Publication date: August 2019

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2019–20.

Contact

Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au
Twitter: @OAICgov
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Commissioner’s foreword

This year’s Corporate Plan is my first as Commissioner and signals a shift in the work of my office and the way in which we operate. While our core purpose — to promote and uphold privacy and information access rights — remains constant, the environment in which we regulate has undergone significant change.

The plan responds to our changing environment and sets a clear vision: to increase public trust and confidence in the protection of personal information and access to government-held information.

We will achieve this vision by strengthening online privacy protections, influencing and upholding privacy and information rights frameworks, and supporting proactive provision of information by government. These priorities are underpinned by our contemporary and active approach to regulation for business, government and individuals, which puts the community at the centre of what we do.

At a time when many believe institutional trust is in decline, our work to promote and uphold privacy and information access rights is critical to restoring community confidence in information handling and management. We are pursuing these goals in a rapidly evolving environment as the value and volume of data held by business and government continues to grow and global information-handling practices become increasingly complex.

This context reinforces the need for Australia’s privacy and information rights frameworks to be fit for purpose in the digital age, protecting the rights of individuals as well as holding organisations to account. In light of domestic and international developments it is an opportune time to make sure we have the settings right. The Office of the Australian Information Commissioner (OAIC) will continue to work constructively with government, business and the community to achieve this, building on the significant work of the Australian Competition and Consumer Commission (ACCC).

As a welcome step, the Australian Government has announced it will legislate for strengthened privacy protections and regulatory tools. Particular focus will be given to online platforms that trade in personal information and have the potential to significantly impact the privacy of Australians. The OAIC intends to develop a binding code to apply to online platforms. We aim to increase individuals’ ability to manage their privacy choices and exercise control, including through transparent policies, notices and clear and specific consent, and will focus on the protection of vulnerable Australians including children.

We also need to increase the accountability of regulated entities who are entrusted with Australians’ personal information and benefit from it, so their information handling and business is worthy of trust. The OAIC will work proactively to help ensure organisations and agencies have processes, systems and procedures in place to build privacy into their practices by design and default. This year the OAIC will also work with the Attorney-General’s Department towards implementing the Cross Border Privacy Rules, a significant step towards global interoperability based upon a system of certification.

The Notifiable Data Breaches Scheme, which requires regulated entities to notify my office and affected individuals of eligible data breaches, is a significant accountability measure. Together with the requirement under Australian Privacy Principle (APP) 11 to secure personal information, entities must take a proactive approach. After 12 months of the scheme we have clear evidence of the causes of breaches, with compromised credentials and the human element featuring strongly. We will drive a strategy to educate individuals on how to prevent breaches, and focus on regulating entities to uplift their security posture, particularly the finance and health sectors.

We are preparing for significant enhancements to information-sharing practices through the new Consumer Data Right (CDR) to data portability. Supporting participants and consumers within the CDR scheme will be a key focus for my office in 2019–20 and beyond. Our goal is to enable the consumer and economic benefits that can flow from data sharing by ensuring the system has a robust data protection and privacy framework and effective oversight.

We are also witnessing a noticeable shift in community and government expectations of a regulator’s role, impacting our functions across both privacy and freedom of information. Demand for our information, complaint handling and advisory services continues to grow strongly.

In response to this shift, we are working to ensure freedom of information frameworks are efficient and effective and provide advice to government where we see areas for improvement. We will promote greater understanding of the freedom of information regulatory function and the benefits of proactively releasing government-held information, supporting open government and participatory democracy. Reviewing our guidance and advisory materials to encourage more effective and efficient practice is a central priority for the coming year.

We will remain engaged with our counterparts, both domestic and international, through global and local forums. Through these channels we can continue to drive a collective response to our evolving privacy and information access environment. Our international engagement through the International Conference of Information Commissioners, Asia Pacific Privacy Authorities, and as a member of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners, ensures we are at the forefront of emerging issues and their regulatory solutions. In particular, we are championing the need for globally interoperable privacy standards and collaboration across the privacy and consumer protection jurisdictions.

Our commitment to operating as a contemporary regulator to meet these expectations requires a highly engaged and capable workforce, strong data management capabilities, and a clear and coherent regulatory action plan. The strategic priorities set out in our Corporate Plan represent the integration of our functions within my office, and the commitment of staff to promote and uphold privacy and access to information rights.

In pursuing our shared goals we are guided by our key principles. Our efforts are targeted to address emerging and priority issues and meet community expectations. We are engaged and agile in responding to our changing environment. Above all, we are independent, operating fairly and impartially as the expert authority in guiding regulated entities, enforcing compliance and protecting Australians’ privacy and information access rights.

