Corporate Policy Statement
This policy sets out how the ACNC will comply with the Australian Privacy Principles (APPs) contained in Schedule 1 to the Privacy Act 1988 (Cth) (the Privacy Act). In particular, this policy demonstrates the ACNC's compliance with APP 1 - Open and transparent management of personal information.
The APPs are legally binding on the ACNC and regulate the way in which organisations and government agencies can collect, store, use and disclose personal information and how you can access and correct that information.
Detailed information on the APPs can be found on the Office of the Australian Information Commissioner’s (OAIC) website www.oaic.gov.au.
Principle 1: The ACNC will manage personal information in an open and transparent way.
Principle 2: The ACNC will comply with the Australian Privacy Principles in the way it collects, holds, uses and discloses personal information.
About the ACNC
- The ACNC is established under the Australian Not-for-profits Commission Act 2012 (Cth) (ACNC Act) as the independent national regulator of charities. The objects of the ACNC Act are to:
- Maintain, protect and enhance public trust and confidence in the sector through increased accountability and transparency.
- Support and sustain a robust, vibrant, independent and innovative not-for-profit sector.
- Promote the reduction of unnecessary regulatory obligations on the sector.
- The ACNC furthers these objects by:
- Registering organisations as charities.
- Helping charities to understand and meet their obligations through information, guidance, advice and other support.
- Improving public understanding of the work of charities and other not-for-profits through making information available that we regularly collect from registered charities in the form of sector research.
- Maintaining a free and searchable public register so that anyone can look up information about registered charities.
- Working with state and territory governments (as well as individual federal, state and territory government agencies) to develop a ‘report-once, use-often’ reporting framework for charities.
- Investigating complaints about potentially non-compliant charities.
- Taking enforcement action to address serious non-compliance.
For more information about the ACNC’s role and its functions see www.acnc.gov.au
What is personal information?
- Personal information is information or an opinion about an individual:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
- The APPs apply only to information about individuals. The APPs do not cover information about charitable entities. Information about charitable entities is protected under the secrecy provisions of the ACNC Act. For further information on the ACNC secrecy provisions see Operational Procedure: ACNC Protected Information Procedure (OP 2015/01).
- If the ACNC does not collect personal information about you, the Privacy Act will not apply.
- An individual who is a responsible person of a charity (i.e. a director of a company or a trustee of a trust that is a registered charity);
- A contact person for a charity;
- An agent for a charity;
- An individual whose personal information may be given to or held by the ACNC;
- A contractor, consultant or supplier or vendor of goods or services to the ACNC;
- A person seeking employment with the ACNC; or
- A person employed by the ACNC.
The ACNC Register
- The ACNC Act requires the ACNC to collect and publish information about charities and their responsible persons on the ACNC Register. The ACNC Register allows members of the public to access and view information about registered charities. Subject to limited withholding provisions, the ACNC must publish this information in accordance with section 40-5 of the ACNC Act. See Appendix 1 for a full list of the information published on the ACNC Register under section 40-5.
- The publication of certain personal information onto our Register is permitted under the Privacy Act.
The ACNC's personal information handling practices
Collection of personal information
- The ACNC will always endeavour to collect any required personal information from you directly. However sometimes we may ask for your personal information from your agent (i.e. a lawyer or an accountant) or from a third party. A common example will be where you are a responsible person for a charity. As we are required to collect personal information including name and position of all responsible persons, another person acting on the authority of the charity may supply your personal information to us.
- As detailed at paragraphs 32 to 36 below, we may also collect personal information about you from another government agency.
- In general, the personal information we collect is limited to details such as:
- contact details (such as email, phone number, residential address)
- date of birth
- position held at charity or relationship with charity
- cultural and language information.
- In the course of conducting compliance investigations, we may collect other personal information about responsible persons or staff of a registered charity or other persons, where that information is relevant to the matters under investigation.
Common ways we collect and use personal information
At the registration stage
- When applying to register your charity, we will ask for personal information about the charity’s responsible persons.
- We are required to collect this information under subsection 40-5(c) of the ACNC Act. This section of the ACNC Act requires us to collect the name and position of the charity’s responsible persons and to publish this information on the ACNC Register (publication will only occur if the registration of the charity is approved).
- We may also use the information provided to us in the registration form to undertake preliminary checks to ensure that your charity is entitled to registration and that all responsible persons are entitled to hold such a position within the charity.
- If the responsible person wants to contact the ACNC to discuss confidential matters relating to the charity, we need to have enough information in our records to conduct a Proof of Identity (POI) check. Only the name and position of the responsible person are published on the ACNC Register, but we also ask on the registration form that you provide some additional information to enable us to verify your identity when you contact us. We may also use or disclose this information to otherwise administer the ACNC Act, and to promote the objects of this Act when authorised to do so. This additional identifying information will not be published on the ACNC Register. For further information on the ACNC proof of identity process see Operational Procedure: Proof of identity procedure (OP 2015/02).
- If the person who is completing the registration form is not a responsible person, we will also ask for personal information about that person. We ask for this information so that we can conduct a POI check if this person wants to contact us to discuss the registration application or any other confidential information.
Compliance and investigations
- The ACNC may need to collect personal information when undertaking an investigation into whether or not a registered charity is complying with the ACNC Act and ACNC Regulation. This may include collecting information to verify that the personal information that the ACNC already holds is correct, or was correct at a specific point in time.
- Personal information collected during an investigation may be obtained either voluntarily, or by using a formal information gathering power under the ACNC Act.
- Charities have the option of providing details of a ‘compliance contact’ with whom we may communicate on compliance matters relating to the charity. If a charity wishes to provide a compliance contact that is different from other contact persons for the charity, we ask for contact details, which will likely involve providing personal information.
Completing forms (i.e. updates to charity or responsible person details) or reports (such as the Annual Information Statement (AIS))
- Anytime you complete a form on behalf of your charity, we will ask you for some personal information. We ask for this information so that we can conduct a POI check if you need to contact us to discuss the form or any other confidential details belonging to your charity. We may also use or disclose this information to otherwise administer the ACNC Act, and to promote the objects of this Act when authorised to do so.
- We may also request the details of an alternative contact if you would like us to contact someone else should we have any follow up questions with regard to the particular form or report. Providing this personal information is voluntary, however it enables us to conduct a POI check so that we can discuss the content of the particular form with the alternative contact.
The ACNC Charity Portal
- The ACNC Charity Portal is a way for charities to log in and update information we hold about them electronically. Updates to responsible persons can be made through the ACNC Charity Portal. Updates to the responsible persons via the portal require us to collect the same information as if we were collecting the information on a paper form. This means we must collect the name and position of the responsible person and publish that information on the ACNC Register in accordance with our obligations under the ACNC Act. We will also collect additional personal information so that we can conduct a POI check should you need to contact us and discuss your information or your charity’s information. We may also use or disclose this information to otherwise administer the ACNC Act, and to promote the objects of this Act when authorised to do so.
- If you forget your password to the ACNC Charity Portal, we may need to ask you a series of security questions in order to verify your identity so that we can send you a new password. When you provide these details they are used for the password reset only and a new record of them is not saved or stored for later use.
You can make a correction or update to your charity’s information online via the ACNC Charity Portal at: charity.acnc.gov.au
- The Charity Passport is used by the ACNC to reduce reporting duplication. It is an electronic way for government agencies to share and use charity information and is in line with the development of our 'report once, use often' reporting framework.
- The Charity Passport contains information that you have reported to us (in your registration application, AIS, annual financial reports and updates that have been made to your information) that we have published on the ACNC Register. This means that it is only publicly available information that is shared between Charity Passport Partners.
- Some of this information includes personal information, such as responsible person details (only those details that have been published on the ACNC Register).
- All Australian government agencies, both Commonwealth and state and territory, can access the Charity Passport data by becoming an authorised Charity Passport Partner.
- Use of the Charity Passport is subject to both the Privacy Act and the secrecy provisions contained in Part 7-1 of the ACNC Act. This means the ACNC will only disclose your information where lawful, and Charity Passport Partners can only access and use your information in accordance with those laws.
- If you contact us to discuss your charity’s details, we will need to conduct a POI check to ensure that you are a person authorised to discuss the confidential matters of the charity. When conducting a POI check over the phone, we will ask you a number of questions (generally three) that relate to information we hold about you on our system. We ask you for this information so that we can verify your identity. If you contact us by email or post and request access to personal information or charity information, we will first conduct a POI check to ensure that you are authorised to access that information. For further information on the ACNC proof of identity process see Operational Procedure: Proof of identity procedure (OP 2015/02).
Information to and from other agencies and departments
- In line with the ACNC’s objective of reducing unnecessary regulatory burden for charities, where it is practicable, we will collect your personal information from other agencies and government departments to whom you have reported. We do this so that you do not need to report the same information to a number of agencies and departments.
- We may also disclose information we collect about you to other government agencies where you would ordinarily be required to provide that information to that other agency. Where reasonable, we will inform you of this fact at the time we collect the information. This type of disclosure may occur outside the Charity Passport framework either because the government agency is not a Charity Passport Partner, or the information is not available in the Charity Passport.
- We have agreements with a number of Commonwealth government agencies and departments regarding the sharing of information, which may include personal information. These agreements are in the form of a Memorandum of Understanding (MOU) and are subject to the Privacy Act. This means information will not be shared where doing so would result in a breach of your privacy.
Visit the ACNCs MOU page on our website.
- All Commonwealth government agencies and departments are subject to the Privacy Act. This means that they can only collect, store, use and disclose your information in accordance with the Privacy Act.
- We also have agreements with State and Territory government departments and agencies regarding the sharing of some personal information. Whilst the State and Territory departments and agencies are not subject to the Commonwealth privacy laws (there are different state and territory privacy laws that apply to those organisations), this does not affect the ACNC’s obligations under those laws. This means we will only collect your information from these organisations, store, use or disclose your information in accordance with the Privacy Act.
For more information on State and Territory privacy laws go to the OAIC’s page on State and territory privacy law.
- The ACNC produces research based on the information we collect regularly. Whilst this research is based on information collected from charities, it is de-identified and largely focuses on statistics and trends.
- The ACNC also works with the research community to support research into not-for-profits and charities. This may include collaborating or assisting on research projects; identifying areas of research need; and building and strengthening links between researchers, the charitable sector and Australian government agencies. Usually, the ACNC will only disclose de-identified data or information that is lawfully publicly available on the ACNC Register to researchers. In some instances, the ACNC may disclose identifiable or withheld information. We will only do this where there is a contractual arrangement in place that ensures confidential handling of the information in accordance with the ACNC secrecy provisions and the Privacy Act.
- The ACNC discloses information that has been published on the ACNC Register, including information in the AIS, to data.gov.au. This information is then published on data.gov.au.
- Data.gov.au provides an easy way to find, access and reuse public datasets from Government. It is only publicly available information that is disclosed to and published on data.gov.au (information that is ordinarily published on the ACNC Register).
Consultations and education
- The ACNC conducts regular meetings with the sector and other stakeholders, and runs ad hoc consultation processes on specific issues. To enable the organisation of these events and processes, and to facilitate any required follow up enquiries, the name, workplace, and contact details of participants are voluntarily collected. This information may be shared amongst others attending the meeting or event, for example, when an invitation is sent or the minutes of a meeting are circulated.
