Skip to Content
 Close search

Privacy policy

Privacy Policy

The Productivity Commission (the Commission) has adopted a layered policy format designed to assist you to access the information you need easily and as quickly as possible.

Expand allCollapse all

Part A

A summary of key points in relation to the Commission’s privacy practices including how you can access your personal information and seek its correction, and how to make a complaint about the way we have handled your personal information.


The purpose of this policy is to:

  • clearly communicate the personal information handling practices of the Productivity Commission (the Commission)
  • provide individuals with a more complete understanding of the sort of personal information the Commission holds, and the way we handle that information.

The Privacy Act

The Privacy Act 1988 (the Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies, and other organisations, handle personal information.

The Privacy Act includes the Australian Privacy Principles (APPs). These set out standards, rights, and obligations in relation to handling, holding, accessing, and correcting personal information.

Detailed information on the Privacy Act can be found on the Office of the Australian Information Commissioner (OAIC) website.

What is ‘Personal Information’?

Personal information is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or not (s 6(1)).

Sensitive information is a class of personal information which includes information about an individual’s:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record
  • health information (including information, or an opinion about, the health, illness, disability, or injury of an individual)
  • biometric information (including an electronic copy of an individual’s face, fingerprints, signature, or voice) that is used for automated biometric verification or identification.

Anonymity and pseudonymity

In general, you have the right to interact anonymously or pseudonymously with the Commission. There are circumstances, however, where it is impractical for us to deal with individuals without knowing their identity.

If you are seeking information of a general nature from us, it is unlikely that you will be required to provide your real identity for that purpose. However, without knowing your real identity, the type of information we are able to provide to you may be limited.

Before disclosing confidential or personal information, we will need to establish your identity. In part, this is for the purpose of protecting against the unauthorised disclosure of personal information. Similarly, if you are seeking information about specific circumstances, we may be unable provide information without knowing the specific details of your request (which may require that you disclose your identity to us).

Access and correction

You have the right to request access to the personal information about you that we hold, and you may also request that we correct that personal information.

APPs 12 and 13 in the Privacy Act provide individuals with a right of access to and correction of personal information held by an agency. Similar rights also exist under the Freedom of Information Act 1982 (FOI Act).

Whenever possible, the Commission will provide access to, and correction of, personal information without the need for formal procedures under the legislation.

If you request access or correction, we will provide access or correct the information unless there are valid reasons for not doing so under the Privacy Act, the FOI Act, or another relevant law. If we do not provide you with access or we do not make requested changes, we will notify you of the reasons for not doing so and we will also notify you of your review rights.

If you wish to request access or correction, please contact the Commission’s Privacy Contact Officer using the details in the Contact Us below.

Evidence of identity

In all cases where a request relates to documents that contain your personal information, we will ask you to provide evidence of your identity before we deal with your request. Your request should include a physical address whenever possible, as we prefer to forward documents containing personal information to you by registered post rather than email.

If another person has authorised you to make a request on their behalf, we will ask you for the letter authorising you to make the request. If you are seeking documents containing personal information on behalf of another person, we will ask for evidence of both identities, showing clearly that you are the person who is authorised to apply on behalf of the other person.

Acceptable identity documents include: a passport, an Australian driver’s licence or any other official identification in the English language which contains your photo, signature, and address. Copies of identification documents should be certified as true copies of the originals by a person with the power to witness a Commonwealth statutory declaration.


If you believe the Commission has mishandled your personal information you may submit a complaint to us.

Complaints must be in writing to the Privacy Contact Officer at the email or postal address provided in the Contact Us below.

Your complaint should include a description of your privacy concern, including:

  • what personal information of yours was affected
  • what happened
  • when it happened
  • the relevant Commission work area or contact person (if known)
  • your contact details.

We will use your contact details to contact you about your complaint. Sometimes we may ask you for additional information in order to investigate your complaint.

If you do not provide your contact details, we may not be able to fully investigate and respond to your complaint.

We will respond to complaints within 30 days of receipt. If you are dissatisfied with the Commission’s response to a complaint, you may complain to the OAIC - an independent external body.

Part B

How the Commission collects, holds, uses, and discloses personal information in relation to its main activities and functions.

How we collect personal information

We collect and hold a range of personal information in records relating to:

  • the performance of legislative and administrative functions, including the conduct of public inquiries and research
  • public awareness, including when people ask to be on an email or mailing list so we can send them information about our activities and publications
  • human resource management
  • financial management
  • correspondence from members of the public or organisations
  • complaints (including privacy complaints and competitive neutrality complaints)
  • requests made to the Commission under the FOI Act.

We collect this information in a variety of ways including via:

  • correspondence and submissions
  • paper based forms
  • online (web- based forms and email)
  • phone calls
  • face to face and online meetings.

We often collect personal information directly from you or your authorised representative however, in some circumstances, we may also collect information about you from another Federal, State or Territory government organisation, or other organisation.

We only collect personal information where that information is reasonably necessary for, or is directly related to, one or more of our functions and responsibilities or the collection is required or authorised by law.

