Publication date: August 2021

Download the print version

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2021–22.

Contact

Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Email:oaic.gov.au/enquiry
Websitewww.oaic.gov.au
Twitter: @OAICgov
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Acknowledgement of Country

We acknowledge the traditional custodians of Australia and their continuing connection to land, sea and community. We pay our respects to the people, the cultures and the elders past, present and emerging.

Statement of preparation

I, Angelene Falk, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2021–22, for the 2021–22 to 2024–25 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

16 July 2021

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General Department’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act.

Overview

Our corporate plan outlines who we are, what we are here to do, our vision and how we will achieve it.

The plan is broken into 2 parts:

Part 1 – Operating context: Our environment, Capabilities, Risk management, Cooperation and collaboration

Part 2 – Our strategic priorities

Commissioner’s foreword

The past 12 months has been an unprecedented year marked by the impact of the COVID-19 pandemic. But it has also set new benchmarks for practice in privacy and information access, as government and business responded to heightened community awareness and expectations for open and timely information sharing and strong privacy protections in areas of higher risk.

This corporate plan sets out the strategic priorities for the Office of the Australian Information Commissioner (OAIC) and defines how we will measure success in the context of our fast-changing operating environment. More than ever, our success will be the result of collaboration: with our staff, with Australian and international regulators, and across government, the private sector, academia and the community.

Australians’ accelerated adoption of digital technology has transformed the way we do business and go about our daily lives. A number of Australian Government initiatives respond to this trend and will impact on the work of the OAIC throughout 2021–22.

Our ongoing focus on security of personal information and prevention of data breaches contributes to Australia’s Cyber Security Strategy 2020. The government’s new Digital Economy Strategy also seeks to harness digital opportunities and foreshadows the development of an Australian Data Strategy.

The OAIC plays an important regulatory role in several initiatives under the Digital Economy Strategy: in the roll out of the Consumer Data Right to additional sectors; overseeing privacy protections in the next-wave My Health Record; and advising on and regulating privacy in the expansion of the Digital Identity system.

The Digital Economy Strategy also targets fit-for-purpose regulation that builds trust. The current government review of the Privacy Act is an opportunity to update our regulatory framework to meet the challenges and opportunities of the digital age and address the community’s desire for more to be done to protect their personal information. The review is a key focus for the OAIC during the life of this plan, as we draw on our regulatory experience to advise, make recommendations and implement.

Ahead of these changes, the proposed introduction of a new Online Privacy Code and other reforms is an opportunity to strengthen protections in the digital environment, including for children. The development and implementation of the Code will be another key area of focus for the OAIC.

Operating as a contemporary regulator, the OAIC strives to respond to community expectations through our strategic and regulatory priorities, and by enhancing our capability, managing risk effectively, and cooperating and collaborating with other regulators at home and overseas.

In seeking to protect Australians’ data and support innovation, regulatory cohesion and use of data in the public interest, we are closely engaged with domestic regulators such as the Australian Competition and Consumer Commission and the Office of the National Data Commissioner. As the volume and velocity of cross-border data transfers continues to increase, we have also consolidated strong working relationships with international regulators, through forums such as the Global Privacy Assembly, and through direct relationships facilitating cooperation and joint investigation on issues of mutual concern.

In 2021–22, the OAIC will continue to provide privacy advice and guidance to support public health responses to the pandemic, as public trust in information handling and release remains critical to our efforts to prevent and manage COVID-19.

The shift to providing more government services online also brings new opportunities to streamline our access to information system. In the year ahead, we will maintain our efforts to encourage more proactive release of government information where appropriate, including through administrative access arrangements such as self-service schemes, and by building on the information Publication Scheme.

We will also welcome a new Freedom of Information Commissioner to the OAIC, to assist with the increasing number of requests for review of freedom of information (FOI) decisions by agencies and ministers, and other strategic access to information work.

As we look to a future in which new businesses are ‘born’ digital and more government services are available online, increasing public trust and confidence in digital interactions through the protection of personal information and access to government-held information remains at the heart of our vision.

I look forward to delivering on this plan for all Australians.

Angelene Falk

Australian Information Commissioner and Privacy Commissioner

16 July 2021

The year ahead

Online privacy

The importance of data to the digital economy continues to increase as we conduct more of our lives online than ever before. Technological advances, encompassing artificial intelligence (AI) and machine learning algorithms through to biometrics, mean that personal information is being used in ways that can support innovation but may also lead to harm. The OAIC is focused on regulating the online environment and high privacy impact technologies. Other challenges come in the form of cross-border data flows and data storage.

