The Australian Information Commissioner has powers to conduct privacy assessments of agencies and organisations (APP entities) covered by the Privacy Act 1988.

The Commissioner may also conduct assessments of ACT public sector agencies when exercising some of the functions of the ACT Information Privacy Commissioner under the Information Privacy Act 2014 (ACT), under an arrangement between the Australian and ACT governments.

A privacy assessment provides a professional, independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations.

Section 33C of the Privacy Act establishes that the Commissioner may conduct an assessment relating to the following:

  • the Australian Privacy Principles (s 33C(1)(a)(i))
  • a registered APP code (s 33C(1)(a)(ii))
  • credit information files and credit reports held by credit reporting agencies and credit providers (s 33C(1)(b))
  • tax file number recipients (s 33C(1)(c))
  • data matching programs (s 33C(1)(d))
  • claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme (s 33C(1)(e))
  • acts or practices of an entity or a state or territory authority in relation to COVID app data (s 33C, 94T(1)).

Section 28A(1)(c) of the Privacy Act gives the Commissioner the ability to examine the records of the Commissioner of Taxation in relation to tax file numbers and tax file number information.

The Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.

The privacy assessment process

We undertake privacy assessments where it will contribute to achieving our goal of promoting and ensuring the protection of personal information. We approach assessments as an educative process, and compliance with the Privacy Act is seen as part of good management practice.

An assessment is, by necessity, a snapshot of personal information handling practices relating to an APP entity at a certain time and in a particular location. APP entities are encouraged to consider findings broadly and not limit issues identified in the assessment to the program that was the subject of assessment.

There are four main stages commonly involved in a privacy assessment: targeting, planning, fieldwork and reporting. The process is substantially the same regardless of whether it is an assessment of Australian Privacy Principles, credit information or tax file numbers.

More detailed information about the privacy assessment process can be found in Chapter 7: Privacy assessments of the Guide to Privacy Regulatory Action.

The OAIC’s annual reports also provide information about the privacy assessment program.