Information Commissioner releases Annual Report

October 25, 2023

It's annual report time, and the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday, the 19th October to be exact, even though the Information Commissioner signed the report as being dated 3 October 2023. That way it avoids serious scrutiny by the traditional media. There is no time to push out a story for the weekend papers and the electronic media would have no interest in that being a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

    • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
    • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
    • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
    • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
    • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.

With the welcome support of additional government funding for privacy, we commenced and have substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm, but business and others with custody of personal information are at risk of serious reputational damage.

This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.

Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and importantly, collaboration.

The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.

This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.

We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future.

While the funding had its genesis in ensuring the OAIC is able to regulate a reformed Privacy Act, it is essential that all our functions and operations form part of the review. Because we are one OAIC.

This is an opportunity full of promise. It will occur alongside a change in the composition of the OAIC at Commissioner level, following the Australian Government’s announcement that the OAIC will return to the 3 statutory office holder model: the Australian Information Commissioner (as agency head), Privacy Commissioner and Freedom of Information (FOI) Commissioner.

This will strengthen our ability to carry out our important statutory functions. It recognises the complexity and volume of matters dealt with by the OAIC and will provide welcome specialisation and capacity to address this workload.

Effective and efficient regulation also requires law that is fit for purpose. The major data breaches were also a catalyst for the strengthening of the OAIC’s regulatory powers and available penalties, which was a precursor to expected wider legislative change resulting from the review of the Privacy Act 1988. Amendments were also made to the Australian Information Commissioner Act 2010 in line with the OAIC’s advice, to allow IC review decisions to be delegated to Senior Executive Service (SES).

During the year, we continued to engage with government agencies on issues of regulatory concern, and to promote the principles of Open by Design, which supports government agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure. In doing so, we highlighted the importance of agencies developing robust digital systems that strengthen the community’s access to information.

Mr Leo Hardiman PSM KC served as the FOI Commissioner from 19 April 2022 to 19 May 2023. During his term Commissioner Hardiman worked to advance the objectives of the FOI Act to promote timely access to government-held information. Mr Hardiman further developed FOI jurisprudence and his service to the Commonwealth is acknowledged.

Ms Toni Pirani commenced as acting FOI Commissioner on 20 May 2023 and has worked to further the objectives of the OAIC.

The OAIC has also embedded regulatory cooperation into our approach to performing our functions.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission (ACCC). During 2022–23, we provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

The Digital Platform Regulators Forum, comprising the OAIC, the Australian Communications and Media Authority, the ACCC and eSafety, continued work to promote proportionate, cohesive, well-designed and efficient digital platform regulation that best serves the public interest. The forum’s strategic priorities for the year included a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and collaboration and capacity building.

We have also been central to the whole of government response to data breaches, and to promoting regulatory cohesion through our co-chairing of the Cyber Regulators Network with the Australian Prudential Regulation Authority.

We have continued to engage internationally on privacy and access to information issues of global concern, including through our membership of working groups of the Global Privacy Assembly and as a member of the International Conference of Information Commissioners.

The OAIC continues to perform an important privacy complaint role for the community. In 2022–23, we received a 34% increase in privacy complaints (3,402) compared to 2021–22. We are focusing on the age of privacy complaints and have commenced a project to address a backlog of privacy complaints that are more than 12 months old.

In 2022–23, we also opened investigations into the personal information handling practices of certain retailers, focusing on the companies’ use of facial recognition technology.

We sought to promote and improve protections to privacy and access to information rights by providing detailed submissions and policy advice to the Australian Government and others. In 2022–23, we made 16 submissions and 75 bill scrutiny comments across both privacy and FOI.

The OAIC engages with the community as part of our education function and to inform our regulatory approach. We led a successful Privacy Awareness Week, signing up a record number of supporters, and a successful International Access to Information Day.

Not surprisingly, due to the increase in the number and scale of data breaches reported, our Australian Community Attitudes to Privacy Survey 2023, released in August 2023, found that data breaches are seen as the number one privacy concern by the community.

This year we also embedded our hybrid way of working to attract and retain skilled people nationally and new shared services providers for finance and ICT. This required us to bring capability in house to support these systems as a service.

The OAIC has also grown significantly this year, with 72 new staff joining, requiring investment from our people and culture team to recruit, onboard and support. We also heard what is important to our people through our results in the Australian Public Service Commission (APSC) Census, and successfully implemented a Census Roadmap to uplift the OAIC’s results across all indexes.

We are also critiquing the OAIC’s performance, and for the first time, we commissioned an independent stakeholder survey to seek feedback on key performance measures and set a baseline for the future. There are lessons to be learned and the data will be highly useful as we focus our efforts in the year ahead.

We can say confidently that privacy and access to information are very much in the spotlight and will continue to be so. Information access and privacy matters to Australians, and the OAIC will continue our important work to promote and protect these fundamental rights, harnessing the skills and commitment of our people.

We are one OAIC, delivering collectively for the Australian community. I want to thank the people of the OAIC for their determination, skill and dedication to delivering across our functions every day. The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.

