19 October 2023
The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.
Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.
“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.
“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”
Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.
This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.
The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.
“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.
The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.
In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.
“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.
During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.
The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.
During the reporting period, the OAIC contributed to the Attorney-General's Department's review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.
“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.
“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.
“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”
Read the OAIC Annual report 2022–23.
Key 2022–23 statistics
- Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
- Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
- Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
- Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
- Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).[1]
Footnotes
[1] During 2022-23, the OAIC ceased classifying certain communications about FOI as ‘enquiries’ where these are more complex, or require a specific response, and are therefore dealt with by the FOI Branch instead of the OAIC’s enquiries team. This has reduced the numbers of FOI enquiries reported this financial year.