Cooperation and collaboration will be key to our success. I look forward to working constructively with all stakeholders to achieve our ambition to increase public trust and confidence in the protection of personal information and access to government-held information for the benefit of all Australians.

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

5 August 2019

Statement of preparation

I, Angelene Falk, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2019–20, for the 2019–20 to 2022–23 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

5 August 2019

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General’s Department portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • Performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act.

Overview

Structure of our plan

Our Corporate Plan outlines who we are, what we are here to do, our vision and how we will achieve it. The plan is broken into four key sections:

  1. Our environment and the Commonwealth Regulator Performance Framework (RPF) — outlines the external and internal factors which inform our vision, how we will achieve our vision and what will enable our success in accordance with the RPF
  2. Our ambition — outlines who we are, what success looks like and our guiding principles
  3. How we will achieve our vision — outlines the strategic priorities we will pursue over the life of this plan to achieve our vision
  4. What will enable our success — outlines the key enabling factors to help us deliver our strategic priorities and our vision, focusing on capability and risk oversight.

Our operating environment

Our ambition

Purpose
The reason the OAIC exists

Vision
What future success looks like

Guiding principles
Our ideals

How will we achieve our ambition

Strategic priorities

The OAIC's most important priorities over the period of the plan

Challenges and opportunities

The key external and internal challenges relating to each strategic priority and opportunities to respond to these

Our targeted responses

Key focus areas
  • Our targeted responses to our challenges and opportunities to achieve our desired outcomes
  • What we want to achieve over the period of the plan
Key activities
  • Our key activities for 2019–20

Measuring our success

Indicators of success
  • Indicators which will demonstrate progress towards achievement of our outcomes
Measures
  • How we will measure our indicators
Targets
  • Targets to set a clear expectation of success

What will enable our success

Capability

The capability we require to enable our key focus areas and achieve our ambition

Risk oversight

The risk oversight and management systems to enable our key focus areas and achieve our ambition

Our environment

Understanding and responding to our current environment and anticipating our future environment is essential to achieving our vision for greater trust and confidence in personal information protection and access to government-held information.

Our 2019–20 Corporate Plan identifies the key factors shaping our environment and affecting how we apply our guiding principles to deliver on our agency’s purpose.

The core principles of transparency and accountability underpin the privacy and information access frameworks that we regulate. We support these principles through the exercise of all our functions, including our oversight of the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act).

Over the past four years, we have experienced sustained growth across our regulatory functions, particularly in our primary functional areas of privacy complaints and reviews of agencies’ freedom of information (FOI) decisions (IC reviews). This reflects heightened awareness and expectations of greater transparency and accountability from the community when it comes to both personal information handling and access to information.

Globalised and rapidly evolving data environment

This heightened awareness is also evident internationally, driven by our globalised and rapidly evolving data environment. Our data has enormous potential for individuals, business and government, and it no longer stops at national borders. This presents complex challenges.

Increased value of data as a commodity

Data-sharing practices are constantly adapting to meet the needs of the global digital economy, as the considerable volume of data held by business and government continues to grow.

Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability

The recent number and serious nature of privacy issues continues to attract scrutiny of data-sharing practices and draw attention to the level of institutional trust in the custodians of our personal information. This trend illustrates the ongoing gap between community expectations and organisational practice.

New policy initiatives — such as the Digital Platforms Response, Consumer Data Right and My Health Record — along with the privacy issues emerging around technology, cybersecurity, profiling and automated decision-making, and our observations of implementation and enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR), present an opportunity to review Australia’s privacy regime more broadly. This would canvass issues of interoperability, effectiveness and cohesion, and evaluate the suitability of the current privacy rights and protections in the Australian context.

A strong foundation of privacy and data protection supports innovation and underpins the growth of the Australian digital economy. It also reinforces our data protection standing in relation to international trade. In this context, globally interoperable data protection laws are increasingly important to protect all consumers online and reduce any unnecessary burdens on business.

In addition to our regulatory role, we are a key advisory body on privacy and information management, drawing on our domestic and international networks to shape how organisations and Australian Government agencies harness emerging technologies and data practices to actively participate in the global economy and improve the lives of Australians.

Community expectations for greater transparency and accountability in handling personal information are mirrored in the access to information sphere. This is reflected in an increasing number of applications for Information Commissioner review of agency FOI decisions.

We undertake our FOI regulatory functions through a legislative framework that promotes proactive publication of government-held information, with the objective of increasing public participation in our democracy, encouraging better-informed decision-making and providing confidence in the integrity of our government and the Australian Public Service.

