Part 1: Executive summary
Privacy impact assessments
This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Australian Government agencies’ compliance with s 15.1 of the Privacy (Australian Government Agencies – Governance) Code 2017 (Code). Since 1 July 2018, it has been mandatory under s 15.1 of the Code for Australian Government agencies to maintain a register of the privacy impact assessments (PIAs) they conduct. Agencies must publish the register, or a version of the register on their websites. A PIA is a systematic assessment that identifies privacy impacts of a project and sets out recommendations for managing, minimising or eliminating that impact. PIAs are an important component for the protection of privacy and should be part of agencies’ risk management and planning processes. PIAs can help ensure compliance, facilitate a privacy-by-design approach and identify better practice. PIAs demonstrate a commitment to accountable and transparent privacy practices and build public trust and confidence in an agency’s programs and policies.
The OAIC’s Privacy Officer Toolkit provides guidance to agencies in relation to the information that the PIA register should include. Agencies should include information about all completed PIAs on their registers. As a minimum, the PIA register should include the title of the agency’s PIA and as better practice may also include a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project.[1] The agency should also consider publishing a PIA, or a summary version or an edited copy of the PIA, on the agency’s register as permitted by the Code.[2] Where no PIAs have been carried out agencies should nonetheless publish a PIA register as better practice, with a note indicating that no PIAs have been conducted. Agencies are also encouraged to include a currency date on their PIA register so the public is aware of when it was last updated.
Part 2: Findings
Home Affairs Portfolio
Agencies within the Home Affairs Portfolio were the first group of agencies assessed for compliance with s 15.1 of the Code. The Home Affairs Portfolio consists of 7 agencies, 5 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[3] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Home Affairs Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Home Affairs | Yes | None | No action required[4] |
Australian Federal Police | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Australian Institute of Criminology | Yes[5] | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIA’s have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Accepted |
Australian Transaction Reports Analysis Centre (AUSTRAC) | Yes | None | No action required |
Office of the Special Investigator | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIA’s have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed. |
Social Services Portfolio
During July 2021, the OAIC assessed agencies within the Social Services Portfolio for compliance with s 15.1 of the Code. The Social Services Portfolio consists of 6 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) and the Code. These 6 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Social Services Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Social Services | Yes | None | No action required |
Australian Institute of Family Studies (AIFS) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
NDIS Quality and Safeguards Commission | Yes | None | No action required[6] |
Services Australia | Yes | None | No action required |
Australian Hearing Services (Hearing Australia) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
National Disability Insurance Scheme Launch Transition Agency (National Disability Insurance Agency) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Foreign Affairs and Trade Portfolio
During August 2021, the OAIC assessed agencies within the Foreign Affairs and Trade Portfolio for compliance with s 15.1 of the Code. The Foreign Affairs and Trade Portfolio consists of 6 agencies, 5 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[7] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Foreign Affairs and Trade Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Foreign Affairs and Trade | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Australian Centre for International Agriculture Research (ACIAR) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Australian Trade and Investment Commission (Austrade) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Export Finance and Insurance Corporation (EFIC, Export Finance Australia) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Tourism Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Health Portfolio
During November 2021, the OAIC assessed agencies within the Health Portfolio for compliance with s 15.1 of the Code. The Health Portfolio consists of 20 agencies, 19 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[8] These 19 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Health Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Health | Yes | None | No action required. |
Aged Care Quality and Safety Commission | Yes | None | No action required. |
Australian Radiation Protection and Nuclear Safety Agency | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
Cancer Australia | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
National Blood Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Health and Medical Research Council | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Health Funding Body | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
National Mental Health Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Organ and Tissue Authority | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated. | Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed. |
Professional Services Review Scheme | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Sport Integrity Australia | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated. | Agency clearly indicates on its website, through publishing a blank PIA register, that no PIAs have yet been conducted. The agency also states that information will be published about PIAs as they are completed. |
Australian Commission on Safety and Quality in Health Care | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Digital Health Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Institute of Health and Welfare | Yes | None | No action required. |
Australian Sports Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Food Standards Australia New Zealand | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Independent Hospital Pricing Authority | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Office of the Gene Technology Regulator | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted. |
