Privacy Commissioner Releases Follow-up Desktop Audit of Privacy Management Plans (PMP) Report

The NSW Privacy Commissioner has today published a follow-up Desktop Audit of Privacy Management Plans (PMP) Report on the compliance of universities, select councils and government departments with the PMP requirements under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). The follow-up audit has identified that the currency and review of PMPs remain an issue.

An effective PMP not only supports the core privacy management principles established under the PPIP Act, but also facilitates good privacy practices being built into agency decision-making, as well as the design and structure of its systems, business processes, products and service delivery.

For those agencies that were reviewed as part of the 2021 Report, this follow-up review found:

  • 79% (23 agencies) that were reviewed in the 2021 Report had submitted a PMP to the IPC in 2022
  • Of those, 31% (9 agencies) were from the local government sector; 27% (8 agencies) were from the university sector and 21% (6 agencies) were from the public sector
  • 100% of additional agencies reviewed had a PMP located on the agency website. 

The NSW Privacy Commissioner, Samantha Gavel, said, “The results demonstrate that while there was progress made by agencies subject of the 2021 Report, the results in relation to the additional agencies included in this audit continue to demonstrate gaps in the currency of the PMPs within agencies.

“The IPC recognises that it has a positive role in assisting agencies to mature the level of compliance around a PMP, but it will also require positive leadership by senior officers within agencies to signal the importance, necessity, and support for currency around policies, practices and processes for the handling of information which are reflected in PMPs.”

Recommendations provided by the IPC in this follow-up audit suggest that agencies should take prompt action to implement measures informed by the findings.

These recommendations include:

  • Any agency that has not reviewed its PMP in the last 12 months do so as a matter of priority.
  • Agencies have an established and documented process for PMP review which includes the requirements necessary to achieve compliance with section 33(5) of the PPIP Act.
  • Agencies review and consider the labelling attached to their privacy management plan to ensure that they are clearly identifiable and distinguishable from other privacy policies.

Commissioner Gavel said, “Agency leaders are strongly encouraged to consider and implement the recommendations of this report in order to elevate compliance in relation to the handling of personal information, assist in preparing for the introduction of the MNDB Scheme and support the delivery of digital services to the public.

“Agency leaders are strongly encouraged to take the steps needed to achieve and maintain PMPs which have currency and provide value.”

The follow-up audit and the 2021 Report are available for download via the IPC website.




For further information, please contact:

Manager, Communications and Corporate Affairs on 0435 961 691 or email

About the Information and Privacy Commission:

The Information and Privacy Commission NSW (IPC) is an independent statutory authority that administers New South Wales’ legislation dealing with privacy and access to government information. The IPC supports the Information Commissioner and the Privacy Commissioner in fulfilling their legislative responsibilities and functions and to ensure individuals and agencies can access consistent information, guidance and coordinated training about information access and privacy matters.

About the NSW Privacy Commissioner

Samantha Gavel was appointed as NSW Privacy Commissioner on 4 September 2017. Her role is to promote public awareness and understanding of privacy rights in NSW, as well as provide information, support, advice and assistance to agencies and the general public.

For further information about the IPC visit our website at