Corporate Policy: ACNC Information Management

This corporate policy is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework which sets out the scope, context and definitions common to our policies.

Policy statement

The ACNC is committed to creating, keeping, and providing accurate and reliable information. It is vital for achieving our objectives, for the provision of trusted charity information, and for providing evidence of our business decisions and activities.

This Corporate Policy provides fit-for-purpose and accountable information management practices and systems to ensure the creation, maintenance, and protection of reliable information. It defines the requirements for managing all formats of ACNC data, information, and records in line with business needs, legislative obligations, and whole-of-government policy.

Context

1. All business information the ACNC creates, sends, and receives is considered Commonwealth records requiring proper management. This includes the data and information we:
   • collect and share for charity registration, compliance, and reporting purposes, and
   • provide in a public register, where information about charities may be added, removed, withheld, or reinstated.
2. Well-managed business information is an asset that contributes to good government by:
   • supporting efficient business and informed decision-making
   • demonstrating government accountability and transparency
   • assisting risk mitigation, and
   • protecting rights and entitlements.
3. Poorly managed information can adversely affect decision making, negatively impact reputation, result in costs and inefficiencies including storing unnecessary information, and undermine rights and entitlements.
4. This policy is written within the context of the ACNC Information Governance Framework and whole-of-government information management policies. It supports the ACNC’s information being managed and protected as an asset of the agency and nation.
5. This Corporate Policy applies to the ACNC Commissioner, all ACNC staff, Advisory Board members, and external service providers that are contracted to assist with aspects of the ACNC’s business. All agency practices involving information are to adhere to this policy and its supporting documentation.

Overview

6. The National Archives of Australia’s (NAA) Information Management Standard for Australian Government states that business information must be created, adequately described, appropriately systemically governed and managed, and available for use and reuse. The preamble of most general records authorities includes the statement “Records in the care of agencies should be appropriately stored and preserved. Agencies need to meet this obligation to ensure that the records remain authentic and accessible over time.”
7. The ACNC’s information management policy will foster an environment that values the integrity and accessibility of the agency’s information and supports the efficient delivery of business outcomes. It:
   • establishes principles for the creation, titling, classification, access, security, storage, retention, and disposal of the agency’s information that address business needs, accountability requirements, and stakeholder expectations
   • provides guidance on information management practices, processes, and systems based on legislative and regulatory requirements, and
   • assigns information management responsibilities across the agency.
8. This policy applies to all formats of information and systems and applications used to create, capture, manage, and store ACNC information regardless of where it is held. This includes, but is not limited to: documents, email messages, telephone calls and voice messages, minutes, posts, podcasts, drafts, and business data. It applies to information in files, notebooks, diaries, email systems, agency websites, collaborative and social media applications, personal and shared drives, servers and file stores, registers, databases, mobile devices, official information management systems, and business information systems.
9. The concepts underpinning the management of our information are explained below. The legislation, procedures, and policies that support this Corporate Policy are listed in the References section.

Definitions

10. The following terms are used throughout this document. For ease of reference, they have been defined below and any reference to them should be read with the following meaning:

    • Access - the right, opportunity, means of finding, using, or retrieving information.

    • Accessible/accessibility - information can be identified, located, and accessed as required.

    • ACNC Commissioner - a statutory officer holder appointed to administer the Australian Charities and Not-for-profits Commission Act 2012 (Cth) (ACNC Act).

    • ACNC staff - are defined in s 120-5 of the ACNC Act.

    • Advisory Board - established under Part 6-1 of the ACNC Act, they provide advice and make recommendations to the ACNC Commissioner.

    • Business activities - activities that support the purposes of the organisation's existence.

    • Business information - all information the Australian Government creates, sends, and receives; also considered a Commonwealth record.

    • Business information systems - systems that create, keep, and manage business information, such as Dynamics, finance systems, personnel systems, and workflow systems.

    • Classification - systematic identification and/or arrangement of business activities and/or records into categories according to logically structured conventions, methods, and procedural rules.

    • Commonwealth record - all information in digital and non-digital formats that is created, used, or received as part of Government business.

    • Destruction - the complete and irreversible process of erasing information so it cannot be reconstituted or reconstructed.

    • Digital information - a record produced, stored, or transmitted by digital means rather than physical means. May be born digital or be digitised.

    • Digitisation - the process of creating digital files by scanning or otherwise converting analogue materials.

    • Disposal - the destruction, custody or ownership transfer, or damage or alteration of Commonwealth records.

    • Disposal Freeze/Records Retention Notice - a legal notice issued by the National Archives of Australia prohibiting the disposal of certain records.

    • External service providers - service providers outside of the ACNC that are contracted to assist with the performance of the ACNC’s functions. This includes consultants defined in s 120-10 of the ACNC Act.

    • Information asset register - a register of agency information assets and their locations, particularly noting long term, high value, and high-risk information.

    • Information governance - complete and consistent management of all information assets regardless of format, location, type, or value.

    • (ACNC) metadata standard - a minimum dataset for all information captured in/across the agency.

    • National Archives of Australia (NAA) - the agency responsible for government information management policy.

    • Normal Administrative Practice (NAP) - a process used to destroy certain low-value records that are not and do not need to be covered by a records authority.

    • Open access period - Commonwealth records are subject to public release upon request when they enter the ‘open access period’. The open access period is determined by the Archives Act 1983 (Cth) (Archives Act).

    • Record - a document or an object in any form (including any electronic form) that is, or has been, kept by reason of: (a) any information or matter that it contains or that can be obtained from it; or (b) its connection with any event, person, circumstance or thing.

    • Records authority (RA) - an instrument issued under the Archives Act that defines legal retention requirements for Commonwealth records.

    • Retain as National Archives (RNA) - the retention period and disposal action for records deemed to be of permanent (archival) value.

    • Retention period - the amount of time records must be kept. Records authorities define the legal minimum retention period for the records they cover. Retention periods vary depending on the value of the records, from short term to permanent retention (i.e. RNA).

    • Sentence/sentencing of records - the process of identifying and classifying information to determine: (a) the value, or significance, of the records; and (b) the appropriate management of the records (by assigning a records authority class).

    • Titling - a standard set of terminology or protocols that provides consistency for all users.

11. For the purposes of this document, the terms records, information, and data may be read to mean the same thing, unless stated otherwise.

Principles

• Principle 1: Mature information management practices and capabilities support the ACNC’s business activities.
• Principle 2: The ACNC will utilise information management practices that align with our obligations as an Australian Government agency.
• Principle 3: The ACNC will retain and dispose of information in a legal and accountable manner.
• Principle 4: The ACNC will support its staff to meet their information management responsibilities.

Principle 1: Mature information management practices and capabilities support the ACNC’s business activities

12. The ACNC will maintain information that is well-described, stored in known locations, and appropriately accessible to staff and clients to ensure it:
    • provides a reliable account of business decisions and actions
    • can be found, retrieved, and interpreted when needed
    • can be trusted as complete and accurate, and
    • is kept for as long as it is needed and no longer.
13. The ACNC will utilise mature policies, systems, and processes for managing its business information to:
    • document all required information about a charity, decision, fact, or event
    • provide the highest quality data to the greatest number of people
    • provide meaningful datasets and information to the Australian Government
    • make sound decisions, based on timely access to reliable information
    • retain trust by being able to account for actions, advice, and decisions made
    • share corporate knowledge and avoid duplicated effort
    • know who has seen, changed, or removed business information, when required
    • protect and secure information, and
    • retain and dispose of information in a legal and compliant manner.

Principle 2: The ACNC will utilise information management practices that align with our obligations as an Australian Government agency

14. Section 37 of the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act) requires the “accountable authority of a Commonwealth entity” to keep records “that properly record and explain the entity’s performance in achieving its purposes”. The ACNC reports conformance of its information management obligations to the ATO Commissioner of Taxation as the accountable authority.
15. Our information will be retained and disposed of in accordance with the requirements of the PGPA Act, the Archives Act and associated NAA policies. Information will be provided upon request under the public’s legal right of access, although privacy and secrecy provisions in the ACNC Act and the Privacy Act 1988 (Cth) (Privacy Act) may prevent the release of some of it.
16. The ACNC’s processes, policies, procedures, and work instructions address the legal obligations and Government policy relating to the creation, access, disclosure, privacy, accountability, security, retention, and disposal of information, wherever applicable.
17. We have formal policies relating to privacy, freedom of information, information handling, disclosure of information, use of ACNC data and information, records disposal, and disposing of low value records. Operational Procedures cover processes for data breaches, protected ACNC information, information exchanges, freedom of information, privacy, and records disposal. Individual Work Instructions address specific information management requirements as they relate to the task. For example, Advice Services’ instructions for mail, document naming conventions, filing and document management, proof of identity, and working from home all cover the issue.

Everyone in the ACNC has responsibilities relating to the creation, capture, management, privacy, protection, and retention of agency information.

18. The ACNC Commissioner, ACNC staff, Advisory Board members, and external service providers will:
    • create and capture accurate records of what they do now, not in the future
    • maintain appropriate levels of privacy, security, access, and secrecy of information to protect staff and client privacy and sensitive information, such as material that is security classified
    • capture all business information in endorsed corporate information systems
    • not store ACNC information in personal drives, personal OneDrive folders, or personal email accounts
    • capture agency information that is created in or worked on outside corporate systems in endorsed information systems
    • only retain downloaded ACNC information and material in local drives long enough to facilitate current work
    • only destroy or delete information that is covered by the ACNC’s NAP policy and General Records Authority 31. Other Commonwealth records will be disposed of in managed programs and processes, and
    • ensure that required practices are met while working outside the ACNC office environment at home, when travelling for ACNC purposes, and on portable devices.

These points are described in further detail in the sections below.

19. ACNC staff have obligations under the APS Values when handling information. They should also be aware of their responsibilities under the following legislation:
    • The APS Code of Conduct, as outlined in Division 2.1 of the Public Service Regulations 1999 (Cth), says that an APS employee has a duty not to disclose information they obtain in the course of their employment if it is reasonably foreseeable that that information could be damaging to the effective working of government.
    • Part 5.6 of the Criminal Code Act 1995 (Cth) contains offences that apply to Commonwealth officers which includes ACNC staff, the Commissioner and external service providers. It also applies to the Advisory Board.

Creation and capture

20. Everyone subject to this policy is to create and capture appropriate records of, and for, their business activities. This includes all necessary information to support the agency’s business needs, such as names, dates and times, versions, and other key information that captures the business context and addresses our legislated purposes.
21. All information created or received on behalf of the ACNC is to be captured in an endorsed (information) system unless it can be disposed of under a NAP. NAP and endorsed systems are explained below.
22. In keeping with the agency’s digital-by-default philosophy, if possible, all incoming paper correspondence will be converted to digital format and saved to an approved location. In certain circumstances, such as for security reasons, paper files may still be needed. Retention and disposal of material that has been digitised is explained below.

Titling and classification

23. Agency wide metadata standards and conventions for naming and categorising our information will underpin consistency across the ACNC.
24. Processes and procedures will reflect these conventions while also reflecting any specific work area requirements, such as task-based titling protocols, timing of when information is to be captured, and storage locations.

Information security

25. All ACNC information, including email messages, will be managed in line with the Protective Security Policy Framework (PSPF) security classification guidelines. To reduce the risk of unauthorised or inappropriate disclosure, our information will be:
    • marked according to its classification
    • handled and shared appropriately, and
    • stored appropriately for its security classification.
26. The ACNC’s IT systems are rated to hold Unclassified / Official information, suitably rated ATO IT containers are used for anything with a higher security classification. Our security rated physical information is stored in lockable containers, including B and C class safes.

Privacy

27. The ACNC Privacy Policy outlines how we will manage personal information and how the agency complies with the Privacy Act and the Australian Privacy Principles. Supporting policies and procedures, including proof of identify, data breaches, and privacy impact assessments, are available on the ACNC website.

Access to and release of information

28. Our information is a corporate resource to which all staff have access, except if the nature of the material requires restriction. Access restrictions will not be imposed unnecessarily, but the agency will protect:
    • information subject to the secrecy provisions in the ACNC Act
    • staff and client privacy, and
    • sensitive information, such as security classified material and material with dissemination limiting markings.
29. In meeting our obligations under the Information Publication Scheme and in the spirit of open-government policies, we will provide access to publicly available information on our website. We will also provide access to information requested under the Freedom of Information Act 1982 (Cth) (FOI Act) and Archives Act. The access rights provided in legislation apply to all ACNC information, wherever it is held.
30. Applications for access under the FOI Act are the responsibility of the ACNC FOI Officer. Access requests made under the Archives Act are the responsibility of the NAA.
31. The Archives Act requires access arrangements for records that are in the open access period. For the ACNC’s purposes, this means records that are more than twenty years old. This can include material covered by secrecy provisions in the ACNC Act.

Storage and systems used to maintain digital information

32. ACNC information will be kept where it can be appropriately managed, is suitably stored and preserved, and is available for use and reuse. This includes cloud storage and external servers. Our IT systems will protect sensitive and high value information, including RNA records and information subject to disposal freezes.
33. Our primary front-end information stores are Dynamics and SharePoint. External facing systems include the Charity Register, Charity Portal, and Charity Passport.
34. A full register of endorsed systems used to create or manage ACNC information will be maintained by the IT Directorate. Information asset registers will record the locations, value, and risk levels for our information.
35. The following business systems and software applications are currently endorsed for the capture and storage of the agency’s information.
    • Dynamics
    • SharePoint
    • SAP (via the ATO)
    • ATO file shares for security rated digital information.
36. ACNC information in email folders, personal drives, social and collaborative media (X, Facebook, Microsoft Teams), mobile devices, and external storage media must be retained and will be managed as part of the corporate record.
37. Personal ACNC OneDrive stores should only be used for reference copies and work in progress documents. Once material becomes a formal draft it must be moved to an endorsed ACNC system.
38. Work documents created or saved in personal drives will be captured in an endorsed location and appropriately deleted from the personal drive, unless it is publicly available information. Staff are permitted to temporarily save information and documents to personal drives for work purposes; however, this should only be done as a transitory measure. For example, when a process requires a document to be saved locally before it can be uploaded to an endorsed ACNC location. Once uploaded, copies must be deleted from the non-endorsed location - this is permitted under NAP.
39. We will ensure that ACNC information stored in the cloud and in external stores is managed as Commonwealth property. All applicable retention and disposal requirements will be met, copies destroyed, and disposal will be done in line with NAA approved format-appropriate destruction methods. If storage is provided under contract, providers will be made aware of their obligations in relation to Commonwealth records.

Using ACNC information when working remotely

40. The ACNC Commissioner and ACNC staff may be required to operate outside the normal office environment, for example, when working from home. It is vital that actions, deliberations, decisions, and approvals made outside the office settings are properly documented as evidence of business. The rules governing the security, privacy, and appropriate handling of our information still apply.
41. Work practices may need to be adapted and extra care taken to replicate controls and protections provided in the office. This includes ensuring that:
    • appropriate records of business activities are captured, particularly work done outside official systems, during phone calls, and in video chats
    • all new work and updated documents are uploaded to ACNC systems
    • ACNC information, in digital and paper format, is kept securely and protected - any unauthorised access must be reported to the ACNC Privacy Officer
    • personal and local drives are not used to store ACNC information, unless it is publicly available information
    • copies of official documents and information from ACNC systems are properly deleted from home computers when no longer needed
    • disposal of ACNC information is appropriate and accountable, including:
      • regularly emptying home computer and personal device ‘recycle bins’
      • destroying duplicates
      • not disposing of official papers with general household waste, and
    • information is returned or transferred to the office securely.
42. To help staff handle official data and information when working from home, Managers may:
    • control the physical and digital information that is taken from the office, for example, by registering what is sent home
    • remind staff to capture their work in approved ACNC and ATO systems (per paragraph 34 of this policy) and delete official records saved to home systems for reference purposes as soon as they are no longer needed.

Principle 3: The ACNC will retain and dispose of information in a legal and accountable manner

43. The ACNC keeps data, information, and records to support, and provide an account of, the agency’s business decisions and actions. Retention of our information will be consistent with these needs and compliant with applicable laws and NAA guidelines. In doing this, we reduce the risks associated with under retention, over retention, and unauthorised destruction, such as:
    • illegal disposal of Commonwealth records
    • penalties under the Archives Act
    • incomplete or inaccurate records
    • unnecessary costs for storage, resourcing, maintenance, and management
    • being required to provide public access to ‘over-retained’ information
    • inability to comply with regulatory and legislative responsibilities under the FOI Act and Privacy Act
    • inability to provide access to information for legal discovery action, and
    • damage to the ACNC’s organisational reputation.
44. Disposal of our information will be timely, authorised, accountable, and in a manner that is:
    • done with permission from or in accordance with a practice or procedure approved by the NAA
    • done in accordance with a NAP that the NAA does not disapprove of, or
    • required by any law.
45. The NAA provides permission to dispose of Commonwealth records in general and agency specific RAs that describe business activities and the records relating to those activities. RA group records by their value in ‘disposal classes’ that take all business, legal, and government requirements into account. The NAA may withdraw this permission and/or temporarily prohibit disposal by issuing a Disposal Freeze or Records Retention Notice for records relating to a major issue, such as the 2019-20 bushfires.
46. We will monitor and engage with the NAA to ensure the ACNC Records Authority covers our business activities and reflects our stakeholders’ needs. It is a living document and will be reviewed regularly to maintain its currency and completeness.
47. Our records disposal and RA administration processes are described in Operational Procedures.

Retention of information

48. The legal retention requirements for the agency’s information are defined in instruments and guidelines issues by the NAA. They contain processes for the identification and accountable disposal of records, which includes the destruction of short-term records and transfer of permanent value records to the NAA. We are permitted to retain short term value records longer than a disposal class requires, but they must remain accessible until they are formally disposed of.
49. Our information will be accessible for the entire period prescribed in applicable disposal classes. The ACNC will ensure that any software, hardware, and documentation required to enable continuing access to the agency’s information is available for the legally required retention periods.

Appropriate disposal of ACNC information

50. The disposal of ACNC information will be done in formal, accountable, managed processes. Apart from the situations described in paragraph 52, which are approved for use by all, the ACNC Commissioner, ACNC staff, members of the Advisory Board and external service providers will not dispose of agency information unless it is part of an authorised formal disposal process. Unauthorised disposal must be reported to the NAA’s Agency Service Centre.
51. Disposal of our records, information, and data will:
    • be compliant with s 24 of the Archives Act
    • be timely, so that it is neither under nor over-retained
    • not contravene or disregard ongoing or pending business needs, Disposal Freezes, Records Retention Notices, access requests, legal discovery, or other legal process
    • be approved by relevant stakeholders
    • result in transfers of RNA material to the NAA or the complete and irreversible destruction or erasure of short-term value records, and
    • be accountably recorded - master control records of disposal activities, including appropriate metadata about information that has been destroyed, will be retained as national archives.
52. General staff are only permitted to destroy agency information in the following circumstances using the relevant procedures:
    • using Normal Administrative Practice to dispose of low-value records, and
    • destroying originals of digitised records, when the digitisation process and scanning specifications meet the requirements of General Records Authority 31.

Disposing of information

53. Before disposing of information, approved staff will ensure the instruments or disposal classes used to sentence the information are still current and appropriate, and that the information has reached required minimum retention periods. Business owners and interested parties (such as Legal and Information Management staff) will be consulted to approve disposal or provide reasons for not approving it. The NAA will be consulted before RNA transfers are actioned.
54. Staff will check that disposal actions are:
    • Authorised - by the NAA through a current records authority and by the agency through an appropriate approval process.
    • Appropriate - the destruction method can't be undone.
    • Secure and confidential - custody transfers and destruction of agency information will be appropriate to its format and with the same level of security that was applied during its use. Destruction done by external service providers also must comply with these requirements.
    • Timely - information will not be kept longer than needed. If it is decided that information is to be retained longer than its minimum retention period, the reasons for the decision to retain it will be documented.
    • Documented - the disposal and destruction of information must be documented in appropriate detail to support accountability and compliance with reg 11 of the Archives Regulations 2018 (Cth) and ACNC policies on records disposal.

Transfer of custody

55. Section 27 of the Archives Act requires the ACNC to transfer records of permanent (RNA) value to the NAA when the information is no longer actively used or when it reaches fifteen years of age, whichever is sooner. We will undertake regular RNA transfers and:
    • ensure the scheduling and metadata content of each transfer meets the NAA’s requirements, and
    • review the information to determine if we require a copy for reference purposes (which may be disposed of when reference ceases).
56. The custody of ACNC information may also be transferred on a temporary or permanent basis:
    • For external service providers to conduct work for or on behalf of the ACNC. All Commonwealth records held by the provider are to be transferred back to the ACNC at the cessation of the contract arrangements if it cannot be legally disposed of. Refer to the NAA’s General Records Authority 40: Transfer of custody of records under Australian Government outsourcing arrangements for record-keeping for contracted services.
    • Following legislative or administrative changes. For example, the information transferred from the ATO for the establishment of the ACNC. The ATO also holds some active ACNC information, including personnel and finance records.
    • For ACNC Advisory Board members. The retention periods for advisory body records are significantly longer than the tenure of most ACNC Advisory Board general members. Advisory Board members may transfer certain records back to the ACNC to take on any remaining record-keeping responsibilities.

Principle 4: The ACNC will support its staff to meet their information management obligations

57. The ACNC Commissioner, ACNC staff, Advisory Board members, and external service providers will be advised about this policy and other information management obligations.
58. The agency will provide training and guidance for managing and handling agency information. General and tailored information management material will be provided.
59. The Chief Information Governance Officer and ACNC Information Governance Committee will monitor external polices and legislation to ensure the currency of the agency’s policies. They will also monitor the uptake of and compliance with external obligations to ensure the ACNC’s practices meet the required standards.

Roles and responsibilities

60. All ACNC staff are responsible for the creation and management of the ACNC’s information as defined by this policy.
61. ACNC Commissioner: The Commissioner is responsible for the management of information within the agency and has authorised this policy. The Commissioner will ensure the agency's information is appropriately and adequately managed and resourced.
62. Assistant Commissioner and Directors: The Assistant Commissioner General Counsel and Directors are responsible for the support of and adherence to this policy by promoting a culture of compliant information management. They will contribute to the development and operation of strategic information management mechanisms and documentation. This includes supporting the ACNC Information Governance Committee and ACNC Information Governance Framework.
63. ACNC Information Governance Committee: The Committee is responsible for overseeing the management of information in the agency, consistent with this policy. The Committee and Chief Information Governance Officer are responsible for ensuring the agency and its staff comply with information management responsibilities and obligations. They will do this by:
    • developing or acquiring and implementing information management products and tools, including systems to help create complete and accurate information
    • developing and implementing strategies to enable sound information management
    • coordination and oversight of legal and compliant records disposal
    • providing or procuring information management training, advice, and support for staff
    • monitoring and improving compliance with internal and external information management policies and directives, and
    • advising the Executive of risks associated with agency practices or non-compliance.
64. Chief Information Governance Officer (CIGO): The CIGO is responsible for championing the importance of effective information management and accountable for enterprise wide information governance. The role is responsible for strategic and technical information management, promotion of best practice, and engagement both within and outside the agency.
65. Managers and supervisors: Managers and supervisors are responsible for ensuring their staff are aware of, and are supported to follow, the practices and requirements in this and other ACNC information policies. They will also:
    • encourage consistent practices, such as by creating titling protocols for information specific to their work area, and
    • assign responsibility for managing and capturing records created on their work area’s collaborative and social media sites.
66. Managers will advise the ACNC Information Governance Committee of:
    • any barriers to staff complying with agency information policies, and
    • any changes in the business environment that may impact information management requirements, such as changed or new areas of business that may require records authority coverage.
67. Information Technology (IT): The IT Directorate is responsible for ensuring the ACNC’s systems support accountable and effective information management across the organisation. This includes adequate management and control of information, avoiding loss through systems obsolescence, and ensuring external cloud and storage providers meet their responsibilities in relation to Commonwealth records. In conjunction with the ATO Chief Information Security Officer (CISO), the Directorate is also responsible for IT security issues, including advice and guidelines for the security of the agency’s information.
68. IT staff are responsible for maintaining the technology for the agency’s business information systems, including implementing and maintaining appropriate information management functionality, system accessibility, security, and backup. They manage actions, including data migration, legal disposal of digital information, servers, and systems; and decommissioning of systems, in line with this policy.
69. Contract managers: Staff responsible for entering into and managing contracts and agreements for outsourced services provided to, or on behalf of, the ACNC are responsible for ensuring service providers are aware of, and adhere to, the Commonwealth record-keeping requirements for outsourcing arrangements. This includes the Obligations of Contractors in Australian Government outsourcing arrangements. Our documentation will be updated to reflect these requirements as they apply to the contracted or agreed service.
70. External service providers: Providers of outsourced services, including those holding or hosting information for, or on behalf of, the ACNC are to manage information in line with this policy and any applicable legislation. Any agreement entered into between the ACNC and an external service provider should take the obligations under this Information Management Policy into account. For example, any disposal carried out by the provider will be done with ACNC approval and compliant with requirements for disposal of Commonwealth records. At the conclusion of the agreement, providers will return Commonwealth records within a reasonable timeframe and in a digital format that is accessible to the agency; return or destroy all duplicates; and/or facilitate the transfer of Commonwealth records to a new service provider if the outsourcing contract with the old service provider is not continuing.
71. ACNC Advisory Board members: Members of the ACNC Advisory Board will create and maintain records of work done for and on behalf of the agency, in keeping with Commonwealth record-keeping obligations. Because these responsibilities may extend beyond a Member’s time on the Board, we will assist the Advisory Board with the retention of Commonwealth records.

Monitoring and review

72. In keeping with the ACNC Policy Framework, this policy will be reviewed biennially. Reviews may also be required following changes in the business environment. The Directorate responsible for this policy will initiate these reviews.
73. The Information Governance Committee, Chief Information Governance Officer, and Director of IT will monitor and report on compliance to the Executive through regular reporting cycles. They will use results from information management assessment tools such as the NAA’s annual Check-Up surveys to identify areas for improvement and development.

References

ACNC references

• ACNC Information Governance Committee Terms of Reference
• ACNC Information Governance Framework (to be completed)
• ACNC Information Management Strategy
• ACNC Records Authority Submission for NAA, January 2020 and July 2020
• Advice Services' Work Instructions: Allocation and mail handling; Document naming conventions; Scanning incoming paper mail; Filing and document management in the compactus; Proof of Identity
• Corporate Policy: ACNC Privacy Policy
• Corporate Policy: Information handling
• Corporate Policy: Media
• Corporate Policy: Use of ACNC Data
• Corporate Policy: Use of Normal Administrative Practice (NAP) for disposing of low value records
• Operational Procedure: ACNC data breach response plan
• Operational Procedure: ACNC Information Publication Scheme
• Operational Procedure: Administering the ACNC Records Authority (draft)
• Operational Procedure: Completing a Privacy Impact Assessment
• Operational Procedure: Proof of Identity Procedure
• Operational Procedure: Protected ACNC Information
• Operational Procedure: Records Management - disposal of ACNC information (under review)
• Operational Procedure: Referrals and information exchange
• Operational Procedure: Using Normal Administrative Practice (NAP) for disposing of low value records

External references

• APS Values
• Archives Act 1983 (Cth)
• Archives Regulations 2018 (Cth)
• Australian Charities and Not-for-profits Commission Act 2012 (Cth)
• Australian Charities and Not-for-profits Commission (Consequential and Transitional) Act 2012 (Cth)
• Australian Charities and Not-for-profits Commission Regulation 2013 (Cth)
• Charities (Consequential Amendments and Transitional Provisions) Act 2013 (Cth)
• Crimes Act 1914 (Cth)
• Criminal Code Act 1995 (Cth)
• Freedom of Information Act 1982 (Cth)
• Information Management Standard for Australian Government
• International and Australian Standard / ISO 15489-1:2016 - Records management
• National Archives of Australia
• Introduction to the PGPA Act for officials, Department of Finance
• Privacy Act 1988 (Cth)
• Protective Security Policy Framework (PSPF)
• Public Governance, Performance and Accountability Act 2103 (Cth)
• Public Service Regulations 1999 (Cth)