Corporate Plan 2022–23

Publication date: August 2022

Download the print version

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:

Office of the Australian Information Commissioner Corporate Plan 2022–23.

Contact

Mail: Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5288
Sydney, NSW 2001
Email:corporate@oaic.gov.au
Websitewww.oaic.gov.au
Twitter: @OAICgov
Phone: 1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

Our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and recognises their continuing connection to lands, waters and communities. We pay our respect to Aboriginal and Torres Strait Islander cultures and to Elders past and present.

Commissioner’s message

I am pleased to present the Office of the Australian Information Commissioner’s (OAIC) Corporate plan 2022–23 for the 2022–23 reporting period, as required under section 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office seeks to meet the needs of the community in regulating privacy and freedom of information under the Privacy Act 1988, the Freedom of Information Act 1982 and the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities, including how we will measure success in our fast-changing operating environment. Increasingly, our success relies on our collaboration with domestic and international regulators, across government, and with the private sector, academia and the community.

The regulatory reach of the OAIC covers the majority of Commonwealth government agencies and ministers as well as the largest sectors of economic activity. Each day, government produces vast amounts of information that inform decisions and actions that impact individuals, communities and the public interest. The handling of personal information drives the daily provision of goods and services to Australians from government and across the economy, from online platforms to finance, telecommunications and health.

We’ve also seen the trend for accelerated adoption of digital technology continue alongside rapid advances in artificial intelligence (AI), facial recognition technology, machine learning algorithms and biometrics. This has implications for both privacy and information access rights. Indeed, the way in which technology is governed and deployed now will shape our society.

The OAIC regulates the provision of public access to Australian Government information and the protection of personal information for all Australians. This year we continue our important functions of handling privacy complaints and breach notifications, freedom of information complaints and reviewing FOI decisions of government agencies and ministers. But the need for people to bring their concerns to the OAIC should be the backstop.

Australians should be able to expect that their personal information is handled fairly and lawfully and that access to information is timely and at the lowest reasonable cost. This requires entities who may be asking 'could we' to instead ask 'should we?'. And it requires a commitment to enabling privacy and information access by design.

The OAIC will strive for agencies and businesses to take a proactive approach to privacy and access to information. In the past year, we observed a movement towards even greater online government services delivery, which has the potential to further streamline access to information. In the year ahead, we will maintain our efforts to encourage more proactive release of government information, including by facilitating agencies to take an open by design approach.

Similarly, the complexity of information flows, new technologies and the rise of data-driven businesses require a focus on the responsibilities of entities to embed privacy by design and be accountable as data custodians. We will influence entities to take a proactive approach to their online personal information and security obligations through the Notifiable Data Breaches scheme and co-regulation of the Consumer Data Right.

The review of the Privacy Act by the Attorney-General’s Department is a significant focus for the OAIC. This remains a landmark opportunity to ensure that Australia has a fair and flexible privacy framework that can protect the community from privacy harms and meet the challenges of rapidly evolving global digital markets.

And as the work of the OAIC increases, and its relevance to the daily lives of Australians is amplified through the COVID-19 pandemic, I am pleased to be joined by Commissioner Leo Hardiman PSM QC as Freedom of Information Commissioner for a 5-year term. Commissioner Hardiman’s depth of experience advising across the public sector will be invaluable as we continue to handle increasing numbers of requests for review of freedom of information decisions and pursue timely and efficient access to information.

The OAIC’s vision is to increase public trust and confidence in the protection of personal information and access to government-held information. It is this focus that informs our key activities and priorities. We will continue to make the best use of our resources, to sustain and develop our people and to take regulatory action that creates the most value for the Australian community.

I look forward to what we will achieve.

Angelene Falk

Australian Information Commissioner and Privacy Commissioner

Part 1 Operating context

The Office of the Australian Information Commissioner (OAIC) is an independent agency within the Attorney-General’s portfolio. Our primary regulatory functions are privacy, freedom of information and government information policy. We perform these functions in a complex and changing domestic and global environment.

Our environment

Successful, effective, risk-based regulation requires a deep knowledge of our operating environment. We actively monitor this domestically and internationally, while being cognisant that several environmental factors are outside of our control. We also collaborate and share our expertise proactively.

Regulatory function growth

The OAIC continues to experience growth across our regulatory functions. In the freedom of information (FOI) area, applications to review decisions made by agencies on FOI requests have grown by 140% over the last 5 years and many matters are becoming increasingly complex.

On 19 April 2022 Commissioner Leo Hardiman commenced in the role of Freedom of Information Commissioner, having been appointed for a 5-year term.

The Notifiable Data Breaches scheme marked its fourth year of operation in 2022 and the OAIC continues to receive breach reports, with the health and financial sectors remaining the top 2 reporting sectors. The OAIC expects that entities have systems in place to ensure full compliance with the statutory requirements and strong personal information security practices. The OAIC will work closely with notifying organisations to ensure best practice in data breach response, but will also prioritise enforcement actions in instances of serious non-compliance with the requirements of the scheme.

The OAIC conducts a longitudinal survey of Australians’ perceptions of and concerns about their privacy, which informs our regulatory approach. This year, the Australian Community Attitudes to Privacy Survey will once again be conducted using a nationally representative sample of unique respondents aged 18 years and over. This helps us to collect data to assist our work across policy, compliance and communications initiatives.

