Privacy policy

The types of personal information that ORIC collects may include:

• contact details (such as name, address, email and telephone numbers)
• biographical data (such as date and place of birth, and gender)
• financial information for the process of verifying expenses and processing reimbursements (such as bank details, insurance documents, and identity documents) 
• professional, occupational and employment histories, as they relate to corporations, and
• professional, occupational and employment histories, as they relate to corporations, as they relate to recruitment of staff.

Collection of your sensitive information

The Privacy Act also defines ‘sensitive information’, which is a sub-category of personal information. The Privacy Act places higher standards on the collection and handling of sensitive information. Sensitive information includes information or an opinion about an individual’s racial or ethnic origins, political opinions, religious or philosophical beliefs, criminal record and health, genetic and biometric information.

An example of ORIC’s collection of sensitive information is the collection of information about racial or ethnic origin. The Indigeneity requirements set out under sections 29‑5 and 141‑10 of the CATSI Act require the Registrar to be satisfied that corporations meet these requirements when applying for registration under the CATSI Act and as long as the corporation is registered under the CATSI Act. 

This means in certain circumstances ORIC is required to collect information about the Indigeneity of a person. The Registrar must ensure that ORIC’s collection of such information is directly related to the Registrar’s regulatory functions and activities, and that the individual to whom the sensitive information relates has either consented to its collection or that it is required or authorised by an Australian law. 

Other sensitive information we may collect is dietary and mobility information of participants attending ORIC training, information about criminal records and professional memberships in the context of investigating wrongdoing under the CATSI Act. 

Why ORIC collects personal information

ORIC collects personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities under the CATSI Act, such as to: 

• handle reports of concerns or complaints about corporations
• handle disputes relating to corporations
• conduct an examination or ‘healthy organisation check’
• conduct a ‘special administration’ process
• monitor individuals’ and corporations’ compliance with the CATSI Act
• identify, investigate and take enforcement action under the CATSI Act
• maintain registers required under the CATSI Act
• deal with property under the CATSI Act
• consult with stakeholders, 
• analyse data and review and consider policy frameworks 
• undertake public education and awareness about the CATSI Act, governance of corporations and ORIC’s regulatory activities
• cooperate with other law enforcement agencies 
• deal with complaints about ORIC, its personnel and its contractors
• organise training and support to corporations and other stakeholders
• manage our employees, contractors and service providers, and 
• provide online services, tools and systems.  

How ORIC collects personal information 

ORIC collects personal information from individuals directly and from third parties. This can be through:

• the receipt of complaints or inquiries (both oral and in writing)
• receiving reports of concern
• carrying out investigations and other specific regulatory functions, including special administration and examinations
• receiving documents and reports
• contractual, procurement and recruitment activities, or
• registering or seeking support to attend training activities.

We only collect personal information from third parties where:

• the individual consents
• we are required or authorised to collect the personal information from third parties by law, or
• it would not be reasonable or practicable for the individual to know that we have collected their personal information (because, for example, it was obtained in the course of an investigation). 

Information about corporations

Information about corporations, where that information does not identify an individual, is not ‘personal information’. Generally, corporations do not have privacy rights because they do not fall within the definition of ‘individual’ in the Privacy Act. Any references to corporations in this document should be taken to be a reference to Aboriginal and Torres Strait Islander corporations under the CATSI Act unless otherwise specified. 

ORIC collects some information about corporations that must be made available to the public on the Register of Aboriginal and Torres Strait Islander Corporations and the Register of Disqualified Persons. Some of that information includes personal information, being names of contact persons/ secretaries, members and directors. The CATSI Act authorises disclosure of this personal information.

How ORIC uses and discloses personal information 

We only use personal information for the purpose for which it was collected, unless one of the following applies:

• we obtain the individual’s consent to use the personal information for a different purpose
• the individual would reasonably expect us to use the personal information for a different but related purpose (and if the personal information is sensitive information, that the purpose is directly related to the collection purpose)
• we are required or authorised by law to use the information (for example, by a court order or subpoena)
• a permitted general situation under the Privacy Act exists – including where we reasonably believe that using the information is necessary to:
  • lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  • take appropriate action to correct suspected unlawful activities or serious misconduct in relation to our functions and activities
  • establish a legal or equitable claim, or
  • we reasonably believe that the use is necessary for our enforcement activities (such as to gather intelligence or take enforcement action).

