Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy policy

pdfPrintable version290.69 KB

About this policy

Version 1.01, April 2017

The Privacy Act 1988 requires entities bound by the Australian Privacy Principles to have a privacy policy. This privacy policy outlines the personal information handling practices of the Office of the Australian Information Commissioner (OAIC). OAIC employees and prospective employees should also refer to our Human resources privacy policy. The OAIC also has a summary privacy policy.

This policy is written in simple language. The specific legal obligations of the OAIC when collecting and handling your personal information are outlined in the Privacy Act 1988 and in particular in the Australian Privacy Principles found in that Act. We will update this privacy policy when our information handling practices change. Updates will be publicised on our website and through our email lists.

Back to Contents


We collect, hold, use and disclose personal information to carry out functions or activities under the Australian Information Commissioner Act 2010 (AIC Act), the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act).

These functions and activities include:

  • handling privacy and freedom of information (FOI) complaints and FOI reviews
  • taking other regulatory action under the Privacy and FOI Acts
  • providing advice on privacy, FOI, and information policy issues
  • consulting with stakeholders, for example, on privacy or FOI guidance
  • maintaining registers, such as organisations that have opted-in to Privacy Act coverage
  • responding to access to information requests
  • communicating with the public, stakeholders and the media including through websites and social media.

Back to Contents

Collection of your personal information

At all times we try to only collect the information we need for the particular function or activity we are carrying out.

The main way we collect personal information about you is when you give it to us, for example, we collect personal information such as contact details and complaint , review, request or report details when you:

  • contact us to ask for information (but only if we need it)
  • make a complaint about a privacy breach to us
  • make a complaint about the way an agency has handled an FOI request or seek a review of an FOI decision
  • ask for access to information the OAIC holds about you or other information about the OAIC’s operation
  • report a matter for investigation.

We may also collect information from you when we investigate or review a privacy or FOI matter. If we open a file about your matter, it will often include our opinion on your matter.

We may also collect contact details and some other personal information if you are on our committees or participating in a meeting or consultation with us.

Collecting sensitive information

Sometimes we may need to collect sensitive information about you, for example, to handle a complaint. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

Indirect collection

In the course of handling and resolving a complaint, review or an investigation, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as:

  • your authorised representative, if you have one
  • applicants, complainants, respondents to a complaint or application or the third parties’ employees and witnesses.

We also collect personal information from publicly available sources to enable us to contact stakeholders who may be interested in our work or in participating in our consultations


Where possible, we will allow you to interact with us anonymously or using a pseudonym. For example, if you contact our Enquiries line with a general question we will not ask for your name unless we need it to adequately handle your question.

However, for most of our functions and activities we usually need your name and contact information and enough information about the particular matter to enable us to fairly and efficiently handle your inquiry, request, complaint or application, or to act on your report.

Collecting through our websites

The OAIC has its own public website — — and we manage the APPA and PAW websites on behalf of Asia Pacific Privacy Authorities. We also have a separate web blog where we allow comments.

Where our websites allow you to make comments or give feedback we collect your email address and sometimes other contact details. We may use your email address to respond to your feedback. We store this personal information on servers located in Australia.

We also utilise the services of Hotjar to collect voluntary feedback on your experience with our website. You can view Hotjar’s privacy and data collection policies here.

Analytic, session and cookie tools

We use a range of tools provided by third parties, including Google, Bing and our web hosting company Anchor, to collect or view website traffic information. These sites have their own privacy policies. We also use cookies and session tools to improve your experience when accessing our websites.

The information collected by these tools may include the IP address of the device you are using and information about sites that IP address has come from, the pages accessed on our site and the next site visited. We use the information to maintain, secure and improve our websites and to enhance your experience when using them. In relation to Google Analytics you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.

Social Networking Services

We use social networking services such as Twitter, Facebook and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies.

Email lists

We collect your email and, if you provide it, other contact details when you subscribe to our email lists. We only use this information for the purpose of sending you regular updates on the activities of the OAIC, and to administer the lists.

Electronic forms

The OAIC uses the Australian Government’s SmartForms service to enable you to lodge a complaint, application or enquiry online. When you submit one of these forms it is sent to an Australian location managed by the Department of Industry where it is encrypted and stored in a secure environment until we download it. Once we download the form, it is deleted from that location.

Back to Contents


Common situations in which we disclose information are detailed below.

Complaints and reviews

If you make a privacy or FOI complaint, or apply for an FOI review, we will usually give a copy of the complaint or application to the respondent and, where relevant, affected third parties.

If a complainant or applicant requests that only limited information is disclosed to the respondent, we may not have enough information to be able to fairly proceed with the matter. The respondent must have sufficient information to respond to the matter in a meaningful way.

