Last updated: 21 March 2024

About this policy

The Privacy Act 1988 (Privacy Act) requires entities bound by the Australian Privacy Principles (APPs) to have a privacy policy. This privacy policy outlines the personal information handling practices of the Office of the Australian Information Commissioner (OAIC). The OAIC also has a summary privacy policy.

This policy is written in simple language. The legal obligations of the OAIC as an Australian Government agency in respect of collecting and handling personal information are outlined in the Privacy Act and, in particular, in the Australian Privacy Principles (APPs), found in Schedule 1 of that Act. The OAIC, as an Australian Government agency, also has privacy obligations under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Privacy Code).

The OAIC will update this privacy policy when its information handling practices change. Updates will be publicised on the OAIC website and to staff through its ‘all staff’ email communications.

Overview

The OAIC collects, uses, discloses and holds personal information to exercise its powers and perform its functions under the Australian Information Commissioner Act 2010, Privacy Act, Freedom of Information Act 1982 (FOI Act), My Health Records Act 2012 (My Health Records Act), Competition and Consumer Act 2010 (CC Act) and other legislation that confers powers, functions or duties on the OAIC.

Some of these powers, functions and duties include:

  • handling privacy and freedom of information (FOI) complaints, FOI reviews, and Consumer Data Right (CDR) complaints;
  • taking regulatory action under the Privacy Act, FOI Act, and CC Act;
  • providing advice on privacy, FOI, CDR and information policy issues;
  • consulting with stakeholders, for example, on privacy, FOI or CDR guidance;
  • maintaining registers, such as organisations that have opted-in to Privacy Act coverage;
  • responding to access to information requests;
  • communicating with the public, stakeholders and the media including through websites and social media; and
  • information sharing with other entities or the public where it is lawful to do so.

The OAIC also collects, uses, discloses and holds personal information to carry out certain business functions, such as assessing suitable candidates for career opportunities within the OAIC.

Collection of sensitive information

The OAIC also collects sensitive information. The Privacy Act defines ‘sensitive information’ as:

  1. information or an opinion about an individual’s:
    1. racial or ethnic origin; or
    2. political opinions; or
    3. membership of a political association; or
    4. religious beliefs or affiliations; or
    5. philosophical beliefs; or
    6. membership of a professional or trade association; or
    7. membership of a trade union; or
    8. sexual orientation or practices; or
    9. criminal record;

that is also personal information; or

  2. health information about an individual; or
  3. genetic information about an individual that is not otherwise health information; or
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  5. biometric templates.

Sometimes the OAIC may need to collect sensitive information about you to, for example, handle a complaint.

Collection of your personal information

The OAIC aims to only collect the personal or sensitive information it requires to carry out its powers, functions, and duties in any given instance.

The main way the OAIC collects personal information about you is when you provide it. For example, the OAIC collects personal information, such as contact details, when you:

  • contact the OAIC to ask for information;
  • make a complaint about a privacy breach to the OAIC;
  • make a complaint about the way an agency has handled an FOI request or seek an Information Commissioner (IC) review of an FOI decision;
  • make a complaint about the way an entity has handled your CDR data under the CDR scheme;
  • ask for access to information the OAIC holds about you or other information about the OAIC’s operation;
  • notify the OAIC about a data breach;
  • complete an OAIC survey;
  • apply for a job vacancy at the OAIC; or
  • report a matter for investigation.

The OAIC may also collect information from you when it investigates or reviews a privacy, FOI or CDR matter.

The OAIC may also collect your contact details and other personal information, where relevant, if you are on an OAIC committee or are participating in a meeting or in consultation with it.

Indirect collection

The OAIC may collect personal information about you, including sensitive information, indirectly from publicly available sources or from third parties such as:

  • your authorised representative, if you have one;
  • applicants, complainants and respondents to a complaint, investigation, application or data breach notification, or those parties’ employees and witnesses; or
  • other government agencies, including State or Territory authorities, and alternative complaint bodies, where information sharing is permitted.

