Publication date: August 2023

Preliminary page

Contact

Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5288
Sydney, NSW 2001
Email: corporate@oaic.gov.au
Website: www.oaic.gov.au
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask the operator to contact the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

Our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Creative commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2023–24.

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and recognises their continuing connection to lands, waters and communities. We pay our respect to Aboriginal and Torres Strait Islander cultures and to Elders past and present.

Pictured: Quandamooka woman, Elisa Jane Carmichael, who embraces traditional techniques alongside contemporary adaptations in her artistic practice.

Elisa is a descendant of the Ngugi people, one of three clans who are the traditional custodians of Quandamooka (also known as Yoolooburrabee) people of the sand and sea.

Photographer: Hannah Millerick. Location: Mparntwe Country (the Arrernte name for Alice Springs).

Commissioner’s foreword

I am pleased to present the Office of the Australian Information Commissioner (OAIC) Corporate plan 2023–24 for the 2023–24 to 2026–27 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information under the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act), and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

This year, for the first time since 2014, the OAIC will have 3 statutory office holders: the Australian Information Commissioner (as agency head), a Privacy Commissioner and a Freedom of Information (FOI) Commissioner.

In recent years we have seen the development and passage of significant legislation, the challenges presented by COVID-19 and increased community demand for access to information. This occurred against a backdrop of an exponential rise in the exchange of data, the rapid emergence of technologies that have a large impact on privacy and a strong focus on the transparency of government activity.

The appointment of a standalone Privacy Commissioner will bolster the OAIC’s ability to carry out our important statutory functions, and reflects the increasing complexity and volume of matters that are addressed by Australia’s privacy and information access regulator.

It is timely to reflect on emerging challenges and our regulatory posture as we embed the model in its contemporary form. The OAIC will undergo a Strategic Assessment in 2023 alongside our considerable business-as-usual activities. This process is to ensure the OAIC is appropriately positioned to meet the challenges of the future.

Central to the OAIC’s regulatory approach is promoting compliance and better practice by supporting agencies and organisations to build in access to information and privacy protection at the outset. The complex information environments for business and government require them to take an ‘information management by design’ approach. This is exemplified in our promotion of Privacy by Design, and through Open by Design Principles that support the proactive release of information. If implemented well, this architecture can provide a strong foundation to support proactive information management into the future.

Our privacy jurisdiction includes most Commonwealth agencies as well as the largest sectors in the economy. Our capabilities received further support in the 2023–24 Federal Budget when the OAIC was allocated an additional $44.3 million over 4 years to support privacy activities, including work responding to the increased complexity, scale and impact of notifiable data breaches, as reflected in recent large-scale breaches. In addition, the Budget allocated $9.2 million over 2 years to continue regulating privacy aspects of the Consumer Data Right (CDR), My Health Record and Digital Identity.

The increased funding to support the OAIC’s privacy regulation across the Australian economy will send a strong message that protection of Australians’ personal information must be a priority for business and government agencies. This message is consistent with the views expressed in our latest Australian Community Attitudes to Privacy Survey 2023. It also reflects the breadth of privacy issues of concern to the community as we move toward further reform of Australia’s Privacy Act 1988.

Significant data breaches have brought a renewed focus on cyber security across government, business and individuals, adding momentum to the development and implementation of the 2023–2030 Australian Cyber Security Strategy, and the OAIC will continue to contribute our expertise to strengthening the links between the strategy and the existing Notifiable Data Breaches scheme.

We will also continue to co-regulate the CDR with the Australian Competition and Consumer Commission (ACCC), focusing on preventing and addressing consumer harms and ensuring participants understand and comply with the CDR’s privacy safeguards.

The OAIC will continue to support the Open by Design principles by providing guidance to FOI practitioners alongside updated guidelines that advance the goal of information access. We will also advise on policy matters that support these objectives, and that advance the cause of timely and proactive access to information.

The review of the Information Publication Scheme (IPS) that is currently underway will help ensure agencies are taking a proactive approach to publishing information. The project, which is carried out every 5 years, is a detailed survey designed to assist agencies to gather information, analyse their operations and assess their compliance with the IPS.

In relation to Information Commissioner (IC) reviews, work continues to increase efficiencies and deal with the legacy caseload. The updating of the IC review procedure direction under Part VII of the FOI Act is designed to clarify the OAIC’s expectations of parties and create further efficiencies in the process. However, the need for appropriate government resourcing for the FOI function remains critical.

While we continue to navigate work of increasing volume and complexity across our regulatory functions, the OAIC’s vision continues to focus on public trust and confidence in the protection of personal information and access to government-held information. It is this focus that informs our key activities and priorities. We will continue to make the best use of our resources, sustain and develop our people, and take regulatory action that creates the most value for the Australian community.

The strategic assessment and a revised operating model to support the reinstatement of three Commissioners will position the OAIC to meet the regulatory challenges of the future. I look forward to what the OAIC will achieve.

Angelene Falk

Australian Information Commissioner and Privacy Commissioner

31 August 2023

Part 1: Operating context

The Office of the Australian Information Commissioner (OAIC) is an independent agency within the Attorney-General’s portfolio. Our primary regulatory functions are privacy and freedom of information (FOI). These intersect with government information policy functions. We perform all of these functions in a complex and changing domestic and global environment.

Our environment

A clear understanding of our operating environment and awareness of community expectations is imperative for the OAIC’s risk-based regulatory approach. We actively scrutinise our environment, assessing where potential community impacts are most significant, both domestically and internationally. We continue to increase our focus on regulatory cooperation by collaborating and sharing our expertise in the interests of minimising harm in the community, particularly among vulnerable groups. Our risk-based approach also means that we acknowledge which environmental factors are outside of our control and focus on those areas where we can be most effective.

Appointment of new Commissioners

The Attorney-General announced on 3 May 2023 that a standalone Privacy Commissioner would be appointed. This means the OAIC will have three statutory office holders: the Australian Information Commissioner (as agency head), a Privacy Commissioner and an FOI Commissioner.

This will bolster the OAIC’s ability to carry out our important statutory functions.

The government has advised that the Privacy Commissioner and FOI Commissioner will be appointed following a merit-based selection process.

Regulatory function growth

We continue to navigate work of increasing volume and complexity across our regulatory functions.

In recent years, the FOI area has seen growth in the number of review decisions made by agencies on FOI requests, and in FOI-related complaints. However, there are signs this growth is slowing. The OAIC provides resources and advice to agencies to support appropriate and timely decision making. The OAIC also monitors and engages with agencies regarding their adherence to statutory timeframes.

In the last year we have seen an increase in the number and scale of data breaches reported through the Notifiable Data Breaches scheme, several of which impacted the personal information of millions of Australians.

Data breaches reported to the OAIC are increasingly attributable to cyber security incidents arising from malicious or criminal attacks. They highlight the privacy risks inherent in the digital environment, and the need for entities to take a vigilant and proactive approach to meeting their privacy obligations.

Since legislative changes in December 2022, the OAIC has greater powers to share information about data breaches, obtain information about an actual or suspected data breach, and assess an entity’s compliance with the Notifiable Data Breaches scheme.

The OAIC continues to work with entities to promote compliance with the Privacy Act 1988 (Privacy Act) and to mitigate the risk of data breaches, while taking enforcement action where appropriate.

Cyber security

Significant data breaches have brought a renewed focus on cyber security among government, business and individuals. The Australian community is keenly aware of the very real risks that come with the opportunities of a digital economy.

Effective privacy regulation plays a central role in uplifting Australia’s cyber security posture. Our goal is to make Australian entities more resilient to cyber security threats by providing information on causes of data breaches and prevention strategies; advising entities that experience a breach to contain and remediate; and taking regulatory actions. This year the OAIC is also working collaboratively with other Australian regulators to understand, respond to and share information about cyber security risks and incidents efficiently and effectively.

The OAIC will continue to engage with the Australian Government as it develops and implements the 2023–2030 Australian Cyber Security Strategy, working towards its goal to make Australia the most cyber secure nation in the world by 2030. In addition to recognising and supporting measures to uplift cyber security, the OAIC will continue to advise lawmakers and policymakers to ensure cyber security reforms complement and support the existing Notifiable Data Breaches scheme, and the OAIC’s ability to exercise its powers and functions under the Privacy Act.

The OAIC has a key role to play in ensuring the personal identity of Australians is protected, and seeks to be agile in its response to the evolving nature of identity crime in Australia. As the Australian Government modernises its identity system to create strong and secure digital identities and to uplift identity resilience, we will continue to advise on privacy impacts and the implementation of appropriate privacy safeguards, as well as developing a robust regulatory framework. In addition, we will continue to assess privacy protections within the digital identity system.

Australia’s regulatory frameworks, including those within the OAIC’s remit, are a critical tool for strengthening critical infrastructure security and resilience, including from the threat of cybercrime. We will support enhanced security standards in relation to the handling of personal information as the Australian Government implements the Critical Infrastructure Resilience Strategy 2023.

Transparency initiatives

Community expectations for the release of government-held information and proactive disclosure remain strong.

Promoting proactive release alongside the right of access to government-held documents remains a focus for the OAIC. We are working to support efficient access to information while ensuring appropriate privacy safeguards are in place.

We continue to provide guidance, advice and a range of resources to FOI practitioners, ministers and government agencies to enable them to engage positively with the Freedom of Information Act 1982 (FOI Act).

Key areas of this work include the OAIC’s contribution to and membership of the Open Government Partnership (OGP) Forum. This year, the OGP Forum will reaffirm and create Australia’s Third National Action Plan (NAP3) to be developed by December 2023. NAP3 will seek to capture an ambitious plan for open government, transparency and accountability.

The OAIC continues its work in facilitating and encouraging practices that are ‘open by design’. We do so by promoting the Open by Design principles endorsed by the Australian Information Access Commissioners in September 2021 ahead of the annual recognition of International Access to Information Day (IAID).

We also highlight the important work required of agencies in developing robust digital systems. This was our theme for IAID 2022, to further strengthen the community’s access to information. The OAIC will continue this work in collaboration with Australian and New Zealand information commissioners and ombudsmen.

Digital economy

The scale and scope of technological change – including the emergence of new platforms and services – has created new ways for individuals to interact in the online environment, which has the potential to increase prevailing privacy risks and create new privacy harms. The exponential growth in the collection of personal information – combined with practices such as data sharing, tracking and monitoring – have contributed to the emergence of these risks, both in Australia and globally.

The globalised digital economy can present data security risks such as increased cyber security threats, so we need a unified regulatory approach to protect Australians’ data wherever it flows. Cooperation between global regulators promotes consistent data protection standards and the secure flow of personal information across borders. The OAIC will continue to collaborate with international regulators to influence and shape the global regulatory environment, and to promote higher standards of data protection around the globe.

It is essential that public trust and confidence in the data handling activities of government and business are in place. This makes it possible to realise the economic and social opportunities of the modern digital economy, and to ensure regulatory settings are appropriate.

The OAIC uses a range of regulatory tools to promote best practice in the handling of personal information. These tools include awareness-raising initiatives, and conducting privacy assessments and enforcement action where warranted. The OAIC has also been actively engaging with the Attorney-General’s Department to review the Privacy Act 1988 (Privacy Act) and has contributed a number of significant submissions.

Online privacy and technology

The OAIC continues to focus on regulating the online environment and technologies that have a large impact on privacy, including facial recognition technology.

On 7 March 2023, the Full Court of the High Court of Australia revoked Facebook Inc’s special leave to appeal. The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service, clearing the way for the substantive case to be heard by the Federal Court.

This recent decision follows proceedings in the Federal Court of Australia in March 2020, which alleged that the personal information of Australian Facebook users was disclosed to the ‘This is Your Digital Life’ app for a purpose other than that for which the information was collected, in breach of the Privacy Act. The Commissioner alleges that information was exposed to the risk of being disclosed to Cambridge Analytica for political profiling purposes, and to other third parties.

The OAIC will continue engaging with the Global Privacy Assembly International Enforcement Working Group to identify common concerns and opportunities for privacy enforcement cooperation and capacity building. We will also monitor, actively consider and liaise with international counterparts on emerging issues relating to high privacy impact technologies that may be appropriate to take forward to regulatory action, such as artificial intelligence and facial recognition technology. This was seen in the OAIC’s and UK Information Commissioner’s Office investigation into Clearview A.I.

Australian Community Attitudes to Privacy Survey

The Australian Community Attitudes to Privacy Survey (ACAPS) will be published this year, based on a nationally representative sample of unique respondents aged 18 years and over. ACAPS is a longitudinal survey of Australians’ perceptions of and concerns about their privacy, which helps us to collect data to assist our work across policy, compliance and communications initiatives and informs our regulatory approach.

Consumer Data Right

The Consumer Data Right (CDR) supports innovation and economic growth by providing consumers in designated sectors of the economy with greater ability to authorise access to their data within a secure system. It allows consumers to ask for their data to be securely transferred to an accredited provider in order to investigate, compare and access services more easily.

Currently operational in the banking and energy sectors, the CDR is expected to expand to include the non-bank lending sector, and work is progressing to design new CDR functionality to allow consumer-directed action and payment initiation. If introduced, this would expand the CDR from a data sharing system to one that allows consumers to authorise, manage and facilitate actions in the CDR.

As the CDR expands, our goal is to ensure the data protection and privacy framework remains robust, and that consumers continue to be protected by effective accountability mechanisms. A strong privacy and security framework is necessary not only for protecting consumers’ information, but also for maintaining public confidence in, and the integrity of, the CDR system.

We co-regulate the CDR with the Australian Competition and Consumer Commission (ACCC). The OAIC focuses on preventing and addressing consumer harm, and ensuring participants understand and comply with the CDR’s privacy safeguards. We do this by engaging with CDR participants to help them understand their privacy obligations, including by publishing guidance material, investigating complaints and assessing compliance. We also publish information about the CDR for consumers, and contribute to education and awareness strategies regarding the CDR and our role. We advise on the privacy implications of proposed amendments to and expansions of the CDR framework, including the designation of new sectors and development of new rules. Our activities ensure that consumers can be confident sharing their data within the CDR.

The OAIC will continue collaborating with the Treasury, the ACCC and the Data Standards Body to develop and maintain a robust privacy framework as the CDR expands. This includes contributing to a cyber security uplift of the CDR; supporting implementation of the Australian Government’s response to the inquiry into future directions for the CDR; and considering the Government’s response to the independent statutory review of the CDR.