Our vision is to achieve a balance between organisational accountability and effective privacy self-management that protects personal information and supports innovation and economic growth. We are preparing for the introduction of legislation that will require the development of an Online Privacy Code to improve the ability of Australians to manage privacy choices through transparent policies and better practices around consent. The code will also enhance protections for children and other Australians with particular needs.

Privacy law reform

The review of the Privacy Act is a significant focus for the OAIC in 2021–22, as a landmark opportunity to ensure that Australia has a fair and flexible privacy framework that can meet the challenges of rapidly evolving global digital markets. We are providing advice and submissions to support reforms that deliver a regulatory system that protects privacy, holds regulated entities to account and builds public trust to support a strong economy.

Supporting the COVID-19 pandemic response

Personal information handling in the context of the COVID-19 pandemic remains a key regulatory priority for the OAIC. We are engaging with the Australian Government in relation to the collection, use and disclosure of personal information in connection with public health measures that respond to the pandemic. The National COVID-19 Privacy Team, convened by the OAIC in March 2020, brings together privacy regulators from around Australia to monitor and respond to initiatives that involve the use of personal information.

Under our COVIDSafe app and National Data Store assessment program we are examining compliance and risk throughout the information lifecycle of COVIDSafe app data. We will also continue to report every 6 months on the privacy aspects of the COVIDSafe system and how we exercise our powers.

Notifiable Data Breaches scheme

As individuals and businesses across Australia engage more heavily in the digital economy, personal information security is a critical element in the nation’s cyber security defences. Through mandatory reporting of data breaches, the Notifiable Data Breaches (NDB) scheme drives stronger security standards for protecting personal information and enhances transparency for consumers.

In 2021–22, the OAIC will continue to issue guidance to help regulated entities prevent and mitigate data breaches, and will take appropriate regulatory action where required. The OAIC actively engages with notifying entities to ensure breaches are contained and rectified, and affected individuals receive adequate notification so they can take steps to prevent harm. We are also preparing an updated Guide to securing personal information, and highlighting areas for action by organisations and agencies through our 6-monthly NDB reports.

Enhancing access to information

Promoting proactive release and a right of access to documents held by government remains a core focus for the OAIC as we work to support efficient access to information while ensuring appropriate privacy safeguards are in place. Through the outcomes of Information Commissioner reviews, FOI complaints, extension of time applications and education we provide guidance on the application of the law and promote best practice when processing FOI requests. These efforts will be further supported by the appointment of an FOI Commissioner in 2021.

We will continue to support agencies and ministers by providing guidance and resources to help ensure FOI frameworks are implemented efficiently and effectively. We will also continue to engage with the Open Government Partnership, in relation to the third National Action Plan by setting goals that strengthen and enhance access to information for all.

Consumer Data Right

The introduction of the Consumer Data Right in the banking sector in July 2020 signalled greater choice and control over their data for consumers. As co- regulator of the Consumer Data Right alongside the Australian Competition and Consumer Commission (ACCC), our focus is to ensure that participants understand the privacy safeguards in place so that consumers can share their data with confidence.

In the coming year, the OAIC will collaborate with the Treasury, the ACCC and the Data Standards Body to develop a strong, globally interoperable privacy framework to support the rollout of the Consumer Data Right to the next sector, energy.

My Health Record system

The OAIC will continue to monitor, regulate and provide advice on the privacy aspects of the My Health Record system. We will develop additional guidance for healthcare providers to support good privacy practice. We will also conduct further audits of the privacy protections within the system and the Healthcare Identifiers Service. We are engaging with the Australian Digital Health Agency regarding its implementation of the Australian National Audit Office’s recommendations from their Review of the My Health Records Legislation: Final Report. In the year ahead we will also complete our review of the National Health (Privacy) Rules 2018.

Part 1: Operating context

The Office of the Australian Information Commissioner promotes and upholds privacy and information access rights. We perform our regulatory functions in a complex global data environment. Our effective risk management and highly capable workforce underpin our efforts. We cooperate with our counterparts and collaborate with other agencies to advance our strategic priorities.

Our environment

Understanding our environment is fundamental to achieving the OAIC’s vision of greater public trust and confidence in personal information protection and access to government-held information. As a contemporary regulator, we monitor our operating environment closely, adopting a proactive risk management strategy. We rely on our people capability, information sharing and collaboration.

Our Corporate Plan 2021–22 identifies the key factors shaping our environment and affecting how we apply our guiding principles to deliver on our agency’s purpose. The core principles of transparency and accountability underpin the privacy and information access frameworks we regulate.

Over the past 5 years, the OAIC has experienced growth across our regulatory functions, including in the freedom of information area, with the number of complaints rising steadily and applications to review decisions made by agencies on FOI requests more than doubling. The reporting of data breaches remains steady as the Notifiable Data Breaches scheme becomes embedded in the data protection landscape. We will use our suite of regulatory powers and respond to emerging privacy issues through our guidance and advice, assessments and targeted Commissioner-initiated investigations.

Digital economy

Digital technologies provide new economic opportunities and continue to drive the significant increase in the amount of personal information collected, used and shared in Australia and beyond. A global regulatory approach is needed to protect Australians’ data wherever it flows.

The Consumer Data Right is a key policy initiative in the Australian Government’s Digital Economy Strategy released in May 2021. Implemented next in the energy sector, the Consumer Data Right is an economy-wide reform that supports innovation and economic growth by providing consumers with greater ability to authorise access to their data within a secure system.

Strong privacy laws enable business to use data to innovate and grow within a framework that protects individual rights. Globally interoperable data protection laws are increasingly important to protect consumers online and reduce regulatory friction for business.

Through its data agenda, the Australian Government has stated that it seeks to expand data sharing to improve service delivery, increase competition between service providers, facilitate evidence-based policy and provide individuals with greater choice and control over their personal information.

Public trust in information handling

Realising the economic and social opportunities of the modern digital economy requires public trust and confidence in the data handling activities of government and business and in the appropriateness of regulatory settings. The OAIC works to promote best practice in the handling of personal information by using a range of tools from education through to enforcement. The OAIC is also engaging actively in the review of the Privacy Act, including through public submissions.

Community expectations regarding transparency and accountability of Australian Government agencies are also reflected in an increasing number of applications for review of FOI decisions.

The COVID-19 pandemic has focused attention on privacy and highlighted the need to protect personal information. The collection, use and disclosure of personal information has been a central feature of Australia’s public health response, facilitating critical data analysis and supporting public health outcomes.

This includes the mandatory collection of personal information by businesses (including via apps and QR codes) for contact tracing purposes, voluntary use of the COVIDSafe app, and as part of the rollout of the Australian Government’s COVID-19 vaccination program. The OAIC continues to provide guidance and advice to government, business and the community on privacy issues arising during the pandemic to support trust and confidence in the handling of personal information.

Community attitudes to privacy

The OAIC’s Australian Community Attitudes to Privacy Survey 2020 shows a steady decline in trust in personal information handling by most organisation types since 2007. Trust in companies in general is down by 13% and trust in Australian Government departments is down 14%. Four out of five Australians would like the government to do more to protect the privacy of their data. The review of Australia’s privacy law is an important opportunity to address declining levels of trust and respond to the community’s desire for more to be done to protect their privacy.

Transparency initiatives

New access to information initiatives are emerging internationally, aimed at building effective, accountable and inclusive institutions at all levels. Making information held by government publicly available as a national resource supports innovation and growth.

Working in partnership with other information management agencies, the OAIC contributes to Australian Government freedom of information policy. We work with the International Conference of Information Commissioners to build capacity in new and emerging FOI systems and embed the principles of the ICIC resolution on proactive publication.

Capabilities

The OAIC continues to deal with a significant number of complaints, reviews and investigations. As a small agency, this requires a strategic approach to manage and grow our capabilities to ensure we can effectively deliver our core business.

A focus on increasing business intelligence and performance reporting capabilities is assisting the OAIC to manage our resources to achieve the targets linked to our key performance indicators.

We are also continuing to strengthen our governance capabilities. Our Regulatory Action Committee ensures we manage emerging risks appropriately, proportionately and efficiently in line with our privacy regulatory priorities and utilising our full range of regulatory tools.

Information and communication technology (ICT), financial and some human resources services are provided under shared services arrangements. The OAIC’s transition of finance and human resources services to another service provider during 2021–22 will require an internal change management process and capability uplift.

Strategies and plans associated with our capabilities are outlined under Strategic Priority 4.

People capability

Our dedicated workforce is fundamental to the OAIC achieving our strategic priorities. To enhance and expand our people capability, we focus on leadership development, workforce planning, and learning and development. The OAIC is committed to building a strong workplace culture with an emphasis on diversity and inclusion.

The volume and complexity of work in privacy, notifiable data breaches and freedom of information, along with the expansion of our responsibilities under the Consumer Data Right and COVIDSafe systems, requires a flexible workforce and the development of new skills and capabilities.

The OAIC recognises that to be a contemporary regulator, we need to employ people who have a broad range of technical skills. We are implementing strategies to recruit staff from different sectors to complement our existing workforce. When necessary, we draw upon temporary staff and consultants with relevant expertise to address workload requirements.

Infrastructure capability

The OAIC occupies 2 floors of a building in the Sydney CBD. In 2021–22 we will review our future accommodation and infrastructure needs in light of changed working patterns including remote working arrangements.

