Australian Government - Office of the Australian Information Commissioner

Corporate Plan 2017–18

On this page

  1. Preliminary page
    1. Creative Commons
    2. Contact
    3. Non-English speakers
    4. Accessible formats
    5. Design
  2. Introduction
  3. In 2017–18 our key deliverables are:
    1. Promote and uphold privacy rights
    2. Promote and uphold information access rights
  4. We are successful when we:
  5. Commissioner’s message
  6. Accountability and reporting
  7. Changes to the plan
  8. Purpose
    1. Key success factors
  9. Performance
  10. Promote and uphold privacy rights
    1. Our environment
    2. Activity 1.1: Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice
    3. Activity 1.2: Manage data breach notifications
    4. Activity 1.3: Conduct Commissioner-initiated investigations
    5. Activity 1.4: Resolve privacy complaints
    6. Activity 1.5: Conduct privacy assessments
    7. Activity 1.6: Provide a privacy public information service
    8. Activity 1.7: Promote awareness and understanding of privacy rights in the community
    9. Activity 1.8: Develop legislative instruments
  11. Promote and uphold information access rights
    1. Our environment
    2. Activity 2.1: Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice
    3. Activity 2.2: Conduct Information Commissioner reviews
    4. Activity 2.3: Investigate FOI complaints and conduct Commissioner-initiated investigations
    5. Activity 2.4: Provide a FOI public information service
    6. Activity 2.5: Promote awareness and understanding of information access rights in the community
  12. Organisation capability
    1. Functions and staffing
    2. Networks
  13. Risk oversight and management

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as: Office of the Australian Information Commissioner, Corporate Plan 2017–2018.

Contact

Mail:

Director, Strategic Communications and Coordination
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001

Email:

enquiries@oaic.gov.au

Website:

www.oaic.gov.au

Twitter:

@OAICgov

Phone:

1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Design

Swell Design Group

Introduction

I, Timothy Pilgrim, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2017–18, for the 2017–18 to 2020–21 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act).

We are at the forefront of guidance and enforcement of Australia’s privacy and freedom of information laws, shaping how emerging technologies and data practices impact the lives of every Australian.

In 2017–18 our key deliverables are:

Promote and uphold privacy rights

  • Develop and implement the Australian Public Service Privacy Governance Code and supporting training and resources
  • Prepare for the implementation of the Notifiable Data Breaches scheme in February 2018
  • Host the Asia Pacific Privacy Authorities meeting and Data + Privacy Asia Pacific national conference
  • Trial an early resolution process to assist with more efficient processing of privacy complaints
  • Conduct targeted privacy assessments in areas such as national security, identity management, digital health and the enhanced welfare payment integrity data matching program
  • Celebrate the 30th anniversary of the commencement of the Privacy Act 1988
  • Review the Privacy (Credit Reporting) Code 2014

Promote and uphold information access rights

  • Update tools and guidance for Australian Government agencies to assist them to review their compliance with the FOI Act
  • Develop and publish an FOI regulatory action policy that outlines how we undertake IC reviews, FOI complaints and Commissioner-initiated investigations
  • Conduct a campaign for Right to Know Day 2017

We are successful when we:

  • Assist businesses and Australian Government agencies to understand their privacy obligations and respect and protect the personal information that they handle.
  • Efficiently and effectively take action against suspected interferences with privacy to improve compliance with the Privacy Act 1988.
  • Assist the community to understand and feel confident to exercise their privacy and information access rights.
  • Assist Australian Government agencies to understand their FOI obligations and respect and promote access to government information.
  • Efficiently and effectively carry out our regulatory functions under the Freedom of Information Act 1982.

Commissioner’s message

Next year will mark 30 years since the Privacy Act 1988 (Privacy Act) was passed.

In 1988, personal data or information was largely collected and stored on paper. Today the landscape in which our personal information is used is radically different.

We are operating in an unprecedented period of data innovation – with new products and services transforming lives and ways of doing business.

The value of data to business and the broader Australian community continues to grow – offering greater insights into community and consumer needs – and understandably we want to take advantage of the opportunities that new technologies offer.

Nearly all of these opportunities are dependent on the use of personal information and, while technology has changed the way Australian society operates, the fundamental principle of the protection of individual privacy remains as important as ever.

Another principle that has only strengthened in the data age is the principle that citizens should be able to access and understand how government-held information is informing government decision making.

The OAIC plays a unique role in promoting and protecting both the above principles of open democratic government in the information age.

These are:

  • the right of individuals to access government-held information and understand how it is used for public purposes
  • the right of individuals to exercise choice and control over their personal information.

At the OAIC we work to manage two rights that are of vital importance, and to manage them in the context of the information age. Our task is to protect the two primary methods Australians have to understand how their information is used.

As we look towards 2021, the OAIC will continue to work with Australian Government agencies and businesses to realise Australia’s economic and social potential from the ever-increasing data-driven economy, and support Australians’ right to privacy, information access and transparency of government decision making.

Above all, the OAIC will continue to provide expert support and guidance to Australian businesses and agencies to help meet their responsibilities to these two principles.

We are assisting businesses and agencies transitioning to the Notifiable Data Breaches (NDB) scheme and working with organisations that will need to comply with the new European Union General Data Protection Regulation (GDPR) requirements.