Transparency initiatives

The continued growth in applications for review of FOI decisions provides further evidence of the community’s growing expectations for release of government-held information and proactive disclosure. This focus on greater transparency is not an issue unique to Australia.

The OAIC engages widely with information access practitioners across Australia and overseas. The breadth of our regulatory engagement is consistent with our intention to advance domestic and international access to information laws to support a vibrant participative democracy.

Key areas of this work include facilitating and encouraging practices that are ‘open by design’. In Australia, the open by design principles were endorsed by the Australian information access commissioners ahead of last September’s International Access to Information Day, calling on all governments and public institutions to commit to being open by design. This recognises that information held by government is a national resource.

Promoting proactive release and a right of access to documents held by government remains a focus for the OAIC as we work to support efficient access to information while ensuring appropriate privacy safeguards are in place.

We continue to provide guidance, advice and a range of resources to FOI practitioners, ministers and government agencies to assist them to engage positively with the Freedom of Information Act 1982 (FOI Act).

The OAIC also contributed to the development of Australia’s third Open Government National Action Plan by co-designing a commitment to access to government information.

Digital economy

The acceleration of the digital world has opened the door to both increased innovation and economic opportunity along with exponential growth in the collection of personal information. It has also increased practices such as data sharing, tracking and monitoring. Digital economy initiatives present challenges to privacy regulation as they can involve handling personal information in new and opaque ways.

These challenges have the potential to amplify existing privacy risks and create new privacy harms. A growing digital economy may also present data security risks such as increased cyber security threats. A globalised digital economy calls for a global regulatory approach to protect Australians’ data wherever it flows.

Realising the economic and social opportunities of the modern digital economy requires public trust and confidence in the data handling activities of government and business, and in the appropriateness of regulatory settings. The OAIC works to promote best practice in the handling of personal information by using a range of regulatory tools. This includes awareness-raising initiatives, education and the provision of advice to government and industry as well as enforcement. The OAIC has also been actively engaging in the review of the Privacy Act 1988.

Online privacy and technology

The OAIC continues to focus on regulating the online environment and high privacy impact technologies. A recurring regulatory challenge is ensuring that personal information is used in ways that both support innovation and do not lead to harm.

This year the OAIC’s civil penalty proceedings against Facebook Ireland Limited and US-based Facebook Inc will continue. The Information Commissioner commenced proceedings in the Federal Court of Australia in March 2020, alleging that the personal information of Australian Facebook users was disclosed to the ‘This is Your Digital Life’ app for a purpose other than that for which the information was collected, in breach of the Privacy Act. The Commissioner alleges that information was exposed to the risk of being disclosed to Cambridge Analytica for political profiling purposes and to other third parties.

The OAIC will continue leading the Global Privacy Assembly International Enforcement Working Group initiative on data scraping. We will also monitor and actively consider emerging issues relating to high privacy impact technologies that may be appropriate to take forward to regulatory action, such as artificial intelligence and facial recognition technology.

Continued support for the COVID-19 pandemic response

We are continuing to monitor the public health response and advise government in relation to any measures concerning the collection, use and disclosure of personal information as the phases of the COVID-19 pandemic unfold. Two years on, the COVID-19 pandemic response and recovery has become a normalised component of the work undertaken by the OAIC.

Under our COVIDSafe assessment program, we examine compliance and risk throughout the information lifecycle of COVID app data. We will complete the final 6 monthly report on the privacy aspects of the COVIDSafe system.

Consumer Data Right

Operational in the banking sector since July 2020, the Consumer Data Right (CDR) supports innovation and economic growth by providing consumers with greater ability to authorise access to their data within a secure system.

As co-regulator of the Consumer Data Right with the Australian Competition and Consumer Commission (ACCC), the OAIC’s focus is to ensure that participants understand and comply with the system's privacy safeguards. We do this through education and awareness strategies, and by investigating complaints and assessing compliance. We also advise on the privacy implications of proposed amendments to the CDR framework, including the designation of new sectors and making of new rules. Our activities ensure that consumers can share their data within the CDR system with confidence.

The CDR was first implemented in the banking sector and is being expanded to new sectors, including the energy and telecommunications sectors, with expansion to open finance currently being assessed.

The OAIC contributed to the statutory review of the CDR system and has an ongoing role supporting the implementation of the Australian Government's response to the inquiry into the future directions for the CDR.

The OAIC will continue collaborating with the Treasury, ACCC and Data Standards Body in developing and maintaining a robust privacy framework as the CDR expands to cover additional sectors. This includes ensuring the privacy framework continues to support the CDR as it is expanded to allow consumer directed action and payment initiation.

Digital health

The OAIC will revise the National Health (Privacy) Rules 2021 to ensure that they remain fit for purpose to regulate how Australian Government agencies use, store, disclose and link Medicare Benefits Schedule and Pharmaceutical Benefits Schedule claims information.

Health-related personal information is particularly sensitive and the assurance of privacy controls for its protection remain a priority for the OAIC this year. We monitor, regulate and provide advice on the privacy aspects of the My Health Record system. We are working with the Australian Digital Health Agency to develop additional guidance for healthcare providers to support good privacy practice. We will also conduct further privacy assessments of the privacy protections within the system and the Healthcare Identifiers Service.

