22 May 2024

Address to the Fundraising Institute of Australia

Note

Guardians of generosity: privacy and philanthropy in Australia

Thank you to the Fundraising Institute of Australia for inviting me to address your annual Essential Member Update, and for bringing together this group of people with such an important role in the viability of our charity sector.

I am speaking to you from Brisbane, where I have just addressed the Queensland Volunteering Awards. I acknowledge the Jagera people and the Turrbal people as the Traditional Custodians of Meanjin, and pay my respects to all First Nations people present.

Labor governments are reforming governments, and in 2 spaces that have key significance to charitable fundraising there are some meaningful changes underway.

At the state and territory level, fundraising regulations are being updated to reflect the agreed National Fundraising Principles and to provide charities, fundraisers and donors with consistent regulation across jurisdictions. And at the federal level, the Attorney General is in the process of reforming the Privacy Act.

That second, far reaching reform is the key backdrop to the remarks I’ll make today. There are meaningful, constructive conversations we need to have to settle the shape of those reforms and I want share some touchstones that I hope will be useful as you think about how best to further the interest of your sector in those future conversations.

Some starting presumptions. If you’ve joined this forum, you’re a friend to charities and a friend to the Australians whose donations support them. We have that in common.

I’m going to also presume that you are partners to our government’s commitment to double giving by 2030 and to harmonise fundraising laws across our state and territory jurisdictions.

So we are all allies in working to provide the best possible foundation for Australian charities and their amazing workforce to give the best possible service to our communities.

And as friends of the charity sector, we have some challenges ahead.

These are challenges we’ll need to navigate together – so I want to share some of our established principles, and also some of our anxieties.

I’ll start with our anxieties because they will tend to shape how we pursue our principles.

Last year, Brisbane‑based telemarketer Pareto Phone was hacked. Tens of thousands of donors to dozens of charities — including the Fred Hollows Foundation and the Cancer Council — had personal details such as their birthdates and address published on the dark web. Two months later, Pareto Phone collapsed. More than 100 people lost their jobs.

Pareto Phone was well respected in the industry. It was trusted by major brand‑name charities. It was playing an advisory role in the sector, helping peers interpret industry codes. Pareto Phone was not an outlier, not a cowboy outfit.

But the hack exposed problematic data management practices. Staff spoke of client data that was 15 years old, suggesting systems that had rolled over year‑on‑year having been established in a time when lax practice was less likely to lead to system‑wide leaks.

To be clear, based on what’s reported of Pareto Phone’s practices, their observance of relevant acts and codes was less diligent than it should have been. Guardrails and safety nets existed, but they chose to work around them.

The episode was a prompt for fundraisers and their clients to do their own health and hygiene checks. Ultimately, I hope that benefits donors. But Pareto Phone’s collapse also highlighted how drastically different the terrain has become over a decade of radical change.

The risks aren’t just high‑tech hacks.

A week before Christmas 2023, the ABC ran a story about John Carter – a generous 73 year old from Bendigo.[1] Mr Carter ‘nearly drained his savings giving to charity’ and ‘his family say those who targeted him need to be put on notice.’

Mr Carter’s donations were set up through inbound telemarketing, and whether it was his generosity or vulnerability, the calls saw him donating $18,000 to support 22 different charities over a 5‑year period.

Mr Carter recounted pushy calls, he recalled how he mentioned his pension to operators who sought to persuade him to support urgent campaigns.

His family became concerned that Mr Carter was drawing down on his savings to keep up with his monthly commitments.

The family now want the story – which Mr Carter believes would ultimately have ended with his bankruptcy – to serve as a caution to fundraisers.

Mr Carter’s nephew recounted ‘The lady in the bank, she said she’s seeing it more and more. The elderly come in and they don’t know how to cancel them.’

That question of what real donor consent looks like and how to pitch opt‑out settings appropriately will be key in forthcoming conversations about how Privacy Act reform should be calibrated against the needs of small business and charities.

But I need to sound another note of caution.

Another story of financial misadventure, with its origins in a direct mail deluge of charitable fundraising requests.

Last year, a fellow member of parliament passed on the story of Joline, a teacher in Mount Mee, a small town 15 kilometres west of Caboolture. Joline’s elderly uncle had found himself in difficulties with his bank after his account had been overdrawn by his regular giving arrangements. Joline wrote:

Recently, my uncle who has just turned 79 years of age in June, was contacted by his bank due to fraudulent payments taken from his account. This required the issuance of new cards for his account. The bank also printed a few pages of his latest statement and highlighted where consistent amounts were being deducted from his account by several not‑for‑profit organisations.

On review of the statement pages and collecting together the many letters around my uncle’s home from not‑for‑profits, I have found at least twenty‑6 organisations that have been sending donation requests to him.

They have been taking a minimum of $30, however, usually $60 and at least 2 organisations have been taking $100 monthly. Yes, this was of course with his permission, however, he has been targeted after donating to one organisation and has not kept track of how many he has approved. This is an issue with elderly who are not remembering how they are spending their money.

I know that experiences such as Joline’s likely reflect a small sample of donor experience, but they do resonate. And the questions they beg need good answers. Joline included photographs that showed a removal box full of direct mail appeals from Australia’s best‑known charities, a living room floor thickly carpeted with envelopes holding donation requests.

On one hand, it reflects the calculus behind the important work fundraisers do to support chartable work, on the other, it paints an unlovely picture which, to put it plainly, reasonable people do not see as fair.

I acknowledge that these are unusual cases, I should emphasise that I don’t see them as typical. But I do know that these stories have a heavy impact, which creates ripples that disturb public trust and confidence.

Whether the harm stems from poorly understood opt outs or lax data security, whether it’s traditional direct marketing or digital public trust – when we see supporters and donors let down, it’s natural to take their side.

I think it’s helpful to revisit a few of the principles we agreed with states and territories as the grounding principles for harmonising charitable fundraising regulation.

I think of this as an agreement that all parties with an interest in public support for charities have a stake in – these are the assurances we gladly extend to generous Australians who sustain charities with their giving.

  • Principle 8 – Never exploit the trust, lack of knowledge, lack of capacity, apparent need for care and support, or vulnerable circumstances of any donor.
  • Principle 9 – Always make it clear whether a donation is a one‑off or an ongoing donation, and clearly explain how to end an ongoing donation.
  • Principle 11 – Conduct all reasonable due diligence when engaging third parties to assist, support or deliver fundraising activities on its behalf.
  • Principle 15 – Ensure information covered by the Privacy Act 1998 (the Act) is collected, used and managed in accordance with the Australian Privacy Principles where required under the Act.

You can think of the national fundraising principles as the traits that define the exemplary charitable fundraiser, but also as the minimum necessary standard in maintaining a social license to operate. Importantly, given where we find ourselves in our journey to Privacy Act reform, those principles directly commit fundraisers to close observation of the Privacy Act.

Under that reform program, which is being led by the Attorney General, the government is proposing changes to privacy laws which will likely require some change in the mechanisms that support regular giving and third‑party fundraising.

The reforms seek to:

  1. Bring the Privacy Act into the digital age – by recognising the public interest in protecting privacy and the changing scope of entities and types of information that should be protected;
  2. Improve control and transparency for individuals over their personal information – by creating better notice and consent mechanisms;
  3. Uplift protections – by requiring entities to be accountable for handling individuals’ personal information in keeping with community expectations;
  4. Strengthen enforcement powers of the Information Commissioner; and
  5. Increase clarity and simplicity for entities and individuals.

There will be a conversation about how the government’s priorities are implemented, and I know that many of you have directly or indirectly contributed to that conversation already.

So while the government is still considering the extent of the reforms needed to adapt the Privacy Act to the radically changed ecosystem in which our personal information and data now exist – and how to adapt the Act to the community expectations that are evolving as more and more people experience the vulnerability of their most closely protected data – while those policy questions are still being resolved, there’s a provocation I want to share with all of you who are planning to contribute to that conversation.

Accept that change is necessary and help us shape that change.

Change is necessary for the practical reasons of establishing up to date protocols for managing personal information and for civilising the cyber frontier.

It’s necessary, that is, so that the personal information and the intentions of donors are properly respected and safeguarded, in keeping with their value.

But beyond that responsibility to each donor, fundraisers carry an accountability for the trust and confidence the community invests in the charity sector broadly.

When I talk about charities, I like to focus on their passion, their ingenuity, their hard work and their expertise. I talk about how they create connections, support the vulnerable and build better places to live. But I don’t think you’ll be surprised to learn that when people are writing to me about charities, it’s rarely about that good stuff.

In Australia we have some iconic charity campaigns, there are routine moments in the yearly schedule of public events where charities and their impact are front and centre. But when you look back at the moments where charities loom largest in the mainstream media, the tone of the conversation is often outrage rather than celebration.

