Annual Report 2020–21
Our annual report and performance statement details our activities and key deliverables, and measures our performance against our Portfolio Budget Statement targets and the strategic priorities set out in the OAIC Corporate Plan 2020–21.
Part 1: Overview
About the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010.
Our key role is to meet the needs of the Australian community in relation to the regulation of privacy and freedom of information. We do this by:
- ensuring proper handling of personal information under the Privacy Act 1988 and other legislation
- protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- performing strategic functions relating to information management within the Australian Government under the Australian Information Commissioner Act 2010 (AIC Act).
Outcome and program structure
Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.
Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.
Complaint handling, compliance and monitoring, and education and promotion.
Our annual performance statement details our activities and key deliverables and measures our performance against our Portfolio Budget Statement targets and the strategic priorities set out in our Corporate Plan 2020–21:
- advance online privacy protections for Australians
- influence and uphold privacy and information access rights frameworks
- encourage and support proactive release of government-held information
- take a contemporary approach to regulation.
Our purpose is to promote and uphold privacy and information access rights.
We do this by:
- making sure that Australian Government agencies and Australian Privacy Principles (APP) entities comply with the Privacy Act and other laws when handling personal information
- protecting the public’s right of access to documents under the FOI Act
- carrying out strategic information management functions within the Australian Government under the AIC Act.
Our regulatory activities include:
- conducting investigations
- handling complaints
- reviewing decisions made under the FOI Act
- monitoring agency administration
- providing advice to the public, organisations and agencies.
In a year dominated by our ongoing response to COVID-19, the OAIC has worked to ensure access to information and privacy protections continue to be upheld. Information sharing by government and the use of personal information to help address the public health risks associated with the pandemic has been a hallmark of the past 12 months. The government and business response to community expectations for information sharing and strong privacy protections in areas of higher risk has set important benchmarks for best practice in privacy and information access.
The OAIC has joined with our domestic and international counterparts to highlight the need to maintain privacy and information access frameworks during the pandemic, through proportionate and pragmatic public health responses, and the proactive release of information.
Advancing our strategic priorities
As a contemporary regulator, we seek to respond to government and community public expectations when exercising our regulatory responsibilities and powers under the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act).
Our compliance and enforcement activities hold organisations to account through determinations and other regulatory action. In 2020–21, we issued a record 17 determinations in relation to complaints alleging breaches of the Australian Privacy Principles, providing guidance to regulated entities around the interpretation of individual principles and establishing important precedents.
We finalised a number of Commissioner-initiated privacy investigations (CIIs) during the reporting period, and significantly advanced our joint investigation with the UK Information Commissioner into Clearview AI Inc. over the use of ‘scraped’ data and biometrics for its facial recognition app. Our CII into the Department of Home Affairs’ compliance with statutory timeframes for processing FOI requests for non-personal information resulted in the agency agreeing to implement all our recommendations.
In October 2020, we established our Regulatory Action Committee, a new internal governance mechanism to assist the OAIC in assessing regulatory options for responding to significant and emerging privacy risks.
Our work also shapes the privacy and access to information landscape through detailed submissions and policy advice to the Australian Government and others. In 2020–21, we made 21 submissions and 50 bill scrutiny comments across both privacy and FOI. This includes our submission to the landmark review of the Privacy Act led by the Attorney-General’s Department. Among our recommendations is the need for a new standard to ensure that the collection, use and disclosure of personal information is fair and reasonable.
We continue to influence policy and reform through domestic and international engagement. I had the privilege of leading the adoption of 2 resolutions at the Global Privacy Assembly conference in October 2021 focused on facial recognition and emerging privacy issues. In June 2021, the International Conference of Information Commissioners voted unanimously to adopt the resolution authored by the OAIC in support of proactive publication of information relating to the COVID-19 pandemic. In 2020–21, we led a highly successful Privacy Awareness Week (PAW), signing up a record number of supporters. We also coordinated national campaigns across Australian jurisdictions for both PAW and International Access to Information Day.
Delivering our regulatory functions
The OAIC’s work to deliver our core services to the Australian community has continued through the pandemic, as applications for Information Commissioner (IC) reviews increased by 15% to 1,224 and privacy complaints fell by 7% to 2,474. I am pleased to report that OAIC staff finalised 94% of privacy complaints within 12 months, against a target of 80%. We also closed 1,018 IC reviews, an increase of 23% compared to the previous financial year. Despite this significant improvement, resourcing issues mean a gap between incoming FOI work and finalisation rates remains. The appointment of a new FOI Commissioner announced in the May Budget will assist our capacity to manage this growing workload.
