This Corporate Policy is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.
Policy Statement
- This policy sets out how the ACNC will comply with the Australian Privacy Principles (APPs) contained in Schedule 1 to the Privacy Act 1988 (Cth) (the Privacy Act), and the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code).
- The APPs are legally binding on the ACNC and regulate the way in which Australian government agencies can collect, store, use and disclose personal information. They also regulate how that information can be accessed and corrected.
- The Code is a legally binding instrument which requires Australian Government agencies, including the ACNC, to take specific steps to ensure their compliance with APP 1.2. The ACNC must:
- have a Privacy Management Plan
- appoint a Privacy Officer, and designate a Senior Executive Service officer as the Privacy Champion
- undertake a Privacy Impact Assessment (PIA) for all high privacy risk projects
- keep and publish a register of all PIAs
- commit to enhancing internal privacy capability by providing staff with training and education, and
- regularly review its privacy practices, procedures and systems, to ensure their currency and adequacy for complying with the APPs.
- Detailed information on the APPs can be found on the Office of the Australian Information Commissioner’s (OAIC) website www.oaic.gov.au.
Principles
- The ACNC will comply with the following principles:
- Principle 1: The ACNC will be open about how it manages personal information.
- This policy details the most common methods we use to manage personal information.
- Principle 2: The ACNC will comply with the APPs in the way it collects, holds, uses and discloses personal information.
- We will only collect and use personal information when it is lawful and necessary to do so. We will promptly rectify any errors, and securely store any personal information that we hold.
- Principle 3: The ACNC will comply with the Code.
- We will take steps to ensure compliance with our obligations under the Code. This includes:
- Privacy Impact Assessment (PIA) compliance
- ensuring all staff are trained in their privacy obligations annually
- having a dedicated Privacy Champion and Privacy Contact Officer, and
- having a Privacy Management Plan (PMP) and assessing our performance annually.
Background
- The ACNC is established under the Australian Charities and Not-for-profits Commission Act 2012 (Cth) (ACNC Act) as the independent national regulator of charities. The objects of the ACNC Act are to:
- maintain, protect and enhance public trust and confidence in the Australian not-for-profit sector through increased accountability and transparency
- support and sustain a robust, vibrant, independent and innovative not-for-profit sector, and
- promote the reduction of unnecessary regulatory obligations on the sector.
- For more information about the ACNC’s role and its functions see www.acnc.gov.au.
What is personal information?
- Personal information is information or an opinion about an individual, regardless of
- whether the information or opinion is true, and
- whether the information or opinion is recorded in a material form.
- The APPs apply only to information about individuals, and do not cover information about charities. Information about charities may be protected by the secrecy provisions contained in Part 7-1 of the ACNC Act. For further information on the ACNC secrecy provisions see Operational Procedure: Protected ACNC Information (OP 2015/01).
Who should read this Privacy Policy?
- You should read this Privacy Policy if you are:
- a person responsible for the governance of a registered charity or of an organisation that has applied to be a registered charity (Responsible Person)
- a contact person for a registered charity or of an organisation that has applied to be a registered charity
- an agent for a charity or of an organisation that has applied to be a registered charity
- an individual whose personal information may be given to, or held by, the ACNC
- a contractor, consultant or supplier of goods or services to the ACNC
- a person seeking employment with the ACNC, or
- an ACNC employee.
The ACNC Charity Register
- The ACNC Act requires the ACNC to collect and publish information about registered charities and their Responsible People on the Charity Register. The Charity Register allows the public to access and view information about registered charities. Subject to limited withholding provisions, the ACNC must publish this information in accordance with section 40-5 of the ACNC Act. The publication of certain personal information on the Charity Register is therefore permitted under the Privacy Act.
Principle 1: The ACNC will be open about how it manages personal information
Collection of personal information
- The ACNC will always endeavour to collect any required personal information directly from the individual in question. However, we may sometimes ask for personal information from a person’s agent – a lawyer or accountant – or from a third party – for example, another person acting on the authority of a charity or organisation that has applied to be registered as a charity.
- As detailed at paragraphs 31 to 36, we may also collect personal information from other government agencies.
- The personal information we collect is generally limited to details such as names, contact details, dates of birth and relationships to charities.
