Peter A Clarke

It is estimates season and the Privacy Commissioner appeared before Senate Estimates Committee on Tuesday.

• As of 31 March 2026, in the first three quarters of the financial year compared to the same time last year, privacy complaints increased by 73 per cent, and finalisations increased by 38 per cent. There is a backlog
• The OAIC is about to release its Australian community attitudes to privacy survey
• the OAIC remains mealy mouthed about enforcement “We are designing our regulatory approach proportionate to the issues that are raised and the harm that either is potential or has occurred, as indicated by my colleague.”  and  “..how we’re adjusting our regulatory posture through education, through enforcement and through all available measures to ensure we’re able to stem the incoming numbers.” Whatever that means.
• the Privacy Commissioner has some interesting theories for the spike in complaints; complaints about not getting access to personal information and excessive collection.  Both have always been matters of concern so why are people complaining now when they were less inclined to do so previously.
• there is no timetable on the second tranche of reforms.  

                   Senator BLYTH: What date has been set for that second tranche?                               What’s the timeline that you’re working towards?

                    Ms Chidgey : There’s been no specific timing set for that at this point,                        but we’re working towards targeted consultation.

The transcript provides:

CHAIR: The committee’s proceedings today will begin with the Office of the Australian Information Commissioner.

Ms Tydd : Thank you, Chair. I’d like to provide a brief opening statement, if that’s acceptable.

CHAIR: Sure. I’ll just check with the minister first that he doesn’t want to make an opening statement.

Senator Farrell: That’s a very kind offer, but, on this occasion, I don’t have an opening statement.

CHAIR: The committee’s poorer for it, Minister.

Ms Tydd : I appreciate the opportunity to provide a brief opening statement to the committee on behalf of my colleagues the Freedom of Information Commissioner, Alice Linacre, and the Privacy Commissioner, Carly Kind.

The OAIC’s remit is wide, and our regulatory environment is dynamic, as demonstrated by our consistent and significant increase in community contacts, government and industry engagement and capability building, proactive initiatives, and compliance and enforcement activities. Commissioners’ responsibilities extend beyond statutory decision-making to systemic impacts as proactive data driven regulators. To achieve this broad mandate, we have embedded the three-commissioner model and developed shared regulatory priorities. We continue to mature our processes and capabilities. However, our year-on-year improvements confirm that we are achieving improved outcomes for the community and that our leadership is influencing regulators internationally.

As of 31 March 2026, in the first three quarters of the financial year compared to the same time last year, privacy complaints increased by 73 per cent, and finalisations increased by 38 per cent. Eighty-six per cent of privacy complaints were closed within 12 months, an increase from 76 per cent in 2024-25. The average age of privacy complaints on hand has reduced from 7.6 months to 5.5 months. Applications for review by the Australian Information Commissioner increased by 46 per cent compared to the same period last year. Eighty-two per cent of IC reviews are finalised within 12 months, an increase from 79 per cent in Q2. The average time taken to finalise an IC review has reduced to 7.2 months in Q3 from 9.8 months in Q1. The number of FOI complaints received increased by 52 per cent, and our closure rate increased by 26 per cent in 2025-26.

Our approach to the systemic regulatory challenges we face is maximised through collaboration and engagement. We recently led the development of a uniform icon for information access to be shared and promoted by all state and territory information commissioners. This uniform representation of information access can be applied by all government agencies to their websites. This will provide a recognisable common entry point through which the community can engage with agencies. For agencies, our ambition is that friction points are lessened by a single point through which information can be proactively and responsively released.

Our collaboration with regulators and integrity agencies such as the Australian Public Service Commission, the ANAO and digital platform regulators also informs our work program. We approach new and important initiatives, including the social media minimum age reform, through community and industry engagement. This engagement ensures our regulatory approaches are responsive to our dynamic regulatory environment and community expectations.

The OAIC will shortly release our Australian community attitudes-to-privacy surveys. The results confirm that our proactive work is responsive to harm in both information access and privacy. For example, in relation to the use of AI, Australians most frequently prioritise a right to human review, at 81 per cent, and being told when AI is being used, at 79 per cent. These outcomes underscore our work in reporting upon and providing guidance to agencies as they meet their obligations to publicly disclose their use of ADM under the FOI Act and the complementarity of the forthcoming ADM transparency obligation under the Australian Privacy Act reforms commencing in 26 December.

Our investment in capability uplift within the OAIC through staff engagement, wellbeing and learning and development programs has delivered results for the OAIC and the community. I acknowledge the fine work of the OAIC staff and record our thanks for their ongoing commitment. We are actively advancing efforts to maximise the opportunities available to us under these statutory regimes to ensure they operate effectively for the community, industry and government.

