Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Australian Government Agencies Privacy Code

Australian Government Agencies Privacy Code

The Australian Government Agencies Privacy Code (the Code) was registered on 27 October 2017 and commenced on 1 July 2018.

The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.

The Code enhances existing privacy capability within agencies, builds greater transparency in information handling practices, and fosters a culture of respect for privacy and the value of personal information. The Code therefore symbolises the commitment of Australian Government agencies to the protection of privacy, and helps build public trust and confidence in personal information handling practices and new uses of data proposed by agencies.

The Australian Information and Privacy Commissioner and the Secretary of the Department of Prime Minister and Cabinet jointly announced the Code on 18 May 2017.

Who does the Code apply to?

The Code applies to all Australian Government agencies subject to the Privacy Act 1988 (except for Ministers). It is a binding legislative instrument under the Act.

Back to Contents

When does the Code commence?

The Code commenced on 1 July 2018. The OAIC collaborated with agencies in the implementation period, offering a range of support and training tools.

Back to Contents

What does the Code require?

The Code requires agencies to:

  • have a privacy management plan
  • appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information, and ensure that the Privacy Champion functions are undertaken
  • undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
  • keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
  • take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

Agencies will still need to take other steps under APP 1.2 to ensure compliance with all the APPs.

The Code is flexible and scalable, taking into account an agency’s size, and the sensitivity and amount of personal information it handles.

Read the Australian Government Agencies Privacy Code

Back to Contents

OAIC resources

The OAIC is currently working on a number of resources to assist agencies to prepare for the commencement of the Code and meet their privacy obligations on an ongoing basis.

The Australian Government Agencies Privacy Code Checklist

The OAIC has developed the Australian Government Agencies Privacy Code Checklist as a starting point in preparing agencies for the commencement of the Code. This Checklist can be used by the Privacy Champion, Privacy Officer or a person in the agency who has the relevant internal privacy governance expertise and authority.

The Checklist sets out the key requirements of the Code and helps to identify the steps agencies need to take to implement the Code obligations. It has been designed to provide agencies with a high-level snapshot of their current state of Code compliance, the work that still needs to be done to comply, and links to relevant OAIC resources. The Checklist also includes space for agencies to write notes about the actions they have already taken or are still required.

View the Checklist

Back to Contents

The Privacy Officer Toolkit

The Code requires all Australian Government agencies to have a Privacy Officer. The OAIC has developed a Privacy Officer Toolkit, which contains tailored guidance and resources to assist Privacy Officers and others carrying out privacy functions for their agency.

The Privacy Officer Toolkit also includes guidance about a number of relevant Code requirements, such as the requirement to maintain and publish a register of Privacy Impact Assessments, the requirement to maintain a record of personal information holdings, and some of the frequently asked questions we’ve received about the Privacy Officer role.

Open the Privacy Officer Toolkit

Back to Contents

Privacy management plan (for agencies)

This template is designed for agencies, but can also be used by organisations wishing to improve their privacy management. For guidance specific to organisations, please see the information about PMPs on the Privacy management plan template (for organisations) page.

A privacy management plan identifies specific, measurable goals and targets, and sets out how an agency will meet its compliance obligations under APP 1.2. The Australian Government Agencies Privacy Code requires agencies to have a privacy management plan, and to measure and document performance against the plan at least annually.

The OAIC has developed an Interactive Privacy Management Plan (PMP), a tool to assist agencies to assess the current state of their privacy practices and set privacy goals and targets. You can refer to the Interactive Privacy Management Plan Explained companion guide, and to our ‘How to prepare your agency’s privacy management plan’ webinar and accompanying slides for information about how to use this interactive tool.

Back to Contents

Education or training

The Code requires agencies to provide privacy education or training in staff induction programs, and to take reasonable steps to provide privacy education or training annually to staff that have access to personal information in the course of performing their duties as a staff member.

The OAIC has produced two video resources with key messages about privacy for new starters to the Australian Public Service, and for those responsible for policy and project management.

The videos are short and simple, and have been designed for use in induction and training programs. We encourage you to incorporate these videos into your agency’s privacy resources and publish on them on your intranet.


The OAIC has also launched a Privacy Impact Assessment eLearning program, and is developing a general privacy eLearning program and a face-to-face training program for Privacy Officers. This section will be updated when these resources are available.

Back to Contents

Privacy Impact Assessments

A PIA is a systematic assessment of a project that identifies the impacts that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.

The OAIC is developing guidance on the PIA requirements in the Code, including how to assess privacy risk. This will complement our existing Guide to undertaking privacy impact assessments and our PIA eLearning program.

This section will be updated when this resource is available.

Back to Contents

Events and speeches

The OAIC held a seminar on the Australian Government Agencies Privacy Code on 28 November 2017. The Australian Information and Privacy Commissioner and other OAIC representatives presented an overview of the requirements of the Code, and highlighted the range of resources that will be available to support agencies. The event also included a panel session, where representatives from the Attorney-General’s Department, the Department of Human Services, the Department of Immigration and Border Protection, and the Australian Bureau of Statistics shared the current privacy initiatives within their agencies, and the ways in which they are preparing for the implementation of the Code.

» Read the Commissioner’s opening welcome and view the presentation slides from the seminar

Back to Contents

Privacy Officer and Privacy Champion

The Privacy Officer is the first point of contact for privacy matters within an agency, and is responsible for ensuring day-to-day operational privacy activities are undertaken. A Privacy Champion is a senior official within an agency who is responsible for leadership activities and engagement that require broader strategic oversight.

Agencies will need to ensure that particular Privacy Officer and Privacy Champion functions are undertaken. While these functions are referred to as ‘Privacy Officer’ or ‘Privacy Champion’ functions, they may also be carried out by another person or team within the agency as appropriate.

Back to Contents

Keep updated

Sign-up to the Privacy Professionals’ Network to receive notifications on developments in Privacy Code resources and events.

You can also contact our Enquiries Line on 1300 363 992 or

This page will be updated as new guidance and educational materials are released.

Back to Contents

This initiative supports Australia’s Open Government National Action Plan.