Our privacy impact assessment register

Last updated: 10 October 2023

Under the Australian Government Agencies Privacy Code we are required to list our privacy impact assessments (PIAs) in a register.

2023

OpenText RightFax Integration (Project)

Date posted: 20/03/2023

Reference number: D2022/021932

This PIA considers privacy risks associated with the use of RightFax, a centralised, computer-based fax server solution that provides enterprise-grade faxing capabilities across an entire organization. RightFax integrates fax and document distribution with email, desktop, and enterprise applications, enabling secure fax exchange from customer relationship management (CRM), enterprise resource planning (ERP), electronic

medical record (EMR), document management, and other business applications.

RightFax will replace the Office of the Australian Information Commissioner’s (OAIC) use of traditional faxes for sending and receiving information related to the OAIC’s work. RightFax will integrate with the OAIC’s existing email servers, active directories, network folders and multi-functional devices (MFD)/printers. RightFax utilises on premises storage with storage of faxes received and sent, activity and audit logs, and any associated metadata this is on the OAIC IT infrastructure.

The OAIC will use RightFax to send and receive documents to and from complainants, respondents, third party advisors to the OAIC or either party, and other government agencies or

departments (the Project). This may include sensitive information.

The OAIC’s Director of Corporate who oversees the ICT shared services arrangement is responsible for the Project’s implementation.

The PIA assesses any privacy risks posed by the use of the OpenText RightFax by the OAIC to the OAIC, and any risks associated with the handling of personal and sensitive information by the OAIC for the Project.

Topics addressed in this PIA include how personal information will flow through the system and an assessment of compliance with the APPs.

Use of closed-circuit television cameras

Date posted: 20/03/2023

Reference number: D2022/026103

This PIA assesses the privacy impacts of using closed-circuit television (CCTV) cameras in the OAIC’s Sydney office.

This PIA assists in identifying privacy issues associated with using CCTV in the workplace, and proposes recommendations to minimise or eradicate any privacy impacts. This PIA considers the OAIC’s privacy policy, the OAIC’s internal practices policies and procedures regarding the CCTV footage, and the management of the relevant CCTV footage.

Topics covered in this PIA include how personal information will flow through the CCTV system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy impacts.

Business case for the use of Qualtrics XM

Date posted: 31/03/2023

Reference number: D2023/007230

Date privacy threshold assessment completed: 25 January 2023

Outcome – PIA required? No

Instagram Privacy Threshold Assessment

Date posted: 29/08/2023

Reference number: D2023/019291

Date privacy threshold assessment completed: 07/08/2022

Outcome – PIA required? No

Data Warehouse Implementation Project

Date posted: 10/10/2023

Reference: D2023/021802 approved.

The PIA considers privacy risks associated with the implementation and use of the OAIC data warehouse to produce internal and external reports and populate dashboards as part of the proposed use of a business intelligence system.

The PIA was conducted at an early stage of the data warehouse development to assist in identifying privacy issues associated with the transfer of personal information into the data warehouse, and in the data being extracted from the data warehouse. The PIA proposes recommendations to minimise or eradicate privacy impacts, and considers the flow of data, including the various data sources and data models used to organise and extract data, and the use of reporting tools.

Topics covered in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy.

2022

ICT migration to the Department of Education, Skills and Employment

Reference number: D2022/004943

Date privacy threshold assessment completed: 22/03/2022

Outcome – PIA required? No

MicrOPay payroll, HR and ERP system

Reference number: D2022/026115

Date privacy threshold assessment completed: 22/11/2022

Outcome – PIA required? No

APSC Analysis of OAIC’s 2022 APS Employee Census Results

Reference number: D2022/025364

Date privacy threshold assessment completed: 27/10/2022

Outcome – PIA required? No

OAIC and ACCC Coordinated Compliance Monitoring Plan of financial services entities receiving Optus Customer Data

Reference number: D2022/021522

Date privacy threshold assessment completed: 11/10/2022

Outcome – PIA required? No

2021

ICT hardware replacement

Reference number: D2021/015101

Date privacy threshold assessment completed: 14/09/2021

Outcome – PIA required? No

Use of the Document Verification Service (DVS) for verification of personal identity information

Reference number: D2021/015143

Date privacy threshold assessment completed: 30/08/2021

Outcome – PIA required? No

International Access to Information Day/ICON webinar

Reference number: D2021/013971

Date privacy threshold assessment completed: 26/08/2021

Outcome – PIA required? No

Mandatory check-in at the OAIC and QR codes

Reference number: D2021/010985

Date privacy threshold assessment completed: 9/07/2021

Outcome – PIA required? No

Joint OAIC ACCC Complaint Handling System for the Consumer Data Right: PIA Summary

Date posted: 24/02/2021

Reference number: D2020/022528

This PIA considers privacy risks associated with the new joint OAIC and Australian Competition and Consumer Commission (ACCC) Complaint handling system for the Consumer Data Right (CDR) (the joint system).

The OAIC and the ACCC are co-regulators of the CDR. The OAIC enforces the Privacy Safeguards and privacy and confidentiality-related rules, and can investigate consumer complaints regarding the handling of their CDR data. The ACCC enforces the CDR Rules and data standards and carries out strategic enforcement.

To ensure the effective operation of the CDR and provide seamless handling of enquiries, reports and complaints between the agencies involved, the OAIC and ACCC apply a ‘no wrong door’ approach. To enable this approach, the OAIC has developed a joint complaint handling system, so that consumer enquiries, reports and complaints can be submitted through one channel, and then triaged appropriately to either the OAIC, the ACCC, or an external dispute resolution (EDR) scheme. Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth), together with amendments to the Australian Information Commissioner Act 2010 (Cth), provide information sharing powers for this purpose.

The PIA assesses any risks to individual privacy presented by the implementation of the joint system and makes recommendations to mitigate those risks.

Topics addressed in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs and how consistent the system is with community expectations about privacy.

2020

Working remotely in response to COVID-19

Date posted: 29 May 2020

Reference number: D2020/005283

This PIA considers privacy risks associated with changes to working arrangements at the OAIC in response to the COVID-19 pandemic.

The PIA considers whether changes to physical working arrangements will impact on the handling of personal information, assesses potential privacy risks, and makes recommendations to mitigate those risks.

It addresses key topics including governance, culture and training, internal practices, procedures and systems, ICT security, access security, data breaches, physical security and stakeholder considerations.