The Report reveals that privacy complaints rose 34% to 3,402, and that 2,576 complaints were finalised, an increase of 17% over the same period in the previous year. The Commissioner states that 84% of privacy complaints were finalised within 12 months and that the average time to finalise a complaint was 6.4 months. Given that complaints can be “finalised” by the Commissioner deciding not to investigate them in certain circumstances set out in section 41 of the Privacy Act, care needs to be taken in considering how effective the complaint closing mechanism is. Those circumstances in section 41(1) are:

    (a)  the act or practice is not an interference with the privacy of an individual; or

    (c)  the complaint was made more than 12 months after the complainant became aware of the act or practice; or

    (d)  the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith; or

    (da) an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances; or

    (db) the complainant has not responded, within the period specified by the Commissioner, to a request for information in relation to the complaint; or

    (dc) the act or practice is being dealt with by a recognised external dispute resolution scheme; or

    (dd) the act or practice would be more effectively or appropriately dealt with by a recognised external dispute resolution scheme; or

    (e)  the act or practice is the subject of an application under another Commonwealth law, or a State or Territory law, and the subject-matter of the complaint has been, or is being, dealt with adequately under that law; or

    (f)  another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the act or practice that is the subject of the complaint.

The above provisions give the Commissioner quite a broad scope not to investigate a complaint yet still regard it as finalised. And deep into the Report that is confirmed, where the Commissioner stated:

Where possible, we seek to resolve complaints through early resolution and conciliation. This means that, in many cases, we exercise the Commissioner’s discretion under s 41 of the Privacy Act to decline to investigate a complaint as a result of those processes, because, for example, the complaint does not involve an interference with the complainant’s privacy, the respondent has dealt with the complaint adequately, or an investigation is not warranted in the circumstances. During the reporting period, 68% of privacy complaints were finalised by exercising the Commissioner’s discretion under s 41 of the Privacy Act.

(My emphasis)

And there is the rub. While the closure figure may seem impressive, the majority of closures are due to the Commissioner declining to investigate the complaint. What is not provided is a granular review of which categories of complaints were rejected for which reasons. This is disappointing. It is not a very transparent analysis.

In terms of the complaints made, the most common were made under the following APPs:

    • APP 11 – security of personal information (44%)
    • APP 6 – use or disclosure of personal information (21%)
    • APP 12 – access to personal information (14%)

The most common complaints were in the finance, health and telecommunications sectors.

Table 1.2.1: Number of privacy complaints by sector

Sector                                                                 Complaints received     %     % change from 2021–22
Finance (incl. superannuation)                                                 656            19            154
Health service providers                                                       330            10             –6
Telecommunications                                                             286             8            240
Australian Government                                                          284             8              6
Retail                                                                         217             6             21
Insurance                                                                      196             6            172
Online services                                                                153             4              0
Personal services (includes employment, childcare and veterinarians)           134             4             60
Real estate agents                                                             106             3             38
Credit reporting bodies                                                         80             2            –40

The Notifiable Data Breaches statistics show that most notified breaches occurred because of a malicious or criminal attack:

Source of breach                  Notifications received      %
Malicious or criminal attack                628               70
Human error                                 299               26
System fault                                 38                4
Total                                       895              100

There are aspects of the Report that defy easy, or any, understanding. I have read and re-read Key activity 2, “Advance online privacy protection for Australians”, and find myself neither the wiser nor better informed.

For example, Intended Result 2, “The OAIC’s activities support innovation and capacity for Australian businesses to benefit from using data, while minimising privacy risks for the community”, states:

The OAIC delivered guidance and advice to key Australian Government agencies and other stakeholders on privacy in the online environment. We sought to influence the design of legislation and other policy initiatives to address privacy risks in the online environment and promote a best-practice approach to privacy matters, including making 9 submissions that address these issues. We provided advice on areas including the review of the Privacy Act and related legislation, digital health, credit reporting and the CDR.

We also sought to promote proportionate, cohesive, well-designed and efficient digital platform regulation that best serves the public interest as a founding member of the Digital Platform Regulators Forum (DP-REG), together with the ACCC, ACMA and the Office of the eSafety Commissioner.

To determine a baseline for this performance measure, data was collected through the OAIC’s independent annual stakeholder survey. Based on the average performance rating of relevant survey questions, an index score of 61 out of 100 was achieved for this measure, setting the baseline for future measurement.

The highest average scores achieved by the OAIC in terms of this performance measure relate to the OAIC working collaboratively with international regulators to support globally interoperable privacy regulation, and raising awareness of opportunities to enhance online privacy legislation.

Responses were lower in relation to the OAIC’s use of its full range of regulatory functions and powers to pursue breaches of privacy in the digital environment. The OAIC will assess the survey results and consider stakeholder initiatives that can improve performance. In recent years the OAIC has increased its focus on targeted proactive regulation to deliver for the community, and the survey will inform efforts to strengthen that approach through our upcoming strategic review. For more information about the survey results and methodology, see Appendix F.

The art of using a lot of words to say very little.
