The OAIC’s Privacy Foundations Self-Assessment Tool: Pros, Cons, and Our Review
Last month, the Office of the Australian Information Commissioner (OAIC) released a self-assessment tool for organisations operating in Australia. The assessment is designed to take 15-20 minutes to complete and it scores your overall privacy maturity.
Generally speaking, we like the tool! It’s easy to follow, easy to understand, and it highlights some of the key foundational elements of privacy maturity – including items that are often overlooked, like timely destruction of personal information.
But, there are some limitations too. We dig into how this tool works, and its pros and cons in this post.
How the OAIC’s Privacy Foundations Self-Assessment Tool Works
The tool is available for download in either PDF or Excel format. We used the PDF version for our review (but the Excel version is definitely better and doesn’t have some of the formatting issues outlined below).
Essentially, the tool is a 28-page document with the following layout:
- Introduction: Pages 1-2 contain a description of how the tool works and a disclaimer. It reiterates at this stage that it is intended to assess privacy maturity, not privacy compliance.
- Questionnaire: Pages 3-21 contain the Questionnaire and scoring details. On any given question, you can score either 0, 0.5, or 1, depending on your internal practices. The document also highlights recommendations for lower privacy maturity scores and considerations for those scoring 1 on any given question. Worth noting is that there are some formatting issues, with some blank pages and others containing just one line of text. So the page count may reduce in the future with re-formatting, which will make completion less daunting.
- Action Plan: Pages 22-28 contain the Action Plan. These pages outline what you should be doing to advance your privacy maturity based on your score from the Questionnaire. Then, there are multiple pages with a blank framework for you to fill in – including an outline of your Action, Accountable person, and Due Date for your implementation plan for each element of the Questionnaire.
Note we’ve used the PDF page count functionality for our description above (though the paging may well be updated).
What The OAIC’s Foundational Privacy Self-Assessment Tool Covers
The Questionnaire covers the following foundational elements of organisational privacy:
- Accountability
- Transparency
- Training
- Managing Privacy Risk
- Managing Third-Party Risk (see our detailed guide on third-party risk management)
- Collection of personal information
- Sensitive Information and Consent
- Managing Use and Disclosure
- Direct Marketing Compliance (see our privacy considerations for marketing teams)
- Information Inventory
- Cyber Security
- Data Breach Management
- Secure and Timely Destruction or De-identification
- Enquiries, Complaints, and Requests.
Benefits of the OAIC’s Privacy Foundations Tool
The tool lays out 14 foundational privacy practices in clear, plain language. We like the fact that it’s easy to follow and it offers practical guidance at every step. The scoring system makes it clear where your organisation should direct its efforts to improve privacy maturity, and makes it easier to identify gaps and blind spots.
Here’s a list of practical applications we see for the tool:
- Initial Privacy Health Check: Organisations can use it to get a quick overview of their current privacy practices and identify immediate areas for improvement. This is especially useful for those without dedicated privacy expertise in-house.
- Developing a Privacy Management Plan: The tool’s results directly feed into creating a Privacy Management Plan for the organisation, offering a structured way to outline actions and responsibilities.
- Employee Training and Awareness: The questions themselves introduce foundational privacy concepts, which can be used as discussion points or a baseline for internal privacy training sessions for staff.
- Identifying Gaps in Policies and Procedures: By answering “Partial” or “No” to questions, organisations can pinpoint specific areas where their privacy policies, procedures, or systems are lacking or inconsistently applied.
- Prioritising Privacy Initiatives: The scoring system and tailored recommendations help organisations understand their privacy maturity level and prioritise which privacy improvements to tackle first. For instance, a low score (“Initial” or “Commencing”) will highlight the need to establish foundational practices.
- Guiding Internal Discussions: The tool can serve as a common framework for different departments (e.g., legal, IT, marketing, HR) to discuss and align on privacy responsibilities and practices within the organisation.
- Benchmarking Progress Over Time: While not explicitly a benchmarking tool against other organisations, organisations can complete the self-assessment periodically to track their own progress in improving privacy maturity over time.
- Preparing for More In-Depth Assessments: For organisations covered by the Privacy Act, completing this foundational tool can provide a useful preparatory step before engaging with the OAIC’s more in-depth Privacy Management Plan tool or seeking independent expert advice.
- Demonstrating Commitment to Privacy: Completing and acting on the recommendations from the tool can demonstrate an organisation’s proactive commitment to building consumer trust and confidence by handling personal information safely and securely.
Limitations of the OAIC’s Privacy Foundations Tool
While it is a helpful starting point for organisations looking to promote a culture of privacy and improve privacy maturity, the tool does have some limitations – which are to be expected given its title as a Privacy Foundations Self-Assessment Tool.
Importantly, it does not assess compliance under Australia’s Privacy Act, or other legal obligations. Nor does it necessarily identify organisational privacy risk levels (though it can be a helpful input into privacy risk consideration, based on identified maturity levels).
There are other tools that are helpful if you’re more focused on legal compliance at this stage. We suggest the OAIC’s interactive privacy management plan tool.
There are some areas which it might help to look at in more detail, for example:
- Are people given the option to deal with the organisation anonymously / pseudonymously wherever possible?
- Is there any opportunity for the collection of unsolicited information?
- Are any government identifiers collected and if they are, how are they used?
However, we also understand that the tool can’t cover everything and the above are some of the more detailed issues which would be part of the next review.
It can also be hard to measure privacy maturity across an organisation – with different parts of the organisation likely to have different privacy responsibilities, practices and associated risks. A useful next step might be guidance on how to use the tool across a more complex agency or organisation, which might include multiple assessments being aggregated into an overarching privacy maturity view.
It is interesting that the tool refers to the use of opt-outs for marketing – although this is allowed under the Privacy Act, best practice suggests that opt-in is the preferred option and a change in the definition of ‘consent’ in the future may further support this approach.
Conclusion
Ultimately, using this tool requires an initial 15-20 minute investment. From there, it will either identify some gaps in your privacy practices or, in cases where your privacy maturity is currently on the lower side, it will offer a basic framework for improving privacy.
It is a great starting point for organisations yet to begin their privacy maturity uplift journey, and it provides a great insight into the areas the OAIC regards as foundational.
It is also really encouraging to see this sort of practical tool released by the OAIC. We are confident that it will be widely used and appreciated by Australian entities covered by the Privacy Act.
If you’d like an outside opinion on your organisation’s privacy practices or your next steps for improving your privacy maturity, reach out. Our team of privacy professionals regularly offers outsourced privacy services ranging from privacy management to tailored training and awareness programs.