Part 1: Overview

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • ensuring proper handling of personal information under the Privacy Act 1988 (Privacy Act) and other legislation
  • protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • performing strategic functions relating to information management within the Australian Government under the AIC Act.

Outcome and program structure

Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.

Outcome: Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.
Program 1.1: Complaint handling, compliance and monitoring, and education and promotion.

Our annual performance statement details our activities, key deliverables and performance measures.

Purpose

Our purpose is to promote and uphold privacy and information access rights.

In the OAIC Corporate Plan 2018–19 we determined we would be successful if we:

  • assisted businesses and Australian Government agencies to understand their privacy obligations, and encouraged them to respect and protect the personal information they handle
  • efficiently and effectively took action against suspected interferences with privacy to improve compliance with the Privacy Act
  • helped the community to understand and feel confident to exercise their privacy and information access rights
  • assisted Australian Government agencies to understand their freedom of information (FOI) obligations, and respect and promote access to government information
  • efficiently and effectively carried out our regulatory functions under the FOI Act.

Commissioner’s review

In our data-driven economy there is increasing recognition of the value of personal information. The past year’s focus on digital platforms in Australia and overseas has brought home the scale of the issues we confront in safeguarding personal data. The importance of access to information in underpinning democracy and open and accountable government has also come to the fore this year in political and media discourse around the world.

Our role in promoting and upholding privacy and access to information rights sits at the centre of these debates on how to meet community expectations and ensure organisational accountability.

These are regulatory issues with global reach, and we are working with our international counterparts as part of a worldwide movement to hold organisations to account and enforce greater transparency. Getting privacy right is not only fundamental to creating greater community trust in the exchange of personal information, it also ensures government-held information is used for public benefit, informs evidence-based policy making and supports innovation.

In addressing these challenges nationally, we worked closely with the Australian Competition and Consumer Commission (ACCC) to consider whether existing privacy legislation is fit for purpose in the digital economy. Through my role on the Executive Committee of the International Conference of Data Protection and Privacy Commissioners, we worked globally towards interoperable regulatory frameworks and support cooperative regulatory action between jurisdictions. We are actively engaged with the Asia Pacific Privacy Authorities forum and Global Privacy Enforcement Network. We are also working with the Attorney-General’s Department to implement the Asia-Pacific Economic Cooperation’s cross-border privacy rules system in Australia. The global interoperability of privacy law supports a strong domestic economy and provides robust protections for the privacy rights of all Australians.

In March 2019, the Australian Government announced plans for online protections for personal information and increased penalties for its misuse. Additional funding has been provided to the OAIC to assist us in regulating privacy, particularly in the online environment, which will be a significant focus for us over the next three years. These changes would build upon the significant regulatory reforms implemented in 2018. The Notifiable Data Breaches (NDB) scheme was established in February last year to strengthen consumer protection and elevate the security posture of organisations and agencies who handle personal information. Over 2018–19 we received 1,160 data breach notifications, including 950 under the mandatory NDB scheme. During this reporting period, we have worked with notifying organisations to ensure data breaches were contained and rectified, affected individuals were informed so they can act swiftly, and that measures were put in place to prevent a reoccurrence.

In May 2019, we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which provides a clear evidence base for regulated entities to prevent data breaches. Most breaches exploited a human factor, such as an employee being tricked into providing credentials that allow cyber intrusion into information and systems. We continued to highlight the need for employees to be supported through training, processes and technology to mitigate this known risk.

Significant areas of work for the OAIC in 2018–19 include our ongoing focus on the Australian Government Agencies Privacy Code and preparing for the Consumer Data Right in our regulatory role with the ACCC and the Data Standards Body. We also regulate the privacy aspects of the My Health Record system, which transitioned to an opt-out system at the start of 2019.

These developments, along with several high-profile data breaches brought to light by the NDB scheme and the European Union’s General Data Protection Regulation, have contributed to increased awareness about obligations to protect personal information. They also added to the substance and complexity of many matters brought to us to investigate.

We continued to take an evidence-based and proportionate approach to exercising the range of regulatory tools available to us. In 2018–19 we assessed privacy practices in the finance, telecommunications and government sectors, as well as the digital health sector. We engaged regularly with businesses and Australian Government agencies on good privacy practice and provided advice on a wide range of matters such as credit reporting, government-related identifiers, digital identity systems, de-identification and data-matching. We also made detailed submissions on issues relating to national security, artificial intelligence, cooperative intelligent transport systems and telecommunications.

