This audit would assess the effectiveness of the Australian Tax Office’s (ATO’s) and Services Australia’s management of the privacy of clients’ personal information, and the Office of the Australian Information Commissioner’s (OAIC’s) management of privacy complaints and investigations.

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals. It regulates how Australian Government agencies handle personal information, and includes 13 Australian Privacy Principles (APPs) that cover the processing of personal information. The Privacy Act is supported by the Privacy Regulation 2013.

The Attorney-General’s Department (AGD) has overall policy responsibility for privacy and has been conducting a review of the Privacy Act since December 2019. The OAIC’s responsibilities include administering privacy laws, providing guidance and assistance to entities (including special measures in response to the COVID-19 pandemic) and monitoring entities’ compliance with the Privacy Act. The National Data Commissioner within the Department of the Prime Minister and Cabinet is responsible for fostering best practice public sector data handling and sharing.

Services Australia and the ATO hold and manage client (customer and taxpayer) information in the course of delivering services and payments and overseeing the tax and superannuation systems, and share information for the purpose of comparing income data. Risks to the integrity and privacy of client information comprise data breaches caused by human error or system faults (45 per cent of all notifiable data breaches in agencies covered by the Privacy Act in July–December 2021) and by malicious or criminal cyber attacks (55 per cent).

Work program portfolios

This potential performance audit is featured in 4 annual audit work program portfolios: