Skip Ribbon Commands
Skip to main content

Full privacy policy

Suggested Reading Suggested Reading

17 February 2020

Contents

Summary

This policy sets how the Clean Energy Regulator (the Agency) complies with its obligations under the Privacy Act 1988 (Cth). The agency is bound by the Australian Privacy Principles, which set out how Australian Government agencies may collect, hold, use, and disclose personal information. Officials of the Agency are also bound by the secrecy provisions in Part 3 of the Clean Energy Regulator Act 2011 (Clean Energy Regulator Act).

This policy sets out, among other things, the kinds of personal information that the Agency collects and holds, how that information is handled, and how that information is likely to be used and disclosed, including to overseas recipients. It also sets out how you can access and correct your personal information, and how you can make a complaint.

It applies to all personal information collected, held and disclosed by the Clean Energy Regulator. The Agency, its employees and consultants must have regard to this policy in their dealings with personal information on behalf of the Agency.

In some circumstances, depending on the terms of the contractual arrangement, it also applies to third parties that are contracted to perform services on behalf of the Agency.

When disclosing information under the Clean Energy Regulator Act, the Agency may also place conditions on the use and disclosure of information.

Policy

 

1. Definitions

Term Definition
Consent

Includes any consent given by an individual and may be express consent or implied consent. There are four key elements to consent:

  • the individual must be adequately informed of what they are consenting to before giving consent
  • it must be provided voluntarily
  • it must be current and specific, and
  • the individual must have the capacity to understand and communicate their consent.

Consent may be given orally or in writing.

Commonwealth record Means a record that is the property of the Commonwealth or a Commonwealth institution, or a record that is deemed to be a Commonwealth record under the Archives Act 1983.
Collect We collect personal information only if we collect it for inclusion in a Commonwealth record or generally available publication (that is a magazine, book, article, newspaper, guidance or other publication available to members of the public).
Disclosure A release from our effective control is generally a disclosure, irrespective of our reason for releasing the information. It includes proactive release, release in response to a specific request and accidental release.
Holds We hold personal information if we have possession or control of a record that contains the personal information.
Personal information Means any information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(i) whether the information or opinion is true or not, and

(ii) whether the information or opinion is recorded in a material form or not.

Privacy Act Means the Privacy Act 1988 (Cth)
Sensitive information

Means:

1. information or opinion about an individual's:

  • racial or ethnic origin; or
  • political opinions; or
  • membership of a political association; or
  • religious beliefs or affiliations; or
  • philosophical beliefs; or
  • membership of a professional or trade association; or
  • membership of a trade union; or
  • sexual orientation or practices; or
  • criminal record;

that is also personal information; or

2. health information about an individual; or

3. genetic information about an individual, that is not otherwise health information; or

4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

5. biometric templates.

Use We use personal information when we handle and manage that information within the Agency's effective control. We also use personal information for the purposes of administering legislative schemes.

Top of page

Background

2. The Agency

The Clean Energy Regulator (the Agency) is an independent statutory authority established by the Clean Energy Regulator Act 2011. The Clean Energy Regulator administers schemes legislated by the Australian Government for measuring, managing, reducing or offsetting Australia's carbon emissions.

The Agency stores data in databases and registers as part of administering its functions as a regulator of schemes, as described in the following Acts:

We track the ownership and location of units or certificates issued under these schemes, and under international agreements.

The responsibilities of the Clean Energy Regulator include:

  • providing education and information on the schemes that we administer
  • monitoring, facilitating and enforcing compliance with each scheme
  • collecting, analysing, assessing, providing and publishing information and data
  • accrediting auditors for the schemes we administer, and
  • working with other law enforcement and regulatory bodies.
  • Top of page

Privacy obligations

3. The Privacy Act 1988

The Clean Energy Regulator recognises the importance of protecting the privacy and the rights of individuals in relation to their personal information. This document is our Privacy Policy and it describes how we manage personal information.

We respect an individual's right to privacy under the Privacy Act 1988 (the Privacy Act) and we comply with the Privacy Act's requirements in respect of the management of personal information.

4. Personal information

When used in this Privacy Policy, the term "personal information" has the meaning given to it in the Privacy Act.

In general terms, "personal information" means any information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

5. Types of personal information the Agency collects and uses

We collect, use, store and disclose information (including personal information) for purposes directly related to our statutory functions and activities, including the administration of the legislative schemes and monitoring compliance with the laws we administer (refer to section 2. “The Agency”). We also deal with personal information in the performance of corporate operations related to those functions (including recruitment, workplace health and safety, contracts and tenders and other activities).

We mainly deal with the following types of personal information:

  • name
  • mailing or street address
  • e-mail address
  • telephone contact number
  • age or birth date
  • gender
  • profession, occupation or job title
  • financial details and information about assets and liabilities including bank details and property information
  • insurance details
  • employment, curriculum vitae and education information
  • emergency details including next of kin
  • photographs of people
  • information disclosed to us by the individual or a third party which we believe to be reasonably necessary for the conduct of our compliance and law enforcement related activities
  • other information relating to individuals that they (or their agents) provide to us directly or indirectly through use of our websites
  • information provided to us through our contact centre, customer surveys or visits by our representatives, and/or
  • information sourced from public information sources which we believe to be reasonably necessary for the conduct of our compliance and law enforcement related activities.

We also collect information that is not personal information because it does not identify and/or cannot be used to identify, any particular individual. For example, we may collect anonymous answers to surveys or aggregated information about how members of the public use our website. This Privacy Policy does not apply to that sort of information.

6. Sensitive information the Agency collects and uses

The term 'sensitive information' refers to a particular kind of personal information. We may collect sensitive information about individuals including:

  • information about a person's:
    • racial or ethnic origin (applies to CER staff only)
    • membership of a professional or trade association
    • criminal record

    that is also personal information, and

  • health information (applies to CER staff only)

7. Dealing with us anonymously or by using a pseudonym

An individual may choose to deal with us anonymously by or using a pseudonym. However, this principle does not apply if:

  • we are required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves, or
  • it is impracticable for us to interact with the person, because they have not identified themselves or used a pseudonym.

If an individual chooses to deal with us anonymously or by using a pseudonym, some or all of the following may happen:

  • we may not be able to provide the requested services to the person, either to the same standard as we might have been able to achieve if the person had chosen to identify themselves, or at all;
  • we may not be able to provide the person with information about services that they may want, or
  • the person may be in breach of an Australian law requiring them to provide such information. However, in this circumstance, we would advise the person about our legal powers to require them to provide such information and the implications of any failure to do so.
  • Top of page

Collection of personal information

8. How we collect personal information

The Clean Energy Regulator only collects personal information where the individual consents, or the information is reasonably necessary for, or directly related to, one or more of the Agency's functions or activities.

Usually we collect personal information directly from the individual(s) to whom the personal information relates and/or their authorised representative (an agent). In some circumstances, we collect personal information from third parties. We collect personal information only by lawful and fair means.

We collect solicited personal information in a number ways that include:

  • when an individual provides information to us using our web-based systems (including the client portals and online forms)
  • when we receive application forms, mail or email correspondence, and other documents
  • telephone contact with our call centre
  • when entities involved in our schemes submit reports or acquit liabilities
  • when members of the public subscribe to information updates relating to our schemes, functions and activities
  • when we undertake our stakeholder engagement processes and events
  • when members of the public (who may be involved in our schemes) complete a survey and/or questionnaire
  • when individuals and other third parties provide services or supply goods to us
  • when we conduct criminal record checks
  • when members of the public access our databases
  • on a voluntary basis from persons who are the subject of a compliance or investigation activity, persons reporting suspected contraventions of the laws we administer, and witnesses to contraventions or suspected contraventions of the laws we administer, and
  • through other lawful processes such as the use of investigative or coercive powers where provided for under legislation.

We do not collect 'sensitive information' about an individual (as described in paragraph 6 of this Privacy Policy) unless the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to one or more of the Agency's functions or activities. There are some exceptions to this general rule (as set out in Australian Privacy Principle 3.4), including:

  • where we are required or authorised by or under an Australian law or a court/tribunal order to collect the information, or
  • a 'permitted general situation' (as defined in section 16A of the Privacy Act) exists. For example, where the Agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that the collection of sensitive information is necessary in order for us to take appropriate action in relation to the matter, or
  • where we believe the collection of the information is reasonably necessary for, or directly related to, administering or performing a function of an enforcement body, under a law that imposes a penalty or sanction.

We collect personal information from third parties in the following circumstances:

  • if an individual consents to the Agency collecting the information from someone other than the individual, or
  • if we are required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual to whom the information relates, or
  • if it is unreasonable or impracticable for us to collect the information from the individual directly.

These third parties may include:

  • enforcement bodies and other Commonwealth, State, local and international government agencies
  • organisations or individuals with an interest in our business and activities that may be associated with the individual in question (for example, emergency contacts or referees)
  • public information sources (particularly where we believe the collection to be reasonably necessary for the conduct of our compliance and law enforcement-related activities)
  • medical practitioners in relation to health assessments
  • financial institutions
  • legal representatives
  • contracted service providers and consultants, and
  • industry groups.

There are also laws under which the Agency can require individuals to provide information or allow access to certain premises, for the purposes of our investigative and compliance functions. If the Agency requires an individual to provide information or allow access under one of these laws (for example, using the information-gathering power contained in section 125A of the Renewable Energy (Electricity) Act 2000 (Cth)), we will give that person formal notice of the law the Agency is relying on. We will also notify that person of the potential consequences such as penalties for failure to comply.

9. Use of cookies

Cookies are pieces of information that websites and applications can transfer to the device that the reader is using. Cookies perform essential functions in the modern web, including proof of user authentication after logging in to a system, and enabling anonymous usage tracking to help inform website owners how their websites or applications are being used. This information may remain on the computer after the user closes the browser.

The Clean Energy Regulator website and applications do not collect personal information about a person using our systems. We use third-party services such as Google Analytics to track traffic on our website and internet applications. These services also use cookies and do not collect any personal information.

10. Social Media

Information that is provided to us via our social media pages, such as Twitter or LinkedIn, may be collected or used by the social network provider. The Clean Energy Regulator encourages users to review the Privacy Policy of the relevant social network before conveying personal information through those platforms.

11. Notification of the collection of personal information

At or before the time we collect personal information (or as soon as practicable afterwards), we will usually provide the individual concerned with a notice (also known as a 'Privacy Notice' or an 'APP Notice') containing the following information:

  • our identity and contact details
  • if we collect personal information from someone other than the individual, or the individual may not be aware that we have collected the personal information—the fact that we collect, or have collected, the personal information and the circumstances of that collection
  • details of any Australian law or court/tribunal order that requires or authorises the collection of the personal information
  • the purposes for which we collect personal information
  • the main consequences (if any) for an individual if all or some of the personal information is not collected
  • the details of any other person or entity to whom the personal information will usually be disclosed
  • the fact that our Privacy Policy contains information about how a person may access and seek to correct any personal information held by us
  • the fact that our Privacy Policy contains information about how to complain about a possible breach of the Australian Privacy Principles and how we will deal with such a complaint
  • whether we are likely to disclose the personal information to overseas recipients, and
  • if the personal information is likely to be disclosed to overseas recipients—the countries in which those entities are located (if it is practicable to specify those countries in the notice or to otherwise make the individual aware of them).

12. Receiving unsolicited personal information

From time to time, we receive personal information that we have not requested. This is known as 'unsolicited personal information' and includes:

  • misdirected mail received by us
  • correspondence to us, our Minister and Parliamentary Secretary from members of the community, or other unsolicited correspondence
  • a petition sent to us that contains names and addresses
  • employment, internship, work experience or volunteering applications sent to us on an individual's own initiative and not in response to an advertised vacancy
  • a promotional flyer or email containing personal information, sent to us by an individual promoting the individual's business or services
  • court/tribunal documents for proceedings to which we are a party or may have an interest, and
  • information supplied by a third party (such as a member of the public or an enforcement body) which relates to our function as an enforcement body.

If we receive unsolicited personal information and we decide that we would not have been permitted to collect it under the Australian Privacy Principles, we will take reasonable steps to destroy or de-identify the information as soon as practicable, unless it is contained in a 'Commonwealth record' (as defined in the Archives Act 1983) or it is unlawful or unreasonable to do so. The Australian Privacy Principles set out how we should deal with the personal information in these circumstances.

13. Purposes for collecting personal information

We collect personal information so that we can perform our functions and activities.

We collect personal information for the following purposes:

  • to process and assess applications under the schemes we administer and other related activities including procurement and tender processes
  • to assist scheme participants (our clients) to manage reporting obligations and acquittal of liabilities
  • to provide services to members of the public
  • to send communications requested by members of the public
  • to provide information and to seek feedback or advice on matters
  • to answer enquiries and provide information or advice about schemes
  • to conduct administrative functions including recruitment, booking of travel, accommodation and allowance payments, health assessments and workers compensation matters
  • for the administrative, planning, service development and project purposes of the Agency, its contractors and/or service providers
  • where we are required or authorised to collect personal information under an order of a court or tribunal or by or under legislation (including Clean Energy Regulator Act 2011, Clean Energy Act 2011, Renewable Energy (Electricity) Act 2000, National Greenhouse and Energy Reporting Act 2007, Carbon Credits (Carbon Farming) Act 2011, Australian National Registry of Emissions Units Act 2011).
  • to update our records and keep our clients' contact details up to date
  • to provide members of the public with our guidelines, publications and annual reports
  • to process and respond to complaints
  • to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of another country
  • to ensure that we and members of the public comply with laws administered by the Commonwealth, and
  • to conduct enforcement-related activities including for the purposes of law enforcement by another agency.

The Agency will not share or disclose personal information, other than as described in this Privacy Policy. We will never sell or rent personal information.

Top of page

Dealing with personal information

14. Protection of information under the Clean Energy Regulator Act 2011

The Clean Energy Regulator is bound by the secrecy provisions in Part 3 of the Clean Energy Regulator Act 2011 (Clean Energy Regulator Act). Part 3 of the Clean Energy Regulator Act prohibits the disclosure and use of information that was obtained by a person in the person's capacity as an official of the Clean Energy Regulator and relates to the affairs of a person other than an official of the Regulator. This prohibition does not apply where:

  • the disclosure or use is authorised by a provision of Part 3 of the Clean Energy Regulator Act, or
  • the disclosure or use is in compliance with a requirement under a law of the Commonwealth or a prescribed law of a State or a Territory.

For information held by the CER and collected before 2 April 2012 under either the National Greenhouse Energy and Reporting Act 2007 or the Renewable Energy (Electricity) Act 2000, the CER is bound by the preserved secrecy provision of those Acts.

15. Use and disclosure of personal information

We use and disclose personal information for the primary purpose for which it was collected. For example, we primarily use personal information when assessing eligibility to participate in one of the schemes we administer.

Before using personal information for any other purposes (known as 'secondary purposes'), we will ensure that the individual has consented to the use or disclosure of the information, or that one of the following circumstances applies:

  • the individual would reasonably expect us to use or disclose the information for a secondary purpose (for example, when performing audit and compliance functions and activities) and the secondary purpose is:
    • if the information is sensitive information—directly related to the primary purpose, or
    • if the information is not sensitive information—related to the primary purpose
  • the use or disclosure is required by or authorised by or under an Australian law or a court/tribunal order
  • a 'permitted general situation' (as defined in section 16A of the Privacy Act) exists. For example, where the Agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that the use of the information is necessary in order for us to take appropriate action in relation to the matter, or
  • we reasonably believe that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by us in our capacity as an enforcement body, or on behalf of an enforcement body. If we use or disclose personal information for this purpose, we will make a written note of the use or disclosure.

We may disclose personal information to the following types of entities:

  • contracted employees and other service providers for the purposes of operating our website, systems, and registers, performing our functions, fulfilling requests by members of the public, and otherwise providing information, products and services to members of the public (including personal information published on our registers)
  • service providers such as cloud providers, hosting providers, IT systems administrators, mailing houses, couriers, payment processors, data entry service providers, electronic network administrators, and debt collectors
  • professional advisors and service providers such as accountants, solicitors, business advisors, consultants, travel providers, and medical practitioners
  • suppliers and other third parties with whom we have commercial relationships for business, marketing, and related purposes
  • any entity (including individuals) for any authorised purpose with an individual's consent
  • applicants under the Freedom of Information Act 1982 (Cth)
  • referees in relation to persons making application for employment with the Agency)
  • other Commonwealth or State/Territory government bodies for the purposes of investigating and prosecuting compliance breaches, legal actions, and insurance claims
  • enforcement bodies (such as the Australian Federal Police, a police force or service of a State or Territory, the Office of the Director of Public Prosecutions, and the Australian Securities and Investments Commission)
  • our Minister and/or Parliamentary Secretary for the purposes of administering the Clean Energy Regulator schemes and related functions and activities, and
  • a Committee of the Parliament of the Commonwealth of Australia.

In addition, the Agency is required by certain laws (including Clean Energy Regulator Act 2011, Clean Energy Act 2011, Renewable Energy (Electricity) Act 2000, National Greenhouse and Energy Reporting Act 2007, Carbon Credits (Carbon Farming) Act 2011, Australian National Registry of Emissions Units Act 2011) to publish certain information, including some personal information, on our website. This information is available to the general public.

An applicant under the Freedom of Information Act 1982 (Cth) may seek access to a document that contains another individual’s personal information. If the Agency considers that the other individual might reasonably wish to object to the document’s production on the basis that it would be an unreasonable disclosure of their personal information, the Agency will allow the individual a reasonable opportunity to argue why the document should not be produced. The Agency will consider whatever arguments are made before making a decision about whether to grant access to the document.

16. Storage of personal information

The Agency takes such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. We may hold personal information in either electronic or hard copy form.

Personal information that is contained in electronic form or hard copy is secured in accordance with our information handling practices.

However, as our website, systems, and registers are linked to the internet, and the internet is an insecure environment, we cannot provide any assurance regarding the security of transmission of information communicated with us, or that such information will not be intercepted while being transmitted over the internet.

Enforcement-related personal information is usually held in a restricted database. Appropriate security clearances and authorisation (i.e. a need to know) are required to access such information.

If a data breach occurs, such as if personal information that we hold is subject to unauthorised loss, use or disclosure, we will respond in line with the Office of the Australian Information Commissioner’s guidelines on responding to data breaches. This includes complying with our obligations under the Notifiable Data Breaches scheme. We will aim to provide timely advice to affected parties to ensure they are able to manage any loss—financial or otherwise—that could result from the breach.

17. Treatment of personal information that is no longer required

We take such steps as are reasonable in the circumstances to delete or de-identify (sanitise) personal information that is no longer required for any permitted purpose, unless the personal information is contained in a 'Commonwealth record' or it is unlawful to do so.

We destroy hard copy documents containing personal information (of the sort we are permitted to destroy) by shredding them or by disposing of them in a security classified waste bin.

Personal information contained in undelivered emails or returned post is deleted or otherwise put beyond use.

18. Do we disclose personal information to anyone overseas?

We may disclose personal information to third parties who are not located in Australia or an external territory for some of the purposes listed in paragraph 13 of this Policy.

We usually take such reasonable steps as are necessary in the circumstances to ensure that the overseas recipients of personal information do not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) relating to personal information.

