Australian Government - Office of the Australian Information Commissioner

Part 1 Overview

Commissioner’s review

Photo of Timothy Pilgrim

Timothy Pilgrim PSM,
Australian Information and Privacy Commissioner

In last year’s Annual Report I noted that after a period of reform, resulting in improved and more-efficient services, the OAIC was well placed to respond to the 2016–17 Budget announcement that we would continue as the national regulator of both the Privacy Act and FOI Act.

I expressed my belief that the OAIC would respond confidently and positively to this confirmation of our role in protecting and upholding these two important information rights for Australian communities — and I am delighted to report that this has indeed occurred.

In 2016–17 the OAIC moved into a new phase of the office’s public role — adopting a more proactive and engaged approach to privacy and FOI regulation, ensuring that businesses and agencies are better placed to meet their responsibilities to communities.

Turning first to our privacy role; it’s my observation that developments in technological, social, commercial and government service delivery environments continue to drive increasing community and professional interest in privacy and privacy governance.

In this year’s Privacy Awareness Week the increase in community and business interest in privacy was evident. We had 369 businesses and agencies signing up to be Privacy Partners — a 49% increase on 2016 — and we had a more-than-tripling of mainstream media attention compared to 2016.

This shows just how privacy and data protection continue to be core, growing, consumer and community concerns.

Australians continue to be early-adopters of new technologies, many of which are reliant on personal information. But Australians also perceive greater risks in interacting with businesses online, and transparency is central to building their trust — as we found from the 2017 Australian Community Attitudes to Privacy Survey.

From the survey we learned that 83 per cent of Australians think that online environments are inherently more risky than offline, and 69 per cent of Australians said they are more concerned about their online privacy than they were five years ago. Significantly, 58 per cent of Australians have avoided a business because of privacy concerns and 44 per cent said they had chosen not to use a mobile app for the same reason.

These findings reinforce the view that a successful data-driven economy needs a strong foundation in privacy. That message is now as vital to the public sector as to private, as the Commonwealth seeks to build community trust for the future success of data, cyber and innovation agendas.

In this context, I am proud to have initiated the development of an Australian Public Service (APS) Privacy Governance Code, announced jointly with the Secretary of the Department of Prime Minister and Cabinet.

I, like many others, have long held the view that a single high standard for privacy governance across the APS is vital to gaining community support for important data sharing and innovation initiatives.

Australian Government agencies have a unique position in terms of their ability to collect and hold vast amounts of personal information, and so it is fair that they demonstrate the highest standards of personal information protection.

The Code, which comes into effect on 1 July 2018, will provide a clear outline to the Australian community on what they can expect from agencies handling their personal information. It will help build public trust and confidence in Government information-handling practices — by creating a clear, compulsory privacy standard across all of government.

In February this year, we saw the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, establishing a Notifiable Data Breaches (NDB) scheme in Australia. The scheme, which comes into effect on 22 February 2018, reinforces organisational accountability for the valuable personal information they hold — ensuring individuals know when their personal information may have been disclosed, where this disclosure poses a risk to them.

I am pleased to note that the 2017 Community Attitudes Survey reveals 95%, or near universal, support for this proposition.

These two important measures — the Privacy Code and NDB Scheme — will jointly strengthen Australia’s privacy governance in both public and private sectors — and represent the most significant updates to our national privacy regulation since 2014.

Accordingly, the OAIC has been taking a proactive approach to working with businesses and agencies to ensure confident and smooth implementations of both initiatives.

To reach professionals the OAIC has built the national Privacy Professionals’ Network, rolling out a calendar of events that will include every Australian capital city; and actively engaging with the more than 1400 members from both the public and private sector throughout the year. Beyond the NDB scheme, we have also assisted businesses and agencies that will need to comply with the new European Union General Data Protection Regulation (GDPR) requirements.

To reach consumer and community interests, we have broadened the Consumer Privacy Network (CPN) to better reflect community needs — with groups representing the culturally and linguistically diverse (CALD) and young people.

