Operational Procedure: Proof of identity procedure

This Operational Procedure is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Context statement

1. The aim of this Operational Procedure is to achieve a balance between:
   1. protecting the confidentiality of information required by the Privacy Act 1988 (Cth) (Privacy Act),
   2. upholding the secrecy provisions required by Part 7-1 of the Australian Charities and Not-for-profits Commission (ACNC) Act 2012 (Cth) (ACNC Act)),
   3. the importance of providing information to support and sustain the Australian not-for-profit sector (ACNC Act s 15-5(1)(b)), and
   4. easing the administrative burden for charities, by allowing people associated with charities and applicants to fulfil their obligations as seamlessly as possible.
2. This Operational Procedure applies to all external communications conducted by Australian Charities and Not-for-Profits Commission (ACNC) officers, in the performance of their duties, both verbal and written. This Operational Procedure explains:
   1. when a Proof of Identity (POI) check is required, and
   2. the procedure for conducting POI checks.

Is a POI check required?

General information and advice

3. A POI check is not required where the information requested is of a general nature and is not specific to a person or a particular charity. Examples include information that is available on our website, about our legislation, or about another organisation or agency (such as Justice Connect, the Australian Taxation Office, or a state revenue office).

Publicly available information

4. A POI check is not required where the information requested has already lawfully been made publicly available. Examples include information:
   1. that is on the ACNC Register, and
   2. that is on the Australian Business Register.
5. ACNC officers must retrieve the publicly available information from the public source, and never retrieve it from a non-public source, such as internal ACNC records. Some caution should be exercised when disclosing publicly available information – the relevant exception to the ACNC secrecy provisions only allows the disclosure of protected ACNC information when it has already lawfully been made public and the disclosure is for the purposes of the Act. Seek advice from the Legal and Policy team if unsure about how the secrecy provisions in the ACNC Act operate.

Personal and charity information not publicly available

6. A POI check is required where the information is about
   1. a person and is not publicly available (‘personal information’),
   2. a charity and is not publicly available ('charity information'), or
   3. an entity that is applying for registration, and is not publicly available (for the purposes of this procedure, information about these entities should be treated the same as charity information).

Conducting POI checks

Step 1: Is the person seeking personal information or charity information?

7. ACNC officers must first determine whether the person with whom they are communicating is requesting personal information or charity information. This distinction is important. Personal information can usually only be disclosed to that person; charity information can be disclosed to anyone authorised to act for that charity (a Responsible Person or Authorised Person).

Personal information

8. According to the Privacy Act, ‘personal information’ means information or opinions about an identified individual, or an individual who is reasonably identifiable, (whether the information or opinion is true or not, and whether it is recorded in a material form or not). The words ‘individual’ and ‘person’ are interchangeable.
9. ACNC officers can lawfully disclose personal information to the person to whom that information relates. This means that if the information is about a person, then the information can be disclosed:
   1. to that person, or
   2. to someone else with that person's consent.
10. ACNC officers must verify that the person to whom the information relates is who they claim to be by conducting a POI check before releasing personal information.

Charity information

11. ‘Charity information’ means any information that the ACNC holds about a charity. Charity information will also almost always be ‘protected information’, and the secrecy provisions of the ACNC Act will apply.
12. ACNC officers may face significant penalties (up to 2 years’ imprisonment) if protected information is disclosed to an unauthorised person. Please refer to our Protected ACNC Information Operational Procedure for more information.
13. ACNC officers can disclose charity information to:
    1. a Responsible Person of the charity,
    2. an agent for the charity (for example, a tax agent or a lawyer), or
    3. a person who is authorised to act on behalf of the charity (for example a CEO, CFO or company secretary, or an employee who is authorised to speak to the ACNC on behalf of the charity).
14. ACNC officers must confirm that the person fits one of these categories before releasing charity information.

Information that is both personal information and charity information

15. Information may be both personal information and charity information. For example, a person’s home address may also be the charity’s Address For Service. If the information is publicly available on the Register, it can be disclosed without a POI check. Otherwise, such information can usually be disclosed, after a POI check, to someone who is authorised to receive charity information. This is because, under the Privacy Act, personal information can be disclosed for a purpose for which it was collected, which in this case would include meeting a charity’s obligations and managing its administrative affairs.

Disclosing personal or charity information to a third party

16. ACNC officers may speak to third parties with the original party's consent. A third party is any person who is not authorised to act on behalf of the charity.
17. When responding to an enquiry from a third party, before disclosing personal information, ACNC officers must:
    1. determine the persons and/or entities that the information is about, and
    2. obtain that person or entity’s consent to disclose the information and record this contact in the ACNC records.
18. When obtaining consent to share information with a third party, ACNC officers must be transparent about what information they are seeking to disclose, and who they are seeking to disclose it to.
19. If consent is not provided, staff should assume – unless advised otherwise by Legal and Policy – that personal or charity information is protected ACNC information which should only be disclosed to a third party if an exception to the secrecy provisions in the ACNC Act applies.