CHAIR: Thank you very much for that opening statement. We’ll proceed to questions and begin with Senator Blyth.

Senator BLYTH: Thank you, Commissioner, for that opening statement. I will start by referring to the current budget and taking you through portfolio Budget Paper No. 4. On page 43, it shows that the OAIC’s departmental appropriation is at $36.576 million for 2026-27, which is down from $39.753 million in 2025-26. Is that correct, an eight per cent reduction?

Ms Tydd : Yes, there has been a reduction. It’s largely attributable to terminating measures. Those terminating measures are work that we’ve acquitted through the social media minimum age and also through our litigation fund, which is available for us to draw upon for matters, such as Bunnings, that have now concluded. So the majority of that reduction is attributable to terminating measures. There is, in addition to those terminating measures, the proportion of savings that we are delivering through labour hire, contractor use and also travel.

Senator BLYTH: Can I ask about the OAIC’s monitoring services and what Australia’s progress in implementing the ANAO’s recommendations regarding data management and risk practices is.

Ms Tydd : I’m sorry—the ANAO’s report into data management and risk practices?

Senator BLYTH: Yes.

Ms Tydd : That’s not within my program at the moment, but it is something that we will engage with the ANAO on as we are engaging with them in relation to their general work program and reporting. At a corporate level, I can say that we have implemented or are in the process of implementing an approach to governance in relation to data usage and tech more broadly and expanding our program of work at a corporate level to ensure that we’re responsive to both the opportunities and challenges presented by AI.

Senator BLYTH: Has the OAIC provided Services Australia with any additional guidance on public notification obligations in the event of a data breach?

Ms Tydd : I think the Privacy Commissioner will take that matter forward. However, we have been engaged with Services Australia in relation to their approaches to data breaches, responsive to the ANAO report in that regard. If that was the report you were referring to in terms of data matching, yes, we are familiar with that report and it is informing our work program. I’m sorry I misunderstood you.

Senator BLYTH: Fantastic. Thank you very much. From 1 July 2026, more than 100,000 small businesses will be required to comply with the Privacy Act for the first time. What guidance and support has the OAIC provided to these businesses, and how confident is the OAIC that they will be ready?

Ms Tydd : My colleague has been really influential in ensuring that appropriate guidance is available to support industries through both tranche 1 and tranche 2 as we work through the additional obligations that are imposed on those entities. And you’re correct in saying that up to 120,000 new entities are to be covered. Those entities have been provided with direct engagement, guidance and ongoing updates of guidance to ensure that they are ready to comply with their additional obligations, particularly as they relate to the issue of privacy. And, with your leave, I might turn to my colleague to see if she would like to offer anything else in this specific domain.

Senator BLYTH: Please.

Ms Kind : I’d just add to the information commissioner’s commentary, which indeed correctly states we’ve done an extensive program of engagement with peak bodies and others in relation to the AML/CTF reforms, which, as you rightly say, will bring more than 120,000 new entities under the OAIC’s regulatory remit. We published guidance in February 2026. We revised that guidance after we received engagement from the stakeholder community, and I’ll just add we also published in April 2026 a template privacy collection notice that entities can use. It is essentially an off-the-shelf template that they can use to ensure they’re in compliance with their obligations.

Senator BLYTH: And you’re confident that these businesses are going to be ready?

Ms Kind : We’re certainly providing all the support we can. We note that the obligations under the combination of the AML/CTF regime and the new Privacy Act obligations are responsive to the circumstances of the entities, and we have already indicated that we’ll be taking into consideration the size of the compliance burden against the size of the entities and their capabilities to comply. We’ve provided guidance in that context, and we’re certainly committed to supporting them to be in compliance.

Senator BLYTH: That leads into the next question in terms of any enforcement action for anyone who’s not compliant. It sounds like you’re going to look at that on a case by case and—

Ms Kind : Absolutely.

Senator BLYTH: A grace period—is that a good way to describe it?

Ms Kind : Indeed. We would always think proportionately about how to use our regulatory powers. We acknowledge the circumstances in which entities are working to comply and will certainly take that into consideration, as well as the size of the transition many of them will need to make in order to be in compliance.

Senator BLYTH: In terms of that, say, grace period—for want of a better description of it—how long do you think you will take that approach? Do you have a timeline? It is a large number of—

Ms Kind : The Privacy Act is helpful in this regard in that it mentions often reasonable steps and the circumstances relevant to those reasonable steps. We’ve indicated in guidance that the circumstances we’ll consider include the size of the entity, the resources they have to draw on in order to comply, the type of personal information they’re handling and the volume of that personal information, and the size of the compliance obligation that they’ll need to transition towards. We’ve not been explicit about applying a grace period per se so much as said, ‘In all the circumstances, consider what an entity is required to do and how much change they’re going through.’ I would say that, the larger an entity is and the more resources they have available to them, the more likely we would be to take enforcement action sooner after the obligations come into effect.