- The ACNC also conducts online education, such as webinars. Name, email address, charity details and role descriptions are collected from participants in webinars, as well as an indication from the registrant as to whether they would like to be contacted in relation to future webinars. The ACNC uses this information to send a follow up email at the conclusion of the webinar with links to relevant resources and additional information, and to send information about future webinars where this is agreed to. Follow-up and other emails include easy unsubscribe options.
- ACNC staff are Australian Taxation Office (ATO) employees who are made available to assist the Commissioner. As such, all ACNC staff are covered by, and required to comply with, the ATO employment policies and procedures.
- This means that when you commence employment with the ATO, the ATO will collect the information it needs from you for human resource purposes. This information is stored in an electronic database called the ATO SAP system. This information is kept confidential and only a select number of ACNC human resource officers have access to the ATO SAP system.
- If ACNC staff or managers want access to information contained in the ATO database, they must contact the ATO People Helpline.
- In addition to the employee information held in the ATO system, ACNC managers may hold personal information about the staff reporting directly to them. This information may relate to matters such as health, leave requests, or an employee’s performance, and must be handled in accordance with the ATO employment policies and procedures.
- Employee information is kept confidential by both the ATO and the ACNC, and is used for employment related purposes only.
Use and disclosure of personal information
- Generally, we will only use or disclose your personal information for the purpose for which it was collected. We will notify you of that purpose at the time we collect the information.
- We will only use and disclose your information where the use or disclosure is lawful.
- The most common ways we collect personal information and the reasons we collect it are explained in detail at paragraphs 10-47.
Disclosing personal information to overseas recipients
- The vast majority of personal information the ACNC collects is retained in Australia and will not be disclosed overseas by the ACNC.
- The only exception to this is that the given name, email address and login details of ACNC Charity Portal users may also be electronically stored on servers in the United States of America, owned by our Information Technology service provider. Information stored on those servers is only used for accessing the ACNC Charity Portal.
Accidental or unauthorised use or disclosure
- All ACNC staff are made aware of their obligations to handle personal information in accordance with the Privacy Act. External service providers contracted by the ACNC are bound contractually to comply with the requirements of the Privacy Act.
- Our practices and procedures are regularly reviewed to ensure ongoing compliance with the Privacy Act.
- Where an accidental or unauthorised use or disclosure occurs, the ACNC will act quickly to rectify and remedy the situation. The ACNC has a Data Breach Response Plan Procedure (OP 2015/03) in place to deal with any suspected breaches of privacy. The data breach response plan ensures the ACNC will act swiftly to contain any potential breach and mitigate any harm that may be caused to an individual. The ACNC will notify the affected individual, as well as any appropriate third parties (eg. the OAIC) if is there is a real risk of serious harm to the person as a result of a breach.
- Potential accidental or unauthorised use or disclosure of information, including personal information, is also covered by the following:
- The ACNC secrecy provisions contained in Division 150 of the ACNC Act. Where an employee discloses personal information that is also protected ACNC information unlawfully, may be subject to penalties including, in the most serious cases, up to two years imprisonment.
- All ACNC staff are covered by the Public Service Act 1999 (Cth), the Public Service Regulations 1999 (Cth) and the Australian Public Service (APS) Values and Code of Conduct. If employees disclose official information without authority they may face disciplinary sanctions including, in the most serious cases, termination of employment.
- Current and former employees and service providers are generally covered by the Crimes Act 1914 (Cth) which provides for criminal penalties for unauthorised disclosure of official information.
- The Criminal Code Act 1995 (Cth) provides for similar penalties if former employees dishonestly use official information gained during their employment to benefit themselves or others or to cause harm to another person.
Storage and data security
- We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure. We do this by ensuring that:
- Personal information collected by the ACNC is collected and stored in accordance with Australian Government security policies. All paper files are secured in locked cabinets, Australian Government approved security containers, or Secure Rooms with restricted access.
