Australian Government - Office of the Australian Information Commissioner
Corporate plan 2015–16

Introduction

The Office of the Australian Information Commissioner (OAIC) presents the 2015–16 OAIC corporate plan, which covers the periods of 2015–16 to 2018–19, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

Purposes

The OAIC is an independent statutory agency, established in November 2010 under the Australian Information Commissioner Act 2010 (AIC Act).

The main functions of the OAIC are:

  • privacy functions — ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • freedom of information (FOI) functions — protecting the public's right of access to documents under the Freedom of Information Act 1982 (FOI Act).

The OAIC’s mission is to promote and uphold information privacy and information access rights through organisational excellence.

The OAIC is successful when it:

  • assists entities covered by the Privacy Act to meet their privacy obligations while encouraging better privacy practice
  • influences government policy makers to consider privacy impacts when drafting legislation and new policy proposals
  • handles FOI regulatory functions in an efficient and timely manner.

Environment

Internal

The Australian Government announced in the 2014–15 Budget that the OAIC would cease operation and new arrangements for privacy and FOI regulation would commence from 1 January 2015.

The Freedom of Information Amendment (New Arrangements) Bill 2014 to abolish the OAIC was not considered by the Senate before the end of the 2014 sitting period.

Functions relating to FOI policy were transferred to the Attorney-General’s Department. FOI complaints are now handled by the Commonwealth Ombudsman. The OAIC continues to carry out the FOI review function. Resources have been provided to the OAIC for the exercise of the FOI review function for 2015–16.

The AIC Act gives the OAIC information policy functions; however, these have ceased due to resourcing constraints.

The OAIC remains responsible for the full breadth of privacy functions, including privacy complaint resolution, a strategic assessment program, Commissioner-initiated investigations and the provision of education materials for the community, agencies and organisations.

Funding for the privacy functions has been appropriated to the OAIC for the period 2015–16 and over the forward estimates.

The OAIC will also undertake privacy functions relating to the implementation of mandatory telecommunications data retention and the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Cth). Additional funding has been provided for these functions.

The OAIC anticipates a continuing high volume of privacy and FOI review matters during the 2015–16 period, consistent with increases since the OAIC’s establishment in 2010. Additional work is anticipated with the Australian Government’s commitment to introducing a mandatory data breach notification scheme in 2015.

Cooperative relationships exist between the OAIC and other regulatory agencies, including the Commonwealth Ombudsman, New South Wales Information and Privacy Commission, Inspector-General of Intelligence and Security, the Telecommunications Industry Ombudsman and the Australian Communications and Media Authority. This includes having Memorandums of Understanding (MOUs) in place, where appropriate, to reduce regulatory duplication, and enable collaboration, streamlining and information sharing.

The OAIC has also entered into financial MOUs with government departments for the provision of privacy functions for specific programs and services. This includes MOUs between the OAIC and the following agencies:

  • Department of Health for the Personally Controlled Electronic (eHealth) Record System and Healthcare Identifiers Service
  • Department of Human Services for privacy services
  • Department of Customs and Border Protection for privacy assessments and advice
  • Australian Capital Territory for services under the Information Privacy Act 2014 (ACT).

The OAIC has an MOU arrangement in place with the Australian Human Rights Commission for the provision of corporate services including finance, human resources and information technology.

External environment

Internationally and domestically, technological advancements are constantly occurring that have the potential to significantly impact on individual privacy. Big data, the Internet of Things and the evolution to a continuously connected world present great opportunities as well as some risks to privacy. This global information economy has led to the OAIC’s engagement with international counterparts through organisations such as the Global Privacy Enforcement Network, the Asia Pacific Privacy Authorities Forum and the International Conference of Data Protection and Privacy Commissioners. The OAIC also has an MOU with the Data Protection Commissioner of Ireland to enable information sharing in global privacy enforcement.

The OAIC has developed relationships with key global and domestic companies to enable appropriate information sharing and complaint resolution.

The OAIC also engages and consults with the public, government agencies, the business community and civil society groups in relation to resources, publications and privacy issues.

Performance

The OAIC has three strategic goals that underpin our work:

Goal 1 Promote and uphold information privacy rights

The OAIC will work to protect the personal information held by entities in accordance with the Privacy Act and associated legislation. In 2015–16, the OAIC will focus on working with businesses and government to assist them to understand their personal information handling responsibilities and implement a good privacy governance framework, and to encourage the development of a privacy culture within organisations and agencies.

The OAIC aims to deliver outcomes that benefit business, government and the community by progressing the following activities:

Activity 1.1: Handle privacy complaints

Privacy complaints will be handled in accordance with our Service Charter ensuring that complaints are processed in line with quality and timeliness benchmarks.

Planned performance

  • 2015–16: 80% of privacy complaints finalised within 12 months
  • 2016–17: 80% of privacy complaints finalised within 12 months
  • 2017–18: 80% of privacy complaints finalised within 12 months
  • 2018–19: 80% of privacy complaints finalised within 12 months

Evaluation

This activity will be evaluated by analysing quantitative complaint handling statistics to assess completion rates. A customer satisfaction survey will be trialled in 2015–16, with expected implementation in 2017–18.

Activity 1.2: Conduct performance assessments

The OAIC undertakes a targeted performance assessment program of entities’ privacy compliance. In 2015–16, the assessment program will focus on those entities using large amounts of personal information and new technologies. The OAIC will also be focusing on the telecommunications sector and the collection of personal information under the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Cth). The OAIC also undertakes a program of assessments funded by various MOUs. Beyond 2015–16, future assessment targets will be identified by analysing the external environment and in consultation with MOU partners.

Planned performance

  • 2015–16: Performance assessments completed within 6 months
  • 2016–17: Performance assessments completed within 6 months
  • 2017–18: Performance assessments completed within 6 months
  • 2018–19: Performance assessments completed within 6 months

Evaluation

The OAIC will measure the success of performance assessments by analysing:

  • completion rates for assessments using quantitative statistics
  • incorporation of important assessment learnings into guidance and education materials
  • implementation of material recommendations by assessed entities within 12 months of the publication of the assessment report.

Activity 1.3: Conduct Commissioner-initiated investigations and handle voluntary and mandatory data breach notifications

The OAIC undertakes Commissioner-initiated investigations (CII) into acts or practices that may be an interference with privacy, including data breach incidents. Investigation targets are identified in accordance with the OAIC’s Privacy regulatory action policy.

The OAIC also administers a system of voluntary reporting of data breaches, and mandatory data breach notifications under the Personally Controlled Electronic Health Records (PCEHR) Act. The OAIC handles data breach notifications in accordance with its Privacy regulatory action guide.

Planned performance

  • 2015–16: 80% of CIIs are finalised within 8 months; 80% of data breach notifications handled or escalated to CII within 60 days
  • 2016–17: 80% of CIIs are finalised within 8 months; 80% of data breach notifications handled or escalated to CII within 60 days
  • 2017–18: 80% of CIIs are finalised within 8 months; 80% of data breach notifications handled or escalated to CII within 60 days
  • 2018–19: 80% of CIIs are finalised within 8 months; 80% of data breach notifications handled or escalated to CII within 60 days

Evaluation

The OAIC will evaluate the success of its investigations by analysing:

  • quantitative completion rate data
  • incorporation of important assessment learnings into guidance and education materials
  • implementation of enforceable undertakings and determinations by investigated entities.

Activity 1.4: Provide a public information service

The OAIC provides a public information and enquiries line service for the community, business and government. In 2015–16, the OAIC will focus on the implementation of new technologies to improve contact options for enquirers.

Enquiries are processed within quality and timeliness benchmarks and in accordance with our Customer Service Charter.

Planned performance

  • 2015–16: 100% of enquiries finalised within 10 days
  • 2016–17: 100% of enquiries finalised within 10 days
  • 2017–18: 100% of enquiries finalised within 10 days
  • 2018–19: 100% of enquiries finalised within 10 days

Evaluation

The OAIC will evaluate the success of its public information service by analysing:

  • enquiry finalisation data using quantitative statistics
  • information from enquirers on satisfaction with service using qualitative methods.

Activity 1.5: Assist regulated entities to improve understanding of privacy compliance

In 2015–16, the OAIC’s promotion and education activities will focus on developing targeted resources for entities and actively promoting the importance of good privacy governance including the implementation of an organisational culture that respects privacy. The OAIC aims to consult with external stakeholders on the development of resources to ensure that they meet stakeholder needs.

The OAIC will also work with government agencies to assist them to minimise privacy impacts in legislation and program development, and will provide advice to government agencies and guidance to business on emerging privacy issues.

Planned performance

  • 2015–16: Key privacy resources are identified, developed and promoted for business, government and community; undertake consultations with stakeholders on significant privacy resources; monitor proposed enactments and government programmes for privacy impacts; provide advice to government agencies and guidance to business on emerging privacy issues
  • 2016–17: Key privacy resources are identified, developed and promoted for business, government and community; undertake consultations with stakeholders on significant privacy resources; monitor proposed enactments and government programmes for privacy impacts; provide advice to government agencies and guidance to business on emerging privacy issues
  • 2017–18: Key privacy resources are identified, developed and promoted for business, government and community; undertake consultations with stakeholders on significant privacy resources; monitor proposed enactments and government programmes for privacy impacts; provide advice to government agencies and guidance to business on emerging privacy issues
  • 2018–19: Key privacy resources are identified, developed and promoted for business, government and community; undertake consultations with stakeholders on significant privacy resources; monitor proposed enactments and government programmes for privacy impacts; provide advice to government agencies and guidance to business on emerging privacy issues

Evaluation

The OAIC will evaluate the success of promotion and education activities by analysing:

  • quantitative data, including website analytics, published submissions, consultations, speeches delivered, media enquiries handled and policy advices given
  • qualitative stakeholder feedback following consultation and release of materials.

Activity 1.6: Promote awareness and understanding of privacy rights in the community

The OAIC will continue to promote and educate the community about privacy rights through annual campaigns such as Privacy Awareness Week. The OAIC will work with stakeholders to provide guidance on key privacy issues affecting the community. In 2015–16, a new website will be launched that has new accessibility features to improve access to information for people with disabilities. A consultation forum with advocates and community groups will be re-formed.

Planned performance

  • 2015–16: New website with enhanced accessibility features launched; Privacy Awareness Week campaign held with an increase in the number of participating private and public sector partners
  • 2016–17: Privacy Awareness Week campaign held with an increase in the number of participating private and public sector partners
  • 2017–18: Privacy Awareness Week campaign held with an increase in the number of participating private and public sector partners
  • 2018–19: Privacy Awareness Week campaign held with an increase in the number of participating private and public sector partners

Evaluation

The OAIC will evaluate the success of promotion and education activities for the community by analysing:

  • quantitative website analytics including social media traffic
  • qualitative feedback from stakeholders on consultation drafts for education materials.

Activity 1.7: Develop legislative instruments

The OAIC will consider the necessity for any additional legislative instruments, including applications from regulated entities to develop legislative instruments and APP codes. The OAIC will undertake consultations to ensure that legislative instruments are in the public interest.

Planned performance

  • 2015–16: Applications for Public Interest Determinations and APP codes are considered; legislative instruments are up to date
  • 2016–17: Applications for Public Interest Determinations and APP codes are considered; legislative instruments are up to date
  • 2017–18: Applications for Public Interest Determinations and APP codes are considered; legislative instruments are up to date
  • 2018–19: Applications for Public Interest Determinations and APP codes are considered; legislative instruments are up to date

Evaluation

The OAIC will evaluate the effectiveness of legislative instruments by analysing:

  • qualitative feedback from stakeholders on consultations
  • quantitative data, including number of codes and public interest determinations made.

Goal 2 Promote and uphold information access rights

The OAIC will uphold the public’s right of access to documents under the FOI Act. In 2015–16, the OAIC will conduct reviews of FOI decisions made by ministers and entities in a timely and efficient manner. The OAIC has only received funding for this function to continue in 2015–16.

Activity 2.1: Provide a timely and effective Information Commissioner review function

The OAIC will focus on ensuring that Information Commissioner review processes meet quality and timeliness benchmarks.

Planned performance

  • 2015–16: 80% of Information Commissioner reviews completed in 12 months
  • 2016–17: This function is not expected to continue
  • 2017–18: This function is not expected to continue
  • 2018–19: This function is not expected to continue

Evaluation

The OAIC will measure the success of the Information Commissioner review function by analysing quantitative review completion rates.

Activity 2.2: Provide an information service to the community on information access rights

The OAIC provides information about FOI to the community through a national information service. Beyond 2015–16, it is expected that the OAIC will not perform this function.

Enquiries are processed within quality and timeliness benchmarks and in accordance with our Customer Service Charter.

Planned performance

  • 2015–16: 100% of enquiries finalised within 10 days
  • 2016–17: This function is not expected to continue
  • 2017–18: This function is not expected to continue
  • 2018–19: This function is not expected to continue

Evaluation

The OAIC will evaluate the success of its public information service by analysing:

  • enquiry finalisation data using quantitative statistics
  • information from enquirers on satisfaction with service using qualitative methods.

Goal 3 Organisational excellence

The OAIC aims to achieve organisational excellence by supporting and developing the OAIC’s people, systems and processes. In 2015–16, the OAIC will focus on building its people capability to effectively carry out the OAIC’s functions.

The OAIC aims to deliver outcomes that benefit business, government and the community by progressing the following activity:

Activity 3.1: Excellence in people management

The OAIC will strive for excellence in people management by building an expert and skilled workforce to perform OAIC functions.

Planned performance

  • 2015–16: Annual staff survey results on people management indicators are maintained or improved
  • 2016–17: Annual staff survey results on people management indicators are maintained or improved
  • 2017–18: Annual staff survey results on people management indicators are maintained or improved
  • 2018–19: Annual staff survey results on people management indicators are maintained or improved

Evaluation

The OAIC will evaluate the success of its people management by analysing:

  • annual staff and agency survey results.

Capability

The OAIC is a micro-agency that operates in an ever-changing environment and aims to be agile and innovative in the work that we do. To do this, we are continually working to ensure that we have appropriately skilled personnel and robust systems in place to allow us to respond to our strategic challenges.

Workforce

The OAIC faces challenges in recruiting and retaining skilled staff in a competitive Sydney labour market. In the rapidly changing environment in which the OAIC operates, we are continually monitoring and managing our workforce capability. The OAIC will focus on building workforce capacity, after a period of operational uncertainty, to ensure that we have the right people with the right skills in the right jobs to deliver on our goals and objectives.

In 2015–16, the OAIC will focus on resourcing to meet the OAIC’s increasing workload, particularly in the data breach notification and national security area.

The OAIC values the diversity and specialist skills of our staff, including conciliation and policy development. We will continue to strive for people management excellence.

Information Communications Technology

Essential to the OAIC’s stakeholder engagement and relationship management is the ability to communicate information externally and internally. In 2015–16, the OAIC will review its staff intranet platform and explore ways to provide alternative communication methods when engaging with our national information service.

Risk oversight and management

The OAIC is committed to an active risk management program extending to all aspects of its operations. As a non-corporate Commonwealth entity, the OAIC’s risk management system is in accordance with the requirements of Comcover’s Commonwealth Risk Management Policy.

The OAIC’s regulatory activities are conducted in line with the OAIC’s Privacy regulatory action policy. The OAIC is guided by the following principles when taking privacy regulatory action: independence, accountability, proportionality, consistency, timeliness and transparency.

The OAIC’s Audit Committee provides the Information Commissioner with independent assurance and assistance on the OAIC’s risk, control and accountability responsibilities. The Audit Committee oversees the work of the OAIC’s internal auditors and ensures that the Strategic Internal Audit Workplan and risk register provide appropriate coverage of the OAIC’s strategic and operational risks. In 2015–16, the Audit Committee will focus on producing an internal audit plan and review of the risk register.