Digital health

Health information is a particularly sensitive type of personal information and the assurance of privacy controls for its protection remains a priority for the OAIC this year. The COVID-19 pandemic has increased rates of digitisation and we have seen both health service providers and individuals increasingly embrace digital health technologies in the delivery of health services over the past few years. The OAIC continues to monitor developments in digital health and provide advice and guidance to ensure that privacy is a central consideration in the design and implementation of digital health initiatives.

The Information Commissioner is the independent privacy regulator for both the My Health Record system and the Healthcare Identifiers Service. In addition to our compliance and enforcement role, the OAIC performs proactive education and guidance functions to ensure these services handle health information in a way that protects individual privacy. The OAIC will continue to look for opportunities to deliver these functions innovatively, including by developing interactive tools and collaborating with our stakeholders.

The OAIC engages with government to ensure policy and legislative reforms impacting digital health services include appropriate privacy safeguards and transparency requirements, and are supported by clear oversight and reporting mechanisms. We emphasise the importance of building public trust in these reforms through strong privacy protections to ensure their success.

The OAIC is also progressing the National Health (Privacy) Rules 2021 review to ensure the rules remain fit for purpose to regulate how Australian Government agencies use, store, disclose and link Medicare Benefits Schedule and Pharmaceutical Benefits Schedule claims information. In the year ahead, the OAIC will commence public consultation on draft rules.

Credit reporting

A key objective of the Privacy Act is to facilitate an efficient credit reporting system that protects individuals’ privacy. The OAIC will continue our work in credit reporting, both through conciliating complaints and by appropriately using our regulatory powers to ensure compliance with obligations under the Privacy Act and the Privacy (Credit Reporting) Code 2014 version 2.3 (CR Code).

In the coming year, we will continue implementing the proposals from the 2021 independent review of the CR Code. We will be implementing proposals to improve overall education and awareness; proposals focused on compliance and monitoring; and proposals to raise Part IIIA issues with government. We will also be requesting that the industry code developer submit an application to vary the CR Code, giving effect to proposals from the report that require amendments to the CR Code. These amendments will include minor adjustments to ensure the smooth functioning of the CR Code, as well as significant changes that will enhance individual rights and the operation of credit reporting. One such significant change will include the introduction of a ‘soft enquiries’ framework.

As part of our work to raise Part IIIA issues with government, we will be actively participating in the statutory reviews of Part IIIA of the Privacy Act and the National Consumer Credit Protection Act 2009, which are both due to be completed before 1 October 2024.

Our capability

The OAIC will use resources strategically to achieve the greatest benefit for the community, and will continuously improve processes to ensure we perform our regulatory functions effectively and efficiently. We will strive to develop and sustain a capable, multidisciplinary workforce with a breadth of technical skills that equips us to provide guidance and advice and take appropriate regulatory action.

Our greatest asset: our people

We are committed to attracting, developing and retaining talent as we grow and maintain a highly engaged, skilled and professional workforce in an environment where there is significant competition for skills.

The People and Culture team operates in partnership with the Australian Public Service Commission, professional bodies and education providers to offer learning and development opportunities and targeted skills training to our people using hybrid delivery methods (a mixture of face to face and face to screen). The OAIC will continue to invest in ICT equipment, systems and professional development, to enable staff to work effectively at their relevant classifications, complemented by targeted professional development that broadens and enhances their knowledge and skills.

Recruitment, retention and culture

The OAIC’s recruitment methods are aligned with our hybrid work model, ensuring we engage the best talent from across Australia. This approach has strengthened our employee value proposition, offering flexibility, a geographically diverse workforce and the ability to operate as a small and agile agency that offers an employee-focused hybrid way of working.

In 2022 we developed our hybrid work model, which is guided by a set of principles and mutual commitments. By embedding hybrid work, we aim to improve staff satisfaction, retention and attraction. This supports the delivery of the OAIC’s purpose of promoting and upholding rights related to privacy and information access.

In 2023–24 the OAIC will continue to engage with the Australian Public Service (APS) and non-APS agencies to promote, support and encourage staff mobility. The APSJobs Mobility Portal, led by the Australian Public Service Commission for existing Commonwealth employees, is a key channel for this activity.

System capability

The OAIC continues to promote the efficient and effective use of information and communications technology (ICT) tools through staff information sessions and regular updates. Upgrades to our operating systems, software applications, networking components and digital devices support our work arrangements securely and efficiently. Future upgrades will be made as required to ensure the OAIC’s ICT capability meets our needs as a contemporary regulator.

To best support the learning and development of our people, the OAIC successfully implemented the Learnhub learning management system in December 2022. This system is enabling our people to undertake mandatory training, complete induction training modules and participate in courses procured from partnering providers. Learnhub is also providing the OAIC with a sound personal learning and development record management system that underpins successful learning delivery.

This year the OAIC will conduct a review of our current case and document systems to ensure the OAIC has the technology and systems to enable it to best perform its functions and powers into the future.

Our cooperation and collaboration

The OAIC works closely with a range of Australian Government agencies and other organisations, including domestic and international regulators. We also engage with integrity agencies such as the Inspector-General of Intelligence and Security, and the Commonwealth Ombudsman.

In our work resolving privacy and FOI matters and in performing our regulatory functions, the OAIC is procedurally fair, transparent and responsive in ways that are consistent with the principles of regulator best practice. Publication of OAIC priorities, guidelines and decisions provides transparency to regulated entities. The OAIC publishes high-level outcomes of conciliated privacy complaints and recommendations made in FOI complaints on its website.

Privacy regulation

Now in its second year of operation, the Digital Platform Regulators Forum (DP-REG) brings together the OAIC, Australian Communications and Media Authority (ACMA), ACCC and Office of the eSafety Commissioner to share information about, and collaborate on, cross-cutting issues and activities to address the risks and harms faced by Australians in the online environment. Members of the DP-REG continue to increase collaboration and build capacity for the forum.

The forum regularly considers how competition, consumer protection, privacy, online safety and data issues intersect. DP-REG’s strategic priorities include a focus on the impact of algorithms, efforts to increase transparency of digital platforms’ activities and strategies to protect users from potential harm. The forum helps to support a streamlined and cohesive approach to the regulation of digital platforms as we advance online privacy protection for Australians.

The OAIC has 2 memoranda of understanding with the ACCC. The first supports the co-regulation of the CDR. The second guides and facilitates collaboration, information sharing, cooperation and mutual assistance in areas other than the CDR. There is a similar memorandum of understanding in place between the OAIC and ACMA.

As the work connected with the review of the Privacy Act progresses, we will continue to bring our regulatory experience to the Attorney-General’s Department to design a privacy framework that is fit for purpose in the digital age.

We will continue to engage with the National Data Commissioner on supporting the sharing and use of government-held information under the Data Availability and Transparency Act 2022, and protecting personal information within the scheme.

As a founding member of the Cyber Security Regulator Network (CSRN), we will collaborate with the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), ACMA and the ACCC to meet the challenges posed by the current environment. The CSRN will work to reduce duplication or gaps in regulatory responses and improve the effectiveness and efficiency of regulatory activity.

The OAIC will provide relevant and constructive advice to government on a range of national reforms that impact privacy, including digital identity, cyber security and online government services. Our advice will focus on ensuring these reforms preserve and raise standards in relation to the handling of personal information. We also work to improve privacy protections and promote best practice with agencies such as the Australian Digital Health Agency, Services Australia, the Department of Home Affairs and the Department of Health and Aged Care.