Types of information we hold

The personal information we collect, and hold varies depending on what functions or activities we need to perform. It may include:

  • your name, address and contact details, for example your email address and phone number, information about your identity, for example, birth certificate, passport details, driver’s licence
  • next of kin or designated emergency contacts
  • photograph(s)
  • your signature
  • information about your personal circumstances for example, gender, age, and occupation
  • financial information for example, your payment and bank details and remuneration
  • information about your employment, for example, work history, applications for employment, and referee comments
  • government identifiers, for example your Tax File Number.

Sensitive information

We may also collect and hold sensitive information about you including information about:

  • your health, including any illness, disability, or injury you might have
  • your racial or ethnic origin
  • any criminal record you may have
  • your membership of a trade union, professional or trade association
  • sexual orientation or practices.

Data quality

We take reasonable steps to ensure that the personal information we collect is accurate, up-to-date, and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times, as necessary.

Data security

We take reasonable steps to protect the personal information we hold against interference, loss, unauthorised access, use, modification or disclosure, and other misuse, in line with the Australian Protective Security Policy Framework (PSPF).

These steps include multi-factor authentication for accessing our electronic IT systems, securing paper files in locked cabinets, and implementing physical access restrictions. In addition, we also manage personal information in accordance with our records management policies and procedures.

When no longer required, personal information is destroyed in a secure manner, or deleted in accordance with the Archives Act 1983.

How we handle specific types of files that contain personal information

Contact and mailing list records

Several areas in the Commission maintain contact and mailing lists. These include contact information about individuals who may have an interest in receiving information about one or more of the Commission’s functions and activities.

The personal information recorded may include:

  • names
  • email addresses
  • agency, organisation, or department details
  • APS employees’ APS classification level
  • postal addresses
  • telephone numbers.

This personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information. Information in electronic records is maintained on the Commission’s information and communications technology (ICT) infrastructure in accordance with the Commission's ICT security policies and practices.

The purpose of the contact lists maintained by the Commission is to distribute information to, and communicate with individuals about our activities, and publications. Personal information is collected, held, used, and disclosed only for these purposes.

We do not give personal information about an individual to other agencies, organisations, or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

We maintain and update personal information in our contacts lists when we are advised by individuals that their personal information has changed. We will remove contact information of individuals who advise us that they no longer wish to be contacted.

Personnel records

The Commission maintains personnel records about current and former Commission employees.

The personal information in these files relates to individual employees and may include:

  • records relating to attendance and overtime
  • leave applications and approvals
  • medical certificates and other health related information
  • disability status
  • racial or ethnic origin
  • contracts and conditions of employment
  • payroll and pay related records, including banking details and superannuation contributions
  • tax file numbers and declaration forms
  • declarations of pecuniary interests
  • personal history files
  • citizenship information
  • performance appraisals
  • records relating to learning and development activities
  • completed questionnaires and personnel survey forms
  • records relating to personal welfare matters
  • next of kin details
  • copies of academic qualifications
  • information about criminal records
  • information relating to character checks and security clearances.

Records relating to recruitment may also include:

  • applications for employment, including résumé(s), statement(s) addressing selection criteria and referee reports
  • information relating to relocation of staff and removal of personal effects.

A smaller number of records relate to information about:

  • accidents and injuries
  • compensation cases
  • workplace rehabilitation
  • counselling and discipline matters, including disciplinary, investigation and action files and legal records
  • complaints and grievances.

Information in personnel records is usually collected directly from individuals when they are engaged by the Commission or when they transfer to the Commission from another APS agency.

The Commission may also collect personal information from third parties where the individual has consented to such collection or would reasonably expect the Commission to collect the personal information in this way (for example, from recruitment agencies or from referee reports).

Some information is generated over the course of an employee's time working at the Commission.

Personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information.

Information in electronic records is maintained on the Commission ICT infrastructure in accordance with the Commission's ICT security policies and practices.

The Commission’s payroll and some other HR functions including leave management, are undertaken by Commission staff using cloud-based software contracted from an external provider (Aurion). As such, personal information relevant to these functions is disclosed to Aurion.

Purposes for which information is collected, held, used, and disclosed

The purpose of personnel records is to maintain employee information for business and employment related purposes, or where authorised or required by law. As an employer, the Commission must comply with a range of legal requirements relating to employment, including work health and safety, taxation, and superannuation legislation.

Personal information may be disclosed, where appropriate, to Comcare, Commonwealth Medical Officers, superannuation administrators, the Australian Taxation Office, and other regulatory bodies.

When an Australian Public Service (APS) employee transfers to another APS agency, personal information is disclosed to the receiving agency for the purpose of the receiving agency's personnel management functions.

Contractors and consultancies

The Commission maintains various administrative and corporate services records. These include records about individuals and organisations the APS may engage with for a range of administrative purposes.

Personal information about contractors and consultants is collected to enable the proper and efficient management of expenditure on external services providers.

