Skip to main content


Privacy policy

This privacy policy applies to personal information that we handle. This Privacy Policy will be reviewed and may change as our work progresses or when our information handling practices change. 

We are bound by the provisions of the Privacy Act 1988 (the Privacy Act), including the Australian Privacy Principles. These principles set out standards, rights and obligations for how to handle and maintain people's personal information. The Australian Privacy Principles also set out individuals’ right to access or correct their own personal information.

​​​This privacy policy applies to personal information that we handle. This Privacy Policy will be reviewed and may change as our work progresses or when our information handling practices change.

We are bound by the provisions of the Privacy Act 1988 (the Privacy Act), including the Australian Privacy Principles. These principles set out standards, rights and obligations for how to handle and maintain people's personal information. The Australian Privacy Principles also set out individuals’ right to access or correct their own personal information.

Collecting personal information

We only collect personal information for purposes reasonably necessary for, or directly related to our purpose, functions or activities.

Our purpose is to:

  • review the findings of the Inspector-General of the Australian Defence Force Afghanistan Inquiry
  • work with the Australian Federal Police (AFP) to investigate the commission of criminal offences under Australian law arising from or related to any breaches of the Laws of Armed Conflict by members of the Australian Defence Force in Afghanistan from 2005 to 2016
  • develop briefs of evidence in respect of any offences that are established, for referral to the Commonwealth Director of Public Prosecutions, and
  • undertake other relevant tasks the Prime Minister and the Minister require from time to time.

We may collect personal information in records relating to:

  • contract management, funding agreements and memoranda of understanding
  • employment and personnel matters for staff, deployees, contractors and people deployed to the joint AFP-OSI investigation
  • correspondence from members of the public or organisations to us, our Minister, or other Australian Government ministers and agencies
  • correspondence from, or on behalf of, foreign organisations or governments to us
  • complaints (including privacy complaints) and feedback provided to us
  • requests for access or annotation or amendment under the Freedom of Information Act 1982 (the FOI Act) or the Privacy Act
  • legal advice provided by internal and external lawyers
  • the performance of our functions
  • records that assist in the enforcement of the criminal law, and the investigation of criminal incidents.

We will only use or disclose personal information, including sensitive personal information, about you for the purpose for which it was collected, unless the law requires or permits use or disclosure for another purpose, or if you give permission for us to use or disclose the information for another purpose.

Sometimes we may collect sensitive personal information without your consent, such as when collection is required or authorised by law, or court or tribunal order. We will not collect personal information about you if we do not need it.

We may also collect personal information from other sources, including third parties or publicly available sources. Third parties may include other Australian Government agencies such as the Department of Defence, Commonwealth, State or Territory law enforcement agencies, foreign governments, and members of the public who contact us with information.

When we collect personal information, consistent with the requirements under the Privacy Act, we will notify you using a privacy collection notice, if it is reasonable to do so.

Collecting information though our website

We outsource the maintenance and operation of our website to the Attorney-General's Department (the Department).

The Department logs a record of each visit to the OSI website and records information for statistical purposes and to make the site more useful to users.

The information the Department logs when users access our website includes the:

  • person’s IP or server address
  • date and time of the visit to the site
  • pages accessed
  • person’s operating system
  • person’s web browser version and type
  • time taken to transmit information to the person
  • previous internet address from which the person came directly to this website.

This information is analysed to show broken links on our website, bottlenecks, and other site problems to generally make our website more efficient.

No attempt is made to identify the person through browsing activities except in the event of an investigation into the improper use of our internet facility or alleged interference with privacy, or where an enforcement body exercises a warrant to inspect the Internet Service Provider's logs.

Types of personal information we may hold

The personal information we collect and hold may vary depending on what we require to perform our functions. It may include:

  • your name, address and contact details (for example your phone number or email address)
  • information about your identity (such as date of birth, country of birth, passport details and driver's licence)
  • information about your personal circumstances (for example age, gender, marital status and occupation)
  • personnel information about current, former and prospective OSI employees and contractors.

We may also collect or hold sensitive information. This could include information about your:

  • racial or ethnic origin
  • political opinions or associations
  • religious or philosophical beliefs
  • criminal record or criminal activities you may have been involved in.

How we collect information

We may collect personal information directly from you or your authorised representative. We do this through a variety of channels including our Contact Us page, correspondence, and face-to-face or over the telephone.

Remaining anonymous

When interacting with us you can, generally, remain anonymous or use a pseudonym. However, it may not always be possible to remain anonymous or use a pseudonym when dealing with us – we will tell you if it is not.

Use and disclosure of personal information

We will not provide your personal information to other government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:

  • you would reasonably expect us to use the information for that other purpose
  • it is legally required or authorised, such as by an Australian law, or court or tribunal order. This includes express statutory provisions, as well as the more general application of the common law and the exercise of the Australian Government’s executive authority
  • it is reasonably necessary for an enforcement-related activity
  • we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
  • we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
  • we reasonably believe that it is necessary to help locate a person who has been reported as missing
  • it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
  • it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

The third parties we may disclose your personal information to, or who may collect personal information on our behalf, include but are not limited to:

  • suppliers and other third parties, including other government agencies and authorities with whom we have commercial or shared arrangement relationships
  • any organisations or government agencies and authorities for any authorised purpose that directly relates to one of our functions, with your express consent, unless one of the exceptions listed above applies.

We will ensure that appropriate protections of your personal information are in place with these third parties in accordance with our obligations under the Privacy Act.

Disclosure to overseas recipients

In some cases, we may have to disclose limited personal information to recipients overseas as part of our work. This may occur, for example, in relation to a law enforcement matter such as a criminal investigation. If necessary, we will either:

  • seek your consent to disclose the information, or
  • amend the information so that you are not identifiable.

Maintaining personal information

We take reasonable steps to ensure the personal information we collect is accurate, up-to-date, and complete.

Data Security

We take reasonable steps to ensure that the personal information we hold is safe and secure. This includes protecting your personal information from:

  • loss
  • unauthorised access
  • misuse
  • modification
  • disclosure unless you provide consent to disclosure or an exception applies.

Personal information we collect is stored in compliance with Australian Government security requirements and is held in electronic databases, or in paper-based files where required. The databases maintain audit trails whenever personal information in electronic records is accessed, added, amended or deleted on the database. The paper-based files are physically secured. We ensure that personal information within our systems and files is only accessible to staff who need to have access to do their work.

Our records which contain personal information can only be destroyed after it has reached its destruction date as identified in an agency records authority issued by the National Archives of Australia. We are working to develop our agency records authority in collaboration with the National Archives of Australia.

Data Breach Response Plan

We are developing a Data Breach Response Plan, setting out procedures and clear lines of authority for our staff if there is a data breach, or if we suspect a data breach has occurred.

The reponse plan will enable us to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the notifiable data breaches scheme that commenced on 22 February 2018.

Privacy Impact Assessment

The Australian Government Agencies Privacy Code 2017 requires all agencies to conduct a Privacy Impact Assessment (PIA) for all high risk privacy projects. The OSI was established on 4 January 2021 and has not yet conducted a PIA. As we complete PIAs we will publish information about them on this website​.

Privacy Management Plan

The Australian Government Agencies Privacy Code requires agencies to have a privacy management plan. Our privacy management plan is a strategic planning document in which we:

  • identify our privacy goals and targets
  • set out how we will meet our compliance obligations under the Australian Privacy Principles.

Our privacy management plan came into effect on Friday 7 July 2021 ​and will be reviewed annually or if organisational or other changes within the OSI require a review be conducted sooner.

You have the right to access personal information that we hold about you under the Privacy Act or FOI Act. You also have the right under the Privacy Act to request corrections to any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Requests under the Privacy Act

You can seek to obtain copies of records containing your personal information, or request corrections to any of your personal information held by the OSI, by submitting a request to the agency’s Privacy Officer under the Privacy Act through Contact us.

We can decline access to, or to correct, personal information in certain circumstances, as set out in the Privacy Act.

Generally, if we refuse to give you access, we will notify you in writing, including the reasons for refusal and mechanisms available to you to dispute that decision.

Requests under the FOI Act

In some circumstances we will suggest that you make your request for personal information under the FOI Act. This is because:

  • an FOI access request can relate to any document in our possession and is not limited to your personal information
  • the FOI Act contains a consultation process for dealing with requests for documents that contain your personal information, as well as the personal or business information about another person
  • if we refuse to give you access under the FOI Act, you have a right to apply for internal review or Information Commissioner review of that decision.

Further information about how you can make a request under the FOI Act is available on the Freedom of Information page. You can also submit an FOI enquiry to us through Contact us​.

Proof of identity

If you are requesting to access or correct your personal information, you must provide evidence of your identity. This is to ensure that no person’s personal information is unreasonably disclosed, or disclosed without authorisation.

Proof of identity must clearly show that you are the person whose personal information is being requested or corrected. Acceptable identity documents for this purpose include one of the following:

  • a passport
  • a driver’s licence issued by an Australian State or Territory
  • other official identification in the English language that contains your photo, signature and address.

Identity documents must be certified as a true copy of the original by a person having the power to witness a Commonwealth statutory declaration. Further information about statutory declarations, including a list of people who are authorised to witness one, is available on the Statutory declarations page on the Attorney-General’s Department website.

We will tell you if you are required to provide proof of identity and how you can provide this information to us.

If you ask someone else to make a request on your behalf, you need to provide a specific, written authority to send copies of documents to you care of that person, or to allow that person to inspect copies of documents containing information about you.

If you request documents about another person

If you are seeking documents containing personal information about another person, you must provide evidence of both your identities. You must also provide evidence that you have the other person’s consent to represent them and/or receive documents about them. You can do this by asking them to sign a letter of authorisation to allow the OSI to send documents about them to you.

We take all complaints seriously and are committed to a quick and fair resolution. We will respond to your request or complaint promptly if you provide your contact details. If you believe we have wrongly collected or handled your personal information, you can submit a complaint to the OSI Privacy Officer through the Contact us page.

You can also complain to the Office of the Australian Information Commissioner. They may recommend that you try to resolve your complaint directly with us in the first instance.

The Office of the Australian Information Commissioner can be contacted on 1300 363 992 or via their website, Office of the Australian Information Commissioner, which also contains more information about making privacy complaints.

How to contact us

Contact our Privacy Officer through the Contact us page to:

  • ask about our compliance with the Australian Privacy Principles
  • ask about our privacy policy
  • access or correct the personal information we hold about you
  • ask for help with your request for access or correction
  • make a complaint about the way we have handled your personal information.