Download the Annual report 24-25

Updated: 05 November 2025

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency in the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

We are responsible for promoting and upholding information access rights under the Freedom of Information Act 1982 (FOI Act) and upholding the privacy rights of Australians under the Privacy Act 1988 (Privacy Act). The agency also administers the Notifiable Data Breaches (NDB) regime. In total, the OAIC has regulatory responsibilities under 39 Commonwealth statutes relating to My Health Record Act and digital health, the Consumer Data Right (CDR), Digital ID, social media minimum age, telecommunications and credit reporting. The effective administration of these regimes is essential to support public trust in government and the safety of Australians.

Our purpose is to promote and uphold privacy and information access rights. We do this by:

  • making sure Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, follow the Privacy Act and other laws when handling personal information
  • protecting the public’s right of access to documents under the FOI Act, and
  • carrying out strategic information management functions within the Australian Government under the AIC Act.

Our regulatory activities include:

  • conducting investigations
  • handling complaints
  • reviewing decisions made under the FOI Act
  • monitoring agency administration in relation to protection of personal information and access to information, and
  • providing advice to the public, organisations and Australian Government agencies.

Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.

Our guiding principles across 2024–25 were:

  • Proactive – We adopt a risk-based, education and enforcement-focused posture.
  • Purpose driven – We focus on harms and outcomes and are driven by evidence and data.
  • Proportionate – We prioritise our regulatory effort based on risk of harm to the community.
  • People focused – We preserve expertise and talent. We make the best use of our resources and maximise opportunities for our people.

Outcome and program structure

Our Portfolio Budget Statement (PBS) describes the OAIC’s outcome and program framework.

Outcome 1: Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.
Program 1.1 Complaint handling, compliance and monitoring, and education and promotion.

Our annual performance statements detail our activities and key deliverables, and measure our performance against our PBS targets and the key activities set out in our Corporate plan 2024–25.

Our key activities are to:

  • influence and uphold privacy and information access rights frameworks
  • advance online privacy protections for Australians
  • encourage and support proactive release of government information, and
  • take a contemporary, harms-based approach to regulation.

Regulatory focus

In 2024–25, the major areas of focus for the OAIC were:

  • ensuring emerging technologies, including artificial intelligence (AI), align with community expectations and regulatory requirements and targeting current and emerging harms effectively and proportionately while continuing to proactively guide compliance in a dynamic digital environment
  • supporting the development of a privacy-protecting digital economy through regulating compliance and supporting entities under the NDB scheme, Digital ID system and co-regulation of the CDR
  • leading the promotion of open government and cultivating the FOI capabilities of Australian Government agencies and ministers to secure timely access to and proactive release of government-held information – we sought to make compliance easier and increase OAIC regulatory effectiveness
  • strengthening and enforcing protections for personal information and contributing to privacy law reform, and
  • building internal capability and culture to advance the OAIC’s reputation as an innovative, harms-focused regulator delivering demonstrably efficient and effective regulatory action.

Regulatory approach

The OAIC’s regulatory approach used both encouragement and deterrence to promote and protect privacy and information access rights. We applied a proactive and harms-focused approach to prioritise our efforts. We took regulatory action to encourage and support compliance by regulated entities and addressed high-risk matters with the greatest potential for harm.

We sought to take regulatory action in response to issues:

  • that created a risk of substantial harm to individuals and the community, especially to vulnerable people and groups
  • that concerned systemic harms or contraventions
  • where our action was likely to change sectoral or market practices, or have an educative or deterrent effect
  • that were subject to significant public interest or concern, and
  • where our action helped clarify aspects of policy or law, especially newer provisions of the Acts we administer.

We aimed to take regulatory action in a consistent, transparent and proportionate manner. When deciding on which regulatory tools to use, and how to use them, we:

  • identified the risks of harm we were responding to, and the likelihood and possible consequences of those risks
  • responded in ways that were proportionate, consistent with the expectations of the community and the Australian Government, and managed risks to adequately protect the public
  • took timely and necessary action, and
  • sought to minimise regulatory burden and cost.

Overview from the Australian Information Commissioner

As the national regulator for privacy and freedom of information we are charged with a significant duty to the Australian community. The rights we promote and protect contribute directly to a healthy democratic system of government that serves us all. Our regulatory priorities advance the rights we uphold and inject certainty into markets and contribute to a vibrant economy. My task and honour, as Australian Information Commissioner and agency head, is to ensure that we are well placed to credibly execute those duties and ensure that the human rights of freedom of information and privacy are both explicit and secured in a dynamic digital environment.

This environment requires a contemporary approach to regulation. That approach is tethered to regulatory transparency and proportionality. Informed by regulatory intelligence, my fellow Commissioners Toni Pirani, Freedom of Information Commissioner, and Carly Kind, Privacy Commissioner, established and promoted our 2024–25 priorities. It has been a professional highlight to work with Commissioner Pirani, who will step down from the role in 2025.

Her contribution to the community and the OAIC has been outstanding.

Priorities

Making compliance easier is one of our shared whole-of-OAIC commitments to achieve the objective of understanding and responding to the challenges faced by regulated entities and delivering better outcomes to the Australian community. We recognise that a clear articulation of our regulatory approach will inject certainty and clarity for regulated entities. Our Statement of Regulatory Approach confirms that we apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.

Our publication of priorities and approach provides a clear view of what we, as the national regulator, will do to secure the Australian community’s rights, and how we will do it.

Regulatory impact

Consultation, to inform proportionate responses to harm and to guide our regulatory advice, is essential to our new way of working. This approach is embedded in our regulatory strategy with the establishment of a new data and insights unit to deliver a data-driven approach to regulation. Through a proactive data-informed approach we can identify and prevent harm.

We recognise that we hold highly valuable regulatory insights and the purposeful application of these insights, fortified by collaboration with other regulators, will enable us to address systemic harms.

The impact of our new ways of working is measurable, even at this early stage.

In 2024–25 we received a 21% increase in FOI reviews. Notwithstanding that significant increase, we finalised 41% more reviews this year than the preceding year.

As a further measure of the effectiveness of our educative and advisory functions, 82% of agencies reported the FOI Guidelines were the most used resource to assist them in performing their FOI Act functions. Over half of agencies used OAIC resources at least weekly (32%), fortnightly (13%) or monthly (13%). We have deployed guidance and tools to make compliance easier. The privacy foundations self-assessment tool, the FOI self-assessment tool and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

In privacy we have undertaken pioneering work to secure trust in the digital economy and delivery of government services. We published our Digital ID Regulatory Strategy, which describes how we will use our regulatory powers to build trust and confidence in Australia’s Digital ID System, and make identity verification in Australia more secure and privacy protective. We registered a new Privacy Credit Reporting Code which enhanced protections for Australians’ credit information. Significantly we commenced work on the Children’s Online Privacy Code, which will enhance protections in the online realm for children and see Australia recognised as an international leader in online privacy protection.

In responsibly and effectively applying our enforcement functions we maximised the deterrent benefits of our statutory powers and brought to an end some significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.

We have seized the opportunity presented by the three Commissioner model to deliver a groundbreaking report on Australian Government agencies’ use of messaging apps. We made recommendations to help agencies better meet their recordkeeping, FOI and privacy obligations when using those apps.

The results of our stakeholder survey demonstrate some remarkable results notwithstanding the significant program of change that we embarked upon. The key findings include:

  • advancing online privacy protections increased from 60% to 66%
  • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
  • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
  • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
  • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

By amplifying our approach to data-informed regulatory action we have matured in our regulatory policy advice function. We work collaboratively with the Attorney-General’s Department (AGD) and co-regulators to provide our regulatory insight and expertise. In doing so, broader policy and regulatory action is underpinned by data and is, as a result, more credible and robust.

Our commitment

Our impact will be augmented by the benefits we are deriving from a major program of organisational change. In December 2024 we implemented a revised organisational structure that harnesses OAIC systems, resources and our individual capabilities to deliver collective and more credible outcomes. We are committed to meaningful engagement with regulated entities and the community, and our new structure ensures that we engage, identify and mitigate emerging harm.

A new leadership team has injected purpose and direction together with capabilities and a service orientated culture. Our new Information Rights Division, led by Ms Ashleigh McDonald, has spearheaded our proactive and proportionate approach to case management and facilitated the exchange of expertise between the statutory domains of privacy and freedom of information.

Our Regulatory Action Division, led by Ms Rowena Park, has accelerated enforcement action to maximise the deterrent impact of highly contested litigation against national and international entities.

With this new structure and leadership team we are poised to advance information rights more holistically. Through a joined-up approach to regulating information rights we can apply our intelligence and capabilities to provide comprehensive advice and guidance to regulated entities and the community.