I’ve touched on a few of those stories. There are more, but I know the fundraising profession is acutely aware of them and already take those risks seriously, and I know the codes you observe greatly mitigate those risks.

In spite of these reputational spot fires, the charity sector remains highly trusted – but we all know that every bad news story chips away at that trust. And from a fundraising perspective, that diminishes the returns which the good standing of the sector underwrites.

The value of what the fundraising profession delivers is irrefutable. If the Benchmarking Project’s estimates are accurate, direct marketing activities generate 37 per cent of the more than 10 billion dollars that Australians donate to charities each year.

Your value is not in question, but you must all feel that the jeopardy around how you create this value is intensifying.

My aspiration for the fundraising sector is that its impact builds as our culture of giving grows, and as our goal of doubling giving gets closer. But unless we take this opportunity to manage that jeopardy, that aspiration feels precarious.

Last year, alongside the review of the Privacy Act, the Office of the Australian Information Commissioner conducted a survey to measure community sentiment about the security of personal information.[2]

Keeping in mind the kinds of risks I’ve already signalled, I want to share some of the survey’s findings. Of Australians surveyed:

  • Only 32 per cent feel in control of their data privacy
  • 84 per cent want more control and choice over the collection and use of their personal information.
  • 89 per cent would like the government to provide more legislation in this area.

Those numbers are important because they suggest the anxieties and expectations donors will be bringing to their engagements with charitable fundraisers. The numbers also confirm that Australians are looking to the government to drive changes that will give them more protection and more control.

That’s certainly a signal we need to recognise.

The Privacy Act Review Report contains 116 proposals, across the whole economy, which aim to strengthen the protection of personal information and the control individuals have over their information. The proposals seek to support safe and effective use of digital technologies and to align consent and opt out mechanisms more closely with current public expectations.

Many countries have gone ahead of us on this, meaning that by international standards Australia’s current privacy settings are an anachronism.

In responding to the review’s 116 proposals, the government has agreed to 38 proposals, which are being drafted as legislation, and we’ve agreed in principle to 68.

So, we have agreed in principle to amend the definition of consent, to provide that it must be voluntary, informed, current, specific, and unambiguous (Proposal 11.1).

And we have agreed in principle to introduce a requirement that an individual’s consent must be obtained to trade their personal information (Proposal 20.4).

These are key proposals for direct marketing and for third party data sharing arrangements.

So let me clarify what agreed in principle means. It means the agreement will be subject to further engagement with regulated entities and a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities.

The government’s response to the Privacy Act review is grounded in some basic truths that no organisation can ignore. These include that Australia can no longer afford to have inadequate privacy protections, and that organisations’ sustainability relies on the ability to protect personal information.

I believe this is also true for charities and for fundraisers.

I’m very much aware of the additional degree of difficulty charities face, relative to business, in adapting to the contemporary data ecosystem.

As Chair of the Community Council of Australia, Reverend Tim Costello recently pointed out:

‘Charities are caught between a rock and a hard place trying to balance legitimate community expectations and the soaring cost of keeping data safe.
‘Helping the sector achieve this is vital to ensuring ongoing public confidence in supporting organisations that serve our communities’

The Australian Government knows that we need to understand both the benefits and economic costs of Privacy Act reform. With your help, we’ll work to achieve the right balance.

And we know that for smaller organisations, the investment involved in managing new risks and meeting community expectations on choice and security will create a new claim on scarce resources.

I know fundraisers and charities have already started to make the case that the charities will need the same transitional support as small business. I can promise I will be an ally in making that case.

But these reforms, and the work we’re doing to deliver fundraising harmonisation, will help the sector. They don’t put a handbrake on the value you generate, they are one of the ways we can guarantee it into the future.

This foundational work on the key undertakings that protect public confidence to share their information and share their generosity, is vital to our shared goal of boosting giving and supporting a stronger sector.

The generosity of Australians who give their money to support a cause creates an obligation on government charities and fundraisers to ensure fundraising exchanges are safe and unambiguous.

Working together, we can strengthen the confidence that Australians have in our charities. We can achieve the goal of doubling philanthropy by 2030. And we can shape a kinder, more inclusive and more connected society.


References

[1]John Carter nearly drained his savings giving to charity – his family say those who targeted him need to be put on notice’, Jemima Bury, Sunday 17 December 2023.

[2] The Australian Community Attitudes to Privacy Survey is conducted every 3 years.