Download the annual report 2023–24

OAIC_Annual-Report-2023-24 (PDF, 5918 KB)
Last updated: 31 October 2024

Overview

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency in the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our purpose is to promote and uphold privacy and information access rights.

We do this by:

  • ensuring proper handling of personal information under the Privacy Act 1988 and other legislation
  • protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • carrying out strategic information management functions within the Australian Government under the AIC Act.

Our regulatory activities include:

  • conducting investigations
  • handling complaints
  • reviewing decisions made under the FOI Act
  • monitoring agency administration
  • providing advice to the public, organisations and Australian Government agencies.

Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.

Our guiding principles across 2023–24:

  • Engaged – We are active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community.
  • Targeted – We allocate resources efficiently, taking appropriate action in responding to risk and public expectations of Commonwealth regulators.
  • Expert – We are a trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance.
  • Independent – We are professional by nature, and fair and impartial by application.
  • Agile – We are collaborative in our response to changes in technology, legislation and the expectations of the community and government.

Outcome and program structure

Our Portfolio Budget Statement describes the OAIC’s outcome and program framework.

Outcome 1: Provision of public access to Commonwealth Government information, protection of individuals’ personal information, and performance of Information Commissioner, freedom of information and privacy functions.

Program 1.1 Complaint handling, compliance and monitoring, and education and promotion.

Our annual performance statement details our activities and key deliverables and measures our performance against our Portfolio Budget Statement targets and the key activities set out in our Corporate plan 2023–24.

Our key activities are to:

  • influence and uphold privacy and information access rights frameworks
  • advance online privacy protections for Australians
  • encourage and support proactive release of government information
  • take a contemporary approach to regulation.

Regulatory focus

The OAIC identified 4 areas for regulatory focus in 2023–24:

  • online platforms, social media and high privacy impact technologies
  • security of personal information
  • ensuring the privacy safeguards in the Consumer Data Right are effectively implemented by participants
  • the timely and proactive release of government-held information.

In discharging our regulatory functions, we adhere to the following principles of regulatory best practice:

Continuous improvement and building trust – adopting a holistic view, continuously monitoring and seeking to improve our performance, capability and culture, and building trust and confidence in our regulatory functions.

Adopting a risk-based and data-driven approach to our activities – to manage risks proportionally and maintain essential safeguards by leveraging data, evidence-based methods and digital technology, to support our activities and reduce administrative burden on those we regulate.

Collaboration and engagement – being transparent and responsive to the needs of the community and those we regulate, genuinely engaging with and seeking feedback from our stakeholders on our performance, and implementing regulation in a modern and collaborative way.

The OAIC monitors our performance against the principles of regulatory best practice through our performance measurement framework – specifically measures 4.1, 4.2 and 4.3.

Overview from the Australian Information Commissioner

Angelene Falk, Australian Information Commissioner

It has been a busy and important year for the OAIC. We have returned to a true, three-commissioner model, with the appointment of a standalone privacy commissioner, Carly Kind, who joined the OAIC in February 2024, together with Freedom of Information Commissioner Elizabeth Tydd. It has been my great privilege and pleasure to work alongside the FOI and privacy commissioners, who bring exceptional expertise to the OAIC.

This has been a very positive move to bolster the OAIC to carry out our important statutory functions, alongside our consideration of our forward structure. This followed the strategic review undertaken across November to February. It comes at a critical time, ahead of long-sought improvements to the Privacy Act to be introduced into Parliament, and a clear continuing imperative to help drive better access to information practices across government.

Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year).

In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).

We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.

We commenced civil penalty proceedings into Australian Clinical Labs and Medibank Private following investigations of their data breaches. Our view is that both companies seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure.

We also continued to progress significant investigations into Optus and the Latitude group of companies in relation to their data breaches, and commenced an investigation into HWL Ebsworth Lawyers following theirs.

It came as no surprise that the results from our three-yearly Australian Community Attitudes to Privacy Survey (ACAPS), released in August 2023, showed a sharp increase in the number of Australians who feel data breaches are the biggest privacy risk they face today.

The findings point to several areas where organisations can do more to build trust in the community, and it is increasingly clear that good privacy practices are a community expectation, as well as being required by law. The survey findings also show the strong community support for privacy law reform, and the OAIC looks forward to seeing the very necessary updates to the Privacy Act come to fruition.

