Why the NFP exemption does not mean no obligations
Many not-for-profit and charity leaders assume they are exempt from significant AI governance requirements because they are not a commercial enterprise. This assumption is often wrong — and specifically wrong about the Privacy Act.
The Privacy Act's small business exemption — the AUD $3 million annual turnover threshold — does not apply to organisations that collect sensitive information, provide health services, operate under government contracts with privacy conditions, or serve children. Most charities and NFPs in service delivery collect health information, sensitive personal information about vulnerable people, or operate under government funding contracts that impose Privacy Act requirements. The exemption may also not apply to your fundraising function if it involves processing sensitive financial or lifestyle information.
The ACNC's governance standards add a second layer. Governance Standard 5 requires responsible persons to act in the charity's best interests with reasonable care and diligence — which courts and the ACNC have interpreted to include understanding and managing material risks. AI used in service delivery, fundraising, or administration is a material operational risk for most charities, and responsible persons who are not engaging with it are not meeting their governance obligations.
AI in fundraising: what to know
Fundraising is one of the most active areas of AI adoption in the NFP sector — AI-assisted donor segmentation, AI-generated appeal letters, AI-powered major donor identification, and AI-driven digital fundraising campaigns are all in use. Each creates specific governance considerations.
Donor profiling and segmentation using AI involves processing personal information — potentially including inferred income, lifestyle, and giving capacity data. If the profiling uses sensitive information (health status, ethnic background, political views), the APPs require a lawful purpose and appropriate consent. APP 6 restricts using donor information for purposes beyond what the donor reasonably expected when they gave it.
AI-generated fundraising communications — including personalised appeal letters generated from donor data — must comply with Australian Consumer Law's prohibition on misleading conduct, even in the charity context. AI hallucinations that produce inaccurate impact statistics or fabricated beneficiary stories are both a compliance risk and a reputational one.
Service delivery AI and NDIS obligations
AI in service delivery to people with disability through NDIS-funded services is subject to the NDIS Quality and Safeguarding Commission's requirements on participant rights and provider obligations. Decisions that significantly affect a participant's supports, living arrangements, or care plan — including decisions assisted by AI — must respect participant choice and control, be explainable, and have a human review pathway. AI that allocates support hours, recommends care interventions, or influences case management without meaningful human oversight raises compliance concerns under the NDIS practice standards.
The right approach for resource-constrained NFPs
For most Australian NFPs, the right starting point is the AI6 Foundations tier: six essential practices implemented at a basic level with the free NAIC templates. Three things together represent a defensible baseline that is proportionate to the resources of most charities: a one-page AI use policy; an AI tool register covering what AI your organisation uses, who is responsible, and whether each tool has been assessed against Privacy Act requirements; and a named board or senior staff member responsible for AI governance.
The NAIC's free tools at industry.gov.au include an AI policy template, an AI system register template, and an AI screening tool. These are practical starting points that do not require external consultants to implement. The AI6 guidance also explicitly addresses smaller organisations in its Foundations tier.