Publication date: August 2020
You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.
Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2020–21.
Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Phone: 1300 363 992
If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.
All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.
Statement of preparation
I, Angelene Falk, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2020–21, for the 2020–21 to 2023–24 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.
28 August 2020
The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General’s Department portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).
Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:
- Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
- Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- Performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act.
Structure of our plan
Our Corporate Plan outlines who we are, what we are here to do, our vision and how we will achieve it. The plan is broken into two parts:
- Part 1 – Operating context – Our environment, Capabilities, Risk management, Cooperation and collaboration
- Part 2 – Our strategic priorities – Corporate Plan overview
This year’s Corporate Plan sets out how the OAIC will achieve our core purpose — to promote and uphold privacy and information access rights — in the context of a vastly different environment to that of a year ago. The COVID-19 pandemic has transformed the way we work and live, and how we communicate with one another, in ways we could have not imagined at the start of 2020.
Australia has fared better than many other nations due to swiftly implemented public health measures, but the pandemic has brought enormous social and economic impacts. It has also focused attention on the right to privacy, and the need for transparency across both personal information handling and government decision-making.
As governments and businesses seek solutions to halt the spread of the coronavirus, there is a heightened need to use personal information to achieve public health and economic outcomes.
This is critical. But the use of personal information must be demonstrably necessary, reasonable and proportionate. We must also emerge from the pandemic with rights protected.
The OAIC has a central role to play in supporting these outcomes, as they are realised most effectively where privacy is safeguarded and decision-making processes are transparent. We know that protecting personal information and minimising privacy impacts is essential for the community trust and confidence needed to find and adopt solutions at speed. To maintain that trust over time, access to the information used by governments to shape their pandemic response will continue to be fundamental, in providing transparency and accountability.
Over the next four years, the OAIC will continue our regulatory efforts to achieve our vision of increased public trust and confidence in the protection of personal information and access to government-held information.
We are focused on action that increases individuals’ ability to manage their privacy choices and exercise control, and enhances the accountability of regulated entities. This underpins not only our approach to privacy reform, but to regulating and enforcing existing privacy protections.
We will continue to advance online privacy protections for Australians, influence and uphold privacy and information access rights frameworks, and encourage and support proactive release of government-held information.
Our regulatory priorities respond to the needs of our domestic environment and are informed and influenced by activity across the global regulatory landscape. We are taking a leadership role in promoting globally interoperable regulatory approaches, and coordinated and joint enforcement activities.
In achieving our purpose, the OAIC is guided by our key principles: we are targeted, engaged, agile, independent and expert in exercising our regulatory functions. Operating as a contemporary regulator, our effective risk management, performance measurement framework, and highly engaged and capable workforce underpin our effort.
As the pandemic continues and the recovery emerges, public health, policy and economic outcomes can all be supported by promoting and upholding privacy and information access rights. It is that objective that the OAIC seeks to achieve, in the public interest.
Australian Information Commissioner and Privacy Commissioner
28 August 2020
The year ahead
COVIDSafe contact tracing app and the pandemic response
The Australian Government’s COVIDSafe contact tracing app was supported by a detailed Privacy Impact Assessment and amendments to the Privacy Act 1988 which provided transparency and accountability in relation to its use of personal information. The OAIC has an expanded regulatory role and powers in relation to the app and National Data Store, including the handling of COVIDSafe app data by state and territory health authorities. Any unauthorised collection, use or disclosure of COVIDSafe app data is not only a criminal offence under the amendments, but also triggers the regulatory powers of the OAIC.
The OAIC has convened a National COVID-19 Privacy Team to bring regulators together to respond to proposals with national implications. Over the coming year, the OAIC will monitor the handling of personal information in the COVIDSafe system and report in November 2020.
The OAIC will also continue to provide guidance to entities that are handling personal information in order to prevent and manage the spread of COVID-19. We will also pursue related regulatory activities where necessary, where personal information is at risk through practices related to the pandemic.
Privacy law reform
The year ahead will be a significant one for privacy law reform in Australia, with a government review of the Privacy Act providing a landmark opportunity to ensure our privacy framework can respond to new challenges in the digital environment. The OAIC will play a key role through exercising our function to advise on the need for legislative action in the interests of the privacy of individuals.
Our approach to reform is informed by four key elements: the need for global interoperability to make sure our laws connect around the world and data is protected wherever it flows; enabling privacy self-management, so individuals can exercise meaningful choice and control; ensuring organisational accountability, with sufficient obligations built into the system; and a contemporary approach to regulation providing the right tools to regulate in line with community expectations.
Privacy in the online environment
As the importance of the online environment increases for the economy, education and our connections, we are particularly focused on privacy practices that occur online and as a result of new and emerging uses of technology. We are preparing for the introduction of a binding code of practice for online platforms and social media, supported by legislation. This will improve the ability of Australians to manage privacy choices through transparent policies and better practices around consent, and improve protections for children and other Australians with particular needs.
The innovative use of personal information can lead to positive economic and social outcomes, but it can also result in harms, and we will pursue regulatory activities to mitigate these risks.
Consumer Data Right implementation
The Consumer Data Right (CDR) commenced in the banking sector in July 2020, giving consumers greater choice and control over their data. As co-regulator of the Consumer Data Right, the OAIC will undertake a number of regulatory activities. Our aim is to ensure that providers understand and comply with the privacy safeguards so that consumers can share their data with confidence.
In 2020–21, the OAIC will continue to collaborate closely with the Australian Competition and Consumer Commission to develop a strong privacy framework to support the Consumer Data Right rollout to the energy sector.
Notifiable data breaches
The introduction of the Notifiable Data Breaches scheme in 2018 is driving a greater focus on data breach prevention strategies, including measures to embed training and minimise human error in order to protect personal information.
The OAIC has an effective framework to assess and respond to notifications and provide guidance to businesses, agencies and the community. We will continue to provide statistical reports on the causes of data breaches, to inform prevention strategies.
Our focus on personal information security will also be reflected in our compliance and enforcement activities.
My Health Record
The OAIC oversees the privacy aspects of the My Health Record system which is managed by the Australian Digital Health Agency. In the coming year, we will continue to monitor, regulate and provide advice on the operation of the system, along with guidance for healthcare providers to support good privacy practice. The OAIC will engage with the implementation of the Australian National Audit Office’s recommendations following their report into the My Health Record system, alongside the review of the My Health Records Act 2012.
The OAIC continues to promote transparency and accountability in government through initiatives that facilitate the proactive provision of government-held information to the community.
These initiatives are aimed at making better use of government-held information to support Australians’ efficient access to information, innovation and engagement, while ensuring appropriate privacy safeguards are in place.
As demand for our access to information services continues to increase, we remain focused on process improvement, and are supporting agencies with updated guidance and resources to help ensure freedom of information frameworks are implemented efficiently and effectively.
We will also continue to engage with the Open Government Partnership, with delivery of the third National Action Plan an opportunity to set goals that strengthen and enhance transparency for all.
Our purpose is to promote and uphold privacy and information access rights.
Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.
Engaged — Active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community
Targeted — Efficient in the allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators
Expert — Trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance
Independent — Professional by nature, fair and impartial by application
Agile — Collaborative and responsive to changes in technology, legislation and the expectations of the community and government.
How we will achieve our ambition
We have identified 4 strategic priorities to enable us to deliver on our purpose and achieve our vision.
This corporate plan outlines these priorities and our key activities between 2020–21 and 2023–24.
It also describes our performance measurement framework, including:
- Indicators – define how we assess our progress towards our strategic priorities
- Measures – define how we will achieve our indicators
- Targets – set clear expectations of success.
What will enable our success
This corporate plan describes key enabling factors to help us achieve our strategic priorities.
We constantly review our capabilities to ensure we have the resources needed to drive our key focus areas.
We have risk oversight and management systems in place to support the achievement of our strategic priorities.
Cooperation and collaboration
We work with stakeholders to deliver our core regulatory functions and cooperate at domestic and international level to advance our strategic priorities.
Part 1: Operating context
The Office of the Australian Information Commissioner promotes and upholds privacy and information access rights. We perform our regulatory functions in a complex global data environment. Our effective risk management and highly capable workforce underpin our efforts. We cooperate with our counterparts and collaborate with other agencies to advance our strategic priorities.
Understanding and responding to our environment is essential to achieving our vision of greater trust and confidence in personal information protection and access to government-held information. When that environment is changing rapidly in response to the COVID-19 pandemic, and will continue to change in ways we cannot yet foresee, this poses a significant challenge.
Our Corporate Plan 2020–21 identifies the key factors shaping our environment and affecting how we apply our guiding principles to deliver on our agency’s purpose. The core principles of transparency and accountability underpin the privacy and information access frameworks that we regulate. We support these principles through the exercise of all our functions, including our regulation of the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act).
Over the past five years, the OAIC has experienced significant growth across our regulatory functions, particularly in our primary functional areas of privacy complaints and reviews of agencies’ freedom of information (FOI) decisions (IC reviews). This reflects heightened awareness and expectations of transparency and accountability from the community when it comes to both personal information handling and access to information.
The introduction of the Notifiable Data Breaches scheme in 2018 expanded the OAIC’s responsibilities and increased protections for consumers at risk of harm from data breaches. The OAIC also plays an important role in relation to the My Health Record system, managing complaints when sensitive and personal information is mishandled and providing assurance over its statutory privacy protections.
In the past 12 months, our responsibilities have been further expanded to include oversight of privacy protections in relation to the COVIDSafe app. We also regulate the privacy safeguards and complaints mechanism built into the new Consumer Data Right which commenced on 1 July 2020.
Globalised and rapidly evolving data environment
While countries around the world impose entry restrictions, our personal information continues to travel across national borders. Physical distancing requirements and remote working arrangements are driving an increase in online engagement. In a rapidly evolving data environment, a global regulatory approach is needed to protect Australians’ data wherever it flows.
Increased value of data as a commodity
In a digital economy, the volume of data held by government and business is growing exponentially. Business is increasingly sophisticated in its use of personal data to offer more tailored products and drive financial returns. Physical distancing requirements and remote working environments are fuelling the expansion of ecommerce.
Public trust in information handling and expectations of greater transparency and accountability
The OAIC works to align community expectations and organisational practice in handling personal information and implementing new technologies. Community expectations regarding transparency and accountability of government agencies and ministers are reflected in an increasing number of applications for review of FOI decisions.
The impact of the COVID-19 pandemic has brought unprecedented challenges for Australian society and the Australian Government has had to make significant decisions affecting public health and the economy. The right of the public to access information about these decisions is vital. Promoting the proactive disclosure and publication of information will help to build trust in government and has the potential to reduce the impact of processing FOI requests on agency resources.
The COVID-19 pandemic has heightened public awareness of privacy as a critical issue and the need to carefully balance the protection of individuals with other public benefits. The Bushfire Disaster Emergency Declaration also illustrated the need to balance different public goods.
The review of Australia’s privacy law will focus attention on privacy issues around emerging technologies, profiling and automated decision-making. A strong foundation of privacy and data protection supports innovation and drives the growth of the digital economy. Globally interoperable data protection laws are increasingly important to protect all consumers online and reduce unnecessary burdens on business.
Shift in expectations of regulators
The contemporary approach to regulation expected by the community is that government regulators utilise the full range of compliance and enforcement tools available in the law. As a regulator, we engage with these expectations by taking an approach that drives more efficient processes and greater effectiveness. We are enhancing our people capability to ensure capacity across our full suite of compliance and enforcement powers. We will also support reform measures that provide greater regulatory flexibility and deterrent capacity to the OAIC.
Enabling innovation and growth
Strong privacy and data protection frameworks support innovation and growth in the Australian digital economy and international trade. Globally interoperable data protection laws are increasingly important to protect all consumers online and reduce regulatory friction for business.
Government transparency initiatives
New access to information initiatives are emerging internationally, aimed at building effective, accountable and inclusive institutions at all levels. Working in partnership with other information management agencies, the OAIC has a role to play in delivering on Australia’s commitment to Open Government. We will explore ways to apply the FOI Act to help meet community expectations about the accountability and transparency of government agencies and ministers. Making information held by government publicly available as a national resource supports innovation and growth.
International regulatory collaboration
Cooperation among privacy and data protection authorities is accelerating in response to shared challenges including the COVID-19 pandemic. Australia is at the forefront of international collaboration including through our leadership role in the Global Privacy Assembly.
As a small agency the OAIC accesses shared service arrangements for the provision of services that support our capability. Information and communication technology (ICT), financial and some human resources services are provided by the Australian Human Rights Commission.
The OAIC Executive, with support from dedicated OAIC staff in key capability areas, takes a strategic approach to growing and stabilising our capabilities to enable us to deliver our core business effectively.
Strategies and plans associated with our capability are outlined within Strategic Priority 4.
The OAIC’s committed workforce of more than 120 staff is central to achieving our strategic priorities. To enhance and develop our people capability, we have specialist programs in the areas of leadership development, culture, workforce planning, staff attraction and retention, training and organisational learning. The OAIC also implements a comprehensive approach to improving diversity and inclusion.
Our current people capability is tested by an increase in our workload and responsibilities including the implementation of new legislative schemes, such as the Consumer Data Right and the COVIDSafe system.
The OAIC recognises that a multidisciplinary approach is necessary for a contemporary regulator. We are implementing strategies to attract new staff with expertise from other sectors to broaden our skill set and perform our regulatory functions more effectively. We also obtain temporary specialist expertise to help address short-term workloads and workload peaks.
The OAIC infrastructure is substantially located in the Sydney central business district. Office space was recently consolidated to bring together staff located on multiple floors, as the OAIC expanded in recent years.
We will finalise the second phase of our building works and undertake a review of our infrastructure framework in light of lessons learned from the rapid implementation of remote work arrangements for all staff as a result of the COVID-19 pandemic.
The OAIC’s ICT capability encompasses operating systems, software applications, networking components and digital devices. The OAIC promotes a strong ICT security culture through training and awareness initiatives.
The OAIC has an ICT framework which is flexible and agile to meet the demands of the dynamic work environment. We have quickly adapted to the requirements of remote working and will continue to respond to the technology needs of our workforce, including the evaluation of new technology solutions.
Human resources, information management and finance systems upgrades will be considered to ensure they support the OAIC’s needs.
Positive risk management culture
The effective management of risks plays an important role in shaping the OAIC’s strategic priorities, contributes to well-informed organisational decision making and is critical to the delivery of our purpose – to promote and uphold privacy and information access rights.
Risk management framework
Our Risk Management Policy defines the OAIC’s approach to risk management and supports effective risk management across the business.
Our Risk Management Framework and Procedures document:
- outlines practices and actions to embed risk management into business practices and cultivate a positive risk culture
- assigns clear roles and responsibilities across the OAIC organisational and management structure
- details the OAIC’s shared risk management agreements
- identifies the stakeholders with whom we communicate about risk.
Risk mitigation activities (control activities) are well managed through regular review of organisational plans for identified risk areas, and in preparation for the introduction of new projects, programs and schemes. We review all control activities associated with implementation to ensure that any identified risks are mitigated, and we actively monitor potential risks associated with the project or program.
Commonwealth Risk Management Policy
The OAIC proactively addresses all elements of the Department of Finance Risk Management Policy requirements. The goal of the policy is to embed risk management into the culture of the OAIC so the shared understanding of risk leads to well informed, evidence-based decision making.
Audit and Risk Committee
The OAIC Audit and Risk Committee oversees the OAIC’s organisational and strategic risk. The committee has historically comprised senior members of staff from within the OAIC and Australian Government. The OAIC is welcoming new members from outside government to the committee in August 2020.
The OAIC has commenced a comprehensive review of its risk management approach through the first half of the 2020–21 financial year. This work began in the 2019–20 financial year with the development of a revised strategic risk framework and consideration of key risk factors in our domains of responsibility. Planned work includes the review of our risk policies and procedures and the development of detailed risk profiles for specific areas of high risk, including significant new regulatory responsibilities in relation to the Consumer Data Right and the COVIDSafe app.
The OAIC is also working closely with our co-regulator, the ACCC, to ensure that privacy risks in the Consumer Data Right are managed effectively.
Enhancing risk management capability and approach
The OAIC has expanded its risk management capability, appointing an Assistant Commissioner, Corporate, and bringing on board senior staff to provide advice and guidance.
The OAIC has developed its strategic risk profile by focusing on what we must get right to deliver on our strategic priorities. Early in this planning period, we will review our strategic risk control framework. These strategic risks fall into a number of themes.
Our people: We must ensure our current and future workforce has the skill set needed to enable us to be a contemporary regulator. We are committed to ensuring the safety and wellbeing of our staff, which brings new challenges in a remote working environment.
To be successful we must:
- attract, grow and retain our staff
- place the safety and wellbeing of our staff at the centre of our operations.
Good governance and infrastructure: Good governance and secure, reliable infrastructure are fundamental to a high-performing agency. We strive to have best practice governance processes and systems, and a quality framework. We must also be leaders in relation to security, privacy and confidentiality.
To be successful we must:
- invest in and regularly review our ICT and adhere to a quality framework
- have appropriate fraud, probity and risk management infrastructure
- be an exemplar in the domains of security, privacy and confidentiality.
Focus on outcomes: We must use our resources strategically to provide the greatest benefit for the community. This requires prioritisation of activities which will be most effective in delivering on our purpose.
To be successful we must:
- strategically prioritise work and be able to de-prioritise less important work
- scan the landscape and identify emerging challenges
- strive for whole-of-OAIC, timely responses.
Be community-centric and stakeholder focused: Building and maintaining positive relationships with the community and our stakeholders is critical to our success.
To be successful we must:
- be a respected and trusted regulator, influential in the debate about privacy and information access
- be an agency which is defined by being accessible, understanding, empathetic and in touch with community sentiment
- work to increase community trust and confidence in privacy and information access rights, and communicate our work effectively to stakeholders.
Cooperation and collaboration
The OAIC works closely with a range of Australian Government agencies and other organisations, including domestic and international regulators, to deliver our core regulatory functions and advance our strategic priorities.
