Privacy by Design: The Standard for Information Systems Under Australian Law

Written By

Nick Boyle

Partner
Australia

I have deep experience acting for and advising clients on digital transformation projects and complex commercial transactions, including those involving procurement, the design and implementation of complex IT systems, business process outsourcing arrangements and the commercialisation of technology services and systems. I also advise clients on data protection and cyber-security related matters, including advice on regulatory compliance with privacy and cyber laws, and data incident responses.

Mia Herrman

Associate
Australia

I am an associate in our Tech Transactions team in Sydney, specialising in technology, cybersecurity and privacy advisory work.

ATQ and CEO of Services Australia (Privacy) [2025] AICmr

A recent binding determination by the Privacy Commissioner provides useful guidance as to the types of systems the Commissioner considers suitable to prevent personal information being disclosed without authorisation or becoming inaccurate or out of date. The case sends a clear message: privacy policies alone are not enough - systems, training, and enforcement mechanisms must operate effectively and proactively to protect against unauthorised disclosures and inaccurate data handling. In this article, we outline the relevant privacy law that Australian organisations must adhere to and examine how Services Australia (SA) deviated from these requirements. We also highlight practical compliance lessons for other APP entities, particularly those handling sensitive information on a large scale.

The Australian Privacy Principles (APPs), found in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) regulate the collection, use and disclosure of personal information by eligible companies and government organisations in Australia (APP entities). Although principles-based, the APP obligations are binding and carry penalties for non-compliance.

Repeated Privacy Breaches by Services Australia

SA holds personal information, including sensitive information, such as names, dates of birth, addresses, Medicare histories and vaccination histories. Between 2015 and 2021, SA, through Medicare, repeatedly mishandled a customer's personal information, resulting in serious privacy breaches. Due to an ongoing intertwinement of records, the customer’s details became entangled with those of another Medicare user, leading to multiple errors over several years.

On three separate occasions, SA employees mistakenly updated the complainant’s records with another customer’s address, creating ongoing confusion and potential risks. In a further breach, the complainant’s entire COVID-19 and influenza vaccination history was incorrectly assigned to another person’s Medicare record, compromising both individuals’ medical information.

These events demonstrate the risks of systemic failure where information systems are not sufficiently robust or accurate, particularly when managing large volumes of sensitive information.

Disclosure of Information for a Non-Permitted Purpose (APP 6)

APP 6.1 states that if an APP entity holds personal information about an individual that was collected for a primary purpose (here, the collection of personal information for the purpose of providing services), the entity must not use or disclose that information for a secondary purpose without consent.[1]

Through various actions causing, and resulting from, the intertwinement, SA was found to have used and disclosed personal information for a secondary, non-permitted purpose (mistakenly updating another customer's record), including by:

  1. sending the complainant’s Medicare card (containing a number and expiry date) to a third party in the mail (twice);
  2. disclosing medical claims information of other customers to the complainant;
  3. sending the complainant a notice intended for another customer that the other customer had nearly reached their claims threshold; and
  4. making the complainant’s immunisation history available to a third party, including the date and type of immunisation administered (twice).

The Commissioner found that these were not isolated lapses but symptoms of broader, systemic shortcomings.

Inadequacy of Systems to Ensure Up-to-Date Information (APP 10)

SA was determined to have breached APP 10 by failing to ensure the complainant’s personal information was accurate, up-to-date, complete and relevant, by:

  1. having on the complainant’s record Medicare claims of another person;
  2. notifying the complainant of the status of another customer’s claim entitlement, due to inaccurate contact information on the complainant’s account; and
  3. the complainant’s COVID and influenza vaccination history being assigned to another person.

SA had internal Guidelines intended to ensure that the personal information it collected, used and disclosed was accurate, up-to-date and complete. However, the Commissioner determined that Guidelines, without systems to enforce compliance with them, were insufficient. This underscores that a policy framework without effective operational execution will not shield an organisation from liability.

Inadequacy of Systems to Protect Against Unauthorised Disclosure (APP 11)

The Commissioner determined SA additionally failed to take reasonable steps to prevent the disclosure of information, in breach of APP 11.1.

The system SA employed to protect the complainant's information was an account-flagging process: where intertwined records were identified or suspected, a warning was placed on the complainant's account to indicate actual or suspected data integrity issues, and any subsequent changes to the record had to be made by a specialised team. That system was used widely across SA.

In determining that there was a failure to take reasonable steps, the Commissioner treated the occurrence of the breaches themselves as evidence that SA's procedures and systems were inadequate, particularly given the frequency of the same or similar disclosures and the extended period over which they occurred. A key takeaway is that repeated breaches over time may indicate systemic inadequacies and expose an entity to liability under multiple APPs: a single disclosure can constitute a breach in its own right and also point to broader systemic deficiencies.

The Commissioner first determined the standard SA should have met in respect of its governance, culture and training, practices, procedures and systems, and then found that this standard had not been met. In setting the bar, the Commissioner noted:

  1. the size, nature, and budget of SA as a large Commonwealth agency which provides essential services to most of Australia through Medicare, Centrelink, and Child Support;
  2. the types of sensitive information including about customers health and welfare, financial situation, disabilities, citizenship status and family circumstances for millions of Australians, held by SA, and the consequences associated with unauthorised access or disclosure of that information; and
  3. the practical implications of implementing additional security measures, which the Commissioner considered pointed towards such measures being warranted.

The Commissioner also highlighted that the account-flagging system had not protected the complainant against subsequent recurrences and had been burdensome for the customer, who had to deal with a specialised team to undertake routine tasks such as obtaining a vaccination certificate.

Appropriate Procedures and Systems to Enable Data Integrity

The Commissioner also assessed the steps SA could have taken, through appropriate systems, procedures and training, to meet the reasonable standard, providing valuable and novel guidance for APP entities.

To ensure accurate and up-to-date information (APP 10.2):

  1. Systems to audit, monitor, identify, verify with individuals, and correct information.
  2. Systems enabling individuals to update their personal information each time they engage with SA.

To prevent unauthorised disclosure (APP 11.1), robust procedures to prevent the intertwinement of customer records, such as:

  1. System alerts of merge risk factors prior to records being updated.
  2. Identifiers in addition to names and dates of birth being required for customers at high risk of intertwinement, such as a unique agreed password, prior to a record being updated.
  3. Manual review and approval requirements before certain customer records are able to be amended.
  4. Disabling the automatic merger of certain records which systems determine match other records.
  5. Proactive monitoring of customers at risk of intertwinement.

These examples provide a checklist for other APP entities to benchmark their systems and training protocols.
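As an added illustration, not part of the determination or of SA's systems, the following Python sketch shows how the intertwinement controls in that checklist could be wired into a record-update path: merge-risk alerts evaluated before any write, an agreed password gate for high-risk customers, manual review in place of automatic updates or merges, and a proactive scan for at-risk pairs. The record layout, field names, identifiers and sample customers are constructed for the example and are not drawn from any real system.

```python
"""Pre-update guard against intertwined customer records (hypothetical example).

Record layout and sample data below are constructed for illustration; they do
not describe SA's actual systems. The name+date-of-birth match is used as the
merge-risk factor because that is the collision the determination describes.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hashlib
import hmac


class Decision(Enum):
    ALLOW = "allow"                  # no risk factors: update applied automatically
    MANUAL_REVIEW = "manual_review"  # risk factors found: specialised team must approve
    DENY = "deny"                    # high-risk record and agreed password missing or wrong


@dataclass
class Customer:
    record_id: str
    name: str
    dob: str                              # ISO date "YYYY-MM-DD"
    address: str
    high_risk: bool = False               # set after an actual or suspected intertwinement
    password_hash: Optional[str] = None   # SHA-256 of the agreed password (high-risk only)


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class RecordStore:
    def __init__(self, customers):
        self.customers = {c.record_id: c for c in customers}

    def _twins(self, rec: Customer):
        """Other records sharing name and date of birth with `rec`."""
        return [o for o in self.customers.values()
                if o.record_id != rec.record_id
                and (o.name.casefold(), o.dob) == (rec.name.casefold(), rec.dob)]

    def merge_risk_factors(self, rec: Customer, changes: dict) -> list:
        """Control 1: risk factors an update would create, evaluated BEFORE anything is written."""
        factors = [f"name+dob collision with {o.record_id}" for o in self._twins(rec)]
        new_address = changes.get("address")
        if new_address is not None:
            for o in self.customers.values():
                if o.record_id != rec.record_id and o.address.casefold() == new_address.casefold():
                    factors.append(f"new address is already on record {o.record_id}")
        return factors

    def propose_update(self, record_id: str, changes: dict, supplied_password: Optional[str] = None):
        rec = self.customers[record_id]
        # Control 2: a high-risk customer must supply the agreed password before any update.
        if rec.high_risk:
            if (supplied_password is None or rec.password_hash is None
                    or not hmac.compare_digest(rec.password_hash, hash_password(supplied_password))):
                return Decision.DENY, ["agreed password required for high-risk record"]
        # Control 3: risk factors route the change to manual review instead of writing it.
        factors = self.merge_risk_factors(rec, changes)
        if factors:
            return Decision.MANUAL_REVIEW, factors
        for field_name, value in changes.items():
            setattr(rec, field_name, value)
        return Decision.ALLOW, []

    def auto_merge_decision(self, id_a: str, id_b: str) -> Decision:
        """Control 4: never auto-merge on name+dob alone, nor when either record is flagged."""
        a, b = self.customers[id_a], self.customers[id_b]
        if a.high_risk or b.high_risk:
            return Decision.MANUAL_REVIEW
        same_identity = (a.name.casefold(), a.dob) == (b.name.casefold(), b.dob)
        same_address = a.address.casefold() == b.address.casefold()
        return Decision.ALLOW if (same_identity and same_address) else Decision.MANUAL_REVIEW

    def at_risk_pairs(self):
        """Control 5: proactive monitoring; pairs of records sharing name and date of birth."""
        ids = sorted(self.customers)
        pairs = []
        for i, x in enumerate(ids):
            for y in ids[i + 1:]:
                a, b = self.customers[x], self.customers[y]
                if (a.name.casefold(), a.dob) == (b.name.casefold(), b.dob):
                    pairs.append((x, y))
        return pairs


def build_demo_store() -> RecordStore:
    """Constructed sample data: two unrelated customers share a name and date of birth."""
    return RecordStore([
        Customer("cust-001", "Jane Citizen", "1980-04-12", "1 Example Rd, Sampleville NSW",
                 high_risk=True, password_hash=hash_password("correct horse battery")),
        Customer("cust-002", "Jane Citizen", "1980-04-12", "2 Other St, Sampleville NSW"),
        Customer("cust-003", "Sam Unrelated", "1975-09-30", "3 Lone Ave, Elsewhere VIC"),
    ])


if __name__ == "__main__":
    store = build_demo_store()
    # A clerk tries to put cust-001's address onto cust-002: the error type in the determination.
    print(store.propose_update("cust-002", {"address": "1 Example Rd, Sampleville NSW"}))
    print(store.propose_update("cust-001", {"address": "5 New Pl, Sampleville NSW"}))
    print(store.propose_update("cust-001", {"address": "5 New Pl, Sampleville NSW"},
                               supplied_password="correct horse battery"))
    print(store.propose_update("cust-003", {"address": "9 Fresh St, Elsewhere VIC"}))
    print(store.auto_merge_decision("cust-001", "cust-002"), store.at_risk_pairs())
```

The design point is that every check runs on the proposed state before a write, so the update that would have intertwined the records never reaches the database; it becomes a review item with the risk factors attached, rather than an error discovered later by the affected customer.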

Declarations and Orders Against SA

SA was declared to have engaged in conduct constituting an interference with the complainant’s privacy for reasons discussed above, and was ordered to:

  1. apologise in writing to the complainant;
  2. within three months, review the effectiveness of its internal guidelines as to the intertwinement of customer records, with recommendations to be provided to the OAIC within 30 days of finalisation of that report; and
  3. within 30 days of implementation of the recommendations, provide the OAIC with details of implementation action taken;
  4. provide a summary to the complainant of findings and recommendations which are relevant to the matters complained of; and
  5. pay $10,000 for non-economic loss caused by the interference with the complainant’s privacy.

Penalties for serious or repeated breaches of the APPs

Serious or repeated breaches of the Privacy Act can expose APP entities to significant civil penalties; the maximum penalty for each contravention is the greater of:[2]

  1. $50,000,000;
  2. three times the value of the benefit obtained directly or indirectly for the breach; or
  3. if the benefit cannot be determined, 30% of the adjusted turnover[3] during the turnover period for the contravention.

For breaches of the APPs that are not serious or repeated, a Court may impose a penalty of up to 2,000 penalty units, currently $626,000 ($313 x 2,000).[4]

The OAIC may also issue a compliance notice requiring compliance with certain (more administrative) APPs, such as the requirement to have a privacy policy containing prescribed information.[5] Failure to take the steps specified in the notice is itself a contravention, exposing the entity to a civil penalty assessed on the basis of the seriousness of the interference.[6]

For the same APPs that may be the subject of a compliance notice, the Commissioner may issue an infringement notice, which gives the entity an opportunity, but not an obligation, to pay a fixed amount for the alleged non-compliance rather than face Court proceedings.[7]

This determination reflects the Commissioner’s view that effective privacy protections require properly implemented arrangements, not just indicative policies, to genuinely prevent unauthorised disclosures. These structures should be proactive and preventive rather than merely remedial.

It was not sufficient for SA to have offered the customer a verifying password option after the fact; the control needed to be in place before the disclosures occurred. The Commissioner noted that the rigour of the steps required increases with the seriousness of the consequences of disclosing the kind of information in question.

Takeaways

This determination is a strong signal to APP entities: "set and forget" privacy compliance is not enough. Policies must be embedded within effective, auditable systems and continuously monitored, particularly when dealing with sensitive data at scale. The determination follows an investigation by the OAIC, indicating the Commissioner's willingness to exercise its regulatory powers and enforce against breaches. It is a further indication that the Commissioner is prepared to hold agencies accountable for systemic failures, not just individual errors.

Please reach out to our expert team for guidance on compliance with the OAIC’s regulatory requirements.

This article was written with the assistance of Jeremy Mayblooom.



[1] This requirement is subject to exceptions in APP 6.2 and 6.3, which were inapplicable.

[2] Ibid ss. 13G and 80U.

[3] See: Privacy Act, s. 13G(5).

[4] Ibid s. 13H.

[5] Ibid s. 80U.

[6] Ibid s. 80U(4).

[7] Ibid s. 80UB.