Senator BLYTH: In terms of the resources—and it sounds like there is going to be a large resource burden on your office—If we’re looking at this case by case, there are a very large number of businesses that range in size. How are you going in terms of being able to regulate an additional 120,000-plus new entities from July, given that the complaint volume is already very high?

Ms Tydd : We are designing our regulatory approach proportionate to the issues that are raised and the harm that either is potential or has occurred, as indicated by my colleague. We’re also informed by our budgetary parameters. However, in terms of privacy, litigation and enforcement, we have access to discrete funding that we are allowed to draw upon when we undertake that significant and costly enforcement action. Drawing upon those funds has allowed us to deal with matters that have been quite significant for us and are currently significant for us in terms of expenditure through litigation.

Senator BLYTH: How much is that fund that you have access to?

Ms Tydd : Our funding is in relation to those litigation funds derived from three different sources. One is our internal funding, and the other two are acquittable fundings—one for enforcement and one for litigation. They have varied because they have applied over a period of three years. I’ll just grab the precise figures for you. There was $6.1 million of contingent litigation funding over the period of 2023-24 to be used for litigation in relation to data breach investigation matters. There was $2.6 million for equitable privacy enforcement funding. That was Bunnings and Kmart. We of course retain the ability to draw upon that quantum of money for matters that are still on foot, like Kmart. There’s also acquittable privacy litigation funding—a total of $6.05 million, which is $3 million in 2025-26 and $3.05 million in 2026-27. That can be applied to any privacy litigation matter, either enforcement or defending our decisions that are taken. The estimated amount that remains uncommitted in the last month or so is about $5.5 million.

CHAIR: Senator Shoebridge.

Senator SHOEBRIDGE: Thanks, all, for your attendance. First, can I express my gratitude for the action on the Property Lovers bottom-feeding corporate structure that you’ve been undertaking, Commissioner Kind. Can you give us an update on where that’s up to? And what about the principal involved, Ms Grubisa—what’s the status there?

Ms Kind : As you’ll recall, we issued two determinations in relation to Property Lovers and a related entity owned or controlled by Ms Grubisa or her husband in 2024. Then, last year, we had concerns that there was noncompliance with one of those determinations, which was with respect to Property Lovers, so we opened a new investigation to both monitor compliance with the determination and extend the investigation to another new entity, which appeared to be under the control of the same people, fastproperty.ai.

We conducted an extremely thorough investigation of those entities, much of which was focused on establishing the corporate structures that were related to them and which were very opaque. We were able to establish that Ms Grubisa herself was involved in fastproperty.ai. However, the investigation revealed that the tools being used by Property Lovers and fastproperty.ai did not involve any personal information and that, therefore, the Privacy Act did not apply to those entities for those particular purposes.

Acknowledging the concerns you have, Senator, and the concerns that the Australian people had, we thought it was important to publish a report on that investigation, which we did in May 2026. We’ve also referred relevant practices uncovered during the investigation to other relevant regulators.

Senator SHOEBRIDGE: Which regulators have you referred it to, and has it been a hot handover, showing all the detailed investigation you’ve been doing about corporate structure and poor behaviour as directors and office holders in corporations? Has that been a hot handover?

Ms Kind : We’ve provided the full investigation report to the ACCC. We’ve also met with their staff on numerous occasions to brief them on the investigation and our concerns that might be relevant to their remit.

Senator SHOEBRIDGE: Alright.

CHAIR: Senator Shoebridge, can I just interrupt you for a second? We’ve just had media walk into the room, so I want to seek the permission of the committee.

Senator SHOEBRIDGE: A standard resolution?

CHAIR: Yes, thank you. I remind media that permission can be revoked at any time, that the media must follow the direction of the secretariat staff and that the usual rules apply.

Senator SHOEBRIDGE: Is there any current ongoing work involving Property Lovers or Dominique Grubisa in the office, or is that concluded for the moment?

Ms Kind : Not at this stage—not at the OAIC.

Senator SHOEBRIDGE: We saw privacy complaints increase by 73 per cent and finalisations increase by 38 per cent. Obviously, it’s a huge amount of effort to increase the finalisations by 38 per cent, but the numbers aren’t matching. What does that look like in terms of workflow and in terms of backlog?

Ms Kind : Yes, you’re right: the increase in numbers has not been matched by the increase in finalisation rates, despite the very, very hard work and good effort of the OAIC. And I would acknowledge that that effort extends not only to case-handling processes but also, more broadly across the organisation, to how we’re adjusting our regulatory posture through education, through enforcement and through all available measures to ensure we’re able to stem the incoming numbers.