Government transparency initiatives

Our information management landscape is also rapidly evolving within the digital environment. In partnership with other information management agencies, the OAIC has a key leadership role to play in delivering on Australia’s commitment to Open Government.

In the international environment, new access to information initiatives are also emerging. We continue to explore ways in which the FOI Act should be applied to support the government’s Open Government commitment and meet community expectations about the accountability and transparency of federal institutions.

Shift in government and community expectations of a regulator’s role

More generally, we are observing a shift in community and government expectations of regulators. In response, we are taking a contemporary approach to the way we regulate, engaging with and being responsive to these expectations.

This requires us to continue to build our capability and improve the efficiency and effectiveness of our processes. We are also assessing our regulatory frameworks and compliance and enforcement powers in light of these changing expectations.

Commonwealth Regulator Performance Framework

Our Corporate Plan is delivered under the Public Governance, Performance and Accountability Act 2013. Many of the measures detailed in this Corporate Plan also satisfy the reporting requirements under the Commonwealth Regulator Performance Framework (RPF).

The RPF encourages regulators to carry out their functions with the minimum impact necessary, to reduce the burden of unnecessary or inefficient regulation imposed on individuals, business and community organisations; and to effect positive ongoing and lasting cultural change within regulators.

To streamline our reporting requirements, we have indicated within our measurement matrix if the measure is also reporting under the RPF, and which key performance indicators (KPIs) it relates to under the RPF.

The outcomes-based KPIs are referred to numerically within the measurement matrix:

  1. Reducing regulatory burden
  2. Effective communications
  3. Risk-based and proportionate approaches
  4. Efficient and coordinated regulatory action
  5. Transparency
  6. Continuous improvement.

Our ambition

The Office of the Australian Information Commissioner has outlined four strategic priorities for 2019–2023 which we will pursue in line with our guiding principles. Through this work we will deliver on our purpose and achieve our long-term vision.

Purpose

Our purpose is to promote and uphold privacy and information access rights.

Vision

Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.

Guiding principles

Our guiding principles are:

  • Engaged — Active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community
  • Targeted — Efficient in the allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators
  • Expert — Trusted authority on data protection and access to information, advising on policy and legislative reform and regulatory action and providing education
  • Independent — Professional by nature, fair and impartial by application
  • Agile — Collaborative and responsive to changes in technology, legislation and the expectations of the community and government.

Strategic priorities 2019–2023

Our strategic priorities over the life of this plan are:

  1. Advance online privacy protections for Australians
  2. Influence and uphold privacy and information access rights frameworks
  3. Encourage and support proactive release of government-held information
  4. Contemporary approach to regulation.

How we will achieve our ambition

We will deliver on our purpose, and pursue our vision to increase public trust and confidence in the protection of personal information, and access to government-held information, through our four strategic priorities.

Strategic priority 1

Advance online privacy protections for Australians

The OAIC will advance online privacy protections for Australians which support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks. This strategic priority will significantly contribute to achieving our purpose of promoting and upholding privacy rights.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

Trend | Challenges | Opportunities

Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability

  • Increased complexity of the online environment and diversity of people who engage in that environment
  • Enhance online privacy protections, particularly for vulnerable people
  • Enhance awareness of online privacy risks
  • Provide guidance on protecting online privacy
  • Ensure an appropriate regulatory balance between organisational accountability and effective privacy self-management

Globalised and rapidly evolving data environment

  • Data breaches are becoming more frequent, more sensitive and affect more people, owing to the nature of personal information held by online entities and the number of people who engage with the platforms
  • Prevent data breaches by raising awareness of their causes with regulated entities
  • Reduce the impact of data breaches by informing the public about how to protect themselves online

Increased value of data as a commodity

  • Australian businesses’ capacity to take advantage of the benefits of data while minimising privacy risks
  • Support innovation through a strong foundation of privacy and data protection

Increased international cooperation and collaboration

  • Global data regulation is evolving
  • Globally interoperable data protection laws reduce the burden on business and protect consumers
  • Influencing the international debate towards developing globally interoperable privacy protection
  • Work towards the interoperability, effectiveness and cohesion of Australia’s privacy regime

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified three key focus areas for the OAIC from 2019–20 to 2022–23.

1. Influence development of legislation

The OAIC will work with international and domestic regulators, government, entities and civil society to help ensure that privacy policy and legislation is globally aligned, addresses contemporary risks to online privacy protections for Australians, particularly for vulnerable people, and supports the Australian economy.

| Outcomes | Indicators of success |
| --- | --- |
| Greater global alignment of Australian privacy protections | 1.1 The OAIC has influenced the development of globally aligned privacy protections |
| Stakeholders are engaged in process of developing stronger online privacy protections | 1.2 The OAIC has worked with stakeholders to develop online privacy protections |

2. Develop a code of practice for digital platforms

The OAIC will develop a binding code of practice for digital platforms that provides stronger privacy protections for Australians in the online environment, particularly for vulnerable groups such as children.

| Outcomes | Indicators of success |
| --- | --- |
| Stronger privacy protections for Australians engaging in the online environment | 1.3 Protections are enforced through regulatory conduct |

3. Identify and take appropriate regulatory actions

The OAIC will effectively regulate the protection of personal information in the online environment and make regulated entities aware of their obligations. This includes auditing compliance, engaging with regulated entities about the development of new online products, and taking appropriate regulatory action to address deficiencies. We will also work to raise public awareness of the privacy risks of engaging in the online environment.

| Outcomes | Indicators of success |
| --- | --- |
| Greater awareness of the risks of engaging online | 1.4 Community is aware of the risks of engaging online |
| | 1.5 Individuals take action to protect their online privacy |

Measuring our success

| Indicator* | Measure | Target 2019–20 | Target 2020–21 | Target 2021–22 | Target 2022–23 | RPF Ref | PBS KPI |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1.1 The OAIC has influenced the development of globally aligned privacy protections | The OAIC is actively engaged in global privacy forums | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 6 | |
| | Greater alignment between Australian protections and global best practice | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 6 | |
| 1.2 The OAIC has worked with stakeholders to develop online privacy protections | Active engagement with stakeholders | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2,6 | |
| 1.3 Protections are enforced through regulatory conduct | Commissioner’s determinations, directions and enforceable undertakings are complied with; civil penalties are awarded; assessment recommendations are accepted | 90% compliance | As for 2019–20 | As for 2019–20 | As for 2019–20 | 3 | |
| 1.4 Community is aware of the risks of engaging online | Privacy awareness is tracked through longitudinal survey | Community awareness of privacy risks increases compared to previous surveys | Not measured | Not measured | Community awareness of privacy risks increases compared to previous surveys | 1,2,4 | |
| 1.5 Individuals take action to protect their online privacy | Online privacy behaviour is tracked through longitudinal survey | Community is more likely to adjust online privacy settings | Not measured | Not measured | Community is more likely to adjust online privacy settings | 1,2,4 | |

* Beneficiary = Australians, Australian businesses and Australian Government agencies.

Strategic priority 2

Influence and uphold privacy and information access rights frameworks

The OAIC regulates the collection and management of personal information by organisations and agencies to ensure it is handled responsibly. It promotes access to government-held information through the regulation of the Freedom of Information Act and its role in information policy. The OAIC will continue to promote and uphold these rights and regulatory frameworks through its core functions. This includes influencing global and domestic legislative and regulatory developments to advance the national interest.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

Trend | Challenges | Opportunities

Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability

  • Maintaining strong privacy protections in an evolving landscape while supporting innovation that strengthens the Australian economy
  • Community expectations of increased transparency of government data and decision-making
  • To increase public trust in government by enhancing the transparency of personal information handling and government-held information decision-making processes

Focus on the role of the regulator

  • Ensuring that the OAIC meets government and community expectations of an Australian regulator
  • Review regulatory action policies and procedures to ensure alignment with government and community expectations

Increased recognition of the value of data

  • Ensuring effective management of privacy risks across people, systems and technology
  • Ensure Australia’s information rights frameworks are informed by international developments
  • Regulatory functions support Australian businesses in harnessing the benefits of data while minimising privacy risks
  • Support individuals in making decisions about their personal information and ensure regulated entities protect personal information and are accountable for how it is handled
  • Support Australian Government agencies in providing access to government information

Increased international cooperation and collaboration

  • Evolution of international privacy regulation and its potential impact upon Australia’s privacy regime
  • Work with other data protection authorities to develop global consistency and predictability in the standards for modern privacy protection

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified three key focus areas for the OAIC from 2019–20 to 2022–23.

1. Influence policy and legislative change to ensure frameworks remain appropriate

The OAIC will provide advice to government about policy and legislative change that responds to the changing environment and maintains or enhances information access and privacy rights. This includes influencing global regulatory developments to advance the national interest.

| Outcomes | Indicators of success |
| --- | --- |
| Regulatory frameworks uphold information access and privacy rights | 2.1 Policy and legislative reform proposals are identified, scrutinised and advanced |

2. Identify and take appropriate regulatory action

The OAIC regulates the handling of personal information by organisations and agencies. We also regulate access to government-held information under the FOI Act and review decisions made by agencies and ministers. The OAIC will continue to promote and uphold these rights and regulatory frameworks through its core functions.

