About the OAIC

Last updated: 20 August 2025

Message from the Information Commissioner

Elizabeth Tydd, Australian Information Commissioner

As the accountable authority, I am pleased to present the 2025–26 Corporate Plan for the Office of the Australian Information Commissioner (OAIC).

This Corporate Plan covers reporting periods 2025–26 to 2028–29, prepared in accordance with paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Corporate Plan sets out our key activities and how we will measure our performance.

By promoting and upholding privacy and information access, the OAIC plays a critical role in building public trust and confidence in the institutions and systems of government, economy and society that lie at the heart of our democracy.

Under our three-Commissioner model, I have the pleasure of working alongside Ms Carly Kind, Privacy Commissioner, and Ms Toni Pirani, Freedom of Information Commissioner, to deliver our core functions. Together, we are focused on enhancing the OAIC’s capacity to deliver effective and purposeful regulatory outcomes. These outcomes are informed by the expertise and data available to us as the single national regulator of information access, privacy rights and information governance in the Australian public sector.

We are committed to continuous improvement, always exploring better ways to harness the synergies between information access and privacy rights to more effectively execute our functions. Through our connected approach we will continue to apply our unique regulatory insights to maximise our regulatory impact. This impact will be further augmented, in the coming years, by new enforcement powers granted to the Information Commissioner under the Privacy and Other Legislation Amendment Act 2024 (Cth).

In our complex world, past practices and assumptions are being challenged—with dazzling speed and intensity—by changes in technology, communication and ways of working. We are committed to narrowing the gap between technological innovation and effective regulation. We want to ensure our regulation does not hinder the adoption of technology which has the potential to build the capability of the Australian people and to expand the productive capacity of the broader economy. As such we must ensure that our regulatory approach provides a complementary framework for managing risks that emerging technologies may pose, whether to individuals or to the maintenance of fair and competitive markets. By adopting a contemporary, adaptive and harms-based approach to our regulation, the potential for the social and economic benefits of new technology can be enjoyed while individuals’ privacy and information access rights are respected.

The impact of technology on the sectors we regulate is exemplified by the rapid development of generative artificial intelligence (AI). Whilst the AI regulatory environment is still forming, we are actively learning and adapting our approach to address the core requirements of information integrity, legality, privacy and ethics at the heart of good AI practice and performance. We are also mindful that AI brings not just risks, but also possibilities for enhanced regulation. We have an opportunity to shape new and better ways of achieving our purposes, which we will continue to explore.

We are also evolving our ways of working in line with broader reforms to, and uplift of, the Australian Public Service. We are conscious of the new stewardship obligation placed upon every public servant to ensure the APS remains effective, trusted and sustainable for the long term.

Effective stewardship of the national resource that is government information means information integrity and accessibility, through proactive release of information and the statutory access pathways created to enshrine the fundamental human rights of information access and privacy.

Against the background of these changes, our core focus remains the delivery of effective regulatory oversight of the agencies and entities within our ambit. To this end, we will continue to deliver high-quality decisions as expeditiously as possible, with an ongoing effort to reduce the number of older matters we have previously reported upon, which I’m pleased to observe has declined in response to our new approaches.

In the coming years, in the context of organisational, technological and policy changes to our operating environment, we will remain focused on our common mission and shared purpose: to be a thoughtful regulator. How we do this is reflected in the regulatory and strategic program set out in this Corporate Plan, which will deliver to the government and community an information management regulator that is purpose-driven, proactive, proportionate and people-focused.

It is my honour to continue leading the OAIC’s vital contribution to the social, economic and cultural life of Australia.

Elizabeth Tydd
Australian Information Commissioner
20 August 2025

Overview

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio. We are the national independent regulator for privacy and freedom of information, responsible for:

  • promoting and enforcing compliance with the Privacy Act 1988 (Privacy Act), including protecting individuals’ personal information
  • protecting and upholding the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act), and
  • carrying out strategic information management functions within the Australian Government.

Our functions are prescribed in Part 2 of the Australian Information Commissioner Act 2010 (AIC Act) and include conducting investigations to monitor compliance, taking enforcement action where required, reviewing decisions, handling complaints, and providing guidance and advice on government information management, freedom of information and privacy matters.

In addition to the three principal Acts outlined above, almost 40 pieces of primary and subordinate legislation confer regulatory and other legal responsibilities on the OAIC, or require other bodies to consult us on privacy matters (see Appendix A).

Under the Commonwealth Performance Framework, our Corporate Plan is part of a planning and reporting cycle that guides our work. It covers the forward 4 years and is updated annually.

Planning and reporting cycle

The Portfolio Budget Statements (PBS) show the OAIC’s allocated resources and proposed outcomes on an annual basis. The Corporate Plan is the OAIC’s primary planning document describing our role, the key activities we undertake and how we will measure our performance. The Annual Report and Performance Statements provide an overview of our activities, and a summary of our non-financial and financial performance for the year under review, demonstrating what we have achieved.

Snapshot

Environment, capabilities, risk and stakeholder engagement

Purpose

To promote and uphold privacy and information access rights

Enabling legislation

  • Australian Information Commissioner Act 2010
  • Freedom of Information Act 1982
  • Privacy Act 1988
  • Almost 40 other pieces of legislation conferring functions on the Information Commissioner

Regulator performance

  • Ministerial statement of expectations
  • Statement of intent
  • Principles of regulator best practice

Portfolio Budget Statements

Outcome 1

Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions

Program 1.1

Complaints handling, compliance and monitoring and education and promotion

Corporate Plan

Key activities

  • Influence and uphold privacy and information access rights frameworks
  • Advance online privacy protections for Australians
  • Encourage and support access to government information
  • Take a contemporary, harms-based approach to regulation

Performance measures

  • Change in the percentage of the OAIC caseload that is older than 12 months
  • Percentage of cases finalised within specified time standards
  • Percentage of regulated entities that report satisfaction with OAIC guidance and resources
  • Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice, as measured by stakeholder feedback
  • Percentage of OAIC recommendations accepted by agencies following FOI complaint investigations
  • Initial assessments are completed and recorded on all proactive regulatory activities to ensure appropriate and proportionate regulatory responses
  • OAIC staff consider they have the skills, capabilities and knowledge to perform well, enabling the OAIC to deliver expert service

Annual Performance Statements

Assessment of performance in achieving our purpose

About the OAIC

Our purpose

To promote and uphold privacy and information access rights

Our vision

To increase public trust and confidence in the protection of personal information and access to government-held information

Our mission

Our mission is to enhance integrity in government and business information management across public institutions and the broader economy.

In pursuit of this mission, the OAIC seeks to be a thoughtful regulator that recognises the central role information integrity and privacy play for individuals, businesses and governments, and seeks always to balance opportunity and innovation with a proper and central concern for ethics, safety and integrity.

How we regulate

The OAIC aims to be a responsive regulator. We use our full regulatory toolkit across education, compliance and enforcement to achieve effective regulatory outcomes. We use education and persuasion to encourage and promote compliance. If necessary, we use coercive and compulsory powers to enforce privacy obligations and information access rights.

Our priorities are also informed by our access to data and intelligence. We will continue to partner with other regulators and enforcement bodies on joint responsibilities and priorities to respond to contraventions in a collective and coherent way, drawing on the best of our shared expertise.

The OAIC anticipates that in 2025–26 we will continue to experience a demand for regulatory decision-making and action that exceeds our current capacity. To manage this imbalance, while consistently progressing existing and new privacy complaints and requests for FOI reviews, we will continue to determine our regulatory priorities with regard to our Statement of Regulatory Approach.

We are more likely to take regulatory action in response to issues:

  • that create a risk of substantial harm to individuals and the community, especially to vulnerable people and groups
  • that concern systemic harms or contraventions
  • where our action is likely to change sectoral or market practices, or have an educative or deterrent effect
  • that are subject to significant public interest or concern, and
  • where our action will help clarify aspects of policy or law, especially newer provisions of the legislation we administer.

Alongside our statutory obligations, our regulatory approach is informed by the priorities of the Australian Government, as set out in the Ministerial Statement of Expectations provided to us in 2024. The OAIC described our intentions for meeting those expectations, including how we will demonstrate progress, in the agency’s Statement of Intent, dated 30 October 2024. Both statements are available on our website.

Consistent with regulator best practice principles, the OAIC will:

  • seek opportunities to engage and consult genuinely with stakeholders
  • be receptive to feedback and diverse stakeholder views
  • seek to increase transparency in decision-making processes, and
  • provide up-to-date, clear and accessible guidance and information to assist regulated entities with compliance.

We aim to embed and act in accordance with the Government’s principles of regulator best practice when conducting our operations and strive for continuous improvement against these principles.

How we work

The OAIC promotes an organisational culture that supports best regulator practice. We are committed to supporting and building the capability of our staff, guided by four pillars which apply across all aspects of our work:

  • We are proactive, and adopt a risk-based, education- and enforcement-focused posture.
  • We are purpose-driven, focusing on harms and outcomes, and are driven by evidence and data.
  • Our approach is proportionate: we prioritise our regulatory effort based on the risk of harm to the community.
  • Our work is people-focused, preserving expertise and talent, enabling us to make the best use of our resources and maximise opportunities for our people.

Key activities

Key activity 1

Influence and uphold privacy and information access rights frameworks

The OAIC has a wide range of regulatory functions and powers which are prescribed by Commonwealth legislation, primarily the Australian Information Commissioner Act 2010 (AIC Act), the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988. We also have specific functions in relation to the Consumer Data Right (CDR), My Health Record and Digital ID and almost 40 other pieces of legislation as set out in Appendix A. We will continue to discharge these statutory obligations throughout the reporting period.

We will continue to influence and uphold privacy and information access rights frameworks in 2025–26 by discharging our regulatory functions and powers to:

  • ensure Australians’ access to information through the FOI Act
  • regulate how government agencies and other organisations handle personal information under the Privacy Act
  • promote awareness of and compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act
  • undertake work to ensure Australians’ privacy is protected as the Digital ID system is expanded
  • facilitate an efficient credit reporting system that protects individuals’ privacy
  • increase public trust and confidence in the handling of health information through our oversight of the My Health Record system and the Healthcare Identifiers Service
  • co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission (ACCC), and
  • undertake our functions in the legislation listed in Appendix A.

As the FOI regulator, in addition to processing Information Commissioner reviews (IC reviews) and other casework matters, we will engage with the FOI community with proactive support and guidance about their FOI obligations. We will continue engaging in more intensive compliance, investigative and enforcement action where agencies’ non-compliance with their FOI obligations is significant, in order to ensure information rights are respected.

As the privacy regulator, a key plank of our regulatory strategy will be to take targeted, risk-based enforcement action when assessed as necessary.

