This policy sets how the Clean Energy Regulator (the Agency) complies with its obligations under the
Privacy Act 1988 (Cth). The agency is bound by the Australian Privacy Principles, which set out how Australian Government agencies may collect, hold, use, and disclose personal information. Officials of the Agency are also bound by the secrecy provisions in Part 3 of the
Clean Energy Regulator Act 2011 (Clean Energy Regulator Act).
This policy sets out, among other things, the kinds of personal information that the Agency collects and holds, how that information is handled, and how that information is likely to be used and disclosed, including to overseas recipients. It also sets out how you can access and correct your personal information, and how you can make a complaint.
It applies to all personal information collected, held and disclosed by the Clean Energy Regulator. The Agency, its employees and consultants must have regard to this policy in their dealings with personal information on behalf of the Agency.
In some circumstances, depending on the terms of the contractual arrangement, it also applies to third parties that are contracted to perform services on behalf of the Agency.
When disclosing information under the Clean Energy Regulator Act, the Agency may also place conditions on the use and disclosure of information.
Includes any consent given by an individual and may be express consent or implied consent. There are four key elements to consent:
Consent may be given orally or in writing.
(i) whether the information or opinion is true or not, and(ii) whether the information or opinion is recorded in a material form or not.
(i) whether the information or opinion is true or not, and
(ii) whether the information or opinion is recorded in a material form or not.
1. information or opinion about an individual's:
that is also personal information; or
2. health information about an individual; or
3. genetic information about an individual, that is not otherwise health information; or
4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
5. biometric templates.
Top of page
The Clean Energy Regulator (the Agency) is an independent statutory authority established by the
Clean Energy Regulator Act 2011. The Clean Energy Regulator administers schemes legislated by the Australian Government for measuring, managing, reducing or offsetting Australia's carbon emissions.
The Agency stores data in databases and registers as part of administering its functions as a regulator of schemes, as described in the following Acts:
We track the ownership and location of units or certificates issued under these schemes, and under international agreements.
The responsibilities of the Clean Energy Regulator include:
Top of page
We respect an individual's right to privacy under the
Privacy Act 1988 (the Privacy Act) and we comply with the Privacy Act's requirements in respect of the management of personal information.
In general terms, "personal information" means any information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
We collect, use, store and disclose information (including personal information) for purposes directly related to our statutory functions and activities, including the administration of the legislative schemes and monitoring compliance with the laws we administer (refer to section 2. “The Agency”). We also deal with personal information in the performance of corporate operations related to those functions (including recruitment, workplace health and safety, contracts and tenders and other activities).
We mainly deal with the following types of personal information:
The term 'sensitive information' refers to a particular kind of personal information. We may collect sensitive information about individuals including:
that is also personal information, and
An individual may choose to deal with us anonymously by or using a pseudonym. However, this principle does not apply if:
If an individual chooses to deal with us anonymously or by using a pseudonym, some or all of the following may happen:
Top of page
The Clean Energy Regulator only collects personal information where the individual consents, or the information is reasonably necessary for, or directly related to, one or more of the Agency's functions or activities.
Usually we collect personal information directly from the individual(s) to whom the personal information relates and/or their authorised representative (an agent). In some circumstances, we collect personal information from third parties. We collect personal information only by lawful and fair means.
We collect solicited personal information in a number ways that include:
We collect personal information from third parties in the following circumstances:
These third parties may include:
There are also laws under which the Agency can require individuals to provide information or allow access to certain premises, for the purposes of our investigative and compliance functions. If the Agency requires an individual to provide information or allow access under one of these laws (for example, using the information-gathering power contained in section 125A of the Renewable Energy (Electricity) Act 2000 (Cth)), we will give that person formal notice of the law the Agency is relying on. We will also notify that person of the potential consequences such as penalties for failure to comply.
Cookies are pieces of information that websites and applications can transfer to the device that the reader is using. Cookies perform essential functions in the modern web, including proof of user authentication after logging in to a system, and enabling anonymous usage tracking to help inform website owners how their websites or applications are being used. This information may remain on the computer after the user closes the browser.
At or before the time we collect personal information (or as soon as practicable afterwards), we will usually provide the individual concerned with a notice (also known as a 'Privacy Notice' or an 'APP Notice') containing the following information:
From time to time, we receive personal information that we have not requested. This is known as 'unsolicited personal information' and includes:
If we receive unsolicited personal information and we decide that we would not have been permitted to collect it under the Australian Privacy Principles, we will take reasonable steps to destroy or de-identify the information as soon as practicable, unless it is contained in a 'Commonwealth record' (as defined in the
Archives Act 1983) or it is unlawful or unreasonable to do so. The Australian Privacy Principles set out how we should deal with the personal information in these circumstances.
We collect personal information so that we can perform our functions and activities.
We collect personal information for the following purposes:
Top of page
The Clean Energy Regulator is bound by the secrecy provisions in Part 3 of the
Clean Energy Regulator Act 2011 (Clean Energy Regulator Act). Part 3 of the Clean Energy Regulator Act prohibits the disclosure and use of information that was obtained by a person in the person's capacity as an official of the Clean Energy Regulator and relates to the affairs of a person other than an official of the Regulator. This prohibition does not apply where:
For information held by the CER and collected before 2 April 2012 under either the
National Greenhouse Energy and Reporting Act 2007 or the
Renewable Energy (Electricity) Act 2000, the CER is bound by the preserved secrecy provision of those Acts.
We use and disclose personal information for the primary purpose for which it was collected. For example, we primarily use personal information when assessing eligibility to participate in one of the schemes we administer.
Before using personal information for any other purposes (known as 'secondary purposes'), we will ensure that the individual has consented to the use or disclosure of the information, or that one of the following circumstances applies:
We may disclose personal information to the following types of entities:
In addition, the Agency is required by certain laws (including
Clean Energy Regulator Act 2011,
Clean Energy Act 2011,
Renewable Energy (Electricity) Act 2000,
National Greenhouse and Energy Reporting Act 2007,
Carbon Credits (Carbon Farming) Act 2011,
Australian National Registry of Emissions Units Act 2011) to publish certain information, including some personal information, on our website. This information is available to the general public.
An applicant under the
Freedom of Information Act 1982 (Cth) may seek access to a document that contains another individual’s personal information. If the Agency considers that the other individual might reasonably wish to object to the document’s production on the basis that it would be an unreasonable disclosure of their personal information, the Agency will allow the individual a reasonable opportunity to argue why the document should not be produced. The Agency will consider whatever arguments are made before making a decision about whether to grant access to the document.
The Agency takes such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. We may hold personal information in either electronic or hard copy form.
Personal information that is contained in electronic form or hard copy is secured in accordance with our information handling practices.
However, as our website, systems, and registers are linked to the internet, and the internet is an insecure environment, we cannot provide any assurance regarding the security of transmission of information communicated with us, or that such information will not be intercepted while being transmitted over the internet.
Enforcement-related personal information is usually held in a restricted database. Appropriate security clearances and authorisation (i.e. a need to know) are required to access such information.
If a data breach occurs, such as if personal information that we hold is subject to unauthorised loss, use or disclosure, we will respond in line with the Office of the Australian Information Commissioner’s guidelines on responding to data breaches. This includes complying with our obligations under the Notifiable Data Breaches scheme. We will aim to provide timely advice to affected parties to ensure they are able to manage any loss—financial or otherwise—that could result from the breach.
We take such steps as are reasonable in the circumstances to delete or de-identify (sanitise) personal information that is no longer required for any permitted purpose, unless the personal information is contained in a 'Commonwealth record' or it is unlawful to do so.
We destroy hard copy documents containing personal information (of the sort we are permitted to destroy) by shredding them or by disposing of them in a security classified waste bin.
Personal information contained in undelivered emails or returned post is deleted or otherwise put beyond use.
We may disclose personal information to third parties who are not located in Australia or an external territory for some of the purposes listed in paragraph 13 of this Policy.
We usually take such reasonable steps as are necessary in the circumstances to ensure that the overseas recipients of personal information do not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) relating to personal information.
However, we are not required to take such steps in the following situations:
Top of page
We take reasonable steps to ensure that access to personal information both within the Agency and by third parties is permitted only for legitimate purposes and on a 'need to know' basis.
An individual (or an authorised representative, such as a lawyer or person exercising a power of attorney) may request access to any personal information by contacting the Agency's Privacy Contact Officer (refer to
22. Privacy Contact Officer for details. The request does not have to be made in writing or by using a designated form.
Generally speaking, we will give access to personal information within 30 days of receiving the request and in the manner requested (if it is reasonable and practicable to provide it that way). We will need to verify the person's identity (or that of another person authorised to make the request) before providing access. We will not charge for making the request or for giving access to the personal information.
In some circumstances it may be more appropriate for a person to make a formal request for access to the personal information under the
Freedom of Information Act 1982. For example, where a document is likely to contain personal or business information about a person other than the requestor.
In any event, there may be instances where we must refuse to give access to the personal information. For example, we may be required or authorised to refuse access by or under the
Freedom of Information Act 1982 or another Act of the Commonwealth that provides for access by persons to documents. In this case, we will give the requestor a written notice, within 30 days of receipt of the request, setting out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so. We will also provide information about how to complain about the refusal, should the requestor wish to do so.
If an individual believes that the personal information we hold is incorrect, incomplete or inaccurate, the individual may ask us to correct the information. However, if we decide not to correct the information, we will give the individual a written notice, within 30 days of receipt of the request to correct the information, setting out the reasons for the refusal, except to the extent it would be unreasonable to do so. We will also provide information about how to complain about the refusal to correct the information, should the requestor wish to do so.
Even if an individual does not ask us to correct personal information, we are required to take such steps (if any) as are reasonable in the circumstances to correct personal information if we are satisfied that, having regard to the purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Top of page
Complaints about the treatment of personal information (including a possible breach of privacy) by the Agency must be made in writing (a letter or email), addressed to the Privacy Contact Officer. We will treat complaints confidentially. We will respond within a reasonable time after receipt of the complaint (usually 30 days).
If an individual is not satisfied with our response, they may make a further complaint to the Australian Information Commissioner. Details of how to make a complaint are available on the
Office of the Australian Information Commissioner website.
Top of page
Privacy Contact Officer Clean Energy Regulator GPO Box 621 CANBERRA ACT 2601
Phone within Australia:
1300 553 542
Phone outside Australia:
+61 2 6159 3100
About The Clean Energy Regulator
Carbon Farming Initiative
Carbon Pricing Mechanism
National Greenhouse And Energy Reporting
Renewable Energy Target
Emissions Reduction Fund
Our Systems And Their Resources
Clean Energy Markets
Data and information
Emissions Reduction Assurance Committee
Subscribe to email updates
Information Publication Scheme
Freedom of Information
The Clean Energy Regulator is a Government body responsible for accelerating carbon abatement for Australia.