Publication date: 2018


Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2018–19.

Contact

Mail: Director, Strategic Communications and Coordination
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001

Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au
Twitter: @OAICgov
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Design

L+L Design

Statement of preparation

I, Angelene Falk, Acting Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2018–19, for the 2018–19 to 2021–22 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

8 August, 2018

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General’s Department portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • Performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act

Purpose

Our Purpose is to promote and uphold privacy and information access rights.

Purpose Statements

We have broken down our Purpose into two Purpose Statements, and all of the work that we do aligns to these Purpose Statements. Our key activities within this corporate plan are also presented according to these Purpose Statements:

  • We promote and uphold privacy rights
  • We promote and uphold information access rights

Our performance of strategic functions relating to information management in the Australian Government is delivered within these Purpose Statements.

We are at the forefront of guidance and enforcement of Australia’s privacy and freedom of information laws.

Key deliverables for 2018–19

These priority projects, initiatives and actions will help us to achieve our Purpose in the coming year.

To help us promote and uphold privacy rights we will:

  • Continue to administer the Notifiable Data Breaches scheme, and work with key stakeholders to build business and government capacity to reduce the potential for and to respond to data breaches, and to assist individuals who are affected by a data breach

  • Engage in the development and prepare for commencement of the Consumer Data Right and work collaboratively with the Australian Competition and Consumer Commission (ACCC)

  • Work collaboratively with the National Data Commissioner to assist in the development of a new data sharing and release framework

  • Work with credit providers, credit reporting bodies, consumers and external dispute resolution schemes to help ensure that changes to credit reporting under the proposed mandatory Comprehensive Credit Reporting (CCR) regime are implemented in a way that protects the privacy of individuals and facilitates an efficient credit reporting system

  • Update existing guidance where required and develop new guidance on privacy rights and obligations

  • Use our discretionary regulatory powers in a proportionate and targeted way to ensure the protection of personal data

  • Support compliance with the Australian Government Agencies Privacy Code

  • Conduct targeted assessments in priority areas in order to monitor and improve privacy practices

  • Promote Privacy Awareness Week 2019

To help us promote and uphold information access rights we will:

  • Continue the development of our early resolution process to improve the review time of Information Commissioner reviews and to further meet the objectives of providing an informal, non-adversarial and timely review process

  • Update resources for applicants to help them understand the Information Commissioner review process

  • Update resources for agencies and ministers to support best practice decision making

  • Support FOI officers through the provision of communication materials, training and advice

  • Continue to participate in the Open Government Forum, and contribute to the development and implementation of Australia’s next Open Government National Action Plan

  • Review the administration of the Information Publication Scheme and disclosure logs by agencies and ministers

  • Monitor agencies’ compliance with the statutory decision making timeframes, as set out in the FOI Act

  • Conduct a campaign for Right to Know Day 2018

Key success factors

We are successful when we:

Assist businesses and Australian Government agencies to understand their privacy obligations, and encourage them to respect and protect the personal information they handle.

Primary activities:

  • Develop the privacy management capabilities of Australian Government agencies and businesses, and promote privacy best practice
  • Manage data breach notifications
  • Conduct privacy assessments
  • Develop legislative instruments
  • Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right

Efficiently and effectively take action against suspected interferences with privacy to improve compliance with the Privacy Act.

Primary activities:

  • Conduct Commissioner initiated investigations
  • Manage privacy complaints

Help the community to understand and feel confident to exercise their privacy and information access rights.

Primary activities:

  • Provide a public information service
  • Promote awareness and understanding of privacy rights in the community
  • Provide an FOI public information service
  • Promote awareness and understanding of information access rights in the community

Assist Australian Government agencies to understand their freedom of information obligations, and respect and promote access to government information.

Primary activity:

  • Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice.

Efficiently and effectively carry out our regulatory functions under the Freedom of Information Act 1982.

Primary activities:

  • Conduct Information Commissioner reviews
  • Investigate FOI complaints and conduct Commissioner initiated investigations

Our Environment

At the OAIC we continue to be at the forefront of developing guidance for, and enforcing, Australia’s privacy and freedom of information laws — and this means the work we do can impact the lives of all Australians. We regulate business and government agencies’ collection and management of personal information to ensure it is handled responsibly, and we also regulate the release of information under Commonwealth freedom of information laws.

The issues within the OAIC’s remit — information privacy, information access and information policy — have never been more relevant.

Data sharing practices are rapidly evolving, and the considerable volume of data held by business and government is growing.

The OAIC works to support greater transparency and accountability in the exercise of all its functions. These principles are at the core of the Privacy Act and are manifest in recent privacy legislative developments, such as the Notifiable Data Breaches scheme and the Australian Government Agencies Privacy Code. They also apply to the FOI Act, as access to government held information supports transparent and accountable government.

In 2018–19, increased transparency and accountability for the way in which personal information is handled will be achieved through continuing regulation of the Notifiable Data Breaches scheme, ensuring data breaches are contained, individuals are notified and steps are put in place to prevent recurrence. The OAIC will provide the community with information on the causes of data breaches and we will focus our education on prevention. The scheme is in its early stages, but is already showing benefits to the community who — once notified — can take remediation steps. The scheme is also shining a spotlight on the importance of robust data protection measures.

Over the coming year, we will be focused on preparing for the commencement of the Consumer Data Right, helping to ensure that the legislative framework, standards and processes are designed in a way that support privacy and data security, for the benefit of all individuals who wish to use the scheme. We will also be working collaboratively with the National Data Commissioner and engaging with the development of the legislative and governance arrangements for the better use of government held information to support innovation and inform policy, while ensuring appropriate privacy safeguards.

The proposed mandatory Comprehensive Credit Reporting scheme, and the OAIC’s regulatory role regarding privacy for the My Health Records system are also areas in which many of our key deliverables for the next four years lie.

In relation to FOI, the OAIC’s goal is to promote open government through access to information, in recognition that, as the FOI Act states, ‘information held by the Government… is a national resource’. This acknowledges the vital role that open government and access to information plays in a healthy democracy.

The OAIC will continue to promote good decision making by agencies and ministers that furthers the objects of the FOI Act, and to support the availability of government held information.

Our review of the Information Publication Scheme will assist government agencies to take a proactive approach to publishing the information they hold.

The OAIC is a member of the Open Government Forum, and this year we are focused on contributing to the development and implementation of Australia’s next Open Government National Action Plan, which aims to make governments more open, accountable and responsive to citizens. These activities align with Australia’s open data agenda, of which FOI is an integral part.

The OAIC continues to experience a significant increase in the volume of work in both the privacy and the FOI aspects of our role. Our work is of relevance across business and government, and we anticipate that it will continue to grow. The 2017–18 reporting year showed a continuation of the year-on-year substantial growth in privacy complaints and Information Commissioner reviews dealt with by the OAIC, as well as an increasing demand for the expertise of the OAIC to inform the work of business and government.

We have highly skilled and dedicated staff committed to delivering the best outcomes for the Australian community. Over the course of this plan the OAIC will focus on ensuring we continue to develop leadership and capability to ensure we can continue to meet the demands of our changing environment. We will also closely monitor the independent review of the Australian Public Service and consider its application in our context.

Legislative change

The evolution of the Privacy Act brings about legislative change which has broad impacts and shapes much of the OAIC’s work for the coming four years. Four of the major recent or forthcoming legislative changes include the Notifiable Data Breaches scheme, the Consumer Data Right, the proposed Data Sharing and Release Bill and proposed mandatory Comprehensive Credit Reporting, as follows:

Notifiable Data Breaches scheme

The community’s expectation of transparency when a data breach occurs that is likely to result in serious harm is now a legal obligation in Australia. The Notifiable Data Breaches (NDB) scheme came into operation in February 2018, and our early learnings from the notifications we are seeing indicate that a robust privacy culture that embeds training and minimises human error needs to strongly support the IT cyber security aspects of protecting personal information.

In the first four-and-a-quarter months of the NDB scheme’s operation — from 22 February to 30 June 2018 — the OAIC received 305 data breach notifications. By comparison, in the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.

In the coming years it is anticipated that the number of notifiable data breaches will continue to increase, as will the resulting consumer awareness and community interest. The OAIC has established a framework to receive notifications, respond to them and to resolve them, and will continue to work to improve our processes and the guidance we provide to businesses, agencies and the community. The OAIC is focused on educating about the causes of data breaches and preventing breaches through increased awareness of mitigation strategies.

The Consumer Data Right (CDR)

The Consumer Data Right (CDR) is one outcome of the Productivity Commission’s Data Availability and Use report, which examined ways of making public and private sector data more readily available for use while also increasing consumers’ control over their data. The CDR seeks to give Australians greater control over their data, enabling customers to choose to share their transaction, usage and product data with service competitors and comparison services.

The CDR is expected to commence on 1 July 2019 and the initial phases will be implemented across the banking sector. The OAIC will handle complaints and provide advice regarding the privacy aspects of the scheme, particularly to support businesses as they transition to the new regulations.

People want more control over their data. As the CDR is expanded over the coming years it will do just that — empower individuals by enhancing their ability to compare and switch products and have control over how their data is used.

Data Sharing and Release Bill

On 1 May 2018, the Australian Government released its response to the Productivity Commission’s Data Availability and Use report. The Government committed to reforming data governance within government to better realise the benefits of increased data use, while maintaining trust and confidence in the system. The Australian Government committed to:

  • Establishing a National Data Commissioner to implement and oversee a data sharing and release framework
  • Introducing legislation to improve the sharing, use and reuse of public sector data while maintaining the strong security and privacy protections the community expects
  • Introducing a Consumer Data Right to allow consumers to share their transaction, usage and product data with service competitors and comparison services

The OAIC will engage with the development of the legislative and governance arrangements for the better use of government held information to support innovation and inform policy, while ensuring appropriate privacy safeguards.

Mandatory Comprehensive Credit Reporting

On 2 November 2017, the Treasurer announced the Australian Government’s intention to legislate for a mandatory Comprehensive Credit Reporting (CCR) regime. The mandatory CCR regime would require certain credit providers to supply CCR information (such as information about an individual’s repayment history) to credit reporting bodies. The supply of this information is currently provided for, but not required, under Part IIIA of the Privacy Act.

The OAIC’s role is to work with Australian Government agencies and credit stakeholders to ensure that privacy of individuals is protected and to support an effective and efficient CCR scheme.

International

The OAIC recognises that today’s globalised and rapidly evolving data environment presents complex challenges. We are positioned alongside international regulators to ensure that we meet these challenges to protect the personal information of Australians.

In addition to regulatory developments here, Australian businesses may now need to consider their privacy obligations in other jurisdictions. The European Union General Data Protection Regulation (GDPR) came into effect in May 2018 and, similar to Australia’s NDB scheme and the Australian Government Agencies Privacy Code, the requirements are concentrated on enhancing the accountability and transparency of organisations that handle personal information. We have released guidance and continue to engage business and government about the effects on Australian business and individuals.

