Office of the Migration Agents Registration Authority

Privacy Policy

This privacy policy applies to personal information collected by the Office of the Migration Agents Registration OMARA (the “OMARA”). The OMARA is bound by provisions relating to the collection, use and disclosure of personal information by various Commonwealth laws – particularly the Migration Act 1958 (Cth) (the “Migration Act”) and the Privacy Act 1988 (Cth) (the “Privacy Act”).

This privacy policy is an overview, and does not provide details about all of the OMARA’s personal information management practices, procedures and systems. Further information can be obtained from the Department of Home Affairs (the Department) privacy policy at the Department’s webpage. 
Department of Home Affairs Privacy Policy

The OMARA’s role

The key objectives of the OMARA are to ensure that:

  • consumers understand their rights and agents understand their obligations under the regulatory framework;
  • only suitable persons are registered as migration agents, and unsuitable persons are refused registration or re-registration;
  • registered migration agents maintain appropriate knowledge and skills to enable them to provide accurate and timely advice to consumers;
  • registered migration agents are monitored to ensure the integrity of their conduct and the quality of the immigration assistance provided to consumers; and
  • consumers of the services of registered, or formerly registered, migration agents are provided with an efficient and effective complaints handling service.

The OMARA’s obligations under the Privacy Act

This privacy policy sets out how we comply with our obligations under the Privacy Act 1988.  The Privacy Act sets out 13 Australian Privacy Principles (APPs) that regulate the collection, use, disclosure and storage of personal information and how individuals can access and correct personal information held about them.  The OMARA is legally bound by the APPs.

The Privacy Act defines ‘personal information’ as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a)  whether the information or opinion is true or not; and

(b)  whether the information or opinion is recorded in a material form or not.

The Privacy Act also places a higher standard of protection on sensitive information.  Sensitive information includes:

Information or an opinion about an individual's:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record
  • health information about an individual
  • genetic information about an individual that is not otherwise health information
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification
  • biometric templates

Outline of this Policy

This policy has three parts comprising:

Part A - Collection, use and disclosure of information explains our general information handling practices and covers how and for what purpose we collect, use and disclose personal information, including disclosures outside Australia. This part also outlines the type of personal information we collect.

Part B - How we hold information explains how and for what purpose we hold the personal information we collect.

Part C - Access, correction and complaints explains how an individual can access and seek to correct their personal information.  It also explains how an individual can complain about a breach of the Privacy Act, including the APPs, and how we will deal with such a complaint.


Part A — Collection, use and disclosure of information

We collect personal information for purposes directly related to our functions or activities under the Migration Act and only when it is necessary for, or directly related to, such purposes.

Personal information (including sensitive information) will only be used or disclosed for the purpose for which it was collected unless the law requires or permits use or disclosure for another purpose, or permission is given by the individual to use or disclose the information for another purpose.

Online, all interactions between clients and us are protected by an industry standard 128-bit SSL encryption technology. Firewall technology is employed to help protect our internal systems and personal information against intrusion from the internet.

Personal information is stored in compliance with Australian government security requirements. Access is audited and monitored by us and employees are trained on security rules and privacy issues.

How we collect information

Our usual practice is to collect personal information directly from registered migration agents or individuals associated with the registered migration agent or directly from the person making the complaint. We collect this information in a variety of ways, including paper based forms, online (through our website as well as email), over the telephone and by fax.  We also collect personal information from other sources. These include the Department, third parties or a publicly available source.  Third parties include other Australian government agencies, law enforcement agencies, legal services commissions, foreign governments, employers and members of the public who contact us with information.

What we collect and the purpose of collection

Our primary purpose when collecting personal information is to carry out our function of regulating the Australian migration advice profession in order to provide consumers of migration advice services with appropriate protection and assurance.

The OMARA will collect personal/sensitive Information in connection with:

  • an application for registration as a migration agent; or
  • a complaint about a registered migration agent.

Set out below are the types of information we collect and hold, and the purpose of the collection.

Application for registration as a migration agent

In order to process an application for registration as a migration agent we collect a wide variety of personal information. In general the collection of personal information includes:

  • name;
  • contact details;
  • residential address;
  • date of birth;
  • country of birth;
  • qualifications;
  • business information;
  • complaints history;
  • criminal record; and
  • information submitted by the applicant in support of their claims.

By applying for registration as a migration agent, the applicant is taken to have given consent to collect personal information (including sensitive information). 

Complaints about registered migration agents

When a complaint is made about a registered migration agent we collect the following information from the complainant:

  • name;
  • contact details;
  • residential address;
  • date of birth;
  • main language spoken at home; and
  • documents supporting the complaint made.

Documents supporting the complaint made may include:

  • the Agreement for Services and Fees (contract) with the registered migration agent;
  • receipts or proof of payments made to the registered migration agent;
  • correspondence from the registered migration agent that is relevant to the complaint; and
  • records from the Department relevant to the complaint, such as correspondence regarding the processing of the visa application and the visa decision record.

In the course of investigating a complaint, the OMARA may also collect information from the registered migration agent about the complaint, such as the migration agent’s client file for the person making the complaint.

These supporting documents may include personal and/or sensitive information about the complainant, family members, authorised recipients, representatives or any other person relevant to the complaint.

Persons who make a complaint to the OMARA are also required to give consent for the OMARA to provide their name, the substance of the complaint, and in some cases copies of all the documents they have submitted with their complaint, to the registered migration agent that is the subject of the complaint.

Complaints about unregistered migration advice

At times complaints are received about people who are not registered migration agents. The personal information collected from the complainant may include:

  • name;
  • contact details;
  • residential address;
  • date of birth;
  • main language spoken at home; and
  • documents supporting the complaint made.

These complaints are referred to the Department for investigation, however the electronic records containing personal information are retained by the OMARA.

Monitoring the integrity and quality of the immigration assistance by registered migration agents

In order to monitor compliance with the Code of Conduct for registered migration agents we may collect a variety of personal information. This may include:

  • business information;
  • visa lodgment rates and outcomes;
  • results of English language testing;
  • complaints history;
  • qualifications;
  • agent advertising;
  • client accounts;
  • professional indemnity insurance information details; and
  • professional library subscriptions.

Maintaining our website

The OMARA operates a separate website to the Department.

A record of each visit to the website is logged. This information is recorded for statistical purposes and is used by the OMARA to monitor the use of the website, discover what information is most and least used and to make the website more useful to users.

The information we log when users access our website includes:

  • the person’s IP or server address;
  • the date and time of the visit to the site;
  • the pages accessed;
  • the person’s operating system;
  • the person’s web browser version and type;
  • the time taken to transmit information to the person; and
  • the previous internet address from which the person came directly to this website.

This information is analysed to show broken links on our website, bottlenecks, and other site problems. We use this information to maintain the site for efficient use.

No attempt is made to identify the person through browsing activities except in the event of an investigation into the improper use of our internet facility or alleged interference with privacy, or where an enforcement body exercises a warrant to inspect the Internet Service Provider's logs.

The OMARA does not collect personal information about you when you visit our website. More information is available about the OMARA’s Online Security.
Online Security

Use of personal information

We will use personal information for the purposes for which it was collected, and for secondary purposes where permitted by law or where permission is given by the individual.

Personal information is frequently used for a secondary purpose where enforcement-related activities are being conducted or in circumstances where a person would reasonably expect us to use the information and the secondary purpose is either directly related to the primary purpose (for sensitive information) or related to the primary purpose (for other personal information). For example, the information provided for the primary purpose of processing an application for registration as a migration agent can be used for the secondary purpose of investigating a complaint or assessing subsequent applications.  Secondary purpose can also include processing matters under the FOI and Privacy Acts.

Disclosure of personal information and the purpose of disclosure

Similarly, the Privacy Act allows us to disclose personal information for the primary purpose for which it was collected. Personal information may be disclosed for a secondary purpose in certain circumstances. Generally, this is where a person would reasonably expect us to disclose the personal information for the secondary purpose, and the secondary purpose is either directly related to the primary purpose (for sensitive information) or related to the primary purpose (for other personal information), for other purposes permitted by law or with the consent of the individual.

