The Privacy Act 1988(Privacy Act) requires entities bound by the Australian Privacy Principles (APPs) to have a privacy policy. This privacy policy outlines the personal information handling practices of the Office of the Australian Information Commissioner (OAIC). The OAIC also has a summary privacy policy.
This policy is written in simple language. The legal obligations of the OAIC as an Australian Government agency in respect of collecting and handling personal information are outlined in the Privacy Act and, in particular, in the Australian Privacy Principles (APPs), found in Schedule 1 of that Act. The OAIC, as an Australian Government agency, also has privacy obligations under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Privacy Code).
The OAIC will update this privacy policy when its information handling practices change. Updates will be publicised on the OAIC website and to staff through its ‘all staff’ email communications.
Some of these powers, functions and duties include:
The OAIC also collects, uses, discloses and holds personal information to carry out certain business functions, such as assessing suitable candidates for career opportunities within the OAIC.
The OAIC also collects sensitive information. The Privacy Act defines ‘sensitive information’ as:
that is also personal information; or
Sometimes the OAIC may need to collect sensitive information about you to, for example, handle a complaint.
The OAIC aims to only collect the personal or sensitive information it requires to carry out its powers, functions, and duties in any given instance.
The main way the OAIC collects personal information about you is when you provide it. For example, the OAIC collects personal information such as contact details when you make a complaint or request an Information Commissioner (IC) review, make an information access request or a data breach notification, respond to a survey, make a job vacancy application or lodge a report.
The OAIC may also collect information from you when it investigates or reviews a privacy, FOI or CDR matter.
The OAIC may also collect your contact details and other personal information, where relevant, if you are on an OAIC committee or are participating in a meeting or in consultation with it.
The OAIC may collect personal information about you, including sensitive information, indirectly from publicly available sources or from third parties such as:
The OAIC would ordinarily collect your personal information in this way to, for example:
Individuals have the option to interact with the OAIC anonymously or using a pseudonym, where reasonably possible. For example, if you contact the OAIC enquiries line with a general question, you will not be asked for your name unless it is required to adequately handle your enquiry.
However, for most of your interactions with the OAIC your name, contact information and enough information about the particular matter will be required to enable the OAIC to deal with the matter fairly and efficiently.
The OAIC’s public website, www.oaic.gov.au, is hosted in Australia. There are a number of ways in which the OAIC collects information through its website, including via numerous online tools:
The OAIC uses Google Analytics as a website analytics tool to collect data about how you interact with the OAIC website, including:
This information will not ordinarily be personal information, because you will not be identified, or reasonably identifiable from it.
The OAIC uses Google reCAPTCHA (version 2) as a means to eliminate spam attacks and to be able to distinguish users from bots. The tool may collect data about how you interact with the website’s smart forms, including:
This information will be stored on Google’s servers outside of Australia. Content that you enter in the OAIC’s web forms will not be collected through the use of this tool.
The OAIC uses Vision6 to manage its mailing lists and event registrations. View Vision6’s privacy policy.
The OAIC collects personal information, such as contact details, that you provide to it when signing up to the OAIC’s mailing lists, registering for events or submitting feedback on your experience with the OAIC website.
Information about you is also collected by the OAIC when you open, click on links or download any image in an email sent to you via an OAIC mailing list. The information collected includes:
The OAIC collects information, including personal information such as contact information, that you provide to it when registering to attend its events.
The OAIC uses TryBooking to manage event registrations. You can access TryBooking’s privacy policy here. When registering for an event, you may be required to give TryBooking personal information including your name, address, telephone number and email address. You may also be required to provide financial information, including credit card number and expiration date, if you make a payment for an event. TryBooking may share with the OAIC some of your personal information, including information about whether a particular registered individual has made payment. The OAIC does not receive, collect or hold any of your financial information via TryBooking.
The OAIC uses Qualtrics XM to conduct surveys and may collect certain personal information you provide in your survey responses, such as your name, email, job role, place of work and other information that may be relevant in the context of particular surveys. Qualtrics XM’s privacy statement is available here.
The OAIC uses YouTube to host videos which are embedded on its website. Such embedded videos ordinarily use YouTube’s Privacy Enhanced Mode, which prevents the use of views of embedded video content from influencing your browsing experience in general, or from personalising your YouTube browsing experience specifically. Additionally, if ads are served on a video, those ads will be non-personalised, and the view of that video will not be used to personalise advertising shown to you outside of the site.
When you play an embedded video from the OAIC’s website, the video and associated assets will load from the domain www.youtube-nocookie.com, and other domains associated with the YouTube player.
