Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Consultation draft: APS Privacy Governance Code

pdfPrintable version130.53 KB       docxWord DOCX version74.6 KB

Privacy (Australian Public Service - Governance) APP Code YYYY

Made under the Privacy Act 1988

I, Timothy Pilgrim PSM, Australian Information Commissioner, have developed the following APP code and included it on the Codes Register.


Timothy Pilgrim PSM
Australian Information Commissioner

Part 1—Introduction

1     Name

  1. This APP code may be cited as the Privacy (Australian Public Service - Governance) APP Code YYYY.
  2. This APP code may also be cited as the APS Privacy Governance Code.

2     Commencement

This APP code comes into force on 1 July 2018.

3     Authority

This APP code has been developed under section 26G of the Privacy Act 1988.

4     Preamble

APP 1 is the foundation principle that assists agencies to achieve compliance with the APPs. Compliance with APP 1 is essential to ensure good privacy management and governance practices, which can build community trust and confidence in those practices.

APP 1 implicitly promotes a ‘privacy by design’ approach to ensure that privacy compliance is included in the design of information systems and practices from their inception. It does this by requiring agencies to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and any binding registered APP code.

5     Definitions

Note: A number of expressions used in this APP code are defined in the Act, and have the same meaning in this APP code, including the following:

  1. agency;
  2. APP code;
  3. Commissioner;
  4. personal information;
  5. privacy impact assessment; and
  6. sensitive information.

In this APP code:

Act means the Privacy Act 1988.

APP means an Australian Privacy Principle as set out in the Act.

Data matching means the bringing together of at least two data sets that contain personal information, and that come from different sources, and the comparison of those data sets with the intention of producing a match to determine whether administrative action is warranted.

OAIC means the Office of the Australian Information Commissioner.

PIA means privacy impact assessment.

PIA report means a report as described in paragraph 12(2)(b).

privacy champion has the meaning given by section 11.

privacy management plan has the meaning given by section 9.

privacy officer has the meaning given by section 10.

project means any agency activity or initiative that may have privacy implications.

6     Objectives

The objectives of this APP code are to:

  1. set out specific requirements that agencies must undertake as part of their compliance with APP 1.2;
  2. enhance the privacy capability and accountability of agencies;
  3. promote good privacy governance within agencies to create and embed a culture that respects privacy and treats personal information as a valuable asset; and
  4. build community trust and confidence in the personal information handling practices of agencies.

7     Agencies bound by this APP code

This APP code is binding on all agencies.

Note: This APP code does not affect the operation of Part II, Division 3 of the Act which sets out the acts and practices which come within the scope of the Act and those acts and practices that do not come within the scope of the Act. As an example, section 7 of the Act sets out the extent to which a reference in the Act to an 'act or practice' is an act or practice of an agency for the purposes of the Act.

8     Application of this APP code to APP 1.2

For the purposes of paragraph 26C(2)(a) of the Act, agencies must apply Parts 2 to 4 of this APP code as part of meeting their obligations under APP 1.2.

Note: Under subsection 40(2) of the Act the Commissioner, on his or her own initiative, may investigate an act or practice if the act of practice may be a breach of APP 1 and the Commissioner thinks it is desirable that the act or practice be investigated.

Part 2—Privacy management and governance

9     Privacy management plan

  1. An agency must have a privacy management plan.
  2. A privacy management plan is a document that:
    1. identifies specific, measurable privacy goals and targets; and
    2. sets out how an agency will meet its compliance obligations under APP 1.2.
  3. An agency must measure and document its performance against its privacy management plan at least annually.

10     Privacy officer

  1. An agency must designate an officer of the agency as a privacy officer.
  2. An agency must, at all times, have a designated privacy officer.
  3. An agency may designate an officer as a privacy officer by reference to a position or role within the agency.
  4. An agency must ensure that the designated privacy officer:
    1. is the primary point of contact for advice on privacy matters in the agency;
    2. is the primary point of contact for the OAIC on privacy matters involving the agency;
    3. has responsibility for ensuring the proper handling of internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Act;
    4. has responsibility for ensuring the maintenance of the records of the agency's personal information holdings;
    5. has responsibility for ensuring that the agency is conducting PIAs in accordance with Part 3 of this APP code and oversees the PIA process;
    6. has responsibility for the preparation of regular reports to the agency’s executive, including to the privacy champion, including about any privacy issues arising from the agency’s handling of personal information;
    7. has responsibility for reviewing and measuring the agency’s performance against the privacy management plan at least annually;
    8. has responsibility for reviewing and updating the agency's privacy management plan at least annually; and
    9. regularly reviews internal processes to meet the requirements of section 17 of this Code.
  5. An agency must keep the OAIC notified in writing of the designated privacy officer and the privacy officer’s contact details.

