The eSafety Commissioner is responsible for promoting online safety for all Australians.
This policy describes how the eSafety Commissioner and staff assisting her (‘the Office’) handles, manages and protects personal information.
The Privacy Act 1988 (Cth) (the Privacy Act) contains 13 Australian Privacy Principles (the APPs) that regulate how private sector organisations and government agencies collect, use, disclose, hold and de-identify or destroy personal information, and how individuals may request to access and correct their personal information.
The Privacy Act defines personal information as information or an opinion about an identified individual or an individual who is reasonably identifiable. It also defines sensitive information, which is a subset of personal information that is generally afforded a higher level of protection than personal information. This includes health information and information relating to a person’s racial or ethnic origin and sexual orientation or practices.
The eSafety Commissioner is covered by the Privacy Act.
Purposes of collection
The Office collects personal information if it is reasonably necessary for, or directly related to, one or more of the eSafety Commissioner’s functions or activities.
The main reasons we would collect personal information would be to:
- Handle a complaint or manage a report
- Provide education
- Conduct communication and awareness campaigns
- Run our website, or
- Correspond and engage with you through newsletters and social media.
How personal information is collected
The Office collects personal information by lawful and fair means. The Office usually collects personal information directly from you, for example, when you provide us your details in relation to a complaint or report through an enquiry form.
However, the Office may obtain information about you from third parties in certain circumstances, including where:
- the eSafety Commissioner is required or authorised by law, for example, obtaining information for the purposes of handling a complaint or report (from a complainant, parent, guardian or school)
- the eSafety Commissioner has your consent to do so, or
- it is not reasonably practicable to collect the information from you.
Kinds of personal information collected and held
The Office collects personal information to enable us to carry out our regulatory functions and activities.
Complaints and reports
The Office investigates complaints in relation to cyberbullying and in relation to offensive and illegal content. It also manages complaints in relation to image-based abuse.
The kinds of personal information collected in order to investigate these complaints and reports varies between the schemes, but generally includes:
- your name (you may choose to make some complaints and reports anonymously);
- your contact details (unless you choose not to provide your name);
- your images
- whether you reside or are a business in Australia, and/or
- a URL that may lead to images that are personal information.
Personal information collected may also relate to the person making the complaint or report or to other parties involved, including the person alleged to have posted the material.
Investigating complaints and managing reports may require the Office to collect sensitive information about you. This will only occur if you have consented or if the collection is otherwise permitted under the Privacy Act or the Enhancing Online Safety Act 2015 (Online Safety Act).
The Office collects and holds personal information as part of our procurement processes. This includes the names and contact details of tenderers or contracting parties and is done to ensure we comply with the Public Governance, Performance and Accountability Act 2013 (the PGPA Act) and the Commonwealth Procurement Rules.
More information on the PGPA Act and the Commonwealth Procurement Rules is available at the Department of Finance’s PGPA associated instruments and policies page .
Public consultation and engagement
The Office engages with the public and our stakeholders through a number of mediums, including consultations, surveys, conferences and forums.
When the Office undertakes formal consultation, the documentation will make clear the purpose of the consultation and the purpose of the collection of personal information. Generally, the Office publishes the submissions we receive, including any personal information, unless otherwise claimed as confidential.
If you wish to make a submission anonymously or through the use of a pseudonym, you should contact the Office to see whether it is practicable to do so. Each confidentiality claim is assessed by the Office on a case-by-case basis.
Use of services
The Office collects and holds personal information used to register for a service, such as an online safety program or newsletter subscription. This may include details such as name, organisation, contact details and communication preferences. This helps the Office manage user access and provide the service requested.
Information about how your personal information will be handled and other terms and conditions for using a service will be provided before any personal information is collected.
Website traffic, cookies and analytics
The Office uses a range of tools to collect and view our website traffic information. This includes cookies and analytics. This helps the Office improve our website, customise our information and services, and pursue research and development.
The information collected by these tools may include the IP address of a device, the date and time a page was visited, the pages accessed and how long pages were viewed.
You can set browsers that will notify you before you receive a cookie. This may allow you to refuse to accept it. Users can also turn off or delete cookies.
The Office also uses Google Analytics. You can opt out of this collection by using the Google Analytics Opt-out Browser Add-on .
The Office does not attempt to identify users or their browsing activities, unless the user has signed up to an online service or a law enforcement agency or other government agency exercises its legal authority to inspect our internet web server logs for an investigation.
The eSafety Commissioner’s website uses both Australian Government and commercial web-hosting facilities.
The Office uses social networking services, including Twitter, Facebook, YouTube, Instagram and Snapchat, to engage with the public. The Office may collect your personal information if you engage with us on these services, but we will only use it to help us communicate with you and the public.
These social networking services will also handle your personal information for their own purposes in accordance with their own privacy policies.
Emails and newsletters
The Office communicates with the public through email distribution lists and newsletters. With your consent, the Office will collect your email and, if you provide it, other contact details when you subscribe to an Office mailing list. The Office only uses this to update you on its activities and to administer the lists.
The Office collects personal information in order to fulfil the eSafety Commissioner’s statutory functions and obligations or to undertake activities consistent with a regulatory function.
Before, at the time, or soon after collecting personal information, the Office will provide you a notice outlining certain matters, including the purposes of collection, the consequences if personal information is not collected and whether the the Office Commissioner usually discloses information of this kind to another entity.
Anonymity and use of pseudonym
The Office will provide you the option of not identifying yourself, or using a pseudonym, unless it would be impractical for the eSafety Commissioner to deal with a person in that way or where a law requires or authorises the eSafety Commissioner to deal with individuals who have identified themselves.
Complaints related to offensive and illegal content can always be made anonymously.
Reports relating to image based abuse do not require a complainant to provide their name.
The Office will use or disclose personal information only for the purpose for which it was collected. The Office will only use or disclose personal information for another purpose in certain permitted circumstances, including when:
- you consent for the Office to do so
- the use or disclosure is required or authorised by or under an Australian law
- another exception under the Privacy Act applies, including the eSafety Commissioner reasonably believes that it is reasonably necessary for one or more enforcement-related activities or a permitted general situation exists.
For example, with your consent, we might provide relevant information (like the location of the image) to the content host identified in your report to get the image taken down or use a tool that allows us to search whether your image is available in certain other locations online.
Part 9 of the Online Safety Act permits the eSafety Commissioner to disclose information in certain circumstances and with certain conditions, including to an authority of a foreign country responsible for regulating matters relating to online safety for children, provided it is not prohibited by Part 13 of the Telecommunications Act 1997.
The eSafety Commissioner may also disclose information to an authority if satisfied that the information will enable or assist the authority to perform or exercise any of the authority’s functions or powers, provided the information was obtained as a result of a function or power conferred on the eSafety Commissioner under the Online Safety Act or the Broadcasting Services Act 1992.
We generally only disclose personal information overseas in order to help us fulfil a regulatory function. The Online Safety Act lets us provide your information to certain authorities without your consent, including foreign authorities.
You may also choose to engage with us through a social networking service or our website. The companies we use for these purposes may also store information overseas.
The Office takes reasonable steps to ensure the quality of the personal information we collect and disclose is accurate, up-to-date and complete.
The Office have a range of measures in place to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
All information collected by the Office is secured and managed in accordance with the Australian Government’s Protective Security Policy Framework , Information Security Manual and the Archives Act . You can find further information at the National Archives of Australia’s webpage for Commonwealth Records Management .
The eSafety Commissioner will consider any request you make to access, or seek the correction of, your personal information within 30 days.
The Office will take reasonable steps to correct information we hold about you, if we consider it inaccurate, out of date, imcomplete, irrelevant or misleading. You may need to demonstrate how your personal information is incorrect.
The Office will ask you to verify your identity before it gives you access to your information or corrects it.
You also have the right under the Freedom of Information Act 1982 to request access to the documents the eSafety Commissioner holds. If the information the eSafety Commissioner holds about you is incomplete, incorrect, out-of-date or misleading, you can ask it that it be changed or annotated.
The Office manages personal information in accordance with its obligations and responsibilities under the APPs.
If you have a complaint about how the Office has handled your personal information, you should outline your complaint in writing and lodge it with eSafety through the details on the Contact us page.
The Office will assess your complaint within 30 days.
If you’re unhappy with how we have handled your complaint, you may be able to complain to the Office of the Australian Information Commissioner