The privacy issues raised direct us to consider closely whether community expectations, and the current scope and settings of our Privacy Act, are aligned. These issues will also be considered as part of Government’s response to the Digital Platforms Inquiry report.

International cooperation to strengthen public access to information is also critical. Through our engagement this year with the International Conference of Information Commissioners, we continued to promote the importance of global action on open government. We also continued our work as part of the Open Government Partnership Australia to develop the third National Action Plan to improve transparency in the public sector.

This year I was appointed as a founding member of the National Data Advisory Council, looking at ways to streamline the sharing and release of government data while ensuring the protection of privacy and confidentiality. This is one of many areas where personal data handling and information management considerations converge.

We remain committed to promoting the management and use of government-held information as a national resource for public purposes. As part of this work, in June 2019 we released a survey of government agencies’ compliance with the Information Public Scheme (IPS). The results confirmed a continued commitment across government to the IPS’s requirements and principles. However, a decline was observed in key areas of compliance compared to our first survey in 2012.

These findings are assisting both the OAIC and government agencies to identify improvements to support the proactive publication of government information.

Day to day, our skilled and dedicated staff continued to assist the community and regulated entities in providing information and resolving a growing number of privacy and FOI complaints and requests for Information Commissioner reviews.

We received 3,306 privacy complaints in 2018–19, an increase of around 12% on the previous financial year. We assisted 2,920 complainants in resolving these issues, nearly 6% more than in 2017–18. Complaints were resolved in an average time of 4.4 months. We also handled 17,445 privacy enquiries.

The number of FOI enquiries rose by almost half in 2018–19 to 2,881 and applications for Information Commissioner (IC) reviews of FOI requests grew by almost 16% to 925. We finalised 8% more IC reviews than in the previous year. IC review decisions continue to provide important guidance to agencies.

We also launched our new website for public feedback in June 2019. Its new architecture improves navigation and search functionality and features a wide range of updated information and advice, particularly for individuals.

Across our core functions, we continued to seek ways to improve our efficiency and effectiveness so we can meet the community’s needs. Through our strategic priorities, we are working on behalf of the Australian community to achieve our long-term vision of increasing public trust and confidence in the protection of personal information and access to government-held information.

Angelene Falk
Australian Information Commissioner
Privacy Commissioner
20 August 2019

Our year at a glance

Privacy highlights*

Infographic of privacy highlights (see ‘Long text descriptions’ below).

* Percentages have been rounded to the nearest whole number. End-of-year statistics may differ from quarterly publication statistics.

Second infographic of privacy highlights (see ‘Long text descriptions’ below).

* Corrected to take into account that the NDB scheme only commenced on 22 February 2018.

FOI highlights*

Infographic of FOI highlights (see ‘Long text descriptions’ below).

Second infographic of FOI highlights (see ‘Long text descriptions’ below).

* Percentages have been rounded to the nearest whole number.

Our structure

The OAIC is headed by the Australian Information Commissioner, a statutory officer appointed by the Governor-General. The Commissioner has a range of powers and responsibilities outlined in the AIC Act, and also exercises powers under the FOI Act, the Privacy Act and other privacy-related legislation.

The Australian Information Commissioner is the agency head accountable for strategic oversight and the OAIC’s regulatory, strategic, advisory and dispute resolution functions, as well as financial and governance reporting.

Angelene Falk was appointed by the Governor-General to the roles of Australian Information Commissioner and Privacy Commissioner on 16 August 2018. She was acting Australian Information Commissioner and Privacy Commissioner from 24 March 2018 to 15 August 2018.

Photo of the 4 members of the OAIC Executive team

Angelene Falk

Angelene Falk has held senior positions in the OAIC since 2012, including serving as Deputy Commissioner from 2016 to March 2018.

Over the past decade, she has worked extensively with Australian Government agencies, across the private sector and internationally, at the forefront of addressing regulatory challenges and opportunities presented by rapidly evolving technology and potential uses of data. Her experience extends across industries and subject matter, including data breach prevention and management, data sharing, credit reporting, digital health and access to information.

She holds a Bachelor of Laws with Honours and a Bachelor of Arts from Monash University and a Diploma in Intellectual Property Law from Melbourne University.

Support to the Commissioner

The Commissioner is supported by an Executive team of three substantive Senior Executive Services (SES) positions, and expert staff, working within the Dispute Resolution, Regulation and Strategy, and Legal and Governance branches.

