with the state of cyber security in Australia, and learning more about your liability as well as understanding the difference between security and compliance, can be overwhelming.

As it is your role as a board member to instil a cyber security and data privacy culture from the top throughout your organisation, enquire about our tailored cyber security training to receive the knowledge that will make you confidently lead your organisation: