Privacy policy

About this policy

The Department of the Treasury’s privacy policy explains how and why we collect, use, disclose and store personal information.

Our privacy policy also explains how you can:

• access the information we hold about you
• ask for that information to be corrected
• make a complaint about the way we handled your personal information.

Remaining anonymous

Where possible, you can interact with us anonymously or use a pseudonym. But for many of our functions and activities you may be required to give certain personal information.

For example, we will require personal information if:

• you are applying for a job with us or
• we need to confirm your identity for the release of personal information.

Privacy Act

The Privacy Act 1988 (Privacy Act) protects personal information of individuals and requires Treasury to comply with the Australian Privacy Principles (APPs) in Schedule 1 to that Act.

Australian Privacy Principles

The APPs set out standards, rights and obligations around personal information.

Visit the Office of the Australian Information Commissioner (OAIC) website to:

• read more on the Privacy Act
• read more on the Australian Privacy Principles

Personal information

‘Personal information’ is defined in section 6 of the Privacy Act to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and irrespective of the form of the information.

Personal information includes ‘sensitive information’, which is a particular category of personal information.

Sensitive information

We protect all personal information, especially sensitive information.

Sensitive information includes information or an opinion about an individual’s:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership or associations
• sexual orientation
• criminal record
• health
• biometrics.

How we collect personal information

We collect personal information in different ways, including:

• correspondence and submissions
• paper-based forms
• online (website forms, virtual meetings and email)
• phone calls and
• face-to-face meetings.

Treasury may collect personal information directly from you or your representative, for example, your lawyer.

In some circumstances we may also collect information about you from another Australian, state or territory government body, or from another individual or organisation.

Privacy collection notice

When we collect your personal information, we will notify you with a privacy collection notice, if reasonable to do so. This notice will explain any specific privacy practices in more detail.

For example, where we ask you to provide personal information in relation to your employment or in a public submission to a policy proposal, we will provide you with a privacy notice at the time of collection or as soon as practicable afterwards.

These privacy notices explain our personal information handling practices in relation to that particular purpose or activity.

Why we collect personal information

We only collect personal information where that information is reasonably necessary for, or directly related to, one or more of our functions or activities, including to:

• correspond with members of the public or with organisations who wrote to us or our portfolio ministers
• correspond with other Australian Government ministers and agency
• process applications for foreign investment approvals under the Foreign Acquisitions and Takeovers Act 1975
• onboard new employees, contractors or statutory appointees
• manage ongoing staff employment
• facilitate appointments or meetings
• administer programs for which Treasury is the administering agency
• manage our contracts
• administer payments
• undertake public consultation on public policy
• handle complaints, including privacy complaints, and feedback given to us
• process requests under the Freedom of Information Act 1982 and
• undertake our legislative and administrative functions.

Use and disclosure of personal information

We generally only use and disclose personal information for the primary purpose for which we collected it.

We will only use or disclose your personal information for a secondary purpose if you consent or one of the following exceptions applies:

• you would reasonably expect us to use the information for the secondary purpose and the secondary purpose is related (or directly related for sensitive information) to the primary purpose
• it is legally required or authorised, such as by an Australian law, or a court or tribunal order
• it is reasonably necessary for an enforcement-related activity
• we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
• we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
• we reasonably believe that it is necessary to help locate a person who has been reported as missing
• it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
• it is reasonably necessary for the purposes of a confidential alternative dispute resolution process or
• we reasonably believe that it is necessary for our diplomatic or consular functions or activities.

Third party disclosure

The types of parties that we may share your personal information with, or who may collect personal information on our behalf, include but are not limited to:

• other Commonwealth agencies
• Commonwealth ministers and their offices
• suppliers and other third parties with whom we have commercial relationships (for example, for research and programs directly related to one of our functions)
• whole of government suppliers.

We will ensure that appropriate protections of your personal information are in place with these third parties, in accordance with our obligations under the Privacy Act.