The OAIC also cooperates with state and territory privacy regulators to share information and insights through the Privacy Authorities Australia group.

Access to information

The OAIC assists Australian Government agencies and ministers to improve processes and increase knowledge and understanding of the FOI Act, including through Information Contact Officers Network events.

The OAIC will update the Directions related to certain procedures to be followed in Information Commissioner reviews under Part VII of the FOI Act. The changes in the updated Directions are intended to clarify expectations and increase efficiencies with a view to resolving IC reviews in a more timely and cost-effective way.

During 2023, a senior Commonwealth FOI leadership group was established, comprising Senior Executive Service (SES) Band 1 officers. A key purpose of the senior leadership group is to foster greater whole-of-government leadership in the area of information access, with a view to improving the administration of the FOI Act and giving effect to the FOI Act’s pro-disclosure objectives. Matters discussed at meetings include showcasing best practice and innovation, and discussing information access issues and practices across agencies.

The OAIC also actively collaborates with other domestic information access regulators through the Association of Information Access Commissioners (AIAC), which promotes best practice in information access policies and laws across Australia and New Zealand.

Information Publication Scheme review

We continue to promote proactive release of information through the Information Publication Scheme (IPS) under the FOI Act, and through informal release of information as part of administrative access processes.

In June 2023, the OAIC commenced work on the IPS review. This Commonwealth review of agency and Ministers’ Office compliance with the IPS is a significant review conducted by the Information Commissioner every 5 years.

Agencies have an ongoing compliance obligation under the IPS, as set out in s 9 of the FOI Act. As part of the review, the OAIC will work alongside agencies and Ministers to help agencies meet their IPS obligations. The project will involve a detailed survey, designed to assist agencies to gather information and analyse their operations and compliance with the IPS. This will also enable a comparative analysis of previous IPS surveys carried out in 2012 and 2018.

International cooperation

Cooperation and collaboration with other data protection authorities around the world enables the OAIC to effectively regulate Australia’s privacy and information access landscape by keeping us informed about trends and developments in other jurisdictions. Engagement with the international community is essential to ensuring that domestic frameworks are fit for purpose and aligned with best practice.

The OAIC works with international regulators to share knowledge, exchange information and address challenges relating to data protection, privacy and information access. This work includes our involvement in the Global Privacy Assembly (GPA) and the International Conference of Information Commissioners (ICIC).

We take a leading role in global privacy issues, through our role as co-chair of the GPA Digital Citizen and Consumer Working Group. We remain active at the forefront of common challenges facing regulators through our membership of the GPA International Enforcement Working Group and participation in its Cyber Security subgroup.

The OAIC’s engagement in the GPA supports our objective of protecting Australians’ personal information globally. We also engage with other international regulators through forums such as the Asia Pacific Privacy Authorities forum, the Global Privacy Enforcement Network and the Common Thread Network.

Established memoranda of understanding with the UK Information Commissioner’s Office, Irish Data Protection Commission and Personal Data Protection Commission of Singapore are essential for identifying opportunities for regulatory and enforcement cooperation, information sharing and joint investigations.

The OAIC is active in promoting information access rights internationally, as a member of the International Conference of Information Commissioners and through our work with agency peers. We will continue to assist emerging jurisdictions to develop FOI capability and fit-for-purpose frameworks by sharing experience and best practice.

This includes continuing engagement at the regional and international level to discuss information access developments and promote Open by Design principles. This builds on our prior engagement with members of the ICIC and UN programs to support Pacific Island countries to strengthen their national integrity systems.

Risk oversight and management

The OAIC’s well-established risk approach and systems of risk oversight and management help staff across the agency to manage risks in accordance with the:

  • Public Governance, Performance and Accountability Act 2013 (PGPA Act)
  • Commonwealth Risk Management Policy
  • Work Health and Safety Act 2011
  • Commonwealth Fraud Control Framework
  • OAIC Risk Management Policy and Framework.

Positive risk management culture

The OAIC supports the continuous development of a positive risk culture in which staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Our risk culture drives innovation, and helps us manage threats, embrace opportunities, and empower our staff to make informed, risk-based decisions.

Effective risk management is embedded into the OAIC’s everyday practices, procedures and governance, which helps to ensure we take a consistent approach across all areas of the OAIC and our operations. Risk is managed by investing in the skills of our people, who are supported by governance frameworks, policies and technology to identify and manage risk.

Risk management framework

The OAIC Risk Management Policy and Framework details our approach to risk management and is supported by the following to create the agency’s robust and holistic approach to risk management:

  • OAIC Risk Appetite Statement
  • Domain Risk Assessments – Information Access and Privacy
  • Risk Assurance Map
  • Enterprise, Branch, Program and Function Risk Profiles
  • OAIC Business Continuity Plan
  • OAIC Fraud Control Plan
  • Work Health and Safety policies and procedures
  • OAIC Risk Control Testing Plan and Schedule.

The Chief Risk Officer and Director, Governance and Risk oversee risk management, risk capability and risk culture across the OAIC, and provide regular reporting to the accountable authority, Audit and Risk Committee, and the Operations and other governance committees regarding current and emerging risks, threats and opportunities.

As part of the Risk Management Policy and Framework, OAIC staff use a risk matrix to assess, report and escalate risk as a way of achieving a considered and consistent approach to risk management oversight, control and accountability.

Risk appetite

Our risk appetite is the amount and type of risk the OAIC is prepared to accept in pursuit of our objectives. As an agency, we identify and manage risk in the context of our overall regulatory requirements and performance, aligned with our risk appetite, to embrace opportunities, deal with threats, foster innovation and build a strong risk culture across the OAIC.

The OAIC acknowledges that risk is a part of our operational posture and necessary to maximise outcomes for the Australian community. We encourage prudent risk taking and, should circumstances warrant, higher levels of risk may be tolerated with appropriate consideration, Executive endorsement, monitoring and review. Our appetite and tolerances for risk are defined in our Risk Appetite Statement.

Risk mitigation

The OAIC has defined enterprise risks and ensures we have risk mitigation strategies for all major projects, programs and functions. We have developed risk profiles that identify risk owners, current controls, risk ratings, control effectiveness and future treatment priorities. Risk profiles assist the Executive, governance committees and agency staff to make risk-based, informed decisions. This is supported through a structured risk review process, conducted at least monthly or when risks change or emerge, whereby risk profiles are regularly reviewed and updated so they evolve with the dynamic risk environment and as the OAIC’s risk controls mature.

In response to the hybrid working environment of the OAIC, the agency has updated its Business Continuity and Response Plan, Emergency Response Procedures and Work Health and Safety policies, to ensure risks are identified and mitigated to protect staff safety, health and wellbeing, and to support business continuity.

The OAIC is proactive in its identification of risk and mitigation activities. This is demonstrated in our suite of documents that support our ongoing management of risks and responsibilities of the OAIC under the Protective Security Policy Framework and Commonwealth Fraud Control Framework, with designated risk profiles and oversight by specialised governance committees such as the Security Governance Committee.

In 2023, we developed a comprehensive plan and schedule for a risk control testing program, to provide greater assessment and clarity around the effectiveness of individual risk controls in place for identified enterprise and function-based risk profiles. The outcomes of this testing identify opportunities to strengthen existing controls, and prioritise implementation of future controls to mitigate risks faced by the agency.