You’re right that we’re receiving somewhere in the ballpark of around 100 complaints a week currently. We’ve received 4,648 complaints this financial year to date, and we have 4,209 on hand. So that is, in your words, our current backlog, of which about a third are over 12 months old.

Senator SHOEBRIDGE: If you are looking at these numbers, do you see that backlog holding; do you see it growing—what do you see?

Ms Kind : I think the experience of recent months has been that, despite all of the tools we’ve brought to bear upon the incoming numbers and our own backlog, we’re not able to, at this stage, meet, par for par, the exact incoming numbers, so it’s likely that that backlog will continue to grow as complaints continue to rise.

Senator SHOEBRIDGE: When you look at the broad array of complaints you’re getting, what do you see is driving that rise? Is it people concerned about AI hoovering up their data? Is it people concerned about their kids’ data? What’s driving that rise in complaints?

Ms Kind : I have a few theories as to the increase, but I’d say there’s no specific trend in the case numbers themselves. We’re certainly analysing the cases in that way. We don’t see any particular entity or any particular practice giving rise to huge bumps. I think there are higher levels of awareness and concern around privacy in the community. As Commissioner Tydd said, we have a forthcoming privacy attitude survey that will be published this week which shows that 86 per cent of people are more concerned about their privacy now than they were five years ago. I think we’re seeing that reflected in the complaints. I think privacy is in the public discourse more because of AI and so people are, again, more attuned. But I wouldn’t say that our incoming complaints reflect AI related complaints per se. I think that’s because AI is in many circumstances obfuscated from individuals, but I think the generalised concern is there. We still see a large number of people, and probably an increasing number of people, wanting access to their personal information and not being able to get that access because they’ve been refused access, because they’re being charged extortionate fees or for other reasons. Then other concerns relate to excessive collection of personal information and then secondary uses and disclosures of personal information.

Senator SHOEBRIDGE: One of the big issues that’s alive in privacy reform that this parliament has still not grappled with is somebody having given consent maybe a decade ago or maybe consent in certain circumstances and then finding that their data is being used and repurposed for often commercial gains that were never in their contemplation when they gave their consent. Is that part of what people are seeing?

Ms Kind : I think that’s right. I think that’s captured by the concern around use and disclosure. People feel that their data collected for one purpose, whether they gave consent or not, is then later repurposed for another reason or is being passed on, often because they’re receiving targeted advertising from an unknown entity, for example. We see a lot of concern around disclosure to other entities, particularly overseas entities.

Senator SHOEBRIDGE: Your office has put out a statement titled ‘Handling privacy complaints—a new approach for a new era’. What does that actually mean for people approaching the office?

Ms Kind : I think the objective there was, in one sense, to manage the expectations of complainants who are facing lengthy waits to have their complaints resolved and who are often surprised when we exercise our discretion not to take forward complaints for a range of reasons. So we wanted to provide more information as to what factors feed into that discretion. We also wanted to make clear that the reason we’re focusing on enforcement and education initiatives is to address issues at a more systemic level rather than on a complaint-by-complaint basis.

Senator SHOEBRIDGE: But is that also just a recognition of the sheer number of complaints that are coming to you? If you’re looking at your team, how do you fairly triage this firehose of complaints? Is that part of why you’re looking at moving towards more strategic work?

Ms Kind : That is a strategic decision we’ve taken, absolutely—that we can have more effect and more proportionate effect at that strategic level. I’d also say, if I may, that we are working really hard to increase our expectations on the regulated sector to deal with complaints in the first instance, as the Privacy Act requires them to do. That’s part of that strategy.

Senator SHOEBRIDGE: Did you make a budget request for additional funding for the office? It would appear you need additional funding. That would be one solution, wouldn’t it, to this mismatch between incoming work and actual capacity inside?

Ms Tydd : I might take that. We’re in constant engagement with AGD in relation to our budgetary situation and also in relation to opportunities through the terminating funding process to look at an uplift to our budget. It is pleasing that Digital ID has become part of our ongoing budget through this particular budget cycle, but we will continue to engage. We’re particularly engaged on the issue of ensuring that respondents meet their requirements under APP 1 to actually engage with complainants to resolve matters at first instance, because a number of these complaints are successfully being resolved through early dispute resolution schemes or through the respondent’s contact.

Senator SHOEBRIDGE: But in December of this year you’re going to have a whole raft of new work, with new entities covered by privacy legislation. Has there been a funding package given to deal with that surge of new work that’s going to come in?

Ms Tydd : Parallel to the discussions around tranche 2 will be discussions around the budget impact for the OAIC and our regulatory remit.