Credit reporting

The OAIC regulates credit reporting in Australia. A key objective of the Privacy Act is to facilitate an efficient credit reporting system while ensuring individuals' privacy is protected. The OAIC will monitor, regulate and provide advice on obligations and rights under Australia’s credit reporting framework. We will work with industry stakeholders and consumer advocate groups to support good privacy practice. We will also continue our enforcement work in credit reporting, both through conciliating complaints and by appropriately using our regulatory powers, to ensure compliance with obligations under the Privacy Act and the Privacy (Credit Reporting) Code 2014 version 2.3 (CR Code).

In the year ahead we will finalise and begin implementation of the findings from our independent review of the CR Code. We will also be actively monitoring the implementation of the recent amendments to the Privacy Act and the CR Code to introduce reporting of financial hardship information.

Capability

The OAIC will use resources strategically to provide the greatest benefit for the community and continuously improve processes to ensure we perform our regulatory functions effectively and efficiently. We will strive to develop and sustain a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice, and to take appropriate regulatory action.

Capability development

Our people are our most valuable resource. We are committed to the attraction, development and retention of talent to maintain a highly engaged, skilled and professional workforce.

To ensure we deliver our key activities, we are focused on strengthening our leadership and people-management capability. We are investing in the development of our people by equipping them with the tools to perform at their best. We have demonstrated this by providing our people with new ICT equipment and systems to enable them to work securely from any location. We have delivered training and development programs using hybrid (face-to-face and virtual) delivery methods to ensure that inclusive learning opportunities are provided agency wide, regardless of location.

We are building a future-ready and agile workforce that aligns with the APS Workforce Strategy 2025 by ensuring we have the depth of knowledge, experience and ability to adapt to a changing environment. The OAIC’s own workforce strategy is complemented by a learning and development strategy that positions us to respond to workforce challenges.

Recruitment, Retention and Culture

During the COVID-19 pandemic, the OAIC broadened its recruitment approach to capture the best people from across Australia, inviting applications from around the country to work with us in a virtual environment. The OAIC continues to engage with Australian Public Service (APS) and non-APS agencies to promote, support and encourage staff mobility. We have a strong employee value proposition as a small and agile agency that offers an employee focused hybrid way of working into the future.

We support diversity and flexibility. We will partner with our portfolio agencies to update our workforce diversity strategy to ensure it aligns with our vision to strengthen our inclusive and diverse workplace culture.

The landscape for the future of work continues to evolve. The OAIC has engaged with and responded to employee feedback to fully support a permanent hybrid way of working to retain and attract talent.

The OAIC has consolidated office space to support our new hybrid way of working and provides financial support to ensure a safe and healthy home-based work set up. Our commitment to the health and wellbeing of our staff is a fundamental priority and is reflected by our ongoing engagement with the OAIC Consultation Forum. In 2022–23, we will continue to consult with staff to successfully embed the hybrid operating model.

System capability

Our system capability has been enhanced through the transition of ICT services to the Department of Employment and Workplace Relations (DEWR), the upgrade of the OAIC computer fleet from desktops to laptops and a new ICT platform that provides a protected security platform with an increased range of services. The transition to DEWR offers enhanced ICT support that is essential for our hybrid working arrangement. The transition of finance and payroll services to the Service Delivery Office (SDO) has improved the end-user experience for our people and delivered increased system capability for payroll and finance services.

Cooperation and collaboration

The OAIC works closely with a range of Australian Government agencies and other organisations, including domestic and international regulators. The OAIC also engages with integrity agencies such as the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman.

In the resolution of privacy and FOI matters and in performing its regulatory functions, the OAIC is procedurally fair, transparent and responsive in ways that are consistent with the principles of regulator best practice. Publication of OAIC priorities, guidelines and decisions provides transparency to regulated entities. The OAIC publishes high-level outcomes of conciliated privacy complaints and recommendations made in FOI complaints on its website.

Privacy regulation

The OAIC, together with the Australian Communications and Media Authority (ACMA), the ACCC and Office of the eSafety Commissioner, have formed the Digital Platform Regulators Forum to share information about, and collaborate on, cross-cutting issues and activities to address the risks and harms faced by Australians in the online environment.

This includes consideration of how competition, consumer protection, privacy, online safety and data issues intersect. The forum will support a streamlined and cohesive approach to the regulation of digital platforms as we advance online privacy protection for Australians. The OAIC has 2 memorandums of understanding with the ACCC. The first supports the co-regulation of the CDR. The second guides and facilitates collaboration, information sharing, cooperation and mutual assistance in areas other than the CDR. There is a similar memorandum of understanding in place between the OAIC and ACMA.

As the review of the Privacy Act progresses, we will bring our regulatory experience to the Attorney-General’s Department to design a privacy framework that is fit for purpose in the digital age.

We also work to improve privacy protections and promote best practice with agencies such as the Australian Digital Health Agency, Services Australia, the Department of Foreign Affairs and Trade, the Department of Home Affairs and the Department of Health and Aged Care. We engage regularly with our network of privacy officers and champions across the Australian Government.

As data sharing under the Data Availability and Transparency Act 2022 is implemented, we will continue to engage with the National Data Commissioner on supporting use of government-held information and protecting personal information within the scheme.

The OAIC collaborates with the Australian Cyber Security Centre regarding data breaches. The OAIC is actively supporting the implementation of Australia’s Cyber Security Strategy 2020 to support the security of personal information.

The OAIC also cooperates with state and territory privacy regulators to share information and insights through the Privacy Authorities Australia group.

Access to information

The OAIC assists Australian Government agencies and ministers to improve processes and increase knowledge and understanding of the FOI Act, including through Information Contact Officer Network events, which bring together FOI practitioners from across the Commonwealth. We continue to promote proactive release of information through the Information Publication Scheme under the FOI Act and informal release of information through administrative access processes. This year, we will work with agencies to review their compliance with their IPS obligations. Compliance with the IPS is an ongoing statutory responsibility for agencies under the FOI Act and must be reviewed every 5 years.

We actively collaborate with other domestic information access regulators through the Association of Information Access Commissioners (AIAC), which promotes best practice in information access policies and laws across Australia and New Zealand.

These efforts will be further supported by our newly appointed Freedom of Information Commissioner, Leo Hardiman.

International cooperation

Australia continues to lead international regulatory collaboration, particularly through our involvement in the Global Privacy Assembly (GPA) and the International Conference of Information Commissioners (ICIC). The OAIC will continue as a member of the GPA Executive Committee and chair of the Strategic Direction Sub-Committee until October 2022.

We will remain as a leader on global privacy issues, through our roles as co-chair of the Digital Citizen and Consumer Working Group, membership of the International Enforcement Working Group and the Data Protection and Ethics in Artificial Intelligence Working Group.

The OAIC’s engagement in the GPA supports our international strategy to protect Australians’ personal information wherever it flows. We actively engage with other international regulators through forums such as the Asia Pacific Privacy Authorities forum, the Global Privacy Enforcement Network and the Common Thread Network.

The OAIC has established memorandums of understanding with the UK Information Commissioner’s Office, the Irish Data Protection Commissioner and the Personal Data Protection Commission of Singapore. We use these relationships to identify opportunities for regulatory and enforcement cooperation, information sharing and joint investigations.

The OAIC is also active in promoting information access rights internationally and working with fellow agencies. We will continue to collaborate to assist emerging jurisdictions to develop FOI capability and fit-for-purpose frameworks by sharing experience and best practice.

This includes providing national leadership in the ICIC through speaking engagements and sharing jurisdictional updates on information access developments in the Oceania region.

We will also continue to share information about Australian FOI laws and regulatory practice in bilateral and multilateral engagements in our region. This builds upon recent engagement with the Philippines and Samoa, including participating in UN programs to support Pacific Island countries to strengthen their national integrity systems.

Risk management

Positive risk management culture

The OAIC supports the continuous development of a positive risk culture in which staff at every level appropriately manage risk as an intrinsic part of their day-to-day work.

Effective risk management is embedded into the OAIC’s everyday practices, procedures and governance. Risk is managed by investing in the skills of our people, who are supported by governance frameworks, policies and technology to identify and manage risk.

Risk management framework

The OAIC’s risk management policies have been consolidated and updated to reflect the current operating environment, including the recent transition of shared services to DEWR and SDO. Our Risk Management Policy and Framework details our approach to risk management and outlines how the OAIC puts the policy into practice and complies with the Commonwealth Risk Management Policy.

Risk mitigation

The OAIC has defined enterprise risks and ensures it has risk mitigation strategies for all major projects and programs. Throughout the COVID-19 pandemic the OAIC updated its COVID-19 Business Continuity and Response Plan and established a COVID-19 Management Committee to ensure risks were identified and mitigated to protect staff health and wellbeing.

Risk profiles have been developed and recently reviewed that identify risk owners, current controls and treatment actions. Risk reports are regularly considered by our Audit Committee, Operations Committee and project governance committees.

The OAIC is proactive in its identification of risk and mitigation activities. This is demonstrated in our suite of documents that support our ongoing management of the Protective Security Policy Framework and associated workplan to review and update those documents. We recently undertook a security threat and risk assessment along with a revision of our Security Plan.

Audit Committee

The OAIC Audit Committee assists the Australian Information Commissioner in discharging statutory responsibilities. This includes risk oversight and the management of and compliance with relevant laws and policies. The committee meets quarterly and has an independent chair and 2 independent members. More details are available in the Audit Committee Charter available on our website.

Risk appetite

Our risk appetite is the amount and type of risk the OAIC is prepared to accept in pursuit of our objectives. The OAIC acknowledges that risk is a part of our operational posture and necessary to maximise outcomes for the Australian community. The OAIC encourages prudent risk taking and, should circumstances warrant, higher levels of risk may be tolerated with appropriate consideration, executive endorsement, monitoring and review. The OAIC’s appetite and tolerances for risk are defined in our Risk Appetite Statement.

Our enterprise risks

Risk management is an important part of our compliance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In June 2022, the OAIC held a Senior Executive Service–level risk workshop to review the OAIC's enterprise risks. The following table outlines some of our key enterprise risks and internal controls. The OAIC will continue to regularly review these enterprise risks to ensure they remain current and to ensure appropriate controls are in place to manage emerging risks.

