Publication date: 16 February 2023

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Services Australia’s management of personal information under the Privacy Act 1988 (Cth) conducted in February 2022.[1]

1.2 The purpose of the assessment was to consider Services Australia’s handling of personal information as the Identity Exchange for the Australian Government Digital Identity System (DIS) in accordance with Australian Privacy Principle (APP) 1.2 and the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code).[2]

1.3 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs, and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

Where an entity handles personal information for the purposes of the DIS, the OAIC considers that the reasonable steps required under APP 1.2 will be informed by the requirements of the Trusted Digital Identity Framework (TDIF), the accreditation framework for Digital Identity services.[3]

1.4 While the OAIC found that Services Australia has taken reasonable steps under APP 1.2 to ensure it complies with the APPs[4] and the Code, the assessment identified 4 medium privacy risks and one high privacy risk and made 5 recommendations relating to Services Australia’s handling of personal information as the Identity Exchange. The OAIC also made several suggestions to assist Services Australia to enhance its information handling practices.

1.5 In summary, the assessment identified 4 medium privacy risks and recommends that Services Australia should:

  • amend Services Australia’s APP 1 privacy policy (Services Australia privacy policy)[5] about the Identity Exchange to clarify Services Australia’s role as an Identity Exchange and reflect the requirements of APP 1.4 and the TDIF
  • amend Services Australia’s privacy management plan to identify and document Services Australia’s specific, measurable privacy goals and targets as an Identity Exchange under the DIS and TDIF
  • develop an internal policy that clearly documents the separation between the different functions that Services Australia has in the DIS, and privacy measures that apply to the Identity Exchange
  • regularly review and test Services Australia’s data breach response plan to make sure it is up to date and staff understand what actions they are expected to take in the event of a breach.

1.6 The assessment also identified one high privacy risk and recommends that Services Australia must take steps to appropriately manage the medium and high risks identified in its regular information security assessments. This may be by continuing to implement the recommendations from these ICT assessments.

1.7 For more information about the OAIC’s privacy risk ratings, see the ‘Privacy risk guidance’ in Appendix A.

Part 2: Introduction

Background

Services Australia and Digital Identity

2.1 Digital Identity is a voluntary way for Australians to prove their identity online and access a range of Government services. At the time of fieldwork, Australian Government agencies (along with State and Territory agencies participating in pilots) could be onboarded to participate in the DIS.[6] For more information on Digital Identity, please see the Australian Government’s Digital Identity website.[7]

2.2 Services Australia manages the Identity Exchange on behalf of the Australian Government.[8] The Identity Exchange securely transfers information, with an individual’s consent, between parties such as identity service providers.

Services Australia’s multiple roles within the Digital Identity system

2.3 In addition to being the Identity Exchange, Services Australia has separate roles within the DIS as the Temporary Oversight Authority, a Relying Party and an Attribute Service Provider.[9] These additional roles are outside the scope of this assessment. Together, the Identity Exchange, Temporary Oversight Authority, Relying Party and Attribute Service Provider are called the ‘DIS functions’ in this report.

Trusted Digital Identity Framework accreditation

2.4 The TDIF is the technical framework within which the DIS operates. It specifies the minimum standard entities must meet to become part of the system and provides the tools, rules and accreditation criteria that protect the system. For more background, please see the Australian Government’s Digital Identity webpage on the TDIF.[10]

2.5 The Australian Government granted Services Australia TDIF accreditation on 13 May 2019.[11]

Part 3: Findings

Our approach

3.1 The key findings of the OAIC’s assessment of Services Australia’s role in the handling of personal information as the Identity Exchange for the DIS under APP 1.2 and the Code are set out below. In relation to its role as the Identity Exchange, the reasonable steps required by Services Australia under APP 1.2 are informed by the requirements of the TDIF.

3.2 For the purposes of this assessment, the OAIC also considered Services Australia’s policies and procedures against Chapter 1 of the APP Guidelines, the Privacy (Australian Government Agencies – Governance) APP Code 2017 and the Privacy Management Framework which details steps that Services Australia is expected to take to meet its ongoing compliance obligations under APP 1.2.

3.3 APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code and is able to deal with related inquiries and complaints.

