Australian Government - Office of the Australian Information Commissioner

Part 1 Overview

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General Department’s portfolio, established under the Australian Information Commissioner Act 2010.

Our core functions are:

  • privacy — ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • freedom of information — protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • information policy — reporting on policy and practice relating to information held by the Australian Government.

The head of the agency is the Australian Information Commissioner, supported by an average of 64 staff throughout the year.[1]

Vision

Our vision is an Australia where government information is managed as a national resource and personal information is respected and protected.

Purpose

Our purpose is to promote and uphold information privacy and information access rights through organisational excellence.

We are successful when we:

  • promote and uphold information privacy rights for individuals
  • assist businesses and agencies covered by the Privacy Act to meet their privacy obligations while encouraging better privacy practice
  • influence government policy makers to consider privacy and access to information impacts when drafting legislation and new policy proposals
  • undertake regulatory functions under the FOI Act in an efficient and timely manner
  • assist businesses and agencies to improve their information management capabilities in relation to privacy and FOI.

Commissioner’s review

Developments in technological, social, commercial and government service delivery environments all highlight how the OAIC’s roles and functions are more relevant to Australian communities than ever before.

This has been a pivotal reporting year for the Office of the Australian Information Commissioner (OAIC). A challenging period for our organisation concluded and the OAIC has moved positively and proactively to commence a new phase of our public service.

As I noted in last year’s annual report, the OAIC responded positively through that period of uncertainty by instituting internal reforms that have resulted in improved and more-efficient services — illustrating our ability to efficiently and effectively deliver the rights and protections provided for in the Privacy Act and FOI Act.

This placed the OAIC in an excellent position to promote and protect these important rights through the past two years. It also positioned us to immediately respond and move forward following the Australian Government’s announcement, as part of the 2015–16 Budget, that the OAIC would remain responsible for regulation under both Acts.

That preparedness is vital, as ongoing developments in technological, social, commercial and government service delivery environments all highlight how the OAIC’s roles and functions are more relevant to Australian communities than ever before.

Australians continue to experience an expansion of the scope and diversity of how their personal information is being captured and used by public and private organisations, embracing new products and services which rely on personal information for delivery.

This has further increased community and professional interest in privacy and privacy governance and this is reflected in our achievements. In 2015–16 we handled over 19,000 privacy enquiries, an 18% increase from the previous year. We also received over 2,100 formal privacy complaints and achieved a rate of 97% complaint resolution within 12 months of receipt.

Significantly, while privacy enquiries continue to rise, the ratio of enquiries translating into formal complaints has lowered. This suggests two positive outcomes: firstly, that individuals are being empowered — at the enquiry stage — with the right advice and information to resolve matters satisfactorily. And secondly, that Australian agencies and businesses are taking privacy seriously — building sufficient knowledge capital and expertise to avoid privacy breaches in the first place.

The above outcomes are positive signals of the reach and effect of OAIC’s privacy promotion, guidance, audit and complaint resolution functions. It also shows how these work together in a positive cycle of preventing privacy breaches and communicating lessons learnt through resolving breaches that still occur.

This year also saw a significant shift in the public data landscape, with the Australian Government actively pursuing the innovation potential of data.

The OAIC appreciates the economic and social potential of data, and that this potential may be best realised when data sets can be reused and built upon. However, a critical condition for realising this potential is retaining community confidence that individual privacy is being protected — an outcome best achieved through a transparent approach to personal information management.

That transparent approach directly supports another key Australian Government decision of the past year, Australia’s commitment to the Open Government Partnership — an international platform for more open, accountable and responsive government.

The OAIC welcomes this commitment, as it has been our longstanding position that public information is a national resource and that access to government information is essential to stimulate innovation and economic development, to evaluate the performance of government, and to hold decisions to account.

Underpinning this is the ability of Australian communities to access information held by government; and the FOI Act provides that ability.

With this in mind, the OAIC has continued to implement efficiencies in our administration of FOI matters, particularly in the area of Information Commissioner (IC) reviews of government agency decisions. I am very pleased to report that the OAIC closed 454 applications for an IC review and only 18% of those closed required a formal decision being made by me.

This outcome speaks to the success of our approach of conciliating matters before moving to more formal processes.

It also suggests that government agencies are building the knowledge and approaches required to resolve FOI matters without the need for more formal processes.

What our successes in both privacy and FOI regulation show is that open government, information access, data innovation and personal information protection are all dependent on a ‘strategically-transparent’ approach to information management. Neither privacy nor FOI rights are absolute, but both benefit from a proactive and transparent approach by businesses and agencies. This both avoids unnecessary complaints and reduces scepticism on the occasions when entities elect to legitimately rely on exemptions to these rights.

The OAIC, as the national expert in both FOI and personal information regulation, is in a unique position to support delivery of these goals of contemporary Australian governance — in both public and commercial contexts.

We will continue to work proactively with government agencies and businesses to realise Australia’s economic and social potential in the data-driven economy; and will continue to promote and support Australians’ rights to privacy, information access and transparency of government decision-making.

Timothy Pilgrim PSM

Australian Privacy Commissioner
Acting Australian Information Commissioner

27 September 2016

Privacy highlights

FOI highlights

What we do

We are at the forefront of policy, guidance and enforcement of Australia’s privacy and freedom of information laws; shaping how emerging technologies and data practices impact the lives of every Australian.

Privacy

Our office aims to protect the privacy rights of individuals while educating and helping businesses and government agencies understand and meet their privacy obligations.

We accomplish this by:

  • investigating privacy complaints and breaches
  • undertaking privacy assessments
  • making legally binding determinations and accepting enforceable undertakings
  • providing advice and guidance to individuals, businesses and agencies on their privacy rights and obligations
  • implementing enforceable codes and recognising external dispute resolution schemes
  • raising awareness about privacy and educating Australian communities, businesses and agencies about their privacy rights and obligations.

FOI

Through our FOI function we uphold the community’s right to access public information, and promote the management of public information as a national resource.

We accomplish this by:

  • reviewing FOI decisions of government agencies and ministers
  • monitoring and investigating ministers’ and government agencies’ compliance with the FOI Act through investigations initiated by the Commissioner
  • providing advice and guidance to individuals and government agencies on their FOI rights and obligations
  • compiling FOI data and assessing trends
  • raising awareness of FOI and educating Australians and government agencies about their rights and obligations.

Who we are

Acting Australian Information Commissioner and Australian Privacy Commissioner: Timothy Pilgrim PSM. Assistant Commissioner Dispute Resolution: SES B1 — Karen Toohey. Assistant Commissioner Regulation and Strategy: SES B1 — Angelene Falk.

Commissioner roles

The OAIC is headed by the Australian Information Commissioner, a statutory officer appointed by the Commonwealth Governor-General. The Commissioner has a range of powers and responsibilities outlined in the Australian Information Commissioner Act (AIC Act), and also has the capacity to exercise powers under the FOI Act and Privacy Act.

As the head of the agency, the Australian Information Commissioner is effectively the ‘chief executive’ of the OAIC — with strategic oversight and accountability for the agency’s regulatory, strategic, advisory and dispute resolution functions, as well as its financial and governance reporting.

The AIC Act provides for there to be a Privacy Commissioner and Freedom of Information Commissioner. In 2015–16, the Privacy Commissioner and Acting Australian Information Commissioner roles were occupied by Timothy Pilgrim. The Freedom of Information Commissioner role was vacant during this period. However, the functions under the FOI Act are vested in the Australian Information Commissioner, and are also exercised by the Privacy Commissioner, through the Australian Information Commissioner Act 2010.

The Commissioner reports to the Australian Parliament, through the Attorney-General.

Dispute Resolution Branch

The Dispute Resolution Branch carries out our dispute resolution, investigation and decision-making functions in relation to privacy and FOI.

These functions can be initiated by an individual or on the Commissioner’s own initiative. The branch also performs an enquiries line function to provide information about privacy and FOI to the public, businesses and agencies. The branch also receives and manages data breach notifications. It also provides legal and record management services for the entire agency.

Regulation and Strategy Branch

The Regulation and Strategy Branch delivers a broad range of strategic advice, regulatory functions, communication strategy, corporate reporting, governance, financial management, secretariat and network coordination.

The branch provides advice and guidance to the public, businesses and government agencies — as well as assessing the practices and performance of regulated entities. The branch also develops legislative instruments.

It delivers significant services under memorandums of understanding including in areas of digital health. The branch also administers the mandatory digital health data breach notification scheme.

Our networks

Our networks provide valuable stakeholder input to better inform the policies and decisions of the OAIC, and provide methods of outreach to interested stakeholder groups.

This year we established new networks for consumers and privacy professionals.

