Services Australia has failed to adequately notify the regulator of a sharp rise in data breaches.
The agency, which runs Centrelink and Medicare and holds data on 27.5 million Australians, has not been issuing notifiable data breach warnings to the Office of the Australian Information Commissioner (OAIC) as it should, an audit by the Australian National Audit Office finds.
Services Australia recorded 6,042 privacy incidents between 2022-23 and 2024-25, yet the OAIC received only 89 data breach notifications from the agency in 2024-25 and 50 in 2023-24.
Services Australia has also been slow to report: the OAIC has often learned of incidents only 50 or more days after they occurred, well outside the 30 days the Notifiable Data Breaches scheme gives an entity to assess a suspected eligible breach.
The audit office recommends that Services Australia establish a centralised register for recording suspected data breaches, to support monitoring and oversight of future incidents.
There were other gaps, the audit finds, including a failure to analyse data on privacy breaches and complaints to assess risk.
Services Australia has also not established an overarching assurance framework setting out how the agency satisfies itself that it is effectively managing the privacy of client information.
Inadequate protection of privacy is a theme running through the 87-page report. Despite having developed governance arrangements and processes for handling data breaches and cyber-attacks, the audit finds that Services Australia's arrangements for managing privacy "fall short of its risk profile and emerging risks".
Acknowledging that Services Australia has “largely appropriate policies in place” to meet the requirements of the Privacy Act, the audit office also found “gaps in arrangements to manage privacy risks at the enterprise level”. And while the agency undertakes privacy impact assessments, “there were record-keeping deficiencies”. Only 57 privacy impact assessments were completed by Services Australia from 2022-23 to 2024-25, the audit finds.
Among the National Audit Office recommendations:
Services Australia should improve the identification, assessment and management of privacy risks by implementing an enterprise-wide privacy risk management plan.
The Australian Government consider implementing arrangements to support Services Australia being provided with timely notification of third-party data breaches involving government-related identifiers such as Medicare numbers and Centrelink reference numbers.
Services Australia publish all data-matching program protocols on its website, including dates of operation, and regularly review the currency of the information published.
The Australian Government review existing data-matching activities undertaken by Services Australia and other government entities to assess whether the current frameworks are appropriate for use with contemporary data-matching and information-sharing practices and provide sufficient transparency and accountability.
The Attorney-General’s Department consider advice to the Australian Government on options to improve the transparency of entities’ compliance with the Privacy Act.
Responding to the findings, Services Australia said it notes the auditor’s recommendations, adding “protecting privacy is a key part of the agency’s core business”.
Across business and government, 1,113 data breaches were notified to the OAIC in 2024, up from 893 notifications in 2023. The Australian Government sector ranked second for privacy complaints and third for notifiable data breaches.