Publication date: 31 July 2023
Introduction
1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Data and Digital Government Strategy (the Strategy).
2 The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (the Privacy Act)), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (the FOI Act)), and information management functions (as set out in the Australian Information Commissioner Act 2010 (Cth)).
3 The Strategy sets out a vision for ‘simple, secure and connected public services for all people and business through world class data and digital capabilities.’[1] It seeks to promote the use of data and digital initiatives across the Australian Government, including for service delivery, policy development and decision-making.[2] The Strategy is centred around five key objectives: delivering for all people and business, simple and seamless services, Government for the future, trusted and secure, and data and digital foundations.
4 The Strategy broadly intersects with the OAIC’s existing regulatory role and responsibilities under several laws and whole-of-government initiatives, including the Privacy Act (and its ongoing review), the FOI Act, the Open Government Partnership, the Data Availability and Transparency Act 2022 (Cth), the Australian Cyber Security Strategy,[3] and the Digital Identity scheme.
5 The Strategy acknowledges that robust privacy and security settings are a driver of trust and will ensure that people and businesses are confident that their data is safe when using public services.[4] Robust privacy protections are critical in relation to data that constitutes personal information, which is subject to specific statutory protection. Privacy issues that are not properly addressed can impact the community’s trust in an entity and undermine the success of new data initiatives. When individuals have confidence in how their data is handled, they are more likely to support the use of that information to provide the services and value promised by data initiatives.
6 This submission focusses on the role that privacy will play in helping to achieve the Strategy’s vision and objectives, and our views on measures that can further support the Strategy’s ambitions by strengthening the existing privacy framework through the ongoing Privacy Act Review (the Review). The submission also highlights the important role the FOI Act will play as part of a comprehensive data and digital government strategy.
Building and maintaining public trust
7 The OAIC’s Australian Community Attitudes to Privacy Survey 2020 (ACAPS) report shows that privacy is a major concern for most Australians (around 70%), particularly as the digital environment and data practices evolve rapidly.[5] The report also showed that 84% of Australians consider privacy extremely or very important when choosing a digital service.
8 The survey results also demonstrated that there has been a general downward trend in trust since 2007. Between 2007 and 2020, there was a 14% decline in trust in how the Australian Government handles personal information.
9 This survey has important findings in the context of the Strategy. It demonstrates that the public’s awareness of privacy issues has increased in recent years and signals the need to increase trust and confidence in privacy and data handling practices.
10 The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities and facilitate community trust and confidence in new technologies and data initiatives. It contains 13 Australian Privacy Principles (APPs) that are structured to reflect privacy obligations across the information lifecycle, as entities collect, hold, use, disclose, and destroy or de-identify personal information.
11 The APPs are legally binding principles, which provide entities with the flexibility to take a risk-based approach to compliance based on their circumstances, including size, resources and business model, while ensuring the protection of individuals’ privacy. Good privacy practices that meet community expectations through compliance with the Privacy Act and the APPs will create the trust and confidence that is needed for the public to engage with the data-driven and digital initiatives contemplated by the Strategy.
Organisational accountability and privacy by design
12 Organisational accountability is globally recognised as a key building block for effective privacy regulation and management.[6] While the concept of ‘accountability’ can mean different things in different contexts, for the present purposes it can be described as the different actions and controls that an entity must implement to comply with the privacy regulatory framework and to demonstrate their compliance.
13 The concept of accountability focuses on whether a regulated entity has translated its privacy obligations into internal privacy management processes that are commensurate with, and scalable to, the risks and threats associated with its personal information-handling activities. It is closely linked with the concept of ‘privacy by design’, which encourages entities to address privacy-related issues and privacy compliance during the initial design of projects, activities and initiatives, as well as throughout the information lifecycle.[7]
14 Under the Privacy Act, accountability is at the core of APP 1, which seeks to ensure that entities manage personal information in an open and transparent way. APP 1 requires entities to:
- take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs (APP 1.2), and
- have a clearly expressed and up to date APP privacy policy describing how they manage personal information (APP 1.3).
15 Australian Government agencies are also required to comply with the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code). Among other measures, the Code requires that agencies maintain a privacy management plan, designate privacy officers and champions, conduct privacy impact assessments for high privacy risk projects, provide appropriate privacy training for staff and regularly review and update their privacy practices, procedures and systems.
