Privacy Awareness Week 2026 ends today, with the OAIC running this year under the theme “Trust is built here — in every privacy complaint.” It’s landed at the same moment the regulator’s first proactive privacy compliance sweep is in full swing — about 60 organisations are being reviewed, and entities with non-compliant privacy policies face infringement notices of up to $66,000 per contravention. For not-for-profits, it’s a useful nudge to actually do the work, not just put up a banner.

The shift matters for NFPs more than most. The 2024 Privacy Act reforms removed the historical exemption for organisations under $3 million in turnover, so a lot of mid-sized charities that were previously out of scope now sit squarely under the Notifiable Data Breaches scheme. At the same time, NFPs are an increasingly common target — the LockBit ransomware crew listed the Aeromedical Society of Australasia earlier this year, and Australia’s aged care and disability sectors keep showing up on leak sites. Donor records, volunteer details, grant reporting data and client case notes are all personal information under the Act, and most NFPs are sitting on more of it than they realise.

Use the rest of this week as a small audit. Check that your privacy policy actually reflects what you do with data, and that it’s easy to find from your homepage. Map where personal information lives — CRM, fundraising platform, email lists, shared drives, board portal — and confirm who has access. Make sure your data breach response plan exists, names a person, and has been tested at least once in the last 12 months. None of this is glamorous, but it’s exactly what the OAIC will look at first if something goes wrong.

If you’d like a hand getting a baseline together without burning a week of staff time, our team works with NFPs across the country and can run a focused review — see our not-for-profit IT services for how we usually structure it.