- Information that has been stored electronically can in most instances only be accessed by ACNC staff and, in the case of the Charity Passport and ACNC Charity Portal, only by those with appropriate authorisation.
- Our internal network and databases are protected using firewall, intrusion detection and other technologies.
- The ACNC’s premises are under 24 hour surveillance and access is via security pass only, with all access and attempted access logged electronically.
- All ACNC staff and service providers are made aware of their obligations under the Privacy Act during the induction stage of their employment. Ongoing training is provided to ensure that we adhere to our established security practices.
- All Commonwealth agencies, including the ACNC, are bound by the Archives Act 1983 (Cth). This means that all our records management policies, including storage and destruction of information, are in accordance with the Archives Act 1983 (Cth), Records Authorities, and General Disposal Authorities made pursuant to that Act.
- Other Acts which impact on our records management policies are:
- The ACNC Act
- The Freedom of Information Act 1982 (Cth)
- The Australian Information Commissioner Act 2010 (Cth)
- The Privacy Act
- The Evidence Act 1995 (Cth)
- The Electronic Transactions Act 1999 (Cth)
- The Public Governance, Performance and Accountability Act 2013 (Cth)
- The Crimes Act 1914 (Cth).
Access to and correction of personal information
Access to your personal information
- You have a right under APP 12 to access the personal information we hold about you.
- There is no charge for making a request.
- You can make a request for access to the personal information we hold about you by contacting us at firstname.lastname@example.org, phone 13 22 62 or GPO Box 5108 Melbourne Victoria 3001.
- You will need to include the following details in your request:
- That you are making a request for access to the personal information we hold about you under the Privacy Act.
- Your full name, date of birth and contact details (phone number, address or email address that we will have on our systems). We ask for this information so that we can verify your identity.
- An address (email or postal address) that you would like the information you have requested forwarded to.
- A contact phone number so that we can speak with you if we need any further details regarding your request.
- Any relevant details regarding the information you are requesting.
- We will respond to your request within 30 calendar days from the date of receipt of the request.
- Note that the ACNC may refuse to give access to personal information or refuse to give the information in the manner requested where we are required or authorised to refuse access under the Freedom of Information Act 1982 (Cth) or another Act of the Commonwealth or a Norfolk Island enactment that provides for access by persons to documents.
- If we make a decision to refuse to give access or refuse to give access in the manner you have requested we will send a written notice to the address you have provided to us, outlining our reasons for refusal (except to the extent that having regard to the grounds for the refusal, it would be unreasonable to do so).
- We will also let you know the mechanisms available to you to complain about the refusal.
You may also request access to information we hold about you under the Freedom of Information Act 1982 (Cth). For further information on how to make a request for information, visit our website: www.acnc.gov.au/foi.
Correction of personal information
- You can make a request for us to correct personal information we hold about you where you believe that information is out of date, inaccurate, incomplete, irrelevant or misleading.
- There is no charge for making the request.
- You can make a correction to the personal information we hold about you by changing your details via the ACNC Charity Portal at: charity.acnc.gov.au. You may also contact us at email@example.com, phone 13 22 62 or GPO Box 5108 Melbourne Victoria 3001 for assistance.
Anonymity and use of a pseudonym
- In some instances, you will have the right to not identify yourself or to use a pseudonym when dealing with the ACNC.
- However, in some instances it will be impracticable for the ACNC to deal with you without identifying you. Alternatively, we may be required by law to deal with identified individuals, in which case there is no discretion to grant the right to anonymity or the use of a pseudonym.
- For example, responsible persons of a charity must be identified to the ACNC because Division 40 of the ACNC Act requires the ACNC to publish responsible person details on the ACNC Register. However, an example where you may be entitled to remain anonymous or to use a pseudonym is where you would like to make a complaint about a charity or where you would like to provide the ACNC with feedback.
- The right to anonymity and the use of a pseudonym will be decided on a case by case basis in accordance with APP 2.
