Skip to main content
About the OAIC
  • On this page

Publication date: August 2020

Download the print version

Preliminary page

Creative Commons

You are free to share, copy, redistribute, adapt, transform and build upon the materials in this plan with the exception of the Commonwealth Coat of Arms.

Please attribute the content of this publication as:
Office of the Australian Information Commissioner Corporate Plan 2020–21.

Contact

Mail:Director, Strategic Communications
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Email:enquiries@oaic.gov.au
Websitewww.oaic.gov.au
Twitter:@OAICgov
Phone:1300 363 992

Non-English speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Office of the Australian Information Commissioner on 1300 363 992.

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Statement of preparation

I, Angelene Falk, Australian Information Commissioner, present the Office of the Australian Information Commissioner’s Corporate Plan 2020–21, for the 2020–21 to 2023–24 reporting periods, as required under section 35(1)(b) of the Public Governance, Performance and Accountability  Act 2013.

28 August 2020

About us

The Office of the Australian Information Commissioner is an independent statutory agency within the Attorney-General Department’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).

Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:

  • Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
  • Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
  • Performing strategic functions relating to information management in the Australian Government, in accordance with the AIC Act.

Overview

Structure of our plan

Our Corporate Plan outlines who we are, what we are here to do, our vision and how we will achieve it. The plan is broken into two parts:

  • Part 1 – Operating context – Our environment, Capabilities, Risk management, Cooperation and collaboration
  • Part 2 – Our strategic priorities – Corporate Plan overview

Commissioner’s foreword

This year’s Corporate Plan sets out how the OAIC will achieve our core purpose — to promote and uphold privacy and information access rights — in the context of a vastly different environment to that of a year ago. The COVID-19 pandemic has transformed the way we work and live, and how we communicate with one another, in ways we could have not imagined at the start of 2020.

Australia has fared better than many other nations due to swiftly implemented public health measures, but the pandemic has brought enormous social and economic impacts. It has also focused attention on the right to privacy, and the need for transparency across both personal information handling and government decision-making.

As governments and businesses seek solutions to halt the spread of the coronavirus, there is a heightened need to use personal information to achieve public health and economic outcomes.

This is critical. But the use of personal information must be demonstrably necessary, reasonable and proportionate. We must also emerge from the pandemic with rights protected.

The OAIC has a central role to play in supporting these outcomes, as they are realised most effectively where privacy is safeguarded and decision-making processes are transparent. We know that protecting personal information and minimising privacy impacts is essential for the community trust and confidence needed to find and adopt solutions at speed. To maintain that trust over time, access to the information used by governments to shape their pandemic response will continue to be fundamental, in providing transparency and accountability.

Over the next four years, the OAIC will continue our regulatory efforts to achieve our vision of increased public trust and confidence in the protection of personal information and access to government-held information.

We are focused on action that increases individuals’ ability to manage their privacy choices and exercise control, and enhances the accountability of regulated entities. This underpins not only our approach to privacy reform, but to regulating and enforcing existing privacy protections.

We will continue to advance online privacy protections for Australians, influence and uphold privacy and information access rights frameworks, and encourage and support proactive release of government-held information.

Our regulatory priorities respond to the needs of our domestic environment and are informed and influenced by activity across the global regulatory landscape. We are taking a leadership role in promoting globally interoperable regulatory approaches, and coordinated and joint enforcement activities.

In achieving our purpose, the OAIC is guided by our key principles: we are targeted, engaged, agile,

independent and expert in exercising our regulatory functions. Operating as a contemporary regulator, our effective risk management, performance measurement framework, and highly engaged and capable workforce underpin our effort.

As the pandemic continues and the recovery emerges, both public health, policy and economic outcomes can be supported through promoting and upholding privacy and information access rights. It is that objective that the OAIC seeks to achieve, in the public interest.

Angelene Falk

Australian Information Commissioner and Privacy Commissioner

28 August 2020

The year ahead

COVIDSafe contact tracing app and the pandemic response

The Australian Government’s COVIDSafe contact tracing app was supported by a detailed Privacy Impact Assessment and amendments to the Privacy Act 1988 which provided transparency and accountability in relation to its use of personal information. The OAIC has an expanded regulatory role and powers in relation to the app and National Data Store, including the handling of COVIDSafe app data by state and territory health authorities. Any unauthorised collection, use or disclosure of COVIDSafe app data is not only a criminal offence under the amendments, but also triggers the regulatory powers of the OAIC.

The OAIC has convened a National COVID-19 Privacy Team to bring regulators together to respond to proposals with national implications. Over the coming year, the OAIC will monitor the handling of personal information in the COVIDSafe system and report in November 2020.

The OAIC will also continue to provide guidance to entities that are handling personal information in order to prevent and manage the spread of COVID-19. We will also pursue related regulatory activities where necessary, where personal information is at risk through practices related to the pandemic.

Privacy law reform

The year ahead will be a significant one for privacy law reform in Australia, with a government review of the Privacy Act providing a landmark opportunity to ensure our privacy framework can respond to new challenges in the digital environment. The OAIC will play a key role through exercising our function to advise on the need for legislative action in the interests of the privacy of individuals.

Our approach to reform is informed by four key elements: the need for global interoperability to make sure our laws connect around the world and data is protected wherever it flows; enabling privacy self-management, so individuals can exercise meaningful choice and control; ensuring organisational accountability, with sufficient obligations built into the system; and a contemporary approach to regulation providing the right tools to regulate in line with community expectations.

Privacy in the online environment

As the importance of the online environment increases for the economy, education and our connections, we are particularly focused on privacy practices that occur online and as a result of new and emerging uses of technology. We are preparing for the introduction of a binding code of practice for online platforms and social media, supported by legislation. This will improve the ability of Australians to manage privacy choices through transparent policies and better practices around consent, and improve protections for children and other Australians with particular needs.

