Last updated: 17 July 2024
Under the Australian Government Agencies Privacy Code we are required to list our privacy impact assessments (PIAs) in a register.
Date posted: 9 April 2024
Reference: D2024/009422
The PIA considers the privacy risks associated with the implementation of eRecruit, an online recruitment application tracking system that is used to advertise job vacancies and to manage candidate applications. The PIA was conducted at an early stage to assist in identifying privacy issues associated with the collection and storage of personal information in the system. Topics covered in this PIA include how the personal information will flow through the system, how the information may be updated and accessed by candidates, an assessment of compliance with the APPs, and recommendations to mitigate any privacy risks.
Date posted: 4 April 2024
Reference: D2024/009317
The PIA considers the privacy risks associated with the implementation and use of certain features of the tool, Resolve, as a case management system. The PIA was conducted to identify privacy issues with the ingestion, storage, use and disclosure of personal and sensitive information in connection with the Resolve platform. The PIA proposes recommendations to minimise and eradicate privacy impacts. It considers the flow of information, including access permissions to the data, managing and storing documents, and the use of data for reporting and analysis. Topics covered in this PIA include what types of information will be stored, how it will flow through the system, the types of users and their access permissions to the platform, an assessment of compliance with the APPs, and recommendations to mitigate any privacy risks.
Date posted: 13 May 2024
Reference: D2024/018061
The PIA considers the privacy risks associated with the implementation and use of the analytics tool that is being used to better understand interactions with the OAIC websites. The PIA was conducted to identify privacy issues associated with the information gathered in the form of metrics and statistics. The PIA proposes recommendations to minimise and eradicate any privacy impacts. It considers the types of information gathered, its use and storage. Topics covered in this PIA include what types of information will be gathered, whether there is any personal information involved, where it will be stored, and an assessment of compliance with the APPs along with recommendations to mitigate any privacy risks.
Date posted: 3 July 2024
Reference: D2024/020607
The PIA considers the privacy risks associated with the implementation and use of the tool that is being used to safeguard the OAIC from spam attacks through the websites’ forms. The PIA was conducted to identify privacy issues associated with the use of the tool. The PIA proposes recommendations to minimise and eradicate any privacy impacts. It considers the information flows and what types of information are gathered, if any, and their use and storage. Topics covered in this PIA include the information flows, whether there is any personal information involved and storage, and an assessment of compliance with the APPs along with recommendations to mitigate any privacy risks.
2023
Date posted: 2 November 2023
Reference: D2024/000352
The PTA considers privacy risks associated with the implementation and use of the Whispir service provided through Telstra, which is an online short-message-service (SMS) enabling push notifications to mobile phones.
The PTA was conducted to assess any privacy issues associated with the transfer of personal information into the Whispir portal. The PTA proposes including wording in the Privacy Policy on the use of privacy information and the provision of a privacy notice to individuals before their personal information is transferred to the Whispir portal.
Date posted: 8 November 2023
Reference: D2024/000356
The PTA considers privacy risks associated with the use of the web-based app, Infogram, that allows the creation of infographics and data visualisations to be integrated into web pages. The PTA was conducted to assess whether there were any privacy concerns from the use of the Infogram app.
Date posted: 2 November 2023
Reference: D2024/000351
The PTA considers privacy risks associated with the implementation and use of a platform that integrates with an internal learning management system, to create interactive content built in-house for use by staff. The PTA was conducted to assess if any personal information will be shared on the platform and the privacy issues.
Date posted: 21 December 2023
Reference: D2024/000359
The PTA considers privacy risks associated with the use of the CorpVote tools to conduct a confidential and formal ballot process. The PTA was conducted to assess the risks of sharing personal information via the tool and the privacy issues.
Topics included what personal information will be collected that is not already in the public domain (if any), and any recommendations to mitigate privacy impacts where relevant.
Date posted: 20/03/2023
Reference number: D2022/021932
This PIA considers privacy risks associated with the use of RightFax, a centralised, computer-based fax server solution that provides enterprise-grade faxing capabilities across an entire organization. RightFax integrates fax and document distribution with email, desktop, and enterprise applications, enabling secure fax exchange from customer relationship management (CRM), enterprise resource planning (ERP), electronic medical record (EMR), document management, and other business applications.
RightFax will replace the Office of the Australian Information Commissioner’s (OAIC) use of traditional faxes for sending and receiving information related to the OAIC’s work. RightFax will integrate with the OAIC’s existing email servers, active directories, network folders and multi-functional devices (MFD)/printers. RightFax utilises on-premises storage: faxes received and sent, activity and audit logs, and any associated metadata are stored on the OAIC IT infrastructure.
