Corporate Policy: ACNC Privacy Policy

This Corporate Policy is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Policy Statement

1. This policy sets out how the ACNC will comply with the Australian Privacy Principles (APPs) contained in Schedule 1 to the Privacy Act 1988 (Cth) (the Privacy Act), and the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code)
2. The APPs are legally binding on the ACNC and regulate the way in which government agencies and large organisations can collect, store, use and disclose personal information and how that information can be accessed and corrected.
3. The Code is a legally binding instrument which requires Australian Government agencies, including the ACNC, to take specific steps to ensure their compliance with APP 1.2. The ACNC must:
   1. have a Privacy Management Plan;
   2. appoint a Privacy Officer, and designate a Senior Executive Service officer as the Privacy Champion;
   3. undertake a Privacy Impact Assessment (PIA) for all high privacy risks projects;
   4. keep, and publish, a register of all PIAs; and
   5. commit to enhancing internal privacy capability by providing training and education to staff.
4. Detailed information on the APPs can be found on the Office of the Australian Information Commissioner’s (OAIC) website www.oaic.gov.au.

Principles

• Principle 1: The ACNC will be open about how it manages personal information.
  • This policy details the most common ways that we manage personal information.
• Principle 2: The ACNC will comply with the APPs in the way it collects, holds, uses and discloses personal information.
  • We will only collect and use personal information when it is lawful and necessary to do so. We will promptly rectify any errors, and securely store any personal information that we hold.
• Principle 3: The ACNC will comply with the Code.
  • We will take steps to ensure compliance with our obligations under the Code, including in the completion of Privacy Impact Assessments and ensuring all staff are adequately trained in their privacy obligations.

Background

5. The ACNC is established under the Australian Charities and Not-for-profits Commission Act 2012 (Cth) (ACNC Act) as the independent national regulator of charities. The objects of the ACNC Act are to:
   1. maintain, protect and enhance public trust and confidence in the sector through increased accountability and transparency,
   2. support and sustain a robust, vibrant, independent and innovative not-for-profit sector,and
   3. promote the reduction of unnecessary regulatory obligations on the sector.
6. The ACNC furthers these objects by:
   1. registering entities as charities,
   2. helping charities to understand and meet their obligations through information, guidance, and other support,
   3. improving public understanding of the work of charities by collating and publishing sector research,
   4. maintaining a public register so that anyone can look up information about registered charities,
   5. working with other government agencies to develop a ‘report-once, use-often’ reporting framework for charities,
   6. investigating complaints about potentially non-compliant charities, and taking enforcement action to address serious non-compliance by charities, and
   7. other activities as deemed necessary.

What is personal information?

7. Personal information is information or an opinion about an individual:
   1. whether the information or opinion is true or not; and
   2. whether the information or opinion is recorded in a material form or not.

8. The APPs apply only to information about individuals. The APPs do not cover information about charitable entities. Information about charitable entities may be protected by the secrecy provisions of the ACNC Act. For further information on the ACNC secrecy provisions see Operational Procedure: Protected ACNC Information (OP 2015/01).

Who should read this Privacy Policy?

9. You should read this Privacy Policy if you are:
   1. a responsible person of a charity,
   2. a contact person for a charity,
   3. an agent for a charity,
   4. an individual whose personal information may be given to, or held by, the ACNC,
   5. a contractor, consultant or supplier of goods or services to the ACNC,
   6. a person seeking employment with the ACNC, or
   7. a person employed by the ACNC.

The ACNC Register

10. The ACNC Act requires the ACNC to collect and publish information about charities and their responsible people on the ACNC Register. The ACNC Register allows members of the public to access and view information about registered charities. Subject to limited withholding provisions, the ACNC must publish this information in accordance with section 40-5 of the ACNC Act. The publication of certain personal information onto the ACNC Register is permitted under the Privacy Act.

Principle 1: The ACNC will be open about how it manages personal information

Collection of personal information

11. The ACNC will always endeavour to collect any required personal information from the person directly. However sometimes we may ask for personal information from a person’s agent (i.e. a lawyer or an accountant) or from a third party. A common example will be responsible people for a charity. Another person acting on the authority of the charity may supply us with the personal information of a charity’s responsible people that we require.
12. As detailed at paragraphs 25 to 28 below, we may also collect personal information from another government agency.
13. The personal information we collect is generally limited to details such as names, contact details, dates of birth and relationships to charities. We may need other personal information from time to time.