The OAIC would ordinarily collect your personal information in this way to, for example:

  • handle a complaint, data breach notification, review or investigation; or
  • contact stakeholders who may be interested in the work of the OAIC or participating in OAIC consultations.

Anonymity

Individuals have the option to interact with the OAIC anonymously or using a pseudonym, where reasonably possible. For example, if you contact the OAIC enquiries line with a general question, you will not be asked for your name unless it is required to adequately handle your enquiry.

However, for most of your interactions with the OAIC, your name, contact information and enough information about the particular matter will be required to enable the OAIC to deal with the matter fairly and efficiently.

Collecting through the OAIC website

The OAIC’s public website, www.oaic.gov.au, is hosted in Australia. There are a number of ways in which the OAIC collects information through its website, including via several online tools:

  • Google Analytics, a website analytics tool;
  • Vision6, a mailing list tool; and
  • TryBooking, an event management tool.

Google Analytics

The OAIC uses Google Analytics as a website analytics tool to collect data about how you interact with the OAIC website, including:

  • device IP address (collected and stored in an anonymised format);
  • search terms and pages visited on the OAIC website;
  • date and time when pages were accessed;
  • downloads, time spent on page and bounce rate;
  • referring domain and out link if applicable;
  • device type, operating system and browser information;
  • device screen size; and
  • geographic location (city).

This information will not ordinarily be personal information, because you will not be identified, or reasonably identifiable from it.

View Google Analytics’ privacy policy.

Mailing lists

The OAIC uses Vision6 to manage its mailing lists and event registrations. View Vision6’s privacy policy.

The OAIC collects personal information, such as contact details, that you provide to it when signing up to the OAIC’s mailing lists, registering for events or submitting feedback on your experience with the OAIC website.

Information about you is also collected by the OAIC when you open, click on links or download any image in an email sent to you via an OAIC mailing list. The information collected includes:

  • whether you opened an email sent to you via an OAIC mailing list;
  • which links you click in those emails;
  • your mail client (e.g. ‘Outlook 2016’ or ‘iPhone’);
  • if interactions with those emails occurred on a mobile or desktop environment; and
  • the country geolocation of your IP address (the IP address itself is not stored).

Event registrations

The OAIC collects information, including personal information such as contact information, that you provide to it when registering to attend its events.

The OAIC uses TryBooking to manage event registrations. You can access TryBooking’s privacy policy here. When registering for an event, you may be required to give TryBooking personal information including your name, address, telephone number and email address. You may also be required to provide financial information, including credit card number and expiration date, if you make a payment for an event. TryBooking may share with the OAIC some of your personal information, including information about whether a particular registered individual has made payment. The OAIC does not receive, collect or hold any of your financial information via TryBooking.

Surveys

The OAIC uses Qualtrics XM to conduct surveys and may collect certain personal information you provide in your survey responses, such as your name, email, job role, place of work and other information that may be relevant in the context of particular surveys. Qualtrics XM’s privacy statement is available here.

Embedded YouTube videos

The OAIC uses YouTube to host videos which are embedded on its website. Such embedded videos ordinarily use YouTube’s Privacy Enhanced Mode, which prevents views of embedded video content from influencing your browsing experience in general, or from personalising your YouTube browsing experience specifically. Additionally, if ads are served on a video, those ads will be non-personalised, and the view of that video will not be used to personalise advertising shown to you outside of the site.

When you play an embedded video from the OAIC’s website, the video and associated assets will load from the domain www.youtube-nocookie.com, and other domains associated with the YouTube player.

YouTube collects information about user activity including videos watched and interactions with content and ads. This information is not made available to the OAIC and is instead handled in accordance with the YouTube privacy policy.

Cookies

Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to improve your website user experience.

Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing the OAIC website. Please note however, that some data may still be collected separately by tools such as Google Analytics, even though you may have set your browser preferences to reject all cookies.