We only disclose information to:

• contractors including external legal services providers who we engage to assist us with our functions and who we ensure are subject to Privacy Act obligations 
• other enforcement bodies (such as state and territory law enforcement entities)
• other government agencies and prescribed entities, where authorised by law , including the National Indigenous Australians Agency (NIAA)
• the public, if the personal information is required by law to be placed on a register that can be searched by the public 
• responsible Ministers and parliamentary committees exercising their oversight functions
• oversight bodies such as the Commonwealth Ombudsman exercising their statutory functions
• applicants whose requests are considered under the Freedom of Information Act 1982 (FOI Act)
• referees and former employers to verify qualifications and experience when assessing certain applications, and
• other entities if required or authorised under the CATSI Act or Australian law.

How ORIC stores and secures personal information

ORIC maintains a register of personal information holdings that records where and in which systems personal information is stored. 

Some information is stored in on-premises systems and some is cloud based. 

Information is stored in:   

• The Electronic Register of Indigenous Corporations under the CATSI Act (ERICCA)
• Management of Interactions and Lodgement Information (MILI)
• Record Management Systems as provided by the Department of Prime Minister and Cabinet, and
• Share+.

We retain all copies or records of personal information we collect and deal with them (including any destruction as per ORIC’s normal administrative practice) in accordance with the Archives Act 1983 (Cth).

Records held by ORIC that contain personal information 

Personnel records

ORIC personnel are employees of the National Indigenous Australians Agency. Personnel records for staff of ORIC are held by the National Indigenous Australians Agency in record management systems and platforms managed by the Department of Prime Minister and Cabinet.   

Operational records

Operational records enable the Registrar to administer the CATSI Act, to maintain statutory registers and to support and regulate corporations registered under the CATSI Act. These records are for the most part stored in Share+ unless another records system is established for a particular purpose (see for example ‘investigations and prosecutions’ below). 

Operational records may include: 

• public and non-public (protected) documents relating to the operations of the corporation
• information relating to the Indigeneity of certain personnel associated with corporations
• incoming and outgoing paper and electronic correspondence with respect to corporations that might include details of complaints or inquiries relating to the corporation
• documents relating to dispute resolution assistance provided to corporations by ORIC
• documents relating to the examination of corporations inclusive of the conduct of corporation personnel
• documents regarding special administration and other forms of external administration of the corporation
• documents relating to handling of property from deregistered corporations, and
• documents relating to regulatory decisions under the CATSI Act. 

The personal information in ORIC’s operational records typically concerns the members, officers, and employees of corporations, and third parties representing or dealing with corporations. 

Websites 

When you visit oric.gov.au, our internet service provider automatically records your visit and logs information such as the following:

• your server address
• date and time of visit
• queries and search terms
• files downloaded
• time spent on individual pages and the overall site
• pages accessed
• previous site visited (if referred), and
• browser type used.   

We do not attempt to identify users or their browsing activities, unless the user has signed up to an online service, or a law enforcement agency or other government agency exercises its legal authority to inspect our internet web server logs for an investigation.

From time to time, we use cookies to streamline or personalise our service to you. Cookies are small pieces of information exchanged between a web browser and a web server. You can set your browsers to notify you before you receive a cookie. You may also be able to turn off or delete cookies by referring to relevant browser ‘add-ons’. 

Online lodgements and webforms

The ORIC website provides a secure portal to lodge corporation forms and reports. 

If you subscribe to our email updates or submit an online form (such as a training course application, or a request to advertise a corporation job) we will only use the information you submit for the purpose for which you provide it. We will not use your personal information from these online requests and forms for any other purpose and will not disclose it to any third party without your consent, unless required by law to do so. 

Online surveys 

From time to time the Registrar conducts online surveys to evaluate ORIC’s services and to obtain feedback from staff and/or directors, officers, members and employees of corporations who have used these services. Data is collected through third-party online tools (such as Microsoft Forms and Mailchimp) and downloaded to ORIC’s servers. 

Survey responses are usually anonymous by default. Respondents to surveys can elect to supply contact details to enable follow-up.

