Privacy Impact Assessments Register

All OAIC Privacy Impact Assessments required under the Australian Government Agencies Privacy Code will be listed in this register.

| Reference number | Date PTA completed | Title | Outcome – PIA required? |
| --- | --- | --- | --- |
| D2021/010985 | 9/07/2021 | Mandatory Check-in at the OAIC and QR codes | No |
| D2021/013971 | 26/08/2021 | International Access to Information Day/ICON webinar | No |
| D2021/015143 | 30/08/2021 | Use of the Document Verification Service (DVS) for verification of personal identity information. | No |
| D2021/015101 | 14/09/2021 | ICT Hardware Replacement | No |
| D2022/004943 | 22/03/2022 | OCT Migration to DESE | No |
| D2022/021522 | 11/10/2022 | OAIC and ACCC Coordinated Compliance Monitoring Plan of financial services entities receiving Optus Customer Data | No |
| D2022/025364 | 27/10/2022 | APSC Analysis of OAIC’s 2022 APS Employee Census Results | No |
| D2022/026115 | 28/11/2022 | MicrOPay payroll, HR and ERP system | No |

Reference number | Date posted | Title
D2020/022528 24/02/2021

Joint OAIC ACCC Complaint Handling System for the Consumer Data Right: PIA Summary

This PIA considers privacy risks associated with the new joint OAIC and Australian Competition and Consumer Commission (ACCC) complaint handling system for the Consumer Data Right (CDR) (the joint system).

The OAIC and the ACCC are co-regulators of the CDR. The OAIC enforces the Privacy Safeguards and privacy and confidentiality-related rules, and can investigate consumer complaints regarding the handling of their CDR-data. The ACCC enforces the CDR Rules and data standards and carries out strategic enforcement.

To ensure the effective operation of the CDR and provide seamless handling of enquiries, reports and complaints between the agencies involved, the OAIC and ACCC apply a ‘no wrong door’ approach. To enable this approach, the OAIC has developed a joint complaint handling system, so that consumer enquiries, reports and complaints can be submitted through one channel, and then triaged appropriately to either the OAIC, the ACCC, or an external dispute resolution (EDR) scheme. Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth), together with amendments to the Australian Information Commissioner Act 2010 (Cth), provide information sharing powers for this purpose.

The PIA assesses any risks to individual privacy presented by the implementation of the joint system and makes recommendations to mitigate those risks.

Topics addressed in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs and how consistent the system is with community expectations about privacy.

D2020/005283 29 May 2020

Working remotely in response to COVID-19

This PIA considers privacy risks associated with changes to working arrangements at the OAIC in response to the COVID-19 pandemic.

The PIA considers whether changes to physical working arrangements will impact on the handling of personal information, assesses potential privacy risks, and makes recommendations to mitigate those risks.

It addresses key topics including governance, culture and training, internal practices, procedures and systems, ICT security, access security, data breaches, physical security and stakeholder considerations.

D2022/021932

24 Nov 2022

OpenText RightFax Integration (Project)

This PIA considers privacy risks associated with the use of RightFax, a centralised, computer-based fax server solution that provides enterprise-grade faxing capabilities across an entire organization. RightFax integrates fax and document distribution with email, desktop, and enterprise applications, enabling secure fax exchange from customer relationship management (CRM), enterprise resource planning (ERP), electronic medical record (EMR), document management, and other business applications.

RightFax will replace the Office of the Australian Information Commissioner’s (OAIC) use of traditional faxes for sending and receiving information related to the OAIC’s work. RightFax will integrate with the OAIC’s existing email servers, active directories, network folders and multi-functional devices (MFD)/printers. RightFax utilises on-premises storage: faxes received and sent, activity and audit logs, and any associated metadata are stored on the OAIC IT infrastructure.

The OAIC will use RightFax to send and receive documents to and from complainants, respondents, third party advisors to the OAIC or either party, and other government agencies or departments (the Project). This may include sensitive information.

The OAIC’s Director of Corporate who oversees the ICT shared services arrangement is responsible for the Project’s implementation.

The PIA assesses any privacy risks that the OAIC’s use of OpenText RightFax poses to the OAIC, and any risks associated with the handling of personal and sensitive information by the OAIC for the Project.

Topics addressed in this PIA include how personal information will flow through the system and an assessment of compliance with the APPs.

D2022/026103

2 Dec 2022

Use of closed-circuit television cameras

This PIA assesses the privacy impacts of using closed-circuit television (CCTV) cameras in the OAIC’s Sydney office.

This PIA assists in identifying privacy issues associated with using CCTV in the workplace, and proposes recommendations to minimise or eradicate any privacy impacts. This PIA considers the OAIC’s privacy policy, the OAIC’s internal practices, policies and procedures regarding the CCTV footage, and the management of the relevant CCTV footage.

Topics covered in this PIA include how personal information will flow through the CCTV system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy impacts.

Last updated 2 December 2022