-
On this page
The Office of the Australian Information Commissioner’s (OAIC’s) purpose is to promote and uphold privacy and information access rights. Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information. Our 4 Key Activities are set out in our Corporate plan.
In carrying out our Key Activities, decisions to undertake regulatory action are taken in accordance with the OAIC’s Regulatory action policies[1]. These policies require consideration of a range of factors including the objects of the relevant statute and the risks and impact of non-compliance.
The OAIC has considered the relevant factors in the identification of the following regulatory priorities for 2023–24, to ensure that the OAIC’s resources are focused on the prevention of privacy harm and upholding the community’s access to information rights in the areas of greatest impact and concern.
The OAIC's four areas for regulatory focus in 2023–24 are:
- Online platforms, social media and high privacy impact technologies
- Security of personal information
- Ensuring the privacy safeguards in the Consumer Data Right are effectively implemented by participants
- The timely and proactive release of government-held information.
1. Online platforms, social media and high privacy impact technologies
The OAIC will prioritise regulatory activities to address harms arising from practices of online platforms and services which impact on individual’s choice and control, through opaque information practices or terms and conditions of service.
Priorities within this area include technologies and business practices that record, monitor, track and enable surveillance, and the use of algorithms to profile individuals in ways they may not understand or expect, with adverse consequences. Practices involving the use of generative AI, facial recognition and the use of other biometric information will also be prioritised.
The OAIC will continue to collaborate and share information on cross-cutting issues relating to the regulation of online platforms through the Digital Platform Regulators Forum (DP-REG).
2. Security of personal information
The OAIC will prioritise regulatory action where there may be serious failures to take reasonable steps to protect personal information, the use of inappropriate data retention practices or failures to comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC.
While the personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches, the OAIC will take an economy wide interest in data retention practices.
3. Consumer Data Right
Consumer confidence in the Consumer Data Right is underpinned by coordinated compliance and enforcement activities by the OAIC and the ACCC.
The OAIC’s focus is on ensuring that the fundamental privacy safeguards provided by the system are upheld by participants to protect consumers’ information. This year, our regulatory activities will focus on new entrants to the system in the energy sector, oversight of CDR representatives and outsourced service providers by accredited data recipients, and security and quality of consumer data.
4. Proactive and timely disclosure of government-held information
The timely release of government-held information, with a focus on timely decision-making and proactive release of information, is consistent with the objects of the Freedom of Information Act 1982 and supports participative democracy. The OAIC will deliver this regulatory priority through reviewing Guidelines to place further emphasis on a pro-disclosure approach to the provision of access to government-held information.
We will also conduct a review of agencies’ compliance with the Information Publication Scheme which requires agencies to proactively publish certain information. To support timely disclosure of government-held information we will focus on agencies where there is a significant failure to meet statutory timeframes and intervene early in IC review of deemed access refusals.
[1] Privacy Regulatory Action Policy; Freedom of Information Regulatory Action Policy