The OAIC works in collaboration with a number of agencies and regulators such as the Attorney-General’s Department, the Australian Cyber Security Centre, the Australian Competition and Consumer Commission (ACCC) and the Office of the eSafety Commissioner to advance online privacy protection for Australians. The OAIC will also engage with the Attorney-General’s Department and other stakeholders in the review of the Privacy Act, bringing our regulatory experience to help ensure that Australia’s privacy framework is fit for purpose in the digital age.
The OAIC will continue to work with key agencies to improve privacy protections and promote best practice. This includes the Attorney-General’s Department, Australian Public Service Commission, Australian Government Solicitor, Australian Digital Health Agency, Australian Government Department of Health and our network of privacy officers and champions across government. We also have a Memorandum of Understanding with the Australian Communications and Media Authority in relation to sharing information for investigations to better inform regulatory outcomes.
Consumer Data Right
The OAIC is collaborating with our co-regulator, the ACCC, to implement the Consumer Data Right and embed processes to ensure the safe and effective operation of the system. This includes taking an integrated approach to developing compliance and enforcement policies, project planning and risk management activities. We are also working with the ACCC to establish a framework for data portability in the energy sector.
Access to information
The OAIC works with Australian Government agencies to improve processes, increase knowledge and understanding of the FOI Act, and enhance access to information. We work with agencies to achieve informal outcomes where possible, consistent with the FOI Act requirement to facilitate and promote public access to information promptly and at the lowest reasonable cost. Our Information Contact Officer Network brings together nearly 500 people from government agencies and deepens FOI practitioners’ expertise through information sharing, meetings and alerts.
Cooperating with local and international counterparts
The OAIC cooperates with state and territory privacy and information access regulators to share information and insights and to collaborate on issues of national significance, including through our participation in the Association of Information Access Commissioners and Privacy Authorities Australia.
The OAIC also collaborates with international regulators to share information, develop strategies and take regulatory action to protect Australians’ personal information across jurisdictions.
The OAIC has established Memorandums of Understanding with international regulators to support greater cooperation, including with the Information Commissioner for the United Kingdom, the Data Protection Commissioner for Ireland and the Personal Data Protection Commission of the Republic of Singapore. We are actively engaged with other international regulators through forums such as the Global Privacy Assembly, Asia Pacific Privacy Authorities Forum and the International Conference of Information Commissioners.
Part 2: Our strategic priorities
We will deliver on our purpose and increase public trust and confidence in the protection of personal information and access to government-held information through our strategic priorities.
Strategic Priority 1: Advance online privacy protection for Australians
The OAIC will advance online privacy protections for Australians to support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks.
In parallel with exponential growth in the use of data to drive the digital economy, the regulatory framework needed to protect Australians’ privacy online is expanding. Global data regulation also continues to evolve creating greater opportunities for international cooperation and collaboration.
Personal information is being used in new ways, across rapidly developing platforms, complex structures and multiple jurisdictions. This makes it more difficult for individuals to effectively manage their personal information.
In this context, achieving an appropriate regulatory balance between organisational accountability and effective privacy self-management is challenging.
The considerable volume of data held by business and government continues to grow, alongside the value of data as a commodity, as we increasingly rely on data for technological innovation – through artificial intelligence (AI), machine learning, algorithms, biometrics and more.
Data-sharing practices are constantly adapting to meet the needs of the global economy. This can create vulnerabilities for entities, as it may increase their susceptibility to a data breach through malicious attack, human error or system fault.
Online privacy is increasingly important for Australians, particularly as we rely more on digital communication due to physical distancing requirements. In April this year, the Information Commissioner was granted leave to bring legal proceedings against Facebook in the Federal Court. The proceedings allege that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than that for which it was collected, in breach of the Privacy Act. The information was exposed to the risk of being disclosed to Cambridge Analytica for political profiling purposes and to other third parties.
In July, the OAIC joined with the Information Commissioner of the UK to conduct an investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.
In 2020–21, the OAIC will provide policy advice to the Australian Government on privacy law reform with the goal of achieving a framework that is fit for purpose in the digital age. We will work to enhance online privacy protections, including for people with particular needs, such as children. The OAIC will continue to promote awareness of privacy risks and provide guidance for individuals and regulated entities on how to protect personal information online.
The OAIC will support innovation and Australian businesses’ capacity to benefit from using data while minimising privacy risks for the community. We will also seek to influence the development of policy for globally interoperable privacy protection.
We have identified three key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 1.
