Office of the Australian Information Commissioner

We are at the forefront of guidance, monitoring and enforcement of Australia’s privacy and freedom of information law.

Through this, we aim to shape how emerging technologies and data practices impact the lives of every Australian.

Our performance

We are successful when we:

1. Assist businesses and Australian Government agencies to understand their privacy obligations and respect and protect the personal information that they handle.

Primary activities:

  • Develop the privacy management capabilities of Australian Government agencies and businesses, and promote privacy best practice
  • Manage data breach notifications
  • Conduct privacy assessments
  • Develop legislative instruments.

2. Efficiently and effectively take action against suspected interferences with privacy to improve compliance with the Privacy Act 1988.

Primary activities:

  • Conduct Commissioner-initiated investigations
  • Manage privacy complaints.

3. Assist the community to understand and feel confident to exercise their privacy and information access rights.

Primary activities:

  • Provide a public information service
  • Promote awareness and understanding of privacy rights in the community
  • Provide an FOI public information service
  • Promote awareness and understanding of information access rights in the community.

4. Assist Australian Government agencies to understand their freedom of information obligations and respect and promote access to government information.

Primary activity:

  • Develop the FOI capabilities of Australian government agencies and ministers, and promote FOI best practice.

5. Efficiently and effectively carry out our regulatory functions under the Freedom of Information Act 1982.

Primary activities:

  • Conduct Information Commissioner reviews
  • Investigate FOI complaints and conduct Commissioner-initiated investigations.

Promote and uphold privacy rights

Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice

  • The OAIC applies a risk-based, proportionate approach to facilitate compliance with privacy obligations and promote privacy best practice
  • Guidance and educational materials are amended to incorporate learnings from regulatory activities such as assessments and investigations
  • Regular dialogue and consultation with businesses and Australian Government agencies is undertaken
  • The number of participating partners for Privacy Awareness Week is increased.

Manage data breach notifications

  • 80% of data breach notifications finalised within 60 days
  • 80% of My Health Records data breach notifications finalised within 60 days
  • Guidance and support tools for the Notifiable Data Breach scheme are published
  • Statistics on data breach notifications are published to inform the community about the operation of the data breach notification scheme.

Conduct Commissioner-initiated investigations (CIIs)

  • 80% of CIIs finalised within 8 months
  • CIIs result in improvements in the privacy practices of investigated entities
  • CII outcomes and lessons learnt are publicly communicated.

Manage privacy complaints

  • 80% of privacy complaints finalised within 12 months
  • Complaint handling service is promoted to the community.

Conduct privacy assessments

  • Assessments are completed in accordance with the schedule developed in consultation with the assessment target
  • Monitoring and compliance approaches are coordinated with the business and operational needs of the assessment targets
  • High proportion of recommendations accepted by assessment targets
  • Key assessment outcomes and lessons learnt are publicly communicated where appropriate.

Provide a privacy public information service

  • 90% of written enquiries are finalised within 10 working days
  • New community, legal and other networks are identified for targeted promotion of the public information service.

Promote awareness and understanding of privacy rights in the community

  • Increase in media and social media mentions about privacy rights
  • Awareness and understanding about privacy rights and the role of the OAIC is improved
  • Increase in attendance numbers and positive feedback from public facing events
  • The OAIC’s website is accessible for individuals and contains targeted content about privacy rights.

Develop legislative instruments

  • Applications for Public Interest Determinations and Australian Privacy Principles codes are considered and responded to in a timely manner
  • Legislative instruments are reviewed when necessary.

Promote and uphold information access rights

Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice

  • Tools and guidance are updated to assist Australian Government agencies to comply with the IPS
  • Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act
  • The majority of OAIC’s stakeholders receiving information are satisfied with the content and delivery.

Conduct Information Commissioner reviews

  • 80% of IC reviews are completed within 12 months.

Manage FOI complaints and investigations

  • 80% of FOI complaints finalised within 12 months
  • 80% of FOI Commissioner-initiated investigations finalised within 8 months.

Provide an FOI public information service

  • 90% of FOI written enquiries are finalised within 10 working days
  • New community, legal and other networks are identified for targeted promotion of the public information service.

Promote awareness and understanding of information access rights in the community

  • Increase in media and social media mentions about information access rights
  • The OAIC’s website is accessible for individuals and contains targeted content about information access rights.

Our performance

Environment

The coming years will continue to see rapid change in areas including technology, social and government service delivery. To ensure we are at the forefront of these changes, we will work closely with government and industry to better understand our operating environment, gain best practice and develop suitable processes and policies.

These processes and policies will be developed with both individuals and businesses in mind, with a focus on facilitating the use of data while protecting the personal information rights of individuals and enhancing transparency.

The coming years will also see continuing and increased development in the international space. As personal information continues to cross borders at a substantial rate and privacy becomes an increasingly important matter both politically and in the media, we will look both domestically and internationally to ensure we have the appropriate working relationships to facilitate and enable best practice privacy management and information access for all Australians.

Challenges

The challenges on the left hand side outline the activities that we plan to undertake to meet each of our goals, as set out by our Corporate Plan 2016–17. Following the 2016–17 reporting year, this section will be updated to include our results for each planned challenge.

Challenge 1: Promote, uphold and shape Australian information privacy rights.

Handle privacy complaints

  • 80% of privacy complaints finalised within 12 months
  • Ensure the timeliness and quality of complaint resolution
  • Resolve the majority of complaints by conciliation with both parties
  • Raise awareness about our complaints handling functions

Conduct privacy assessments

  • The median of completion of assessments is within six months
  • Provide a professional, independent and systematic appraisal of how well government agencies and businesses comply with the Privacy Act.
  • Entities change practices to ensure compliance with the Privacy Act.
  • Key learnings from assessments are incorporated into our guidance and educational materials.

Conduct Commissioner initiated investigations and handle voluntary and mandatory data breach notifications

  • 80% of CIIs are finalised within eight months
  • 80% of voluntary data breach notifications are processed or escalated to CII within 60 days
  • 80% of mandatory digital health data breach notifications are processed or escalated to CII within 60 days
  • Increase awareness about the voluntary data breach notification scheme with the OAIC
  • Key learnings are incorporated into our guidance and educational materials.
  • Entities change practices and implement recommendations from enforceable undertakings and determinations

Provide a public information service

  • 90% of written enquiries finalised within 10 working days
  • Raise public awareness about our information services for privacy related matters

Assist entities to improve their understanding of privacy compliance and promote privacy best practice

  • Key privacy resources are identified, developed and promoted for business, government and the community
  • Consultations are undertaken with stakeholders on significant privacy resources
  • Proposed enactments and government programs are monitored for privacy impacts
  • Advice is provided to government agencies and guidance to business on emerging privacy issues

Promote awareness and understanding of privacy rights in the community

  • Privacy Awareness Week campaign is held, with an increase in the number of participating private and public sector entities and an increase in wider community engagement
  • Understand and respond to the needs of culturally and linguistically diverse (CALD) communities so we can assist and educate all Australians about their privacy rights

Develop legislative instruments

  • Applications for Public Interest Determinations and Australian Privacy Principles codes are considered.
  • Legislative instruments are appropriate and up-to-date.
  • Develop methodology for measuring the intended outcomes above.

Challenge 2: promote and uphold Australian information access rights.

Provide a timely and effective Information Commissioner review function

  • 80% of Information Commissioner reviews are completed within 12 months
  • Reduction of the number of matters over 12 months old
  • Increase the number of matters finalised by informal resolution without proceeding to a decision
  • Build on the existing jurisprudence which shapes the FOI jurisdiction

Provide promotion and information to the Australian community on information access rights

  • 90% of written enquiries are finalised within 10 working days
  • Raise public awareness about FOI rights and our information service

Assist government agencies and ministers with FOI advice and maintain guidelines and resources to promote best practices

  • Key resources and guidelines under the FOI Act revised where necessary
  • Consultations are undertaken with stakeholders where relevant
  • Engage with government agencies and the public on FOI matters
  • Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights

Handle FOI complaints and investigations

  • 80% of FOI complaints finalised within 12 months
  • Uphold the effectiveness of FOI processing within agencies
  • Ensure the timeliness and quality of complaint resolutions

Challenge 3: develop the personal information management capabilities of Australian businesses and government agencies.