We will maintain an effective and efficient complaints, review, investigations, notifiable data breaches, assessment and public information service. We will ensure that compliance risks and significant or systemic issues are identified, and appropriate regulatory action is taken to change practices.

Over the coming year we will monitor and provide guidance and advice to mitigate impacts on privacy and access to government-held information. We will also measure community attitudes to information access rights and privacy and undertake awareness and education activities to help Australians manage privacy risks and access government-held information.

| Outcomes | Indicators of success |
| --- | --- |
| Timely and effective outcomes of complaints and reviews | 2.2 Handling privacy complaints |
| | 2.3 Conducting Privacy Commissioner-initiated investigations |
| | 2.4 Handling data breach notifications |
| | 2.5 Providing an Information Commissioner review function |
| | 2.6 Handling FOI complaints |
| | 2.7 Conducting FOI Commissioner-initiated investigations |
| Risk-based approach is taken to monitor, guide and advise on mitigating impacts on privacy and access to government information | 2.8 Targeted monitoring, guidance and advice provided |
| Community is aware of their privacy and information access rights and how to exercise them | 2.9 Providing a public information service |
| | 2.10 Community awareness of privacy and information access rights |

3. Implement the Consumer Data Right

The OAIC will support the implementation of the Consumer Data Right (CDR) to provide greater choice and control for Australians over how their data is used and disclosed. This includes implementing the CDR in the financial sector, establishing an effective privacy complaints system, and delivering guidance and education materials to support participants and consumers.

| Outcomes | Indicators of success |
| --- | --- |
| Privacy is protected under new data portability rights | 2.11 Open Banking is implemented with strong privacy protections |
| | 2.12 The OAIC promotes awareness of CDR privacy rights |
| | 2.13 Community uses complaints mechanism to protect their privacy rights |

Measuring our success

| Indicator* | Measure | Target 2019–20 | Target 2020–21 | Target 2021–22 | Target 2022–23 | RPF Ref | PBS KPI |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2.1 Policy and legislative reform proposals are identified | The OAIC has identified and advanced proposals | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 6 | |
| 2.2 Handling privacy complaints | Time taken to finalise privacy complaints | 80% of privacy complaints are finalised within 12 months | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2,5 | Yes |
| 2.3 Conducting Privacy Commissioner-initiated investigations (CIIs) | Time taken to finalise privacy CIIs | 80% of privacy CIIs are finalised within eight months | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | Yes |
| 2.4 Handling data breach notifications | Time taken to finalise data breach notifications (DBNs) | 80% of DBNs are finalised within 60 days; 80% of My Health Record DBNs are finalised within 60 days | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | Yes |
| 2.5 Providing an Information Commissioner (IC) review function | Time taken to complete IC reviews | 80% of IC reviews are completed within 12 months | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,3,4 | Yes |
| 2.6 Handling FOI complaints | Time taken to finalise FOI complaints | 80% of FOI complaints are finalised within 12 months | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,3,4,5 | Yes |
| 2.7 Conducting FOI Commissioner-initiated investigations | Time taken to finalise FOI CIIs | 80% of FOI CIIs are finalised within eight months | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,3,4 | Yes |
| 2.8 Targeted monitoring, guidance and advice provided | Submissions, guidance, advice and monitoring provided that effect change to protect privacy and access to information rights | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 4 | |
| 2.9 Provide a public information service | Time taken to finalise written enquiries | 90% of written enquiries are finalised within 10 working days | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | Yes |
| 2.10 Increase in community awareness and understanding of privacy and information access rights | Visits to OAIC website | Increase in website traffic | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | |
| | Social media engagement | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | |
| 2.11 Open Banking is implemented with strong privacy protections | 1. Project milestones met; 2. Ongoing advice is provided and integrated into the scheme | 1. 90% of project milestones achieved; 2. Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 4,6 | |

2.12 The OAIC promotes awareness of CDR privacy rights

Education and awareness materials are developed and promoted

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

1,2

 

2.13 Community uses complaints mechanism to protect their privacy rights

Complaint handling mechanism for the CDR is operational and actively used

Complaint volumes reflect awareness and accessibility of complaint handling mechanism

As for 2019–20

As for 2019–20

As for 2019–20

1,2,5

 

