Operational Procedure: Protected ACNC Information

This Operational Procedure is issued under the authority of the Assistant Commissioner General Counsel and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Context Statement

1. The secrecy provisions in Part 7-1 of the Australian Charities and Not-for-profits Commission Act 2012 (Cth) (ACNC Act) protect the confidentiality of 'protected ACNC information'. These apply to all ACNC officers, contractors and subcontractors performing services for the ACNC, any individual working for the Commonwealth or a Commonwealth agency or authority, and members of the Advisory Board. Although the ACNC Act defines ‘ACNC officer’ to mean the Commissioner and staff working for the ACNC, for the purpose of this procedure, ‘ACNC officer’ means any person to whom the ACNC secrecy provisions apply.
2. Protected ACNC information is information that:
   • was disclosed or obtained under, or for the purposes of, the ACNC Act; and
   • relates to the affairs of an entity; and
   • identifies the entity, or is reasonably capable of being used to identify the entity.

The definition of protected ACNC information is wide and includes information about charities and individuals. It includes information that ACNC officers receive, as well as information they generate.

3. An 'entity' is defined in the ACNC Act as: an individual; a body corporate; a body politic; any other unincorporated association or body of persons; and a trust.
4. This procedure is designed to guide staff when handling protected ACNC information.

Collecting protected ACNC information

5. Many functions and powers under the ACNC Act require the collection of protected ACNC information. Information we receive which is not related to performing a function or exercising a power under the ACNC Act is not protected ACNC information. There may be other rules, however, about whether the ACNC can collect, use, or disclose such information (for example, the Privacy Act 1988 (Cth)).
6. Common examples of protected ACNC information include:
   1. charity registration applications,
   2. information gathered about a charity or an individual through compliance activities,
   3. case finalisation reports written by ACNC staff,
   4. confirming that the ACNC is investigating a charity,
   5. completed ACNC forms, and
   6. legal advice provided in relation to a charity’s situation.

Use and disclosure of protected ACNC information

7. Protected ACNC information can only be used or disclosed when an exception in subdivision 150-C of the ACNC Act applies. Using or disclosing protected ACNC information when no exception applies is an offence under section 150-25 of the ACNC Act. The ACNC officer who unlawfully uses or discloses the protected ACNC information commits an offence and is liable for a penalty of up to two years’ imprisonment and/or a fine of 120 penalty units.
8. ‘Using’ information includes accessing, reading, recording, or recalling the information. It also includes being aware of the information and seeking to achieve a particular outcome based on the information (as outlined in the Explanatory Memorandum to the ACNC Act (EM), paragraph 11.35).
9. ‘Disclosing’ information includes divulging or releasing the information to any other entity (EM, paragraph 11.36). Information may be ‘disclosed’ by publishing, writing, speaking, transmitting or conveying it in any form that enables the other entity to identify the entity to which the information relates (EM, paragraph 11.37).
10. An ACNC officer must be confident that an exception applies before using or disclosing protected ACNC information. The ACNC officer must make a record of the reasons that an exception applies.
11. If an ACNC officer is unsure whether an exception applies, they should seek advice from Legal. If the circumstances are sensitive, complex, or high-risk, the Executive may need to decide whether to disclose the information. While it is an offence to unlawfully disclose protected ACNC information, it is generally not an offence to withhold it; it will be safer to not disclose the information until there is an assurance that an exception applies. An entity that seeks information has other options, such as a Freedom of Information request.

Disclosure to the entity to whom the information relates (subsection 150-25(2))

12. An ACNC officer can disclose protected ACNC information about a person, charity, or other organisation to that person, charity, or other organisation. They may also disclose the information to the entity's agent, such as a lawyer or accountant.
13. When dealing with charities, an ACNC officer may disclose protected ACNC information to:
    1. the charity’s Responsible Persons,
    2. an authorised person who holds a position in the charity that gives them authority to act on behalf of the charity (for example a CEO, CFO or company secretary), and/or
    3. an agent authorised by the charity (for example a lawyer or accountant).
14. Before disclosing protected ACNC information to an individual or charity under this exception, the ACNC officer must verify the person's identity in accordance with the ACNC Proof of Identity Procedure.

Example A

Sam is a Responsible Person for the charity Benevolent Care and they noticed that the charity’s latest AIS is not displayed on the Charity Register.

They call Advice Services to check whether the ACNC has received it, and speak with Sarah. She confirms that Sam is listed as a Responsible Person for Benevolent Care and she uses the ACNC proof of identity procedure and the information in the ACNC database to verify Sam’s identity.

