(1) The Commissioner may conduct an assessment of the following matters:
(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:
(i) the Australian Privacy Principles;
(ii) a registered APP code that binds the entity;
(b) whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:
(i) the provisions of Part IIIA;
(ii) the registered CR code if it binds the entity;
(c) whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;
(d) whether the data matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;
(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section.
(2) The Commissioner may conduct the assessment in such manner as the Commissioner considers fit.