We are bound by the provisions of the Privacy Act 1988 (the Privacy Act), including the Australian Privacy Principles. These principles set out standards, rights and obligations for how to handle and maintain people's personal information. The Australian Privacy Principles also set out individuals’ right to access or correct their own personal information.
Collecting personal information
We only collect personal information for purposes reasonably necessary for, or directly related to, our purpose, functions or activities.
Our purpose is to:
- review the findings of the Inspector-General of the Australian Defence Force Afghanistan Inquiry
- work with the Australian Federal Police (AFP) to investigate the commission of criminal offences under Australian law arising from or related to any breaches of the Laws of Armed Conflict by members of the Australian Defence Force in Afghanistan from 2005 to 2016
- develop briefs of evidence in respect of any offences that are established, for referral to the Commonwealth Director of Public Prosecutions, and
- undertake other relevant tasks the Prime Minister and the Minister require from time to time.
We may collect personal information in records relating to:
- contract management, funding agreements and memoranda of understanding
- employment and personnel matters for staff, deployees, contractors and people deployed to the joint AFP-OSI investigation
- correspondence from members of the public or organisations to us, our Minister, or other Australian Government ministers and agencies
- correspondence from, or on behalf of, foreign organisations or governments to us
- complaints (including privacy complaints) and feedback provided to us
- requests for access or annotation or amendment under the Freedom of Information Act 1982 (the FOI Act) or the Privacy Act
- legal advice provided by internal and external lawyers
- the performance of our functions
- records that assist in the enforcement of the criminal law, and the investigation of criminal incidents.
We will only use or disclose personal information, including sensitive personal information, about you for the purpose for which it was collected, unless the law requires or permits use or disclosure for another purpose, or if you give permission for us to use or disclose the information for another purpose.
Sometimes we may collect sensitive personal information without your consent, such as when collection is required or authorised by law, or court or tribunal order. We will not collect personal information about you if we do not need it.
We may also collect personal information from other sources, including third parties or publicly available sources. Third parties may include other Australian Government agencies such as the Department of Defence, Commonwealth, State or Territory law enforcement agencies, foreign governments, and members of the public who contact us with information.
When we collect personal information, consistent with the requirements under the Privacy Act, we will notify you using a privacy collection notice, if it is reasonable to do so.
Collecting information through our website
We outsource the maintenance and operation of our website to the Attorney-General's Department (the Department).
The Department logs a record of each visit to the OSI website and records information for statistical purposes and to make the site more useful to users.
The information the Department logs when users access our website includes the:
- person’s IP or server address
- date and time of the visit to the site
- pages accessed
- person’s operating system
- person’s web browser version and type
- time taken to transmit information to the person
- previous internet address from which the person came directly to this website.
This information is analysed to show broken links on our website, bottlenecks, and other site problems to generally make our website more efficient.
No attempt is made to identify the person through browsing activities except in the event of an investigation into the improper use of our internet facility or alleged interference with privacy, or where an enforcement body exercises a warrant to inspect the Internet Service Provider's logs.
Types of personal information we may hold
The personal information we collect and hold may vary depending on what we require to perform our functions. It may include:
- your name, address and contact details (for example your phone number or email address)
- information about your identity (such as date of birth, country of birth, passport details and driver's licence)
- information about your personal circumstances (for example age, gender, marital status and occupation)
- personnel information about current, former and prospective OSI employees and contractors.
We may also collect or hold sensitive information. This could include information about your:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- criminal record or criminal activities you may have been involved in.
How we collect information
We may collect personal information directly from you or your authorised representative. We do this through a variety of channels, including our Contact Us page, correspondence, and face-to-face or telephone contact.
When interacting with us you can, generally, remain anonymous or use a pseudonym. However, it may not always be possible to remain anonymous or use a pseudonym when dealing with us – we will tell you if it is not.
Use and disclosure of personal information
We will not provide your personal information to other government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:
- you would reasonably expect us to use the information for that other purpose
- it is legally required or authorised, such as by an Australian law, or court or tribunal order. This includes express statutory provisions, as well as the more general application of the common law and the exercise of the Australian Government’s executive authority
- it is reasonably necessary for an enforcement-related activity
- we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
- we reasonably believe that it is necessary to help locate a person who has been reported as missing
- it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
- it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
The third parties we may disclose your personal information to, or who may collect personal information on our behalf, include but are not limited to:
- suppliers and other third parties, including other government agencies and authorities with whom we have commercial or shared arrangement relationships
- any organisations or government agencies and authorities for any authorised purpose that directly relates to one of our functions, with your express consent, unless one of the exceptions listed above applies.
We will ensure that appropriate protections of your personal information are in place with these third parties in accordance with our obligations under the Privacy Act.
Disclosure to overseas recipients
In some cases, we may have to disclose limited personal information to recipients overseas as part of our work. This may occur, for example, in relation to a law enforcement matter such as a criminal investigation. If necessary, we will either:
- seek your consent to disclose the information, or
- amend the information so that you are not identifiable.
Maintaining personal information
We take reasonable steps to ensure the personal information we collect is accurate, up-to-date, and complete.
We take reasonable steps to ensure that the personal information we hold is safe and secure. This includes protecting your personal information from:
- unauthorised access
- disclosure unless you provide consent to disclosure or an exception applies.
Personal information we collect is stored in compliance with Australian Government security requirements and is held in electronic databases, or in paper-based files where required. The databases maintain audit trails whenever personal information in electronic records is accessed, added, amended or deleted on the database. The paper-based files are physically secured. We ensure that personal information within our systems and files is only accessible to staff who need to have access to do their work.
Our records that contain personal information can only be destroyed after they have reached their destruction date as identified in an agency records authority issued by the National Archives of Australia. We are working to develop our agency records authority in collaboration with the National Archives of Australia.
Data Breach Response Plan
We are developing a Data Breach Response Plan, setting out procedures and clear lines of authority for our staff if there is a data breach, or if we suspect a data breach has occurred.
The response plan will enable us to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the notifiable data breaches scheme that commenced on 22 February 2018.
Privacy Impact Assessment
The Australian Government Agencies Privacy Code 2017 requires all agencies to conduct a Privacy Impact Assessment (PIA) for all high risk privacy projects. The OSI was established on 4 January 2021 and has not yet conducted a PIA. As we complete PIAs we will publish information about them on this website.
Privacy Management Plan
The Australian Government Agencies Privacy Code requires agencies to have a privacy management plan. Our privacy management plan is a strategic planning document in which we:
- identify our privacy goals and targets
- set out how we will meet our compliance obligations under the Australian Privacy Principles.
Our privacy management plan came into effect on Friday 7 July 2021 and will be reviewed annually, or sooner if organisational or other changes within the OSI require it.