This audit would assess the effectiveness of the Australian Taxation Office’s (ATO’s) and Services Australia’s management of the privacy of clients’ personal information and the Office of the Australian Information Commissioner’s (OAIC’s) management of privacy complaints and investigations.

The Attorney-General’s Department has overall policy responsibility for privacy, and the OAIC has responsibility for administering privacy laws, providing guidance and assistance to entities and monitoring entities’ compliance with the Privacy Act 1988 (Privacy Act). In December 2022, the Privacy Act was amended to increase maximum penalties and enhance the OAIC’s enforcement powers. In September 2023, the Australian Government released its response to the Privacy Act Review Report dated 16 February 2023.

Services Australia and the ATO hold and manage client (customer and taxpayer) information in the course of their delivery of services and payments, and oversight of the tax and superannuation systems. Services Australia and the ATO share data for the purposes of comparing income data. Risks to the integrity and privacy of client information comprise data breaches through human error or system faults. Twenty-nine per cent of all notifiable data breaches in agencies covered by the Privacy Act from January to June 2023 were from human error and system faults and 70 per cent were from malicious and criminal attack, with 60 per cent of all data breaches resulting from cyber security incidents.

Work program portfolios

This potential Performance audit is featured in 3 annual audit work program portfolios: