Most Australians (62%) are very concerned about the protection of their personal information, but only a few (32%) feel in control of their data privacy (Office of the Australian Information Commissioner, 2023). As vital partners in supporting vulnerable Australians, NFPs have a strong role to play in managing and sharing data. 

Not-for-profits (NFPs) who seek access to data from governments or other organisations or businesses, or who are approached by agencies or organisations seeking to access their data will need to consider using a data sharing agreement. 

As legal documents, data sharing agreements need to comply with current jurisdictional and Australian laws. They are important for ensuring that individual data sovereignty is respected. This is particularly important when dealing with First Nations data, but is critical for all data sharing to maintain trust and relationships between services, funders and clients. 

Data sharing agreements also form the foundations for AI use policies within NFPs because they help to:  

1. Ensure AI policies and data sharing comply with legal and regulatory frameworks; 
2. Ensure data is of sufficient quality to train AI models; 
3. Protect data from unauthorised access; 
4. Promote transparency and accountability that help build and maintain trust; and  
5. Foster ethical data practices. 

Resources have been developed by various government agencies and universities. Links to the main resource providers are listed below to get you started. 

Note that as legal documents, any agreements should be checked by a legal professional before use. 

The Australian Privacy Principles and The Privacy Act 1988 are the relevant laws covering Data Sharing Agreements. Find more information on the laws here. The Privacy Act is currently under review. More information is found here.

Guideline and Template Resources

First Nations Data Sovereignty 

Advice on First Nations data sharing and data sovereignty can be found here and from the Lowitja Institute here. 

Australian Research Data Commons 

Read Data Sharing Agreement Development Guidelines here.

This is a comprehensive resource including a webinar, guidelines, insights into when a data sharing agreement is needed, and how to establish a data sharing agreement. It also links to guidelines for developing a data sharing policy. 

Commonwealth Government Resources

Office of the National Data Commissioner 

Data Sharing Agreement template can be found here. The ONDC data sharing resources are aimed at government departments, but provide useful templates and guides for NFPs to adapt to their needs.  

Office of the Australian Information Commissioner 

List of all state and territory privacy legislation can be found here. 

State-based Resources

Australian Capital Territory 

The ACT Information Privacy Act 2014-2024 can be found here. 

New South Wales 

Information on laws, guide to data sharing and privacy found here. 

Northern Territory 

Information on laws and resources from the NT Information Commissioner found here. 

Queensland  

Queensland office of the Information Commissioner including laws and resources here.  

South Australia

For data sharing forms and templates for South Australian data shared between government and non-government entities see the relevant link on this page. 

Victoria 

Laws relating to handing personal data in Victoria can be found here.

Informed consent 

As part of ethical practice and supporting Australians to feel in control of the data they provide to NFPs, informed consent practices are central to data collection practices. The key considerations are: 

• Using clear, easy-to-understand language that is free of jargon. Instructions should inform clients why the data is being collected, how it will be used, and with whom their data will be shared. 
• Voluntary consent – that is without any feeling of being influenced or coerced to share information. Most importantly, clients should be able to withdraw their consent at any time without fear of negative consequences. 
• Consent is specific to the data collection and use. This means that for consent to be informed, no requests for a wide range of potential uses can be made or considered valid.  

Personal or Sensitive information 

According to the Office of the Australian Information Commissioner, personal information could identify an individual and may include: 

• an individual’s name, signature, address, phone number or date of birth; 
• sensitive information; 
• credit information; 
• employee record information;  
• photographs; 
• internet protocol (IP) addresses; 
• voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique); and 
• location information from a mobile device (because it can reveal user activity patterns and habits). 

Sensitive information usually requires a higher level of privacy protection and covers the following: 

• racial or ethnic origin; 
• political opinions or associations; 
• religious or philosophical beliefs; 
• trade union membership or associations; 
• sexual orientation or practices; 
• criminal record; 
• health or genetic information; and 
• some aspects of biometric information. 

To protect personal and sensitive information NFPs should have:  

• policies and procedures for data management in place;  
• roles and responsibilities for protecting personal and sensitive data; and 
• registers or lists of locations where personal and sensitive data are stored. 

Legal support for NFPs 

Justice Connect provides free legal help for NFPs and social enterprises, including information on Privacy laws, AI and Cyber security.