Published 5 September 2024
Read the keynote address prepared for delivery by Australian Information Commissioner Elizabeth Tydd at RIMPA Live on Wednesday 4 September 2024.
Introduction
Thank you for the introduction, Cam, and I appreciate the offer from RIMPA to speak to you. The opportunity is one that I cherish because this is a room of people who are on the same page as me. Your values align with the values we espouse every day at the OAIC.
I am really honoured to have the opportunity to address you all today – I know and value the critical role you all play as records and information management practitioners – whether you are in the private sector or whether you are in the government sector working on behalf of the people of Australia.
I do also want to question the traditional definition of your role.
Let’s apply a broad, all-encompassing and honourable term to your role: information governance. It’s certainly important, and it’s significant, but in practice, what does your role actually deliver?
Let me boldly answer that question through just a few examples:
- Your role delivers justice to the Australian community through access to evidence.
- It delivers better healthcare outcomes and educational outcomes because of your role in preserving information.
- It delivers proper and fair administration through the provision of sources of truth, and in doing so, your role actively combats corruption.
- And your work delivers the democratic system of government we enjoy through accountability and transparency.
Through your preservation and stewardship of the source of truth, you strengthen the compact between government and the citizens it serves. Your role is paramount to our democratic values and our fundamental human rights.
Now let’s look at your duties as stewards of information – and they are wide and they are equally as important.
Data and information have been called many things. The new oil. Uranium. Precious. Kryptonite. Business gold. In reality, it can be any one of these things, but it comes down to how information is actually managed, how it’s governed.
For me, information is a strategic asset ready to be harnessed. But there is always work to do to ensure its value is realised, and that it’s realised in a way that makes a positive contribution to both society and the economy.
Where we are now
Where are we now and what challenges are we facing in this dynamic environment?
We’re facing the challenges of digital government, of an authorising environment that expects sources of truth, that expects governments to be held to account, it expects the private sector to be held to account in the way it uses and manages information.
In that environment, we see an erosion of trust. You play an incredible role in preserving trust in democratic institutions, because you also enable people to access information and that builds trust.
But there are new challenges in accessing information that arise because of the advances in digital government.
So, what do we need? We really need a holistic approach to information governance.
Information is being generated at an unprecedented rate, which has resulted in the management of information becoming a critical challenge in itself for both the private and public sectors.
The volume and variety of information, and the speed at which it is created, has overwhelmed traditional approaches to information governance.
To illustrate this point, in the Australian Public Service, the volume of digital records held has grown on average by 328% a year since 2013 when we held 51 terabytes of information to over 314,000 terabytes in 2022 – I imagine two years on, that’s grown even further. To put this in perspective, a one terabyte hard drive can hold about 5 million short Microsoft Word documents.
There’s been a considerable increase in the use of technology, including the cloud and a vast range of software (often provided as a service).
More recently, we have seen rapid growth in the use of artificial intelligence, particularly generative AI. In the public sector context, the use of social media platforms and encrypted messaging, such as WhatsApp, has given rise to new challenges for record keeping – for ascertaining where the decision was made and by whom, and that’s a particular challenge for encrypted messaging. Information management and freedom of information practitioners really need to address these new challenges.
Information management obligations don’t cease as organisations and industries embrace new technology. Rather, advances in technology have made it essential that openness, transparency, accountability and integrity are maintained.
Government agencies, but also businesses, are grappling with challenges in ensuring information is accessible and trustworthy in an environment of overload in which both misinformation and disinformation are rife.
When we look at the way we engage with industry between the public sector and the private sector, sometimes we give rise to questions about who actually holds the information and in what form is it held. Is the decision making component that of an algorithm? How can you provide access to an algorithm? And then the very real issue of the provenance of the data set arises, and that’s your space. That’s the space that you need to own and understand and keep abreast of.
I’m going to look at these four dimensions of information governance a little bit further through a case study later on.
Record and information management underpins the OAIC’s privacy and information access mandates, and we are seeing some evidence where these challenges are not being effectively dealt with.
The OAIC continues to be notified of a high number of data breaches under the Notifiable Data Breaches scheme. We will soon be releasing our latest statistics covering the period January to June 2024, and they show we received 527 data breach notifications – that’s the highest number in a six-month period since July to December 2020, and it represents a nine per cent increase compared to the previous six months. Australian Government agencies reported the second most data breaches of all industry sectors with 63 data breaches, which represents 12% of all notifications.
Often data breaches are a result of organisations failing to effectively consider and apply privacy principles, such as data minimisation and security, across the entire information lifecycle. Recently, the OAIC has taken an economy-wide interest in data retention practices after several high-profile breaches of information held by organisations for several years, and in some cases, decades.
We know that the Australian community thinks organisations can do a much better job applying privacy principles across the information lifecycle.
Our 2023 survey of the Australian community’s attitudes to privacy found there is a high level of distrust that organisations will do the right thing by Australians when it comes to the handling of personal information. Less than half of people trust organisations:
- to store their information securely
- to use and share their information only for the purposes stated
- to collect only the information needed
- to give people access to all their personal information stored
- and to delete their information when no longer needed.
Unfortunately, there have been some damaging trends in the performance of our access to information laws in recent years.
Our agency freedom of information statistics between 2014 and 2023 demonstrate that the percentage of FOI decisions made by Australian Government agencies within the required timeframe of 30 days plummeted from 95% to 70%, followed by an uptick to 74%. The percentage of decisions in which access to information was refused in full rose from 10% in to 23%. Significantly, the number of FOI applications made has actually remained steady throughout this period.
So, it’s not necessarily the volume of applications that’s leading to some of these outcomes particularly in terms of timeliness, rather there’s issues of capacity and capability, and that’s where your expertise and knowledge can promote information access rights and in doing so, promote human rights and contribute to a healthy democracy.
We recently published the report on our third five-yearly review of the Information Publication Scheme that’s contained under the Freedom of Information Act. The IPS requires and provides the authority for government agencies to proactively publish information.
The results indicated the intent of the scheme is not being fully realised. Of note:
- Only 29% of agencies have adopted a strategy for increasing open access to information they hold – that’s down from 35% in 2018.
- Only 20% of agencies reported maintaining an IPS information register, down from 38% in 2018. IPS registers are a crucial tool for identifying documents for publication, recording decisions made in relation to publication, and systematically reviewing published information for accuracy, currency and completeness.
Australians value their fundamental right to access information, including compared to other fundamental human rights.
Clearly there are some challenges that need to be addressed, and there are opportunities as well.
I am going to take a moment to examine some of these challenges through one particular case study. This case study involves a social housing tenant who was in receipt of a social housing rental subsidy. The social housing at the time was provided by what was the NSW Department of Housing, it later became the Department of Communities and Justice.
To stimulate interest in managing social housing properties and in owning social housing properties through private-public partnerships and developing that sector, one small incentive was the outsourcing of an algorithm through a private software provider to calculate the rental subsidy for social housing tenants. It made the task of the landlords much easier.
It was used effectively to make a decision about the liability of that tenant, about how much rent she owed by virtue of how much subsidy was being provided by the government sponsor.
The question came down to who actually held that information and whether it was a decision or a service. That’s a really important question because under both the NSW and the Commonwealth legislation, the provisions that bind third-party providers apply to the provision of services, they don’t expressly apply to decision making. So, while there’s not a case that goes directly to this decision-making function, which we will increasingly harness technology to assist us with, we don’t actually know whether or not the right of access to information will be provided under the statute that’s responsible for enshrining that right.
So, then we go to the question of ‘Who?’ Who holds that information? Is it the third-party provider? Is it the social housing provider? Is it the software company who manage the information and originally used the test suites of data from the department to train their algorithm?
Who holds that information is important to the exercise of the fundamental right to access information because it applies largely to government agencies, but by virtue of a nexus with the private sector, there is an ability to bring that information into the control of government and therefore provide access. But that’s limited to the provision of services.