Consumer Privacy Network

The Consumer Privacy Network (CPN) was formed in March 2016, with its first meeting held in late May. Through the CPN, we aim to better inform our understanding of, and response to, current privacy issues affecting consumers. The CPN reinforces our commitment to engaging and consulting with consumer communities to best inform our work.

Current members

  • Australian Communications Consumer Action Network (ACCAN)
  • Australian Privacy Foundation (APF)
  • Consumer Action Law Centre (CALC)
  • Consumer Credit Law Centre South Australia (CCLCSA)
  • Consumers Health Forum of Australia (CHF)
  • Electronic Frontiers Australia Inc. (EFA)
  • Financial Rights Legal Centre Inc. [New South Wales]
  • Internet Society of Australia (ISOC-AU)
  • Legal Aid New South Wales
  • Legal Aid Queensland.

Privacy Professionals’ Network

During the year we formed the Privacy Professionals’ Network (PPN), with the first meeting held in Perth. With over 200 members, the PPN provides privacy professionals from the public and private sector with information and news on the most recent privacy developments and issues and an opportunity to raise issues affecting professionals.

Our PPN brings together private and public sector professionals, reflecting the unified nature of the Australian Privacy Principles. The PPN is an open network and we actively encourage individuals with a professional interest in privacy to join.

External Dispute Resolution schemes

Our office continued to work closely with pre-existing networks, including External Dispute Resolution (EDR) scheme members. The EDR scheme recognises the extensive experience and industry-specific knowledge that existing industry-based external dispute resolution bodies possess. The EDR scheme currently recognises 10 organisations, including those from the financial, credit, utilities, services and transportation industries.

Current recognised schemes are:

  • Credit and Investments Ombudsman (CIO)
  • Energy & Water Ombudsman NSW (EWON)
  • Energy + Water Ombudsman Queensland (EWOQ)
  • Energy & Water Ombudsman SA (EWOSA)
  • Energy and Water Ombudsman Victoria (EWOV)
  • Energy and Water Ombudsman Western Australia (EWOWA)
  • Financial Ombudsman Service (FOS)
  • Public Transport Ombudsman Victoria (PTO)
  • Telecommunications Industry Ombudsman (TIO)
  • Tolling Customer Ombudsman (TCO).

Other networks

We also participate in a number of external networks that allow us to work closely with and learn from our FOI, data protection and privacy counterparts both domestically and internationally.

Association of Access Information Commissioners

This Australian network is for government authorities who administer FOI legislation. Members meet in person each year to discuss a range of matters including the legislative and operating environment, emerging areas of interest, research and best practice approaches.

International Conference of Information Commissioners

The international conference aims to provide the international community of commissioners, practitioners and advocates with a forum to exchange ideas for the advancement of access to information.

Privacy Authorities Australia

Privacy Authorities Australia brings together state and federal privacy regulators and provides members with an opportunity to share experiences and information. Members meet to collaborate regularly on privacy issues of common interest.

Asia Pacific Privacy Authorities

Asia Pacific Privacy Authorities (APPA) brings together privacy and data protection authorities from across our region. APPA currently includes 19 members from the Asia Pacific region. Members meet bi-annually and work cooperatively throughout the year on technology, education and cross-border enforcement issues.

International Conference of Data Protection & Privacy Commissioners

The International Conference of Data Protection & Privacy Commissioners (ICDPPC) is the largest and oldest network for data protection and privacy administrators. The network brings together about 113 organisations from around the world. Members meet annually to discuss the latest trends, current privacy and data protection environment and to undertake joint initiatives. Our office attends this meeting regularly and contributes to papers and discussions.

Global Privacy Enforcement Network

The Global Privacy Enforcement Network (GPEN) is open to all data protection and privacy authorities. There are currently 63 authorities active in the network, including economic unions, state and federal authorities. Members regularly share news and information on a variety of matters including best practice investigative techniques, communication and awareness raising approaches and the latest privacy research. It also provides a secure means of exchanging information between privacy regulators on issues of common concern.

Asia-Pacific Economic Cooperation

The Asia-Pacific Economic Cooperation (APEC) administers a number of working groups including a working group focused on privacy, data transfers and digital interactions. We do not officially participate in any of APEC’s working groups. However, we do monitor them regularly and assess the impacts on our operating landscape. We also regularly review opportunities to co-sponsor APEC projects and research.

We have also adopted and are participants in the APEC Cross-border Privacy Enforcement Arrangement (CPEA). This arrangement assisted with facilitating our work on the joint Ashley Madison investigation with the Office of the Privacy Commissioner of Canada. Further information about this investigation is available within the Commissioner initiated investigation section of this report.

Common Thread Network

The Common Thread Network (CTN) is a relatively new network with 11 members focused on bringing together and linking data protection and privacy authorities from across the Commonwealth of nations. The CTN aims to promote cross-border cooperation between members and to build strong capabilities for effective data protection across Commonwealth countries.

Collaboration

We actively develop and nurture our working relationships with government agencies, peak bodies and the business community. These relationships allow us to educate and improve our stakeholders’ understanding of Australian privacy and information access laws. They also provide us with opportunities to gather best-practice and receive advice and guidance.

We also work closely with peak bodies, industry and business groups to ensure that our guidance is timely, accurate and relevant to contemporary business contexts, and that future guidance, education and training opportunities are best targeted to meet emerging industry issues and trends.

Memoranda of understanding

During the year, we provided strategic advice and support to government agencies on effective privacy management. We also provided regulatory oversight on significant government programs involving personal information. For further details see Appendix B.

Footnotes

[1] Average staff number for 2015–16. The total headcount at 30 June 2016 was 75.

Long text descriptions

Privacy highlights — long text description

This infographic shows our privacy achievements and highlights for 2015–16.

The first diagram shows the number of privacy enquiries for 2015–16.

During the year, we handled 18% more privacy enquiries than last year.

In 2015–16, we received a total of 19,092 enquiries.

  • Phone: 15,160
  • Written: 3,912
  • In person: 20

In 2014–15, we received a total of 16,166 enquiries.

  • Phone: 13,229
  • Written: 2,925
  • In person: 12

The second diagram shows the number of complaints we received and the top 10 most complained about sectors.

In 2015–16, we received 2,128 privacy complaints and achieved a rate of 97% of complaint resolution within 12 months of receipt.

The top 10 complained about sectors and the number of complaints we received from each sector were:

  • Finance and superannuation: 336
  • Australian Government: 223
  • Health service providers: 200
  • Credit reporting bodies: 153
  • Telecommunications: 151
  • Online services: 120
  • Retail: 111
  • Utilities: 98
  • Debt collectors: 88
  • Business and/or professional associations: 76

The third diagram shows a breakdown of the data breach notifications that we received, including the total, the top five sectors and the number of Commissioner-initiated investigations that we conducted.

This year, we managed 107 voluntary data breach notifications (DBN).

The top five sectors for voluntary DBNs were:

  1. Australian Government
  2. Finance (including superannuation)
  3. Health service providers
  4. Retail
  5. Online services

During the year we also conducted 17 Commissioner-initiated investigations (CIIs), up from 4 in 2014–15 and 6 in 2013–14.

The fourth diagram shows some of our other achievements for the year.

They include:

  • We conducted 21 assessments of the privacy practices of businesses and Australian Government agencies
  • We partnered with 246 businesses and agencies to promote Privacy Awareness Week 2016
  • We provided 230+ pieces of substantial advice to public and private sector organisations.

FOI highlights — long text description

This infographic shows our FOI achievements and highlights for 2015–16.

The first diagram shows the number of FOI enquiries for 2015–16.

During the year, we handled 19% more FOI enquiries than last year.

In 2015–16, we received a total of 2,483 enquiries.

  • Phone: 1,854
  • Written: 624
  • In person: 5

In 2014–15, we received a total of 1,900 enquiries.

  • Phone: 1,411
  • Written: 484
  • In person: 5

The second diagram shows how many Information Commissioner (IC) reviews we managed. It also provides a comparison to previous years.

We managed 510 IC reviews this year, up from 323 in 2014–15 but down compared to 2013–14, when we managed 524 IC reviews.

The third diagram shows a breakdown of our results and decisions for the IC reviews that we managed.

In 2015–16, 82% of applications for an Information Commissioner review were finalised without proceeding to a formal decision.

Of the 510 IC reviews that we managed:

  • 38% applicants withdrew after a revised decision was given or for another reason
  • 2% reached a formal agreement
  • 10% were out of scope
  • 7% were allowed to go directly to the AAT
  • 25% were not investigated due to lack of substance, lack of cooperation or lost contact
  • 18% received a commissioner decision