Common ways we collect and use personal information
Registration
- When an organisation applies for charity registration, the ACNC will ask for personal information about its Responsible People – the people responsible for the organisation’s governance. Some of this information – consisting of the name of each Responsible Person and the role they occupy within the organisation – must be collected under paragraph 40-5(1)(c) of the ACNC Act. We must publish this information on the Charity Register if we register the organisation as a charity.
- We also use the personal information provided in the registration application to undertake preliminary checks that ensure an organisation is entitled to charity registration, and that all Responsible People are entitled to serve as Responsible People in a registered charity.
- If a Responsible Person wants to contact the ACNC to discuss confidential matters relating to their organisation, we need to have enough information in our records to conduct a Proof of Identity (POI) check.
- While only each Responsible Person’s name and position are published on the Charity Register, we will also request additional personal information in the registration application that allows us to conduct POI checks at a later date. This additional information will not be published on the Charity Register, although we may also use or disclose this information to otherwise administer the ACNC Act when authorised to do so. For further information on the ACNC POI process, see Operational Procedure: Proof of identity procedure (OP 2015/02).
- If the person who completes a charity registration application is not a Responsible Person, we will also ask for personal information about that person. We request this information so we can conduct a POI check if this person contacts us again to discuss the registration application or any other confidential information.
Compliance and investigations
- We may need to collect personal information when investigating if a registered charity is complying with the ACNC Act and the Australian Charities and Not-for-profits Commission Regulations 2022 (Cth) (ACNC Regulations). This may include collecting information to verify that personal information we already hold is correct, or was correct at a specific point in time.
- While conducting compliance investigations, we may collect other personal information about a registered charity’s Responsible People or staff, where that information is relevant to the matters under investigation. Personal information collected during an investigation may either be obtained voluntarily, or by using a formal information gathering power under the ACNC Act.
Completing forms or meeting reporting obligations
- Any time someone completes a form or submits a report on behalf of a charity, we will request some personal information so we can conduct a POI check if that person needs to contact us at a later date to discuss their submission or any other confidential details. When authorised to do so, we may also use or disclose this information to otherwise administer the ACNC Act.
- If a charity asks us to contact someone else if we have any follow up questions about a form or report, we will also ask for some personal information about that person. While providing this personal information is voluntary, doing so enables us to conduct a POI check so we can discuss the content of the form or report with the alternative contact.
The ACNC Charity Portal
- Registered charities can use the Charity Portal to update information about themselves and their Responsible People. The information we collect about Responsible People is the same, regardless of whether changes are made using the Charity Portal or a paper form. We must collect the name and position of each Responsible Person, and publish that information on the Charity Register.
- We will also collect additional personal information so we can conduct a POI check if that person needs to contact us at a later date to discuss their information or their charity’s information. When authorised to do so, we may also use or disclose this information to otherwise administer the ACNC Act, and to promote the objects of this Act.
- A Responsible Person or authorised person can update or make a correction to their charity’s information online via the Charity Portal using their portal account. If someone forgets their Charity Portal password, we will ask them a series of security questions to verify their identity.
Advice Services
- We will need to conduct a POI check to ensure we are speaking with an authorised person before discussing with them any confidential matters about a registered charity. When conducting a POI check over the phone, we will ask several questions that relate to information we hold about a person. If a person contacts us by email or post and requests access to personal or charity information, we will first conduct a POI check to ensure they are authorised to access the information. For more detail on the ACNC proof of identity process, see Operational Procedure: Proof of identity procedure (OP 2015/02).
Charity Passport
- The Charity Passport is a way for government agencies to share information electronically, and is used to reduce reporting duplication. All Australian government agencies can become authorised Charity Passport Partners.
- The Charity Passport contains information that charities have provided to us, and that has been published on the Charity Register. This means that only publicly available information is shared between Charity Passport Partners. Some of this information includes personal information, such as Responsible People’s details.
- Use of the Charity Passport is subject to both the Privacy Act, and the secrecy provisions contained in Part 7-1 of the ACNC Act. The ACNC will only disclose personal information where it is lawfully able to, and Charity Passport Partners can only access and use personal information in accordance with those laws.