However, we are not required to take such steps in the following situations:

  • if we reasonably believe that the overseas recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that overall is at least substantially similar to the way in which the Australian Privacy Principles protect the information, and there are mechanisms that the individual can use to take action to enforce that legal protection or binding scheme
  • the individual expressly consents to the disclosure of personal information to the overseas recipient, having first been informed by us that if they consent to the disclosure, the requirements for us to take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information will not apply to the disclosure
  • the disclosure is required or authorised by or under an Australian law or court/tribunal order
  • a 'permitted general situation' (as defined in section 16A of the Privacy Act) exists
  • the disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party, or
  • we reasonably believe that the disclosure is reasonably necessary for one or more enforcement activities conducted by or on behalf of an enforcement body and the recipient is a body that performs functions (or exercises powers) that are similar to those performed or exercised by an enforcement body.

Top of page

Accessing and correcting personal information

19. Who has access to personal information?

We take reasonable steps to ensure that access to personal information both within the Agency and by third parties is permitted only for legitimate purposes and on a 'need to know' basis.

20. How can an individual access and correct personal information?

An individual (or an authorised representative, such as a lawyer or person exercising a power of attorney) may request access to any personal information by contacting the Agency's Privacy Contact Officer (refer to 22. Privacy Contact Officer for details. The request does not have to be made in writing or by using a designated form.

Generally speaking, we will give access to personal information within 30 days of receiving the request and in the manner requested (if it is reasonable and practicable to provide it that way). We will need to verify the person's identity (or that of another person authorised to make the request) before providing access. We will not charge for making the request or for giving access to the personal information.

In some circumstances it may be more appropriate for a person to make a formal request for access to the personal information under the Freedom of Information Act 1982. For example, where a document is likely to contain personal or business information about a person other than the requestor.

In any event, there may be instances where we must refuse to give access to the personal information. For example, we may be required or authorised to refuse access by or under the Freedom of Information Act 1982 or another Act of the Commonwealth that provides for access by persons to documents. In this case, we will give the requestor a written notice, within 30 days of receipt of the request, setting out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so. We will also provide information about how to complain about the refusal, should the requestor wish to do so.

If an individual believes that the personal information we hold is incorrect, incomplete or inaccurate, the individual may ask us to correct the information. However, if we decide not to correct the information, we will give the individual a written notice, within 30 days of receipt of the request to correct the information, setting out the reasons for the refusal, except to the extent it would be unreasonable to do so. We will also provide information about how to complain about the refusal to correct the information, should the requestor wish to do so.

Even if an individual does not ask us to correct personal information, we are required to take such steps (if any) as are reasonable in the circumstances to correct personal information if we are satisfied that, having regard to the purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Top of page

Complaint process

21. The process for complaining about a breach of privacy

Complaints about the treatment of personal information (including a possible breach of privacy) by the Agency must be made in writing (a letter or email), addressed to the Privacy Contact Officer. We will treat complaints confidentially. We will respond within a reasonable time after receipt of the complaint (usually 30 days).

If an individual is not satisfied with our response, they may make a further complaint to the Australian Information Commissioner. Details of how to make a complaint are available on the Office of the Australian Information Commissioner website.

Top of page

Contacting us

22. Privacy Contact Officer

Individuals can obtain further information in relation to this privacy policy, or provide any comments, by contacting our Privacy Contact Officer as follows:

Privacy Contact Officer
Clean Energy Regulator
GPO Box 621
CANBERRA ACT 2601
Phone: 02 6159 3457
Email: CER-Privacy@cleanenergyregulator.gov.au

23. Changes to our Privacy Policy

We may change this Privacy Policy from time to time. Any updated versions of this Privacy Policy will be posted here.

This Privacy Policy was last updated on 24 January 2020.

24. Related policies and references

Chief Executive Instructions

  • Relevant CEI(s)

Policies

  • Relevant policy or policies

Standard operating procedures

  • Relevant SOP(s)

Other references

  • Relevant guides, etc. that do not fit under the other headings

Top of page

Documents on this page Documents on this page

Was this page useful?

LEAVE FEEDBACK
 
 
preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only