16 The OAIC has published a suite of guidance materials to assist entities in embedding accountability measures and implementing a privacy by design approach.[8]
17 Strong organisational accountability measures for privacy will facilitate the Strategy’s objectives to maximise the use of data and ‘foster a culture of privacy, security, and proactive monitoring across its workforce, including partners that operate within or have access to the digital ecosystem.’[9] By embedding strong accountability measures, the Australian Public Service will also be well placed to proactively address privacy-related risks and to build its reputation as a trusted steward of personal information, which is essential to realising the objectives of the Strategy.
Keeping data secure
18 The Strategy observes that cyber security breaches significantly damage the public’s trust that organisations, including the APS, can adequately manage and secure the personal information they hold.[10] It is important to note that privacy and data security are intrinsically linked, and that the protection of personal information is an essential part of data security.
19 The Privacy Act includes well-established security requirements, particularly through APP 1 (Open and transparent management of personal information), APP 11 (Security of personal information), and the Notifiable Data Breaches (NDB) scheme:
- Under APP 1, entities must take steps beyond technical security measures to ensure the protection of personal information throughout the information lifecycle, including by implementing strategies in relation to governance, internal practices, processes and systems, and dealing with third party providers.
- Under APP 11, entities are required to take reasonable steps to protect the personal information they hold, which includes actively monitoring their risk environment for emerging cyber security threats and implementing appropriate mitigation strategies.
- The NDB scheme requires APP entities to notify the OAIC and affected individuals about data breaches that are likely to result in serious harm to an individual whose personal information is involved in the breach. The scheme is designed to enable individuals whose personal information has been compromised to take remedial steps to lessen the adverse impact that might arise from the breach. The NDB scheme also incentivises entities to improve security standards in relation to the protection of personal information.
20 In the OAIC’s view, while the Privacy Act applies specifically to the handling of personal information, in practice, strong privacy compliance is likely to uplift the data security capability of entities generally. This is because most entities collect and hold some personal information, and many are likely to have information handling processes or systems that cover all types of information that they hold.
Regulatory coordination and cooperation
21 The Strategy notes that the Government ‘is modernising and streamlining the patchwork of policies, laws and frameworks that oversee and guide how governments and business safeguard people against harm and what they are required to do when these systems fail.’[11]
22 The OAIC has observed growing intersections between domestic frameworks relating to data and digital technologies, including privacy, competition and consumer law, and online safety and online content regulation. While there are synergies between these frameworks, there are also variances given that each regulatory framework is designed to address different economic and societal issues. In this way, each regime is an essential and complementary component in the ring of defence that is being built to address the risks and harms faced by Australians in the digital environment.
23 Where different regulators exercise different functions under various laws, it is important for regulators to work together to avoid any unnecessary or inadvertent overlap and uncertainty for consumers and industry. At the same time, we do not consider that regulatory overlap is necessarily a negative outcome, particularly where it is well managed. It is more problematic if regulatory gaps expose individuals to harm or lead to inconsistent and inefficient regulatory approaches.
24 An effective approach must address the importance of institutional coordination between different regulatory bodies in different areas, given the need for complementary expertise.
25 To this end, the OAIC is a member of the Digital Platform Regulators Forum (DP-REG), together with the ACCC, ACMA and Office of the eSafety Commissioner. DP-REG is an initiative of Australian independent regulators to share information about, and collaborate on, cross-cutting issues and activities on the regulation of digital platforms. This includes consideration of how competition, consumer protection, privacy, online safety and data issues intersect and provides members with an opportunity to promote proportionate, cohesive, well-designed and efficiently implemented digital platform regulation.
26 The OAIC is also a member of the Cyber Security Regulators Network (CSRN), along with the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), ACMA and the ACCC. The purpose of the CSRN is to enable Australian regulators to work together to understand, respond to and share information about cyber security risks and incidents. Ongoing collaboration and information sharing across government agencies is key to reducing the regulatory burden on entities and ensuring a consistent, whole-of-government approach to addressing harms.
Information access under FOI framework
27 The Strategy notes that key indicators of success include integrity and transparency in service delivery – which increases trust in the Australian Government – as well as greater usability and availability of public sector data. The FOI Act will be a key enabler of this success by encouraging transparency and accountability in government processes and activities and promoting public participation in government and representative democracy.[12] It does this by providing legally enforceable rights for the Australian community to obtain access to government documents, requiring agencies to publish certain categories of information, and encouraging the proactive release of other government held information. This recognises that data held by the Australian Government is a national resource which should be managed for public purposes.
