Download the Office of the Information Commissioner's Privacy Policy PDF.
Privacy at the Office of the Information Commissioner WA
About this privacy policy
The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) contains the Information Privacy Principles (IPPs), a set of principles regulated entities must follow when handling personal information.
The IPPs include a requirement to publish an up-to-date privacy policy that is clear, concise, and written in plain language.
Our functions involving personal information
At the OIC, we handle personal information when performing our functions and delivering our services. These include:
- Providing assistance to members of the public and regulated entities on matters relevant to the PRIS Act and Freedom of Information Act 1992 (WA) (FOI Act)
- Undertaking external review of decisions State and local government agencies make under the FOI Act
- Conciliating, investigating and determining privacy complaints made in relation to alleged interferences with the privacy of an individual under the PRIS Act and other enforcement and compliance activities under the PRIS Act
- Raising public awareness of rights and obligations under the PRIS Act and FOI Act, including through the provision of training and awareness materials on our website, in our newsletter and in presentations and webinars we deliver.
We also handle personal information when performing activities necessary to run our operations – such as management of facilities, information technology services, staff and contractors.
Community privacy expectations
Show moreThe Information Privacy Principles in practice
The OIC is not required to comply with the PRIS Act, including the IPPs. However, as a matter of best practice (to support the community) and leadership (to support regulated entities), we apply the IPPs when we handle personal information.
We explain here how our practices reflect key requirements of the IPPs.
Personal information collection, use and disclosure
Show morePersonal information is defined in the PRIS Act as "information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion". The PRIS Act sets out a non-exhaustive list of examples of different types of personal information.
Put simply, if your identity can be reasonably ‘worked out’ from the information or an opinion, it is your personal information. Importantly, personal information:
- Does not have to be true
- Does not have to be written down or recorded
- Can be related to you directly or indirectly
- Can relate to a person who is alive or deceased.
A subset of personal information can be sensitive. Sensitive personal information includes information about your race or ethnic origin, gender identity, sexuality, political opinions or association, religious or philosophical beliefs, professional or trade union memberships, criminal record, and health, genetic, genomic or biometric information.
The PRIS Act contains additional rules that apply to regulated entities when they handle sensitive personal information. If you are unsure whether information is personal information or sensitive personal information, our website resources may assist you.
When we collect personal information (and what we collect)
As shown in the snapshot below, the types of personal information we collect depends on our relationship with you and the functions or services you engage with. Below are some key examples
When you… | We collect… |
Because…
|
|---|---|---|
Engage with our Office through the formal mechanisms in the FOI Act and the PRIS Act
| Name and contact details. Details of your application, complaint or other request made through our formal mechanisms. This may include documents detailing your interactions with regulated entities (such as another WA government agency) or third parties. In some matters, these documents may contain large volumes of personal information and sensitive personal information about you or other individuals. Confirmation of your identity, if required. | To know who you are and how to get in touch with you. To understand your application, complaint or other request, and to ensure we have all the relevant information required to review your matter and make a decision.
To verify you are the person to whom we should direct our correspondence and decision. |
Visit our website or comment on our social media pages
| Website visit data – IP address; type of device, browser or operating system; previous site visited; date/ time of site access; pages accessed and documents downloaded. Please see A note about website privacy.
Your comments or requests made on our social media pages, and the profile you used. Please see A note about social media. | For statistical and website management purposes of the WA.gov.au website, which hosts our website.
To allow us to respond to your comment or request. |
Visit our office at Albert Facey House
| Name and any contact details you provide at the building security check-in point.
| To verify with building security that you have checked-in with them.
To confirm the details you have registered with building security against the details we hold about meeting attendees.
|
Subscribe to our newsletter and other communications
| Name and contact details. Subscription and communications preferences.
| To process your subscription request. To ensure you receive the communications you want from our office.
|
Are an employee or prospective employee of the OIC
| Name and contact details. Role within the OIC, payroll and human resource management details. Prospective role, and details of your application to work with us (e.g., resume, covering letter, referee report).
| To identify you and be able to contact you. To manage your employment with us. To manage the selection process relating to your prospective employment with us.
|
Are a contractor or service provider to the OIC
| Name and contact details.
Details contained in documents associated with your contract or services that may be personal, such as your signature and payment details.
| To identify you and be able to contact you.
To manage your contract with us or the services you provide to us.
|
| Attend our professional, academic or community events | Name and contact details.
Your role within WA government, where applicable.
Your professional or academic role and organisation, or that you are a member of the community.
Confirmation of your payment, via our service provider.
| To register you for the relevant event and be able to contact you. To provide you with content relevant to your work or interest in FOI and privacy.
To understand the audience at our event, if from outside WA government.
For paid events, to confirm you have paid an attendance fee. |
How we collect personal information
There are a few ways we collect personal information, including where we ask you for it (or you give it to us) and where we collect it from someone else. Some scenarios help to illustrate this:
Context | We ask you for your personal information when… | We collect your personal information from someone else when… |
|---|---|---|
| FOI decision external reviews | You apply for external review of an FOI decision made by a WA government agency. | The relevant WA government agency shares copies of their correspondence with you and the documents relevant to your external review application. These documents may contain personal information about you or other individuals.
|
| Employment with us | You apply for a role within our office and provide your resume. | We ask your nominated referee about your work experience and suitability for the role.
|
| Our training programs | You email us to express interest in attending one of our future events.
| Your employer sees our event advertised and completes the registration on your behalf.
|
A note about social media
We use the social media platform LinkedIn to help push messages to regulated entities and the community more broadly, about our functions and services, upcoming events, and topics of interest in the areas of FOI and privacy.
When you comment on or engage with us on a social media platform, it is not just us collecting your personal information. The collection and management of any personal information you share is also governed by that platform’s own terms of service and privacy policy.
Where you wish to engage with us, we encourage you to contact us directly.
Collection notice
We ask you for personal information in several ways, such as over the telephone, via email, through our website, by filling in a form, or when meeting with us in person.
When we ask you directly for personal information, we will give you a collection notice telling you the reason why – including what personal information we are asking for, why we need it, and what will happen to it.
The collection notice will be specific to the circumstance and tailored to suit the method we are using to collect your personal information. You may see it at the top of a form, in a website pop-up, in an email header, at an event entry point or hear it through a recorded telephone message – see, for example, the collection notice when subscribing to the OIC’s newsletter.
Choosing not to identify yourself
In most circumstances we need to know who you are to manage our relationship with you. However, we take steps to ensure we only collect the minimum amount of personal information we need for our functions and services.
Where it is possible to engage with you without identifying you, we will provide you with that option. For example, when you subscribe to our newsletter you do not need to provide your name, only an email address.
In some cases, we may not need to collect personal information at all – for example:
- When we host a public information session that does not require you to register in advance
- If you seek information or advice from us over the phone and we can answer your enquiry without you providing your personal information.
De-identifying personal information we collect
In limited circumstances we de-identify personal information we collect and hold for the purposes of:
- Publishing a decision of the Information Commissioner under the FOI Act or under the PRIS Act
- Reporting or developing training and guidance materials
- Compiling and reporting on data received through surveys we conduct at the end of an FOI or privacy matter or other surveys we use to obtain feedback from our stakeholders about our functions and services.
When we de-identify information for these purposes we take steps to protect the de-identified information from misuse and loss and from unauthorised re-identification, access, modification or disclosure.
Limits on use and disclosure of personal information
There are several purposes for which we may use and disclose personal information, and these are linked directly to our functions and services. These generally include:
- Providing a service or exercising our functions under the FOI Act and PRIS Act
- Providing advisory or other support to you
- Answering a question you have asked, or responding to a complaint you have made
- Managing your employment, prospective employment or other business relationship we have with you
- Promoting awareness of our communications, events and resources that might interest you (where you have subscribed)
- Complying with our legal and regulatory obligations
- Where otherwise permitted or required by law
- For limited other purposes with your consent.
We do not use any automated decision-making process when we perform our functions or deliver our services.
Our use of service providers
Show moreSeveral service providers support us, and some collect and handle personal information on our behalf. How they support us can be broken down into functional categories including:
- Corporate services and human resource management
- Technical systems and operations
- Website management
- Facilities and asset management
- Events management
- Training services.
Most of our service provider relationships are part of whole-of-WA-government services, where the OIC is supported as a WA government client. For example, the WA government provides us with essential corporate services and human resource management, including attracting and retaining staff.
Importantly, access to documents and other information (including personal information) associated with our review and decision-making functions under the FOI and PRIS Acts are restricted to OIC officers and managed on a strictly need to know basis.
There are some service providers that we engage directly, such as for sending our newsletter and other communications, event management and ticketing. We assess their suitability, engage and manage them in keeping with whole-of-WA-government policy, including Procurement Guidelines and the Office of Digital Government Information Security Self-Assessment criteria.
Where we engage a service provider directly (i.e. outside of WA government service arrangement), it is the OIC’s policy that personal information must be managed and stored in Australia. Where we propose to use a new service provider, we use whole-of-WA-government policy to inform our decision-making.
A note about website privacy
The WA government manages our website (which you access via WA.gov.au). On a whole-of-WA-government basis, website visit data – which includes IP address, type of device, browser or operating system you are using, the previous site you visited, date/ time you accessed our website, the pages you accessed and documents you downloaded – is collected for statistical and system administration purposes, including:
- Monitoring and protecting WA.gov.au from cyber security threats
- Monitoring website performance to enhance your experience when using WA.gov.au
- Understanding usage trends to make sure WA.gov.au is meeting the needs of its users.
The WA government does not use website visit data to identify you, except in circumstances requiring the involvement of law enforcement. To find out more about the management of WA.gov.au, please review its Terms of Use and Privacy Policy.
Security and retention of personal information
Show moreWe know the importance of keeping personal information safe throughout its lifecycle. At the OIC:
- Staff are trained in, and adhere to, the secrecy and confidentiality obligations required by law and the requirements for handling personal information as set out in the PRIS Act and the IPPs
- Our decisions about information security, procurement, contract management, and service provider risk are informed by whole-of-WA-government policy
- We continue to establish, review and update internal policies and procedures and to comply with relevant legislative requirements and whole-of-WA-government policies. This supports strong privacy management and involves several related management areas, such as information security, risk management, records management and data governance.
We also take steps to ensure personal information is stored securely, not kept longer than necessary, and disposed of appropriately. An example of this in practice is – upon conclusion of an FOI external review – we securely destroy (via shredding or electronic deletion) your personal information that is not strictly necessary to retain as part of our record of review and decision.
Access and correction rights
Show moreThe OIC is not required to comply with the privacy requirements set out in the PRIS Act, including the IPPs. We do, however, support you in seeking access to and correction of your own personal information.
Generally, if you have provided personal information to us, we are happy to tell you what it is. If the personal information is out of date or incorrect, we will assist you to correct it. We do this as an administrative process, not a formal one. There are some limited circumstances where we may not be able to assist you – for example, when:
- Your personal information is mingled with someone else’s, and providing access would impact the other person’s privacy
- A law prevents us from doing so.
To ask us about accessing or correcting your own personal information, please contact us.
Contact Us
Show moreDo you have questions about our privacy policy and our personal information practices, including:
- How to seek access to, or correct, your own personal information?
- A concern or complaint about how we handled your personal information?
Your questions can be directed to our Privacy Officer at the details below:
Address: Albert Facey House, 469 Wellington St, Perth WA 6000, Australia
Telephone: +61 8 6551 7888
Freecall (WA country): 1800 621 244
Email: info@oic.wa.gov.au
Our continued commitment
Show moreAs the independent regulator fostering trust and accountability in WA through privacy and FOI, we will continue to evolve how we handle personal information to align with community expectations, privacy law and best practices. As we evolve, so too will our broader information practices and this privacy policy.
Updates to this privacy policy will be made periodically, so please check back.
Print this page