The information collected about you using cookies will not ordinarily be your personal information, because you will not be identified or reasonably identifiable to the OAIC from it.

Social networking services

The OAIC uses Twitter, Facebook, Instagram, YouTube and LinkedIn to communicate with the public about its work. When you communicate with the OAIC using these services, the OAIC collects the personal information you provide to it by engaging in that communication.

Twitter, Facebook, Instagram, YouTube and LinkedIn each have their own privacy policies.

SmartForm service

The OAIC uses the Australian Government’s SmartForm service to enable you to, for example, lodge a privacy complaint, application, data breach notification, enquiry or apply for a job. The OAIC collects personal information that you provide to it in the course of using SmartForms.

The SmartForm service is currently provided by the Department of Industry, Science and Resources (up to 30 June 2024). Further information about the SmartForm service can be found here.

CDR forms

The OAIC collects the information you provide to it, including your personal information, using the webforms made available on the CDR website for CDR enquiries, reports and complaints. When you save and submit these forms, the user credentials are encrypted and stored in a secure server located in Australia and controlled by the OAIC.

Use

Primary purpose uses

The OAIC usually uses your personal information for the purpose for which it was collected.

This ordinarily includes to:

  • exercise its powers or perform its functions and duties;
  • carry out analytics, business improvement and reporting; and
  • process job applications.

Powers, functions and duties of the OAIC

Some examples of where the OAIC uses your personal information for the purpose of exercising its powers or performing its functions or duties are as follows:

  • using information you provide in privacy and FOI complaints, IC reviews, and CDR complaints;
  • using your contact details to respond to you about your enquiries and access to information requests;
  • consulting with stakeholders, for example, on privacy, FOI or CDR guidance; and
  • communicating with the public, stakeholders and the media including through its website and social media.

Analytics, business improvement and reporting

The OAIC collects your information using its various analytics tools and survey platforms, namely:

  • Google Analytics;
  • Vision6; and
  • TryBooking.

This information will not ordinarily be your personal information, because you will not generally be identified or reasonably identifiable to the OAIC from it.

To the extent that information collected by those tools is personal information, it will be de-identified and used for analytics, business improvement and reporting purposes. This information needs to be collected in order to communicate with you regarding events, services or content you subscribe to, as well as to be able to improve our services and content for you.

Job applications

The OAIC collects your personal information when you provide it via a job application including, where relevant, your:

  • name;
  • address;
  • contact details; and
  • application documentation, including identification information.

This personal information will ordinarily be used to assess your job application. This assessment process may include the use of the Document Verification Service (DVS) through the Attorney-General’s Department (AGD) user interface to electronically verify proof of identity (POI) documents, such as birth certificates or passports, provided by you during the recruitment process.

DVS

The DVS process involves checking, via a secure communications pathway, whether the identification information you have provided matches the original record.

The OAIC will only disclose identity documents to the DVS where you have provided your written consent for this to occur. The AGD will not retain any documents provided to it by the OAIC once the verification process is complete. The DVS process does not involve facial recognition technology.

The OAIC is required to report DVS related security incidents to the DVS Operations Manager at the AGD. Personal information may be used and disclosed for this purpose only where necessary, including where there has been a suspected or actual security breach.

Cookies

The OAIC collects information about your interactions with the OAIC website using cookies.

Information collected about your interactions with the OAIC website via cookies is used by the OAIC to improve your website user experience.

Secondary purpose uses

The OAIC may, in certain circumstances, use your personal and sensitive information for a different purpose to that for which it was collected.

One secondary use of your personal information by the OAIC is report generation by way of the OAIC Data Warehouse.

The OAIC Data Warehouse is part of the OAIC business intelligence system, which is a technology-driven framework that analyses data for the purposes of delivering actionable reports and information to help executives make informed decisions. It draws information, including personal information, from the OAIC’s various information repositories into a single database and arranges the information in such a way that it is readily usable for several business intelligence functions, including the creation of internal reports, internal alerts and external reports.

