Skip to main content


Privacy policy

This privacy policy applies to personal information that we handle and will be reviewed and may change as our work progresses or when our information handling practices change.

We are bound by the provisions of the Privacy Act 1988, including the Australian Privacy Principles. These principles set out standards, rights and obligations for how to handle and maintain people's personal information. The Australian Privacy Principles also set out individuals’ right to access or correct their own personal information.

Collecting personal information

We only collect personal information for purposes reasonably necessary for, or directly related to our purpose, functions or activities.

Our purpose is to:

  • review the findings of the Inspector-General of the Australian Defence Force Afghanistan Inquiry
  • work with the Australian Federal Police (AFP) to investigate the commission of criminal offences under Australian law arising from or related to any breaches of the Laws of Armed Conflict by members of the Australian Defence Force in Afghanistan from 2005 to 2016
  • develop briefs of evidence in respect of any offences that are established, for referral to the Commonwealth Director of Public Prosecutions
  • undertake other relevant tasks the Prime Minister and the Minister require from time to time.

How we collect information

We may collect personal information directly from you or your authorised representative. We do this through a variety of channels including our Contact Us webpage, correspondence, and face-to-face or over the telephone.

We may collect personal and sensitive information without your consent, such as when collection is required or authorised by law, or court or tribunal order. We will not collect personal information about you if we do not need it.

We may collect personal information from other sources, including third parties or publicly available sources. Third parties may include other Australian Government agencies such as the Department of Defence, Commonwealth, state or territory law enforcement agencies, foreign governments, and members of the public who contact us with information.

When we collect personal information, consistent with the requirements under the Privacy Act, we will notify you using a privacy collection notice, unless it would be unreasonable and impracticable to do so.

Remaining anonymous

When interacting with us you can, generally, remain anonymous or use a pseudonym. However, it may not always be possible to remain anonymous or use a pseudonym – we will tell you if it is not.

Collecting information though this website

Access our Web privacy statement for further information about the information we might collect through our website.

We collect certain information when you visit this site. However, you can generally visit this site without telling us who you are unless you choose to provide this information to us.

Types of personal information we may hold

We may collect personal information in records relating to:

  • contract management, funding agreements and memoranda of understanding
  • employment and personnel matters for staff, contractors and people deployed or seconded to the OSI
  • correspondence from members of the public or organisations to us, our Minister, or other Australian Government ministers and agencies
  • correspondence from, or on behalf of, foreign organisations or governments to us
  • complaints (including privacy complaints) and feedback provided to us
  • requests for access or annotation or amendment under the Freedom of Information Act 1982 or the Privacy Act
  • legal advice provided by internal and external lawyers
  • the performance of our functions
  • records that assist in the enforcement of the law and the investigation of criminal allegations relevant to our mandate.

The personal information we collect and hold may vary depending on what we require to perform our functions. It may include:

  • your contact details, such as name, phone numbers and postal and email addresses
  • your identity information, such as date of birth, country of birth, passport details and driver's licence
  • information about your personal circumstances, such as gender, marital status and occupation
  • personnel information about current, former and prospective OSI employees and contractors.

We may also collect or hold sensitive information. This may include information about your:

  • racial or ethnic origin
  • political opinions or associations
  • religious or philosophical beliefs
  • criminal record or criminal activities you may have been involved in.

Use and disclosure of personal information

We will only use or disclose personal information, including sensitive personal information, about you for the purpose for which it was collected, unless the law requires or permits use or disclosure for another purpose, or if you give permission for us to use or disclose the information for another purpose.

We will not disclose your personal information to other government agencies, private sector organisations, or anyone else unless you consent or:

  • you would reasonably expect us to use the information for another purpose
  • it is legally required or authorised, such as by a law, or court or tribunal order (thisincludes express statutory provisions, as well as the more general application of the common law and the exercise of the Australian Government’s executive authority)
  • it is reasonably necessary for an enforcement-related activity
  • we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
  • we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
  • we reasonably believe that it is necessary to help locate a person who has been reported as missing
  • it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
  • it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

The third parties to whom we may disclose personal information, or who may collect personal information on our behalf, include but are not limited to:

  • suppliers and other third parties, including other government agencies and authorities with whom we have commercial or other arrangements
  • any organisations or government agencies and authorities for any authorised purpose that relates to one of our functions.

We will ensure that appropriate protections of your personal information are in place with these third parties, in accordance with our obligations under the Privacy Act.

Disclosure to overseas recipients

We may disclose personal information to recipients overseas as part of our work. This may occur, for example, in relation to a law enforcement matter. If overseas disclosure is necessary, we will either seek your consent to disclose the information or amend it so that you are not reasonably identifiable, unless an exception applies.

Maintaining personal information

We take reasonable steps to ensure the personal information we collect is accurate, up-to-date, and complete.

Security of personal information

We take reasonable steps to secure the personal information we hold to prevent misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Personal information we collect is stored in compliance with Australian Government security requirements and is held in electronic databases. The databases maintain audit trails whenever personal information in electronic records is accessed, added, amended or deleted on the database. We conduct regular audits of the database where the majority of our records are stored to ensure that personal information is appropriately managed and accessible only to staff who need it for their work.

Records which contain personal information can only be destroyed after they have reached the relevant destruction date identified in a general or agency-specific records authority issued by the National Archives of Australia. We also comply with disposal freezes and retention notices which may prohibit destruction of certain records we hold.

Data breach response plan

We have a data breach response plan which sets out procedures and clear lines of authority for our staff if there is an actual or suspected eligible data breach involving personal information. Our privacy data breach response plan incorporates the requirements of the Notifiable Data Breaches scheme that commenced on 22 February 2018.

Our response plan ensures we are able to promptly contain and assess data breaches and, if required, notify affected individuals at risk of serious harm whose personal information was involved in a data breach incident.

Privacy Impact Assessments

The Australian Government Agencies Privacy Code 2017 (APP Code) requires all agencies to conduct a Privacy Impact Assessment (PIA) for all high risk privacy projects. The OSI was established on 4 January 2021 and has not yet conducted a PIA. As we complete PIAs we will publish information about them on this website

Privacy Management Plan

The APP Code requires agencies to have a Privacy Management Plan (PMP). In our PMP we:

  • identify our privacy goals and targets
  • set out how we will meet our compliance obligations under the Australian Privacy Principles.

Our first PMP came into effect on 9 July 2021. Since that time, we have regularly reviewed our plan to measure progress and to set goals for continuous improvement.

You have the right to access personal information that we hold about you under the Privacy Act or FOI Act. If you believe that personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading. You also have the right to:

  • request that the information be corrected under the Privacy Act, and
  • request that the information be amended or annotated under the FOI Act.

Before making a request for correction or amendment or annotation, you need to request access to your personal information first.

Requests under the Privacy Act

You may request copies of records containing your personal information, or request corrections to any of your personal information held by the OSI, by submitting a request to the agency’s Privacy Officer through the Contact Us page.

In some circumstances, we may decide not to give you access to your personal information or to correct it. This may occur if:

  • we believe that giving you access may endanger the life, health or safety of any individual, or endanger public health or safety
  • giving you access would have an unreasonable impact on the privacy of other individuals
  • your request is frivolous or vexatious
  • your personal information is part of existing or anticipated legal proceedings between you and the organisation
  • one or more of the exemptions in the FOI Act applies.

If we decide to not give you access or correct your personal information, we will tell you in writing and provide you with the reasons for decision. We will also provide you information about how you can make a privacy complaint about the decision.

Requests under the FOI Act

In some circumstances we may suggest that you make your request for access to personal information under the FOI Act instead of the Privacy Act because:

  • you are seeking to access different types of documents in addition to your own personal information. An FOI request can be for any document we hold, but a request under the Privacy Act can only be for your own personal information, or to another person’s personal information if they have authorised you to access it.
  • the FOI Act contains a formal consultation process if documents contain information about other individuals, businesses or a state or territory.
  • if we refuse to give you access under the FOI Act, you have a right to apply for internal review and Information Commissioner review of our decision. Under the Privacy Act, there is no right of review but you can make a privacy complaint to the Information Commissioner.

Further information about how you can make a request under the FOI Act is available on the Freedom of Information page. You can also submit an FOI enquiry to us through the Contact Us page.

Proof of identity

If you are requesting to access or correct your personal information, you must provide evidence of your identity. This ensures that no person’s personal information is disclosed or modified without authorisation.

Proof of identity must clearly show that you are the person whose personal information is being requested or corrected. Acceptable identity documents for this purpose include one of the following:

  • a current passport
  • a current driver’s licence issued by an Australian State or Territory or
  • any other current official identification in the English language that contains your photo, signature and address.

Identity documents must be certified as a true copy of the original by a person having the power to witness a Commonwealth statutory declaration. Access ‘Statutory declarations’ on the Attorney-General’s Department website for further information on who can witness a statutory declaration.

If you are unsure whether you need to provide proof of identity or need help meeting these requirements, Contact Us - we will provide reasonable assistance to help you meet proof of identity requirements.

If your request is for documents about another person or you want someone to represent you

If you want to request access to documents containing personal information about another person, you must provide:

  • proof of identity for yourself and the other person whose personal information is being requested, and
  • evidence that you have the other person’s consent to receive documents containing their personal information.

If you want someone to represent you, you must provide:

  • proof of your identity, and
  • evidence that the person making the request on your behalf is authorised to represent you, and that you consent to us corresponding with your representative about the matter, including sending them documents that may contain your personal information.

If you are unsure which of the above requirements applies to you or you need help meeting them, Contact Us – we will provide you reasonable assistance to help you meet proof of identity and authorisation requirements.

We take all complaints seriously and are committed to a quick and fair resolution. We will respond to your request or complaint promptly, generally within 30 days.

If you believe we have mishandled your personal information or you have a privacy enquiry, you should first contact the OSI’s designated Privacy Officer using the Contact Us page.

You can make a privacy complaint to the Office of the Australian Information Commissioner if we take longer than 30 days to respond to your privacy complaint or request, or if you are not satisfied with our response.

How to contact us

You can contact the OSI’s designated Privacy Officer using the Contact Us page to:

  • ask about our compliance with the Australian Privacy Principles
  • ask about our privacy policy, or ask that we provide it to you in another format
  • request to access or correct personal information we hold about you
  • ask for help with making a request for access or correction
  • make a complaint if you believe the OSI has mishandled your personal information.