Sam passes the identity checks and Sarah knows she can disclose to them that the ACNC has received their charity’s AIS.

Example B

Roger makes a complaint about a charity. It is reviewed by Michael, an ACNC compliance officer, who escalates it to an investigation. Michael sends a letter to Roger setting out the nature of the complaint he made and confirms that it appears to be within the ACNC's jurisdiction.

Because the letter contains only information about Roger's complaint and does not divulge any information that the ACNC holds about the charity under investigation, or the fact that an investigation has commenced, Michael has not breached the secrecy provisions.

Three weeks later, Roger telephones Michael and wants to know the outcome of the investigation. Michael tells Roger that the matter is still being investigated and the ACNC has reason to believe that the charity has breached the Governance Standards.

On the phone, Michael has gone beyond discussing Roger's complaint. He has now disclosed protected ACNC information about the charity to Roger. Michael has now breached the secrecy provisions.

Disclosure in the performance of duties (section 150-30)

15. An ACNC officer may use or disclose protected ACNC information if it is in the ordinary course of performing duties under the ACNC Act. This exception allows an ACNC officer to disclose information to ACNC colleagues when it is necessary in order to do something that the ACNC Act empowers the ACNC to do (EM, paragraph 11.43). If an ACNC officer is authorised to perform a certain function or duty, then it will be lawful to use or disclose as much information as necessary to properly perform that function of duty.
16. As part of the general administration of the Act, ACNC officers may also have to do things that are not explicitly covered by a provision of the ACNC Act, but which must be done so that the ACNC can properly function and administer the Act. Using or disclosing protected ACNC information in order to complete these tasks is also lawful.

Example C

Viraj is a Compliance Officer and needs to determine whether to proceed to an investigation of a charity. He discusses the case details with members of his team and his director during a case meeting to determine the most appropriate course of action. Because Viraj is disclosing the case details for the purpose of performing his duties, it is lawful under section 150-30.

Example D

Tanya is a Compliance Officer who discovers that a high-profile celebrity is involved with a charity under review. She shares this information with her colleague Rebecca from Advice Services over morning tea because she thinks Rebecca might find this interesting. Although Rebecca is an ACNC officer, section 150-30 does not apply. Tanya has not disclosed the information to Rebecca in the course of her duties because Rebecca’s input is not needed for Tanya to do her work. Tanya has breached the secrecy provisions.

Example E

The ACNC revoked the registration of Charity Relief Army. Ms Yang, a Responsible Person of the charity, is quoted in a media article stating: “I heard nothing from the ACNC until I got a call from you guys in the media telling me that my charity’s registration had been revoked.”

Ms Yang’s comments imply that the ACNC did not follow its processes and failed in its duty to administer the ACNC Act.

An ACNC Communications Officer believes responding to correct this statement in the media may be connected to the ACNC’s general administration of the Act. They gather details (which include protected ACNC information) from the relevant Compliance Officer and then speak to an ACNC Lawyer.

Neither the lawyer nor the Communications Officer are performing a specific function under the ACNC Act, but they are considering how to administer the Act, so their use of the protected ACNC information is lawful.

The Communications Officer contacts the media outlet to correct the statement. There is no express power in the ACNC Act to do this, but doing so is a reasonable way of administering the Act. However, this comes with risk and the ACNC Executive should endorse such action.

Disclosure on the Register to achieve the objects of the ACNC Act (section 150-35)

17. The Commissioner’s maintenance of a Charity Register would be impossible without the use of protected ACNC information. The ACNC Act requires the Commissioner to publish certain information about registered charities and former registered charities on the Charity Register (section 40-5). An ACNC officer may disclose protected ACNC information to the public on the Charity Register in accordance with Division 40 of the ACNC Act.
18. When an ACNC officer collects protected ACNC information that will be published on the Charity Register, the ACNC officer must inform the entity that it will be published.
19. In certain circumstances, the Commissioner may withhold or remove information from the Charity Register (section 40-10). If the Commissioner decides to withhold or remove information, ACNC officers must ensure that the information does not appear on the Charity Register because any disclosure will not be covered by section 150-35.