11      Privacy champion

  1. An agency must, at all times, have a designated privacy champion.
  2. An agency may designate an officer as a privacy champion by reference to a position or role within the agency.
  3. An agency must ensure that the designated privacy champion:
    1. is a senior official within the agency;
    2. must review and/or approve the agency’s Privacy Management Plan, and documented reviews of the agency’s progress against this Plan (in consultation with the Privacy Officer);
    3. has responsibility for promoting a culture of privacy within the agency that values and protects personal information; and
    4. has responsibility for providing leadership and advice within the agency on broader strategic privacy issues.
  4. An agency's designated privacy officer may also be its designated privacy champion.

Part 3—PIAs

12     Conduct of PIA

  1. An agency must assess whether a project is a high risk project.
  2. An agency must, for all high risk projects that will involve the handling of personal information:
    1. conduct a PIA;
    2. prepare a written report setting out the process and outcomes of the PIA, including any recommendations made; and
    3. retain a written response by the agency to any recommendations made in the PIA report.
  3. For the purposes of this section, a project may be a high risk project if the project involves any one or more of the following:
    1. material change to existing policies, processes or systems that involve personal information;
    2. the establishment of a new way of identifying individuals, such as a unique identifier, biometrics or online identification system;
    3. a material difference in the collection of, or the method of collection of, new or changed types of personal information;
    4. the collection of sensitive information;
    5. the use or disclosure of personal information for a purpose other than the purpose for which it was collected;
    6. data matching or the bulk transfer of data;
    7. the transfer of personal information to an overseas recipient;
    8. a changed, or new, risk of misuse, interference and loss, or unauthorised access, modification or disclosure of personal information;
    9. the agency considers that the project involves such sensitivity, or is of such significance, that it constitutes a high risk project; or
    10. the agency considers that the project is a high risk project for one of the above reasons or any other reason relating to privacy.

Note: An agency is also required to conduct a PIA if directed to do so by the Commissioner pursuant to section 33D of the Act.

13      Publication of PIA report

  1. An agency must publish a PIA report, and the agency's response to the recommendations set out in the PIA report, on the agency’s website, unless publication would:
    1. unreasonably reveal information about an agency’s systems, processes or operations;
    2. involve unlawful or unreasonable disclosure of personal information about any individual;
    3. unreasonably reveal information about law enforcement or national security activities; or
    4. involve the disclosure of an exempt document for the purposes of the Freedom of Information Act 1982.
  2. If it is possible for an agency to prepare a summary version or an edited copy of a PIA report or agency's response to that report, from which any information of the kinds specified in subsection 13(1) has been deleted, it must do so and must publish that summary version or edited copy on its website.

14     Joint PIA

If two or more agencies participate in the same project, they may conduct a joint PIA. Each agency must retain a copy of the PIA report and publish a copy of that PIA report, summary version or edited copy on its website in accordance with section 13.

15    Register of PIAs

  1. An agency must maintain a register of PIAs it conducts.
  2. An agency may provide a copy of that register, and any PIA reports that are listed on that register, to the Commissioner on request from the Commissioner.

Part 4—Internal privacy capability

16     Privacy training

  1. An agency must include privacy training in any staff induction program and regular staff training programs it provides, including such programs delivered to short term staff, service providers and contractors. The privacy training must address the privacy obligations of agency staff, and agency policies and procedures relating to privacy.
  2. An agency must provide privacy training annually to all staff who have access to personal information in the course of performing their duties as a staff member.

17     Regular review of internal processes

  1. An agency must regularly review and update its privacy practices, procedures and systems, to ensure their adequacy for the purpose of compliance with the APPs and currency. The scope of the review must include any:
    1. privacy policy prepared for the purposes of APP 1; and
    2. privacy notice prepared for the purposes of APP 5.
  2. An agency must monitor compliance with its privacy practices, procedures and systems regularly.