This summary sets out the key points about how the Office of the Australian Information Commissioner (OAIC) handles personal information.
We collect, hold, use and disclose personal information to carry out our functions or activities under the Australian Information Commissioner Act 2010 (AIC Act), the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act).
Collection of your personal information
We usually collect personal information (including sensitive information) from you or your authorised representative when we are handling privacy and freedom of information (FOI) complaints and FOI reviews or taking other regulatory action under the Privacy or FOI Acts. We will also collect your personal information when you apply for a job at the OAIC, notify the OAIC about a data breach or report a matter for investigation.
We sometimes collect personal information from a third party or a publicly available source to enable us to deal with a complaint or review application or to communicate with the public and stakeholders.
We also collect personal information through our websites and social networking services such as Facebook and Twitter. We use this information to improve our website and receive feedback from the community.
We use Vision6 to manage our mailing lists and event registrations. When subscribing to one of our mailing lists, you will be asked to give your express consent that Vision6 may use your data for analytics purposes. We also use TryBooking to manage our event registrations.
The OAIC uses the Australian Government’s SmartForm service to enable you to lodge a complaint, application, data breach notification, enquiry or apply for a job. When you save or submit a form using this service, the information is encrypted and stored in a secure server controlled by the Department of Industry, Innovation and Science (DIIS) until we download it. In very limited circumstances, DIIS may be able to view your information when there is a technical issue that requires investigation (DIIS must seek our permission to do so).
To ensure fairness, we disclose relevant information about the details of your complaint or review application to the respondent and, where relevant, affected third parties.
We may also disclose personal information:
- to another review body if a complainant, applicant or respondent seeks an external review of the OAIC’s decision
- to the My Health Records Systems Operator if you notify the OAIC about a data breach that relates to the My Health Records Act.
- to other regulators or external dispute resolution schemes (generally only if you agree and where the information will assist investigation of a matter)
- to service providers (like those that host our website servers, manage our IT and manage our human resources information)
We don’t disclose sensitive information about you unless you agree, or would reasonably expect us to.
Generally, we only disclose personal information overseas so that we can properly handle your complaint or application. As well, web traffic information we collect using Google Analytics may be stored overseas.
Accessing and correcting your personal information
If you ask, in most cases we must give you access to the personal information that we hold about you, and take reasonable steps to correct it if we consider it is incorrect. We will try to make the process as simple as possible.
How to make a complaint
You can complain to us in writing about how we have handled your personal information. We will respond to the complaint within 30 days.
You can find more information on our Privacy complaints web page.
How to contact us
Assisted contact options are also available.
Was this page helpful?
If you would like to provide more feedback, please email us at email@example.com