Privacy Policies, Prospect Research and the Case for Greater Transparency

​This article reflects governance observations only. It is not legal advice.

In many organisations, privacy policies are treated as compliance documents. They’re drafted, reviewed when legislation changes, and otherwise left alone. But privacy policies do more than meet regulatory requirements. They say something about how well an organisation understands — and stands behind — its data practices. Prospect research and wealth screening sit squarely in that space.

In Australia, references to prospect research and screening activities are often folded into broad statements about “publicly available information” or “third-party service providers.” Technically, that may meet minimum disclosure standards. Operationally, it can leave things vague. That vagueness may feel comfortable in the short term. I’m not convinced it will age well.

Other jurisdictions provide useful context.

When the General Data Protection Regulation (GDPR) came into force in the European Union, organisations had to be much clearer about how personal data was collected and used. Fundraising activities — including prospect research, profiling and wealth screening — were required to be explicitly described. Lawful basis had to be articulated. Profiling had to be acknowledged where it occurred. That transparency didn’t eliminate prospect research. It professionalised it.

Organisations were required to clarify purpose, document governance controls, assess proportionality and strengthen oversight. In practice, many emerged with stronger internal processes and clearer board engagement.

Importantly, greater transparency did not trigger widespread donor backlash. Where organisations explained that screening supported appropriate fundraising, stewardship and due diligence, it was broadly understood as part of responsible institutional management.

Australia’s privacy framework is structured differently. The Australian Privacy Principles do not adopt GDPR’s lawful basis model. But the direction of reform is increasingly clear: strengthened individual rights, higher penalties, greater regulatory enforcement and rising expectations of organisational accountability. At the same time, public sensitivity to data use — particularly where analysis, profiling or automation is involved — continues to increase.

In that environment, ambiguity becomes a risk factor. APP 1 and APP 5 require organisations to describe the kinds of personal information they collect and the purposes for which it is used. APP 6 limits use to the primary purpose of collection, or a related secondary purpose that would be reasonably expected by the individual.

Where prospect research relies on publicly available information and reputable research providers to support fundraising strategy, stewardship and due diligence, transparent disclosure is not a concession. It is consistent with those principles. It also anticipates the growing regulatory emphasis on transparency, proportionality and reasonable expectations.

Privacy policies are not marketing documents. They do not need to detail every operational step. But they should reflect reality. Organisations that articulate their prospect research practices clearly now will be better positioned if reform narrows interpretations of “reasonably expected” use or strengthens notification obligations. And in the current climate, that is simply prudent risk management.