Corporate Plan 2019–20

Last updated: 23 August 2019

Publication date: August 2019

Download the print version

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2019–20.

Contact

Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Email: enquiries@oaic.gov.au
Website www.oaic.gov.au
Twitter: @OAICgov
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Commissioner’s foreword

This year’s Corporate Plan is my first as Commissioner and signals a shift in the work of my office and the way in which we operate. While our core purpose — to promote and uphold privacy and information access rights — remains constant, the environment in which we regulate has undergone significant change.

The plan responds to our changing environment and sets a clear vision: to increase public trust and confidence in the protection of personal information and access to government-held information.

We will achieve this vision by strengthening online privacy protections, influencing and upholding privacy and information rights frameworks, and supporting proactive provision of information by government. These priorities are underpinned by our contemporary and active approach to regulation for business, government and individuals, which puts the community at the centre of what we do.

At a time when many believe institutional trust is in decline, our work to promote and uphold privacy and information access rights is critical to restoring community confidence in information handling and management. We are pursuing these goals in a rapidly evolving environment as the value and volume of data held by business and government continues to grow and global information-handling practices become increasingly complex.

This context reinforces the need for Australia’s privacy and information rights frameworks to be fit for purpose in the digital age, protecting the rights of individuals as well as holding organisations to account. In light of domestic and international developments it is an opportune time to make sure we have the settings right. The Office of the Australian Information Commissioner (OAIC) will continue to work constructively with government, business and the community to achieve this, building on the significant work of the Australian Competition and Consumer Commission (ACCC).

As a welcome step, the Australian Government has announced it will legislate for strengthened privacy protections and regulatory tools. Particular focus will be given to online platforms that trade in personal information and have the potential to significantly impact the privacy of Australians. The OAIC intends to develop a binding code to apply to online platforms. We aim to increase individuals’ ability to manage their privacy choices and exercise control, including through transparent policies, notices and clear and specific consent, and will focus on the protection of vulnerable Australians including children.

We also need to increase the accountability of regulated entities who are entrusted with Australians’ personal information and benefit from it, so their information handling and business is worthy of trust. The OAIC will work proactively to help ensure organisations and agencies have processes, systems and procedures in place to build privacy into their practices by design and default. This year the OAIC will also work with the Attorney-General’s Department towards implementing the Cross Border Privacy Rules, a significant step towards global interoperability based upon a system
of certification.

The Notifiable Data Breaches Scheme, which requires regulated entities to notify my office and affected individuals of eligible data breaches, is a significant accountability measure. Together with the requirement under Australian Privacy Principle (APP) 11 to secure personal information, entities must take a proactive approach. After 12 months of the scheme we have clear evidence of the causes of breaches, with compromised credentials and the human element featuring strongly. We will drive a strategy to educate individuals on how to prevent breaches, and focus on regulating entities to uplift their security posture, particularly the finance and health sectors.

We are preparing for significant enhancements to information-sharing practices through the new Consumer Data Right (CDR) to data portability. Supporting participants and consumers within the CDR scheme will be a key focus for my office in 2019–20 and beyond. Our goal is to enable the consumer and economic benefits that can flow from data sharing by ensuring the system has a robust data protection and privacy framework and effective oversight.

We are also witnessing a noticeable shift in community and government expectations of a regulator’s role, impacting our functions across both privacy and freedom of information. Demand for our information, complaint handling and advisory services continues to grow strongly.

In response to this shift, we are working to ensure freedom of information frameworks are efficient and effective and provide advice to government where we see areas for improvement. We will promote greater understanding of the freedom of information regulatory function and the benefits of proactively releasing government-held information, supporting open government and participatory democracy. Reviewing our guidance and advisory materials to encourage more effective and efficient practice is a central priority for the coming year.

We will remain engaged with our counterparts, both domestic and international, through global and local forums. Through these channels we can continue to drive a collective response to our evolving privacy and information access environment. Our international engagement through the International Conference of Information Commissioners, Asia Pacific Privacy Authorities, and as a member of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners, ensures we are at the forefront of emerging issues and their regulatory solutions. In particular, we are championing the need for globally interoperable privacy standards and collaboration across the privacy and consumer protection jurisdictions.

Our commitment to operating as a contemporary regulator to meet these expectations requires a highly engaged and capable workforce, strong data management capabilities, and a clear and coherent regulatory action plan. The strategic priorities set out in our Corporate Plan represents the integration of our functions within my office, and the commitment of staff to promote and uphold privacy and access to information rights.