Internationally, the OAIC was delighted to secure the 47th Asia Pacific Privacy Authorities (APPA) Forum, bringing together privacy authorities from the region.

Finally, as Australians understand privacy rights more and more they are increasingly likely to enforce them — so it is not surprising that complaints registered for resolution with our office have increased by 17% this year.

To help address this challenge within our resources the OAIC is trialling a new early resolution approach, using new processes for intake, referral and resolution of complaints. The first month of the trial saw a substantial increase in the number of matters successfully dealt with.

Next year marks 30 years since the Privacy Act 1988 (Privacy Act) was passed. It is fair to say that the challenges of Australian privacy and data protection are vastly more complex than they were in 1988. But no matter how much our environment evolves, Australians’ right to privacy remains as important as ever.

The same applies to their Freedom of Information rights, where Australian interest in the information that underpins government decisions continues to grow.

Consequently, the 2016–17 year was also a period of re-consolidation in respect of our FOI functions; as we worked to implement the Government’s decision to return all functions under the FOI Act back to the OAIC.

During this same period, the Office experienced a 24% increase in Information Commissioner Review applications — resulting in the largest number of applications received by the Office since its establishment in November 2010.

We also improved our administration of FOI matters, increasing the number of reviews finalised by 13% compared to last year.

An observation I would like to offer here is that we continue to see that some 82% of FOI matters are dominated by requests from individuals to access their own information.

While I accept that in some cases there are complexities to these requests, many are straightforward, and involve individuals seeking their own personal information which they are also entitled to access under the Privacy Act in most cases.

So, it is in the interest, and the efficiency, of agencies to promote and support the right to access one’s own personal information held by the agency and to handle these requests administratively where at all possible.

After all, in circumstances where access to personal information held in the records of an agency is a right under both the Privacy Act and the FOI Act, we should be looking to reduce the workload on both our clients and our colleagues. I would also comment that we still have work to do in ensuring that the efficiency offered by default publication of uncontentious information requests is maximised. Accordingly, in line with our commitment to support government agencies in how they resolve FOI matters better, we have reviewed and reissued a number of FOI Guidelines about the operation of the Act and have commenced working on an FOI Regulatory action policy.

These actions are timely in light of the Government’s release of Australia’s first National Action Plan for the Open Government Partnership. The OAIC has long been an advocate for more open, accountable and responsive government. We welcome the opportunity to be part of Australia’s participation in this global movement; and to our own role as a member of the Government’s Open Government Forum, under the Action Plan.

It is therefore a busy time ahead for the OAIC on both the privacy and FOI fronts, and I would like to acknowledge the support of the OAIC’s networks and stakeholders — including the many Commonwealth agencies that we advise and support to deliver whole-of-government initiatives.

I’d also like to thank the skilled and dedicated OAIC staff, who work hard to promote and uphold the privacy and information access rights of all Australians, and who support Australian businesses and agencies to do the same.

Timothy Pilgrim PSM

Australian Information and Privacy Commissioner

14 September 2017

Our year at a glance

Our environment

The Australian economy is more information-driven than ever. Large and small companies are harnessing the power of ‘big data’ to discover even more detail about customer habits and trends. Technology has changed, and will continue to change, many of our everyday transactions.

This year Australia has seen a number of high profile privacy or cyber security incidents, which impact the public’s perceptions of the ability of organisations to handle personal information properly.

Against this climate, the Australian community are increasingly exercising their personal information rights. The number of privacy complaints made to the OAIC each year has increased by almost 150% over the last decade.

Equally, the findings from the 2017 Australian Community Attitudes to Privacy Survey showed how privacy and data protection continue to be of concern to consumers and reinforce the view that a successful data-driven economy needs a strong foundation in privacy.

Privacy governance in both the public and private sectors will significantly strengthen next year with the implementation of the Australian Public Service (APS) Privacy Governance Code and the Notifiable Data Breaches (NDB) scheme, the planning for which we have commenced.

In addition, as the independent regulator for the privacy aspects of the My Health Record system, we have continued to work with the health sector as it prepares for the system to become opt-out by the end of 2018.