28 Part II of the FOI Act is particularly relevant in relation to transparency and data availability, establishing an Information Publication Scheme (IPS) for Australian government agencies subject to the FOI Act. Part II is complemented by legally binding guidelines made under s 93A: Part 13 of the FOI Guidelines – Information Publication Scheme.[13] The IPS requires agencies to publish a minimum range of information and to regularly consider and publish other information that is of value to the public. Agencies must also publish a plan that explains how they intend to implement and administer the IPS.
29 The IPS is a key mechanism that underpins the pro-disclosure goals of the FOI Act. It is intended to facilitate and promote public access to information promptly and at the lowest reasonable cost. We consider that the benefits of proactive publication and the IPS include:
- stimulating innovation and economic prosperity
- enhancing participatory democracy by assisting the public to better understand how government makes decisions and administers programs
- reducing the risk that people will be disadvantaged in dealings with government through lack of knowledge, and
- reducing the need for applicants to seek release of documents through FOI requests. For example, statistics are often requested under the FOI Act, and this is the kind of information that can be valuable for individuals, or to research and the digital economy, and that agencies should proactively take steps to publish.
30 The culture of transparency facilitated by proactive release of information is critical to building public trust. While the IPS is a key mechanism in this regard, other important mechanisms to make data available include: the ability of agencies to release information administratively,[14] the publication of information released through an FOI request on agencies’ disclosure logs[15] and self-service options which allow people to access their own personal information (for example, MyGov). Generally, we consider that agencies should proactively take steps to make data available rather than imposing access charges under FOI.
31 The integrity and usefulness of government data is predicated on robust record-keeping practices. A key component of proactive disclosure involves preparing documents with an expectation that information will be disclosed or – where appropriate – preparing an additional version that can be disclosed. Record-keeping practices should be underpinned by an understanding that government-held information is a public resource.
32 Generally, promoting and upholding information access rights and supporting the proactive release of government-held information are key strategic priorities for the OAIC. The OAIC is currently preparing for a review of agencies’ IPS compliance – as required under s 9(1) of the FOI Act – and we are also revising Part 13 of the FOI Guidelines on the Information Publication Scheme, having completed a public consultation earlier this year.[16] The OAIC has also engaged in other initiatives promoting proactive release of information, including working with other Australian information access commissioners and ombudsmen to publish Open by Design Principles.[17] An ‘Open by Design’ approach builds a culture of transparency by prioritising, promoting and resourcing proactive disclosure of government-held information.
Reform of the Privacy Act
33 The Strategy notes that the Attorney-General’s Department is conducting a review of the Privacy Act, which presents an important opportunity to ensure that Australia’s Privacy Act remains fit for purpose in an increasingly global and digital world. We take this opportunity to highlight some of the Privacy Act Review proposals that have direct relevance to achieving the Strategy’s vision and objectives and the effective delivery of data and digital initiatives.
Increased accountability for APP entities
34 The Strategy considers that the APS should ‘support transparent and open processes through activities such as improved consent models and fair information handling practices that are accessible for all.’[18]
35 Notice and choice are foundational principles in privacy law across the world, including in the Privacy Act. However, our 2020 Australian Community Attitudes to Privacy Survey found that while the majority (84%) of Australians believe that their privacy is important, only 31% of individuals normally read privacy policies. The primary reason given as to why individuals do not read privacy policies was their length and complexity.[19]
36 Even where individuals do read privacy policies and collection notices, they may feel resigned to consent to the use of their information to access online services because they do not feel there is an alternative. As digital products and services become more entrenched in individuals’ lives and in the way in which they work, study and socialise, it is increasingly difficult to avoid personal information handling practices that do not align with their preferences. In these circumstances, it is inappropriate for entities to place the full responsibility on individuals to protect themselves from harm.
37 In recognition of these challenges, the Privacy Act Review Report has proposed the establishment of a positive obligation that would require entities to handle personal information in a manner that is ‘fair and reasonable in the circumstances.’[20]
38 The proposal would require entities to proactively consider whether their personal information handling activities are proportionate, as well as the reasonable expectations of individuals and possible risks of unjustified adverse impact or harm, among other matters.
