Publication date: 19 October 2022
Please note that the IC review figures provided in the published Annual Report will be corrected after additional review. A transcription error resulted in 39 IC reviews incorrectly reported as received in 2021-22, making for 1,956 IC reviews received (compared to 1,995 in the published annual report). A technical fault resulted in 15 IC Reviews being incorrectly reported as closed in 2021-22. There were 1,377 IC reviews closed (compared to 1,392 in the published annual report).
Part 1: Overview
About the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).
Our purpose is to promote and uphold privacy and information access rights.
We do this by:
- ensuring proper handling of personal information under the Privacy Act 1988 and other legislation
- protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- performing strategic information management functions within the Australian Government under the AIC Act.
Our regulatory activities include:
- conducting investigations
- handling complaints
- reviewing decisions made under the FOI Act
- monitoring agency administration
- providing advice to the public, organisations and Australian Government agencies.
Outcome and program structure
Our portfolio budget statement describes the OAIC’s outcome and program framework.
Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions.
Complaint handling, compliance and monitoring, and education and promotion.
Our annual performance statement details our activities and key deliverables and measures our performance against our portfolio budget statement targets and the strategic priorities set out in our Corporate Plan 2021–22.
Our strategic priorities are to:
- advance online privacy protections for Australians
- influence and uphold privacy and information access rights frameworks
- encourage and support proactive release of government information
- take a contemporary approach to regulation.
Overview from Australian Information Commissioner and Privacy Commissioner Angelene Falk
In an environment of rapid change, the OAIC continually challenges itself to be as effective as possible in delivering for the Australian people. The agility this requires informs our regulatory approach, which adapts and responds to changes in technology, legislation and community demand to build public trust and confidence in access to government-held information and the protection of personal information.
The appointment of Leo Hardiman PSM KC as Freedom of Information Commissioner was a welcome development to support the OAIC’s important freedom of information (FOI) work. In the short time since his appointment, Commissioner Hardiman has already made a significant contribution. I look forward to what we can collectively achieve.
During the year, the work of the OAIC continued to increase in volume and complexity. Collaboration both domestically and internationally has been critical to ensure targeted, informed and proportionate regulation. This collaboration ensures we leverage the expertise of others and amplifies the protection and promotion of access to information and privacy rights.
The release of open by design principles, a collaboration by Australian information commissioners and ombudsmen, underpinned our successful campaign to mark International Access to Information Day in 2021. The principles recognise that making government-held information open by design as a default setting supports our democracy and innovation. Importantly, proactive publication of information supports timely access to information, reduces the need for members of the community to make FOI applications and minimises FOI processing costs for agencies.
A further collaboration is the formation of the Digital Platform Regulators Forum (DP-REG) by the OAIC, the Australian Communications and Media Authority, the Australian Competition and Consumer Commission (ACCC) and the Office of the eSafety Commissioner. The proactive initiatives of DP-REG aim to promote proportionate, cohesive, well-designed and efficient digital platform regulation that best serves the public interest.
While the accelerating development of the digital world provides great opportunity, it also creates risks to privacy and access to information rights. That’s why we have focused our efforts on preventing risks and harms and supporting entities to take a proactive approach to building in access to information and privacy protections by design.
At the same time, the OAIC performs an important complaint and review role for the community. In 2021–22, we received a 3% increase in privacy complaints (2,544) compared to 2020–21; a significant increase of 63% in applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers (1,995); and a 42% increase in FOI complaints (215).
Each year, the OAIC finalises more IC review applications, but without further resources, we continue to face significant challenges. We finalised 1,392 IC reviews in 2021–22, an increase of 37% compared to 2020–21, which followed a 23% increase the previous year.
In 2021–22, we issued 103 IC reviews and 14 privacy determinations, providing guidance to regulated entities and establishing important precedents.
We also finalised a number of significant privacy Commissioner-initiated investigations (CIIs) focused on the collection of biometric information and the use of high privacy impact facial recognition technologies. Our civil penalty proceedings against US-based Facebook Inc and Facebook Ireland Limited in relation to the This is Your Digital Life app continue and we look forward to the hearing of substantive matters.
We also sought to improve privacy and access to information rights protections by providing detailed submissions and policy advice to the Australian Government and others. In 2021–22, we made 18 submissions and 60 bill scrutiny comments across both privacy and FOI. This includes our response to the Attorney-General’s Department’s Privacy Act Review: Discussion Paper. The OAIC’s submission to the discussion paper made 113 recommendations that seek to ensure Australia’s privacy regime continues to operate effectively and promote innovation and growth.
In 2021–22, we also led a successful Privacy Awareness Week, signing up a record number of supporters. This year’s event was built around the theme of privacy as the foundation of trust.
We continue to co-regulate the Consumer Data Right (CDR) with the ACCC. The CDR marked its second year of operation in the banking sector and is being expanded to new sectors, including energy and telecommunications. This is a significant regulatory program for the OAIC. Our focus is ensuring that participants understand and comply with the system’s privacy safeguards and that consumers are empowered to take greater control of their data. This is essential to realising the consumer and competition benefits of the program.
The Notifiable Data Breaches scheme also marked its fourth year of operation in 2022. Since its launch, we have finalised almost 4,000 data breach notifications, working with notifying organisations to support best practice in responding to data breaches.
The OAIC has also undertaken a significant program of corporate change, as we seek to attract committed and expert staff across Australia and continue our hybrid way of working. Our transition to new shared services arrangements during the year has provided the flexibility to recruit, train and support expert staff.
The OAIC continued to strive to make the best use of our resources and take regulatory action that creates the most value for the Australian community. The high level of activity across our functions set out in this annual report is a testament to the skill and commitment of our people, who work every day to promote and protect information access and privacy rights for all Australians.
Australian Information Commissioner and Privacy Commissioner
28 September 2022
Message from Freedom of Information Commissioner Leo Hardiman PSM KC
I am delighted to have joined the office as the Freedom of Information Commissioner this year, the 40th anniversary of the commencement of the Commonwealth FOI Act.
The statutory framework for FOI at the Commonwealth level has evolved significantly since the enactment of the FOI Act in 1982. Notable changes have included the abolition of conclusive certificates, the introduction of an overriding public interest test to be applied in determining whether a document should be exempt from disclosure and the introduction of an Information Publication Scheme to mandate the publication of a broad range of government information. The overarching governance arrangements for the FOI Act have also changed significantly with the establishment of the OAIC.
The environment within which the FOI Act operates also continues to evolve. The OAIC has continued to see an increase in demand for our FOI regulatory services, including a significant increase in the number of IC reviews and FOI complaints received year on year. This has provided, and continues to provide, the OAIC with both a challenge and an opportunity to examine the way we approach the performance of our FOI functions and to identify and implement changes to maintain and improve that performance.
As the Freedom of Information Commissioner, my focus over the next 12 months will be delivering the OAIC’s core FOI regulatory functions, particularly the conduct of IC reviews and the investigation of complaints. I will also be maintaining a focus on enhancing the information access system through the development of a shared culture within the Australian Government that supports and encourages compliance with the FOI Act as well as the proactive disclosure of information held by agencies.
In that regard, I will be focused on the FOI system as a whole, to identify where systemic improvements that advance the objects of the FOI Act can be made and to work with stakeholders to implement those improvements.
Our continued engagement with and support from stakeholders in the Commonwealth FOI system will be critical to our success.
Our year at a glance
Our annual performance statement
I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner (OAIC), present the 2021–22 annual performance statement of the OAIC, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, this annual performance statement is based on properly maintained records, accurately reflects the performance of the OAIC and complies with ss 39(2) of the PGPA Act.
During this reporting period, the OAIC delivered on our purpose to promote and uphold privacy and information access rights. We measure our success against the performance indicators outlined in our Corporate Plan 2021–22, which features 19 indicators grouped under 4 strategic priorities. In 2021–22, we achieved 12 of our 19 indicators.
Figure 2.1: OAIC indicators by status
- We completed 1,392 Information Commissioner reviews (IC reviews) (compared to 1,018 in the previous year), finalising more than half within 120 days.
- We finalised 83% of IC reviews (1,158) within 12 months, which was an improvement on the previous year when we finalised 73% (740).
- We issued 103 decisions under s 55K of the Freedom of Information Act 1982 (FOI Act), compared to 54 in the previous year.
- We finalised 223 freedom of information (FOI) complaints, an increase of 28% on the previous year.
- We closed 4 Commissioner-initiated investigations (CIIs) and made 3 determinations following CIIs in relation to facial recognition, including a joint privacy investigation with the UK Information Commissioner’s Office (ICO).
- We made 14 privacy complaint determinations, exceeding our target of 12. These determinations had significant educational value and set important precedents.
- We closed 2,203 privacy complaints, resolving 90% within 12 months.
- We completed our first Consumer Data Right (CDR) privacy assessment of data holders’ compliance with Privacy Safeguard 1, and began 2 further assessments.
- We continued to engage closely with the Attorney-General’s Department on its ongoing review of the Privacy Act 1988, which included making a substantial submission to the Privacy Act Review: Discussion Paper in December 2021.
- We provided advice to the Australian Government related to the development of COVID-19 digital vaccination certificates and developed guidance on the handling of vaccination information.
- We led the Australia-wide campaigns for International Access to Information Day (IAID) 2021 and Privacy Awareness Week (PAW) 2022. We enlisted a record 653 government and private sector supporters for PAW.
- Ahead of IAID, we published a statement of principles along with other Australian information access commissioners and ombudsmen to support proactive disclosure of government-held information.
- We engaged proactively with domestic and international regulators through a range of forums, working groups and other collaborative mechanisms. We formed the Digital Platform Regulators Forum (DP-REG) with other independent Australian regulators.
- The Information Commissioner served on the Executive Committee of the Global Privacy Assembly (GPA) and chaired its Strategic Direction Sub-Committee. We co-chaired the GPA Digital Citizen and Consumer Working Group.
Note about statistics
Statistics in this report are current as of September 2022. Some matters are being assessed and adjustments may be made to related statistics. This may affect statistics for the period 1 July 2021 to 30 June 2022 that are published in future reports. Similarly, statistics may have been adjusted in previous annual reports due to changes to the status or categorisation of individual matters. As a result, statistics in this report from before July 2021 may differ from statistics in previous annual reports.
The OAIC Annual report 2021–22 is available in HTML on the Transparency Portal:
- Part 1: Overview
- Part 2: Performance
- Part 3: Management and accountability
- Part 4: Financial statements
- Part 5: Appendices
Publication date: 19 October 2022
Long text descriptions
Our year at a glance
Our year at a glance is an infographic with key statistics for 2021–22.
- We received 3% more privacy complaints – 2,544 in 2021–22 compared to 2,474 in 2020–21.
- We finalised 2% more privacy complaints – 2,203 in 2021–22 compared to 2,151 in 2020–21.
- 90% of privacy complaints were finalised within 12 months against a target of 80%.
- The average time taken to finalise a privacy complaint was 6 months.
- The top 5 sectors by privacy complaints received were:
- health service providers – 351
- Australian Government – 267
- finance – 253
- retail – 186
- online services – 152.
We handled 10,931 privacy enquiries, a 6% decrease from 2020–21. Of these, 7,375 were received via phone, 3,554 in writing and 2 in person.
Notifiable Data Breaches scheme
- We received 12% fewer notifications under the Notifiable Data Breaches scheme – 853 in 2021–22 compared to 967 in 2020–21.
- 81% of notifications were finalised within 60 days against a target of 80%.
- The average time taken to finalise a data breach notification was 69 days.
- The top 5 sectors by data breach notifications received were:
- health service providers – 162
- finance – 107
- legal, accounting and management services – 75
- education – 65
- Australian Government – 58.
Freedom of information (FOI) enquiries
We handled 1,940 FOI enquiries, a 6% increase from 2020–21. Of these, 1,181 were received via phone and 759 in writing.
- We received 42% more FOI complaints – 215 in 2021–22 compared to 151 in 2020–21.
- We finalised 28% more FOI complaints – 223 in 2021–22 compared to 174 in 2020–21.
- 74% of FOI complaints were finalised within 12 months against a target of 80%.
- The average time taken to finalise an FOI complaint was 10.5 months.
Information Commissioner reviews (IC reviews)
- We received 63% more applications for IC review of FOI decisions – 1,995 in 2021–22 compared to 1,224 in 2020–21.
- We finalised 37% more IC reviews – 1,392 in 2021–22 compared to 1,018 in 2020–21.
- 83% of applications for IC reviews were finalised within 12 months against a target of 80%.
- The average time taken to finalise an IC review was 6.3 months.
- The top 5 agencies involved in IC reviews were
- Department of Home Affairs – 1,022
- Services Australia – 116
- Department of Health – 63
- National Disability Insurance Agency – 54
- Australian Federal Police – 52.
Figure 2.1 is a doughnut chart showing OAIC indicators by status.
Achieved – 12
Not achieved – 6
Partially achieved – 1