Overseas recipient disclosure

We may need to provide your personal information to an overseas recipient as part of our work.

In some cases, we may have to disclose limited personal information to recipients overseas under legislation or international information sharing agreements. This may occur, for example, in relation to a law enforcement matter such as a criminal investigation.

Where there is no requirement for us to disclose personal information to an overseas recipient, we will either seek your consent or amend the information to ensure your personal information is not identifiable.

The most common example of disclosure of personal information overseas will be to arrange overseas deployment or travel for Treasury staff.

Information types we hold

The personal information we collect and hold varies depending on what we need to perform our functions and responsibilities. We may collect:

• your name, address and contact details (for example your phone number or email address)
• information about your identity (such as date of birth, country of birth, passport details, visa details and driver's licence)
• information about your personal circumstances (for example age, gender, marital status and occupation)
• information about your financial affairs (for example payment details, bank account details, and business and financial interests)
• information about your employment (for example applications for employment, work history, referee comments and remuneration) and
• government identifiers.

Generally, we will only collect sensitive information if you have consented and its collection is reasonably necessary for, or directly related to, one or more of our functions or activities or the collection is required or authorised by law.

Protected information

Some personal information we collect may be protected information under other legislation. Protected information is subject to rules for the collection, use and disclosure of information under the relevant legislation.

For example, any information (including personal information) that is obtained under, in accordance with or for the purposes of the Foreign Acquisitions and Takeovers Act 1975 is ‘protected information’ under that Act.

The misuse or mishandling of protected information under the Foreign Acquisitions and Takeovers Act 1975 could constitute an offence under that Act. These rules operate alongside the rules in the Privacy Act.

Our websites

Treasury internally manages several websites in our portfolio. Generally, we only collect personal information from our websites where a person chooses to provide that information (for example, submitting a webform).

Technical information

If you visit our websites to read or download information, we record different technical information which does not reveal your identity.

This information includes:

• your internet protocol (IP) or server address
• your general locality and
• the date and time of your visit to the website.

This information is used for statistical and development purposes.

No attempt is made to identify you through your browser other than in exceptional circumstances, such as an investigation into the improper use of the website.

Third party sites

Treasury websites may link to third party sites, which may include:

• Facebook
• LinkedIn
• Vimeo
• X
• YouTube.

These third parties may capture and store your personal information outside Australia and may not be subject to the Privacy Act in the same way as Treasury or at all.

We are not responsible for the privacy practices of these third parties. We encourage you to examine each party's privacy policies and make your own decisions regarding their reliability.

Cookies

Cookies are used to maintain contact with a user throughout a website session.

A cookie is a small file supplied by Treasury's web server and stored by your web browser software on your computer’s hard drive when you access our websites.

Cookies allow us to recognise an individual web user as they browse our websites. When you close your browser the session cookie set for our websites is destroyed. No personal information is maintained which might identify you should you visit our websites again.

Digital communication

There are inherent risks associated with the transmission of information over the internet, including via email.

You should be aware of this when you send personal information to us via email or via our webforms.

If this is of concern to you then you may use other communication methods, such as post or phone (although these also have risks associated with them).

Treasury only records email addresses when a person sends a message or subscribes to a mailing list.

Storage and data security

We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.

We store all personal information in Australia and take reasonable steps to ensure any third parties with whom we may share personal information in accordance with this policy, also store personal information in Australia.

Treasury will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.

Storage of personal information and the disposal of information when no longer required, is managed in accordance with the Australian Government's records management regime. When the personal information we collect is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order.

Disposal freeze

For example, under the Archives Act 1983, we must maintain personal information that is, or forms part of, a Commonwealth record. We must also maintain records for certain other purposes, including where the National Archives of Australia issues a disposal freeze in response to prominent or controversial issues or events.

Notifiable data breaches

Treasury and its contractors are subject to the Notifiable Data Breaches Scheme under the Privacy Act.

