Privacy Impact Assessment Register Assessment Program

6 June 2022

Part 1: Executive summary

Privacy impact assessments

This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Australian Government agencies’ compliance with s 15.1 of the Privacy (Australian Government Agencies – Governance) Code 2017 (Code).

Since 1 July 2018, it has been mandatory under s 15.1 of the Code for Australian Government agencies to maintain a register of the privacy impact assessments (PIAs) they conduct. Agencies must publish the register, or a version of the register, on their websites.

A PIA is a systematic assessment that identifies the privacy impacts of a project and sets out recommendations for managing, minimising or eliminating those impacts. PIAs are an important component of the protection of privacy and should be part of agencies’ risk management and planning processes. PIAs can help ensure compliance, facilitate a privacy-by-design approach and identify better practice. PIAs demonstrate a commitment to accountable and transparent privacy practices and build public trust and confidence in an agency’s programs and policies.

The OAIC’s Privacy Officer Toolkit provides guidance to agencies in relation to the information that the PIA register should include. Agencies should include information about all completed PIAs on their registers. As a minimum, the PIA register should include the title of the agency’s PIA and as better practice may also include a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project.[1] The agency should also consider publishing a PIA, or a summary version or an edited copy of the PIA, on the agency’s register as permitted by the Code.[2]

Where no PIAs have been carried out agencies should nonetheless publish a PIA register as better practice, with a note indicating that no PIAs have been conducted. Agencies are also encouraged to include a currency date on their PIA register so the public is aware of when it was last updated.

Part 2: Findings

Home Affairs Portfolio

Agencies within the Home Affairs Portfolio were the first group of agencies assessed for compliance with s 15.1 of the Code. The Home Affairs Portfolio consists of 7 agencies, 5 of which are required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Code.[3] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Home Affairs Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Home Affairs | Yes | None | No action required[4] |
| Australian Federal Police | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Australian Institute of Criminology | Yes[5] | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Accepted |
| Australian Transaction Reports Analysis Centre (AUSTRAC) | Yes | None | No action required |
| Office of the Special Investigator | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed. |

Social Services Portfolio

During July 2021, the OAIC assessed agencies within the Social Services Portfolio for compliance with s 15.1 of the Code. The Social Services Portfolio consists of 6 agencies, all of which are required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Code. These 6 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Social Services Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Social Services | Yes | None | No action required |
| Australian Institute of Family Studies (AIFS) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| NDIS Quality and Safeguards Commission | Yes | None | No action required[6] |
| Services Australia | Yes | None | No action required |
| Australian Hearing Services (Hearing Australia) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| National Disability Insurance Scheme Launch Transition Agency (National Disability Insurance Agency) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |

Foreign Affairs and Trade Portfolio

During August 2021, the OAIC assessed agencies within the Foreign Affairs and Trade Portfolio for compliance with s 15.1 of the Code. The Foreign Affairs and Trade Portfolio consists of 6 agencies, 5 of which are required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Code.[7] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Foreign Affairs and Trade Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Foreign Affairs and Trade | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Australian Centre for International Agriculture Research (ACIAR) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Australian Trade and Investment Commission (Austrade) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Export Finance and Insurance Corporation (EFIC, Export Finance Australia) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Tourism Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |

Health Portfolio

During November 2021, the OAIC assessed agencies within the Health Portfolio for compliance with s 15.1 of the Code. The Health Portfolio consists of 20 agencies, 19 of which are required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Code.[8] These 19 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Health Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Health | Yes | None | No action required. |
| Aged Care Quality and Safety Commission | Yes | None | No action required. |
| Australian Radiation Protection and Nuclear Safety Agency | Yes | Recommendation: that the agency publish a PIA register on its website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
| Cancer Australia | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
| National Blood Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| National Health and Medical Research Council | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| National Health Funding Body | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
| National Mental Health Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Organ and Tissue Authority | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency, and add a date to advise when the PIA register was last updated. | Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed. |
| Professional Services Review Scheme | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Sport Integrity Australia | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency, and add a date to advise when the PIA register was last updated. | Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed. |
| Australian Commission on Safety and Quality in Health Care | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Australian Digital Health Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Australian Institute of Health and Welfare | Yes | None | No action required. |
| Australian Sports Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Food Standards Australia New Zealand | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency, and add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Independent Hospital Pricing Authority | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
| Office of the Gene Technology Regulator | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted. |
| Australian Industrial Chemicals Introduction Scheme | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |

Treasury Portfolio

The OAIC assessed agencies within the Treasury Portfolio for compliance with s 15.1 of the Code. The Treasury Portfolio consists of 18 agencies, 17 of which are required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Code.[9] These 17 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Treasury Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Treasury | Yes | Suggestion: best practice suggestions that (1) the agency add a date to advise when the PIA register was last updated, and (2) the title of the register, which states ‘Privacy Impact Assessments undertaken 2019 onwards’, be amended to reflect that the obligation to maintain a PIA register commenced on 1 July 2018. | Agency has implemented the OAIC’s suggestions. |
| Australian Bureau of Statistics | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Australian Competition and Consumer Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Australian Office of Financial Management | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, adding a date when the PIA register was last updated, even where no PIAs have been undertaken by the agency. | Agency has implemented the OAIC’s suggestion. |
| Australian Prudential Regulation Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has noted the OAIC’s suggestion. The agency website states the requirement to maintain and publish a register of the PIAs undertaken. |
| Australian Securities and Investments Commission | Yes | None. | No action required. |
| Australian Taxation Office | Yes | None. | No action required. |
| Commonwealth Grants Commission | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
| Inspector-General of Taxation | Yes | Recommendation: that the agency publish a PIA register on its website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
| National Competition Council | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. The agency should also make the register available in the results of the website search function, to enable access for the public. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed. |
| Office of the Auditing and Assurance Standards Board | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency, and add a date to advise when the PIA register was last updated. | At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency had also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register. |
| Office of the Australian Accounting Standards Board | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency, and add a date to advise when the PIA register was last updated. | At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency had also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register. |
| Productivity Commission | Yes | Recommendation: that the agency publish a PIA register on its website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
| Royal Australian Mint | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| Australian Reinsurance Pool Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
| National Housing Finance and Investment Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has noted the OAIC’s suggestion. Agency’s website states the requirement to maintain and publish a register of the PIAs undertaken. |
| Reserve Bank of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |

Part 3: Description of assessment

Objective and scope of the assessment

This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.

The assessment scope was limited to compliance with s 15.1 of the Code.

Selection of assessment targets

The OAIC used the Public Governance, Performance and Accountability Act 2013 Flipchart, published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.

The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.

Assessment Methodology

The OAIC assessed compliance through a desktop review of agency websites.

The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.

If agencies were found to be not compliant with s 15.1 of the Code, the OAIC followed up with these agencies in writing:

  • providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
  • noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.

After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.

As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.

Privacy Risks

Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.

For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.

Footnotes

[1] For further guidance in relation to PIA registers see the OAIC’s Privacy Officer Toolkit.

[2] Section 13 (Publication of PIA) of the Code provides that an agency may publish a PIA conducted under section 12, or a summary version or an edited copy of the PIA, on the agency’s website.

[3] The acts and practices of the Australian Criminal Intelligence Commission (ACIC) and the Australian Security Intelligence Organisation (ASIO) are exempt under s 7 of the Privacy Act and these agencies were not assessed.

[4] During the OAIC’s recent assessment of Home Affairs – Managing personal information - Passenger Names Records, following assessment fieldwork and after engagement with the OAIC on the requirement for an agency to maintain and publish a PIA register, Home Affairs advised the OAIC that it published a version of its register of PIAs on its website in April 2021.

[5] At the time of undertaking fieldwork for this assessment, the agency had not published a PIA register on its website. The OAIC requested the agency provide an explanation within 30 days as to why the agency did not have a PIA register published on its website. The agency did not provide the OAIC with a substantive response explaining why it does not have a register within the 30-day time frame. The agency subsequently provided the OAIC with reasons as to why it does not have a PIA register published on its website (because it has not conducted any PIAs), which the OAIC has accepted.

[6] At the time the OAIC conducted the initial desktop review in July 2021, the NDIS Quality and Safeguards Commission did not have a PIA register published on its website. After consultation in July 2021, the agency advised that it had undertaken a PIA in March 2021, and the agency also identified a PIA completed jointly with another agency in July 2019. The agency subsequently published a PIA register in early August 2021 and was found to be compliant during the subsequent desktop review.

[7] The acts and practices of the Australian Secret Intelligence Service are exempt under s 7 of the Privacy Act and this agency was not assessed.

[8] Australian National Preventative Health Agency ceased operations on 30 June 2014. Its key functions have transferred to the Department of Health.

[9] The Financial Adviser Standards and Ethics Authority Ltd does not fit the definition of an ‘agency’ under s 6 of the Privacy Act.