Services Australia Privacy Controls Need Work

Services Australia has been criticised for failing to effectively manage the privacy of client information, with an audit finding critical deficiencies in risk management, data breach notifications and transparency.

An Australian National Audit Office (ANAO) report found the agency's privacy arrangements "fall short of its risk profile and emerging risks" despite handling personal information for more than 27 million Australians.

Services Australia delivers government services and payments through three main programs: Medicare, Centrelink, and Child Support. The agency also delivers services on behalf of other government departments including aged care, student assistance and the National Disability Insurance Scheme.

"Services Australia is partly effective in managing the privacy of client information," the report stated. "There were deficiencies with risk management, data matching, record-keeping, privacy impact assessments, transparency and reporting."

The audit found Services Australia has no enterprise-level privacy risk management plan despite operating in what it acknowledges is a "high-risk privacy environment."

Privacy incidents surged from 3,646 in 2020–21 to 11,413 in 2024–25, driven largely by malicious actors. Notifiable data breaches nearly doubled from 50 in 2023–24 to 89 in 2024–25.

Data Matching Framework Under Scrutiny

A critical finding concerned Services Australia's decision to stop conducting data matching under the Data-matching Program (Assistance and Tax) Act 1990, instead following voluntary guidelines.

"There was no documented rationale or legal advice to underpin this change," the report noted. "This approach reduces transparency and accountability to Parliament."

The agency has published only 13 of 32 data-matching protocols, falling short of Office of the Australian Information Commissioner (OAIC) voluntary guidelines.

The audit found Services Australia has not fully implemented Royal Commission into the Robodebt Scheme recommendations relating to data matching practices.

Services Australia failed to meet the legislated 30-day requirement for assessing potential notifiable data breaches in 2022–23 and 2023–24. Between July 2019 and June 2025, only 27 per cent of confirmed breaches were processed within the required timeframe.

"Services Australia did not notify affected individuals and the OAIC in accordance with its internal target timeframes, although performance improved in the first quarter of 2025–26," the report stated.

The audit noted Services Australia has not documented its approach to assuring that its handling of notifiable data breaches complies with the Privacy Act.

Privacy Impact Assessment Transparency Concerns

While Services Australia undertakes privacy impact assessments (PIAs) for high-risk projects, the audit found record-keeping deficiencies and lack of public consultation.

None of the PIAs assessed by ANAO included public consultation, despite OAIC guidance recommending this practice. Of 18 Freedom of Information requests for PIAs since 2020, only one was successful, with 14 refused on legal professional privilege grounds.

"Services Australia does not publish PIAs," the report stated. "It does not provide information to the public on its PIAs beyond report dates and titles."

The ANAO made eight recommendations, including five directed to Services Australia and three to other government entities.

Key recommendations for Services Australia include implementing an enterprise-wide privacy risk management plan, publishing all data-matching protocols, improving PIA transparency, analysing privacy complaints to identify trends, and establishing a privacy assurance strategy.

Services Australia agreed to four recommendations and agreed in principle to one concerning privacy risk management, stating it would "explore opportunities to improve the identification, assessment and management of privacy risk."

The Attorney-General's Department was asked to consider improving transparency of entities' Privacy Act compliance through advice to government on reporting options.

Broader Data Breach Environment

The audit comes as Australia faces increasing data breach threats. According to the OAIC, businesses and government entities reported 1,113 data breaches in 2024, up from 893 in 2023.

"The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish," the Privacy Commissioner stated in May 2025.

The Australian Government sector was the second highest sector for privacy complaints and third highest for notifiable data breaches in 2023–24.

Services Australia Chief Executive Officer David Hazlehurst said: "The Agency welcomes the report and notes the report recommendations aimed at further strengthening the Agency's management of privacy."

"Protecting privacy is a key part of the Agency's core business and promotes trust and confidence in the Agency to deliver government services to all Australians."
