By Alec Christie, Partner, and James Wong, Associate
Digital technologies – whether your online presence, information systems, impact measurement tools or communication channels – are now mission-critical for NFPs and social enterprises. Are you on top of your associated legal risks?
1. Whistleblowing and integrity
2019 saw the introduction of a significantly expanded whistleblower protection regime, which applies to a broad range of organisations including many not-for-profits (NFPs) (but generally not those with less than $1 million in annual consolidated revenue).
Staff of relevant NFPs who report a broad range of conduct (including ‘misconduct’ and an ‘improper state of affairs’, whether or not the whistleblower reveals their identity and whether or not they act in ‘good faith’) must now be protected in ways specified in the law.
If the updated regime applies to you, a compliant whistleblowing policy must have been implemented by 1 January 2020. This policy must include certain mandatory content. The maximum penalty for not having a compliant policy is $126,000.
2. Does GDPR apply to you?
The EU General Data Protection Regulation (GDPR) introduced major new privacy, security and marketing obligations and rights from 25 May 2018. It also has a much wider application outside of the EU and to non-EU companies than the previous EU privacy laws and covers charities and NFPs. Generally, the GDPR may apply if you seek donors in, provide goods/services into and/or monitor/track individuals in the EU (including the UK). However, there is much ‘folklore’ and thus confusion around when the GDPR may or may not apply to Australian NFPs.
Failure to comply with the provisions of the GDPR, where applicable, may result in fines of up to the greater of €20m or 4% of annual global turnover. GDPR compliance programs are expensive (average US company spend has been around US$1-2m) and often require new technology in order to meet GDPR requirements. If you’re unsure (as many clients are), the first step is to obtain advice as to whether or not GDPR actually applies to your NFP (before embarking on an expensive GDPR compliance program).
3. Consumer expectations around privacy
The expectations of supporters, clients and communities are changing and, for better or worse, this raises the bar when it comes to managing their personal information. Boards and NFP leaders need to adapt to the new paradigm. Key challenges for NFPs and social enterprises include:
- on-boarding – what information do you collect when new donors, volunteers, clients or stakeholders register with you?
- health information – if you are providing community, child or aged care services or your work touches on public/global health or development issues, you’re very likely to be collecting and holding health/medical data. Special legal requirements apply and the public will hold you to a higher standard. Are you managing health information properly?
- data retention and record-keeping – if you open up your donor/support database, you are likely to find a lot of records relating to people who haven’t engaged with you in many years. Keeping this information is likely to be unlawful. Furthermore, with a ‘right to be forgotten’ in other jurisdictions, consumers’ expectations around how long you keep their data are changing. When did you last check your data retention policy?
- data breach readiness – see 7 below.
- third party providers – consumers understand that NFPs use third party providers but now expect that you will be transparent about which providers you use and how you manage privacy (e.g. through contractual requirements) and that you are responsible/liable for them. Is privacy compliance addressed in all your third party contracts?
As for your projects/programs, the Australian Privacy Principles (APPs) encourage privacy-by-design. Whenever you initiate a new project involving personal information (including a technology implementation), you need to be planning it with privacy compliance in mind from day one, not as a bolt-on at the end. We recommend formalising this by, at least, integrating your privacy impact assessment (PIA) process into your project methodology.
A PIA provides a systematic approach to assessing any changes to data flows, understanding the impact on privacy and identifying options for mitigating any negative impacts. Dealing with these issues upfront almost always saves significant expenditure later while building trust in your organisation. Best practice is to have a privacy management framework in place.
4. Moving systems to the cloud
The majority of NFPs are taking advantage of the cost savings and convenience of cloud-based services as part of day-to-day operations. That could be in the form of CRM/marketing, communications, accounting, payments, ERP, human resources, project management and collaboration, fundraising, volunteer management, graphic design or file storage/backup.
What you may not be aware of is that, depending on your arrangements, using these services can amount to ‘disclosures’ of personal information, potentially in breach of privacy laws. In other words, the data that individuals entrust to your care could be shared in ways you have limited visibility over. If a cloud service provider were to mishandle personal information or become the subject of a data breach (whether malicious or accidental), this will damage goodwill and your public reputation.
It’s also important to make sure any contracts for cloud services work for you. In a resource-constrained environment, it’s important to check that agreements you enter into (including for the delivery of cloud services) give you exactly the benefits you need and no more (i.e. no ‘gold-plating’) and address all the potential digital risk issues (e.g. privacy and security obligations). It’s often worth getting your lawyers to review a cloud contract along with privacy and security arrangements before signing up to a new cloud service or renewing a contract.