Governance and training

3.4 To ensure compliance with APP 1.2, an entity should have established procedures for the oversight, accountability and lines of authority for the management of the personal information it handles. Its governance arrangements should include appropriate training, resourcing and management focus that fosters a culture of privacy and security awareness among staff.

3.5 Services Australia has privacy governance arrangements in place including:

  • dedicated privacy staff responsible for agency-wide coordination, discussion, reporting, and response to privacy matters, including Identity Exchange related privacy matters
  • staff appointed to key roles and responsibilities in privacy management, specifically a Privacy Officer and a Privacy Champion, as part of its obligations under ss 10 and 11 of the Code
  • established boards and committees that govern and oversee new projects and ongoing data management and consider privacy issues related to the Identity Exchange. Privacy staff participate in these forums.

3.6 Services Australia requires all staff to undergo mandatory agency-wide privacy induction training and annual privacy refresher training.

Internal policies, practices, and procedures

3.7 Entities should document the internal policies, practices, and procedures that they use to handle personal information. The documentation should outline the measures that are in place to manage the privacy risks and threats to personal information. These documents should be regularly reviewed and updated to ensure they reflect the entity’s current acts and practices.

3.8 The OAIC identified several good internal policies, practices, and procedures implemented by Services Australia that satisfy some of its obligations under APP 1.2 and the Code, as well as its TDIF privacy and protective security obligations.

3.9 For example, Services Australia regularly reviews and updates its privacy practices, procedures and systems to ensure their currency and adequacy. It has also instituted a ‘privacy by design’ approach, including implementing procedures for conducting privacy threshold assessments (PTAs) and Privacy Impact Assessments (PIAs) where required, as part of its obligations under s 12 of the Code. As part of its TDIF accreditation, Services Australia conducted a PIA for the Identity Exchange in 2018 and undertakes a privacy assessment (which is separate from the PIA) as part of the annual assessment of the Identity Exchange.

3.10 The OAIC has, however, made several recommendations about Services Australia’s internal policies, practices and procedures in response to medium privacy risks identified during the assessment which are set out below.

APP privacy policy

3.11 Both APP 1 and the TDIF Privacy Requirements require the publication of a clearly expressed and up-to-date privacy policy. APP 1.4 includes a non-exhaustive list of information that must be included in an APP privacy policy. The functional requirements document TDIF Req PRIV-03-02-03a states that the applicant (in this case, Services Australia) must have a separate privacy policy in relation to its identity system to that of its other business, organisation functions, or accredited roles. This reflects the central object of APP 1 which is to ensure that entities manage personal information in an open and transparent manner. An APP privacy policy should be tailored to the specific information handling practices of an entity.

3.12 At the time of fieldwork, the OAIC found that the Services Australia privacy policy[12] did not directly mention the Identity Exchange, nor did the privacy policy’s layered sections (referred to by Services Australia as privacy notices), which discuss Services Australia’s various functions. One of these layered sections relates to Services Australia’s role as the Digital Identity oversight authority, though it does not explicitly mention Services Australia’s role as the Identity Exchange. Services Australia’s privacy policy also links to a separate myGov privacy notice (which makes references to the Identity Exchange) and to the Digital Identity website, which is the public website for the DIS and contains information about the Identity Exchange.[13]

3.13 The lack of a dedicated privacy policy for the identity system creates a medium risk that individuals will not be able to understand how their personal information is managed by Services Australia in its role as an Identity Exchange for the DIS, and the information flows associated with that personal information.

3.14 The OAIC recommends that Services Australia’s privacy policy should clearly identify Services Australia’s role as an Identity Exchange for the DIS and that this function involves Services Australia handling personal information. The content of the privacy policy should reflect the requirements of APP 1.4 as well as the matters the functional requirements documentation requires to be included in the privacy policy. It should also contain sufficient information to describe the personal information handling practices of the Identity Exchange. Examples of other information that could be included are the retention and destruction practices or obligations that are specific to data handled by the Identity Exchange.

3.15 Following the fieldwork, Services Australia provided the OAIC with a separate privacy policy and privacy notice for the Identity Exchange on another website operated by Services Australia. These documents set out Services Australia’s role as the Identity Exchange, including the types of information that it collects and shares as the Identity Exchange and why it collects and shares this information.

