Privacy for government
Personal information is essential to the work of Australian government agencies.
Agencies must uphold a consistent, high standard of personal information handling practices to meet community expectations and build community trust.
This Privacy Awareness Week, the OAIC is urging Australian government agencies, together with businesses, to ‘power up’ on privacy.
Transparency
Clarity matters
The best privacy practice starts with transparency. If your agency is collecting personal information from people, it must be open and transparent about how it will handle it.
Transparency needs to apply both within your agency – so staff know the parameters and requirements they work within – and in the community. It means clear privacy policies and notices, and clarity on how the agency is managing privacy risks.
The Australian Government Agencies Privacy Code requirements for privacy management plans and privacy impact assessments reflect the need for good privacy practices to be built in at the ground level.
Know what’s in the box
Be clear on what data your agency has, where it’s stored, why it was collected, and how you are protecting it. Also, examine arrangements with service providers. Do they measure up on privacy?
Some practical steps are to:
- Do the housekeeping: Is your agency holding information it doesn’t need? Map the information lifecycle and ensure appropriate review, retention and destruction schedules. Don’t overlook information held by third-party providers.
- Seek informed consent: Make sure your privacy information is clear, accessible, and accurate when seeking consent.
- Apply privacy by design: Embed good privacy practices into the design specifications of products and services from the beginning. Undertake privacy impact assessments; they will help you adopt a privacy by design approach.
Accountability
Show your privacy leadership – in good times and bad
Privacy is a human right and it’s one Australians value highly. It is also an essential part of creating public trust and confidence in government. People expect government to respect and protect their privacy.
To help ensure high standards in managing personal information, all Australian Government agencies are required to adhere to the Australian Government Agencies Privacy Code, as well as the Australian Privacy Principles.
The Code reflects the commitment of Australian Government agencies to the protection of privacy, and helps build public trust and confidence in personal information handling practices. It enhances existing privacy capability within agencies, builds greater transparency in information handling practices, and fosters a culture of respect for privacy and the value of personal information.
By striving for and applying best practice in privacy governance, agencies not only meet community expectations but can also provide leadership more broadly, critically including through the requirements they set when using third-party providers.
Be thoughtful in data collection practices
Government agencies collect and generate a significant amount of information, which serves important public purposes. But be mindful of not collecting unnecessary information. Consider de-identification where appropriate.
Some practical steps are to:
- Apply high standards: Government agencies should manage personal information to a consistently high standard; make great privacy practices a strength.
- Act fast – don’t delay: Ensure prompt notification of data breaches by having effective systems for detecting, assessing, responding to and notifying breaches.
- Embed a strong privacy culture: Make privacy a leadership priority and foster a strong privacy culture at all levels.
Security
Protect personal data
Power up the security of personal information in your agency by using the right tools and guarding against known and emerging threats.
Having the right processes in place will help you keep the community’s personal information safe.
That means strong data governance, and reviewing and strengthening access security and ICT security measures, including measures to detect and respond to threats, particularly emerging threats.
Ensure you have processes to detect and respond to cyber threats in a timely manner – and to report cybercrimes, cyber security incidents or vulnerabilities. The Australian Signals Directorate’s Australian Cyber Security Centre can provide technical assistance.
For government agencies, data breaches are more likely to be caused by human error than malicious or criminal attacks. Shore up human risks with regular, clear and accessible staff training.
Power up your agency’s privacy settings with the help of the resources on our website – see the list below.
Power up your people
Most data breaches in government agencies are due to human error. Three key things you can do are:
- promote staff awareness about secure information handling practices
- look for technology solutions that help staff (such as email filtering)
- design systems and processes that anticipate and minimise the risk of human error.
Some practical steps are to:
- Guard against impersonation: Have strong identity management and authentication steps. Foster a privacy-aware culture to help staff identify instances of fraud, and keep access secure.
- Use the right tools: Have up-to-date privacy management and data breach response plans, and make use of our guidance and tools. Utilise cyber security mitigation strategies.
- Lock the doors: Most data breaches within government agencies result from human error, so mitigate this risk through strong processes, technology and training. Be vigilant about the practices of third-party providers, and consider risks posed by outdated technology and platforms.
Test your knowledge
Test how ‘powered up’ your privacy settings and knowledge are with our quick quiz, and claim your reward.
Did you know?
Australian Government agencies have additional responsibilities under the Australian Government Agencies Privacy Code.
The code requires agencies to take a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.
Become a PAW supporter
Becoming a PAW supporter gives your agency access to our supporter toolkit to help increase privacy awareness among your staff, community and stakeholders. It shows your commitment to good privacy practice and advancing the privacy rights of individuals.
Additional resources for government
Want to know more about best practice in privacy, and responding to data breaches?
There is a range of information and resources available from us (the Office of the Australian Information Commissioner) at the links below. We have also included links to a range of other very useful resources.
- Use the Privacy Code checklist: Our checklist can help your agency meet its obligations under the Australian Government Agencies Privacy Code and improve privacy practices.
- Privacy impact assessments: A privacy impact assessment (PIA) is a systematic assessment of a project that identifies potential privacy impacts and recommendations to manage, minimise or eliminate them. Australian Government agencies are required to undertake a PIA for all high privacy risk projects.
- Interactive Privacy Management Plan: Use our Interactive Privacy Management Plan to assess current privacy practices and set privacy goals and targets.
- Privacy management framework: Our privacy management framework provides guidance on implementing practices, procedures and systems that ensure compliance with the Australian Privacy Principles.
- Toolkit for Privacy Officers: Our toolkit helps privacy officers navigate privacy requirements, promote best practice and make the best use of data within a framework that safeguards personal information.
- Responding to a data breach: Access our resources for organisations and agencies to help prevent and manage data breaches.
- Privacy breaches involving cyber incidents: The Australian Signals Directorate’s Australian Cyber Security Centre’s (ASD’s ACSC) incident management capabilities provide technical incident response advice and assistance to Australian organisations that have been, or may be, impacted by a cyber security incident.
- Report a cybercrime, incident or vulnerability: You can report a cybercrime, incident or vulnerability to the Australian Signals Directorate’s Australian Cyber Security Centre.
- State and territory privacy legislation: The Privacy Act is a federal law. Most Australian states and territories have equivalent legislation which covers their public sector agencies. Find out more about state regulators.
- Uplifting privacy protections: Read more about the work to progress the Australian Government’s response to the Privacy Act Review Report.