By John Vaughan-Williams, Lawyer
CPA Australia’s recent, legally mandated, release of its member register has gained significant news coverage. As a result, your not-for-profit organisation may be wondering what its obligations are regarding the release of its member register.
If your not-for-profit organisation is a public company limited by guarantee, then it has specific obligations under the Corporations Act 2001 (Cth) (Corporations Act) regarding the disclosure of its member register. However, there are only some scenarios in which the register can and should be released, and it is important that the correct process is followed.
Releasing the member register, when not required to by law, may be a breach of the Privacy Act 1988 (Cth) (Privacy Act).
Public companies limited by guarantee must keep a register of members pursuant to the Corporations Act. Under section 169, the register must include the name and address of all members, as well as the date on which each member was entered onto the register.
Section 173 governs the right of anyone to inspect, and in some circumstances, to obtain copies of the register.
Anyone (including non-members) is allowed to inspect the register without providing reasons, but the requirements surrounding obtaining copies of the register are more subtle.
Members and other individuals may be permitted under section 173 to obtain copies of the register. The person wishing to obtain a copy must first submit an application to the company to do so.
A company must allow a person to obtain copies of the register if:
After obtaining a request, the organisation has seven days to decide how to respond.
In summary, the following purposes are deemed at law to be “prescribed purposes”:
These scenarios may be rare in the context of a not-for-profit organisation. However, it is important that, if a request for the member register is made, the organisation obtains sufficient information regarding the purpose in order to be certain it is not a prescribed purpose.
If the person provides an evasive or overly general response regarding the purpose (for example, for the person’s records, or out of curiosity), then the organisation will not be able to satisfy itself that the purpose is not a prescribed purpose, and should not disclose the register.
If, however, the person does provide a specific reason, which is not one of the prescribed purposes, then the organisation will generally be obliged to disclose the register, even if it is against the organisation’s wishes.
The organisation can request fees for the inspection and/or obtaining copies of the register.
Members of the organisation are allowed to inspect the register for free, but other persons may be required by the organisation to pay a prescribed fee, depending on whether the register is kept on a computer.
If copies of the register are to be provided, then fees can be charged to both members and other persons. The amount of the fee is dependent upon the number of members of the company.
If a fee is requested, and the member or other individual refuses to pay, then this can be a ground for refusing to disclose the register.
The Privacy Act governs the collection and disclosure of personal information and sensitive information, for some organisations.
The information contained in the member register of a public company limited by guarantee does not come under the definition of sensitive information, but does come under the definition of personal information. Personal information is broadly defined as any information which identifies an individual.
The Privacy Act imposes requirements on an organisation surrounding when it is permitted to disclose personal information that it holds on individuals. Generally, information can only be disclosed for the purpose for which it was collected, unless an exception applies.
One of the exceptions is when an organisation is required or authorised, under Australian law, to disclose the information to a third party.
This means that disclosing the member register to a member will generally come under this exception, as long as the organisation actually was required under section 173 to disclose the information.
If the organisation discloses copies of the member register without first satisfying itself that the member did not have an improper, “prescribed purpose”, then the organisation may not be meeting its obligations under the Privacy Act.
If your organisation is an incorporated association, then the law regarding the member register is significantly less settled. In some (but not all) jurisdictions, the associations legislation deals with the release of the member register.
If your organisation has never considered its member register obligations before, you should consider developing a policy regarding how member register requests will be handled.
Requests to view the member register are not as rare as they may appear, and in light of the recent CPA Australia events, they may occur more frequently.