3.16 However, if Services Australia is taking a layered approach and is relying on a separate privacy policy for the Identity Exchange, the Services Australia privacy policy should have some brief text which sets out Services Australia’s handling of personal information as an Identity Exchange and then direct the reader to the separate policy for more detail.

Recommendation 1: Amend Services Australia’s privacy policy in relation to the Identity Exchange.

The OAIC recommends that Services Australia should amend the Services Australia privacy policy by adding information which clarifies Services Australia’s role as an Identity Exchange for the DIS and that this function involves Services Australia handling personal information.

If Services Australia is taking a layered approach and is relying on a separate privacy policy for the Identity Exchange, the Services Australia privacy policy should include some brief text which sets out Services Australia’s handling of personal information as an Identity Exchange and then direct the reader to the separate policy for more detail.

Privacy management plan

3.17 Agencies are required under s 9 of the Code to have a privacy management plan (PMP) which identifies specific, measurable privacy goals and targets and sets out how the agency will meet its compliance obligations under APP 1.2. Agencies must also measure and document their performance against their PMP at least annually. The TDIF contains similar PMP requirements.[14]

3.18 Services Australia has developed a PMP for the 2020-21 financial year which is reviewed annually and identifies agency-wide specific, measurable goals and targets, and sets out how Services Australia will meet its compliance obligations under APP 1.2. The PMP, however, does not set out specific goals and targets in relation to Services Australia’s DIS functions, including the Identity Exchange. This PMP also does not contain any references to specific TDIF goals and targets.

3.19 Failing to set out specific and measurable goals and targets in relation to Services Australia’s DIS functions, including Identity Exchange, creates a medium risk that Services Australia will not be able to effectively measure and document its performance against its PMP on an annual basis.

Recommendation 2: Identify and document Services Australia’s specific and measurable DIS/TDIF privacy goals and targets by either amending Services Australia’s general PMP or developing a separate PMP.

The OAIC recommends that Services Australia should:

  • document how its compliance obligations under APP 1.2 and the TDIF will be met with respect to its DIS functions, including the operation of the Identity Exchange
  • identify and document specific and measurable privacy goals and targets by either amending the existing general PMP or developing a separate PMP for Services Australia’s DIS functions.

Documenting Services Australia’s DIS functions

3.20 At the time of the assessment, the OAIC observed Services Australia had a range of general agency-wide privacy documents which also apply to (but do not mention) the Identity Exchange and TDIF privacy requirements, and a procedural document that sets out how requests for information from the Identity Exchange should be processed. However, except for this procedural document, the OAIC did not observe any other internal policy documents which set out the separation of DIS functions.

3.21 Clearly documenting how these DIS functions are operationally separate within Services Australia will help ensure that specific privacy measures are in place to manage the risks and threats to the handling of personal information related to the Identity Exchange. It will also enable knowledge sharing and create consistency in the management of privacy issues regarding the Identity Exchange and in how Services Australia is meeting its TDIF privacy requirements. The documents should outline:

  • the senior executive appointed as Services Australia’s designated ‘Accountable Authority’ under the TDIF[15] for the TDIF privacy and protective security requirements
  • Services Australia’s governance arrangements, setting out the responsibilities of each DIS function
  • how Services Australia operationalises the separation of its DIS functions
  • privacy measures that are in place to manage the risks and threats to personal information held on the Identity Exchange.

3.22 Without documenting these governance arrangements, there is a medium risk that the separation of Services Australia’s DIS functions will not be properly enforced and any privacy issues regarding the Identity Exchange will not be managed appropriately and consistently. For example, it may increase the risk of personal information collected for the Identity Exchange being used or disclosed for a secondary purpose that is not covered by an exception under APP 6. The OAIC recommends that Services Australia should develop an internal policy that clearly documents the separation of these DIS functions.

Recommendation 3: Develop an internal policy that clearly documents the separation of Services Australia’s DIS functions and the privacy measures which apply to the Identity Exchange.

The OAIC recommends that Services Australia should develop an internal policy that clearly documents:

  • the accountable authority within Services Australia for the TDIF privacy and protective security requirements
  • the DIS functions, including governance arrangements that set out the various teams/branches within Services Australia responsible for each of these functions
  • how Services Australia operationalises the separation of its DIS functions, for example, any physical, logical, and organisational barriers between Services Australia’s DIS functions, access security measures for data held on the Identity Exchange, procedures for handling requests from the oversight authority for information held on the Identity Exchange and for securely lifting the Identity Exchange’s ‘double blind’
  • the privacy measures that are in place to manage the risks and threats to personal information held on the Identity Exchange. This could include (but is not limited to) links and references to the various privacy and security policies, procedures and arrangements which are relevant to TDIF/DIS and the handling of personal information held and processed by the Identity Exchange, including:
    • Services Australia’s operational privacy policy
    • Services Australia’s external APP 1 privacy policy for the Identity Exchange
    • Services Australia’s privacy management plan
    • Services Australia’s record of personal information holding (data asset register)
    • Services Australia’s data breach response plan (specifically Schedule 2 of the plan which deals with the Identity Exchange related data breaches)
    • the Systems Security Plan
    • the Security Risk Management Plan
    • relevant DIS/TDIF Memorandum of Understanding, and
    • any relevant ICT security governance.

Services Australia should also regularly review this document to ensure its currency and accuracy. Having a documented policy will mitigate against the risk of the loss of corporate knowledge and ensure continuity. It will also assist with any future internal or external assurance reviews of the Identity Exchange.

Policies and procedures in relation to information security

3.23 Under APP 1.2, an APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with its information security obligations under APP 11. Access security and monitoring controls help agencies protect against internal and external risks by ensuring that personal information is only accessed by authorised persons, and that any unauthorised access is detected in a timely manner. Weaknesses in an agency’s ICT security controls increase the likelihood of unauthorised access to systems.

3.24 The OAIC identified that Services Australia has several good information security and access controls in place. Services Australia regularly updates and maintains key documents relating to the management of security risks associated with the Identity Exchange such as the Systems Security Plan (SSP) and the Security Risk Management Plan (SRMP). It has applied appropriate access and security controls including reviewing audit logs, limited ‘need to know’ access to data held on the Identity Exchange, and information barriers between Services Australia’s various DIS functions. There are also established processes for relevant staff to review and evaluate incidents and collaborate with staff managing other risk areas (for example, cyber and fraud).

3.25 This assessment, however, identified one high privacy risk and one medium privacy risk in relation to Services Australia’s information security and access controls, which are set out below.

Information security assessments

3.26 Assessing the security risks to personal information is an important element of ‘privacy by design’. The assessment identified that Services Australia regularly conducts information security assessments of the Identity Exchange, including penetration testing and annual Information Security Registered Assessors Program (IRAP) assessments.

3.27 The SRMP notes that these information security assessments have identified several vulnerabilities, including a number of ICT security-related medium risks and one high risk. A number of risk treatments were recommended to address these vulnerabilities. Similarly, the IRAP assessment recommended that Services Australia develop a detailed implementation plan and schedule for all critical and high-risk vulnerabilities that have been identified.

3.28 The OAIC’s privacy management framework sets out steps that the OAIC expects entities to take to meet ongoing compliance obligations under APP 1.2.[16] Under this framework, part of establishing robust and effective privacy practices, procedures and systems includes implementing risk management processes that allow entities to identify, assess and then manage privacy risks, including personal information security risks. Good privacy management under this framework also involves systematically evaluating and enhancing privacy processes.

3.29 Through its information security assessments, Services Australia has taken steps to identify and assess privacy risks. However, at the time of the assessment, Services Australia had made only partial progress in managing the risks highlighted by these information security assessments and had not fully implemented the recommendations from these ICT audits.

3.30 Depending on whether Services Australia has taken appropriate steps under its relevant practices, procedures and systems to manage these risks, for example by implementing these recommendations, there may be a high privacy risk that Services Australia is breaching the requirements of APP 1.2.

3.31 The OAIC recommends that Services Australia must take steps to appropriately manage the medium and high risks identified in its regular information security assessments. This may be by continuing to implement the recommendations from these ICT assessments.[17] If appropriate action has not been taken, then Services Australia must evaluate its practices, procedures and systems for privacy risk management to ensure their adequacy and currency. Subject to that review, it may be necessary to implement a process to enhance these practices, procedures and systems in consideration of its obligations under APP 1.2.