39 The fair and reasonable test will provide a baseline level of privacy protection and will allow individuals to engage with products and services with confidence that—like a safety standard—privacy protection is a given. It would also prevent consent from being used to legitimise handling of personal information in a manner that is, objectively, unfair or unreasonable.
40 The OAIC views this proposed reform as a new keystone for the Privacy Act. The fair and reasonable test would provide individuals with greater confidence that they will be treated fairly when they choose to engage with a service and would help to build trust in relation to an entity’s personal information handling practices, which is essential to realising the Strategy’s vision.
41 The Privacy Act Review Report has also put forward proposals that are directed at improving the transparency of personal information handling practices and the level of control that individuals have over how their information is handled. These proposals seek to improve the clarity of collection notices and consent requests, as well as recommend the introduction of new individual privacy rights, including a right to erasure.[21]
Enhancing security and notifiable data breach requirements
42 Recent major data breaches have highlighted the importance of securing personal information. We note the high level of community concern about the protection of personal information and the period for which it is retained.[22]
43 The Privacy Act Review Report has put forward several proposals that support the Strategy’s objective of ensuring that all data and digital activities be underpinned by a commitment to privacy and security,[23] including:
- strengthening the NDB scheme, including through amendments to the notification requirements and timeframes[24] and an express requirement for entities to take reasonable steps to implement practices, procedures and systems to enable them to respond to data breaches.[25] The OAIC has recommended that these proposals be strengthened through an express obligation on entities to take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a data breach.[26] The OAIC has observed that best practice entities take responsibility for the costs and impacts of data breaches when they occur, and support individuals to mitigate the impact of a data breach. This may include setting up support lines to provide customers with a centralised channel to ask questions, paying for a credit monitoring service that alerts affected individuals if there are changes to their credit report, monitoring the dark web to identify whether personal information compromised in a data breach is being traded online, assisting individuals to replace compromised credentials such as passports and driver’s licences, and engaging providers such as IDCARE to provide post-incident support to individuals.[27] However, there is currently no statutory obligation to do so.
- enhancing the OAIC’s Guidelines on APP 11 in relation to what ‘reasonable steps’ are for the purpose of securing personal information, drawing on technical advice from the Australian Cyber Security Centre (ACSC).[28]
- requiring entities to establish (and publish) their own maximum and minimum retention periods for the personal information that they hold and the review of all Commonwealth legislation that requires the retention of personal information to determine if those provisions appropriately consider privacy and cyber security risks.[29]
Harmonisation of privacy laws
44 The Strategy seeks to maximise the value from data by, amongst other measures, sharing data between APS agencies, with state and territory governments, and with other users.[30] The OAIC acknowledges that data sharing can lead to increased innovation; however, measures to increase the sharing of, and access to, personal information necessarily have privacy impacts.
45 Domestically, Commonwealth, state and territory governments are increasingly working together on national initiatives that involve sharing data across jurisdictions. One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information. Alignment of rights and obligations with the Privacy Act ensures that Australians’ personal information is subject to similar requirements whether that personal information is handled by an Australian Government agency, a state or territory government agency, or private sector organisations.
46 Consistency in regulation across domestic jurisdictions not only reduces compliance burdens and costs but also provides clarity and simplicity for regulated entities and the community. National consistency, therefore, should be a key goal in the design of any state or territory laws that purport to address privacy issues. To assist in achieving this, the OAIC has recommended through the Privacy Act Review that any state or territory laws that concern privacy issues should be commensurate with those under the Privacy Act.[31]
Conclusion
47 We consider that the privacy and FOI frameworks are critical to ensuring public trust and confidence in the use of data and digital technologies for the public benefit. The measures proposed as part of the Privacy Act Review Report will enhance the existing privacy framework, which will further support the Strategy’s vision and objectives. The OAIC welcomes ongoing engagement as the Strategy develops.
Footnotes
[1] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 4.
[2] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, pp 3-7.
[3] Department of Home Affairs Australia’s Cyber Security Strategy 2020, August 2020, accessed 19 July 2023; Department of Home Affairs, 2023-2030 Australian Cyber Security Strategy Discussion Paper, December 2022, accessed 19 July 2023. For our submission to the 2023-2030 Australian Cyber Security Strategy, see: OAIC, Submission to 2023–2030 Cyber Security Strategy Discussion Paper, April 2023, accessed 19 July 2023.