In pursuing our shared goals we are guided by our key principles. Our efforts are targeted to address emerging and priority issues and meet community expectations. We are engaged and agile in responding to our changing environment. Above all, we are independent, operating fairly and impartially as the expert authority in guiding regulated entities, enforcing compliance and protecting Australians’ privacy and information access rights.

Cooperation and collaboration will be key to our success. I look forward to working constructively with all stakeholders to achieve our ambition to increase public trust and confidence in the protection of personal information and access to government-held information for the benefit of all Australians.

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

5 August 2019

Statement of preparation

I, Angelene Falk, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2019–20, for the 2019–20 to 2022–23 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

5 August 2019

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General Department’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • Performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act.

Overview

Structure of our plan

Our Corporate Plan outlines who we are, what we are here to do, our vision and how we will achieve it. The plan is broken into four key sections:

  1. Our environment and the Commonwealth Regulatory Performance Framework (RPF) —outlines the external and internal factors which inform our vision, how we will achieve our vision and what will enable our success in accordance with the RPF
  2. Our ambition — outlines who we are, what success looks like and our guiding principles
  3. How we will achieve our vision — outlines the strategic priorities we will pursue over the life of this plan to achieve our vision
  4. What will enable our success — outlines the key enabling factors to help us deliver our strategic priorities and our vision, focusing on capability and risk oversight.

Our operating environment

Our ambition

Target icon

Purpose
The reason the OAIC exists

Light bulb

Vision
What future success looks like

Compass icon

Guiding principles
Our ideals

How will we achieve our ambition

Strategic priorities

The OAIC's most important priorities over the period of the plan

Challenges and opportunities

The key external and internal challenges relating to each strategic priority and opportunities to respond to these

Our targeted responses

Key focus areas
  • Our targeted responses to our challenges and opportunities to achieve our desired outcomes
  • What we want to achieve over the period of the plan
Key activities
  • Our key activities for 2019–20

Measuring our success

Indicators of success
  • Indicators which will demonstrate progress towards achievement of our outcomes
Measures
  • How we will measure our indicators
Targets
  • Targets to set a clear expectation of success

What will enable our success

Capability

The capability we require to enable our key focus areas and achieve our ambition

Risk oversight

The risk oversight and management systems to enable our key focus areas and achieve our ambition

Our environment

Understanding and responding to our current environment and anticipating our future environment is essential to achieving our vision for greater trust and confidence in personal information protection and access to government-held information.

Our 2019–20 Corporate Plan identifies the key factors shaping our environment and affecting how we apply our guiding principles to deliver on our agency’s purpose.

The core principles of transparency and accountability underpin the privacy and information access frameworks that we regulate. We support these principles through the exercise of all our functions, including our oversight of the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act).

Over the past four years, we have experienced sustained growth across our regulatory functions, particularly in our primary functional areas of privacy complaints and reviews of agencies’ freedom of information (FOI) decisions (IC reviews). This reflects heightened awareness and expectations of greater transparency and accountability from the community when it comes to both personal information handling and access to information.

Globalised and rapidly evolving data environment

This heightened awareness is also evident internationally, driven by our globalised and rapidly evolving data environment. Our data has enormous potential for individuals, business and government, and it no longer stops at national borders. This presents complex challenges.

Increased value of data as a commodity

Data-sharing practices are constantly adapting to meet the needs of the global digital economy, as the considerable volume of data held by business and government continues to grow.

Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability

The recent number and serious nature of privacy issues continues to attract scrutiny of data-sharing practices and draw attention to the level of institutional trust in the custodians of our personal information. This trend illustrates the ongoing gap between community expectations and organisational practice.

New policy initiatives — such as the Digital Platforms Response, Consumer Data Right and My Health Record — along with the privacy issues emerging around technology, cybersecurity, profiling and automated decision-making, and our observations of implementation and enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR), present an opportunity to review Australia’s privacy regime more broadly. This would canvass issues of interoperability, effectiveness and cohesion, and evaluate the suitability of the current privacy rights and protections in the Australian context.

A strong foundation of privacy and data protection supports innovation and underpins the growth of the Australian digital economy. It also reinforces our data protection standing in relation to international trade. In this context, globally interoperable data protection laws are increasingly important to protect all consumers online and reduce any unnecessary burdens on business.

In addition to our regulatory role, we are a key advisory body on privacy and information management, drawing on our domestic and international networks to shape how organisations and Australian Government agencies harness emerging technologies and data practices to actively participate in the global economy and improve the lives of Australians.

Community expectations for greater transparency and accountability in handling personal information are mirrored in the access to information sphere. This is reflected in an increasing number of applications for Information Commissioner review of agency FOI decisions.

We undertake our FOI regulatory functions through a legislative framework that promotes proactive publication of government-held information, with the objective of increasing public participation in our democracy, encouraging better-informed decision-making and providing confidence in the integrity of our government and the Australian Public Service.

Government transparency initiatives

Our information management landscape is also rapidly evolving within the digital environment. In partnership with other information management agencies, the OAIC has a key leadership role to play in delivering on Australia’s commitment to Open Government.

In the international environment, new access to information initiatives are also emerging. We continue to explore ways in which the FOI Act should be applied to support the government’s Open Government commitment and meet community expectations about the accountability and transparency of federal institutions.

Shift in government and community expectations of a regulator’s role

More generally, we are observing a shift in community and government expectations of regulators. In response, we are taking a contemporary approach to the way we regulate, engaging with and being responsive to these expectations.

This requires us to continue to build our capability and improve the efficiency and effectiveness of our processes. We are also assessing our regulatory frameworks and compliance and enforcement powers in light of these changing expectations.

Commonwealth Regulator Performance Framework

Our Corporate Plan is delivered under the Public Governance, Performance and Accountability Act 2013. Many of the measures detailed in this Corporate Plan also satisfy the reporting requirements under the Commonwealth Regulator Performance Framework (RPF).

The RPF encourages regulators to carry out their functions with the minimum impact necessary, to reduce the burden of unnecessary or inefficient regulation imposed on individuals, business and community organisations; and to effect positive ongoing and lasting cultural change within regulators.

To streamline our reporting requirements, we have indicated within our measurement matrix if the measure is also reporting under the RPF, and which key performance indicators (KPIs) it relates to under the RPF.

The outcomes-based KPIs are referred to numerically within the measurement matrix:

  1. Reducing regulatory burden
  2. Effective communications
  3. Risk-based and proportionate approaches
  4. Efficient and coordinated regulatory action
  5. Transparency
  6. Continuous improvement.

Our ambition

The Office of the Australian Information Commissioner has outlined four strategic priorities for 2019–2023 which we will pursue in line with our guiding principles. Through this work we will deliver on our purpose and achieve our long-term vision.

Purpose

Our purpose is to promote and uphold privacy and information access rights.

Vision

Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.

Guiding principles

Our guiding principles are:

  • Engaged — Active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community
  • Targeted — Efficient in the allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators
  • Expert — Trusted authority on data protection and access to information, advising on policy and legislative reform and regulatory action and providing education
  • Independent — Professional by nature, fair and impartial by application
  • Agile — Collaborative and responsive to changes in technology, legislation and the expectations of the community and government.

Strategic priorities 2019–2023

Our strategic priorities over the life of this plan are:

  1. Advance online privacy protections for Australians
  2. Influence and uphold privacy and information access rights frameworks
  3. Encourage and support proactive release of government-held information
  4. Contemporary approach to regulation.

Our ambition

The Office of the Australian Information Commissioner has outlined four strategic priorities for 2019–2023, which we will pursue in line with our guiding principles. Through this work, we will deliver on our purpose and achieve our long-term vision.

Our vision infographic

How we will achieve our ambition

We will deliver on our purpose, and pursue our vision to increase public trust and confidence in the protection of personal information, and access to government-held information, through our four strategic priorities.

Strategic priority 1

Advance online privacy protections for Australians

The OAIC will advance online privacy protections for Australians which support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks. This strategic priority will significantly contribute to achieving our purpose of promoting and upholding privacy rights.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

TrendChallengesOpportunities
Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability
  • Increased complexity of the online environment and diversity of people who engage in that environmen
  • Enhance online privacy protections, particularly for vulnerable people
  • Enhance awareness of online privacy risks
  • Provide guidance on protecting online privacy
  • Ensure an appropriate regulatory balance between organisational accountability and effective privacy self-management
Globalised and rapidly evolving data environment
  • Data breaches are becoming more frequent, more sensitive and affect more people, owing to the nature of personal information held by online entities and the number of people who engage with the platforms
  • Prevent data breaches by raising awareness
    of their causes with regulated entities
  • Reduce the impact of data breaches by informing the public about how to protect themselves online
Increased value of data as a commodity
  • Australian businesses’ capacity to take advantage of the benefits of data while minimising privacy risks
  • Support innovation through a strong foundation of privacy and data protection
Increased international cooperation and collaboration
  • Global data regulation is evolving
  • Globally interoperable data protection laws reduce the burden on business and protect consumers
  • Influencing the international debate towards developing globally interoperable privacy protection
  • Work towards the interoperability, effectiveness and cohesion of Australia’s privacy regime

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified three key focus areas for the OAIC from 2019–20 to 2022–23.