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Strategic priority 3

Encourage and support proactive release of government-held information

The OAIC will continue to champion government transparency by developing initiatives that facilitate a proactive approach to providing access to government-held information. These will be aimed at making better use of government-held information to support innovation and inform policy while ensuring appropriate privacy safeguards are in place. This strategic priority will significantly contribute to our purpose of promoting and upholding information access rights.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

Trend | Challenges | Opportunities

Declining public trust in those responsible for handling personal information, and greater expectation for transparency and accountability

  • Changing ways in which people engage with businesses and government
  • Ensure FOI framework is responsive to contemporary public expectations and increasingly digital interactions
  • Engage with public sector agencies in delivering on the objectives of the FOI Act
  • Undertake proactive regulatory activity to guide decision makers and promote public awareness

Government transparency initiatives

  • Complex domestic regulatory environment
  • Use Open Government Partnership to increase transparency
  • Promote understanding of existing statutory mechanisms that support transparency
  • Work with stakeholders to strengthen and improve access to government information

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified two key focus areas for the OAIC from 2019–20 to 2022–23.

1. Develop government capability

The OAIC will continue to work with Australian Government agencies to develop their capability in applying and understanding the objects of the FOI Act. The OAIC will undertake proactive regulatory activity, including providing guidance, to promote greater access to government-held information.

We will review and update our resources to assist agencies and ministers to apply the FOI Act, and actively promote the Information Publication Scheme (IPS) to support government transparency initiatives.

Outcomes | Indicators of success
  • Agencies are making better FOI decisions

3.1 Improvement in FOI review trends and FOI complaints trends

3.2 Improvement in time taken to respond to FOI requests

2. Influence information management framework

The OAIC will work with stakeholders to strengthen and improve access to government information to support public participation and engagement and strengthen trust in government. We will engage with ministers and agencies to promote understanding of obligations under the FOI Act, and help ensure that FOI policy and practice continues to meet the expectations of the Australian community.

We will continue to work as part of the Open Government Forum to implement the Open Government National Action Plan 2018–20 and engage with domestic and international counterparts to promote information access rights.

Outcomes | Indicators of success
  • Government-held information is managed as a national resource

3.3 More government-held information is published proactively

  • Access to government-held information promotes Australia’s representative democracy and confidence in public sector integrity

3.4 Increased community awareness of information access rights

Measuring our success

| Indicator* | Measure | Target 2019–20 | Target 2020–21 | Target 2021–22 | Target 2022–23 | RPF Ref | PBS KPI |
|---|---|---|---|---|---|---|---|
| 3.1 Improvement in FOI review trends and FOI complaints trends | Number of FOI applications to government agencies and FOI complaints | Implementation underway | Decrease in number of FOI reviews and complaints | As for 2020–21 | As for 2020–21 | 1,2,5 | |
| 3.2 Improvement in time taken to respond to FOI requests | FOI requests determined and processed within the applicable statutory time period | Increase percentage | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,2 | |
| 3.3 More government-held information is published proactively | Information available on agency websites | Benchmark number of agency documents published under IPS and disclosure logs | Increase in number of agency documents published under IPS and disclosure logs | As for 2020–21 | As for 2020–21 | 1,5 | |
| 3.4 Increase in community awareness and understanding of information access rights | Visits to OAIC website | Increase in website traffic | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | |
| | Social media engagement | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 2 | |

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Strategic priority 4

Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and freedom of information laws. This means engaging with and being responsive to the community’s expectations of its regulatory bodies.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

Trend | Challenges | Opportunities

Shift in Australian Government and community expectations of a regulator’s role

  • Ensuring the OAIC’s regulatory approach reflects government and community expectations of regulators
  • Focus on key regulatory risks and align activities and use of regulatory power to deliver highest impact
  • Review community and government expectations of Australian regulators and ensure the OAIC’s regulatory approach, internal capability, and stakeholder engagement reflect these expectations

Evolution in international landscape in relation to privacy and information access, and increased globalisation of the economy

  • Ensuring that domestic policy and guidance is interoperable with international law to facilitate Australia’s participation in the global economy
  • Active participation in changing global regulatory landscape
  • Work with other data protection authorities towards interoperability of privacy regulation and enforcement
  • Support development and implementation of access to information laws globally
  • Influence the global regulatory environment to ensure the best outcomes for Australians and full participation in the global economy

Expectation from the public that appropriate regulatory action will be taken in respect of breaches of the relevant law

  • Ensuring that appropriate regulatory action is taken and that regulatory responses are consistent, proportionate, transparent, and evidence and risk-based
  • Demonstrate that the OAIC is an effective regulator

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified two key focus areas for the OAIC from 2019–20 to 2022–23.