Of equal importance in our information-driven economy is freedom of information — a vital pillar of open government.

Next year we will develop and publish an FOI regulatory action policy that outlines our approach to undertaking IC reviews, FOI complaints and Commissioner-initiated investigations.

The OAIC is also supporting progress against Australia’s Open Government National Action Plan 2016–2018. The Plan provides a road map for Australia’s participation in the Open Government Partnership (OGP), an international forum for reformers committed to making their governments more open, accountable, and responsive to citizens. These activities also align with Australia’s open data agenda, of which FOI is an integral part.

Who we are

The OAIC is headed by the Australian Information Commissioner, a statutory officer appointed by the Governor-General. The Commissioner has a range of powers and responsibilities outlined in the Australian Information Commissioner Act 2010 (AIC Act), and exercises powers under the FOI Act and Privacy Act.

The AIC Act provides for there to be a Privacy Commissioner and Freedom of Information Commissioner.

Timothy Pilgrim is the Australian Information Commissioner and Australian Privacy Commissioner. He reports to the Australian Parliament, through the Attorney-General.

As head of the agency, the Australian Information Commissioner is responsible for the strategic oversight and accountability for the agency’s regulatory, strategic, advisory and dispute resolution functions, as well as its financial and governance reporting.

The Commissioner is supported by his principal adviser, the Deputy Commissioner Angelene Falk, who oversees the operation of the OAIC’s services in both privacy protection and information access, and the corporate and communication functions.

Assistant Commissioner Andrew Solomon is responsible for the Dispute Resolution branch covering case management and resolution of privacy complaints and FOI reviews and complaints, Commissioner-initiated investigations, legal services and the public enquiries line.

Assistant Commissioner Melanie Drayton is responsible for the Regulation and Strategy branch which provides advice and guidance, examines and drafts submissions on proposed legislation, conducts assessments, and provides advice on inquiries and proposals that may have an impact on privacy.

Executive bios are on page 26

The OAIC staff are experts in their field. They share a deep commitment to ensuring the rights of Australians are protected when it comes to privacy and freedom of information.

Australian Information Commissioner and Australian Privacy Commissioner: Timothy Pilgrim PSM
Deputy Commissioner: Angelene Falk
  • Dispute Resolution Branch: Assistant Commissioner Andrew Solomon
  • Regulation and Strategy Branch: Assistant Commissioner Melanie Drayton

Timothy Pilgrim PSM

In October 2016, Timothy was formally appointed the Australian Information Commissioner along with his responsibilities as Australian Privacy Commissioner. Timothy has been Australian Privacy Commissioner since 2010 and was Acting Australian Information Commissioner from 2015. Prior to this, Timothy was the Deputy Privacy Commissioner from 1998 to 2010. Before joining the Office of the Privacy Commissioner, Timothy held senior management positions in a range of Australian Government agencies, including the Small Business Program within the Australian Taxation Office and the Child Support Agency.

Timothy has made a significant contribution to the field of privacy in Australia. His achievements include involvement in developing the private sector provisions of the Privacy Act 1988, which included widespread consultation with community, business and government organisations. He also played a key role in implementing the private sector provisions, which took effect on 21 December 2001. More recently, Timothy has led the implementation of the 2014 reforms to the Privacy Act, the most significant reforms to the Act since its commencement. In doing so he worked closely with businesses, consumer groups and Australian Government agencies to build awareness of privacy rights and obligations, and ensure compliance with the new requirements.

Timothy has also worked at the international level to ensure that Australia is equipped to deal with global privacy challenges. He has played an important role in the implementation of the Asia-Pacific Economic Co-operation (APEC) Privacy Framework, which aims to promote a consistent approach to information privacy protection across APEC member economies. Timothy has also been closely involved in developing a framework for privacy regulators around the world to cooperate on cross-border enforcement matters.

He has extensive experience in corporate management, covering fields such as human resource management, industrial relations and parliamentary liaison. More broadly, at the corporate level he has been responsible for providing high level advice on strategies for implementing large scale cultural change.

