This Operational Procedure is issued under the authority of the Assistant Commissioner General Counsel and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Operational Procedure Statement

This Operational Procedure sets out the procedure for dealing with protected ACNC information. This procedure is to be read in conjunction with the ACNC Privacy Policy which sets out the principles and established good practices of the ACNC when handling both personal and protected ACNC information. The procedure should also be read in conduction with the ACNC Operational Procedure: Records management – Disposal of ACNC records (OP 2014.05), which covers the issue of disposing protected ACNC information.

Overview

  1. The ACNC secrecy provisions contained in Part 7-1 of the ACNC Act protect the confidentiality of 'protected ACNC information' and apply to all ACNC officers and the following entities: 
  • an entity engaged to provide services relating to the ACNC (for example, an IT contractor engaged by the ACNC);
  • an individual employed by, or otherwise performing services for an entity mentioned in the dot point above (for example, a sub-contractor who is working for the IT contractor engaged by the ACNC);
  • an individual:
    • appointed or employed by, or performing services for, the Commonwealth or an authority of the Commonwealth; and
    • performing functions or exercising powers under or for the purposes of the ACNC Act e.g. a person on a secondment program working for the ACNC;
  • a member of the Advisory Board.
  1. Any reference to 'ACNC officer' in this procedure applies to the entities listed in paragraph 1 in the same way.
  1. The concept of protected ACNC information is not the same as the security classification of ‘protected’ that may be given to the information.  It is defined in the ACNC Act as information that:
  • was disclosed or obtained under or for the purposes of the ACNC Act; and
  • relates to the affairs of an entity; and
  • identifies, or is reasonably capable of being used to identify the entity.
  1. An 'entity' is defined in the ACNC Act as:
  • an individual;
  • a body corporate;
  • a body politic;
  • any other unincorporated association or body of persons; and
  • a trust. 
  1. The definition of protected ACNC information is therefore very wide. It includes information about charities and individuals and includes information both received and generated by ACNC officers. Importantly, the fact that information is in the public arena does not exclude it from this definition (see discussion at paragraph 46 on the application of section 150-50 exception - disclosure of information lawfully made available to the public). 
  1. This procedure is designed to provide staff with certainty when handling protected ACNC information. It sets out the types of use and disclosures that clearly fall within or outside the scope of the secrecy provisions. There are of course cases that are not so clear. If an ACNC officer is unsure as to whether the secrecy provisions allow them to use or disclose protected ACNC information, they should escalate the matter to their manager in the first instance. If the matter is complex, it may need to be referred to the Executive who can make a risk based assessment of the situation.

Collecting 'protected ACNC information'

  1. ACNC officers must only collect 'protected ACNC information' for lawful purposes.
  1. Many functions and powers under the ACNC Act require the collection of protected ACNC information. For example, when an organisation applies for registration under Part 2-1 of the ACNC Act, the organisation must supply sufficient information to enable the ACNC to make a decision whether to register the applicant. Compliance staff may also need to collect protected ACNC information in the course of carrying out the information gathering and monitoring powers in Part 4-1 of the ACNC Act.

Common examples of protected ACNC information include:

  • Charity registration applications;
  • Information gathered about a charity or an individual through compliance activity;
  • Case finalisation reports written by ACNC staff;
  • The fact that the ACNC has commenced or finalised an investigation of a charity;
  • Completed and signed ACNC forms; and 
  • Legal advice provided in relation to a particular charity’s situation.

Use and disclose protected ACNC information lawfully - Determine whether an exception applies

  1. Protected ACNC information can only be used or disclosed where an exception contained in Subdivision 150-C of the ACNC Act applies. 
  1. Use or disclosure where no exception applies is an offence under section 150-25 of the ACNC Act. The penalty for an offence under section 150-25 is two years’ imprisonment and/or 120 penalty units.
  1. Using information includes situations where an ACNC officer has access to the protected ACNC information and records the information, takes the information or recalls the information and takes advantage of the information or exploits it for some kind of outcome (As outlined in the Explanatory Memorandum, Australian Charities and Not-for-profits Commission Bill 2012 and Australian Charities and Not-for-profits Commission (Consequential and Transitional) Bill 2012 (EM), paragraph 11.35).
  1. Disclosing information includes situations where an ACNC officer has access to the protected ACNC information and then divulges or releases that information to another entity (EM, paragraph 11.36). Information may be disclosed by publishing, writing, speaking, transmitting or conveying it in any form that enables the other entity to identify the entity to which the information relates (EM, paragraph 11.37).
  1. The exceptions contained in Subdivision 150-C of the ACNC Act are explored in detail below. An ACNC officer must be confident that an exception applies before using or disclosing protected ACNC information. Further, the ACNC officer must document the reasons underlying the decision to rely on the exception.
Subsection 150-25(2) Disclosure to the entity to whom the information relates
  1. It is not an offence to disclose protected ACNC information to the entity to whom the information relates.
  1. This means that information about a person can be disclosed to that person. Information may also be disclosed to the person's agent such as a lawyer or accountant.
  1. When dealing with charities, information may be disclosed to:
  • a Responsible Person;
  • an authorised person who holds a position in the charity that gives them authority to act on behalf of the charity (for example a CEO, CFO or company secretary); and
  • an agent authorised by the charity (for example a lawyer or accountant).
  1. Before disclosing protected ACNC information to an individual or charity under this exception, the ACNC officer must verify the person's identity in accordance with ACNC Operational Procedure 2015.02: Proof of identity.

Example A

Mr Smith is a responsible person for charity Benevolent Care. He telephones Advice Services and speaks with Sarah. He wants to know whether the ACNC has received the charity’s Annual Information Statement (AIS) as it is not currently displayed on the Charity Register. Sarah confirms that he is a responsible person listed on Benevolent Care’s file. She then uses the ACNC proof of identity procedure and the information on the ACNC database to verify Mr Smith is who he purports to be. Now that she is confident that Mr Smith is a responsible person for Benevolent Care and has verified his identity, she can disclose to him the fact that the ACNC has received the charity’s AIS.

Example B

Roger makes a complaint about a charity. The concerns raised in Roger's complaint are quite serious and after an initial review, Michael, the ACNC compliance officer assigned to the case, makes the decision to escalate the matter to an investigation. Michael sends a letter to Roger setting out the nature of the complaint made and confirming that the matters raised appear to be within the ACNC's jurisdiction. The information disclosed in the letter is in relation to Roger's complaint. It does not divulge any information that the ACNC holds about the charity under investigation or the fact that an investigation has commenced. Therefore Michael has not breached the secrecy provisions.

Three weeks later, Roger telephones Michael and wants to know the outcome of the investigation. Michael tells Roger that the matter has been escalated to an investigation as the ACNC have reason to believe that the charity has breached the governance standards. Michael has gone beyond discussing Roger's complaint. He has now disclosed protected ACNC information about the charity to Roger. Michael has breached the secrecy provisions.

Section 150-30 Exception - disclosure in the performance of duties
  1. An ACNC officer may use or disclose protected ACNC information where the use or disclosure is in the ordinary course of performing duties under the ACNC Act. This exception allows ACNC officers to disclose information amongst each other within the ACNC or to use information to perform the powers or functions that are detailed in the ACNC Act (EM, paragraph 11.43).

Example C

Simon is a compliance officer. He has been working on a matter involving Charity Green. Simon has completed his review and now needs to determine whether to proceed to an investigation. He discusses the case details with members of his team and his director during a case meeting. Simon's purpose for discussing the matter is to determine the most appropriate course of action under the ACNC Act. As Simon is disclosing the case details for the purpose of performing his duties as a compliance officer, the disclosure during the case meeting is lawful under section 150-30.