The innovative use of personal information can lead to positive economic and social outcomes, but it can also result in harms, and we will pursue regulatory activities to mitigate these risks.

Consumer Data Right implementation

The Consumer Data Right (CDR) commenced in the banking sector in July 2020, giving consumers greater choice and control over their data. As co-regulator of the Consumer Data Right, the OAIC will undertake a number of regulatory activities. Our aim is to ensure that providers understand and comply with the privacy safeguards so that consumers can share their data with confidence.

In 2020–21, the OAIC will continue to collaborate closely with the Australian Competition and Consumer Commission to develop a strong privacy framework to support the Consumer Data Right rollout to the energy sector.

Notifiable data breaches

The introduction of the Notifiable Data Breaches scheme in 2018 is driving a greater focus on data breach prevention strategies, including measures to embed training and minimise human error in order to protect personal information.

The OAIC has an effective framework to assess and respond to notifications and provide guidance to businesses, agencies and the community. We will continue to provide statistical reports on the causes of data breaches, to inform prevention strategies.

Our focus on personal information security will also be reflected in our compliance and enforcement activities.

My Health Record

The OAIC oversees the privacy aspects of the My Health Record system which is managed by the Australian Digital Health Agency. In the coming year, we will continue to monitor, regulate and provide advice on the operation of the system, along with guidance for healthcare providers to support good privacy practice. The OAIC will engage with the implementation of the Australian National Audit Office’s recommendations following their report into the My Health Record system, alongside the review of the My Health Records Act 2012.

Proactive publication

The OAIC continues to promote transparency and accountability in government through initiatives that facilitate the proactive provision of government-held information to the community.

These initiatives are aimed at making better use of government-held information to support Australian’s efficient access to information, innovation and engagement, while ensuring appropriate privacy safeguards are in place.

As demand for our access to information services continues to increase, we remain focused on process improvement, and are supporting agencies with updated guidance and resources to help ensure freedom of information frameworks are implemented efficiently and effectively.

We will also continue to engage with the Open Government Partnership, with delivery of the third National Action Plan an opportunity to set goals that strengthen and enhance transparency for all.

Our ambition

Purpose

Our purpose is to promote and uphold privacy and information access rights.

Vision

Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.

Guiding principles

Engaged — Active contributors and collaborators in the contemporary application of information protection and management legislation and regulation for businesses, government and the community

Targeted — Efficient in the allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators

Expert — Trusted authority on data protection and access to information, advising on policy, legislative reform and regulatory action, and providing education and guidance

Independent — Professional by nature, fair and impartial by application

Agile — Collaborative and responsive to changes in technology, legislation and the expectations of the community and government.

How we will achieve our ambition

We have identified 4 strategic priorities to enable us to deliver on our purpose and achieve our vision.

This corporate plan outlines these priorities and our key activities between 2020–21 and 2023–24.

It also describes our performance measurement framework, including:

  • Indicators – define how we assess our progress towards our strategic priorities
  • Measures – define how we will achieve our indicators
  • Targets – set clear expectations of success.

What will enable our success

This corporate plan describes key enabling factors to help us achieve our strategic priorities.

Capabilities

We constantly review our capabilities to ensure we have the resources needed to drive our key focus areas.

Risk management

We have risk oversight and management systems in place to support the achievement of our strategic priorities.

Cooperation and collaboration

We work with stakeholders to deliver our core regulatory functions and cooperate at domestic and international level to advance our strategic priorities.

OAIC ambition graphic 2020

Part 1: Operating context

The Office of the Australian Information Commissioner promotes and upholds privacy and information access rights. We perform our regulatory functions in a complex global data environment. Our effective risk management and highly capable workforce underpin our efforts. We cooperate with our counterparts and collaborate with other agencies to advance our strategic priorities.

Our environment

Understanding and responding to our environment is essential to achieving our vision of greater trust and confidence in personal information protection and access to government-held information. When that environment is changing rapidly in response to the COVID-19 pandemic, and will continue to change in ways we cannot yet foresee, this poses a significant challenge.

Our Corporate Plan 2020–21 identifies the key factors shaping our environment and affecting how we apply our guiding principles to deliver on our agency’s purpose. The core principles of transparency and accountability underpin the privacy and information access frameworks that we regulate. We support these principles through the exercise of all our functions, including our regulation of the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act).

Over the past five years, the OAIC has experienced significant growth across our regulatory functions, particularly in our primary functional areas of privacy complaints and reviews of agencies’ freedom of information (FOI) decisions (IC reviews). This reflects heightened awareness and expectations of transparency and accountability from the community when it comes to both personal information handling and access to information.

The introduction of the Notifiable Data Breaches scheme in 2018 expanded the OAIC’s responsibilities and increased protections for consumers at risk of harm from data breaches. The OAIC also plays an important role in relation to the My Health Record system, managing complaints when sensitive and personal information is mishandled and providing assurance over its statutory privacy protections.

In the past 12 months, our responsibilities have been further expanded to include oversight of privacy protections in relation to the COVIDSafe app. We also regulate the privacy safeguards and complaints mechanism built into the new Consumer Data Right which commenced on 1 July 2020.

Globalised and rapidly evolving data environment

While countries around the world impose entry restrictions, our personal information continues to travel across national borders. Physical distancing requirements and remote working arrangements are driving an increase in online engagement. In a rapidly evolving data environment, a global regulatory approach is needed to protect Australians’ data wherever it flows.

Increased value of data as a commodity

In a digital economy, the volume of data held by government and business is growing exponentially. Business is increasingly sophisticated in its use of personal data to offer more tailored products and drive financial returns. Physical distancing requirements and remote working environment are fuelling the expansion of ecommerce.

