Information Commissioner releases corporate plan for 2024 – 2025
September 30, 2024
Agencies release corporate plans. They are of variable quality and often drafted in terms vague enough to avoid criticism. The good plans say something, even if enough plausible deniability is buried in their dense prose. The Information Commissioner’s media release keeps with this approach.
It provides:
As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.
As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.
So far, 2024 has been a year of significant changes at the OAIC. Among them was the return to the OAIC having 3 commissioners in February, when I commenced as FOI Commissioner and Ms Carly Kind as Privacy Commissioner. It was then my great honour to be appointed as Australian Information Commissioner from 16 August 2024 for a 5-year term. Following a merit-based selection process, Ms Toni Pirani was appointed as FOI Commissioner commencing 16 August. Commissioner Pirani brings a wealth of experience and expertise in FOI and the promotion of information access rights, as well as a strong record of service on behalf of the Australian public.
I would also like to acknowledge the contribution of my predecessor Angelene Falk who led the office over many years as both Information Commissioner and Privacy Commissioner. Commissioner Falk expertly steered the office through a time of growth, technological development, heightened community expectations and great change in the regulatory landscape. It brings me great pleasure and gratitude to build on Commissioner Falk’s work and lead the OAIC at this critical juncture with Commissioner Pirani and Commissioner Kind.
This enhancement to our leadership structure coincided with a strategic review of the OAIC. The review was designed to ensure the office is best positioned to deliver our functions and respond to future challenges. The review made 9 recommendations to the OAIC, including around our regulatory posture, governance, structure, culture and values, and process change. The OAIC has accepted all recommendations directed to the office and has begun implementing them to ensure our future success.
A key recommendation was for the office to accelerate our shift to a more risk-based and education and enforcement-focused posture. Our stakeholders and the community can expect to see this reflected in a greater focus on directing our regulatory effort towards where it has the greatest impact, including areas where there is a high risk of harm to the community. Our focus on harm and outcomes will be driven by evidence and data, and we will make the best use of our resources, maximising opportunities for our people.
The shift in our regulatory posture is underway and changes to our strategic plan, governance, structure, processes, capability, culture and leadership will all ensure our success. These seminal changes, many of which are detailed in this plan, are designed to deliver our future priorities and maximise our impact as Australia’s information access and privacy regulator. Our implementation of these changes and a revised regulatory action plan has only just commenced, but already we are achieving a significant impact.
Future priorities
We are advancing our effectiveness in privacy regulation by taking a strategic approach. We are committed to clearly defining and effectively communicating our regulatory expectations to provide the community with the safeguards they are entitled to expect.
We are focused on identifying the unseen harms that curtail privacy rights in the digital environment. This means implementing a program of targeted, proactive investigations that will not only uncover latent harms and provide avenues for remediation, but will also set the standard for industry practice.
The proposed reforms to the Privacy Act will provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when information is no longer needed. The OAIC is well prepared and committed to lending our expertise to the next phase of this much anticipated reform. These reforms are urgent, particularly in an environment where we continue to see large data breaches and technology advance at a rapid pace. We stand ready to assist the regulated community with the transition.
Even ahead of reforms, the regulated community should be alert that the OAIC will ensure compliance with the law, and where there are egregious privacy breaches, we will hold organisations to account. An example of this is our civil penalty proceedings on foot against Medibank Private Limited, Australian Clinical Labs Limited and Meta Platforms Inc and Meta Platforms Ireland Ltd.
We also use guidance and education to effect behaviour change. A particular focus for the OAIC in this regard will be our new role as privacy regulator for the Digital ID system as it is expanded across the Australian economy.
Access to information underpins open government and is essential to a participative democracy. Our aim is to promote open government to better serve the Australian community. We aim to increase public participation in government decision making and ensure information held by government is managed for public purposes and is a national resource.
A key focus in 2023–24 was the 5-yearly Information Publication Scheme review. We look forward to applying the results of this review, to promote proactive publication of government-held information and ease of compliance with FOI obligations.
We will build on the substantial progress we made in 2023–24 in effective case management to eradicate the backlog that has developed over many years and ensure our regulatory currency and therefore effectiveness.
The OAIC’s sharpened intelligence-led approach will also inform our information access priorities; we will apply our intelligence to identify and target areas of non-compliance. We are committed to identifying and uplifting capability gaps within agencies and ministers’ offices in exercising their functions under the FOI Act. Timeliness in their decision making is a key risk to the right to access information, and we will focus our regulatory action towards halting the decline in timeliness that has occurred over past years.
We remain energised in our work monitoring the FOI framework as a measure of the health of our democracy, by analysing agency and OAIC statistics. In harnessing this information and through examining optimal features for FOI legislation, we will also advocate to ensure the FOI Act is responsive to the digital environment and secures community expectations.
We continue to navigate work of increasing volume and complexity across our regulatory functions. Our collaborative work – with peers both on home soil and abroad – is an important channel for sharing information, cooperating on mutual issues and opportunities, and ensuring our regulatory efforts are efficient. This work is particularly impactful in our region, and our collaboration with our neighbouring sovereign states well serves human rights and our democratic and economic stability.
The commonality of information access and privacy as fundamental human rights is deeper and more powerful than their origins. Transparency and trust are enlivened and preserved by our effective regulation of these rights, and so we are committed to meeting the expectations of the Australian community as a credible and effective regulator.
Never before have we seen such focus on the importance of privacy protection and information access – from individuals, businesses and government alike. This is a pivotal moment for the OAIC and our country, and it is an honour to lead the agency in promoting and upholding these critical rights for the Australian community at this time.
Based on the 45-page Corporate Plan, as far as privacy is concerned:
- The OAIC will prioritise:
  - influencing and upholding privacy and access rights frameworks;
  - advancing online privacy protections for Australians;
  - taking a contemporary, harms-based approach to regulation of privacy and Freedom of Information (FOI) laws.
- The major areas of focus will be:
  - ensuring emerging technologies (such as AI and facial recognition technology) align with community expectations and regulatory requirements;
  - supporting the development of a privacy-protecting digital economy through regulating compliance and supporting entities under:
    - the Notifiable Data Breaches (NDB) scheme,
    - the Digital ID system, and
    - co-regulation of the Consumer Data Right (CDR);
  - publishing guidance material and responding to enquiries on Digital ID privacy safeguards as a way of enforcing compliance;
  - making determinations, conducting assessments and investigating any alleged failures to comply with the data breach notification requirements (including in relation to the My Health Record system);
  - ensuring the data protection and privacy framework remains robust and consumers continue to be protected by effective accountability mechanisms as the CDR expands;
  - participating in the statutory reviews of Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act) and the National Consumer Credit Protection Act 2009 (Cth), which are both due to be completed before 1 October 2024;
  - progressing the Australian Government’s response to the review of the Privacy Act;
  - engaging with the Australian Government to uplift cyber security in Australia, including changes to the Security of Critical Infrastructure Act 2018;
  - supporting and contributing to the Australian Government’s interim response to the safe and responsible AI in Australia consultation;
  - finalising its review of the National Health (Privacy) Rules 2021 to ensure they remain fit for purpose to regulate how Australian Government agencies use, store, disclose and link Medicare Benefits Schedule and Pharmaceutical Benefits Schedule claims information. The OAIC will lodge new rules to commence on 1 April 2025;
  - implementing proposals from the 2021 independent review of the Privacy (Credit Reporting) Code 2014;
  - building internal capability and culture to deliver demonstrably efficient and effective regulatory action. The OAIC’s guiding principles will now include:
    - being proactive (i.e. adopting a risk-based, education and enforcement-focused posture);
    - being proportionate (i.e. prioritising regulatory effort based on risk of harm to the community);
  - investigating the information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology;
  - focusing on regulating the online environment and emerging technologies that have a large impact on privacy, including facial recognition technology and AI;
  - taking regulatory action to address the harms arising from the practices of online platforms and services that impact individuals’ choice and control, either through opaque information sharing practices or in the terms and conditions of service;
  - ensuring compliance with the law and taking enforcement action where there are ‘egregious’ privacy breaches (for example, the OAIC commenced civil penalty proceedings against Meta Platforms Inc and Meta Platforms Ireland Ltd in relation to Cambridge Analytica).