Australian Industrial Chemicals Introduction Scheme | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Treasury Portfolio
The OAIC assessed agencies within the Treasury Portfolio for compliance with s 15.1 of the Code. The Treasury Portfolio consists of 18 agencies, 17 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code[9]. These 17 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Treasury Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Treasury | Yes | Suggestion: best practice suggestions:
| Agency has implemented the OAIC’s suggestions. |
Australian Bureau of Statistics | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Competition and Consumer Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Office of Financial Management | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, adding a date when the PIA register was last updated, even where no PIAs have been undertaken by the agency. | Agency has implemented the OAIC’s suggestion. |
Australian Prudential Regulation Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has noted the OAIC’s suggestion. The agency website states the requirement to maintain and publish a register of the PIAs undertaken. |
Australian Securities and Investments Commission | Yes | None. | No action required. |
Australian Taxation Office | Yes | None. | No action required. |
Commonwealth Grants Commission | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Inspector-General of Taxation | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
National Competition Council | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Make the register available in the results of the website search function, to enable access for the public. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed. |
Office of the Auditing and Assurance Standards Board | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated. | At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency has also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register. |
Office of the Australian Accounting Standards Board | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even where no PIAs have been undertaken by the agency. Add a date to advise when the PIA register was last updated. | At the time of the assessment, the agency had clearly indicated on its website, through publishing a blank PIA register, that no PIAs had been conducted. Agency has also stated on its website that information would be published about PIAs as they were completed. Agency has subsequently published a PIA on its register. |
Productivity Commission | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
Royal Australian Mint | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Reinsurance Pool Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Housing Finance and Investment Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has noted the OAIC’s suggestion. Agency’s website states the requirement to maintain and publish a register of the PIAs undertaken. |
Reserve Bank of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Education, Skills and Employment Portfolio
The OAIC assessed agencies within the Education, Skills and Employment Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 7 agencies, 6 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code[10]. These 6 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Education, Skills and Employment Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Education, Skills and Employment | Yes | Suggestion: best practice suggestion the agency add a date to advise when the PIA register was last updated. | Action: Agency has implemented the OAIC’s suggestion |
Australian Research Council | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Action: Agency has implemented the OAIC’s suggestion |
Tertiary Education Quality and Standards Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Action: Agency has implemented the OAIC’s suggestion |
Australian Curriculum, Assessment and Reporting Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Action: No action taken by agency |
Australian National University | Yes | None | No action required |
Australian Skills Quality Authority (National Vocational Education and Training Regulator) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Action: Agency has implemented the OAIC’s suggestion |
Defence Portfolio
The OAIC assessed agencies within the Defence Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 14 agencies, 10 of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[11] The following table sets out the findings of the assessment of the agencies within the Defence portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Defence | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Army and Air Force Canteen Service (Frontline Defence Services) | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed | Agency has implemented the OAIC’s suggestion |
Australian Military Forces Relief Trust Fund | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed | No action taken by agency |
Defence Housing Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Royal Australian Air Force Veterans' Residences Trust Fund | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed | Agency has implemented the OAIC’s suggestion |
Royal Australian Air Force Welfare Trust Fund | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed | Agency has accepted the OAIC’s suggestion, but has not actioned |
Royal Australian Navy Central Canteens Board (Royal Australian Navy Central Canteens Fund) | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code | Agency has implemented the OAIC’s recommendation |
Royal Australian Navy Relief Trust Fund | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides a certainty to the community that the agency has a process to ensures PIAs will be listed | No action taken by agency |
Department of Veterans’ Affairs | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Australian War Memorial | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Industry, Science and Resources Portfolio
The OAIC assessed agencies within the Industry, Science and Resources Portfolio for compliance with s 15.1 of the Code. The portfolio consists of 6 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) and the Code. The following table sets out the findings of the assessment of the agencies within the Industry, Science and Resources portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Industry, Science and Resources | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Geoscience Australia | Yes | None | No action required |
IP Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Australian Nuclear Science and Technology Organisation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Commonwealth Scientific and Industrial Research Organisation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
National Offshore Petroleum Safety and Environmental Management Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
Finance Portfolio
The OAIC assessed agencies within the Finance Portfolio for compliance with s 15.1 of the Code. The Finance Portfolio consists of 8 agencies, 6 agencies of which are required to comply with the Privacy Act 1998 (Cth) and the Code.[12] The following table sets out the findings of the assessment of the agencies within the Finance Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation/suggestion | Action taken by agency |
|---|---|---|---|
Department of Finance | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Electoral Commission | Yes | None | No action required. |
Digital Transformation Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Future Fund Management Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Independent Parliament Expenses Authority | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s suggestion. |
Commonwealth Superannuation Corporation (CSC) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public. | Agency has implemented the OAIC’s suggestion to add a last updated date. Agency has implemented the OAIC’s suggestion to make the register accessible through the website search function. |
Agriculture, Fisheries and Forestry Portfolio
The OAIC assessed agencies within the Agriculture, Fisheries and Forestry Portfolio for compliance with s 15.1 of the Code. The Agriculture, Fisheries and Forestry Portfolio consists of 9 agencies, all of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Agriculture, Fisheries and Forestry Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
Department of Agriculture, Fisheries and Forestry | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Fisheries Management Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public. | Agency has implemented the OAIC’s suggestions. |
Australian Pesticides and Veterinary Medicines Authority | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice annually. Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public. | Agency has implemented the OAIC’s suggestions. |
Cotton Research and Development Corporation | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestions. |
Fisheries Research and Development Corporation | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Grains Research and Development Corporation | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Best practice suggestion that the agency make the register available in the results of the website search function, to enable access for the public. | Agency has implemented the OAIC’s suggestions. |
Regional Investment Corporation | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
Rural Industries Research and Development Corporation (trading as Agrifutures Australia) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Wine Australia | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Prime Minister and Cabinet Portfolio
The OAIC assessed agencies within the Prime Minister and Cabinet Portfolio for compliance with s 15.1 of the Code. The Prime Minister and Cabinet Portfolio consists of 20 agencies, 11 agencies of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Prime Minister and Cabinet Portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
Department of Prime Minister and Cabinet | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Public Service Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Indigenous Australians Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Office of the Official Secretary to the Governor-General | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Workplace Gender Equality Agency | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Institute of Aboriginal and Torres Strait Islander Studies | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Indigenous Business Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Indigenous Land and Sea Corporation | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Northern Territory Aboriginal Investment Corporation | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Best practice suggestion that the agency make the register available in the results of the website search function to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
Torres Straight Regional Authority | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
Wreck Bay Aboriginal Community Council | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestion. Agency has implemented the OAIC suggestion. |
Attorney-General’s Portfolio
The OAIC assessed agencies within the Attorney-General’s Portfolio for compliance with s 15.1 of the Code. The Attorney-General’s Portfolio consists of 17 agencies, 14 of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The OAIC previously assessed the Australian Federal Police, Australian Institute of Criminology, Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Office of the Special Investigator when they were in the Home Affairs Portfolio, so we have not re-assessed these agencies.
We have not conducted an assessment of the OAIC as part of the PIA register assessment program. Instead, we have undertaken an administrative review of the OAIC’s compliance with PIA requirements of the Code, applying the same criteria.
Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
Attorney-General’s Department | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even when no PIAs have been undertaken by the agency. | Agency has implemented the OAIC’s suggestion. |
Administrative Appeals Tribunal | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Financial Security Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Law Reform Commission | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
Federal Court of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Office of the Commonwealth Ombudsman | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Office of the Director of Public Prosecutions (CDPP) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Office of Parliamentary Counsel | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Human Rights Commission | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Infrastructure, Transport, Regional Development, Communications and the Arts Portfolio
The OAIC assessed agencies within the Infrastructure, Transport, Regional Development and the Arts Portfolio for compliance with s 15.1 of the Code. The Infrastructure, Transport, Regional Development and the Arts Portfolio consists of 31 agencies, 25 of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. The following table sets out the findings of the assessment of the agencies within the Infrastructure, Transport, Regional Development, Communications and the Arts portfolio.
Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
Dept of Infrastructure, Transport, Regional Development, Communications and the Arts | Yes | Suggestion: best practice suggestion that the agency update the PIA register twice a year, even when no PIAs have been undertaken by the agency. | Agency has implemented the OAIC’s suggestion. |
Australian Communications and Media Authority (ACMA) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Transport Safety Bureau (ATSB) | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Archives of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Capital Authority | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
High Speed Rail Agency | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code.[4] | Agency has implemented the OAIC’s recommendation. |
Air Services Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australia Council for the Arts | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian Broadcasting Corporation | Yes | None | No action required. |
Australian Film, Television and Radio School | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
Australian Maritime Safety Authority | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Australian National Maritime Museum | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | No action taken by agency. |
Australian Postal Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Civil Aviation Safety Authority | Yes | None | No action required. |
Infrastructure Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
National Film and Sound Archive of Australia | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
National Gallery of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
National Library of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Museum of Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
National Portrait Gallery of Australia | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has implemented the OAIC’s suggestion. |
National Transport Commission | Yes | Recommendation: agency publish a PIA register on their website as required by section 15.1 of the Code. | Agency has implemented the OAIC’s recommendation. |
Screen Australia | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Special Broadcasting Service Corporation | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. | Agency has implemented the OAIC’s suggestion. |
Northern Australia Infrastructure Facility | Yes | None | No action required. |
Old Parliament House | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated. Best practice suggestion that the agency make the register available in the results of the website search function, to enable better access for the public. | Agency has implemented the OAIC’s suggestions. |
Objective and scope of the assessment
This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.The assessment scope was limited to compliance with s 15.1 of the Code.
Selection of assessment targets
The OAIC used the Public Governance, Performance and Accountability Act 2022, published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.
Assessment methodology
The OAIC assessed compliance through a desktop review of agency websites.The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.If agencies were found to be not compliant with s 15.1 the Code, the OAIC followed up with these agencies in writing:
- providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
- noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.
After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.
Privacy risks
Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.
Part 3: Description of assessment
Objective and scope of the assessment
This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.
The assessment scope was limited to compliance with s 15.1 of the Code.
Selection of assessment targets
The OAIC used the Public Governance, Performance and Accountability Act 2013 Flipchart, published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.
The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.
Assessment methodology
The OAIC assessed compliance through a desktop review of agency websites.
The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.
If agencies were found to be not compliant with s 15.1 the Code, the OAIC followed up with these agencies in writing:
- providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
- noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.
After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.
As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.
Privacy risks
Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.
For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.
Footnotes
[1] For further guidance in relation to PIA registers see the OAIC’s Privacy Officer Toolkit.
[2] Section 13 (Publication of PIA) of the Code provides that an agency may publish a PIA conducted under section 12, or a summary version or an edited copy of the PIA, on the agency’s website.
[3] The acts and practices of the Australian Criminal Intelligence Commission (ACIC) and the Australian Security Intelligence Organisation (ASIO) are exempt under s 7 of the Privacy Act and these agencies were not assessed.
[4] During the OAIC’s recent assessment of Home Affairs – Managing personal information - Passenger Names Records, following assessment fieldwork and after engagement with the OAIC on the requirement for an agency to maintain and publish a PIA register, Home Affairs advised the OAIC that it published a version of its register of PIAs on its website in April 2021.
[5] At the time of undertaking fieldwork for this assessment, the agency had not published a PIA register on their website. The OAIC requested the agency provide an explanation within 30 days as to why the agency did not have a PIA register published on its website. The agency did not provide the OAIC with a substantive response explaining why they do not have a register within the 30-day time frame. The agency subsequently provided the OAIC with reasons as to why they do not have a PIA register published on their website, (because they have not conducted any PIAs), which the OAIC has accepted.
[6] At the time the OAIC conducted the initial desktop review, the NDIS Quality and Safeguards Commission did not have a PIA register published on its website in July 2021. After consultation in July 2021, the agency advised that it had undertaken a PIA in March 2021 and the agency also identified a PIA completed jointly with another agency in July 2019. The agency subsequently published a PIA register in early August 2021 and were found to be compliant during the subsequent desktop review.
[7] The acts and practices of the Australian Secret Intelligence Service are exempt under s 7 of the Privacy Act and this agency was not assessed.
[8] Australian National Preventative Health Agency ceased operations on 30 June 2014. Its key functions have transferred to the Department of Health.
[9] The Financial Adviser Standards and Ethics Authority Ltd Does not fit the definition of an 'agency' under s 6 of the Privacy Act.
[10] Australian Institute for Teaching and School Leadership Limited does not fit the definition of an 'agency' under s 6 of the Privacy Act.
[11] AAF Company (Trustee of Army Amenities Fund and Messes Trust Fund), Australian Strategic Policy Institute Ltd and RAAF Welfare Recreational Company are excluded under s 6 of the Privacy Act; Australian Signals Directorate is excluded under s 7 of the Privacy Act.
[12] ASC Pty Ltd and Australian Naval Infrastructure Pty Ltd are excluded under s 6 of the Privacy Act.
