(1) The Commissioner may conduct an assessment of the following matters:
(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:
(i) the Australian Privacy Principles;
(ii) a registered APP code that binds the entity;
(b) whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:
(i) the provisions of Part IIIA;
(ii) the registered CR code if it binds the entity;
(c) whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;
(d) whether the data matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;
(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section;
(f) whether the matching of information under Part VIIIA of the National Health Act 1953, and the handling of information relating to that matching, is in accordance with that Part, including:
(i) any terms and conditions relating to the matching of the information determined by the Chief Executive Medicare under paragraph 132B(3)(a) of that Act; and
(ii) the principles made by the Minister under subsection 132F(1) of that Act.
(2) The Commissioner may conduct the assessment in such manner as the Commissioner considers fit.