Audit and Risk Committee

The OAIC has an Audit and Risk Committee and an internal audit program to provide specialised and independent advice on the appropriateness of the OAIC’s performance and financial responsibilities, system of risk oversight and management, and system of internal control. The Audit and Risk Committee reviews whether the agency has a current and appropriate risk management framework, as well as the necessary controls to allow timely and effective identification and management of agency risks.

The committee meets quarterly and assists the Australian Information Commissioner with discharging statutory responsibilities by reporting directly to the Commissioner and providing independent advice. The committee has an independent chair and 2 independent members.

Our enterprise risks

Risk management is an important part of our compliance with the PGPA Act. The OAIC Enterprise Risk Profile helps us to understand and manage the high-level risks that may threaten, or present an opportunity to, the delivery of our operations. It is designed to provide a high-level, overarching view of the OAIC’s enterprise risk environment. Project- and program-level risks are captured and escalated through subject-specific risk profiles and governance processes.

In October 2022, the OAIC held a series of risk workshops to review the OAIC’s enterprise risks, attended by risk owners and staff who have risk management oversight responsibilities.

The following table outlines some of our key enterprise risks and internal controls. The OAIC continues to regularly review these enterprise risks to ensure they remain current and aligned with the changing risk environment, and that appropriate controls are in place to manage emerging risks.

Table 1.0: Enterprise risks and risk management strategies

Columns: Risk category | Enterprise risk | Risk tolerance | Risk management strategies

Risk category: Our people
Enterprise risk: The OAIC is able to attract, grow and retain its people.
Risk tolerance: Low
Risk management strategies:
  • Internal and external secondment opportunities.
  • In-house recruitment specialist.
  • Comprehensive induction program.
  • Hybrid working environment supported by underpinning Hybrid Working Principles and policies.
  • Diversity Committee initiatives.
  • Work Health and Safety policies.
  • Effective internal communication.
  • Engagement with staff through consultation forums, staff meetings, status surveys and exit interviews.
  • Learning and Development Program.
  • Support for professional association and certification for staff.

Risk category: Focus on outcomes
Enterprise risk: The OAIC is able to strategically prioritise its work to deliver statutory functions.
Risk tolerance: Medium
Risk management strategies:
  • Strategic and corporate planning processes.
  • Publication of regulatory priorities.
  • Reporting to Operations Committee and Executive Committee.
  • Effective team planning and workflow management.
  • Regulatory committees provide advice on regulatory landscape.

Risk category: Focus on outcomes
Enterprise risk: The OAIC contributes to increased trust and confidence in privacy and information access.
Risk tolerance: Low
Risk management strategies:
  • Publication of Commissioner decisions and complaints outcomes.
  • Publication of regulatory priorities.
  • Inter-agency cooperation and coordination.
  • Exercise of various regulatory functions and powers.
  • Public awareness campaigns and stakeholder communications.
  • Redesign of the OAIC Performance Measurement Framework.

Risk category: Good governance and structure
Enterprise risk: The OAIC is agile, responsive and risk-informed.
Risk tolerance: Low
Risk management strategies:
  • Governance committees informed by data analysis.
  • Monitoring of parliamentary, media, domestic, internal, and advice capability.
  • Strategic planning.
  • Workflow management informed by business reporting systems and process review.
  • Designated Business Analytics and Reporting Data team.

Risk category: Focus on outcomes
Enterprise risk: The OAIC has quality regulatory processes, systems and products.
Risk tolerance: Low
Risk management strategies:
  • Information management policy and resources.
  • Sophisticated technical and network systems to support information handling and storage.
  • Internal review and update of systems and processes.
  • Controlled document framework.
  • Continuous improvement of systems and processes.

Risk category: Community centric and stakeholder focused
Enterprise risk: The OAIC is able to build and maintain strong influence and positive relationships.
Risk tolerance: Low
Risk management strategies:
  • Exercise of various regulatory functions and powers.
  • Active participation in domestic and international forums.
  • Effective management of stakeholder relationships.
  • Media monitoring and response.
  • Performance measurement framework that evaluates stakeholder views.

Risk category: Good governance and structure
Enterprise risk: The OAIC has robust governance.
Risk tolerance: Low
Risk management strategies:
  • Numerous established governance and specialist committees.
  • Reporting framework business intelligence.
  • Independent internal audit program.
  • Controlled document framework.
  • Legislative compliance framework.
  • Specialist boards and committees for significant projects or programs.
  • Performance measurement framework.
  • Designated Governance and Risk team.

Risk category: Our people
Enterprise risk: The OAIC is a safe and healthy working environment.
Risk tolerance: Low
Risk management strategies:
  • Work Health and Safety policies and procedures.
  • Health, safety, diversity and wellbeing committees.
  • Hazard Inspection Program.
  • Physical security arrangements and Protective Security Policy Framework.
  • Employee Assistance Program.
  • Internal communication and engagement.
  • Psychosocial Hazard Prevention Plan.

Risk category: Good governance and structure
Enterprise risk: The OAIC protects the information entrusted to it.
Risk tolerance: Low
Risk management strategies:
  • Information management policy and procedures.
  • Protective Security Policy Framework.
  • Privacy Management Plan system controls.
  • Mandatory annual privacy and security training for all OAIC staff.
  • Protected ICT network.
  • Data Breach Response Plan.
  • Appointment of Chief Information Officer, Chief Information Governance Officer, Chief Security Officer, Chief Privacy Officer and Agency Security Advisor.
  • Information security audits and reviews.

Risk category: Focus on outcomes
Enterprise risk: The OAIC meets expectations for contemporary regulation.
Risk tolerance: Low
Risk management strategies:
  • Proportionate regulatory action taken in line with published policies.
  • Proactive engagement with stakeholders.
  • Collaboration with other domestic and international regulators.
  • Active media campaigns and response to media enquiries.
  • Guidance on emerging issues.

Governance

The OAIC is committed to transparency, accountability and good governance. We review our governance framework regularly and following substantial changes in our operating environment. This responsiveness ensures that our framework delivers effective and efficient governance, and is structured in a way that supports the committees to identify and respond to strategic issues.

Our governance framework facilitates informed and timely decision making, and supports the oversight of risk management, legislative requirements, regulatory posture and systems of internal control. This impactful and efficient governance structure enables the OAIC to achieve our objectives and meet our performance targets.

Regulatory Action Committee (RAC)

The RAC advises the Information Commissioner on significant, or potentially significant, emerging privacy risks. The RAC makes recommendations for regulatory action to inform the Information Commissioner's exercise of functions or powers.

Health, Safety and Wellbeing Committee

This committee facilitates cooperation between the person conducting a business or undertaking (PCBU) and workers when instigating, developing and carrying out measures designed to ensure the workers’ health and safety at work. This work is to ensure compliance with WHS legislative standards and requirements and make sure workplace inspections are carried out.

Security Governance Committee

The Security Governance Committee supports the OAIC Chief Security Officer to understand the agency’s security risks and determine appropriate mitigation strategies; monitor performance of the OAIC against the requirements of the Protective Security Policy Framework; and provide assurance to the accountable authority that the OAIC is meeting its security obligations.

Information Governance Committee

This committee ensures a consistent, systematic and enterprise-wide approach to managing information assets. It is responsible for enterprise-wide record, information and data matters.

OAIC Consultative Forum

This forum facilitates consultation between the OAIC, employees and, where they choose, employees’ representatives. It considers issues relating to implementing the Enterprise Agreement 2016–2019; policies and guidelines for working arrangements; and other matters affecting the working arrangements of OAIC employees.

OAIC Diversity Committee

The OAIC Diversity Committee prepares the OAIC’s Workplace Diversity Strategy, implements actions under the OAIC’s annual Multicultural Access and Equity Plan, and champions diversity and multicultural activities across the OAIC to promote a fair, inclusive and productive workplace.

Part 2: Our vision, purpose and key activities

This corporate plan describes the key enabling factors that will help us achieve our vision.

Our purpose: To promote and uphold privacy and information access rights

Our vision: To increase public trust and confidence in the protection of personal information and access to government-held information

Guiding principles:

Engaged – We are active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community

Targeted – We allocate resources efficiently, taking appropriate action in responding to risk and public expectations of Commonwealth regulators

Expert – We are a trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance

Independent – We are professional by nature, and fair and impartial by application

Agile – We are collaborative in our response to changes in technology, legislation and the expectations of the community and government.

Key activity 1

Influence and uphold privacy and information access rights frameworks

The Office of the Australian Information Commissioner (OAIC) is responsible for a wide range of regulatory functions and powers under the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988 (Privacy Act). We also regulate the privacy aspects of the Consumer Data Right (CDR).

The OAIC regulates the community’s access to government-held information under the Freedom of Information Act 1982 (FOI Act). Our freedom of information (FOI) function includes conducting independent merit reviews of FOI decisions made by Australian Government agencies and ministers, and investigating complaints about actions taken by Australian Government agencies under the FOI Act.

The OAIC monitors the FOI system using a range of methods including analysing agency statistics, Information Commissioner review applications and complaints, and monitoring extension of time applications, vexatious applicant declarations, and the Information Publication Scheme (IPS) review to inform education and regulatory activity. The OAIC promotes timely and proactive access to information when making decisions about extensions of time, issuing guidelines under s 93A of the FOI Act, and providing practical guidance, including in relation to the IPS.

We also regulate the handling of personal information by Commonwealth agencies and certain organisations under the Privacy Act. Many privacy complaints are appropriately addressed through our early resolution and conciliation processes, or through recognised external dispute resolution schemes. Others are formally investigated and may result in declarations or other regulatory action.

We are notified of eligible data breaches and conduct privacy investigations that are commenced by the Commissioner in the absence of a complaint.

We continue to respond to the increased complexity, scale and impact of these matters, and have established a Major Investigations Branch to meet these challenges. This work sends a strong message that the protection of personal information must be a priority for organisations and government agencies.

We conduct assessments to ensure entities meet their privacy obligations, which involves identifying and making recommendations to address privacy risks and areas of non-compliance. We regulate the privacy aspects of the CDR, which provides consumers with greater access to and control over their data, and improves consumers’ ability to compare and switch between products and services.

Our CDR regulation is underpinned by coordinated compliance and enforcement activities with the Australian Competition and Consumer Commission (ACCC). The objective of our approach is to ensure that consumers can trust the security and integrity of the CDR. Consumers must be confident the CDR works as intended and that the regulatory framework put in place will protect their interests.

We will continue to collaborate with Treasury, the ACCC and the Data Standards Body to ensure that the fundamental privacy protections that are central to consumer trust and confidence in the CDR are maintained. We will issue updated privacy safeguard guidelines and advice on the CDR as it expands.

The OAIC will continue to advise on the privacy aspects of the My Health Record system and respond to risks identified through enquiries and complaints, privacy assessments and mandatory data breach notifications relating to the My Health Record system.

Our activities aimed at ensuring Australia’s frameworks are fit for the purpose of protecting Australians’ personal information will be achieved through the review and updating of statutory instruments for which we have regulatory responsibility. We also have an ongoing commitment to monitoring activities and advising agencies that are developing laws, programs or policies that affect privacy.

We will engage with organisations and agencies through multiple channels, including consultations, meetings, our Information Contact Officers Network and Information Matters newsletters, annual Privacy Awareness Week and International Access to Information Day campaigns, and privacy educative activities.

Key activity 2

Advance online privacy protection for Australians

The OAIC will advance online privacy protections for Australians to support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation and raising awareness of online privacy protection frameworks.

The Digital Platform Regulators Forum (DP-REG), in which the OAIC was a founding member alongside the ACCC, Australian Communications and Media Authority (ACMA) and Office of the eSafety Commissioner, will continue to focus on assessing the impact of algorithms, improving digital transparency, and increasing collaboration and capacity building between the 4 members.

The OAIC will continue to prioritise regulatory action to address the harms arising from the practices of online platforms and services that impact individuals’ choice and control, either through opaque information sharing practices or in the terms and conditions of service. Through the DP-REG we will also seek to understand the benefits, risks and harms of generative artificial intelligence and how it intersects with our regulatory activities.

The OAIC will continue to contribute to the Australian Government’s privacy law reform program, conscious of the need to support a thriving digital economy while minimising privacy risks for the community.

We will continue to focus on increasing awareness of privacy risks and providing guidance to individuals, organisations and agencies about how to protect personal information online. The most visible demonstration of this is Privacy Awareness Week, a national event supported and promoted through Privacy Authorities Australia and the Asia Pacific Privacy Authorities forum. Each year, the event raises awareness about the importance of protecting personal information among agencies, businesses and consumers, via events, speeches and educational materials.

The OAIC is prioritising collaboration and engagement with domestic and international regulators to collectively enhance our effectiveness at addressing the complex, new and emerging features of cybercrime. These networks provide a forum for sharing information on emerging risks, and on prevention and response to cyber incidents impacting privacy. We have used and will continue to use the amendments to privacy legislation, through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, to exercise our greater enforcement and information sharing powers.

Our membership of the Global Privacy Assembly, Asia Pacific Privacy Authorities forum and Global Privacy Enforcement Network gives us a platform for influencing the development of globally interoperable and consistently high standards of privacy regulation. Through these bodies we share knowledge, exchange ideas and identify solutions to emerging issues, covering matters such as uses of artificial intelligence and technologies that pose a high privacy risk. Our leadership on the Digital Citizen and Consumer Working Group places us at the forefront of developments in cross-regulatory collaboration and intersections between privacy and other regulatory spheres.

The OAIC will also actively consider opportunities to engage in joint regulatory actions, including cross-border investigations. This willingness is demonstrated through our joint investigation into the personal information handling practices of the Latitude group of companies (Latitude) with the New Zealand Office of the Privacy Commissioner, announced on 10 May 2023.

The decision to pursue joint regulatory action in this case follows preliminary inquiries into the matter by both offices and is the first joint privacy investigation by Australia and New Zealand, reflecting the impact of the data breach on individuals in both countries.

Key activity 3

Encourage and support proactive release of government information

The OAIC will continue to promote a proactive approach to the publication of government-held information. We will focus on efficient access to information and facilitate innovation and engagement while ensuring privacy is protected.

A key focus for the OAIC in 2023–24 is the 5-yearly IPS review.

We continue to promote proactive release of information through the IPS under the FOI Act and informally releasing information through administrative access processes.