Review of OAIC decisions

We may disclose personal information to another review body if a complainant, applicant or respondent seeks an external review of the OAIC’s decision or makes a complaint to the Commonwealth Ombudsman.

Publication of decisions and reports

Generally, before we publish decisions, determinations or reports (on the OAIC website and on the Australasian Legal Information Institute website) we will ask if you do not want your name published.

Disclosure to the media

We only provide the media with personal information relating to a complaint if you have consented, or where the issue is already publically available.

Disclosure to service providers

The OAIC uses a number of service providers to whom we disclose personal information. These include providers that host our website servers, manage our IT and manage our human resources information.

To protect the personal information we disclose we:

  • enter into a contract or MOU which requires the service provider to only use or disclose the information for the purposes of the contract or MOU
  • include special privacy requirements in the contract or MOU, where necessary.

Disclosure of sensitive information

We only disclose your sensitive information for the purposes for which you gave it to us or for directly related purposes you would reasonably expect or if you agree.

Disclosure of personal information overseas

Generally we only disclose personal information overseas so that we can properly handle the complaint or application. For example, if:

  • the respondent to a complaint is based overseas
  • an Australian-based respondent is a related body corporate to an overseas company
  • you have complained to an overseas entity and the OAIC about the same or a related matter.

Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries. For further information see Google Data Centers and Google Locations.

When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Back to Contents

Quality of personal information

To ensure that the personal information we collect is accurate, up-to-date and complete we:

  • record information in a consistent format
  • where necessary, confirm the accuracy of information we collect from a third party or a public source
  • promptly add updated or new personal information to existing records
  • regularly audit our contact lists to check their accuracy.

We also review the quality of personal information before we use or disclose it.

Back to Contents

Storage and security of personal information

We take steps to protect the security of the personal information we hold from both internal and external threats by:

  • regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure that information
  • taking measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to
  • conducting regular internal and external audits to assess whether we have adequately complied with or implemented these measures.

For further information on the way we manage security risks in relation to personal information we hold see our supplementary material on information technology security practices, below.

We destroy personal information in a secure manner when we no longer need it. For example, we generally destroy complaint records after three years, in accordance with the OAIC’s Records Disposal Authority.

Back to Contents

Accessing and correcting your personal information

Under the Privacy Act (Australian Privacy Principles 12 and 13) you have the right to ask for access to personal information that we hold about you, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.

We will ask you to verify your identity before we give you access to your information or correct it, and we will try to make the process as simple as possible. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.

If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.

If we refuse to correct your personal information, you can ask us to associate with it (for example, attach or link) a statement that you believe the information is incorrect and why.

You also have the right under the FOI Act to request access to documents that we hold and ask for information that we hold about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see Freedom of information requests to the OAIC.

Back to Contents

How to make a complaint

If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.

If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.

If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

We will assess and handle complaints about the conduct of an OAIC officer using the APS Values and Code of Conduct and the guidelines issued by the Australian Public Service Commission.

We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.

If you are not satisfied with our response you may ask for a review by a more senior officer within the OAIC (if that has not already happened) or you can complain to the Commonwealth Ombudsman. For further information see our Internal complaint handling and reconsideration of decisions policy.

Back to Contents

How to contact us

You can contact us by:


Telephone: 1300 363 992 (from overseas +61 2 9284 9749)

Assisted Contact:

National Relay Service:

  • TTY users phone 133 677 then ask for 1300 363 992.
  • Speak and Listen users phone 1300 555 727 then ask for 1300 363 992.
  • Internet relay users connect to the NRS then ask for 1300 363 992.

Translating and Interpreting Service: 131 450 then ask for 1300 363 992.

Apart from the local call cost these are free services for you.

Post: GPO Box 5218, Sydney NSW 2001.

Facsimile: +61 2 9284 9666.

Back to Contents

Supplementary material

OAIC information technology security practices

Under a Memorandum of Understanding (MOU) the Australian Human Rights Commission (the AHRC) provides information technology services to the OAIC. The AHRC is responsible for the safe keeping and maintenance of OAIC material in its custody and control. All of this material is stored in Australia.

In providing information technology services to the OAIC, the AHRC follows Commonwealth and industry best practice in ICT Security Management, including:

Commonwealth Protective Security Policy Framework , V1.2, January 2011

Defence Signals Directorate Information Security Manual, June 2011

ISO/AS/NZS 31000: 2009 – Risk Management – Principles and Guidelines

ISO/IEC 27001:2005 – Information Technology – Security Techniques – Information Security Management Systems – Requirements.

Back to Contents

This page makes up a part of the OAIC Information Publication Scheme IPS