This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Your client runs a small nonprofit. They do good work. Their donors give quietly, trusting that the information stays private. Then one day, a letter arrives from the tax authority. Their donor list has been leaked by a rogue contractor.

This is not a hypothetical. As reported in Accounting Today, it happened in the United States, and the legal fallout is still playing out.

What happened in the US

The National Taxpayers Union Foundation recently filed a lawsuit against the Internal Revenue Service (IRS) on behalf of Young America's Foundation, a US-based nonprofit. The case follows a serious data breach. A former IRS contractor illegally leaked confidential tax return information, including donor details, from hundreds of organisations. That contractor is now in prison.

The nonprofit's argument comes down to this: the IRS collects donor details on a standard tax form, but never actually uses that information to enforce tax law. So why collect it at all, especially when it clearly cannot be kept safe? The lawsuit asks the court to stop the IRS from collecting donor information in future.

There is also a legal principle at stake. US courts have long held that any government demand for a donor or membership list must pass a high test. The government must show a clear and important reason for needing the information. This rule goes back to the Civil Rights era, when Southern US states tried to force the National Association for the Advancement of Colored Peopl (NAACP) to hand over its donor lists in order to intimidate supporters of the movement. The courts blocked it then, and the same principle is being tested again now.

Why this matters for South African accountants

The South African context is different in structure, but the core risk is the same. Data held by a government body can be breached. And when it involves donors to civil society organisations, the consequences go beyond compliance. South African nonprofits registered as Public Benefit Organisations (PBOs) submit financial information to SARS, including details relevant to section 18A donation receipts. That information sits in a government system. What we should be asking is: what happens if it gets out?

POPIA, South Africa's data protection law, places legal obligations on any organisation that holds personal information, including SARS and the Department of Social Development. As covered in Two Enforcement Notices, One Message: POPIA and PAIA Are Real, enforcement is no longer theoretical. The Information Regulator has issued enforcement notices. Fines of up to R10 million are possible for serious breaches. And critically, POPIA does not only require you to protect data. It requires you to report a breach when one happens.

If you advise nonprofit clients, this case is a useful prompt to review what data your clients are submitting to SARS and the NPO Directorate, who has access to it, and whether your clients have a data breach response plan in place.

The data security risk is not just a government problem

Accountants hold donor and beneficiary information in their own systems too. Client files, spreadsheets, email threads with donation schedules, and section 18A receipt records all carry personal information that is regulated under POPIA.

As outlined in Cybersecurity for the Small Practice, small practices are not exempt from POPIA obligations. Every individual client you have ever held information for is a data subject. If that information is compromised, and you cannot show you had reasonable safeguards in place, you carry both legal and professional risk.

What you can do now

If you work with nonprofit clients, here are three practical steps worth taking:

  1. First, review what information is being collected and why. If you are gathering donor details beyond what SARS actually requires for section 18A purposes, that is unnecessary risk.

  2. Second, check that your nonprofit clients have appointed an Information Officer and drafted a PAIA manual (refer to the requirements of the Information Regulator ). This is a legal requirement, not optional. It is also a service you can provide.

  3. Third, make sure your own practice has a documented data breach response plan. If personal information you hold is compromised, POPIA requires you to notify the Information Regulator and affected individuals. You need to know exactly what you would do before it happens.

The US case may be decided by American courts under American law. But the principle is universal: data that governments and accountants collect must be necessary, proportionate, and properly protected. If it is not, someone pays the price. And in the case of nonprofit donors, that price can include more than a fine.

Previous
Previous

The Big 4 Are Burning Down Their Own House

Next
Next

The FSCA Just Mapped the Next Three Years. Are You Ready?