<!doctype html> <html lang="en"> <head> <title>Assessing privacy risks in changed working environments: privacy impact assessments | OAIC</title> <!-- Misc Metadata --> <meta charset="utf-8"> <meta name="mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <!-- Global Default Metadata --> <meta name="dcterms.title" content="Assessing privacy risks in changed working environments: privacy impact assessments"> <meta name="dcterms.creator" content="OAIC"> <meta name="dcterms.created" content="2022-09-08T11:41:24+10:00"> <meta name="dcterms.modified" content="2024-09-05T11:41:25+10:00"> <meta name="dcterms.issued" content="2023-03-10T16:34:19+11:00"> <meta name="dcterms.format" content="HTML"> <meta name="dcterms.identifier" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments"> <!-- Custom Metadata --> <!-- Page //--> <!-- SEO //--> <meta name="publishedDate" content="10 March 2023"> <meta name="publishedDate_ISO" content="2023-03-10T00:00:00+11:00"> <meta name="description" content="Tips on key issues an entity regulated by the Privacy Act 1988 should consider when assessing the privacy impacts of a remote working arrangement" /> <meta name="pdISO" content="2023-03-10T00:00:00+11:00" /> <meta name="robots" content="" /> <!-- Chapter navigation //--> <meta name="chapter-nav" content="no" /> <meta name="chapter-nav-prev" content="" /> <meta name="chapter-nav-next" content="" /> <meta name="chapter-nav-prev-btn-text" content="Previous chapter" /> <meta name="chapter-nav-next-btn-text" content="Next chapter" /> <meta name="background_color" content="chapter-navigation__wrapper--white" /> <!-- Media //--> <meta name="show-related-articles" content="no" /> <meta name="topic" content="Privacy" /> <meta name="contentType" content="" /> <meta name="featuredNews" content="no" /> <meta name="author-name" content="" /> <meta name="author-title" content="" /> <meta name="author-image" content="" /> <!-- Search //--> <meta name="type" content="web" /> <!-- Feedback //--> <meta name="showFeedbackWidget" content="yes" /> <meta name="showShareWidget" content="yes" /> <!-- Google+ Schema.org Data | https://developers.google.com/+/web/snippet/article-rendering --> <meta itemprop="name" content="Assessing privacy risks in changed working environments: privacy impact assessments" /> <meta itemprop="description" content="Tips on key issues an entity regulated by the Privacy Act 1988 should consider when assessing the privacy impacts of a remote working arrangement" /> <meta itemprop="image" content="" /> <!-- Twitter Card Data | https://dev.twitter.com/cards/types/summary --> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@OAICgov" /> <meta name="twitter:title" content="Assessing privacy risks in changed working environments: privacy impact assessments" /> <meta name="twitter:description" content="Tips on key issues an entity regulated by the Privacy Act 1988 should consider when assessing the privacy impacts of a remote working arrangement" /> <meta name="twitter:image" content="" /> <!-- Open Graph Data | http://ogp.me/ --> <meta property="og:title" content="Assessing privacy risks in changed working environments: privacy impact assessments" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments" /> <meta property="og:image" content="" /> <meta property="og:description" content="Tips on key issues an entity regulated by the Privacy Act 1988 should consider when assessing the privacy impacts of a remote working arrangement" /> <meta property="og:site_name" content="OAIC" /> <meta property="article:published_time" content="2023-03-10T16:34:19+11:00" /> <meta property="article:modified_time" content="2024-09-05T11:41:25+10:00" /> <meta property="article:tag" content="" /> <meta name="theme-color" content="#fafafa"> <!-- Readspeaker --> <script src="//cdn-oc.readspeaker.com/script/9755/webReader/webReader.js?pids=wr" type="text/javascript" id="rs_req_Init"></script> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PTH9SP3B');</script> <!-- End Google Tag Manager --> <!-- Google Site Verification --> <meta name="google-site-verification" content="sQVHBUKhjuCjBjithPialZYhGQ5SPKwjb1_rY8OqsjA" /> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/main.css?h=06ed308"> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/css_file/0024/240585/custom.css?v=0.1.202"> <!-- Fonts --> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap" rel="stylesheet"> <!-- Favicons --> <link rel="shortcut icon" href="https://www.oaic.gov.au/__data/assets/image/0016/14182/favicon-32x32.png"> <link rel="apple-touch-icon" href="https://www.oaic.gov.au/__data/assets/image/0015/14181/apple-touch-icon.png"> <!-- Running Squiz Matrix Developed by Squiz - http://www.squiz.net Squiz, Squiz Matrix, MySource, MySource Matrix and Squiz.net are registered Trademarks of Squiz Pty Ltd Page generated: 25 November 2024 05:28:49 --> </head> <body class="inside"> <!-- Cookie banner start --> <section class="cookie-banner" aria-labelledby="cookie-heading"> <h2 class="visuallyhidden" id="cookie-heading">We use cookies on this site</h2> <div class="cookie-banner__content"> <div> <p>We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy">privacy policy</a>.</p> </div> <button class="cookie-banner__close primary-button" id="close-cookie-banner" aria-label="Close and accept cookie policy">Close</button> </div> </section> <!-- Cookie banner end --> <!-- Skip to content start --> <div class="skip-to-content"> <a href="#main-content-area" class="skip-to-content__link visuallyhidden focusable">Skip to main content</a> </div> <!-- Skip to content end --> <div class="page-wrapper"> <!-- Notification banner start --> <!-- Notification banner end --> <!-- Header start --> <!--noindex--> <header class="site-header"> <div class="utility-nav"> <div class="utility-nav__wrapper"> <a href="/news" class="utility-nav__link ">News</a> <a href="/about-the-OAIC/join-our-team" class="utility-nav__link ">Join our team</a> <a href="/contact-us" class="utility-nav__link ">Contact us</a> </div> </div> <div class="header-content"> <a href="https://www.oaic.gov.au" class="header-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/13664/oaic-header-logo.svg" alt="OAIC - Australian Government - Office of the Australian Information Commissioner"> </a> <button class="mobile-menu" aria-controls="header-nav" aria-expanded="false"> <img class="menu-icon menu-icon--burger" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/hamburger-menu.svg" alt="open menu"> <img class="menu-icon menu-icon--close" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/cancel-icon-white.svg" alt="close menu"> </button> <div class="search-container search-container--header"> <form class="input-form" action="https://www.oaic.gov.au/search" data-action="https://www.oaic.gov.au/search?SQ_ASSET_CONTENTS_RAW"> <input name="query" autocomplete="off" id="autoComplete" placeholder="Search&hellip;" class="search-box" aria-label="Search input" data-autocomplete-endpoint="https://dxp-au-search.funnelback.squiz.cloud/s/suggest.json?collection=113e9365-ffcc-4320-a995-5c1b98bea3bb~sp-oaic-web-new&profile=auto-completion-global&fmt=json%2B%2B&alpha=0.5&show=10"> <input type="hidden" name="form" value="result"> <button type="button" id="clear-text-btn" class="cancel-logo" aria-label="Clear text"> <img src="https://www.oaic.gov.au/__data/assets/file/0022/13666/cancel-icon.svg" alt="clear text cancel icon"> </button> <button type="submit" aria-label="Submit search"> <img class="search-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/13667/search-outline.svg" alt="search icon thst submits form"> </button> </form> </div> <div id="header-nav" class="header-nav"> <nav class="header-nav__nav"> <div class="header-nav__item"> <a href="https://www.oaic.gov.au" class="header-nav__link " > Home </a> </div> <div class="header-nav__item"> <button class="header-nav__button current" aria-expanded="false" > Privacy <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/privacy" class="header-nav__sub-link"> Privacy </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/privacy/your-privacy-rights" class="header-nav__sub-link"> Your privacy rights </a> <a href="https://www.oaic.gov.au/privacy/privacy-complaints" class="header-nav__sub-link"> Privacy complaints </a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles" class="header-nav__sub-link"> Australian Privacy Principles </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies" class="header-nav__sub-link"> Privacy guidance for organisations and government agencies </a> <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches" class="header-nav__sub-link"> Notifiable data breaches </a> <a href="https://www.oaic.gov.au/privacy/privacy-legislation" class="header-nav__sub-link"> Privacy legislation </a> <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions" class="header-nav__sub-link"> Privacy assessments and decisions </a> <a href="https://www.oaic.gov.au/privacy/privacy-registers" class="header-nav__sub-link"> Privacy registers </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Freedom of information <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/freedom-of-information" class="header-nav__sub-link"> Freedom of information </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/freedom-of-information/your-freedom-of-information-rights" class="header-nav__sub-link"> Your freedom of information rights </a> <a href="https://www.oaic.gov.au/freedom-of-information/how-to-access-government-information" class="header-nav__sub-link"> How to access government information </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies" class="header-nav__sub-link"> Freedom of information guidance for government agencies </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-legislation-and-determinations" class="header-nav__sub-link"> Freedom of information legislation and determinations </a> <a href="https://www.oaic.gov.au/freedom-of-information/information-commissioner-decisions-and-reports" class="header-nav__sub-link"> Information Commissioner decisions and reports </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-statistics-for-the-oaic" class="header-nav__sub-link"> Freedom of information statistics for the OAIC </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Consumer Data Right <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/consumer-data-right" class="header-nav__sub-link"> Consumer Data Right </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/consumer-data-right/information-for-consumers" class="header-nav__sub-link"> Information for consumers </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints" class="header-nav__sub-link"> Consumer Data Right complaints </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business" class="header-nav__sub-link"> Consumer Data Right guidance for business </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions" class="header-nav__sub-link"> Consumer Data Right legislation, regulation and definitions </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments" class="header-nav__sub-link"> Consumer Data Right assessments </a> </div> </div> </div> </div> <div class="header-nav__item"> <a href="https://www.oaic.gov.au/digital-id" class="header-nav__link " > Digital ID </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Engage with us <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/engage-with-us" class="header-nav__sub-link"> Engage with us </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/engage-with-us/consultations" class="header-nav__sub-link"> Consultations </a> <a href="https://www.oaic.gov.au/engage-with-us/submissions" class="header-nav__sub-link"> Submissions </a> <a href="https://www.oaic.gov.au/engage-with-us/translations" class="header-nav__sub-link"> Translations </a> <a href="https://www.oaic.gov.au/engage-with-us/events" class="header-nav__sub-link"> Events </a> <a href="https://www.oaic.gov.au/engage-with-us/networks" class="header-nav__sub-link"> Networks </a> <a href="https://www.oaic.gov.au/engage-with-us/research-and-training-resources" class="header-nav__sub-link"> Research and training resources </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > About the OAIC <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/about-the-OAIC" class="header-nav__sub-link"> About the OAIC </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/about-the-OAIC/what-we-do" class="header-nav__sub-link"> What we do </a> <a href="https://www.oaic.gov.au/about-the-OAIC/who-we-are" class="header-nav__sub-link"> Who we are </a> <a href="https://www.oaic.gov.au/about-the-OAIC/join-our-team" class="header-nav__sub-link"> Join our team </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information" class="header-nav__sub-link"> Access our information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach" class="header-nav__sub-link"> Our regulatory approach </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information" class="header-nav__sub-link"> Our corporate information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/information-policy" class="header-nav__sub-link"> Information policy </a> <a href="https://www.oaic.gov.au/about-the-OAIC/serving-legal-documents-on-the-australian-information-commissioner" class="header-nav__sub-link"> Serving legal documents on the Australian Information Commissioner </a> </div> </div> </div> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/news" class="header-nav__link">News</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/about-the-OAIC/join-our-team" class="header-nav__link">Join our team</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/contact-us" class="header-nav__link">Contact us</a> </div> </nav> </div> </div> </header> <div class="nav-close-overlay"></div> <!--endnoindex--> <!-- Header end --> <main class="main"> <div class="breadcrumb__wrapper"> <div class="section "> <div class="section-item flex-box "> <div class="breadcrumb breadcrumb--separator-chevron"> <nav class="breadcrumb__nav" aria-label="Breadcrumb"> <ul class="breadcrumb__list"> <span class="breadcrumb__list-item"><a href="https://www.oaic.gov.au" class="breadcrumb__list-item-link" aria-label="Go to home page"><svg xmlns="http://www.w3.org/2000/svg" version="1.0" viewBox="0 0 50 50" height="24" width="24"><path d="M25 9.0937 7.281 25.3747h5.563v15.531h24.312v-15.531h5.563L25 9.0937z" fill="currentColor"></path></svg></a></span> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy">Privacy</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies">Privacy guidance for organisations and government agencies</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments">Privacy impact assessments</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments">Assessing privacy risks in changed working environments: privacy impact assessments</a> </li> </ul> </nav> </div> </div> </div> </div> <div class="content-wrapper"> <div class="lhs-wrapper"> <div class="lhs-nav"> <a href="https://www.oaic.gov.au/privacy" class="lhs-nav__level-1"> Privacy </a> <div class="lhs-nav__nav-wrapper"> <div class="lhs-nav__level-2"> <h4> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies"> Privacy guidance for organisations and government agencies </a> </h4> <button class="lhs-nav__level-2-toggle" aria-expanded="false" aria-label="Expand Level 2 submenu: Privacy guidance for organisations and government agencies"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus-white.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-3"> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations"> Organisations </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Organisations"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/credit-reporting" class=""> Credit reporting </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/direct-marketing" class=""> Direct marketing </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/employee-records-exemption" class=""> Employee records exemption </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/id-scanners" class=""> ID scanners </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/opting-in-to-the-privacy-act" class=""> Opting in to the Privacy Act </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/privacy-for-not-for-profits,-including-charities" class=""> Privacy for not-for-profits, including charities </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/privacy-management-plan-template" class=""> Privacy management plan template </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/selling-a-business" class=""> Selling a business </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/small-business" class=""> Small business </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/sporting-clubs" class=""> Sporting clubs </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/start-ups" class=""> Start-ups </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tips-for-good-privacy-practice" class=""> Tips for good privacy practice </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/trading-in-personal-information" class=""> Trading in personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/guidance-for-edr-schemes-when-handling-complaints-about-notifiable-data-breaches" class=""> Guidance for EDR schemes when handling complaints about notifiable data breaches </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tracking-pixels-and-privacy-obligations" class=""> Tracking pixels and privacy obligations </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/facial-recognition-technology-a-guide-to-assessing-the-privacy-risks" class=""> Facial recognition technology: a guide to assessing the privacy risks </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies"> Government agencies </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Government agencies"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/agency-referee-reports" class=""> Agency referee reports </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/australian-government-agencies-privacy-code" class=""> Australian Government Agencies Privacy Code </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/conducting-surveys" class=""> Conducting surveys </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/guidelines-on-data-matching-in-australian-government-administration" class=""> Guidelines on data matching in Australian Government administration </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/privacy-impact-assessment-register-assessment-program" class=""> Privacy impact assessment register assessment program </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/privacy-code-checklist" class=""> Privacy Code checklist </a> </li> </ul> </li> <li class="lhs-nav__level-3-link "> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models"> Guidance on privacy and developing and training generative AI models </a> </li> <li class="lhs-nav__level-3-link "> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products"> Guidance on privacy and the use of commercially available AI products </a> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers"> Health service providers </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Health service providers"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/communications-with-patients" class=""> Communications with patients </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/data-breach-action-plan-for-health-service-providers" class=""> Data breach action plan for health service providers </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/guide-to-health-privacy" class=""> Guide to health privacy </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/individual-healthcare-identifiers" class=""> Individual healthcare identifiers </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/my-health-record" class=""> My Health Record </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/privacy-action-plan-for-your-health-practice" class=""> Privacy action plan for your health practice </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/taking-photos-of-patients" class=""> Taking photos of patients </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information"> Handling personal information </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Handling personal information"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/anti-money-laundering-obligations" class=""> Anti-money laundering obligations </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/centrelink-requests-for-information" class=""> Centrelink requests for information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/dealing-with-requests-for-access-to-personal-information" class=""> Dealing with requests for access to personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/dealing-with-requests-for-correction-of-personal-information" class=""> Dealing with requests for correction of personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/de-identification-and-the-privacy-act" class=""> De-identification and the Privacy Act </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/de-identification-decision-making-framework" class=""> De-identification Decision-Making Framework </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guide-to-securing-personal-information" class=""> Guide to securing personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guide-to-the-privacy-persons-reported-as-missing-rule-2024" class=""> Guide to the Privacy (Persons Reported as Missing) Rule 2024 </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guidelines-for-state-and-territory-governments-creating-nationally-consistent-requirements-to-collect-personal-information-for-contact-tracing-purposes" class=""> Guidelines for state and territory governments: creating nationally consistent requirements to collect personal information for contact tracing purposes </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/national-relay-service" class=""> National Relay Service </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/posting-photos-and-videos" class=""> Posting photos and videos </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/protecting-customers-personal-information" class=""> Protecting customers' personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/sending-personal-information-overseas" class=""> Sending personal information overseas </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/the-privacy-tax-file-number-rule-2015-and-the-protection-of-tax-file-number-information" class=""> The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/transfer-of-financial-adviser-records" class=""> Transfer of financial adviser records </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/what-is-personal-information" class=""> What is personal information? </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches"> Preventing, preparing for and responding to data breaches </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Preventing, preparing for and responding to data breaches"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response" class=""> Data breach preparation and response </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/preventing-data-breaches-advice-from-the-australian-cyber-security-centre" class=""> Preventing data breaches: advice from the Australian Cyber Security Centre </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/guidance-for-entities-in-preparing-for-and-responding-to-cyber-incidents" class=""> Guidance for entities in preparing for and responding to cyber incidents </a> </li> </ul> </li> <li class="lhs-nav__level-3-link current has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments"> Privacy impact assessments </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Privacy impact assessments"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/10-steps-to-undertaking-a-privacy-impact-assessment" class=""> 10 steps to undertaking a privacy impact assessment </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments" class="current"> Assessing privacy risks in changed working environments: privacy impact assessments </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments" class=""> Guide to undertaking privacy impact assessments </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design" class=""> Privacy by design </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-impact-assessment-tool" class=""> Privacy impact assessment tool </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19"> COVID-19 </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: COVID-19"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff" class=""> Coronavirus (COVID-19): understanding your privacy obligations to your staff </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-vaccinations-understanding-your-privacy-obligations-to-your-staff" class=""> Coronavirus (COVID-19) vaccinations: understanding your privacy obligations to your staff </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/covidsafe-reports" class=""> COVIDSafe Reports </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/guidance-for-businesses-collecting-personal-information-for-contract-tracing" class=""> Guidance for businesses collecting personal information for contract tracing </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/national-covid-19-privacy-principles" class=""> National COVID-19 privacy principles </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/privacy-update-on-the-covidsafe-app" class=""> Privacy update on the COVIDSafe app </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/retention-and-deletion-of-personal-information-collected-during-covid-19" class=""> Retention and deletion of personal information collected during COVID-19 </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/guidance-for-businesses-collecting-covid-19-vaccination-information" class=""> Guidance for businesses collecting COVID-19 vaccination information </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance"> More guidance </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: More guidance"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/australian-bushfires-disaster-emergency-declaration-understanding-your-privacy-obligations" class=""> Australian Bushfires Disaster Emergency Declaration: understanding your privacy obligations </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/australian-entities-and-the-european-union-general-data-protection-regulation" class=""> Australian entities and the European Union General Data Protection Regulation </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/emergencies-and-disasters" class=""> Emergencies and disasters </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/guide-to-data-analytics-and-the-australian-privacy-principles" class=""> Guide to data analytics and the Australian Privacy Principles </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/guide-to-developing-an-app-privacy-policy" class=""> Guide to developing an APP privacy policy </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/how-to-develop-an-app-privacy-policy-poster" class=""> How to develop an APP privacy policy (poster) </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/guidelines-for-developing-codes" class=""> Guidelines for developing codes </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/guidelines-for-recognising-external-dispute-resolution-schemes" class=""> Guidelines for recognising external dispute resolution schemes </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/handling-privacy-complaints" class=""> Handling privacy complaints </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/keeping-records-of-disclosures-under-the-telecommunications-act-1997" class=""> Keeping records of disclosures under the Telecommunications Act 1997 </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/mobile-privacy-a-better-practice-guide-for-mobile-app-developers" class=""> Mobile privacy: a better practice guide for mobile app developers </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/privacy-management-framework-enabling-compliance-and-encouraging-good-practice" class=""> Privacy management framework: enabling compliance and encouraging good practice </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/privacy-public-interest-determination-guide" class=""> Privacy public interest determination guide </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/self-assessment-checklist-privacy-obligations-under-the-data-retention-scheme" class=""> Self-assessment checklist: privacy obligations under the Data Retention Scheme </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/telecommunications-service-providers-obligations-arising-under-the-privacy-act-1988-as-a-result-of-part-5-1a-of-the-telecommunications-interception-and-access-act-1979" class=""> Telecommunications service providers' obligations arising under the Privacy Act 1988 as a result of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/privacy-considerations-for-financial-services-entities-receiving-data-from-a-carrier-or-carriage-service-provider-under-the-telecommunications-regulations" class=""> Privacy considerations for financial services entities receiving data from a carrier or carriage service provider </a> </li> </ul> </li> </ul> </div> </div> </div> <div class="middle-wrapper"> <!-- Body start --> <div id="main-content-area" class="page-content"> <div class="toc"> <ul class="toc__list"> <li class="toc__heading"> <h2 class="toc-exclude">On this page</h2> </li> </ul> </div> <section class="banner-grey-newsroom__wrapper"> <div class="banner-grey-newsroom__content"> <h1 class="banner-grey-newsroom__title">Assessing privacy risks in changed working environments: privacy impact assessments</h1> </div> </section> <!--.banner-grey-newsroom__wrapper --> <script> if(document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content')) { document.querySelector('.breadcrumb__wrapper').insertAdjacentElement('afterend',document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content').closest(' .banner-grey-newsroom__wrapper')) } </script> <div class="gov-numbered-paragraphs" id="component_21719"> <div><div><div><div>Publication date: 6 April 2020</div></div></div><div><div id="page-content"><h2 id="overview">Overview</h2><p>The OAIC appreciates the unprecedented challenges <a href="https://www.oaic.gov.au/_old/privacy/your-privacy-rights/government-agencies">Australian government agencies</a> and <a href="https://www.oaic.gov.au/_old/privacy/privacy-for-organisations">private sector employers</a> are facing in combating the spread of COVID-19. To prevent or manage the risk of COVID-19, you may have implemented, or are considering, remote working arrangements for employees or are expanding existing arrangements.