Senator SHOEBRIDGE: But it’s happening in this financial year. I look at the budget; there’s nothing in the budget for this coming financial year. You might be having discussions, but they haven’t worked, because there’s no money in the budget

Ms Tydd : I can assure you that the work will continue.

Senator SHOEBRIDGE: Alright.

CHAIR: Senator Blyth.

Senator BLYTH: The government has agreed, in principle, to remove the small-business exemption entirely, which would capture approximately 2.3 additional businesses. Has a date been set yet for that exemption?

Ms Kind : I wasn’t sure if that question was for—

Ms Tydd : Sorry, would you mind repeating the question?

Senator BLYTH: The government has agreed, in principle, to remove the small-business exemption entirely, which would capture approximately 2.3 million additional businesses. Has a date been set for this?

Ms Tydd : Perhaps the department can assist with that.

Senator BLYTH: Sure.

Ms Chidgey : The government hasn’t made a decision to remove that exemption.

Senator BLYTH: Okay.

Ms Chidgey : The government is continuing to consider and consult on those issues as part of work that continues on a second tranche of privacy reform.

Senator BLYTH: Is there consultation happening about making a decision on that?

Ms Chidgey : The department is working on proposals with the intention to undertake targeted consultation, but no decision has been made about whether that would include any change to the small-business exemption.

Senator BLYTH: You’re working on proposals currently.

Ms Chidgey : For the second tranche of privacy reform. There have been no decisions on small business specifically.

Senator BLYTH: What date has been set for that second tranche? What’s the timeline that you’re working towards?

Ms Chidgey : There’s been no specific timing set for that at this point, but we’re working towards targeted consultation.

Senator BLYTH: Okay. I guess this is going to go back to the businesses. What’s the estimated compliance cost for a typical small accounting firm or real estate agency to meet the new Privacy Act obligations? Do you have an approximate—has the OAIC conducted or commissioned any analysis into the regulatory burden?

Ms Tydd : In relation to anti money laundering, that might be a question for colleagues or another department. In terms of our engagement with industry, that information is not currently before me.

Senator BLYTH: Are you able to provide that on notice?

Ms Tydd : That would be, I would think, in a regulatory impact statement or assessment.

Ms Jones : In terms of anti-money-laundering and counterterrorism financing reform, that’s the Department of Home Affairs.

Ms Chidgey : And they did do a regulatory impact analysis.

Senator BLYTH: In Privacy Act obligations?

Ms Chidgey : I think it was across the AML/CTF reforms, which is part of Privacy Act obligations. There is an analysis that encompassed all of those reforms.

Senator BLYTH: But in terms of the Privacy Act—I’m not talking about anti money laundering. In terms of just these new businesses and the grace period we were talking about, what’s the burden? Have you done any modelling on a cost of the burden to these businesses?

Ms Tydd : That would not be a matter that we would undertake as a regulator. However, we do engage and seek to ensure that businesses are well equipped to meet their obligation. In terms of the financial impact, that is not something that we would be engaged in once the legislation, obviously, has been passed and the tranches of compliance are being rolled out.

Senator BLYTH: Can I ask then from a business perspective—I understand you go out and you’re trying to equip them to be able to meet the new regulatory burdens that they have, but it doesn’t come up in discussion what that’s going to cost them?

Ms Tydd : That might be part of the dialogue that occurs as we engage with the entity subject to tranche 1 and tranche 2, but it is not a question that I have the answer to before me. Our focus would be ensuring that entities covered have the appropriate guidance to be able to meet their obligations under this legislation as seamlessly as possible.

Senator BLYTH: In that guidance, are there recommendations for additional staff if a business doesn’t necessarily have the capabilities to meet the regulatory requirements? I’m trying to understand if you’re equipping them to meet the burdens that they’ve got to meet. Are you advising them on the types of skills that they’ll need in their personnel?

Ms Kind : Much of our guidance contains information about what reasonable steps look like in the circumstances to comply with various components of the Privacy Act. We certainly do provide advice around properly training, skilling and equipping teams around Privacy Act obligations. We don’t provide specific or bespoke advice to any particular entity but rather focus on our guidance materials, which go towards how entities can comply with various components of the act.

Senator BLYTH: And there’s no cost aspect to that? You’re not able to say to a business, ‘At a minimum your obligations may cost your business an additional X’?

Ms Kind : The obligations scale with the size of the business, the type of personal information they’re handling and the various circumstances in which they sit. If you’re a multimillion dollar business, the expectation is that you’re spending more on Privacy Act compliance, and that scales accordingly. Again, we don’t provide bespoke advice to any particular business but rather provide generalised guidance on what compliance looks like under the act.

Senator BLYTH: You’re not collecting that at all to be able to come back and provide advice? Obviously businesses are doing it so tough at the moment, and you’re adding additional burdens. I would have thought the regulator would have been aware or at least conscious of the impact that this could have on those businesses.