COVID-19 was a key theme of new OAIC guidance and advice to drive best practice among agencies and organisations, including harmonising contact tracing orders and privacy protections in relation to vaccinations. We also released two COVIDSafe reports and the first of 5 COVIDSafe assessments in 2020–21.
The Consumer Data Right celebrated its first year of operation in the banking sector on 30 June 2021. This important reform is empowering consumers to take greater control of their data to help them find products and services better suited to their needs. Alongside our co-regulator, the Australian Competition and Consumer Commission, the OAIC is working to embed and enforce the privacy safeguards built into the system and to advise as the Consumer Data Right is applied to additional sectors.
The Notifiable Data Breaches scheme has now been in operation for 3 years, and the OAIC has resolved more than 3,000 data breach notifications since it began in February 2018. The scheme provides greater transparency to consumers whose data is caught up in a breach and keeps organisations accountable for their obligations to protect personal information. As it matures, we see clear trends: malicious or criminal attacks are the leading source of data breaches, followed by human error. Our regular reporting of this data highlights emerging issues and areas for attention by regulated entities.
We also marked the 10th anniversary of the OAIC in November 2020. The creation of the agency elevated the role of information management within the Australian Government, integrating freedom of information, privacy protection and information policy advice functions. Among our many achievements, during the past decade we resolved more than 24,000 privacy complaints and almost 800 FOI complaints, completed almost 6,000 IC reviews and answered more than 212,000 enquiries.
These achievements are the work of our committed and expert staff, who have maintained their efforts to serve the Australian community throughout this challenging 12-month period. In the year ahead, we will continue to employ our regulatory tools and capabilities to build public trust and confidence in access to government-held information and the protection of personal information, as we support proactive publication and help to develop a privacy framework with the protections and flexibility needed to support a thriving digital economy.
Australian Information Commissioner
23 September 2021
Our year at a glance
Part 2: Performance
Annual performance statement
I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner (OAIC), present the 2020–21 annual performance statement of the OAIC, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, this annual performance statement is based on properly maintained records, accurately reflects the performance of the entity, and complies with subsection 39(2) of the PGPA Act.
During this reporting period, the OAIC delivered on our purpose to promote and uphold privacy and information access rights. We measure our success against the performance indicators outlined in the OAIC Corporate Plan 2020–21 which features 25 indicators grouped under 4 strategic priorities. In 2020–21 we achieved 19 out of our 25 indicators.
Figure 2.1: OAIC indicators by status
Among the highlights of our performance in 2020–21:
- We completed 1,018 Information Commissioner (IC) reviews (compared to 829 in the previous year), finalising more than half within 120 days.
- We finalised 174 freedom of information (FOI) complaints, an increase of 145% on the previous year.
- We completed a Commissioner-initiated investigation (CII) into FOI processes at the Department of Home Affairs, making recommendations which have been accepted and are being implemented by Home Affairs.
- We conducted a joint privacy investigation with the UK Information Commissioner’s Office (ICO) into Clearview AI Inc., with findings to be published in the next reporting period.
- We made 17 privacy determinations, more than in any previous financial year.
- We closed 2,151 privacy complaints, resolving 94% within 12 months.
- We commenced 4 COVIDSafe privacy assessments and completed one assessment of the National COVIDSafe Data Store Access Controls.
- We provided advice on privacy impact assessments (PIAs) related to the COVID-19 vaccination rollout, and published guidance for employers and employees.
- We provided advice to government on its review of the Privacy Act 1988 and in relation to the proposed Online Privacy Code legislation.
- We consulted stakeholders as part of our reviews of the National Health (Privacy) Rules 2018 and Data-matching Program (Assistance and Tax) Guidelines 1994.
- We worked with the Digital Transformation Agency to ensure that privacy is at the centre of new legislation that will enable the expansion of the Digital Identity system.
- We led our biggest Privacy Awareness Week campaign ever, enlisting 629 supporters, and grew our Information Contact Officers Network by 20%, from 573 to 685 members.
- We engaged proactively with domestic and international regulators through a range of forums, working groups and other collaborative mechanisms, including through the Commissioner’s role on the Executive Committee of the Global Privacy Assembly (GPA).
- We chaired the Global Privacy Assembly Strategic Direction Sub-Committee, co-chaired its Digital Citizen and Consumer Working Group, and authored 2 resolutions adopted at the GPA’s annual conference, including one on facial recognition technology.
- We convened a National COVID-19 Privacy Team with state and territory privacy regulators which met regularly throughout the year to respond to proposals with national implications.
- We led work for the International Conference of Information Commissioners (ICIC) that resulted in publication of a joint statement supporting the proactive publication of information relating to the COVID-19 pandemic.
The OAIC Annual Report 2020–21 is available in HTML on the Transparency Portal.
Publication date: 21 October 2021