In the Government sector, our development of an Australian Public Service (APS) Privacy Governance Code scheduled for implementation in 2018 is a key priority. With unparalleled data holdings and methods of data acquisition, the APS should be – and be seen to be – the national leader in personal information protection.

With this aim in mind, the code and its supporting resources will enhance the capability of Commonwealth agencies to deliver data innovation that integrates personal data protection.

Australia is well placed to make a valuable contribution to a global open government movement – the Open Government Partnership (OGP). Australia’s first National OGP Action Plan sets out an agenda for the next two years to promote transparency, empower individuals, fight corruption, and harness new technologies to strengthen governance. It also includes assessing the effectiveness of Australia’s right to information laws across jurisdictions, and raising awareness about the public’s rights to access government information.

In summary, this Corporate Plan outlines the proactive and strategic approach to fulfilling our role as regulator and protector of these two important rights.

I am proud to present a robust outward-looking Corporate Plan that outlines how our work will continue to provide value, impact and influence to the Australian businesses, government agencies and communities we serve, and the measures we will hold ourselves accountable to.

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

31 August 2017

Accountability and reporting

To streamline our reporting requirements, many of the measures listed in this Corporate Plan satisfy the reporting requirements under both the Public Governance, Performance and Accountability Act 2013 and the Commonwealth Regulator Performance Framework (RPF).

The Commonwealth Regulator Performance Framework encourages regulators to undertake their functions with the minimum impact necessary to achieve regulatory objectives and to effect positive ongoing and lasting cultural change within regulators.

The framework consists of six outcomes-based key performance indicators, which can be summarised as:

  1. reducing regulatory burden
  2. effective communications
  3. risk-based and proportionate approaches
  4. efficient and coordinated regulatory action
  5. transparency
  6. continuous improvement.

These indicators have been incorporated into our performance information.

Changes to the plan

In 2016–17, the OAIC enhanced our reporting framework to:

  • provide greater clarity about the work of the OAIC and how we measure success
  • ensure that we align our reporting under the Public Governance, Performance and Accountability Act 2013 and the Commonwealth Regulator Performance Framework (RPF).

We have made a number of changes to the structure and content of this Corporate Plan, including:

  • amending our purpose
  • articulating our key success factors
  • organising our activities into two ‘priority areas’, which align with our function areas under the Australian Information Commissioner Act 2010
  • providing more granular information about our delivery strategies for each activity
  • revising many of our performance measures to ensure that they closely link to our purpose and key success factors, and to streamline performance reporting. These changes are highlighted throughout the document.

Purpose

Our purpose is to promote and uphold privacy and information access rights.

Key success factors

We are successful when we:

1. Assist businesses and Australian Government agencies to understand their privacy obligations and respect and protect the personal information that they handle.

Primary activities:

  • Develop the privacy management capabilities of Australian Government agencies and businesses, and promote privacy best practice
  • Manage data breach notifications
  • Conduct privacy assessments
  • Develop legislative instruments.

2. Efficiently and effectively take action against suspected interferences with privacy to improve compliance with the Privacy Act 1988.

Primary activities:

  • Conduct Commissioner-initiated investigations
  • Manage privacy complaints.

3. Assist the community to understand and feel confident to exercise their privacy and information access rights.

Primary activities:

  • Provide a public information service
  • Promote awareness and understanding of privacy rights in the community
  • Provide an FOI public information service
  • Promote awareness and understanding of information access rights in the community.

4. Assist Australian Government agencies to understand their freedom of information obligations and respect and promote access to government information.

Primary activity:

  • Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice.

5. Efficiently and effectively carry out our regulatory functions under the Freedom of Information Act 1982.

Primary activities:

  • Conduct Information Commissioner reviews
  • Investigate FOI complaints and conduct Commissioner-initiated investigations.

Performance

The activities that we undertake to meet our purpose have been mapped to the key success factors on page 7. These activities are grouped into two priority areas.

  • Promote and uphold privacy rights
  • Promote and uphold information access rights

Promote and uphold privacy rights

We will promote and uphold Australian information privacy rights by undertaking the following activities:

1.1 Develop the privacy management capabilities of businesses and Australian Government agencies, and promote privacy best practice

1.2 Handle data breach notifications

1.3 Conduct Commissioner-initiated investigations

1.4 Handle privacy complaints

1.5 Conduct privacy assessments

1.6 Provide a privacy public information service

1.7 Promote awareness and understanding of privacy rights in the community

1.8 Develop legislative instruments.

Our environment

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled by businesses and government agencies. While not the only dimension of privacy, personal information is a key aspect of our personal identities, and Australian law protects it accordingly.

Since the Privacy Act was introduced three decades ago, a great deal has changed in the way new technologies are being integrated into data handling practices and management. The Australian economy is more data-driven than ever.

Large and small companies are harnessing the power of ‘big data’ to discover even more detail about customer habits and trends. Ever more devices are becoming connected and wearables will continue to evolve in their intelligence and capabilities, through artificial intelligence and biometric technologies.

The expansion of the collection and use of personal information in both the public and private sectors continues to present challenges to Australians’ privacy, and we will actively engage in the conversation about how to meet them.

This conversation about privacy and its relationship to the evolution of technologies needs to happen urgently, as these technologies continue to rapidly take hold in everyday transactions.

We are working with government agencies, political and community leaders, researchers and academics, businesses and the public in ensuring that as Australia continues to embrace new ideas, good privacy management and great innovation remain synonymous.

Members of the Australian community are increasingly exercising their privacy rights. The number of privacy complaints made to the OAIC each year has increased by almost 150 per cent over the last decade.

Meeting community expectations of privacy requires understanding them first – and our 2017 Australian Community Attitudes to Privacy Survey (ACAPS) has provided valuable insights. While Australians remain early adopters of new technologies (most of which are reliant on personal information), they perceive greater risks in interacting with businesses online.

Another significant finding was that while privacy is attracting concern from Australian consumers and communities, many of us are not converting that concern into using basic privacy protections that are already available.

While many of the privacy breaches that the OAIC deals with are offline and low-tech, the survey showed that 83 per cent of Australians think that online environments are inherently more risky than offline. Clearly this reflects a real perception of risk to be addressed by businesses, agencies and regulators alike.

Notifiable Data Breaches scheme

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.

From 22 February 2018, businesses and agencies with existing obligations under the Privacy Act will be required to notify the individuals whose personal information is involved in a data breach which, as described in the legislation, is ‘likely to result in serious harm’. There is also a requirement to notify the OAIC.

The NDB scheme will strengthen the protections afforded to Australians’ personal information, and will improve transparency in the way that organisations respond to serious data breaches. This in turn supports consumer and community confidence that personal information is being respected and protected. It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

The OAIC is recommending that all organisations review their practices, procedures and systems for securing personal information in preparation for the scheme and we are developing additional resources to assist businesses and agencies. These resources act as a guide to best practice, including on how to handle personal information security breaches, and how to develop a data breach response plan.

Government

Australian Public Service Privacy Governance Code

The OAIC will develop a new Australian Public Service (APS) Privacy Governance Code, in collaboration with the Department of the Prime Minister and Cabinet (PM&C). The Code will apply to all Australian Government agencies subject to the Privacy Act, and will play a key role in building public trust in the APS, support the Australian Government’s public data agenda and enhance privacy governance and capability.

We look forward to working with the APS and data stakeholders on the implementation of the Code which will take effect in 2018.

The OAIC will provide resources to support transition to the Code, and will monitor the success of implementation and its effect on building privacy management capability.

Productivity Commission – Data Availability and Use

Innovation is at the heart of a strong economy and we welcome the Government’s commitment to ensuring that Australia is positioned to benefit from the greater use of data.

As the regulator of the Privacy Act 1988 and Freedom of Information Act 1982, the OAIC is supportive of proposals that seek to advance both data use, and the protection of privacy rights.

The Productivity Commission recently recommended an overhaul of Australia’s data policy framework. Its Data Availability and Use report looked into potential means of making public and private sector data more readily available for use, while at the same time increasing consumers’ control over their data.

The OAIC agrees with the principle of the Productivity Commission’s recommendation for a comprehensive right for consumers, and has provided submissions as to the most effective regulatory frameworks to achieve this.

Pending the Government’s response to the Commission’s recommendations, we stand ready to assist in the implementation of any additional privacy or data protection rights.

International

The global flow of data now means that strong and efficient data protection regulation has to be viewed from a global perspective.

From 25 May 2018 Australian organisations of any size may need to comply with the European Union’s General Data Protection Regulation (GDPR) requirements, if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.

The GDPR includes many requirements similar to those in the Privacy Act 1988, and additional measures that aim to foster transparent information handling practices and business accountability around data handling.

The OAIC has published guidance materials for Australian businesses on how to best interact with the GDPR framework.

We also participate in a number of international forums with members meeting to discuss enforcement priorities to drive a global approach to privacy regulation.

  • The Asia Pacific Privacy Authorities (APPA) is the principal forum for privacy and data protection authorities in the Asia Pacific region to form partnerships, exchange ideas about privacy regulation and new technologies, and support the global management of privacy data breaches in the Asia Pacific region.
  • The International Conference of Data Protection and Privacy Commissioners provides leadership at an international level in data protection and privacy.
  • The International Conference of Information Commissioners is an opportunity for commissioners, practitioners and advocates to exchange ideas for the advancement of access to information.

Activity 1.1: Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

The OAIC provides guidance and support to develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice.

The OAIC will have achieved its purpose if the guidance and support that we have provided has assisted businesses and Australian Government agencies to understand their privacy obligations and encouraged them to respect and protect the personal information that they handle.

Delivery strategy

In 2017–18 we will:

  • Develop and implement an Australian Public Service (APS) Privacy Governance Code
  • Develop a maturity model to assist agencies to self-assess their privacy compliance under the APS Privacy Code
  • Consult with Australian Government agencies on additional support required to implement the APS Privacy Code
  • Host the Asia Pacific Privacy Authorities meeting and the Data + Privacy Asia Pacific national conference, targeted at professionals across the public and private sector
  • Develop a toolkit, community of practice and training program for privacy officers in Australian Government agencies
  • Work with agencies, particularly the Department of the Prime Minister and Cabinet, to ensure that the Australian Government’s Public Data Policy Statement is implemented in a way that upholds the highest standards of privacy for individuals.

Over the next four years we will:

  • Monitor the success of the APS Privacy Governance Code implementation and its effect on building privacy management capability
  • Continue to expand the OAIC’s Privacy Professionals’ Network (PPN) and hold regular stakeholder meetings of the PPN and the Consumer Privacy Network
  • Continue to identify, develop and promote key privacy resources to build privacy management capability in Australian Government agencies and businesses
  • Continue to monitor proposed enactments and government programs for privacy impacts
  • Continue to provide advice and guidance to Australian Government agencies and businesses on emerging privacy issues.

Performance

We will demonstrate our performance through the following measures:

Activity 1.1: Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

| No. | Measure[1] | 2017–18 | 2018–19 | 2019–20 | 2020–21 | RPF measure | RPF KPI |
|---|---|---|---|---|---|---|---|
| 1.1.1 | The OAIC applies a risk-based, proportionate approach to facilitate compliance with privacy obligations and promote privacy best practice | Yes | Yes | Yes | Yes | Yes | 3 |
| 1.1.2 | Guidance and educational materials are amended to incorporate learnings from regulatory activities such as assessments and investigations | Yes | Yes | Yes | Yes | Yes | 1, 2 |
| 1.1.3 | Regular dialogue and consultation with businesses and Australian Government agencies is undertaken | Yes | Yes | Yes | Yes | Yes | 1, 2, 6 |
| 1.1.4 | The number of participating partners for Privacy Awareness Week is increased | Yes | Yes | Yes | Yes | Yes | 6 |

[1] Activity 1.1 is a new activity in the 2017–18 Corporate Plan. The delivery strategies listed under this activity incorporate the performance outcomes from Challenge 1, Activity 5 of the 2016–17 Corporate Plan. New performance measures have been developed for Activity 1.1, as outlined in the table above.

Activity 1.2: Manage data breach notifications

The OAIC manages data breach notifications from businesses and Australian Government agencies.

The OAIC will have achieved its purpose if our response to data breach notifications has assisted businesses and Australian Government agencies to understand their privacy obligations and encouraged them to respect and protect the personal information that they handle.

Delivery strategy

In 2017–18 we will:

  • Prepare for the implementation of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Notifiable Data Breaches scheme) on 22 February 2018
  • Continue to administer the legislated My Health Records data breach notification scheme
  • Develop guidance and support tools for businesses and Australian Government agencies in relation to the Notifiable Data Breaches scheme and the My Health Records data breach notification scheme
  • Provide information to the community about the commencement and operation of the Notifiable Data Breaches scheme
  • Revise the OAIC’s Data Breach Notification — a guide to handling personal information security breaches.

Over the next four years we will:

  • Continue to provide assistance and advice to businesses and Australian Government agencies when they notify the OAIC about data breaches
  • Conduct activities to ensure compliance under the Notifiable Data Breaches scheme
  • Conduct activities to promote best practice in data breach management, including voluntary notification of data breaches
  • Review the OAIC’s systems and processes for handling data breach notifications.

Performance

We will demonstrate our performance through the following measures:

Activity 1.2: Manage data breach notifications

| No. | Measure[2] | 2017–18 | 2018–19 | 2019–20 | 2020–21 | RPF measure | RPF KPI |
|---|---|---|---|---|---|---|---|
| 1.2.1 | 80% of data breach notifications finalised within 60 days | Yes | Yes | Yes | Yes | Yes | 2 |
| 1.2.2 | 80% of My Health Records data breach notifications finalised within 60 days | Yes | Yes | Yes | Yes | Yes | 2 |
| 1.2.3 | Guidance and support tools for the Notifiable Data Breach scheme are published | Yes | | | | Yes | 2, 5 |
| 1.2.4 | Statistics on data breach notifications are published to inform the community about the operation of the data breach notification scheme | Yes | Yes | Yes | Yes | No | N/A |

[2] The OAIC’s 2016–17 Corporate Plan contained one outcome in relation to data breach notifications that we will no longer report against: ‘Increase awareness about the voluntary data breach notification scheme with the OAIC.’

From February 2018, the voluntary data breach notification scheme will be replaced by the mandatory Notifiable Data Breach scheme. From 2017 onwards, the OAIC will be supporting businesses and Australian Government agencies to comply with this scheme, and does not consider it necessary to continue to increase awareness of the voluntary scheme at this time.

The 2016–17 performance outcome regarding incorporating key learnings into guidance and educational materials has been incorporated into the table of measures under Activity 1.

Activity 1.3: Conduct Commissioner-initiated investigations

The Australian Information Commissioner has the power to investigate an incident that may be an interference with privacy, without first receiving a complaint from an individual. These investigations are known as Commissioner-initiated investigations (CIIs).

The OAIC will have achieved its purpose if the action we have taken against suspected interferences with privacy has improved compliance with the Privacy Act 1988, and assisted businesses and Australian Government agencies to understand their privacy obligations.

Delivery strategy

In 2017–18 we will:

  • Undertake CIIs in line with our Regulatory action policy, using a proportionate and risk-based approach to identify CII targets.

Over the next four years we will:

  • Continue to conduct CIIs that improve the personal information handling practices of the entities that are investigated.

