MEDIA RELEASE 29 January 2026
Shadow Attorney-General and Federal Member for Fisher, Andrew Wallace MP, says a report published last month by the Australian National Audit Office (ANAO) has revealed serious and ongoing failures by the Albanese Government to protect Australians’ private information, raising questions about why long-standing privacy risks have been allowed to persist.
The ANAO report, titled Managing the Privacy of Client Information in Services Australia, found that Services Australia is only partly effective in managing the privacy of client information, with existing arrangements falling short of addressing emerging and escalating privacy risks.
Services Australia holds personal information of approximately 27.5 million Australians through services such as Medicare, Centrelink and child support, meaning the vast majority of Australians are exposed to the consequences of any failure in privacy governance.
Despite the scale and sensitivity of this data, the ANAO found that Services Australia’s privacy governance and risk-management arrangements have not kept pace with the scale and complexity of the risks it faces.
Mr Wallace said the audit’s findings further undermine already eroding public trust in government, particularly where agencies are entrusted with some of the most sensitive personal information in the country.
“Australians expect that when they use essential services such as Centrelink or Medicare – services that require deeply personal and sensitive information, the Government will do everything it can to protect that data. This report confirms the Government is failing in one of its most fundamental responsibilities.”
The findings come amid a sharp rise in data breaches across both government and the private sector. In 2023-24, the Australian Government sector was the second highest source of privacy complaints and the third highest source of notifiable data breaches, which are incidents serious enough to legally require reporting.
In May 2025, the Privacy Commissioner warned that 1,113 data breaches were reported across business and government in 2024, up from 893 in the previous year, cautioning that the threat posed by malicious actors is unlikely to diminish and risks to Australians will likely increase in the absence of strengthened privacy and security measures.
Concerningly, notifiable data breaches within Services Australia jumped from 50 to 89 in 2024-25, compared to just three in 2019-20, with the majority of these breaches caused by malicious or criminal attacks.
The audit also highlighted a troubling lack of transparency and accountability across the Commonwealth Government. Commonwealth entities are not required to report on their privacy management or compliance with the Privacy Act 1988 (Cth) in annual reports. Additionally, there is currently no requirement for third parties to notify Services Australia when they experience a breach involving agency data.
As a result, Parliament and the public have limited visibility over whether legal obligations are being met.
While the ANAO has recommended reforms to improve transparency, this gap has been allowed to persist for too long. Mr Wallace said the Government must act immediately on the ANAO’s recommendations to restore public confidence and provide certainty about how Australians’ data is being handled.
“These findings reflect a broader pattern of weakened transparency, including the Government’s recent ill-fated attempts at freedom of information reform. Since the election, Australians have been consistently let down on issues that go to the heart of trust in government.”
Mr Wallace said that the despite repeated warnings and multiple reviews, the Government has failed to act decisively to strengthen oversight, accountability and data protection.
“At a time of increased data breaches and increasingly sophisticated cyber threats, continued inaction represents a serious failure of governance.”
Mr Wallace said Australians are entitled to know why, after years of warnings, the Government has still not put in place robust safeguards to protect their personal information.
“Protecting Australians’ personal data is a fundamental responsibility of government. This report confirms that this responsibility is not being met.”
[ENDS]
Media Contact: Brendan West – 0402 556 646 – Brendan.west@aph.gov.au