Recommendation 4: Take appropriate steps to manage risks identified in the security assessments of the Identity Exchange.

The OAIC recommends that Services Australia must take steps to appropriately manage the medium and high risks identified in its regular information security assessments. This may be by continuing to implement the recommendations from these ICT assessments.

If appropriate action has not been taken, then Services Australia must evaluate its practices, procedures and systems for privacy risk management to ensure their adequacy and currency. Subject to that review, it may be necessary to implement a process to enhance these practices, procedures and systems in consideration of its obligations under APP 1.2.

Data breach response plan

3.32 In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist entities to contain the breach and manage the response. This plan should be regularly tested and clearly indicate responsible officers in the event of an incident. Similar requirements around data breach response plans are included in the TDIF.[18]

3.33 Services Australia has a data breach response plan in place which deals specifically with Identity Exchange related data breaches. During the assessment, however, Services Australia advised the OAIC that:

  • the data breach response plan has not been tested
  • the response team listed in the plan only contains high-level detail, as Services Australia considers that each data breach may require its own unique response and that the plan needs to be flexible depending on the issue being addressed.

3.34 Failing to test its data breach response plan in relation to the Identity Exchange creates a medium privacy risk, as it may reduce Services Australia’s ability to identify risks and gaps in the plan and to respond quickly to a data breach. There is also a risk that, because the plan does not clearly indicate the response team and their responsibilities, staff will not know of, or follow, the plan.

3.35 The OAIC recommends that Services Australia should regularly test its data breach response plan and make refinements based on the outcome of this testing. Testing the plan may also help determine whether the absence of specific response team details would unnecessarily delay a response to a data breach involving the Identity Exchange.

Recommendation 5: Test Services Australia’s data breach response plan in relation to the Identity Exchange.

The OAIC recommends that Services Australia should test its data breach response plan in relation to the Identity Exchange and make refinements based on the outcome of this testing, to ensure its effectiveness.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that Services Australia should amend the Services Australia privacy policy by adding information which clarifies Services Australia’s role as an Identity Exchange for the DIS and that this function involves Services Australia handling personal information.

If Services Australia is taking a layered approach and is relying on a separate privacy policy for the Identity Exchange, the Services Australia privacy policy should include some brief text which sets out Services Australia’s handling of personal information as an Identity Exchange and then direct the reader to the separate policy for more detail.

Response by Services Australia to the recommendation

4.2 The Agency accepts the recommendation.

The Agency has amended the Services Australia Privacy Policy accordingly.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that Services Australia should:

  • document how its compliance obligations under APP 1.2 and the TDIF will be met with respect to its DIS functions, including the operation of the Identity Exchange
  • identify and document specific and measurable privacy goals and targets by either amending the existing general PMP or developing a separate PMP for Services Australia’s DIS functions.

Response by Services Australia to the recommendation

4.4 The Agency accepts this recommendation.

The Agency is developing a policy framework (as referenced in recommendation 3) which will include the compliance obligations for how the Agency’s DIS functions will be met under APP 1.2 and the TDIF. This will include the operation of the Identity Exchange. Relevant documentation to this effect will form part of this policy.

Since the OAIC field visits in February 2022, the Agency has updated its PMP to include specific and measurable privacy goals for the Agency. The Agency will further amend the PMP by March 2023 to incorporate measurable privacy goals for the Agency’s DIS functions.

