Skip to main content
The .gov.au means it’s official

Australian government websites always use a .gov.au domain. Before sharing sensitive information online, make sure you’re on a .gov.au site by inspecting your browser’s address (or 'location') bar.

This site is secure

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Webforms and privacy

GovCMS webforms and privacy: what you need to know

GovCMS makes it easy to create webforms that collect information from stakeholders or website users. For example, a form might ask for contact details and communication preferences.

Collecting personal information has legal and privacy implications. Government agencies must comply with a range of legislation, codes, and frameworks. Failing to do so could result in non-compliance.

Here's what you must consider before creating a webform hosted on the GovCMS platform.

Legal and privacy overview for GovCMS webforms

GovCMS is certified to collect, store, and transmit information up to the OFFICIAL: Sensitive classification. Your agency must still meet legal and procedural obligations before collecting such data, including:

  • Privacy compliance
  • Security requirements
  • Risk assessment
  • Legal authority to collect the information
  • Due diligence

Example: Your agency cannot collect Tax File Numbers, unless it has legal authority to do so.

These responsibilities are guided by:

  • Federal, state and territory privacy laws
  • Agency-specific legislation
  • The Protective Security Policy Framework (PSPF)
  • The Information Security Manual (ISM)
  • Your organisation’s Memorandum of Understanding (MOU) with GovCMS

The MOU includes privacy clauses that remain in effect even after expiration or termination.

What is OFFICIAL: Sensitive?

According to the PSPF, information is classified as OFFICIAL: Sensitive when:

  • It is not subject to a formal security classification, and
  • Disclosure could cause limited harm to individuals, agencies, or the government.

Understanding personal and sensitive information

Personal information

This includes any data that can reasonably identify an individual. It is protected under Australian privacy law.

Sensitive information

Sensitive information is a category of personal information that includes:

  • Health data
  • Political opinions
  • Religious beliefs
  • Criminal records

It has higher privacy protection under the Australian Privacy Principles (APPs).

Collecting, storing, and transmitting personal or sensitive data

If your agency is subject to the Privacy Act 1988, it must comply with the Australian Government Agencies Privacy Code, which requires:

  • A published privacy management plan
  • Appointing a privacy officer and privacy champion
  • Completing a Privacy Impact Assessment (PIA) for high-risk projects
  • Maintaining a PIA register

See the full Australian Government Agencies Privacy Code

Before you publish a webform that collects sensitive data, you may need to:

  • Complete a PIA
  • Add a privacy notice explaining what data is collected, why, and how it will be used/shared

Whether this is required depends on whether your site already collects personal/sensitive data.

More guidance:

What are your options?

Before designing a webform, ask:

  • Why are you collecting this information?
  • Is it necessary?
  • Could it discourage users from completing the form?

Example: Is it essential to ask for a user’s full name, mobile number, desk phone, email, and office address?

Work with your privacy officer

Most agencies already have a privacy officer and at least one PIA. Your privacy officer can advise on:

  • Whether your agency has the legal authority to collect the data
  • Whether the information request may discourage engagement

If your agency doesn’t have a privacy officer, consult your legal team and refer to the Office of the Australian Information Commissioner (OAIC)(Opens in a new tab/window). They provide checklists and tools to help agencies meet privacy obligations.

You should also consult your security and ICT teams if information is being transmitted to internal or external systems.

Security considerations: ISM and PSPF

When handling OFFICIAL: Sensitive data, compliance with the ISM and PSPF is mandatory:

The GovCMS-specific PIA

GovCMS has developed a PIA template to help customers streamline compliance. The template includes pre-filled sections relevant to GovCMS. However, each agency is responsible for its own PIA. You will only need to customise content specific to your website.

 

Key legislation, frameworks, and policies

Legislation/CodeDescriptionLink
Privacy Act 1988Governs privacy for federal agencies and some organisations.Privacy Act(Opens in a new tab/window)
Australian Government Agencies Privacy CodeApplies to all federal government agencies (except Ministers).Privacy Code(Opens in a new tab/window)
Australian Privacy Principles (APPs)Core principles for handling personal information.APPs Guidelines(Opens in a new tab/window)
Information Security Manual (ISM)Cybersecurity controls and best practices.ISM(Opens in a new tab/window)
Protective Security Policy Framework (PSPF)Requirements to protect people, info, and assets.PSPF(Opens in a new tab/window)
State/Territory Privacy LegislationState-based privacy laws apply to public sector agencies.Privacy by State(Opens in a new tab/window)
Privacy Regulation 2013Additional privacy obligations under federal law.Privacy Regulation 2013(Opens in a new tab/window)
Security of Government Business DirectiveCovers handling of sensitive information.Security Directive(Opens in a new tab/window)

 

Make the move to GovCMS

Contact us
Return focus to the top of the page