Last updated: 10 November 2020

About this policy

The Privacy Act 1988 (the Privacy Act) requires entities bound by the Australian Privacy Principles (APPs) to have a privacy policy. This privacy policy outlines the personal information handling practices of DHA, as an entity bound by the Privacy Act.

When used in this privacy policy, the term ‘personal information’ has the meaning given to it in the Privacy Act. In general terms, it is any information that can be used to personally identify you. This may include your name, address, telephone number, email address and profession or occupation. Where the information has been permanently de-identified, the information is no longer considered personal information.

‘Sensitive information’ is a subset of personal information as defined in the Privacy Act, and includes certain categories of personal information, for example health information, political opinions or associations, information about racial or ethnic origin, and sexual orientation. There are additional rules in the Privacy Act about how sensitive information must be handled, including that we must obtain your consent to collect and use your sensitive information.

This policy covers personal information relating to:

  • members of the Defence Force and their families
  • investors and tenants
  • an agent or representative of a person whose personal information may be given to or held by us
  • current, former or prospective employees of DHA
  • employees of contractors, consultants, suppliers and vendors of goods or services to DHA and our customers
  • any other individuals whose personal information may be given to or held by us in connection with our business functions and activities either directly or indirectly related to providing adequate and suitable housing to members of the Defence Force and their families.

Collection and use

We may collect and hold the following types of personal information about you, depending on the purpose for which we are collecting information from you:

  • information to identify you, including your name, date of birth, or photo identification documentation such as passport or driver’s licence details
  • contact details such as your email address, postal and/or home address and phone numbers
  • profession, qualifications, licenses or certificates, occupation or job title, work location and rank
  • dependant information, including gender and date of birth (if applicable)
  • special needs information, including health information, relating to you and/or any of your dependants (if applicable)
  • financial institution/bank details
  • details of shareholdings or other financial or beneficial interests
  • employee information, such as tax file number (in accordance with the Privacy (Tax File Number) Rule 2015 (TFN Rule)), salary and entitlement information, medical certificates, referees, declared conflicts of interest, and emergency contact details
  • information to assess your suitability for a job vacancy, such as your education and employment history
  • any other personal information you include in any form or other document you provide to us.

Purposes for which we use personal information

DHA will only collect, hold, use and disclose personal information for purposes that are directly related to, or reasonably necessary to enable us to perform, our functions as prescribed in the Defence Housing Australia Act 1987 (DHA Act), including:

  • to verify your identity
  • to contact you in response to an enquiry by you about our products or services
  • to perform our business activities and functions
  • to provide you with access to any protected areas of our website
  • to present you with personalised housing options that meet your requirements
  • for recruitment and personnel management purposes (in relation to DHA employees and potential employees)
  • for marketing (including direct marketing), planning, product or service development, quality control or research purposes for us and our related bodies corporate, contractors or service providers
  • to enable our related bodies corporate, contractors, sub-contractors, consultants or service providers to deliver services to us or on our behalf in relation to our main function
  • in the course of handling and resolving a complaint, to the extent that is necessary for us to investigate your complaint
  • to respond to any communications from you (including via social media)
  • for work health and safety purposes
  • to comply with any law, regulation or binding decision of a regulator.

In most cases your personal information will only be used for the primary purpose for which it was collected. In certain circumstances, DHA may use or disclose your information for a different purpose (the secondary purpose), such as where you have consented or would reasonably expect DHA to use or disclose the information for a secondary purpose, and/or the secondary purpose is:

  • related to the primary purpose for which the information was collected (or in the case of sensitive information, directly related to the primary purpose)
  • required or authorised under Australian law or has been ordered by a court or tribunal
  • reasonably necessary for enforcement-related activities.

How we collect your personal information

We will generally collect your personal information directly from you unless it is unreasonable or impracticable to do so. When collecting personal information from you directly, it will generally be:

  • through your registered access and use of our online portals
  • when you make an enquiry or complete an application
  • during conversations between you and our employees
  • via telephone, online or paper-based surveys conducted by us or a representative or service provider of DHA
  • when you enter into a contract with us (for example, to purchase or lease a property or provide a service to us or on our behalf)
  • when you attend one of our locations such as an office or construction site where we may have security cameras in operation (clearly identified with signage).

We will also collect your personal information from a third party with your express or implied consent, or where we are required or authorised to do so by or under an Australian law or a court/tribunal order. For example, we collect personal information:

  • from the Department of Defence and its contracted providers in relation to your housing entitlements and requirements
  • from any regulator
  • from someone authorised to act or provide personal information on your behalf (e.g. your legal representative or financial adviser)
  • from credit reporting agencies, law enforcement agencies and other government entities
  • from past employers or referees.