Ms Kind : We do receive information in our engagement with stakeholders across the community, and we certainly attempt to ensure that our guidance addresses any questions and concerns that they have.

Senator BLYTH: Can I ask you to table that correspondence that you’re receiving back from the many small businesses that you’re engaging with—this group of 120,000. I’m assuming a lot of them have had feedback for you, and I’m assuming you’re collating it in some way, shape or form, where the cost burden of this has been raised.

Ms Kind : To reiterate what our colleagues from the department said, this legislation was under the mandate of Home Affairs, so the regulatory impact assessment and the consultation on the legislation was conducted by them. We’re regulating the downstream impact of that.

Senator BLYTH: I get that. But you’re liaising with businesses. You’ve just said you’re getting a whole range of feedback from the businesses you’re liaising with. That’s not coming from Home Affairs; that’s coming from you.

Ms Tydd : We are also engaged with AUSTRAC as another regulator in this space. We engage with them regularly in relation to ensuring that the system is implementable and ensuring that our guidance is responsive to the feedback from industry that may involve the privacy dimension, which is just one dimension.

Senator BLYTH: Can that feedback be provided to the committee on notice.

Ms Tydd : We will make every attempt to look at what information is relevant to your question and provide it.

Senator BLYTH: Fantastic. Thank you.

CHAIR: Senator Polley.

Senator POLLEY: I have some questions in relation to the Children’s Online Privacy Code. How will the Children’s Online Privacy Code better protect the personal information of children?

Ms Kind : The OAIC published the exposure draft of the Children’s Online Privacy Code in March this year, and it’s currently open for consultation until 5 June. The code will require APP entities bound by the code to adopt best-practice approaches when it comes to the handling of children’s personal information. Some of the key provisions in the exposure draft of the code include the following: the collection, use and disclosure of personal information must be consistent with the best interests of the child; direct marketing to children will only be permissible with consent, when it’s in the child’s best interests and when the personal information is collected directly from the child rather than from third parties like data brokers; we propose to introduce more rights and controls for children, including a right to request destruction of their personal information; we propose to require privacy notices and policies to be written in clear, accessible language that is age appropriate; and there’ll be stronger consent mechanisms, including telling a child when a parent consents on their behalf.

Senator Polley, I’m pleased to inform you that we’ve had really wonderful engagement with the code. We’ve consulted with 337 young people and children and their parents about the code, and we continue to receive submissions and consultation responses.

Senator POLLEY: What do you anticipate will be covered by the scope of the code? Can you talk us through that in a little more detail so people can actually have a sense of what it’s going to achieve.

Ms Kind : The threshold for application of the code is, first, that the entity has to be already covered by the Privacy Act. So there won’t be any new entities covered by this new legislation. The second thing is that it applies to services that are likely to be accessed by children. We also propose that services that handle, as a primary purpose, the personal information of children be covered by the code. The code applies at a service level, not at an entity level, which we think is a really important mechanism to ensure that it has a discrete application only to the most concerning and important places that children go online. Generally speaking, the scope of the code is broader than, say, the social media age restriction scheme. Social media platforms will be covered but also apps, streaming platforms, games and any other websites where children are likely to be.

Senator POLLEY: Can you give us an update on the progress of the drafting of the code. Where are you at now?

Ms Kind : The exposure draft is out for consultation. Once that consultation closes, on 5 June, we will revise the code according to the responses received during the consultation. We are also engaged in a regulatory impact assessment currently. Once both of those inputs have been considered, the code will be registered by the Attorney-General by December 2026.

Senator POLLEY: You said you had consultation with 337 children and parents. What is the age of the children that you’ve been consulting with? You can give me a range of ages.

Ms Kind : This is the second round of consultation with children, young people and parents that we’ve undertaken. The first was in 2025. Throughout both, we designed consultation materials that are age appropriate for specific age groups. Those age groups included children as young as eight. The youngest cohort of consulted children was eight to 12. Then we had a 12 to 16 group and a 16 and older cohort as well. We undertook that consultation directly, but we also worked with partner organisations who brought to us the input of children. We also developed curriculum materials that were disseminated throughout schools in order to elicit the input of children, including through drawings and pictures as well as through written consultation responses.

Senator POLLEY: That’s pretty thorough. What was the overall feedback? Was there any difference between the children and the young adults and their parents?

Ms Kind : There was certainly some divergence between children and their parents. For example, we looked at the children’s perspectives on knowing when they’re being subject to geolocation tracking, which is used sometimes by entities but also sometimes by parents to monitor their children. So there was a bit of a divergence in views there. But, broadly speaking, we saw that children and their parents both aligned. They objected to their personal information being shared without consent. Most children and their parents said that they wanted the right to be able to request the deletion of their personal information. Children and their parents were both quite strong on that. Generally speaking, they wanted more control over personal information for children and their parents.

