Skip Ribbon Commands
Skip to main content

Skip Navigation LinksPrivacy-policy

CER branding swish

Privacy policy

Suggested Reading Suggested Reading

12 July 2021


What is this policy about?

This policy sets out the Clean Energy Regulator (the agency) Privacy Policy. It explains what kinds of personal information we collected and why. It outlines how that information is handled. It provides guidance on how you can access and correct your personal information. Lastly, it provides advice on how you can make a complaint about the the agency's handling of your personal information.

For definitions of key terms, see Table of definitions. For details of the legislation that governs the agency, see The legislation.

Top of page

The Clean Energy Regulator: Who we are

The Clean Energy Regulator is an independent statutory authority established by the Clean Energy Regulator Act 2011. The agency administers schemes for measuring, managing, reducing or offsetting Australia's carbon emissions.

To be able to do its job the agency needs to collect, use and disclose personal information about its clients and staff. It does so in a way that ensures compliance with the Privacy Act 1988 (Cth), the Privacy Code (the Code) and the Australian Privacy Principles (APPs).

Top of page

What is personal information?

Personal information is any information, or an opinion, about an individual, or reasonably identifiable individual, whether the information is true or not, and whether the information or opinion is recorded in a material form or not.

We only collect, use, store or disclose personal information for purposes directly related to our statutory functions and activities, including:

  • to process and assess applications under the schemes we administer
  • to assist scheme participants (our clients) to manage reporting obligations and acquittal of liabilities
  • to conduct administrative functions such as recruitment
  • to conduct enforcement-related activities.

The most common types of personal information we handle are:

  • name
  • mailing or street address
  • e-mail address
  • telephone contact number
  • age or birth date
  • gender
  • profession, occupation or job title
  • employment, curriculum vitae and education information.

Top of page

What is sensitive information?

Refer to Table of definitions for a more detailed definition of 'sensitive information'.

The term 'sensitive information' refers to particular kinds of personal information. We collect sensitive information about our clients and our staff, such as:

  • photographs of people
  • insurance details
  • financial details and information about assets and liabilities
  • emergency details including next of kin
  • information about a person's:
    • racial or ethnic origin (for agency staff)
    • membership of a professional or trade association
    • criminal record
  • health information (for agency staff).

Top of page

How we collect personal information

We collect personal information directly from the individual(s) to whom the personal information relates and/or their authorised representative (an agent). We also collect personal information from various third parties, including other government agencies. We collect personal information only by lawful and fair means.

We collect personal information in a number ways including:

  • when an individual provides information to us using our web-based systems (including the client portal(s) and online forms)
  • when we receive application forms, mail or email correspondence, and other documents
  • telephone contact with our call centre
  • when we conduct criminal record checks.

We may collect personal information from third parties in the following circumstances:

  • if an individual consents to the agency collecting the information from someone other than the individual
  • if we are required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual to whom the information relates
  • if it is unreasonable or impracticable for us to collect the information from the individual directly.

Top of page

When will you be notified of the collection of personal information?

The agency notifies stakeholders (clients and staff) at or before the time we collect personal information. We usually do through a notice (also known as a 'Privacy Notice' or an 'APP Notice'). See Sample privacy notice for an example of the agency's privacy notice.

Top of page

Why we need to collect and use personal information

We primarily collect and use personal information to:

  • assess eligibility to participate in one of the schemes we administer
  • determine suitability for employment in the agency.

We may use personal information for other purposes. Before doing so we will ensure that the individual has consented to the use of the information, unless:

  • it is reasonable to expect us to use the information for a secondary purpose (for example, when performing audit and compliance functions and activities)
  • the use is required by law or a court/tribunal order.

Top of page

How do we handle unsolicited personal information?

From time to time, we receive personal information that we have not requested. This is known as 'unsolicited personal information'.

If we receive unsolicited personal information we will take reasonable steps to destroy or de-identify the information as soon as practicable, unless it is contained in a Commonwealth record, as defined in the Archives Act 1983 or it is unlawful or unreasonable to do so.

Top of page

You can deal with us anonymously or by using a pseudonym

You can deal with us anonymously, however, there are exceptions, for example:

  • when we are required or authorised by or under an Australian law, or an order of a court/tribunal
  • when it is impracticable for the agency to deal with people who have not identified themselves or used a pseudonym.

What amounts to ‘impracticable’ will depend on the circumstances. For example, where a person applies under the schemes that the agency administers, we may not be able to pay the appropriate benefit without knowing their identity.

Top of page

How do we protect your personal information?

The agency takes such steps as are reasonable to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Personal information that is contained in electronic form or hard copy is secured in accordance with our information handling practices. These practices include access restrictions, auditing and managing the storage of information in general, and personal information specifically.

Access to information is audited to ensure only staff with a need to know have actually been accessing relevant information. Lastly, storage of electronic information is subject to additional processes to prevent loss and to ensure retention for the required periods. This includes:

  • regular backup routines
  • offsite backup storage
  • maintenance processes such as copying or migration to prevent data erosion, or to counter software or hardware obsolescence.

Top of page

Who do we disclose personal information to?

The agency is required to publish information, including some personal information. This information is available to the general public.

We may also disclose personal information to other entities. For example:

  • other Commonwealth or state/territory government bodies for the purposes of investigating and prosecuting compliance breaches, legal actions, and insurance claims
  • enforcement bodies (such as the Australian Federal Police, a police force of a state or territory, the Office of the Director of Public Prosecutions, and the Australian Securities and Investments Commission)
  • a Committee of the Parliament of the Commonwealth of Australia
  • applicants under the Freedom of Information Act 1982 (Cth).

Top of page

Protection of information under the Clean Energy Regulator Act 2011

The agency is bound by the secrecy provisions in Part 3 of the Clean Energy Regulator Act 2011 (Clean Energy Regulator Act). Part 3 of the Clean Energy Regulator Act prohibits the disclosure and use of information that was obtained by a person in the person’s capacity as an official of the agency and relates to the affairs of a person other than an official of the Regulator. This prohibition does not apply where:

  • the disclosure or use is authorised by a provision of Part 3 of the Clean Energy Regulator Act
  • the disclosure or use is in compliance with a requirement under a law of the Commonwealth or a prescribed law of a state or a territory.

For information held by the agency and collected before 2 April 2012 under either the National Greenhouse Energy and Reporting Act 2007 or the Renewable Energy (Electricity) Act 2000, the agency is bound by the preserved secrecy provision of those Acts.

Top of page

Do we disclose personal information to anyone overseas?

We may disclose personal information to third parties who are not located in Australia or an external territory. We usually take such reasonable steps as are necessary in the circumstances to ensure that the overseas recipients of personal information do not breach the APPs.

Top of page

How do we deal with data breaches?

The agency is obliged to take reasonable steps to handle personal information in accordance with the APPs. This includes protecting personal information from misuse, unauthorised access, modification or unintentional disclosure.

However, if a data breach occurs, there are steps staff must quickly take to identify, contain and report the incident. 

We will provide timely advice to affected parties to ensure they are able to manage any loss – financial or otherwise – that could result from the breach.

Top of page

How can you access and correct your personal information?

An individual (or an authorised representative, such as a lawyer or person exercising a power of attorney) may request access to their personal information by contacting the agency's Privacy Contact Officer (see below for Privacy Contact Officer details). The request does not have to be made in writing or by using a designated form. We aim to give access to your personal information within 30 days of receiving the request and in the manner requested (if it is reasonable and practicable to provide it that way).

We will need to verify the person's identity (or that of another person authorised to make the request) before providing access. We will not charge for making the request or for giving access to the personal information.

Even if an individual does not ask us to correct personal information, we are required to take such steps (if any) as are reasonable in the circumstances to correct personal information if we are satisfied that, having regard to the purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Top of page

How can you make a complaint about the agency's handling of your personal information?

Complaints about the treatment of personal information (including a possible breach of privacy) must be made in writing (a letter or email), addressed to the Privacy Contact Officer (see below). We will treat complaints confidentially. We will respond within a reasonable time after receipt of the complaint (usually 30 days).

Top of page

How can you contact the agency’s Privacy Officer?

Individuals can obtain further information in relation to this privacy policy, or provide any comments, by contacting our Privacy Contact Officer as follows:

By phone

  • Within Australia: 1300 553 542
  • Outside Australia: +61 2 6159 3100

By email

By post

  • Privacy Contact Officer
    Clean Energy Regulator
    GPO Box 621
    Canberra ACT 2601

Top of page

Table of definitions




Includes any consent given by an individual and may be express consent or implied consent. There are four key elements to consent:

  • the individual must be adequately informed of what they are consenting to before giving consent

  • it must be provided voluntarily

  • it must be current and specific

  • the individual must have the capacity to understand and communicate their consent.

Consent may be given orally or in writing.

Commonwealth record

Means a record that is the property of the Commonwealth or a Commonwealth institution, or a record that is deemed to be a Commonwealth record under the Archives Act 1983.

Handling personal information

Means dealing with personal information in any way, including managing, collecting, holding, using or disclosing personal information.


We collect personal information only if we collect it for inclusion in a Commonwealth record or generally available publication (that is a magazine, book, article, newspaper, guidance or other publication available to members of the public).


A release from our effective control is generally a disclosure, irrespective of our reason for releasing the information. It includes proactive release, release in response to a specific request and accidental release.


We hold personal information if we have possession or control of a record that contains the personal information.


We use personal information when we handle and manage that information within the agency's effective control. We also use personal information for the purposes of administering legislative schemes.

Personal information

Means any information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not

  • whether the information or opinion is recorded in a material form or not.

Privacy Act

Means the Privacy Act 1988 (Cth)

Sensitive information


  1. information or opinion about an individual's:

    • racial or ethnic origin

    • political opinions

    • membership of a political association

    • religious beliefs or affiliations

    • philosophical beliefs

    • membership of a professional or trade association

    • membership of a trade union

    • sexual orientation or practices

    • criminal record

that is also personal information, or:

  1. health information about an individual

  2. genetic information about an individual, that is not otherwise health information

  3. biometric information that is to be used for the purpose of automated biometric verification or biometric identification

  4. biometric templates.

Top of page

The legislation

The agency is governed by the following legislation (Acts, regulations and Rules):

As an Australian Government Agency, the agency must also comply with several other Acts, regulations and other legislation, including:

  • Public Governance, Performance and Accountability Act 2013
  • Commonwealth Procurement Rules (CPRs)
  • Public Service Act 1999
  • Public Service Regulations 1999
  • Archives Act 1983
  • Australian Public Service Commissioner’s Directions 2016
  • Crimes Act 1914
  • Freedom of Information Act 1982
  • Freedom of Information (Charges) Regulations 2019
  • Freedom of Information (Disclosure Log – Exempt Documents) Determination 2018
  • Privacy Act 1988
  • Privacy Regulation 2013
  • Legally binding privacy guidelines and rules
  • Evidence Act 1995
  • Fair Work Act 2009
  • Fair Work Regulations 2009
  • Electronic Transactions Act 1999
  • Electronic Transactions Regulations 2000.

Top of page

Sample privacy notice

Preferred wording for the agency’s privacy notice, to be included in all forms and in the Client Portal as follows:

Privacy notice 

(To be adapted and optimised for electronic and hard copy channels, including definition for ‘personal information’ linked to that provided by the OAIC.)

The Clean Energy Regulator is a Government body responsible for accelerating carbon abatement for Australia through the administration of the National Greenhouse and Energy Reporting scheme, Renewable Energy Target and the Emissions Reduction Fund. You can contact us through the channels below.

By phone

  • Within Australia: 1300 553 542
  • Outside Australia: +61 2 6159 3100

By email

By post

  • Clean Energy Regulator
    GPO Box 621
    Canberra ACT 2601

Personal information collected in relation to this application will be used for the purpose of assessing the application, auditing compliance, enforcement of relevant laws and regulations and for related purposes. The collection of personal information is authorised by the Clean Energy Regulator Act 2011 and other relevant Act(s).

We cannot process your application if we do not collect relevant personal information.

We do not give personal information about an individual to other Government agencies, private sector organisations or anyone else unless one of the following applies:

  • the individual has consented
  • the individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies
  • it is otherwise required or authorised by law
  • a 'permitted general situation' exists (such as where a disclosure will prevent or lessen a serious and imminent threat to somebody's life or health)
  • it is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

We may disclose personal information to third parties who are not located in Australia. We will take reasonable steps to ensure that the overseas recipients of personal information do not breach relating to personal information.

The Clean Energy Regulator’s Privacy Policy contains information about the agency’s procedures for handling personal information including how a person can access their personal information held by the agency, and how to seek correction of such information.

The Privacy Policy also contains information about how to complain about a breach of the Australian Privacy Principles.

Top of page

Documents on this page Documents on this page

Was this page useful?

preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only preload-image-only