1. Influence development of legislation

The OAIC will work with international and domestic regulators, government, entities and civil society to help ensure that privacy policy and legislation is globally aligned, addresses contemporary risks to online privacy protections for Australians, particularly for vulnerable people, and supports the Australian economy.

OutcomesIndicators of success
  • Greater global alignment of Australian privacy protections
1.1 The OAIC has influenced the development of globally aligned privacy protections
  • Stakeholders are engaged in process of developing stronger online privacy protections
1.2 The OAIC has worked with stakeholders to develop online privacy protections
2. Develop a code of practice for digital platforms

The OAIC will develop a binding code of practice for digital platforms that provides stronger privacy protections for Australians in the online environment, particularly for vulnerable groups such as children.

OutcomesIndicators of success
  • Stronger privacy protections for Australians engaging in the online environment
1.3 Protections are enforced through regulatory conduct
3. Identify and take appropriate regulatory actions

The OAIC will effectively regulate the protection of personal information in the online environment and make regulated entities aware of their obligations. This includes auditing compliance, engaging with regulated entities about the development of new online products, and taking appropriate regulatory action to address deficiencies. We will also work to raise public awareness of the privacy risks of engaging in the online environment.

OutcomesIndicators of success
  • Greater awareness of the risks of engaging online

1.4 Community is aware of the risks of engaging online

1.5 Individuals take action to protect their online privacy

Measuring our success

Indicator*MeasureTargetsRPF RefPBS KPI
2019–202020–212021–222022–23

1.1 The OAIC has influenced the development of globally aligned privacy protections

The OAIC is actively engaged in global privacy forums

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

6

Greater alignment between Australian protections and global best practice

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

6

1.2 The OAIC has worked with stakeholders to develop online privacy protections

Active engagement with stakeholders

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

2,6

1.3 Protections are enforced through regulatory conduct

Commissioner’s determinations, directions and enforceable undertakings are complied with; civil penalties are awarded; assessment recommendations are accepted

90% compliance

As for 2019–20

As for 2019–20

As for 2019–20

3

1.4 Community is aware of the risks of engaging online

Privacy awareness is tracked through longitudinal survey

Community awareness of privacy risks increases compared to previous surveys

Not measured

Not measured

Community awareness of privacy risks increases compared to previous surveys

1,2,4

1.5 Individuals take action to protect their online privacy

Online privacy behaviour is tracked through longitudinal survey

Community is more likely to adjust online privacy settings

Not measured

Not measured

Community is more likely to adjust online privacy settings

1,2,4

* Beneficiary = Australians, Australian businesses and Australian Government agencies.

Strategic priority 2

Influence and uphold privacy and information access rights frameworks

The OAIC regulates the collection and management of personal information by organisations and agencies to ensure it is handled responsibly. It promotes access to government-held information through the regulation of the Freedom of Information Act and its role in information policy. The OAIC will continue to promote and uphold these rights and regulatory frameworks through its core functions. This includes influencing global and domestic legislative and regulatory developments to advance the national interest.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

TrendChallengesOpportunities

Declining public trust in those responsible for handling information, and expectations of greater transparency and accountability

  • Maintaining strong privacy protections in an evolving landscape while supporting innovation that strengthens the Australian economy
  • Community expectations of increased transparency of government data and
    decision-making
  • To increase public trust in government by enhancing the transparency of personal information handling and government-held information decision-making processes

Focus on the role of the regulator

  • Ensuring that the OAIC meets government and community expectations of an Australian regulator
  • Review regulatory action policies and procedures to ensure alignment with government and community expectations

Increased recognition of the value of data

  • Ensuring effective management of privacy risks across people, systems and technology
  • Ensure Australia’s information rights frameworks are informed by international developments
  • Regulatory functions support Australian businesses in harnessing the benefits of data while minimising privacy risks
  • Support individuals in making decisions about their personal information and ensure regulated entities protect personal information and are accountable for how it is handled
  • Support Australian Government agencies in providing access to government information

Increased international cooperation and collaboration

  • Evolution of international privacy regulation and its potential impact upon Australia’s privacy regime
  • Work with other data protection authorities to develop global consistency and predictability in the standards for modern privacy protection

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified three key focus areas for the OAIC from 2019–20 to 2022–23.

1. Influence policy and legislative change to ensure frameworks remain appropriate

The OAIC will provide advice to government about policy and legislative change that responds to the changing environment and maintains or enhances information access and privacy rights. This includes influencing global regulatory developments to advance the national interest.

OutcomesIndicators of success
  • Regulatory frameworks uphold information access and privacy rights
2.1 Policy and legislative reform proposals are identified, scrutinised and advanced
2. Identify and take appropriate regulatory action

The OAIC regulates the handling of personal information by organisations and agencies. We also regulate access to government-held information under the FOI Act and review decisions made by agencies and ministers. The OAIC will continue to promote and uphold these rights and regulatory frameworks through its core functions.

We will maintain an effective and efficient complaints, review, investigations, notifiable data breaches, assessment and public information service. We will ensure that compliance risks and significant or systemic issues are identified, and appropriate regulatory action is taken to change practices.

Over the coming year we will monitor and provide guidance and advice to mitigate impacts on privacy and access to government-held information. We will also measure community attitudes to information access rights and privacy and undertake awareness and education activities to help Australians manage privacy risks and access government-held information.

OutcomesIndicators of success
  • Timely and effective outcomes of complaints and reviews

2.2 Handling privacy complaints

2.3 Conducting Privacy Commissioner-initiated investigations

2.4 Handling data breach notifications

2.5 Providing an Information Commissioner review function

2.6 Handling FOI complaints

2.7 Conducting FOI Commissioner-initiated investigations

  • Risk-based approach is taken to monitor, guide and advise on mitigating impacts on privacy and access to government information
2.8 Targeted monitoring, guidance and
advice provided
  • Community is aware of their privacy and information access rights and how to exercise them

2.9 Providing a public information service

2.10 Community awareness of privacy and information access rights

3. Implement the Consumer Data Right

The OAIC will support the implementation of the Consumer Data Right (CDR) to provide greater choice and control for Australians over how their data is used and disclosed. This includes implementing the CDR in the financial sector, establishing an effective privacy complaints system, and delivering guidance and education materials to support participants and consumers.

OutcomesIndicators of success
  • Privacy is protected under new data portability rights

2.11 Open Banking is implemented with strong privacy protections

2.12 The OAIC promotes awareness of CDR
privacy rights

2.13 Community uses complaints mechanism to protect their privacy rights

Measuring our success

Indicator*MeasureTargetsRPF RefPBS KPI
2019–202020–212021–222022–23

2.1 Policy and legislative reform proposals are identified

The OAIC has identified and advanced proposals

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

6

 

2.2 Handling privacy complaints

Time taken to finalise privacy complaints

80% of privacy complaints are finalised within
12 months

As for 2019–20

As for 2019–20

As for 2019–20

2,5

Yes

2.3 Conducting Privacy Commissioner-initiated investigations (CIIs)

Time taken to finalise privacy CIIs

80% of privacy CIIs are finalised within eight months

As for 2019–20

As for 2019–20

As for 2019–20

2

Yes

2.4 Handling data breach notifications

Time taken to finalise data breach notifications (DBNs)

80% of DBNs are finalised within 60 days

80% of My Health Record DBNs are finalised within 60 days

As for 2019–20

As for 2019–20

As for 2019–20

2

Yes

2.5 Providing an Information Commissioner (IC) review function

Time taken to complete IC reviews

80% of IC reviews are completed within 12 months

As for 2019–20

As for 2019–20

As for 2019–20

1,3,4

Yes

2.6 Handling FOI complaints

Time taken to finalise FOI complaints

80% of FOI complaints are finalised within 12 months

As for 2019–20

As for 2019–20

As for 2019–20

1,3,4,5

Yes

2.7 Conducting FOI Commissioner-initiated investigations

Time taken to finalise FOI CIIs

80% of FOI CIIs are finalised within eight months

As for 2019–20

As for 2019–20

As for 2019–20

1,3,4

Yes

2.8 Targeted monitoring, guidance and advice provided

Submissions, guidance, advice and monitoring provided that effect change to protect privacy and access to information rights

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

4

 

2.9 Provide a public information service

Time taken to finalise written enquiries

90% of written enquiries are finalised within 10 working days

As for 2019–20

As for 2019–20

As for 2019–20

2

Yes

2.10 Increase in community awareness and understanding of privacy and information access rights

Visits to OAIC website

Increase in website traffic

As for 2019–20

As for 2019–20

As for 2019–20

2

 

Social media engagement

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

2

 

2.11 Open Banking is implemented with strong privacy protections

1. Project milestones met

2. Ongoing advice is provided and integrated into the scheme

1. 90% of project milestones achieved

2. Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

4,6

 

2.12 The OAIC promotes awareness of CDR privacy rights

Education and awareness materials are developed and promoted

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

1,2

 

2.13 Community uses complaints mechanism to protect their privacy rights

Complaint handling mechanism for the CDR is operational and actively used

Complaint volumes reflect awareness and accessibility of complaint handling mechanism