Internal reports

Internal reports usually utilise case attributes (e.g. type of interaction, date of interaction being made and date of interaction being resolved) about your interactions with the OAIC (e.g. making a report or enquiry) to produce statistical reports about how the OAIC operates. These reports are usually then used for business improvement.

Internal alerts

Where appropriate, the OAIC may use personal information it holds to generate internal alerts using the OAIC Data Warehouse and its business intelligence system. These alerts may take a number of forms, including text messages to staff phones and emails; however, they are ordinarily generated for staff safety. The alerts may concern notifications on office closure, Information and Communications Technology power outages, office evacuations, and health and safety concerns.

Use of sensitive information

Sometimes the OAIC may need to use your sensitive information. The OAIC will generally only use your sensitive information with your consent.

There are some limited exceptions that permit use of sensitive information for a secondary purpose without your consent, including where it is required or authorised by or under law, or where a permitted general situation exists, like where the entity reasonably believes that the use is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public.

Disclosure

The OAIC discloses personal information for purposes other than the purpose for which personal information was collected in certain circumstances. These include:

  • where you have provided consent to disclosure for a secondary purpose
  • where the secondary disclosure of your personal information is authorised or required by or under law
  • where you would reasonably expect the OAIC to use it for that secondary purpose, and the information is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose
  • where a permitted general situation exists in relation to the use or disclosure of the information by the OAIC
  • where the OAIC believes the secondary disclosure is reasonably necessary for enforcement-related activities
  • to participate in merit or judicial review proceedings in tribunals or courts or to institute proceedings in courts
  • where the information is biometric information, or biometric templates, to be disclosed to an enforcement body in accordance with guidelines made by the Information Commissioner for these purposes.

Disclosure as required or authorised by law

External reporting

The OAIC is required by law to produce certain external reports, usually for government oversight of its activities. The OAIC may use your personal information to generate these reports, usually by way of the OAIC Data Warehouse and its business intelligence system, however, your personal information will be in the form of either aggregated data that does not identify you or will be de-identified before release of such reports.

Statutory information sharing

Under the Privacy Act the OAIC may share your personal information in certain circumstances where it has acquired your personal information in the course of exercising powers or performing functions or duties under the Privacy Act (e.g., in response to a request for information under section 44 of the Privacy Act).

The OAIC may share information or documents containing your personal information with another entity (a receiving body) under section 33A of that Act if certain conditions are met. These conditions include where:

  • sharing is for the purpose of the OAIC exercising powers, or performing functions or duties under the Privacy Act or for the purpose of the receiving body exercising its powers, or performing its functions or duties; and
  • the OAIC is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.

Sharing under section 33A may occur where the OAIC holds information, including personal information, which could assist another regulatory body in conducting an investigation in the course of performing its functions.

Subject to certain mandatory considerations, the OAIC may share information or documents containing your personal information with other entities or the public under section 33B of that Act if it is in the public interest to do so.

Complaints and reviews

If you make a privacy, FOI, or CDR complaint, or apply for an FOI IC review, the OAIC will usually give a copy of the complaint or application to the respondent and, where relevant, affected third parties, in circumstances where a requirement to afford procedural fairness arises.

Data breach notifications

If you notify the OAIC about a data breach, then the OAIC will not disclose personal information about you provided to it via that notification unless you agree, or would reasonably expect, the OAIC to do so. If the breach relates to the My Health Records Act, the OAIC may disclose your personal information to the My Health Records System Operator under section 73A of that Act.

Review of OAIC decisions

The OAIC may disclose personal information to another review body, if a complainant, applicant or respondent seeks an external review of the OAIC’s decision or makes a complaint about the OAIC’s practices, for example the Commonwealth Ombudsman, or the Australian Human Rights Commission.

Publication of decisions and reports

Generally, when the OAIC publishes decisions, determinations or reports (on the OAIC website and on the Australasian Legal Information Institute website), if you are a party who is an individual then the OAIC will not publish your name unless you ask for it to be published.

