Our annual report and performance statement details our activities and key deliverables, and measures our performance against our Portfolio Budget Statement targets and the strategic priorities set out in the OAIC Corporate Plan 2019–20.

Download the print version

Publication date: 15 October 2020

Part 1: Overview

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney­-General’s portfolio, established under the Australian Information Commissioner Act 2010.

Our key role is to meet the needs of the Australian community in relation to the regulation of privacy and freedom of information. We do this by:

  • ensuring proper handling of personal information under the Privacy Act 1988 and other legislation
  • protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • performing strategic functions relating to information management within the Australian Government under the Australian Information Commissioner Act 2010 (AIC Act).

Outcome and program structure

Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.


Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions.

Program 1.1

Complaint handling, compliance and monitoring, and education and promotion.

Our annual performance statement details our activities and key deliverables, and measures our performance against our Portfolio Budget Statement targets and the strategic priorities set out in the OAIC Corporate Plan 2019–20:

  • Advance online privacy protections for Australians
  • Influence and uphold privacy and information access rights frameworks
  • Encourage and support proactive release of government-held information
  • Take a contemporary approach to regulation.


Our purpose is to promote and uphold privacy and information access rights.

We do this by:

  • making sure that Australian Government agencies and Australian Privacy Principles (APP) entities comply with the Privacy Act and other laws when handling personal information
  • protecting the public’s right of access to documents under the FOI Act
  • carrying out strategic information management functions within the Australian Government under the AIC Act.

Our regulatory activities include:

  • conducting investigations
  • handling complaints
  • reviewing decisions made under the FOI Act
  • monitoring agency administration
  • advising the public, organisations and agencies.

Commissioner’s review


The past 12 months have brought unprecedented challenges, with Australia’s worst bushfire season on record soon followed by the COVID-19 pandemic. These seismic events have had a significant impact on the everyday lives of us all.

They have also highlighted the importance of maintaining public trust and confidence in the handling of personal information and in providing access to government-held information, both vital tools in our emergency response.

The OAIC’s Corporate Plan for 2019–20 outlined a vision to increase public trust and confidence in the protection of personal information and access to government-held information. This has never been so important, as we sought solutions to halt the spread of the virus.

As the use of both personal information and digital solutions became necessary to respond to the pandemic and adjust to remote work, learning and social engagement, privacy issues also came to the fore.

Our engagement allowed us to harness the experience of data protection authorities around the world in grappling with the privacy impacts of new and emerging responses to COVID-19. Our international perspective and understanding informed and strengthened our advice to government, regulated entities and the community.

The OAIC has also taken on new responsibilities for overseeing privacy safeguards built into the COVIDSafe app system. We advised the Australian Government as it considered the privacy implications of the app and recommended legislative privacy protections to instil the highest level of trust and confidence in the community.

The amendments to the Privacy Act 1988 provide strong privacy protections and expand our regulatory oversight role to cover state and territory access to COVIDSafe data. The publication of the Privacy Impact Assessment for the app and the government’s response was an important transparency measure and sets a benchmark for government initiatives involving personal information.

In response to the challenges created by the pandemic, we have produced a range of privacy guidance for business, Australian Government agencies and individuals, including how to safeguard personal information in changed work environments and when venues are collecting information for contact tracing purposes.

The health and economic crisis caused by the coronavirus has created opportunities for greater transparency through proactive release and real-time provision of information. This approach by government demonstrates how transparency can increase community confidence and influence behaviour.

At the same time, the impact of the outbreak had the potential to affect agencies’ ability to meet statutory timeframes for processing freedom of information requests. We have recommended a range of measures to ensure agencies continue to meet their obligations, along with advice for people lodging FOI requests.

Earlier this year, we joined with our international and domestic counterparts to reinforce the importance of documenting decisions and providing access to government-held information through the pandemic and beyond. Our contribution to global transparency efforts includes our ongoing role in Australia’s Open Government Partnership, as a member of the working group for the third Open Government National Action Plan.

Regulatory action

In operating as a contemporary regulator, our regulatory posture and approach is evidence-based, proportionate and seeks to respond to community expectations in addressing risk. In privacy, as in access to information, we exercise our regulatory functions in a way that helps entities to understand and voluntarily comply with obligations. We also take action that deters and remediates breaches of privacy and information access rights where they occur.

Following a detailed investigation, including cooperation with international authorities, in 2019–20 the OAIC launched our first civil penalty action, against Facebook. This action is part of the OAIC’s ambition to advance online privacy protections for all Australians.

The government’s response to the Digital Platforms Inquiry, carried out by the Australian Competition and Consumer Commission (ACCC) and informed by the OAIC’s submissions and advice on privacy-related issues, has committed to a review of the Privacy Act. We have established a dedicated project team to engage with stakeholders and provide policy advice to government. We look forward to working cooperatively over the year ahead to advance a privacy law framework that is fit for purpose for the digital age.

We also worked closely with the ACCC in carrying out a significant program of work to implement the Consumer Data Right, which commenced on 1 July 2020. Our joint compliance and enforcement policy outlines how we will apply the CDR Rules and uphold the privacy safeguards to ensure consumer data is protected as the system expands.

The Notifiable Data Breaches scheme remains a focus for our agency. The scheme was introduced in February 2018 to strengthen consumer protection and elevate the security posture of organisations and agencies who handle personal information. In 2019–20 we recorded an 11% increase in notifications to the OAIC and to individuals at risk of harm.

We are engaging closely with notifying entities to understand the causes of breaches and ensure measures are put in place to rectify them and mitigate future incidents. We have also opened a number of Commissioner-initiated investigations to examine serious or systemic issues and evaluate compliance with the requirements of the scheme and the Privacy Act.

Regulatory functions

A highlight of 2019–20 is the success of our program to eliminate a backlog of privacy cases created by sustained increases in complaints over recent years. By implementing additional efficiency measures, and with the support of additional funding, we closed 3,366 privacy complaints during the financial year – a 15% improvement on 2018–19.

In a reversal of the recent trend, the number of incoming privacy complaints declined by 19% in 2019–20. The significant drop recorded in the second half of the reporting period is likely to be due to the COVID-19 pandemic.

Applications for Information Commissioner (IC) review of FOI decisions continued to grow in 2019–20, increasing by 15% to 1,066. Following the COVID-19 outbreak, we also recorded a significant increase in agency applications for extensions of time to process FOI requests.

While the OAIC continues to face resourcing challenges in the FOI area, we implemented further process improvements and resolved more IC reviews during the reporting period than ever before. We achieved a 26% improvement, resolving 829 IC reviews in 2019–20.

The significant increase in the number of applications after sustained increases in previous years, along with our focus on reducing the number of cases over 12 months old, meant we finalised 72% of IC reviews within 12 months, short of our target of 80%.

The OAIC also delivered a wide range of guidance for regulated entities and the community during 2019–20 to improve awareness and practice across our core regulatory functions. We led campaigns for Privacy Awareness Week and Right to Know Day, engaging the public, practitioners and regulated entities to promote privacy and access to information rights and responsibilities.

Building trust and confidence

Australia’s response to the pandemic has demonstrated what can be achieved at speed when there is a common goal in the public interest. I would like to express my appreciation to the staff of the OAIC, who have consistently shown great commitment, flexibility and focus in working to advance privacy rights and access to information throughout this period.

The regulatory areas that we oversee are a key part of the solution to navigating through these challenging times. The examples of privacy by design, strong privacy protections and government transparency during this period not only support a sense of optimism about our path to recovery, they also set an encouraging precedent for the future of information management.

Angelene Falk

Australian Information Commissioner
Privacy Commissioner
16 September 2020

Our year at a glance

In this infographic, percentages have been rounded to the nearest whole number. End-of-year statistics may differ from quarterly publication statistics.<br />We finalised 15% more privacy complaints: 3,366 in 2019–20 compared to 2,920 in 2018–19.<br />87% of all privacy complaints were finalised within 12 months against a target of 80% <br />The average time taken to finalise a privacy complaint was 4.7 months.<br />

row break

Most privacy complaints came from the following sectors: <br />Australian Government 12%<br />Finance (incl. superannuation) 11%<br />Health service providers 11%<br />Retail 6%<br />Telecommunications 6%<br />Online services 5% <br />

row break

row break

We handled 14,842 privacy enquiries 2019–20, including 10,937 by phone, 3,893 written and 12 <br />in person.<br />This was a 15% decrease from 2018–19

row break

We received 11% more notifications under the Notifiable Data Breaches (NDB) scheme; <br />1,050 in 2019–20 compared to 950 in 2018–19.<br />62%of all notifications under the NDB scheme were finalised within 60 days against a target of 80% <br />

row break

We handled 2,297 FOI enquiries in 2019–20, including 1,524 by phone, 772 written and 1 <br />in person.<br />This was a 20% decrease from 2018–19.

row break

We received 79% more FOI complaints; 109 in 2019–20 compared to 61 in 2018–19.

row break

We finalised 223% more FOI complaints; 71 in 2019–20 compared to 22 in 2018–19.The average time taken to close an FOI complaint was 11.6 months.<br />52% of all FOI complaints were finalised within 12 months against a target of 80%.<br />

row break

We received 15% more applications for Information Commissioner reviews of FOI decisions; 1,066 in 2019–20 compared to 928 in 2018–19

row break

The top 5 agencies involved in Information Commissioner reviews were: <br />Department of Home Affairs (283)<br />Services Australia (153)<br />Australian Federal Police (58)<br />Department of Defence (41)<br />Department of Foreign Affairs and Trade (33)<br />

row break

We finalised 26% more Information Commissioner reviews; 829 in 2019–20 compared to 659 in 2018–19.<br />The average time taken to finalise an Information Commissioner review was 8.1 months.<br />72% of applications for Information Commissioner review were finalised within 12 months against <br />a target of 80%.<br />

row break

Part 2: Performance


I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner (OAIC), present the 2019–20 annual performance statement of the OAIC, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, this annual performance statement is based on properly maintained records, accurately reflects the performance of the entity, and complies with subsection 39(2) of the PGPA Act.

Overall performance

During this reporting period, we worked to achieve the 31 indicators outlined in the OAIC Corporate Plan 2019–20. We measure our success against our performance indicators which are grouped under our 4 strategic priorities.

We delivered on our purpose to promote and uphold privacy and information access rights.

In 2019–20, the OAIC achieved 16 of our 31 performance indicators and partially achieved 4 indicators. We did not achieve 8 indicators, and this result largely reflects increased volumes of work and our systematic efforts to reduce the backlog created by a sustained increase in privacy complaints and Information Commissioner (IC) review applications over recent years.

Three further indicators did not apply during this reporting period, as the commencement of the Consumer Data Right and reforms to the Privacy Act 1988 were delayed.

Among the highlights of our performance in 2019–20:

  • We assisted 3,366 complainants in resolving privacy issues, about 15% more than in 2018–19, with an average finalisation time of 4.7 months
  • We handled 14,842 privacy enquiries and 2,297 FOI enquiries, down 15% and 20% respectively on 2018–19
  • We finalised 26% more IC reviews than in 2018–19
  • We cooperated with our co-regulator, the Australian Competition and Consumer Commission (ACCC), to implement the Consumer Data Right on 1 July 2020
  • For the first time in the history of the OAIC, we commenced civil proceedings in the Federal Court. Proceedings are against Facebook Inc. and Facebook Ireland
  • Following the outbreak of COVID-19, we convened a COVID Taskforce and provided a significant volume of policy advice, including in relation to the important privacy safeguards that were built into the Australian Government’s COVIDSafe app
  • We released a Guide to health privacy to help providers understand their obligations and embed good privacy practice
  • We launched a new e-learning course to support good privacy practice in Australian Government agencies
  • We attracted a record number of supporters for our Privacy Awareness Week campaign
  • We led a campaign for Right to Know Day to raise awareness of access to information rights and responsibilities.

Click here for the 2019-20 Annual Report errata

Where to find the full report

The OAIC Annual Report 2019–20 is available in HTML on the Transparency Portal: