priivacy

    Compliance Deep-Dive

    Australian Privacy Principles

    Demo Scan (Copy) · scanned May 27, 2026

    Jurisdiction AU · OAIC (Office of the Australian Information Commissioner)

    Overall compliance risk: CRITICAL
    3 of 8 articles flagged across 1,074 findings.
    Files scanned: 70
    Files with PII: 68
    Total findings: 1,074
    Articles touched: 8 / 8
    Top actions to take
    1. APP-3: Audit whether sensitive identifiers (TFN, Medicare, passport) are collected only where legally permitted and necessary.
    2. APP-3: Document the legal basis for collecting each high-sensitivity identifier present in scan findings.
    3. APP-6: Review sharing settings on files containing high-sensitivity PII — ensure no unintended external access.
    4. APP-6: Map internal use cases for each sensitive PII type to documented legal bases.
    5. APP-11: Delete copies of full ID documents (passport, driver's licence, Medicare card) — Privacy Act data minimisation. If you're an AML/CTF Tranche 1 reporting entity, OAIC 31 March 2026 guidance now makes this explicit: AML/CTF does not require retention of full ID document copies.
    6. APP-11: Redact or quarantine files containing other restricted identifiers (TFN, bank account, credit card).
    7. APP-11: Review access permissions on any file with critical PII — apply least privilege.
    8. APP-11: Enforce retention policies on files containing PII that is no longer needed.

    Article-by-article assessment

    APP-1
    Open and transparent management of personal information

    Entities must have a clearly expressed and up-to-date privacy policy.

    Risk level: NONE
    Evidence from this scan
    PII Type | Sensitivity | Findings | Files
    (no findings in this scan)
    Recommended actions
    • Review the published privacy policy against the categories of PII actually held.
    • Ensure the policy names the jurisdictions where personal information is stored.
    APP-3
    Collection of solicited personal information

    Only collect personal information necessary for one or more of the entity's functions.

    Risk level: HIGH
    Evidence from this scan
    PII Type         | Sensitivity  | Findings | Files
    Driver's Licence | confidential | 2        | 2
    Passport Number  | restricted   | 28       | 17
    Recommended actions
    • Audit whether sensitive identifiers (TFN, Medicare, passport) are collected only where legally permitted and necessary.
    • Document the legal basis for collecting each high-sensitivity identifier present in scan findings.
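    The first APP-3 action, auditing which scan hits are genuine TFNs and Medicare numbers, starts with the published check-digit rules, which reject most coincidental digit runs before anyone has to look at the file. The block below is an added example, not code from this report or from the scanning tool that produced it: it implements the ATO mod-11 check for 9-digit TFNs and the Services Australia check for Medicare card numbers, then runs both over a constructed list of findings whose shape (PII type, matched text, path) is assumed for the example. The two valid numbers are the standard documented test values, not real identifiers; older 8-digit TFNs are not handled, and types without a checksum (passport numbers here) pass through unvalidated.

```python
"""Check-digit validation for two Australian identifiers that PII scans
commonly over-match: Tax File Numbers (TFN) and Medicare card numbers.

Added example; not code from the report or the scanning tool behind it.
Weight tables are the published ATO and Services Australia algorithms.
Sample findings at the bottom are constructed test data; the valid numbers
are the standard documented test values, not real people's identifiers.
"""
import re

# ATO algorithm for 9-digit TFNs: weighted digit sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Medicare card: weighted sum of the first 8 digits, mod 10, equals the 9th
# (check) digit. The 10th digit is the card issue number (1-9); an optional
# 11th digit is the individual reference number (IRN) of a person on the card.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)


def _digits(value: str) -> str:
    """Strip the spaces, hyphens and dots that scanners leave in matched text."""
    return re.sub(r"[\s\-.]", "", value)


def is_valid_tfn(value: str) -> bool:
    d = _digits(value)
    if len(d) != 9 or not d.isdigit():
        return False
    total = sum(int(c) * w for c, w in zip(d, TFN_WEIGHTS))
    return total % 11 == 0


def is_valid_medicare(value: str) -> bool:
    d = _digits(value)
    if len(d) not in (10, 11) or not d.isdigit():
        return False
    if d[0] not in "23456":          # card numbers start with 2-6
        return False
    total = sum(int(c) * w for c, w in zip(d[:8], MEDICARE_WEIGHTS))
    if total % 10 != int(d[8]):      # 9th digit is the check digit
        return False
    return d[9] != "0"               # issue number is 1-9


VALIDATORS = {"TFN": is_valid_tfn, "Medicare Number": is_valid_medicare}


def triage_findings(findings):
    """Split scanner findings into checksum-confirmed hits and likely false
    positives. Each finding is an assumed (pii_type, matched_text, path) tuple.
    Types with no validator are kept as confirmed: nothing here can reject them."""
    confirmed, rejected = [], []
    for pii_type, text, path in findings:
        check = VALIDATORS.get(pii_type)
        if check is None or check(text):
            confirmed.append((pii_type, text, path))
        else:
            rejected.append((pii_type, text, path))
    return confirmed, rejected


# Constructed sample findings, in the shape a scanner might emit them.
SAMPLE_FINDINGS = [
    ("TFN", "123 456 782", "hr/onboarding/employee-42.docx"),          # documented test TFN
    ("TFN", "123 456 789", "finance/invoices/INV-0099.pdf"),           # fails the mod-11 check
    ("Medicare Number", "2123 45670 1", "claims/2025/claim-17.xlsx"),  # documented test number
    ("Medicare Number", "2123 45671 1", "marketing/list.csv"),         # wrong check digit
    ("Medicare Number", "1123 45670 1", "marketing/list.csv"),         # invalid leading digit
    ("Passport Number", "PA1234567", "hr/onboarding/employee-42.docx"),  # no checksum available
]

if __name__ == "__main__":
    ok, bad = triage_findings(SAMPLE_FINDINGS)
    for f in ok:
        print("CONFIRMED", *f)
    for f in bad:
        print("REJECTED ", *f)
```

    A hit that fails its checksum may still be a mistyped real identifier, so quarantine rejected findings rather than discarding them; the confirmed list is what feeds the legal-basis audit and the per-file access review under APP-11.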
    APP-5
    Notification of the collection of personal information

    At or before the time of collection, take reasonable steps to notify the individual.

    Risk level: NONE
    Evidence from this scan
    PII Type | Sensitivity | Findings | Files
    (no findings in this scan)
    Recommended actions
    • Confirm collection notices cover the PII categories identified in the scan.
    APP-6
    Use or disclosure of personal information

    Personal information may only be used/disclosed for the primary purpose of collection (with limited exceptions).

    Risk level: HIGH
    Evidence from this scan
    PII Type         | Sensitivity  | Findings | Files
    Passport Number  | restricted   | 28       | 17
    Driver's Licence | confidential | 2        | 2
    Recommended actions
    • Review sharing settings on files containing high-sensitivity PII — ensure no unintended external access.
    • Map internal use cases for each sensitive PII type to documented legal bases.
    APP-8
    Cross-border disclosure of personal information

    Before disclosing personal information overseas, take reasonable steps to ensure the overseas recipient does not breach the APPs.

    Risk level: NONE
    Evidence from this scan
    PII Type | Sensitivity | Findings | Files
    (no findings in this scan)
    Recommended actions
    • Verify cloud storage regions — SharePoint/OneDrive tenants hosting Australian PII should be in a jurisdiction with adequate protection.
    APP-11
    Security of personal information

    Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

    Risk level: CRITICAL
    Evidence from this scan
    PII Type                          | Sensitivity  | Findings | Files
    Driver's Licence                  | confidential | 2        | 2
    Passport Number                   | restricted   | 28       | 17
    Credit Card Number                | restricted   | 100      | 1
    Date of Birth                     | confidential | 33       | 20
    Person Name                       | internal     | 356      | 41
    International Bank Account Number | restricted   | 1        | 1
    Recommended actions
    • Delete copies of full ID documents (passport, driver's licence, Medicare card) — Privacy Act data minimisation. If you're an AML/CTF Tranche 1 reporting entity, OAIC 31 March 2026 guidance now makes this explicit: AML/CTF does not require retention of full ID document copies.
    • Redact or quarantine files containing other restricted identifiers (TFN, bank account, credit card).
    • Review access permissions on any file with critical PII — apply least privilege.
    • Enforce retention policies on files containing PII that is no longer needed.
    APP-12
    Access to personal information

    An individual has a right to request access to their personal information held by an entity.

    Risk level: NONE
    Evidence from this scan
    PII Type | Sensitivity | Findings | Files
    (no findings in this scan)
    Recommended actions
    • Ensure a documented process exists for subject access requests against the scanned data sources.
    APP-13
    Correction of personal information

    Entity must take reasonable steps to correct personal information held to ensure accuracy.

    Risk level: NONE
    Evidence from this scan
    PII Type | Sensitivity | Findings | Files
    (no findings in this scan)
    Recommended actions
    • Verify data owners of files containing PII can be contacted for correction requests.

    Generated 5/27/2026, 12:41:00 PM · Australian Privacy Principles · OAIC (Office of the Australian Information Commissioner)