Privacy

1. About this Privacy Policy

eSafety is responsible for promoting online safety for all Australians. This policy outlines how the Office of the eSafety Commissioner (eSafety) handles, manages and protects personal information in accordance with its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) which are found in Schedule 1 of the Privacy Act.

2. Definitions

In accordance with section 6(1) of the Privacy Act:

Personal information means information or an opinion whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual.   Put simply, personal information includes a broad range of information that could identify you or someone else.

Sensitive information is a subset of personal information that is afforded a higher level of protection due to its sensitivity, such as health information, racial or ethnic origin, political opinions, religious beliefs and sexual orientation or practices.

Health information is a subset of personal information that is related to your health or disability, including information about a health service you’ve had or will receive.

3. Collection of personal information

Why we collect personal information  

eSafety collects personal information to perform our functions, which are set out in section 27 of the Online Safety Act 2021 (Cth) (the Act). In summary, eSafety’s functions include to:

• promote online safety for Australians;
• support, encourage, conduct and evaluate research about online safety for Australians;
• make grants of assistance in relation to online safety for Australians’
• administer complaints systems for cyber-bullying material, cyber-abuse material and non-consensual sharing of intimate images;
• administer the online content (including industry codes and standards), basic online safety expectations and social media minimum age schemes;
• advise and assist persons in relation to their obligations under the Act;
• monitor and promote compliance with the Act; and
• coordinate activities of Commonwealth Departments, authorities and agencies relating to online safety for Australians.

More information about our functions is available on our website.

Specifically, we collect personal information to:

• handle a complaint or manage a report or investigation
• answer general enquiries
• provide specific support services
• manage events
• recruit and manage staff
• manage tenders, grants and sponsorships
• conduct an internal review of a decision under our internal review scheme
• provide education
• conduct communication and awareness campaigns
• run our website, or
• correspond and engage with you through newsletters and social media.

Kinds of personal information we collect  

The types of personal information eSafety collects will depend on the relevant activity being undertaken. This information may include:

• identification information (name, nationality, date of birth, sex/gender)
• contact details (address, phone number, email)
• images
• information about personal circumstances
• employee record
• internet protocol (IP) addresses (which may, but do not always, constitute personal information).

eSafety may also collect sensitive information (including health information) about you, when investigating complaints, managing reports and providing support services.

How we collect personal information

eSafety collects personal information by lawful and fair means. eSafety collects personal information directly from you, for example, when you provide us your details in relation to a complaint or report through an enquiry form.

In certain circumstances, eSafety may collect personal information about you from third parties. This includes where:

• eSafety is required or authorised by law to do so, for example, obtaining information for the purposes of handling a complaint or report (from a complainant, parent, guardian or school), or obtaining end-user identity information or contact details from an online service provider where relevant to the operation of the Act
• eSafety has your consent to do so
• it is not reasonably practicable to collect the information from you.

eSafety collects your personal information in a variety of ways. The primary ways include:

Complaints and reports

eSafety investigates complaints in relation to cyberbullying, adult cyber abuse, image-based abuse and illegal and restricted online content . 

The personal information eSafety collects may relate to the person making the complaint or report, any person on whose behalf the complaint or report is made, as well as other parties involved such as the person alleged to have posted the material. 

Investigating complaints and managing reports may require eSafety to collect sensitive information about you. This will only occur with your consent or if the collection is otherwise permitted under the Privacy Act or the Act. 

Industry engagement, compliance and enforcement

eSafety also enforces compliance with legislative obligations on the online industry under the Act, including the social media minimum age obligation and the Online Safety Codes and Standards. eSafety may receive personal information related to these roles and functions. For example, this may involve the collection of personal information of representatives of regulated entities.

TFA Support Service

eSafety provides tailored online safety advice to individuals and their representatives. An example is the Technology-facilitated Abuse (TFA) Support Service, which aims to provide specific advice, guidance and support for frontline workers and the victim-survivors they support to address TFA in the context of family, domestic and sexual violence (FDSV). 

