Skip to main content
  • On this page

Publication date: 6 June 2022

Part 1: Executive summary

Privacy impact assessments

This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Australian Government agencies’ compliance with s 15.1 of the Privacy (Australian Government Agencies – Governance) Code 2017 (Code). Since 1 July 2018, it has been mandatory under s 15.1 of the Code for Australian Government agencies to maintain a register of the privacy impact assessments (PIAs) they conduct. Agencies must publish the register, or a version of the register on their websites. A PIA is a systematic assessment that identifies privacy impacts of a project and sets out recommendations for managing, minimising or eliminating that impact. PIAs are an important component for the protection of privacy and should be part of agencies’ risk management and planning processes. PIAs can help ensure compliance, facilitate a privacy-by-design approach and identify better practice. PIAs demonstrate a commitment to accountable and transparent privacy practices and build public trust and confidence in an agency’s programs and policies.

The OAIC’s Privacy Officer Toolkit provides guidance to agencies in relation to the information that the PIA register should include. Agencies should include information about all completed PIAs on their registers. As a minimum, the PIA register should include the title of the agency’s PIA and as better practice may also include a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project.[1] The agency should also consider publishing a PIA, or a summary version or an edited copy of the PIA, on the agency’s register as permitted by the Code.[2] Where no PIAs have been carried out agencies should nonetheless publish a PIA register as better practice, with a note indicating that no PIAs have been conducted. Agencies are also encouraged to include a currency date on their PIA register so the public is aware of when it was last updated.

Part 2: Findings

Home Affairs Portfolio

Agencies within the Home Affairs Portfolio were the first group of agencies assessed for compliance with s 15.1 of the Code. The Home Affairs Portfolio consists of 7 agencies, 5 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[3] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Home Affairs Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Home Affairs

Yes

None

No action required[4]

Australian Federal Police

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Australian Institute of Criminology

Yes[5]

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIA’s have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Accepted

Australian Transaction Reports Analysis Centre (AUSTRAC)

Yes

None

No action required

Office of the Special Investigator

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIA’s have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed

Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed.

Social Services Portfolio

During July 2021, the OAIC assessed agencies within the Social Services Portfolio for compliance with s 15.1 of the Code. The Social Services Portfolio consists of 6 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) and the Code. These 6 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Social Services Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Social Services

Yes

None

No action required

Australian Institute of Family Studies (AIFS)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

NDIS Quality and Safeguards Commission

Yes

None

No action required[6]

Services Australia

Yes

None

No action required

Australian Hearing Services (Hearing Australia)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

National Disability Insurance Scheme Launch Transition Agency (National Disability Insurance Agency)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Foreign Affairs and Trade Portfolio

During August 2021, the OAIC assessed agencies within the Foreign Affairs and Trade Portfolio for compliance with s 15.1 of the Code. The Foreign Affairs and Trade Portfolio consists of 6 agencies, 5 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[7] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Foreign Affairs and Trade Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Foreign Affairs and Trade

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Australian Centre for International Agriculture Research (ACIAR)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Australian Trade and Investment Commission (Austrade)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Export Finance and Insurance Corporation (EFIC, Export Finance Australia)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Tourism Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Health Portfolio

During November 2021, the OAIC assessed agencies within the Health Portfolio for compliance with s 15.1 of the Code. The Health Portfolio consists of 20 agencies, 19 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[8] These 19 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Health Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Health

Yes

None

No action required.

Aged Care Quality and Safety Commission

Yes

None

No action required.

Australian Radiation Protection and Nuclear Safety Agency

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s recommendation.

Cancer Australia

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

National Blood Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Health and Medical Research Council

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Health Funding Body

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

National Mental Health Commission

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Organ and Tissue Authority

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated.

Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed.

Professional Services Review Scheme

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Sport Integrity Australia

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated.

Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed.

Australian Commission on Safety and Quality in Health Care

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Digital Health Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Institute of Health and Welfare

Yes

None

No action required.

Australian Sports Commission

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Food Standards Australia New Zealand

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Independent Hospital Pricing Authority

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Office of the Gene Technology Regulator

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted.

