Grant programmes collect personal information about applicants — names, contact details, financial information, and sometimes sensitive data about communities, individuals, or organisations. This information must be handled in accordance with applicable data protection legislation. For funders in New Zealand, Australia, the European Union and the UK (which retained the GDPR after Brexit), and South Africa, different but overlapping frameworks apply.
This guide covers the key data protection obligations for grantmakers and what to look for in grants management software.
New Zealand — Privacy Act 2020. Applies to all organisations (including government agencies, charitable trusts, and private foundations) that collect, use, or hold personal information about natural persons in New Zealand. Obligations include transparency about collection purposes, security safeguards, access and correction rights, and restrictions on overseas disclosure.
Australia — Privacy Act 1988 (and state/territory equivalents). The federal Privacy Act applies to organisations with annual turnover above AUD $3 million and to all government agencies. Many state and territory equivalents apply to local government and smaller organisations. The Act includes the Australian Privacy Principles (APPs) governing collection, use, disclosure, and storage of personal information.
European Union — General Data Protection Regulation (GDPR). Applies to all organisations that process personal data of EU residents, regardless of where the organisation is based. Includes UK GDPR post-Brexit. Key obligations include lawful basis for processing, data subject rights, data minimisation, security requirements, and restrictions on data transfers outside the EEA.
South Africa — Protection of Personal Information Act (POPIA). Fully in force since July 2021. Applies to responsible parties (those who determine the purpose and means of processing personal information) and operators (those who process on behalf of responsible parties). Includes eight conditions for lawful processing.
From applicants. Name and contact details of applicant organisation and authorised representative. Financial information (organisation accounts, bank details). Information about staff and volunteers. Sometimes sensitive information about the communities being served (demographic data, health information, disability data).
From assessors. Name, contact details, and conflict-of-interest (COI) declarations. Assessment scores and comments.
From grantees during post-award management. Progress report content (which may include participant information). Financial acquittal data. Contact and bank account information.
From references. Name and contact details of referees, and their assessments of the applicant.
Transparency (privacy notice). Applicants must be informed about what personal information is collected, why it is collected, who it may be shared with, how long it will be kept, and how to exercise their rights. A privacy notice on the application portal — and in programme guidelines — satisfies this requirement.
Lawful basis for processing. Under GDPR (and similar frameworks), there must be a lawful basis for processing personal information. For grantmakers, the most common bases are: legitimate interests (for charitable foundations), legal obligation (for public bodies), or explicit consent (where other bases don't apply). Processing sensitive data (health information, ethnicity) requires a stricter basis.
Data minimisation. Only collect personal information that is actually needed for the grant process. Collecting extensive personal data about individuals within applicant organisations — beyond what is needed to contact the authorised representative and verify identity — is unlikely to be justified.
Security safeguards. Personal information must be held securely — with access limited to authorised users, with encryption for sensitive data in transit and at rest, and with controls against unauthorised access or disclosure.
Data subject rights. Applicants and grantees have rights to access, correct, and (in some jurisdictions) delete their personal information. Grants management software that supports extraction and deletion of individual records — rather than requiring manual database operations — is practically important.
Retention and disposal. Personal information should not be retained longer than necessary. For grants records, the retention period is governed by the purpose (grant accountability records may need to be kept for 7-10 years for audit purposes) and by legal requirements. Having a defined retention policy — and a process for disposing of records when the retention period ends — is a compliance requirement.
Overseas transfer restrictions. For EU, NZ, and SA funders, transferring personal data to countries without equivalent data protection (including cloud storage or SaaS providers hosted in non-equivalent countries) requires specific safeguards. This is directly relevant to the data residency question for grants management software.
Data residency options. Where is the data hosted? For EU/UK funders under GDPR, NZ and AU government funders with requirements under relevant frameworks, and SA public entities under POPIA, data residency in an appropriate jurisdiction is important. Ask vendors to confirm where data is stored, whether it can be hosted in a specific jurisdiction, and whether data leaves that jurisdiction during processing (for example for backups or vendor support).
Access controls. Role-based access control should limit who can see personal information — particularly sensitive information about individuals within applications. Programme staff who need to review scores should not necessarily have access to bank account details.
Data export for access requests. When an applicant or grantee submits a data subject access request, the platform should be able to extract all personal information held about that individual in a portable format. If this requires a manual database query rather than a self-service function, that is important to know.
Deletion capability. For "right to be forgotten" requests (GDPR) or equivalent deletion rights, the platform should support deletion of personal information associated with specific individuals while retaining anonymised grant records for accountability purposes.
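The three platform capabilities above (role-limited access to personal fields, a portable export for an access request, and erasure that keeps anonymised grant records) are illustrated in this added example. It is not Tahua's code or any real product's; the tables, field names and sample records are constructed assumptions.

```python
import json

# Constructed sample records under an assumed schema (not any real product's).
PEOPLE = {
    "p1": {"name": "A. Example", "email": "a@example.org",
           "bank_account": "00-0000-0000000-00"},
    "p2": {"name": "B. Referee", "email": "b@example.org"},
}
GRANTS = [
    {"grant_id": "G-100", "contact_person": "p1", "amount": 15000,
     "year": 2023, "outcome": "funded"},
]
REFERENCES = [
    {"grant_id": "G-100", "referee": "p2", "statement": "Reliable partner"},
]
# Field-level access: score reviewers never see bank details; finance staff do.
ROLE_FIELDS = {"reviewer": {"name", "email"},
               "finance": {"name", "email", "bank_account"}}

def view_person(person_id, role):
    """Return only the personal attributes the caller's role may see."""
    allowed = ROLE_FIELDS[role]
    return {k: v for k, v in PEOPLE[person_id].items() if k in allowed}

def export_subject(person_id):
    """Access request: portable JSON bundle of everything held about one person,
    gathered across every table that references them."""
    bundle = {
        "person": PEOPLE[person_id],
        "grants_as_contact": [g for g in GRANTS if g["contact_person"] == person_id],
        "references_given": [r for r in REFERENCES if r["referee"] == person_id],
    }
    return json.dumps(bundle, indent=2, sort_keys=True)

def erase_subject(person_id):
    """Erasure request: delete the person's details and unlink them from grant
    records, keeping each grant's accountability fields (id, amount, year, outcome)."""
    del PEOPLE[person_id]
    anonymised = 0
    for g in GRANTS:
        if g["contact_person"] == person_id:
            # Fixed tombstone rather than a hash of the id: a hash stays pseudonymous and re-linkable.
            g["contact_person"] = "ERASED"
            anonymised += 1
    # A referee's statement is that referee's personal data, so it goes with them.
    removed = [r for r in REFERENCES if r["referee"] == person_id]
    REFERENCES[:] = [r for r in REFERENCES if r["referee"] != person_id]
    return {"grants_anonymised": anonymised, "references_removed": len(removed)}
```

In a real platform the same two operations would walk every table holding personal data (assessments, progress reports, audit logs), which is why a self-service function is worth more than an ad hoc database query.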
Encryption in transit and at rest. This is a standard security requirement, but verify it rather than assume it — particularly for sensitive data such as bank account details.
Breach notification support. Data breaches affecting personal information must be reported to relevant regulators within defined timeframes (72 hours under GDPR, for example). Grants management software should provide tools to identify what data was affected and who was impacted, to support the notification process.
Privacy notice templating. Some platforms provide configurable privacy notice templates that can be embedded in application portals, reducing the burden of writing jurisdiction-specific notices from scratch.
Data protection breaches in grants management — exposure of applicant bank details, unauthorised disclosure of sensitive community information, or loss of data due to inadequate security — attract regulatory attention and reputational damage disproportionate to their likelihood. Most significant data protection incidents in grants management involve avoidable failures: inadequate access controls, data shared via unsecured email, or cloud tools used without vendor data processing agreements.
The easiest way to reduce these risks is to use grants management software with strong security architecture, data residency options, and data subject rights support — rather than managing grant data in spreadsheets, email attachments, and unvetted cloud tools.
Tahua provides grants management software with data protection features designed for GDPR, Privacy Act, and POPIA obligations.