[4] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 15. The OAIC also notes that the Strategy considers one of its measures of success to be that “all data and digital activities [be] underpinned by a commitment to privacy, security and ethical approaches.”
[5] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, September 2020, accessed 7 July 2023.
[6] Information Commissioner’s Office (UK), Guide to Accountability and Governance, May 2023, accessed 11 July 2023; Office of the Privacy Commissioner of Canada, Getting Accountability Right with a Privacy Management Program, April 2012, accessed 11 July 2023; Article 29 Data Protection Working Party, Opinion 3/2010 on the Principle of Accountability, July 2010, accessed 11 July 2023.
[7] Information and Privacy Commission New South Wales (IPC NSW), Fact sheet – Privacy by design, May 2020, accessed 11 July 2023.
[8] The OAIC’s guidance materials include a Privacy Management Framework, Privacy Management Plan template for organisations and agencies, a Guide to undertaking a privacy impact assessments, a Privacy Impact Assessment tool and a Privacy Impact Assessment e-Learning course.
[9] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 16.
[10] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 15.
[11] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 17.
[12] Mary Anne Neilsen, Public sector accountability and transparency, October 2010, accessed 20 July 2023.
[13] OAIC, FOI Guidelines, Part 13 – Information Publication Scheme: https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies/foi-guidelines/part-13-information-publication-scheme.
[14] See s 3A(2)(b) of the FOI Act and Parts [3.2] – [3.5] of the FOI Guidelines: https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies/foi-guidelines/part-3-processing-and-deciding-on-requests-for-access.
[15] Section 11C of the FOI Act and Part 14 of the FOI Guidelines: https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies/foi-guidelines/part-14-disclosure-log.
[16] Consultation on draft revisions to Part 13 of the FOI Guidelines: Information Publication Scheme at https://www.oaic.gov.au/engage-with-us/consultations/freedom-of-information/consultation-on-draft-revisions-to-part-13-of-the-foi-guidelines-information-publication-scheme.
[17] Information commissioners and ombudsmen across Australia developed a ‘Statement of Principles to support proactive disclosure of government-held information’ in September 2021. The joint statement is available here: https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies/more-guidance/statement-of-principles-to-support-proactive-disclosure-of-government-held-information.
[18] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 15.
[19] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, September 2020, accessed 7 July 2023, p 69.
[20] Attorney-General’s Department (AGD), Privacy Act Review Report, February 2023, accessed 11 July 2023, pp 110-121.
[21] AGD, Privacy Act Review Report, February 2023, accessed 11 July 2023, Chapters 10, 11 and 18.
[22] See for example, Professor Nicholas Biddle, Professor Matthew Gray and Associate Professor Steven McEachern, Public exposure and responses to data breaches in Australia: October 2022, Australian National University, November 2022, accessed 19 July 2023; Caroline Riches, Optus faces a customer exodus, calls for compensation amid anger over leaked data, SBS News, September 2022, accessed 19 July 2023.
[23] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 7.
[24] The proposed amendments include requiring entities to notify the OAIC within 72 hours of becoming aware of an eligible data breach and that a statement about an eligible data breach must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.
[25] AGD, Privacy Act Review Report, February 2023, accessed 11 July 2023, Proposals 28.2 and 28.3.
[26] OAIC, Submission to the Privacy Act Review Discussion Paper, December 2021, accessed 11 July 2023, p 221. See also, AGD, Privacy Act Review Report, February 2023, accessed 11 July 2023, Proposal 28.3.
[27] For further information, see OAIC, Submission to the Privacy Act Review Discussion Paper, December 2021, accessed 11 July 2023, p 221.
[28] AGD, Privacy Act Review Report, February 2023, accessed 11 July 2023, Proposal 21.3.
[29] AGD, Privacy Act Review Report, February 2023, accessed 11 July 2023, Proposals 21.6, 21.7 and 21.8.
[30] Digital Transformation Agency and Department of Finance, Data and Digital Government Strategy, June 2023, accessed 7 July 2023, p 9.
[31] OAIC, Submission to the Privacy Act Review Discussion Paper, December 2021, accessed 11 July 2023, p 228.