</p><p>The purpose of this resource is to provide tips on key issues that entities regulated by the <em>Privacy Act 1988</em> (Cth) should consider when assessing the privacy impacts of a remote working arrangement. This resource should be read in conjunction with the <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#additional-resources">additional resources</a> listed below.</p><p>The Privacy Act does not prevent employees from working remotely as a response to COVID-19, however, the Australian Privacy Principles (APPs) will continue to apply. You should consider whether any changes to working arrangements will impact on the handling of personal information, assess any potential privacy risks, and put in place appropriate mitigation strategies. Assessing potential privacy risks will also help you reduce the risk of a data breach, which occurs when personal information is subject to unauthorised access or disclosure or is lost.</p><p>A <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments">privacy impact assessment</a> (PIA) is a useful tool for evaluating and mitigating risks to personal information. The scale and scope of your PIA will depend on the extent of the change to your working arrangements and other factors such as the size of your entity, its resources, and the types of personal information that you handle.</p><p>Agencies should also consider their obligations under the <a href="https://www.oaic.gov.au/_old/privacy/privacy-for-government-agencies/australian-government-agencies-privacy-code">Privacy (Australian Government Agencies &ndash; Governance) APP Code 2017</a> (the Code) to undertake a PIA for all high privacy risk projects.<a id="ftnref1" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftn1">[1]</a></p><h2 id="why-assess-privacy-risks-through-a-pia">Why assess privacy risks through a PIA?</h2><p>The OAIC acknowledges that, given the urgent circumstances surrounding the COVID-19 pandemic, you may have already implemented or expanded existing remote working arrangements for your employees. Business Continuity Plans and risk assessments will have guided your decisions.</p><p>Under APP 11 (security of personal information), entities must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure.<a id="ftnref2" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftn2">[2]</a> In addition, the <a href="https://www.oaic.gov.au/_old/privacy/notifiable-data-breaches">Notifiable Data Breach (NDB) scheme</a> applies to all entities with existing personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the OAIC in the event of an &lsquo;eligible data breach&rsquo;.<a id="ftnref3" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftn3">[3]</a> These obligations continue to apply to your remote working arrangements.</p><p>A PIA provides a useful framework to screen for unexpected privacy issues and may help to further mitigate any privacy risks associated with the remote working arrangements that have been implemented. Mitigating privacy issues will also help reduce the risk of experiencing a data breach, which could trigger your notification obligations under the NDB scheme.</p><p>It is never too late to conduct a PIA. A PIA should also be an iterative process during the life of any project, being updated to take account of changes to working arrangements as they evolve. The checklist below is intended to help you consider and assess common privacy issues that may arise in a remote working arrangement.</p><p>For more information about undertaking a PIA, see the OAIC&rsquo;s <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments">Guide to undertaking privacy impact assessments</a> (PIA Guide) and <a href="./?external-uuid=515b2f7c-3a9a-446d-b0cd-9f7ba12cc5da">PIA e-Learning course</a>.</p><h2 id="is-a-pia-necessary">Is a PIA necessary?</h2><p>While you may have had remote working arrangements in place for some staff previously, the current situation in relation to COVID-19 has likely resulted in a substantial increase to the numbers of employees working from home and/or an expansion to types of work tasks that have traditionally been performed remotely. Changes to the way personal information is handled may also be required as a result of a shift to a remote working arrangement.</p><p>You should undertake a threshold assessment to establish whether a PIA of your remote working arrangements is necessary. For more information about undertaking a threshold assessment, see the OAIC&rsquo;s <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments">PIA Guide</a>.</p><p>A PIA may not be necessary if your remote working arrangements do not change existing information handling practices, the privacy implications of these practices have been assessed previously (whether as part of a threshold assessment, a PIA or other risk-assessment process) and controls are current and working well. You may have considered the privacy issues through other mechanisms, like a risk assessment as part of your Business Continuity Plan. Regardless of whether you proceed to a PIA, you should keep a record of your threshold assessment.</p><h2 id="how-detailed-does-a-pia-need-to-be">How detailed does a PIA need to be?</h2><p>There is no single way of doing a PIA and entities are encouraged to take a flexible approach. The scale and scope of a PIA will depend on the scale and scope of a particular project.</p><p>For example, if you have had remote working arrangements in place for some time and only minor adjustments are being made to the types of work that can be performed from home, a PIA may end up only a couple of pages long. If remote working arrangements will result in a significant change to your business-as-usual practices, including changes to the way personal information is handled, then the PIA may need to consider a broader range of issues.</p><p>A PIA doesn&rsquo;t set out to identify and eliminate every possible privacy risk, however, it should identify any genuine risks that may be associated with your remote working arrangements, assess how serious those risks are, and consider ways that those risks can be mitigated.</p><h2 id="things-to-consider-in-a-pia-of-remote-working-arrangements">Things to consider in a PIA of remote working arrangements</h2><p>This section outlines key factors that you should consider in assessing personal information handling in remote working arrangements including:</p><ul><li>Governance, culture and training</li><li>ICT security</li><li>Access security</li><li>Data breaches</li><li>Physical security</li></ul><p>This is not an exhaustive list and does not cover the entirety of an entity&rsquo;s obligations under the APPs. You should read this section in conjunction with the list of <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#additional-resources">additional resources</a> below.</p><h3 id="governance-culture-and-training">Governance, culture and training</h3><p>Your privacy and security governance arrangements should include appropriate training, resourcing, documented policies and procedures, and management oversight to ensure you foster a culture of privacy and staff are aware of their privacy and security obligations when working remotely.</p><h4>Questions to consider</h4><ul><li>What governance arrangements do you have in place around remote working arrangements? <ul><li>do you have a documented process for reviewing and approving applications to work remotely?