This summary sets out the key points about how the Office of the Australian Information Commissioner (OAIC) handles personal information.

We collect, hold, use and disclose personal information to carry out our functions or activities under the Australian Information Commissioner Act 2010 (Cth) (AIC Act), the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth) (FOI Act), and other legislation that confer powers or functions on the OAIC including the My Health Records Act 2012 (Cth), and the Competition and Consumer Act 2010 (Cth) (CC Act).

More information can be found in our main privacy policy and our human resources privacy policy.

Collection of your personal information

We usually collect personal information (including sensitive information) from you or your authorised representative when we are handling privacy and freedom of information (FOI) complaints, FOI reviews, Consumer Data Right (CDR) complaints, or taking other regulatory action under the Privacy or FOI Acts. We will also collect your personal information when you apply for a job at the OAIC, notify the OAIC about a data breach or report a matter for investigation.

Personal information may include your name, contact details and complaint, review, request, data breach notification or report details.

Sensitive information may include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

We sometimes collect personal information from a third party or a publicly available source to enable us to deal with a complaint or review application or to communicate with the public and stakeholders.

We also collect personal information through our websites and social networking services such as Facebook, Twitter and YouTube. We use this information to improve our website and receive feedback from the community.

OAIC information technology security practices

All personal information collected is held on our cloud storage, on servers located in Australia. We retain effective control over any personal information held on our cloud, and the information is handled in accordance with the Australian Privacy Principles.

We use Vision6 to manage our mailing lists and event registrations. When subscribing to one of our mailing lists, you will be asked to give your express consent that Vision6 may use your data for analytics purposes. We also use TryBooking to manage our event registrations.

The OAIC uses the Australian Government’s SmartForm service to enable you to lodge a complaint, application, data breach notification, enquiry or apply for a job. When you save or submit a form using this service, the information is encrypted and stored in a secure server controlled by the Department of Industry, Science, Energy and Resources (DISER) until we download it. In very limited circumstances, DISER may be able to view your information when there is a technical issue that requires investigation (DISER must seek our permission to do so).

The OAIC uses separate forms for Consumer Data Right enquiries, reports and complaints, which are available on the CDR website.


To ensure fairness, we disclose relevant information about the details of your complaint or review application to the respondent and, where relevant, affected third parties.

We may also disclose personal information:

  • to another review body if a complainant, applicant or respondent seeks an external review of the OAIC’s decision
  • to the My Health Records Systems Operator if you notify the OAIC about a data breach that relates to the My Health Records Act.
  • to other regulators or external dispute resolution schemes (generally only if you agree and where the information will assist investigation of a matter)
  • to service providers (like those that host our website servers, manage our IT and manage our human resources information)
  • the disclosure is required or authorised by or under an Australian law or a court/tribunal order.

We don’t disclose sensitive information about you unless you agree, or would reasonably expect us to.

Generally, we only disclose personal information overseas so that we can properly handle your complaint or application. As well, web traffic information we collect using Google Analytics may be stored overseas.

Accessing and correcting your personal information

If you ask, in most cases we must give you access to the personal information that we hold about you, and take reasonable steps to correct it if we consider it is incorrect. We will try to make the process as simple as possible.

How to make a complaint

You can complain to us in writing about how we have handled your personal information. We will respond to the complaint within 30 days.

You can find more information on our Privacy complaints web page.

How to contact us

You can:

  • phone our Enquiry Line on 1300 363 992
  • use our online form to make a written enquiry, or
  • send a letter to: GPO Box 5288, Sydney NSW 2001, Australia.

Assisted contact options are also available.