Performance

We will demonstrate our performance through the following measures:

Activity 1.3: Conduct Commissioner-initiated investigations

| No. | Measure[3] | 2017–18 | 2018–19 | 2019–20 | 2020–21 | RPF measure | RPF KPI |
|---|---|---|---|---|---|---|---|
| 1.3.1 | 80% of CIIs finalised within 8 months | Yes | Yes | Yes | Yes | Yes | 2 |
| 1.3.2 | CIIs result in improvements in the privacy practices of investigated entities | Yes | Yes | Yes | Yes | No | N/A |
| 1.3.3 | CII outcomes and lessons learnt are publicly communicated | Yes | Yes | Yes | Yes | Yes | 1, 2 |

[3] Measure 1.3.2 rephrases the 2016–17 performance outcome ‘Entities change practices and implement recommendations from enforceable undertakings and determinations.’ The OAIC considers that the new wording will enable us to report a broader range of activities than the previous measure.

The 2016–17 performance outcome regarding incorporating key learnings into guidance and educational materials has been incorporated into the table of measures under Activity 1.

Activity 1.4: Resolve privacy complaints

The OAIC administers a free service for individuals to make a privacy complaint about a business or Australian Government agency covered by the Privacy Act 1988.

The OAIC will have achieved its purpose if we have efficiently and effectively resolved privacy complaints received.

Delivery strategy

In 2017–18 we will:

  • Trial an early resolution process to assist more efficient processing of privacy complaints.

Over the next four years we will:

  • Continue to resolve privacy complaints in line with our service standards
  • Review and improve our complaint handling processes to reduce the wait times and improve efficiency
  • Undertake activities to assess the efficiency and effectiveness of our complaint handling service.

Performance

We will demonstrate our performance through the following measures:

Activity 1.4: Manage privacy complaints

| No. | Measure[4] | 2017–18 | 2018–19 | 2019–20 | 2020–21 | RPF measure | RPF KPI |
|---|---|---|---|---|---|---|---|
| 1.4.1 | 80% of privacy complaints finalised within 12 months | Yes | Yes | Yes | Yes | Yes | 2 |
| 1.4.2 | Complaint handling service is promoted to the community | Yes | Yes | Yes | Yes | No | N/A |

[4] Measure 1.4.2 provides more specificity to the 2016–17 performance outcome ‘Raise awareness about our complaints handling function.’

The OAIC’s 2016–17 Corporate Plan contained one outcome in relation to handling privacy complaints that we will no longer report against: ‘Resolve the majority of complaints by conciliation with both parties.’

Activity 1.5: Conduct privacy assessments

The Australian Information Commissioner has the power to conduct an assessment of any business or Australian Government agency covered by the Privacy Act 1988.

The OAIC will have achieved its purpose if its assessments have assisted businesses and Australian Government agencies to understand their privacy obligations and encouraged them to respect and protect the personal information that they handle.

Delivery strategy

In 2017–18 we will:

  • Conduct assessments of Australian Government agencies in accordance with our commitments under Memorandums of Understanding
  • Conduct targeted assessments in the following areas: national security, identity management, the data retention scheme, digital health and the enhanced welfare payment integrity data matching program.

Over the next four years we will:

  • Continue to provide a professional, independent and systemic risk assessment of compliance with the Privacy Act by businesses and Australian Government agencies.

Performance

We will demonstrate our performance through the following measures:

Activity 1.5: Conduct privacy assessments

No. | Measure[5] | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
1.5.1 | Assessments are completed in accordance with the schedule developed in consultation with the assessment target | Yes | Yes | Yes | Yes | Yes | 1,2
1.5.2 | Monitoring and compliance approaches are coordinated with the business and operational needs of the assessment targets | Yes | Yes | Yes | Yes | Yes | 1,2,4
1.5.3 | High proportion of recommendations accepted by assessment targets | Yes | Yes | Yes | Yes | Yes | 1,2,3,4
1.5.4 | Key assessment outcomes and lessons learnt are publicly communicated where appropriate | Yes | Yes | Yes | Yes | Yes | 5

[5] Measure 1.5.1 replaces the 2016–17 performance outcome ‘The median for the completion of assessments is within six months’. In the current environment, the OAIC considers that this measure will more appropriately take account of the business needs of different entities and sectors that it assesses.

Measure 1.5.2 replaces the 2016–17 performance outcome ‘Provide a professional, independent and systematic appraisal of how well government agencies and businesses comply with the Privacy Act’. The 2016–17 outcome has been included as a delivery strategy under this activity.

Measure 1.5.3 replaces the 2016–17 performance outcome ‘Entities change practices to ensure compliance with the Privacy Act’. The OAIC considers that this new outcome will assist to demonstrate the changes in personal information handling practices that result from the OAIC’s assessments.

The 2016–17 performance outcome regarding incorporating key learnings into guidance and educational materials has been incorporated into the table of measures under Activity 1.

Activity 1.6: Provide a privacy public information service

The OAIC offers a free public information service on any privacy related matter. Our service is mainly delivered through telephone and written enquiries.

The OAIC will have achieved its purpose if our public information service has helped the community to understand and feel confident to exercise their privacy rights, and assists businesses and Australian Government agencies to understand their privacy obligations and respect and protect the personal information that they handle.

Delivery strategy

In 2017–18 we will:

  • Review our Service Charter to ensure it reflects our commitment to the timeliness and quality of our public information service.

Over the next four years we will:

  • Continue to raise awareness about our public information service
  • Review and enhance our communications channels to maximise the accessibility of our public information services.