When we collect your personal information, we will take reasonable steps to ensure you are informed about why we are collecting your personal information, and any other relevant matters in relation to the circumstances of that collection, such as who we plan on disclosing the information to (where relevant). We will provide this information at the time of collection where practicable.

Online platforms - use of our website and online portals


A cookie is a short piece of data which is sent from a web server to a web browser on the user's computer or device when the browser visits the server's website and is stored on the user's computer or device. Cookies do not collect personal information. If you do not wish to receive cookies, you can set your browser so that your computer does not accept them. Cookies are used for authentication into Online Services, analysis and marketing purposes.

Google Analytics

We use Google Analytics to collect information about visitors to our website to better understand how our website is used and to improve user experience. Google Analytics may collect your server address, browser type, version and language, operating system, pages viewed and documents downloaded, page access times and referring website addresses. No attempt will be made to identify you based on this information except in the unlikely event of an investigation by a law enforcement agency or where we are required to do so by court/tribunal order. Google Analytics does not track activity within the Online Services section of our website.

Online surveys

We may use third party software suppliers to administer online surveys. Our suppliers may use third party cookies. The information collected by these cookies is not capable of identifying you and is only used to ensure our surveys run smoothly. We will only use the information collected from the surveys for statistical and maintenance purposes.


We collect data about your activities when you visit our website where we display advertisements (“Publishers”) to serve you more relevant advertisements (referred to as “Retargeting”). The data collected is anonymised and cannot be associated with or used to identify you as an individual.

You may opt out of the automated collection of information by third-party ad networks for the purpose of delivering advertisements tailored to your interests, by visiting the Network Advertising Initiative opt out page. Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page.

Links to external websites

Our website may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third party website and we are not responsible for the privacy policies or the content of any third party website. Third parties whose websites have been accessed via our website are responsible for informing you about their own privacy practices.

Social networking services

We use social networking services such as Twitter, Facebook, YouTube, LinkedIn and Instagram to communicate with the public. When you communicate with us using these services we may collect your personal information. However, we only use it to communicate with you on these public forums, or directly if we need to specifically respond to a question or statement you posed. The social networking services will also collect your personal information for their own purposes. These sites have their own privacy policies.

Direct marketing

We may send you direct marketing communications and information about our services when we consider that you would reasonably expect us to use your personal information for the purpose of direct marketing, for example when you have provided your consent or we have notified you that you may receive direct marketing upon collection of your personal information. These communications may be sent in various forms, including mail, SMS and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth) and may be sent via a representative, or service provider of DHA.

If you indicate a preference for a method of communication, we will endeavour to use that method whenever practicable to do so. In addition, at any time, you may opt-out of receiving marketing materials from us by contacting us (see the details on the right under 'contacting us') or by using opt-out facilities provided in the marketing communications. We will then remove your name from our mailing list. We do not provide your personal information to other organisations for the purposes of their direct marketing.


We may disclose your personal information:

  • to related bodies corporate, contractors or service providers who perform services on our behalf in connection with our business and functions
  • to other Commonwealth or State government agencies or other entities as required or authorised by or under applicable laws or rules, such as the Privacy Act, the DHA Act and the Public Governance, Performance and Accountability Act 2013
  • to your nominated representative with your permission
  • to other individuals or entities with your consent or when you would reasonably expect us to make such a disclosure in relation to our business functions and activities as outlined in other sections in this policy.

Use of contractors and consultants

DHA uses contractors, sub-contractors, consultants and outsourced service providers to undertake certain business functions and activities on our behalf, for example housing maintenance, marketing, data analysis and research activities. This may involve disclosing your personal information to those providers for the purposes of performing the relevant services.

Personal information about you may be provided to a contractor or service provider when necessary to deliver our services via DHA’s Online Services.

Sometimes DHA engages recognised professional or expert advisors from outside DHA, including legal advisers to whom your personal information may be disclosed. We will only do this for a purpose that is directly related to, or reasonably necessary to enable us to perform our functions.

To protect the personal information we provide to third party contractors, we take contractual measures to ensure the contractor and its employees comply with the Privacy Act and the APPs, and only handle the personal information for the purposes of the contract.

Overseas disclosure

DHA may disclose your personal information to third party providers, who may operate an overseas contact centre to manage appointments. DHA takes reasonable steps to ensure that third party providers who may utilise overseas contact centres, as recipients of your personal information, do not breach the APPs when handling your personal information.

Your personal information will not be disclosed overseas other than as described in this privacy policy, without your consent.

Security and storage

Personal information collected by us is securely stored electronically on DHA’s IT systems, backup servers and on third party provided long term cloud tertiary storage. DHA undertakes Security Risk Assessments before engaging third party service providers to ensure compliance with relevant data protection legislation. In some limited cases, we may also hold your personal information on securely stored paper files.