Information exchanged with other agencies and departments
- Where practicable, and in line with the ACNC’s objective of reducing unnecessary regulatory burden for charities, we will collect information from other agencies and government departments. Doing so means that people do not need to supply the same information to several government agencies.
- We may also disclose information we collect about people to other government agencies in situations where that person would ordinarily be required to provide that information to the other agency.
- Where reasonable, we will inform affected individuals that this may happen at the time we collect the information. This type of disclosure may occur outside the Charity Passport framework either because the government agency is not a Charity Passport Partner, or because the information is not available in the Charity Passport.
- We have agreements with several government agencies regarding the sharing of information, which may include personal information. These agreements are in the form of a Memorandum of Understanding (MOU) and are subject to the secrecy provisions contained in Part 7-1 of the ACNC Act and the Privacy Act, meaning that information will only be shared where doing so would be authorised by law and not a breach of privacy. All Commonwealth government agencies are subject to the Privacy Act, and can only collect, store, use and disclose personal information in accordance with the Privacy Act.
Visit the ACNC’s MOU page.
- The ACNC engages in data exchange and matching activities with other government departments and law enforcement agencies as part of our work to combat serious compliance concerns. These activities may include sharing charity and Responsible Person information in accordance with relevant legislation. ACNC policies and IT security and data protections ensure the security of this data. Disclosure of this information is authorised under section 150-40 of the ACNC Act and permitted under the Privacy Act.
- We also have agreements with State and Territory government agencies regarding the sharing of some personal information. While these State and Territory agencies are not subject to the Privacy Act (there are different state and territory privacy laws that apply to them), this does not affect the ACNC’s obligations under section 150-40 of the ACNC Act and the Privacy Act. We will only collect, store, use or disclose personal information in accordance with the Privacy Act.
For more information on State and Territory privacy laws go to the OAIC’s page on State and territory privacy law.
Research
- The ACNC produces research based on the information registered charities provide when they fulfil their reporting obligations. This research is de-identified and only encompasses general statistics and trends.
- We also work with the community to support research into charities. We may:
- collaborate on research projects
- identify areas where research is needed, and
- build and strengthen links between researchers, the charity sector and government agencies.
The ACNC will usually only disclose to researchers de-identified data or information already available on the Charity Register. We will only disclose identifiable information or information that is not published on the Charity Register when there is an agreement in place that ensures the information is handled confidentially and in accordance with the ACNC secrecy provisions and the Privacy Act.
Data.gov.au
- The ACNC discloses information that has been published on the Charity Register – including information in charities’ Annual Information Statements – for publication on data.gov.au.
- Data.gov.au is the central source of Australian open government data, and provides an easy way to find, access and reuse anonymised public datasets produced by government. Only publicly available information is disclosed to, and published on, data.gov.au (for example, information that is ordinarily published on the Charity Register).
Consultations and education
- The ACNC regularly meets with stakeholders from within and outside the charity sector, and occasionally runs consultation processes about specific issues. To enable these events and processes – and to allow for responses to any required follow up enquiries – participants’ names, workplaces and contact details are collected.
- The ACNC also conducts online education, such as webinars. Names, email addresses, charity details and role descriptions are collected from webinar registrants and attendees. Registrants are also asked for their consent to be contacted about future ACNC webinars or other ACNC initiatives after the webinar. Follow-up emails include unsubscribe options.
- The ACNC occasionally uses surveys to obtain feedback. For example, we have issued surveys to seek feedback from users of our online education resources. We may use or seek personal information in relation to our surveys. We will not publish any personal information that we obtain through a survey.
Employee information
- ACNC staff are Australian Taxation Office (ATO) employees who are made available to help the ACNC Commissioner. As such, all ACNC staff are covered by, and are required to comply with, ATO employment chief executive instructions, directions, policies and procedures.
- This means that when an ACNC officer begins employment with the ATO, the ATO will collect the information it needs from them for human resources purposes. This information is stored in the ATO’s internal systems and is kept confidential. ACNC human resources officers have access to a limited amount of information about ACNC officers held in ATO systems, which they can access in certain, prescribed situations.
