Board papers, policies and donor records: a document management blueprint for NFPs

Jun 2, 2026

TL;DR

  • NFPs sit on three high-stakes document categories: board papers (governance), policies and procedures (compliance), and donor and beneficiary records (privacy). Each has different retention, access and audit needs.
  • You’re legally on the hook for more than you think. The ACNC requires charities to keep records for at least 7 years. The Privacy Act and the 13 Australian Privacy Principles apply to many NFPs (and to all health-service providers, regardless of size).
  • “Document management” is a governance issue, not an IT one. The AICD’s Not-for-Profit Governance Principles explicitly link information management to board accountability.
  • A shared drive isn’t a document management system. You need version control, role-based permissions, audit trails, lifecycle workflows, and a way to prove who read what and when.
  • SharePoint Online is the natural home for most Australian NFPs. Microsoft 365 nonprofit grants make it genuinely affordable, and tools like Injio Docs and the Injio Intranet add the structure and workflows on top.
  • Start small. This post includes a 1-week / 1-month / 1-year checklist so you can make meaningful progress without a big-bang project.

If your filing system is “the shared drive, Trish’s laptop, and three different versions of the same policy emailed around in 2022”, you are not alone. Most not-for-profits we talk to are doing extraordinary work with lean teams. And document management is usually the thing that gets a “we’ll fix it next quarter” sticker on it. Until an audit, a board change, or a privacy complaint forces the issue.

This is a practical blueprint for getting your three biggest document headaches (board papers, policies, and donor records) into one calm, governed, audit-ready place.

Why document management is a governance issue, not just an IT one

Here’s the uncomfortable truth: when something goes wrong at an NFP (a privacy breach, a regulator query, a board dispute, a funder audit), the first thing anyone asks for is documents. The minutes from that meeting. The version of the safeguarding policy that was in force at the time. The consent form the donor signed in 2021.

If those documents are scattered, undated, or in someone’s personal OneDrive who’s since left, you have a governance problem, not a filing problem.

The regulators back this up. The Australian Charities and Not-for-profits Commission (ACNC) expects charities to keep records (operational and financial) for at least seven years, and to keep them in good enough shape to explain what happened and prove you’ve met your obligations.

The Australian Institute of Company Directors (AICD) picks up the same thread from the boardroom. Its Not-for-Profit Governance Principles lean on the assumption that directors can actually find and trust the documents in front of them, whether they’re talking about strategy, risk, accountability or culture.

Put together: if your records are scattered or unreliable, your board can’t govern properly and your charity can’t prove it’s doing the right thing. That’s a governance problem dressed up as a filing one.

The three document categories every NFP has to get right

Most NFP document chaos comes from treating every file the same way. Files aren’t all the same, and that’s where categories start to matter in practice.

Most teams already understand that document categories matter. The problem isn’t awareness. It’s what happens when they’re not there.

Without clear categories, permissions sprawl, retention becomes inconsistent, and reporting turns into guesswork, which is where document management stops being helpful and starts being risky.

1. Board papers. The governance backbone

Board papers are the formal record of how your organisation is led. They include:

  • Constitution, rules or articles of association
  • Board and sub-committee minutes
  • Board packs (agendas, papers, resolutions)
  • Conflict-of-interest registers, declarations and policy
  • Whistleblower protections policy
  • Document retention and destruction policy
  • Delegations of authority
  • Risk and compliance registers
  • Strategic plans

The risk pattern we see most often: board papers stored in personal inboxes or shared drives with no version control, so when someone asks, “what did we approve in March?” the answer is a forensic email hunt.

2. Policies and procedures. Your compliance spine

Policies are the rules of the road. Procedures are how you drive. Both need to be:

  • Current (last reviewed within their stated review cycle)
  • Approved (with a clear approver and date)
  • Findable (one canonical version, not seven)
  • Acknowledged (staff and volunteers can demonstrate they’ve read it)

This last point, attestation, is where most NFPs come unstuck.

Saying “the policy was on the intranet” isn’t the same as proving Bob in fundraising read and acknowledged version 3.2 before he started doorknocking. A good document system records that attestation automatically.

3. Donor and beneficiary records. Your privacy frontline

This is the category with the sharpest legal teeth. The Privacy Act 1988 (Cth) applies to most NFPs with annual turnover over $3 million, and to all health-service providers regardless of size.

A few specifics that catch NFPs out:

  • APP 11 requires you to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and to destroy or de-identify it when no longer needed.
  • Notifiable Data Breach obligations mean you must notify the OAIC and affected individuals of eligible breaches. Penalties for serious or repeated interference with privacy now top out at the greater of $50 million, three times the benefit gained, or 30% of adjusted turnover for body corporates.
  • The ACNC’s updated guidance on managing data and privacy makes clear that even small charities below the $3M threshold are expected to handle personal data responsibly as a matter of good governance.