Senator POLLEY: You have consultation up until 5 June, and then the process from there is to draft the code to have it implemented by December. Is that right?

Ms Kind : That’s right—to further amend the code. The code is in draft form now. It should be registered by December. I will say that it’s not evident that all provisions in the code will come into force immediately. We’re likely to agree to some transition provisions to ensure that entities are able to comply with some of the more significant changes that will be in the code.

Senator POLLEY: Excellent. Congratulations on your work.

CHAIR: Senator Shoebridge.

Senator SHOEBRIDGE: Could I ask about what the status is for the backlog in FOI reviews, Commissioner Tydd. I see the data you’ve put in your opening statement. Again, it’s not dissimilar to what’s happening in privacy. You’ve increased your output, but what’s coming in has overwhelmed your efficiency increases, as I’m reading the numbers?

Ms Tydd : Certainly, the gap between the increase in our efficiency and incoming to date has delivered an increase in the backlog of FOI matters.

Senator SHOEBRIDGE: But it’s not just a small increase; it’s a 46 per cent increase in one financial year about information reviews. I don’t mind which of the two commissioners answers this—it might be Commissioner Tydd or Commissioner Linacre—but, for a 46 per cent increase in reviews, can we maybe get an understanding of what’s driving that?

Ms Tydd : I’m happy to commence with that and turn to my colleague for further detail. We continue to receive a significant number of deemed refusals that require an investment in our case management expertise to work with agencies to deliver a decision at first instance.

Senator SHOEBRIDGE: This is agencies just failing to meet the statutory timeframe—

Ms Tydd : That’s correct.

Senator SHOEBRIDGE: and therefore pushing work down the funnel to you? Home Affairs was a prime offender in this space. Are they still a prime offender?

Ms Tydd : The most significant number of deemed decisions that we receive and that are on hand come from the Department of Home Affairs. We’re working significantly with the department to examine all options to help them elevate their ability to manage the applications that are made to Home Affairs to ensure that there is a decision at first instance. Some of the approaches, which my colleague might want to elaborate on, ensure that where there is engagement with the applicant to request an extension of time we are able to turn around those extensions of time within 24 hours to enable the department to incentivise that contact and enable that communication that should be occurring directly between the department and the applicant.

Senator SHOEBRIDGE: It’s not your job to run the FOI departments for Home Affairs or to be an outsource for Home Affairs. They’re meant to be meeting their own statutory timeframes. It must be very frustrating being the ‘Home Affairs FOI help desk’?

Ms Tydd : The experience we have with agencies allows us to elevate our overall engagement across the broader FOI agency cohort and to take those learnings and apply them through both our complaints mechanisms and our reviews. We are working in earnest with Home Affairs to elevate their levels of compliance.

Senator SHOEBRIDGE: Do you have a breakdown of the 2,206 information review applications? How many were deemed refusals, and how many were substantive applications?

Ms Linacre : The broad breakdown is that 80 per cent of the incoming IC review applications are for deemed decisions. We’ve seen Home Affairs have a 34 per cent increase in their deemed decisions coming to us for review over the last financial year. We’ve seen a general increase in deeming of 48 per cent. For the financial year to date we have received applications for review of 1,765 deemed decisions, so that is the majority of our increase. We are—

Senator SHOEBRIDGE: Apart from Home Affairs, are there any other principal offenders in that list?

Ms Linacre : The three most significant offenders sit in Home Affairs, the National Disability Insurance Agency and the Department of Veterans’ Affairs, and Services Australia and the AFP are in that top bundle too. We’ve done a lot of work with Department of Veterans’ Affairs to look at administrative access. The majority of that increase arose from personal information requests, so administrative access schemes are the mechanisms we ask agencies to engage in to allow individuals to receive their own information.

Senator SHOEBRIDGE: Putting deemed refusals to one side, what about the other cohort and the more substantive reviews that are coming? Are you seeing an increase in that, or is that static?

Ms Linacre : There is a broad increase across applications—a 46 per cent increase. I haven’t got the breakdown in front of me of the cohort outside of the deemed, but applications to agencies, primary applications, are steady, if not decreasing slightly, quarter on quarter. So, from the same time last year, there’s a slight decrease at this point. It is the deeming applications that are causing the pressure on our system.

Senator SHOEBRIDGE: Perhaps you could just give as much granular breakdown as you can—

Ms Linacre : Certainly.

Senator SHOEBRIDGE: about that flow of work on notice—numbers by department or agency, if you’ve got them—and also the breakdown into deemed and substantive.

Ms Linacre : Absolutely.

