Privacy Governance Guide for Charities
Protecting Personal Data. Strengthening Trust. Supporting Good Governance.
Every charity is entrusted with personal information. Whether it belongs to beneficiaries, donors, volunteers, employees, board members or members of the public, that information deserves to be managed responsibly.
Privacy governance is more than complying with the Personal Data Protection Act (PDPA). It is about demonstrating accountability, protecting the people your charity serves, and maintaining the confidence of donors, partners, regulators and the community.
This guide has been developed by Integrative Learning Corporation (ILC) to help charities understand the practical governance measures needed to manage personal data throughout its lifecycle, from collection and storage to use, sharing, retention and secure disposal.
Why Privacy Governance Matters
Charities often handle some of the most sensitive personal information in society. Depending on your services, this may include:
- Beneficiary and client records
- Medical or disability-related information
- Financial assistance records
- Donor information
- Volunteer records
- Employee information
- Board member information
- Event registrations
- Photographs and videos
- Children’s personal information
- Case management records
A privacy incident can have serious consequences beyond regulatory compliance. It can:
- Damage public confidence
- Harm vulnerable individuals
- Affect fundraising efforts
- Disrupt service delivery
- Result in financial and reputational costs
- Reduce stakeholder trust
Good privacy governance helps charities reduce these risks while demonstrating responsible stewardship.
The Privacy Governance Framework
Strong privacy governance begins with leadership and extends across the entire organisation.
1. Leadership and Accountability
Privacy is a governance responsibility. Your charity should:
- Appoint a Data Protection Officer (DPO)
- Clearly define management responsibilities
- Ensure the Board receives regular privacy updates
- Approve privacy-related policies
- Allocate sufficient resources for data protection
Questions to ask:
2. Know What Personal Data You Hold
You cannot protect information if you do not know where it exists.
Identify:
- What personal data you collect
- Why you collect it
- Where it is stored
- Who has access
- Who it is shared with
- How long it is retained
Examples included
- Microsoft 365
- Google Workspace
- Shared network folders
- HR systems
- CRM databases
- Donation platforms
- Website forms
- Paper files
- Portable devices
3. Collect Only What You Need
Before collecting personal information, consider:
- Is the information necessary?
- Have individuals been informed why it is collected?
- Is consent required?
- Is there another lawful basis for collection?
- Are you collecting more information than necessary?
Good privacy governance starts with collecting only information that serves a legitimate organisational purpose.
4. Control Access
Not everyone needs access to every record.
Implement controls such as:
- Role-based permissions
- Strong passwords
- Multi-factor authentication
- Regular access reviews
- Immediate removal of access when staff leave
- Restricted access for volunteers and temporary staff
Access should always follow the principle of “need to know.”
5. Protect Personal Data
Security involves both people and technology.
Consider whether your charity has:
- Antivirus protection
- Device encryption
- Secure backups
- Password management
- Secure cloud storage
- Email security controls
- Locked storage for physical files
- Clear desk practices
Technology alone is not enough.
Regular staff awareness is equally important.
6. Manage Third-Party Vendors
Many charities rely on external service providers.
Examples include:
- Payroll providers
- IT support companies
- Fundraising platforms
- Learning management systems
- CRM systems
- Event registration platforms
- Website developers
- Cloud storage providers
Before sharing personal data, ask:
- Does the contract contain data protection obligations?
- Are security expectations documented?
- Is overseas data transfer involved?
- Who is responsible if an incident occurs?
7. Retain and Dispose of Data Properly
Personal data should not be kept forever.
Develop a retention schedule covering:
- Employee records
- Volunteer records
- Beneficiary records
- Financial records
- CCTV footage
- Recruitment records
- Event registrations
When records are no longer required:
- Delete electronic files securely
- Destroy paper documents appropriately
- Remove archived copies where required
- Ensure backups follow retention requirements
8. Prepare for Data Breaches
Despite good controls, incidents can still occur.
Examples include:
- Sending personal information to the wrong recipient
- Lost laptops
- Stolen mobile devices
- Ransomware attacks
- Unauthorised system access
- Lost paper files
Every charity should have a documented response process.
A basic response includes:
- Contain the incident.
- Assess what information is affected.
- Notify internal management.
- Determine whether notification obligations apply.
- Learn from the incident and improve controls.
Responding quickly can significantly reduce harm.
Common Privacy Risks in Charities
Emailing confidential information to the wrong recipient
Always verify recipients before sending.
Using personal messaging apps for case discussions
Avoid discussing confidential information using unauthorised communication channels.
Sharing donor lists
Personal information should never be shared without appropriate authority and purpose.
Posting photographs on social media
Ensure appropriate consent has been obtained before publishing identifiable photographs.
Excessive staff access
Only provide access necessary for an individual’s role.
Forgotten former employee accounts
Disable accounts promptly after employment ends.
Weak passwords
Require strong passwords and enable multi-factor authentication wherever possible.
AI and Personal Data
Generative AI tools can improve productivity, but they should be used responsibly.
Do not upload:
- Beneficiary information
- Employee records
- Donor information
- Medical information
- Confidential organisational documents
- Board papers
- Sensitive financial information
Your charity should establish clear guidelines governing the responsible use of AI.
Privacy Governance Checklist
Use the checklist below to assess your current practices.

The more “Yes” responses you achieve, the stronger your charity’s privacy governance foundation is likely to be.
Free Downloadable Resources
To help charities strengthen their privacy governance, ILC provides practical templates and checklists.
Available resources include:
- Privacy Governance Checklist
- Personal Data Inventory Template
- Data Retention Schedule
- Vendor Assessment Checklist
- Privacy Risk Register
- Data Breach Response Checklist
- Staff Exit Access Checklist
- Board Privacy Oversight Checklist
- AI Use Guidance for Charities
- Annual Privacy Governance Review Checklist
These templates are designed to help charities establish consistent governance practices and support continuous improvement.
Frequently Asked Questions
No. While the DPO coordinates privacy efforts, the Board, senior management and every employee have responsibilities for protecting personal data.
Yes. Under Singapore’s Personal Data Protection Act, every organisation is required to designate at least one individual to be responsible for ensuring compliance with the Act.
No. Cybersecurity protects systems and information from technical threats. Privacy governance ensures personal data is collected, used, disclosed, retained and managed responsibly throughout its lifecycle.
Both are essential and complement one another.
Yes. Every organisation, regardless of size, should implement privacy governance measures that are appropriate to its operations and the personal data it handles.
Need Assistance?
Privacy governance should not be viewed as a one-time compliance exercise.
It is an ongoing organisational responsibility that evolves alongside technology, regulations and operational risks.
If your charity would like independent guidance, contact ILC at learn@integrative.com.sg
Whether your charity is establishing its privacy framework or strengthening existing practices, our consultants can help you develop practical, proportionate and sustainable governance solutions.

