Published date: 19 Oct 2023
Download the Annual report 2022-23
Part 1: Overview
About the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency in the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).
Our purpose is to promote and uphold privacy and information access rights.
We do this by:
- ensuring proper handling of personal information under the Privacy Act 1988 and other legislation
- protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- carrying out strategic information management functions within the Australian Government under the AIC Act.
Our regulatory activities include:
- conducting investigations
- handling complaints
- reviewing decisions made under the FOI Act
- monitoring agency administration
- providing advice to the public, organisations and Australian Government agencies.
Outcome and program structure
Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.
|Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions.|
|Program 1.1|Complaint handling, compliance and monitoring, and education and promotion.|
Our annual performance statement details our activities and key deliverables and measures our performance against our portfolio budget statement targets and the key activities set out in our Corporate plan 2022–23.
Our key activities are to:
- influence and uphold privacy and information access rights frameworks
- advance online privacy protections for Australians
- encourage and support proactive release of government information
- take a contemporary approach to regulation.
Overview from the Australian Information Commissioner and Privacy Commissioner Angelene Falk
In 2022–23 the OAIC delivered our work for the Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.
With the welcome support of additional government funding for privacy, we commenced and have substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.
This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.
Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and importantly, collaboration.
The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms.
We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.
This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.
We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.
In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future.
While the funding had its genesis in ensuring the OAIC is able to regulate a reformed Privacy Act, it is essential that all our functions and operations form part of the review. Because we are one OAIC.
This is an opportunity full of promise. It will occur alongside a change in the composition of the OAIC at Commissioner level, following the Australian Government’s announcement that the OAIC will return to the 3 statutory office holder model: the Australian Information Commissioner (as agency head), Privacy Commissioner and Freedom of Information (FOI) Commissioner.
This will strengthen our ability to carry out our important statutory functions. It recognises the complexity and volume of matters dealt with by the OAIC and will provide welcome specialisation and capacity to address this workload.
Effective and efficient regulation also requires law that is fit for purpose. The major data breaches were also a catalyst for the strengthening of the OAIC’s regulatory powers and available penalties, which was a precursor to expected wider legislative change resulting from the review of the Privacy Act 1988. Amendments were also made to the Australian Information Commissioner Act 2010 in line with the OAIC’s advice, to allow IC review decisions to be delegated to Senior Executive Service (SES).
During the year, we continued to engage with government agencies on issues of regulatory concern, and to promote the principles of Open by Design, which supports government agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure. In doing so, we highlighted the importance of agencies developing robust digital systems that strengthen the community’s access to information.
Mr Leo Hardiman PSM KC served as the FOI Commissioner from 19 April 2022 to 19 May 2023. During his term Commissioner Hardiman worked to advance the objectives of the FOI Act to promote timely access to government-held information.
Mr Hardiman further developed FOI jurisprudence and his service to the Commonwealth is acknowledged.
Ms Toni Pirani commenced as acting FOI Commissioner on 20 May 2023 and has worked to further the objectives of the OAIC.
The OAIC has also embedded regulatory cooperation into our approach to performing our functions.
The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission (ACCC). During 2022–23, we provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.
The Digital Platform Regulators Forum, comprising the OAIC, the Australian Communications and Media Authority, the ACCC and eSafety, continued work to promote proportionate, cohesive, well-designed and efficient digital platform regulation that best serves the public interest. The forum’s strategic priorities for the year included a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and collaboration and capacity building.
We have also been central to the whole of government response to data breaches, and to promoting regulatory cohesion through our co-chairing of the Cyber Regulators Network with the Australian Prudential Regulation Authority.
We have continued to engage internationally on privacy and access to information issues of global concern, including through our membership of working groups of the Global Privacy Assembly and as a member of the International Conference of Information Commissioners.
The OAIC continues to perform an important privacy complaint role for the community. In 2022–23, we received a 34% increase in privacy complaints (3,402) compared to 2021–22. We are focusing on the age of privacy complaints and have commenced a project to address a backlog of privacy complaints that are more than 12 months old.
In 2022–23, we also opened investigations into the personal information handling practices of certain retailers, focusing on the companies’ use of facial recognition technology.
We sought to promote and improve protections to privacy and access to information rights by providing detailed submissions and policy advice to the Australian Government and others. In 2022–23, we made 16 submissions and 75 bill scrutiny comments across both privacy and FOI.
The OAIC engages with the community as part of our education function and to inform our regulatory approach. We led a successful Privacy Awareness Week, signing up a record number of supporters, and a successful International Access to Information Day.
Not surprisingly, due to the increase in the number and scale of data breaches reported, our Australian Community Attitudes to Privacy Survey 2023, released in August 2023, found that data breaches are seen as the number one privacy concern by the community.
This year we also embedded our hybrid way of working to attract and retain skilled people nationally and new shared services providers for finance and ICT. This required us to bring capability in house to support these systems as a service.
The OAIC has also grown significantly this year, with 72 new staff joining, requiring investment from our people and culture team to recruit, onboard and support. We also heard what is important to our people through our results in the Australian Public Service Commission (APSC) Census, and successfully implemented a Census Roadmap to uplift the OAIC’s results across all indexes.
We are also critiquing the OAIC’s performance, and for the first time, we commissioned an independent stakeholder survey to seek feedback on key performance measures and set a baseline for the future. There are lessons to be learned and the data will be highly useful as we focus our efforts in the year ahead.
We can say confidently that privacy and access to information are very much in the spotlight and will continue to be so. Information access and privacy matters to Australians, and the OAIC will continue our important work to promote and protect these fundamental rights, harnessing the skills and commitment of our people.
We are one OAIC, delivering collectively for the Australian community. I want to thank the people of the OAIC for their determination, skill and dedication to delivering across our functions every day. The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.
Australian Information Commissioner and Privacy Commissioner
3 October 2023
Our year at a glance
Information Commissioner (IC) reviews
The OAIC is headed by the Australian Information Commissioner, Angelene Falk. She is a statutory officer appointed by the Governor-General to the roles of Australian Information Commissioner and Privacy Commissioner.
The Commissioner has a range of powers and responsibilities outlined in the AIC Act, and also exercises powers under the FOI Act, the Privacy Act and other privacy-related legislation. She is the OAIC’s accountable authority, with responsibility for strategic oversight, corporate governance and the OAIC’s privacy, freedom of information and government information management functions.
Commissioner Falk was first appointed to these roles in August 2018 and reappointed for a second 3-year term in August 2021.
The OAIC is supported by a Deputy Commissioner, Senior Assistant Commissioner, and Assistant Commissioners. In May 2023, the Government announced that a separate standalone Privacy Commissioner would also be appointed, together with an ongoing Freedom of Information Commissioner (FOI Commissioner), returning the OAIC to a 3-Commissioner model.
Australian Information Commissioner and Privacy Commissioner
Over the past decade, Commissioner Falk has worked extensively with Australian Government agencies, the private sector and international organisations to address regulatory challenges and opportunities presented by rapidly evolving technology and potential uses of data. Her experience extends across industries and subject matter, including data breach prevention and management, data sharing, credit reporting, digital health and access to information.
Commissioner Falk is a member of the National Data Advisory Council and Digital Platform Regulators Forum. She was admitted as a legal practitioner to the Supreme Court of New South Wales in 1998 and holds a Bachelor of Laws with Honours, a Bachelor of Arts, a Graduate Diploma in Intellectual Property Law and a Graduate Diploma in Legal Practice.
Freedom of Information Commissioner
Mr Leo Hardiman PSM KC held the statutory office of FOI Commissioner from 19 April 2022 to 19 May 2023. Mr Hardiman was formerly Deputy Chief General Counsel and National Leader in the Office of General Counsel, Australian Government Solicitor, with more than 30 years’ experience advising the Commonwealth on legal matters.
On 20 May 2023, Ms Toni Pirani joined the OAIC as Acting FOI Commissioner. She holds a Bachelor of Laws and has worked in the public service for over 35 years, including roles with royal commissions, the Attorney-General’s Department and the Australian Financial Security Authority.
Our 5 branches undertake work in relation to our privacy, FOI and information management functions.
The Dispute Resolution branch is responsible for resolving privacy disputes. This includes:
- handling privacy and FOI enquiries
- handling privacy complaints, which includes:
  - resolving privacy complaints at the earliest opportunity by assisting parties to reach settlement through conciliation
  - investigating more complex complaints and providing outcomes
  - supporting the Information Commissioner to make determinations, which may include declarations about entities taking remedial action
- administering the Notifiable Data Breaches scheme to ensure individuals are notified of data breaches so they can act to protect their personal information and that data breaches are contained and rectified
- conducting Commissioner-initiated preliminary inquiries and investigations into particular acts and practices, which may result in further regulatory action, that may include civil penalty proceedings, determinations and enforceable undertakings
- undertaking enforcement relating to the CDR system.
The Regulation and Strategy branch is responsible for:
- providing strategic advice and guidance to individuals, government and businesses, which includes examining legislation and other proposals that may have an impact on privacy, data sharing and open government
- managing the program of work under the OAIC’s international strategy
- auditing privacy practices in industry and government agencies
- strategic policy advice and guidance in relation to the CDR system, monitoring and assessing compliance, and handling CDR enquiries and complaints
- monitoring the privacy aspects of the COVIDSafe system, which is now completed.
The FOI branch is responsible for undertaking the OAIC’s FOI regulatory functions, including:
- undertaking Information Commissioner reviews
- monitoring, investigating and reporting on compliance through FOI complaints and Commissioner-initiated FOI investigations
- deciding on applications for vexatious applicant declarations and extensions of time
- collecting information and statistics from agencies and ministers about FOI matters
- providing advice and guidance on FOI and matters relating to information access, including the Information Publication Scheme.
The Major Investigations branch was established for 2 years on 31 October 2022 to investigate serious breaches of the Privacy Act, due to the increased complexity, scale and impact of these matters, and to recommend suitable regulatory responses. It is responsible for:
- investigating significant privacy breaches
- recommending suitable regulatory action which may include civil penalty proceedings, determinations and enforceable undertakings.
The Corporate branch provides enabling services across the OAIC which:
- includes the OAIC’s legal services, strategic communications, people and culture, governance, finance, business analytics and reporting, facilities and information management, and executive support functions
- coordinates the OAIC’s identification, assessment and mitigation of strategic and operational risks
- manages the security posture of the office, including compliance with the Protective Security Policy Framework.
Our purpose: To promote and uphold privacy and information access rights
Our vision: To increase public trust and confidence in the protection of personal information and access to government-held information
We are active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community
We allocate resources efficiently, taking appropriate action in responding to risk and public expectations of Commonwealth regulators
We are a trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance
We are professional by nature, and fair and impartial by application
We are collaborative in our response to changes in technology, legislation and the expectations of the community and government.
 During 2022–23, the OAIC ceased classifying certain communications about FOI as ‘enquiries’ where these are more complex, or require a specific response, and are therefore dealt with by the FOI Branch instead of the OAIC’s enquiries team. This has reduced the numbers of FOI enquiries reported on for this financial year. We are working towards reporting separately on this category of guidance in 2023–24.
 We finalised fewer complaints in 2022–23 due to our focus on finalising legacy IC reviews received in 2018 and 2019.