Public trust in information handling and expectations of greater transparency and accountability

The OAIC works to align community expectations and organisational practice in handling personal information and implementing new technologies. Community expectations regarding transparency  and accountability of government agencies and ministers are reflected in an increasing number of applications for review of FOI decisions.

The impact of the COVID-19 pandemic has brought unprecedented challenges for Australian society and the Australian Government has had to make significant decisions affecting public health and the economy. The right of the public to access information about these decisions is vital. Promoting the proactive disclosure and publication of information will help to build trust in government and has the potential to reduce the impact of processing FOI requests on agency resources.

The COVID-19 pandemic has heightened public awareness of privacy as a critical issue and the need to carefully balance the protection of individuals with other public benefits. The Bushfire Disaster Emergency Declaration also illustrated the need to balance different public goods.

The review of Australia’s privacy law will focus attention on privacy issues around emerging technologies, profiling and automated decision-making. A strong foundation of privacy and data protection supports innovation and drives the growth of the digital economy. Globally interoperable data protection laws are increasingly important to protect all consumers online and reduce unnecessary burdens on business.

Shift in expectations of regulators

The contemporary approach to regulation expected by the community is that government regulators utilise the full range of compliance and enforcement tools available in the law. As a regulator, we engage with these expectations by taking an approach that drives more efficient processes and greater effectiveness. We are enhancing our people capability to ensure capacity across our full suite of compliance and enforcement powers. We will also support reform measures that provide greater regulatory flexibility and deterrent capacity to the OAIC.

Enabling innovation and growth

Strong privacy and data protection frameworks support innovation and growth in the Australian digital economy and international trade. Globally interoperable data protection laws are increasingly important to protect all consumers online and reduce regulatory friction for business.

Government transparency initiatives

New access to information initiatives are emerging internationally, aimed at building effective, accountable and inclusive institutions at all levels. Working in partnership with other information management agencies, the OAIC has a role to play in delivering on Australia’s commitment to Open Government. We will explore ways to apply the FOI Act to help meet community expectations about the accountability and transparency of government agencies and ministers. Making information held by government publicly available as a national resource supports innovation and growth.

International regulatory collaboration

Cooperation among privacy and data protection authorities is accelerating in response to shared challenges including the COVID-19 pandemic. Australia is at the forefront of international collaboration including through our leadership role in the Global Privacy Assembly.

Capabilities

As a small agency the OAIC accesses shared service arrangements for the provision of services that support our capability. Information and communication technology (ICT), financial and some human resources services are provided by the Australian Human Rights Commission.

The OAIC Executive, with support from dedicated OAIC staff in key capability areas, takes a strategic approach to growing and stabilising our capabilities to enable us to deliver our core business effectively.

Strategies and plans associated with our capability are outlined within Strategic Priority 4.

People capability

The OAIC’s committed workforce of more than 120 staff is central to achieving our strategic priorities. To enhance and develop our people capability, we have specialist programs in the areas of leadership development, culture, workforce planning, staff attraction and retention, training and organisational learning. The OAIC also implements a comprehensive approach to improving diversity and inclusion.

Our current people capability is tested by an increase in our workload and responsibilities including the implementation of new legislative schemes, such as the Consumer Data Right and the COVIDSafe system.

The OAIC recognises that a multidisciplinary approach is necessary for a contemporary regulator. We are implementing strategies to attract new staff with expertise from other sectors to broaden our skill set and perform our regulatory functions more effectively. We also obtain temporary specialist expertise to help address short-term workloads and workload peaks.

Infrastructure capability

The OAIC infrastructure is substantially located in the Sydney central business district. Office space was recently consolidated to bring together staff located on multiple floors, as the OAIC expanded in recent years.

We will finalise the second phase of our building works and undertake a review of our infrastructure framework in light of lessons learned from the rapid implementation of remote work arrangements for all staff as a result of the COVID-19 pandemic.

ICT capability

The OAIC’s ICT capability encompasses operating systems, software applications, networking components and digital devices. The OAIC promotes a strong ICT security culture through training and awareness initiatives.

The OAIC has an ICT framework which is flexible and agile to meet the demands of the dynamic work environment. We have quickly adapted to the requirements of remote working and will continue to respond to the technology needs of our workforce, including the evaluation of new technology solutions.

Human resources, information management and finance systems upgrades will be considered to ensure they support the OAIC’s needs.

Risk management

Positive risk management culture

The effective management of risks plays an important role in shaping the OAIC’s strategic priorities, contributes to well-informed organisational decision making and is critical to the delivery of our purpose – to promote and uphold privacy and information access rights.

Risk management framework

Our Risk Management Policy defines the OAIC’s approach to risk management and supports effective risk management across the business.

Our Risk Management Framework and Procedures document:

  • outlines practices and actions to embed risk management into business practices and cultivate a positive risk culture
  • assigns clear roles and responsibilities across the OAIC organisational and management structure
  • details the OAIC’s shared risk management agreements
  • identifies the stakeholders with whom we communicate about risk.

Risk mitigation

Risk mitigation (or control activities) are well managed through regular review of organisational plans for identified risk areas, and in preparation for the introduction of new projects, programs and schemes. We review all control activities associated with implementation to ensure that any identified risks are mitigated and we actively monitor potential risks associated with the project or program.

Commonwealth Risk Management Policy

The OAIC proactively addresses all elements of the Department of Finance Risk Management Policy requirements. The goal of the policy is to embed risk management into the culture of the OAIC so the shared understanding of risk leads to well informed, evidence-based decision making.

Audit and Risk Committee

The OAIC Audit and Risk Committee oversees the OAIC’s organisational and strategic risk. The committee has historically comprised senior members of staff from within the OAIC and Australian Government. The OAIC is welcoming new members from outside government to the committee in August 2020.

Risk review

The OAIC has commenced a comprehensive review of its risk management approach through the first half of the 2020–21 financial year. This work began in the 2019–20 financial year with the development of a revised strategic risk framework and consideration of key risk factors in our domains of responsibility. Planned work includes the review of our risk policies and procedures and the development of detailed risk profiles for specific areas of high risk, including significant new regulatory responsibilities in relation to the Consumer Data Right and the COVIDSafe app.

The OAIC is also working closely with our co-regulator, the ACCC, to ensure that privacy risks in the Consumer Data Right are managed effectively.

Strategic risks

Enhancing risk management capability and approach

The OAIC has expanded its risk management capability, appointing an Assistant Commissioner, Corporate and bringing on board senior staff to provide advice and guidance.

The OAIC has developed its strategic risk profile by focusing on what we must get right to deliver on our strategic priorities. Early in this planning period, we will review our strategic risk control framework. These strategic risks fall into a number of themes.

Our people: We must ensure our current and future workforce has the skill set needed to enable us to be a contemporary regulator. We are committed to ensuring the safety and wellbeing of our staff, which brings new challenges in a remote working environment.

To be successful we must:

  • attract, grow and retain our staff
  • place the safety and wellbeing of our staff at the centre of our operations.

Good governance and infrastructure: Good governance and secure, reliable infrastructure are fundamental to a high-performing agency. We strive to have best practice governance processes and systems, and a quality framework. We must also be leaders in relation to security, privacy and confidentiality.

To be successful we must:

  • invest in and regularly review our ICT and adhere to a quality framework
  • have appropriate fraud, probity and risk management infrastructure
  • be an exemplar in the domains of security, privacy and confidentiality.

Focus on outcomes: We must use our resources strategically to provide the greatest benefit for the community. This requires prioritisation of activities which will be most effective in delivering on our purpose.

To be successful we must:

  • strategically prioritise work and be able to de-prioritise less important work.
  • scan the landscape and identify emerging challenges.
  • strive for whole OAIC, timely responses.

Be community-centric and stakeholder focused: Building and maintaining positive relationships with the community and our stakeholders is critical to our success.

To be successful we must:

  • be a respected and trusted regulator, influential in the debate about privacy and information access
  • be an agency which is defined by being accessible, understanding, empathetic and in touch with community sentiment
  • work to increase community trust and confidence in privacy and information access rights, and communicate our work effectively to stakeholders

Cooperation and collaboration

The OAIC works closely with a range of Australian Government agencies and other organisations, including domestic and international regulators, to deliver our core regulatory functions and advance our strategic priorities.

Privacy regulation

The OAIC works in collaboration with a number of agencies and regulators such as the Attorney-General’s Department, the Australian Cyber Security Centre, the Australian Competition and Consumer Commission (ACCC) and the Office of the eSafety Commissioner to advance online privacy protection for Australians. The OAIC will also engage with the Attorney-General’s Department and other stakeholders in the review of the Privacy Act, bringing our regulatory experience to help ensure that Australia’s privacy framework is fit for purpose in the digital age.

The OAIC will continue to work with key agencies to improve privacy protections and promote best practice. This includes the Attorney-General’s Department, Australian Public Service Commission, Australian Government Solicitor, Australian Digital Health Agency, Australian Government Department of Health and our network of privacy officers and champions across government. We also have a Memorandum of Understanding with the Australian Communications and Media Authority in relation to sharing information for investigations to better inform regulatory outcomes.

Consumer Data Right

The OAIC is collaborating with our co-regulator, the ACCC, to implement the Consumer Data Right and embed processes to ensure the safe and effective operation of the system. This includes taking an integrated approach to developing compliance and enforcement policies, project planning and risk management activities. We are also working with the ACCC to establish a framework for data portability in the energy sector.

Access to information

The OAIC works with Australian Government agencies to improve processes, increase knowledge and understanding of the FOI Act, and enhance access to information. We work with agencies to achieve informal outcomes where possible, consistent with the FOI Act requirement to facilitate and promote public access to information promptly and at the lowest reasonable cost. Our Information Contact Officer Network brings together nearly 500 people from government agencies and deepens FOI practitioners’ expertise through information sharing, meetings and alerts.

Cooperating with local and international counterparts

The OAIC cooperates with state and territory privacy and information access regulators to share information and insights and to collaborate on issues of national significance, including through our participation in the Association of Information Access Commissioners and Privacy Authorities Australia.

The OAIC also collaborates with international regulators to share information, develop strategies and take regulatory action to protect Australians’ personal information across jurisdictions.

The OAIC has established Memorandums of Understanding with international regulators to support greater cooperation, including with the Information Commissioner for the United Kingdom, the Data Protection Commissioner for Ireland and the Personal Data Protection Commission of the Republic of Singapore. We are actively engaged with other international regulators through forums such as the Global Privacy Assembly, Asia Pacific Privacy Authorities Forum and the International Conference of Information Commissioners.

Part 2: Our strategic priorities

We will deliver on our purpose and increase public trust and confidence in the protection of personal information and access to government-held information through our strategic priorities.

Strategic Priority 1: Advance online privacy protection for Australians

The OAIC will advance online privacy protections for Australians to support the Australian economy, influencing the development of legislation, applying a contemporary approach to regulation (including through collaboration) and raising awareness of online privacy protection frameworks.

Background

In parallel with exponential growth in the use of data to drive the digital economy, the regulatory framework needed to protect Australians’ privacy online is expanding. Global data regulation also continues to evolve creating greater opportunities for international cooperation and collaboration.

Personal information is being used in new ways, across rapidly developing platforms, complex structures and multiple jurisdictions. This makes it more difficult for individuals to effectively manage their personal information.

In this context, achieving an appropriate regulatory balance between organisational accountability and effective privacy self-management is challenging.

The considerable volume of data held by business and government continues to grow, alongside the value of data as a commodity, as we increasingly rely on data for technological innovation – through artificial intelligence (AI), machine learning, algorithms, biometrics and more.

Data-sharing practices are constantly adapting to meet the needs of the global economy. This can create vulnerabilities for entities, as it may increase their susceptibility to a data breach through malicious attack, human error or system fault.

Online privacy is increasingly important for Australians, particularly as we rely more on digital communication due to physical distancing requirements. In April this year, the Information Commissioner was granted leave to bring legal proceedings against Facebook in the Federal Court, alleging that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than that for which the information was collected in breach of the Privacy Act 1988. The information was exposed to the risk of being disclosed to Cambridge Analytica for political profiling purposes and to other third parties.

In July, the OAIC joined with the Information Commissioner of the UK to conduct an investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.

In 2020–21, the OAIC will provide policy advice to the Australian Government on privacy law reform with the goal of achieving a framework that is fit for purpose in the digital age. We will work to enhance online privacy protections, including people with particular needs, such as children. The OAIC will continue to promote awareness of privacy risks and provide guidance for individuals and regulated entities on how to protect personal information online.

The OAIC will support innovation and Australian businesses’ capacity to benefit from using data while minimising privacy risks for the community. We will also seek to influence the development of policy for globally interoperable privacy protection.

Key activities

We have identified three key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 1.

Key activity 1: Influence development of privacy policy and legislation

The OAIC will work with international and domestic regulators, government, entities and civil society to help ensure that privacy policy and legislation are globally interoperable, address contemporary risks to online privacy protections for Australians, including people with particular needs, and support the Australian economy.

 2020-212021-222022-232023-24

Provide expert advice to government so that Australians’ data is protected by a strong, globally interoperable privacy law framework

Key activity 2: Oversee the development of a code of practice for digital platforms

The OAIC will work with stakeholders to develop a binding code of practice for online platforms and social media that provides stronger privacy protections for Australians in the online environment, including people with particular needs, such as children.

 2020-212021-222022-232023-24

Develop a code of practice for digital platforms

   

Provide guidance and support

  ✓ ✓ 

Utilise a range of compliance and enforcement tools

   ✓ ✓

Key activity 3: Identify and take appropriate regulatory action

The OAIC will effectively regulate the protection of personal information in the online environment and increase regulated entities’ awareness of their obligations. This includes auditing compliance, engaging with regulated entities about new projects or initiatives that have privacy impacts, and taking appropriate regulatory action to address identified deficiencies. We will also work to raise public awareness of online privacy risks and mitigation strategies.

 2020-212021-222022-232023-24

Implement governance arrangements in support of strategic regulatory posture

Take a proportionate and evidence-based approach to privacy risks using the suite of regulatory tools

 ✓ ✓ ✓ ✓

Undertake joint investigations or tactics and intelligence sharing with international privacy regulators

 ✓ ✓ ✓ ✓

Promote awareness of online privacy risks and mitigation strategies

 ✓ ✓ ✓ ✓

Strategic Priority 1: Advance online privacy protections for Australians

 

Indicator

Measure

Target

2020–21

2021–22

2022–23

2023–24

1.1

Australians’ personal information is protected wherever it flows

The OAIC supports
mechanisms that
facilitate international
data flows while
protecting personal
information

Qualitatively
and
quantitatively
demonstrated

  

The OAIC engages
in international
regulatory
compliance and
enforcement

Qualitatively
and
quantitatively
demonstrated

 ● ● ● ●
1.2

Australia's privacy
frameworks are fit for
purpose in the digital
age

The OAIC provides

policy advice to
the Australian
Government

Qualitatively
and
quantitatively
demonstrated

 ● ● ● ●
1.3

The OAIC is a leader in the global privacy community to strengthen protection of Australians’ personal information

The OAIC has a
leadership role in key
international forums

Qualitatively

demonstrated

  ● ● ●
1.4

The OAIC engages
with stakeholders
in the development
of online privacy
protections

Views of stakeholders

have been sought
and considered

Qualitatively

demonstrated

 ● ● ● ●
1.5

A code of practice for digital platforms increases the privacy protection of Australians in the online environment

Code of practice for

digital platforms is
developed

Code is registered ● ● ● ●

Strategic Priority 2: Influence and uphold privacy and information access rights frameworks

The OAIC promotes access to government-held information through the regulation of the Freedom of Information Act 1982 (FOI Act) and our role in information policy. The OAIC will continue to promote and uphold these rights and regulatory frameworks through delivery of our core functions. This includes influencing domestic legislative and regulatory developments to advance the rights of all members of the community to access government-held information.

Our regulatory responsibilities for privacy have expanded with the introduction of the COVIDSafe app. The OAIC also has a new co-regulation role for the Consumer Data Right which began in the banking sector on 1 July 2020.

Background

As the importance of data grows rapidly and the global regulatory framework continues to evolve, community expectations about how entities manage personal information have also increased. This is demonstrated by the steady number of privacy complaints received by the OAIC. It is also evident in the growing number of applications for review of agency FOI decisions (IC reviews) as people seek access to government-held information.

The ever-expanding volumes of data holdings across the public and private sectors, and constantly adapting data practices, are also creating greater exposure to potential data breaches.

The OAIC’s role in holding entities accountable is exercised through our core regulatory functions, including conciliating and investigating privacy complaints, responding to notifiable data breaches, and overseeing the privacy aspects of the My Health Record system and Consumer Data Right scheme. As the Consumer Data Right becomes more established, the OAIC has an important role to play in providing guidance to participants and consumers about the privacy safeguards in the system and how we will exercise our regulatory powers.