</li><li>how often are remote working arrangements reviewed to ensure they are still appropriate and effective for each staff member?</li></ul></li><li><p>Are staff members educated on physical security and the handling of personal information when working from home?</p></li><li><p>Are staff members educated on ICT and cyber security practices, such as identifying phishing or spear-phishing emails?</p></li><li><p>Is there a policy that covers information security when staff members work offsite, such as from home, a secondary site office or a temporary office?</p></li><li><p>Are there clear polices governing the use of end-user devices, including use of staff&rsquo;s own devices (known as &lsquo;Bring Your Own Device (BYOD)&rsquo;) and procedures for taking work home?</p></li></ul><h3 id="ict-security">ICT Security</h3><p>As more staff work from home, and the use of remote technology increases, adversaries may attempt to take advantage of any real or perceived vulnerabilities introduced as a result of that change. ICT security measures help mitigate the risks of internal and external attackers and the damage caused by malicious software such as malware, computer viruses and other harmful programs.</p><h4>Questions to consider</h4><ul><li><p>Do all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords?</p></li><li><p>Have you considered increasing cyber security measures in anticipation of the higher demand on remote access technologies and tested them ahead of time?</p></li><li><p>Have you implemented a secure method for staff to access your network and systems (eg. a secure remote desktop client)?</p></li><li><p>Do you use multifactor authentication for remote access to systems and resources (including cloud services)?</p></li><li><p>Are staff able to remotely access systems with their personal devices? What technical and procedural controls do you have in place to mitigate security risks associated with personal devices?</p></li><li><p>Have you assessed the privacy and security controls of any new technology, such as videoconferencing facilities, that you are using?</p></li><li><p>Are there strong minimum standards for security of end-user devices (such as password protection, encryption)?</p></li><li><p>Have technical solutions which block or mitigate the effects of phishing, spear-phishing and social-engineering attacks been applied (eg. are email attachments received from an external source scanned before they are open)?</p></li></ul><h3 id="access-security">Access security</h3><p>Remote working arrangements may give rise to the &lsquo;trusted insider risk&rsquo;, particularly in circumstances where staff members are not subject to the same level of supervision and oversight as they would be in a traditional office environment. Access security and monitoring controls help you protect against internal and external risks by ensuring that personal information is only accessed by authorised persons.</p><h4>Questions to consider</h4><ul><li><p>Do you limit access to personal information to those staff necessary to enable your entity to carry out its functions and activities?</p></li><li><p>Have you considered employing remote wiping software to allow for the deletion of personal information stored on end-user devices which have been lost or stolen?</p></li><li>Is password or passphrase complexity enforced? For example, including uppercase characters, lowercase characters, punctuation, symbols and/or numbers? <ul><li>Are there mechanisms for changing them regularly?</li><li>Is reuse of passwords or passphrases blocked?</li><li>Is there a minimum length requirement? Is sharing of passwords or passphrases forbidden?</li></ul></li><li><p>Do accounts lock the user out after a specified number of failed logins?</p></li><li>What methods do you use to identify inappropriate access of files or databases containing personal information? <ul><li><p>Do you use audit logs and audit trails?</p></li><li><p>Is access by both internal and external persons monitored? Is there a method for identifying anomalous behaviour?</p></li><li><p>Do you have the capability to proactively monitor access to systems to identify potential instances of unauthorised access or misuse? Have you considered whether to increase the use of that capability because of the change to the working environment?</p></li><li><p>Are these measures mainly reactive (review of logs, responding to incidents) or do they also involve real time or close to real time monitoring or access activity?</p></li><li><p>If anomalous behaviour is detected, what processes are used to immediately remove or reduce any risk, and then determine whether such behaviour amounts to unauthorised access, including any processes in place to assess whether the access might give rise to an eligible data breach for the purposes of the NDB scheme?</p></li></ul></li></ul><h3 id="data-breaches">Data breaches</h3><p>A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure or is lost. A data breach may be caused by malicious action (by an external or internal party), human error, or a failure in information handling or security systems. Examples of data breaches that could occur when staff are working remotely include:</p><ul><li><p>unauthorised access to systems containing personal information by an employee (the &lsquo;trusted insider risk&rsquo;)</p></li><li><p>unauthorised disclosure of personal information where a staff member discusses the personal information of another individual where it can be overheard by a third party (such as another member of the household), or enables a record of personal information to be seen by someone else (such as by leaving a computer screen unlocked or by making notes that are obtained or viewed by a third party), or</p></li><li><p>loss or theft of physical devices (such as a phone or laptop) or paper records that contain personal information.</p></li></ul><p>Where personal information is compromised and is likely to result in serious harm to any of the individuals to whom the information relates, it must be notified to the OAIC and affected individuals in accordance with the NDB scheme.</p><p>In the event of a data breach, having a <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/data-breach-preparation-and-response">response plan</a> that includes procedures and clear lines of authority can assist you to contain the breach and manage your response, including whether notification is necessary under the NDB scheme. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective.</p><h4>Questions to consider</h4><ul><li><p>Are staff aware of the agency&rsquo;s data breach response plan and arrangements? Is it easily accessible by staff working from home?</p></li><li><p>Do changes need to be made to the method for notifying actual or suspected incidents if data breach response staff are working from home?</p></li><li><p>Does the data breach response team have the appropriate capacity under the new working arrangements to respond quickly to actual or suspected incidents? Do changes need to be made to the team to account for work from home arrangements?</p></li><li><p>Has the agency data breach response plan been tested via a simulated exercise involving a working from home arrangement to identifying whether any modifications are required strengthen to the plan?</p></li></ul><h3 id="physical-security"><a name="physical-security"></a>Physical security</h3><p>Physical security is an important part of ensuring that personal information held on your network is secure when accessed by staff working remotely. While it may not be possible to assess the individual physical security arrangements of each staff member&rsquo;s workspace, agencies should consider other ways of facilitating good privacy and security practices.</p><h4>Questions to consider</h4><ul><li><p>Have you considered whether there are certain work tasks that should not be performed from home where the privacy risks can&rsquo;t be mitigated?</p></li><li><p>Have you considered how the risk of unauthorised disclosure can be further mitigated by modifying work tasks that are able to be performed from home (eg. increasing communication over email rather than the phone (if there is a risk of being overheard), re-allocation of matters to staff with a private home office, or nominating times where staff may come into the office to carry out certain essential tasks)?</p></li><li>Have you provided clear guidance regarding physical security measures that all staff working remotely are required to take? This should include directions around: <ul><li>working only from the home authorised and not in public spaces</li><li>ensuring screens are angled so they cannot be viewed by anyone else and locked when not in use</li><li>ensuring that no other member of the household uses work devices</li><li>ensuring that phone conversations where personal information is disclosed cannot be overheard by other members of the household</li><li>using generic terms (such as customer, client or complainant) on phone calls or in videoconferencing so that an individual is not reasonably identifiable</li><li>storing devices (particularly work devices) in a safe location when not in use</li><li>not making any hard copies of documents containing personal information</li><li>not emailing any agency information including personal information to their personal email accounts</li><li>not discussing or transmitting agency information, including personal information with colleagues, or third parties, via personal chat groups.</li></ul></li><li><p>Have you considered proactive measures to ensure staff have adequate physical security measures in their home? (eg. consider implementing an ongoing program of &lsquo;spot checks&rsquo;, which could be carried out through virtual or remote methods, to inspect staff members individual working arrangements)</p></li><li><p>Where staff do not have a private home office, consider what steps could be taken to enable a temporary workspace to be established in a separate room of the home, or redesign work tasks to remove the need to handle personal information.</p></li></ul><h2 id="additional-resources">Additional resources</h2><p>You should also refer to the resources listed below where relevant to your entity.</p><h3 id="oaic-resources">OAIC resources</h3><ul><li><a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments">Guide to undertaking privacy impact assessments</a></li><li><a href="./?external-uuid=515b2f7c-3a9a-446d-b0cd-9f7ba12cc5da">PIA e-Learning course</a></li><li><a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-securing-personal-information">Guide to securing personal information</a></li><li><a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/data-breach-preparation-and-response">Data breach preparation and response guide</a></li><li><a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff">Coronavirus (COVID-19): Understanding your privacy obligations to your staff</a></li></ul><div><p class="callout">Keep up to date with the latest advice from the <a href="https://www.cyber.gov.au/">Australian Cyber Security Centre</a></p><p class="callout">Agencies should ensure continued compliance with <a href="https://www.protectivesecurity.gov.au/">Protective Security Policy Framework</a> requirements</p></div></div></div></div> </div> <div class="footnotes"><h2 id="footnotes">Footnotes</h2><p><a id="ftn1" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftnref1">[1]</a> For the purposes of Part 3 of the Code, a project may be a high privacy risk project if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. The term &lsquo;project&rsquo; covers the full range of activities and initiatives undertaken by agencies that may have privacy implications, including increased remote working arrangements.</p><p><a id="ftn2" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftnref2">[2]</a> For more information, see the OAIC&rsquo;s <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-securing-personal-information">Guide to securing personal information</a>.</p><p><a id="ftn3" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments#ftnref3">[3]</a> A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates. Entities must conduct a prompt and reasonable assessment if they suspect that they may have experienced an eligible data breach. For more information, see <a href="https://www.oaic.gov.au/_old/privacy/notifiable-data-breaches">Notifiable Data Breaches</a>.</p></div><section class="background--grey"> <div class="feature-cards__wrapper"> <h2 class="feature-cards__main-heading">Related pages</h2> <div class="feature-cards__tile"> <!--<div class="feature-cards__tile-s">--> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments" class="feature-cards__tile-links" data-order="1"> <h3 class="feature-cards__heading">Guide to undertaking privacy impact assessments</h3> <p class="feature-cards__text">Our suggested 10 step PIA process, intended for all APP entities</p> <div class="feature-cards__call-to-action"> <span class="feature-cards__arrow"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12548/arrow.svg" alt="" class="icon" aria-hidden="true"> </span> </div> </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guide-to-securing-personal-information" class="feature-cards__tile-links" data-order="2"> <h3 class="feature-cards__heading">Guide to securing personal information</h3> <p class="feature-cards__text">'Reasonable steps' to protect personal information</p> <div class="feature-cards__call-to-action"> <span class="feature-cards__arrow"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12548/arrow.svg" alt="" class="icon" aria-hidden="true"> </span> </div> </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff" class="feature-cards__tile-links" data-order="3"> <h3 class="feature-cards__heading">Coronavirus (COVID-19): understanding your privacy obligations to your staff</h3> <p class="feature-cards__text">Privacy advice for entities during COVID-19 pandemic</p> <div class="feature-cards__call-to-action"> <span class="feature-cards__arrow"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12548/arrow.svg" alt="" class="icon" aria-hidden="true"> </span> </div> </a> </div> </div><!-- /.feature-cards__wrapper --> </section> </div> <!-- Body end --> </div> </div> </main> <!-- Footer start --> <!