In providing this service, eSafety collects personal information about the frontline workers seeking assistance and the victim-survivor(s). The types of personal information collected vary on a case-by-case basis and could include sensitive and health information. 

Internal reviews

eSafety conducts reviews of certain decisions under the Act in accordance with its internal review scheme. 

The personal information eSafety collects may relate to the person making the request for review or to other parties involved, including the person alleged to have posted the material the subject of the original decision. 

Conducting an internal review may require eSafety to collect sensitive information about you. This will only occur with your consent or if the collection is otherwise permitted under the Privacy Act or the Online Safety Act. 

Procurement

eSafety collects and holds personal information as part of our procurement processes. This includes the names and contact details of tenderers or contracting parties and is done to ensure we comply with the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act) and the Commonwealth Procurement Rules. 

More information on the PGPA Act and the Commonwealth Procurement Rules is available at the Department of Finance’s PGPA associated instruments and policies page. 

Public consultation and engagement

eSafety engages with the public and our stakeholders through a number of mediums, including consultations, surveys, conferences and forums. 

When eSafety undertakes formal consultation, the documentation will make clear the purpose of the consultation and the purpose of the collection of personal information. Generally, eSafety publishes the submissions we receive, including any personal information, unless otherwise claimed as confidential. 

If you wish to make a submission anonymously or through the use of a pseudonym, you should contact eSafety to see whether it is practicable to do so. Each confidentiality claim is assessed by eSafety on a case-by-case basis. 

Use of services

eSafety collects and holds personal information used to register for a service, such as an online safety program or newsletter subscription. This may include details such as name, organisation, contact details and communication preferences. This helps eSafety manage user access and provide the service requested. 

eSafety will provide information about how your personal information will be handled and other terms and conditions for using a service before any personal information is collected. 

Website traffic, cookies and analytics

eSafety uses a range of tools to collect and view our website traffic information. This includes cookies and analytics such as Google Analytics. This helps eSafety improve our website, customise our information and services, and conduct research and development.

The information collected by these tools may include information such as the IP address of a device, the date and time a page was visited, the pages accessed and how long pages were viewed.

eSafety does not attempt to identify users or their browsing activities, except in limited circumstances including where required or authorised by law (for example, where identification is reasonably necessary for law enforcement investigations).

You can set browsers that will notify you before you receive a cookie. This may allow you to refuse to accept it. Users can also turn off or delete cookies. You can also opt out of the Google Analytics collection by using the Google Analytics Opt-out Browser Add-on.

The eSafety website uses both Australian Government and commercial web-hosting facilities. 

Social media

eSafety uses social networking services, including Facebook, YouTube (a Google company), Instagram, LinkedIn, Snapchat and TikTok to engage with the public. eSafety may collect your personal information if you engage with us on these services, but we will only use it to help us communicate with you and the public. 

These social networking services will also handle your personal information for their own purposes in accordance with their own privacy policies. You can access the privacy policies for Facebook, YouTube, Instagram, LinkedIn, Snapchat and TikTok on their websites. 

Emails and newsletters

eSafety communicates with the public through email distribution lists and newsletters. With your consent, eSafety will collect your email and, if you provide it, other contact details when you subscribe to an eSafety mailing list. eSafety only uses this to update you on its activities and to administer the lists. 

Surveys

eSafety conducts research to enable better understanding of Australians’ experiences online and the role of eSafety’s initiatives in preventing or mitigating  harms. eSafety also uses web intercept surveys to evaluate particular resources or products. For certain surveys, eSafety uses Qualtrics XM, a survey and customer engagement survey solution.

eSafety collects some personal information in carrying out these surveys. For research and evaluation of survey results, we use aggregated information that does not identify any single respondent.

Anonymity and use of a pseudonym

eSafety will provide you with the option to remain anonymous or to use a pseudonym when dealing with eSafety, unless it is impracticable or where a law requires or authorises eSafety to deal with identified individuals.  

Complaints related to cyberbullying of a child (under 18 years), adult cyber abuse (18 years and older), image-based abuse and illegal and restricted content can be made anonymously. 

