Collecting personal information
We only collect personal information for purposes reasonably necessary for, or directly related to our purpose, functions or activities.
Our purpose is to:
- review the findings of the Inspector-General of the Australian Defence Force Afghanistan Inquiry
- work with the Australian Federal Police (AFP) to investigate the commission of criminal offences under Australian law arising from or related to any breaches of the Laws of Armed Conflict by members of the Australian Defence Force in Afghanistan from 2005 to 2016
- develop briefs of evidence in respect of any offences that are established, for referral to the Commonwealth Director of Public Prosecutions
- undertake other relevant tasks the Prime Minister and the Minister require from time to time.
How we collect information
We may collect personal information directly from you or your authorised representative. We do this through a variety of channels including our Contact Us webpage, correspondence, and face-to-face or over the telephone.
We may collect personal and sensitive information without your consent, such as when collection is required or authorised by law, or court or tribunal order. We will not collect personal information about you if we do not need it.
We may collect personal information from other sources, including third parties or publicly available sources. Third parties may include other Australian Government agencies such as the Department of Defence, Commonwealth, state or territory law enforcement agencies, foreign governments, and members of the public who contact us with information.
When we collect personal information, consistent with the requirements under the Privacy Act, we will notify you using a privacy collection notice, unless it would be unreasonable and impracticable to do so.
When interacting with us you can, generally, remain anonymous or use a pseudonym. However, it may not always be possible to remain anonymous or use a pseudonym – we will tell you if it is not.
Collecting information though this website
Access our Web privacy statement for further information about the information we might collect through our website.
We collect certain information when you visit this site. However, you can generally visit this site without telling us who you are unless you choose to provide this information to us.
Types of personal information we may hold
We may collect personal information in records relating to:
- contract management, funding agreements and memoranda of understanding
- employment and personnel matters for staff, contractors and people deployed or seconded to the OSI
- correspondence from members of the public or organisations to us, our Minister, or other Australian Government ministers and agencies
- correspondence from, or on behalf of, foreign organisations or governments to us
- complaints (including privacy complaints) and feedback provided to us
- requests for access or annotation or amendment under the Freedom of Information Act 1982 or the Privacy Act
- legal advice provided by internal and external lawyers
- the performance of our functions
- records that assist in the enforcement of the law and the investigation of criminal allegations relevant to our mandate.
The personal information we collect and hold may vary depending on what we require to perform our functions. It may include:
- your contact details, such as name, phone numbers and postal and email addresses
- your identity information, such as date of birth, country of birth, passport details and driver's licence
- information about your personal circumstances, such as gender, marital status and occupation
- personnel information about current, former and prospective OSI employees and contractors.
We may also collect or hold sensitive information. This may include information about your:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- criminal record or criminal activities you may have been involved in.
Use and disclosure of personal information
We will only use or disclose personal information, including sensitive personal information, about you for the purpose for which it was collected, unless the law requires or permits use or disclosure for another purpose, or if you give permission for us to use or disclose the information for another purpose.
We will not disclose your personal information to other government agencies, private sector organisations, or anyone else unless you consent or:
- you would reasonably expect us to use the information for another purpose
- it is legally required or authorised, such as by a law, or court or tribunal order (thisincludes express statutory provisions, as well as the more general application of the common law and the exercise of the Australian Government’s executive authority)
- it is reasonably necessary for an enforcement-related activity
- we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
- we reasonably believe that it is necessary to help locate a person who has been reported as missing
- it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
- it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
The third parties to whom we may disclose personal information, or who may collect personal information on our behalf, include but are not limited to:
- suppliers and other third parties, including other government agencies and authorities with whom we have commercial or other arrangements
- any organisations or government agencies and authorities for any authorised purpose that relates to one of our functions.
We will ensure that appropriate protections of your personal information are in place with these third parties, in accordance with our obligations under the Privacy Act.
Disclosure to overseas recipients
We may disclose personal information to recipients overseas as part of our work. This may occur, for example, in relation to a law enforcement matter. If overseas disclosure is necessary, we will either seek your consent to disclose the information or amend it so that you are not reasonably identifiable, unless an exception applies.
Maintaining personal information
We take reasonable steps to ensure the personal information we collect is accurate, up-to-date, and complete.
Security of personal information
We take reasonable steps to secure the personal information we hold to prevent misuse, interference and loss, as well as unauthorised access, modification or disclosure.
Personal information we collect is stored in compliance with Australian Government security requirements and is held in electronic databases. The databases maintain audit trails whenever personal information in electronic records is accessed, added, amended or deleted on the database. We conduct regular audits of the database where the majority of our records are stored to ensure that personal information is appropriately managed and accessible only to staff who need it for their work.
Records which contain personal information can only be destroyed after they have reached the relevant destruction date identified in a general or agency-specific records authority issued by the National Archives of Australia. We also comply with disposal freezes and retention notices which may prohibit destruction of certain records we hold.
Data breach response plan
We have a data breach response plan which sets out procedures and clear lines of authority for our staff if there is an actual or suspected eligible data breach involving personal information. Our privacy data breach response plan incorporates the requirements of the Notifiable Data Breaches scheme that commenced on 22 February 2018.
Our response plan ensures we are able to promptly contain and assess data breaches and, if required, notify affected individuals at risk of serious harm whose personal information was involved in a data breach incident.
Privacy Impact Assessments
The Australian Government Agencies Privacy Code 2017 (APP Code) requires all agencies to conduct a Privacy Impact Assessment (PIA) for all high risk privacy projects. The OSI was established on 4 January 2021 and has not yet conducted a PIA. As we complete PIAs we will publish information about them on this website
Privacy Management Plan
The APP Code requires agencies to have a Privacy Management Plan (PMP). In our PMP we:
- identify our privacy goals and targets
- set out how we will meet our compliance obligations under the Australian Privacy Principles.
Our first PMP came into effect on 9 July 2021. Since that time, we have regularly reviewed our plan to measure progress and to set goals for continuous improvement.