Generally, the Dispute Resolution branch is responsible for resolving privacy complaints, FOI Information Commissioner reviews, Commissioner initiated privacy and FOI investigations and the OAIC’s public information service. The Regulation and Strategy branch provides guidance, examines and drafts submissions on proposed legislation, conducts assessments, and provides advice on inquiries and proposals that may have an impact on privacy. The Legal and Governance branch provides legal and corporate services and strategic communications functions.

Communication and collaboration

We used a range of networks and communication channels during this reporting period to raise awareness across businesses, government agencies and the public about privacy and information access rights and responsibilities.

We have highlighted some of these activities below and give more detail in Part 2.

Our networks

We hosted and participated in a number of domestic and international privacy and information access networks which provided opportunities to collaborate and share expertise with stakeholders.

Privacy Professionals Network

The Privacy Professionals Network (PPN) is for public and private sector privacy professionals. Its membership grew during this reporting period from 3,442 to 3,623 members.

We sent regular updates to PPN members on topics such as: agencies we recently recognised to handle particular privacy-related complaints (an external dispute resolution scheme); our recent submissions about privacy-related matters to the Australian Government or other entities; a new or updated resource on a topic of interest, such as the My Health Record system; and relevant national or international developments.

The majority of PPN events in 2018–19 were fully subscribed and provided PPN members with an opportunity to hear from experts and network with colleagues.

PPN events during this reporting period included:

  • a presentation on privacy issues at the GRC Institute in Perth in November 2018
  • a Privacy Awareness Week (PAW) business breakfast in Sydney in May 2019, where the Commissioner shared insights from the first 12 months of the NDB scheme
  • a Privacy Authorities Australia panel discussion in Brisbane in April 2019 that focused on the challenges each jurisdiction faced and opportunities for cross-border collaboration.

Information Contact Officer Network

Our Information Contact Officer Network (ICON) for Australian Government FOI contact officers was given regular updates on topics such as: recent IC review decisions; a new or updated resource on a topic of interest, such as updates to the FOI Guidelines; and relevant national or international developments.

At the end of this reporting period there were 527 ICON members.

We held two ICON information sessions in Canberra during this reporting period to update members on recent FOI activity, decision review trends and our priorities:

  • In September 2018, the Commissioner and the Executive team were joined by representatives of the Department of the Prime Minister and Cabinet and the Department of Finance.
  • In April 2019, our ICON session featured representatives of the National Archives of Australia and an introduction to the Open Australia Foundation’s Right to Know website.

Consumer Privacy Network

The Consumer Privacy Network (CPN) furthers the privacy community’s understanding of current privacy issues affecting consumers. Members were appointed for a two-year period:

  • Australian Communications Consumer Action Network
  • Australian Privacy Foundation
  • Consumer Action Law Centre
  • Consumer Credit Law Centre South Australia
  • Consumers Health Forum of Australia
  • Electronic Frontiers Australia Inc
  • Financial Rights Legal Centre Inc (NSW)
  • Internet Australia
  • Legal Aid New South Wales
  • Legal Aid Queensland
  • The Foundation for Young Australians
  • National LGBTI Health Alliance
  • Federation of Ethnic Communities’ Councils of Australia
  • National Mental Health Consumer & Carer Forum.

Domestic networks

Privacy Authorities Australia

Privacy Authorities Australia (PAA) is a group of Australian privacy authorities who meet regularly to promote best practice and consistency of privacy policies and laws. We joined privacy representatives from all states and territories as a member of PAA.

Association of Information and Access Commissioners

This Australian and New Zealand network is for information access authorities who administer FOI legislation. In September 2018, we hosted a meeting of the Association of Information and Access Commissioners (AIAC) members at our office in Sydney.

International networks

Asia Pacific Privacy Authorities forum

The Asia Pacific Privacy Authorities (APPA) forum is the principal forum for privacy authorities in the Asia-Pacific region for exchanging ideas about privacy regulation, emerging technologies, and managing privacy enquiries and complaints.

Common Thread Network

This network brings together data protection and privacy authorities from Commonwealth countries.

Global Privacy Enforcement Network

The Global Privacy Enforcement Network is designed to facilitate cross-border cooperation in enforcing privacy laws.

International Conference of Data Protection and Privacy Commissioners

The largest and longest standing network for data protection and privacy authorities, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) brings together organisations from around the world to provide leadership at international level in data protection and privacy.