Common ways we collect and use personal information

Registration

14. When applying to register a charity, we will ask for personal information about the charity’s responsible people. We are required to collect this information under subsection 40-5(c) of the ACNC Act. We must collect the name and position of the charity’s responsible persons and publish this information on the ACNC Register (publication will only occur if the registration of the charity is approved).
15. We may also use the information provided to us in the registration form to undertake preliminary checks to ensure that a charity is entitled to registration and that all responsible people are entitled to hold such a position within the charity.
16. If a responsible person wants to contact the ACNC to discuss confidential matters relating to their charity, we need to have enough information in our records to conduct a Proof of Identity (POI) check. Only the name and position of the responsible person are published on the ACNC Register, but we will also ask for some additional information at the registration stage to enable us to conduct POI checks at a later date. This additional information will not be published on the ACNC Register. We may also use or disclose this information to otherwise administer the ACNC Act, when authorised to do so. For further information on the ACNC POI process see Operational Procedure: Proof of identity procedure (OP 2015/02).

17. If the person who is completing the registration form is not a responsible person, we will also ask for personal information about that person. We ask for this information so that we can conduct a POI check if this person wants to contact us to discuss the registration application or any other confidential information.

Compliance and Investigations

18. We may need to collect personal information when investigating whether a registered charity is complying with the ACNC Act and the Australian Charities and Not-for-profits Commission Regulation 2013 (Cth) (ACNC Regulation). This may include collecting information to verify that the personal information that we already hold is correct, or was correct at a specific point in time.
19. While conducting compliance investigations, we may collect other personal information about responsible people or staff of a registered charity or other people, where that information is relevant to the matters under investigation. Personal information collected during an investigation may be obtained either voluntarily, or by using a formal information gathering power under the ACNC Act.
20. Charities can choose to provide a ‘compliance contact’ with whom we may communicate on compliance matters. If a charity provides a compliance contact, we will need their contact details, which will involve providing personal information.

Completing forms or meeting reporting obligations

21. Any time someone completes a form on behalf of a charity, we will request some personal information so that we can conduct a POI check if that person needs to contact us to discuss the form or any other confidential details. We may also use or disclose this information to otherwise administer the ACNC Act, when authorised to do so.
22. We may also request the details of an alternative contact if a charity asks us contact someone else if we have any follow up questions about the form or report. Providing this personal information is voluntary, however it enables us to conduct a POI check so that we can discuss the content of the form or report with the alternative contact.

The ACNC Charity Portal

23. The ACNC Charity Portal is a way for charities to update information about charities and their responsible people. The sort of information we collect about responsible people is the same, regardless of whether changes are made using the portal or a paper form. We must collect the name and position of the responsible person and publish that information on the ACNC Register. We will also collect additional personal information so that we can conduct a POI check if that person needs to contact us and discuss their information or their charity’s information. We may also use or disclose this information to otherwise administer the ACNC Act, and to promote the objects of this Act when authorised to do so.
24. If someone forgets their password to the ACNC Charity Portal, we may need to ask them a series of security questions to verify their identity.

Advice Services

25. We will need to conduct a POI check to ensure that we are speaking with an authorised person before discussing any confidential matters about a charity. When conducting a POI check over the phone, we will ask several questions (generally three) that relate to information we hold about a person. If a person contacts us by email or post and requests access to personal information or charity information, we will first conduct a POI check to ensure that they are authorised to access that information. For further information on the ACNC proof of identity process see Operational Procedure: Proof of identity procedure (OP 2015/02)

Charity Passport

26. The Charity Passport is used to reduce reporting duplication. It is an electronic way for government agencies to share charity information. All Australian government agencies can become authorised Charity Passport Partners.
27. The Charity Passport contains information that charities have provided to us and that has been published on the ACNC Register. This means that it is only publicly available information that is shared between Charity Passport Partners. Some of this information includes personal information, such as responsible person details.
28. Use of the Charity Passport is subject to both the Privacy Act and the secrecy provisions contained in Part 7-1 of the ACNC Act. This means the ACNC will only disclose your information where it is lawfully able to, and Charity Passport Partners can only access and use your information in accordance with those laws.

