
What is a Privacy Management Plan?

All Australian Government agencies are required to have a Privacy Management Plan (PMP) under the Australian Government Agencies Privacy Code. The PMP identifies specific, measurable privacy goals and targets and sets out how an agency, including the Office of the Australian Information Commissioner (OAIC), will meet its compliance obligations under APP 1.2. The OAIC must measure and document its performance against its privacy management plan at least annually.

Before developing a PMP, every agency needs to understand the current state of its privacy practices. The OAIC has built on previous PMPs and used the OAIC’s Interactive PMP Explained resource to help identify opportunities to improve maturity.

What are the next steps?

This PMP describes the actions that the OAIC must take in order to meet its privacy compliance obligations and maturity targets for the year following the PMP's commencement date of 1 July 2024. The OAIC PMP FY 24/25 builds on actions identified in previous PMPs to improve maturity levels and records how it has done so. The PMP Steering Committee focuses on innovative approaches to delivering PMP compliance activities, both for this PMP and as part of its considerations for subsequent PMPs.

About this PMP

Agency name: Office of the Australian Information Commissioner

PMP commencement date: Monday, 1 July 2024

PMP end date: Following commencement, this PMP will operate until Monday, 30 June 2025.

Recommended review period: Tuesday, 1 April 2025 to Monday, 30 June 2025

Privacy risk profile

In the course of preparing this PMP, the OAIC has considered various matters relevant to its privacy risk profile. The details of these considerations are provided below for reference.

Privacy risk profile rationale

The OAIC has determined that it has a high privacy risk profile, primarily because:

  1. The OAIC has regulatory oversight of entities under the Privacy Act in respect of their handling of personal information;
  2. The OAIC has a number of functions and powers under the Privacy Act, the FOI Act and other laws in relation to conducting investigations, handling complaints, reviewing decisions made under the FOI Act, monitoring agency administration, and advising the public, organisations, agencies and its other stakeholders, in the course of which it collects and handles personal information. Whilst the volume of records it holds is relatively low, complainant information may be 'sensitive information' under the Privacy Act, or by its nature be considered sensitive to the individuals and respondents involved. The information will sometimes relate to vulnerable members of the community; and
  3. The OAIC relies on the trust of the community to fulfil its privacy and FOI functions. Individuals must be willing to freely provide their personal information to the OAIC so that it can effectively handle privacy and FOI complaints and investigations, and undertake IC review. Community confidence in the OAIC’s findings is an important aspect of a functioning regulatory system.

Current state

Privacy maturity assessment outcomes

This PMP has been prepared using an assessment of the OAIC’s privacy maturity, the results of which are recorded in the table below. An asterisk (*) next to an attribute name means that it is a 'compliance attribute' and that the OAIC must have a minimum maturity level of 'Developing' to comply with the Privacy Act or the Code.

The OAIC’s overall rating is currently at the ‘Defined’ maturity level. The OAIC privacy management maturity level of Defined is based on the Privacy Program Maturity Assessment Framework outlined in the Interactive Privacy Management Plan Explained resource.

Defined maturity level

The Defined maturity level means that privacy culture is well developed and defined. Practices, procedures and systems are consistent, proactive, documented, integrated into broader organisational frameworks and measured. The diagram below explains the four cumulative maturity levels obtained from the ‘Interactive PMP Explained’ guidance (D2022/014055, page 25).

The compliance activities identified below outline steps the OAIC needs to take in order to reach the appropriate privacy maturity target level of Defined or Leader.

Download the OAIC Privacy Management Plan FY 24-25

Last updated: 07 April 2025