Example D

Tanya is also a compliance officer. In the course of her investigation she discovers that a high-profile celebrity is involved with the charity under review. She shares this information with her colleague Rebecca from Advice Services over morning tea as she thinks Rebecca might find this interesting. Although Rebecca is also an ACNC officer, section 150-30 does not apply. Tanya has not disclosed the information to Rebecca in the course of her ordinary duties as Rebecca was not assigned to the case. Tanya has breached the secrecy provisions.

  1. The Commissioner has many powers and functions. Most of these powers and functions are detailed in the ACNC Act and they include the function of maintaining the Charity Register (section 40-5) and the power to revoke a charity’s registration (section 35-10). It is the ACNC’s function to assist the Commissioner in the performance of the Commissioner’s functions (section 105-15). When a particular ACNC officer is authorised to carry out a function or exercise a power under the ACNC Act then this will generally be an act in the performance of their duties.
  1. In addition to the powers and functions that are expressly mentioned in the ACNC Act, the ACNC also has the function of the general administration of the Act. As the powers that are associated with the general administration of the Act are not expressly set out, it may be difficult for officers to know with any degree of certainty whether a use or disclosure is in the performance of the general administration of the Act. 

Example E

The ACNC has revoked the registration of Charity Relief Army. Mr Elliot, the responsible person of the charity is quoted in a media article stating “the ACNC did not communicate with me at all. I heard nothing from them until I got a call from you guys in the media telling me that my charity registration had been revoked.”

There is a process that must be followed under the ACNC Act before a decision to revoke is made. Mr Elliot’s comments imply that the ACNC has not followed this process indicating that the ACNC has failed in its duty to administer the ACNC Act.

John, the ACNC Communications Officer believes responding to this statement in the media may be connected to the ACNC’s administration of the Act – in particular, correcting the record that the ACNC has administered the Act improperly. He speaks to his manager who tells him that the ACNC may be able to respond to media enquiries if: 

  • the disclosure is connected to the administration of the Act; and 
  • that the disclosure of protected ACNC information is necessary and reasonable (where the record can be corrected without disclosing protected ACNC information, this is the preferred course of action).  

As this matter involves a degree of risk in balancing the relevant factors, it should be escalated to the Executive for final decision.  John has done the right thing in referring the matter to his manager.

Subsection 150-35 Exception - disclosure on Register to achieve the objects of this Act
  1. An ACNC officer may disclose protected ACNC information to the public on the Charity Register in accordance with Division 40 of the ACNC Act. 
  1. Section 40-5 of the ACNC Act requires the Commissioner to publish certain information about registered charities and former registered charities on the Charity Register. Disclosing information for the purpose of maintaining the Charity Register in accordance with section 40-5 is a permitted use and disclosure of the information under section 150-35.
  1. When an ACNC officer collects protected ACNC information that is to be published on the Charity Register, the ACNC officer must inform the entity of this fact.
  1. Section 40-10 provides that the Commissioner may in some instances withhold or remove information from the Charity Register. Where the Commissioner makes a decision to withhold or remove information under section 40-10, diligent measures must be taken to ensure that the information does not appear on the Charity Register as any disclosure will not be covered by section 150-35.
Subsection 150-40 Exception - disclosure to an Australian government agency
  1. An ACNC officer may disclose protected information if:
  • the disclosure is to an Australian government agency; and
  • the ACNC officer is satisfied that the information will enable or assist the Australian government agency to perform or exercise any of the functions or powers of the agency; and
  • the disclosure is for the purpose of enabling or assisting the Australian government agency to perform or exercise any of the functions or powers of the agency; and
  • the disclosure is reasonably necessary to promote the objects of the ACNC Act.
  1. When making a disclosure, the ACNC officer needs to be mindful of the fact that section 150-40 is a four-limb test and the ACNC officer must be satisfied that all four limbs of the test apply before the disclosure is made. If all four limbs of the test are not satisfied, a disclosure will be unlawful.
  1. ACNC officers must document their decisions when relying on the application of section 150-40. This is because when an ACNC officer seeks to rely on the exception, the officer will need to point to evidence, such as a document or email, to support the authorised disclosure (EM, paragraphs 11.16, 11.19). The ACNC officer must demonstrate that each limb of the test has been considered and does apply. Once the ACNC officer has made a record demonstrating that section 150-40 applies, the record must be stored in the case file.
  1. The information below provides guidance on applying and working through the four-limb test. The four-limb test must also be applied when dealing with requests for access to information that is not publicly available on the Charity Passport (see ACNC Operational Procedure 2014/02: Charity Passport Phase 1 Access).
LIMB ONE: THE INFORMATION CAN ONLY BE PROVIDED TO AN ‘AUSTRALIAN GOVERNMENT AGENCY’
  1. ‘Australian government agency’ is defined in section 300-5 of the ACNC Act as:
  • the Commonwealth, a State or a Territory; or
  • an authority of the Commonwealth or of a State or a Territory.
  1. Most Commonwealth, State or Territory government departments/agencies are authorities of the Commonwealth, State or relevant Territory.
  1. This limb is not likely to be contentious where the ACNC officer is disclosing to a well-known and established agency for example, the Australian Taxation Office (ATO), Australian Securities and Investment Commission (ASIC), the Australian Federal Police (AFP) etc. However, it might not be so clear where the ACNC officer is making a one-off disclosure to an agency or department the ACNC have not dealt with before. If the ACNC officer is unsure whether the agency or department is an ‘Australian government agency’ for the purposes of the ACNC Act, the officer should speak with an ACNC Legal Counsel for clarification.
LIMB TWO: THE ACNC OFFICER MUST BE SATISFIED THAT THE INFORMATION WILL ENABLE OR ASSIST THE AUSTRALIAN GOVERNMENT AGENCY TO PERFORM OR EXERCISE ANY OF THE FUNCTIONS OR POWERS OF THE AGENCY
  1. To satisfy this limb, an ACNC officer must:
  • identify the functions or powers of the agency; and
  • be satisfied that the information the officer discloses will enable or assist the agency to perform or exercise those functions or powers. 

ACNC initiated disclosures

  1. The ACNC may make the disclosure of information on its own initiative for a number of reasons, for example, there may be a Memorandum of Understanding (MOU) in place with the particular agency to disclose relevant information, or in the course of compliance activities an ACNC officer may come into possession of information that the ACNC believes will assist another agency.

Disclosures at the request of the agency

  1. Where an agency requests information from the ACNC, the request should set out the powers and functions of the agency and explain how the information requested will assist the agency to perform those functions or powers.
  1. The powers and functions of the agency will usually be set out in the Act the agency is administering, for example: 
  • Conducting an investigation under the A New Tax System (Goods and Services Tax) Act 1999 (Cth) (the GST Act) or; 
  • Looking at the fundraising activities of a particular organisation under the Charitable Purposes Act 1939 (SA)).
  1. The agency also needs to set out how the information requested will assist or enable the agency in performing that function or power. For example an agency may state:
  • “The information requested will help us to make an assessment as to whether the charity in question has paid the appropriate amount of GST under the GST Act”; or
  • “We are investigating whether Charity X has complied with the fundraising requirements under section # of the Charitable Purposes Act. The information requested will help us to determine whether those requirements have been complied with.”
  1. If an ACNC officer is unsure as to whether the information will enable or assist the agency to perform or exercise any of the functions or powers of the agency, the ACNC officer must speak with their manager. 
LIMB THREE: THE DISCLOSURE IS FOR THE PURPOSE OF ENABLING OR ASSISTING THE AUSTRALIAN GOVERNMENT AGENCY TO PERFORM OR EXERCISE ANY OF THE FUNCTIONS OR POWERS OF THE AGENCY
  1. Once the ACNC officer has identified the powers and functions of the agency and is satisfied that the information will enable or assist the agency in performing its powers and functions, the disclosure must be made for that purpose (in contrast to making the disclosure for an ulterior purpose).
LIMB FOUR: THE DISCLOSURE IS REASONABLY NECESSARY TO PROMOTE THE OBJECTS OF THE ACNC ACT
  1. The objects of the ACNC Act are contained in section 15-5. The objects of the ACNC Act are:
  • to maintain, protect and enhance public trust and confidence in the Australian not-for-profit sector; and
  • to support and sustain a robust, vibrant, independent and innovative Australian not-for-profit sector; and
  • to promote the reduction of unnecessary regulatory obligations on the Australian not-for-profit sector.
  1. The disclosure must be reasonably necessary to promote one of these objects.

On-disclosures of 'protected ACNC information'

  1. Information that is ‘protected ACNC information’ retains its confidentiality after it has been disclosed. This means that the information remains protected by the on-disclosure provisions that are contained in Subdivision 150-D of the ACNC Act.
  1. The receiving agency of protected ACNC information must be alerted to the on-disclosure provisions contained in the ACNC Act (see ‘On-disclosure provisions’ below at paragraphs 51 to 53 for more detail).

Example F

Michael is a Compliance Officer in the ACNC. Michael is investigating the affairs of Charity Youth Association. Whilst Michael is reviewing the charity's financials for 2017 he identifies that there seems to be some discrepancy in the way that GST has been reported. Michael speaks with his director who informs him that the ATO is the agency responsible for regulating the GST system. Michael works through the four limb test in section 150-40. He is confident that the exception applies. He makes a note on the case file that states:

  • The ATO is an Australian government agency.
  • The financial information will assist the ATO in performing or exercising its functions or powers as the regulator of the GST system.
  • The financial information is disclosed for the purpose of assisting the ATO to perform or exercise its powers of functions as the regulator of the GST system.
  • Public trust and confidence in the not-for-profit sector requires that charities conduct their affairs in a lawful manner. 

The information Michael has indicates that there may be some risk that the charity is not reporting GST as required by law. Thus, the disclosure is reasonably necessary to promote the objects of the ACNC Act as the disclosure is for the purpose of maintaining, protecting and enhancing public trust and confidence in the not-for-profit sector (paragraph 15-5(1)(a) of the ACNC Act).

As Michael has clearly worked through the four-limb test and documented his reasons for relying on the exception, Michael will have a strong argument that the exception applies if his decision is questioned.

Subsection 150-45 Exception - disclosure or use with consent
  1. An ACNC officer may use or disclose protected ACNC information where 
  • the entity to whom that information relates has consented to the particular use or disclosure; and
  • the disclosure or use is for that purpose.
  1. To avoid any doubt, ACNC officers should not rely on implied consent. Consent should always be express. If the ACNC officer is unsure as to whether consent has been provided, the officer should speak with their manager.
  1. The ACNC officer must make a note of the details (and save in the case file) of the consent provided prior to disclosing or using the protected ACNC information.

Example G

Rochelle telephones Advice Services. She wants to find out what personal details the ACNC have on file relating to her as she is a responsible person for Charity Family Centre. Rochelle is not feeling well and is having difficulty hearing over the phone so she asks Mary, the ACNC officer, to speak with her husband Tom. Rochelle has verified her identity in accordance with the ACNC Proof of identity procedure. She tells Mary that she consents to Mary disclosing her personal information to Tom. Mary makes a note of the details of Rochelle’s consent and saves it in the case file. As Rochelle has provided express consent, Mary may disclose Rochelle's information to Tom.

Subsection 150-50 Exception - disclosure of information lawfully made available to the public
  1. An ACNC officer may disclose protected ACNC information if the information has already been lawfully made available to the public and the disclosure is for the purposes of the ACNC Act. 
  1. ACNC officers can assume that information that has been published on government websites such as the Charity Register, the Australian Business Register (ABR), the ASIC Register etc. has been published lawfully. 
  1. ACNC officers may also assume that information that has been published on the internet, in newspapers, open court records, the electoral role and information that the public may access through a fee structure has also been made lawfully available to the public. 
  1. If an ACNC officer has any doubt about the authenticity of a website or whether information has been made available to the public lawfully, the ACNC officer should not disclose the information.
  1. A common sense approach should be taken when assessing whether information that has been published on the internet has been published lawfully. For example, staff can assume that information that has been published on sites such as Pro Bono or The Age has been published lawfully. However, there is a degree of risk involved in assuming that information published on a private user’s blog has been published lawfully. If an ACNC officer is unsure about the lawful nature of information that has been published, they must speak with their manager.

Example H

George telephones Advice Services and speaks with Olivia. George asks Olivia to provide him with Charity Blue's ABN for the purpose of completing the ACNC’s Form 3B: Change of charity details. As Charity Blue is a registered charity, this information is available in the ACNC's internal records.

However Olivia cannot be sure that the information is publicly available without referencing a public source. She visits the ABR site and types in the charity’s name. The ABN is displayed on the ABR. Olivia also notes the disclosure of the ABN is for the purposes of the ACNC Act. She discloses the ABR to George and makes a note in relation to the call that the information was obtained from the ABR website. Olivia has disclosed the information lawfully.

Example I

Marcus telephones Advice Services and speaks with Charlie. Marcus wants to know whether Charity Red is a registered charity with the ACNC to determine whether to make a complaint about the charity to the ACNC. Charlie checks the ACNC's internal records and notes that Charity Red has recently had their charity registration revoked as they did not have a solely charitable purpose.

Charlie checks the Charity Register and notes that Charity Red's record states 'Revoked.' Charlie can rely on section 150-50 to inform Marcus that Charity Red has had its charity registration revoked as this information has been lawfully made available to the public on the Charity Register and the disclosure is for the purposes of the ACNC Act.

However, Charlie cannot inform Marcus of the reasons for the revocation as this information has not been lawfully made available to the public and is only available on internal ACNC records. If Charlie informs Marcus of the reasons for the revocation he will be breaching the secrecy provisions.

On-disclosure provisions

  1. Once information has been disclosed lawfully under one of the exceptions contained in Subdivision 150-C of the ACNC Act, it remains protected by the on-disclosure provisions contained in Subdivision 150-D of the ACNC Act.
  1. Where information has been disclosed for a particular purpose, it must only be used and disclosed by the recipient for the original purpose, or in connection with the original purpose. The phrase ‘in connection with the original purpose’, means that the use or on-disclosure is incidental to, or arises as a consequence of, any action taken in pursuance of the original purpose (EM, paragraph 11.74). This includes when the use is by or disclosure is to any entity, court or tribunal and it is for the purpose of criminal, civil or administrative proceedings (including merits review or judicial review) related to the original purpose (subsection 150-60(2) of the ACNC Act).

Example J

An ACNC officer discloses information to the AFP for the purpose of enabling its criminal investigatory functions. In accordance with the on-disclosure provisions the AFP can only use and disclose that information for the purpose of fulfilling its criminal investigatory functions.

If an AFP officer then chose to disclose the information to the media for a story on 'charities behaving badly,' the disclosure would not be for the purpose of the AFP's investigatory functions, and the AFP officer would have breached the on-disclosure provisions.

  1. As the penalty for breaching the on-disclosure provisions is significant (two years’ imprisonment and/or 120 penalty units) and as any unlawful on-disclosure may have reputational risks for the ACNC as the original holder of the information, ACNC officers must inform the recipient of any protected ACNC information of the application of the on-disclosure provisions.
  1. Where the protected ACNC information has already been lawfully made available to the public, the entity that acquired the information may on-disclose it (section 150-65).
De-identifying data
  1. In some instances, information may be de-identified to allow for a use that would not be permitted by the secrecy provisions. It is important to note that removing identifying details will not necessarily mean the information is no longer 'protected ACNC information.' 
  1. Where information identifies or is reasonably capable of being used to identify an entity, it will remain protected ACNC information and can therefore, only be used or disclosed where an exception contained in Subdivision 150-C applies.