Personal information contained in these files may include:

  • names
  • contact details, including postal and email addresses and telephone numbers
  • curriculum vitae
  • skills, qualifications, and experience
  • fees, rates, and charges
  • references
  • business structure and financial information
  • performance evaluations.

Information about contractors and consultants is usually collected directly from individuals or their employers. In some cases, referees may provide the Commission with information about a contractor or consultant. Sometimes we collect personal information from a third party or from a publicly available source such as a website or telephone directory. We usually only collect personal information in this way if the individual would reasonably expect us to or has given their consent.

Personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information.

Information in electronic records is maintained on the Commission’s ICT infrastructure in accordance with the Commission's ICT security policies and practices.

Financial management records

The purpose of these records is to comply with legislative requirements in respect of financial management, the recording of transactions and to support financial planning and budgeting.

Personal information contained in these records may include:

  • names
  • contact details, including postal and email addresses and telephone numbers
  • bank account details
  • employee pay information.

Personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information.

Some of this information may be disclosed as required to the Department of Finance, the Australian National Audit Office, the Australian Government Solicitor, and the Commission’s auditors who are staff from external accounting firms contracted to undertake this work.

Inquiry and research files

The purpose of these records is to record details relating to public inquiries, studies and supporting research. Personal information may be collected when an individual takes part in a Commission public inquiry, study or supporting research and provides personal information as part of those activities. (Note: generally, research data being analysed is in a de‑identified form.)

Personal information recorded may include names and contact details including telephone numbers and email addresses.

All personal details are removed from submissions to public inquiries before they are published on our website.

Personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information.

Competitive neutrality complaints files

The purpose of these files is to document complaint queries and record details of investigations relating to competitive neutrality.

Records are mainly of organisations and companies but may include some information about individuals. This may include names, occupation, and contact details, including addresses, telephone numbers and email addresses.

Personal information may also include files relating to interviews, meetings, telephone discussions and correspondence between applicants, Commission staff and other interested parties in relation to competitive neutrality issues.

Personal information is maintained on paper and electronic files and access is restricted to Commission employees whose duties require access to the information.

Part C

Our personal information handling practices when you visit our website or communicate with us via email or social networking services and also about the Commission’s Privacy Impact Assessment Register (PIA).

Our website

Generally, we only collect personal information from our website where a person chooses to provide that information.

The Commission's web server makes a record of each visit to the site and logs the following information for statistical purposes:

  • the user's Internet Protocol (IP) address
  • the user's top level domain name (e.g. .com, .gov, .au, etc.)
  • the date and time of the visit to the site
  • the pages accessed and documents downloaded
  • the previous site visited
  • the type of browser used.

These logfiles are used for statistical purposes to help improve the services offered on our website and to diagnose any problems with our server. No attempt will be made to identify individual users or their browsing activities except, in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect our logfiles.

When an attempt is made to 'hack into' the Productivity Commission's internal network, the user's Internet Service Provider (ISP) and relevant law enforcement agencies may be notified.


The Commission's website uses temporary web browser cookies to enable better analysis of user navigation patterns and to provide additional information to our web usage analysis software. These cookies can be blocked by users without affecting interaction with the site.

Information security

Our site has security measures in place to protect the loss, misuse, and alteration of the information under our control.

Users of our site should also be aware of the inherent security risks associated with transmission of personal information over the Internet and bear this in mind when deciding whether to use the electronic communication facilities available on our site or use more conventional means (telephone, or via post).

Our site contains links to other websites. The Commission is not responsible for the content and privacy practices of these third parties.

Social networking services

We may use social networking services such as LinkedIn, Facebook, and Twitter. When you communicate with us using these services, we may collect your personal information. No attempt will be made to further identify individuals except where authorised or required by law.

These services have their own privacy policies, which can be accessed on their websites. The Commission is not responsible for the privacy practices or content of these services.

Privacy Impact Assessment Register

The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) the Privacy Code requires that all agencies, including the Commission, must conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects.

A project may be a high privacy risk project if the Commission considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. The Commission is also required to conduct a PIA if directed to do so by the Office of the Australian Information Commissioner (OAIC).

The Commission, as required, maintains a register of all PIAs it conducts, and this is published on our website. Read the Privacy Impact Assessment Register section below for more information.

Contact us

If you wish to:

  • ask questions or provide comment about this policy
  • obtain access to, or seek correction of your personal information
  • make a complaint about how we have handled your personal information.

You can contact us via email or post as follows.



Privacy Contact Officer
Productivity Commission
Locked Bag 2, Collins St East
Melbourne VIC 8003

Privacy Impact Assessment Register

Under the Privacy APP Code 2017 , the Commission must conduct Privacy Impact Assessments (PIAs) for high privacy risk projects that involve new ways of handling personal information which may significantly impact an individual’s privacy.

A PIA is a systematic assessment of a project that identifies the impact it might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.

This register sets out the PIAs completed by the Commission since the APP Code 2017 came into force on 1 July 2018.

If you require further information, please contact the Commission’s Privacy Contact Officer at

Privacy Impact Assessment Register

Date CompletedProject

27 August 2021

Migration of Aurion to the AWS Cloud