The cyber.gov.au website (CGA), including the cyber-incident reporting portal, is operated by the Australian Cyber Security Centre (ACSC). The ACSC is part of the Australian Signals Directorate (ASD), an Australian government agency.
This statement explains the type of information that is collected by the CGA, how such information is used, and under what circumstances and to whom it may be disclosed. If you have any concerns, you should direct them to email@example.com.
Rules binding persons accessing data stored on this site
The ACSC staff who operate the CGA are subject to the Intelligence Services Act 2001 and Rules to Protect the Privacy of Australians issued by the Minister responsible for ASD pursuant to that Act. ASD is not subject to the operation of the Privacy Act 1988 when handling the personal information you submit to, or is collected by, CGA.
Information collected through CGA
When you visit CGA, the following information is logged and retained:
- the operating system and browser you are using
- the address of the referring site (the previous site you visited that linked to ours, typically a search engine)
- your IP address (the network address of your internet connection)
- the date and time of your visit
- the pages you visited and files you downloaded.
This information is recorded for statistical purposes and is used by us to monitor the use of the site, and to make improvements.
The Twitter follow button on our contact page also sets a cookie. Details are available from Twitter. The Twitter link in the site footer does not set a cookie.
Personal information submitted through cyber-incident reporting portal
When you make a cyber-crime report through CGA, the ACSC only collects as much personal information as is reasonably necessary to understand the incident that you are reporting. We collect that information so we are able to assess whether your report should be referred to a law enforcement agency or other entity and to enable us to provide the most effective mitigation advice.
Use and disclosure
By submitting a cyber-incident report, you acknowledge your personal information may be provided to other Government agencies and private sector organisations in Australia. These include Australian law enforcement (eg police) and regulatory agencies (eg ACCC) along with relevant companies (eg banks or telecommunications providers). We will only use or disclose your personal information for the purposes of detecting, investigating and preventing criminal activity and analysing cybercrime data. We choose who we share information with carefully and they may change over time.
The cyber–incident reporting portal is not designed for reporting emergencies where an immediate police presence is required. However, if initial analysis of a cyber-incident report indicates there may be an immediate threat to life, the report will be immediately referred to the appropriate police force for priority assessment and appropriate action.
Some of the organisations that we share your personal information with may contact you to gather further information or make further investigations. Any information you provide to those organisations outside the CGA portal is not governed by this Privacy Statement.
In some cases we may need to provide your personal information to overseas law enforcement agencies as part of the criminal investigation process. We may also disclose your personal information to recipients overseas under international agreements that relate to information between Australia and other countries.
Storage of information by ACSC
Personal information that you provide which is held by the ACSC may be stored in cloud storage services operated by third parties, which could be located in Australia or overseas.
You can lodge cyber-crime anonymously if you don’t want to provide us with your personal information. If you make a report anonymously, the ability to investigate your report and take action may be limited. When you make an anonymous report, the ACSC will still collect and retain the statistical information listed above for statistical and analytical purposes and to ensure that malicious reporting can be detected and acted on.