Performance

We will demonstrate our performance through the following measures:

Activity 1.6: Provide a privacy public information service

No. | Measure | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
1.6.1 | 90% of written enquiries are finalised within 10 working days | Yes | Yes | Yes | Yes | Yes | 2
1.6.2 | New community, legal and other networks are identified for targeted promotion of the public information service | Yes | Yes | Yes | Yes | No | N/A

Activity 1.7: Promote awareness and understanding of privacy rights in the community

The OAIC undertakes awareness raising activities to ensure that the community is well informed of issues that impact their privacy rights.

The OAIC will have achieved its purpose if its awareness raising activities have helped the community to understand and feel confident to exercise their privacy rights.

Delivery strategy

In 2017–18 we will:

  • Conduct communication campaigns to target groups such as seniors, students and parents and carers
  • Continue to hold public events across Australia
  • Celebrate Privacy Awareness Week 2018
  • Celebrate the 30th anniversary of the commencement of the Privacy Act 1988
  • Deliver a new OAIC website with revised content for individuals.

Over the next four years we will:

  • Continue to engage with community groups and representatives, including through our Consumer Privacy Network
  • Consider partnerships with specific community interest groups to further promote awareness of privacy rights
  • Continue to conduct the Australian Community Attitudes to Privacy Survey
  • Ensure that our communication products consider the needs of culturally and linguistically diverse groups.

Performance

We will demonstrate our performance through the following measures:

Activity 1.7: Promote awareness and understanding of privacy rights in the community

No. | Measure[6] | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
1.7.1 | Increase in media and social media mentions about privacy rights | Yes | Yes | Yes | Yes | No | N/A
1.7.2 | Awareness and understanding about privacy rights and the role of the OAIC is improved | Yes | Yes | Yes | Yes | No | N/A
1.7.3 | Increase in attendance numbers and positive feedback from public facing events | Yes | Yes | Yes | Yes | No | N/A
1.7.4 | The OAIC’s website is accessible for individuals and contains targeted content about privacy rights | Yes | Yes | Yes | Yes | No | N/A

[6] Measure 1.7.3 replaces the 2016–17 performance outcome ‘Privacy Awareness Week campaign is held, with an increase in wider community engagement’. The OAIC considers that the new wording will enable us to report a broader range of activities than the previous outcome.

The 2016–17 performance outcome ‘Privacy Awareness Week campaign is held, with an increase in the number of participating private and public sector entities’ has been included as a measure under Activity 1.

The 2016–17 performance outcome ‘Understand and respond to the needs of culturally and linguistically diverse (CALD) communities so we can assist and educate all Australians about their privacy rights’ has been included as a delivery strategy under this activity.

Activity 1.8: Develop legislative instruments

The Australian Information Commissioner has powers under the Privacy Act 1988 and other legislation to make or approve legally binding guidelines and rules.

The OAIC will have achieved its purpose if the legislative instruments that we have developed have assisted businesses and Australian Government agencies to understand their privacy obligations and encouraged them to respect and protect the personal information that they handle.

Delivery strategy

In 2017–18 we will:

  • Register the Australian Public Service (APS) Privacy Governance Code
  • Review the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs under s 135AA of the National Health Act 1953
  • Review the Privacy (Credit Reporting) Code 2014.

Over the next four years we will:

  • Continue to consider and respond to applications for Public Interest Determinations and Australian Privacy Principles codes
  • Continue to ensure that existing legislative instruments are appropriate and up-to-date.

Performance

We will demonstrate our performance through the following measures:

Activity 1.8: Develop legislative instruments

No. | Measure | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
1.8.1 | Applications for Public Interest Determinations and Australian Privacy Principles codes are considered and responded to in a timely manner | Yes | Yes | Yes | Yes | Yes | 1,6
1.8.2 | Legislative instruments are reviewed when necessary | Yes | Yes | Yes | Yes | No | N/A

Promote and uphold information access rights

We will promote and uphold information access rights by undertaking the following activities:

2.1 Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

2.2 Conduct Information Commissioner reviews

2.3 Investigate FOI complaints and conduct Commissioner-initiated investigations

2.4 Provide an FOI public information service

2.5 Promote awareness and understanding of information access rights in the community.

Our environment

The Freedom of Information Act 1982 (the FOI Act) expressly recognises that information held by government is a national resource and is to be managed for public purposes, and that public access to information is to be provided promptly and at the lowest reasonable cost.

Improved access to information promotes government transparency and accountability through increased scrutiny, discussion and public participation in government decision making.

Following the transfer back to the OAIC of FOI complaints and guidance functions from July 2016, significant effort has gone into ensuring the OAIC is positioned to assist the Australian Government to manage its FOI requirements and to handle individuals’ FOI complaints.

Providing advice and guidance to develop the FOI capabilities of public authorities and promote FOI best practice remains a primary activity. Engaging with stakeholders to assist them in their compliance is a focus. This will include the development of an FOI regulatory action policy.

The OAIC continues to review decisions made under the FOI Act and respond to requests that the Australian Information Commissioner (Information Commissioner) review a specific decision made. Of note, the number of Information Commissioner (IC) reviews received by the OAIC has significantly increased. To meet this demand, the OAIC continues to review its internal processes to improve response and turnaround times for these IC review matters, including the development of a practice direction to further consolidate the process to be followed in the production of documents in IC review matters.