We continue to strengthen our collaborative relationships with other international regulatory authorities. Our guidance and regulatory activities are informed by the international landscape to achieve best practice. We participate in a number of international forums with global leaders in the privacy and access to information community, such as:

  • The Asia Pacific Privacy Authorities (APPA) forum, where we learn about best practice and share information on emerging technology, trends and changes to privacy regulation.
  • The International Conference of Data Protection and Privacy Commissioners, which provides leadership at the international level in data protection and privacy.
  • The International Conference of Information Commissioners, which supports the exchange of ideas between Commissioners, practitioners and advocates to advance access to information.

Domestic

On a domestic level the OAIC is a member of Privacy Authorities Australia (PAA) — a group of Australian privacy authorities that meet to promote best practice. In addition to the OAIC, PAA membership includes privacy representatives from all states and territories.

We also work with the statutory officers responsible for freedom of information oversight and the development of information policy in our role in the Association of Information Access Commissioners (AIAC). In AIAC we exchange information about the exercise of our oversight responsibilities and promote best practice.

Commonwealth Regulator Performance Framework

As noted in the Statement of preparation, our corporate plan is delivered under the Public Governance, Performance and Accountability Act 2013. Many of the Measures listed in this corporate plan also satisfy the reporting requirements under the Commonwealth Regulator Performance Framework (RPF).

The RPF encourages regulators to carry out their functions with the minimum impact necessary, to reduce the burden of unnecessary or inefficient regulation imposed on individuals, businesses and community organisations, and to effect positive, ongoing and lasting cultural change within regulators.

To streamline our reporting requirements, we have indicated within our Measurement matrix whether a Measure is also reported under the RPF, and which of the RPF’s Key Performance Indicators (KPIs) it is relevant to.

The outcomes-based KPIs are referred to numerically within the Measurement matrix:

  1. Reducing regulatory burden
  2. Effective communications
  3. Risk-based and proportionate approaches
  4. Efficient and coordinated regulatory action
  5. Transparency
  6. Continuous improvement

Performance — We promote and uphold privacy rights

We will promote and uphold Australian privacy rights by carrying out the following activities:

Activity 1.1 — Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

Activity 1.2 — Manage data breach notifications

Activity 1.3 — Conduct Commissioner initiated investigations

Activity 1.4 — Resolve privacy complaints

Activity 1.5 — Conduct privacy assessments

Activity 1.6 — Provide a public information service regarding privacy

Activity 1.7 — Promote awareness and understanding of privacy rights in the community

Activity 1.8 — Develop legislative instruments

Activity 1.9 — Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right

Activity 1.1 — Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

The OAIC provides guidance and support to businesses and Australian Government agencies to help develop their privacy management capabilities and to promote privacy best practice.

We will have contributed to our Purpose if the guidance and support that we have provided has assisted businesses and Australian Government agencies to understand their privacy obligations, and encouraged them to respect and protect the personal information they handle.

Delivery strategy

In 2018–19 we will:

  • Provide ongoing advice and guidance to Australian Government agencies to support their compliance with the Australian Government Agencies Privacy Code, and to enhance privacy management capability across the public sector

  • Provide advice and guidance to Australian Government agencies and organisations about how the Australian Privacy Principles and the My Health Records legislative framework apply to the handling of health information

  • Work with credit providers, credit reporting bodies, consumers and external dispute resolution schemes to help ensure that changes to credit reporting under the proposed mandatory Comprehensive Credit Reporting (CCR) regime are implemented in a way that protects the privacy of individuals and facilitates an efficient credit reporting system

  • Work with Australian Government agencies and businesses to help ensure that the Australian Government’s Response to the Productivity Commission Inquiry into Data Availability and Use is implemented in a way that upholds the highest standards of privacy for individuals

  • Work collaboratively with the National Data Commissioner to assist in the development of a new data sharing and release framework

  • Work with the Attorney-General’s Department to ensure that the requirements of the APEC Cross Border Privacy Rules System are implemented in Australia in a way that maintains and builds upon existing privacy protections and reflects community expectations of privacy

  • Update existing guidance where required and develop new guidance on privacy rights and obligations

  • Develop a stakeholder strategy to increase engagement with members of the OAIC’s Privacy Professionals’ Network (PPN)

Over the next four years we will:

  • Monitor the success of the Australian Government Agencies Privacy Code and its effect on building privacy management capability

  • Continue to expand the PPN, and hold regular stakeholder meetings of the PPN and the Consumer Privacy Network

  • Continue to identify, develop and promote key privacy resources to build privacy management capability in Australian Government agencies and businesses

  • Continue to expand the number of education and training resources, and events available to Australian Government agencies and businesses, including webinars and eLearning

  • Continue to monitor proposed changes to legislation and government programs for privacy impacts

  • Continue to provide advice and guidance to Australian Government agencies and businesses on emerging privacy issues

Performance

We will demonstrate our performance through the following Measures:

Activity 1.1 — Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

| No. | Measure[1] | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.1.1 | The OAIC applies a risk-based, proportionate approach to facilitate privacy compliance and promote privacy best practice | Develop organisations’ privacy management capabilities | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 3 |
| 1.1.2 | Guidance and educational materials are updated to include learnings from regulatory activities such as assessments and investigations | Promote compliance with privacy obligations and privacy best practice | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2 |
| 1.1.3 | Regular engagement and consultation with businesses and Australian Government agencies is undertaken | Develop organisations’ privacy management capabilities | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2, 6 |
| 1.1.4 | Privacy Professionals’ Network members are provided with information that is relevant and engaging, a minimum of ten times per year | Promote compliance with privacy obligations and privacy best practice | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 2, 6 |
| 1.1.5 | Levels of engagement with Privacy Professionals’ Network members are recorded | Target more relevant and engaging communication to promote compliance with privacy obligations and privacy best practice | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 2, 6 |

[1] Measure 1.1.4 from the OAIC Corporate Plan 2017–18 (‘The number of participating partners for Privacy Awareness Week is increased’) has been replaced by a new Measure 1.1.4 and new Measure 1.1.5. The OAIC considers that the new Measures are a more meaningful way of demonstrating ongoing and effective engagement with an increasing number of stakeholders.

Activity 1.2 — Manage data breach notifications

The OAIC manages data breach notifications from businesses and Australian Government agencies.

We will have contributed to our Purpose if our response to data breach notifications has assisted businesses and Australian Government agencies to understand their privacy obligations, and encouraged them to respect and protect the personal information they handle.

Delivery strategy

In 2018–19 we will:

  • Provide information to the community, organisations and Australian Government agencies about the operation of the NDB scheme, including through quarterly publication of statistics about the notifications received and resources

  • Work with key stakeholders to build business and government capacity to reduce the potential for and to respond to data breaches, and to assist individuals who are affected by a data breach

  • Review our approach to publishing NDB scheme statistics after the scheme has been in operation for 12 months

Over the next four years we will:

  • Continue to manage and ensure compliance with the NDB scheme (which commenced on 22 February 2018)

  • Continue to administer the legislated My Health Records data breach notification scheme

  • Conduct activities to promote best practice in data breach prevention and management

  • Continue to monitor and enhance our systems and processes for handling data breach notifications

Performance

We will demonstrate our performance through the following Measures:

Activity 1.2 — Manage data breach notifications

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.2.1 | 80% of data breach notifications are finalised within 60 days | Assist businesses and Australian Government agencies to understand their privacy obligations; encourage the respect and protection of personal information | Businesses and Australian Government agencies; affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 1.2.2 | 80% of My Health Records data breach notifications are finalised within 60 days | Assist businesses and Australian Government agencies to understand their privacy obligations; encourage the respect and protection of personal information | Businesses and Australian Government agencies; affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 1.2.3 | Guidance and support tools are promoted for the data breach notification schemes the OAIC oversees | Encourage the respect and protection of personal information | Businesses and Australian Government agencies; the Australian community | | | | | Yes | 2, 5 |
| 1.2.4 | Statistics on data breach notifications are published | Assist businesses and Australian Government agencies to understand their privacy obligations; encourage the respect and protection of personal information | Businesses and Australian Government agencies; the Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |

Activity 1.3 — Conduct Commissioner initiated investigations

The Australian Information Commissioner has the power to investigate an incident that may be an interference with privacy, without first receiving a complaint from an individual. These investigations are known as Commissioner initiated investigations (CIIs).

We will have contributed to our Purpose if the action we have taken against suspected interferences with privacy has improved compliance with the Privacy Act 1988, and has assisted businesses and Australian Government agencies to understand their privacy obligations.

Delivery strategy

In 2018–19 we will:

  • Use our discretionary regulatory powers in a proportionate and targeted way to ensure the protection of personal data

  • Undertake CIIs in line with our regulatory action policy, using a proportionate and risk-based approach to identify CII targets

Over the next four years we will:

  • Continue to conduct CIIs that improve the personal information handling practices of the businesses and Australian Government agencies that are investigated

  • Continue to liaise with privacy regulators in Australia and internationally when conducting CIIs

Performance

We will demonstrate our performance through the following Measures:

Activity 1.3 — Conduct Commissioner initiated investigations

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.3.1 | 80% of CIIs are finalised within 8 months | Assist businesses and Australian Government agencies to understand their privacy obligations | Businesses and Australian Government agencies; affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 1.3.2 | CIIs result in improvements in the privacy practices of investigated organisations | Improve compliance with the Privacy Act 1988 | Businesses and Australian Government agencies; the Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.3.3 | CII outcomes and lessons learnt are publicly communicated | Assist businesses and Australian Government agencies to understand their privacy obligations; improve compliance with the Privacy Act 1988 | Businesses and Australian Government agencies; the Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2 |
| 1.3.4 | The OAIC applies a risk-based and proportionate approach to commencing and conducting CIIs | Assist businesses and Australian Government agencies to understand their privacy obligations; improve compliance with the Privacy Act 1988 | Businesses and Australian Government agencies; affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 3 |

Activity 1.4 — Resolve privacy complaints

The OAIC provides a free service for individuals to make a privacy complaint about a business or Australian Government agency that is covered by the Privacy Act 1988.

We will have contributed to our Purpose if we have efficiently and effectively resolved privacy complaints received.

Delivery strategy

In 2018–19 we will:

  • Continue to enhance our early resolution process to assist more efficient handling of privacy complaints

  • Support the development and prepare for commencement of the mandatory Comprehensive Credit Reporting (CCR) regime

Over the next four years we will:

  • Continue to resolve privacy complaints in line with our service standards

  • Continue to review and improve our complaint handling processes, in accordance with best practice, to reduce wait times and improve efficiency and effectiveness

Performance

We will demonstrate our performance through the following Measures:

Activity 1.4 — Resolve privacy complaints

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.4.1 | 80% of privacy complaints are finalised within 12 months | Provide an efficient and effective complaint handling process | Affected individuals; Businesses or Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 1.4.2 | The complaint handling service is promoted to the community | Empower people to understand their rights | Affected individuals; The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.4.3 | Complaint handling processes are reviewed to ensure they align with current best practice and relevant legislative developments | Provide an efficient and effective complaint handling process | Affected individuals; Businesses and financial services | ✓ | ✓ | ✓ | ✓ | Yes | 6 |

Activity 1.5 — Conduct privacy assessments

The Australian Information Commissioner has the power to conduct an assessment of any business or Australian Government agency covered by the Privacy Act 1988.

We will have contributed to our Purpose if we have assisted businesses and Australian Government agencies to meet their privacy obligations, and encouraged them to respect and protect the personal information they handle.

Delivery strategy

In 2018–19 we will conduct:

  • Assessments of Australian Government agencies in line with our commitments under Memorandums of Understanding
  • Targeted assessments in priority areas in order to monitor and improve privacy practices

Over the next four years we will:

  • Continue to conduct assessments that are professional, independent and practical, to help businesses and Australian Government agencies meet their privacy obligations.

Performance

We will demonstrate our performance through the following Measures:

Activity 1.5 — Conduct privacy assessments

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.5.1 | Complete assessments in accordance with the schedule developed in consultation with the business or agency being assessed | Assist businesses and Australian Government agencies to meet their privacy obligations | Businesses and Australian Government agencies; Affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2 |
| 1.5.2 | Monitoring and compliance approaches are coordinated with the business and operational needs of the business or agency being assessed | Assist businesses and Australian Government agencies to meet their privacy obligations | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2, 4 |
| 1.5.3 | A high proportion of recommendations are accepted by the business or agency being assessed | Assist businesses and Australian Government agencies to meet their privacy obligations; Encourage the respect and protection of personal information | Businesses and Australian Government agencies; Affected individuals; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2, 3, 4 |
| 1.5.4 | Key assessment outcomes and lessons learnt are publicly communicated where appropriate | Assist businesses and Australian Government agencies to meet their privacy obligations | Businesses and Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 5 |

Activity 1.6 — Provide a public information service regarding privacy

The OAIC offers a free public information service on any privacy related matter. Our service is mainly delivered through telephone and written enquiries.

We will have contributed to our Purpose if our public information service has helped the community to understand their privacy rights and to feel confident to exercise those rights; and if we have assisted businesses and Australian Government agencies to understand their privacy obligations, and encouraged them to respect and protect the personal information they handle.

Delivery strategy

In 2018–19 we will:

  • Review our Service Charter to ensure it reflects our commitment to the timeliness and quality of our public information service.

Over the next four years we will:

  • Continue to raise awareness about our public information service
  • Review and enhance our communication channels to maximise the accessibility of our public information services
  • Enhance website content to maximise the efficiency of our public information service

Performance

We will demonstrate our performance through the following Measures:

Activity 1.6 — Provide a public information service regarding privacy

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.6.1 | 90% of written enquiries are responded to within 10 working days | Assist businesses and Australian Government agencies to understand their privacy obligations | Businesses and Australian Government agencies; Affected individuals | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 1.6.2 | Community, legal and other networks are identified for targeted promotion of the public information service | Help the community to understand their privacy rights and to feel confident to exercise those rights | Targeted groups within the Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.6.3 | Website content is reviewed and updated as required to support our public information service | Help the community to understand their privacy rights and to feel confident to exercise those rights | The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 2, 6 |

Activity 1.7 — Promote awareness and understanding of privacy rights in the community

The OAIC conducts awareness raising activities to ensure that the community is well informed of issues that impact their privacy rights.

We will have contributed to our Purpose if our awareness raising activities have helped the community to understand their privacy rights and to feel confident to exercise those rights.

Delivery strategy

In 2018–19 we will:

  • Develop a community outreach strategy that identifies target groups for communication campaigns, and opportunities for community education
  • Continue to hold public events across Australia
  • Promote Privacy Awareness Week 2019

Over the next four years we will:

  • Continue to revise and improve the content for the community on the OAIC’s website
  • Continue to engage with community groups and representatives, including through our Consumer Privacy Network
  • Consider partnerships with specific community interest groups to further promote awareness of privacy rights
  • Continue to conduct the Australian Community Attitudes to Privacy Survey
  • Ensure that our communication products consider the needs of culturally and linguistically diverse groups, including by identifying appropriate resources for translation.

Performance

We will demonstrate our performance through the following Measures:

Activity 1.7 — Promote awareness and understanding of privacy rights in the community

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.7.1 | Media and social media mentions about privacy rights increase | Help the community to understand their privacy rights and to feel confident to exercise those rights | The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.7.2 | Awareness and understanding about privacy rights and the role of the OAIC improves | Help the community to understand their privacy rights and to feel confident to exercise those rights | The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.7.3 | Attendance numbers and positive feedback from public facing events increases | Help the community to understand their privacy rights and to feel confident to exercise those rights | The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 1.7.4 | The OAIC’s website is accessible to the community and content about privacy rights is regularly reviewed and updated | Help the community to understand their privacy rights and to feel confident to exercise those rights | The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |

Activity 1.8 — Develop legislative instruments

The Australian Information Commissioner has powers under the Privacy Act 1988 and other legislation to make or approve legally binding guidelines and rules.

We will have contributed to our Purpose if the legislative instruments that we have developed have assisted businesses and Australian Government agencies to understand their privacy obligations, and encouraged them to respect and protect the personal information they handle.

Delivery strategy

In 2018–19 we will:

  • Work with the Department of Health and other stakeholders in relation to the handling of health and other information
  • Consider further variations to the Privacy (Credit Reporting) Code 2014 (CR Code), following an independent review of the CR Code in 2017

Over the next four years we will:

  • Continue to consider and respond to applications for Public Interest Determinations and Australian Privacy Principles codes
  • Continue to ensure that existing legislative instruments are appropriate and up-to-date

Performance

We will demonstrate our performance through the following Measures:

Activity 1.8 — Develop legislative instruments

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.8.1 | Applications for Public Interest Determinations and Australian Privacy Principles codes are considered and responded to in a timely manner | Assist businesses and Australian Government agencies to understand their privacy obligations; Encourage the respect and protection of personal information | Businesses and Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 6 |
| 1.8.2 | Legislative instruments are reviewed when necessary | Assist businesses and Australian Government agencies to understand their privacy obligations; Encourage the respect and protection of personal information | Businesses and Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |

Activity 1.9 — Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right

The Consumer Data Right (CDR) will provide a safe way for individuals and businesses to direct data holders to share their data with accredited third parties. The first rollout of the CDR will be in the banking sector beginning in mid-2019.

The CDR will operate under a multi-regulator model. The Australian Competition and Consumer Commission (ACCC) has primary responsibility for ensuring the system as a whole operates as intended, including supporting competition and good consumer outcomes within the system, and setting rules. The Data Standards Body has responsibility for setting technical standards for the system. The OAIC’s role is to support strong privacy protections under the CDR, which includes advising the ACCC during the rule-making process, working with the Data Standards Body on the development of technical standards to ensure they are consistent with the privacy protections in the rules, and handling complaints.

We will have contributed to our Purpose if we have assisted businesses to understand their obligations under the CDR, and encouraged them to respect and protect the personal information they handle; if we have efficiently and effectively taken action against suspected breaches of the CDR rules; and if we have helped the community to understand and feel confident to exercise their rights under the CDR.

Delivery strategy

In 2018–19 we will:

  • Engage with the Treasury on the development of the legislation to implement the CDR scheme, to help ensure an appropriate and robust framework for the protection of privacy
  • Consult with the ACCC regarding the development of the CDR scheme, including the development of the CDR rules and preparations for commencement
  • Prepare to exercise our complaint handling and other related functions under the CDR by developing internal processes and protocols

Over the next four years we will:

  • Continue to advise the Treasury, the ACCC, the Data Standards Body and other stakeholders on privacy aspects of the CDR scheme
  • Work with the Data Standards Body to develop technical standards that provide appropriate privacy and security protections
  • Implement then continue to oversee a robust complaint handling process, in conjunction with appropriate external dispute resolution services, to effectively manage complaints about the handling of CDR data for individual consumers, and small and medium-sized enterprises (those with an annual turnover of less than $3 million)
  • Address systemic or serious privacy-related breaches of the CDR framework through our regulatory powers
  • Provide advice and guidance on the CDR
  • Develop and deliver a consumer education campaign, focusing on education regarding privacy and complaint handling processes in the CDR

Performance

We will demonstrate our performance through the following Measures:

Activity 1.9 — Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right

| No. | Measure[2] | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 1.9.1 | Regular dialogue with the ACCC and other relevant stakeholders is conducted to ensure the effective operation of the CDR scheme | Assist businesses to understand their privacy obligations; Encourage the respect and protection of personal information | The ACCC and other stakeholders; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 2, 4 |
| 1.9.2 | Guidance and education materials are developed to support a clear understanding of rights and obligations under the CDR scheme | Help the community to understand their privacy rights and to feel confident to exercise those rights; Assist businesses to understand their privacy obligations | The Australian community; The regulated community | ✓ | ✓ | ✓ | ✓ | Yes | 2, 5 |
| 1.9.3 | Internal processes and protocols are developed to support the implementation of the CDR | Assist businesses to understand their privacy obligations; Provide an efficient and effective complaint handling process | The regulated community; Affected consumers | ✓ | ✓ | ✓ | ✓ | Yes | 1, 3, 5 |

[2] Activity 1.9 is a new activity in the OAIC Corporate Plan 2018–19. New performance Measures have been developed for Activity 1.9, as outlined in the table above.

Performance — We promote and uphold information access rights

We will promote and uphold information access rights by carrying out the following activities:

Activity 2.1 — Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

Activity 2.2 — Conduct Information Commissioner reviews

Activity 2.3 — Investigate FOI complaints and conduct Commissioner initiated investigations

Activity 2.4 — Provide an FOI public information service

Activity 2.5 — Promote awareness and understanding of information access rights in the community

Activity 2.1 — Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

The OAIC provides advice and guidance to develop the FOI capabilities of Australian Government agencies and ministers, and to promote FOI best practice.

We will have contributed to our Purpose if the advice and guidance that we have provided to Australian Government agencies and ministers has assisted them to understand their FOI obligations, and has encouraged them to respect and promote access to government information.

Delivery strategy

In 2018–19 we will:

  • Review and update the guidelines that are issued under section 93A of the FOI Act. Agencies and ministers must consider these guidelines when performing a function or exercising a power under the Act

  • Review and update resources to assist agencies and ministers to apply the FOI Act

  • Review the administration of the Information Publication Scheme (IPS) and disclosure logs by agencies and ministers

  • Review, update, and provide guidance to assist agencies to publish information in accordance with the IPS

  • Continue to participate in the Open Government Forum, and contribute to the development and implementation of Australia’s next Open Government National Action Plan

  • Develop processes for verifying the accuracy of data input for FOI statistical reporting

  • Monitor agencies’ compliance with the statutory decision making timeframes, as set out in the FOI Act

  • Support FOI officers through the provision of communication materials, training and advice

Over the next four years we will:

  • Promote awareness and understanding of the Freedom of Information Act 1982 (FOI Act) and the Information Commissioner’s FOI regulatory functions, through networks such as the Information Contact Officer Network (ICON)

  • Continue to revise key FOI resources and guidelines

  • Continue to engage with stakeholders, including through ICON, the Association of Information and Access Commissioners, and the Open Government Forum

  • Continue to engage with Australian Government agencies and ministers on FOI matters

Performance

We will demonstrate our performance through the following Measures:

Activity 2.1 — Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 2.1.1 | Tools and guidance are updated to assist Australian Government agencies to publish information in accordance with the Information Publication Scheme | Encourage Australian Government agencies to respect and promote access to government information | Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2 |
| 2.1.2 | Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act | Assist Australian Government agencies to understand their FOI obligations | Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 1, 2 |
| 2.1.3 | Information is provided to stakeholders that is relevant in both content and delivery | Assist Australian Government agencies to understand their FOI obligations; Encourage Australian Government agencies to respect and promote access to government information | Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |

Activity 2.2 — Conduct Information Commissioner reviews

If a person disagrees with a decision made by an Australian Government agency or minister under the Freedom of Information Act 1982 (FOI Act), they can request that the Australian Information Commissioner review the decision. This is called an Information Commissioner review (IC review).

The OAIC will have contributed to our Purpose if we have carried out our IC review functions efficiently and effectively.

Delivery strategy

In 2018–19 we will:

  • Continue the development of our early resolution process to improve the review time of IC reviews and to further meet the objectives of providing an informal, non-adversarial and timely review process
  • Update resources for applicants to help them understand the IC review process
  • Update resources for agencies and ministers to support better decision making

Over the next four years we will:

  • Continue to ensure the efficiency and quality of the IC review function
  • Continue to revise key IC review resources and guidelines where necessary
  • Continue to engage with Australian Government agencies and ministers on IC review matters
  • Provide information through the Information Contact Officer Network (ICON) about the IC review function
  • Continue to publish decisions issued under section 55K of the FOI Act
  • Continue to build on existing jurisprudence that shapes the FOI jurisdiction

Performance

We will demonstrate our performance through the following Measures:

Activity 2.2 — Conduct Information Commissioner reviews

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 2.2.1 | 80% of IC reviews are completed within 12 months | Reviews conducted efficiently and effectively | Affected individuals; Affected Government agencies or ministers | ✓ | ✓ | ✓ | ✓ | Yes | 1, 3, 4 |

Activity 2.3 — Investigate FOI complaints and conduct Commissioner initiated investigations

The OAIC provides a free service for individuals to make a complaint about how an Australian Government agency has handled their FOI matter.

The Australian Information Commissioner may also initiate investigations about the FOI actions of Australian Government agencies. These are known as Commissioner initiated investigations (CIIs).

The OAIC will have contributed to our Purpose if we have efficiently and effectively resolved FOI complaints and CIIs, and assisted government agencies to understand their FOI obligations.

Delivery strategy

In 2018–19 we will:

  • Develop an early resolution process to improve the processing times of FOI complaints
  • Update resources for agencies to promote best FOI practices

Over the next four years we will:

  • Continue to monitor and address the effectiveness of FOI processing within agencies
  • Continue to revise key resources and guidelines where necessary
  • Continue to ensure the efficiency and quality of the complaint investigation process

Performance

We will demonstrate our performance through the following Measures:

Activity 2.3 — Investigate FOI complaints and conduct Commissioner initiated investigations

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 2.3.1 | 80% of FOI complaints are finalised within 12 months | Investigations conducted efficiently and effectively | Affected individuals; Affected Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 3, 4 |
| 2.3.2 | 80% of FOI Commissioner initiated investigations are finalised within 8 months | Investigations conducted efficiently and effectively; Assist Australian Government agencies to understand their FOI obligations | Affected individuals; Affected Australian Government agencies | ✓ | ✓ | ✓ | ✓ | Yes | 1, 3, 4 |

Activity 2.4 — Provide an FOI public information service

The OAIC provides a free public information service on FOI related matters. Our service is mainly delivered through telephone and written enquiries.

We will have contributed to our Purpose if our public information service has helped the community to understand their information access rights and to feel confident to exercise those rights; and if we have assisted Australian Government agencies and ministers to understand their FOI obligations, and encouraged them to respect and promote access to government information.

Delivery strategy

In 2018–19 we will:

  • Review our Service Charter to ensure it reflects our commitment to the efficiency and quality of our public information service

Over the next four years we will:

  • Continue to raise awareness about our public information service
  • Review and enhance our communication channels to maximise the accessibility of our services
  • Review and update website content to maximise the efficiency of our public information service

Performance

We will demonstrate our performance through the following Measures:

Activity 2.4 — Provide an FOI public information service

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 2.4.1 | 90% of FOI written enquiries are finalised within 10 working days | Assist Australian Government agencies to understand their FOI obligations | Australian Government agencies; The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 2.4.2 | New community, legal and other networks are identified for targeted promotion of the public information service | Help the community to understand their information access rights | The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 2 |
| 2.4.3 | Website content is regularly reviewed and updated to support our public information service | Help the community to understand their information access rights | The Australian community | ✓ | ✓ | ✓ | ✓ | Yes | 2, 6 |

Activity 2.5 — Promote awareness and understanding of information access rights in the community

The OAIC conducts awareness raising activities to ensure that the community is well informed about their information access rights.

We will have contributed to our Purpose if our awareness raising activities have helped the community to better understand their information access rights.

Delivery strategy

In 2018–19 we will:

  • Conduct a campaign for Right to Know Day 2018
  • Continue to engage with other Information Commissioners to share knowledge and raise awareness about information access rights
  • Deliver a new OAIC website with revised content for individuals
  • Explore options to assist individuals to understand the Commonwealth information access framework

Over the next four years we will:

  • Continue to raise public awareness about information access rights
  • Conduct Right to Know Day activities on an annual basis
  • Ensure that our communication products consider the needs of culturally and linguistically diverse groups, including by identifying appropriate resources for translation

Performance

We will demonstrate our performance through the following Measures:

Activity 2.5 — Promote awareness and understanding of information access rights in the community

| No. | Measure | Projected outcome | Beneficiary | 2018–19 | 2019–20 | 2020–21 | 2021–22 | RPF Measure | RPF KPI |
|---|---|---|---|---|---|---|---|---|---|
| 2.5.1 | Media and social media mentions about information access rights increase | Help the community to better understand their information access rights | Members of the Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |
| 2.5.2 | The OAIC’s website is accessible to the community and content about information access rights is regularly reviewed and updated | Help the community to better understand their information access rights | Members of the Australian community | ✓ | ✓ | ✓ | ✓ | No | N/A |

Capability

The OAIC has a dedicated and expert team of staff who are experienced in carrying out all aspects of our legislative functions, from advice, guidance and communications, to complaint handling, investigations, assessments and Information Commissioner reviews. We have added to our capabilities over the past financial year by recruiting to fill a number of vacancies and further expand our skillset. To meet our need for technical skills across a range of areas of expertise, we will develop a comprehensive workforce management plan, focused on attraction, retention and development.

Our current capabilities are tested by an increase in our workload and responsibilities, for example, with the introduction of the Notifiable Data Breaches scheme in February 2018. The implementation of new legislative schemes, such as the Consumer Data Right and the Comprehensive Credit Reporting scheme, is expected to further increase demand for advice, guidance and regulatory action.

While our workload and responsibilities grow, our challenge is to continue to manage our responsibilities effectively with the resources available.

This requires us to look at how we work and what we can do to deliver improved and more efficient services. For example, in 2017–18 we trialled an early resolution approach to privacy complaints. We will build on the success of this approach by considering how we can apply the same benefits to other areas of our regulatory work.

In recognition of the global nature of the privacy landscape and organisational data flows, we build and maintain strong and productive relationships with privacy authorities in other domestic and international jurisdictions, in order to collaborate on investigations and share information about privacy best practice.

The input we receive through the Consumer Privacy Network and the Privacy Professionals’ Network ensures that our frameworks align with the rapidly changing consumer and organisational contexts.

We also participate in two important FOI networks, the Association of Information Access Commissioners and the International Conference of Information Commissioners, which assist us in ensuring that our FOI regulatory activities are aligned with global best practice.

We are currently developing a new website, which will be launched during the 2018–19 financial year. As part of this project, we are focused on ensuring that the content on our website is clear and helps visitors solve the problems or find the answers they are searching for. This will have a dual benefit of assisting agencies, businesses and the community to interact with us with greater ease, and enabling our Enquiries team to focus on more complex email and phone enquiries.

These initiatives, combined with the dedication and skill of our staff, will ensure that we are well placed to deliver our activities and to meet our Purpose over the coming reporting period.

Risk and oversight management

Over the past 12 months, the OAIC has further developed effective risk processes, which have enhanced our risk management capability. We continue to take steps to strengthen risk management capability across the OAIC. This includes educating our people and providing a clear understanding of risk appetite to help our staff assess risks, make informed decisions, confidently engage with risk and harness its opportunities, while minimising adverse consequences.

We recognise that commitment to risk management contributes to sound management practice and increasing confidence in performance. Over the past 12 months we have been proactive in addressing all elements of the Commonwealth Risk Management Policy requirements.

Risk mitigation activities (control activities) are well managed through a regular process of cross-referencing to organisational plans for identified risk areas, and in preparation for the introduction of new projects, programs and schemes. We review all control activities associated with implementation to ensure that any identified risks are mitigated, and we actively monitor potential risks associated with the project or program. Risk is also overseen by our Audit Committee.

In our approach to risk management, the OAIC considers factors that may affect our ability to effectively engage with, and manage our relationships with, our stakeholders.

Working under a robust risk management framework helps us to achieve our Purpose by promoting and upholding privacy and information access rights in a way that manages risk, to instil confidence in the community and our stakeholders.

The OAIC has implemented key elements of the Commonwealth Risk Management Policy as outlined below:

a) Establishing a risk management policy

The OAIC’s Risk Management Policy defines the OAIC’s approach to the management of risk and how this approach supports our strategic plans and objectives.

b) Establishing a risk management framework

The OAIC has in place a Risk Management Framework and Procedures document which is reviewed every three years.

c) Defining responsibility for managing risk

The OAIC’s Risk Management Framework and Procedures document assigns risk management roles and responsibilities across the OAIC organisational and management structure.

d) Embedding systematic risk management into business processes

The OAIC’s Risk Management Framework and Procedures document outlines the practices and actions to embed risk management into business practices.

e) Developing a positive risk culture

The OAIC’s Risk Management Framework and Procedures document outlines the practices and actions to embed a positive risk culture at the OAIC.

f) Communicating and consulting about risk

The OAIC’s Risk Management Framework and Procedures document identifies the stakeholders with whom the OAIC communicates risk information.

g) Understanding and managing shared risk

The OAIC’s Risk Management Framework and Procedures document details the OAIC’s shared risk management arrangements.

h) Maintaining risk management capability

The OAIC is committed to ensuring that management and staff develop appropriate risk management capabilities through training.
