The Commissioner has powers under the Privacy Act 1988 (Privacy Act) to conduct privacy assessments of APP entities, that is, Australian and Norfolk Island Government agencies and private sector organisations.
The Commissioner can also conduct assessments of ACT public sector agencies as part of exercising some of the functions of the ACT Information Privacy Commissioner in the Information Privacy Act 2014 (ACT). For more information about these functions, please see Australian Capital Territory Privacy.
An assessment provides a professional, independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations. In the past, the OAIC has referred to these assessments as ‘audits’.
Section 33C of the Privacy Act establishes that the Commissioner may conduct an assessment relating to the following:
- the Australian Privacy Principles (s 33C(1)(a)(i))
- a registered APP code (s 33C(1)(a)(ii))
- credit information files and credit reports held by credit reporting agencies and credit providers (s 33C(1)(b))
- tax file number recipients (s 33C(1)(c))
- data matching programs (s 33C(1)(d))
- claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme (s 33C(1)(e)).
Additionally, s 28A(1)(c) of the Privacy Act gives the Commissioner the ability to examine the records of the Commissioner of Taxation in relation to tax file numbers and tax file number information.
The Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.
To read the Office of the Australian Information Commissioner's (OAIC) assessment and audit reports, see the List of privacy assessments page. Audit reports published by the former Office of the Privacy Commissioner are found in the Privacy reports — archive.
The privacy assessment process
The OAIC approaches assessments as an educative process, and compliance with the Privacy Act is seen as part of good management practice. The assessment is, by necessity, a snapshot of personal information handling practices relating to an APP entity at a certain time and in a particular location. APP entities are encouraged to consider findings broadly and not limit issues identified in the assessment to the program that was the subject of assessment.
The assessment process, which begins with the identification of the entity selected for a privacy assessment and the proposed focus, is substantially the same regardless of whether it is an assessment of Australian Privacy Principles, credit information or tax file numbers.
Information about the assessment process can be found in the Guide to privacy regulatory action.
The OAIC's latest Annual Report provides information about the current privacy assessment program.