- The ACNC is committed to monitoring, maintaining and improving the quality of our products and services.
- In the event that we become aware that data we hold is inaccurate, out of date, misleading or incorrect, we will take proactive steps to correct the information.
The ACNC Charity Portal
- The ACNC Charity Portal allows you to view and make corrections and updates to information we hold about your charity. You can also make updates to responsible person details. In some instances, this will involve the handling of personal information.
- The ACNC Charity Portal privacy notice on the ACNC website contains privacy information specific to the ACNC Charity Portal. Additional information is also provided within the portal.
- We will generally use email to correspond with you where you have indicated that this is your preferred mode of communication.
- However, there are risks to the security of information transmitted over the internet, including via email. In circumstances where we consider that the risks are unacceptable, having regard to the nature of the information to be communicated, we will use another method of communication.
- You should also be aware of these risks when sending personal information to us via email. If this is a concern to you, then we encourage you to use other methods of communication with the ACNC such as post, fax or phone
How to make a complaint
- If you think the ACNC has breached your privacy rights, you may contact us by:
- Phone: 13 ACNC (13 22 62) weekdays 9:00 am to 5:00 pm AEST
- Email: firstname.lastname@example.org
- Write to:
Australian Charities and Not-for-Profits Commission
GPO Box 5108
Melbourne Victoria 3001
- Please mark your feedback “Attention: Privacy Contact Officer” when sending it via any of the above methods.
The ACNC’s complaint handling procedure
- We will respond to your complaint within a reasonable time. This will usually be within 30 days. If for any reason we need additional time to provide a considered response to your complaint, we will contact you to explain the delay and let you know an expected timeframe.
How to make a complaint to the Federal Privacy Commissioner
- If you are not happy with the way the ACNC handles your privacy complaint, you may contact the Australian Privacy Commissioner.
- You may also make a complaint directly to the Privacy Commissioner before contacting us. However, the Privacy Commissioner will generally recommend that you try to resolve your complaint by contacting us in the first instance.
- You can contact the Privacy Commissioner by:
- Phone: 1300 363 992
- Email: email@example.com
- Write to:
The Privacy Commissioner
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
- This policy will be reviewed biennially to ensure the ACNC’s compliance with all relevant privacy laws and policies.
How to contact us
- Most updates or changes to your personal information can be done via the ACNC Charity Portal: charity.acnc.gov.au/
- Email: firstname.lastname@example.org
- Phone: 13 ACNC (13 22 62) weekdays 9.00 am to 5.00 pm AEST
- Write to:
Australian Charities and Not-for-Profits Commission
GPO Box 5108
Melbourne Victoria 3001
Privacy Act 1988 (Cth)
Australian Charities and Not-for-profits Commission Act 2012 (Cth)
Corporate Policy: Freedom of information policy (CP 2012/03)
Corporate Policy: Information handling (CP 2012/02)
Operational Procedure: Records management - disposal of ACNC Records (OP 2014/05)
Operational Procedure: Normal administrative practice (NAP) Disposing of administrative records (OP 2014/06)
Operational Procedure: ACNC Protected Information Procedure (OP 2015/01)
Operational Procedure: Proof of identity procedure (OP 2015/02)
Operational Procedure: Data breach response plan (OP 2015/03)
|Version||Date of effect||Brief summary of change|
|Version 1 - Initial policy||12 March 2014||Initial policy endorsed by Commissioner ACNC on 12 March 2014|
|Version 2 - Revised policy||22 September 2014||Revision to clarify deletion of form information after 8 months|
|Version 3 - Revised policy||4 February 2015||Updates to reflect and reference new ACNC Operational Procedures|
|Version 4 - Revised policy||26 April 2016||Annual review and update 2016|
|Version 5 - Revised policy||13 June 2019||Updated to reflect new template, introduce overarching principles. Numerous minor changes made to reflect ACNC operational processes and new information technology systems.|