--noindex--> <div class="footer"> <div class="footer__upper"> <div class="footer__upper--wrapper"> <div class="back-to-top__wrapper"> <button class="back-to-top" aria-label="Back to top"> <svg class="back-to-top__icon" aria-hidden="true" focusable="false" width="28" height="47" viewBox="0 0 28 47" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M6 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M14 21L14 1" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M2.94 41V33.41H0.36V31.25H8.1V33.41H5.52V41H2.94ZM13.2027 41.18C12.5227 41.18 11.9027 41.065 11.3427 40.835C10.7927 40.605 10.3177 40.275 9.9177 39.845C9.5277 39.405 9.2227 38.87 9.0027 38.24C8.7827 37.6 8.6727 36.88 8.6727 36.08C8.6727 35.28 8.7827 34.57 9.0027 33.95C9.2227 33.32 9.5277 32.795 9.9177 32.375C10.3177 31.945 10.7927 31.62 11.3427 31.4C11.9027 31.18 12.5227 31.07 13.2027 31.07C13.8727 31.07 14.4877 31.18 15.0477 31.4C15.6077 31.62 16.0827 31.945 16.4727 32.375C16.8727 32.805 17.1827 33.33 17.4027 33.95C17.6227 34.57 17.7327 35.28 17.7327 36.08C17.7327 36.88 17.6227 37.6 17.4027 38.24C17.1827 38.87 16.8727 39.405 16.4727 39.845C16.0827 40.275 15.6077 40.605 15.0477 40.835C14.4877 41.065 13.8727 41.18 13.2027 41.18ZM13.2027 38.96C13.7927 38.96 14.2527 38.705 14.5827 38.195C14.9227 37.675 15.0927 36.97 15.0927 36.08C15.0927 35.19 14.9227 34.505 14.5827 34.025C14.2527 33.535 13.7927 33.29 13.2027 33.29C12.6127 33.29 12.1477 33.535 11.8077 34.025C11.4777 34.505 11.3127 35.19 11.3127 36.08C11.3127 36.97 11.4777 37.675 11.8077 38.195C12.1477 38.705 12.6127 38.96 13.2027 38.96ZM19.4784 41V31.25H23.0484C23.5784 31.25 24.0834 31.305 24.5634 31.415C25.0434 31.515 25.4634 31.695 25.8234 31.955C26.1834 32.205 26.4684 32.54 26.6784 32.96C26.8984 33.37 27.0084 33.88 27.0084 34.49C27.0084 35.09 26.8984 35.605 26.6784 36.035C26.4684 36.465 26.1834 36.82 25.8234 37.1C25.4634 37.37 25.0484 37.575 24.5784 37.715C24.1084 37.845 23.6184 37.91 23.1084 37.91H22.0584V41H19.4784ZM22.0584 35.87H22.9884C23.4984 35.87 23.8734 35.75 24.1134 35.51C24.3634 35.27 24.4884 34.93 24.4884 34.49C24.4884 34.05 24.3534 33.74 24.0834 33.56C23.8134 33.38 23.4284 33.29 22.9284 33.29H22.0584V35.87Z" fill="white"/></svg> </button> </div> <div class="footer__logo-group"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12962/logo.svg" class="logo--main" alt="OAIC logo"> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/freedom-of-information-requests-to-the-oaic" class="footer-logo" aria-label="OAIC sub-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0021/12963/logo2.svg" class="logo--sub" alt="OAIC sub logo"> </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/our-information-publication-scheme" class="footer-logo" aria-label="OAIC Information Publication Scheme"> <img src="https://www.oaic.gov.au/__data/assets/image/0026/91385/ips_white_text.png" class="logo--sub" width="120px" alt="Information Publication Scheme"> </a> </div><div class="footer__link-group"> <ul class="link-list"> <li><a href="https://www.oaic.gov.au/sitemap" class="footer-link" aria-label="Site map">Site map</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/copyright" class="footer-link" aria-label="Copyright">Copyright</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/terms-and-conditions" class="footer-link" aria-label="Terms and conditions">Terms and conditions</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy" class="footer-link" aria-label="Privacy policy">Privacy policy</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/accessibility" class="footer-link" aria-label="Accessibility">Accessibility</a></li> </ul> </div> </div> </div> <div class="footer__lower"> <div class="footer__util-group"> <div class="footer__contact"> <a href="https://www.oaic.gov.au/contact-us" class="contact--link" aria-label="Contact us">Contact us</a> <a href="tel:1300 363 992" class="contact--phone" aria-label="Call 1300 363 992">1300 363 992</a> <p class="contact--hours">Monday to Thursday 10 am to 4 pm (AEST/AEDT)</p> </div> <div id="footer_language_listing_13517"> <div class="footer__language-list"> <label for="languages">Translations</label> <select name="languages" id="languages" onChange="if (this.value.startsWith('https://www.oaic.gov.au')) window.location = this.value;"> <option value="">Please select&hellip;</option> <option lang="ar" value="https://www.oaic.gov.au/engage-with-us/translations/arabic">العربية</option><option lang="zh" value="https://www.oaic.gov.au/engage-with-us/translations/chinese">中文</option><option lang="el" value="https://www.oaic.gov.au/engage-with-us/translations/greek">ελληνικός</option><option lang="it" value="https://www.oaic.gov.au/engage-with-us/translations/italian">Italiano</option><option lang="es" value="https://www.oaic.gov.au/engage-with-us/translations/spanish">Español</option><option lang="th" value="https://www.oaic.gov.au/engage-with-us/translations/thai">ไทย</option><option lang="vi" value="https://www.oaic.gov.au/engage-with-us/translations/vietnamese">Tiếng Việt</option><option lang="EN" value="https://www.oaic.gov.au/engage-with-us/translations/easy-english">Easy English</option> </select> </div> </div> <div class="footer__social"> <p class="social--header">Follow us</p> <ul class="social-list"> <li> <a href="https://www.facebook.com/OAICgov" class="social-link social-link--facebook" aria-label="OAIC on Facebook"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0025/12958/facebook.svg" alt="OAIC on Facebook"> </a> </li> <li> <a href="https://twitter.com/OAICgov" class="social-link social-link--twitter" aria-label="OAIC on Twitter" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0026/12959/x-logo.svg" alt="OAIC on Twitter"> </a> </li> <li> <a href="https://www.youtube.com/user/oaicgov" class="social-link social-link--youtube" aria-label="OAIC on Youtube" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0018/12960/youtube.svg" alt="OAIC on Youtube"> </a> </li> <li> <a href="https://au.linkedin.com/company/office-of-the-australian-information-commissioner" class="social-link social-link--linkedin" aria-label="OAIC on Linkedin"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0019/12961/linkedin.svg" alt="OAIC on Linkedin"> </a> </li> <li> <a href="https://www.instagram.com/oaicgov/" class="social-link social-link--Instagram" aria-label="OAIC on Instagram" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/91364/Instagram_Glyph_White.svg" alt="OAIC on Instagram"> </a> </li> </ul> </div> </div> <div class="footer__content-group"> <p class="footer__content-header">Acknowledgement of Country</p> <p class="footer__content-text">The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.</p> <p class="footer__content-copyright">&copy; Commonwealth of Australia</p> </div> </div> </div><!-- /.footer --> <!--endnoindex--> <!-- Footer end --> </div> <!-- Footer JS start --> <!--noindex--> <div id="footer_js" style="display: none !important;"> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/runtime.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/main.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/js_file/0025/242791/custom.js"></script> <script> var lhsWrapper = document.querySelector('.lhs-wrapper'); if(lhsWrapper) { lhsWrapper.innerHTML.trim() === '' ? lhsWrapper.style.display='none' : ''; } //Readpeaker function readSpeaker() { var readButtonContent = ` <div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=page-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-guidance-for-organisations-and-government-agencies%2Fprivacy-impact-assessments%2Fassessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; var readButtonSearch = ` <div id="readspeaker_button2" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=search-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-guidance-for-organisations-and-government-agencies%2Fprivacy-impact-assessments%2Fassessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; //for content pages var pageContent = document.querySelector('.page-content'); //for search pages var pageSearch = document.querySelector('.search-content'); if(pageContent) pageContent.insertAdjacentHTML('afterbegin', readButtonContent); if(pageSearch) pageSearch.insertAdjacentHTML('afterbegin', readButtonSearch); } readSpeaker(); </script> <script> function feedbackGrepCallback(response) { if (response.length > 0) { document.querySelector(".feedback__submit input").disabled = false } } function feedbackGrepExpiredCallback(response) { if (!response) { document.querySelector(".feedback__submit input").disabled = true } } </script> </div> <style> .page-content section.banner-grey-newsroom__wrapper, .page-content section.landing-page { display: none; } </style> <!--endnoindex--> <!-- Footer JS end --> </body> </html>