The OAIC may also publish other information about cases that it has resolved without a formal decision.

Disclosure to the media

Subject to any circumstances under which the OAIC may disclose information in accordance with its information sharing powers, the OAIC generally only provides the media with personal information relating to a complaint if you have agreed for it to do so.

CDR and EDR schemes

As part of the OAIC’s CDR functions, the OAIC may disclose personal information contained in enquiries or complaints to the ACCC in its capacity as a co-regulator of the CDR Scheme under section 50 of the Privacy Act.

The OAIC may also transfer CDR complaints directly to EDR schemes in accordance with that section. The OAIC will notify you where this occurs.

Disclosure of personal information overseas

Generally, the OAIC only discloses personal information overseas so that it can properly handle a complaint or application. For example, if:

  • the complainant or respondent to a complaint is based overseas;
  • an Australian-based respondent is a related body corporate to an overseas company;
  • you have complained to an overseas entity and the OAIC about the same or a related matter; or
  • the OAIC decides to exercise its statutory information sharing powers with an overseas entity.

When you communicate with the OAIC through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Disclosure of sensitive information

Sometimes the OAIC may need to disclose your sensitive information. The OAIC will generally only disclose your sensitive information with your consent.

There are some limited exceptions that permit disclosure of sensitive information for a secondary purpose without your consent, including where it is required or authorised by or under law, or where a permitted general situation exists, like where the entity reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public.

Quality of personal information

To ensure that the personal information the OAIC collects is accurate, up-to-date and complete, the OAIC:

  • records information in a consistent format;
  • where necessary, confirms the accuracy of information it collects from a third party or a public source;
  • promptly adds updated or new personal information to existing records; and
  • audits its contact lists to check their accuracy from time to time and where necessary.

The OAIC also reviews the quality of personal information before it uses or discloses it.

Storage and security of personal information

General storage and security

All personal information collected digitally by the OAIC is held on servers located in Australia. The OAIC retains effective control over any personal information held on those servers.

Some data collected by tools such as Google Analytics will be stored in cloud-based servers in the United States. Data will be de-identified and anonymised so that individuals cannot be identified or re-identified from the data, before such data is sent overseas for storage.

Hard copy documents are generally held on site, in a mixture of tambours, locked cabinets, and safes, depending on the nature of the document.

OAIC information technology security practices

Department of Employment and Workplace Relations (DEWR) provides information technology services to the OAIC, including the provision of servers on which the OAIC stores much of the personal information it holds.

In providing information technology services to the OAIC, DEWR as well as the OAIC must comply with mandatory security policies which set out the Australian Government’s requirements for protective security and information security practices across government.

For the list of mandatory requirements that cover governance, personnel, information and physical security, please visit the Protective Security Policy Framework website.

Reasonable steps to protect personal information

In addition to Information and Communications Technology (ICT) security and physical security measures, the OAIC takes reasonable steps to protect the security of the personal information it holds from both internal and external threats through access security and monitoring controls, including:

  • regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information;
  • taking measures to address those risks, for example, by keeping a record (audit trail) of when someone has added, changed or deleted personal information held in the OAIC’s electronic databases and regularly checking that staff only access those records they are permitted to and when they need to;
  • conducting regular internal and external audits to assess whether the OAIC has adequately complied with or implemented these measures;
  • implementing and regularly updating the OAIC’s data breach response plan to ensure that the OAIC meets its obligations under the notifiable data breach (NDB) scheme under the Privacy Act; and
  • undertaking privacy impact assessments when information handling practices change, or new practices are introduced.

The OAIC is required to maintain a Privacy Impact Assessment Register in accordance with section 15(1) of the Privacy Code. These privacy impact assessments, as well as the OAIC’s privacy threshold assessments can be found on the OAIC’s PIA Register here.

Destruction/deletion of personal information

The OAIC destroys personal information in a secure manner or takes steps to de-identify personal information it holds when it is no longer needed and when it is lawfully authorised or required to do so.

