Go to top of page

12.3 Privacy and security

Customer records and personal information

The department’s privacy framework is guided by the Operational Privacy Policy, with which all staff must comply. Among other things, the policy requires all staff to:

  • acknowledge their privacy and confidentiality responsibilities every year
  • complete privacy training every year
  • report privacy incidents as soon as they are identified.

Personal information related to the administration of the department’s programs and services is protected by the Privacy Act 1988 and the secrecy provisions in the various laws under which the department delivers its services, such as the Social Security (Administration) Act 1999. The department considers requests for personal information under the Privacy Act 1988 and relevant secrecy provisions.

Privacy impact assessments

As the department develops new projects and program improvements, it considers the potential impact on privacy. Under the department’s Operational Privacy Policy, the department undertakes privacy impact assessments to:

  • minimise privacy risks and impacts
  • ensure compliance with statutory obligations
  • meet the department’s commitment to safeguarding customer privacy.

Privacy incidents

The department investigates all privacy complaints and uses escalation and reporting processes to minimise and mitigate the effects of any privacy incident. In 2018–19, the total number of substantiated privacy incidents was 1,416.


The department emphasises the need for security as part of the department’s culture and applies the Australian Government Protective Security Policy Framework through effective security risk management, monitoring and review of security plans and policies, training, and education.

In 2018–19, the department continued to strengthen security governance arrangements through the Work Health and Safety Sub-Group and the establishment of a Chief Security Officer role.