1. Review our regulatory approach

We will review our regulatory approach to ensure it aligns with government and public expectations of domestic regulators, and that it has the necessary statutory powers to meet those expectations. This will focus on refreshing and recalibrating compliance and enforcement policy tools and developing a new service charter. We will also engage with other regulators on shared regulatory matters.

Outcomes | Indicators of success
  • The OAIC meets government and community expectations of an effective Australian regulator

4.1 The OAIC has sufficient statutory powers to detect and deter non-compliance

4.2 The OAIC is seen to take appropriate regulatory action in relation to breaches of the relevant law

  • The OAIC is highly regarded globally and domestically

4.3 International regulators actively seek the views of the OAIC in relation to policy development or enforcement activities

4.4 The OAIC has strong and productive relationships with domestic regulators

2. Internal capability development

The OAIC will enhance its internal capability in the areas of people, data management and stakeholder engagement to ensure it efficiently delivers its regulatory responsibilities. We will update our workforce capability plan and undertake recruitment and training in areas of emerging technical capability requirements. We will enter formal arrangements with Australian Government entities for collaboration in relation to regulatory activities. We will also develop and implement a data strategy.

Outcomes | Indicators of success
  • Highly engaged and capable workforce with the technical capability to respond to the contemporary environment

4.5 Improved employee engagement

4.6 Reduced staff turnover rate

4.7 Strong competition for vacancies

4.8 Internal capability supports the full range of OAIC functions

  • Strong data management capability supports the OAIC to understand and address emerging privacy and information access risks

4.9 Data analysis identifies enterprise risks

Measuring our success

| Indicator* | Measure | Target 2019–20 | Target 2020–21 | Target 2021–22 | Target 2022–23 | RPF Ref | PBS KPI |
|---|---|---|---|---|---|---|---|
| 4.1 The OAIC has sufficient statutory powers to detect and deter non-compliance | Powers are enhanced | Qualitatively demonstrated | | | | 4 | |
| 4.2 The OAIC is seen to take appropriate regulatory action in relation to breaches of the relevant law | Media and stakeholder sentiment | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 3,6 | |
| 4.3 International regulators actively seek the views of the OAIC in relation to policy development or enforcement activities | Engagement with international regulators | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,6 | |
| 4.4 The OAIC has strong and productive relationships with domestic regulators | Regular engagement with other regulators | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 1,6 | |
| 4.5 Improved employee engagement | Measured through APS Employee Census | Improvement on previous year | As for 2019–20 | As for 2019–20 | As for 2019–20 | | |
| 4.6 Reduced staff turnover rate | Staff turnover rate | In line with APS small agency average | As for 2019–20 | As for 2019–20 | As for 2019–20 | | |
| 4.7 Strong competition for vacancies | Sufficient high-quality applicants for advertised roles | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | | |
| 4.8 Internal capability supports the full range of OAIC functions | Approved training courses completed | 75% of approved courses are completed | As for 2019–20 | As for 2019–20 | As for 2019–20 | 3,4 | |
| 4.9 Data analysis identifies enterprise risks | Reports completed | Qualitatively demonstrated | As for 2019–20 | As for 2019–20 | As for 2019–20 | 3,4 | |

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Corporate Plan overview

Our ambition

The OAIC has outlined four strategic priorities for 2019–23 which we will pursue in line with our guiding principles. Through this work we will deliver on our purpose and achieve our long-term vision.

Our vision infographic

Strategic priorities | Key focus areas | Outcomes

Advance online privacy protections for Australians

Influence development of legislation

Greater global alignment of Australian privacy protections

Stakeholders are engaged in process of developing stronger online privacy protections

Develop a code of practice for digital platforms

Stronger privacy protections for Australians engaging in the online environment

Identify and take appropriate regulatory actions

Greater awareness of the risks of engaging online

Influence and uphold privacy and information access rights framework

Influence policy and legislative change to ensure frameworks remain appropriate

Regulatory frameworks uphold information access and privacy rights

Identify and take appropriate regulatory action

Timely and effective outcomes of complaints and reviews

Risk-based approach is taken to monitor, guide and advise on mitigating impacts on privacy and access to government information

Community is aware of their privacy and information access rights and how to exercise them

Implement the Consumer Data Right

Privacy is protected under new data portability right

Encourage and support proactive release of government-held information

Develop government capability

Agencies are making better FOI decisions

Influence information management framework

Government-held information is managed as a national resource

Access to government-held information promotes Australia’s representative democracy and confidence in public sector integrity

Contemporary approach to regulation

Review our regulatory approach

The OAIC meets government and community expectations of an effective Australian regulator

The OAIC is highly regarded globally and domestically

Internal capability development

Highly engaged and capable workforce with the technical capability to respond to the contemporary environment

Strong data management capability supports the OAIC to understand and address emerging privacy and information access risks

What will enable our success

Enhanced capability and effective risk management and oversight will facilitate delivery of our key activities and regulatory functions against our purpose and vision.