Another notable highlight of 2023–24 has been our work in support of the implementation of the Digital ID program, as the OAIC gears up to regulate the privacy aspects of the Digital ID system. The new system has important privacy safeguards for Australians to digitally verify their ID online and reduce the need for collection and retention of identity information.

Our collaborative work with other regulators, both domestically and internationally, has continued, with a notable highlight being the OAIC’s election to the Executive Committee of the International Conference of Information Commissioners (ICIC), where the OAIC will be working with other ICIC members to foster the protection and the promotion of access to public information as a fundamental pillar of social, economic and democratic governance.

Our FOI functions have benefitted across 2023–24 from the energy, focus and expertise brought by Acting FOI Commissioner Toni Pirani and FOI Commissioner Elizabeth Tydd, who have implemented a range of measures to help the OAIC address the FOI backlog and assist agencies to better support the community’s right to access information.

The OAIC’s dedicated push to clear FOI complaints resulted in a 204% increase in FOI complaints finalised in 2023–24, despite a 27% increase in the number received. We also saw an increase (7%) in the number of Information Commissioner (IC) reviews requested this reporting year (1,766 compared to 1,649 the year prior). People can request IC reviews if they are not happy with an agency’s decision in response to their FOI request, or if the agency has not made a decision within the time the FOI Act allows.

We achieved a 15% increase in IC reviews finalised – finalising 1,748 in total, compared to 1,518 last year.

We continued our focus on clearing longer-standing IC reviews. We finalised 42% (510) of the 1,217 matters that were over 12 months old as at June 2023, clearing the bulk of those that were the oldest, and generally more complex. However, with additional IC reviews coming in over the year, this brought us to a total of 1,157 matters on hand at 30 June 2024 that were over 12 months old at that date. The year also saw 207 s 55K IC review decisions being made, a record number for the history of the OAIC and an increase from 68 the previous year.[1]

The FOI team, and those across the OAIC who assisted, are to be commended for the notable strides the OAIC has taken over this period, which represents a very positive position for the OAIC to continue its important work in this regulatory domain.

The completion and release of the OAIC’s third five-yearly review of the Information Publication Scheme (IPS) was another highlight of the year. The IPS requires Australian government agencies to publish a broad range of information and authorises agencies to release other information to the public proactively, to support greater openness and transparency. The OAIC is asking agencies to review the results and trends in order to improve proactive release and foster an ‘open by design’ culture.

The end of 2023–24 marks a transition for the OAIC, with a new Information Commissioner, Elizabeth Tydd, starting at the end of my term in August 2024. Commissioner Tydd brings exceptional expertise and deep experience to the role. The transition has been made all the more seamless through our work together over the past months.

It has been a great privilege to serve as both Information Commissioner and Privacy Commissioner across 2 terms spanning 6 years. The OAIC is a confident regulator able to use the full range of our regulatory powers, with a number of civil penalty proceedings filed. During that time, the remit of the OAIC has also expanded considerably, with oversight of the privacy aspects of new laws and programs such as the NDB scheme, My Health Record opt out system, Consumer Data Right (CDR) and Digital ID, along with an exponential increase in the demand for the OAIC’s services across FOI and privacy. Now at least 37 different pieces of primary and subordinate legislation confer responsibilities on the OAIC or require other bodies to consult us on privacy matters.

The OAIC is experienced in managing change, with significant changes occurring to its composition and funding over its 14-year span. This change continues, with reduced budget over the forward estimates, while the remit of the OAIC continues in importance. The recent and proposed reforms to the Privacy Act and the exponential increase in demand for FOI services provide a compelling case for the OAIC’s resources to meet the future expectations of organisations, government and the community.

Just as I am confident that there are many more important developments to come, I know that the dedicated staff who have achieved so much on behalf of the Australian community will continue to deliver on the OAIC’s purpose: to promote and protect privacy and information access rights. As always, the achievements in this annual report are theirs.

Angelene Falk
15 August 2024

Our year at a glance

Privacy complaints

We received 5% fewer privacy complaints

We received 3,215 privacy complaints in 2023-24 compared to 3,401 in 2022-23

We finalised 20% more privacy complaints

We finalised 3,104 privacy complaints in 2023-24 compared to 2,576 in 2022-23

78% of privacy complaints were finalised within 12 months against a target of 80%

Top 5 sectors by privacy complaints received in 2023–24

Privacy enquiries

We handled 10,476 privacy enquiries, a reduction of 10% from 2022-23

Enquiries handled: 7,659 by phone, 2,815 written and 2 in-person

Notifiable Data Breaches scheme

We received 13% more notifications under the Notifiable Data Breaches scheme

We received 1,012 notifications during 2023-24 compared to 897 in 2022-23

85% of notifications were finalised within 60 days against a target of 80%

49 days was the average time taken to finalise a data breach notification

Freedom of Information (FOI) enquiries

We handled 1,167 Freedom of Information enquiries, a 2% reduction from 2022-23

We handled 1,157 phone and 460 written Freedom of Information enquiries

We received 27% more FOI complaints

We received 268 FOI complaints in 2023-24 compared to 211 in 2022-23

We finalised 204% more FOI complaints

We finalised 377 complaints in 2023-24 compared to 124 in 2022-23

104 months was the average time taken to finalise a Freedom of Information complaint

Information Commissioner (IC) reviews

We received 7% more applications for IC review of FOI decisions

We finalised 15% more IC reviews

We finalised 1,748 IC reviews during 2023-24 compared to 1,518 in 2022-23

63% of applications for IC reviews were finalised within 12 months against a target of 80%

Average time taken to finalise an IC review was 15.5 months

Top 5 agencies involved in IC reviews received in 2023–24

Home Affairs 661, Veterans Affairs 198, Defence 108, Services Australia 83, National Disability Insurance Agency 77

Our structure

The OAIC is headed by the Australian Information Commissioner, who is a statutory officer appointed by the Governor-General. This role was held during 2023–24 by Angelene Falk.

The Commissioner has a range of powers and responsibilities outlined in the AIC Act, and also exercises powers under the FOI Act, the Privacy Act and other privacy-related legislation. The Information Commissioner is the OAIC’s accountable authority, with responsibility for strategic oversight, corporate governance and the OAIC’s privacy, freedom of information and government information management functions.

In 2023, the Attorney-General announced that the OAIC would return to a three-commissioner model, with the appointment of a standalone Privacy Commissioner. Prior to this, the roles of Information Commissioner and Privacy Commissioner were combined.

The OAIC is supported by a Deputy Commissioner, Chief Operating Officer, and Assistant Commissioners.

Australian Information Commissioner

Angelene Falk commenced as the Australian Information Commissioner and Privacy Commissioner in August 2018 and was reappointed for a second 3-year term in 2021.

Over the past decade, Commissioner Falk has worked extensively with Australian Government agencies, the private sector and international organisations to address regulatory challenges and opportunities presented by rapidly evolving technology and potential uses of data. Her experience extends across industries and subject matter, including data breach prevention and management, data sharing, credit reporting, digital health and access to information.

During her term, Commissioner Falk served as a member of the National Data Advisory Council and Digital Platform Regulators Forum. She was admitted as a legal practitioner to the Supreme Court of New South Wales in 1998 and holds a Bachelor of Laws with Honours, a Bachelor of Arts, a Graduate Diploma in Intellectual Property Law and a Graduate Diploma in Legal Practice.

Privacy Commissioner

Carly Kind commenced as Australia’s Privacy Commissioner in February 2024. Prior to taking up this role, she was the inaugural director of the UK-based Ada Lovelace Institute. As a human rights lawyer and leading authority on the intersection of technology policy and human rights, she has advised industry, government and non-profit organisations on digital rights, AI, privacy and data protection, and corporate accountability in the technology sphere.

She has worked with the European Commission, the Council of Europe, numerous United Nations bodies and a range of civil society organisations. She was formerly legal director of Privacy International, a non-governmental organisation dedicated to promoting data rights and governance.

Commissioner Kind has a Masters of Science, International Relations (Hons) from the London School of Economics, a Graduate Diploma in Legal Practice, and a Bachelor of Arts (International Relations) (Hons) and Bachelor of Laws from the University of Queensland.

Commissioner Falk held the position of Privacy Commissioner concurrently with the position of Australian Information Commissioner from August 2018 until February 2024.

Freedom of Information Commissioner

Elizabeth Tydd took up the position of Freedom of Information Commissioner in February 2024. Prior to that, she served two 5-year terms as the Information Commissioner at the Information and Privacy Commission (IPC) of New South Wales.

She has occupied a number of statutory decision-making roles in NSW commissions and tribunals, including deputy president of the Workers Compensation Commission and deputy chairperson of the former Consumer, Trader and Tenancy Tribunal.

Commissioner Tydd holds a Bachelor of Laws and Master of Laws from the University of Technology Sydney, and a Graduate Diploma in Legal Practice. She also holds postgraduate certificates in executive management and governance, together with postgraduate qualifications in leadership and policy from Harvard University. In August 2024, she took up the position of Australian Information Commissioner.

Ms Toni Pirani held the role of Acting FOI Commissioner from May 2023 to February 2024. She holds a Bachelor of Laws and has worked in the public service for over 35 years, including roles with royal commissions, the Attorney-General’s Department and the Australian Financial Security Authority. She has since been appointed as the FOI Commissioner, taking up this role in August 2024.

Our branches

Our 6 branches undertake work in relation to our privacy, digital identity, FOI and information management functions.

The Dispute Resolution branch is responsible for resolving privacy disputes. This includes:

  • handling privacy and FOI enquiries
  • handling privacy complaints, which includes:
    • resolving privacy complaints at the earliest opportunity by assisting parties to reach settlement through conciliation
    • investigating more complex complaints and providing outcomes
    • supporting the Information Commissioner to make determinations, which may include declarations about entities taking remedial action
  • administering the Notifiable Data Breaches (NDB) scheme to ensure individuals are notified of data breaches so they can act to protect their personal information and that data breaches are contained and rectified
  • conducting Commissioner-initiated preliminary inquiries and investigations into particular acts and practices, which may result in further regulatory action, that may include civil penalty proceedings, determinations and enforceable undertakings
  • undertaking enforcement relating to the Consumer Data Right (CDR) system.

The Major Investigations branch was established for 2 years on 31 October 2022 to investigate serious breaches of the Privacy Act, due to the increased complexity, scale and impact of these matters, and to recommend suitable regulatory responses. It is responsible for:

  • investigating significant privacy breaches
  • recommending suitable regulatory action, which may include civil penalty proceedings, determinations and enforceable undertakings.

The Digital ID Implementation team was established as a short-term taskforce to prepare the OAIC for its new Digital ID function as privacy regulator of the Digital ID system, including preparing areas of the OAIC to carry out the specific Digital ID functions.

Following the team’s preparatory work, Digital ID will be integrated into ‘business-as-usual’ OAIC operations, with Digital ID functions distributed across the office.

The team is responsible for:

  • providing strategic advice and developing guidance for individuals, government and businesses
  • collaborating with other regulators of the Digital ID system
  • developing and delivering training to upskill OAIC staff
  • amending the OAIC’s case management system to reflect the OAIC’s expanded role
  • developing a regulatory strategy relating to Digital ID
  • updating our Regulatory Action Policy and Guide to Privacy Regulatory Action to reflect the new and enhanced powers
  • communicating and promoting key privacy messages.

The Regulation and Strategy branch is responsible for:

  • providing strategic advice and guidance to individuals, government and businesses, which includes examining legislation and other proposals that may have an impact on privacy, data sharing and open government
  • managing the program of work under the OAIC’s international strategy
  • auditing privacy practices in industry and government agencies
  • strategic policy advice and guidance in relation to the CDR system, monitoring and assessing compliance, and handling CDR enquiries and complaints.

The FOI branch is responsible for undertaking the OAIC’s FOI regulatory functions, including:

  • undertaking Information Commissioner reviews
  • monitoring, investigating and reporting on compliance through FOI complaints and Commissioner-initiated FOI investigations
  • deciding on applications for vexatious applicant declarations and extensions of time
  • collecting information and statistics from agencies and ministers about FOI matters
  • undertaking the 5-yearly review of the Information Publication Scheme
  • providing advice and guidance on FOI and information access, including the Information Publication Scheme.

The Corporate branch provides enabling services across the OAIC. This includes:

  • providing the OAIC’s legal services, strategic communications, people and culture, governance, finance, business analytics and reporting, facilities and information management, and executive support functions
  • coordinating the OAIC’s identification, assessment and mitigation of strategic and operational risks
  • managing the security posture of the office, including compliance with the Protective Security Policy Framework.

[1] The average time to finalise an FOI complaint increased in 2023–24 due to our focus on finalising complaints received and registered up to 31 December 2022. See page 32.

[2] The average time taken to finalise an IC review increased in 2023–24 due to our focus on finalising legacy matters more than 12 months old. See pages 30–31.