YouTube collects information about user activity including videos watched and interactions with content and ads. This information is not made available to the OAIC and is instead handled in accordance with the YouTube privacy policy.
Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to improve your website user experience.
Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing the OAIC website. Please note however, that some data may still be collected separately by tools such as Google Analytics, even though you may have set your browser preferences to reject all cookies.
The information collected about you using cookies will not ordinarily be your personal information, because you will not be identified or reasonably identifiable to the OAIC from it.
The OAIC uses Twitter, Facebook, Instagram, YouTube and LinkedIn to communicate with the public about its work. When you communicate with the OAIC using these services, the OAIC collects the personal information you provide to it by engaging in that communication.
Twitter, Facebook, Instagram, YouTube and LinkedIn each have their own privacy policies.
The OAIC uses the Australian Government’s SmartForm service to enable you to, for example, lodge a privacy complaint, application, data breach notification, enquiry or apply for a job. The OAIC collects personal information that you provide to it in the course of using SmartForms.
The SmartForm service is currently provided by the Department of Industry, Science and Resources (and up to 15 July 2024). Further information about the SmartForms services can be found here.
The OAIC uses web forms to enable you to, for example, lodge a privacy, Digital ID or FOI complaint, application, review, data breach notification, enquiry or request to opt-in to the Privacy Act. The OAIC collects personal information that you provide to it in the course of using web forms.
Web Forms are hosted under MOU by Department of Education and Workplace Relations on behalf of the OAIC.
The OAIC collects the information you provide to it, including your personal information, using the webforms made available on the CDR website for CDR enquiries, reports and complaints. When you save and submit these forms, the user credentials are encrypted and stored in a secure server located in Australia and controlled by the OAIC.
The OAIC usually uses your personal information for the purpose for which it was collected.
This ordinarily includes to:
Some examples of where the OAIC uses your personal information for the purpose of exercising its powers or performing its functions or duties are as follows:
The OAIC collects your information using its various analytics tools and survey platforms, namely:
This information will not ordinarily be your personal information, because you will not generally be identified or reasonably identifiable to the OAIC from it.
To the extent that information collected by those tools is personal information, it will be de-identified and used for analytics, business improvement and reporting purposes. This information needs to be collected in order to communicate with you regarding events, services or content you subscribe to, as well as to be able to improve our services and content for you.
The OAIC collects your personal information when you provide it via a job application including, where relevant, your:
This personal information will ordinarily be used to assess your job application. This assessment process may include the use of the Document Verification Service (DVS) through the Attorney-General’s Department (AGD) user interface to electronically verify proof of identity (POI) documents, such as birth certificates or passports, provided by you during the recruitment process.
The Document Verification Service process involves checking, via a secure communications pathway, whether the identification information you have provided matches the original record.
The OAIC will only disclose identity documents to the DVS where you have provided your written consent for this to occur. The AGD will not retain any documents provided to it by the OAIC once the verification process is complete. The DVS process does not involve facial recognition technology.
The OAIC is required to report DVS related security incidents to the DVS Operations Manager at the AGD. Personal information may be used and disclosed for this purpose only where necessary, including where there has been a suspected or actual security breach.
The OAIC collects information about your interactions with the OAIC website using cookies.
Information collected about your interactions with the OAIC website via cookies is used by the OAIC to improve your website user experience.
The OAIC may, in certain circumstances, use your personal and sensitive information for a different purpose to that for which it was collected.
One secondary use of your personal information by the OAIC is report generation by way of the OAIC Data Warehouse.
The OAIC Data Warehouse is part of the OAIC business intelligence system, which is a technology-driven framework that analyses data for the purposes of delivering actionable reports and information to help executives make informed decisions. It draws information, including personal information, from the OAIC’s various information repositories into a single database and arranges the information in such a way that it is readily usable for several business intelligence functions, including the creation of internal reports, internal alerts and external reports.
Internal reports usually utilise case attributes (e.g. type of interaction, date of interaction being made and date of interaction being resolved) about your interactions with the OAIC (e.g. making a report or enquiry) to produce statistical reports about how the OAIC operates. These reports are usually then used for business improvement.
Where appropriate, the OAIC may use personal information it holds to generate internal alerts using the OAIC Data Warehouse and its business intelligence system. These alerts may take a number of forms, including text messages to staff phones and emails, however they are ordinarily generated for staff safety. The alerts may concern notifications on office closure, Information and Communications Technology power outages, office evacuations, and health and safety concerns.