We will progress civil penalty proceedings under the Privacy Act against a number of entities. We also have several investigations underway into organisations in relation to data breaches, as well as into organisations using emerging and high privacy impact technologies.

We will continue to co-regulate Australia’s Digital ID System with the ACCC. As the privacy regulator of Australia’s Digital ID System and other APP identity-related entities, the OAIC is responsible for ensuring individuals’ privacy is protected when using accredited Digital ID services and other identity-related services. We will engage with Digital ID participants to help them understand their privacy obligations, including by publishing guidance material, contributing to education and awareness strategies, investigating complaints and conducting assessments.

Facilitating an efficient credit reporting system that protects individuals’ privacy will be another area of focus. We will be supporting Government in its consideration of the findings of the Review of Australia’s credit reporting framework (the Review), with several recommendations from its report relating to the OAIC’s role as regulator. Amongst other things, the OAIC will be receiving and reviewing Credit Reporting Bodies’ (CRB) independent review reports, with some CRBs due to commence their next review in 2026.

Our work co-regulating the Consumer Data Right (CDR) with the ACCC is ongoing. The OAIC regulates and enforces the privacy aspects of the CDR. The objective of our regulatory approach is to ensure consumers have trust and confidence in the CDR framework as a data-sharing mechanism. We collaborate with the Treasury, ACCC and the Data Standards Body to ensure fundamental privacy protections in the CDR are maintained.

Our influence is reinforced through our active communication and education activities in the Australian community. In addition to leading the Australia-wide campaign for Privacy Awareness Week, we also participate in activities to support International Day for Universal Access to Information (IDUAI) each year, and publish a range of useful privacy and information access resources. These align with our Commissioners’ priorities to make FOI and privacy compliance easier.

We aim to ensure our influence extends beyond Australia. To this end, during 2025–26 we will participate in a range of international meetings, seminars and conferences, to continue collaboration with our international privacy and FOI counterparts.

Key activity 2

Advance online privacy protections for Australians

The OAIC will advance online privacy protections for Australians to support the Australian economy by influencing the development of legislation, taking a contemporary and harms-based approach to regulation, and raising awareness of online privacy risks and protections.

The OAIC continues to promote privacy in the context of emerging technologies and digital initiatives. We are building our capacity to respond swiftly and effectively to new and emerging challenges in the digital sphere. We are actively learning and adapting our approach to address the core requirements of information access and privacy at the heart of good AI practice and performance.

We recognise that the online environment is central to the economy, education and our social connections. We are focusing on regulatory activities that address privacy harms arising from the practices of online platforms and services that impact individuals’ choice and control, including opaque information-sharing practices or terms and conditions of service. This will improve the ability of Australians to manage their privacy choices online, and will improve protections for children and other vulnerable groups.

A key area of focus in the coming year will be our work to develop a Children’s Online Privacy Code, following passage of the Privacy and Other Legislation Amendment Act 2024 (the POLA Act). We will be consulting widely and incorporating insights from children and young people into our Code drafting process. This will ensure different voices are represented and will put children at the centre of privacy protections in Australia.

The OAIC will also have a regulatory role in supervising the social media minimum age framework in the Online Safety Act 2021. The OAIC will regulate and enforce the privacy aspects of the obligation when it commences in December 2025.

We have a number of preliminary investigations underway looking at concerning practices in new and emerging technologies. We will continue to review and consider new technologies and the use of data sets containing personal information held by companies where we perceive there to be consumer harms.

Following on from our October 2024 guidance on the development and training of generative AI models, and the use of commercially available AI models, we will continue to scrutinise privacy and information-management issues arising from the deployment of AI and will work with other regulators who are also addressing the rapid emergence of AI. Robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community. We will also continue our work on biometrics, specifically on facial recognition technology.

Other ways we will enhance online privacy protection will include through our responses to specific privacy complaints and queries from individuals and regulated entities, administering the NDB scheme, through our proactive enforcement activities, and by sharing our general expertise as the privacy regulator. We will continue to feed our expertise into proposals from across government on policy and legislative reforms relevant to privacy in the digital realm.

Key activity 3

Encourage and support proactive release of government information

The OAIC will promote a proactive approach to the publication of government-held information. We will focus on supporting efficient access to information and facilitating innovation and engagement.

Recognising that government-held information is a national resource to be managed for public purposes, the OAIC will continue to promote open government to better serve the Australian community. We will continue to uplift agencies’ capability in the exercise of their FOI functions by reinforcing their need to make timely decisions and by encouraging proactive disclosure of information.

We encourage proactive release of government-held information through our administration of the Information Publication Scheme (IPS) and through our promotion to agencies of informal release processes, such as administrative access. These efforts will continue to enhance transparency and support an efficient FOI system.

To ensure our own, and other agencies’, transparency the OAIC now publishes figures about our FOI complaints and IC review caseloads. We also publish the Australian Government FOI statistics dashboard, which presents key FOI data for the past five years, as collected by agencies and ministers and reported to us. The dashboard will be updated quarterly, making information about the FOI system more accessible, and will assist agencies in benchmarking their FOI performance.

We will also meet our obligations under this key activity through targeted outreach activities. For example, we will promote use of our self-assessment tool, to assist agencies to identify gaps and areas for improvement in their FOI practices. We will continue to proactively review and update the FOI Guidelines and will contribute to building agency FOI processing capacity by continuing to offer FOI practice webinars. These may be planned when significant decisions are published or may focus on more general contemporary FOI issues.