The Commissioner was elected to the ICDPPC Executive Committee in October 2018 and is a co-chair of the ICDPPC Digital Citizen and Consumer Working Group.

International Conference of Information Commissioners

The International Conference of Information Commissioners (ICIC) comprises information commissioners and ombudsmen from around the world. The ICIC provides an opportunity for information commissioners, practitioners and advocates to exchange ideas, to identify emerging trends and challenges and to strengthen public access to information.

Events

During this reporting period, our Executive team and senior staff delivered speeches and presentations and took part in panel discussions at 36 external events, including:

  • Australian Communications Consumer Action Network ACCANect National Conference, Sydney, September 2018
  • Australian Information Security Association Cyber Conference, Melbourne, October 2018
  • the keynote address for the International Association of Privacy Professionals Australia and New Zealand Summit, Melbourne, November 2018
  • International Institute of Communications Digital Platforms seminar, Sydney, February 2019
  • a panel discussion on ‘Privacy and openness — is the balance right?’ for the Australian Banking Association, Sydney, March 2019
  • Australian Government Solicitor FOI and Privacy Forums, Canberra, November 2018 and May 2019
  • Australian Insurance Law Association National Conference, Perth, November 2018
  • a panel discussion on the ‘Increasing importance of the interrelationship between information access and data protection, including open data’ at the ICIC, Johannesburg, March 2019
  • a panel discussion on ‘Privacy — what patient and hospital information can be shared?’ at the Australian Private Hospitals Association National Conference, Melbourne, March 2019
  • a presentation on ‘Trust in the data economy: the role of stakeholders’ at the International Seminar on Personal Data, a G20 Summit Side Event, Tokyo, June 2019.

Privacy Awareness Week

Privacy Awareness Week (PAW) is an annual initiative of the APPA forum. It is held every year to promote and raise awareness of privacy issues and the importance of protecting personal information.

In 2019, PAW ran from 12 to 18 May, promoting a range of privacy priorities through the theme ‘Don’t be in the dark on privacy’. This message was supported by a digital campaign that directed businesses, agencies and consumers to useful resources and the PAW website.

Events included a sold-out business breakfast, attended by approximately 150 representatives from business and government. Members of the Executive team and senior staff also represented the OAIC at events throughout the week, including at the Australian Government Solicitor FOI and Privacy Forum in Canberra, the Deloitte Privacy Index launch in Sydney and an Information Integrity Solutions event in Melbourne.

A record number of organisations signed up as official supporters of PAW (500, up from 360 in 2017–18) and promoted the importance of good privacy practice to their stakeholders, customers and staff. PAW supporters were given a wide range of resources to share through internal and external communication channels, including posters, social media posts and digital assets, as well as the presentation’s slides, which included useful information for agencies on the Australian Government Agencies Privacy Code and the NDB scheme.

We also launched a new online game, Privacy Challenge, for PAW 2019 to raise public awareness of how to protect personal information in the digital and real-world environment. The Privacy Challenge features three different scenarios that explore a range of situations including smart phone security, social media privacy, credit reports and scams. The scenarios in this community e-learning resource were launched 2,678 times between 17 May and 30 June 2019.

Our ability to prevent, detect, deter and remedy relies on cooperation and collaboration, across regulatory regimes, across borders, with the community, business, government and academics.

This is central to our approach to regulating in the global economy: developing regulatory policy and guidance that takes account of global developments, creating interoperable regulatory frameworks, and cooperative international regulatory action.

Angelene Falk, Australian Information Commissioner and Privacy Commissioner, keynote address to the PAW Business Breakfast, ‘Making privacy the priority: privacy and data protection in our interconnected world’, 13 May 2019.

PAW snapshot

There were 16,045 PAW website views, 500 PAW supporters and 865 PAW posts on social media. The PAW campaign poster says ‘Don’t be in the Dark on Privacy’.

Right to Know Day

Our Right to Know Day campaign aimed to raise awareness about the public’s right to access government-held information through a dedicated website, digital promotion and events in the lead up to international Right to Know Day on 28 September 2018.

The Right to Know website hosted a new series of FOI videos, event listings, resources and promotional materials. Our events to mark Right to Know Day included an ICON information session in Canberra on the role of the FOI practitioner in promoting accountability and transparency and a community event in Sydney on 27 September 2018 where our staff engaged with more than 500 people about access to information issues.

We also hosted a meeting of the AIAC from 20 to 21 September 2018, where members collaborated on a joint statement to promote Right to Know Day and the importance of open government.