4. Use and disclosure of personal information  

eSafety will use or disclose personal information only for the purpose for which it was collected. eSafety will not use or disclose personal information for another purpose unless:  

• you consent for eSafety to do so
• the use or disclosure is required or authorised by or under an Australian law
• another exception under the Privacy Act applies, including where eSafety reasonably believes that it is reasonably necessary for one or more enforcement-related activities or a permitted general situation exists.

For example, with your consent, we might provide relevant information (like the location of an image that is the subject of an investigation) to the content host identified in your report to get the image taken down or use a tool that allows us to search whether your image is available in certain other locations online.

Part 15 of the Act permits eSafety to disclose information in certain circumstances and with certain conditions, including to an authority of a foreign country responsible for regulating, or enforcing laws relating to, either or both of the following matters:

• matters relating to the capacity of individuals to use social media services, relevant electronic services and designated internet services in a safe manner,
• matters relating to material that is accessible to the end-users of social media services, relevant electronic services and designated internet services,

provided it is not prohibited by Part 13 or 15 of the Telecommunications Act 1997 (Cth).

eSafety may also disclose information to an authority if satisfied that the information will enable or assist the authority to perform or exercise any of the authority’s functions or powers, provided the information was obtained as a result of a function or power conferred on the Commissioner under the Act.

Disclosure of personal information outside of Australia

eSafety generally only discloses personal information overseas in order to help us fulfil a regulatory function. The Act lets us provide your information to certain authorities without your consent, including foreign authorities (see relevant information above in this section).

Quality and security of personal information

eSafety takes reasonable steps to ensure the quality of the personal information we collect and disclose is accurate, up-to-date and complete.

eSafety has a range of measures in place to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. These measures include:

• implementing and regularly assessing organisational and technical controls that uphold the security of personal information,
• implementing and reviewing and updating eSafety’s data breach response plan to ensure that eSafety meets its obligations under the notifiable data breach (NDB) scheme under the Privacy Act, and
• undertaking privacy threshold and impact assessments when information handling practices change, or new practices are introduced.

All information collected by eSafety is secured and managed in accordance with the Australian Government’s Protective Security Policy Framework, Information Security Manual and the Archives Act 1983 (Cth). You can find further information at the National Archives of Australia’s webpage for Commonwealth Records Management.

6. Access to and correction of personal information

Under the Privacy Act, you have the right to ask:

• for access to personal information that we hold about you
• that we correct your personal information.

eSafety will consider any request you make to access, or seek the correction of, your personal information within 30 days.

eSafety will take reasonable steps to correct information we hold about you, if we consider it inaccurate, out of date, incomplete, irrelevant or misleading. You may need to demonstrate how your personal information is incorrect.

eSafety will ask you to verify your identity before we give you access to your information or correct it.

To make a request to eSafety for access to your personal information, or to seek correction of your personal information, you may do so via the general enquiry form on our Contact us webpage, or via email to privacy@esafety.gov.au.  

You also have the right under the Freedom of Information Act 1982 (Cth) (FOI Act) to request access to documents eSafety holds. If the information eSafety holds about you is incomplete, incorrect, out-of-date or misleading, you can also ask that it be amended or annotated under the FOI Act. More information about making an FOI request is available at Freedom of information.

7. Making a complaint

eSafety manages personal information in accordance with its obligations and responsibilities under the Privacy Act and APPs.

If you have a complaint about how eSafety has handled your personal information, or that eSafety has breached the APPs, you should outline your complaint in writing and lodge it with eSafety through the general enquiry form on our Contact us webpage or via email to privacy@esafety.gov.au.

eSafety will assess your complaint within 30 days. All complaints will be managed confidentially and in accordance with the Privacy Act.

If you are dissatisfied with the outcome of your complaint or the way in which eSafety has handled your complaint, you may complain to the Office of the Australian Information Commissioner (OAIC). A complaint to the OAIC needs to be made in writing. For more information, see the OAIC’s website.

8. Further information

You can contact eSafety for more information about this privacy policy via the general enquiry form on our Contact us webpage, or via email to privacy@esafety.gov.au.