Then we have the question of how do you provide access? What access is going to make sense to anyone in terms of the history of rental payments and subsidies when it’s held in a database that was trained on a test suite of data where the calculations are made through an algorithm. And how can you look at what technology is being applied, because who is holding that technology itself, particularly through an outsourced service provision? In some circumstances, individuals, members of the Australian community like Ms O’Brien, might not even know that that technology was not owned and operated by government because it didn’t hit the threshold to be reported on a tender site where you can look at who the service provider was and how much was paid for it. So, there is opacity right the way through this system.
Then the most important feature for me, going forward, is our whole system of administrative review is based on people being able to approach a court and say, ‘Here’s an error. I’ve identified an error here, there’s an error of law, an error of fact, and through that error, I want justice, I want compensation, I am seeking to assert my rights.’ How do we identify an error in that circumstance? More importantly, as we increasingly use technology and large language models where there are data sets held in various domains, which data set contains the error? How do I access that data to prove the error when I don’t even know its provenance?
It's through examples like this, that took place a couple of years ago, that we are now seeing advances in technology presenting challenges to how we hold and govern information, and importantly, how the Australian community can assert their rights. These developments are at the front and centre of all the work you do, and that’s the thinking that you take forward in the work you do every day, because what you’re actually doing is managing information for a purpose, and that purpose serves a much higher order.
Where we want to be
So, let’s look at where we want to be and how we get there.
For the OAIC, we are looking to be a regulatory entity that approaches these issues in as holistic a manner as possible.
In the Australian Public Service context, the Freedom of Information Act recognises that information government holds is a national resource to be managed for public purposes, however there is work to be done to achieve this ambition, particularly in the context of digital government.
My vision is to see information – whether in the public or private sector – be recognised, managed and harnessed as the strategic asset it is.
My goal is to increase the understanding outside this room of the importance and value of effective information governance, and by extension, the importance of the work you do and the people who do it.
There is an opportunity – and in many cases, a requirement – for organisations and government agencies to step up as stewards of information.
How we get there
The modern information environment necessitates a proactive approach, from organisations and agencies, and also the regulator.
The OAIC is committed to clearly defining and communicating our regulatory priorities, approach and expectations to help the regulated community and demonstrate best practice that can be adopted and modelled, and to ensure the community have the safeguards they are entitled to expect.
Following a strategic review of the office, our stakeholders and the community can expect to see the OAIC accelerate our shift to a more proactive, risk-based and enforcement and education-focused posture.
This will be reflected in a greater focus on directing our regulatory effort towards where it has the greatest impact, including areas where there is a high risk of harm to the community.
It is also reflected in our strategic priorities.
For our FOI work, it’s about promoting open government to better serve the Australian community, and increasing our FOI regulatory and case management effectiveness.
The OAIC has operated with significant backlogs of cases in which people are waiting for decisions that will enliven their rights. We are methodically working through those cases, and I am relieved to say the pace has increased significantly. When I commenced my first appointment to the OAIC as Freedom of Information Commissioner, our backlog was 2,200 cases. We have been able to reduce that by over 400 cases in 6 months, and we will continue our actions to reduce that number. Pleasingly, especially for the staff of the OAIC and the Australian community, in some of those decisions, the positions of the parties are less entrenched, and therefore we’re able to move more swiftly to reduce that backlog and be a contemporary and effective regulator.
To do that though, we need to uplift agency capability in the exercise of their FOI functions, and they are underpinned by information management functions, so the functions that you perform within agencies allow people to access information.
And we want to make FOI compliance easier. For those who aren’t familiar with it, the Freedom of Information Act is a pretty prescriptive legislative statute, and it injects a number of procedural steps that make it quite legalistic. Our objective is to make compliance easier by providing the tools, by providing the insights, by providing guidance so compliance is much easier for agencies so that they can be part of the better stewardship of the right to access information.
In the privacy sphere, we are prioritising work to promote privacy in the context of emerging technologies and digital initiatives. We are increasing our privacy case management effectiveness in the same way as I outlined in relation to FOI.
We’re developing a cohesive regulatory and enforcement strategy.
And we want to improve compliance through articulating what good looks like.
An essential component of effective regulation is fit-for-purpose legal frameworks, so another area of focus is promoting timely legislative reform and ensuring it is informed by our regulatory expertise.
