Annual Report 2019–20
On this page
Publication date: October 15 2020
Part 1: Overview
About the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010.
Our key role is to meet the needs of the Australian community in relation to the regulation of privacy and freedom of information. We do this by:
- ensuring proper handling of personal information under the Privacy Act 1988 (Privacy Act) and other legislation
- protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- performing strategic functions relating to information management within the Australian Government under the Australian Information Commissioner Act 2010 (AIC Act).
Outcome and program structure
Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.
Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions.
Complaint handling, compliance and monitoring, and education and promotion.
Our annual performance statement details our activities and key deliverables, and measures our performance against our Portfolio Budget Statement targets and the strategic priorities set out in the OAIC Corporate Plan 2019–20:
- Advance online privacy protections for Australians
- Influence and uphold privacy and information access rights frameworks
- Encourage and support proactive release of government-held information
- Take a contemporary approach to regulation.
Our purpose is to promote and uphold privacy and information access rights.
We do this by:
- making sure that Australian Government agencies and Australian Privacy Principles (APP) entities comply with the Privacy Act and other laws when handling personal information
- protecting the public’s right of access to documents under the FOI Act
- carrying out strategic information management functions within the Australian Government under the AIC Act.
Our regulatory activities include:
- conducting investigations
- handling complaints
- reviewing decisions made under the FOI Act
- monitoring agency administration
- advising the public, organisations and agencies.
The past 12 months have brought unprecedented challenges, with Australia’s worst bushfire season on record soon followed by the COVID-19 pandemic. These seismic events have had a significant impact on the everyday lives of us all.
They have also highlighted the importance of maintaining public trust and confidence in the handling of personal information and in providing access to government-held information, both vital tools in our emergency response.
The OAIC’s Corporate Plan for 2019–20 outlined a vision to increase public trust and confidence in the protection of personal information and access to government-held information. This has never been so important, as we sought solutions to halt the spread of the virus.
As the use of both personal information and digital solutions became necessary to respond to the pandemic and adjust to remote work, learning and social engagement, privacy issues also came to the fore.
Our engagement allowed us to harness the experience of data protection authorities around the world in grappling with the privacy impacts of new and emerging responses to COVID-19. Our international perspective and understanding informed and strengthened our advice to government, regulated entities and the community.
The OAIC has also taken on new responsibilities for overseeing privacy safeguards built into the COVIDSafe app system. We advised the Australian Government as it considered the privacy implications of the app and recommended legislative privacy protections to instil the highest level of trust and confidence in the community.
The amendments to the Privacy Act 1988 provide strong privacy protections and expand our regulatory oversight role to cover state and territory access to COVIDSafe data. The publication of the Privacy Impact Assessment for the app and the government’s response was an important transparency measure and sets a benchmark for government initiatives involving personal information.
In response to the challenges created by the pandemic, we have produced a range of privacy guidance for business, Australian Government agencies and individuals, including how to safeguard personal information in changed work environments and when venues are collecting information for contact tracing purposes.
The health and economic crisis caused by the coronavirus has created opportunities for greater transparency through proactive release and real-time provision of information. This approach by government demonstrates how transparency can increase community confidence and influence behaviour.
At the same time, the impact of the outbreak had the potential to affect agencies’ ability to meet statutory timeframes for processing freedom of information requests. We have recommended a range of measures to ensure agencies continue to meet their obligations, along with advice for people lodging FOI requests.
Earlier this year, we joined with our international and domestic counterparts to reinforce the importance of documenting decisions and providing access to government-held information through the pandemic and beyond. Our contribution to global transparency efforts includes our ongoing role in Australia’s Open Government Partnership, as a member of the working group for the third Open Government National Action Plan.
In operating as a contemporary regulator, our regulatory posture and approach is evidence-based, proportionate and seeks to respond to community expectations in addressing risk. In privacy, as in access to information, we exercise our regulatory functions in a way that helps entities to understand and voluntarily comply with obligations. We also take action that deters and remediates breaches of privacy and information access rights where they occur.
Following a detailed investigation, including cooperation with international authorities, in 2019–20 the OAIC launched our first civil penalty action, against Facebook. This action is part of the OAIC’s ambition to advance online privacy protections for all Australians.
The government’s response to the Digital Platforms Inquiry, carried out by the Australian Competition and Consumer Commission (ACCC) and informed by the OAIC’s submissions and advice on privacy-related issues, has committed to a review of the Privacy Act. We have established a dedicated project team to engage with stakeholders and provide policy advice to government. We look forward to working cooperatively over the year ahead to advance a privacy law framework that is fit for purpose for the digital age.
We also worked closely with the ACCC in carrying out a significant program of work to implement the Consumer Data Right, which commenced on 1 July 2020. Our joint compliance and enforcement policy outlines how we will apply the CDR Rules and uphold the privacy safeguards to ensure consumer data is protected as the system expands.