ICT capability

The OAIC promotes a strong ICT culture through training and awareness initiatives. Upgrades to our operating systems, software applications, networking components and digital devices support our work arrangements securely and efficiently. Future upgrades will be made as needed to ensure the OAIC’s ICT capability meets our needs as a contemporary regulator.

Risk management

Positive risk management culture

Effective risk management contributes to improved performance and sound governance and supports good business decision making. The OAIC continues to support our risk management culture through governance and training.

Risk management framework

Following a comprehensive review, the OAIC has revised our Risk Management Policy, which details our approach to risk management and clearly links it to our strategic priorities. It is supported by our Risk Management Framework and Guide, which outlines how the OAIC implements the Risk Management Policy and complies with the Commonwealth Risk Management Policy. Matters covered in the framework include:

  • key risk management responsibilities
  • how the OAIC embeds risk management as business-as-usual
  • the attributes of the OAIC’s desired risk management culture and how these are fostered.

Risk mitigation

The OAIC has defined risks for the enterprise and for major projects. Risk profiles have been developed that identify risk owners, current controls and treatment actions. Residual and emerging risks and treatment activities are actively monitored at the project and enterprise level. Where necessary, the OAIC works with other stakeholders on shared risks. For instance, the OAIC is working closely with our co-regulator, the ACCC, to ensure that privacy risks in the Consumer Data Right are managed effectively. Risk reports are regularly considered by our Audit Committee, Operations Committee and project governance committees.

Audit Committee

The OAIC Audit Committee assists the Australian Information Commissioner in discharging her statutory responsibilities including risk oversight and management and compliance with relevant laws and policies. The committee meets quarterly and has an independent chair and 2 independent members. More details are available in our Audit Committee charter available on our website.

Risk appetite

Our risk appetite is the amount and type of risk the OAIC is prepared to accept in pursuit of our objectives. The OAIC acknowledges that risk is a part of our operational posture and necessary to maximise outcomes for the Australian community. The OAIC encourages prudent risk taking and should circumstances warrant, higher levels of risk may be tolerated with appropriate consideration, executive endorsement, monitoring and review. The OAIC’s appetite and tolerances for risk are defined in our Risk Appetite Statement.

Our enterprise risks

Risk management is an important part of our compliance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act). We refreshed our enterprise risk management framework in 2020 to better identify and manage strategic and operational risk, maximising opportunities and minimising adverse consequences. The following table outlines some of our key risks and controls.

The OAIC has quality processes, systems and products

The OAIC has robust governance and appropriate infrastructure

The OAIC ultimately contributes to increased trust and confidence in privacy and information access

The OAIC protects the information entrusted to it

Information management policy and resources

Controlled document framework

Protective Security Policy Framework

Internal review and quality assurance processes

Continuous improvement of systems and processes

Reporting framework business intelligence

Legislative compliance framework

Controlled document framework

Audit Committee

Executive Committee and Operations Committee mechanisms

Specialist boards and committees for significant projects

Publication of Commissioner decisions and complaint outcomes

Range of regulatory functions and powers exercised

Publication of regulatory priorities

Interagency cooperation and coordination

Public awareness campaigns and stakeholder communications

Information management policy

Privacy management plan System controls

Privacy impact assessments Data breach response plan

Protective Security Policy Framework

Appointment of Chief Security Officer, Privacy Champion and Privacy Officers

Information security audits and reviews

The OAIC is agile and responsive

The OAIC is able to build and maintain strong influence and positive relationships

The OAIC is able to attract, grow and retain its people

The OAIC is a safe working environment

Operations Committee and Regulatory Action Committees informed by data analysis

Media and parliamentary monitoring and advice capability

Strategic planning

Workflow management informed by business reporting systems and process reviews

Range of regulatory functions and powers exercised

Active participation in domestic and international forums

Effective management of stakeholder relationships

Media monitoring and response

Support for professional training and development

Comprehensive induction program

Succession planning for critical positions

Developing people capability plan and strategy

Interagency engagement to support recruitment

Engagement with staff through consultation forum, staff meetings and exit interviews

Work health and safety policy

OAIC Health and Safety Committee

Employee Assistance Program

Protective Security Policy Framework

COVID-19 working from home guidance

Diversity Committee initiatives

Internal communications and engagement

Cooperation and collaboration

The OAIC works closely with a range of Australian Government agencies and other organisations, including domestic and international regulators, to deliver our regulatory functions and advance our strategic priorities.

Privacy regulation

The OAIC collaborates with the Australian Communications and Media Authority (ACMA), ACCC, Australian Cyber Security Centre and Office of the eSafety Commissioner to advance online privacy protection for Australians. The OAIC also engages with integrity agencies such as the Inspector General of Intelligence and Security and the Commonwealth Ombudsman.

As the review of the Privacy Act progresses, we will continue to engage with the Attorney-General’s Department in support of a privacy framework that is fit for purpose in the digital age. We will engage with government and industry on the development and implementation of the Online Privacy Code.

The OAIC has a memorandum of understanding with the ACCC to guide and facilitate collaboration, cooperation and mutual assistance. There is a similar memorandum of understanding in place between the OAIC and ACMA.

We also work to improve privacy protections and promote best practice with agencies such as the Australian Digital Health Agency and the Australian Government Department of Health. We engage regularly with our network of privacy officers and champions across government.

The OAIC is actively supporting the implementation of Australia’s Cyber Security Strategy 2020 as it relates to the security of personal information and the role of domestic regulators.

The OAIC also cooperates with state and territory privacy regulators to share information and insights through the Privacy Authorities Australia group and the National COVID-19 Privacy Team.

In performing our regulatory functions, the OAIC is procedurally fair, transparent and responsive, consistent with the Regulator Performance Guide. Publication of OAIC strategic priorities, guidelines and decisions provides transparency to regulated entities. The OAIC publishes high-level outcomes of conciliated and determined privacy complaints and recommendations made in FOI complaints on its website.

Consumer Data Right

The OAIC works closely with our co-regulator, the ACCC, to encourage compliance with the CDR privacy safeguards and ensure consistent management of any breaches of the Consumer Data Right regulatory framework. We are working with the Treasury, ACCC and Data Standards Body to establish a framework for data portability in the energy sector.

Access to information

The OAIC engages with Australian Government agencies and ministers to improve processes and increase knowledge and understanding of the FOI Act. We promote proactive release of information through the Information Publication Scheme and informal release of information through administrative access processes.

Our Information Contact Officer Network (ICON) brings together nearly 500 people from government agencies and deepens FOI practitioners’ capability through information sessions and updates.

We are also a member of the Association of Information Access Commissioners (AIAC) which promotes best practice in information access policies and laws across Australia and New Zealand.

International cooperation

Cooperation between international privacy and data protection authorities is accelerating in response to the COVID-19 pandemic and the increasingly rapid transfer of data across borders. Australia is at the forefront of international collaboration, including through our leadership role in the Global Privacy Assembly – as a member of the Executive Committee, chair of the Strategic Direction Subcommittee, co-chair of the Digital Citizen and Consumer Working Group, and membership of its working groups on International Enforcement, Policy Strategy (Global Frameworks and Standards), Ethics and Data Protection in Artificial Intelligence, and COVID-19.

Our engagement in the Global Privacy Assembly supports the OAIC International Strategy 2020–22 which seeks to protect Australians' personal information wherever it flows. We engage actively with other international regulators through forums such as the Asia Pacific Privacy Authorities and the International Conference of Information Commissioners. We will continue to collaborate to assist emerging jurisdictions to develop FOI capability by sharing experience and best practice.

The OAIC has established memorandums of understanding with the UK Information Commissioner’s Office, the Office of the Privacy Commissioner Canada, the Data Protection Commissioner Ireland and the Personal Data Protection Commission of the Republic of Singapore. We use these relationships to identify opportunities for regulatory and enforcement cooperation, information sharing and joint investigations.

Regulator Performance Guide

Our corporate plan is delivered under the PGPA Act and outlines how the OAIC will achieve regulator best practice across our functions. This approach is in line with the Regulator Performance Guide which came into effect on 1 July 2021, and details the Australian Government's expectations of regulators in moving to a more outcomes-focused and principles-based approach. In the 2021–22 transitional year, the OAIC will undertake work to further embed our pursuit of best practice in our performance reporting framework.

Principles of regulator best practice
  1. Continuous improvement and building trust – regulators adopt a whole-of-system perspective, continuously improving their performance, capability and culture, to build trust and confidence in Australia’s regulatory settings.
  2. Risk-based and data-driven – regulators maintain essential safeguards, using data and digital technology to manage risks
    proportionately to minimise regulatory burden and to support those they regulate to comply and grow.
  3. Collaboration and engagement – regulators are transparent and responsive, implementing regulations in a modern and collaborative way.

The OAIC Strategic Priorities and Key Performance Indicators were set prior to finalisation of the guide. The following table indicates how our 2021–22 Key Performance Indicators contribute to achieving the best practice principles outlined in the guide.

Regulator best practice principle

OAIC Key Performance Indicator

Continuous improvement and building trust

1.1, 1.2, 2.2, 2.3, 2.4, 2.6, 2.7, 2.8, 2.11, 3.1, 4.2, 4.3

Risk-based and data-driven

2.1, 2.5 3.2, 4.1, 4.4

Collaboration and engagement

2.9, 2.10

Part 2: Our strategic priorities

The Office of the Australian Information Commissioner will deliver on our purpose and increase public trust and confidence in the protection of personal information and access to government-held information through our strategic priorities.

Strategic Priority 1

Advance online privacy protections for Australians

The OAIC will advance online privacy protections for Australians to support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks.


In 2021–22, the OAIC will support innovation and Australian businesses’ capacity to benefit from using data while minimising privacy risks for the community. We will work to enhance online privacy protections, and take into account the needs of vulnerable groups, such as children. The OAIC will continue to provide advice to the Australian Government on privacy law reform with the goal of achieving a framework that is fit for purpose in the digital age.

The OAIC will continue to promote awareness of privacy risks and provide guidance for individuals, organisations and agencies about how to protect personal information online. In partnership with Privacy Authorities Australia and the Asia Pacific Privacy Authorities forum, we promote Privacy Awareness Week each May, raising awareness about the importance of protecting personal information among agencies, business and consumers.

We will collaborate with international regulators to influence the development of globally interoperable privacy regulation. Through our membership of the Global Privacy Assembly, we will continue to share knowledge, exchange ideas and identify solutions to emerging issues.

We will use the full range of our regulatory functions and powers appropriately and proportionately to pursue serious breaches of privacy in the digital environment.

The OAIC will also continue to engage in joint regulatory actions including cross-border investigations.

Key activities

Key activity 1: Influence development of privacy policy and legislation

 

2021–22

2022–23

2023–24

2024–25

Provide expert advice to government to support a strong, globally interoperable privacy law framework

Collaborate with government and industry to develop and register Online Privacy Code

   

Key activity 2: Raise awareness and take regulatory action on online privacy issues

 

2021–22

2022–23

2023–24

2024–25

Promote awareness of online privacy risks and mitigation strategies

Exercise regulatory powers in relation to online data breaches

Coordinate or undertake joint investigations and intelligence sharing with international and domestic privacy regulators

Key Performance Indicators

Indicators

Measure

Target

2021–22

2022–23

2023–24

2024–25

1.1

Australia’s privacy frameworks are fit for purpose in the digital age

(1) The OAIC advises government on privacy in the online environment and global interoperability where appropriate

Qualitative: The OAIC identifies where online issues and global interoperability are referenced and makes submissions where appropriate

*

*

*

*

  

(2) Online Privacy Code is developed

Code is registered

*

   

1.2

The OAIC is a leader in the global privacy community to support the development and enforcement of strong international online privacy protections

(1) The OAIC has a leadership role in key international policy forums

Active participation in the Global Privacy Assembly and the Asia Pacific Privacy Authorities forum

*

*

*

*

  

(2) The OAIC actively participates in international compliance and enforcement meetings and regulatory activities to which we commit

Active participation in international enforcement and regulatory activities

*

*

*

*

Strategic Priority 2

Influence and uphold privacy and information access rights frameworks

The OAIC has a wide range of regulatory functions and powers under the Privacy Act 1988. These were expanded in 2020 to cover the COVIDSafe app introduced by the Australian Government in response to the pandemic. The OAIC also regulates the privacy aspects of the Consumer Data Right, which began in the banking sector on 1 July 2020 and will be rolled out to the energy sector next.

The OAIC promotes access to government-held information through the regulation of the Freedom of Information Act 1982 (FOI Act) and our role in information policy. The OAIC will continue to perform our regulatory functions and promote the rights of all members of the community to access government-held information.


The OAIC regulates the handling of personal information by organisations and Australian Government agencies under the Privacy Act. We investigate privacy complaints, conduct privacy assessments and provide guidance to organisations and agencies to help them embed a culture of privacy. We engage with these organisations and agencies through multiple channels including consultations, meetings, our Information Contact Officers Network and Privacy Professionals Network, annual Privacy Awareness Week and International Access to Information Day campaigns, and Privacy Officer training.

We also regulate the community’s access to government-held information under the FOI Act. Our FOI functions include conducting independent merits review of FOI decisions made by Australian Government agencies and ministers, and investigating complaints about action taken by agencies under the FOI Act.

The OAIC will continue to oversee the privacy aspects of the My Health Record system, providing advice on making complaints and the investigations process.

In 2021–22, the OAIC will continue to work collaboratively with the ACCC to ensure the effective regulation of the Consumer Data Right in the banking sector and the energy sector. We will issue new guidance and advice on the Consumer Data Right tailored to the energy sector. We will provide an effective enquiry and complaints handling service to ensure the privacy safeguards embedded in the Consumer Data Right are upheld. The OAIC will conduct assessments of compliance with CDR data privacy requirements applicable in the banking sector.