We will act in accordance with the requirements of the scheme and OAIC's data breach preparation and response in assessing and responding to suspected notifiable data breaches.

Where a breach of personal information occurs that is likely to cause serious harm to individuals, we will notify OAIC and affected individuals as required.

We will aim to provide you with timely advice to ensure you are able to manage any loss, financial or otherwise, that could result from the breach.

Accessing and correcting personal information

You have a right to request access to the personal information Treasury holds about you and to request its correction in accordance with APPs 12 and 13 in the Privacy Act.

The Privacy Act permits access to be refused in certain cases, including where an exemption under the FOI Act would apply. There is no charge for making an access or correction request.

For a correction request, where we are satisfied that your personal information is incomplete, incorrect, out-of-date, irrelevant or misleading, we may amend the record.

Where we agree to amend a record, we must, as far as possible, retain the text of the record as it was prior to the amendment. Where an amendment request is refused, we must provide reasons for the refusal and the mechanisms available to you to dispute that decision.

To request access or correction to your personal information held by Treasury, you can contact our Privacy Officer.

We will discuss the nature of your request with you and can give guidance on whether your request is better dealt with under the Privacy Act, the FOI Act or another arrangement. This will likely depend on your circumstances.

For example, for complex access requests, we may suggest that you use the FOI Act instead of the Privacy Act for the following reasons:

• an FOI access request can relate to any document held by an agency and is not limited to personal information
• the FOI Act has a consultation process for dealing with documents that contain the personal or business information of third parties
• the FOI Act includes a right to apply for internal review or Information Commissioner review of an access refusal decision

Proof of identity

In all cases where a request relates to documents that contain your personal information, we will ask you to provide evidence of your identity before we deal with your request.

If you authorise another person to make a request on your behalf, we will ask you for the letter to authorise the request.

If you are seeking documents containing personal information on behalf of another person, we will ask for evidence of both identities, showing clearly that you are the person who is authorised to apply on behalf of the other person.

Acceptable identity documents

Acceptable identity documents include:

• a passport
• an Australian driver’s licence or
• any other official identification in the English language which contains your photo, signature and address.

Certified copies

Copies of identification documents should be certified as true copies of the originals by a person with the power to witness a Commonwealth statutory declaration.

Privacy contact and complaints

Contact our Privacy Officer

You can contact the Privacy Officer if you want to:

• ask a question about our privacy policy, or how we manage personal information
• obtain access to, or seek correction of your personal information held by Treasury
• make a privacy complaint about Treasury
• obtain a copy of this policy in another format.

You can contact the Privacy Officer by:

• emailing privacy@treasury.gov.au
• calling 02 6263 2800
• post to Privacy Officer, General Counsel Branch, The Treasury, Langton Crescent, Parkes ACT 2600.

Privacy complaints

A complaint may be made on behalf of a complainant by a guardian, friend, advocate or family member, but the person acting on behalf of the complainant must have written authorisation and verify their identity.

There are no fees or charges for making a privacy complaint to Treasury. Your complaint should include:

• a brief description of your privacy problem, including:
  • what happened
  • when it happened
• what personal information of yours was affected
• the name of the relevant department area or contact person
• your contact details.

We will use your contact details to contact you about your complaint. Sometimes we may ask you for additional information in order to investigate your complaint. If you do not provide this, it may affect how we handle your complaint.

If we receive a complaint from you we will decide what action, if any, we should take to resolve the complaint.

OAIC complaints

You may also complain to OAIC about how Treasury handled your personal information. Before you can lodge a complaint with OAIC, you will need to first complain directly to us. You must allow us 30 days to investigate, unless OAIC decides that a complaint to the department is not appropriate in the circumstances.

If you do not receive a response after 30 days, or you are dissatisfied with Treasury’s response to your complaint, you may complain to OAIC, and the Commissioner will attempt to resolve the complaint.

---

We review this policy regularly and may update it from time to time.

This policy was last updated on: 9 September 2025