Author: Dan Briggs | Published: 16 July 2026 | Reading time: 2 minutes
The Office of the Australian Information Commissioner has closed its preliminary inquiries into the Qantas breach without opening a commissioner-initiated investigation. As Cyber Daily reported today, the regulator found nothing to suggest Qantas had failed to take reasonable steps to protect the personal information it held, or failed to take reasonable steps to ensure its overseas third-party provider complied with the Australian Privacy Principles. Privacy Commissioner Carly Kind put it plainly: “Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information.”
Read that second limb again, because it’s the part that should worry not-for-profits. The 2025 Qantas breach didn’t start in Qantas’s own systems. It came through a call centre’s access to a third-party customer service platform holding service records for six million people. NFPs are wall-to-wall third parties: the donor CRM, the fundraising platform, the outsourced telefundraising crew, the volunteer rostering tool, the grant portal. Every one of them holds supporter data, and under APP 8 you’re still on the hook for it.
The gap we see almost every time
Nearly every not-for-profit we onboard can name its two or three big platforms straight away. Almost none can produce a complete list of every third party holding supporter data — the legacy mail house, the events registration tool a chapter signed up for on someone’s personal credit card, the survey platform left over from a 2023 campaign. That shadow list is exactly where the OAIC’s “reasonable steps” question bites, and you can’t demonstrate reasonable steps over vendors you’ve forgotten you have.
So build the register. Every vendor, what data they hold, where it’s hosted, whether it’s offshore. Check the contracts actually impose APP obligations and a breach notification timeframe you can live with. Then write down what happens in the first hour — the OAIC’s report specifically noted that Qantas’s response time and incident management mitigated the damage. Being breached wasn’t the finding. Being unprepared would have been.
If you’re not sure what’s on your list, that’s the answer to the question. We help Australian not-for-profits map their data, tighten their vendors and document a response plan that holds up — start with our not-for-profit IT services, or have a chat with us.
Related Guide
IT Services for Not-for-Profits
Learn how we help NFPs operate efficiently and stay compliant.
