The Treasury also maintains a Register of Privacy Impact Assessments.
On this page
How we collect personal information
Use and disclosure of personal information
About this policy
- how you can access the information we hold about you and ask for that information to be corrected
- how you can make a complaint about the way we have handled your personal information
The Privacy Act
The Privacy Act 1988 (Privacy Act) protects personal information of individuals and requires the Treasury to comply with the Australian Privacy Principles (APPs) in Schedule 1 to that Act.
The APPs set out standards, rights and obligations around personal information. ‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Personal information includes ‘sensitive information’, which is a particular category of personal information. While we recognise that protecting all personal information is important in gaining and maintaining your trust, sensitive information is often afforded a higher level of protection.
How we collect personal information
We collect and hold a broad range of personal information in records relating to:
- correspondence from members of the public or organisations addressed to us or our portfolio Ministers;
- correspondence from other Australian Government ministers and agencies;
- applications for foreign investment approvals under the Foreign Acquisitions and Takeovers Act 1975;
- employment and personnel matters relating to staff and contractors;
- facilitating appointments;
- facilitating meetings (for example, meetings with the Treasurer);
- administering programs for which the Treasury is the administering agency;
- research we have commissioned;
- contract management ;
- Royal Commissions;
- complaints (including privacy complaints) and feedback provided to us;
- requests under the Freedom of Information Act 1982 (FOI Act);
- legal advice provided by internal and external lawyers; and
- the performance of legislative and administrative functions.
We collect this personal information in a variety of ways. These include:
- correspondence and submissions;
- paper-based forms;
- online (web-based forms and email); and
- phone calls, faxes and face-to-face meetings.
The Treasury often collects personal information directly from you or your representative (for example, your lawyer). However, in some circumstances we may also collect information about you from another Australian, State or Territory government body, or from another organisation.
We only collect personal information where that information is reasonably necessary for, or directly related to, one or more of our functions or activities.
Types of information we hold
The personal information we collect and hold varies depending on what we need to perform our functions and responsibilities. It may include:
- your name, address and contact details (for example your phone number or email address);
- information about your identity (such as date of birth, country of birth, passport details, visa details and driver's licence);
- information about your personal circumstances (for example age, gender, marital status and occupation);
- information about your financial affairs (for example payment details, bank account details, and business and financial interests);
- information about your employment (for example applications for employment, work history, referee comments and remuneration); and
- government identifiers.
We may also collect or hold ‘sensitive information’ which is a subset of personal information under the Privacy Act.
Generally, we will only collect sensitive information if you have consented and its collection is reasonably necessary for, or directly related to, one or more of our functions or activities or the collection is required or authorised by law.
The definition of sensitive information includes information about the following:
- your health;
- your next of kin or designated emergency contacts;
- your membership of a professional or trade association, or a trade union;
- your racial or ethnic origin;
- criminal activities you may have been involved in; and
- your biometrics (including photographs and voice or video recordings of you).
Some personal information collected by the Treasury may be protected information under its portfolio legislation. Information that is protected information generally contains rules for the collection, use and disclosure of information under the relevant legislation.
For example, any information (including personal information) that is obtained under, in accordance with or for the purposes of the Foreign Acquisitions and Takeovers Act 1975 is ‘protected information’. The misuse or mishandling of protected information under the Foreign Acquisitions and Takeovers Act 1975 could constitute an offence under that Act. These rules operate alongside the rules in the Privacy Act.
For example, where we ask you to provide personal information in relation to your employment or in a public submission to a policy proposal, we will provide you with a privacy notice at the time of collection or as soon as practicable afterwards. These privacy notices explain our personal information handling practices in relation to that particular purpose or activity.
The Treasury website is managed internally by the department. Generally, the Treasury only collects personal information from its website where a person chooses to provide that information (for example, in submitting a web form).
If you visit our website to read or download information, the Treasury records a range of technical information which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time of your visit to the website. This information is used for statistical and development purposes.
No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.
The Treasury makes use of third-party sites, which may include Facebook, YouTube, MailChimp, SurveyMonkey, Twitter, LinkedIn and Google Analytics, to deliver some functionality of the Treasury website. These third parties may capture and store your personal information outside Australia and may not be subject to the Privacy Act in the same way as the Treasury or at all. The Treasury is not responsible for the privacy practices of these third parties and encourages you to examine each party's privacy policies and make your own decisions regarding their reliability.
The Treasury website also contains links to other websites. The Treasury is not responsible for the content and privacy practices of other websites and encourages you to examine each website's privacy policies and make your own decisions regarding their reliability.