Capability

Our capability requirements are closely related to Strategic Priority 4: Contemporary approach to regulation. To achieve our ambition, we have developed a four-year capability roadmap focused on:

  • People
  • Data management
  • Engagement and influence
  • Efficiency

An assessment of each of these capabilities and planned initiatives for enhancing the capability areas is shown below.

Capability area | Assessment of current capability | Capability initiatives | Capability outcomes

People

The OAIC has a dedicated and expert team of staff who are experienced in carrying out all aspects of our legislative functions, from advice, guidance and communications, to complaint handling, investigations, assessments and Information Commissioner reviews.

Our current people capabilities are tested by an increase in our workload, responsibilities and fast-changing environment. The implementation of new legislative schemes, such as the Notifiable Data Breaches Scheme and the Consumer Data Right, has further increased demand for advice, guidance and regulatory action.

  • Bring in expertise
  • Develop internal capability
  • Elevate base-level understanding

Highly engaged and capable workforce

Data management

The OAIC effectively assesses risk within its key functional areas, but there is an opportunity to systematise the assessment of enterprise risk across those functional areas.

  • Analyse and identify emerging themes and intelligence analysis, resources and knowledge-sharing systems

Strong data management capabilities to maximise analysis of data to identify and address enterprise risk

Stakeholder engagement

In recognition of the global nature of the privacy landscape and organisational data flows, we build and maintain strong and productive relationships with privacy authorities in other domestic and international jurisdictions, in order to collaborate on investigations and share information about privacy best practice.

We also participate in two important FOI networks, the Association of Information Access Commissioners and the International Conference of Information Commissioners, which assists us to ensure that our FOI regulatory activities are aligned with global best practice.

We engage across our stakeholder landscape using a variety of mechanisms, such as:

  • our networks (including our Privacy Professionals Network and Information Contact Officers Network)
  • direct interaction via a range of forums and meetings with government, business and research bodies
  • our participation in conferences and other stakeholder events.

  • Support global and domestic engagement with relevant regulators
  • Develop and promote effective communications and education products in collaboration with other regulators
  • Participate in joint regulatory action where appropriate

Highly regarded globally and domestically

Efficiency

Sustained increases to our regulatory workload require close examination of how we work and what we can do to deliver improved and more efficient services.

  • Implementation of a technical advisory panel
  • Systematic and regular reviews of business processes

Improved internal efficiency

Risk management and oversight

The OAIC continues to maintain its effective risk processes, which enhance our risk management capability. Our Risk Management Framework and Procedures outline how the OAIC implements the Risk Management Policy and the steps we take to address risk management capability in the OAIC. This includes educating our people and providing a clear understanding of risk appetite to help our staff assess risks, make informed decisions, confidently engage with risk and harness its opportunities, while minimising adverse consequences.

We recognise that commitment to risk management contributes to sound management practice and increasing confidence in performance. The OAIC is proactive in addressing all elements of the Commonwealth Risk Management Policy requirements.

Risk mitigation (or control) activities are well managed through regular review of organisational plans for identified risk areas, and in preparation for the introduction of new projects, programs and schemes. We review all control activities associated with implementation to ensure that any identified risks are mitigated and we actively monitor potential risks associated with the project or program. Risk is also overseen by our Audit Committee.

In our approach to risk management, the OAIC considers factors that may affect our ability to effectively engage with, and manage our relationships with, our stakeholders.

Working under a robust risk management framework helps us to achieve our purpose by promoting and upholding privacy and information access rights in a way that manages risk, and instils confidence in the community and our stakeholders.

Our Risk Management Policy defines the OAIC’s approach to the management of risk and how this approach supports our strategic plans and objectives.

Our Risk Management Framework and Procedures document:

  • outlines practices and actions to embed risk management into business practices and cultivate a positive risk culture
  • assigns clear roles and responsibilities across the OAIC organisational and management structure
  • details the OAIC’s shared risk management agreements
  • identifies the stakeholders we communicate with about risk information.

The OAIC is committed to ensuring that management and staff develop appropriate risk management capabilities through training.