Disclosure to an Australian government agency (section 150-40)

20. An ACNC officer may disclose protected information if:
    1. the disclosure is to an Australian government agency; and
    2. the ACNC officer is satisfied that the information will enable or assist the Australian government agency to perform or exercise any of its functions or powers; and
    3. the disclosure is for the purpose of enabling or assisting the Australian government agency to perform or exercise any of its functions or powers; and
    4. the disclosure is reasonably necessary to promote the objects of the ACNC Act.
21. Before making a disclosure, the ACNC officer must be satisfied of all four conditions that are contained in section 150-40. If all four conditions are not satisfied, a disclosure will be unlawful.
22. When applying this exemption, an ACNC officer must document their decision. The officer will need evidence, such as a document or email, that shows the disclosure is lawful (EM, paragraphs 11.16, 11.19). The evidence that shows section 150-40 applies must be stored in the case file.
23. An ACNC officer must alert the agency that receives protected ACNC information to the on-disclosure provisions in the ACNC Act.

Condition 1: the information can only be provided to an ‘Australian government agency’

24. In the ACNC Act, ‘Australian government agency’ is defined as the Commonwealth, a State or a Territory, or an authority of the Commonwealth or of a State or a Territory (section 300-5). This condition is not likely to be contentious where the ACNC officer is disclosing to a well-known and established agency such as, the Australian Taxation Office (ATO), the Australian Securities and Investment Commission (ASIC), or a state or territory police force. If the ACNC officer is unsure whether the agency or department is an ‘Australian government agency’ for the purposes of the ACNC Act, they should speak with an ACNC Lawyer.

Condition 2: the information will enable or assist the other agency to perform its functions or exercise its powers

25. An ACNC staff member must identify the functions or powers of the receiving agency, and be satisfied that the information the officer discloses will enable or assist the agency to perform those functions or exercise those powers.
26. When another agency requests information from the ACNC, their request should set out the powers and functions of the agency, and explain how the information requested will assist the agency to perform those functions or powers. Requests from law enforcement agencies (including state police forces) should be sighted and approved by Legal, given the potential for information we disclose to be used as evidence in criminal proceedings.
27. The ACNC can disclose information under section 150-40 without a request from the receiving agency. There may be a Memorandum of Understanding (MOU) which sets out they type of information that may be proactively shared, and how it should be shared. However, an MOU does not have the force of law, and a proactive disclosure is not lawful just because there is an MOU. If an ACNC staff member has identified certain information that would help another agency, all four conditions must still be satisfied, the relevant director must approve the disclosure, and assistance from Legal may be required.

Condition 3: the disclosure is for the purpose of enabling or assisting the other agency to perform or exercise any of its powers or functions

28. Once the ACNC officer has identified the powers and functions of the receiving agency and is satisfied that the information will enable the agency to perform its functions and exercise its powers, the disclosure must be made for that purpose only and not for an ulterior purpose.

Condition 4: the disclosure is reasonably necessary to promote the objects of the ACNC Act

29. The objects of the ACNC Act (section 15-5) are:
    1. to maintain, protect and enhance public trust and confidence in the Australian not-for-profit sector; and
    2. to support and sustain a robust, vibrant, independent and innovative Australian not-for-profit sector; and
    3. to promote the reduction of unnecessary regulatory obligations on the Australian not-for-profit sector.
30. The disclosure must be reasonably necessary to promote one or more of these objects.

Disclosure or use with consent (section 150-45)

31. An ACNC member may use or disclose protected ACNC information if the entity to whom that information relates has consented to the information being used or disclosed for a particular purpose and the use or disclosure is for that purpose. Consent should be explicit, and, preferably, in writing. The ACNC officer must keep a record of the consent prior to disclosing or using the protected ACNC information.

Example F

Rochelle is a Responsible Person for Charity Family Centre and calls the ACNC to find out what personal details we have on file for her. She is not feeling well and is having difficulty hearing over the phone, so she asks the ACNC officer to speak with her partner.

Rochelle has verified her identity in accordance with the ACNC Proof of Identity procedure and gives consent to the ACNC officer to disclose her personal information to her partner.

The ACNC officer makes a note of the details of Rochelle’s consent and saves it in the case file. Because Rochelle provided express consent, the ACNC officer can disclose the information to Rochelle’s partner.

Disclosure of information lawfully made available to the public (section 150-50)

32. An ACNC officer may disclose protected ACNC information if the information has already been lawfully made available to the public, and the disclosure is for the purposes of the ACNC Act.
33. ACNC staff can assume that information that has been published on government websites such as the Charity Register, the Australian Business Register, or the ASIC Register has been published lawfully. ACNC staff may also assume that information that has been published in open court records, on the electoral roll, and information that the public may access by paying a fee has also been made lawfully available to the public.
34. Some caution should be exercised, however, with information published on the internet (including social media), or in the media. A common-sense approach should be taken when assessing whether such information has been published lawfully.