The goal of the international Open Government Partnership (OGP) – of which Australia is a member – is that governments will ‘become sustainably more transparent, more accountable and more responsive to their own citizens, with the ultimate goal of improving the quality of governance, as well as the quality of services that citizens receive’.

Australia’s National OGP Action Plan sets out an agenda for the next two years across a broad range of important areas including transparency and accountability in business; open data and digital transformation; access to government information; integrity in the public sector; and public participation and engagement.

The OGP agenda is consistent with Australia’s open data agenda, of which FOI is an integral part.

Activity 2.1: Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

The OAIC provides advice and guidance to develop the FOI capabilities of Australian Government agencies and ministers and promote FOI best practice.

The OAIC will have achieved its purpose if the advice and guidance that it has provided to Australian Government agencies has assisted them to understand their freedom of information obligations and encouraged them to respect and promote access to government information.

Delivery strategy

In 2017–18 we will:

  • Review and update the Guidelines issued under s 93A of the Freedom of Information Act 1982 that agencies and ministers must have regard to when performing a function or exercising a power under the FOI Act
  • Review and update resources to assist agencies and ministers apply the FOI Act
  • Update tools and guidance for Australian Government agencies to assist them to review their compliance with the Information Publication Scheme (IPS)
  • Provide information through the Information Contact Officer Network (ICON) on the OAIC’s Information Commissioner review process.

Over the next four years we will:

  • Continue to revise key FOI resources and guidelines when necessary
  • Continue to engage with stakeholders, including through ICON
  • Continue to engage with Australian Government agencies and ministers on FOI matters.

Performance

We will demonstrate our performance through the following measures:

Activity 2.1: Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

No. | Measure[7] | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
2.1.1 | Tools and guidance are updated to assist Australian Government agencies to comply with the IPS | Yes | | | | Yes | 1,2
2.1.2 | Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act | Yes | | | | Yes | 1,2
2.1.3 | The majority of OAIC’s stakeholders receiving information are satisfied with the content and delivery | Yes | Yes | Yes | Yes | No | N/A

[7] Activity 2.1 is a new activity in the 2017–18 Corporate Plan. The delivery strategies listed under this activity incorporate the majority of the performance outcomes from Challenge 2, Activity 3 of the 2016–17 Corporate Plan. New performance measures have been developed for Activity 2.1, as outlined in the table above.

The 2016–17 performance outcome ‘Understand and respond to the needs of culturally and linguistically diverse (CALD) communities so we can assist and educate all Australians about their FOI rights’ has been included as a delivery strategy under Activity 2.5.

Activity 2.2: Conduct Information Commissioner reviews

If an individual is unhappy with the decision of an Australian Government agency or minister under the Freedom of Information Act 1982 (FOI Act), they can request the Australian Information Commissioner to review the decision. This is called an Information Commissioner review (IC review).

The OAIC will have achieved its purpose if it has undertaken its IC review function efficiently and effectively.

Delivery strategy

In 2017–18 we will:

  • Develop and publish an FOI regulatory action policy that outlines our approach to using our IC review powers.

Over the next four years we will:

  • Continue to publish decisions issued under s 55K of the FOI Act
  • Continue to ensure the timeliness and quality of the IC review function
  • Continue to build on existing jurisprudence that shapes the FOI jurisdiction.

Performance

We will demonstrate our performance through the following measures:

Activity 2.2: Conduct IC reviews

No. | Measure[8] | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
2.2.1 | 80% of IC reviews are completed within 12 months | Yes | Yes | Yes | Yes | Yes | 1,3,4

[8] Measure 2.2.2 rephrases the 2016–17 performance outcome ‘Reduction of the number of matters over 12 months old.’ The OAIC considers that the new measure represents the OAIC’s new aims regarding the reduction of the number of matters on hand.

The 2016–17 performance outcome ‘Build on the existing jurisprudence which shapes the FOI jurisdiction’ has been included as a delivery strategy under this activity.

The OAIC’s 2016–17 Corporate Plan contained one outcome in relation to IC reviews that we will no longer report against: ‘Increase the number of matters finalised by information resolution without proceeding to a decision.’

The OAIC considers that increasing this number is not sustainable on an ongoing basis, as it is important to make formal decisions in relation to IC reviews.

Activity 2.3: Investigate FOI complaints and conduct Commissioner-initiated investigations

The OAIC provides a free service for individuals to make a complaint about how an Australian Government agency has handled their FOI matter.

The Australian Information Commissioner may also initiate investigations about the FOI actions of Australian Government agencies. These are known as Commissioner-initiated investigations.

The OAIC will have achieved its purpose if it has efficiently and effectively resolved FOI complaints and Commissioner-initiated investigations.

Delivery strategy

In 2017–18 we will:

  • Develop and publish an FOI regulatory action policy that outlines our approach to using our FOI complaint and Commissioner-initiated investigation powers.

Over the next four years we will:

  • Continue to monitor and address the effectiveness of FOI processing within agencies
  • Continue to ensure the timeliness and quality of complaint resolutions.