In June 2023, we commenced work on the latest 5-yearly IPS review. This review of agency and Ministers’ Office compliance is a significant step in assessing compliance with the IPS and assisting agencies to determine their current IPS concerns.

Agencies have an ongoing compliance obligation under the IPS, as set out in section 9 of the FOI Act. The review will be conducted alongside agencies and Ministers, working directly with agencies to help them meet these obligations. The project will be conducted through a detailed survey, designed to assist agencies to gather information and analyse their operations and compliance with the IPS. The review will also enable a comparative analysis of previous IPS surveys carried out in 2012 and 2018.

The OAIC actively collaborates with other domestic information access regulators through the Association of Information Access Commissioners (AIAC), which promotes best practice in information access policies and laws across Australia and New Zealand.

Australians expect government to make decisions and deliver services in an accountable and transparent way. The OAIC actively works with agencies, providing guidance, education and information, not only on request, but by proactively publishing information of interest to the community.

Government-held information is a national resource that should be managed for public purposes. Increased scrutiny and participation in government processes promotes better decision making. Through our regulatory functions – including Information Commissioner reviews, investigations of FOI complaints, monitoring of agency information access statistics and consideration of extension of time applications – we gain insight into emerging information access trends within our regulatory environment.

The timely release of government-held information, with a focus on quality decision making and proactive release of information, is consistent with the objects of the FOI Act and supports participative democracy. The OAIC will continue to focus on the need for agencies to make timely decisions and encourage proactive disclosure of information, to increase transparency and support an efficient FOI system.

The OAIC does this by improving the delivery of Information Commissioner review functions, with a view to providing timely reviews and improving agencies’ and ministers’ decision making through guidance as set out in review decisions; reviewing key guidelines that can facilitate a pro-disclosure approach; and ensuring that agencies make sound and timely decisions including through intervening early in the Commissioner’s review of deemed access refusals; investigating complaints; and considering applications for extension of time.

We will continue to support an approach within agencies and the offices of Australian Government ministers to facilitate and promote the public’s ability to access information quickly and at the lowest reasonable cost.

The OAIC will engage with agencies and ministers to promote understanding of the FOI Act and to ensure that FOI practice is consistent with the legislation and meets the expectations of the community. We will develop capability by providing guidance, including new and updated resources on our website.

We will participate in implementing the third Open Government National Action Plan and the Open Government Partnership initiative. Our ability to promote access to information rights is bolstered by our strong relationships with both domestic and international regulators. We also assist emerging FOI jurisdictions with the aim of building transparency both nationally and internationally.

Key activity 4

Take a contemporary approach to regulation

  • In order to engage with and be responsive to the community’s expectations of our regulatory bodies, the OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws.
  • The OAIC is committed to developing a skilled, multidisciplinary workforce that is supported by the tools needed to deliver our regulatory role in a dynamic and targeted manner.

As a regulator, we must discharge our functions and exercise our powers fairly, transparently and in the public interest. We use data and other evidence-based methods to assess risk, and use appropriate regulatory tools to address privacy and information access issues.

We discharge our regulatory functions by assessing and resolving complaints, conducting investigations, making findings and declarations, and taking enforcement action, as appropriate. By providing advice and guidance through our education and assessment activities, we support entities to demonstrate best practice in their handling of information.

Our approach to exercising regulatory powers in relation to privacy and FOI matters is articulated in policies and guides. We routinely review our regulatory approach to ensure that it aligns with government and community expectations.

The OAIC has identified 4 areas for regulatory focus in 2023–24:

  • Online platforms, social media and high privacy impact technologies
  • Security of personal information
  • Ensuring the privacy safeguards in the Consumer Data Right are effectively implemented by participants
  • The timely and proactive release of government-held information.

In discharging our regulatory functions, we adhere to the following principles of regulatory best practice:

  1. Continuous improvement and building trust – adopting a holistic view, continuously monitoring and seeking to improve our performance, capability and culture, and building trust and confidence in our regulatory functions.
  2. Adopting a risk-based and data-driven approach to our activities – to manage risks proportionally and maintain essential safeguards by leveraging data, evidence-based methods and digital technology, to support our activities and reduce administrative burden on those we regulate.
  3. Collaboration and engagement – being transparent and responsive to the needs of the community and those we regulate, genuinely engaging with and seeking feedback from our stakeholders on our performance, and implementing regulation in a modern and collaborative way.

The OAIC will monitor our performance against the principles of regulatory best practice through our performance measurement framework – specifically measures 4.1, 4.2 and 4.3.

The Attorney-General issued the OAIC with a Ministerial Statement of Expectations in March 2023. It outlines the Government’s expectations of how the OAIC will achieve our objectives, carry out our functions and exercise our powers. It can be found on our website.

In June 2023 the OAIC responded to the Statement of Expectations with a Statement of Intent. It outlines how the OAIC intends to meet those expectations, including how it will demonstrate progress. It can be found on the OAIC website.

Part 3: Performance measurement framework

Our performance measurement framework describes how we will measure our progress towards achieving our mission and purpose through:

  • key activities that describe our key functions and areas of work
  • intended results that describe the impact, difference or results we want to achieve in relation to our key activities
  • performance measures we use to evaluate our progress towards the intended results
  • targets that describe the results we are aiming for in each performance measure
  • methodologies and data sources that describe how our performance information is collected, analysed and reported.

To assess achievement against our key activities we use a mix of output, effectiveness and efficiency measures. This aims to achieve an appropriate balance in our reported performance information and enables an unbiased assessment of our results at the end of the performance cycle.

Additionally, the OAIC commissioned an independent research company to survey stakeholders about how we are performing on key measures listed in our 2022–23 Corporate Plan to set a baseline for future performance measurement. Feedback from the survey will provide input into the 2022–23 Annual Performance Statement.

Our measures are of the following types:

  • Output measures assess the quantity and quality of the goods and services produced by an activity.
  • Effectiveness measures assess whether the activities have had the intended impact.
  • Efficiency measures assess the cost of producing a unit of output. Measuring efficiency within the OAIC is difficult given the nature of our outputs, which are not standardised. Accordingly, we have used proxy efficiency measures based on enquiry resolution times.

The Office of the Australian Information Commissioner (OAIC) Performance Management Framework is reflected in our Portfolio Budget Statement 2023–24.

Key activity 1

Influence and uphold privacy and information access rights frameworks

The OAIC has a wide range of regulatory functions and powers under the Privacy Act 1988 (Privacy Act) and other laws. We continue to exercise our powers and perform our functions to promote and protect the privacy of individuals.

The OAIC also regulates the privacy aspects of the Consumer Data Right (CDR). The OAIC will continue to work collaboratively with the Australian Competition and Consumer Commission (ACCC) to ensure the ongoing and effective regulation of the CDR. As the CDR continues to develop, the OAIC will promote the inclusion of privacy protections that are central to consumers’ trust and confidence in the CDR. The OAIC will continue to develop and update guidance for CDR participants and consumers about their privacy obligations and rights.

The OAIC promotes access to government-held information through the regulation of the Freedom of Information Act 1982 (FOI Act) and our role in information policy. The OAIC will continue to perform our regulatory functions and promote the rights of all members of the community to access government-held information.

The OAIC will continue to engage with and influence the global privacy dialogue to support interoperable and globally consistent data protection frameworks.

Intended result 1.1: The OAIC’s activities support the effective regulation of the Consumer Data Right

Performance measure 1.1: Effectiveness of the OAIC’s contribution to the regulation of the Consumer Data Right as measured by stakeholder feedback
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Prior year’s result exceeded
  26–27 target: Prior year’s result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Intended result 1.2: The OAIC’s regulatory outputs are timely

Performance measure 1.2.1: Time taken to finalise privacy complaints
  Targets (23–24 to 26–27, each year): 80% of privacy complaints are finalised within 12 months
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.2: Time taken to finalise privacy and FOI Commissioner-initiated investigations (CIIs)
  Targets (23–24 to 26–27, each year): 80% of CIIs are finalised within 12 months
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.3: Time taken to finalise Notifiable Data Breaches (NDBs)
  Targets (23–24 to 26–27, each year): 80% of NDBs are finalised within 60 days
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.4: Time taken to finalise My Health Record notifications
  Targets (23–24 to 26–27, each year): 80% of My Health Record notifications are finalised within 60 days
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.5: Time taken to finalise Information Commissioner reviews of FOI decisions made by agencies and Ministers
  Targets (23–24 to 26–27, each year): 80% of IC reviews are finalised within 12 months
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.6: Time taken to finalise FOI complaints
  Targets (23–24 to 26–27, each year): 80% of FOI complaints are finalised within 12 months
  Methodology/data source: OAIC information management system
  Type: Output

Performance measure 1.2.7: Time taken to finalise written privacy and information access enquiries from the public
  Targets (23–24 to 26–27, each year): 90% of written enquiries are finalised within 10 working days
  Methodology/data source: OAIC information management system
  Type: Output

Key activity 2

Advance online privacy protection for Australians

The OAIC will advance online privacy protections for Australians and minimise the risks of technologies that have a high privacy impact. In doing so we will support engagement in the Australian digital economy, influence the development of legislation, apply a contemporary approach to regulation (including through collaboration) and raise awareness of online privacy protection.

Intended result 2: The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community

Performance measure 2.1: Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice as measured by stakeholder feedback
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Prior year’s result exceeded
  26–27 target: Prior year’s result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Key activity 3

Encourage and support timely disclosure of government information

The OAIC will continue to promote a proactive approach to the publication of government-held information. We will focus on making better use of government-held information to support efficient access to information and facilitate innovation and engagement while ensuring privacy is protected.

Intended result 3: The OAIC’s activities support Australian Government agencies to provide quick access to information requested and at the lowest reasonable cost, and proactively publish information of interest to the community

Performance measure 3.1: Percentage of OAIC recommendations accepted by agencies following FOI complaint investigations
  Targets (23–24 to 26–27, each year): 90%
  Methodology/data source: OAIC information management system
  Type: Effectiveness

Performance measure 3.2: Effectiveness of the OAIC’s advice and guidance on FOI obligations and the Information Publication Scheme in supporting government agencies to provide public access to government-held information, as measured by stakeholder feedback
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Baseline result exceeded
  26–27 target: Baseline result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Key activity 4

Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and responding to the community’s expectations of Australia’s regulatory bodies.

Intended result 4: The OAIC’s approach to its regulatory role is consistent with better practice principles

Performance measure 4.1: Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Prior year’s result exceeded
  26–27 target: Prior year’s result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Performance measure 4.2: Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate collaboration and engagement
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Prior year’s result exceeded
  26–27 target: Prior year’s result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Performance measure 4.3: Stakeholder assessment of the extent to which the OAIC’s regulatory activities are based on risk and data
  Metric: Average performance rating from stakeholders based on a composite survey-based performance index
  23–24 target: 2022–23 baseline result exceeded
  24–25 target: Prior year’s result exceeded
  25–26 target: Prior year’s result exceeded
  26–27 target: Prior year’s result exceeded
  Methodology/data source: Annual stakeholder survey conducted by an independent professional provider
  Type: Effectiveness

Performance measure 4.4: Number of stakeholder engagement activities
  Metric: Number of activities delivered via different engagement mechanisms
  Targets (23–24 to 26–27, each year): Targets not appropriate due to fluctuations in nature and complexity of policy environment in any given year
  Methodology/data source: Data snapshot demonstrating key formal engagements supplemented by case studies to demonstrate breadth, variety and effectiveness of engagement activities and modes of delivery
  Type: Effectiveness

Performance measure 4.5: Average call duration of telephone enquiries to the OAIC public enquiry line
  23–24 target: Lower than baseline result
  24–25 target: Lower than prior year’s result
  25–26 target: Lower than prior year’s result
  26–27 target: Lower than prior year’s result
  Methodology/data source: OAIC information management system
  Type: Efficiency

Alignment between PBS 2023–24 and Corporate Plan 2023–24

The following table describes the alignment between our outcome and program structure described in the PBS, and our corporate plan purposes and key activities.

Outcome statement (PBS 2023–24): Outcome 1: Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.

Program (PBS 2023–24): Program 1.1: Complaint handling, compliance and monitoring, and education and promotion.

Purposes (Corporate Plan 2023–24): To promote and uphold privacy and information access rights.

Key activities (Corporate Plan 2023–24):

  • Influence and uphold privacy and information access rights frameworks
  • Advance online privacy protections for Australians
  • Encourage and support proactive release of government information
  • Take a contemporary approach to regulation.

Performance measures and performance indicators

We will measure our performance in 2023–24 against our set of 16 indicators grouped by 4 key activities.

1. Influence and uphold privacy and information access rights frameworks

Intended result 1.1: The OAIC’s activities support the effective regulation of the Consumer Data Right (CDR)

1.1 Effectiveness of the OAIC’s contribution to the regulation of the Consumer Data Right as measured by stakeholder feedback.

Intended result 1.2: The OAIC’s regulatory outputs are timely

1.2.1 Time taken to finalise privacy complaints

1.2.2 Time taken to finalise privacy and Freedom of Information (FOI) Commissioner-initiated investigations (CIIs)

1.2.3 Time taken to finalise notifiable data breaches (NDBs)

1.2.4 Time taken to finalise My Health Record notifications

1.2.5 Time taken to finalise Information Commissioner reviews of FOI decisions made by agencies and Ministers

1.2.6 Time taken to finalise FOI complaints

1.2.7 Time taken to finalise written privacy and information access enquiries from the public.

2. Advance online privacy protections for Australians

Intended result 2: The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community

2.1 Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice as measured by stakeholder feedback.

3. Encourage and support proactive release of government information

Intended result 3: The OAIC’s activities support Australian Government agencies to provide access to information on request promptly and at the lowest reasonable cost, and to proactively publish information of interest to the community

3.1 Percentage of OAIC recommendations made after FOI complaint investigations that have been accepted by agencies

3.2 Effectiveness of OAIC’s advice and guidance on FOI obligations and the Information Publication Scheme (IPS) in supporting government agencies to provide public access to government-held information, as measured by stakeholder feedback.

4. Take a contemporary approach to regulation

Intended result 4: The OAIC’s approach to its regulatory role is consistent with better practice principles

4.1 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust

4.2 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate collaboration and engagement

4.3 Stakeholder assessment of the extent to which the OAIC’s regulatory activities are risk based and data driven

4.4 Number of stakeholder engagement activities

4.5 Average call duration of telephone enquiries to the OAIC public enquiry line.