Why boards can't delegate data governance away
When something goes wrong with client data—a breach, unauthorised access, or a privacy complaint—it's the board that carries ultimate accountability. Not the IT manager. Not the operations team. The board.
Under the Australian Privacy Principles (APPs), organisations handling personal information must take reasonable steps to protect it. For NFP boards, this creates a governance obligation: you need to be satisfied that your systems and processes actually do what you think they do.
The challenge is that many boards don't know what questions to ask. Data governance can sound technical and intimidating. But the core questions aren't about technology—they're about control, evidence, and accountability.
The four questions every NFP board should ask
1. Who can access what data, and how do we control that?
This is about access control. In a well-governed system, staff only see the data they need to do their jobs. A volunteer coordinator shouldn't have access to financial support records. A case worker in one region shouldn't automatically see cases from another region.
Ask your executive team:
- How do we decide who gets access to sensitive client information?
- Can staff access records from clients they're not working with?
- Do we have different permission levels for staff, managers, and external partners?
- How quickly can we revoke access when someone leaves or changes roles?
In Microsoft Dynamics 365, this is managed through security roles, teams, and record-level permissions. It's not perfect, but it's configurable and auditable—two things boards need.
2. Where is client data actually stored, and is it secure?
Data residency matters in Australia. The Privacy Act doesn't prohibit overseas data storage, but it does require you to take reasonable steps to protect data sent offshore. For NFPs working with vulnerable clients, boards often prefer Australian data storage as a matter of policy.
Ask your team:
- Is our client data stored in Australia or overseas?
- If it's overseas, what protections are in place?
- Is data encrypted at rest and in transit?
- Who owns the infrastructure—us or a third party?
With Dynamics 365, data can be hosted in Microsoft's Australian datacentres (Sydney and Melbourne). This reduces offshore risk and simplifies compliance conversations with funders who ask about data sovereignty.
3. Can we prove who did what and when?
Audit trails aren't just for investigations—they're evidence of good governance. If a client alleges their information was shared without consent, can you show exactly who accessed their record and when?
Ask your team:
- Do we log every access to sensitive client records?
- Can we see a history of changes to client information?
- How long do we keep audit logs, and are they tamper-proof?
- Can we produce an audit report if a regulator or funder requests it?
Modern CRM systems can log changes automatically once auditing is switched on. In Dynamics 365, you can enable audit logging across all tables or just sensitive ones (like financial support or risk flags). This isn't optional—it's a basic governance control.
4. What happens if something goes wrong?
Data breaches happen. Systems fail. Staff make mistakes. The question isn't whether you'll ever face a data incident—it's whether you have a plan when it happens.
Ask your team:
- Do we have an incident response plan for data breaches?
- Who is responsible for notifying affected clients and the OAIC?
- Can we restore data if it's accidentally deleted?
- How often do we test our backup and recovery processes?
This is where cloud platforms excel. Microsoft handles infrastructure backups, disaster recovery, and security patching. Your organisation still needs a response plan, but you're not managing the underlying resilience.
Building a simple data governance framework
You don't need a 50-page policy document. Start with three practical elements:
1. Data classification
Not all data is equally sensitive. Classify your data into categories:
- Public: Programme descriptions, public reports (no special controls needed)
- Internal: Staff contact details, general client notes (standard access controls)
- Confidential: Client health information, financial records, risk flags (restricted access, field-level security)
- Highly confidential: Legal matters, child protection flags, serious incident reports (manager-only access, full audit logging)
Once you've classified your data, you can align access controls to sensitivity levels.
2. Access policies
Document who should have access to what, based on role:
- Case workers: Full access to clients they're assigned to, read-only for their team's cases
- Team leaders: Full access to all cases in their program or region
- Finance staff: Access to funding and grant records, limited access to case notes
- Volunteers: Access only to specific client records they're supporting, no financial data
- External partners: Shared access to co-managed clients only, time-limited
This isn't about distrust—it's about reducing risk and making it clear what "need to know" actually means.
3. Regular access reviews
Access creep is real. People change roles, take on temporary responsibilities, or leave the organisation—and their permissions don't always get updated.
Set a calendar reminder to review access permissions every 6-12 months. Export a list of users and their roles. Check:
- Are there any former staff still with active access?
- Do people have permissions they no longer need?
- Are contractors or external partners still accessing the system?
This takes 30 minutes twice a year and dramatically reduces exposure.
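The review above can be run as a script over the exported list. This is an added example, not from the original article or any CRM vendor: the data is constructed, and the column names, role names and the `ALLOWED` mapping are assumptions standing in for your own export and access policy.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions, not a real CRM export format.
CRM_USERS = """user,crm_role,user_type,access_expires
alice,case_worker,staff,
bob,team_leader,staff,
carol,finance,staff,
dave,case_worker,staff,
erin,partner_shared,external,2024-03-31
frank,partner_shared,external,
"""
HR_ROSTER = """user,position,status
alice,case_worker,active
bob,case_worker,active
carol,finance,active
dave,case_worker,left
"""
# CRM roles each current position may hold (hypothetical mapping for the access policy).
ALLOWED = {"case_worker": {"case_worker"}, "team_leader": {"team_leader", "case_worker"},
           "finance": {"finance"}}


def review_access(crm_csv, roster_csv, review_date):
    """Return sorted (user, finding) pairs for the three access-review checks."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(crm_csv)):
        user, role = row["user"], row["crm_role"]
        if row["user_type"] == "external":
            # External access must be time-limited: flag a missing or past expiry.
            expires = row["access_expires"]
            if not expires:
                findings.append((user, "external access has no expiry"))
            elif date.fromisoformat(expires) < review_date:
                findings.append((user, "external access past expiry"))
            continue
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append((user, "not current staff but still has access"))
        elif role not in ALLOWED.get(person["position"], set()):
            findings.append((user, f"role {role} exceeds position {person['position']}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(CRM_USERS, HR_ROSTER, date(2024, 6, 30)):
        print(f"{user}: {finding}")
```

The findings list is the evidence a board can ask to see at each review, alongside a note of what was done about each entry.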
What to look for in your CRM system
If you're evaluating a CRM (or reviewing your current one), here's what good data governance looks like in practice:
- Role-based access control: Different permission levels for different staff functions
- Record-level permissions: Ability to restrict access to individual client records based on ownership or team
- Field-level security: Hide sensitive fields (like financial data or risk flags) from users who don't need them
- Audit logging: Automatic tracking of who accessed or changed what, with tamper-proof logs
- Data residency controls: Ability to choose where data is stored (Australia preferred)
- Encryption: Data encrypted both at rest and in transit
- Multi-factor authentication: Required for all users, especially remote access
- Automated backups: Daily backups with point-in-time recovery
Microsoft Dynamics 365 provides all of these out of the box. You still need to configure them properly—but the controls exist, and they're enterprise-grade.
Common board concerns (and what to do about them)
"We're too small to have formal data governance"
Size doesn't exempt you from the Privacy Act. Even small NFPs handling personal information need basic controls. The good news: you don't need a dedicated data governance officer. You need clear policies, documented access controls, and someone accountable (usually the CEO or operations manager).
"Our IT person says everything is fine"
Your IT person might be excellent, but they're not the accountable officer—the board is. Ask for evidence. Request an access permissions report. Ask to see audit logs. Good IT professionals welcome governance questions because it gives them executive support for doing the right thing.
"Cloud systems feel risky—we'd rather keep data on our own server"
On-premises servers create different risks: physical security, backup failures, no disaster recovery, patching delays, and single points of failure (often one person who knows how it all works). Cloud platforms like Microsoft Azure have security teams, 24/7 monitoring, and geographic redundancy. For most NFPs, cloud is lower risk—not higher.
"We can't afford enterprise-grade security"
You're already paying for it if you use Microsoft 365 or Dynamics 365. The security controls are built into the platform. The cost is in configuration and training, not in buying additional tools. Start with the basics (role-based access, audit logging, Australian hosting) and build from there.
What boards should do this quarter
Here are three practical actions you can take in your next board meeting:
- Request an access permissions report. Ask your executive team to provide a list of who has access to what in your CRM. Review it together. Are there surprises? Are permissions aligned with current roles?
- Confirm data residency. Ask where client data is stored. If it's offshore, understand why and what protections apply. If it's in Australia, document that for funder and regulator conversations.
- Add data governance to your risk register. Include it as a standing item in your audit and risk committee (or full board if you don't have a committee). Review it twice a year, just like financial controls.
The bottom line
Data governance isn't about technology—it's about control, accountability, and evidence. Boards don't need to become IT experts, but they do need to ask the right questions and be satisfied that the organisation has reasonable protections in place.
Modern CRM platforms like Dynamics 365 make this easier by providing built-in governance controls: access management, audit trails, encryption, and Australian data hosting. But technology alone isn't enough. You need clear policies, regular reviews, and a culture that treats client data as the valuable, sensitive asset it is.
Start with the four questions above. Document what you find. Make a plan to close any gaps. That's data governance—and it's well within reach for every NFP board.