- If ACNC staff or managers want access to information contained in ATO systems, they must contact the ATO People Helpline. The information will only be disclosed by ATO People to other ATO and ACNC staff in limited lawful circumstances and only where it is related to the person’s employment.
- In addition to the ACNC employee information the ATO holds, ACNC managers may hold personal information about the staff reporting directly to them. This information may relate to matters such as health, leave requests, or an employee’s performance, and must be handled in accordance with ATO employment instructions, policies and procedures.
Principle 2: The ACNC will comply with APPs in the way it collects, holds, uses, and discloses personal information
Use and disclosure of personal information
- Generally, we will only use or disclose personal information for the purpose for which it was collected, and when it is lawful to do so. We will notify the person of that purpose at the time we collect the information.
Disclosing personal information to overseas recipients
- Almost all the personal information that the ACNC collects is retained in Australia and will not be disclosed overseas by the ACNC. Exceptions to this include the following where we have contracted vendors to perform services on our behalf:
- the given name, email address and login details of Charity Portal users, which may also be electronically stored on servers in the United States of America that are owned by our information technology service providers contracted to perform services on our behalf. Information stored on those servers is subject to confidentiality and is only used for matters relating to the Charity Portal.
- when we send email correspondence via a third-party bulk mail email platform, email addresses may be electronically stored on servers in the United States of America, the United Kingdom and Germany. The email addresses are used for ACNC communications made through the platform. Currently, this is limited to sending out The Charitable Purpose newsletter, and to issuing reminders to charities that have not filed their Annual Information Statements on time.
- any personal information the ACNC collects via third-party survey platforms, which will be electronically stored on servers overseas if these platforms do not have data centres within Australia.
Accidental or unauthorised access, use or disclosure
- The ACNC will act quickly to rectify and remedy any suspected privacy breaches including unauthorised use or disclosure of personal information. The ACNC has a Data Breach Response Plan Procedure (OP 2015/03) in place to deal with suspected privacy breaches. The ACNC will notify the affected individual, as well as any appropriate third parties (for example, the OAIC) if there is a real risk of serious harm to a person due to a breach and we have not been able to undertake remedial steps to prevent the harm.
- There are other laws in place to manage incidents involving unauthorised uses and disclosures of information held by the ACNC, including:
- The ACNC secrecy provisions contained in Part 7-1 of the ACNC Act. When an ACNC officer unlawfully uses or discloses protected ACNC information, they may be subject to penalties including, in the most serious cases, up to two years’ imprisonment.
- All ACNC staff are covered by the Public Service Act 1999 (Cth), the Public Service Regulations 1999 (Cth) and the Australian Public Service (APS) Values and Code of Conduct. If employees disclose official information without authority, they may face disciplinary sanctions including, in the most serious cases, termination of employment.
- Current and former APS employees and service providers are generally covered by the Crimes Act 1914 (Cth) which provides criminal penalties for unauthorised disclosure of official information.
- The Criminal Code Act 1995 (Cth) provides similar penalties if former APS employees dishonestly use official information gained during their employment to benefit themselves or others, or to harm another person.
Storage and data security
- We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure. We do this by ensuring that:
- personal information collected by the ACNC is collected and stored in accordance with Australian Government security policies.
- information that has been stored electronically can, in most instances, only be accessed by ACNC staff. Information in the Charity Passport and on the Charity Portal can be accessed only by those we have allowed authorised access.
- our internal network and databases are protected using sophisticated security technologies.
- the ACNC’s premises are under 24-hour surveillance and access is via security pass only.
- all ACNC staff and service providers are made aware of their obligations under the ACNC secrecy provisions and Privacy Act during the induction stage of their employment. Ongoing training is provided to ensure we adhere to our established security practices.
Records management
- All Commonwealth agencies, including the ACNC, are bound by the Archives Act 1983 (Cth). All our records management policies – including the storage and destruction of information – accord with any Records Authorities, and General Disposal Authorities made pursuant to that Act.
- Section 27 of the Archives Act requires the ACNC to transfer certain records and information to the National Archives of Australia. This may include personal information if it forms part of the record of information that must be transferred. Some personal information may also be released upon request under section 31 of the Archives Act.
