
Sect 1.4 Managing personal information

Note that this page is under review. It has not yet been updated to reflect changes to the Public Service Act 1999 and Public Service Regulations 1999, or contained in the Australian Public Service Commissioner's Directions 2013, that came into effect on 1 July 2013. Agencies may continue to use the guidance for reference, but should be aware that it may not reflect current legislative requirements.

Relevant elements of the Values, Code of Conduct and Regulations

APS Values

  • The APS is openly accountable for its actions, within the framework of Ministerial responsibilities to the government, the Parliament and the Australian public.

APS Code of Conduct

  • An APS employee must act with care and diligence in the course of APS employment.
  • An APS employee, when acting in the course of APS employment, must comply with all applicable Australian laws.
  • An APS employee must maintain appropriate confidentiality about dealings that the employee has with any Minister or Minister's member of staff.
  • An APS employee must not make improper use of: (a) inside information, or (b) the employee's duties, status, power or authority in order to gain, or seek to gain, an advantage for the employee or for any other person.
  • An APS employee must comply with any other conduct requirement that is prescribed by the regulations.

Public Service regulations


  1. This regulation is made for subsection 13 (13) of the Act.
  2. This regulation does not affect other restrictions on the disclosure of information.
  3. An APS employee must not disclose information which the APS employee obtains or generates in connection with the APS employee's employment if it is reasonably foreseeable that the disclosure could be prejudicial to the effective working of government, including the formulation or implementation of policies or programs.
  4. An APS employee must not disclose information which the APS employee obtains or generates in connection with the APS employee's employment if the information:
    (a) was, or is to be, communicated in confidence within the government; or
    (b) was received in confidence by the government from a person or persons outside the government;
    whether or not the disclosure would found an action for breach of confidence.
  5. Subregulations (3) and (4) do not prevent a disclosure of information by an APS employee if:
    1. the information is disclosed in the course of the APS employee's duties; or
    2. the information is disclosed in accordance with an authorisation given by an Agency Head; or
    3. the disclosure is otherwise authorised by law; or
    4. the information that is disclosed:
      1. is already in the public domain as the result of a disclosure of information that is lawful under these Regulations or another law; and
      2. can be disclosed without disclosing, expressly or by implication, other information to which subregulation (3) or (4) applies.
  6. Subregulations (3) and (4) do not limit the authority of an Agency Head to give lawful and reasonable directions in relation to the disclosure of information.

Note: Under section 70 of the Crimes Act 1914, it is an offence for an APS employee to publish or communicate any fact or document which comes to the employee's knowledge, or into the employee's possession, by virtue of being a Commonwealth officer, and which it is the employee's duty not to disclose.

The principal legislation governing the management and use of personal information is the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act).

Section 6 of the Privacy Act defines personal information to mean:

…information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The APS holds substantial personal information about the public and APS employees. Under the FOI and Privacy Acts personnel information about APS employees qualifies as personal information.

Some personal information is confidential and/or sensitive. Unauthorised disclosure of information could result in embarrassment, disadvantage and even physical harm.

An FOI applicant is entitled to any information that is not exempt from disclosure under that Act. It may sometimes be appropriate to disclose personal information under FOI. Decisions about whether information should be disclosed will depend on the competing public interests of disclosure and non-disclosure and the facts and circumstances of the case.


The Privacy Act establishes processes for the management of personal information including its collection, storage and security, access and correction, use and disclosure. The Privacy Act (section 14) sets out the Information Privacy Principles (IPPs) that govern the way agencies manage personal information. Below is a brief overview of the requirements of the IPPs.

Under the IPPs, personal information is collected for a particular purpose and its use and disclosure are restricted to that purpose (although the Act does contain exceptions). For example, information collected by Centrelink about their clients cannot be disclosed to Medicare Australia or the Department of Immigration and Citizenship unless one of the exemptions in the Privacy Act provides for this.

The IPPs require APS employees to secure records against loss and unauthorised access, use, modification, disclosure or other misuse.

Individuals are entitled to access records of personal information about them, except where access to documents is limited by any Commonwealth law.

Agencies must take all reasonable steps to ensure the personal information is accurate, up-to-date, complete, not misleading and relevant to the purpose for which it was collected and used.

The Privacy Act regulates the use and disclosure of tax file numbers. The Data-matching Program (Assistance and Tax) Act 1990 establishes privacy standards governing the conduct of certain data-matching programs in Commonwealth administration.

The Privacy Commissioner also has functions under the spent convictions scheme under Part VIIC of the Crimes Act 1914, which regulates the use and disclosure of information about spent minor convictions.

Breaches of privacy

A person who believes an agency has interfered with their privacy should first write to the agency about their complaint. If they are not satisfied with the outcome of the agency's investigation, they can complain to the Privacy Commissioner. The Privacy Commissioner can obtain information and documents, examine witnesses and compel people to attend conferences. Once the investigation is complete, the Privacy Commissioner encourages the complainant and respondent to conciliate. If the matter cannot be conciliated, the Privacy Commissioner can determine there has been interference with the complainant's privacy, and can make various determinations, including compensation. The Privacy Commissioner's determinations are enforceable including by order of the Federal Court of Australia.

Freedom of information

The FOI Act allows the public access to documents held by agencies. A person may apply to obtain personal information about themselves, and in certain circumstances, about others. Such disclosure of personal information is broadly consistent with the Privacy Act, as that disclosure will usually fit within the exception contained in IPP 11(1)(d). While the Privacy Act is thus no general bar to disclosure of personal information under the FOI Act, this is a complex area, and further advice should be sought if needed. FOI and Privacy Contact Officers within the agency should be consulted in the first

Other laws

Other legislation governs the management of personal information including the Crimes Act and the Archives Act.

Although legislative sanctions apply to the inappropriate disclosure of personal information, the FOI Act provides APS employees with immunity against certain actions where they disclose information under that Act in good faith.

Personal information may be disclosed through other legislation such as the Safety, Rehabilitation and Compensation Act 1988, or in accordance with agency-specific guidelines.

Some legislation includes confidentiality and secrecy provisions, which authorise or require agencies to refuse access to certain records containing personal information. An application could still be made under the FOI Act which may allow access.

Code of Conduct investigations

There may be situations, such as during the course of a Code of Conduct investigation, where agencies may wish to disclose information to another party, including the complainant or another agency to which an employee moves. Any disclosure of information should be consistent with the IPPs.

Circulars 2007/2 and 2008/3 issued by the Australian Public Service Commission provide further advice on disclosing information relating to Code of Conduct investigations to other agencies and to complainants.

Last reviewed: 29 March 2018