Senator SHOEBRIDGE: Thank you. To move back to privacy, Commissioner Kind, have you had any complaints referred to you about the way in which VIQ Solutions have been dealing with transcript and deeply personal information that they receive through their contracts with the Federal Circuit and Family Court and the Federal Court?

Ms Kind : We have at least one individual complaint on hand related to VIQ Solutions, and we are also making preliminary inquiries, using our proactive investigations powers, into that matter.

Senator SHOEBRIDGE: One of the issues that are very live at the moment is ensuring that whoever’s in charge of the voluntary administration understands that privacy principles survive administration. Has there been that clear communication with the administrators?

Ms Kind : We’ve now initiated contact with the administrator, and we’re making inquiries in that regard.

Senator SHOEBRIDGE: What does ‘making inquiries’ and ‘initiated contact’ actually mean?

Ms Kind : It means we’re in contact with the administrator. We’re making inquiries as to their understanding around compliance with the Privacy Act and their understanding with respect to any acts or omissions that may have contributed to the breach.

Senator SHOEBRIDGE: Are you looking at whether or not VIQ was feeding transcripts, recordings, into an AI model to train its AI model and whether or not consent was obtained by VIQ from any of the litigants, let alone the courts, for that?

Ms Kind : We’re certainly at an early stage of our information gathering. That’s not an issue that I’m aware has been raised with us to date, but at this early stage—

Senator SHOEBRIDGE: Well, VIQ made a public statement in May of 2022 that its AI product, FirstDraft, was deployed ‘in partnership with courts in Australia’. I haven’t heard the courts talk about their partnership to create an AI model with VIQ. I definitely haven’t seen any evidence that any litigants had been giving consent to being part of training VIQ’s FirstDraft AI model. Is that part of your inquiries?

Ms Kind : As I said, it wasn’t something that I’d been previously aware of. As you know, we’ve engaged extensively on AI model training as an issue, and we know it’s an issue that Australians care a lot about. So it’s certainly something that I will take back to the team and will consider in the context of our preliminary inquiries.

Senator SHOEBRIDGE: I’m not minimising the privacy and personal anxiety people have when their creative works are fed into an AI, but the idea that your deeply personal family court proceedings and the transcript of the family court proceedings are being fed into an AI model without your consent is a pretty extraordinary—I would’ve thought, prima facie, that’s a pretty gross breach of privacy laws. And, if it’s not, there’s something broken with our privacy laws.

Ms Kind : Indeed, your perspective on this issue aligns with that of the Australian public. In our forthcoming attitude survey, we asked specifically about AI model training, and we found that most people, over 90 per cent, are not comfortable with their personal information being used in that way. So it is an issue for us, a regulatory priority for us.

Senator SHOEBRIDGE: Would that be something that would trigger regulatory action from you on the presumption that it would be a breach of privacy principles to have your personal family court transcript fed into an AI model without your consent?

Ms Kind : The Privacy Act requires uses of personal information that are outside of the primary purpose for which that information was collected to meet certain thresholds. In some circumstances, that threshold is consent. In other circumstances, that threshold is reasonable expectations. We are looking at AI model training in a number of different matters and how it interplays with those thresholds. It will change context by context, including what exactly the AI model is doing and how the entity is deploying the model. Whether they’re deploying it as a form of product improvement or whether they’re deploying it in some other circumstance will be a factor that would be taken into consideration.

Senator SHOEBRIDGE: Would it also look at where that data is sitting? If it’s sitting in a cloud server outside of Australia to which Australian regulatory reach doesn’t extend or whether it has been deployed in other jurisdictions—would it look at that in terms of reasonable expectations?

Ms Kind : I think there are two issues there. One is whether it’s disclosed to another entity for the purpose of model training. We would look at that. The second issue is whether there has been a cross-border disclosure of personal data. That we’d look at under APP 8, and that is indeed an issue that we’re looking at in this particular matter.

Senator SHOEBRIDGE: Are some of your initial inquiries now looking at the repeated disclosures, which appear now to have a high degree of confidence in them, that VIQ Solutions was sending? Those were transcripts containing huge amounts of private, personal information offshore.

Ms Kind : That is the primary focus of the preliminary inquiries at this stage.

Senator SHOEBRIDGE: And have those preliminary inquiries led you to any preliminary conclusions?

Ms Kind : Not at this stage.

Senator SHOEBRIDGE: Have VIQ Solutions and the voluntary administrator been cooperating?

Ms Kind : I haven’t heard of any noncooperation at this stage.

Senator SHOEBRIDGE: Thank you.

CHAIR: That’s all the questions we have for you this morning.

Ms Kind : Thank you.

CHAIR: We’re now in a position to release the OAIC. Thank you for your time this morning.