- Other Acts which affect our records management policies and procedures are:
Access to personal information
- A person has a right under APP 12 to access the personal information we hold about them. There is no charge for making a request. Any person can access their personal information via the Charity Portal or make a request for access to the personal information we hold about them by contacting us through the details outlined in paragraph 71.
- The request will need to include the following details:
- That the individual making the request is asking for access to the personal information we hold about them under the Privacy Act.
- The individual’s full name, date of birth and contact details (phone number, address, or email address that we will have on our systems). We ask for this information so we can verify their identity.
- An email or postal address that the individual would like a copy of the information they have requested sent to.
- A contact phone number so that we can speak with the individual if we need further details about their request.
- Any relevant details regarding the information the individual is requesting.
- We will respond to a request for access to personal information under the Privacy Act within 30 calendar days from the date of receipt of the request.
- In rare circumstances, the ACNC may refuse to provide access to personal information, or refuse to provide the information in the manner requested, on the basis that Commonwealth legislation, including the Freedom of Information Act 1982 (Cth) (FOI Act) requires or authorises us to refuse access.
- If we refuse to provide access, or refuse to provide access in the manner a person has requested, we will send a written notice to the person that outlines our reasons for refusal. We will also let the person know how they can object to the refusal.
- A person may also request access to information we hold about them under the FOI Act.
Correction of personal information
- A person can request that we correct personal information we hold about them when they believe it is out of date, inaccurate, incomplete, irrelevant, or misleading. There is no charge to make a request.
- A person can correct the personal information we hold about them by changing their details via the ACNC Charity Portal. They may also contact us for help by using the details included in paragraph 71 of this policy.
Anonymity and use of a pseudonym
- A person can elect to not identify themselves, or to use a pseudonym, when dealing with the ACNC. However, in some instances it will be impracticable for the ACNC to deal with a person anonymously. We may also be required by law to deal with identified individuals, in which case there is no discretion to grant anonymity or allow the use of a pseudonym.
- For example, a charity’s Responsible People must be identified to the ACNC because Division 40 of the ACNC Act requires the ACNC to publish the name and position of each Responsible Person of a registered charity on the Charity Register. However, examples of where a person may be able to remain anonymous or use a pseudonym are when they would like to make a complaint about a charity, or when they would like to provide the ACNC with feedback or make a general enquiry.
- The ACNC will decide on a case-by-case basis whether a person can use a pseudonym or remain anonymous in accordance with APP 2.
Data quality
- The ACNC is committed to monitoring, maintaining, and improving the quality of our products and services. If we become aware that personal information we hold is inaccurate, out of date, irrelevant or incorrect, we will take proactive steps to correct this.
Email communication
- We will generally use email to correspond with people when they have indicated that it is their preferred mode of communication.
- However, there are risks to the security of information transmitted over the internet. If we – in the context of the nature of the information to be communicated – consider that the risks are unacceptable, we will raise our concerns and suggest the use of another method of communication.
- People should also be aware of these risks when emailing us personal information. If doing so is a concern, we encourage them to use other methods like post or phone to communicate with us. Unfortunately, for security reasons, the ACNC office is not open to the public. However, if documents are particularly sensitive, you may be able to arrange to drop them off to us via the concierge desk in our office building by contacting us using the details in paragraph 71 of this policy.
How to make a complaint
- If an individual thinks that the ACNC has breached their privacy or not complied with the APPs (including the Code), they can contact us in any of the following ways:
- Phone: 13 ACNC (13 22 62) weekdays 1:00 pm to 5:00 pm (Sydney/Melbourne time)
- Email: advice@acnc.gov.au
- Write to:
Advice Services
Australian Charities and Not-for-Profits Commission
GPO Box 5108
Melbourne Victoria 3001
- Any written complaints relating to breaches of privacy rights should be marked: ‘Attention: Privacy Contact Officer’.
- We will respond to privacy complaints within a reasonable timeframe – usually within 30 days. If for any reason we need extra time to provide a considered response to a complaint, we will contact the complainant to explain the delay and let them know an expected timeframe.
How to make a complaint to the Privacy Commissioner
- If an individual is not happy with the way the ACNC handles their privacy complaint, they may contact the Australian Privacy Commissioner. While they may complain directly to the Privacy Commissioner before contacting us, the Privacy Commissioner will generally recommend they try to resolve the complaint with us in the first instance.
