The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency in the Attorney-General’s portfolio, established to promote and uphold privacy and information access rights. It does this by ensuring proper handling of personal information, protecting the public’s right of access to documents, and carrying out strategic information management functions within the Australian Government.
Regulatory activities of the OAIC include conducting investigations, handling complaints, reviewing decisions made under the Freedom of Information Act 1982 (FOI Act), monitoring agency administration, and providing advice to the public, organisations and Australian Government agencies.
In its 2022-23 Annual Report, the OAIC provides insight into its work and key activities over the year, and whether it has achieved its aims.
The OAIC’s year at a glance
Privacy complaints
The OAIC received 34% more privacy complaints (3,402) and finalised 17% more privacy complaints (2,576) throughout 2022-23 than in 2021-22.
84% of privacy complaints were finalised within 12 months against a target of 80%, and the average time taken to finalise a privacy complaint was 6.4 months.
The top 5 sectors by privacy complaints received were:
- Finance (incl. superannuation) – 656
- Health service providers – 330
- Telecommunications – 286
- Australian Government – 284
- Retail – 217
Privacy enquiries
The OAIC handled 11,672 privacy enquiries, representing a 7% increase from 2021-22.
8,407 privacy enquiries were received by phone, and 3,265 were written enquiries.
Notifiable Data Breaches scheme
The OAIC received 5% more notifications under the Notifiable Data Breaches scheme in 2022-23 (895) compared to 2021-22 (853).
In 2022–23, notifications made to the OAIC under the NDB scheme primarily involved data breaches arising as a result of a malicious or criminal attack (628) such as phishing or ransomware. This was followed by data breaches as a result of human error (299).
77% of notifications were finalised within 60 days against a target of 80%. The average time taken to finalise a data breach notification was 55 days.
The top 5 sectors by data breach notifications received were:
- Health service providers – 135
- Finance (incl. superannuation) – 120
- Recruitment Agencies – 68
- Insurance – 66
- Legal, accounting and management services – 63
Freedom of Information (FOI) enquiries and complaints
The OAIC handled 1,647 FOI enquiries, representing a 15% decrease from 2021-22.
1,029 FOI enquiries were received by phone and 618 were written.
The OAIC received 2% fewer FOI complaints (212) and finalised 44% fewer FOI complaints (124) compared to 2021-22.
94% of FOI complaints were finalised within 12 months against a target of 80%. The average time taken to finalise an FOI complaint was 4.1 months.
Information Commissioner (IC) reviews
The OAIC received 16% fewer applications for IC review of FOI decisions (1,647) and finalised 10% more IC reviews (1,519) compared to 2021-22.
78% of applications for IC reviews were finalised within 12 months against a target of 80%. The average time taken to finalise an IC review was 9.8 months.
The top 5 agencies involved in IC reviews were:
- Department of Home Affairs – 699
- National Disability Insurance Agency – 89
- Australian Federal Police – 87
- Services Australia – 83
- Department of Veterans’ Affairs – 67
Key activities
Key activities and aims of the OAIC are to influence and uphold privacy and information access rights frameworks, advance online privacy protections for Australians, encourage and support proactive release of government information, and take a contemporary approach to regulation.
In its annual report, the OAIC provides further information about their activities and whether their aims have been achieved. Below is a summary of the OAIC’s activities to influence and uphold privacy and information access rights frameworks.
Influence and uphold privacy and information access rights frameworks
The OAIC promotes access to government-held information through the regulation of the FOI Act and its role in information policy. It regulates the collection and management of personal information by organisations and Australian Government agencies to ensure it is handled responsibly. The OAIC has a wide range of regulatory functions and powers under the Privacy Act 1988 and over 30 pieces of additional legislation. It also regulates the privacy aspects of the Consumer Data Right (CDR).
Intended results and associated measures and targets for 2022-2023 were:
- The OAIC’s activities support the effective regulation of the Consumer Data Right.
- Effectiveness of the OAIC’s contribution to the regulation of the Consumer Data Right as measured by stakeholder feedback (achieved).
- The OAIC’s regulatory outputs are timely.
- Time taken to finalise privacy complaints – 80% of privacy complaints are finalised within 12 months (achieved).
- Time taken to finalise privacy and FOI Commissioner-initiated investigations (CIIs) – 80% of CIIs are finalised within 8 months (not achieved).
- Time taken to finalise Notifiable Data Breaches (NDBs) – 80% of NDBs are finalised within 60 days (not achieved).
- Time taken to finalise My Health Record notifications – 80% of My Health Record notifications are finalised within 60 days (achieved).
- Time taken to finalise Information Commissioner (IC) reviews of FOI decisions made by agencies and ministers – 80% of IC reviews are finalised within 12 months (not achieved).
- Time taken to finalise FOI complaints – 80% of FOI complaints are finalised within 12 months (achieved).
- Time taken to finalise written privacy and information access enquiries from the public – 90% of written enquiries are finalised within 10 working days (not achieved).
Key takeaways
The OAIC played a significant role in protecting privacy and information access during 2022-23. It experienced a large increase in privacy complaints, and notable increases in privacy enquiries and data breach notifications, emphasising the importance of data protection. The OAIC remains dedicated to influencing privacy and data protection frameworks and advancing online privacy protections for Australians.
