Privacy Statement

The Digital Transformation Agency (DTA) is an Australian Government entity. The DTA is legally required to comply with:

  • the obligations under the Privacy Act 1988 (Cth) applicable to agencies
  • Australian Government Agencies Privacy Code 

This statement applies to the personal information collected, used and disclosed by the DTA as part of administering Notify. It sets out each type of personal information that we collect and the primary purpose for which we collect that information. You should note that the Privacy Act 1988 (Cth) also allows us to use or disclose your personal information for other purposes.

DTA also has a general Privacy Statement that applies to the DTA as a whole. It includes information about:

  • the use of cookies by the DTA
  • surveys conducted by the DTA
  • how to contact DTA if you have a privacy question or issue that does not relate to Notify

Personal information and sensitive information have the meaning given in the Privacy Act 1988 (Cth). The broader term information should be read as pertaining to both. Other bolded words are defined in the Terms of Use.

What information is collected?

Collection of information about users

We collect the following personal information when users sign up to Notify on behalf of government service entities:

  • your name (first name and surname)
  • your email address
  • your mobile phone number
  • a password for you to use to access the service

Collection of user's customer information

You will likely upload personal information about your customers to Notify. This information will form the basis of the messages you are sending, for example, your customer’s names, appointment times and locations, status of their applications etc.

You may also upload sensitive information to Notify, with examples including:

  • one-time access links to online services
  • authentication codes used in two-factor authentication

Why is this information collected?

We require your information to ensure only legitimate users of Notify can use it to send notifications.

We use your information to check that you are allowed to access Notify and to record your activity when using it.

We will not:

  • sell or rent your information to third parties
  • share your information with third parties for marketing purposes

We will share your information if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

We collect these details so that we can:

  • personalise Notify for you
  • enable you to test notifications by sending emails and text messages to yourself
  • enable you to use two-factor authentication to log into Notify
  • get in contact with you about your usage of Notify

How is this information collected?

Information is collected from users through account registrations and uploads submitted to Notify servers.

During beta for Notify we may be running software on our website that generates usability insights to be captured. We do this for the purpose of understanding what we can improve in Notify. The software tracks mouse paths, clicks, and a variety of other interaction types on Notify.

We will not let the software capture any personal information that you have not explicitly and knowingly submitted, including your name, email address, phone number or password, or any user data you upload to Notify.

Notify uses cookies to remember you once you have logged in and to ensure that your information is kept secure while using the service. The Notify session cookie expires after 8 hours of inactivity. For more information see cookies.

You may contact us to receive more information about how we use these tools to improve Notify. 

How is the information held?

User personal information collected through Notify is normally retained by the Notify team for a period of at least six months, past the end of its required business use. The end of its required business use is marked by you asking for your account to be deleted. This is to allow review of completed processes, internal auditing, complaint management, quality assurance and business improvement.

Customer information is deleted automatically after 7 days.

As a government agency, the DTA is also required to comply with the Archives Act 1983 (Cth). This means that the DTA can only delete or amend records where this is consistent with the Archives Act 1983 (Cth). Information about the DTA's activities, including the personal information referred to in this privacy statement, is generally retained with the DTA's record management system for 7 years. Some records may be retained for a longer period.

Access to your personal information is restricted to service providers and personnel employed by or contracted to the DTA who need it to provide services to you.

Telecommunications providers will also delete information sent using Notify after 7 days unless they are required by law to retain the information.

Logs of the messages sent will be stored indefinitely. While the information that is included in the message can be purged after sending, the recipient detail (either phone number or email address) will be kept in the logs. If you do not want Notify to keep copies of the variable information you have used to fill in a template that has been sent, you can configure Notify so that it does not store these details.

How is the information protected?

We are committed to doing all that we can to keep your information secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the information we collect about you – for example, we protect your information using varying levels of encryption. We also make sure that any third parties that we deal with have an obligation to keep all personal information they process on our behalf secure.

The Notify domain is hosted in Australia in secure, government accredited facilities. We apply a range of security controls to protect Notify from unauthorised access, as described in our security statement (TBA).

What are my rights relating to disclosed information?

At any time, you may:

  • request access to personal information about you that we hold.
  • request the removal of personal information about you that we hold. To the extent possible, with reference to the Archives Act 1983 (Cth), the DTA will comply with this request where it does not impact the ongoing utility of Notify and its related activities.
  • ask us to correct your personal information if you find that it is not accurate, up-to-date, or complete.
  • make a complaint about our handling of your personal information.

How we deal with requests or complaints

You can submit requests or complaints to us by email or post, see Contact us for details.

We undertake to respond within 30 days. If the request or complaint will take longer to resolve, we will provide you with a date by which we expect to respond.

If you are not satisfied with how we have dealt with your complaint you can also submit a complaint to the Office of the Australian Information Commissioner (OAIC).

Children’s privacy protection

We understand the importance of protecting children’s privacy online. Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain information about anyone under the age of 13.

Contact us

You can contact the Notify team by email or post:

Position title: Product Manager, Notify

Postal address:

  • Notify
  • c/o Digital Transformation Agency
  • PO Box 457
  • Canberra City ACT 2601


If you contact us via the Notify website, our support email or another channel, we will collect any name or contact details that you provide.

This information is collected and disclosed for the purposes of responding to your feedback or request. For example, we may disclose it to another person within your agency if your enquiry relates to an existing Notify account in use by staff at your agency.

Last Updated: 06/05/2020