Sometimes the OAIC may need to use your sensitive information. The OAIC will generally only use your sensitive information with your consent.
There are some limited exceptions that permit use of sensitive information for a secondary purpose without your consent, including where it is required or authorised by or under law, or where a permitted general situation exists, such as where the entity reasonably believes that the use is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public.
The OAIC discloses personal information for purposes other than the purpose for which personal information was collected in certain circumstances. These include:
The OAIC is required by law to produce certain external reports, usually for government oversight of its activities. The OAIC may use your personal information to generate these reports, usually by way of the OAIC Data Warehouse and its business intelligence system, however, your personal information will be in the form of either aggregated data that does not identify you or will be de-identified before release of such reports.
Under the Privacy Act the OAIC may share your personal information in certain circumstances where it has acquired your personal information in the course of exercising powers or performing functions or duties under the Privacy Act (e.g., in response to a request for information under section 44 of the Privacy Act).
The OAIC may share information or documents containing your personal information with another entity (a receiving body) under section 33A of that Act if certain conditions are met. These conditions include where:
Sharing under section 33A may occur where the OAIC holds information, including personal information, which could assist another regulatory body in conducting an investigation in the course of performing its functions.
Subject to certain mandatory considerations, the OAIC may share information or documents containing your personal information with other entities or the public under section 33B of that Act if it is in the public interest to do so.
If you make a privacy, FOI, Digital ID or CDR complaint, or apply for an FOI IC review, the OAIC will usually give a copy of the complaint or application to the respondent and, where relevant, affected third parties, in circumstances where a requirement to afford procedural fairness arises.
If you notify the OAIC about a data breach then the OAIC will not disclose personal information about you provided to it via that notification unless you agree, or would reasonably expect, the OAIC to do so. If the breach relates to the My Health Records Act, the OAIC may disclose your personal information to the My Health Records System Operator under section 73A of that Act.
The OAIC may disclose personal information to another review body, if a complainant, applicant or respondent seeks an external review of the OAIC’s decision or makes a complaint about the OAIC’s practices, for example the Commonwealth Ombudsman, or the Australian Human Rights Commission.
Generally, when the OAIC publishes decisions, determinations or reports (on the OAIC website and on the Australasian Legal Information Institute website), if you are a party who is an individual, the OAIC will not publish your name unless you ask for it to be published.
The OAIC may also publish other information about cases that it has resolved without a formal decision.
Subject to any circumstances under which the OAIC may disclose information in accordance with its information sharing powers, the OAIC generally only provides the media with personal information relating to a complaint if you have agreed for it to do so.
As part of the OAIC’s CDR functions, the OAIC may disclose personal information contained in enquiries or complaints to the ACCC in its capacity as a co-regulator of the CDR Scheme under section 50 of the Privacy Act.
The OAIC may also transfer CDR complaints directly to EDR schemes in accordance with that section. The OAIC will notify you where this occurs.
Generally, the OAIC only discloses personal information overseas so that it can properly handle a complaint or application. For example, if:
When you communicate with the OAIC through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
Certain tools, such as Google Analytics and Google reCAPTCHA will require data collected by these tools to be sent overseas and stored on Google’s servers. Google’s Cloud Data Processing Addendum provides that when collecting, using and storing data, it will comply with applicable laws, including Australian privacy laws.
Sometimes the OAIC may need to disclose your sensitive information. The OAIC will generally only disclose your sensitive information with your consent.
There are some limited exceptions that permit disclosure of sensitive information for a secondary purpose without your consent, including where it is required or authorised by or under law, or where a permitted general situation exists, such as where the entity reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public.
To ensure that the personal information the OAIC collects is accurate, up-to-date and complete, the OAIC:
The OAIC also reviews the quality of personal information before it uses or discloses it.
All personal information collected digitally by the OAIC is held on servers located in Australia. The OAIC retains effective control over any personal information held on those servers.
Some data collected by tools such as Google Analytics and Google reCAPTCHA will be stored on cloud-based servers located across North America, Europe, South America and Asia. Data may be de-identified and anonymised so that individuals cannot be identified or re-identified from the data before such data is sent overseas for storage. When data is not de-identified or anonymised, it will be stored and handled in a way that complies with Australian privacy laws.
Hard copy documents are generally held on site, in a mixture of tambours, locked cabinets, and safes, depending on the nature of the document.
The Department of Employment and Workplace Relations (DEWR) provides information technology services to the OAIC, including the provision of servers on which the OAIC stores much of the personal information it holds.