Australian Industrial Chemicals Introduction Scheme

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Treasury Portfolio

The OAIC assessed agencies within the Treasury Portfolio for compliance with s 15.1 of the Code. The Treasury Portfolio consists of 18 agencies, 17 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code[9]. These 17 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Treasury Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Treasury

Yes

Suggestion: best practice suggestions:

  • the agency add a date   to advise when the PIA register was last updated
  • the title of the register states   ‘Privacy Impact Assessments undertaken 2019 onwards’ and should be amended to   reflect that the obligation to maintain a PIA register commenced on 1 July   2018.

Agency has implemented the OAIC’s suggestions.

Australian Bureau of Statistics

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Competition and Consumer Commission

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Office of Financial Management

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, adding a date when the PIA register was last updated, even where no PIAs have been undertaken by the agency.

Agency has implemented the OAIC’s suggestion.

Australian Prudential Regulation Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has noted the OAIC’s suggestion. The agency website states the requirement to maintain and publish a register of the PIAs undertaken.

Australian Securities and Investments Commission

Yes

None.

No action required.

Australian Taxation Office

Yes

None.

No action required.

Commonwealth Grants Commission

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Inspector-General of Taxation

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s recommendation.

National Competition Council

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Make the register available in the results of the website search function, to enable access for the public.

Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed.

Office of the Auditing and Assurance Standards Board

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated.

At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency has also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register.

Office of the Australian Accounting Standards Board

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated.

At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency has also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register.

Productivity Commission

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s recommendation.

Royal Australian Mint

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Reinsurance Pool Corporation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Housing Finance and Investment Corporation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has noted the OAIC’s suggestion. Agency’s website states the requirement to maintain and publish a register of the PIAs undertaken.

Reserve Bank of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Education, Skills and Employment Portfolio

The OAIC assessed agencies within the Education, Skills and Employment Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 7 agencies, 6 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code[10]. These 6 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Education, Skills and Employment Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Education, Skills and Employment

Yes

Suggestion: best practice suggestion the agency add a date to advise when the PIA register was last updated.

Action: Agency has implemented the OAIC’s suggestion

Australian Research Council

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Action: Agency has implemented the OAIC’s suggestion

Tertiary Education Quality and Standards Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Action: Agency has implemented the OAIC’s suggestion

Australian Curriculum, Assessment and Reporting Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Action: No action taken by agency

Australian National University

Yes

None

No action required

Australian Skills Quality Authority (National Vocational Education and Training Regulator)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Action: Agency has implemented the OAIC’s suggestion

Defence Portfolio

The OAIC assessed agencies within the Defence Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 14 agencies, 10 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[11] The following table sets out the findings of the assessment of the agencies within the Defence portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Defence

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Army and Air Force Canteen Service (Frontline Defence Services)

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed

Agency has implemented the OAIC’s suggestion

Australian Military Forces Relief Trust Fund

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed

No action taken by agency

Defence Housing Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Royal Australian Air Force Veterans' Residences Trust Fund

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed

Agency has implemented the OAIC’s suggestion

Royal Australian Air Force Welfare Trust Fund

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed

Agency has accepted the OAIC’s suggestion, but has not actioned

Royal Australian Navy Central Canteens Board (Royal Australian Navy Central Canteens Fund)

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code

Agency has implemented the OAIC’s recommendation

Royal Australian Navy Relief Trust Fund

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed

No action taken by agency

Department of Veterans’ Affairs

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Australian War Memorial

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Industry, Science and Resources Portfolio

The OAIC assessed agencies within the Industry, Science and Resources Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 6 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) and the Code. The following table sets out the findings of the assessment of the agencies within the Industry, Science and Resources portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Industry, Science and Resources

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Geoscience Australia

Yes

None

No action required

IP Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Australian Nuclear Science and Technology Organisation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Commonwealth Scientific and Industrial Research Organisation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

National Offshore Petroleum Safety and Environmental Management Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated

Agency has implemented the OAIC’s suggestion

Finance Portfolio

The OAIC assessed agencies within the Finance Portfolio for compliance with s 15.1 of the Code. The Finance Portfolio consists of 8 agencies, 6 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[12] The following table sets out the findings of the assessment of the agencies within the Finance Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation/suggestion

Action taken by agency

Department of Finance

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Electoral Commission

Yes

None

No action required.

Digital Transformation Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Future Fund Management Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Independent Parliament Expenses Authority

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s suggestion.

Commonwealth Superannuation Corporation (CSC)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public.

