Just like any other organisation in the digital economy today, charities and not-for-profits (NFPs) regularly collect and handle large amounts of personal information, ranging from contact details to financial information of their supporters.
However, as the Privacy Commissioner recently noted in a blog post, many NFPs are under-supported when it comes to investment in IT systems and data security. This has led to, among other data privacy concerns, NFPs handling excessive amounts of personal information long past when it could be deemed necessary, which not only fails the “sensible” test but also the test of lawfulness.
The recent Oxfam enforceable undertaking highlights privacy risks facing NFPs and sets expectations for how to comply with the Privacy Act 1988 (Cth) (Privacy Act) and Australian Privacy Principles.
In January 2021, Oxfam Australia (Oxfam) experienced a data breach of 1.7 million records. The stolen data, which were eventually posted on the dark web, included some of their supporters’ names, addresses, dates of birth, donation histories and financial information.
After three years of investigation, on 20 December 2024, the Privacy Commissioner accepted an enforceable undertaking from Oxfam, which included commitments to:
Details of the Oxfam data breach investigation and enforceable undertaking were published in a media release on 20 February 2025.
The Privacy Commissioner targeted NFPs in commentary surrounding the Oxfam data breach and used the findings of the Oxfam investigation to clarify the OAIC’s privacy guidance for not-for-profits, which was last updated in October 2024. The guidance now includes expanded advice on the security of personal information, and steps that NFPs can put in place to meet their retention and destruction obligations.
These are the key lessons for NFPs arising from the enforceable undertaking and subsequent commentary.
Personal information held past its retention period should be viewed as a liability in an environment of frequent data breaches, and entities should check whether their requirements to destroy or de-identify data are actually being followed. Personal information should only be collected when necessary. That information should be stored securely and deleted when no longer required. NFPs should have systems and processes to regularly review whether information is still required, and to destroy or de-identify information once it is redundant.
The Privacy Commissioner has commented that the Oxfam enforceable undertaking establishes a seven-year baseline for NFPs to assess their own data retention policies. Privacy Act compliance may be scrutinised if an NFP retains personal information beyond this seven-year threshold for no reason.
NFPs with an annual turnover of $3 million or less are not regulated entities under the Privacy Act. However, building a relationship of trust is fundamental to encouraging donations. Hence, bad publicity from a data breach can stunt NFP revenue.
NFPs should have a data breach response plan which staff are familiar with. Being able to act quickly mitigates damage – including damage to affected individuals – and reduces the risk of being penalised by the OAIC.
NFPs should take reasonable steps to ensure that the privacy practices of third-party providers, for example software vendors or fundraising partners, meet the expectations of the NFP and the wider community. To do so, NFPs should carefully read the terms of their agreements, conduct periodic reviews of those arrangements and ensure third parties delete any personal information once a contract ends.
The Privacy Commissioner expressly said that in accepting the enforceable undertaking, she was “conscious of the impressive work Oxfam ha[d] done to overhaul its security systems and processes already since the regrettable breach.”
She also noted that since the breach, Oxfam worked “collaboratively” with her across the investigation and even contributed to an awareness raising campaign directed at NFPs to avoid similar breaches.
While the appropriate response to each data breach is case specific, Oxfam’s proactive and cooperative approach is a valuable case study for how a party may engage with the Privacy Commissioner and other regulators with similar investigation and enforcement powers.
The Oxfam data breach and Privacy Commissioner’s commentary should sound alarms for NFPs.
Committed staff tend to dedicate resources to beneficiaries and programs rather than operational infrastructure. Despite best intentions, skimping on data security has left the NFP sector unprepared for the risk of data breach – endangering and dissuading donors.
The Bird & Bird Australian Data Protection team’s pro bono offering makes a data security overhaul accessible for NFPs. Good privacy practices, policies and procedures are integral to privacy compliance and to building trust. Privacy threshold assessments and privacy impact assessments cannot be neglected for projects dealing with personal information.
If a data breach does occur, Bird & Bird offers its Breach Counsel Platform project management tool to mitigate harm to NFPs and their donors.
To access the Bird & Bird pro bono offering, contact Commercial – Tech Transactions partner Nick Boyle or Pro Bono Committee head and Intellectual Property partner Rebecca Currey.
This article was written with the assistance of Jonathan Wong and Gianluca Pecora.