Donor records aren’t just spreadsheets of names. They’re consent records, communication preferences, gift histories, sometimes vulnerability flags, and increasingly, integrations into your CRM. They need the strictest access controls of the three categories.

What “good” looks like

You don’t need a six-figure platform. You do need these capabilities, however you assemble them:

| Capability | What it means in practice |
|---|---|
| Single source of truth | One canonical location per document. Not “the version on SharePoint, the one Sarah emailed, and the printout in the binder”. |
| Version control | Every change tracked, with the option to roll back. Major and minor versions, not just “Final_v7_REAL_FINAL.docx”. |
| Lifecycle workflows | Documents move through draft → review → approve → publish → review → retire on a schedule, not when someone remembers. |
| Role-based permissions | Board members see the board papers. Fundraisers see the donor records. Volunteers see what they need and nothing more. |
| Audit trails | Who opened it, who edited it, who approved it, who acknowledged it. Recorded automatically. |
| Metadata, not folders | Documents tagged with type, owner, review date, sensitivity. So they’re findable even when filing fails. |
| Retention and disposal | Records held for the required period (7+ years for charity records) and then defensibly destroyed. |
| Attestation | Staff can be required to read and acknowledge policies, with the record kept against their name. |

If your current setup can’t tick most of those boxes, you don’t have a document management system. You have a folder.

Why SharePoint is the natural home for NFP documents

We’re biased here. WebVine (the team behind Injio) has been building on SharePoint for two decades. But the practical case for Australian NFPs is genuinely strong:

  1. Microsoft 365 nonprofit grants and discounts make SharePoint Online accessible even for small organisations. Many NFPs are already paying for it through Microsoft’s nonprofit program.
  2. Security and compliance are enterprise-grade out of the box: encryption at rest and in transit, role-based access, audit logs, retention policies, and integration with sensitivity labels.
  3. It’s where work already happens (Word, Excel, Teams, Outlook) so adoption is far easier than asking volunteers to log into yet another system.
  4. Power Automate lets you build approval workflows, review reminders, and lifecycle automation without writing code.
  5. Microsoft 365 Copilot can summarise long board papers, draft policy updates against a template, and answer questions across your document library, when the library is well-structured.

The catch: vanilla SharePoint gives you the foundation, not the finished house. Out of the box you get document libraries and permissions; what you don’t get is the NFP-specific structure: a real policy library with attestation, a board pack workflow, a donor records area with the right access model.

That’s the gap Injio Docs is built to close, with a Document Hub, Policy Library with attestation, lifecycle workflows and role-based access already wired up. (And if you’d like to see how it’s configured for charities and member-based organisations, the Injio for Not-for-Profit page is the place to start.) But the principles in this post hold whether you build it yourself or buy something off the shelf.

The blueprint: 1 week, 1 month, 1 year

You don’t need to fix everything at once. Here’s a realistic sequence.

| Timeframe | What to do | Why it matters |
|---|---|---|
| Within 1 week | Inventory where your board papers, policies and donor records currently live. List every system, shared drive, inbox and filing cabinet. | You can’t govern what you can’t see. Most NFPs are surprised by how many silos surface. |
| Within 1 week | Identify your “must not lose” documents: constitution, current board minutes, signed agreements, donor consent records, current policies. | These are your minimum viable governance set. |
| Within 1 week | Confirm who has access to donor data right now and remove anyone who shouldn’t. | APP 11 expects reasonable access controls. Stale access is the most common breach vector. |
| Within 1 month | Stand up a single SharePoint site as your document home, with three clearly separated areas: Board, Policies, Donor Records. | Structure beats good intentions. |
| Within 1 month | Migrate the “must not lose” documents first, tagged with owner, type, and review date. | Metadata is what makes search work later. |
| Within 1 month | Write or refresh three core policies: Privacy, Records Management/Retention, and Conflict of Interest. | These are the three policies regulators and funders ask for most often. |
| Within 1 month | Set retention to a minimum of 7 years for charity records, longer where funder agreements require it. | Aligns you with ACNC requirements. |
| Within 1 year | Move all policies into a managed Policy Library with review cycles, approver workflows, and staff attestation. | Demonstrates compliance, not just intent. |
| Within 1 year | Implement a board pack workflow: agenda → papers → distribution → minutes → action register, all in one place. | Cuts board admin time dramatically and protects directors. |
| Within 1 year | Tier donor records by sensitivity, apply role-based permissions, and document your data breach response plan. | Meets APP 11 and Notifiable Data Breach expectations. |
| Within 1 year | Run a “find it in 60 seconds” drill. Can your team locate the current child safeguarding policy, last month’s minutes, and a donor consent record? | If the answer is no, your system isn’t working yet. |
| Ongoing | Review the framework annually as part of your board’s risk and compliance cycle. | The AICD principles expect this. |

Need a hand putting this into practice?