The OAIC will use RightFax to send and receive documents to and from complainants, respondents, third party advisors to the OAIC or either party, and other government agencies or departments (the Project). This may include sensitive information.
The OAIC’s Director of Corporate who oversees the ICT shared services arrangement is responsible for the Project’s implementation.
The PIA assesses any privacy risks to the OAIC posed by its use of OpenText RightFax, and any risks associated with the handling of personal and sensitive information by the OAIC for the Project.
Topics addressed in this PIA include how personal information will flow through the system and an assessment of compliance with the APPs.
Date posted: 20/03/2023
Reference number: D2022/026103
This PIA assesses the privacy impacts of using closed-circuit television (CCTV) cameras in the OAIC’s Sydney office.
This PIA assists in identifying privacy issues associated with using CCTV in the workplace, and proposes recommendations to minimise or eradicate any privacy impacts. This PIA considers the OAIC’s privacy policy, the OAIC’s internal practices, policies and procedures regarding the CCTV footage, and the management of the relevant CCTV footage.
Topics covered in this PIA include how personal information will flow through the CCTV system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy impacts.
Date posted: 31/03/2023
Reference number: D2023/007230
Date privacy threshold assessment completed: 25 January 2023
Outcome – PIA required? No
Date posted: 29/08/2023
Reference number: D2023/019291
Date privacy threshold assessment completed: 07/08/2022
Outcome – PIA required? No
Date posted: 10/10/2023
Reference: D2023/021802 approved.
The PIA considers privacy risks associated with the implementation and use of the OAIC data warehouse to produce internal and external reports and populate dashboards as part of the proposed use of a business intelligence system.
The PIA was conducted at an early stage of the data warehouse development to assist in identifying privacy issues associated with the transfer of personal information into the data warehouse, and in the data being extracted from the data warehouse. The PIA proposes recommendations to minimise or eradicate privacy impacts, and considers the flow of data, including the various data sources and data models used to organise and extract data, and the use of reporting tools.
Topics covered in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs, and recommendations to mitigate any privacy.
2022
Reference number: D2022/004943
Date privacy threshold assessment completed: 22/03/2022
Outcome – PIA required? No
Reference number: D2022/026115
Date privacy threshold assessment completed: 22/11/2022
Outcome – PIA required? No
Reference number: D2022/025364
Date privacy threshold assessment completed: 27/10/2022
Outcome – PIA required? No
Reference number: D2022/021522
Date privacy threshold assessment completed: 11/10/2022
Outcome – PIA required? No
2021
Reference number: D2021/015101
Date privacy threshold assessment completed: 14/09/2021
Outcome – PIA required? No
Reference number: D2021/015143
Date privacy threshold assessment completed: 30/08/2021
Outcome – PIA required? No
Reference number: D2021/013971
Date privacy threshold assessment completed: 26/08/2021
Outcome – PIA required? No
Reference number: D2021/010985
Date privacy threshold assessment completed: 9/07/2021
Outcome – PIA required? No
Date posted: 24/02/2021
Reference number: D2020/022528
This PIA considers privacy risks associated with the new joint OAIC and Australian Competition and Consumer Commission (ACCC) Complaint handling system for the Consumer Data Right (CDR) (the joint system).
The OAIC and the ACCC are co-regulators of the CDR. The OAIC enforces the Privacy Safeguards and privacy and confidentiality-related rules, and can investigate consumer complaints regarding the handling of their CDR data. The ACCC enforces the CDR Rules and data standards and carries out strategic enforcement.
To ensure the effective operation of the CDR and provide seamless handling of enquiries, reports and complaints between the agencies involved, the OAIC and ACCC apply a ‘no wrong door’ approach. To enable this approach, the OAIC has developed a joint complaint handling system, so that consumer enquiries, reports and complaints can be submitted through one channel, and then triaged appropriately to either the OAIC, the ACCC, or an external dispute resolution (EDR) scheme. Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth), together with amendments to the Australian Information Commissioner Act 2010 (Cth), provide information sharing powers for this purpose.
The PIA assesses any risks to individual privacy presented by the implementation of the joint system and makes recommendations to mitigate those risks.
Topics addressed in this PIA include how personal information will flow through the system, an assessment of compliance with the APPs and how consistent the system is with community expectations about privacy.
2020
Date posted: 29 May 2020
Reference number: D2020/005283
This PIA considers privacy risks associated with changes to working arrangements at the OAIC in response to the COVID-19 pandemic.
The PIA considers whether changes to physical working arrangements will impact on the handling of personal information, assesses potential privacy risks, and makes recommendations to mitigate those risks.
It addresses key topics including governance, culture and training, internal practices, procedures and systems, ICT security, access security, data breaches, physical security and stakeholder considerations.