Usual disclosures to other Government agencies

Information provided in connection with an application for registration as a migration agent may be passed to agencies that are authorised to receive it. In accordance with section 290 of the Migration Act, the OMARA must not register an applicant who is not fit and proper or not a person of integrity. The OMARA must carry out checks to establish the facts surrounding this requirement. Personal details (such as name, address and date of birth) may be given to a contracted information broker to examine information held on the Australian Securities and Investment Commission’s public register relating to bankruptcy or corporate involvement.

Documents provided to support a registration application can be referred to the issuing authority (either overseas or in Australia) for authentication or to manage compliance obligations.

Other Australian government agencies also have power under Australian law to obtain certain personal information from us for the purpose of administering their portfolio legislation.  Government agencies that we disclose information to include but are not limited to:

  • Administrative Appeals Tribunal
  • Commonwealth Ombudsman
  • Australian Human Rights Commission
  • Australian Taxation Office

Disclosure to nominated representatives

Where a person has nominated a third party, such as a legal representative, a family member, Ombudsman, or a Member of Parliament, personal information will be disclosed to those third parties.

Disclosures surrounding complaints

Personal information about a complainant is only disclosed to the registered migration agent who is the subject of the complaint with the consent of the complainant.

Where complaints involve lawyer agents, personal information about the registered migration agent may be disclosed to the relevant Legal Services Commission.

Authorised disclosure of personal information

We have authority under section 287(1) of the Migration Act to keep a register listing individuals who are registered as migration agents. Section 287(2) requires the register to show the following information:

  • the agent’s full name;
  • any business name of the agent or the agent’s employer;
  • a business address for the agent;
  • a telephone number for contacting the agent;
  • the date on which the agent was most recently registered;
  • particulars of any suspension of the agent’s registration;
  • particulars of any caution given to the agent; and
  • particulars of any other prescribed matter.

Section 287(3)(b) requires the OMARA to keep records to show:

  • what was in the register from time to time; and
  • particulars of any cancellation or suspension of an agent’s registration or of any caution given to such an agent.

This register is publicly accessible online. 
Search the register of migration agents.

The OMARA is required to make disciplinary details publicly available about a registered migration agent or an inactive agent in accordance with Sections 305A and 311C of the Migration Act, in the manner specified by Section 306AL and 311P of the Migration Act. Published decisions are available on the OMARA’s web page.
Disciplinary Decisions

Disclosure under the Privacy Act for law enforcement

The OMARA is authorised to disclose information to law enforcement bodies and intelligence bodies for the purpose of enforcing criminal law, laws imposing a pecuniary penalty or for the purpose of protecting public revenue.

Disclosure of personal information to overseas recipients

On occasions, we disclose personal information to overseas recipients, such as registered migration agents who reside in other countries and who are the subject of a complaint.

Research, evaluations and surveys

We periodically use the personal information collected to conduct and analyse research, conduct surveys, and evaluate the OMARA’s programmes and services. However, we do not disclose personal information to the public. Where surveys are conducted, we will inform clients of how data will be used. Where research is conducted by a contractor, the contract will include conditions regarding the use and disclosure of information.


Part B — How we hold information

Our files and Customer Relationship Management system

The OMARA keeps electronic records of case and other files in our Customer Relationship Management system (CRM). These contain records of applications, complaints and enquiries received, action taken in processing and finalising decisions and responses, and any information relevant to these decisions.  

All staff of the OMARA have access to this information.  Information technology service providers involved in the on-going development and maintenance of the CRM also have access to this information. Our information includes an audit history.

A record containing personal information can only be destroyed after it has reached its destruction date as identified in a records authority issued by the National Archives of Australia. When no longer required, personal information is destroyed, in a secure manner, in accordance with Australian Government records management regulations, guidelines and authorities, including the Archives Act 1983, Records Authorities and General Disposal Authorities.

Finance Records and Financial Management Information System (SAP)

The purpose of these records is to administer the operations and finances of the OMARA.

The personal information in these records relates to anyone who has financial dealings with the OMARA.

These records may include:

  • name;
  • address;
  • telephone number;
  • facsimile number;
  • email address;
  • Australian Business Number;
  • bank account details; and
  • partial credit card numbers (stored for anyone who pays the Authority by credit card.)

The records are stored on paper and computer media. The OMARA uses SAP to manage its finances and all financial information is provided to the Department in accordance with the Public Governance, Performance and Accountability Act 2013(Cth). Details of financial transactions in SAP can only be accessed by staff in the Department’s finance section. The financial transactions relating to the OMARA are included in the Department’s financial results and reporting.

Storage and data security

We use a range of physical and electronic security measures to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure. These measures include, but are not limited to, restricted physical access to our office, restricted access to our files, secure databases, computer-user identifiers and passwords. 

Any applications made or information provided using online service sections of our website are encrypted.

We developed a Protective Security Policy Framework (PSPF), which includes information security management policies.

The PSPF ensures that:

  • all official information is safeguarded to ensure its confidentiality, integrity, and availability by applying safeguards so that:
    • only authorised people, using approved processes, can access information;
    • information is only used for its official purpose, retains its content integrity, and is available to satisfy operational requirements; and
    • information is classified and labelled as required.
    • all information created, stored, processed, or transmitted in or over government information and communication technology (ICT) systems is properly managed and protected throughout all phases of a system's life cycle, in accordance with the protocols and guidelines set out in the PSPF, which includes the Australian Government Information Security Manual, produced by the Australian Signals Directorate.

The following is a brief summary of our current practices and procedures for storing and securing data:

  • access to information collected from clients is restricted to authorised persons on a need to know basis;
  • our internal networks and databases are protected using firewall, intrusion detection and other technologies;
  • paper files containing sensitive information are protected in accordance with Australia Government Security policy and secured in locked cabinets, Australian Government-approved security containers or secure rooms with restricted access;
  • our premises are under 24-hour surveillance and access is via security passes only, with all access and attempted access logged electronically; and
  • we regularly conduct system audits and staff training to ensure we adhere to our established protective and computer security practices.


Part C — Access, correction and complaints

Data quality

We will endeavour to ensure that personal information sought and held by the OMARA is relevant, accurate, complete and up-to-date.  These steps include correcting personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading when it is reasonable to do so.

Audits and quality inspections are conducted to ensure the accuracy and integrity of information is checked regularly and any systemic data quality issues are identified and resolved promptly.

Accessing and correcting personal information held by the OMARA

You can access the personal information that we hold about you. We will provide access unless we consider that there is a sound reason under the Privacy Act, the Freedom of Information Act 1982 (Cth) (the “FOI Act”) or any other relevant Acts including the Migration Act to withhold the information. You can also ask us to correct the personal information we hold about you under the FOI Act. If we refuse to give access to or to correct personal information held by us, we will provide you with written reasons for the refusal. 

For more information about how to request access to personal information and your available options, see the OMARA web page.
Freedom of information and privacy


How to make a complaint or enquiry

If you wish to find out more about how we manage personal information or if you have a concern regarding the way in which we handle your personal information and wish to make a complaint, please contact us. 
Contact us

There are other ways to provide feedback or make a complaint about the OMARA. 
Give Feedback

Making a complaint to the Office of the Australian Information Commissioner (OAIC)

If a person is dissatisfied with our response to their privacy matter, they can write to the OAIC. The OAIC can investigate privacy complaints about the protection of personal information, order compensation to be paid where warranted and direct departments to change the way they handle personal information. If a person needs help lodging a compliant with the OAIC, they can call the OAIC Enquiries Line on 1300 363 992.  If calling from outside Australia, the number is: +61 2 9284 9749. 

The OAIC can receive privacy complaints through:

  • the online privacy complaint form (please refer to the OAIC’s website);
  • by mail (if a person has concerns about postal security, they might want to consider sending their complaint by registered mail); and
  • by email (email that is not encrypted can be copied or tracked).

Contact details for the OAIC are:


Post: Sydney Office
GPO Box 5218 
Sydney NSW 2001

OAIC’s website

A person can make a complaint directly to the OAIC rather than to us, however it is likely that the OAIC would recommend that a person try to resolve the complaint directly with us in the first instance.