As with every year, we will continue to encourage and support proactive release of government information through participation in IDUAI events, and other opportunities for awareness-raising.

Key activity 4

Take a contemporary, harms-based approach to regulation

The OAIC will take a contemporary, harms-based approach to promoting and upholding Australia’s privacy and FOI laws. We are committed to developing a skilled, multidisciplinary workforce that is supported by the tools needed to deliver our regulatory role in a dynamic, responsive and targeted manner.

OAIC’s regulatory approach will continue to combine intelligence-driven education, compliance and enforcement activities, recognising the relationship between different levels of intervention in a responsive regulatory continuum.

The OAIC will embed a regulatory approach that uses both encouragement and deterrence to promote and protect privacy and information access rights. This framework reinforces a central characteristic of the OAIC’s regulatory philosophy: a focus on outcomes and purpose.

We start from the simple question ‘what are we trying to achieve?’ This ensures that the range of options for how, when and why we intervene is as wide, creative and impactful as possible.

With this framework in mind, in 2025–26 we will take regulatory action in a consistent, transparent and proportionate manner. When deciding which regulatory tools to use, and how to use them, we will:

  • identify the risks of harm we are responding to, and the likelihood and possible consequences of those risks
  • respond in ways that are proportionate, consistent with the expectations of the community and the Australian Government, and manage risks to adequately protect the public
  • take timely and necessary action, and
  • seek to minimise regulatory burden and cost.

Decisions to undertake regulatory action are also taken in accordance with the OAIC’s Regulatory Action Priorities. These policies require consideration of a range of factors including the objects of the relevant statute and the risks and impact of non-compliance.

[Figure: Regulatory action continuum. The OAIC’s regulatory approach spans education, intelligence, investigation, compliance and enforcement.]

OAIC regulatory priorities

The OAIC’s purpose is to promote and uphold privacy and information access rights. Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information. The OAIC recognises that community confidence and trust will contribute to a healthy democracy and positively impact the economy.

Decisions to undertake regulatory action are taken in accordance with the OAIC’s regulatory approach. These policies require consideration of a range of factors including the objects of the relevant statute and the risks and impact of non-compliance.

The OAIC has considered the relevant factors in the identification of the following regulatory priorities for 2025–26, to ensure that the OAIC’s resources are focused on the prevention of privacy harm and upholding the community’s access to information rights in the areas of greatest impact and concern.

The OAIC's four areas for regulatory focus in 2025–26

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

  • the rental and property, credit reporting and data brokerage sectors
  • advertising technology (Ad tech) such as pixel tracking
  • practices that erode information access and privacy rights in the application of artificial intelligence
  • excessive collection and retention of personal information
  • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

  • facial recognition technology and forms of biometric scanning
  • new surveillance technologies such as location data tracking in apps, cars and other devices
  • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

Strengthening the information governance of the Australian Public Service

The OAIC will strengthen information governance and integrity in the Australian Public Service through:

  • highlighting areas where information handling practices are inadequate and data is not managed appropriately through its life cycle, including how requests for access under the FOI Act and the Privacy Act are managed
  • providing guidance to elevate administrative decision-making in the Australian Public Sector
  • monitoring the use of messaging apps by government agencies
  • identifying government integrity risks arising from information management practices that impact on trust in government, including poor disclosure practices.

Ensuring timely access to government information

The OAIC will support the timely release of government information in line with the objects of the Freedom of Information Act by:

  • progressing complaint investigations or monitoring activities and using data to highlight systemic underperformance by individual agencies, particularly in relation to agencies’ refusal rates, compliance with statutory timeframes, disclosure log practices and information publication scheme compliance.

Operating context

Our work over the coming year will be influenced by the OAIC’s operating context. This includes the environment in which we operate, the capabilities we have to deliver our statutory functions, our approach to risk management and oversight, and how we will work with our stakeholders to ensure our work meets their needs, is relevant and timely.

Our environment

A clear understanding of our operating environment is crucial to the OAIC’s risk-based regulatory approach, and to our education, compliance- and enforcement-focused posture. We actively scrutinise our environment, assessing and prioritising our regulatory effort where the potential risk of harm to the community is most significant. Our risk-based approach also means we acknowledge which environmental factors are outside our control and focus on those areas where we can make the best use of our resources and be most effective.

Different factors influence how and why we operate as we do. For example, many of the organisations we regulate do business in different Australian states and territories and are subject to different regulatory regimes in each jurisdiction. Some of our regulated entities also participate in the global economy. This makes it important for the OAIC to be connected to other regulators domestically and internationally to ensure our advice is consistent and strategic. It also means we can springboard off other guidance or regulatory approaches, where available, to promote greater efficiency.

Optimising our resources is always an important consideration. As an agency of government, we are accountable to the Australian public and subject to strict rules on how we acquit the funding that has been provided to us. We must use those taxpayer resources ethically, effectively and efficiently. We have systems to control for risk and to promote integrity, which are described later in this section.

Related to protecting public resources, we are mindful that the system of information access which promotes integrity and accountability by government, and by government agencies and institutions, is itself a national resource that needs to be protected. The effective operation of the right to access information is a fundamental feature of open government and democracy and we are committed to safeguarding that right.

Finally, our agency operations are being conducted at a time of rapid technological change and advancement. In response, we need to advocate for privacy-by-design, proactively building privacy protections into the design and development of new systems. As the context we operate in continues to evolve, our response to those changes must, despite the inherent technical complexity and nuance, continue to be clear, accurate and useful for the entities relying on us to chart a path through the new landscape. In this regard we strive to provide certainty for both entities and the community.

Operational changes

In 2024 the OAIC redesigned its structure. This restructure was made in response to a reduced operating budget following the May 2024 Budget and also in response to a recommendation from a Strategic Review of the organisation conducted in 2023. The Strategic Review recommended the OAIC redesign its structure to better reflect the three-Commissioner model and to deliver more efficient and effective regulatory functions.

The new structure has moved away from the subject matter silos around which the OAIC previously operated. The new structure comprises:

  • Information Rights Division (IRD)
  • Regulatory Action Division (RAD)
  • Regulatory Intelligence and Strategy Branch
  • Enabling Services Branch
  • Office of the Commissioner, and
  • Legal Services Team.

The structure includes the creation of two new SES Band 2 roles overseeing IRD and RAD. These Executive General Managers will ensure a strategic and coordinated approach to the OAIC’s case management and enforcement/compliance functions.

Legislative changes

Our operating environment is influenced by changes to the legislation we administer. For example, major reforms were made in the Privacy Act in December 2024. The OAIC will have a role in implementing some aspects of these reforms including:

  • developing the Children’s Online Privacy Code to address online privacy for children, in relation to which we have begun consulting the community
  • exercising enhanced regulatory powers, including issuing lower-threshold infringement notices and new compliance notices, and
  • monitoring use of the new statutory tort for serious invasions of privacy so we know when proceedings have been commenced in relation to matters we are separately investigating through our complaint-handling process.

More broadly, the OAIC will continue to provide advice on trends and issues (both emerging and current), to inform wider policy discussions on information access and privacy.

Capability

The OAIC’s information and communications technology (ICT) capability supports our role as a contemporary regulator by enabling efficient, transparent and data-driven operations. We routinely upgrade our systems, digital devices and network infrastructure to ensure our information is secure and accurate. With up-to-date data insights we can enhance our decision-making and respond more effectively to current regulatory challenges.

Following a technology systems review in 2023–24, we have increased our internal support for ICT services and we are exploring system upgrades to ensure our core regulatory tools continue to meet our needs. We have expanded our use of collaboration and planning applications, enabling staff across different business areas to streamline processes and digital workflows while reducing manual effort and increasing accountability.

Our people are our greatest strength. They enable us to meet our regulatory responsibilities and to promote and uphold privacy and information access rights.

Since the conclusion of the organisational redesign in early 2025, the OAIC has focussed on ensuring we have the right people and capabilities required for now and into the future. We value attracting and retaining a highly skilled workforce that reflects the dispersed Australian community we serve. To support this, we will deliver a considered Learning and Development Strategy that responds to organisational needs and focuses on three core areas: mandatory, regulatory and APS Craft.

Risk oversight and management systems

Governance framework

Our governance arrangements facilitate informed and timely decision-making and ensure the OAIC is well positioned to harness the collective expertise of our three Commissioners, the Executive and our people to address opportunities and challenges of the future.

Key decision-making and accountability bodies within the OAIC include:

  • Governance Board, comprising the three Commissioners and the OAIC’s two Executive General Managers – the board determines the agency’s strategic objectives and priorities
  • Regulatory Board, comprising the three Commissioners and Executive General Managers plus General Managers who manage the regulatory environment – the SRC provides collective leadership and support for regulatory activities in FOI, privacy and information access
  • Executive Management Forum, comprising all SES-level staff and Principal Directors – to collaborate on matters warranting cross-organisational input and decision-making
  • Audit and Risk Committee (ARC), comprising external members – to provide independent advice to the Information Commissioner and Governance Board on the appropriateness of the OAIC’s financial reporting, performance measurement, risk management and systems of internal control, and
  • a range of function-based committees – these provide agency staff with an opportunity to participate in consideration of matters such as workplace health and safety, diversity and enterprise agreement matters.

Risk management

Our Risk Management Framework and Policy details our robust and holistic approach to risk oversight and management. It is aligned with the requirements of the PGPA Act and the Commonwealth Risk Management Policy.

The Chief Risk Officer and Director of Governance, Risk and Compliance work collaboratively to oversee and champion risk management, risk capability and risk culture across the OAIC. Agency staff regularly report to the Information Commissioner and Executive through various governance committees, receive independent advice from the OAIC’s ARC, and have a robust internal audit program. This enables the OAIC to monitor and respond to current and emerging risks, threats and opportunities efficiently and effectively.

Our risk appetite statement outlines the level of risk we are comfortable accepting, and internal documents provide further guidance on how to apply this specifically to our regulatory and corporate activities.

Our risk tolerances reflect a more informed and specific calibration as recommended.

Organisational chart showing the OAIC Governance boards overseeing the Australian Information Commissioner, who connects to the Freedom of Information Commissioner, Privacy Commissioner and key committees, including Audit and Risk, Strategic Regulatory and Diversity Committees.

Summary of the OAIC’s tolerance for specific risk categories

Each area below gives the risk tolerance summary: the matters for which we have low tolerance and those for which we have higher tolerance.