Example G

Marcus calls Advice Services and speaks with Charlie. Marcus wants to know whether Charity Red is registered because he wants to make a complaint about it. Charlie checks the ACNC's internal records and notes that Charity Red had recently had its registration revoked because it did not have solely charitable purposes.

Charlie checks the Charity Register and sees that Charity Red's record states 'Revoked.'

Charlie can inform Marcus that Charity Red had its registration revoked because this information is available to the public on the Charity Register, and disclosing it is for the purposes of the ACNC Act.

However, Charlie cannot inform Marcus of the reasons for the revocation because this information has not been lawfully made available to the public and is only available on internal ACNC records.

If Marcus tells Charlie that he saw on Facebook that the charity’s registration was revoked because it did not have solely charitable purposes, Charlie cannot confirm or deny this, even though Charlie can see that it is true, because there is doubt about the information was made public on Facebook lawfully.

On-disclosure provisions

35. Once information has been disclosed lawfully under one of the exceptions contained in Subdivision 150-C of the ACNC Act, it remains protected by the on-disclosure provisions contained in Subdivision 150-D of the ACNC Act.
36. When information is disclosed for a particular purpose, it must only be used and disclosed by the recipient for that original purpose or in connection with that original purpose. ‘In connection with that original purpose’ means the use or on-disclosure is incidental to, or a consequence of, an action that was taken in pursuance of the original purpose (EM, paragraph 11.74).
37. The penalty for breaching the on-disclosure provisions is up to two years’ imprisonment and/or 120 penalty units. Any unlawful on-disclosure may have risks for the reputation of the ACNC, the entity that unlawfully discloses the information, and the entity to whom the information relates. An ACNC officer must inform the recipient of protected ACNC information of the on-disclosure provisions. The on-disclosure provisions do not apply, however, if the protected ACNC has been lawfully made available to the public (section 150-65).
38. The following template paragraph may be used to alert any government agencies that receive protected ACNC information (under section 150-40) of the risks and responsibilities:

Example H

An ACNC officer discloses information to the AFP for the purpose of enabling its criminal investigation functions. In accordance with the on-disclosure provisions, the AFP can only use and disclose that information for the purpose of fulfilling its criminal investigation functions.

If an AFP officer then disclosed the information to the media for a story about charities behaving badly, the disclosure would not be for the purpose of the AFP's investigation functions, and the AFP officer would have breached the secrecy provisions of the ACNC Act.

De-identifying data

39. In some instances, information may be de-identified to allow for a use that would ordinarily be prohibited by the secrecy provisions. However, it is important to note that removing identifying details will not necessarily mean the information is no longer 'protected ACNC information.' If the information identifies an entity or is reasonably capable of being used to identify an entity, it will remain protected ACNC information which can only be used or disclosed if an exception contained in Subdivision 150-C applies.

Example I

The ACNC Executive presents several case examples to the Adviser Forum for the purpose of demonstrating best practice. Some of the case examples are based on real compliance cases that have been de-identified for the purpose of discussion, including the name, size, ABN, and location of the charity.

The Executive should think broadly about how the remaining information could be interpreted. For example, a description of the charity’s activities does not need to be removed if it is so broad that it could apply to several hundred charities (for example ‘animal welfare charity’), but the description should be removed if it is more niche, and could only reasonably apply to a handful of charities (for example. welfare of Tasmanian Devils).

Storing protected ACNC information

40. Protected ACNC information collected by the ACNC must be collected and stored in accordance with Australian Government security policy and the ACNC’s Information Management Policy. The ACNC was established as a ‘digital by default’ agency and it must store electronic information securely. A secure and suitable environment is one that prevents unauthorised access, duplication, alteration, removal and destruction. The information must be stored in a way that ensures only people with the appropriate security clearance who need to know the information can access it. Paper records must be secured in locked cabinets, Australian Government approved security containers, or secure rooms with restricted access.
41. All entities covered by this policy must be made aware of their obligations under Part 7-1 of the ACNC Act during their induction.

Dealing with an unauthorised use or disclosure of protected ACNC information

42. Unauthorised use or disclosure of protected ACNC information must be reported to Legal and Policy immediately. Data breaches must be dealt with in accordance with the Data Breach Response Plan.