We take reasonable steps to ensure your personal information is protected from misuse, interference, loss and from unauthorised access, modification or disclosure.

DHA regularly assesses the risk of misuse, interference, loss and unauthorised access, modification or disclosure of information. To address these risks, DHA keeps an electronic record (audit trail) of when someone has added, changed or deleted personal information held in our systems and reviews, when required, that staff only access those records when they need to for business-related purposes.

You should be aware that there may be inherent risks associated with the transmission of information over the internet. If you are submitting personal details or other information over the internet which you wish to remain private, please note that, while all attempts are made to secure information transmitted to this online platform, there is a possibility that information you submit could be observed by a third party while in transit.

DHA may also utilise third party providers that may be based overseas for the purposes of personal information collection and storage, for example cloud storage. Wherever possible, DHA engages cloud storage providers that store data in Australia. However, in the event that DHA engages a third party provider that utilises overseas data storage facilities to facilitate collection or storage of personal information, DHA will take reasonable steps to ensure that the third party provider and any of its subcontractors are contractually or otherwise legally obliged to only handle the information for the limited purpose of storing information.

Retention of personal information

We aim to keep personal information only for as long as we need to comply with the law. When we no longer need personal information and are lawfully able to do so, we take reasonable steps to destroy or de-identify it. Personal information collected by DHA may become part of a Commonwealth record. DHA must retain your personal information held within Commonwealth records in accordance with the Archives Act 1983 (the Archives Act). For more information about how the APPs intersect with the Archives Act, please visit the relevant page on the National Archives of Australia website.

Access and correction

You have a right to access your personal information unless we are entitled to refuse access on grounds permitted under the Privacy Act. This includes where such refusal is required or authorised by the Freedom of Information Act 1982 (the FOI Act) or another Commonwealth Act providing for access to documents or information.

You may also request us to correct any personal information that you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to make that correction upon being satisfied that the information is inaccurate, out of date, incomplete, irrelevant, or misleading. It is useful if you provide information and details to support your request.

You can request access to, or correction of the personal information we hold about you by contacting us via our contact details on the right. We may ask you to verify your identity before we give you access to your information or correct it. If we do not give you access to your personal information or decide that we will not correct your personal information, we will provide you with written reasons for our decision. We will endeavour to respond to your request within 30 days of receiving it. If there may be a delay in responding to your request, we will contact you to advise you.

We will not charge you for providing access to, or correcting your personal information.

The FOI Act also provides mechanisms for seeking access to, and the correction of, your personal information. For further information about making an FOI request to DHA please go to our Freedom of Information page.

Privacy complaints

We recognise the importance of protecting your personal information. If you believe that we have breached our obligations under the Privacy Act in handling your personal information, you may contact us via our contact details on the right.

On receiving your complaint, we will investigate your complaint within a reasonable time. We will deal with your complaint confidentially. As part of that investigation, we may ask you for further information and may also ask you to provide us with details of your complaint in writing so that we can better understand the precise nature of your complaint.

Our Privacy Team will assist you with your complaint. In most cases, a member of our Privacy Team will respond to you in writing (by letter or by email). If you believe that the Privacy Officer’s decision or response is not correct or appropriate, you may provide details of the claimed deficiency and ask the Privacy Officer to further consider the issue. After the Privacy Officer further responds, and if you remain unsatisfied, you may escalate the matter to DHA’s General Manager, Governance.

Under the Privacy Act, the Australian Information Commissioner has the authority to investigate complaints, or acts or practices that may be a breach of privacy even if there is no complaint. If you make a complaint to DHA about a DHA practice which you think amounts to an arbitrary or unreasonable interference with your privacy and you do not believe that the matter has been resolved satisfactorily, you can write to the Office of the Australian Information Commissioner (OAIC), preferably using the online Privacy Complaint form available on the OAIC website (see link in 'Further reading' on the right).

Contacting us

If you have any questions about your personal information or this privacy policy, please contact our Privacy team using the details set out below.

By post:
Privacy Officer
Privacy and FOI Team
PO Box 4923
Kingston ACT 2604

By telephone:
13 93 42

By email:

Changes to our privacy policy

We may change this privacy policy from time to time. Any updated versions of this privacy policy will be posted on our website.

This privacy policy was last updated on 10 November 2020.

Download the PDF version of our privacy policy (PDF 415kb).

Further reading

Privacy Impact Assessment (PIA) Register

In accordance with the Privacy (Australian Government Agencies - Governance) APP Code 2017 (the Privacy Code), DHA publishes a summary of all Privacy Impact Assessments (PIAs) undertaken from 1 July 2018 on its PIA Register.