Information to, and from, other agencies and departments

29. In line with the ACNC’s objective of reducing unnecessary regulatory burden for charities, where it is practicable, we will collect your personal information from other agencies and government departments. We do this so that people do not need to repeat the same information to several agencies.
30. We may also disclose information we collect about people to other government agencies where the person would ordinarily be required to provide that information to that other agency. Where reasonable, we will inform you of this fact at the time we collect the information. This type of disclosure may occur outside the Charity Passport framework either because the government agency is not a Charity Passport Partner, or the information is not available in the Charity Passport.
31. We have agreements with several government agencies regarding the sharing of information, which may include personal information. These agreements are in the form of a Memorandum of Understanding and are subject to the Privacy Act. This means information will not be shared where doing so would result in a breach of your privacy. All Commonwealth government agencies are subject to the Privacy Act. They can only collect, store, use and disclose your information in accordance with the Privacy Act.

32. The ACNC Legislative Review and the Government’s response identified that the ACNC needed access to criminal intelligence information to prevent the use of registered charities for criminal purposes, the ACNC engages in data exchange and matching activities with other government departments and law enforcement agencies. This may include sharing charity and responsible person information in accordance with relevant legislation, ACNC policies and IT security and data protections to ensure data remains secure. Disclosure of this information is authorised under s 150-40 of the ACNC Act and such disclosure complies with the Privacy Act 1988.
33. We also have agreements with State and Territory government agencies regarding the sharing of some personal information. While the State and Territory agencies are not subject to the Privacy Act (there are different state and territory privacy laws that apply to those organisations), this does not affect the ACNC’s obligations under the Privacy Act. We will only collect, store, use or disclose personal information in accordance with the Privacy Act.

Research

34. The ACNC produces research based on the information provided by charities when they fulfil their reporting obligations. This research is de-identified and only discusses general statistics and trends.
35. The ACNC also works with the community to support research into charities. We may: collaborate on research projects; identify areas where research is needed; and build and strengthen links between researchers, the charitable sector and government agencies. The ACNC will usually only disclose to researchers de-identified data or information that is already available on the ACNC Register. We will only disclose identifiable or withheld information when there is an agreement in place that ensures that the information is handled confidentially and in accordance with the ACNC secrecy provisions and the Privacy Act.

Data.gov.au

36. The ACNC discloses information that has been published on the ACNC Register, including information in the Annul Information Statement, for publication on data.gov.au. Data.gov.au provides an easy way to find, access and reuse public datasets from Government. Only publicly available information is disclosed to, and published on, data.gov.au (information that is ordinarily published on the ACNC Register).

Consultations and education

37. The ACNC regularly meets with the sector and other stakeholders, and occasionally runs consultation processes about specific issues. To enable the organisation of these events and processes, and to facilitate any required follow up enquiries, the name, workplace, and contact details of participants are voluntarily collected. This information may be shared amongst others attending the event, (for example, when an invitation is sent, or the minutes of a meeting are circulated).
38. The ACNC also conducts online education, such as webinars. Names, email addresses, charity details and role descriptions are collected from participants in webinars, as well as an indication from the registrant that they would like to be contacted about future webinars. We use this information to send a follow-up email at the conclusion of the webinar with links to relevant resources and additional information, and to send information about future webinars where this is agreed to. Follow-up emails include unsubscribe options.

Employee information

39. ACNC staff are Australian Taxation Office (ATO) employees who are made available to assist the ACNC Commissioner. As such, all ACNC staff are covered by, and required to comply with, the ATO employment policies and procedures.
40. This means that when an ACNC officer commences employment with the ATO, the ATO will collect the information it needs from them for human resource purposes. This information is stored in an electronic database called the ATO SAP system. This information is kept confidential - ACNC human resource officers have access to a limited amount of information held on ATO SAP, which they can access in certain, prescribed situations.
41. If ACNC staff or managers want access to information contained in the ATO SAP system, they must contact the ATO People Helpline. The information will only be divulged by ATO People to other ATO and ACNC staff in limited circumstances and only where it is related to the person’s employment.
42. In addition to the employee information held by the ATO, ACNC managers may hold personal information about the staff reporting directly to them. This information may relate to matters such as health, leave requests, or an employee’s performance, and must be handled in accordance with the ATO employment policies and procedures.

Principle 2: The ACNC will comply with APPs in the way it collects, holds, uses, and discloses personal information

Use and disclosure of personal information

43. Generally, we will only use or disclose personal information for the purpose for which it was collected, and when it is lawful to do so. We will notify the person of that purpose at the time we collect the information.

