Protecting Information Rights – Advancing Information Policy


Audits

Powers to Conduct Audits

The Privacy Commissioner has powers under the Privacy Act 1988 to audit Australian and ACT government agencies and in some cases private sector organisations.

The audit is a key method for determining the extent of compliance with the Privacy Act, and the existence of the audit function and audit program encourages agencies and organisations subject to the Act to take compliance seriously.

The Commissioner's audit powers are set out in several sections of the Act:

  • auditing Australian and ACT government agency compliance with the Information Privacy Principles (IPPs) - section 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information - section 28(1)(d)
  • auditing TFN recipients - section 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers - section 28A(1)(g)
  • auditing, at the request of the organisation, a private sector organisation covered by the Privacy Act - section 27(3)

In addition, the Commissioner has the power under section 309 of the Telecommunications Act 1997 to monitor compliance with certain record-keeping requirements of telecommunications organisations.


Audit Reports

To help promote good privacy practices, the Privacy Commissioner has decided to publish the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002. Where an audit report contains classified content, the Office may not be able to publish the report.

Audits of Australian Government Agencies

Audits commenced in the 2008-09 financial year:

  • Australian Customs and Border Protection Service: Passenger Name Records (PNR data) No 2 – (HTML) (PDF)
  • Australian Customs and Border Protection Service: Passenger Name Records (PNR data) No 1 – (HTML) (PDF)

Audits commenced in the 2006-07 financial year:

  • Australian Customs Service: SmartGate Automated Border Processing - PDF

Audits commenced in the 2005-06 financial year:

  • Department of Foreign Affairs and Trade, Department of Immigration and Multicultural Affairs and Centrelink: Document Verification Service Prototype - PDF

Audits commenced in the 2004-05 financial year:

  • Department of Foreign Affairs and Trade & Australian Customs Service: ePassport & SmartGate Trials - PDF
  • Australian Customs Service: Passenger Analysis Unit (report withheld due to classified content)

Audits commenced in the 2003-04 financial year:

  • Australian Customs Service: Passenger Analysis Unit (report withheld due to classified content)

Audits commenced in the 2002-03 financial year:

Audits of ACT Government Agencies

Audits commenced in the 2008-09 financial year:

  • ACT Human Rights Commission - PDF
  • ACT Public Trustee - PDF

Audits commenced in the 2007-08 financial year:

  • ACT Planning and Land Authority - PDF

Audits commenced in the 2005-06 financial year:

  • ACT Office of the Community Advocate (now ACT Public Advocate): Client Records - PDF
  • ACT Corrective Services: Client and Staff Records - PDF

Audits commenced in the 2004-05 financial year:

  • ACT Department of Justice And Community Safety: Registrar General’s Office - PDF
  • ACT Department of Treasury: First Home Owners Grant (report withheld due to classified content)

Audits commenced in the 2003-04 financial year:

  • Canberra Institute of Technology: Staff and Student Records - PDF
  • ACT Department of Disability, Housing and Community Services: Client Records - PDF

Audits commenced in the 2002-03 financial year:

  • ACT Residential Tenancies Tribunal: Client and Employee Records - PDF


The audit process

Privacy audit teams make a point of stressing to agencies and organisations subject to audit that the audit is an educative process and compliance with the Privacy Act is seen as part of good management practice. The audit is, by necessity, a snapshot of personal information handling practices relating to an agency or organisation program at a certain time and in a particular location. Agencies and organisations are encouraged to consider audit findings broadly and not limit issues identified in audits to the program which is the subject of audit.

The audit process, which begins with the identification of the agency or organisation selected for audit and the proposed audit focus, is basically the same regardless of whether it is an Information Privacy Principles, credit information or tax file number audit.

The auditee is contacted approximately a month prior to the scheduled commencement of the audit, and formal notification of the audit is sent to the Chief Executive Officer or nominated officer. The notification contains a request for pre-audit documentation, such as the annual report, organisation chart, corporate plan, and details of privacy training undertaken.

The audit commences at the auditee premises with a brief opening conference attended by key people in the agency or organisation and the audit team. This conference is used to advise the auditee on the process, arrange housekeeping matters for the duration of the audit and respond to any issues or concerns the auditee may have. The next step is an assessment of the structure and controls implemented by management to ensure the auditee maintains its records of personal information (including credit and tax file number information) in accordance with the provisions of the Privacy Act. This is followed by an inspection of the areas within the agency or organisation where personal information is held and of the security measures in place to protect that information.

Any issues that are of concern to the auditors are brought to the attention of management immediately and are provided in summary form at the closing conference held prior to the auditors' departure from the auditee premises. This summary forms the basis for discussion with management on issues that are likely to be included in the audit report.

A draft report is then issued which outlines the auditors' findings and recommendations, provides the auditee with a medium for open discussion on the findings and enables preparation of a formal response to the recommendations. A response to the draft report is sought from the auditee. The auditee response, including acceptance or non-acceptance of the recommendations and any other commentary, forms the basis of the final audit report.

On occasion, matters of policy are raised during the audit process. This may delay completion of the final report, or the issue may be addressed outside the audit process in preference to delaying the finalisation of the audit.

The Privacy Commissioner's latest Annual Report provides information about the current audit program.

For more specific information on the audit process, please select one of the following links:

  • Information Privacy Principles Audit Process - PDF
  • Tax File Number Audit Process - PDF
  • Credit Information Audit Process - PDF


Audit Manuals

  • Information Privacy Principles Audit Manual Part 1 (March 1995) - PDF
  • Tax File Number Audit Manual Part 2 (March 1995) - PDF
  • Credit Information Audit Manual Part 3 (March 1995) - PDF