Key activity 1: Provide expert advice to government so that Australians’ data is protected by a strong, globally interoperable privacy law framework
Key activity 2: Oversee the development of a code of practice for digital platforms
The OAIC will work with stakeholders to develop a binding code of practice for online platforms and social media that provides stronger privacy protections for Australians in the online environment, including for people with particular needs, such as children.
Develop a code of practice for digital platforms
Provide guidance and support
Utilise a range of compliance and enforcement tools
Key activity 3: Identify and take appropriate regulatory action
The OAIC will effectively regulate the protection of personal information in the online environment and increase regulated entities’ awareness of their obligations. This includes auditing compliance, engaging with regulated entities about new projects or initiatives that have privacy impacts, and taking appropriate regulatory action to address identified deficiencies. We will also work to raise public awareness of online privacy risks and mitigation strategies.
Implement governance arrangements in support of strategic regulatory posture
Take a proportionate and evidence-based approach to privacy risks using the suite of regulatory tools
Undertake joint investigations, and tactics and intelligence sharing, with international privacy regulators
Promote awareness of online privacy risks and mitigation strategies
Strategic Priority 1: Advance online privacy protections for Australians: performance measures
- Outcome: Australians’ personal information is protected wherever it flows. Measure: the OAIC provides policy advice to government; views of stakeholders have been sought.
- Outcome: The OAIC is a leader in the global privacy community to strengthen protection of Australians’ personal information.
- Outcome: A code of practice for digital platforms increases the privacy protection of Australians in the online environment. Measure: a code of practice for digital platforms is developed. Target: code is registered (marked for each of the four reporting periods).
Strategic Priority 2: Influence and uphold privacy and information access rights frameworks
The OAIC promotes access to government-held information through the regulation of the Freedom of Information Act 1982 (FOI Act) and our role in information policy. The OAIC will continue to promote and uphold these rights and regulatory frameworks through delivery of our core functions. This includes influencing domestic legislative and regulatory developments to advance the rights of all members of the community to access government-held information.
Our regulatory responsibilities for privacy have expanded with the introduction of the COVIDSafe app. The OAIC also has a new co-regulation role for the Consumer Data Right which began in the banking sector on 1 July 2020.
As the importance of data grows rapidly and the global regulatory framework continues to evolve, community expectations about how entities manage personal information have also increased. This is demonstrated by the steady number of privacy complaints received by the OAIC. It is also evident in the growing number of applications for review of agency FOI decisions (IC reviews) as people seek access to government-held information.
The ever-expanding volumes of data holdings across the public and private sectors, and constantly adapting data practices, are also creating greater exposure to potential data breaches.
The OAIC’s role in holding entities accountable is exercised through our core regulatory functions, including conciliating and investigating privacy complaints, responding to notifiable data breaches, and overseeing the privacy aspects of the My Health Record system and Consumer Data Right scheme. As the Consumer Data Right becomes more established, the OAIC has an important role to play in providing guidance to participants and consumers about the privacy safeguards in the system and how we will exercise our regulatory powers.
The COVID-19 pandemic has brought significant changes to our operating context and regulatory role. In response to the coronavirus, the Australian Government developed the COVIDSafe app to augment contact tracing to help contain the spread of the virus. The OAIC is responsible for monitoring compliance with privacy protections, and for providing guidance and education materials to support participants in the COVIDSafe system.
By facilitating access to government-held information the OAIC supports public scrutiny of government processes and participation in democracy. We also take targeted action across both regulatory areas based on proactive monitoring of the environment and responses to intelligence received.
We have identified four key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 2.
Key activity 1: Influence policy and legislative change to ensure frameworks remain appropriate
The OAIC will provide advice to government about policy and legislative change that responds to the contemporary environment and enhances information access rights. This includes influencing global regulatory developments to advance the national interest. The OAIC will engage with the Attorney-General’s Department and other stakeholders in the review of the Privacy Act, to help ensure that Australia’s privacy framework is fit for purpose in the digital age.
Provide policy advice to government on review of Privacy Act
Implement Privacy Act amendments
Deliver guidance and education materials to support implementation of Privacy Act amendments
Key activity 2: Identify and take appropriate regulatory action
The OAIC regulates the community’s access to government-held information under the FOI Act, conducts independent merits review of FOI decisions made by Australian Government agencies and ministers, and investigates complaints about action taken by Australian Government agencies under the FOI Act. The OAIC also regulates the handling of personal information by organisations and agencies. The OAIC will continue to promote and uphold these rights and regulatory frameworks through delivery of our core functions.
We will maintain effective and efficient complaints, review, investigations, notifiable data breaches and assessment functions and a public information service. We will ensure that compliance risks and significant or systemic issues are identified, and appropriate regulatory action is taken to change practices.
Over the coming year, the OAIC will monitor, and provide guidance and advice to address, actions that affect the public’s right to access government-held information and to have their personal information protected. We will also undertake awareness and education activities to help Australians access government-held information and manage privacy risks.
Take appropriate regulatory action
Administer the NDB scheme
Regulate privacy aspects of the My Health Record system (each of the four reporting periods)
Conduct IC reviews of FOI decisions
Improve compliance with FOI and privacy legislation
Promote awareness of privacy and access to information rights
Key activity 3: Regulate the Consumer Data Right
The OAIC will work collaboratively with the Australian Competition and Consumer Commission (ACCC) to ensure that the Consumer Data Right (CDR) is regulated effectively and gives Australians greater choice and control over the use and disclosure of their data.
The OAIC will provide clear guidance for both consumers and participants about their rights and obligations under the Consumer Data Right system. We will provide an effective complaints handling service for individual and small business consumers to ensure the privacy safeguards and related CDR Rules are upheld.
The OAIC will also undertake strategic enforcement in relation to the protection of privacy and confidentiality. The OAIC will use the range of its regulatory powers as appropriate, including the power to conduct Commissioner-initiated investigations and assessments of compliance with the privacy safeguards and rules.
Provide information about privacy safeguards under the Consumer Data Right
Regulate privacy safeguards
Key activity 4: Monitor the COVIDSafe system
The OAIC will deliver its new regulatory responsibilities to ensure the statutory privacy safeguards for COVIDSafe app data protect personal information within the COVIDSafe system.
This includes monitoring compliance with the new legislation and providing guidance and education materials to support participants in the COVIDSafe system. We will meet our reporting obligations in relation to the Commissioner’s functions and powers under Part VIIIA of the Privacy Act.
Effectively regulate the COVIDSafe system
Report on the privacy aspects of the COVIDSafe app
Strategic Priority 2: Influence and uphold privacy and information access rights frameworks: performance measures
- Outcome: The OAIC identifies, scrutinises and advances policy and legislative reform proposals. Measure: number of submissions.
- 2.2 Respond to privacy and information access enquiries from the public. Measure: time taken to finalise enquiries. Target: 90% of written enquiries are finalised within the target timeframe.
- Measure: time taken to finalise privacy complaints. Target: 80% of privacy complaints are finalised within the target timeframe.
- Ensure timely handling of notifiable data breaches (NDBs). Measure: time taken to resolve NDBs. Target: 80% of NDBs are resolved within the target timeframe.
- Measure: time taken to resolve My Health Record NDBs. Target: 80% of My Health Record NDBs are resolved within the target timeframe.
- Measure: time taken to finalise Commissioner-initiated investigations (CIIs). Target: 80% of CIIs are finalised within the target timeframe.
- 2.7 Provide merits review of FOI decisions made by Australian Government agencies and ministers. Measure: time taken to finalise IC reviews. Target: 80% of IC reviews are finalised within the target timeframe.
- Measure: time taken to resolve FOI complaints. Target: 80% of FOI complaints are resolved within the target timeframe.
* Asterisk indicates PBS measure.
Strategic Priority 3: Encourage and support proactive release of government-held information
The OAIC will continue to champion government transparency by developing initiatives that proactively provide access to government-held information. These will be aimed at making better use of government-held information to support Australians’ efficient access to information, innovation and engagement while ensuring appropriate privacy safeguards are in place.
Members of the public continue to have high expectations that government will make decisions and deliver services in an accountable and transparent way. The OAIC will continue to work to ensure that Australian Government agencies provide access to information not only on request, but proactively publish information of interest to the community.
As a result of the COVID-19 pandemic, the Australian Government has made significant decisions in relation to public health and the economy. The public’s access to information about these important government decisions, particularly through the proactive disclosure and publication of information, will support trust in government at this critical time.
The OAIC supports government accountability and transparency by delivering our functions effectively and efficiently, and by exploring and implementing strategies to meet the increasing demand for FOI reviews, complaints and guidance.
We have identified two key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 3.
Key activity 1: Develop government capability
The OAIC will continue to work with Australian Government agencies to help ensure high-quality, timely decision making under the FOI Act. The OAIC will provide guidance – through updated FOI Guidelines and regular interaction with agencies – to promote greater access to government-held information.
We will review and update our resources to assist agencies and ministers to apply the FOI Act, and actively promote the Information Publication Scheme (IPS) to support government transparency initiatives.
Publish guidance on FOI Act
Update IPS resources to support government transparency initiatives
Key activity 2: Influence information management framework
The OAIC will work with stakeholders to improve access to government information to support public participation and engagement, and to strengthen transparency and accountability.
We will engage with ministers and agencies to promote understanding of the FOI Act, and help FOI policy and practice meet the expectations of the Australian community.
We will continue to work as part of the Open Government Forum and contribute to the development of the third Open Government National Action Plan. The OAIC will engage with domestic and international counterparts to promote information access rights.
Provide policy advice to the
Contribute to development of third Open Government National Action Plan
Participate in international information access forums
Strategic Priority 3: Encourage and support proactive release of government-held information: performance measures
Strategic Priority 4: Contemporary approach to regulation
The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and being responsive to the community’s expectations of its regulatory bodies.
The OAIC is committed to developing a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice, and to take regulatory action.
Community and government expectations of regulators are shifting. Australians demand fairness and transparency from government and other entities, and regulators are expected to exercise the extent of their powers for the benefit of the community. In response, the OAIC takes a contemporary approach to the way we regulate, engaging with and being responsive to these expectations.
The regulation of privacy and information access transcends national borders. The OAIC cooperates with other regulators as we move to an increasingly global approach to regulation. Cooperation between regulators creates opportunities for the OAIC to engage with international counterparts to share information and conduct joint investigations. The benefits include efficiency, greater alignment in the international interpretation of privacy principles, and enhanced coordination for the community and regulated entities.
We have identified two key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 4.
Key activity 1: Review our regulatory approach
The OAIC will continue to review our regulatory approach to ensure it aligns with government and public expectations of domestic regulators, and that the necessary statutory powers are in place to meet those expectations. This will include the strategic consideration of all available regulatory responses to significant privacy and access to information risks in order to influence the behaviour of the regulated community.
Ensure the strategic use of regulatory tools
Engage with domestic and international counterparts
Key activity 2: Build internal capability
The OAIC will enhance internal capability in the areas of governance, information and people management. We will undertake recruitment and training in areas of emerging technical capability requirements. We will be guided by our staff capability map, together with input from the leadership group, in building our internal capability.
Develop staff capability map
Implement revised capability
Implement data management
Review work management and information management
Embed revised governance
Finalise comprehensive risk
Build and maintain internal capability
Strategic Priority 4: Contemporary approach to regulation: performance measures
- The OAIC takes a contemporary approach to regulation, utilises the suite of regulatory tools, engages with stakeholders and collaborates on policy.
- Internal capability measures cover alignment with the APS, recruitment (target: 90% of recruitment activities result in the intended outcome), use of the staff capability map to align training, and timely and accurate reporting that complies with OAIC requirements.
Commonwealth Regulator Performance Framework
Our Corporate Plan is delivered under the Public Governance, Performance and Accountability Act 2013. Many of the measures detailed in this Corporate Plan also satisfy the reporting requirements under the Commonwealth Regulator Performance Framework (RPF).
The RPF encourages regulators to carry out their functions with the minimum impact necessary, to reduce the burden of unnecessary or inefficient regulation imposed on individuals, business and community organisations; and to effect positive ongoing and lasting cultural change within regulators.
To streamline our reporting requirements, we have indicated within our measurement matrix whether a measure is also reported under the RPF, and which key performance indicators (KPIs) it relates to under the RPF.
| RPF KPI | Strategic Priority 1 indicators | Strategic Priority 2 indicators | Strategic Priority 3 indicators | Strategic Priority 4 indicators |
|---|---|---|---|---|
| 1. Reducing regulatory burden | | 2.2, 2.9, 2.10, 2.11 | 3.1, 3.2 | |
| 3. Risk-based and proportionate | | 2.5, 2.6, 2.11 | | 4.1, 4.2, 4.7 |
| 4. Efficient and coordinated | 1.1, 1.3 | 2.3, 2.4, 2.5, 2.6, 2.7, | | 4.1, 4.2, 4.7 |
| 5. Transparency | | 2.6, 2.7, 2.8, 2.9 | 3.1, 3.2 | |
| 6. Continuous improvement | 1.1, 1.2, 1.3 | 2.1, 2.8 | 3.1 | 4.3, 4.4, 4.6, 4.7 |
Corporate Plan Overview
- Strategic Priority 1: Advance online privacy protections for Australians
  ▶ Australians’ personal information is protected wherever it flows
- Strategic Priority 2: Influence and uphold privacy and information access rights frameworks
  ▶ The OAIC identifies, scrutinises and advances policy and legislative reform proposals
  ▶ Respond to privacy and information access enquiries from the public
- Strategic Priority 3: Encourage and support proactive release of government-held information
  ▶ More government-held information is published proactively
- Strategic Priority 4: Contemporary approach to regulation
  ▶ The OAIC takes appropriate regulatory action in relation to privacy and access to information risks