The OAIC has quality regulatory processes, systems and products

The OAIC has robust governance

The OAIC contributes to increased trust and confidence in privacy and information access

The OAIC protects the information entrusted to it

The OAIC meets expectations for contemporary regulation

Information management policy and resources

Controlled document framework

Protective Security Policy Framework

Internal review and quality assurance processes

Continuous improvement of systems and processes

Reporting framework business intelligence

Legislative compliance framework

Controlled document framework

Audit Committee

Executive Committee and Operations Committee mechanisms

Specialist boards and committees for significant projects

Publication of Commissioner decisions and complaint outcomes

Range of regulatory functions and powers exercised

Publication of regulatory priorities

Interagency cooperation and coordination

Public awareness campaigns and stakeholder communications

Information management policy

Privacy Management Plan system controls

Privacy impact assessments Data Breach Response Plan

Protective Security Policy Framework

Appointment of chief security officer, privacy champion and privacy officers

Information security

Proportionate regulatory action taken in line with published policies

Proactively engages with stakeholders

Responds to relevant media inquiries

Collaborates with other regulators domestically and internally

Provides guidance on emerging issues such as the COVID-19 response

The OAIC is agile, responsive and risk informed

The OAIC is able to build and maintain strong influence and positive relationships

The OAIC is able to attract, grow and retain its people

The OAIC is a safe and healthy working environment

The OAIC is able to strategically prioritise its work to deliver statutory functions

Operations Committee and Regulatory Action Committee informed by data analysis

Media, domestic and international environment, and parliamentary monitoring and advice capability

Strategic planning

Workflow management informed by business reporting systems and process reviews

Range of regulatory functions and powers exercised

Active participation in domestic and international forums

Effective management of stakeholder relationships

Media monitoring and response

Support for professional training and development

Comprehensive induction program

Alignment to the APS Workforce Strategy 2025

Interagency engagement and opportunities to support recruitment

Engagement with staff through consultation forum, staff meetings and exit interviews

Establishment of hybrid work environment to support staff

Providing initiatives to support safe hybrid work environments

Work Health and Safety Policy

OAIC Health and Safety Committee

Employee Assistance Program

Protective Security Policy Framework

COVID-19 working from home guidance

Diversity Committee initiatives

Internal communications and engagement

Strategic and corporate planning processes

Publication of regulatory priorities

Regular reporting to Executive Committee and Operations Committee

Effective team planning and workflow management

Part 2: Our vision, purpose and key activities

This corporate plan describes the key enabling factors that will help us achieve our vision.

Our purpose

To promote and uphold privacy and information access rights

Our vision

To increase public trust and confidence in the protection of personal information and access to government-held information

Guiding principles

Engaged – Active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community

Targeted – Efficient allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators

Expert – Trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance

Independent – Professional by nature, fair and impartial by application

Agile – Collaborative and responsive to changes in technology, legislation and the expectations of the community and government

Key Activity 1

Influence and uphold privacy and information access rights frameworks

The OAIC has a wide range of regulatory functions and powers under the Privacy Act 1988, Freedom of Information Act 1982 and regulates the privacy aspects of the Consumer Data Right.

The OAIC regulates the community’s access to government-held information under the Freedom of Information Act 1982 (FOI Act). Our freedom of information (FOI) functions include conducting independent merits review of FOI decisions made by Australian Government agencies and ministers and investigating complaints about action taken by Australian Government agencies under the FOI Act.

The OAIC monitors the FOI system through analysis of agency statistics, Information Commissioner review applications and complaints to inform education and regulatory activity. The OAIC promotes timely and proactive access to information when making decisions about extensions of time, issuing guidelines under s 93A of the FOI Act and providing practical guidance, including in relation to the Information Publication Scheme.

The OAIC also regulates the handling of personal information by organisations and Australian Government agencies under the Privacy Act. We conciliate and investigate privacy complaints made by individuals against organisations and agencies, and act in partnership with recognised external dispute resolution schemes.

We receive notifications of eligible data breaches, conduct Commissioner-initiated investigations and provide guidance to organisations and agencies to help them embed accountable and compliant privacy practices. We use our assessments powers to help entities achieve legal and best practice compliance by identifying – and making recommendations to address – privacy risks and areas of non-compliance.

We will take appropriate regulatory action to address the information security practices of the finance and health sectors, as they continue to be the top 2 sectors reporting breaches. We will also prioritise regulatory action where entities fail to comply with reporting obligations or take reasonable steps to protect personal information, particularly where risks and mitigations have previously been publicised by our office.

The OAIC also regulates the privacy aspects of the CDR. The CDR provides consumers with greater access to and control over their data and will improve consumers' ability to compare and switch between products and services.

The OAIC’s CDR regulation is underpinned by coordinated compliance and enforcement activities with the ACCC. Our focus will be on ensuring that the fundamental privacy and security protections provided by the system are upheld by participants to protect consumers’ information and maintain public confidence in, and the integrity of, the CDR system.

We will issue updated privacy safeguard guidelines and advice on the CDR tailored to the energy sector. The OAIC will also continue collaboration with Treasury, the ACCC and the Data Standards Body to ensure that the fundamental privacy protections that are central to consumer trust and confidence in the CDR are embedded as it expands into additional sectors.

The OAIC will continue to advise on the privacy aspects of the My Health Record system and respond to risks identified through enquiries and complaints, privacy assessments and mandatory data breach notifications relating to the My Health Record system.

The OAIC will also continue to meet its regulatory responsibilities under Part VIIIA of the Privacy Act in relation to the COVIDSafe app, monitoring compliance with the legislation and completing the final 6 monthly report on the privacy aspects of the COVIDSafe system.

The OAIC will continue activities aimed at ensuring Australia’s frameworks are fit for purpose in protecting the personal information of Australians.

The OAIC will achieve this through reviewing and updating statutory instruments for which we have regulatory responsibility. The OAIC will also undertake monitoring activities and provide advice to agencies who are undertaking initiatives that have an impact on privacy.

We will engage with organisations and agencies through multiple channels including consultations, meetings, our Information Contact Officers Network and Privacy Professionals Network, annual Privacy Awareness Week and International Access to Information Day campaigns, and privacy officer training.

Key Activity 2

Advance online privacy protection for Australians

The OAIC will advance online privacy protections for Australians to support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks.

As a founding member of the Digital Platform Regulators Forum, in collaboration with the ACCC, Australian Communications and Media Authority and Office of the eSafety Commissioner, we will bring an increased regulatory focus to key areas of risk arising from Australians’ increasing engagement with the digital economy. We will prioritise regulatory action to address the harms arising from the practices of online platforms and services that impact individuals’ choice and control, through opaque information sharing practices or terms and conditions of service.

We will focus on technologies and business practices that record, monitor, track and enable surveillance and the use of algorithms to profile individuals in ways they may not understand or expect, with adverse consequences.

We will support innovation and capacity building to allow Australian businesses to benefit from using data, while minimising privacy risks for the community, including for vulnerable groups such as children. The OAIC will continue to provide advice to the Australian Government on privacy law reform with the goal of achieving a framework that is fit for purpose in the digital age.

The OAIC will continue to promote awareness of privacy risks and provide guidance to individuals, organisations and agencies about how to protect personal information online. In partnership with Privacy Authorities Australia and the Asia Pacific Privacy Authorities forum, we promote Privacy Awareness Week each May, raising awareness about the importance of protecting personal information among agencies, businesses and consumers.

We will collaborate with international regulators to influence the development of globally interoperable privacy regulation. Through our membership of the Global Privacy Assembly, we will continue to share knowledge, exchange ideas and identify solutions to emerging issues, such as the use of personal information in facial recognition technology. Our leadership on the Digital Citizen and Consumer Working Group places us at the forefront of developments in cross-regulatory collaboration and intersections between privacy and other regulatory spheres. We will use the full range of our regulatory functions and powers appropriately and proportionately to pursue serious breaches of privacy in the digital environment.

The OAIC will also actively consider opportunities to engage in joint regulatory actions, including cross-border investigations.

Key Activity 3

Encourage and support proactive release of government information

The OAIC will continue to promote a proactive approach to the publication of government-held information. We will focus on efficient access to information and facilitate innovation and engagement while ensuring privacy is protected.

Australians expect government to make decisions and deliver services in an accountable and transparent way. The OAIC will continue to work to ensure that agencies provide information, not only on request, but by proactively publishing information of interest to the community.

Government-held information is a national resource that should be managed for public purposes. Increased scrutiny and participation in government processes promotes better decision making. Through our regulatory functions – including Information Commissioner reviews, investigations of FOI complaints, monitoring of agency information access statistics and consideration of extension of time applications – we gain insight into emerging information access trends within our regulatory environment.

The timely release of government-held information, with a focus on quality decision making and proactive release of information, is consistent with the objects of the FOI Act and supports participative democracy. The OAIC will continue to focus on the need for agencies to make timely decisions and encourage proactive disclosure of information to increase transparency and accountability in decision making and support an efficient FOI system.

We will continue to support an approach within agencies and the offices of Australian Government ministers through the pandemic and beyond that facilitates and promotes the public’s ability to access information quickly and at the lowest reasonable cost. The OAIC will engage with agencies and ministers to promote understanding of the FOI Act and to ensure that FOI practice is consistent with the legislation and meets the expectations of the community. We will develop capability by providing guidance, including new and updated resources on our website.

We will actively promote the Information Publication Scheme to support proactive publication of government-held information. We will contribute to the implementation of the third Open Government National Action Plan and participate in the Open Government Partnership initiative. We will build on our relationships with domestic and international regulators and promote access to information rights, including, assisting emerging FOI jurisdictions.

Key Activity 4

Take a contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and being responsive to the community’s expectations of its regulatory bodies.

The OAIC is committed to developing a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice and take regulatory action.

Australians expect regulators to exercise their powers fairly and transparently for the benefit of the community. The OAIC takes a contemporary approach to regulation. We use data to assess risk and use appropriate regulatory tools to address privacy and information access issues in a proportionate and evidence-based way. We are committed to the development and retention of a highly engaged, skilled and professional workforce.

Our responsibilities include conducting investigations, reviewing decisions and handling complaints. We provide extensive guidance and advice and undertake assessments to support and encourage best-practice 18 compliance. The OAIC will continue to review our regulatory approach to ensure that it aligns with government and public expectations.

Our privacy and FOI regulatory action policies explain the OAIC’s approach to using our regulatory powers. They are accompanied by a Guide to privacy regulatory action and FOI Guidelines issued under s 93A of the FOI Act.

The OAIC has identified four broad areas for regulatory focus in 2022-23:

  1. online platforms, social media and high privacy impact technologies
  2. security of personal information
  3. ensuring the privacy and security protections in the Consumer Data Right are effectively implemented by participants
  4. the timely and proactive release of government-held information.

We undertake our regulatory role in accordance with principles of regulator best practice:

  1. Continuous improvement and building trust – adopting a whole-of-system perspective, continuously improving our performance, capability and culture, to build trust and confidence in Australia’s regulatory settings.
  2. Risk-based and data-driven – maintaining essential safeguards, using data and digital technology to manage risks proportionately to minimise regulatory burden and to support those we regulate to comply.
  3. Collaboration and engagement – being transparent and responsive, implementing regulation in a modern and collaborative way.

Part 3: Performance measurement framework

Performance measurement framework

Our performance measurement framework describes how we will measure our progress towards achieving our mission and purpose through:

  • key activities that describe our key functions and areas of work
  • intended results that describe the impact, difference or results we want to achieve in relation to our key activities
  • performance measures that we use to evaluate our progress towards the intended results
  • targets that describe the results we are aiming for in each performance measure
  • methodologies and data sources that describe how our performance information is collected, analysed and reported.

To assess achievement against our key activities, we use a mix of output, effectiveness and efficiency measures. This aims to achieve an appropriate balance in our reported performance information and enable an unbiased assessment of our results at the end of the performance cycle.

Our measures are of the following types:

  • Output measures assess the quantity and quality of the goods and services produced by an activity.
  • Effectiveness measures assess whether the activities have had the intended impact.
  • Efficiency measures assess the cost of producing a unit of output. Measuring efficiency within the OAIC is difficult given the nature of our outputs, which are not standardised. Accordingly, we have used proxy efficiency measures based on enquiry resolution times.
  • Portfolio Budget Statement (PBS) measures are measures that have been included in the OAIC 2022–23 PBS. These are all output (timeliness) measures.

Key Activity 1

Influence and uphold privacy and information access rights frameworks

The OAIC has a wide range of regulatory functions and powers under the Privacy Act 1988. The OAIC will continue to perform our regulatory functions and promote the privacy rights of all members of the community.

The OAIC also regulates the privacy aspects of the Consumer Data Right (CDR). The OAIC will continue to work collaboratively with the ACCC to ensure the ongoing and effective regulation of the CDR. As the CDR continues to expand across the economy, including to the energy sector, the OAIC will promote the inclusion of privacy protections that are central to consumers’ trust and confidence in the CDR. The OAIC will continue to develop and update guidance for CDR participants and consumers about their privacy obligations and rights.

The OAIC promotes access to government-held information through the regulation of the Freedom of Information Act 1982 (FOI Act) and our role in information policy. The OAIC will continue to perform our regulatory functions and promote the rights of all members of the community to access government-held information.

Intended Result 1.1 – The OAIC’s activities support the effective regulation of the Consumer Data Right

Performance measure

22/23 target

23/24 target

24/25 target

25/26 target

Methodology/ data source

Type

1.1 Effectiveness of the OAIC’s contribution to the regulation of the Consumer Data Right as measured by stakeholder feedback

Metric: Average performance rating from stakeholders based on a composite survey-based performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

Intended Result 1.2 – The OAIC’s regulatory outputs are timely

Performance measure

22/23 target

23/24 target

24/25 target

25/26 target

Methodology/ data source

Type

1.2.1 Time taken to finalise privacy complaints

80% of privacy complaints are finalised within 12 months

80% of privacy complaints are finalised within 12 months

80% of privacy complaints are finalised within 12 months

80% of privacy complaints are finalised within 12 months

OAIC management information system

Output

PBS Measure

1.2.2 Time taken to finalise privacy and FOI Commissioner- initiated investigations (CIIs)

80% of CIIs are finalised within 8 months

80% of CIIs are finalised within 8 months

80% of CIIs are finalised within 8 months

80% of CIIs are finalised within 8 months

OAIC management information system

Output

PBS Measure

1.2.3 Time taken to finalise Notifiable Data Breaches (NDBs)

80% of NDBs are finalised within 60 days

80% of NDBs are finalised within 60 days

80% of NDBs are finalised within 60 days

80% of NDBs are finalised within 60 days

OAIC management information system

Output

PBS Measure

1.2.4 Time taken to finalise My Health Record notifications

80% of My Health Record notifications are finalised within 60 days

80% of My Health Record notifications are finalised within 60 days

80% of My Health Record notifications are finalised within 60 days

80% of My Health Record notifications are finalised within 60 days

OAIC management information system

Output

PBS Measure

1.2.5 Time taken to finalise Information Commissioner (IC) reviews of FOI decisions made by agencies and Ministers

80% of IC reviews are finalised within 12 months

80% of IC reviews are finalised within 12 months

80% of IC reviews are finalised within 12 months

80% of IC reviews are finalised within 12 months

OAIC management information system

Output

PBS Measure

1.2.6 Time taken to finalise FOI complaints

80% of FOI complaints are finalised within 12 months

80% of FOI complaints are finalised within 12 months

80% of FOI complaints are finalised within 12 months

80% of FOI complaints are finalised within 12 months

OAIC management information system

Output

PBS Measure

1.2.7 Time taken to finalise written privacy and information access enquiries from the public

90% of written enquiries are finalised within 10 working days

90% of written enquiries are finalised within 10 working days

90% of written enquiries are finalised within 10 working days

90% of written enquiries are finalised within 10 working days

OAIC management information system

Output

PBS Measure

Key Activity 2

Advance online privacy protection for Australians

The OAIC will advance online privacy protections for Australians and minimise the risks of high privacy impact technologies to support engagement in the Australian digital economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration), and raising awareness of online privacy protection.

Intended Result 2 – The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community

Performance measure

22/23 target

23/24 target

24/25 target

25/26 target

Methodology/ data source

Type

2.1 Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice as measured by stakeholder feedback

Metric: Average performance rating from stakeholders based on a composite survey-based performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

Key Activity 3

Encourage and support proactive disclosure of government information

The OAIC will continue to promote a proactive approach to the publication of government-held information. We will focus on making better use of government-held information to support efficient access to information and facilitate innovation and engagement while ensuring privacy is protected.

Intended Result 3 – The OAIC’s activities support Australian Government agencies to provide quick access to information requested and at the lowest reasonable cost, and proactively publish information of interest to the community

Performance measure

22/23 target

23/24 target

24/25 target

25/26 target

Methodology/ data source

Type

3.1 Percentage of OAIC recommendations made following FOI complaint investigations accepted by agencies

90%

90%

90%

90%

OAIC management information system

Effectiveness

3.2 Effectiveness of OAIC’s advice and guidance on FOI obligations and the Information Publication Scheme in supporting government agencies to provide public access to government-held information, as measured by stakeholder feedback

Metric: Average performance rating from stakeholders based on a composite survey-based performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

Key Activity 4

Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and being responsive to the community’s expectations of Australia's regulatory bodies.

Intended Result 4 – The OAIC’s approach to its regulatory role is consistent with better practice principles

Performance measure

22/23 target

23/24 target

24/25 target

25/26 target

Methodology/ data source

Type

4.1 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust

Metric: Average performance rating from stakeholders based on a composite surveybased performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

4.2 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate collaboration and engagement

Metric: Average performance rating from stakeholders based on a composite survey-based performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

4.3 Stakeholder assessment of the extent to which the OAIC’s regulatory activities are risk based and data driven Metric: Average performance rating from stakeholders based on a composite survey-based performance index

Baseline to be established

Baseline result exceeded

Prior years’ results exceeded

Prior years’ results exceeded

Annual stakeholder survey conducted by an independent professional provider

Effectiveness

4.4 Number of stakeholder engagement activities

Metric: Number delivered via different engagement mechanisms

Targets not appropriate due to fluctuations in nature and complexity of policy environment in any given year

Targets not appropriate due to fluctuations in nature and complexity of policy environment in any given year

Targets not appropriate due to fluctuations in nature and complexity of policy environment in any given year

Targets not appropriate due to fluctuations in nature and complexity of policy environment in any given year

Data snapshot demonstrating key formal engagements supplemented by case studies to demonstrate breadth, variety and effectiveness of engagement activities and modes of delivery.

Effectiveness

4.5 Average call duration of telephone enquiries to the OAIC public enquiry line

Baseline to be established

Lower than baseline result

Lower than prior years’ results

Lower than prior years’ results

OAIC management information system

Efficiency

Alignment between PBS 2022-23 and Corporate plan 2022-23

The following table describes the alignment between our outcome and program structure described in the PBS and our Corporate plan purposes and key activities.

Outcome statement (PBS 2022-23)

Program (PBS 2022-23)

Purposes (Corporate Plan 2022-23)

Key activities (Corporate Plan 2022-23)

Outcome 1: Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of information commissioner, freedom of information and privacy functions.

Program 1.1: Complaint handling, compliance and monitoring, and education and promotion.

To promote and uphold privacy and information access rights.

Influence and uphold privacy and information access rights frameworks

Advance online privacy protections for Australians

Encourage and support proactive release of government information

Take a contemporary approach to regulation

Figure 1

Figure 1 is an infographic displaying the OAIC's performance measures and performance indicators. Figure 1 long text description

Long text descriptions

Figure 1

Figure 1 is an infographic displaying the OAIC's performance measures and performance indicators.

We will measure our performance in 2022-23 against our set of 16 indicators grouped by 4 key activities.

1 – Influence and uphold privacy and information access rights frameworks

Intended result 1.1 The OAIC’s activities support the effective regulation of the Consumer Data Right

1.1 Effectiveness of the OAIC’s contribution to the regulation of the Consumer Data Right as measured by stakeholder feedback Intended result

1.2 The OAIC’s regulatory outputs are timely

1.2.1 Time taken to finalise privacy complaints

1.2.2 Time taken to finalise privacy and FOI Commissioner-initiated investigations (CII’s)

1.2.3 Time taken to finalise Notifiable Data Breaches (NDBs) 1.2.4 Time taken to finalise My Health Record notifications

1.2.5 Time taken to finalise Information Commissioner (IC) reviews of FOI decisions made by agencies and Ministers

1.2.6 Time taken to finalise FOI complaints

1.2.7 Time taken to finalise written privacy and information access enquiries from the public

2 – Advance online privacy protections for Australians

Intended Result 2 – The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community

2.1 Effectiveness of the OAIC’s contribution to the advancement of online privacy protections and policy advice as measured by stakeholder feedback

3 – Encourage and support proactive release of government information

Intended Result 3 – The OAIC’s activities support Australian Government agencies to provide access to information on request promptly and at the lowest reasonable cost, and proactively publish information of interest to the community

3.1 Percentage of OAIC recommendations made following FOI complaint investigations accepted by agencies

3.2 Effectiveness of OAIC’s advice and guidance on FOI obligations and the Information Publication Scheme (IPS) in supporting government agencies to provide public access to government-held information, as measured by stakeholder feedback

4 – Take a contemporary approach to regulation

Intended Result 4 – The OAIC’s approach to its regulatory role is consistent with better practice principles

4.1 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust

4.2 Stakeholder assessment of the extent to which the OAIC’s regulatory activities demonstrate collaboration and engagement

4.3 Stakeholder assessment of the extent to which the OAIC’s regulatory activities are risk based and data driven

4.4 Number of stakeholder engagement activities

4.5 Average call duration of telephone enquiries to the OAIC public enquiry line

For more information:

Web: oaic.gov.au/corporate-plans Email: corporate@oaic.gov.au