Last updated: 10 October 2023
Under the Australian Government Agencies Privacy Code we are required to list our privacy impact assessments (PIAs) in a register.
2023
Date posted: 20/03/2023
Reference number: D2022/021932
This PIA considers privacy risks associated with the use of RightFax, a centralised, computer-based fax server solution that provides enterprise-grade faxing capabilities across an entire organization. RightFax integrates fax and document distribution with email, desktop, and enterprise applications, enabling secure fax exchange from customer relationship management (CRM), enterprise resource planning (ERP), electronic medical record (EMR), document management, and other business applications.
RightFax will replace the Office of the Australian Information Commissioner’s (OAIC) use of traditional faxes for sending and receiving information related to the OAIC’s work. RightFax will integrate with the OAIC’s existing email servers, active directories, network folders and multi-functional devices (MFD)/printers. RightFax uses on-premises storage: faxes received and sent, activity and audit logs, and any associated metadata are stored on the OAIC IT infrastructure.
The OAIC will use RightFax to send and receive documents to and from complainants, respondents, third party advisors to the OAIC or either party, and other government agencies or departments (the Project). This may include sensitive information.
The OAIC’s Director of Corporate who oversees the ICT shared services arrangement is responsible for the Project’s implementation.
The PIA assesses any privacy risks posed to the OAIC by its use of OpenText RightFax, and any risks associated with the handling of personal and sensitive information by the OAIC for the Project.
Topics addressed in this PIA include how personal information will flow through the system and an assessment of compliance with the APPs.
Date posted: 20/03/2023
Reference number: D2022/026103
This PIA assesses the privacy impacts of using closed-circuit television (CCTV) cameras in the OAIC’s Sydney office.
This PIA assists in identifying privacy issues associated with using CCTV in the workplace, and proposes recommendations to minimise or eradicate any privacy impacts. This PIA considers the OAIC’s privacy policy, the OAIC’s internal practices, policies and procedures regarding the CCTV footage, and the management of the relevant CCTV footage.
Topics covered in this PIA include how personal information will flow through the CCTV system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy impacts.
Date posted: 31/03/2023
Reference number: D2023/007230
Date privacy threshold assessment completed: 25 January 2023
Outcome – PIA required? No
Date posted: 29/08/2023
Reference number: D2023/019291
Date privacy threshold assessment completed: 07/08/2022
Outcome – PIA required? No
Date posted: 10/10/2023
Reference: D2023/021802 approved.
The PIA considers privacy risks associated with the implementation and use of the OAIC data warehouse to produce internal and external reports and populate dashboards as part of the proposed use of a business intelligence system.
The PIA was conducted at an early stage of the data warehouse development to assist in identifying privacy issues associated with the transfer of personal information into the data warehouse, and in the data being extracted from the data warehouse. The PIA proposes recommendations to minimise or eradicate privacy impacts, and considers the flow of data, including the various data sources and data models used to organise and extract data, and the use of reporting tools.
Topics covered in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy.
2022
Reference number: D2022/004943
Date privacy threshold assessment completed: 22/03/2022
Outcome – PIA required? No
Reference number: D2022/026115
Date privacy threshold assessment completed: 22/11/2022
Outcome – PIA required? No
Reference number: D2022/025364
Date privacy threshold assessment completed: 27/10/2022
Outcome – PIA required? No
Reference number: D2022/021522
Date privacy threshold assessment completed: 11/10/2022
Outcome – PIA required? No
2021
Reference number: D2021/015101
Date privacy threshold assessment completed: 14/09/2021
Outcome – PIA required? No
Reference number: D2021/015143
Date privacy threshold assessment completed: 30/08/2021
Outcome – PIA required? No
Reference number: D2021/013971
Date privacy threshold assessment completed: 26/08/2021
Outcome – PIA required? No
Reference number: D2021/010985
Date privacy threshold assessment completed: 9/07/2021
Outcome – PIA required? No
Date posted: 24/02/2021
Reference number: D2020/022528
This PIA considers privacy risks associated with the new joint OAIC and Australian Competition and Consumer Commission (ACCC) Complaint handling system for the Consumer Data Right (CDR) (the joint system).
The OAIC and the ACCC are co-regulators of the CDR. The OAIC enforces the Privacy Safeguards and privacy and confidentiality-related rules, and can investigate consumer complaints regarding the handling of their CDR data. The ACCC enforces the CDR Rules and data standards and carries out strategic enforcement.
To ensure the effective operation of the CDR and provide seamless handling of enquiries, reports and complaints between the agencies involved, the OAIC and ACCC apply a ‘no wrong door’ approach. To enable this approach, the OAIC has developed a joint complaint handling system, so that consumer enquiries, reports and complaints can be submitted through one channel, and then triaged appropriately to either the OAIC, the ACCC, or an external dispute resolution (EDR) scheme. Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth), together with amendments to the Australian Information Commissioner Act 2010 (Cth), provide information sharing powers for this purpose.
The PIA assesses any risks to individual privacy presented by the implementation of the joint system and makes recommendations to mitigate those risks.
Topics addressed in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs and how consistent the system is with community expectations about privacy.
2020
Date posted: 29 May 2020
Reference number: D2020/005283
This PIA considers privacy risks associated with changes to working arrangements at the OAIC in response to the COVID-19 pandemic.
The PIA considers whether changes to physical working arrangements will impact on the handling of personal information, assesses potential privacy risks, and makes recommendations to mitigate those risks.
It addresses key topics including governance, culture and training, internal practices, procedures and systems, ICT security, access security, data breaches, physical security and stakeholder considerations.