As the COVID-19 pandemic continues, we will provide guidance and advice on privacy and freedom of information for individuals, agencies and organisations in relation to regulatory responses to the pandemic.

The OAIC will meet our regulatory responsibilities under Part VIIIA of the Privacy Act, monitoring compliance with the legislation and publishing reports on the COVIDSafe system twice a year.

Key activities

Key activity 1: Influence policy and legislation to ensure frameworks remain appropriate

 

2021–22

2022–23

2023–24

2024–25

Provide advice to government on its review of the Privacy Act

   

Implement Privacy Act amendments

 

Deliver guidance and education materials to support implementation of Privacy Act amendments

 

Key activity 2: Identify and take appropriate regulatory action

2021–22

2022–23

2023–24

2024–25

Take appropriate regulatory action in relation to privacy and FOI complaints

Administer the Notifiable Data Breaches scheme

Regulate privacy aspects of the My Health Record system

Conduct Information Commissioner reviews of FOI decisions

Improve compliance with FOI and privacy legislation supported by education

Promote awareness of privacy and access to information rights

Key activity 3: Regulate the Consumer Data Right

 

2021–22

2022–23

2023–24

2024–25

Provide information about privacy safeguards under the Consumer Data Right

Regulate privacy safeguards under the Consumer Data Right

Key activity 4: Monitor and support compliance with the COVIDSafe system

 

2021–22

2022–23

2023–24

2024–25

Regulate the COVIDSafe system

  

Report on the privacy aspects of the COVIDSafe system

  

Key Performance Indicators

Indicators

Measure

Target

2021–22

2022–23

2023–24

2024–25

2.1

The OAIC identifies, scrutinises and advances policy and legislative reform proposals

The OAIC influences policy and lawmakers to support privacy and information access rights

Qualitative: The OAIC makes submissions and completes bill scrutiny tasks

*

*

*

*

2.2

Respond to privacy and information access enquiries from the public

Time taken to finalise written enquiries

90% of written enquiries are finalised within 10 working days*

*

*

*

*

2.3

Resolve privacy complaints

Time taken to finalise privacy complaints

80% of privacy complaints are finalised within 12 months*

*

*

*

*

2.4

Ensure timely handling of data breach notifications

(1) Time taken to resolve Notifiable Data Breaches (NDBs)

80% of NDBs are finalised within 60 days*

*

*

*

*

  

(2) Time taken to resolve My Health Record notifications

80% of My Health Record notifications are finalised within 60 days*

*

*

*

*

  

(3) Time taken to resolve National Cancer Screening Register Act (NCSRA) notifications

80% of NCSRA notifications are finalised within 60 days

*

*

*

*

2.5

Conduct Commissioner- initiated investigations

Time taken to finalise privacy and FOI CIIs

80% of CIIs are finalised within 8 months*

*

*

*

*

2.6

Provide Information Commissioner review of FOI decisions made by agencies and ministers

Time taken to finalise Information Commissioner reviews

80% of IC reviews are finalised within 12 months*

*

*

*

*

2.7

Resolve FOI complaints

Time taken to resolve FOI complaints

80% of FOI complaints are finalised within 12 months*

*

*

*

*

2.8

Improve agencies’ processes for managing FOI requests

Agencies accept and implement recommendations made following complaint investigations

90% of recommendations made are accepted

*

*

*

*

2.9

The OAIC promotes awareness of privacy and access to information

The OAIC leads campaigns such as International Access to Information Day and Privacy Awareness Week

2 major campaigns undertaken each year

*

*

*

*

2.10

The OAIC promotes awareness of Consumer Data Right (CDR) privacy rights

Education and awareness materials are developed and promoted

Information on the OAIC website is updated when required by CDR developments

*

*

*

*

2.11

Australians are confident about the system of oversight of privacy and security of the COVIDSafe app

(1) Assessment program identifies any privacy risks

2 assessments conducted and outcomes published

*

*

  
  

(2) Effective enquiry, complaint and data breach notification systems

Enquiry, complaint and data breach systems available

*

*

  

* OAIC Portfolio Budget Statements target.

Strategic Priority 3

Encourage and support proactive release of government information

The OAIC will continue to promote a proactive approach to the publication of government-held information. We will focus on making better use of government-held information to support efficient access to information and facilitate innovation and engagement while ensuring privacy is protected.


Australians expect government to make decisions and deliver services in an accountable and transparent way. The OAIC will continue to work to ensure that agencies provide access to information not only on request, but proactively publish information of interest to the community where appropriate.

