Privacy Impact Assessment Register Assessment Program - Home Affairs Portfolio

Part 1: Executive summary

Privacy impact assessments

This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Australian Government agencies’ compliance with s 15.1 of the Privacy (Australian Government Agencies – Governance) Code 2017 (Code).

Since 1 July 2018, it has been mandatory under s 15.1 of the Code for Australian Government agencies to maintain a register of the privacy impact assessments (PIAs) they conduct. Agencies must publish the register, or a version of the register, on their websites.

A PIA is a systematic assessment that identifies the privacy impacts of a project and sets out recommendations for managing, minimising or eliminating those impacts. PIAs are an important component of the protection of privacy and should be part of agencies’ risk management and planning processes. PIAs can help ensure compliance, facilitate a privacy-by-design approach and identify better practice. PIAs demonstrate a commitment to accountable and transparent privacy practices and build public trust and confidence in an agency’s programs and policies.

The OAIC’s Privacy Officer Toolkit provides guidance to agencies in relation to the information that the PIA register should include. Agencies should include information about all completed PIAs on their registers. As a minimum, the PIA register should include the title of the agency’s PIA and as better practice may also include a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project. [1] The agency should also consider publishing a PIA, or a summary version or an edited copy of the PIA, on the agency’s register as permitted by the Code. [2]

Where no PIAs have been carried out agencies should nonetheless publish a PIA register as better practice, with a note indicating that no PIAs have been conducted. Agencies are also encouraged to include a currency date on their PIA register so the public is aware of when it was last updated.

Part 2: Findings

Home Affairs Portfolio

Agencies within the Home Affairs Portfolio were the first group of agencies assessed for compliance with s 15.1 of the Code. The Home Affairs Portfolio consists of 7 agencies, 5 of which are required to comply with the Privacy Act 1998 (Cth) (Privacy Act) and the Code. [3] These 5 agencies are listed in the following table, which sets out the findings of the assessment of the agencies within the Home Affairs Portfolio.

| Agency | Compliant with s 15.1 of the Code | Recommendation / suggestion | Action taken by agency |
|---|---|---|---|
| Department of Home Affairs | Yes | None | No action required [4] |
| Australian Federal Police | Yes | Suggestion: best practice suggestion that the agency add a date to advise when the PIA register was last updated | Agency has implemented the OAIC’s suggestion |
| Australian Institute of Criminology | Yes [5] | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Accepted |
| Australian Transaction Reports and Analysis Centre (AUSTRAC) | Yes | None | No action required |
| Office of the Special Investigator | Yes | Suggestion: best practice suggestion that the agency publish a PIA register even where no PIAs have been undertaken by the agency. This provides certainty to the community that the agency has a process to ensure PIAs will be listed. | Agency has noted the OAIC’s suggestion and has taken action to clearly indicate on its website that no PIAs have yet been conducted, and that information will be published about PIAs as they are completed. |

Part 3: Description of assessment

Objective and scope of the assessment

This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with a registered APP code that binds the entity.

The assessment scope was limited to compliance with s 15.1 of the Code.

Selection of assessment targets

The OAIC used the Public Governance, Performance and Accountability Act 2013 Flipchart, published by the Department of Finance, to identify portfolios and their agencies. The OAIC then reviewed agencies by portfolio to assess their compliance with s 15.1 of the Code.

The OAIC used a risk-based approach to determine the order in which to review portfolios, considering factors such as the volume of personal information held, sensitivity of information holdings, and previous complaint statistics for the agencies within each portfolio.

Assessment Methodology

The OAIC assessed compliance through a desktop review of agency websites.

The OAIC reviewed all agencies within each portfolio to assess compliance with s 15.1 of the Code.

If agencies were found to be not compliant with s 15.1 of the Code, the OAIC followed up with these agencies in writing:

  • providing 30 days for those agencies to publish their PIA register or provide reasons to the OAIC as to why the agency did not need to publish a PIA register
  • noting that the OAIC may take regulatory action where it is found that the agency was required to have a published PIA register.

After 30 days, the OAIC then conducted a further desktop review of websites of non-compliant agencies within the portfolio and reported on compliance at that date.

As well as compliance with s 15.1 of the Code, the OAIC also considered Code guidance, including the OAIC’s Privacy Officer Toolkit, to make best practice suggestions to agencies in relation to the contents of the PIA register.

Privacy Risks

Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to agencies about how to address those risks. Where the OAIC found low privacy risks, the OAIC made suggestions to agencies to take steps to better address compliance with requirements. Where relevant, these recommendations and suggestions are set out in a table in Part 2 of this report.

For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A to Chapter 7 of the OAIC’s Guide to privacy regulatory action, which provides further detail on this approach.

Footnotes

[1] For further guidance in relation to PIA registers see the OAIC’s Privacy Officer Toolkit.

[2] Section 13 (Publication of PIA) of the Code provides that an agency may publish a PIA conducted under section 12, or a summary version or an edited copy of the PIA, on the agency’s website.

[3] The acts and practices of the Australian Criminal Intelligence Commission (ACIC) and the Australian Security Intelligence Organisation (ASIO) are exempt under s 7 of the Privacy Act and these agencies were not assessed.

[4] During the OAIC’s recent assessment of Home Affairs – Managing personal information – Passenger Name Records, following assessment fieldwork and after engagement with the OAIC on the requirement for an agency to maintain and publish a PIA register, Home Affairs advised the OAIC that it published a version of its register of PIAs on its website in April 2021.

[5] At the time of undertaking fieldwork for this assessment, the agency had not published a PIA register on its website. The OAIC requested that the agency provide an explanation within 30 days as to why it did not have a PIA register published on its website. The agency did not provide the OAIC with a substantive response explaining why it did not have a register within the 30-day time frame. The agency subsequently provided the OAIC with reasons as to why it does not have a PIA register published on its website (because it has not conducted any PIAs), which the OAIC has accepted.