5. Digital marketing
Marketing and communications are an essential business function for many NFPs and social enterprises. Digital marketing tools and services offer new and more effective ways of managing engagement with donors, clients, supporters, customers, philanthropists, local communities and peak bodies. However, we still see breaches of marketing and spam laws by NFPs based on common misunderstandings of such laws. Registered charities are among the few organisations exempt from some of the digital marketing rules that would otherwise apply. However, many NFPs see this as a ‘get out of jail’ card for all marketing activities. Unfortunately, it’s not!
Common pitfalls are permitted times for phone calls and failing to include sender information in an email/SMS message. Surprisingly, including a lawyer in the planning of your next digital marketing strategy will help you to design a more effective and compliant campaign or initiative.
6. Photography, media content and ‘free’ software
It goes without saying but wherever you use freely available resources (e.g. stock photos, sound/video clips, open source software) you need to check whether you have a licence (i.e. permission) to use them and confirm the scope of that licence. While most NFPs and social enterprises are on top of this, an uninformed staff member can trip you up and expose the organisation to hefty copyright infringement claims.
Additional requirements apply if you use photos that depict children. Here, training and awareness of an organisational IP strategy/policy is key (see 10 below).
7. Data breach readiness
You could be hit with a data breach at any moment. It could be something as simple as an email with the wrong attachment, a box of documents left by a courier outside reception or a phone slipping out of someone’s bag on the bus. When it hits, NFPs must be able to respond like clockwork using muscle memory from drills.
It is an expectation of the Privacy Commissioner that organisations have a data breach response plan to meet their obligations to notify all ‘eligible data breaches’. Putting the hefty penalties aside, effective data breach response is about protecting your donors, customers and your reputation. There are prescribed elements that every data breach response plan should feature but, importantly, it must be tailored to your NFP.
8. Process automation
If you are not employing robotic process automation to decrease workload, you probably should be. A variety of cheap and easy-to-use software packages are now available that can help you give time back to your employees and volunteers so they can focus on making an impact in the community. With significant advancements in machine learning, automated decision-making is moving well beyond simple automation. You may be able to take advantage of AI technologies in your NFP.
Ensure that, whatever automation initiatives you undertake, you are compliant-by-design and have accounted for all potential sources of risk.
9. Governance, risk and privacy audits
Contending with a constellation of stakeholders, limited resources and elevated levels of public scrutiny, NFPs and social enterprises already have it tough when it comes to good governance and managing risk. With recent media and government attention on parts of these sectors, governance is more in the spotlight than ever. Noting Principle 5 (Risk Management) of the AICD’s NFP Governance Principles and the ACNC’s Governance Standard 3 (Compliance with Australian Laws) in particular, it’s becoming an expectation within the sector and of the public that you have in place a robust risk management framework that covers privacy, security and the management of information.
A privacy and security audit (where performed as part of your organisation’s internal audit program) or review (where performed outside of your internal audit program) is an incredibly powerful tool to determine your organisation’s current level of privacy and information security compliance. It delivers independent assurance as to where your NFP truly is, not where you think you are or where management hopes you are. A privacy audit/review can be comprehensive (covering your entire organisation and all privacy obligations) or targeted (covering specific business units and/or high-risk areas of compliance). When determining the scope of your next privacy audit/review, also consider including a review of contractual arrangements with third parties – this is a risk area often overlooked.
10. Managing your intellectual property
In the digital age your NFP’s IP can be among your most important assets, e.g. your ‘brand’. However, you may not even have a record of what IP you own or use. Current and future revenue streams or campaigns likely have an IP component behind them.
It is also important that you do not infringe the IP rights of other individuals and organisations. This could easily occur if, for example, a junior staff member uses a picture found online in an NFP campaign publication.
Most NFPs should have an IP management handbook (including an IP management policy) that covers both protection and non-infringement of IP. This can be straightforward for some NFPs but may need to be quite comprehensive if your NFP has, for example:
- training materials, reports or other print publications;
- distinctive branding;
- computer/mobile apps; and/or
- patentable innovations/inventions.
Your handbook should also cover how you manage confidential information, moral rights, training and awareness for your people, use of open source and Creative Commons-licensed materials and licensing-in and licensing-out of IP in your dealings with suppliers, partners and customers.
Please do not hesitate to contact us if you have any questions or if we can assist you on any of these (or your other digital law) matters.