Step 2: Notify of rights under the Privacy Act

20. As verifying identity requires collecting personal information, ACNC officers are required to take reasonable steps to notify the person of the matters listed in Australian Privacy Principle 5 (a privacy notice) prior to asking any POI questions. What is reasonable will depend upon the circumstances, including the sensitivity of the personal information collected, any possible adverse consequences for an individual because of collection, and the special needs of the individual.
21. An individual may be made aware of the privacy notice through a variety of formats, provided that the content is clearly expressed. A privacy notice may range in detail from a full explanation to a brief refresher on how the ACNC handles personal information. Brief privacy notices (especially on forms or signs) may be supplemented by longer notices made available online.
22. When personal information is collected by telephone, the privacy notice must be explained at the commencement of the call. If this is not practicable, it should be given as soon as possible afterwards, either over the phone or through another format.
23. When a person elects to hear the privacy notice, the following must be read out:

24. Australian Privacy Principle 5 recognises that in some instances it may be unreasonable to provide a privacy notice in every circumstance. It is the responsibility of the ACNC officer to justify not taking steps to provide a privacy notice. A situation where it may be unreasonable to provide a privacy notice is where the individual is already aware that personal information is being collected and the purpose of that collection.
25. Callers to the ACNC’s Advice Services line can elect to hear the Privacy Notice prior to their call being answered. These callers do not need to be given the option hearing the privacy notice again, although they should be prompted to listen to it if they have not already, or offered a brief explanation as to why we are taking their personal information to conduct a POI.
26. The approved form, from which the personal information that we hold solely for POI purposes is collected, advises individuals that providing this information is voluntary, but it will enable us to verify their identity when necessary so that we can administer the ACNC Act. Therefore, the information is being used directly for the purpose for which it was collected, which is permissible under the Privacy Act.

Step 3: Conduct POI checks

27. In some cases, it can be difficult to ascertain whether a person is authorised to act on behalf of a charity. ACNC officers should work through the POI and security check procedure steps below and if unsure, seek assistance from a manager before releasing information.

Inbound contact - match three details

28. To prove their identity, the person must provide information that matches three details held in the ACNC records that are not publicly available. If the information is charity information, the person must be listed as a Responsible or Authorised Person.
29. Examples of information held in the ACNC records that may be used to verify a person’s identity include:
    1. full name (if not published on the ACNC Charity Register)
    2. personal address
    3. personal phone number
    4. personal email address
    5. date of birth.
30. For charity information, the following details can also be used to confirm a person’s authority to act on behalf of a charity. These are known internally at the ACNC as ‘security questions’:
    1. date and title of an ACNC-generated notice or letter,
    2. correspondence reference number of an ACNC-generated letter, and
    3. date on which a complaint or enquiry was made.
31. If the person cannot provide three details to prove their identity, then the person fails the POI check and the requested information cannot be disclosed to them. If the person fails the POI check but the request is for charity information (not personal information), the information can be sent to the charity’s Address For Service (AFS).
32. When a person is seeking to update information or make general, low-risk, enquiries about charity information ACNC officers can ask two security questions about the charity that only someone closely associated with the charity would know. For example, whether the ACNC has received an approved form from the charity.
33. Where a person is seeking to update someone’s personal information (such as a Responsible Person’s address), the request should, as far as practicable, be made by the person the information relates to. If this is not practicable, then the request needs to be in writing and sent from the relevant charity’s AFS.

Outbound contact - match two details

34. Where an ACNC officer makes an outbound call, the person receiving the call is required to match two details held in the ACNC records that are not publicly available.
35. Where an ACNC officer is responding to correspondence requesting charity information, the ACNC officer must check whether the address is listed in the ACNC records for the relevant charity. If the request is not from an address listed in the ACNC records, the ACNC officer must:
    1. send the response to the AFS, or
    2. advise that the ACNC cannot release the information to an address not listed in the ACNC records, and for the person to contact the ACNC to complete a POI check.
36. Where an ACNC officer is responding to correspondence from a person requesting their own personal information, the address used must be listed in the ACNC records against that person’s record. If the request is not from the person’s address as listed in the ACNC records, the ACNC officer must respond to advise that the ACNC cannot release the information to an address not listed in the ACNC records, and for the person to contact the ACNC to complete a POI check.

Manager's discretion

37. Given the nature of the charity sector, the ACNC should adopt a common-sense approach to dealing with enquiries. For example, many Parents and Friends Associations will change Responsible People every year and so enquiries will often be made by people who are not yet Responsible People or who are unable to pass the POI check. In such instances, manager's discretion may be exercised.
38. For the purposes of this Operational Procedure, ‘manager’s discretion’ can only be exercised by an ACNC employee classified at APS6 or above.