Regulatory approach
  • Low tolerance: Misuse or improper exercise of our statutory powers
  • Higher tolerance: Pursuing contemporary regulatory approaches

Trust and confidence
  • Low tolerance: Inadvertent disclosure of any personal or sensitive information
  • Higher tolerance: Improving the way we engage with stakeholders

Governance and infrastructure
  • Low tolerance: Serious non-compliance with our legislative obligations
  • Higher tolerance: Pursuing innovation and continuous improvement that brings value to the OAIC and our stakeholders

Integrity
  • Low tolerance: Fraud or corruption, discrimination, harassment or improper staff conduct
  • Higher tolerance: Implementing processes to enhance the culture of the agency

Financial
  • Low tolerance: Activities that inappropriately deplete resources
  • Higher tolerance: Expenditure where the benefits are clearly defined and aligned with the long-term strategy of the agency

Our people
  • Low tolerance: Circumstances that could compromise the health or safety of staff
  • Higher tolerance: Building a strong unified and competent workforce

We seek to achieve the optimal balance between identifying and engaging with risks in the context of delivering our regulatory activities, while upholding our accountability obligations and reputation as a trusted government agency and advisor. Our risk appetite statement is one of several documents and strategies that assist us to develop a better understanding of risk. An understanding of risk enables us to embrace opportunities, deal with threats, foster innovation and build a strong risk culture across the OAIC.

During 2025–26, we will focus on uplifting our risk control testing program and enhancing our risk culture and capability in alignment with our risk appetite statement and regulatory posture.

Our enterprise risks

Our enterprise risk profile provides a high-level and overarching view of the risks that have the most profound impact on our ability to deliver our strategic and operational priorities. Regular review of the register and engagement with risk, control and treatment owners enables us to understand and respond in a timely manner to the current and emerging risks that may threaten – or present an opportunity for – our operations.

Our focus in 2025–26 is to remain agile in a complex and evolving environment where unforeseen opportunities and threats may influence both strategic priorities and daily operations. Recognising that risk is inherent to our role and activities, our risk management framework and policy aim not to eliminate risk, but to support informed decision-making by maximising opportunities and minimising negative impacts.

Enterprise risk and risk management strategies

Key risk: The OAIC is not able to attract, grow and retain its people

Mitigation strategies:

  • Flexible working environment, maximising non-remunerative components
  • Learning and development programs
  • Professional association membership and certification for staff
  • Staff engagement through consultation forums, meetings, surveys and exit interviews, with strategies based on results from these engagements

Key risk: The OAIC is not able to strategically prioritise its work to deliver statutory functions

Mitigation strategies:

  • Regulatory Board to provide advice that supports the OAIC’s priorities and activities
  • Statement of Regulatory Approach
  • Regular reporting to Governance Board and Attorney-General’s Office
  • Improved strategic and corporate planning processes, including team planning and workflow management

Key risk: The OAIC does not contribute to increased trust and confidence in privacy and information access

Mitigation strategies:

  • Publication of Commissioner decisions, complaint outcomes and regulatory priorities
  • Coordinated approach with Commonwealth, State and Territory partner agencies
  • Media and communication campaigns
  • Active engagement with domestic and international counterparts to use global intelligence and collaborate to effectively regulate domestically

Key risk: The OAIC’s corporate services do not adequately support its regulatory functions and staff

Mitigation strategies:

  • Enhanced systems, processes and capability uplift
  • Learning and Development Strategy to support staff needs
  • Building internal reporting on workload and trends
  • Where needed, utilise external experts to review some business processes

Key risk: The OAIC does not have quality regulatory processes, systems and products

Mitigation strategies:

  • Ensure governance oversight over processes, systems and activities
  • Proactive review and continuous improvement of policies, processes and systems
  • Technical systems and secure network to support information handling and storage
  • Ongoing capability building including implementation of a data warehouse

Key risk: The OAIC does not provide a safe and healthy working environment

Mitigation strategies:

  • Work, Health and Safety Policy, including psychosocial hazards identification and risk assessment
  • Regular staff check-ins to promote and maintain a positive work environment
  • Annual workplace health and safety training
  • Governance, oversight and collaboration through workplace committees

Cooperation

Collaboration and consultation lie at the heart of our role as a thoughtful regulator. The agency will continue our collaborative approach across subject matter experts in FOI and privacy, as well as cooperating across government to ensure a well-functioning operational environment in response to some of the logistical challenges we face as a smaller agency.

The Information Commissioner actively engages with and contributes to better regulation through a range of fora and appointments, including through membership of the:

  • APS Integrity Agencies Group
  • National Data Advisory Council
  • Services Australia myGov Strategic Committee
  • Regulator Leadership Cohort
  • APS Small Agency Forum
  • International Conference of Information Commissioners (ICIC)
  • Administrative Review Council
  • Digital Platform Regulators Forum (DP-Reg)
  • CDR Governance Committee.

This approach to collaboration and cooperation cascades throughout the OAIC and ensures we are an engaged and informed regulator.

We work with other domestic information access regulators through the Association of Information Access Commissioners, which promotes best practice in information access policies and laws across Australia and New Zealand.

Our privacy regulation will continue to be informed by insights we receive from participation in such fora as the network of External Dispute Resolution (EDR) providers recognised by the Information Commissioner to deal with privacy matters and the Cyber Security Regulator Network. This collaboration assists us to deliver cohesive regulation of digital platforms as we advance online privacy protections for Australians.

We also support related work being done by agencies such as the Australian Digital Health Agency, Services Australia, the Department of Home Affairs and the Department of Health and Aged Care. The OAIC cooperates with state and territory privacy regulators to share information and insights through Privacy Authorities Australia.

International cooperation and thought leadership

Our international cooperation will remain an essential component of our work, enabling us to leverage understanding of the global privacy and information access landscape and ensure domestic frameworks are fit for purpose and aligned with best practice.

We engage in several key international networks to keep informed of challenges and opportunities in privacy and access to information. This work includes our involvement in the Global Privacy Assembly and the ICIC.

The OAIC actively considers opportunities to engage in joint regulatory actions. Established memoranda of understanding with the United Kingdom’s Information Commissioner’s Office, Irish Data Protection Commission, Personal Data Protection Commission of Singapore and the New Zealand Office of the Privacy Commissioner are essential for identifying opportunities for regulatory and enforcement cooperation, information sharing and joint investigations.

Our cooperation and collaboration

Regulated community

  • Industry
  • Australian Government agencies

Australian community

  • Community groups
  • Consumer advocacy organisations
  • Australian Financial Complaints Authority
  • External dispute resolution schemes

Domestic and international regulators

  • State and territory regulators
  • Co-regulators
  • International regulators

Academia and research organisations

  • Universities

Australian Government

  • Attorney-General’s Department
  • Australian Communications and Media Authority
  • Australian Competition and Consumer Commission
  • Australian Digital Health Agency
  • Australian Human Rights Commission
  • Australian Prudential Regulation Authority
  • Australian Securities and Investments Commission
  • Commonwealth Ombudsman
  • Department of Employment and Workplace Relations
  • Department of Finance
  • eSafety Commissioner
  • National Commission for Aboriginal and Torres Strait Islander Children and Young People
  • Office of the National Data Commissioner
  • Treasury

Performance

Our performance measurement framework describes how we measure our progress towards achieving our mission and purpose through:

  • key activities that describe our key functions and areas of work
  • intended results that describe the impact, difference or results we want to achieve in relation to our key activities
  • performance measures we use to evaluate our progress towards the intended results
  • targets that describe the results we are aiming for in each performance measure
  • methodologies and data sources that describe how our performance information is collected, analysed and reported.

The OAIC has carefully considered its key activities and has identified measures and targets that are appropriate to measure and assess the agency’s performance in achieving its purposes. Each measure is based on data and records that will be relied on in the OAIC’s performance statements to report on the measures.

Our performance management framework is reflected in our 2025–26 portfolio budget statement (PBS).

Key activity 1

Influence and uphold privacy and information access rights frameworks

Measure 1

Change of percentage of OAIC case load that is greater than 12 months

Intended result:

The OAIC’s regulatory outputs are timely

25–26 Target: Baseline to be set
26–27 Target: Prior year’s result maintained or exceeded
27–28 Target: Prior year’s result maintained or exceeded
28–29 Target: Prior year’s result maintained or exceeded

Rationale:

This measure relates to the OAIC’s effectiveness and timeliness as a regulator, and our dedication to ensuring we can meet the steady increase in the number of matters the OAIC receives year on year.

Methodology:

This is measured by the percentage reduction in the number of privacy complaints, FOI complaints and Information Commissioner reviews greater than 12 months old across the reporting period.*

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

*This does not include privacy complaints, FOI complaints and Information Commissioner reviews that are subject to other regulatory action the OAIC is taking in respect of the same facts or incident. Records of these cases are maintained in the OAIC’s information management system.

Measure 2

Percentage of cases finalised within time standards:

  1. 80% of privacy complaints to be finalised within 12 months
  2. 80% of Information Commissioner review applications to be finalised within 12 months
  3. 80% of FOI complaints to be finalised within 12 months
  4. 80% of Privacy and FOI Commissioner initiated investigations to be finalised within 12 months
  5. 80% Data breach notifications (including My Health Record notifications) finalised within 60 days
  6. 90% Written enquiries finalised within 10 working days

Intended result:

The OAIC’s regulatory outputs are timely

25–26 Target: 80%
26–27 Target: 80%
27–28 Target: 80%
28–29 Target: 80%

Rationale:

This measure relates to the OAIC’s efficiency and timeliness as a regulator, and helps promote trust and confidence in the community that the OAIC resolves matters in a timely way.

Methodology:

This is measured through a composite target, which is determined by averaging the targets of all sub-measures. The composite result is then determined by averaging the results of all sub-measures (the percentage of matters received and closed in the reporting period).

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Measure 3

Percentage of regulated entities that report satisfaction with OAIC guidance and resources

Intended result:

The OAIC’s regulatory guidance is increasingly responsive to the needs of the regulated community

25–26 Target: Baseline to be set
26–27 Target: Prior year’s result maintained or exceeded
27–28 Target: Prior year’s result maintained or exceeded
28–29 Target: Prior year’s result maintained or exceeded

Rationale:

This measure relates to the OAIC’s effectiveness in producing guidance and resources that the regulated community find useful in terms of currency and need, to enable regulated entities to implement practices that uphold privacy and information access rights frameworks.

Methodology:

This is measured by the OAIC’s annual performance rating from stakeholders based on a composite survey-based performance index.

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Key activity 2

Advance online privacy protections for Australians

Measure 4

Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice as measured by stakeholder feedback

Intended result:

The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community

25–26 Target: Prior year’s result exceeded
26–27 Target: Prior year’s result exceeded
27–28 Target: Prior year’s result exceeded
28–29 Target: Prior year’s result exceeded

Rationale:

This measures stakeholder perception as to our policy advice and effectiveness in advancing online privacy protections.

Methodology:

This is measured by the OAIC’s annual average performance rating from stakeholders based on a composite survey-based performance index.

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Key activity 3

Encourage and support proactive release of government information

Measure 5

Percentage of OAIC recommendations accepted by agencies following FOI complaint investigations

Intended result:

The OAIC’s activities support Australian Government agencies to provide quick access to information requested and at the lowest reasonable cost, and proactively publish information of interest to the community.

25–26 Target: 90%
26–27 Target: 90%
27–28 Target: 90%
28–29 Target: 90%

Rationale:

This measures the effectiveness of the OAIC’s FOI complaint investigations to improve agencies’ practices and uplift FOI compliance.

Methodology:

This is measured by percentage of OAIC recommendations accepted by agencies following FOI complaint investigations. Records of these cases are maintained in the OAIC’s information management system.

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Key activity 4

Take a contemporary, harms-based approach to regulation

Measure 6

Initial assessments are completed and recorded on all proactive regulatory activities to ensure appropriate and proportionate regulatory responses

Intended result:

The OAIC’s approach to our regulatory role is consistent with better practice principles.

25–26 Target: 100%
26–27 Target: 100%
27–28 Target: 100%
28–29 Target: 100%

Rationale:

This measure demonstrates the OAIC’s efficiency in ensuring the right regulatory tool and proportionate response is selected in a timely way, and that the OAIC applies regulator best practice principles.

Methodology:

This is measured by the percentage of initial assessments completed and recorded against all regulatory activities undertaken in the financial year. Regulatory activities include Commissioner-initiated investigations, assessments, determinations, enforceable undertakings and civil penalty proceedings.

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Measure 7

OAIC staff consider they have the skills, capabilities and knowledge to perform well, enabling the OAIC to deliver expert service

Intended result:

The OAIC’s approach to our regulatory role is consistent with better practice principles.

25–26 Target: 80%
26–27 Target: 80%
27–28 Target: 80%
28–29 Target: 80%

Rationale:

This measures the OAIC’s effectiveness at building staff capability and knowledge to ensure the OAIC can deliver expert service when undertaking its regulatory functions.

Methodology:

This is measured by the percentage rating the OAIC received in the APS Employee Census survey in response to the question ‘my workgroup has the appropriate skills, capabilities and knowledge to perform well’.

The OAIC will apply the following scale to its results:

  • Met (100% met)
  • Substantially met (50–99% met)
  • Partially met (25–49% met)
  • Not met (<25% met)
  • Not applicable (data that cannot be measured in this way for example survey results).

Appendix A

Legislation conferring functions on Information Commissioner or the OAIC

The following Acts or instruments confer regulatory and other functions, powers, responsibilities or obligations on the Information Commissioner or the OAIC in relation to privacy and information access matters.

  • Administrative Review Tribunal Act 2024
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
  • Anti-Money Laundering and Counter-Terrorism Financing Rules (Cth)
  • Child Care Act 1972 (Cth)
  • Competition and Consumer Act 2010 (Cth)
  • Competition and Consumer (Consumer Data Right) Rules 2020 (Cth)
  • Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019 (Cth)
  • Consumer Data Right (Energy Sector) Designation 2020 (Cth)
  • Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Cth)
  • Crimes Act 1914 (Cth), pt VIIC (spent convictions)
  • Data Availability and Transparency Act 2022 (Cth)
  • Data-matching Program (Assistance and Tax) Act 1990 (Cth)
  • Digital ID Act 2024
  • Environment Protection and Biodiversity Conservation Act 1999
  • Financial Sector Reform Act 2022 (Cth)
  • Foreign Influence Transparency Scheme Act 2018 (Cth)
  • Healthcare Identifiers Act 2010 (Cth)
  • Healthcare Identifiers Regulations 2010 (Cth)
  • Identity Verification Services Act 2023 (Cth)
  • Imported Food Control Act 1992 (Cth)
  • Information Privacy Act 2014 (ACT)
  • My Health Records Act 2012 (Cth)
  • My Health Records Regulations 2012 (Cth)
  • My Health Records Rules 2016 (Cth)
  • My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016 (Cth)
  • National Cancer Screening Register Act 2016 (Cth)
  • National Consumer Credit Protection Act 2009 (Cth)
  • National Health Act 1953 (Cth)
  • National Health (Privacy) Rules 2021 (Cth)
  • Online Safety Act 2021
  • Personal Property Securities Act 2009 (Cth)
  • Privacy (Tax File Number) Rules 2015 (Cth)
  • Product Emissions Standards Act 2017 (Cth)
  • Road Vehicle Standards Act 2018 (Cth)
  • Social Security (Administration) Act 1999 (Cth)
  • Student Identifiers Act 2014 (Cth)
  • Taxation Administration Act 1953 (Cth) (handling of tax file numbers)
  • Telecommunications Act 1997 (Cth)
  • Telecommunications (Interception and Access) Act 1979 (Cth)

Appendix B

List of requirements

The OAIC’s Corporate Plan has been prepared in accordance with the requirements of section 35 of the PGPA Act, sections 16E and 16EA of the Public Governance, Performance and Accountability Rule 2014, and the Resource Management Guide 132 (Corporate plans for Commonwealth entities).

Each requirement is listed with the section of this plan in which it is addressed.

Requirement: Introduction
  • Statement of preparation
  • Reporting period for which the plan has been prepared
  • Reporting period covered by the plan
Section: Message from the Information Commissioner

Requirement: Purpose
Section: About the OAIC

Requirement: Key activities
Section: Key activities

Requirement: Operating context
  • Environment
  • Capabilities
  • Risk oversight and management
  • Cooperation
Section: Operating context

Requirement: Performance
Section: Performance