Awarded a Public Service Medal in the 2015 Australia Day Honours List for ‘outstanding public service in the development and implementation of major reforms to the Privacy Act 1988’, Timothy holds a Bachelor of Arts degree from the University of Sydney.

Angelene Falk

Prior to being appointed Deputy Commissioner, Angelene was the Assistant Commissioner of Regulation and Strategy at the OAIC. In this role she oversaw proactive privacy regulation, including through Commissioner-initiated investigations and assessments of both public and private sector organisations, and handled data breach notifications, many of which attract significant media attention.

Prior to her appointment to the former Office of the Privacy Commissioner in 2007, Angelene held positions with Boards and Commissions as lawyer, educator and policy adviser in the discrimination area. Protecting and promoting rights and responsibilities is an important priority for Angelene, one which she continues in her role today.

Andrew Solomon

Andrew has held senior management positions in two Australian Government regulatory agencies, firstly as the NSW State Manager for the National Native Title Tribunal for seven years and for the past 11 years with the OAIC (formerly the Office of the Privacy Commissioner) — dealing with all functions of the office during that time.

Melanie Drayton

Prior to being appointed Assistant Commissioner, Melanie held a variety of director level positions within the OAIC. Melanie’s breadth of responsibilities has seen her work across privacy, freedom of information and information policy functions which included preparing guidance, drafting legislative instruments and promoting the requirements of the Privacy Act 1988 and the Freedom of Information Act 1982. Prior to commencing her tenure at the OAIC, Melanie worked for the NSW government and community sector.

Photo of Executive

Left to right: Melanie Drayton, Timothy Pilgrim, Angelene Falk and Andrew Solomon.

Communication and collaboration

This year we used a variety of different channels to raise awareness about privacy and freedom of information, engaging with businesses and agencies and the Australian public.

This section contains highlights of some of these activities, with other activities outlined in Chapter 2.

Our networks

The OAIC hosts and participates in a number of domestic and international privacy networks which provide opportunities for organisations to meet, collaborate and share expertise.

Privacy Professionals’ Network

This year there was a significant increase in public and private sector privacy professionals interested in joining the Privacy Professionals’ Network (PPN) — membership increased from 169 to 1235 members. Approximately 70% of members are from the private sector, with the remainder from the public sector. Members have the opportunity to hear from experts, listen to case studies, and network with other members.

Consumer Privacy Network

The Consumer Privacy Network (CPN) assists the OAIC to further understand and respond to current privacy issues affecting consumers. Members are appointed for a two-year period. The current members are:

  • Australian Communications Consumer Action Network
  • Australian Privacy Foundation
  • Consumer Action Law Centre (CALC)
  • Consumer Credit Law Centre SA (CCLCSA)
  • Consumers Health Forum of Australia
  • Electronic Frontiers Australia, Inc
  • Financial Rights Legal Centre Inc (NSW)
  • Internet Australia
  • Legal Aid NSW
  • Legal Aid Queensland
  • The Foundation of Young Australians*
  • National LGBTI Health Alliance*
  • Federation of Communities’ Councils of Australia*
  • National Mental Health Consumer and Carer Forum.*

* Became members during 2017–18.

eNewsletters

We distributed 11 OAICnet eNewsletters to subscribers, 13 to PPN members and four to our Information Contact Officer Network (ICON) members — providing the latest news about our activities, publications and other relevant information.

External Dispute Resolution schemes

The Information Commissioner can recognise external dispute resolution (EDR) schemes to handle particular privacy-related complaints (s 35A of the Privacy Act 1988).

The EDR schemes currently recognised are:

  • Credit and Investments Ombudsman (CIO)
  • Energy & Water Ombudsman NSW (EWON)
  • Energy + Water Ombudsman Queensland (EWOQ)
  • Energy & Water Ombudsman SA (EWOSA)
  • Energy and Water Ombudsman Victoria (EWOV)
  • Energy and Water Ombudsman Western Australia (EWOWA)
  • Financial Ombudsman Service (FOS)
  • Public Transport Ombudsman Victoria (PTO)
  • Telecommunications Industry Ombudsman (TIO)
  • Tolling Customer Ombudsman (TCO).

External networks

Privacy Authorities Australia

Privacy Authorities Australia is a group of Australian privacy authorities that meet regularly to promote best practice and consistency of privacy policies and laws. Membership includes the OAIC and privacy representatives from all states and territories.

Asia Pacific Privacy Authorities

This is the principal forum for privacy authorities in the Asia Pacific region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.

Global Privacy Enforcement Network

The network is designed to facilitate cross-border cooperation in the enforcement of privacy laws. It builds on the Organisation for Economic Co-operation and Development’s (OECD) Recommendation on Privacy Law Enforcement Cooperation (the Recommendation) (2007), which recognised the need for greater cooperation between privacy enforcement authorities on cross-border privacy matters.

Asia-Pacific Economic Cooperation

The Asia-Pacific Economic Cooperation (APEC) administers a number of working groups including a working group focused on privacy, data transfers and digital interactions. We do not officially participate in any of APEC’s working groups. However, we do monitor them regularly and assess the impacts on our operating landscape. We also regularly review opportunities to co-sponsor APEC projects and research.

We have also adopted and are participants in the APEC Cross-border Privacy Enforcement Arrangement (CPEA).

International Conference of Data Protection and Privacy Commissioners

The largest and oldest network for data protection and privacy authorities, it brings together organisations from around the world.

The Association of Access Information Commissioners

This Australian network is for information access authorities who administer FOI legislation.

Common Thread Network

This network brings together data protection and privacy authorities from across the Commonwealth of nations.

The International Conference of Information Commissioners

The international conference provides an opportunity for commissioners, practitioners and advocates to exchange ideas for the advancement of access to information.

Events

As part of Privacy Awareness Week 2017, 132 privacy professionals attended the main industry event and over 50 people registered to attend the ‘Growing up digital’ event held in conjunction with the eSafety Commissioner.

We also held a number of PPN events this year across Australia, including a free public lecture in Perth on the modern day interactions between privacy governance, technology and trust and a Queensland University of Technology event to discuss the Mandatory Data Breach Notification Bill and EU General Data Protection Regulation (GDPR) scheme.

An additional focus for this year was a series of ‘grass roots’ community engagement events. For example, we participated in Sydney Gay and Lesbian Mardi Gras Fair Day, promoting positive privacy practices to around 70,000 people.

This year, OAIC Executives gave a number of speeches to audiences from the public, private, community, health and education sectors, as well as an event targeting start-up businesses. We also spoke at international events for privacy professionals.

Photo of 5 panellists.

Timothy Pilgrim, Australian Information and Privacy Commissioner, and four panel members at an event.

Privacy Awareness Week 2017

Privacy Awareness Week (PAW) is an annual initiative of the Asia Pacific Privacy Authorities forum. It is held every year to promote and raise awareness of privacy issues and the importance of protecting personal information.

It’s encouraging to see that Australians are alert to privacy risks. But we need to convert awareness into action, and use the options already available to us to protect our personal information.

Timothy Pilgrim PSM, Australian Information and Privacy Commissioner, in the media release ‘Commissioner calls for action as privacy concerns grow’, 15 May 2017

In 2017, the theme was ‘trust and transparency’, highlighting the consumer and community trust that flows to organisations who handle personal information transparently, and with care, throughout the information life cycle.

The community interest in privacy was high.

  • 49 per cent increase in PAW partners — 369 compared to 246 in 2016
  • Over 250 mainstream media mentions and 20+ broadcast media interviews — equating to 31 hours of airtime, equal to $250,000 worth of paid media content.

While 61 per cent of us check website security, … over 65 per cent of Australians do not read privacy policies, and half do not regularly adjust privacy settings on social media, or clear their browsing history … For businesses, these results show there is still work to do to make privacy easy for customers to manage. Those long-winded privacy notices and complex settings need to be replaced by clear language and point-in-time notifications.

Timothy Pilgrim PSM, Australian Information and Privacy Commissioner, in the media release ‘Commissioner calls for action as privacy concerns grow’, 15 May 2017

Australian Community Attitudes to Privacy Survey 2017

The OAIC’s Australian Community Attitudes to Privacy Survey (ACAPS) is a longitudinal study into public awareness of, and concern about, privacy. The survey has been conducted in various forms since 1990 and was last undertaken in 2013.

Given the technological, social and consumer landscape in which our personal information is used, it is not surprising that the survey showed that Australians are increasingly concerned about the privacy risks that have evolved in tandem with new technology and new ways of connecting socially.

The survey revealed that 69 per cent of Australians say they feel more concerned about their online privacy than they did five years ago, and 83 per cent believe privacy risks are greater online than offline. Around one-in-four regret social media activity and a similar percentage know a victim of identity theft.

A striking message for the OAIC is that while privacy is increasingly of interest to Australian consumers and communities, many of us are not converting that interest into using basic privacy protections that are already available to us.

The full survey findings are on the OAIC website.

‘… our survey shows the majority of Australians have decided not to deal with a business due to privacy concerns.’

Timothy Pilgrim PSM, Australian Information and Privacy Commissioner, in the media release ‘Commissioner calls for action as privacy concerns grow’, 15 May 2017

Media

This year has seen a significant increase in community and media attention around our work, privacy and FOI. As seen in the ACAPS study, privacy is increasingly of interest to Australian consumers and communities, and several high profile privacy incidents have prompted Australians to reflect on how their information is protected.

In 2016–17 we adopted a strategic and proactive approach to disseminating information and raising awareness, resulting in a strong media presence across a variety of channels.

Media enquiries increased by 40 per cent (255 in 2016–17 compared to 181 in 2015–16). These have been from a mixture of mainstream, business and community publications.

Photo of radio interview.

Timothy Pilgrim being interviewed in a radio studio.

Social media

Twitter: 10% increase in followers. LinkedIn: 28% increase in followers. Facebook: 9.5% increase in page likes.

Long text descriptions

Privacy highlights

We received 17% more privacy complaints — in 2016–17, there were 2,494 total privacy complaints, compared to 2,128 in 2015–16.

During the year, the majority of complaints came from the following sectors:

  • Finance (including superannuation): 15%
  • Health service providers: 11%
  • Australian Government: 10%
  • Telecommunications: 8%
  • Credit reporting bodies: 6%
  • Retail: 5%

We closed 22% more privacy complaints — in 2016–17, we closed 2,485 total privacy complaints, compared to 2,038 in 2015–16. In 2016–17, the average time taken to close a complaint was 4.7 months, compared to the time taken last year of 4.9 months.

In 2016–17, 95% of all privacy complaints were resolved within 12 months of receipt. In 2015–16, 97% of all privacy complaints were resolved within 12 months of receipt.

We handled 16,793 privacy enquiries which was a 12% decrease on last year. They were:

  • Phone enquiries: 13,301
  • Written enquiries: 3,478
  • In person: 14

We received 114 voluntary data breach notifications, which was a 7% increase on last year when we received 107. The top five sectors were:

  1. Australian Government
  2. Finance (including superannuation)
  3. Retail
  4. Health service providers
  5. Telecommunications

92% of voluntary data breach notifications were closed within 60 days. We managed 35 mandatory data breach notifications (a 119% increase on last year).

We partnered with 369 businesses and agencies to promote Privacy Awareness Week 2017 (an increase from 246 in 2015–16 and 237 in 2014–2015).

FOI highlights

We received 632 Information Commissioner reviews of FOI requests. We had 373 in 2014–15 and 510 in 2015–16. We finalised 86% of applications for an Information Commissioner review within 12 months of receipt.

We finalised 515 Information Commissioner reviews (a 13% increase compared to 2015–2016 when 454 were finalised).

100% of FOI complaints finalised were completed within 12 months of receipt. The average time taken to close FOI complaints was 3 months.

We handled 2,062 FOI enquiries which was a decrease on last year. They were:

  • Phone enquiries: 1,454
  • Written enquiries: 599
  • In person: 9