- The Privacy Commissioner’s contact details are provided on the website of the Office of the Australian Information Commissioner.
Updates to this privacy policy
- We will review this policy once every three years to ensure the ACNC’s compliance with all relevant privacy laws and policies and update as required.
Principle 3: The ACNC will comply with the Code
Privacy Contact Officer and Privacy Champion
- An ACNC officer within the Legal and Policy team will be designated as the Privacy Contact Officer. This designation will be made clear on the home page of the Legal and Policy SharePoint site. The Privacy Contact Officer will be the first point of contact for privacy matters, and have specific responsibility for:
- maintaining a template Privacy Impact Threshold Assessment (PITA) and Privacy Impact Assessment (PIA) for staff to use
- helping other ACNC officers to complete PITAs
- reviewing all PIAs
- maintaining the PIA Register, and
- annually performing the ACNC’s PMP assessment and preparation of the next .
- The Assistant Commissioner – General Counsel and Regulatory Services will be the Privacy Champion, and will be responsible for leadership activities and broader strategic oversight of the ACNC’s privacy maturity and practices.
Privacy Impact Threshold Assessments and Privacy Impact Assessments
- Refer to OP2019/03 Completing a Privacy Impact Assessment for more guidance on PITAs and PIAs. When starting any new piece of work, we will complete a PITA to help determine if a PIA is required. A PIA is required when the new work initiative is considered a high privacy risk (HPR) – which is where any project, initiative, or changed way of handling personal information is likely to have a significant impact on the privacy of individuals.
- If we determine that a PIA is not required, we will remain alert to the possibility that a project may change or evolve in a way that sees it subsequently meet the HPR threshold for requiring a PIA.
Privacy Impact Assessment Register
- The ACNC must maintain a PIA Register on the ACNC website. We publish the name of the project, the title of the PIA, and the date it was finalised to the register.
- We may release a PIA in certain circumstances – e.g. as part of an FOI or as a courtesy during engagement with a stakeholder – but not as a matter of course. These are managed on a case-by-case basis.
Privacy Management Plan
- The Code requires the ACNC to have a Privacy Management Plan (PMP) that identifies specific, measurable privacy goals and sets out how the ACNC will meet its compliance obligations under APP 1.2. The ACNC’s PMP is reviewed, assessed and updated annually.
Training and education for staff
- All new ACNC staff will receive training as part of their induction about their privacy obligations, which will be co-ordinated and delivered by the Privacy Contact Officer, Privacy Champion, or another staff member of Legal and Policy.
- All ACNC staff who access personal information will be provided with annual training or education on their privacy obligations. This may be in-person training or involve distributing education materials. These efforts will be co-ordinated and delivered by the Privacy Contact Officer, Privacy Champion, or Legal and Policy, and developed in consultation with staff. This education and training will predominantly target those teams that routinely handle personal information (Compliance, Registration, Reporting and Red Tape Reduction and Advice Services).
Version | Date of effect | Brief summary of change |
---|---|---|
Version 1 - Initial policy | 12/03/2014 | Initial policy endorsed by Commissioner ACNC on 12 March 2014 |
Version 2 - Revised policy | 22/09/2014 | Revision to clarify deletion of form information after 8 months |
Version 3 - Revised policy | 04/02/2015 | Updates to reflect and reference new ACNC Operational Procedures |
Version 4 - Revised policy | 26/04/2016 | Annual review and update 2016 |
Version 5 - Revised policy | 13/06/2019 | Updated to reflect new template, introduce overarching principles. Numerous minor changes made to reflect ACNC operational processes and new information technology systems. |
Version 6 - Revised policy | 25/03/2020 | Edited errors in legislation names. Removed Appendices and outdated hyperlinks. |
Version 7 - Revised policy | 14/09/2021 | Style changes. Policy moved to new template. Principle 3 inserted to reflect Agency obligations under the Code. |
Version 8 - Revised policy | 12/12/2024 | Wording amended for clarity. Numerous minor changes made to reflect current ACNC operational processes and data storage locations. |