Grant programmes collect significant quantities of personal and organisational information — applicant contact details, financial information, organisational constitutions, project descriptions, and outcome data. Funders have legal obligations under privacy legislation governing how this information is collected, stored, used, and shared.
This guide covers the key privacy obligations for funders in New Zealand and Australia.
The Privacy Act 2020 (in force from 1 December 2020, replacing the Privacy Act 1993) significantly strengthened New Zealand's privacy framework. Key provisions relevant to grantmakers:
Information privacy principles. The Act sets out 13 information privacy principles (IPPs) covering the collection, storage, security, use, disclosure and retention of personal information. Key principles for grantmakers:
Mandatory breach notification. The Privacy Act 2020 introduced mandatory notification: a funder must notify the Privacy Commissioner, and the affected individuals, as soon as practicable after becoming aware of a privacy breach that has caused serious harm to an individual or is likely to do so. Failing to notify the Commissioner without reasonable excuse is an offence, so the funder's incident response process should include an explicit assessment of whether a breach is notifiable.
Individual applicant information. When individual artists, researchers, or practitioners apply for grants in their own name rather than through an organisation, the whole application is personal information subject to the Act. Applications from organisations still contain personal information: the names, roles and contact details of the people listed in them are personal information about those individuals, even though information about the organisation itself is not.
Australian funders are subject to the Privacy Act 1988 (Cth), as substantially amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (which introduced the Australian Privacy Principles from March 2014) and the Privacy Amendment (Notifiable Data Breaches) Act 2017. Key provisions:
Australian Privacy Principles (APPs). Thirteen principles governing the handling of personal information by entities covered by the Act. For grantmakers, the most relevant:
Notifiable Data Breaches. Australian funders covered by the Act must notify the OAIC and affected individuals of eligible data breaches: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual, where the funder has not been able to prevent that harm through remedial action. A funder that only suspects an eligible breach has 30 days to assess it; once the breach is confirmed, notification must follow as soon as practicable.
Small business exemption. Australian organisations with an annual turnover of $3 million or less are generally exempt from the Privacy Act. Many smaller foundations and community trusts may therefore be exempt, but the exemption has exceptions: an organisation that provides a health service and holds health information, trades in personal information, or is a contracted service provider under a Commonwealth contract is covered regardless of turnover, and an organisation can also opt in. An exempt funder that handles applicants' personal information should still treat the APPs as its baseline, and funders that are themselves public sector bodies, or that deliver programmes on behalf of a state or territory government, may be covered by state or territory privacy legislation instead.
Privacy policy and collection notice. Application portals should publish a privacy policy (APP 1 in Australia) and display a collection notice at the point where data is collected (APP 5; IPP 3 in New Zealand). The notice should explain what information is collected, why, how it will be used, who it may be shared with (including external assessors), whether it is stored or processed overseas, and how applicants can access or correct their information.
Data minimisation. Collect only information that is genuinely necessary for assessment and grant management (IPP 1 in New Zealand; APP 3 in Australia). Collecting extensive personal information "just in case" creates privacy risk, and a larger breach if one occurs, without a corresponding benefit; every field on an application form should be traceable to a decision or obligation that needs it.
Storage and retention. Grant information needs to be retained for accountability purposes: typically 7 years for financial records, and potentially longer for grant agreements with ongoing conditions. Privacy law does not require deletion of records needed for a legitimate purpose, but both regimes require that personal information not be kept longer than it is needed (IPP 9 in New Zealand; APP 11.2 in Australia, which requires destruction or de-identification). Funders should therefore have a written retention schedule that states a period for each class of record, and should delete or de-identify information once that period expires rather than keeping the complete application history indefinitely.
Third-party disclosure. Sharing applicant information with assessors, whether external peer reviewers or committee members, is generally permissible because assessment is the purpose for which the information was collected, or is directly related to it (IPP 11 in New Zealand; APP 6 in Australia), but funders should say so in their privacy policy and collection notice so that applicants reasonably expect it. External assessors should receive only the material they need for their assessment and should be bound by confidentiality and secure-handling terms. Sharing applicant information beyond the assessment process, for example publishing details of funded projects or passing applications to another funder, needs a separate justification, such as the applicant's consent or a clear statement in the collection notice.
Referee and third-party references. When funders contact referees nominated by applicants, or seek third-party information about applicants, they are collecting personal information from a source other than the individual concerned. Both regimes expect collection directly from the individual unless an exception applies (IPP 2 in New Zealand; APP 3.6 in Australia), so the collection notice should state that referees may be contacted, the applicant's nomination of a referee should be treated as authorisation to approach that referee, and information obtained from referees should be limited to what the assessment requires. A referee's own name and contact details are also personal information and should be handled with the same care.
Unsuccessful applicants' data. Unsuccessful applicants' data should be retained only as long as is needed to account for the decision, for example to respond to review requests or complaints, and then deleted or de-identified. This period is usually shorter than for funded grants, because there are no financial records or grant conditions to support. Keeping unsuccessful application data indefinitely creates privacy risk without benefit.
Some grant applications may involve sensitive information: health information, ethnic origin data, criminal history, financial hardship. In Australia, health information, racial or ethnic origin and criminal record are "sensitive information" under the Act, which generally may be collected only with consent and used or disclosed for a secondary purpose only where that purpose is directly related to the primary purpose (APP 3 and APP 6). New Zealand's Act has no separate statutory category, but the security safeguards required under IPP 5 and the seriousness of the harm from a breach both scale with sensitivity. Funders collecting sensitive information should apply heightened care:
Tahua's grants management platform is designed with privacy by default — with role-based access controls, secure data storage, and data management features that support funders' obligations under New Zealand's Privacy Act 2020 and Australia's Privacy Act 1988.