The Office of the Australian Information Commissioner’s (OAIC’s) purpose is to promote and uphold privacy and information access rights. Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information. Our 4 Key Activities are set out in our Corporate Plan.

In carrying out our Key Activities, decisions to undertake discretionary regulatory action are taken in accordance with the OAIC’s Regulatory action policies[1]. These policies require consideration of a range of factors including the objects of the relevant statute and the risks and impact of non-compliance.

The OAIC has considered the relevant factors in the identification of the following regulatory priorities for 2022–23, to ensure that the OAIC’s resources are focused on the prevention of privacy harm and upholding the community’s access to information rights in the areas of greatest impact and concern.

The OAIC has identified four areas for regulatory focus in 2022–23:

  1. Online platforms, social media and high privacy impact technologies
  2. Security of personal information
  3. Ensuring the privacy safeguards in the Consumer Data Right are effectively implemented by participants
  4. The timely and proactive release of government-held information.

1. Online platforms, social media and high privacy impact technologies

In concert with other members of the Digital Platform Regulators Forum (DP-REG), the OAIC will prioritise regulatory activities to address harms arising from practices of online platforms and services which impact on individual’s choice and control, through opaque information  practices or terms and conditions of service.

Priorities within this area include technologies and business practices that record, monitor, track and enable surveillance, and the use of algorithms to profile individuals in ways they may not understand or expect, with adverse consequences.

2. Security of personal information

The OAIC will prioritise regulatory action where there are serious failures to take reasonable steps to protect personal information or comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC. The personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches.

3. Consumer Data Right

Consumer confidence in the Consumer Data Right will be underpinned by coordinated compliance and enforcement activities by the OAIC and the ACCC. The OAIC’s focus is on ensuring that the fundamental privacy safeguards provided by the system are upheld by participants to protect consumers’ information.

4. Proactive disclosure of government-held information

The timely release of government-held information, with a focus on quality decision-making and proactive release of information, is consistent with the objects of the Freedom of Information Act 1982 and supports participative democracy. The OAIC will continue to focus on the need for agencies to make timely decisions and proactively disclose information to support an efficient access to information regime.