In this regard, we very much hope we will see reform of the Privacy Act soon. It is critical that we all contribute to the push for the completion of this significant body of work, which began more than a decade ago, to strengthen the protection of privacy under Australian law.
One measure I want to highlight, which the government has agreed to in principle, is a requirement that data collection, use and disclosure be fair and reasonable, which the OAIC would like to see become the new keystone of the Australian privacy framework.
This will require organisations and government agencies to ensure personal information handling practices are fair and reasonable in the first place. In other words, that privacy is built in by design.
Several accountability mechanisms that are already requirements for government agencies under the Australian Government Agencies Privacy Code are proposed to be extended to the private sector. This includes requirements to conduct a privacy impact assessment for all high privacy risk projects, and appoint a senior employee responsible for privacy.
We stand ready to assist in the elevation of capability and to assist industry and the public sector in that transition.
There is significant work underway at the OAIC to support the shift in our regulatory posture and ensure we are a contemporary regulator.
We’re in the process of restructuring the organisation to support our move to a more harm-focused proactive regulatory posture, with an increased emphasis on education and enforcement and using the full range of our regulatory powers. We’re also designing our future to ensure the OAIC is directing our efforts and resources strategically to achieve the best regulatory outcomes for the community.
We are also sharpening our intelligence gathering approach, which will continue to inform our priorities and help us to identify and target areas of non-compliance.
Sharing this unique intelligence and regulatory expertise that’s held within the OAIC will allow it to be applied to inform regulatory reform, policy reform, as well as the regulatory action we take. For example:
- We have a data strategy focused on making high-quality data analyses integral to our decision making.
- We have completed a survey to better understand agency FOI practices and the needs of practitioners. We will use this information – together with the results of the IPS review – to inform updates, guidance and the resources we provide. This is an example of how we are operationalising our objective to promote understanding and make compliance easier.
- As part of our focus on identifying unseen privacy harms, my colleague Privacy Commissioner Carly Kind will be implementing a program of targeted, proactive investigations that will not only uncover latent harms and provide avenues for remediation, but will also set the standard for industry practice. You can expect a similar approach in the FOI domain as well.
We continue to increase our focus on regulatory cooperation and collaboration – both domestically and internationally. The OAIC works closely with a range of organisations, including Australian Government agencies, domestic and international regulators, and industry, research and community organisations. This assists us to keep informed of the challenges and opportunities in information governance, with a particular focus on privacy and access to information.
We operate in a global, not just a national, environment and maintaining a deep understanding of emerging harms, for example, in big tech, will enable us to look at international developments at the cutting edge of prevention and deterrence of harmful practices. Those learnings are essential to the preservation of rights in Australia.
Through the OAIC’s recent appointment to the Executive Committee of the International Conference of Information Commissioners, we provide international leadership to foster the protection and promotion of access to information as a fundamental pillar of social, economic and democratic governance.
In Australia, we enjoy the benefits of a representative democracy, and by working with our Indo-Pacific and ASEAN neighbours, we can promote stability in our region.
I spent 48 hours in Malaysia last week where they’ve been working on the introduction of an information access statute for 23 years. It’s starting to come to fruition. It’s part of their recognition of a fundamental tenet of democracy, of sound governance, of holding administration to account after some of the turbulent years that country has been through.
Advancing that culture is important to our domestic and geographic security, to peace and to democracy in our region.
Advancing a culture and practice of treating information as a strategic asset is a shared responsibility.
Our objective is to engage widely with all actors in this rich and rewarding quest. Meeting that objective will better equip us to act with focus and purpose to promote and protect our fundamental human rights in what is a most dynamic environment.
It’s these partnerships that strengthen our individual roles and galvanise our shared responsibilities.
Conclusion
I want to reiterate the integral role you play in promoting democracy and in preserving our fundamental human rights. It’s your broad expertise and commitment to information governance that makes you first responders to current threats to democracy, including mis and disinformation.
We work in a symbiotic and principled partnership. You preserve the bedrock of information that underpins the rights that all information commissioners, freedom of information commissioners and privacy commissioners strive to promote in this increasingly complex environment.
And we are honoured to work in partnership with you, and I sincerely thank you.