The COVID-19 pandemic has brought significant changes to our operating context and regulatory role. In response to the coronavirus, the Australian Government developed the COVIDSafe app to augment contact tracing to help contain the spread of the virus. The OAIC is responsible for monitoring compliance with privacy protections, and for providing guidance and education materials to support participants in the COVIDSafe system.

By facilitating access to government-held information the OAIC supports public scrutiny of government processes and participation in democracy. We also take targeted action across both regulatory areas based on proactive monitoring of the environment and responses to intelligence received.

Key activities

We have identified four key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 2.

Key activity 1: Influence policy and legislative change to ensure frameworks remain appropriate

The OAIC will provide advice to government about policy and legislative change that responds to the contemporary environment and enhances information access rights. This includes influencing global regulatory developments to advance the national interest. The OAIC will engage with the Attorney-General’s Department and other stakeholders in the review of the Privacy Act, to help ensure that Australia’s privacy framework is fit for purpose in the digital age.

 2020-212021-222022-232023-24

Provide policy advice to government on review of Privacy Act

   

Implement Privacy Act
amendments

  ✓ ✓ ✓

Deliver guidance and education materials to support implementation of Privacy Act amendments

  ✓ ✓ ✓

Key activity 2: Identify and take appropriate regulatory action

The OAIC regulates the community’s access to government-held information under the FOI Act, conducts independent merits review of FOI decisions made by Australian Government agencies and ministers, and investigates complaints about action taken by Australian Government agencies under the FOI Act. The OAIC also regulates the handling of personal information by organisations and agencies. The OAIC will continue to promote and uphold these rights and regulatory frameworks through delivery of our core functions.

We will maintain effective and efficient complaints, review, investigations, notifiable data breaches and assessment functions and a public information service. We will ensure that compliance risks and significant or systemic issues are identified, and appropriate regulatory action is taken to change practices.

Over the coming year, the OAIC will monitor and provide guidance and advice to mitigate action that impacts on the public’s right to access government-held information and have their personal information protected. We will also undertake awareness and education activities to help Australians access government-held information and manage privacy risks.

 2020-212021-222022-232023-24

Take appropriate regulatory
action in relation to privacy and FOI complaints and risks

Administer the NDB scheme

 ✓ ✓ ✓ ✓
Regulate privacy aspects of the My Health Record system ✓ ✓ ✓ ✓
Conduct IC reviews of FOI

decisions

Improve compliance with

FOI and privacy legislation
supported by education

Promote awareness of privacy and access to information rights

Key activity 3: Regulate the Consumer Data Right

The OAIC will work collaboratively with the Australian Competition and Consumer Commission (ACCC) to ensure the effective regulation of the Consumer Data Right (CDR) gives Australians greater choice and control over the use and disclosure of their data.

The OAIC will provide clear guidance for both consumers and participants about their rights and obligations under the Consumer Data Right system. We will provide an effective complaints handling service for individual and small business consumers to ensure the privacy safeguards and related CDR Rules are upheld.

The OAIC will also undertake strategic enforcement in relation to the protection of privacy and confidentiality. The OAIC will use the range of its regulatory powers as appropriate, including the power to conduct Commissioner-initiated investigations and assessments of compliance with the privacy safeguards and rules.

 2020-212021-222022-232023-24

Provide information about privacy safeguards under the Consumer Data Right

Regulate privacy safeguards
under the Consumer Data Right

 ✓ ✓ ✓ ✓

Key activity 4: Monitor the COVIDSafe system

The OAIC will deliver its new regulatory responsibilities to ensure the statutory privacy safeguards for COVIDSafe app data protect personal information within the COVIDSafe system.

This includes monitoring compliance with the new legislation and providing guidance and education materials to support participants in the COVIDSafe system. We will meet our reporting obligations in relation to the Commissioner’s functions and powers under Part VIIIA of the Privacy Act.

 2020-212021-222022-232023-24

Effectively regulate the
COVIDSafe system

  

Report on the privacy aspects of the COVIDSafe app

 ✓ ✓  

Strategic Priority 2: Influence and uphold privacy and information access rights frameworks

 

Indicator

Measure

Target

2020–21

2021–22

2022–23

2023–24

2.1

The OAIC identifies,
scrutinises and
advances policy and
legislative reform
proposals

The OAIC influences
policy and law makers
to support privacy and
information rights

Number of submissions
published and number
of bill scrutiny tasks
completed

2.2 Respond to privacy

and information
access enquiries from
the public

Time taken to finalise
written enquiries

90% of written

enquiries are finalised
within 10 working
days*

 ● ● ● ●
2.3

Resolve privacy
complaints

Time taken to finalise

privacy complaints

80% of privacy

complaints are
finalised within
12 months*

2.4

Ensure timely handling
of Notifiable Data
Breaches (NDBs)

Time taken to resolve
Notifiable Data
Breaches (NDBs)

80% of NDBs are
finalised within
60 days*

  Time taken to resolve

My Health Record
NDBs

80% of My Health

Record NDBs are
finalised within
60 days*

 ● ● ● ●
2.5

Strategic assessment
and advice provided
to the Commissioner
in relation to all
significant privacy risks

Commissioner
receives strategic
advice regarding the
appropriate regulatory
response to significant
privacy risks

Establish strategic

advisory committee

 ● ● ● ●
2.6

Conduct
Commissioner-initiated
investigations
(CIIs)

Time taken to finalise
privacy and FOI CIIs

80% of CIIs are
finalised within
8 months*

 ● ● ● ●
2.7 Provide merits review

of FOI decisions made
by agencies

Time taken to finalise

IC reviews

80% of IC reviews are

completed within
12 months*

 ● ● ● ●
2.8

Improve agencies’
processes for managing
FOI requests

Time taken to resolve
FOI complaints

80% of FOI complaints
are finalised within
12 months*

  