Government-held information is a national resource that should be managed for public purposes. Increased scrutiny and participation in government processes promote better decision making. Through our regulatory functions, including Information Commissioner reviews, investigations of FOI complaints and consideration of extension of time applications, we gain insight into emerging information access trends within our regulatory environment.

We will continue to support a posture within agencies and the offices of Australian Government ministers through the pandemic and beyond that facilitates and promotes public access to information promptly and at the lowest reasonable cost.

The OAIC will engage with agencies and ministers to promote understanding of the FOI Act, and to ensure that FOI practice is consistent with the legislation and meets the expectations of the community. We will develop capability by providing guidance, including new and updated resources on our website.

We will actively promote the Information Publication Scheme (IPS) and ICIC resolution to support proactive publication of government-held information. We will continue to engage with the Open Government Partnership in relation to the third National Action Plan and participate in the Open Government Partnership initiative. We will build on our relationships with domestic and international regulators and promote access to information rights including by assisting emerging FOI jurisdictions.

Key activities

Key activity 1: Develop government capability

 

2021–22

2022–23

2023–24

2024–25

Publish guidance on FOI Act obligations for government agencies

Update IPS resources to support government agencies to publish government-held information

Key activity 2: Influence information management framework

 

2021–22

2022–23

2023–24

2024–25

Provide advice to government about FOI and information management

Participate in international information access forums

Key Performance Indicators

Indicators

Measure

Target

2021–22

2022–23

2023–24

2024–25

3.1

Agencies publish more government-held information proactively

The OAIC actively promotes proactive publication

The OAIC hosts 2 Information Contact Officers Network events and publishes resources

*

*

*

*

3.2

The OAIC identifies and scrutinises policy and legislative reform proposals in relation to Australia’s information management framework

The OAIC influences policy and lawmakers in relation to the information management frameworks

Qualitative: The OAIC makes submissions and completes bill scrutiny tasks

*

*

*

*

Strategic Priority 4

Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and being responsive to community expectations of regulators.

The OAIC is committed to developing a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice and take regulatory action.


Australians expect regulators to exercise their powers fairly and transparently for the benefit of the community. We use data to assess risk and use appropriate regulatory tools to address privacy and information access issues in a proportionate and evidence-based way. Our responsibilities include conducting investigations, reviewing decisions and handling complaints. We provide extensive guidance and advice and undertake assessments to drive best practice compliance.

The OAIC will continue to review our regulatory approach to ensure that it aligns with government and public expectations as detailed in the new Regulator Performance Guide.

Our approach to exercising our regulatory powers is set out in our Privacy Regulatory Action Policy, Guide to Privacy Regulatory Action and our privacy regulatory priorities, as well as our FOI Regulatory Action Policy, which is complemented by the FOI Guidelines.

Strong organisational capability ensures the OAIC delivers on our strategic priorities for government and the community. An engaged, capable and multidisciplinary workforce equips the OAIC to apply best practice and respond to challenges. The OAIC will review and implement a revised capability approach which will enhance job design and support strategic workplace planning and performance management.

The OAIC will enhance internal capability in the areas of leadership, regulatory governance, cyber security and information management. We will build a workforce with strong technical skills through staff training initiatives and targeted recruitment. We will continue to enhance our capability to use data and digital technology to improve processes and identify, prioritise and respond to risk.

Key activities

Key activity 1: Review our regulatory approach

2021–22

2022–23

2023–24

2024–25

Ensure the strategic use of compliance and enforcement tools is informed by regulatory theory and contemporary practice and reflects the range of tools available

Implement governance arrangements in support of OAIC strategic regulatory posture

Key activity 2: Build internal capability

 

2021–22

2022–23

2023–24

2024–25

Finalise and implement revised capability approach

  

Implement data management strategy

  

Embed revised governance approach

  

Build and maintain internal communication

Key Performance Indicators

Indicators

Measure

Target

2020–21

2021–22

2022–23

2023–24

4.1

The OAIC takes timely and effective regulatory action in relation to strategic privacy and access to information risks

Regulatory Action Committee (RAC) meets regularly and provides clear direction

(i) RAC meets 8 times annually

(ii) RAC decisions take into account OAIC stated priorities

*

*

*

*

4.2

Improved employee engagement

Positive rates against APS Employee Census (Strive, Stay, Say index)

Improvement on previous year (positive variance)

*

*

*

*

4.3

Increased staff retention

Reduced staff turnover and increased internal mobility

Align with APS Employee Census rates for workforce mobility

*

*

*

*

4.4

Mature the OAIC’s data capability to understand and address emerging regulatory and enterprise risks

The OAIC leverages data from business systems, complaints and media monitoring

Operational reporting received at each Operations meeting informs regulatory approach

*

*

*

*