Promote the relationship between strong privacy governance and improved business effectiveness

  • Develop advice, guidance and promotion on the business and government agency advantages of proactive privacy-by-design management approaches

Assess education and training capacity and market demand

  • Assess current gaps and risks in public and private sector knowledge of privacy management
  • Develop business case analysis for the OAIC’s engagement and service delivery to address known gaps or opportunities, including on a fee basis
  • Determine forward programs for projects.

Promote, uphold and shape Australian information privacy rights.

We helped the community with 19,092 of their privacy questions
18%

  • Phone: 15,160
  • Written: 3,912
  • In person: 20

We received 2,128 privacy complaints this year and helped the public resolve 2,038 of their privacy issues
3%

97% of complaints were resolved within 12 months of receipt

During the year, the majority of complaints came from the following sectors

We reviewed the privacy practices of 67 organisations through 21 assessments

  • Australian Customs and Border Protection Service - Passenger Name Record. Sector: security. Assessment focus: APP 6. Report published: Dec 2015
  • Department of Immigration and Border Protection - bogus documents. Sector: security. Assessment focus: APP 1. Report published: Apr 2016
  • Department of Immigration and Border Protection - general privacy. Sector: security. Assessment focus: APP 11. Report published: TBA
  • Department of Immigration and Border Protection - Advanced Passenger Processing. Sector: security. Assessment focus: APP 11. Report published: TBA
  • Department of Immigration and Border Protection - Smartgate. Sector: security. Assessment focus: APP 11. Report published: TBA
  • ACT Revenue Office - protection of personal information. Sector: government. Assessment focus: TPP 11. Report published: Jun 2016
  • Comcare - open and transparent management of personal information and collection and notification. Sector: government. Assessment focus: APP 3. Report published: Sep 2016
  • Universal Student Identifier (USI) - general privacy. Sector: government. Assessment focus: APP 1. Report published: TBA
  • My Health Records - National Prescribing and Dispensing Repository. Sector: health. Assessment focus: APP 11. Report published: Assessment discontinued
  • My Health Records - National Repositories Service - follow up. Sector: health. Assessment focus: APP 11. Report published: Sep 2016
  • My Health Records - Australia Health Practitioner Registration Agency (AHPRA). Sector: health. Assessment focus: APP 10. Report published: TBA
  • Telstra - records of disclosure. Sector: it. Assessment focus: s 309 - monitoring by the Information Commissioner. Report published: Feb 2016
  • Optus - records of disclosure. Sector: it. Assessment focus: s 309 - monitoring by the Information Commissioner. Report published: Feb 2016
  • Vodafone - records of disclosure. Sector: it. Assessment focus: s 309 - monitoring by the Information Commissioner. Report published: Feb 2016
  • iiNet - records of disclosure. Sector: it. Assessment focus: s 309 - monitoring by the Information Commissioner. Report published: Feb 2016
  • Telstra - requests for information by law enforcement agencies. Sector: it. Assessment focus: APP 11. Report published: TBA
  • Document Verification Service - business users (listed 2 times). Sector: security. Assessment focus: APP 11. Report published: Sep 2016
  • Coles' Flybuys loyalty program. Sector: consumer. Assessment focus: APP 1. Report published: Jul 2016
  • Woolworths' Everyday Rewards loyalty program. Sector: consumer. Assessment focus: APP 1. Report published: Jul 2016
  • My Health Records - access controls of GP clinics (listed 7 times). Sector: health. Assessment focus: APP 11. Report published: Oct 2015
  • My Health Records - privacy policies of GP clinics (listed 40 times). Sector: health. Assessment focus: APP 1. Report published: Apr 2016

We received 123 data breaches from businesses in Australia and across the world

  • 107 voluntary
  • 16 mandatory

Of the data breaches that we received this year

  • n/a were malicious or caused due to criminal attacks
  • n/a were due to system glitches
  • n/a were caused by human error

Breakdown of data breach notifications will be available from 2016–17

Promote and uphold Australian information access rights.