As for 2019–20

As for 2019–20

As for 2019–20

1,2,5

 

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Strategic priority 3

Encourage and support proactive release of government-held information

The OAIC will continue to champion government transparency by developing initiatives that facilitate a proactive approach to providing access to government-held information. These will be aimed at making better use of government-held information to support innovation and inform policy while ensuring appropriate privacy safeguards are in place. This strategic priority will significantly contribute to our purpose of promoting and upholding information access rights.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

TrendChallengesOpportunities

Declining public trust in those responsible for handling personal information, and greater expectation for transparency and accountability

  • Changing ways in which people engage with businesses and government
  • Ensure FOI framework is responsive to contemporary public expectations and increasingly digital interactions
  • Engage with public sector agencies in delivering on the objectives of the FOI Act
  • Undertake proactive regulatory activity to guide decision makers and promote public awareness

Government transparency initiatives

  • Complex domestic regulatory environment
  • Use Open Government Partnership to increase transparency
  • Promote understanding of existing statutory mechanisms that support transparency
  • Work with stakeholders to strengthen and improve access to government information

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified two key focus areas for the
OAIC from 2019–20 to 2022–23.

1. Develop government capability

The OAIC will continue to work with Australian Government agencies to develop their capability in applying and understanding the objects of the FOI Act. The OAIC will take proactive regulatory activity including providing guidance to promote greater access to government-held information.

We will review and update our resources to assist agencies and ministers to apply the FOI Act, and actively promote the Information Publication Scheme (IPS) to support government transparency initiatives.

OutcomesIndicators of success
  • Agencies are making better FOI decisions

3.1 Improvement in FOI review trends and
FOI complaints trends

3.2 Improvement in time taken to respond
to FOI requests

2 . Influence information management framework

The OAIC will work with stakeholders to strengthen and improve access to government information to support public participation and engagement and strengthen trust in government. We will engage with ministers and agencies to promote understanding of obligations under the FOI Act, and help ensure that FOI policy and practice continues to
meet the expectations of the Australian community.

We will continue to work as part of the Open Government Forum to implement the Open Government National Action Plan 2018-20 and engage with domestic and international counterparts to promote information access rights.

OutcomesIndicators of success
Government-held information is managed as a national resource 3.3 More government-held information is published proactive
Access to government-held information promotes Australia’s representative democracy and confidence in public sector integrity 3.4 Increased community awareness of information access rights

Measuring our success

Indicator*MeasureTargetsRPF RefPBS KPI
2019–202020–212021–222022–23

3.1 Improvement in FOI review trends and FOI complaints trends

Number of FOI applications to government agencies and FOI complaints

Implementation underway

Decrease in number of FOI reviews and complaints

As for 2020–21

As for 2020–21

1,2,5

 

3.2 Improvement in time taken to respond to FOI requests

FOI requests determined and processed within the applicable statutory time period

Increase percentage

As for 2019–20

As for 2019–20

As for 2019–20

1,2

 

3.3 More government-held information is published proactively

Information available on agency websites

Benchmark number of agency documents published under IPS and disclosure logs

Increase in number of agency documents published under IPS and disclosure logs

As for

2020–21

As for

2020–21

1,5

 

3.4 Increase in community awareness and understanding of information access rights

Visits to OAIC website

Increase in website traffic

As for 2019–20

As for 2019–20

As for 2019–20

2

 

Social media engagement

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

2

 

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Strategic priority 4

Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and freedom of information laws. This means engaging with and being responsive to the community’s expectations of its regulatory bodies.

Challenges and opportunities

We have considered the key challenges for this strategic priority over the next four years and identified a number of opportunities to address these challenges.

TrendChallengesOpportunities

Shift in Australian Government and community expectations of a regulator’s role

  • Ensuring the OAIC’s regulatory approach reflects government and community expectations of regulators
  • Focus on key regulatory risks and align activities and use of regulatory power to deliver highest impact
  • Review community and government expectations of Australian regulators and ensure the OAIC’s regulatory approach, internal capability, and stakeholder engagement reflect these expectations

Evolution in international landscape in relation to privacy and information access, and increased globalisation of the economy

  • Ensuring that domestic policy and guidance is interoperable with international law to facilitate Australia’s participation in the global economy
  • Active participation in changing global regulatory landscape
  • Work with other data protection authorities towards interoperability of privacy regulation and enforcement
  • Support development and implementation of access to information laws globally
  • Influence the global regulatory environment to ensure the best outcomes for Australians and full participation in the global economy

Expectation from the public that appropriate regulatory action will be taken in respect of breaches of the
relevant law

  • Ensuring that appropriate regulatory action is taken and that regulatory responses are consistent, proportionate, transparent, and evidence and risk-based
  • Demonstrate that the OAIC is an effective regulator

Our targeted responses

To guide our work in addressing these challenges and opportunities we have identified two key focus areas for the OAIC from 2019–20 to 2022–23.