Reading a blueprint is the easy part. Standing it up, across a busy NFP with limited tech resource, a board that wants answers, and a team that just needs the policy library to work, is where most organisations get stuck. That’s exactly the gap Injio is built to close, and where the team behind it can help.

A few of the ways we typically work with NFPs:

  • Document management health check. A short, structured review of where your board papers, policies and donor records live today, what’s at risk, and the two or three changes that would have the biggest impact in the next 90 days.
  • SharePoint and Microsoft 365 setup for NFPs. Getting your tenant configured properly (permissions, retention, sensitivity labels) so the foundation is solid before you build on it.
  • Injio Intranet and Injio Docs rollout. An NFP-ready intranet with a Document Hub, Policy Library with attestation, board workspace patterns, and lifecycle workflows already wired up. You get to “good” in weeks, not quarters.
  • Policy library uplift. Migrating, restructuring and tagging your existing policies into a managed library with review cycles, owners, and staff attestation built in.
  • Board portal in SharePoint. Configuring a secure board area with the right permissions, paper workflows, and a clean reading experience for directors, without the cost of a standalone board portal.
  • Training and adoption support. Because the best document system in the world doesn’t help if your team and volunteers don’t use it.

If any of that sounds like the help you need, the WebVine team (the people who build Injio) would love to have a chat.

You can also explore more on the Injio for Not-for-Profit page or take a closer look at Injio Docs and the broader Injio Intranet features.

Good document management isn’t about being a stickler for filing. It’s about giving your board confidence, your team time back, and your donors and beneficiaries the protection they deserve. Start with one week. The rest gets easier.

FAQ

How long do we have to keep donor and financial records?

The ACNC requires charities to keep operational and financial records for at least seven years. Some funder agreements require longer. Donor consent records should be kept for as long as you’re relying on that consent, and then disposed of in line with APP 11.

Does the Privacy Act apply to us if we’re a small charity?

It depends. The Act generally applies to NFPs with annual turnover over $3 million, but it applies to all health-service providers, organisations that trade in personal information, and certain other categories, regardless of size. Even if you’re not legally captured, the OAIC and ACNC both expect good privacy practice as a matter of governance.

Do we really need a “board portal” or is SharePoint enough?

For most small-to-medium NFPs, a well-configured SharePoint site (especially with an intranet accelerator like Injio sitting on top) does the job of a board portal at a fraction of the cost. Larger or listed-equivalent NFPs sometimes need a dedicated board portal, but it’s not the default answer.

What’s the difference between a document and a record?

A document is anything you create. A record is a document you have to keep, because of law, funder requirements or evidentiary value. The shift to thinking in records is what turns filing into governance.

Can we use Microsoft 365 if we’re a small charity?

Yes. And you should look into the Microsoft nonprofit program, which provides grants and significant discounts on Microsoft 365 licensing for eligible NFPs. It’s one of the highest-leverage moves a small charity can make.

Where does Copilot fit in?

Microsoft 365 Copilot is excellent at summarising long documents (a 60-page board pack in two minutes), drafting policy updates from a template, and answering plain-English questions across your library, provided the library is well-structured and permissions are right. Garbage in, garbage out applies more than ever.

We’ve got the documents but no one reads them. Help?

That’s where attestation matters. A Policy Library that tracks who has read and acknowledged each version turns “we sent it round” into provable evidence, and tends to lift actual reading rates dramatically.

What if our staff are mostly volunteers?

Role-based permissions and attestation become more important, not less. Volunteers should see the policies relevant to their role, acknowledge them, and have their access removed promptly when they leave. The principles don’t change, the lifecycle just runs faster.

About the Author

Chloe Dervin is the Co-Founder and Managing Director of WebVine, where she helps organisations get more value from Microsoft 365 through practical, user-focused digital workplace solutions. With over 20 years’ experience across consulting, project delivery, and business transformation, Chloe focuses on making technology genuinely useful, not just technically successful.

She has worked with organisations across Australia and globally, guiding teams to build more connected, productive, and sustainable ways of working.

Chloe is passionate about simplifying complexity, improving adoption, and helping organisations turn good ideas into practical outcomes through platforms like Injio, which was created, implemented and updated by the WebVine team.