Agencies accept
and implement
recommendations
made following
complaint investigations

90% of
recommendations
made are accepted

2.9

The OAIC promotes
awareness of privacy
and access to
information

The OAIC leads
campaigns such as
International Access to
Information Day and
Privacy Awareness Week

Qualitatively
demonstrated

2.10

The OAIC promotes
awareness of
Consumer Data Right
privacy rights

Education and
awareness materials
are developed and
promoted

Qualitatively and
quantitatively
demonstrated

2.11

Australians are
confident about the
system of oversight of
privacy and security of
the COVIDSafe app

Assessment program
identifies any privacy
risks

Assessment program
conducted and
outcomes published

  
  

Guidance to
government, businesses
and the community
regarding COVIDSafe related
privacy law

Guidance material
prepared and
published

  
  

Effective enquiry,
complaint and data
breach notification
systems

Enquiry, complaint and
data breach systems
utilised

  

* Asterisk indicates PBS measure.

Strategic Priority 3: Encourage and support proactive release of government-held information

The OAIC will continue to champion government transparency by developing initiatives that proactively provide access to government-held information. These will be aimed at making better use of government-held information to support Australians’ efficient access to information, innovation and engagement while ensuring appropriate privacy safeguards are in place.

Background

Members of the public continue to have high expectations that government will make decisions and deliver services in an accountable and transparent way. The OAIC will continue to work to ensure that Australian Government agencies provide access to information not only on request, but proactively publish information of interest to the community.

As a result of the COVID-19 pandemic, the Australian Government has made significant decisions in relation to public health and the economy. The public’s access to information about these important government decisions, particularly through the proactive disclosure and publication of information, will support trust in government at this critical time.

The OAIC supports government accountability and transparency by effectively and efficiently delivering our functions, exploring and implementing strategies to meet the increasing demand for FOI reviews, complaints and guidance.

Key activities

We have identified two key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 3.

Key activity 1: Develop government capability

The OAIC will continue to work with Australian Government agencies to help ensure high-quality, timely decision making under the FOI Act. The OAIC will provide guidance – through updated FOI Guidelines and regular interaction with agencies – to promote greater access to government-held information.

We will review and update our resources to assist agencies and ministers to apply the FOI Act, and actively promote the Information Publication Scheme (IPS) to support government transparency initiatives.

 2020-212021-222022-232023-24

Publish guidance on FOI Act
obligations for government agencies

Update IPS resources to support
government agencies to publish
government-held information

 ✓ ✓  ✓ ✓

Key activity 2: Influence information management framework

The OAIC will work with stakeholders to improve access to government information to support public participation and engagement, and to strengthen transparency and accountability.

We will engage with ministers and agencies to promote understanding of the FOI Act, and help FOI policy and practice meet the expectations of the Australian community.

We will continue to work as part of the Open Government Forum and contribute to the development of the third Open Government National Action Plan. The OAIC will engage with domestic and international counterparts to promote information access rights.

 2020-212021-222022-232023-24

Provide policy advice to the
Australian Government about FOI and information management

Contribute to development of third Open Government National Action Plan

 ✓   
Participate in international

information access forums

 ✓ ✓✓ 

Strategic Priority 3: Encourage and support proactive release of government-held information

 

Indicator

Measure

Target

2020–21

2021–22

2022–23

2023–24

3.1

More government-held
information is
published proactively

The OAIC actively
promotes proactive
publication through
agency engagement
and development
of resources and
guidance

The OAIC uses the
Information Contact
Officers Network
to promote the
benefits of proactive
publication of
government-held
information

   

The OAIC develops
resources to help
agencies make more
information available
to the public

  ●  ●  ●  ●
 3.2Increase in

community
awareness and
understanding of
information access
rights

The OAIC develops
resources to help
the community
understand the
right to access
government-held
information

Publish practice
direction to assist
members of the
public better
understand the IC
review process

 ● ● ● ●

Strategic Priority 4: Contemporary approach to regulation

The OAIC will take a contemporary approach to our regulatory role in promoting and upholding Australia’s privacy and FOI laws. This means engaging with and being responsive to the community’s expectations of its regulatory bodies.

The OAIC is committed to developing a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice, and to take regulatory action.

Background

Community and government expectations of regulators are shifting. Australians demand fairness and transparency from government and other entities, and regulators are expected to exercise the extent of their powers for the benefit of the community. In response, the OAIC takes a contemporary approach to the way we regulate, engaging with and being responsive to these expectations.

The regulation of privacy and information access transcends national borders. The OAIC cooperates with other regulators as we move to an increasingly global approach to regulation. Cooperation between regulators creates opportunities for the OAIC to engage with international counterparts to share information and conduct joint investigations. The benefits include efficiency, greater alignment in international interpretation of privacy principles, and benefits to the community and regulated entities through enhanced coordination.

Key activities

We have identified two key focus areas in 2020–21 to 2023–24 specific to Strategic Priority 4.

Key activity 1: Review our regulatory approach

The OAIC will continue to review our regulatory approach to ensure it aligns with government and public expectations of domestic regulators, and that the necessary statutory powers are in place to meet those expectations. This will include the strategic consideration of all available regulatory responses to significant privacy and access to information risks in order to influence the behaviour of the regulated community.

 2020-212021-222022-232023-24

Ensure the strategic use of
compliance and enforcement
tools is informed by regulatory
theory and contemporary
practice

Engage with domestic and
international counterparts on
regulatory policy and practice

 ✓✓ ✓ ✓ 

Key activity 2: Build internal capability

The OAIC will enhance internal capability in the areas of governance, information and people management. We will undertake recruitment and training in areas of emerging technical capability requirements. We will be guided by our staff capability map, together with input from the leadership group, in building our internal capability.