Performance

We will demonstrate our performance through the following measures:

Activity 2.3: Manage FOI complaints and investigations

No. | Measure[9] | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
2.3.1 | 80% of FOI complaints finalised within 12 months | Yes | Yes | Yes | Yes | Yes | 1,3,4
2.3.2 | 80% of FOI Commissioner-initiated investigations finalised within 8 months | Yes | Yes | Yes | Yes | Yes | 1,3,4

[9] The following 2016–17 performance outcomes have been incorporated into the delivery strategies under this activity:

  • Uphold the effectiveness of FOI processing within agencies
  • Ensure the timeliness and quality of complaint resolutions.

Activity 2.4: Provide a FOI public information service

The OAIC provides a free public information service on FOI related matters. Our service is mainly delivered through telephone and written enquiries.

The OAIC will have achieved its purpose if its public information service has helped the community to understand their information access rights and assisted Australian Government agencies to understand their FOI obligations and respect and promote access to government information.

Delivery strategy

In 2017–18 we will:

  • Review our Service Charter to ensure it reflects our commitment to the timeliness and quality of our public information service.

Over the next four years we will:

  • Continue to raise awareness about our public information service
  • Review and enhance our communications channels to maximise the accessibility of our services.

Performance

We will demonstrate our performance through the following measures:

Activity 2.4: Provide a FOI public information service

No. | Measure | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
2.4.1 | 90% of FOI written enquiries are finalised within 10 working days | Yes | Yes | Yes | Yes | Yes | 2
2.4.2 | New community, legal and other networks are identified for targeted promotion of the public information service | Yes | Yes | Yes | Yes | Yes | 2

Activity 2.5: Promote awareness and understanding of information access rights in the community

The OAIC undertakes awareness raising activities to ensure that the community is well informed about their information access rights.

The OAIC will have achieved its purpose if its awareness raising activities have helped the community to understand their information access rights.

Delivery strategy

In 2017–18 we will:

  • Conduct a campaign for Right to Know Day 2017
  • Continue to engage with other Information Commissions to raise awareness about information access rights
  • Deliver a new OAIC website with revised content for individuals.

Over the next four years we will:

  • Continue to raise public awareness about information access rights
  • Conduct Right to Know Day activities on an annual basis
  • Ensure that our communication products consider the needs of culturally and linguistically diverse groups.

Performance

We will demonstrate our performance through the following measures:

Activity 2.5: Promote awareness and understanding of information access rights in the community

No. | Measure | 2017 to 2018 | 2018 to 2019 | 2019 to 2020 | 2020 to 2021 | RPF measure | RPF KPI
2.5.1 | Increase in media and social media mentions about information access rights | Yes | Yes | Yes | Yes | No | N/A
2.5.2 | The OAIC’s website is accessible for individuals and contains targeted content about information access rights | Yes | Yes | Yes | Yes | No | N/A

Organisation capability

Functions and staffing

The OAIC has undertaken significant work in recent years to raise awareness amongst the community about their rights and the channels available to them should they feel their rights have been breached.

While our workload and responsibilities grow, our challenge is to continue to manage our responsibilities effectively with the resources available.

This requires us to look at how we work and what we can do to deliver improved and more efficient services. As an example, in order to deal with the increase in the number of complaints the OAIC is receiving, we are trialling a new early resolution approach to privacy complaints. The model uses a Sprint team approach, building new processes for intake, referral and resolution of complaints. We have engaged strategically with respondents, and have reached agreement on fast response times and dedicated contacts with key respondents. While a full review of the trial will be conducted, early indications suggest the model is delivering significant benefits. We are also continuing to identify and implement improvements in our IC review processes.

However, the upcoming implementation of the Notifiable Data Breaches scheme, the Australian Public Service (APS) Privacy Governance Code, the General Data Protection Regulation requirements, the review of the CR Code, and any implementation of the Productivity Commission’s Data Availability and Use report, among other priorities, are expected to increase demand for advice and guidance.

Networks

The OAIC hosts and participates in a number of international and domestic information and best practice sharing forums, initiatives and arrangements.

We coordinate public and private sector privacy networks which provide opportunities for privacy contact officers to meet, collaborate and share expertise.

We also build and maintain productive relationships with privacy organisations and authorities in other jurisdictions through a number of national and international forums and arrangements.

Of note, the input we receive through the Consumer Privacy Network and the Privacy Professionals’ Network ensures that our frameworks align with the rapidly-changing consumer and organisational contexts.

The OAIC also participates in two important FOI networks, the Association of Information Access Commissioners and the International Conference of Information Commissioners.

Risk oversight and management

In our approach to risk management, we consider factors that may affect our ability to effectively engage with and manage our relationships with our stakeholders. Our risk appetite sets the boundaries within which staff are expected to operate and is vital for effective risk management. A clear understanding of risk appetite helps staff assess risks, make informed decisions, confidently engage with risk and harness its opportunities.

The OAIC Executive regularly considers and reviews the risks faced by the agency and the reports on risk received from the Audit Committee.

Significant resources have been allocated to the identification and management of risks associated with the implementation of the Notifiable Data Breaches scheme. Further resources will be allocated for the successful implementation of the Australian Public Service (APS) Privacy Governance Code in 2018. These activities require effective control activities that are subject to regular review to ensure that the identified risks are mitigated.

Office of the Australian Information Commissioner

1300 363 992
enquiries@oaic.gov.au
www.oaic.gov.au
@OAICgov