The Australian Information Commissioner (Information Commissioner) has powers under the Privacy Act 1988 (Privacy Act) to conduct privacy assessments of APP entities, that is Australian and Norfolk Island Government agencies and private sector organisations.
The Commissioner can also conduct assessments of ACT public sector agencies as part of exercising some of the functions of the ACT Information Privacy Commissioner under the Information Privacy Act 2014 (ACT). For more information about these functions, please see Australian Capital Territory Privacy.
Information about assessment powers
An assessment provides a professional, independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations. In the past, the OAIC has referred to these assessments as ‘audits’.
Section 33C of the Privacy Act establishes that the Commissioner may conduct an assessment relating to the following:
- the Australian Privacy Principles (s 33C(1)(a)(i))
- a registered APP code (s 33C(1)(a)(ii))
- credit information files and credit reports held by credit reporting agencies and credit providers (s 33C(1)(b))
- tax file number recipients (s 33C(1)(c))
- data matching programs (s 33C(1)(d))
- claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme (s 33C(1)(e)).
Additionally, s 28A(1)(c) of the Privacy Act gives the Commissioner the ability to examine the records of the Commissioner of Taxation in relation to tax file numbers and tax file number information.
The Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.
The privacy assessment process
The OAIC approaches assessments as an educative process, and compliance with the Privacy Act is seen as part of good management practice. The assessment is, by necessity, a snapshot of personal information handling practices relating to an APP entity at a certain time and in a particular location. APP entities are encouraged to consider findings broadly and not limit issues identified in the assessment to the program that was the subject of assessment.
The assessment process, which begins with the identification of the entity selected for a privacy assessment and the proposed focus, is substantially the same regardless of whether it is an assessment of Australian Privacy Principles, credit information or tax file numbers.
Information about the assessment process can be found in Chapter 7: Privacy assessments of the Guide to Privacy Regulatory Action.
The OAIC’s latest Annual Report provides information about the current privacy assessment program.
Recent privacy assessments
To help promote good privacy practices, the OAIC publishes the finalised reports of assessments (previously called audits) of Australian Government agencies and private sector organisations.
Where an assessment or audit report contains classified content, the OAIC may not be able to publish the report.
These are the assessments and audits finalised since 2013. Visit Trove for assessments between 2011 and 2013 and for audits conducted by the former Office of the Privacy Commissioner.