Agency has implemented the OAIC’s suggestion to add a last updated date.

Agency has implemented the OAIC’s suggestion to make the register accessible through the website search function.

Agriculture, Fisheries and Forestry Portfolio

The OAIC assessed agencies within the Agriculture, Fisheries and Forestry Portfolio for compliance with s 15.1 of the Code. The Agriculture, Fisheries and Forestry Portfolio consists of 9 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Agriculture, Fisheries and Forestry Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation / suggestion

Action taken by agency

Department of Agriculture, Fisheries and Forestry

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Fisheries Management Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public.

Agency has implemented the OAIC’s suggestions.

Australian Pesticides and Veterinary Medicines Authority

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice annually.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public.

Agency has implemented the OAIC’s suggestions.

Cotton Research and Development Corporation

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s  suggestions.

Fisheries Research and Development Corporation

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Grains Research and Development Corporation

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public.

Agency has implemented the OAIC’s suggestions.

Regional Investment Corporation

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s  recommendation.

Rural Industries Research and Development Corporation (trading as Agrifutures Australia)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Wine Australia

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Prime Minister and Cabinet Portfolio

The OAIC assessed agencies within the Prime Minister and Cabinet Portfolio for compliance with s 15.1 of the Code. The Prime Minister and Cabinet Portfolio consists of 20 agencies, 11 agencies of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Prime Minister and Cabinet  Portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation / suggestion

Action taken by agency

Department of Prime Minister and Cabinet

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Public Service Commission

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Indigenous Australians Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Office of the Official Secretary to the Governor-General

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Workplace Gender Equality Agency

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Institute of Aboriginal and Torres Strait Islander Studies

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Indigenous Business Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Indigenous Land and Sea Corporation

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Northern Territory Aboriginal Investment Corporation

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Best practice suggestion that the agency make the register available in the results of the website search function to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

Torres Straight Regional Authority

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

Wreck Bay Aboriginal Community Council

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestion.

Agency has implemented the OAIC suggestion.

Attorney-General’s Portfolio

The OAIC assessed agencies within the Attorney-General’s Portfolio for compliance with s 15.1 of the Code. The Attorney-General’s Portfolio consists of 17 agencies, 14 of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The OAIC previously assessed the Australian Federal Police, Australian Institute of Criminology, Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Office of the Special Investigator when they were in the Home Affairs Portfolio, so we have not re-assessed these agencies.

We have not conducted an assessment of the OAIC as part of the PIA register assessment program. Instead, we have undertaken an administrative review of the OAIC’s compliance with PIA requirements of the Code, applying the same criteria.

Agency

Compliant with s 15.1 of the Code

Recommendation / suggestion

Action taken by agency

Attorney-General’s Department

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even when no PIAs have been undertaken by the agency.

Agency has implemented the OAIC’s suggestion.

Administrative Appeals Tribunal

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Financial Security Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Law Reform Commission

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

Federal Court of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Office of the Commonwealth Ombudsman

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Office of the Director of Public Prosecutions (CDPP)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Office of Parliamentary Counsel

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Human Rights Commission

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Infrastructure, Transport, Regional Development, Communications and the Arts Portfolio

The OAIC assessed agencies within the Infrastructure, Transport, Regional Development and the Arts Portfolio for compliance with s 15.1 of the Code. The Infrastructure, Transport, Regional Development and the Arts Portfolio consists of 31 agencies, 25 of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Infrastructure, Transport, Regional Development, Communications and the Arts portfolio.

Agency

Compliant with s 15.1 of the Code

Recommendation / suggestion

Action taken by agency

Dept of Infrastructure, Transport, Regional Development, Communications and the Arts

Yes

Suggestion: best practice suggestion that the agency update the PIA register twice a year, even when no PIAs have been undertaken by the agency.

Agency has implemented the OAIC’s suggestion.

Australian Communications and Media Authority (ACMA)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Transport Safety Bureau (ATSB)

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Archives of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Capital Authority

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s recommendation.

High Speed Rail Agency

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.[4]

Agency has implemented the OAIC’s recommendation.

Air Services Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australia Council for the Arts

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian Broadcasting Corporation

Yes

None

No action required.

Australian Film, Television and Radio School

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

Australian Maritime Safety Authority

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Australian National Maritime Museum

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

No action taken by agency.

Australian Postal Corporation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Civil Aviation Safety Authority

Yes

None

No action required.

Infrastructure Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

National Film and Sound Archive of Australia

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

National Gallery of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

National Library of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Museum of Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

National Portrait Gallery of Australia

Yes

Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed.

Agency has implemented the OAIC’s suggestion.

National Transport Commission

Yes

Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.

Agency has implemented the OAIC’s recommendation.

Screen Australia

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Special Broadcasting Service Corporation

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Agency has implemented the OAIC’s suggestion.

Northern Australia Infrastructure Facility

Yes

None

No action required.

Old Parliament House

Yes

Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated.

Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public.

Agency has implemented the OAIC’s suggestions.

Objective and scope of the assessment

This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.The assessment scope was limited to compliance with s 15.1 of the Code.

Selection of assessment targets

The OAIC used the Public Governance, Performance and Accountability Act 2022,  published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.

Assessment methodology

The OAIC assessed compliance through a desktop review of agency websites.The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.If agencies were found to be not compliant with s 15.1 the Code, the OAIC followed up with these agencies in writing:

  • providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
  • noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.

After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.

Privacy risks

Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.

Part 3: Description of assessment

Objective and scope of the assessment

This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.

The assessment scope was limited to compliance with s 15.1 of the Code.

Selection of assessment targets

The OAIC used the Public Governance, Performance and Accountability Act 2013 Flipchart, published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.

The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.

Assessment methodology

The OAIC assessed compliance through a desktop review of agency websites.

The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.

If agencies were found to be not compliant with s 15.1 the Code, the OAIC followed up with these agencies in writing:

  • providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
  • noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.

After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.

As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.

Privacy risks

Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.

For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.

Footnotes

[1] For further guidance in relation to PIA registers see the OAIC’s Privacy Officer Toolkit.

[2] Section 13 (Publication of PIA) of the Code provides that an agency may publish a PIA conducted under section 12, or a summary version or an edited copy of the PIA, on the agency’s website.

[3] The acts and practices of the Australian Criminal Intelligence Commission (ACIC) and the Australian Security Intelligence Organisation (ASIO) are exempt under s 7 of the Privacy Act and these agencies were not assessed.

[4] During the OAIC’s recent assessment of Home Affairs – Managing personal information - Passenger Names Records, following assessment fieldwork and after engagement with the OAIC on the requirement for an agency to maintain and publish a PIA register, Home Affairs advised the OAIC that it published a version of its register of PIAs on its website in April 2021.

[5] At the time of undertaking fieldwork for this assessment, the agency had not published a PIA register on their website. The OAIC requested the agency provide an explanation within 30 days as to why the agency did not have a PIA register published on its website.  The agency did not provide the OAIC with a substantive response explaining why they do not have a register within the 30-day time frame. The agency subsequently provided the OAIC with reasons as to why they do not have a PIA register published on their website, (because they have not conducted any PIAs), which the OAIC has accepted.

[6] At the time the OAIC conducted the initial desktop review, the NDIS Quality and Safeguards Commission did not have a PIA register published on its website in July 2021. After consultation in July 2021, the agency advised that it had undertaken a PIA in March 2021 and the agency also identified a PIA completed jointly with another agency in July 2019. The agency subsequently published a PIA register in early August 2021 and were found to be compliant during the subsequent desktop review.

[7] The acts and practices of the Australian Secret Intelligence Service are exempt under s 7 of the Privacy Act and this agency was not assessed.

[8] Australian National Preventative Health Agency ceased operations on 30 June 2014. Its key functions have transferred to the Department of Health.

[9] The Financial Adviser Standards and Ethics Authority Ltd Does not fit the definition of an 'agency' under s 6 of the Privacy Act.

[10] Australian Institute for Teaching and School Leadership Limited does not fit the definition of an 'agency' under s 6 of the Privacy Act.

[11] AAF Company (Trustee of Army Amenities Fund and Messes Trust Fund), Australian Strategic Policy Institute Ltd and RAAF Welfare Recreational Company are excluded under s 6 of the Privacy Act; Australian Signals Directorate is excluded under s 7 of the Privacy Act.

[12] ASC Pty Ltd and Australian Naval Infrastructure Pty Ltd are excluded under s 6 of the Privacy Act.