Australian Government - Office of the Australian Information Commissioner

Corporate Plan 2016–17

Introduction

I, Timothy Pilgrim, Acting Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2016–17, for the 2016–17 to 2019–20 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

About this plan

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency, established in November 2010 under the Australian Information Commissioner Act 2010 (AIC Act).

The main functions of the OAIC are:

  • privacy functions — ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • freedom of information (FOI) functions — protecting the public's right of access to documents under the Freedom of Information Act 1982 (FOI Act).

We also have an information policy function under the AIC Act to report on policy and practice relating to information held by the Australian Government.

Commissioner’s message

The Office of the Australian Information Commissioner (OAIC) plays a unique role in promoting and protecting two of the fundamental pillars of open democratic government in the information age.

These are:

  • the right of individuals to access government-held information and understand how it is used for public purposes
  • the right of individuals to exercise choice and control over their personal information.

Over the next four years, as business and government seek to harness the power of information to develop new products and services, the above rights will remain deeply relevant to Australian communities.

In privacy we see the public and commercial promise of data innovation never more apparent, yet the protection of personal information never more integral to consumer and community trust — which are required for innovation to succeed. The OAIC’s role as privacy regulator is the bridge between these concerns — allowing businesses and agencies to innovate products, policies and services, while ensuring consumer and public trust.

At the same time, community expectations of transparency as to how government information is being used to make decisions continue to grow — a natural consequence of the increasing ability of individuals to access, interrogate and understand all manner of information interests.

This is also an expected consequence of the social compact that has evolved as Australians are encouraged to support data-driven innovations that rely on personal information for success. Available evidence suggests Australians understand the personal and community benefits of data innovation, but expect transparency and protection of personal identity to be integral.

The nexus between data innovation, freedom of information, and personal information protection therefore requires what I describe as a ‘strategically-transparent’ approach to information management. While neither privacy nor FOI are absolute rights, a proactive, pro-disclosure and by-design approach ensures businesses and agencies [1] are best-placed to meet their responsibilities to communities while building trust.

Building that proactive and strategic approach to privacy and information management is a core function of the OAIC, partnered with our role as regulator and protector of these rights — and the Government’s 2016–17 Budget decision to forward-fund the OAIC is an endorsement both of information privacy rights and of public information as a national asset.

Accordingly, I welcome the opportunity this Corporate Plan presents to confidently project a full four-year outlook, and respond with new corporate challenges, programs and engagement. The plan also outlines how the OAIC will progressively renew our measures of success to focus on the public value, impact and influence of our work.

It is a plan that aptly speaks of an office that is outward-looking, and offers unique value to Australian government agencies and communities each day.

Timothy Pilgrim PSM

Australian Privacy Commissioner
Acting Australian Information Commissioner

31 August 2016

Purpose

Our purpose is to promote and uphold information privacy and information access rights through organisational excellence.

We are successful when we:

  • promote and uphold information privacy rights for individuals
  • assist businesses and government[2] agencies covered by the Privacy Act 1988 to meet their privacy obligations while encouraging better privacy practice
  • influence government policy makers to consider privacy and Freedom of Information (FOI) impacts when drafting legislation and new policy proposals
  • undertake FOI regulatory functions under the Freedom of Information Act 1982 in an efficient and timely manner
  • assist businesses and government agencies to improve their information management capabilities in relation to privacy and FOI.

Environment

The next four years will once again see rapid change in the technological, social and government service delivery environments relevant to our statutory roles.

Australians will continue to experience an exponential expansion of the scope and diversity of how personal information is being captured and used by businesses and government — as we are in an unprecedented period of development of new products and services which rely on personal information for delivery.

This data is then used for research and development into new products and services which, in turn, rely on personal information for delivery and further research and development. The resulting ‘data-driven economy’ is a cyclical and seemingly-exponential capitalisation on the innovation potential of data and data analytics — with personal information often the primary data source.

We clearly appreciate both the economic and public potential of this data, and that the potential may be best realised when data sets can be reused and built upon. Beyond offering new products or services, there is substantial research, service and policy potential to be realised in both the public and private sector.

However, as recognised by other key stakeholders such as the Productivity Commission and Department of the Prime Minister and Cabinet’s Public Data Branch, a critical condition for realising this potential is retaining community confidence that individual privacy is being protected — an outcome best achieved through a transparent approach to personal information management.

That transparent approach directly supports a related national challenge: the Australian Government’s commitment to the Open Government Partnership — an international platform for more open, accountable and responsive government. The Australian Government has committed to develop a National Action Plan to support the Partnership goals, which ‘directly align with Australia’s long and proud tradition of open and transparent government’[3].

We welcome this international commitment. It has been our longstanding position that public information is a national resource; and that access to government information is essential to stimulate innovation and economic development, to evaluate the performance of government, and hold decisions to account.

Open government, information access, data innovation and personal information protection are therefore co-dependent on a ‘strategically-transparent’ approach to information management; and the OAIC is in a unique position to support delivery of these key goals of contemporary Australian governance.

Our legislative framework is principles-based and flexible, which can adapt and support both data-innovation and data-protection, and we are uniquely placed to work with both business and government entities to support a privacy-by-design approach to commercial and policy innovation.

Accordingly, we look forward to working proactively with the Australian Government and businesses to realise Australia’s economic and community potential from the data-driven economy; and will continue to promote and support Australians’ rights to privacy, information access and transparency of government decision making.

Challenges, goals and measurement

The Enhanced Commonwealth Performance Framework[4] challenges all government agencies to ensure performance measures are clear, externally focussed, and convey delivery against an agency’s purpose. The framework encourages government agencies to holistically review and renew measurement systems, including allowing time to establish and build new measures, baselines and targets over the four-year outlook.

With forward funding for four years now secured, we are embracing the above challenge and 2016–17 will be the last in which OAIC reports against its current suite of measures.

The new areas of measurement flagged against our three key challenges will become active from 2017–18. This will also allow us to proactively align with the Commonwealth’s Regulator Performance Framework.

Performance

We have three overall challenges that we need to meet to achieve our purpose. We are moving towards developing measures to effectively measure the external impact of our three challenges over forward estimates.

  1. Promote, uphold and shape Australian information privacy rights.
  2. Promote and uphold Australian information access rights.
  3. Develop the personal information management capabilities of Australian businesses and government agencies.

Challenge one: Promote, uphold and shape Australian information privacy rights

Our environment

The expansion of the collection and use of personal information in both public and private sectors presents challenges to Australians’ privacy, which we will actively engage in.

Government

The Australian Government’s public sector data policy is welcomed by the OAIC as it aligns with the objective, outlined in the FOI Act, of managing public sector information as a national resource for public benefit. We are also acutely aware of the need to secure public confidence in public data innovation by embedding transparent privacy governance into the data innovation environment.

Accordingly, we will work to assist government agencies to identify privacy risks and build in protections, to enable data innovation in a way which preserves community trust. This includes working directly with government agencies on new policies and programs where privacy protection will be key; such as digital health, new models for engagement with government services, and the use of data analytics to prevent welfare fraud.

We will continue to work to provide a critical assessment role in national security and law enforcement initiatives such as mandatory data retention laws, biometric security, and national identity management systems.

The OAIC also notes the appointment of a Cyber Security Advisor to the Prime Minister and the related Cyber Security Strategy, which we support. In line with Australian Privacy Principle 11, we will work with the Cyber Security Advisor on the need to embed protection of personal information into the implementation of the strategy by both government and business.

The likely development of a mandatory data breach notification scheme may create significant resourcing challenges for the OAIC — both in terms of responding to demand for regulator advice, and in terms of the potential of such a scheme to initially increase the volume of individual privacy complaints to be resolved. We will work closely with the Attorney-General’s Department as any potential scheme is developed.

New technology

Advances in fields such as biometric information, the Internet of Things, data-analytics and de-identification signal a need to examine existing privacy governance practices, and reach common frameworks, standards and terminology around how these will incorporate the protection of personal information. We are uniquely placed to bring government, business and technical expertise together to address the privacy dimensions of these technologies to protect both individual privacy, and organisational reputation.

Community awareness

In tandem with this work is the need for Australians to understand the privacy rights they hold. Australian interest in privacy as a fundamental community and consumer concern is rapidly increasing and solidifying. Illuminating the link between this concern and the protection the OAIC offers is vital to ensuring that Australians can engage with both business and government services alike with confidence and a high level of privacy trust — an outcome that benefits both community and economic imperatives.

We will look to significantly increase our engagement in public communication, education and outreach campaigns to ensure Australians understand our role in providing free advice and resolution to mishandling of personal information.

Instrumental to this will be interrogating the potential gap between ‘privacy’ as a broad and multi-layered community concern, and the more specific concern of ‘personal information’ (described in many jurisdictions as ‘personal data protection’) which we regulate.

International

Data knows no borders, and personal data protection is a global regulatory challenge. We will continue to play a policy leadership role in developing personal information rights within the Asia Pacific region, and will look to expand our influencing and knowledge-development role in global privacy fora such as the Asia Pacific Privacy Authorities, the Global Privacy Enforcement Network, the Commonwealth’s ‘Common Thread’ privacy network and APEC’s Cross-border Privacy Enforcement Arrangement (CPEA).

We will look to reduce fragmentation and to play a leadership role to work towards better interoperability of privacy responsibilities. Acknowledging the borderless nature of data transactions, we will continue to build effective partnerships with fellow data protection authorities. This will ensure that the privacy rights of Australians can be protected, no matter where the sources of their products or services lie — and that privacy breaches are addressed efficiently across jurisdictions.

It is equally important for Australian businesses who trade globally to understand their privacy obligations across jurisdictions, and we will work with the regulated community to build their capacity and compliance in a global environment. Particular challenges in the years ahead include building knowledge capacity in Australian businesses for environmental changes that will take effect across European Union (EU) member states in 2018, through the General Data Protection Regulation. These changes will impact all Australian businesses who offer products or services to EU citizens.

Our capability

Internally, we will seek to further build our information technology and data analytics capacity through training and partnerships with academic, government and corporate sector leaders in this space — to ensure that our privacy protection frameworks realistically align with rapidly-changing consumer and organisational contexts.

Our action plan

We will promote, uphold and shape Australian information privacy rights by undertaking the following activities.

1. Handle privacy complaints

Our free service for individuals to make a privacy complaint about an entity covered by Australia’s Privacy Act 1988 (Privacy Act).

Intended outcomes

2016–17:

  • 80% of privacy complaints finalised within 12 months.
  • Ensure the timeliness and quality of complaint resolution.
  • Resolve the majority of complaints by conciliation with both parties.
  • Raise awareness about our complaints handling function.

2017–18, 2018–19 and 2019–20 (each year):

  • Ensure the timeliness and quality of complaint resolution.
  • Resolve the majority of complaints by conciliation with both parties.
  • Raise awareness about our complaints handling function.

How we measure results

2016–17:

  • Quantitative complaint handling statistics to assess completion rates, outcomes and timeframes.
  • Develop methodology for measuring the intended outcomes outlined above.

2017–18, 2018–19 and 2019–20 (each year):

  • Quantitative complaint handling statistics to assess completion rates, outcomes and timeframes.
  • Measure against existing methodology.

2. Conduct privacy assessments

The Commissioner has the power to conduct an assessment of any business or Australian Government agency covered by the Privacy Act.

Intended outcomes

2016–17:

  • The median for the completion of assessments is within six months.
  • Provide a professional, independent and systematic appraisal of how well government agencies and businesses comply with the Privacy Act.
  • Entities change practices to ensure compliance with the Privacy Act.
  • Key learnings from assessments are incorporated into our guidance and educational materials.

2017–18, 2018–19 and 2019–20 (each year):

  • Provide a professional, independent and systematic appraisal of how well government agencies and businesses comply with the Privacy Act.
  • Entities change practices to ensure compliance with the Privacy Act.
  • Key learnings from assessments are incorporated into our guidance and educational materials.

How we measure results

2016–17:

  • Quantitative assessment statistics to assess completion rates, outcomes and timeframes.
  • Develop methodology for measuring the intended outcomes outlined above.

2017–18, 2018–19 and 2019–20 (each year):

  • Quantitative assessment statistics to assess completion rates, outcomes and timeframes.
  • Measure against existing methodology.

3. Conduct Commissioner initiated investigations and handle voluntary and mandatory data breach notifications

Commissioner initiated investigations (CII) look into whether the actions of a business or government agency may be an interference with the privacy of an individual. Voluntary and mandatory data breach notifications are also managed by the OAIC.

Intended outcomes

2016–17:

  • 80% of CIIs are finalised within eight months and 80% of voluntary data breach notifications are processed or escalated to CII within 60 days. 80% of mandatory digital health data breach notifications are processed or escalated to CII within 60 days.
  • Increase awareness about the voluntary data breach notification scheme with the OAIC.
  • Key learnings are incorporated into our guidance and educational materials.
  • Entities change practices and implement recommendations from enforceable undertakings and determinations.

2017–18, 2018–19 and 2019–20 (each year):

  • Maintain timeframes for finalising CIIs and data breach notifications.
  • Increase awareness about the voluntary data breach notification scheme with the OAIC.
  • Key learnings are incorporated into our guidance and educational materials.
  • Entities change practices and implement recommendations from enforceable undertakings and determinations.

How we measure results

2016–17:

  • Quantitative statistics to assess the number of notifications, completion rates, outcomes and timeframes.
  • Develop methodology for measuring the intended outcomes outlined above.

2017–18, 2018–19 and 2019–20 (each year):

  • Quantitative statistics to assess the number of notifications, completion rates, outcomes and timeframes.
  • Measure against existing methodology.

4. Provide a public information service

Free public information service on any privacy related matter. Our service includes in-person, telephone and email enquiries.

Intended outcomes

2016–17:

  • 90% of written enquiries are finalised within 10 working days.
  • Raise public awareness about our information services for privacy related matters.

2017–18, 2018–19 and 2019–20 (each year):

  • Ensure the timeliness and quality of the public information service.
  • Raise public awareness about our information services for privacy related matters.

How we measure results

2016–17:

  • Quantitative statistics to assess the success of the service.
  • Develop methodology for measuring the intended outcomes above.

2017–18, 2018–19 and 2019–20 (each year):

  • Analysing quantitative statistics.
  • Measure against existing methodology.

5. Assist businesses and agencies to improve their understanding of privacy compliance and promote privacy best practice

We provide entities with guidance on complying with the Privacy Act and encourage best practice by providing accurate and timely advice to a variety of sectors.

Intended outcomes

2016–17, 2017–18, 2018–19 and 2019–20 (each year):

  • Key privacy resources are identified, developed and promoted for business, government and the community.
  • Consultations are undertaken with stakeholders on significant privacy resources.
  • Proposed enactments and government programs are monitored for privacy impacts.
  • Advice is provided to government agencies and guidance to business on emerging privacy issues.

How we measure results

2016–17:

  • Quantitative data, including website analytics, published submissions, consultations, speeches delivered, media enquiries handled and policy advices given.
  • Develop methodology for the intended outcomes above.

2017–18, 2018–19 and 2019–20 (each year):

  • Measure against existing methodology.

6. Promote awareness and understanding of privacy rights in the community

Awareness raising activities to ensure the public is well informed of issues that impact these rights and that businesses and government agencies understand their privacy obligations.

Intended outcomes

2016–17:

  • Privacy Awareness Week campaign is held, with an increase in the number of participating private and public sector entities and an increase in wider community engagement.
  • Understand and respond to the needs of culturally and linguistically diverse (CALD) communities so we can assist and educate all Australians about their privacy rights.

2017–18, 2018–19 and 2019–20 (each year):

  • The public has an increased awareness about their privacy rights.
  • Businesses and government agencies are aware of their obligations under the Privacy Act.
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their privacy rights.

How we measure results

2016–17:

  • Develop methodology for measuring the intended outcomes above.

2017–18, 2018–19 and 2019–20 (each year):

  • Measure against existing methodology.

7. Develop legislative instruments

Powers under the Privacy Act and other legislation to make or approve legally binding guidelines and rules.

Intended outcomes

2016–17, 2017–18, 2018–19 and 2019–20 (each year):

  • Applications for Public Interest Determinations and Australian Privacy Principles codes are considered.
  • Legislative instruments are appropriate and up-to-date.

How we measure results

2016–17:

  • Develop methodology for measuring the intended outcomes above.

2017–18, 2018–19 and 2019–20 (each year):

  • Measure against existing methodology.

Challenge two: Promote and uphold Australian information access rights

Our environment

Our FOI function operates in a more stable and defined environment than our privacy function as the Freedom of Information Act 1982 (FOI Act) is well-established, and operates exclusively within Australian Government agencies and ministers.

As announced by the Australian Government, the decision in the Budget 2014-15 to disband the OAIC and re-distribute FOI functions will not proceed. Therefore, the following FOI functions will be carried out by the OAIC from 1 July 2016:

  • Information Commissioner reviews
  • providing FOI advice including about the Information Publication Scheme, maintaining and developing the FOI guidelines and collating annual reporting of FOI statistics by government agencies
  • FOI complaints handling including Commissioner initiated investigations.

The past two years have been challenging for FOI as a public information right, with some public commentary reflecting perception challenges that information access rights often face across jurisdictions — such as impact on advice and decision making.

Accordingly, we will work with key government agencies in the FOI space to reinforce the value of FOI rights, and will re-engage with communication, education and outreach — both within government agencies and with the Australian community — to promote the value of government-held information as a national public resource.

Our capability

The FOI functions for developing guidance materials under the FOI Act for government agencies and the complaints function moved back to the OAIC on 1 July 2016. Therefore, we are working towards building our capacity, to ensure we have the resources to assist the Australian Government to manage its FOI requirements and handle individuals’ FOI complaints.

In addition to the growth areas mentioned above, we will be expanding on our work and jurisprudence in the Information Commissioner review space.

Our action plan

We will uphold and shape Australian information access rights by undertaking the following activities.

1. Provide a timely and effective Information Commissioner review function

Information Commissioner reviews can be applied for if a person is dissatisfied with the decision of a government agency or minister under the Freedom of Information Act 1982.

Intended outcomes

2016–17:

  • 80% of Information Commissioner reviews are completed within 12 months.
  • Reduction of the number of matters over 12 months old.
  • Increase the number of matters finalised by informal resolution without proceeding to a decision.
  • Build on the existing jurisprudence which shapes the FOI jurisdiction.

2017–18, 2018–19 and 2019–20 (each year):

  • Ensure the timeliness and quality of the Information Commissioner review function.
  • Reduction of the number of matters over 12 months old.
  • Increase the number of matters finalised by informal resolution without proceeding to a decision.
  • Build on the existing jurisprudence which shapes the FOI jurisdiction.

How we measure results

2016–17:

  • Develop methodology for the intended outcomes above.

2017–18, 2018–19 and 2019–20 (each year):

  • Measure against existing methodology.

2. Provide promotion and information to the Australian community on information access rights

Free public information service on any FOI related matter. Our service includes in-person, telephone and email enquiries.

 

Intended outcomes

2016–17
  • 90% of written enquiries are finalised within 10 working days.
  • Raise public awareness about FOI rights and our information service.

2017–18
  • Ensure the timeliness and quality of the public information service.
  • Raise public awareness about our information service.

2018–19
  • Ensure the timeliness and quality of the public information service.
  • Raise public awareness about our information service.

2019–20
  • Ensure the timeliness and quality of the public information service.
  • Raise public awareness about our information service.

How we measure results

  • 2016–17: Develop methodology for the intended outcomes above.
  • 2017–18: Measure against existing methodology.
  • 2018–19: Measure against existing methodology.
  • 2019–20: Measure against existing methodology.

3. Assist government agencies and ministers with FOI advice and maintain guidelines and resources to promote best practices

We offer Australian Government agencies and ministers advice and guidance on complying with the FOI Act.

 

Intended outcomes

2016–17
  • Key resources and guidelines under the FOI Act revised where necessary.
  • Consultations are undertaken with stakeholders where relevant.
  • Engage with government agencies and the public on FOI matters.
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights.

2017–18
  • Resources and guidelines under the FOI Act continue to be reviewed, revised and promoted.
  • Engage with government agencies and the public on FOI matters.
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights.

2018–19
  • Resources and guidelines under the FOI Act continue to be reviewed, revised and promoted.
  • Engage with government agencies and the public on FOI matters.
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights.

2019–20
  • Resources and guidelines under the FOI Act continue to be reviewed, revised and promoted.
  • Engage with government agencies and the public on FOI matters.
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights.

How we measure results

  • 2016–17: Develop methodology for the intended outcomes above.
  • 2017–18: Measure against existing methodology.
  • 2018–19: Measure against existing methodology.
  • 2019–20: Measure against existing methodology.

4. Handle FOI complaints and investigations

We provide a free service for complaints about the handling of FOI matters by a government agency. The Commissioner may also initiate investigations about the FOI actions of government agencies.

 

2016–17

2017–18

2018–19

2019–20

Intended results

80% of FOI complaints finalised within 12 months.

Uphold the effectiveness of FOI processing within government agencies.

Ensure the timeliness and quality of complaint resolutions.

Uphold the effectiveness of FOI processing within government agencies.

Ensure the timeliness and quality of complaint resolutions.

Uphold the effectiveness of FOI processing within government agencies.

Ensure the timeliness and quality of complaint resolutions.

Uphold the effectiveness of FOI processing within government agencies.

Ensure the timeliness and quality of complaint resolutions.

Measurement

Develop methodology for the intended outcomes above.

Measure against existing methodology.

Measure against existing methodology.

Measure against existing methodology.


Challenge three: Develop the personal information management capabilities of Australian businesses and government agencies

Our environment

In recent years the value of strong privacy governance has become well understood within Australian businesses and government agencies. At the same time, the complexity of privacy governance challenges has increased.

These factors in combination have created a rapid demand in both the public and private sector to build and constantly update and improve personal information management capability.

While this challenge has initially been addressed by established private sector and Australian Government training organisations, our unique expertise and capacity as the privacy regulator is increasingly being called upon to directly build, support, or provide this capability under commercial or policy imperatives to utilise personal information more effectively.

As a regulator, our longstanding preference is, wherever possible, to build the capacity within regulated entities to manage privacy well and avoid the need for regulatory action or sanction.

We will respond to the emerging need by working with business, government and educational sectors to assess, as a priority, the best use of our unique skillset and knowledge to increase the privacy governance capability of Australian businesses and government agencies — and test business cases to expand the OAIC’s role in education, training, fee-for-service and advisory spaces, including through exploring partnerships with others.

Our capability

To deliver enhanced personal information management capabilities across Australia, we must invest in our people. The workforce planning necessary to deliver this function will be finalised as we select our approach over forward estimates. Our people are crucial to the success of educating and guiding the public and private sectors.

Our action plan

We will develop the personal information management capabilities of Australian businesses and government agencies by undertaking the following activities.

1. Promote the relationship between strong privacy governance and improved business effectiveness

Promotion of the risk and governance management advantages of proactive privacy approaches in Australian government agencies and businesses.

 

Intended outcome

  • 2016–17: Develop advice, guidance and promotion on the business and government agency advantages of proactive privacy-by-design management approaches.
  • 2017–18: Increased awareness within Australian businesses and government agencies of privacy management as a vital and central risk/governance function for business success.
  • 2018–19: Increased awareness within Australian businesses and government agencies of privacy management as a vital and central risk/governance function for business success.
  • 2019–20: Increased awareness within Australian businesses and government agencies of privacy management as a vital and central risk/governance function for business success.

Measurement

  • 2016–17: Develop methodology for the intended outcome above.
  • 2017–18: Measure against existing methodology.
  • 2018–19: Measure against existing methodology.
  • 2019–20: Measure against existing methodology.

2. Assess education and training capacity and market demand

Explore business case options for educating and training government and the business community.

 

2016–17

2017–18

2018–19

2019–20

Intended outcomes

Assess current gaps and risks in public and private sector knowledge of privacy management.

Develop business case analysis for the OAIC’s engagement and service delivery to address known gaps or opportunities, including on a fee basis.

Determine forward programs for projects.

Promotion and delivery of approved training, education and fee-for-service programs.

Increased uptake of programs over time.

Increased awareness and skill within Australian government agencies and businesses leads to reduced regulator intervention and increased community trust.

Increased awareness and skill within Australian government agencies and businesses leads to reduced regulator intervention and increased community trust.

How we measure results

Australian Information Commissioner sign-off on accepted or rejected business cases by June 2017.

Establish measures to reflect programs approved in 2016/17 year.

Measure against existing methodology.

Measure against existing methodology.


Mapping our performance

Portfolio Budget Statement 2016–17

Purpose

The OAIC’s mission is to promote and uphold information privacy and information access rights through organisational excellence. The OAIC is successful when it:

  • assists entities covered by the Privacy Act 1988 to meet their privacy obligations while encouraging better privacy practice
  • influences government policy makers to consider privacy impacts when drafting legislation and new policy proposals
  • handles FOI regulatory functions under the Freedom of Information Act 1982 in an efficient and timely manner.

Outcome statement

Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.

Program

Program 1.1: Complaint handling, compliance and monitoring, and education and promotion.

Delivery

  • Providing a privacy complaint handling service for the public
  • Promoting awareness and understanding of privacy rights in the community including the production of educational materials and a public information service on privacy-related matters
  • Conducting performance assessments and investigations and handling voluntary and mandatory data breach notifications for entities covered under the Privacy Act 1988
  • Assisting entities covered under the Privacy Act 1988 to improve understanding of privacy compliance
  • When necessary, developing legislative instruments that are in the public interest
  • Managing Information Commissioner reviews and complaints under the Freedom of Information Act 1982

Corporate Plan 2016–17

Purpose

Our purpose is to promote and uphold information privacy and information access rights through organisational excellence. We are successful when we:

  • promote and uphold information privacy rights for individuals
  • assist businesses and government agencies covered by the Privacy Act to meet their privacy obligations while encouraging better privacy practice
  • influence government policy makers to consider privacy and FOI impacts when drafting legislation and new policy proposals
  • undertake regulatory functions under the FOI Act 1982 in an efficient and timely manner
  • assist entities to improve their information management capabilities in relation to privacy and FOI.

Challenge one: Promote, uphold and shape information privacy rights

Activities
  • Handle privacy complaints
  • Conduct privacy assessments
  • Conduct Commissioner initiated investigations and handle voluntary and mandatory data breach notifications
  • Provide a public information service
  • Assist entities to improve their understanding of privacy compliance and promote privacy best practice
  • Promote awareness and understanding of privacy rights in the community
  • Develop legislative instruments.

Challenge two: Promote and uphold Australian information access rights

Activities
  • Provide a timely and effective Information Commissioner review function
  • Provide promotion and information to the Australian community on information access rights
  • Assist government agencies and ministers with FOI advice and maintain guidelines and resources to promote best practice
  • Handle FOI complaints and investigations

Challenge three: Develop the personal information management capabilities of Australian businesses and government agencies

Activities
  • Promote the relationship between strong privacy governance and improved business effectiveness
  • Assess education and training capacity and market demand.


Footnotes

[1] The Privacy Act 1988 applies to Australian Government agencies and to businesses that fall within the scope of the Act. The Freedom of Information Act 1982 applies to Australian Government agencies and ministers.

[2] Australian Government and Norfolk Island agencies covered by the Privacy Act.

[3] Prime Minister Turnbull, letter to OPG co-chairs, 24 November 2015.

[4] Please refer to the ‘Mapping our performance’ section of this plan for the relationship between our Corporate Plan and the 2016–17 Portfolio Budget Statements.