Media and social media

Media interest in our work remained strong throughout 2018–19, reflecting continued community awareness of privacy and information access rights. Media coverage of personal information security issues was also driven by mandatory notifications of data breaches to affected individuals and the OAIC, and our regular statistical reports on the NDB scheme.

We responded to 238 media enquiries in 2018–19 (compared to 317 in 2017–18) from a range of mainstream, business and digital publications.

We actively promoted awareness of privacy and information access rights through our social media channels, increasing followers and page likes across Facebook and Twitter. We also regularly shared privacy and information access updates through our e-newsletter, which was relaunched in May 2019 as ‘Information Matters’ to a combined subscriber base of almost 7,800 people.

Facebook

Almost 60,000 people actively engaged with our campaign posts to promote awareness of privacy controls within the My Health Record system.

Page likes grew by almost 10% to 2,886.

Twitter

More than 913,000 tweet impressions.

Followers grew by almost 10% to more than 5,200.

Webinars and podcasts

We partnered with the Royal Australian College of General Practitioners (RACGP) to present three webinars on the NDB scheme in February 2019, which attracted 222 attendees and 145 downloads. The webinars were part of a broader communications campaign with the RACGP to promote good privacy and personal information handling practices to their members.

For PAW 2019, we partnered with Wolters Kluwer to present a webinar on the NDB scheme that highlighted the findings and recommendations from our Notifiable Data Breaches Scheme 12-Month Insights Report. The webinar attracted almost 400 registrations, and 95% of attendees rated the session as ‘excellent’ or ‘very good’.

This webinar has filled some gaps and clarified the major grey areas. The questions session gave a great opportunity to clarify any uncertainty. I am more confident in my knowledge now.

PAW webinar attendee

We also collaborated with Legal Aid NSW to create a podcast on consumer credit reporting issues for PAW, which has since been downloaded more than 250 times.

Long text descriptions

Privacy highlights long text description

In this infographic, percentages have been rounded to the nearest whole number. End-of-year statistics may differ from quarterly publication statistics.

We received 12% more privacy complaints in 2018–19: 3,306 in total. In 2017–18, there were 2,947 in total.

Most complaints came from the following sectors:

  • Finance (including superannuation): 13%
  • Australian Government: 12%
  • Health service providers: 10%
  • Telecommunications: 7%
  • Retail: 5%
  • Online services: 5%

We finalised 6% more privacy complaints in 2018–19: 2,920 in total, compared to 2,766 in 2017–18.

In 2018–19, the average time taken to finalise a complaint was 4.4 months, compared to 3.7 months in 2017–18.

In 2018–19, 95% of all privacy complaints were finalised within 12 months of receipt, compared to 97% in 2017–18.

We handled 17,445 privacy enquiries in 2018–19, a 10% decrease from 2017–18. These comprised:

  • 13,457 by phone;
  • 3,966 written and
  • 22 in person.

We received 9% more notifications under the Notifiable Data Breaches (NDB) scheme (corrected to take into account that the NDB scheme only commenced on 22 February 2018): in 2018–19, there were 950 in total, compared to 305 in 2017–18. 79% of all notifications under the NDB scheme were finalised within 60 days.


FOI highlights long text description

In this infographic, percentages have been rounded to the nearest whole number.

We received 928 applications for Information Commissioner reviews of FOI requests, a 16% increase on the previous year. In 2018–19, there were 928 in total, compared to 801 in 2017–18.

We finalised 73% of applications for an Information Commissioner review within 12 months of receipt.

The top five agencies involved in Information Commissioner reviews were:

  1. Department of Home Affairs (198)
  2. Department of Human Services (104)
  3. Department of Veterans’ Affairs (47)
  4. Australian Federal Police (46)
  5. Department of Defence (44)

We finalised 8% more Information Commissioner reviews: in 2018–19, 659 were finalised, compared to 610 in 2017–18.

The average time taken to finalise an Information Commissioner review in 2018–19 was 7.8 months, compared to 6.7 months in 2017–18.

In 2018–19 we handled 2,881 FOI enquiries, which is a 49% increase on 2017–18. These comprised:

  • 2,051 by phone;
  • 824 written and
  • 6 in person.

We received 61 FOI complaints in 2018–19, which was a similar number to last year’s 62.

The average time taken to close FOI complaints in 2018–19 was 7.2 months, compared to 5.8 months in 2017–18.

82% of FOI complaints were finalised within 12 months of receipt, compared to 83% in 2017–18.