In providing information technology services to the OAIC, DEWR as well as the OAIC must comply with mandatory security policies which set out the Australian Government’s requirements for protective security and information security practices across government.
For the list of mandatory requirements that cover governance, personnel, information and physical security, please visit the Protective Security Policy Framework website.
In addition to Information and Communications Technology (ICT) security and physical security measures, the OAIC takes reasonable steps to protect the security of the personal information it holds from both internal and external threats through access security and monitoring controls, including:
The OAIC is required to maintain a Privacy Impact Assessment Register in accordance with section 15(1) of the Privacy Code. These privacy impact assessments, as well as the OAIC’s privacy threshold assessments can be found on the OAIC’s PIA Register here.
The OAIC destroys personal information in a secure manner or takes steps to de-identify personal information it holds when it is no longer needed and when it is lawfully authorised or required to do so.
The storage of personal information held by the OAIC which is contained in a Commonwealth record is subject to the requirements of the Archives Act 1983, the OAIC’s Records Disposal Authority and the OAIC’s normal administrative practice (NAP). For example, the OAIC generally destroys complaint records after three years, in accordance with the OAIC’s Records Disposal Authority.
The OAIC stores personal information collected or created for human resources purposes (human resources information), including:
The OAIC uses a SAP software solution provided by the Shared Delivery Office (SDO) and hosted on DEWR servers within Australia. The SDO is part of the Department of Finance (DOF).
The OAIC has entered memorandums of understanding with both DEWR and DOF to ensure it maintains control of and secures human resources information stored under this arrangement.
Under APPs 12 and 13, you have the right to ask for access to personal information that the OAIC holds about you, and to ask that it be corrected. You can ask for access or correction by contacting the OAIC. Once contacted, the OAIC must respond to you in relation to your request within 30 days. The OAIC will aim to make its decision about your request as soon as practicable.
If you ask, the OAIC must give you access to your personal information and take reasonable steps to correct it if the OAIC considers it is incorrect, unless there is a law that allows or authorises or requires the OAIC not to.
Upon a request for access or correction being made, the OAIC will ask you to verify your identity before it gives you access to your information or the ability to correct it. The OAIC aims to make the process as simple as possible. If the OAIC refuses your access or correction request, it must notify you in writing setting out its reasons for doing so.
The steps appropriate to verify an individual’s identity will depend on the circumstances. The OAIC will seek the minimum amount of personal information needed to establish an individual’s identity. For example, during a telephone contact it may be adequate for the OAIC to request information like your name and date of birth for that information to be checked against its records.
If the OAIC makes a correction about information it has already disclosed to others, you can ask the OAIC to tell them about the correction. The OAIC must do so unless there is a valid reason not to.
If the OAIC refuses to correct your personal information, you can ask it to associate (for example, attach or link) a statement with your personal information, to the effect that you believe the information is incorrect and why.
You may follow the above process if you wish to access or correct personal information about you collected by third party providers, such as Google through use of the reCAPTCHA tool, by sending a request to the OAIC.
You also have the right under the FOI Act to request access to documents that the OAIC holds and to ask for information that the OAIC holds about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see the Access the OAIC information page on the OAIC website or see the OAIC contact details below.
If you wish to complain to the OAIC about how it has handled your personal information you should first complain to the OAIC in writing. If you need help lodging a complaint, you can contact the OAIC for assistance - see ‘How to contact the OAIC’ below.
If the OAIC receives a complaint from you about how it has handled your personal information, the OAIC will determine what action (if any) should be taken to resolve the complaint.
If the OAIC decides that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
The OAIC will assess and handle complaints about the conduct of an OAIC officer using the APS Values, Code of Conduct and the guidelines issued by the Australian Public Service Commission.
If you are dissatisfied with the outcome of the complaint or the way in which the complaint was handled, then you may contact the Commonwealth Ombudsman (https://www.ombudsman.gov.au/) for advice about your complaint, or lodge a complaint under s 36 of the Privacy Act with the regulatory arm of the OAIC, to complain about the OAIC’s information handling practices as an agency.
If you would like to make an enquiry or complaint about how the OAIC has handled your personal information, or if you wish to request access or correction to your personal information, or you have questions or comments about this privacy policy, please email legal@oaic.gov.au.
You may also write to:
Privacy Officer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2000
The OAIC may update this privacy policy from time to time. Revised versions of the OAIC privacy policy will be posted here. The OAIC will notify you by other means (for example, by placing a notice on its website) if it makes material changes to this policy.
This privacy policy is effective as of 3 July 2024.