1. Review our regulatory approach

We will review our regulatory approach to ensure it aligns with government and public expectations of domestic regulators, and that it has the necessary statutory powers to meet those expectations. This will focus on refreshing and recalibrating compliance and enforcement policy tools and developing a new service charter. We will also engage with other regulators on shared regulatory matters.

OutcomesIndicators of success
  • The OAIC meets government and community expectations of an effective Australian regulator

4.1 The OAIC has sufficient statutory powers to detect and deter non-compliance

4.2 The OAIC is seen to take appropriate regulatory action in relation to breaches of the relevant law

  • The OAIC is highly regarded globally and domestically

4.3 International regulators actively seek the views of the OAIC in relation to policy development or enforcement activities

4.4 The OAIC has strong and productive relationships with domestic regulators

2. Internal capability development

The OAIC will enhance its internal capability in the areas of people, data management and stakeholder engagement to ensure it efficiently delivers its regulatory responsibilities. We will update our workforce capability plan and undertake recruitment and training in areas of emerging technical capability requirements. We will enter formal arrangements with Australian Government entities for collaboration in relation to regulatory activities. We will also develop and implement a data strategy.

OutcomesIndicators of success
  • Highly engaged and capable workforce with the technical capability to respond to the contemporary environment

4.5 Improved employee engagement

4.6 Reduced staff turnover rate

4.7 Strong competition for vacancies

4.8 Internal capability supports the full range of OAIC functions

  • Strong data management capability supports the OAIC to understand and address emerging privacy and information access risks
4.9 Data analysis identifies enterprise risks

Measuring our success

Indicator*MeasureTargetsRPF RefPBS KPI
2019–202020–212021–222022–23

4.1 The OAIC has sufficient statutory powers to detect and deter non-compliance

Powers are enhanced

Qualitatively demonstrated

-

-

-

4

-

4.2 The OAIC is seen to take appropriate regulatory action in relation to breaches of the relevant law

Media and stakeholder sentiment

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

3,6

-

4.3 International regulators actively seek the views of the OAIC in relation to policy development or enforcement activities

Engagement with international regulators

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

1,6

-

4.4 The OAIC has strong and productive relationships with domestic regulators

Regular engagement with other regulators

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

1,6

-

4.5 Improved employee engagement

Measured through APS Employee Census

Improvement on previous year

As for 2019–20

As for 2019–20

As for 2019–20

-

-

4.6 Reduced staff turnover rate

Staff turnover rate

In line with APS small agency average

As for 2019–20

As for 2019–20

As for 2019–20

-

-

4.7 Strong competition for vacancies

Sufficient high-quality applicants for advertised roles

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

-

-

4.8 Internal capability supports the full range of OAIC functions

Approved training courses completed

75% of approved courses are completed

As for 2019–20

As for 2019–20

As for 2019–20

3,4

-

4.9 Data analysis identifies enterprise risks

Reports completed

Qualitatively demonstrated

As for 2019–20

As for 2019–20

As for 2019–20

3,4

-

* Beneficiary = Australians, Australian businesses and Australian Government agencies

Corporate Plan overview

Our ambition

The OAIC has outlined four strategic priorities for 2019-23 which we will pursue in line with our guiding principles. Through this work we will deliver on our purpose and achieve our long-term vision

Our vision infographic

Strategic prioritiesKey focus areasOutcomes

Advance online privacy protections for Australians

Influence development of legislation

Greater global alignment of Australian privacy protections

Stakeholders are engaged in process of developing stronger online privacy protections

Develop a code of practice for digital platforms

Stronger privacy protections for Australians engaging in the online environment

Identify and take appropriate regulatory actions

Greater awareness of the risks of engaging online

Influence and uphold privacy and information access rights framework

Influence policy and legislative change to ensure frameworks remain appropriate

Regulatory frameworks uphold information access and privacy rights

Identify and take appropriate regulatory action

Timely and effective outcomes of complaints and reviews

Risk-based approach is taken to monitor, guide and advise on mitigating impacts on privacy and
access to government information

Community is aware of their privacy and information access rights and how to exercise them

Implement the Consumer Data Right

Privacy is protected under new data portability right

Encourage and support proactive release of government-held information

Develop government capability

Agencies are making better FOI decisions

Influence information management framework

Government-held information is managed as a national resource

Access to government-held information promotes Australia’s representative democracy and
confidence in public sector integrity

Contemporary approach to regulation

Review our regulatory approach

The OAIC meets government and community expectations of an effective Australian regulator

The OAIC is highly regarded globally and domestically

Internal capability development

Highly engaged and capable workforce with the technical capability to respond to the contemporary environment

Strong data management capability supports the OAIC to understand and address emerging privacy and information access risks

What will enable our success

Enhanced capability and effective risk management and oversight will facilitate delivery of our key activities and regulatory functions against our purpose and vision.

Capability

Our capability requirements are closely related to Strategic Priority 4: Contemporary approach to regulation. To achieve our ambition, we have developed a four-year capability roadmap focused on:

  • People
  • Data management
  • Engagement and influence
  • Efficiency

An assessment of each of these capabilities and planned initiatives for enhancing the capability areas is shown below.

Capability areaAssessment of current capabilityCapability initiativesCapability outcomes
People

The OAIC has a dedicated and expert team of staff who are experienced in carrying out all aspects of our legislative functions, from advice, guidance and communications, to complaint handling, investigations, assessments and Information Commissioner reviews.

Our current people capabilities are tested by an increase in our workload, responsibilities and fast-changing environment. The implementation of new legislative schemes, such as the Notifiable Data Breaches Scheme and the Consumer Data Right, have further increased demand for advice, guidance and regulatory action.

  • Bring in expertise
  • Develop internal capability
  • Elevate base-level understanding

Highly engaged and capable workforce

Data management

The OAIC effectively assesses risk within its key functional areas, but there is an opportunity to systematise the assessment of enterprise risk across those functional areas

  • Analyse and identify emerging themes and intelligence analysis, resources and knowledge-sharing systems

Strong data management capabilities to maximise analysis of data to identify and address enterprise risk

Stakeholder engagement

In recognition of the global nature of the privacy landscape and organisational data flows, we build and maintain strong and productive relationships with privacy authorities in other domestic and international jurisdictions, in order to collaborate on investigations and share information about privacy best practice.

We also participate in two important FOI networks, the Association of Information Access Commissioners and the International Conference of Information Commissioners, which assists us to ensure that our FOI regulatory activities are aligned with global best practice.

We engage across our stakeholder landscape using a variety of mechanisms, such as:

  • our networks (including our Privacy Professionals Network and Information Contact Officers Network)
  • direct interaction via a range of forums and meetings with government, business and
    research bodies
  • our participation in conferences and other stakeholder events.
  • Support global and domestic engagement with relevant regulators
  • Develop and promote effective communications and education products in collaboration with other regulators
  • Participate in joint regulatory action where appropriate

Highly regarded globally and domestically

Efficiency

Sustained increases to our regulatory workload require close examination of how we work and what we can do to deliver improved and more efficient services.

  • Implementation of a technical advisory panel
  • Systematic and regular reviews of business processes

Improved internal efficiency

Risk management and oversight

The OAIC continues to maintain its effective risk processes, which enhance our risk management capability. Our Risk Management Framework and Procedures outline how the OAIC implements the Risk Management Policy and the steps we take to address risk management capability in the OAIC. This includes educating our people and providing a clear understanding of risk appetite to help our staff assess risks, make informed decisions, confidently engage with risk and harness its opportunities, while minimising adverse consequences.

We recognise that commitment to risk management contributes to sound management practice and increasing confidence in performance. The OAIC is proactive in addressing all elements of the Commonwealth Risk Management Policy requirements.

Risk mitigation (or control activities) are well managed through regular review of organisational plans for identified risk areas, and in preparation for the introduction of new projects, programs and schemes. We review all control activities associated with implementation to ensure that any identified risks are mitigated and we actively monitor potential risks associated with the project or program. Risk is also overseen by our Audit Committee.

In our approach to risk management, the OAIC considers factors that may affect our ability to effectively engage with, and manage our relationships with, our stakeholders.

Working under a robust risk management framework helps us to achieve our purpose by promoting and upholding privacy and information access rights in a way that manages risk, and instils confidence in the community and our stakeholders.

Our Risk Management Policy defines the OAIC’s approach to the management of risk and how this approach supports our strategic plans and objectives.

Our Risk Management Framework and Procedures document:

  • outlines practices and actions to embed risk management into business practices and cultivate a positive risk culture
  • assigns clear roles and responsibilities across the OAIC organisational and management structure
  • details the OAIC’s shared risk management agreements
  • identifies the stakeholders we communicate with about risk information.

The OAIC is committed to ensuring that management and staff develop appropriate risk management capabilities through training.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au