Privacy
How eSafety handles, manages and protects personal information.
Summary
Overview
eSafety is responsible for promoting online safety for all Australians.
This summary of our privacy policy outlines the key points about how eSafety handles, manages and protects personal information.
eSafety collects, holds, uses and discloses personal information to undertake the Commissioner’s functions and activities under the Online Safety Act 2021 (Online Safety Act), the Telecommunications Act 1997 and the Criminal Code Act 1995.
eSafety handles information in accordance with our obligations under the Privacy Act 1988 (Privacy Act), the Freedom of Information Act 1982 (Freedom of Information Act) and the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
eSafety will update this privacy policy when our information handling practices change. Updates will be published on our website.
Collection
eSafety usually collects personal information (including sensitive information) from you or your authorised representative in order to undertake a regulatory action, such as assess a complaint or manage a report, or for activities consistent with a regulatory function.
eSafety sometimes collects personal information from a publicly available source or third party, if permitted under legislation, if doing so enables us to better assess a complaint or perform another regulatory action.
Personal information may also be collected through the eSafety website and our use of social networking services, such as Facebook, Instagram, Twitter, LinkedIn, Snapchat and YouTube (a Google company). eSafety uses this information to improve the eSafety website, receive feedback from the community and increase engagement with you.
Use and disclosure
eSafety only uses or discloses personal information for the purpose for which it was collected or in other permitted circumstances, such as where you consent for it to be used or disclosed for another purpose.
eSafety will not disclose sensitive information about you unless you agree or in other limited circumstances, such as when eSafety is required or authorised by law.
The Online Safety Act lets us provide your information to specific authorities without your consent in certain circumstances, including an authority of a foreign country responsible for regulating, or enforcing laws relating to, either or both of the following matters:
- matters relating to the capacity of individuals to use social media services, relevant electronic services and designated internet services in a safe manner,
- matters relating to material that is accessible to, or delivered to, the end‑users of social media services, relevant electronic services and designated internet services.
You may also choose to engage with us through a social networking service or our website. The companies we use for these purposes may also store information overseas.
Access and correction
You can request access to the personal information eSafety holds about you. We will provide you access in most circumstances.
You can request that eSafety correct your personal information. We will take reasonable steps to correct the information we hold about you if we consider it inaccurate, out of date, incomplete, irrelevant or misleading.
How to make a complaint
You can complain to eSafety in writing about how we have handled your personal information. eSafety will respond to your complaint within 30 days. You can contact eSafety from our contact us page.
Privacy policy
eSafety is responsible for promoting online safety for all Australians.
This policy describes how the Commissioner and staff assisting her handle, manage and protect personal information.
The Privacy Act contains 13 Australian Privacy Principles (the APPs) that regulate how private sector organisations and government agencies collect, use, disclose, hold and de-identify or destroy personal information, and how individuals may request to access and correct their personal information.
The Privacy Act defines personal information as information or an opinion about an identified individual or an individual who is reasonably identifiable. It also defines sensitive information, which is a subset of personal information that is generally afforded a higher level of protection than personal information. This includes health information and information relating to a person’s racial or ethnic origin and sexual orientation or practices.
eSafety is covered by the Privacy Act.
Collection of personal information
Purposes of collection
eSafety collects personal information if it is reasonably necessary for, or directly related to, one or more of the Commissioner’s functions or activities.
The main reasons we would collect personal information would be to:
- handle a complaint or manage a report
- conduct an internal review of a decision under our internal review scheme
- provide education
- conduct communication and awareness campaigns
- run our website, or
- correspond and engage with you through newsletters and social media.
How personal information is collected
eSafety collects personal information by lawful and fair means. eSafety usually collects personal information directly from you, for example, when you provide us your details in relation to a complaint or report through an enquiry form.
However, eSafety may obtain information about you from third parties in certain circumstances, including where:
- eSafety is required or authorised by law – for example, obtaining information for the purposes of handling a complaint or report (from a complainant, parent, guardian or school), or obtaining end-user identity information or contact details from an online service provider where relevant to the operation of the Online Safety Act
- eSafety has your consent to do so, or
- it is not reasonably practicable to collect the information from you.
Kinds of personal information collected and held
eSafety collects personal information to enable us to carry out our regulatory functions and activities.
eSafety does not collect personal information and cannot identify corporate information through the use of the Safety by Design assessment tools.
Further information about how non-identifiable data is collected, used and stored is available on the Safety by Design privacy page.
Complaints and reports
eSafety investigates complaints in relation to cyberbullying, adult cyber abuse, image-based abuse and illegal and restricted online content.
The kinds of personal information collected in order to investigate these complaints and reports varies between the schemes, but generally includes:
- your name (you may choose to make some complaints and reports anonymously)
- your contact details (unless you choose not to provide your name)
- your images
- whether you reside or are a business in Australia, and/or
- a URL that may lead to images that are personal information.
Personal information collected may also relate to the person making the complaint or report or to other parties involved, including the person alleged to have posted the material.
Investigating complaints and managing reports may require eSafety to collect sensitive information about you. This will only occur if you have consented or if the collection is otherwise permitted under the Privacy Act or the Online Safety Act.
Internal review
eSafety conducts reviews of certain decisions under the Online Safety Act in accordance with its internal review scheme.
The kinds of personal information collected in order to conduct a review will vary for each review, but will generally include:
- your name and contact details
- your original case reference number, if you know it, and/or
- any relevant documents or information (other than those previously provided) to support your review, to the extent these contain personal information.
Personal information collected may also relate to the person making the request for review or to other parties involved, including the person alleged to have posted the material the subject of the original decision.
Conducting an internal review may require eSafety to collect sensitive information about you. This will only occur if you have consented or if the collection is otherwise permitted under the Privacy Act or the Online Safety Act.
Procurement
eSafety collects and holds personal information as part of our procurement processes. This includes the names and contact details of tenderers or contracting parties and is done to ensure we comply with the PGPA Act and the Commonwealth Procurement Rules.
More information on the PGPA Act and the Commonwealth Procurement Rules is available at the Department of Finance’s PGPA associated instruments and policies page.
Public consultation and engagement
eSafety engages with the public and our stakeholders through a number of mediums, including consultations, surveys, conferences and forums.
When eSafety undertakes formal consultation, the documentation will make clear the purpose of the consultation and the purpose of the collection of personal information. Generally, eSafety publishes the submissions we receive, including any personal information, unless otherwise claimed as confidential.
If you wish to make a submission anonymously or through the use of a pseudonym, you should contact eSafety to see whether it is practicable to do so. Each confidentiality claim is assessed by eSafety on a case-by-case basis.
Use of services
eSafety collects and holds personal information used to register for a service, such as an online safety program or newsletter subscription. This may include details such as name, organisation, contact details and communication preferences. This helps eSafety manage user access and provide the service requested.
Information about how your personal information will be handled and other terms and conditions for using a service will be provided before any personal information is collected.
Website traffic, cookies and analytics
eSafety uses a range of tools to collect and view our website traffic information. This includes cookies and analytics such as Google Analytics and Usabilla. This helps eSafety improve our website, customise our information and services, and conduct research and development.
The information collected by these tools may include information such as the IP address of a device, the date and time a page was visited, the pages accessed and how long pages were viewed.
eSafety does not attempt to identify users or their browsing activities, unless the user has signed up to an online service or a law enforcement agency or other government agency exercises its legal authority to inspect our internet web server logs for an investigation.
You can set browsers that will notify you before you receive a cookie. This may allow you to refuse to accept it. Users can also turn off or delete cookies. You can also opt out of the Google Analytics collection by using the Google Analytics Opt-out Browser Add-on.
The eSafety website uses both Australian Government and commercial web-hosting facilities.
Social media
eSafety uses social networking services, including Twitter, Facebook, YouTube (a Google company), Instagram, LinkedIn and Snapchat to engage with the public. eSafety may collect your personal information if you engage with us on these services, but we will only use it to help us communicate with you and the public.
These social networking services will also handle your personal information for their own purposes in accordance with their own privacy policies. You can access the privacy policies for Twitter, Facebook, YouTube (a Google company), Instagram, LinkedIn and Snapchat on their websites.
Emails and newsletters
eSafety communicates with the public through email distribution lists and newsletters. With your consent, eSafety will collect your email and, if you provide it, other contact details when you subscribe to an eSafety mailing list. eSafety only uses this to update you on its activities and to administer the lists.
Notification
eSafety collects personal information in order to fulfil the eSafety Commissioner’s statutory functions and obligations or to undertake activities consistent with a regulatory function.
Before, at the time, or soon after collecting personal information, eSafety will provide you a notice outlining certain matters, including the purposes of collection, the consequences if personal information is not collected and whether eSafety usually discloses information of this kind to another entity.
Anonymity and use of pseudonym
eSafety will provide you the option of not identifying yourself, or using a pseudonym, unless it would be impractical for eSafety to deal with a person in that way or where a law requires or authorises eSafety to deal with individuals who have identified themselves.
Complaints related to offensive and illegal content can always be made anonymously.
Reports relating to image-based abuse do not require a complainant to provide their name.
Use and disclosure of personal information
eSafety will use or disclose personal information only for the purpose for which it was collected. eSafety will only use or disclose personal information for another purpose in certain permitted circumstances, including when:
- you consent for eSafety to do so
- the use or disclosure is required or authorised by or under an Australian law
- another exception under the Privacy Act applies, including where eSafety reasonably believes that it is reasonably necessary for one or more enforcement-related activities or a permitted general situation exists.
For example, with your consent, we might provide relevant information (like the location of an image that is the subject of an investigation) to the content host identified in your report to get the image taken down or use a tool that allows us to search whether your image is available in certain other locations online.
Part 15 of the Online Safety Act permits eSafety to disclose information in certain circumstances and with certain conditions, including to an authority of a foreign country responsible for regulating, or enforcing laws relating to, either or both of the following matters:
- matters relating to the capacity of individuals to use social media services, relevant electronic services and designated internet services in a safe manner,
- matters relating to material that is accessible to the end‑users of social media services, relevant electronic services and designated internet services,
provided it is not prohibited by Part 13 or 15 of the Telecommunications Act 1997.
eSafety may also disclose information to an authority if satisfied that the information will enable or assist the authority to perform or exercise any of the authority’s functions or powers, provided the information was obtained as a result of a function or power conferred on the Commissioner under the Online Safety Act.
We generally only disclose personal information overseas in order to help us fulfil a regulatory function. The Online Safety Act lets us provide your information to certain authorities without your consent, including foreign authorities.
You may also choose to engage with us through a social networking service or our website. The companies we use for these purposes may also store information overseas.
Quality and security of personal information
eSafety takes reasonable steps to ensure the quality of the personal information we collect and disclose is accurate, up-to-date and complete.
eSafety has a range of measures in place to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
All information collected by eSafety is secured and managed in accordance with the Australian Government’s Protective Security Policy Framework, Information Security Manual and the Archives Act 1983 (Cth). You can find further information at the National Archives of Australia’s webpage for Commonwealth Records Management).
Access to and correction of personal information
eSafety will consider any request you make to access, or seek the correction of, your personal information within 30 days.
eSafety will take reasonable steps to correct information we hold about you, if we consider it inaccurate, out of date, incomplete, irrelevant or misleading. You may need to demonstrate how your personal information is incorrect.
eSafety will ask you to verify your identity before it gives you access to your information or corrects it.
You also have the right under the Freedom of Information Act to request access to the documents eSafety holds. If the information eSafety holds about you is incomplete, incorrect, out-of-date or misleading, you can ask it that it be changed or annotated.
Making a complaint
eSafety manages personal information in accordance with its obligations and responsibilities under the APPs.
If you have a complaint about how eSafety has handled your personal information, you should outline your complaint in writing and lodge it with eSafety through the Contact us page.
eSafety will assess your complaint within 30 days.
If you are unhappy with how we have handled your complaint, you may be able to complain to the Office of the Australian Information Commissioner.
Contact eSafety
You can contact eSafety for more information about this privacy policy from our Contact us page.
Last updated: 18/03/2024