Significantly, this change will also position us to deliver better regulatory outcomes to the Australian community. We are well positioned to secure rights and therefore community trust in government’s increasing deployment of technology.

Our stakeholder results evidence the positive impact of our change program. With many of the benefits of change still to be realised, these early results demonstrate that our direction is sound.

Applying the expertise available under our three Commissioner model we have defined a clear pathway to increase our regulatory impact against a backdrop of global challenges to information rights. That pathway is grounded in a recognition that it is our collective insights, collaboration, engagement and expertise that will assure our mission.

Elizabeth Tydd
Australian Information Commissioner
10 October 2025

Overview from the Freedom of Information Commissioner

The 2024–25 year has again been productive for the OAIC’s freedom of information functions. Although we continue to deal with a significant backlog of IC Reviews, this year saw a reduction in the number on hand for the first time since 2014–15. In 2024–25 we reduced the number of IC reviews on hand by 16%, finalising 41% more than in the previous year while receiving an increase in new matters of 21%. The age of our oldest matter reduced from 65 months to 56 months.

A total of 248 IC reviews were finalised by way of a published decision under s 55K of the FOI Act – this is a significant increase compared to the previous year where 207 reviews were finalised in this way.

This significant achievement is due to the ongoing commitment and dedication of OAIC staff as well as constructive engagement from agency FOI practitioners and FOI applicants. The commencement of new procedure directions in July 2024 has delivered closer engagement between parties at the start of the IC review process facilitating earlier resolution of some matters. It has also provided more transparency to parties in the review process by requiring direct exchange of submissions.

In 2024–25, in anticipation of the 2025 Federal election, the OAIC prioritised IC reviews involving decisions made on behalf of Ministers. This provided the opportunity to apply the principles set out by the Federal Court in its decision in Attorney-General (Cth) v Patrick [2024] FCAFC 126 (24 September 2024), providing clarity to decision-makers through both IC review decisions and changes to the FOI Guidelines.

Although the OAIC did not complete any complaint investigations in 2024–25 we were able to finalise 92% of complaints within 12 months with the average time to finalise an FOI complaint being 2.8 months.

This is a significant improvement from 2023–24 when, while clearing a significant backlog of complaints, we finalised 65% of complaints within 12 months. We commenced investigations into compliance with statutory timeframes by the Department of Defence, the Department of Veterans’ Affairs and the Australian Federal Police, which are ongoing at the end of the reporting period and expected to be completed early in 2025–26.

This year the OAIC launched a new FOI statistics dashboard to improve public access to data about the operation of Australia’s FOI system. This tool is updated quarterly and enables users to see what is happening not just for the system but also at an agency level. It is accompanied by quarterly statistics on the OAIC’s regulation of the FOI system.

This year we have also prepared a separate volume of this annual report to improve accessibility of agency performance data and provide more detailed regulatory information.

We continue to strive to uplift agency capability in the exercise of FOI functions and to make FOI compliance easier. Our efforts to do so are demonstrated by an FOI Practitioner Survey we conducted in 2024–25 to better understand the needs of this group, the launch of an FOI self-assessment tool for agencies and our ongoing program of webinars for FOI practitioners.

As I leave office, I wish to express my gratitude to the professionals in the OAIC and in agencies who work to advance the important rights enshrined in the FOI Act for the benefit of all Australians. It has been my pleasure and my privilege to work with you.

Toni Pirani
FOI Commissioner
26 September 2025

Overview from the Privacy Commissioner

This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever-increasing risks to the protection of Australians’ privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to-day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices, procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models.

In parallel, and in acknowledgment of the expectations of the Australian community, the OAIC has been focused on stepping up enforcement action to address the most egregious, persistent and systemic privacy harms. In December 2024, we reached a landmark settlement with Meta in which the digital platform agreed to establish a payment program worth $50 million for individuals affected by the Cambridge Analytica incident. The OAIC entered into an enforceable undertaking with Oxfam, in relation to a data breach experienced by the charity in 2021, and issued important determinations in relation to the use of facial recognition technology by Bunnings Group and predatory web scraping activities pursued by the Grubisa companies, Property Lovers and Master Wealth Control. Investigations have been commenced in relation to connected cars, ‘rent tech’ apps, the use of tracking pixels, and the development and training of AI models, as well as into major data breaches of significant concern.