Records of training administration

Applications to participate in governance training may be collected through the content management system for oric.gov.au or through other forms and stored in records management systems. 

Records of training attendance are kept in electronic format in records management systems.

Personal information of training participants may include but is not limited to: contact details, gender, Indigeneity, emergency contact, prior training, and employment roles, as well as dietary and mobility issues and requirements, and self-assessments of training participants’ confidence.

With the consent of the person, the personal information contained in these records may be disclosed to training providers and educational institutions conducting ORIC's training programs. 

Records of consultants and contractors

ORIC holds personal information regarding personnel associated with former and current service providers – for example, trainers, examiners, auditors, special administrators and external legal services providers. 

This information includes responses to requests for tender, deeds of standing offer, official orders, contact details, performance evaluations and correspondence.

The content of these records may include but is not limited to: name, company name, Australian business number, address, telephone number, occupation, gender, referees, employment histories, payment details, vaccination details, financial viability checks undertaken during request for tender/request for quote processes and pricing schedules.

ORIC may disclose information to auditors, parliamentary inquiries and Senate estimates committees if required.

Publications and other content 

The information is generally about corporation officers and members, as well as other interested parties. The content of these records may include: name, address and other contact details, photographs of corporation representatives and quotations attributed to them.

Where a photograph or quotation is attributable to an identifiable person or corporation, they are recorded with consent of the person or corporation.

Communications 

Mailing lists are either derived from the Register or generated through an online opt-in process. 

Investigations, prosecutions, and legal services

ORIC holds personal information regarding the investigation and prosecution of alleged contraventions of the CATSI Act and other laws by individuals and organisations. Personal information may also be included in associated legal files and advice. 

Personal information includes but is not limited to: name, alias, address, telephone numbers, email addresses, date and place of birth, Indigeneity, occupation, gender, qualifications, marital status, next of kin, family details, name and addresses of associates, financial information, employment history, property information, and other third-party personal information.

Sensitive information may include but is not limited to: details of complainants, nature of the contraventions, criminal intelligence, method of detection, employer/employee relationships and activities, physical or mental health, records of interview (with and about the person), witness statements, opinions on the veracity, intent and strength of evidence and possibility of success in prosecution, criminal history, investigation outcome, communications with the prosecuting authority, and any other type of information obtained during the investigation processes and subsequent actions.

The records are stored on classified paper files and managed using secure records management systems, workspaces and/or standalone electronic devices with restricted access.  

Authorised ORIC staff in the investigations and prosecutions section have access to this personal information. It may also be disclosed on a ‘need to know’ basis to the Registrar, ORIC senior managers and selected staff, corporation examiners, special administrators, investigating agencies, police forces, legal advisers, prosecuting authorities and courts.

The legal services business area of ORIC also maintains files for the purpose of:

• recording and handling complaints made against ORIC either from an individual or organisation, or through the Commonwealth Ombudsman or the Australian Human Rights Commission 
• privacy requests, complaints and other privacy activities outlined under this policy (see below), and
• handling freedom of information requests. 

The content of these records may include names, addresses, occupations, gender and details relating to the particular complaint.

The following people have access to these files: the Registrar, legal staff, senior managers on a need‑to‑know basis and records management staff.

This information is not disclosed to other persons or organisations, other than as authorised or required by law.

Law Help

The Registrar collects and holds files for the purpose of recording and processing applications made by corporations for pro bono legal assistance under its LawHelp scheme.

This information may be disclosed to the LawHelp assessment panel and to legal firms providing pro bono legal assistance to a successful applicant. Otherwise, this information is not usually disclosed to other persons or organisations, other than as required by law. 

Corporation job advertisements

The Registrar maintains files for the purpose of recording and processing applications to display corporation job advertisements on the ORIC website.

The advertisement for the vacancy, including the position description and contact information are displayed on the Registrar’s website. Otherwise, this information is not usually disclosed to other persons or organisations, other than as required by law.  

Use and disclosure requirements under the CATSI Act

The Registrar has specific obligations in relation to protected information provisions in the CATSI Act. These provisions prescribe authorised uses and disclosures of ‘protected information’ obtained in connection with the administration of the CATSI Act. They also require all reasonable measures to be taken to protect such information from unauthorised use or disclosure.

Definition of ‘protected information’ in the CATSI Act

Protected information is defined in section 604‑5 of the CATSI Act. Protected information includes all information that is disclosed to the Registrar’s staff or contractors in confidence, in connection with the Registrar’s powers and functions – section 604‑5(1).

Protected information also includes all information either:

• disclosed to, or obtained by, a person, or
• included in a document given or produced to a person,

where that information was provided for the purposes of the CATSI Act and relates to the affairs of a corporation or a person or entity associated with it – section 604‑5(2).

Information that has been lawfully made public from other sources is not protected information – section 604‑5(2).

Authorised uses and disclosures under the CATSI Act

Some uses and disclosures of personal information are excepted from the APP 6 general prohibition on disclosure, including where the use or disclosure is required or authorised by or under an Australian law. The CATSI Act is an example of a relevant authorisation under an Australian law. In other words, if the CATSI Act authorises certain uses and disclosures, ORIC can conduct these without breaching APP 6. 

Authorised uses and disclosures of protected information under the CATSI Act include a use or disclosure that is:

• made for the purposes of the CATSI Act – section 604‑25(1)(a)
• required or authorised by a law of the Commonwealth, a state or territory – section 604‑25(1)(b)
• made by the Registrar or a delegate of the Registrar while performing a duty or the exercise of a power of the Registrar – section 604‑25(2)(a) and (b), or
• made by a special administrator of an Aboriginal and Torres Strait Islander corporation while performing a function or duty or exercising a power as a special administrator of the corporation – section 604‑25(2)(c).

In some circumstances, the Registrar may share protected information with government agencies and certain offices specified in section 604‑25 of the CATSI Act and section 54 of the Corporations (Aboriginal and Torres Strait Islander) Regulations 2017.

General privacy enquiries, requests for access to or correction of personal information 

ORIC’s Chief Privacy Officer is the first point of contact for privacy issues within the Registrar’s office and is responsible for all privacy related matters, including general enquiries, questions about ORIC’s privacy policy and privacy management plan, and requests for access to, or correction of, personal information.

The Chief Privacy Officer's contact details are:

Complaints

ORIC will acknowledge privacy complaints within 14 days of receipt. In that acknowledgement ORIC will give you an indicative timeframe for the resolution of your complaint. ORIC will contact you before that timeframe expires with an explanation if it cannot meet that timeframe.

ORIC will use its best endeavours to resolve complaints within 30 days but may take up to 90 days for complex matters.

Complaints about ORIC’s handling of personal information may also be made to the Office of the Australian Information Commissioner (OAIC). The OAIC can investigate privacy complaints from individuals about Australian, ACT and Norfolk Island government agencies, as well as private sector organisations covered by the Privacy Act. 

Before lodging a complaint with the OAIC, a complainant will generally need to complain directly to ORIC and allow 30 days for a response. If the complainant does not receive a response within the 30-day period, or is dissatisfied with the response, they may then complain to OAIC. 

For more information about making a complaint to the OAIC, you can access the OAIC's website.

Access and correction

You have a right to request access to the personal information ORIC holds about you and to request its correction in accordance with Australian Privacy Principles 12 and 13.

The Privacy Act permits access to be refused in certain cases, including where an exemption under the FOI Act would apply.

To request access or correction to your personal information held by ORIC, you can contact ORIC’s privacy officer at either info@oric.gov.au or 1800 622 431. 

Discussing the nature of your request with the privacy officer will enable ORIC to provide guidance on whether your request is better dealt with under the Privacy Act, the FOI Act or another arrangement.

Requests under ‘freedom of information’ law 

You should be aware that any information you supply to ORIC may be subject to a request under the FOI Act. For example, if your corporation applies for training or pro bono legal assistance, any information you provide to ORIC may be subject to an FOI request.

More information on FOI can be found on ORIC’s website.

Privacy Impact Assessment Register

The ORIC Privacy Impact Assessment (PIA) Register records details of PIAs conducted in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017.

More information  

For more:

• contact ORIC's privacy officer via info@oric.gov.au or 1800 622 431, or
• visit the Office of the Australian Information Commissioner’s website.