The Notifiable Data Breaches scheme remains a focus for our agency. The scheme was introduced in February 2018 to strengthen consumer protection and elevate the security posture of organisations and agencies who handle personal information. In 2019–20 we recorded an 11% increase in notifications to the OAIC and to individuals at risk of harm.
We are engaging closely with notifying entities to understand the causes of breaches and ensure measures are put in place to rectify them and mitigate future incidents. We have also opened a number of Commissioner-initiated investigations to examine serious or systemic issues and evaluate compliance with the requirements of the scheme and the Privacy Act.
A highlight of 2019–20 is the success of our program to eliminate a backlog of privacy cases created by sustained increases in complaints over recent years. By implementing additional efficiency measures, and with the support of additional funding, we closed 3,366 privacy complaints during the financial year – a 15% improvement on 2018–19.
In a reversal of the recent trend, the number of incoming privacy complaints declined by 19% in 2019–20. The significant drop recorded in the second half of the reporting period is likely to be due to the COVID-19 pandemic.
Applications for Information Commissioner (IC) review of FOI decisions continued to grow in 2019–20, increasing by 15% to 1,066. Following the COVID-19 outbreak, we also recorded a significant increase in agency applications for extensions of time to process FOI requests.
While the OAIC continues to face resourcing challenges in the FOI area, we implemented further process improvements and resolved more IC reviews during the reporting period than ever before. We achieved a 26% improvement, resolving 829 IC reviews in 2019–20.
The significant increase in the number of applications after sustained increases in previous years, along with our focus on reducing the number of cases over 12 months old, meant we finalised 72% of IC reviews within 12 months, short of our target of 80%.
The OAIC also delivered a wide range of guidance for regulated entities and the community during 2019–20 to improve awareness and practice across our core regulatory functions. We led campaigns for Privacy Awareness Week and Right to Know Day, engaging the public, practitioners and regulated entities to promote privacy and access to information rights and responsibilities.
Building trust and confidence
Australia’s response to the pandemic has demonstrated what can be achieved at speed when there is a common goal in the public interest. I would like to express my appreciation to the staff of the OAIC, who have consistently shown great commitment, flexibility and focus in working to advance privacy rights and access to information throughout this period.
The regulatory areas that we oversee are a key part of the solution to navigating through these challenging times. The examples of privacy by design, strong privacy protections and government transparency during this period not only support a sense of optimism about our path to recovery, they also set an encouraging precedent for the future of information management.
Australian Information Commissioner
16 September 2020
Our year at a glance
Part 2: Performance
I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner (OAIC), present the 2019–20 annual performance statement of the OAIC, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, this annual performance statement is based on properly maintained records, accurately reflects the performance of the entity, and complies with subsection 39(2) of the PGPA Act.
During this reporting period, we worked to achieve the 31 indicators outlined in the OAIC Corporate Plan 2019–20. We measure our success against our performance indicators which are grouped under our 4 strategic priorities.
We delivered on our purpose to promote and uphold privacy and information access rights.
In 2019–20, the OAIC achieved 16 of our 31 performance indicators and partially achieved 4 indicators. We did not achieve 8 indicators, and this result largely reflects increased volumes of work and our systematic efforts to reduce the backlog created by a sustained increase in privacy complaints and Information Commissioner (IC) review applications over recent years.
Three further indicators did not apply during this reporting period, as the commencement of the Consumer Data Right and reforms to the Privacy Act 1988 (Privacy Act) were delayed.
Among the highlights of our performance in 2019–20:
- We assisted 3,366 complainants in resolving privacy issues, about 15% more than in 2018–19, with an average finalisation time of 4.7 months
- We handled 14,842 privacy enquiries and 2,297 FOI enquiries, down 15% and 20% respectively on 2018–19
- We finalised 26% more IC reviews than in 2018–19
- We cooperated with our co-regulator, the Australian Competition and Consumer Commission (ACCC), to implement the Consumer Data Right on 1 July 2020
- For the first time in the history of the OAIC, we commenced civil proceedings in the Federal Court. Proceedings are against Facebook Inc. and Facebook Ireland
- Following the outbreak of COVID-19, we convened a COVID Taskforce and provided a significant volume of policy advice, including in relation to the important privacy safeguards that were built into the Australian Government’s COVIDSafe app
- We released a Guide to health privacy to help providers understand their obligations and embed good privacy practice
- We launched a new e-learning course to support good privacy practice in Australian Government agencies
- We attracted a record number of supporters for our Privacy Awareness Week campaign
- We led a campaign for Right to Know Day to raise awareness of access to information rights and responsibilities.
The OAIC Annual Report 2019–20 is available in HTML on the Transparency Portal:
- Part 1: Overview
- Part 2: Performance
- Part 3: Management and accountability
- Part 4: Financial statements
- Appendices A-G
- Appendix H: List of requirements
Publication date: October 15 2020