The storage of personal information held by the OAIC which is contained in a Commonwealth record is subject to the requirements of the Archives Act 1983, the OAIC’s Records Disposal Authority and the OAIC’s normal administrative practice (NAP). For example, the OAIC generally destroys complaint records after three years, in accordance with the OAIC’s Records Disposal Authority.

Human resources information

The OAIC stores personal information collected or created for human resources purposes (human resources information), including:

  • job application information
  • information it generates about staff performance
  • pay, superannuation and tax information
  • Australian Public Service (APS) Employment Database data for the APS Commission, and
  • diversity information, including age, sexual orientation, ethnicity, employment history information, code and investigation history and medical certificates.

The OAIC uses a SAP software solution provided by the Shared Delivery Office (SDO) and hosted on DEWR servers within Australia. The SDO is part of the Department of Finance (DOF).

The OAIC has entered memorandums of understanding with both DEWR and DOF to ensure it maintains control of and secures human resources information stored under this arrangement.

Accessing and correcting your personal information

Under APPs 12 and 13, you have the right to ask for access to personal information that the OAIC holds about you, and to ask that it is corrected. You can ask for access or correction by contacting the OAIC. Once contacted, the OAIC must respond to you in relation to your request within 30 days. The OAIC will aim to make its decision about your request as soon as practicable.

If you ask, the OAIC must give you access to your personal information and take reasonable steps to correct it if the OAIC considers it is incorrect, unless there is a law that allows or authorises or requires the OAIC not to.

Upon a request for access or correction being made, the OAIC will ask you to verify your identity before it gives you access to your information or the ability to correct it. The OAIC aims to make the process as simple as possible. If the OAIC refuses your access or correction request, it must notify you in writing setting out its reasons for doing so.

The steps appropriate to verify an individual’s identity will depend on the circumstances. The OAIC will seek the minimum amount of personal information needed to establish an individual’s identity. For example, during a telephone contact it may be adequate for the OAIC to request information like your name and date of birth for that information to be checked against its records.

If the OAIC makes a correction about information it has already disclosed to others, you can ask the OAIC to tell them about the correction. The OAIC must do so unless there is a valid reason not to.

If the OAIC refuses to correct your personal information, you can ask it to associate (for example, attach or link) a statement with your personal information,  to the effect that you believe the information is incorrect and why.

You also have the right under the FOI Act to request access to documents that the OAIC holds and ask for information that the OAIC holds about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see the Access the OAIC information page on the OAIC website or see the OAIC contact details below.

How to make a complaint

If you wish to complain to the OAIC about how it has handled your personal information, you should first complain to the OAIC in writing. If you need help lodging a complaint, you can contact the OAIC for assistance; see ‘How to contact the OAIC’ below.

If the OAIC receives a complaint from you about how it has handled your personal information, the OAIC will determine what action (if any) should be taken to resolve the complaint.

If the OAIC decides that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

The OAIC will assess and handle complaints about the conduct of an OAIC officer using the APS Values, Code of Conduct and the guidelines issued by the Australian Public Service Commission.

If you are dissatisfied with the outcome of the complaint or the way in which the complaint was handled, then you may contact the Commonwealth Ombudsman (https://www.ombudsman.gov.au/) for advice about your complaint, or lodge a complaint under s 36 of the Privacy Act with the regulatory arm of the OAIC, to complain about the OAIC’s information handling practices as an agency.

Contact the OAIC

If you would like to make an enquiry or complaint about how the OAIC has handled your personal information, or if you wish to request access or correction to your personal information, or you have questions or comments about this privacy policy, please email legal@oaic.gov.au.

You may also write to:

Privacy Officer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2000

Privacy Policy Update

The OAIC may update this privacy policy from time to time. Revised versions of the OAIC privacy policy will be posted here. The OAIC will notify you by other means (for example, by placing a notice on its website) if it makes material changes to this policy.

This privacy policy is effective as of 21 March 2024.