The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. This standard is designed to ensure that personal information of individuals is handled in a manner that is consistent with legislative and regulatory frameworks. This helps enhance trust in government, promote transparency, and foster a culture of privacy awareness.
It is critical this standard be considered alongside those of related capabilities:
- Application Security
- Information Asset Security
- Network Security
- Permissions
Comply with legislation
Entities must:
- comply with relevant Commonwealth legislation including (but not limited to):
  - Privacy Act 1988 (Cth)
  - Archives Act 1983 (Cth)
  - Freedom of Information Act 1982 (Cth)
- adhere to the principles-based law of the Australian Privacy Principles (APPs)
- comply with any other legislation applicable to specific functions and circumstances.
Entities should:
- utilise the Office of the Australian Information Commissioner (OAIC) APP guidelines to assist in applying the APPs
- seek independent legal advice where appropriate.
Align to guidelines and standards
Entities must:
- apply the principles and requirements of the Protective Security Policy Framework throughout their organisation.
Entities should:
- participate in the Australian Government Digital Identity System
- meet the requirements set out in the Trusted Digital Identity Framework
- apply a risk-based approach to privacy to align with the Information Security Manual (ISM)
- be aware of, and apply, other standards relevant to their operating context.
Be private-by-design
Entities should:
- embed privacy practices into the design and implementation of solutions
- develop and maintain robust governance and reporting
- ensure protocols, procedures, and technology solutions adapt to changing privacy laws, technologies, opportunities, and threats
- foster a culture of privacy awareness through training and governance
- follow OAIC’s Privacy by Design guidance.
Take a proactive approach to privacy risks and incident responses
Entities must:
- undertake a Privacy Impact Assessment (PIA) for all high privacy risk projects
- periodically review PIAs to reflect changes in technology and data usage
- implement mechanisms to detect, report, and respond to data breaches in line with the Notifiable Data Breaches (NDB) scheme.
Entities should:
- conduct PIAs even when not mandatory, to understand privacy impacts
- use the OAIC’s PIA guide to tailor the PIA process to specific business needs
- choose technology solutions with advanced monitoring and alerting capabilities
- use the OAIC’s data breach preparation and response guide to prepare for, and respond to, a data breach.
Adhere to reuse principles
The Australian Government Architecture provides information for entities on Reuse.
Entities should:
- compare their requirements with those of other comparable entities and system functions, and seek to reuse learnings from preceding implementations
- consider specific functional and non-functional requirements prior to solution design or consideration of technology choice, including:
  - volume and nature of information assets
  - broader system purpose
  - performance and availability requirements
  - privacy/sensitivity concerns
- meet the requirements of the Digital and ICT Reuse Policy.