Starting 1 July 2026, more than 100,000 Australian small businesses will lose their longstanding exemption from the Privacy Act — and most of them don’t know it yet. As reported by Helios Salinger, changes to the Anti-Money Laundering and Counter-Terrorism Financing (AML-CTF) Act will drag lawyers, conveyancers, accountants, real estate agents, and dealers in high-value goods into full Privacy Act compliance for the first time.
For not-for-profit organisations, this matters more than you might think. If your NFP works with accountants, lawyers, or real estate professionals — and nearly all do — those service providers will soon be required to handle your donor data, financial records, and operational information under stricter rules. That’s a good thing, but it also means your data-sharing agreements and privacy expectations need to match. If your accountant now has formal obligations under the Privacy Act, your own data governance should be up to the same standard. The OAIC has already shown it’s willing to enforce, having launched its first-ever compliance sweep earlier this year targeting businesses that collect personal information in person. Penalties for non-compliant privacy policies can reach $66,000 per contravention.
If you’re an NFP with turnover under $3 million, you’re still technically exempt — for now. But the direction of travel is clear: the small business exemption is shrinking, and the regulator is getting more active. Now is the time to audit your data collection practices, draft or update your privacy policy, and make sure your staff understand what personal information you hold and why. Don’t wait for the OAIC to come knocking.
All IT Services helps not-for-profit organisations build practical, compliant IT environments — including privacy policy support, data governance, and staff training. Learn more about our NFP IT services.