Recommendation 3

OAIC recommendation

4.5 The OAIC recommends that Services Australia develop an internal policy that clearly documents:

  • the accountable authority within Services Australia for the TDIF privacy and protective security requirements
  • the DIS functions, including governance arrangements that set out the various teams/branches within Services Australia responsible for each of these functions
  • how Services Australia operationalises the separation of its DIS functions, for example, any physical, logical, and organisational barriers between Services Australia’s DIS functions, access security measures for data held on the Identity Exchange, procedures for handling requests from the oversight authority for information held on the Identity Exchange and for securely lifting the Identity Exchange’s ‘double blind’
  • the privacy measures that are in place to manage the risks and threats to personal information held on the Identity Exchange. This could include (but is not limited to) links and references to the various privacy and security policies, procedures and arrangements which are relevant to TDIF/DIS and the handling of personal information held and processed by the Identity Exchange, including:
    • Services Australia’s operational privacy policy
    • Services Australia’s external APP 1 privacy policy for the Identity Exchange
    • Services Australia’s privacy management plan
    • Services Australia’s record of personal information holding (data asset register)
    • Services Australia’s data breach response plan (specifically Schedule 2 of the plan which deals with the Identity Exchange related data breaches)
    • the Systems Security Plan
    • the Security Risk Management Plan
    • relevant DIS/TDIF Memorandum of Understanding, and
    • any relevant ICT security governance.

Services Australia should also regularly review this document to ensure its currency and accuracy. Having a documented policy will mitigate against the risk of the loss of corporate knowledge and ensure continuity. It will also assist with any future internal or external assurance reviews of the Identity Exchange.

Response by Services Australia to the recommendation

4.6 Services Australia (the Agency) accepts this recommendation.

The Agency has established a working group to implement this recommendation.

The working group comprises Agency stakeholders who have a role in management of the Identity Exchange. The working group will also consult other stakeholders, such as the Interim Oversight Authority, as appropriate. The proposed policy will provide a framework that will:

  • identify and provide guidance on the current and future operational support requirements for the DIS and the Identity Exchange within the Agency; and
  • document compliance requirements under the TDIF and APP 1.2, providing a point of reference to Agency policies, procedures and arrangements relevant to these obligations.

As of January 2023, the working group has identified and documented the responsible business areas for different functions in the management of the DIS and the Identity Exchange.

The development of this policy is scheduled for completion by the end of March 2023. Once developed, the policy will be regularly reviewed and updated, as required, in line with standard Agency review processes.

Recommendation 4

OAIC recommendation

4.7 The OAIC recommends that Services Australia must take steps to appropriately manage the medium and high risks identified in its regular information security assessments. This may be by continuing to implement the recommendations from these ICT assessments.

If appropriate action has not been taken, then Services Australia must evaluate its practices, procedures and systems for privacy risk management to ensure their adequacy and currency. Subject to that review, it may be necessary to implement a process to enhance these practices, procedures and systems in consideration of its obligations under APP 1.2.

Response by Services Australia to the recommendation

4.8 Services Australia (the Agency) accepts this recommendation.

The Agency is taking a coordinated approach, involving experts across various ICT and cyber security teams, to continue to appropriately implement the recommendations from previous ICT assessments.

The Agency’s Cyber Security Division (CSD) provides security guidance and recommendations to technology decision makers, in line with the Information Security Manual and relevant policies, to support the Agency’s risk management.

Under the Cyber Security Governance Framework, a business owner at the SES level takes responsibility for risks associated with each system. This ensures sufficiently senior personnel are responsible for the appropriate allocation of resources relating to security, the regular assessment of technology and the effective management of risks, in line with Agency cyber policies. Among other things, the business owners:

  • identify and communicate business risk to system owners and CSD;
  • select controls that address security risk or security objectives;
  • fund security activity to ensure their systems maintain a strong cyber security posture; and
  • report changes to risks, controls or treatments to CSD.

CSD continues to improve assurance processes relating to risk management. This includes providing guidance on current and emerging risks, improving reporting and recommended treatments, and monitoring and managing vulnerability remediation – to promote the security of Agency systems.

Recommendation 5

OAIC recommendation

4.9 The OAIC recommends that Services Australia should test its data breach response plan in relation to the Identity Exchange and make refinements based on the outcome of this testing, to ensure its effectiveness.

Response by Services Australia to the recommendation

4.10 Services Australia (the Agency) accepts this recommendation.

The Agency will test its Data Breach Response Plan against the Digital Identity Exchange during the first quarter of 2023 and will make refinements based upon the outcome.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.2 The objective of this assessment was to establish whether Services Australia, in its role as the operator of the Identity Exchange for the DIS, is taking reasonable steps under Australian Privacy Principle (APP) 1.2 to implement practices, procedures and systems that will ensure it complies with the APPs and any relevant registered APP code and is able to deal with related inquiries and complaints.

