Part 1: Executive summary
1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Attorney-General’s Department (the Department) as the administrator of the Identity Verification Services (IVS).[1]
1.2 In accordance with the Identity Verification Services Act 2023 (IVS Act), the IVS consists of 3 approved identity verification facilities: the Document Verification Service (DVS) Hub, the Face Matching Service (FMS) Hub and the National Driver Licence Facial Recognition Solution (NDLFRS).[2] These facilities allow a requesting party to verify an individual's identity against a government-issued document such as a passport or driver’s licence. The Department administers the 3 approved identity verification facilities.
1.3 These facilities play a vital role in verifying individuals' identities efficiently and securely, which is fundamental for minimising the risk of identity theft.
1.4 This assessment focused on the Department’s management of the DVS Hub.[3] We assessed whether the Department was managing the DVS Hub in accordance with the privacy requirements of the IVS Act and the Privacy Act 1988 (Privacy Act), with specific focus on the Department’s privacy governance practices, DVS participation agreements and the completion of privacy impact assessments (PIAs).
1.5 As part of this assessment, we reviewed the Department’s privacy management and governance practices for the DVS, including the Department’s privacy-related documentation such as its policies and guidance materials. We also reviewed participation agreements for DVS requesting users.
1.6 We found that, overall, the Department has good privacy management practices in place in relation to the DVS Hub. However, we identified 4 medium privacy risks and made recommendations to address these risks.
1.7 We found that the Department’s DVS Government Requesting Participation Agreement and DVS Business User Participation Agreement signed with the top 3 DVS requesting users,[4] and templates of those agreements, appear to have the relevant privacy obligations and compliance requirements set out in the IVS Act,[5] but for the 2 issues addressed in Recommendation 1.
Recommendation 1 – Within 12 months the Department should make the following amendments to the DVS participation agreements and/or associated documents such as access policies:
- set out the purpose of a DVS request in the Department’s DVS Government Requesting Participation Agreement (and if appropriate associated documents), to align with s 10(1)(a)(i) of the IVS Act.
- amend the wording in clause 4.9 of the DVS Business User Participation Agreement where the business user '...must not disclose information contained in an Identification Match Result obtained through the DVS...' to '...must not disclose identification information received as a result of a requested IVS' so that it is in line with s 10(2)(a) of the IVS Act.[6]
1.8 We found that the Department’s general Privacy Management Plan[7] (PMP) does not contain IVS specific privacy goals and targets, and while the Privacy Management Plan – IVS Assessment 2025 – July 2025 has specific and measurable IVS privacy goals (such as conducting, implementing, or reviewing and updating PIAs), no timeframes are specified.
Recommendation 2 – Within 3 months the Department should include specific timeframes on IVS goals, for example, timeframes on:
- conducting, implementing or reviewing and updating PIAs
- developing relevant policies and procedures associated with the IVS
- implementing any other relevant and accepted recommendations from other reviews.
The Department should continue to regularly measure and document its performance in meeting its timeframes for its privacy goals and targets for the IVS. There are a range of ways the Department could achieve this, for example, as part of the Department's PMP; an attachment to the Department's PMP; a separate PMP for the IVS; or by maintaining its current approach (i.e. via information provided in its ‘Privacy Management Plan – IVS Assessment 2025 – July 2025’ which is against the Department’s PMP document).
1.9 We found the Department’s IVS Privacy Statement,[8] which describes how the Department collects, stores, uses and discloses personal information when operating or providing the IVS (and is an extension of the Department’s privacy policy), did not include information about third party providers managing the IT infrastructure for the DVS, including handling personal information. Under Australian Privacy Principle (APP) 1.4(b), an APP entity’s privacy policy must contain information about how the entity collects and holds personal information. The policy must describe an APP entity’s usual approach to collecting and holding personal information. This should include how the entity stores and secures personal information.
Recommendation 3 – Within 3 months the Department should review and update its IVS Privacy Statement to include how the managed service provider handles personal information. Going forward, the Department should regularly review and update this document to ensure it remains accurate and up-to-date.
1.10 We found that 2 of the issues identified in an internal audit of the Department’s IVS Compliance Assurance Program concern matters that should already be in place, and that implementing the 4 recommendations of the internal audit would assist the Department to monitor compliance as contemplated by s 12 of the IVS Act.
Recommendation 4 – Within 1 month the Department should continue to implement all the recommendations from the IVS Compliance Assurance Program – The Department’s Internal Audit Final Report dated May 2025.
1.11 We make 2 suggestions to improve DVS participation agreements and associated documents, the Department’s privacy documents and guidance materials for DVS users to enhance clarity and support accountability for all DVS participants.
Part 2: Document Verification Service Hub
2.1 Under the IVS Act, the Department is authorised to develop, operate and maintain the 3 approved identity verification facilities. This includes responsibility for oversight and scrutiny of the facilities.
2.2 The DVS is offered through the DVS Hub. The DVS Hub is one of the 3 approved identity verification facilities that provides 1:1 matching to verify biographic information such as name or date of birth against a government-issued document such as a birth certificate or Medicare card. The DVS Hub performs this 1:1 matching service by processing DVS Information Match Requests (DVS Requests).
2.3 A DVS Request involves an individual providing details of an identification document, such as a driver’s licence, to establish their identity, either by submitting their details online or by phone, in a written application, or by presenting a physical document or a copy of the document. The individual must give their express consent for a DVS requesting user (which includes government requesting agencies and business users) to verify the details of their identification document.
2.4 The DVS requesting user enters the details of the identification document such as a driver’s licence number into its (or its Gateway Service Provider’s (GSP))[9] system or interface.[10] The DVS Request is then sent to the DVS Hub for processing.
2.5 The DVS Hub receives the encrypted details of the identification document and acts as a routing point to send the encrypted data as a package to the data holding agency, for example, the relevant government agency that issued the driver’s licence.[11]
2.6 The data holding agency matches the details of an identification document against the records it holds to determine whether the information provided matches their records and it then sends an encrypted response back to the DVS Hub. The DVS Hub re-encrypts the response and sends the response back to the DVS requesting user through a secure communications route. The DVS requesting user receives responses which either confirm the details match, do not match and reasons why, or advise if an error occurred.[12]
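The request flow in paragraphs 2.3 to 2.6 (consent, submission by the requesting user, routing by the DVS Hub to the data holding agency, and a match, no-match-with-reasons or error response re-encrypted for the requesting user) can be simulated end to end. The code below is an added example and is not the Department's or the DVS Hub's code; the participant names, keys, document records and the hop-by-hop `SimpleCipher` (a hash-based stream cipher standing in for whatever transport encryption the real facility uses) are all constructed for the illustration, and the Hub's audit log recording only metadata is an assumption of this model, not something the report states.

```python
"""Simulation of a DVS Request (paragraphs 2.3-2.6). Added example, not the
Department's code. All names, keys, records and the cipher are constructed."""
import hashlib
import json
import os


class SimpleCipher:
    """Toy per-hop cipher: SHA-256 keystream XOR with a fresh nonce per message.
    It only illustrates that each hop has its own key; the real scheme is not
    described in the report."""

    def __init__(self, key: bytes):
        self.key = key

    def _stream(self, nonce: bytes, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(plaintext, self._stream(nonce, len(plaintext))))

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(body, self._stream(nonce, len(body))))


# Constructed records held by a simulated data holding agency (a licence issuer).
AGENCY_RECORDS = {
    "LIC-ISSUER-A": {
        "DL12345678": {"family_name": "CITIZEN", "given_names": "JANE", "date_of_birth": "1990-01-15"},
    },
}


def agency_endpoint(issuer: str, cipher: SimpleCipher, blob: bytes) -> bytes:
    """2.6: the agency decrypts the forwarded details, matches them against its
    records and returns an encrypted response: MATCH, NO_MATCH with reasons, or ERROR."""
    details = json.loads(cipher.decrypt(blob))
    records = AGENCY_RECORDS.get(issuer)
    if records is None:
        reply = {"result": "ERROR", "reason": "unknown issuer"}
    else:
        record = records.get(details.get("document_number"))
        if record is None:
            reply = {"result": "NO_MATCH", "reasons": ["document_number"]}
        else:
            mismatched = [k for k, v in record.items() if details.get(k) != v]
            reply = {"result": "NO_MATCH", "reasons": mismatched} if mismatched else {"result": "MATCH"}
    return cipher.encrypt(json.dumps(reply).encode())


class DvsHub:
    """2.5-2.6: routing point. Decrypts the requesting user's package, forwards the
    details under the agency hop key, and re-encrypts the agency's response for the user."""

    def __init__(self, user_keys: dict, agency_keys: dict):
        self.user_keys = user_keys      # requesting user id -> hop key (constructed)
        self.agency_keys = agency_keys  # issuer id -> hop key (constructed)
        self.audit_log = []             # assumption: metadata only, no document details

    def handle(self, user_id: str, package: bytes) -> bytes:
        user_cipher = SimpleCipher(self.user_keys[user_id])
        request = json.loads(user_cipher.decrypt(package))
        if not request.get("consent"):  # 2.3: express consent is a precondition
            response = {"result": "ERROR", "reason": "no consent recorded"}
        elif request["issuer"] not in self.agency_keys:
            response = {"result": "ERROR", "reason": "no route to issuer"}
        else:
            agency_cipher = SimpleCipher(self.agency_keys[request["issuer"]])
            forwarded = agency_cipher.encrypt(json.dumps(request["details"]).encode())
            reply_blob = agency_endpoint(request["issuer"], agency_cipher, forwarded)
            response = json.loads(agency_cipher.decrypt(reply_blob))
        self.audit_log.append({"user": user_id, "result": response["result"]})
        return user_cipher.encrypt(json.dumps(response).encode())


def requesting_user(hub: DvsHub, user_id: str, key: bytes, issuer: str, details: dict, consent: bool = True) -> dict:
    """2.4: the requesting user (or its GSP) encrypts the request, submits it to the
    Hub and decrypts the response."""
    cipher = SimpleCipher(key)
    request = {"issuer": issuer, "consent": consent, "details": details}
    reply = hub.handle(user_id, cipher.encrypt(json.dumps(request).encode()))
    return json.loads(cipher.decrypt(reply))


def run_demo() -> dict:
    """Exercise the three response kinds and return them with the Hub's log."""
    user_key, agency_key = os.urandom(32), os.urandom(32)
    hub = DvsHub({"bank-1": user_key}, {"LIC-ISSUER-A": agency_key})
    good = {"document_number": "DL12345678", "family_name": "CITIZEN",
            "given_names": "JANE", "date_of_birth": "1990-01-15"}
    wrong_dob = dict(good, date_of_birth="1991-01-15")
    return {
        "match": requesting_user(hub, "bank-1", user_key, "LIC-ISSUER-A", good),
        "no_match": requesting_user(hub, "bank-1", user_key, "LIC-ISSUER-A", wrong_dob),
        "no_consent": requesting_user(hub, "bank-1", user_key, "LIC-ISSUER-A", good, consent=False),
        "hub_log": hub.audit_log,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the model is the trust boundary: the requesting user and the data holding agency never share a key, so each hop is protected separately and the Hub is the only party that sees the request in both forms, which is why the report's attention to the Hub's governance, the participation agreements and the managed service provider's handling of personal information matters.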
2.7 The following is a diagram of the DVS Hub and the DVS response showing the flows of information when a DVS Request is made:
[Diagram: DVS Hub and DVS response information flows (image not reproduced)]
2.8 In order to make DVS Requests or to use DVS, parties must sign a DVS participation agreement that specifies security standards, compliance requirements and privacy obligations for the parties. The DVS participation agreement is a written agreement between the Department and one or more parties that deals with the request and provision of DVS identification information made available by the parties. The DVS participation agreement also provides that parties must comply with the IVS Act, IVS Rules,[13] the agreement and each relevant access policy.[14]
2.9 The DVS Access Policy[15] outlines the conditions and criteria that government users, business users and identity service providers (IDSPs) must meet in order to be eligible to access the DVS.
2.10 There are 5 types of participants[16] in the DVS:
2.11 The IVS Act commenced in December 2023. Under a transitional arrangement, DVS users had until 14 December 2025 to sign up to new DVS participation agreements under the IVS Act.[21]
2.12 Government requesting agencies (including state, territory and Commonwealth agencies) and business users (such as commercial private entities) collect an individual’s personal information for the purpose of verifying the individual’s identity, typically for the purposes of providing goods or services to the individual.[22]
2.13 As part of this assessment, we reviewed the DVS participation agreements of the top 3 DVS requesting users that make DVS Requests. One of the top 3 DVS requesting users is a government requesting agency. The other 2 DVS requesting users are business users from the telecommunications and banking sectors.
2.14 The method by which DVS users connect to the DVS Hub varies. For example, government users can connect to the DVS Hub through a GSP, via a portfolio department or directly.[23] Business users can connect to the DVS Hub through a GSP.[24]
2.15 The table below shows the number of connections to the DVS Hub and DVS transactions, by the type of DVS user, for the period 1 July 2024 to 30 June 2025. The numbers for each connection type refer only to users who transacted during this period.
| User type | Number of connections | Number of transactions |
|---|---|---|
| Government user | 199 | 69,428,811 |
| Business user | 2388 | 57,094,390 |
| Identity Service Provider | 45 | 3,118,611 |
| Gateway Service Provider | 22 | 2,631,518 |
| Total | 2654 | 132,273,330 |
Source: Figures provided by the Department for the period 1 July 2024 to 30 June 2025.
Part 3: Observations, findings and recommendations
3.1 We reviewed documents provided by the Department and conducted fieldwork interviews with relevant Department staff to make observations and findings within the scope of this assessment. Our focus was on the Department’s privacy governance practices, DVS participation agreements and the completion of PIAs.
3.2 We did not identify any significant or systemic high privacy risks regarding the Department’s compliance with the IVS Act and Privacy Act. However, the OAIC did identify some areas for improvement to ensure ongoing future compliance with the IVS Act and Privacy Act.
3.3 We identified 4 medium privacy risks and 2 low privacy risks in relation to the:
- DVS participation agreements and associated documents
- IVS privacy goals and targets
- Department’s privacy documents and guidance materials for DVS users
- Recommendations from the IVS Compliance Assurance Program – The Department’s Internal Audit Final Report dated May 2025.
3.4 To address these risks, we made 4 recommendations and 2 suggestions.
DVS participation agreements and associated documents
Observations
3.5 The signed DVS Government Requesting Participation Agreement and DVS Business User Participation Agreements with the top 3 DVS requesting users (as well as template agreements) appear to have the relevant privacy obligations and compliance requirements set out in ss 9-12 of the IVS Act, with a few exceptions.
Finding
3.6 We identified instances where privacy clauses and definitions were absent from a DVS participation agreement and associated documents:
- section 10(1)(a)(i) of the IVS Act requires that a participation agreement must require each party to the agreement that proposes to request identity verification services, to request a DVS for the purposes of verifying the identity of an individual. In the DVS Government Requesting Participation Agreement reviewed, reference to the purpose is not included;
- section 10(2)(a) of the IVS Act limits the circumstances in which parties can disclose ‘identification information.’ However, the DVS Business User Participation Agreement (clause 4.9) refers to 'Identification Match Result.' The term 'identification information' is broader than 'Identification Match Result,' and covers information:
- contained in a specimen document that purports to be a DVS document
- that is associated with a DVS document issued by a government authority, or
- about the outcome of a comparison involved in a DVS relating to the individual.
3.7 The points above raise a medium level privacy risk that the Department may not be fully compliant with privacy provisions such as s 10 of the IVS Act. It is important that privacy obligations of parties to DVS participation agreements are set out clearly in the DVS participation agreements and/or associated documents to ensure that the privacy obligations of the IVS Act are met.
Recommendation 1
Within 12 months the Department should make the following amendments to the DVS participation agreements and/or associated documents such as access policies:
- set out the purpose of a DVS request in the Department’s DVS Government Requesting Participation Agreement (and if appropriate associated documents), to align with s 10(1)(a)(i) of the IVS Act
- amend the wording in clause 4.9 of the DVS Business User Participation Agreement where the business user '...must not disclose information contained in an Identification Match Result obtained through the DVS...' to '...must not disclose identification information as a result of a requested IVS...' so that it is in line with s 10(2)(a) of the IVS Act.
3.8 Within the next 12 months, where appropriate and relevant, the Department should apply the changes above consistently across existing and future DVS participation agreements and associated documents (including access policies).
3.9 Additionally, the OAIC identified a few areas the Department could improve in relation to the privacy clauses and definitions in the DVS participation agreements and associated documents. These issues raise a low level privacy risk as they may lead to uncertainty regarding the privacy obligations of parties subject to the DVS participation agreement and associated documents and are as follows:
- the DVS Business User Participation Agreements themselves meet the legislative requirements to include this information (under s 9(2)(c) and s 9(3) of the IVS Act). However, statement 2 (privacy information and processes) of the DVS Business User Annual Compliance Statement template appears to not require business users to attest whether they advise where individuals can get information about the operation and management of the approved identity verification facilities by the Department in connection with the requesting and provision of IVS. Business users are required to submit this statement annually to the Department to demonstrate that their use of the DVS is in accordance with their participation agreement. Requiring business users to report whether they are providing this information in their privacy policy and making it available to individuals would ensure individuals are made aware of their privacy rights and the Department’s privacy obligations before consenting to a DVS Request
- privacy clauses 4.2(a)(vi) (regarding the Framework Administrator’s responsibility to ‘ensure DVS security and privacy safeguards’) and 14.4(a) (regarding the requirement for parties to develop a privacy management framework) in the DVS Government Requesting Participation Agreement appear to be absent from the DVS Business User Participation Agreement template and signed agreements with 2 of the top 3 DVS requesting users. Including these privacy clauses in the DVS Business User Participation Agreement template and signed agreements would ensure parties are aware of their privacy obligations when handling personal information
- clause 12 (Declaration) of the DVS Business User Annual Compliance Statement template states: ‘We have audited our use of the DVS and confirm that our use is in accordance with the DVS Business User Participation Agreement and the DVS Access Policy, or as described in the annual Compliance Statement.' Business users are asked to check the Declaration box confirming this statement. However, a similar provision is not included in the Schedule 3 Compliance Statement template for the DVS Government Requesting Participation Agreement. Amending the Schedule 3 Compliance Statement template for the DVS Government Requesting Participation Agreement to insert a provision equivalent to clause 12 would assist the government requesting agency to confirm its use of the DVS is in line with their agreement and access policy
- the word 'Services' (with a capitalised ‘S’) is referred to in clause 23.3(b)(v) of the DVS Government Requesting Participation Agreement. It does not appear that the term ‘Services’ has been clearly defined in the agreement. Having the term ‘Services’ clearly defined in the agreement would avoid confusion and provide clarity what these ‘Services’ are.
3.10 Implementing the following suggestions would provide further clarity and accountability for all DVS participants and provide additional assurance that DVS users are complying with the IVS Act.
Suggestion 1
The Department could make updates to the following DVS participation agreements and/or associated documents by:
- adding to the DVS Business User Annual Compliance Statement template a requirement for business users to attest whether they advise where individuals can get information about the operation and management of the approved identity verification facilities by the Department in connection with the requesting and provision of IVS, in line with s 9(2)(c) and s 9(3) of the IVS Act
- ensuring consistency of privacy clauses in templates and participation agreements for government requesting agencies and business users. For example, inserting clauses 4.2(a)(vi) from the DVS Government Requesting Participation Agreement (which require the Framework Administrator to ‘ensure DVS security and privacy safeguards’) and 14.4(a) (which require parties to develop a privacy management framework) into the DVS Business User Participation Agreement template and existing agreements would improve the privacy posture of those agreements
- inserting clause 19.7 from the DVS Government Requesting Participation Agreement into Schedule 3 Compliance Statement template, thereby requiring the requesting agency to confirm that it is compliant with clause 19.7 regarding its use of the DVS and connection to the DVS Hub
- defining what 'Services' mean (referred in clause 23.3(b)(v) of the DVS Government Requesting Participation Agreement) under clause 1.1 Definitions of the DVS Government Requesting Participation Agreement to improve clarity (and also to clearly distinguish from other 'services' referred to throughout the agreement).
3.11 When the opportunity arises to next review the DVS participation agreements and associated documents, where appropriate and relevant, the Department could apply the changes in Suggestion 1 consistently across existing and future DVS participation agreements and associated documents.
IVS privacy goals and targets
Observations
3.12 The Department is required under APP 1.2 to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs.
3.13 In July 2025, the Department assessed the IVS against the Department's PMP. Privacy Management Plan - IVS Assessment 2025 - July 2025 sets out the privacy goals and targets for the IVS including:
- conducting, implementing or reviewing and updating PIAs
- developing relevant policies and procedures associated with the IVS
- implementing any other relevant recommendations from other reviews, for example, the Department’s internal audit into its IVS Compliance Assurance Program.[25]
Finding
3.14 In the previous IVS assessment,[26] we said we expect that IVS performance information is included when measuring against PMP performance measures. However, we found that the Department’s general PMP does not contain IVS specific privacy goals and targets, and while the Privacy Management Plan – IVS Assessment 2025 – July 2025 has specific and measurable IVS privacy goals (such as conducting, implementing, or reviewing and updating PIAs), no timeframes are specified.
3.15 These matters give rise to a medium level privacy risk that the Department may not be fully compliant with the requirements of APP 1.2. The Department has adequately set specific privacy goals and targets for the IVS in order to ensure compliance with the IVS Act and Privacy Act. However, without specific timeframes, the IVS privacy goals and targets may not be implemented.
Recommendation 2
Within 3 months the Department should include specific timeframes on IVS goals, for example, timeframes on:
- conducting, implementing, or reviewing and updating PIAs
- developing relevant policies and procedures associated with the IVS
- implementing any other relevant and accepted recommendations from other reviews.
The Department should continue to regularly measure and document its performance in meeting its timeframes for its privacy goals and targets for the IVS. There are a range of ways the Department could achieve this, for example, as part of the Department's PMP; an attachment to the Department's PMP; a separate PMP for the IVS; or by maintaining its current approach (i.e. via information provided in its ‘Privacy Management Plan – IVS Assessment 2025 – July 2025’ which is against the Department’s PMP document).
Privacy documents and guidance materials for DVS users
Observations
3.16 The Privacy (Australian Government Agencies – Governance) APP Code 2017[27] (the Code) sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2. Section 17 of the Code states that an agency must regularly review and update its privacy practices, procedures and systems, to ensure their currency and adequacy for the purposes of compliance with the APPs. The scope of the review must include any privacy policy prepared for the purposes of APP 1.
3.17 The IVS Privacy Statement describes how the Department collects, stores, uses and discloses personal information when operating or providing the IVS under the IVS Act. This is an extension of the Department’s privacy policy[28] obligations under APP 1.[29]
3.18 Under APP 1.4(b), an APP entity’s privacy policy must contain information about how the entity collects and holds personal information. The policy must describe an APP entity’s usual approach to collecting and holding personal information. This should include how the entity stores and secures personal information. For example, the policy may explain that personal information is stored by a third party data storage provider.[30]
3.19 We reviewed the IVS Privacy Statement, and privacy documents and guidance materials for DVS users. Generally they appeared to be accurate and up-to-date, but there were a small number of exceptions.
Finding
3.20 We identified one area in the Department’s privacy documentation for DVS users that appeared to be inaccurate.
3.21 The IVS Privacy Statement did not include information about third party providers and contractors and their handling of personal information. The Department has a contract in place with a managed service provider to provide and manage the IT infrastructure for the DVS, including the handling of personal information. As such, this information should be included in the Department’s IVS Privacy Statement regarding the managed service provider’s handling of personal information. This should include how the managed service provider collects, uses, discloses, stores and secures personal information.
3.22 This issue raises a medium level privacy risk that the Department may not be fully compliant with the requirements of APP 1.2 and s 17 of the Code.
Recommendation 3
Within 3 months the Department should review and update its IVS Privacy Statement to include how the managed service provider handles personal information.
Going forward, the Department should regularly review and update this document to ensure it remains accurate and up-to-date.
3.23 Additionally, we identified 2 areas in the Department’s privacy document and guidance material for DVS users that it could update to improve the quality of these materials. These issues raise a low level privacy risk as they may lead to uncertainty regarding the IVS complaints process and business user compliance obligations.
3.24 The first is in relation to the Department’s IVS Privacy Statement where the hyperlink to lodge a privacy complaint with the OAIC links to the APPs webpage rather than a webpage advising on privacy complaints.
3.25 The second is in relation to the DVS Business User Participation Agreement – Summary dated 20 January 2025, a fact sheet provided to business users to help them understand the terms and conditions in the DVS Business User Participation Agreement, which appeared to be inaccurate. The fact sheet outlined that the 12-month transition period for all entities that make requests through the DVS to become a party to a ‘participation agreement’ with the Department expires on 14 June 2025. However, on 7 June 2025, this transition period was extended to 18 months and the expiry date should be 14 December 2025.[31]
Suggestion 2
The Department could review and update its privacy documents and guidance materials for DVS users, initially focusing on updating the Department’s:
- IVS Privacy Statement: the hyperlink to lodge a privacy complaint with the OAIC could be updated to link to the OAIC’s webpage about privacy complaints.
- DVS Business User Participation Agreement – Summary dated 20 January 2025: the expiry date for all entities that make DVS Requests to become a party to a participation agreement could be updated to 14 December 2025.
Recommendations from the IVS Compliance Assurance Program – the Department’s Internal Audit Final Report dated May 2025
Observations
3.26 The Department has an IVS Compliance and Assurance Framework which is an important foundation to provide the Department’s staff with support and guidance for enforcing compliance.
3.27 Additionally, under the IVS Compliance and Assurance Framework, the Department has an IVS Audit and Compliance Plan (Plan) that outlines the framework for ensuring compliance by all users of the IVS. This Plan applies to all IVS participants including authorised non‑government entities and government entities.
3.28 The Department has an IVS Compliance Assurance Program which includes usage scans, environmental scans and compliance audits. The Department’s current approach to compliance audits includes DVS user self-assessed annual compliance statements and annual independent audits[32] of DVS business users, GSPs, IDSPs and the managed service provider.
3.29 In early 2025, the Department conducted an internal audit into its IVS Compliance Assurance Program to review the appropriateness of the Department’s current compliance assurance arrangements for government user compliance statements. The audit also made recommendations for expanding the compliance statement assurance coverage to participation agreements for private sector organisations. This audit identified 4 areas in which the Department should strengthen its IVS Compliance Assurance Program, including:
- revising the IVS Compliance and Assurance Framework to enable scalability and leveraging a strategic and risk-based approach to assurance coverage
- making compliance expectations clear to users including annual audit requirements
- establishing processes and systems for tracking, managing and reporting non-compliance across the expanding range of users
- undertaking a formal risk assessment of the IVS to align with the Department’s Risk Management Policy and guidelines.
3.30 The 4 areas identified by the internal audit relate to the Department’s compliance with s 12 of the IVS Act, specifically in relation to participation agreements. The audit rated these areas as medium risks that need to be addressed by the Department. The Department advised that the audit recommendations are scheduled to be implemented by December 2025.
3.31 As part of implementing the first recommendation from the internal audit, the Department expects to further improve the IVS Compliance and Assurance Framework, including developing an IVS Compliance Assurance Strategy that sets out a risk-based approach to the IVS Compliance Assurance Program. This will ensure compliance efforts are targeted at IVS users that represent the greatest compliance risk. The IVS Compliance Assurance Strategy will be supported by an annual compliance risk assessment that informs an annual compliance plan.
Finding
3.32 Implementing the 4 recommendations of the internal audit would assist the Department in monitoring compliance as contemplated by s 12 of the IVS Act. Section 12 of the IVS Act outlines the requirements for participation agreements to allow the Department to monitor compliance, including the handling of personal information.
3.33 Internal audit recommendations 1 and 3 relate to scaling up the IVS Compliance and Assurance Framework to deal with the volume of annual compliance requirements the Department could receive once a critical mass of DVS users become parties to participation agreements. The Department has committed to implement these recommendations by December 2025. There was no evidence before this assessment that a scale-up could occur sooner (i.e., prior to December 2025), or to question the Department’s commitment in this regard.
3.34 Internal audit recommendation 2 is directed at making compliance expectations clearer; and internal audit recommendation 4 requires the Department to undertake a risk assessment of the IVS with a view to achieving alignment with the Department’s Risk Management Policy and guidelines. We are of the view that these features should be in place already and relate directly to managing current compliance risks. The matters reflected in recommendations 2 and 4 of the internal audit raise a medium level privacy risk that the Department may not be able to effectively monitor compliance as contemplated by s 12 of the IVS Act.
3.35 As the internal audit report highlighted, an increase in IVS users, and therefore in data flows through the IVS (and, for the purposes of this assessment, the DVS), is expected; the privacy risks identified in recommendations 2 and 4 of the internal audit may therefore increase further. It is therefore important that the Department has a robust IVS Compliance Assurance Program in place by the time the transition period for DVS users to sign new participation agreements has concluded and the proposed overarching IVS Compliance Assurance Framework, including the IVS Compliance Assurance Strategy and supporting documents, has been introduced (all scheduled to occur by December 2025).
Recommendation 4
Within 1 month the Department should continue to implement all the recommendations from the IVS Compliance Assurance Program – The Department’s Internal Audit Final Report dated May 2025.
Privacy impact assessment of the DVS
Observations
3.36 In 2024, the Department, as the Framework Administrator of the IVS, engaged Griffin Legal (a private law firm) to commence a PIA[33] that evaluated the DVS in its entirety, within the context of the new IVS legislative framework. The PIA covered ‘standard uses’ of the DVS. The DVS participation agreements require users to ensure their use of the DVS is consistent with the findings and recommendations of this PIA. If they identify their use is inconsistent with the findings and recommendations, they must:
- promptly notify the Framework Administrator in writing of the inconsistency, including reasonable information regarding the nature and extent of the inconsistency
- commission an independent PIA in relation to their use of the DVS
- share the findings and recommendations of the PIA with the Framework Administrator, which the Framework Administrator may publish.
3.37 As at 23 July 2025, the Department advised the OAIC that it has not received any notifications from the top 3 DVS requesting users that their use of the DVS is inconsistent with the findings and recommendations of the PIA mentioned above.
Finding
3.38 The OAIC did not identify any privacy risks in relation to the Department’s PIA.
Part 4: Description of assessment
Role of the Australian Information Commissioner
4.1 This assessment was conducted under s 40(1) of the IVS Act and s 33C(1)(a) of the Privacy Act.
4.2 Section 40(1) of the IVS Act provides for annual assessments by the Information Commissioner on the operation and management of the identity verification facilities by the Department.
4.3 Specifically, the Information Commissioner has the function of:
- assessing the approved identity verification facilities in relation to any act or practice of the Department during the financial year; and
- providing the Secretary of the Department with a written report on that assessment.
4.4 The Information Commissioner is required to perform both aspects of this assurance function within 6 months of the end of each financial year ending after the commencement of s 40(1) of the IVS Act (being 14 June 2024). For the purposes of the Privacy Act, an assessment under s 40(1) of the IVS Act is taken to be an assessment under paragraph 33C(1)(a) of the Privacy Act.[34]
4.5 Section 33C(1)(a)(i) of the Privacy Act states that the Information Commissioner may conduct an assessment as to whether personal information held by an APP entity is being maintained and handled in accordance with the APPs and a registered APP code (if any) that binds the entity.
4.6 The Information Commissioner provided this report to the Secretary of the Department on 20 November 2025.
Objective, scope and methodology of the assessment
4.7 The objective of this assessment was to assess whether the Department was managing the identity verification facilities, and personal information held on the DVS Hub, in accordance with the requirements of the IVS Act and the Privacy Act. This objective included determining whether the Department established effective privacy governance arrangements to manage DVS requesting users and by extension, personal information handled by the DVS Hub.
4.8 The scope of the assessment focused on the Department’s compliance with the IVS Act, APP 1.2 and the Code, to the extent that these requirements relate to the Department’s management of participation agreements with DVS requesting users. This included how it reviewed the conduct and implementation of PIAs by DVS requesting users. Based on information provided by the Department on 17 July 2025 regarding DVS transaction numbers for the top 3 requesting users that have signed the new DVS participation agreements, the OAIC focussed on participation agreements with those top 3 DVS requesting users who are from the government, telecommunications and banking sectors.
4.9 We used 2 criteria to determine whether the Department was meeting the assessment objective:
- Do the Department’s participation agreements with the top 3 DVS requesting users include the privacy safeguards required by the IVS Act?
- Has the Department taken reasonable steps to ensure completion of, and address the privacy risks identified by, the PIAs in relation to the top 3 DVS requesting users?
4.10 We limited the assessment scope to the Department, because under the IVS Act, the OAIC has the function of assessing the approved identity verification facilities in relation to any act or practice of the Department. We therefore did not assess the privacy practices of the top 3 DVS requesting users.
Privacy risks
4.11 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix B), the OAIC makes recommendations about how to address those risks. These recommendations are set out in Part 3 of this report.
4.12 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and findings are only applicable to the time period in which the assessment was undertaken.
4.13 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ (see Appendix B). Chapter 9: Privacy assessments provides further detail on this approach.
Reporting
4.14 The OAIC publishes final assessment reports in full, or in an abridged version, on our website at Privacy assessments. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.
Part 5: Appendices
Appendix A – The Department’s response to recommendations
| DVS participation agreements and associated documents | The Department’s response |
|---|---|
| Finding 5.1 Medium privacy risk – the Department may not be fully compliant with certain privacy provisions in the IVS Act such as s 10 of the IVS Act. Recommendation 1 5.2 Within 12 months the Department should make the following amendments to the DVS participation agreements and/or associated documents such as access policies: | Agree. The Department agrees to the recommendation. The Department notes that the Government Requesting Participation Agreement does require parties to agree to comply with the IVS Act (inclusive of subparagraph 10(1)(a)(i)). While the Department does not consider that adjustments are required at this stage, these will be considered when the Department undertakes a broader update of the DVS participation agreements. The reference to 'Identification Match Result' appears to be an error during the drafting process, and may have been intended to refer to 'Information Match Result', which is a defined term in the agreement (this error also appears in clause 4.8). The Department agrees to consider this option and will seek additional advice on any potential impact this change may have to the DVS Business User participation agreement when the department undertakes a broader update of the DVS participation agreements. |

| IVS privacy goals and targets | The Department’s response |
|---|---|
| Finding 5.3 Medium privacy risk – the Department may not be fully compliant with the requirements of APP 1.2. Recommendation 2 5.4 Within 3 months the Department should include specific timeframes on IVS goals, for example, timeframes on: The Department should continue to regularly measure and document its performance in meeting its timeframes for its privacy goals and targets for the IVS. There are a range of ways the Department could achieve this, for example, as part of the Department's PMP; an attachment to the Department's PMP; a separate PMP for the IVS; or by maintaining its current approach (i.e. via information provided in its ‘Privacy Management Plan – IVS Assessment 2025 – July 2025’ which is against the Department’s PMP document). | Agree. The Department accepts the recommendation and will update the PMP – IVS Assessment accordingly. The IVS PMP provides that all existing PIAs for the services are anticipated to be updated and published by the end of 2025. We have updated this timeframe to the first half of 2026 to align with the department's priorities. The timeframe for implementing any PIA recommendations will be considered on a case-by-case basis. The DVS PIA published in May 2025 provides (where relevant) the department’s timeframe for implementing those recommendations in our response. |

| Privacy documents for DVS users | The Department’s response |
|---|---|
| Finding 5.5 Medium privacy risk – the Department may not be fully compliant with the requirements of APP 1.2 and s 17 of the Code. Recommendation 3 5.6 Within 3 months the Department should review and update its IVS Privacy Statement to include how the managed service provider handles personal information. Going forward, the Department should regularly review and update this document to ensure it remains accurate and up to date. | Agree. The Department will continue to review and update the privacy statement as required to ensure it remains accurate, including an update to cover the department's managed service provider in 2026. |

| Recommendations from the IVS Compliance Assurance Program – The Department’s Internal Audit Final Report dated May 2025 | The Department’s response |
|---|---|
| Finding 5.7 Medium privacy risk – the Department may not be able to effectively monitor compliance as contemplated by s 12 of the IVS Act. Recommendation 4 5.8 Within 1 month the Department should continue to implement all the recommendations from the IVS Compliance Assurance Program – The Department’s Internal Audit Final Report dated May 2025. | Agree. The Department accepts the recommendation. The Department is on track to complete all recommendations of the ‘IVS Compliance Assurance Program – The Department's Internal Audit Final Report’ by 31 December 2025 and has commenced the scale up of compliance reporting in compliance with the Identity Verification Services Act 2023. |

| DVS participation agreements and associated documents | The Department’s response |
|---|---|
| Finding 5.9 Low privacy risk – the OAIC identified a few areas the Department could improve in relation to the privacy clauses and definitions in the DVS participation agreements and associated documents. Suggestion 1 5.10 The Department could make updates to the following DVS participation agreements and/or associated documents by: | a. Agree – completed. The department accepts the recommendation. The DVS Business User Compliance Statement has been revised to clarify how the required information is made available to the individual prior to obtaining consent in accordance with section 9(2)(c) of the IVS Act and clause 5.5 of the DVS Business User Participation Agreement. b. Agree. The differing structures between the DVS Business User and Government Requesting Agency participation agreements are intentional. The primary objective was to design the agreements to closely align with the previous terms and conditions in place, thereby facilitating a smooth transition for users following the implementation of the IVS Act. Security and privacy safeguards: The department notes that section 25 of the IVS Act already provides that the department must ‘maintain the security of electronic communications to and from the facility, including by encrypting the information…[and] protect the information from unauthorised interference or unauthorised access.’ The department is also subject to the strong privacy safeguards in the IVS Act, specifically Parts 3 and 4. On this basis, the department does not consider any changes are necessary to the Business User participation agreement at this time, but does agree to consider it when this agreement is next updated as part of a broader update of all agreements. Privacy management framework: Before the commencement of the IVS Act, the requirement to maintain a privacy management framework or an equivalent state or territory framework was included in previous agreements with government agencies but was not included in the DVS Business User Terms and Conditions. This requirement remains in place for government requesting agencies in the DVS Government Requesting Agency participation agreement. If a Business User is bound by the Privacy Act 1988 (Cth), compliance with APP 1.2 would be assessed by the OAIC rather than the Framework Administrator. c. Agree – completed. The department accepts the recommendation. The DVS Government Requesting Agency Compliance Statement has been revised to incorporate a declaration box as found in the DVS Business User Compliance Statement. d. Agree. The reference to ‘Services’ in Clause 23.3(b)(v) (as well as other clauses) refers to the identity verification services. This is differentiated from other references to ‘goods or services’, through the capitalisation of Services. The Department does not consider this raises a significant risk to the operation of this agreement. However, the department does agree to consider this when the DVS participation |

| Privacy documents and guidance materials for IVS users | The Department’s response |
|---|---|
| Finding 5.11 Low privacy risk – we identified 2 areas in the Department’s privacy document and guidance material for DVS users that it could update to improve the quality of these materials. Suggestion 2 5.12 The Department could review and update its privacy documents and guidance materials for DVS users, initially focusing on updating the Department’s: | Agree. The IVS privacy statement was updated in June 2025. The Department will continue to review and update the privacy policy as required to ensure it remains accurate. The DVS Business User Participation Agreement Summary dated 20 January 2025 was issued at a point in time and was initially prepared for the 14 June 2025 deadline. This document is now obsolete, and the department does not propose to update it further. The department will continue to update and maintain current guidance material on the IDMatch and departmental website. Considering the significant volume of guidance we have produced following the commencement of the IVS Act, we are also developing an artefact register to track planned review cycles for key documents. |
Appendix B – Privacy risk guidance
| Privacy risk rating | Entity action required | Likely outcome if risk is not addressed |
|---|---|---|
| High risk: Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation | Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects: | |
| Medium risk: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation | Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects: | |
| Low risk: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation | Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed. | Risks are limited, and may be within acceptable entity risk tolerance levels. Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguards, Part VIIIA). Minimum compliance obligations are being met. |
Footnotes
[3] The DVS has been operational since 2009. The OAIC’s previous privacy assessments of the DVS are available at: Privacy assessments.
[4] The Department advised the OAIC who the top 3 DVS requesting users were based on highest DVS transaction numbers as at 17 July 2025. Due to commercial sensitivities, the names of the top 3 DVS requesting users have not been included in this report.
[5] To access and use the DVS Hub, parties are required to sign a DVS participation agreement with the Department, and this applies to all types of DVS users. The Department confirmed that the signed DVS participation agreements of the top 3 DVS requesting users considered in this assessment do not contain additional clauses and are exactly the same as the template agreements.
[7] See the Department’s Privacy Management Plan.
[8] See the Department’s IVS Privacy Statement.
[10] See paragraph 5.11 of the Department’s DVS PIA dated 16 April 2025.
[11] See paragraph 4.8 of the Department’s DVS PIA dated 16 April 2025.
[12] See paragraphs 4.9 and 5.11 of the Department’s DVS PIA dated 16 April 2025.
[14] The Department publishes its access policies at Resources | IDMatch.
[15] The DVS Access Policy excludes GSPs and data holding agencies as these entities do not make DVS Requests.
[16] See paragraph 1.7 of the Department’s DVS PIA dated 16 April 2025.
[17] See https://www.idmatch.gov.au/organisations/government-user.
[18] See https://www.idmatch.gov.au/organisations/business-user.
[19] See https://www.idmatch.gov.au/organisations/gateway-service-provider.
[20] See https://www.idmatch.gov.au/organisations/identity-service-provider.
[21] On 7 June 2025, the Identity Verification Services Rules 2024 - Federal Register of Legislation were amended to extend the transition period to sign the new DVS participation agreements from 14 June 2024 until 14 December 2025.
[22] See paragraphs 5.2 and 5.3 of the Department’s DVS PIA dated 16 April 2025.
[23] See paragraph 5.5 of the Department’s DVS PIA dated 16 April 2025.
[24] See paragraph 5.4 of the Department’s DVS PIA dated 16 April 2025.
[25] See paragraph 3.29 of this report.
[26] See previous IVS assessment at Identity Verification Services Assessment Report – Privacy Obligations.
[28] See the Department’s Privacy Policy at Privacy policy | Attorney-General's Department.
[29] Under APP 1, an APP entity must have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information.
[30] See paragraph 1.20 of the OAIC’s APP Guidelines.
[31] On 7 June 2025, the Identity Verification Services Rules 2024 - Federal Register of Legislation was amended to extend the transition period to sign the new DVS participation agreements from 14 June 2024 until 14 December 2025.
[32] Section 12 of the IVS Act outlines the compliance requirements for participation agreements, including that a participation agreement must provide for annual auditing of compliance with the agreement and each party to the agreement (except the Department) to report annually to the Department on the party’s compliance with the agreement.
[34] See s 40(2) of the IVS Act.