Australian Government Agencies Privacy Code
The Australian Government Agencies Privacy Code (the Code) was registered on 27 October 2017 and commenced on 1 July 2018.
The Code applies to all Australian Government agencies subject to the Privacy Act 1988 (except for Ministers). It is a binding legislative instrument under the Act.
The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.
The Code enhances existing privacy capability within agencies, builds greater transparency in information handling practices, and fosters a culture of respect for privacy and the value of personal information. The Code therefore symbolises the commitment of Australian Government agencies to the protection of privacy, and helps build public trust and confidence in personal information handling practices and new uses of data proposed by agencies.
The Australian Information and Privacy Commissioner and the Secretary of the Department of Prime Minister and Cabinet jointly announced the Code on 18 May 2017.
What does the Code require?
The Code requires agencies to:
- have a privacy management plan
- appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
- appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information, and ensure that the Privacy Champion functions are undertaken
- undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
- keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
- take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information
Agencies will still need to take other steps under APP 1.2 to ensure compliance with all the APPs.
The Code is flexible and scalable, taking into account an agency’s size, and the sensitivity and amount of personal information it handles.
Privacy Officer and Privacy Champion
The Privacy Officer is the first point of contact for privacy matters within an agency, and is responsible for ensuring day-to-day operational privacy activities are undertaken. A Privacy Champion is a senior official within an agency who is responsible for leadership activities and engagement that require broader strategic oversight.
Agencies will need to ensure that particular Privacy Officer and Privacy Champion functions are undertaken. While these functions are referred to as ‘Privacy Officer’ or ‘Privacy Champion’ functions, they may also be carried out by another person or team within the agency as appropriate.
Join our Privacy Professionals Network for updates on Privacy Code resources and events.