5.3 The scope of this assessment was limited to Services Australia’s obligations under APP 1.2, including compliance with the Code, to the extent that those obligations are relevant to the operation of the Identity Exchange.

5.4 This assessment examined Services Australia’s handling of personal information in relation to the DIS. The assessment specifically focused on the following matters:

  • Services Australia’s role as an Identity Exchange and its acts and practices related to the handling of personal information held and processed by the Identity Exchange
  • the privacy and personal information security handling arrangements deployed by Services Australia in relation to the Identity Exchange, reviewing its practices, policies, procedures, systems, governance, risk management and training applicable to the handling of personal information contained in the Identity Exchange, and the implementation of these arrangements
  • examining whether the practices, procedures and systems implemented by Services Australia support the Identity Exchange in meeting the privacy and personal information security requirements of the TDIF accreditation process. This includes how the Identity Exchange has been accredited against these requirements during the initial application to join the TDIF, and on an ongoing basis, for example, annual reviews that have been conducted for TDIF accreditation
  • examining the structural separation of the Identity Exchange from other areas in Services Australia, including those responsible for MyGov (a relying party in the Digital Identity system) and the DIS Interim Oversight Authority. The scope included consideration of any impact that the multiple DIS functions performed by Services Australia have on the privacy and personal information security posture of the Identity Exchange.

5.5 The assessment’s scope did not include:

  • a physical review or testing of the technical capabilities or controls of the ICT systems used by Services Australia to operate the Identity Exchange
  • an examination of the acts and practices of other participants in the DIS
  • Services Australia’s other DIS functions, apart from the Identity Exchange (Services Australia’s data breach management for the DIS was assessed from an Identity Exchange perspective only)

5.6 In this privacy assessment report, the OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For example, a likely breach of relevant legislative obligations (such as the APPs, the Privacy Code or other legislation), or a situation where significant requirements of a specific obligation are likely not being met, will result in a high risk being identified in the report. For more information about these privacy risk ratings, see Chapter 7 of the OAIC’s Guide to privacy regulatory action.[19]

Privacy risks

5.7 Where the OAIC identified privacy risks and considered those privacy risks to be high or medium risks according to OAIC guidance (Appendix A refers), the OAIC makes recommendations to Services Australia about how to address those risks. These recommendations are set out in Part 4 of this report.

5.8 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

5.9 For more information about privacy risk ratings, see the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.10 The OAIC conducted a risk-based assessment of Services Australia’s handling of personal information in relation to the DIS in accordance with APP 1.2 and the Code.

5.11 The assessment involved the following:

  • review of relevant policies and procedures provided by Services Australia
  • fieldwork, which included remote interviews with key staff at Services Australia on 23 and 24 February 2022.

Reporting

5.12 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.

Appendix A: Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

[2] The Privacy Code sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2. For more information, see https://www.oaic.gov.au/privacy/privacy-for-government-agencies

[3] The TDIF sets out the requirements that applicants need to meet to achieve accreditation. An entity can either be accredited only, which demonstrates that its DI services are trusted, safe and secure to the standards of the Australian Government, or be accredited and participate in the Australian Government Digital Identity System. For further information on the Framework, refer to the Digital Identity website: https://www.digitalidentity.gov.au/tdif

[4] Further information about the Australian Privacy Principles can be found on the OAIC website https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines

[6] The OAIC understands that, pending the passage of Digital Identity legislation, the DIS will expand over time to include more government agencies as well as private sector entities. See www.digitalidentity.gov.au/system-partners, accessed 3 March 2022.

[8] For more information, see the Digital Identity exchange privacy policy (auth.identity.gov.au/static/policy)

[9] For more information on these roles, see www.digitalidentity.gov.au/tdif#accredited

[13] Following the fieldwork, the OAIC has become aware that Services Australia’s privacy policy now refers to its role as the Identity Exchange and links to a separate privacy policy and notice for the Identity Exchange.

[15] See requirement FRAUD-02-01-01 of the TDIF

[17] Immediately after the fieldwork for this assessment, on 22 March 2022, the OAIC provided a written summary to Services Australia by email of the preliminary findings and recommendations which recommended that Services Australia continue implementing recommendations from these security assessments.