Australian Government Architecture
Search

Type

Capability

Reference

.

Mandate

Endorsed

Privacy Protection

Definition

Privacy protection involves safeguarding information that identifies who we are, what we do, and what we believe. It encompasses regulations, processes, and technologies used to secure personally identifiable information about individuals and businesses, which is collected, processed, and stored on digital and ICT systems and networks.

Purpose

Appropriate privacy protections support digital innovation, enhance trust in Commonwealth entities, and meet regulatory obligations.

The Privacy Protection capability is realised through:

  • understanding the reason for collecting private information
  • defining the management and use of private information
  • planning for the impact of breaches in privacy by an entity
  • strategic technology investments, by supporting a scalable approach to privacy that balances innovation with the need to satisfy regulatory requirements
  • implementation of structured protocols and procedures, which put privacy first
  • considering the capability as part of a complementary suite of Cyber Security Capabilities, including Application Security, Information Asset Security, Network Security, and Permissions.

Objective

The objectives of this content are to:

  • align digital and ICT solutions with privacy laws to ensure the secure and responsible handling of personal information
  • ensure that entities are familiar with privacy best practice, allowing them to make informed decisions on investment in this capability
  • ensure the adoption of best practices in privacy protocols and procedures to mitigate risks associated with the handling of personal information.

Whole-of-government applicability

On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy, a roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. The capability of privacy supports its agenda through:

  • ensuring that privacy considerations are incorporated into the design, development, and deployment of applications across the Australian Public Service
  • preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.

The Data and Digital Government Strategy (DDGS) sets a vision for 2030 to deliver simple, secure and connected public services for all people and business, through world class data and digital capabilities.

Maturity in the capability of privacy protection will be of critical importance to the DDGS missions:

  • Trusted and secure: The Australian Government commits to improving and maintaining trust in its use of data and digital technologies including through adopting robust and appropriate privacy and security settings to keep peoples’ information safe.
  • Simple and seamless services: The Australian Government commits to ensuring technology is scalable, secure, resilient and interoperable, with new systems and infrastructure that supports data access and discoverability.

Policy Elements

Policy:
POL47
Privacy Protection policy Mandate:
Endorsed
Status:
Core

  • Comply with legislation

    Entities must comply with the Privacy Act (1998), which governs all Australian government entities. This includes adherence with the Australian Privacy Principles.

  • Align to guidelines and standards

    Entities are required to comply with the Protective Security Policy Framework, and any other relevant mandatory frameworks, policies, and standards.

  • Be private-by-design

    Privacy must be integrated as a core element of digital products and services from the design phase through to deployment and beyond. This approach ensures privacy considerations are embedded throughout the lifecycle of the investment. 

  • Take a proactive approach to privacy risks and incident responses

    Proactive development of overarching as well as programme-specific approaches to privacy, proactively assess and manage risk, enables both confidence in the system, and response to incidents in a considered and timely manner.

  • Adhere to reuse principles

    Entities must give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Domains

This capability is part of the following domain.
DOM9

Cyber Security

Policies

The following policies have requirements that impact this capability.
Protective Security Policy Framework (PSPF)
POL19
Mandate: Endorsed
Status: Core
The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing…
Privacy Protection policy
POL47
Mandate: Endorsed
Status: Core
This policy describes the requirements for entities planning digital investments involving privacy protection considerations. Applicability Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF). Commonwealth…

Standards

The following standards support development of digital solutions in this capability.

Privacy Protection standard

STA65
The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. This standard is designed to ensure that personal information of individuals is handled in a manner that is consistent with legislative and regulatory frameworks. This…

Designs

The following designs include examples of how digital solutions in this capability can be delivered.

OAIC Guide to undertaking privacy impact assessments

DES111

Lead Agency: Office of the Australian Information Commissioner

The OAIC Guide to undertaking privacy impact assessments describes a process for undertaking a privacy impact assessment (PIA)

Privacy Officer Toolkit

DES152

Lead Agency: Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner has developed a Privacy Officer Toolkit to help privacy officers to understand and perform their functions under the Australian Government Agencies Privacy Code. It assists officers in navigating the Privacy Act and other relevant…

Guide to developing an APP privacy policy

DES153

Lead Agency: Office of the Australian Information Commissioner

This guide is based on the Australian Privacy Principles (APPs) in the Privacy Act 1988, and the Office of the Australian Information Commissioner’s (OAIC) APP Guidelines. It is designed to help APP entities prepare and maintain an APP privacy policy. It provides tips and a process for developing a…

Australian Privacy Principles guidelines

DES154

Lead Agency: Office of the Australian Information Commissioner

The Australian Privacy Principles guidelines (APP guidelines) outline the mandatory requirements in the Australian Privacy Principles (APPs), the Information Commissioner’s interpretation of the APPs, examples that explain how the APPs may apply to particular circumstances, and good…

Integrated Regulatory Information System (IRIS)

DES155

Lead Agency: Comcare

Technology Type: Microsoft Dynamics 365

Responsible agency: Comcare Integrated Regulatory Information System (IRIS) is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to access place to store data…
Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.