Privacy Governance Guide for Charities

Protecting Personal Data. Strengthening Trust. Supporting Good Governance.

Every charity is entrusted with personal information. Whether it belongs to beneficiaries, donors, volunteers, employees, board members or members of the public, that information deserves to be managed responsibly.

Privacy governance is more than complying with the Personal Data Protection Act (PDPA). It is about demonstrating accountability, protecting the people your charity serves, and maintaining the confidence of donors, partners, regulators and the community.

This guide has been developed by Integrative Learning Corporation (ILC) to help charities understand the practical governance measures needed to manage personal data throughout its lifecycle, from collection and storage to use, sharing, retention and secure disposal.

Why Privacy Governance Matters

Charities often handle some of the most sensitive personal information in society. Depending on your services, this may include:

  • Beneficiary and client records
  • Medical or disability-related information
  • Financial assistance records
  • Donor information
  • Volunteer records
  • Employee information
  • Board member information
  • Event registrations
  • Photographs and videos
  • Children’s personal information
  • Case management records

A privacy incident can have serious consequences beyond regulatory compliance. It can:

  • Damage public confidence
  • Harm vulnerable individuals
  • Affect fundraising efforts
  • Disrupt service delivery
  • Result in financial and reputational costs
  • Reduce stakeholder trust

Good privacy governance helps charities reduce these risks while demonstrating responsible stewardship.

The Privacy Governance Framework

Strong privacy governance begins with leadership and extends across the entire organisation.

1. Leadership and Accountability

Privacy is a governance responsibility. Your charity should:

  • Appoint a Data Protection Officer (DPO)
  • Clearly define management responsibilities
  • Ensure the Board receives regular privacy updates
  • Approve privacy-related policies
  • Allocate sufficient resources for data protection

Questions to ask:

  • Does the Board understand the charity’s privacy risks?
  • Does management review privacy incidents?
  • Is someone accountable for implementing privacy controls?

2. Know What Personal Data You Hold

You cannot protect information if you do not know where it exists.

Identify:

  • What personal data you collect
  • Why you collect it
  • Where it is stored
  • Who has access
  • Who it is shared with
  • How long it is retained

Examples included

  • Microsoft 365
  • Google Workspace
  • Shared network folders
  • HR systems
  • CRM databases
  • Donation platforms
  • Website forms
  • Paper files
  • Portable devices

3. Collect Only What You Need

Before collecting personal information, consider:

  • Is the information necessary?
  • Have individuals been informed why it is collected?
  • Is consent required?
  • Is there another lawful basis for collection?
  • Are you collecting more information than necessary?

Good privacy governance starts with collecting only information that serves a legitimate organisational purpose.

4. Control Access

Not everyone needs access to every record.

Implement controls such as:

  • Role-based permissions
  • Strong passwords
  • Multi-factor authentication
  • Regular access reviews
  • Immediate removal of access when staff leave
  • Restricted access for volunteers and temporary staff

Access should always follow the principle of “need to know.”

5. Protect Personal Data

Security involves both people and technology.

Consider whether your charity has:

  • Antivirus protection
  • Device encryption
  • Secure backups
  • Password management
  • Secure cloud storage
  • Email security controls
  • Locked storage for physical files
  • Clear desk practices

Technology alone is not enough.

Regular staff awareness is equally important.

6. Manage Third-Party Vendors

Many charities rely on external service providers.

Examples include:

  • Payroll providers
  • IT support companies
  • Fundraising platforms
  • Learning management systems
  • CRM systems
  • Event registration platforms
  • Website developers
  • Cloud storage providers

Before sharing personal data, ask:

  • Does the contract contain data protection obligations?
  • Are security expectations documented?
  • Is overseas data transfer involved?
  • Who is responsible if an incident occurs?

7. Retain and Dispose of Data Properly

Personal data should not be kept forever.

Develop a retention schedule covering:

  • Employee records
  • Volunteer records
  • Beneficiary records
  • Financial records
  • CCTV footage
  • Recruitment records
  • Event registrations

When records are no longer required:

  • Delete electronic files securely
  • Destroy paper documents appropriately
  • Remove archived copies where required
  • Ensure backups follow retention requirements

8. Prepare for Data Breaches

Despite good controls, incidents can still occur.

Examples include:

  • Sending personal information to the wrong recipient
  • Lost laptops
  • Stolen mobile devices
  • Ransomware attacks
  • Unauthorised system access
  • Lost paper files

Every charity should have a documented response process.

A basic response includes:

  • Contain the incident.
  • Assess what information is affected.
  • Notify internal management.
  • Determine whether notification obligations apply.
  • Learn from the incident and improve controls.

Responding quickly can significantly reduce harm.

Common Privacy Risks in Charities

Emailing confidential information to the wrong recipient

Always verify recipients before sending.

Using personal messaging apps for case discussions

Avoid discussing confidential information using unauthorised communication channels.

Sharing donor lists

Personal information should never be shared without appropriate authority and purpose.

Posting photographs on social media

Ensure appropriate consent has been obtained before publishing identifiable photographs.

Excessive staff access

Only provide access necessary for an individual’s role.

Forgotten former employee accounts

Disable accounts promptly after employment ends.

Weak passwords

Require strong passwords and enable multi-factor authentication wherever possible.

AI and Personal Data

Generative AI tools can improve productivity, but they should be used responsibly.

Do not upload:

  • Beneficiary information
  • Employee records
  • Donor information
  • Medical information
  • Confidential organisational documents
  • Board papers
  • Sensitive financial information

Your charity should establish clear guidelines governing the responsible use of AI.

Privacy Governance Checklist

Use the checklist below to assess your current practices.

The more “Yes” responses you achieve, the stronger your charity’s privacy governance foundation is likely to be.

Free Downloadable Resources

To help charities strengthen their privacy governance, ILC provides practical templates and checklists.

Available resources include:

  • Privacy Governance Checklist
  • Personal Data Inventory Template
  • Data Retention Schedule
  • Vendor Assessment Checklist
  • Privacy Risk Register
  • Data Breach Response Checklist
  • Staff Exit Access Checklist
  • Board Privacy Oversight Checklist
  • AI Use Guidance for Charities
  • Annual Privacy Governance Review Checklist

These templates are designed to help charities establish consistent governance practices and support continuous improvement.

Frequently Asked Questions

  • Is privacy governance only the responsibility of the Data Protection Officer?

No. While the DPO coordinates privacy efforts, the Board, senior management and every employee have responsibilities for protecting personal data.

  • Does every charity need a Data Protection Officer?

Yes. Under Singapore’s Personal Data Protection Act, every organisation is required to designate at least one individual to be responsible for ensuring compliance with the Act.

  • Does good cybersecurity automatically mean good privacy governance?

No. Cybersecurity protects systems and information from technical threats. Privacy governance ensures personal data is collected, used, disclosed, retained and managed responsibly throughout its lifecycle.

Both are essential and complement one another.

  • Our charity is small. Do these requirements still apply?

Yes. Every organisation, regardless of size, should implement privacy governance measures that are appropriate to its operations and the personal data it handles.

Need Assistance?

Privacy governance should not be viewed as a one-time compliance exercise.

It is an ongoing organisational responsibility that evolves alongside technology, regulations and operational risks.

If your charity would like independent guidance, contact ILC at learn@integrative.com.sg

Whether your charity is establishing its privacy framework or strengthening existing practices, our consultants can help you develop practical, proportionate and sustainable governance solutions.

🍜