Australian Information Commissioner releases the its annual report.

November 24, 2025 |

The Australian Information Commissioner has published its Annual Report.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

“This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

“We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.  Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

“The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

    • advancing online privacy protections increased from 60% to 66%
    • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
    • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
    • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
    • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

“The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

Key 2024–25 statistics

    • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
    • Issued 248 IC review decisions, compared to 207 previous financial year.
    • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
    • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
    • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

The overview from the Privacy Commissioner provides:

This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever- increasing risks to the protection of Australian’s privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to- day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models.

In parallel, and in acknowledgment of the expectations of the Australian community, the OAIC has been focused on stepping up enforcement action to address the most egregious, persistent and systemic privacy harms. In December 2024, we reached a landmark settlement with Meta in which the digital platform agreed to establish a payment program worth $50 million for individuals affected by the Cambridge Analytica incident. The OAIC entered into an enforceable undertaking with Oxfam, in relation to a data breach experienced by the charity in 2021, and issued important determinations in relation to the use of facial recognition technology by Bunnings Group and predatory web scraping activities pursued by the Grubisa companies, Property Lovers and Master Wealth Control. Investigations have been commenced in relation to connected cars, ‘rent tech’ apps, the use of tracking pixels, and the development and training of AI models, as well as into major data breaches of significant concern.

Alongside this proactive and strategic work, the OAIC continues to play a vital role providing policy input and regulatory oversight to government digital initiatives, and in administering a range of other responsibilities under more than 30 legislative domains. Three key areas warrant particular mention: the OAIC registered a new Privacy Credit Reporting Code in October 2024, on application of the code developer Arca, which enhanced protections for Australians’ credit information. The OAIC also took up a formal role as the privacy regulator of the government’s Digital ID scheme, which came into effect in December 2024. And after the passage of the Privacy and Other Legislation Amendment Act 2024 in November 2024, the OAIC commenced work on the Children’s Online Privacy Code, which will enhance protections in the online realm for children under the age of 18 when it is registered in late 2026.

With each month that passes in the role of Privacy Commissioner, I gain a greater appreciation of the complexity of privacy issues and the genuine needs of the regulated community in Australia. As we move into the new financial year, I am committed to working alongside my OAIC colleagues to continue to seek to address those issues and meet those needs through our dual approach to education and enforcement. I am convinced there is much we can do as the nation’s privacy regulator to give individuals back some of the control and agency over their personal information that they so need, and at the same time support regulated entities to secure and retain their social licence to be trustworthy stewards of Australian’s data.

The summary of the privacy complaints provides:

 

 

 

 

 

 

Leave a Reply