Audit Information
Powers to Conduct Audits
The Privacy Commissioner has powers under the Privacy
Act 1988 to audit Australian and ACT government agencies and in
some cases private sector organisations.
The audit is a key method for determining the extent of compliance with the
Privacy Act, and the existence of the audit function and program encourages
agencies and organisations subject to the Act to take compliance seriously.
The Commissioner's audit powers are set out in several sections of the Act:
- auditing Australian and ACT government agency compliance with the
Information Privacy Principles (IPPs) - section 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to tax
file numbers (TFNs) and TFN information - section 28(1)(d)
- auditing TFN recipients - section 28(1)(e)
- auditing credit information files and credit reports held by credit
reporting agencies and credit providers - section 28A(1)(g)
- auditing, at the request of the organisation, a private sector organisation
covered by the Privacy Act - section 27(3)
In addition, the Commissioner has the power under section 309 of the
Telecommunications Act 1997 to monitor compliance with certain record keeping
requirements of telecommunications organisations.
Audit Reports
To help promote good privacy practices, the Privacy Commissioner has decided
to publish the finalised reports of audits of Australian and ACT Government
agencies undertaken since 1 July 2002.
Where an audit report contains classified content, the Office may not be able
to publish the report.
Audits of Australian Government Agencies
Audits commenced in the 2006-07 financial year:
- Australian Customs Service: SmartGate Automated Border Processing - PDF, Word
Audits commenced in the 2005-06 financial year:
- Department of Foreign Affairs and Trade, Department of Immigration and
Multicultural Affairs and Centrelink: Document Verification Service Prototype -
PDF, Word
Audits commenced in the 2004-05 financial year:
- Department of Foreign Affairs and Trade & Australian Customs Service:
ePassport & SmartGate Trials - PDF, Word
- Australian Customs Service: Passenger Analysis Unit (report withheld due to
classified content)
Audits commenced in the 2003-04 financial year:
- Australian Customs Service: Passenger Analysis Unit (report withheld due to
classified content)
Audits commenced in the 2002-03 financial year:
Audits of ACT Government Agencies
Audits commenced in the 2007-08 financial year:
- ACT Planning and Land Authority - PDF, Word
Audits commenced in the 2005-06 financial year:
- ACT Office of the Community Advocate (now ACT Public Advocate): Client
Records - PDF, Word
- ACT Corrective Services: Client and Staff Records - PDF, Word
Audits commenced in the 2004-05 financial year:
- ACT Department of Justice and Community Safety: Registrar General's Office -
PDF, Word
- ACT Department of Treasury: First Home Owners Grant (report withheld due to
classified content)
Audits commenced in the 2003-04 financial year:
- Canberra Institute of Technology: Staff and Student Records - PDF, Word
- ACT Department of Disability, Housing and Community Services: Client Records
- PDF, Word
Audits commenced in the 2002-03 financial year:
- ACT Residential Tenancies Tribunal: Client and Employee Records - PDF, Word
The audit process
Privacy audit teams make a point of stressing to agencies and organisations
subject to audit that the audit is an educative process and compliance with the
Privacy Act is seen as part of good management practice. The audit is, by
necessity, a snapshot of personal information handling practices relating to an
agency or organisation program at a certain time and in a particular location.
Agencies and organisations are encouraged to consider audit findings broadly and
not limit issues identified in audits to the program which is the subject of
audit.
The audit process, which begins with the identification of the agency or
organisation selected for audit and the proposed audit focus, is basically the
same regardless of whether it is an Information Privacy Principles, credit
information or tax file number audit.
The auditee is contacted approximately a month prior to the scheduled
commencement of the audit, and formal notification of the audit is sent to the
Chief Executive Officer or nominated officer. The notification contains a
request for pre-audit documentation, such as the annual report, organisation
chart, corporate plan, and details of privacy training undertaken.
The audit commences at the auditee premises with a brief opening conference
attended by key people in the agency or organisation and the audit team. This
conference is used to provide advice to the auditee on the process, arrange
house-keeping matters for the duration of the audit and respond to any issues or
concerns the auditee may have. The next step is an assessment of the structure and
controls implemented by management to ensure the auditee maintains its records
of personal information (including credit and tax file number information) in
accordance with the provisions of the Privacy Act. This is followed by an
inspection of the areas within the agency or organisation where personal information
is held and of the security measures in place to protect the information.
Any issues that are of concern to the auditors are brought to the attention
of management immediately and are provided in summary form at the closing
conference held prior to departure of the auditors from the auditee premises.
This summary forms the basis for discussion with management on issues that are
likely to be included in the audit report.
A draft report is then issued which outlines the auditors' findings and
recommendations, provides the auditee with a medium for open discussion on the
findings and enables preparation of a formal response to the recommendations. A
response to the draft report is sought from the auditee. The auditee response,
including acceptance or non-acceptance of the recommendations and any other
commentary, forms the basis of the final audit report.
On occasion, matters of policy are raised during the audit process. This
may delay completion of the final report, or the issue may be addressed outside
the audit process in preference to delaying the finalisation of the audit.
The Privacy Commissioner's latest Annual Report provides information
about the current audit program.
For more specific information on the audit process, please select one of the
following links:
- Information Privacy Principles Audit Process - PDF, Word
- Tax File Number Audit Process - PDF, Word
- Credit Information Audit Process - PDF, Word
Audit Manuals
- Information Privacy Principles Audit Manual Part 1 (March 1995) - PDF, Word
- Tax File Number Audit Manual Part 2 (March 1995) - PDF, Word
- Credit Information Audit Manual Part 3 (March 1995) - PDF, Word