Privacy part B – How we hold information

Personal information collected by us is held in electronic databases. Some personal information is also held in paper files.

The databases maintain audit trails whenever personal information in electronic records is accessed, added, amended or deleted on the database.

A departmental record containing personal information can only be destroyed after it has reached its destruction date as identified in a records authority issued by the National Archives of Australia. When no longer required, personal information is destroyed, in a secure manner, in accordance with Australian Government records management regulations, guidelines and authorities, including the Archives Act 1983, Records Authorities and General Disposal Authorities.

Storage and data security

We developed a Protective Security Policy Framework (PSPF), which includes information security management policies.

The PSPF ensures that:

  • all official information is safeguarded to ensure its confidentiality, integrity, and availability by applying safeguards so that:
    • only authorised people, using approved processes, access information
    • information is only used for its official purpose, retains its content integrity, and is available to satisfy operational requirements
    • information is classified and labelled as required.
  • all information created, stored, processed, or transmitted in or over government information and communication technology (ICT) systems is properly managed and protected throughout all phases of a system's life cycle, in accordance with the protocols and guidelines set out in the PSPF, which includes the Australian Government Information Security Manual, produced by the Australian Signals Directorate.

The following is a brief summary on our current practices and procedures in storing and securing data:

  • access to information collected from clients is restricted to authorised persons on a need to know basis
  • our internal networks and databases are protected using firewall, intrusion detection and other technologies
  • applications made using online services and e-services sections of our website are encrypted
  • paper files containing sensitive information are protected in accordance with Australia Government Security policy and secured in locked cabinets, Australian Government-approved security containers or Secure Rooms with restricted access
  • our premises are under 24-hour surveillance and access is via security passes only, with all access and attempted access logged electronically
  • we regularly conduct system audits and staff training to ensure we adhere to our established protective and computer security practices.

Site visit data

A record of each visit to our site is logged. Information is recorded for statistical purposes and is used by us to monitor the use of the site, discover what information is most and least accessed and to make the site more useful.

The information we log when you access our website includes:

  • your IP or server address
  • the date and time of your visit to the site
  • the pages or files accessed by you
  • your operating system
  • your web browser version and type
  • the time taken to transmit the information to you
  • the previous internet address from which you were referred to our website.
  • The information we collect is analysed to show broken links on our website, bottlenecks, and other site problems. We use this information to maintain the site for efficient use. We might also collect information about the IT device you use. This information could be used to identify you to assist us to carry out our functions and activities.


    We use cookies for maintaining contact with a user through a website session. A cookie is a small file supplied by us, and stored by the web browser software on a person’s computer when they access our site. An explanation of what cookies are and how they work can be found at the site of the Privacy Commissioner. Cookies allow us to recognise people as individual web users as they browse the website.

    Two cookie types may be used by our website - session cookies and persistent cookies.

    Session cookies

    These exist only for the duration of a web browser session with a particular website/host. All cookies will be immediately lost when a person ends their internet session or shuts down their computer. Our copy of each user’s information will be automatically deleted twenty minutes after they have last used the system. This information is only used to help people use our website systems more efficiently, not to track their movements through the internet, or to record personal information about them.

    Persistent cookies

    These files stay in one of a user’s browser subfolders until that person deletes them manually or their browser deletes them based on the duration period contained within the persistent cookie’s file (usually beyond the termination of the current session).

    No personal information is stored within cookies used by our website. No attempt will be made to identify anonymous users or their browsing activities unless legally compelled to do so, such as where a law enforcement body exercises a warrant to inspect the Internet Service Provider's log files.