In our data-driven economy there is increasing recognition of the value of personal information. The past year’s focus on digital platforms in Australia and overseas has brought home the scale of the issues we confront in safeguarding personal data. The importance of access to information in underpinning democracy and open and accountable government has also come to the fore this year in political and media discourse around the world.
Our role in promoting and upholding privacy and access to information rights sits at the centre of these debates on how to meet community expectations and ensure organisational accountability.
These are regulatory issues with global reach, and we are working with our international counterparts as part of a worldwide movement to hold organisations to account and enforce greater transparency. Getting privacy right is not only fundamental to creating greater community trust in the exchange of personal information, it also ensures government-held information is used for public benefit, informs evidence-based policy making and supports innovation.
In addressing these challenges nationally, we worked closely with the Australian Competition and Consumer Commission (ACCC) to consider whether existing privacy legislation is fit for purpose in the digital economy. Through my role on the Executive Committee of the International Conference of Data Protection and Privacy Commissioners, we worked globally towards interoperable regulatory frameworks and to support cooperative regulatory action between jurisdictions. We are actively engaged with the Asia Pacific Privacy Authorities forum and Global Privacy Enforcement Network. We are also working with the Attorney-General’s Department to implement the Asia-Pacific Economic Cooperation’s cross-border privacy rules system in Australia. The global interoperability of privacy law supports a strong domestic economy and provides robust protections for the privacy rights of all Australians.
In March 2019, the Australian Government announced plans for online protections for personal information and increased penalties for its misuse. Additional funding has been provided to the OAIC to assist us in regulating privacy, particularly in the online environment, which will be a significant focus for us over the next three years. These changes would build upon the significant regulatory reforms implemented in 2018. The Notifiable Data Breaches (NDB) scheme was established in February last year to strengthen consumer protection and elevate the security posture of organisations and agencies who handle personal information. Over 2018–19 we received 1,160 data breach notifications, including 950 under the mandatory NDB scheme. During this reporting period, we have worked with notifying organisations to ensure that data breaches were contained and rectified, that affected individuals were informed so they could act swiftly, and that measures were put in place to prevent a reoccurrence.
In May 2019, we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which provides a clear evidence base for regulated entities to prevent data breaches. Most breaches exploited a human factor, such as an employee being tricked into providing credentials that allow cyber intrusion into information and systems. We continued to highlight the need for employees to be supported through training, processes and technology to mitigate this known risk.
Significant areas of work for the OAIC in 2018–19 include our ongoing focus on the Australian Government Agencies Privacy Code and preparing for the Consumer Data Right in our regulatory role with the ACCC and the Data Standards Body. We also regulate the privacy aspects of the My Health Record system, which transitioned to an opt-out system at the start of 2019.
These developments, along with several high-profile data breaches brought to light by the NDB scheme and the European Union’s General Data Protection Regulation, have contributed to increased awareness about obligations to protect personal information. They also added to the substance and complexity of many matters brought to us to investigate.
We continued to take an evidence-based and proportionate approach to exercising the range of regulatory tools available to us. In 2018–19 we assessed privacy practices in the finance, telecommunications and government sectors, as well as the digital health sector. We engaged regularly with businesses and Australian Government agencies on good privacy practice and provided advice on a wide range of matters such as credit reporting, government-related identifiers, digital identity systems, de-identification and data-matching. We also made detailed submissions on issues relating to national security, artificial intelligence, cooperative intelligent transport systems and telecommunications.
The privacy issues raised direct us to consider closely whether community expectations, and the current scope and settings of our Privacy Act, are aligned. These issues will also be considered as part of Government’s response to the Digital Platforms Inquiry report.
International cooperation to strengthen public access to information is also critical. Through our engagement this year with the International Conference of Information Commissioners, we continued to promote the importance of global action on open government. We also continued our work as part of the Open Government Partnership Australia to develop the third National Action Plan to improve transparency in the public sector.
This year I was appointed as a founding member of the National Data Advisory Council, looking at ways to streamline the sharing and release of government data while ensuring the protection of privacy and confidentiality. This is one of many areas where personal data handling and information management considerations converge.
We remain committed to promoting the management and use of government-held information as a national resource for public purposes. As part of this work, in June 2019 we released a survey of government agencies’ compliance with the Information Publication Scheme (IPS). The results confirmed a continued commitment across government to the IPS’s requirements and principles. However, a decline was observed in key areas of compliance compared to our first survey in 2012.
These findings are assisting both the OAIC and government agencies to identify improvements to support the proactive publication of government information.
Day to day, our skilled and dedicated staff continued to assist the community and regulated entities in providing information and resolving a growing number of privacy and FOI complaints and requests for Information Commissioner reviews.
We received 3,306 privacy complaints in 2018–19, an increase of around 12% on the previous financial year. We assisted 2,920 complainants in resolving these issues, nearly 6% more than in 2017–18. Complaints were resolved in an average time of 4.4 months. We also handled 17,445 privacy enquiries.
The number of FOI enquiries rose by almost half in 2018–19 to 2,881 and applications for Information Commissioner (IC) reviews of FOI requests grew by almost 16% to 925. We finalised 8% more IC reviews than in the previous year. IC review decisions continue to provide important guidance to agencies.
We also launched our new website for public feedback in June 2019. Its new architecture improves navigation and search functionality and features a wide range of updated information and advice, particularly for individuals.
Across our core functions, we continued to seek ways to improve our efficiency and effectiveness so we can meet the community’s needs. Through our strategic priorities, we are working on behalf of the Australian community to achieve our long-term vision of increasing public trust and confidence in the protection of personal information and access to government-held information.
Australian Information Commissioner
20 August 2019