This audit would assess the effectiveness of the Australian Tax Office’s (ATO’s) and Services Australia’s management of the privacy of clients’ personal information and the Office of the Australian Information Commissioner’s (OAIC’s) management of privacy complaints and investigations.

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals. It regulates how Australian Government agencies handle personal information and includes 13 Australian Privacy Principles that cover the processing of personal information. The Privacy Act is supported by the Privacy Regulation 2013.

The Attorney-General’s Department has overall policy responsibility for privacy and the OAIC has responsibility for administering privacy laws, providing guidance and assistance to entities and monitoring entities’ compliance with the Privacy Act. In December 2022, the Privacy Act was amended to increase maximum penalties and enhance OAIC’s enforcement powers.

Services Australia and the ATO hold and manage client (customer and taxpayer) information in the course of their delivery of services and payments and oversight of the tax and superannuation systems. Services Australia and the ATO share data for the purposes of comparing income data. Risks to the integrity and privacy of client information include data breaches arising from human error, system faults or malicious and criminal attack. Of all notifiable data breaches in agencies covered by the Privacy Act in January to June 2022, 37 per cent resulted from human error and system faults and 63 per cent from malicious and criminal attack; 41 per cent of all data breaches resulted from cyber security incidents.

Work program portfolios

This potential Performance audit is featured in 4 annual audit work program portfolios: