AI Governance for Australian Not-for-Profits and Charities: What the ACNC and Privacy Act Require
NFPs and charities using AI for fundraising, service delivery, and administration face the same Privacy Act obligations as commercial organisations — plus ACNC accountability requirements and donor trust considerations that make governance especially important.
Key Takeaways
The Privacy Act small business exemption does not apply to most charities and NFPs. If your organisation handles health information, provides services to children, receives government grants with privacy conditions, or collects sensitive information from vulnerable people, the Australian Privacy Principles apply in full.
The ACNC's governance standards — particularly Standard 2 (accountability to members) and Standard 5 (duties of responsible persons) — create an obligation for charity boards to understand and oversee material risks, including AI governance. AI in service delivery or fundraising is a material risk for most charities.
AI in fundraising creates specific risks: donor profiling and targeting using AI may require specific consent if it involves sensitive information; AI-generated fundraising communications must not be misleading; and AI-driven major donor identification involves processing personal financial information that triggers Privacy Act obligations.
AI in service delivery to vulnerable people — disability services, aged care, mental health services, family violence services — creates heightened obligations. Services funded through the NDIS are subject to NDIS Quality and Safeguarding Commission requirements that apply to algorithmic and AI-assisted service decisions.
The AI6 Foundations tier — the baseline six essential practices — is explicitly designed for smaller organisations and is free. The NAIC's AI policy template and AI system register are the right starting point for a charity with limited resources.
Donor and community trust is a major asset for NFPs. Being able to demonstrate responsible AI governance — explaining what AI you use, why, and how you protect beneficiary data — builds that trust. AI governance for NFPs is not just about compliance; it is about mission alignment.
"For reference only. This article does not constitute legal, regulatory, financial, or professional advice. For specific guidance, consult a qualified professional."
Why the NFP exemption does not mean no obligations
Many not-for-profit and charity leaders assume they are exempt from significant AI governance requirements because they are not a commercial enterprise. This assumption is often wrong — and specifically wrong about the Privacy Act.
The Privacy Act's small business exemption — the AUD $3 million annual turnover threshold — does not apply to organisations that collect sensitive information, provide health services, operate under government contracts with privacy conditions, or serve children. Most charities and NFPs in service delivery collect health information, sensitive personal information about vulnerable people, or operate under government funding contracts that impose Privacy Act requirements. The exemption may also not apply to your fundraising function if it involves processing sensitive financial or lifestyle information.
The ACNC's governance standards add a second layer. Governance Standard 5 requires responsible persons to act in the charity's best interests with reasonable care and diligence — which courts and the ACNC have interpreted to include understanding and managing material risks. AI used in service delivery, fundraising, or administration is a material operational risk for most charities, and responsible persons who are not engaging with it are not meeting their governance obligations.
AI in fundraising: what to know
Fundraising is one of the most active areas of AI adoption in the NFP sector — AI-assisted donor segmentation, AI-generated appeal letters, AI-powered major donor identification, and AI-driven digital fundraising campaigns are all in use. Each creates specific governance considerations.
Donor profiling and segmentation using AI involves processing personal information — potentially including inferred income, lifestyle, and giving capacity data. If the profiling uses sensitive information (health status, ethnic background, political views), the APPs require a lawful purpose and appropriate consent. APP 6 restricts using donor information for purposes beyond what the donor reasonably expected when they gave it.
AI-generated fundraising communications — including personalised appeal letters generated from donor data — must comply with Australian Consumer Law's prohibition on misleading conduct, even in the charity context. AI hallucinations that produce inaccurate impact statistics or fabricated beneficiary stories are both a compliance risk and a reputational one.
Service delivery AI and NDIS obligations
AI in service delivery to people with disability through NDIS-funded services is subject to the NDIS Quality and Safeguarding Commission's requirements on participant rights and provider obligations. Decisions that significantly affect a participant's supports, living arrangements, or care plan — including decisions assisted by AI — must respect participant choice and control, be explainable, and have a human review pathway. AI that allocates support hours, recommends care interventions, or influences case management without meaningful human oversight raises compliance concerns under the NDIS practice standards.
The right approach for resource-constrained NFPs
For most Australian NFPs, the right starting point is the AI6 Foundations tier: six essential practices implemented at a basic level with the free NAIC templates. Three items together represent a defensible baseline that is proportionate to the resources of most charities: a one-page AI use policy; an AI tool register covering what AI your organisation uses, who is responsible, and whether each tool has been assessed against Privacy Act requirements; and a named board or senior staff member responsible for AI governance.
The NAIC's free tools at industry.gov.au include an AI policy template, an AI system register template, and an AI screening tool. These are practical starting points that do not require external consultants to implement. The AI6 guidance also explicitly addresses smaller organisations in its Foundations tier.