Example K

The ACNC Executive presents a number of case examples to the Advisory Board for the purpose of demonstrating best practice. Some of the case examples are based on real compliance cases that have been de-identified for the purpose of discussion. Case Study A is based on a real case but all identifying information has been removed - including the name, size and location of the charity. The information presented to the Advisory Board can in no way identify or reasonably identify a charity. No breach of the secrecy provisions has occurred.

Example L

In the same meeting, Case Study B is presented to the Advisory Board. Whilst the name, size and location of the charity have been removed, the facts of the case are quite unique. This charity has been prominent in the media and based on the facts of the case, some of the Advisory Board members are able to infer who the charity is. The disclosure in this instance may involve a breach of the secrecy provisions as despite the fact that the information has been de-identified, the facts of the case identify or reasonably identify the charity involved in the matter.

While certain facts of the charity’s case are already in the public domain such as the actions which led to compliance concerns, the fact that the ACNC has commenced or finalised an investigation of the charity is not known. Therefore, the information remains protected ACNC information.

Note, however that as the Advisory Board members are treated as ACNC officers for the purposes of Division 150, it may be that the disclosure falls within the exception contained in section 150-30 (disclosure in performance of duties under the Act) if the requirements of that provision are met).

Storing protected ACNC information

  1. Protected ACNC information must be stored securely to mitigate the risk of an unauthorised use or disclosure.
  1. Protected ACNC information collected by the ACNC must be collected and stored in accordance with Australian Government security policy. The ACNC was established as a ‘digital by default’ agency and it must store electronic information securely. A secure and suitable environment is one that prevents unauthorised access, duplication, alteration, removal and destruction. The information must be stored in a way that ensures only those who access the information are appropriately security cleared and need to know that information. Internal electronic systems are to be protected against unauthorised access. Where we have paper records, these are to be secured in locked cabinets, Australian Government approved security containers or Secure Rooms with restricted access.
  1. All ACNC employees and all entities covered by paragraph 1 of this policy must be made aware of their obligations under Part 7-1 of the ACNC Act during the induction stage of their employment. Ongoing training is to be provided to ensure that the ACNC adheres to established security practices.

Dealing with an unauthorised use or disclosure of protected ACNC information

  1. An unauthorised use or disclosure of protected ACNC information must be reported to the ACNC Executive and ACNC Legal Director immediately. The ACNC Executive, in consultation with an ACNC Legal Counsel, will work collectively to stop any ongoing use or disclosure and to mitigate the harm caused.
  1. Data breaches must be dealt with in accordance with the Operational Procedure 2015/03: ACNC data breach response plan. This plan sets out who to talk to and the steps to be followed in the event of a data breach (which includes a beach involving protected ACNC information).

Disposing of protected ACNC information

  1. Protected ACNC information can only be disposed of in accordance with the Archives Act 1983 (Cth) (the Archives Act).
  1. The ACNC's obligations with regard to disposal of records in accordance with the Archives Act are set out in the ACNC Operational Procedure 2014/05: Records management – Disposal of ACNC records. Protected ACNC information can only be disposed of in accordance with the operational procedure.

References

  • Australian Charities and Not-for-profits Commission Act 2012 (Cth)
  • Privacy Act 1988 (Cth)
  • Archives Act 1983 (Cth)
  • ACNC Privacy Policy
  • ACNC Operational Procedure 2015/02: Proof of Identity
  • ACNC Operational Procedure 2014/05: Records management – Disposal of ACNC records 2014/05
  • ACNC Operational Procedure 2015/03: ACNC data breach response plan
  • ACNC Operational Procedure 2014/02: Charity Passport Phase 1 Access

Version Control

VersionDate of effectBrief summary of change
Version 1 – Original document2015 Initial PP endorsed by Executive in August 2015 
Version 2April 20162016 Review. Minor editorial changes
Version 3July 2019Updated for clarity and to ensure consistency with the new format