Fact Sheet - Monitoring compliance with the GIPA Act
Read the document below or download it here Fact Sheet - Monitoring compliance with the GIPA Act, updated March 2020
Under section 17 of the GIPA Act, the Information Commissioner is to “monitor, audit and report on the exercise by agencies of their functions under and compliance with” the Act.
The purpose of this fact sheet is to inform agencies and citizens how the IPC approaches its monitoring, auditing and reporting functions.
The IPC’s approach
In order to promote access to government information, the IPC has developed a compliance program with three levels.
Level 1 – self-assessment
To support this self-assessment process, the IPC works collaboratively with agencies to help the agency address areas for improvement as identified during its assessment of its systems, policies and practices designed to comply with the GIPA Act through the provision of advice, guidance and assistance and published resources.
Level 2 – compliance audit
A compliance audit under section 17 of the GIPA Act may be triggered by a complaint or a series of complaints about an agency, or may be initiated by the IPC as part of its annual audit program.
Compliance audits adhere to the principles of procedural fairness. A compliance audit can be limited in scope to a particular aspect of legislative compliance or more broadly in respect to a number of legislative issues identified.
The IPC will notify the agency of a compliance audit and the general scope of the audit that will be undertaken at the time of the compliance audit.
Once we have completed our compliance audit we will document the relevant facts, reach a conclusion based on the available evidence, and determine a suitable response in accordance with our legislation and the principles of procedural fairness.
The agency will be given the opportunity to consider a draft report and provide comment. The IPC will consider the Agency’s comments before forming a final view and concluding the compliance audit.
If an adverse comment is going to be made about the
agency in a compliance audit, the Commissioner must inform the Minister responsible for the agency and must, if requested, consult the Minister.
A report may also be made available to a complainant whose complaint led to the review.
The Information Commissioner may request that the agency reported on notify the IPC of action taken or proposed as a result of the review.
Level 3 – formal investigation
This will involve the exercise of the Information Commissioner’s formal powers, as set out in Division 4 of the Government Information (Information Commissioner) Act 2009.
The IPC has published a fact sheet, Being Investigated by the IPC. The fact sheet provides more detailed information about how the IPC approaches investigations under the GIIC Act and is available here.
In general, a formal investigation may be initiated in response to a complaint or a series of complaints, whether from the public, a public interest disclosure, another accountability agency. The Information Commissioner may also exercise her functions under section 21 of the GIIC Act to investigate agency systems, policies and practices.
If the Information Commissioner decides to undertake a formal investigation under section 21, then the Information Commissioner must give the report to the Minister responsible for the agency, and principal officer for the agency.
The Commissioner may decide to make public a report of a formal investigation. If so, the report will be made to the Presiding Officer of each House of Parliament and to the Minister responsible for the agency the subject of the report.
Reporting on compliance monitoring
Compliance audits provide agencies with assistance, guidance and advice on the findings from the audit and are generally published by the IPC.
Results of compliance audits and formal investigations may be reported on by letter to the head of the agency audited; in the IPC’s annual report; or, if the Commissioner considers it appropriate, in a special report to Parliament.
For more information
Contact the Information and Privacy Commission NSW (IPC):
NOTE: The information in this fact sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.
 Section 23(4) GIIC Act
 Section 24(3) GIIC Act
 Section 22 GIIC Act
 Section 21 GIIC Act