The Australian Information Commissioner (Information Commissioner) has powers under the Privacy Act 1988 (Privacy Act) to conduct privacy assessments of APP entities, that is, Australian and Norfolk Island Government agencies and private sector organisations.
The Commissioner can also conduct assessments of ACT public sector agencies as part of exercising some of the functions of the ACT Information Privacy Commissioner in the Information Privacy Act 2014 (ACT). For more information about these functions, please see Australian Capital Territory Privacy.
Information about assessment powers
An assessment provides a professional, independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations. In the past, the OAIC has referred to these assessments as ‘audits’.
Section 33C of the Privacy Act establishes that the Commissioner may conduct an assessment relating to the following:
- the Australian Privacy Principles (s 33C(1)(a)(i))
- a registered APP code (s 33C(1)(a)(ii))
- credit information files and credit reports held by credit reporting agencies and credit providers (s 33C(1)(b))
- tax file number recipients (s 33C(1)(c))
- data matching programs (s 33C(1)(d))
- claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme (s 33C(1)(e)).
Additionally, s 28A(1)(c) of the Privacy Act gives the Commissioner the ability to examine the records of the Commissioner of Taxation in relation to tax file numbers and tax file number information.
The Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.
The privacy assessment process
The OAIC approaches assessments as an educative process, and compliance with the Privacy Act is seen as part of good management practice. The assessment is, by necessity, a snapshot of personal information handling practices relating to an APP entity at a certain time and in a particular location. APP entities are encouraged to consider findings broadly and not limit issues identified in the assessment to the program that was the subject of assessment.
The assessment process, which begins with the identification of the entity selected for a privacy assessment and the proposed focus, is substantially the same regardless of whether it is an assessment of Australian Privacy Principles, credit information or tax file numbers.
Information about the assessment process can be found in the Privacy Performance Assessment Manual.
The OAIC's latest Annual Report provides information about the current privacy assessment program.
Recent privacy assessments
To help promote good privacy practices, the Office of the Australian Information Commissioner (OAIC) publishes the finalised reports of assessments (previously called audits) of Australian Government agencies and private sector organisations.
Where an assessment (or audit report) contains classified content, the OAIC may not be able to publish the report.
The list below is of assessments and audits finalised since 1 November 2010. Audits conducted by the former Office of the Privacy Commissioner and finalised before that date are available in the Privacy reports - archive.