Australian Government Architecture
Search

Type

Policy

Reference

.

Applicable from

31 Jan 2025

Mandate

Endorsed

Status

Core

Responsible agency

Digital Transformation Agency

Privacy Protection policy

This policy describes the requirements for entities planning digital investments involving privacy protection considerations.

Applicability

Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF).

Commonwealth entities are encouraged to apply this policy to all digital investments.

Policy requirements

  • Comply with legislation

    Entities must comply with the Privacy Act (1998), which governs all Australian government entities. This includes adherence with the Australian Privacy Principles.

  • Align to guidelines and standards

    Entities are required to comply with the Protective Security Policy Framework, and any other relevant mandatory frameworks, policies, and standards.

  • Be private-by-design

    Privacy must be integrated as a core element of digital products and services from the design phase through to deployment and beyond. This approach ensures privacy considerations are embedded throughout the lifecycle of the investment. 

  • Take a proactive approach to privacy risks and incident responses

    Proactive development of overarching as well as programme-specific approaches to privacy, proactively assess and manage risk, enables both confidence in the system, and response to incidents in a considered and timely manner.

  • Adhere to reuse principles

    Entities must give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Capabilities

This policy includes requirements that relate to the following capability.
CAP51

Privacy Protection

Standards

The following standards show what to do to satisfy this policy.

Privacy Protection standard

STA65
The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. This standard is designed to ensure that personal information of individuals is handled in a manner that is consistent with legislative and regulatory frameworks. This…

Designs

The following designs can be relevant to meeting the requirements of this policy.

OAIC Guide to undertaking privacy impact assessments

DES111
The OAIC Guide to undertaking privacy impact assessments describes a process for undertaking a privacy impact assessment (PIA)

Privacy Officer Toolkit

DES152
The Office of the Australian Information Commissioner has developed a Privacy Officer Toolkit to help privacy officers to understand and perform their functions under the Australian Government Agencies Privacy Code. It assists officers in navigating the Privacy Act and other relevant…

Guide to developing an APP privacy policy

DES153
This guide is based on the Australian Privacy Principles (APPs) in the Privacy Act 1988, and the Office of the Australian Information Commissioner’s (OAIC) APP Guidelines. It is designed to help APP entities prepare and maintain an APP privacy policy. It provides tips and a process for developing a…

Australian Privacy Principles guidelines

DES154
The Australian Privacy Principles guidelines (APP guidelines) outline the mandatory requirements in the Australian Privacy Principles (APPs), the Information Commissioner’s interpretation of the APPs, examples that explain how the APPs may apply to particular circumstances, and good…

Integrated Regulatory Information System (IRIS)

DES155
Responsible agency: Comcare Integrated Regulatory Information System (IRIS) is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to access place to store data…
Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.