Alongside this proactive and strategic work, the OAIC continues to play a vital role providing policy input and regulatory oversight to government digital initiatives, and in administering a range of other responsibilities under more than 30 legislative domains. Three key areas warrant particular mention: the OAIC registered a new Privacy Credit Reporting Code in October 2024, on application of the code developer Arca, which enhanced protections for Australians’ credit information. The OAIC also took up a formal role as the privacy regulator of the government’s Digital ID scheme, which came into effect in December 2024. And after the passage of the Privacy and Other Legislation Amendment Act 2024 in November 2024, the OAIC commenced work on the Children’s Online Privacy Code, which will enhance protections in the online realm for children under the age of 18 when it is registered in late 2026.

With each month that passes in the role of Privacy Commissioner, I gain a greater appreciation of the complexity of privacy issues and the genuine needs of the regulated community in Australia. As we move into the new financial year, I am committed to working alongside my OAIC colleagues to continue to seek to address those issues and meet those needs through our dual approach to education and enforcement. I am convinced there is much we can do as the nation’s privacy regulator to give individuals back some of the control and agency over their personal information that they so need, and at the same time support regulated entities to secure and retain their social licence to be trustworthy stewards of Australians’ data.

Carly Kind
Privacy Commissioner
25 September 2025

Our year at a glance

Our structure

The OAIC is headed by the Australian Information Commissioner, who is a statutory officer appointed by the Governor-General.

The Information Commissioner has a range of powers and responsibilities outlined in the AIC Act, and also exercises powers under the FOI Act, the Privacy Act and 39 other pieces of legislation.

The Information Commissioner is the OAIC’s accountable authority, with responsibility for strategic oversight, corporate governance and the OAIC’s privacy, freedom of information and government information management functions.

The OAIC leadership team comprises two Executive General Managers, General Managers and Principal Directors.

Australian Information Commissioner

This role was held by Ms Angelene Falk for part of 2024–25, with her term concluding on 15 August 2024. Ms Elizabeth Tydd took up the position of Information Commissioner on 16 August 2024 for a 5-year term.

Commissioner Tydd is an experienced agency head and has occupied a number of statutory decision-making roles, including Information Commissioner and CEO of the NSW Information and Privacy Commission, Australian Freedom of Information Commissioner, Deputy President of the Workers Compensation Commission and Deputy Chairperson of the former Consumer, Trader and Tenancy Tribunal.

She has extensive regulatory and governance experience at an executive and board level in a range of jurisdictions and industries, including commercial, not-for-profit and public sector oversight.

Commissioner Tydd holds a Bachelor of Laws, Graduate Diploma of Legal Practice and Master of Laws from the University of Technology Sydney, as well as postgraduate certificates in executive management and governance, together with postgraduate qualifications in leadership and policy from Harvard University. She possesses expertise in digital government and has written extensively on this subject.

Privacy Commissioner

Ms Carly Kind commenced as Australia’s Privacy Commissioner in February 2024 for a 5-year term.

She was previously the inaugural director of the UK-based Ada Lovelace Institute, a research institute focused on the ethical and societal impacts of data and AI.

She has worked with the European Commission, the Council of Europe, numerous UN bodies and a range of civil society organisations.

Commissioner Kind has a Masters of Science, International Relations (Hons) from the London School of Economics, a Graduate Diploma in Legal Practice, and a Bachelor of Arts (International Relations) (Hons) and Bachelor of Laws from the University of Queensland.

Freedom of Information Commissioner

Ms Elizabeth Tydd held the office of FOI Commissioner from 1 July 2024 until 15 August 2024. Ms Toni Pirani took up the position as Australia’s FOI Commissioner from 16 August 2024, leaving office on 26 September 2025.

Ms Pirani has 35 years’ experience in the Australian Public Service (APS) and has been responsible for establishing, leading and managing complex operations including 2 Royal Commissions and the office of the Interim National Commissioner for Defence and Veteran Suicide Prevention. She previously acted as the FOI Commissioner in 2013 and in 2023–24.

Commissioner Pirani holds a Bachelor of Laws and a Graduate Diploma in Legal Practice. She was admitted as a Legal Practitioner in the High Court of Australia, Supreme Court of NSW and Supreme Court of the ACT in 1992.

Designing the future OAIC

In 2024–25, the OAIC engaged Nous Group (Nous) to assist in developing a new organisational structure which would transition the OAIC into a more effective, harms-focused regulator. The new structure was implemented in December 2024, with the purpose of supporting the OAIC to achieve its regulatory objectives. This new ‘One OAIC’ approach seeks to combine elements of privacy and FOI where practicable while retaining and highlighting regulated area expertise.

A new leadership structure was implemented, which reflects the level of risk and workload associated with different areas. The structure designates the level of leadership for each branch and, in the case of the Information Rights Division, grouping of branches. It includes two SES Band 2 Executive General Managers, who undertake complementary management and leadership roles, focusing respectively on information rights and regulatory action. Branches continue to be led by General Managers, and the new structure also implements a number of principal directors to lead groups of teams (as well as some larger or more complex functions within branches) where appropriate.

Regulatory Action Division

The Regulatory Action Division is led by an Executive General Manager and has three specialist teams overseeing the management of compliance, investigation and enforcement to promote adherence to the FOI Act and Privacy Act. This includes:

  • the management of Commissioner-initiated and some high-risk complaint investigations
  • complex NDB matters
  • general and funded assessments (including those for CDR and Digital ID), and
  • the enforcement of privacy and FOI legislation through regulatory action.

The division is responsible for:

  • advising Commissioners on regulatory pathways and initiatives, and
  • delivering meaningful regulatory outcomes and influencing entities’ conduct towards compliance within the regulated community.

Information Rights Division

The Information Rights Division manages and resolves all externally generated FOI and privacy cases, from pre-intake enquiries to resolution. It is also responsible for the OAIC’s interactions with members of the community, for example the OAIC’s public enquiries function.

The division is led by an Executive General Manager and has three branches which are overseen by either an SES 1 General Manager or a Principal Director (EL2) depending on the nature and scale of work, and the level of associated risk.

FOI Case Management Branch

Responsible for undertaking regulatory functions under the FOI Act, including:

  • consideration of IC reviews
  • FOI complaints
  • vexatious applicant declarations, and
  • extension of time applications.

Privacy Case Management Branch

Responsible for managing privacy complaints through:

  • early resolution
  • consideration for conciliation, and
  • investigation to resolution, including making determinations dismissing or substantiating a complaint.

Intake and Eligibility Branch

Responsible for managing:

  • a triage function for all incoming regulatory case management matters
  • privacy complaints
  • FOI reviews and complaints
  • data breach notifications
  • enquiries, and
  • complainant services functions.

Enabling Services Branch

The Enabling Services Branch provides a suite of corporate services and operational support to OAIC staff and our key stakeholders. It underpins the OAIC’s capabilities, managing essential functions that allow for effective governance, risk and operations across the OAIC, including:

  • corporate services
  • finance
  • people and culture, and
  • governance and risk.

Legal Services Branch

The Legal Services team provides:

  • internal advising
  • case managing litigation
  • supporting the Information Commissioner in tribunal appearances, and
  • supporting external legal representation for complex, high-risk cases.

Their primary areas of practice are:

  • corporate legal matters, including industrial relations
  • contract management
  • procurement, and
  • administrative law.

This ensures the OAIC’s operations are compliant with relevant legislation and regulations.

Office of the Commissioners

The Office undertakes strategic engagement with internal and external stakeholders to support delivery of the Commissioners’ statutory functions.

For the first half of the reporting period, the Office included a Reform Taskforce, which was responsible for implementing our restructure activities. Delivery of whole-of-OAIC projects is monitored and reported upon through this Office.

The Office of the Commissioners also provides Commissioners with comprehensive executive support.

Regulatory Intelligence and Strategy Branch

The Regulatory Intelligence and Strategy Branch is the centre of data, policy research and guidance that informs the OAIC’s regulatory decision-making and strategy, influences policy and legislative processes, and educates the regulated community to support their privacy and FOI obligations.

The branch:

  • provides intelligence and data to inform regulatory decision-making by the OAIC’s Commissioners
  • develops guidance and publications to educate businesses, agencies and the community on information rights
  • communicates the OAIC’s work and its impact on people and their lives, including by working with the media, business and government stakeholders
  • engages with legislative and policy processes to ensure an information rights and regulatory perspective is considered, and
  • delivers various specialist regulatory roles conferred on the OAIC (including Digital ID, CDR, My Health Record and credit reporting regulation).