We helped the community resolve 2,483 of their FOI questions
31%

The top three matters related to:

1. FOI matters outside of our jurisdiction
2. general processing of FOI requests and complaints
3. help and assistance for government agencies and ministers with their FOI processing

  • Phone: 1,854
  • Written: 624
  • In person: 5

We received 510 requests for an Information Commissioner review
37%

Information Commissioner reviews give the community an avenue for redress if they approach a government agency or minister for information and are not satisfied with the decision they receive

We finalised 454 Information Commissioner reviews

84% of applications were resolved within 6 months of receipt

We finalised 82% of Information Commissioner reviews without proceeding to a formal decision

In turn, only 18% of Information Commissioner reviews resulted in a formal Commissioner decision

Other Outcomes

Triage

  • 10%: Out of Scope
  • 7%: Allowed to go direct to AAT
  • 25%: Discretion not to review exercised, for example lacking substance, non-cooperative, lost contact

Case Management

  • 38%: Applicant withdraws after revised decision or for another reason
  • 2%: Formal agreement

Commissioner decisions

  • 18%: Commissioner decisions

Freedom of information statistics

Further information and combined APS agency FOI statistics can be viewed on data.gov.au

Develop the personal information management capabilities of Australian businesses and government agencies.

We partnered with 246 businesses and agencies to promote Privacy Awareness Week

We provided 230+ pieces of substantial advice to public and private sector organisations

We worked with a number of government agencies to ensure that they considered privacy from the start and incorporated it into upcoming policies and legislation. To help achieve this, we provided over 21 submissions to government

Our performance

Environment

The 2015–16 reporting year was a pivotal period for the office, with opportunities and challenges for both our privacy and information access areas. The year also ended with the office’s status reconfirmed, and funding provided to revitalise and continue a number of our previously reallocated functions.

In our compliance area, we continued to review our current processes and implement changes to improve our services for the community. During the year, we managed to maintain and slightly improve our complaint handling times, with 97% of all complaints resolved within 12 months of receipt.

In our policy area, we continued to work closely with the Australian Government, businesses and international community to improve privacy and information access practices. Our work included providing guidance, advice and support on a range of current and emerging issues and trends.

The 2016–17 year ahead presents significant development opportunities, particularly in enhancing the capacity of Australian government agencies to maximise data utility while protecting personal identity. We will also work to enhance our education and communication functions, to improve privacy and information awareness in the community.

Challenges

The challenges on the left-hand side outline the activities that we have agreed to undertake to meet each of our goals, as set out by our Corporate Plan 2015–16. They also highlight our results against each of the planned activities.

Challenge 1: promote and uphold information privacy rights

Handle privacy complaints

  • 97.2% of privacy complaints were finalised within 12 months of their receipt

Conduct performance assessments

  • average time taken to conduct privacy assessments this year was 5.7 months
  • 92.3% of CIIs were finalised within 8 months
  • 87.1% of voluntary data breach notifications were handled or escalated to CII within 60 days
  • 54.5% of mandatory data breach notifications were handled or escalated to CII within 60 days

Provide a public information service

  • 70% of privacy related written enquiries were finalised within 10 working days
  • 100% of phone enquiries were finalised on the day of the call

Assist regulated entities to improve understanding of privacy compliance

  • issued 230 pieces of advice on privacy issues
  • completed 27 submissions on privacy related topics
  • released 25 resources for the public and regulated entities with seven opened up for consultation

Promote awareness and understanding of privacy rights in the community

  • new website was launched in October 2015 with new accessibility features
  • increase in Privacy Awareness Week partners this year, with 246 private and public sector organisations

Develop legislative instruments

  • No applications for Public Interest Determinations and Australian Privacy Principle codes were received

Challenge 2: promote and uphold information access rights

Provide a timely and effective Information Commissioner review function

  • 87% of applications for an Information Commissioner review were finalised within 12 months of receipt

Provide an information service to the community on information access rights

  • 85% of FOI related written enquiries were responded to within 10 working days
  • 100% of phone enquiries were finalised on the day of the call

Challenge 3: organisational excellence

Excellence in people management

  • Results to come