Disclosing personal information to overseas recipients

44. Almost all the personal information that the ACNC collects is retained in Australia and will not be disclosed overseas by the ACNC. The only exception to this is that the given name, email address and login details of ACNC Charity Portal users may also be electronically stored on servers in the United States of America, owned by our Information Technology service provider. Information stored on those servers is only used for accessing the ACNC Charity Portal.

Accidental or unauthorised use or disclosure

45. The ACNC will act quickly to rectify and remedy any accidental or unauthorised uses or disclosures of personal information. The ACNC has a Data Breach Response Plan Procedure (OP 2015/03) in place to deal with suspected privacy breaches. ACNC will notify the affected individual, as well as any appropriate third parties (e.g. the OAIC) if there is a real risk of serious harm to a person as a result of a breach.
46. Potential accidental or unauthorised use or disclosure of information, including personal information, is also covered by the following:
    1. The ACNC secrecy provisions contained in Division 150 of the ACNC Act. When an ACNC officer unlawfully discloses protected ACNC information, they may be subject to penalties including, in the most serious cases, up to two years imprisonment.
    2. All ACNC staff are covered by the Public Service Act 1999 (Cth), the Public Service Regulations 1999 (Cth) and the Australian Public Service (APS) Values and Code of Conduct. If employees disclose official information without authority, they may face disciplinary sanctions including, in the most serious cases, termination of employment.
    3. Current and former employees and service providers are generally covered by the Crimes Act 1914 (Cth) which provides criminal penalties for unauthorised disclosure of official information.
    4. The Criminal Code Act 1995 (Cth) provides similar penalties if former employees dishonestly use official information gained during their employment to benefit themselves or others or to cause harm to another person.

Storage and data security

47. We take reasonable steps to protect the personal information we hold from misuse, loss, or unauthorised access. We do this by ensuring that:
    1. Personal information collected by the ACNC is collected and stored in accordance with Australian Government security policies. All paper files are secured in locked cabinets, Australian Government approved security containers, or secure rooms with restricted access.
    2. Information that has been stored electronically can, in most instances, only be accessed by ACNC staff and, in the case of the Charity Passport and ACNC Charity Portal, only by those with appropriate authorisation.
    3. Our internal network and databases are protected using firewall, intrusion detection, and other technologies.
    4. The ACNC’s premises are under 24-hour surveillance and access is via security pass only, with all access and attempted access logged electronically. Visitors to our premises must be accompanied, at all times, by an ACNC officer.
    5. All ACNC staff and service providers are made aware of their obligations under the Privacy Act during the induction stage of their employment. Ongoing training is provided to ensure that we adhere to our established security practices.

Records management

48. All Commonwealth agencies, including the ACNC, are bound by the Archives Act 1983 (Cth). All our records management policies, including storage and destruction of information, accord with any Records Authorities, and General Disposal Authorities made pursuant to that Act.
49. Section 27 of the Archives Act requires the ACNC transfer certain records and information to the National Archives of Australia. This may include personal information if it is captured within information that must be transferred. Some personal information may also be released upon request under section 31 of the Archives Act.
50. Other Acts which affect our records management policies and procedures are:
    1. Evidence Act 1995 (Cth)
    2. Electronic Transactions Act 1999 (Cth)
    3. Public Governance, Performance and Accountability Act 2013 (Cth)
    4. Crimes Act 1914 (Cth)
    5. Archives Act 1983 (Cth)

Access to your personal information

51. A person has a right under APP 12 to access the personal information we hold about them. There is no charge for making a request. They can make a request for access to the personal information we hold about them by contacting us at advice@acnc.gov.au, phone 13 22 62 or GPO Box 5108 Melbourne Victoria 3001. They will need to include the following details in your request:
    1. That they are making a request for access to the personal information we hold about them under the Privacy Act.
    2. Their full name, date of birth and contact details (phone number, address, or email address that we will have on our systems). We ask for this information so that we can verify their identity.
    3. An address (email or postal address) that they would like a copy of the information they have requested sent to.
    4. A contact phone number so that we can speak with them if we need any further details about their request.
    5. Any relevant details regarding the information they are requesting.
    6. We will respond to their request within 30 calendar days from the date of receipt of the request.
52. In rare circumstances, the ACNC may refuse to give access to personal information or refuse to give the information in the manner requested on the basis that Commonwealth legislation, including the Freedom of Information Act 1982 (Cth), requires or authorises us to refuse access.
53. We will be as transparent as possible, and we will not make it more difficult than necessary to access personal information, nor will we refuse access to personal information unless there is a valid reason for doing so. If we decide to refuse to give access or refuse to give access in the manner a person has requested, we will send a written notice to the person, outlining our reasons for refusal. We will also let the person know how they can object to the refusal.

Correction of personal information

54. A person can request that we correct personal information we hold about them when they believe that information is out of date, inaccurate, incomplete, irrelevant, or misleading. There is no charge for making the request.
55. They can make a correction to the personal information we hold about them by changing their details via the ACNC Charity Portal at: https://charity.acnc.gov.au. They may also contact us at advice@acnc.gov.au, phone 13 22 62 or GPO Box 5108 Melbourne Victoria 3001 for assistance.
56. The ACNC Charity Portal allows a person to view and make corrections and updates to information we hold about their charity and its responsible people. The ACNC Charity Portal privacy notice on the ACNC website contains privacy information specific to the ACNC Charity Portal. Additional information is also provided within the portal.

Anonymity and use of a pseudonym

57. A person can elect to not identify themselves, or to use a pseudonym, when dealing with the ACNC. However, in some instances it will be impracticable for the ACNC to deal with a person anonymously. We may also be required by law to deal with identified individuals, in which case there is no discretion to grant anonymity or allow the use of a pseudonym.
58. For example, responsible people of a charity must be identified to the ACNC because Division 40 of the ACNC Act requires the ACNC to publish responsible person details on the ACNC Register. However, an example where a person may be able to remain anonymous or use a pseudonym is when they would like to make a complaint about a charity or when they would like to provide the ACNC with feedback.
59. Whether a person can use a pseudonym or remain anonymous will be decided by the ACNC on a case-by-case basis in accordance with APP 2.

Data quality

60. The ACNC is committed to monitoring, maintaining, and improving the quality of our products and services. If we become aware that our data is inaccurate, out of date, misleading or incorrect, we will take proactive steps to correct the information.

Email communication

61. We will generally use email to correspond with people when they have indicated that this is their preferred mode of communication.
62. However, there are risks to the security of information transmitted over the internet. If we consider that the risks are unacceptable, having regard to the nature of the information to be communicated, we will use another method of communication.
63. People should also be aware of these risks when sending personal information to us via email. If this is a concern for them, then we encourage the use of other methods of communication with the ACNC such as post, fax or phone. Unfortunately, for security reasons, the ACNC office is not open to the public, however, if documents are especially sensitive, we may be able to arrange for them to be physically transferred at the building’s concierge desk.

How to make a complaint

64. If an individual thinks that the ACNC has breached their privacy rights, they should mark any correspondence “Attention: Privacy Contact Officer”, and contact us by:
    1. Phone: 13 ACNC (13 22 62) weekdays 9:00 am to 5:00 pm AEST
    2. Email: advice@acnc.gov.au
    3. Write to:
       Advice Services
       Australian Charities and Not-for-Profits Commission
       GPO Box 5108
       Melbourne Victoria 3001
65. We will respond to privacy complaints within a reasonable time. This will usually be within 30 days. If for any reason we need additional time to provide a considered response to your complaint, we will contact the complainant to explain the delay and let them know an expected timeframe.

How to make a complaint to the Privacy Commissioner

66. If an individual is not happy with the way the ACNC handles their privacy complaint, they may contact the Australian Privacy Commissioner. While they may complain directly the Privacy Commissioner before contacting us, the Privacy Commissioner will generally recommend that they try to resolve the complaint by contacting us in the first instance.
67. The Privacy Commissioner can be contacted by:
    1. Phone: 1300 363 992
    2. Email: privacy@privacy.gov.au
    3. Write to:
       The Privacy Commissioner
       The Office of the Australian Information Commissioner
       GPO Box 5218
       Sydney NSW 2001

Updates to this privacy policy

68. This policy will be reviewed at least every three years to ensure the ACNC’s compliance with all relevant privacy laws and policies.

Principle 3: The ACNC will comply with the Code

Privacy Officer and Privacy Champion

69. An ACNC Officer within the Legal and Policy team will be designated as the Privacy Officer. This designation will be made clear on the home page of the Legal and Policy SharePoint site. The Privacy Officer will be the first point of contact for privacy matters, and have specific responsibility for:
    1. maintaining a template Privacy Impact Threshold Assessment (PITA) and Privacy Impact Assessment (PIA) for staff to use,
    2. assisting other ACNC officers to complete PITAs,
    3. reviewing all PIAs,
    4. maintaining the PIA Register, and
    5. annually reviewing the ACNC’s Privacy Management Plan (PMP)
70. The Assistant Commissioner General Counsel will be the Privacy Champion, and will be responsible for leadership activities and broader strategic oversight of the ACNC’s privacy practices.

Privacy Impact Threshold Assessments and Privacy Impact Assessments

71. Refer to OP2019/03 Completing a Privacy Impact Assessment for more guidance on PITAs and PIAs. When commencing any new piece of work, we will consider whether a PIA is necessary. A PIA may be required for any project, initiative, or changed way of performing our work which involves personal information. The Privacy Officer will maintain a template PITA and PIA. Any staff member may be complete a PITA, which will inform the decision about whether a PIA is required. Completed PITAs should be reviewed by the Privacy Officer.
72. If a PIA is required, they should be completed, as far as possible, by the directorate that is responsible for the project, initiative, or changed work procedure, as they are best placed to know and understand how personal information will be used. However, they should seek assistance from the Privacy Officer throughout this process, and the Privacy Officer must review all finalised PIAs and arrange for details to be published on the PIA Register.
73. There is no ‘sign-off’ process for PIAs, as they are living documents that should be reviewed and updated as a project evolves. However, they will usually be provided to the Executive as part of the approval process for the new project, initiative, or changed work procedure, and therefore, subject to Executive approval. If the new project, initiative, or changed work procedure is not subject to Executive approval, the Privacy Officer may decide that the PIA should be reviewed by the Director of Legal and Policy and/or the Privacy Champion where the matter is sensitive or there is a high degree of risk.
74. Whenever we determine that a PIA is not required, we will be alert to the possibility that a project may subsequently meet the threshold for requiring a PIA as it unfolds, and circumstances change.

Privacy Impact Assessment Register

75. The ACNC must maintain a PIA Register on the ACNC website. The Privacy Officer will ensure each PIA is added to the register as soon as possible after it is completed. The ACNC has some discretion around how much detail to include on the PIA Register. We will provide enough information to alert the audience to the existence and context of each PIA, without jeopardising the effectiveness of our lawful operations. At a minimum, we will publish the name of the project, the title of the PIA, and the date it was finalised. We will only redact, or substitute, any part of that information (such as the name of a project) if it is sensitive and there are serious risks involved in disclosing it. More detailed information can be published where is its appropriate to do so. We will not publish PIAs as a matter of practice unless there are special reasons to do so. However, a PIA may be released, either through FOI or as a courtesy during engagement with a stakeholder, unless there is special sensitivity, or an FOI exception applies. Potential disclosure of a PIA should be discussed with relevant parties first.

Privacy Management Plan

76. Executive endorsed the ACNC’s PMP on 14 December 2019. The Code requires the ACNC to have a PMP that identifies specific, measurable privacy goals and sets out how the ACNC will meet its compliance obligations under APP 1.2. The Policy Officer will be responsible for reviewing it in the period May-June of each financial year and revising the PMP to cover the next financial year. The current financial year’s PMP will be accessible to all staff via the Legal and Policy SharePoint.

Training and education for staff

77. All new ACNC staff will receive privacy training as part of their induction process, which will be co-ordinated and delivered by the Privacy Officer, Privacy Champion, or Legal and Policy.
78. All ACNC staff who access personal information will be provided with annual training or education on their privacy obligations. This may be in-person training or involve disseminating education materials. This will be co-ordinated and delivered by the Privacy Officer, Privacy Champion, or Legal and Policy, and developed in consultation with staff. Education and training will predominantly target those teams that routinely handle personal information (Compliance, Registration, and Advice Services).

References

• Privacy Act 1988 (Cth)
• Australian Charities and Not-for-profits Commission Act 2012 (Cth)
• Corporate Policy: Information handling (CP 2012/02)
• Operational Procedure: ACNC Protected Information Procedure (OP 2015/01)
• Operational Procedure: Proof of identity procedure (OP 2015/02)
• Operational Procedure: Data breach response plan (OP 2015/03)