Cookies are used to maintain contact with a user throughout a website session. A cookie is a small file supplied by the Treasury web server and stored by your web browser software on your computer’s hard drive when you access the Treasury website. Cookies allow the Treasury to recognise an individual web user as they browse the department’s website. When you close your browser the session cookie set by the Treasury's website is destroyed and no personal information is maintained which might identify you should you visit the Treasury's website at a later date.
There are inherent risks associated with the transmission of information over the internet, including via email. You should be aware of this when sending personal information to us via email or via the Treasury website. If this is of concern to you then you may use other methods of communication with the Treasury, such as post, fax, or phone (although these also have risks associated with them).
The Treasury only records email addresses when a person sends a message or subscribes to a mailing list. Any personal information provided, including email addresses, will only be used or disclosed for the purpose for which it was provided.
Use and disclosure of personal information
We will not provide your personal information to other government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:
- you would reasonably expect us to use the information for that purpose;
- it is legally required or authorised, such as by an Australian law, or a court or tribunal order;
- it is reasonably necessary for an enforcement-related activity;
- we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter;
- we reasonably believe that it is necessary to help locate a person who has been reported as missing;
- it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim;
- it is reasonably necessary for the purposes of a confidential alternative dispute resolution process; or
- we reasonably believe that it is necessary for our diplomatic or consular functions or activities.
The third parties that we may disclose your personal information to or who may collect personal information on our behalf, include but are not limited to:
- suppliers and other third parties with whom we have commercial relationships (for example, for research and programs directly related to one of our functions); and
- any organisations for any authorised purpose that directly related to one of our functions, with your express consent.
We will ensure that appropriate protections of your personal information are in place with these third parties, in accordance with our obligations under the Privacy Act. This includes ensuring that research we commission involves the collection of de-identified (anonymised) data.
Disclosure to overseas recipients
We may need to provide your personal information to an overseas recipient as part of our work.
In some cases, we may have to disclose limited personal information to recipients overseas under legislation or international information sharing agreements. This may occur, for example, in relation to a law enforcement matter such as a criminal investigation.
However, where there is no requirement for us to disclose personal information to an overseas recipient, we will either seek your consent or amend the information to ensure your personal information is not identifiable. The most common example of disclosure of personal information overseas will be to arrange overseas deployment or travel for Treasury staff.
Storage and data security
We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse. The Treasury will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.
Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the Australian Government's records management regime. When the personal information we collect is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order.
For example, under the Archives Act 1983, we must maintain personal information that is, or forms part of, a Commonwealth record. We must also maintain records for certain other purposes, including where the National Archives of Australia issues a disposal freeze in response to prominent or controversial issues or events. Find out more about current disposal freezes on the National Archives of Australia website.
The Treasury and its contractors are subject to the Notifiable Data Breaches Scheme under the Privacy Act, and we will act in accordance with the requirements of the Scheme and Office of the Australian Information Commissioner's (OAIC) Data breach preparation and response in assessing and responding to suspected notifiable data breaches.
Where a breach of personal information occurs that is likely to cause serious harm to individuals, we will notify OAIC and affected individuals as required. We will aim to provide you with timely advice to ensure you are able to manage any loss—financial or otherwise—that could result from the breach.
Access and correction
You have a right to request access to the personal information the Treasury holds about you and to request its correction in accordance with APPs 12 and 13 in the Privacy Act.
The Privacy Act permits access to be refused in certain cases, including where an exemption under the FOI Act would apply. There is no charge for making an access or correction request.
For a correction request, where we are satisfied that your personal information is incomplete, incorrect, out-of-date, irrelevant or misleading, we may amend the record. Where we agree to amend a record, we must, as far as possible, retain the text of the record as it was prior to the amendment. Where an amendment request is refused, we must provide reasons for the refusal and the mechanisms available to you to dispute that decision.
To request access or correction to your personal information held by the Treasury, you can contact the department’s Privacy Officer using the details outlined in the ‘How to contact us’ section below. We will discuss the nature of your request with you and can provide guidance on whether your request is better dealt with under the Privacy Act, the FOI Act or another arrangement. This will likely depend on your circumstances.
For example, for complex access requests, we may suggest that you use the FOI Act instead of the Privacy Act for the following reasons:
- an FOI access request can relate to any document held by an agency and is not limited to personal information
- the FOI Act has a consultation process for dealing with documents that contain the personal or business information of third parties
- the FOI Act includes a right to apply for internal review or Information Commissioner review of an access refusal decision
Evidence of identity
In all cases where a request relates to documents that contain your personal information, we will ask you to provide evidence of your identity before we deal with your request. Your request should include a physical address, as we prefer to forward documents containing personal information to you by registered post rather than email.
If another person has authorised you to make a request on their behalf, we will ask you for the letter authorising you to make the request. If you are seeking documents containing personal information on behalf of another person, we will ask for evidence of both identities, showing clearly that you are the person who is authorised to apply on behalf of the other person.
Acceptable identity documents include: a passport, an Australian driver’s licence or any other official identification in the English language which contains your photo, signature and address. Copies of identification documents should be certified as true copies of the originals by a person with the power to witness a Commonwealth statutory declaration.
If you have a complaint about the way the Treasury has handled your personal information, you may contact our Privacy Officer using our contact details set out at ‘How to contact us’ below.
A complaint may be made on behalf of a complainant by a guardian, friend, advocate or family member, but the person acting on behalf of the complainant must have written authorisation and verify their identity.
There are no fees or charges for making a privacy complaint to the Treasury. Your complaint should include:
- a brief description of your privacy problem, including:
- what happened
- when it happened
- what personal information of yours was affected
- the name of the relevant departmental area or contact person
- your contact details
We will use your contact details to contact you about your complaint. Sometimes we may ask you for additional information in order to investigate your complaint. If you do not provide this, it may affect how we handle your complaint.
If we receive a complaint from you we will decide what action, if any, we should take to resolve the complaint.
You may also complain to OAIC about how the department handled your personal information. However, before you can lodge a complaint with OAIC, you will need to first complain directly to the Treasury and allow 30 days for us to investigate, unless OAIC decides that a complaint to the department is not appropriate in the circumstances. If you do not receive a response after 30 days, or you are dissatisfied with the Treasury’s response to your complaint, you may complain to OAIC and the Commissioner will attempt to resolve the complaint.
How to contact us
You can contact the Privacy Officer if you want to:
- obtain access to or seek correction of your personal information held by the Treasury
- make a privacy complaint about the Treasury
- obtain a copy of this policy in another format
You can contact the Privacy Officer by any of the following ways:
General Counsel’s Unit
PARKES ACT 2601
From inside Australia: (02) 6263 2800
From overseas: +61 2 6263 2800
You can obtain further information about the Privacy Act from the Office of the Australian Information Commissioner website or on 1300 363 992 (10 am to 4 pm, Monday to Friday AEST/AEDT).
We review this policy regularly and may update it from time to time.
This policy was last updated on: 31 July 2020
Privacy Impact Assessment Register
The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (the Privacy Code) requires that all agencies, including the Department of the Treasury, must conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects.
A project may be a high privacy risk project if the Treasury considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. The Treasury is also required to conduct a PIA if directed to do so by the Office of the Australian Information Commissioner (OAIC).
The Treasury is required to maintain a register of all PIAs it conducts and must publish that register, or a version of that register, on its website.
This following PIA register is published in compliance with the Privacy Code.
Privacy Impact Assessments undertaken 1 July 2018 onwards
Register last updated: 31 January 2023
Title of project
Short description of project
Date the PIA was signed
Link to PIA
Consumer Data Right
Implementing the Consumer Data Right (CDR) to give consumers better access and control over their data. (Internal)
Consumer Data Right
Implementing the CDR to give consumers better access and control over their data. (Maddocks)
29 November 2019
Consumer Data Right
Supplementary PIA focusing on expanding the CDR to the energy sector. (KPMG)
30 June 2020
|Consumer Data Right||PIA update: ‘version 3’ CDR rules amendments to expand participation pathways for businesses and give consumers better access and control over their data. (Maddocks)||29 September 2021||CDR PIA September 2021|
|Consumer Data Right||PIA update: ‘version 4’ CDR rules amendments as they relate to the energy sector. (Maddocks)||26 November 2021||CDR PIA November 2021|
|Consumer Data Right||PIA update: examining the privacy impact of designating the telecommunications sector to the CDR. (Internal, with input from Maddocks)||November 2021||Telecommunications sectoral assessment report – Attachment A|
|Consumer Data Right||PIA update: examining the privacy impact of designating the non-bank lending sector to the CDR. (Internal, with input from KPMG)||August 2022||Non-bank lending sectoral assessment report – Attachment A|
|Consumer Data Right||PIA on proposed legislation to enable action initiation in the Consumer Data Right||10 October 2022||
CDR - Exposure draft legislation to enable action initiation
|Youpla Group Funeral Benefits Program||Grant program administered by Treasury and the Department of Industry, Science and Resources to help the families of people affected by the collapse of the Youpla Group (also known as the Aboriginal Community Benefits Fund).||29 November 2022||N/A|