The Privacy Commissioner has powers under the Privacy Act 1988 (Privacy Act) to audit Australian and ACT government agencies and in some cases private sector and state government organisations.
An audit provides a professional, independent and systematic assessment of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations.
The Privacy Commissioner's audit powers are set out in several sections of the Privacy Act:
- auditing Australian and ACT government agency compliance with the Information Privacy Principles (IPPs) — s 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information — s 28(1)(d)
- auditing TFN recipients — s 28(1)(e)
- auditing credit information files and credit reports held by credit reporting agencies and credit providers — s 28A(1)(g)
- at the request of the organisation, audit a private sector organisation covered by the Privacy Act — s 27(3).
The Privacy Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.
From 12 March 2014, the Privacy Commissioner will have enhanced powers to conduct audits of public and private sector organisations. For further information, see the Privacy law reform page of this site.
To read the Office of the Australian Information Commissioner's (OAIC) audit reports, see the List of privacy audits page. Audit reports published by the former Office of the Privacy Commissioner are found in the Privacy reports — archive
The audit process
The OAIC approaches audits as an educative process, and compliance with the Privacy Act is seen as part of good management practice. The audit is, by necessity, a snapshot of personal information handling practices relating to an agency or organisation program at a certain time and in a particular location. Agencies and organisations are encouraged to consider audit findings broadly and not limit issues identified in audits to the program that was the subject of audit.
The audit process, which begins with the identification of the agency or organisation selected for audit and the proposed audit focus, is substantially the same regardless of whether it is an Information Privacy Principles, credit information or tax file number audit.
Information about the audit process can be found in the Privacy Performance Assessment Manual. Information about the framework under which the OAIC conducts audits is available in the Privacy Performance Assessment Charter.
The OAIC's latest Annual Report provides information about the current audit program.