 2020-212021-222022-232023-24

Develop staff capability map

   

Implement revised capability
approach

  ✓  ✓ ✓

Implement data management
strategy

 ✓ ✓  
Review work management

and information management
systems

 ✓   
Embed revised governance

approach

 ✓ ✓  
Finalise comprehensive risk

review

 ✓   
Build and maintain internal

communication

 ✓ ✓✓ 

Strategic Priority 4: Contemporary approach to regulation

 

Indicator

Measure

Target

2020–21

2021–22

2022–23

2023–24

4.1

The OAIC takes
appropriate
regulatory action in relation to privacy and access to information risks

The OAIC utilises the
range of regulatory
powers and
outcomes provided
by the Privacy and
FOI Acts

Qualitatively and
quantitatively
demonstrated

4.2

The OAIC engages

with domestic
and international
counterparts on
regulatory policy and practice

 The OAIC

collaborates on policy
development, shares
intelligence and
participates in forums

Qualitatively
demonstrated

  ●  ●  ●  ●
 4.3Improved staff

engagement

Positive rates against
APS Employee
Census (Strive, Stay,
Say index)

Improvement
on previous year
(positive variance)

 ● ● ● ●
4.4Increased staff

retention

Reduced staff

turnover and
increased internal
mobility

Align with APS

Employee Census
rates for workforce
mobility

 ● ● ● ●
4.5Attracting high-quality

applicants

OAIC recruitment

activities result in
appointment of a
candidate and an
order of merit

90% of recruitment

activities result in
appointment and an order of merit

 ● ● ● ●
4.6Staff capability

map supports the
full range of OAIC
functions

 The OAIC uses staff

capability map to
support delivery of
full range of functions

Recruitment and

training aligned to
staff capability map

 ● ● ● ●
4.7

Mature the OAIC
data management
capability to
understand and
address emerging
privacy and
enterprise risks

Timely, accurate and
reliable data supports
core business

Data management

complies with OAIC
data strategy

 ● ●● ● 

Commonwealth Regulator Performance Framework

Our Corporate Plan is delivered under the Public Governance, Performance and Accountability Act 2013. Many of the measures detailed in this Corporate Plan also satisfy the reporting requirements under the Commonwealth Regulator Performance Framework (RPF).

The RPF encourages regulators to carry out their functions with the minimum impact necessary, to reduce the burden of unnecessary or inefficient regulation imposed on individuals, business and community organisations; and to effect positive ongoing and lasting cultural change within regulators.

To streamline our reporting requirements, we have indicated within our measurement matrix if the measure is also reporting under the RPF, and which key performance indicators (KPIs) it relates to under the RPF.

RPF Measurement

Strategic Priority 1 indicators

Strategic Priority 2 indicators

Strategic Priority 3 indicators

Strategic Priority 4 indicators

1. Reducing regulatory
burden

 

2.1, 2.8

  

2. Effective
communications

1.3, 1.4

 2.2, 2.9, 2.10, 2.11  3.1, 3.2 

3. Risk-based and
proportionate
approaches

1.4, 1.5

2.5, 2.6 2.11 4.1, 4.2, 4.7

4. Efficient and
coordinated
regulatory action

1.1, 1.32.3, 2.4, 2.5, 2.6, 2.7,

2.8, 2.11

 4.1, 4.2, 4.7
5. Transparency  2.6, 2.7, 2.8, 2.9 3.1, 3.2 

6. Continuous
improvement

1.1, 1.2, 1.3 2.1, 2.83.1 4.3, 4.4, 4.6, 4.7

Corporate Plan Overview

Strategic Priority

Key Activity

Indicator

Advance online privacy
protections for Australians

  • Influence development of privacy policy and legislation
  • Oversee the development of a code of practice for digital platforms
  • Identify and take appropriate regulatory action

▶ Australians’ personal information is protected wherever it flows
▶ Australia’s privacy frameworks are fit for purpose in the digital age
▶ The OAIC is a leader in the global privacy community to strengthen protection of Australians’ personal information
▶ The OAIC engages with stakeholders in the development of online privacy protections
▶ A code of practice for digital platforms increases the privacy protection of Australians in the online environment

Influence and uphold
privacy and information
access rights frameworks

  • Influence policy and legislative change to ensure frameworks remain appropriate
  • Identify and take appropriate regulatory action
  • Implement the Consumer Data Right
  • Monitor the COVIDSafe system
 ▶ The OAIC identifies, scrutinises and advances policy and legislative reform proposals

▶ Respond to privacy and information access enquiries from the public
▶ Resolve privacy complaints
▶ Ensure timely handling of Notifiable Data Breaches (NDBs)
▶ Strategic assessment and advice provided to the Commissioner in relation to all significant privacy risks
▶ Conduct Commissioner-initiated investigations (CIIs)
▶ Provide merits review of FOI decisions made by agencies
▶ Improve agencies’ processes for managing FOI requests
▶ The OAIC promotes awareness of privacy and access to information
▶ The OAIC promotes awareness of Consumer Data Right privacy rights
▶ Australians are confident about the system of oversight of privacy and security of the COVIDSafe app

Encourage and support
proactive release of
government-held
information

  • Encourage and support proactive release of government-held information
  • Influence information management framework

▶ More government-held information is published proactively
▶ Increase in community awareness and understanding of information access rights

Contemporary approach
to regulation

  • Review our regulatory approach
  • Build internal capability

▶ The OAIC takes appropriate regulatory action in relation to privacy and access to information risks
▶ The OAIC engages with domestic and international counterparts on regulatory policy and practice
▶ Improved staff engagement
▶ Increased staff retention
▶ Attracting high-quality applicants
▶ Staff capability map supports the full range of OAIC functions
▶ Mature the OAIC data management capability to understand and address emerging privacy and enterprise risks