OAIC - Information Matters

Commissioner's message

Welcome to our first Information Matters for 2022, in what we expect to be another significant year for privacy and information access rights.

The Office of the Australian Information Commissioner (OAIC) has just published our latest submission to the Attorney-General’s Department’s review of the Privacy Act 1988. It responds to the proposals developed by the department through its consultation process, which provide a sound basis for advancing privacy reform in Australia. Our response outlines recommendations grounded in our regulatory experience of how these reforms can work in practice.

At the core of our approach is a set of recommendations aimed at reducing the burden on individuals to navigate increasingly complex personal information handling practices by introducing a positive duty for regulated entities to handle data fairly and reasonably.

We see this positive obligation as a new keystone for Australia’s privacy framework which can protect and empower consumers to engage in the digital environment. Backed by the right regulatory tools, it will also help business and government build trust with the community so they can continue to use personal information to innovate and grow the digital economy.

In practice, this means organisations entrusted with personal information must protect this data upfront and consider how their activities will impact individuals, and whether there are less privacy intrusive options. Just as we have a positive duty to ensure a safe system of work and reduce health and safety risks, a positive duty to ensure personal information handling is fair and reasonable can prevent privacy harms.

Today, 28 January, is also Data Privacy Day, an international effort to encourage organisations and the community to respect and value privacy. The OAIC has a wealth of resources for businesses, government agencies and the community to explore to help you protect personal information, including during the COVID-19 pandemic.

Over the coming year, the OAIC will continue to drive forward our strategic priorities: to advance online privacy protections, influence and uphold privacy and information access rights frameworks, encourage and support proactive release of government information, and operate as a contemporary regulator. Our new Regulator Statement of Intent outlines how we will deliver these functions for the benefit of the Australian community.

Our collaboration and joint regulatory actions with international regulators will remain central to ensure Australians' data is protected wherever it flows. We will be active in forums such as the Global Privacy Assembly, Asia Pacific Privacy Authorities Forum and International Conference of Information Commissioners.

Collaboration with domestic regulators will also be critical as we co-regulate the Consumer Data Right with the ACCC, and prepare for an Online Privacy Code following the government's release of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).

On access to government-held information, the OAIC will continue to support government agencies to reduce freedom of information (FOI) applications through proactive publication and through our resources to support good decision making. We are also focusing on increasing the timeliness of FOI processing by agencies.

We recently updated Part 3 of the FOI Guidelines to provide further guidance on requests for an extension of time under s 15AA and 15AB of the FOI Act. At the end of last year, we also released 8 new guides for businesses operating in the Consumer Data Right (CDR) system who need to comply with the CDR privacy safeguards and version 3 of the CDR Rules.

And look out for our upcoming Notifiable Data Breaches report in February, when the scheme will mark 4 years in operation. As cyber risks continue to increase, it's critical that entities double down on efforts to protect the personal information of Australians with which they are entrusted.

If you haven’t already, take a moment this Data Privacy Day to check your own privacy settings and any device and software updates you need to get 2022 off on the right foot.

My best wishes for a productive, safe and secure year ahead.

Angelene Falk
Australian Information Commissioner and Privacy Commissioner

 

Australian Federal Police privacy determination

Following the recent privacy breach determination against Clearview AI, Inc., Commissioner Falk has also found the Australian Federal Police (AFP) failed to comply with its privacy obligations in using the facial recognition tool.

This included failing to complete a privacy impact assessment before using the tool, and not taking reasonable steps to implement practices, procedures and systems in relation to its use of Clearview AI.

‘I recognise that facial recognition and other high privacy impact technologies may provide public benefit where they are accompanied by appropriate safeguards. But there were a number of red flags about this third party offering that should have prompted a careful privacy assessment.

‘By uploading information about persons of interest and victims, the [AFP] were handling personal information in a way that could have serious consequences for individuals whose information was collected.’

Commissioner Falk directed the AFP to provide updated privacy training for relevant personnel and engage an independent assessor to review and report to the OAIC on residual deficiencies in its practices, procedures, systems and training in relation to privacy assessments, and make any necessary changes recommended in the report.

Read our media release
 

Data Privacy Day

Data Privacy Day is an international event that highlights the importance of safeguarding personal information and empowering individuals and businesses to respect privacy and build trust.

Businesses covered by the Privacy Act can access a wide range of OAIC resources to help build better privacy practices, including guides for start-ups, privacy impact assessments and data breaches.

We also have tips for individuals outlining steps you can take to value and protect personal information for you and your family, including advice for parents and carers and how to protect your data online.

Find more resources
 

Privacy Act review

The Australian Government’s review of the Privacy Act aims to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. Releasing our latest submission to the review, we highlighted 5 key goals of our recommendations:  

  • protecting consumers from individual and collective privacy risks and harms
  • empowering consumers to take control of their personal information through new rights and enhanced transparency requirements
  • enhancing the framework of organisational accountability and personal information handling to ensure regulated entities are confident to innovate and use data within the boundaries of the law, informed by community expectations
  • establishing a regulatory framework that supports proactive and targeted regulation, strategic enforcement, efficient and more direct avenues of redress for individuals, and appropriate deterrents against mishandling of personal information
  • supporting global interoperability and minimising friction to ensure consistency of protection across the economy and to protect personal information wherever it flows.

Submissions on the Australian Government’s discussion paper on its review of the Privacy Act closed on 10 January 2022.

This consultation on the Privacy Act occurred alongside consultation on the exposure draft of the Online Privacy Bill, which closed on 6 December 2021. The Online Privacy Bill will introduce a binding Online Privacy Code for social media and certain other online platforms. It will also increase penalties and enhance enforcement measures.

Read more about the Privacy Act review
 

Save the date: Privacy Awareness Week 2022

Privacy Awareness Week (PAW) is an annual event that promotes and raises awareness of privacy issues and helps organisations, government agencies and the public protect personal information.

This year PAW will be marked around Australia from Monday 2 May to Sunday 8 May.

Organisations can sign up now as a PAW 2022 supporter and be the first to learn about this year’s theme, digital resources and events.

Sign up as a PAW 2022 supporter
 

Have your say on the Credit Reporting Code

Submissions to our consultation on the operation of the Privacy (Credit Reporting) Code 2014 close on Friday 4 February 2022.

We are seeking stakeholder feedback on whether the code is achieving its purpose and is easy to read, understand and apply in practice. We have also published a consultation paper as part of our independent review, which considers a range of issues relating to the code.

Make a submission
 

Regulator statement of intent

As part of the OAIC’s work to deliver on the Australian Government’s new Regulator Performance Guide, we have published a Statement of Intent which outlines how we will deliver our regulatory functions to meet government and community expectations.

Commissioner Falk’s statement responds to the Attorney-General’s Statement of Expectations of the OAIC and the principles of best practice which underpin the new regulator performance framework.

‘The OAIC will exercise our functions and powers in good faith and to the best of our abilities. We will prioritise our regulatory functions and ensure we adopt a contemporary and proportionate approach to our regulatory role in promoting and upholding privacy and freedom of information laws.

‘The OAIC will use our resources strategically to provide the greatest benefit for the community and drive more efficient processes to ensure we perform our regulatory functions effectively and efficiently. We will strive to develop and sustain a capable, multidisciplinary workforce with a breadth of technical skills to provide guidance and advice, and to take appropriate regulatory action.’

Read the statement
 

Consumer Data Right guides

The OAIC has published new guidance explaining the key privacy obligations for participants arising from version 3 of the CDR Rules. The guides cover privacy obligations for:

The amendments relating to CDR insights, trusted advisers and the sponsorship, outsourcing and representative models commence on the earlier of Tuesday 1 February 2022 or the standards being made.

We welcome feedback on these guides to [email protected]. Feedback will be considered in upcoming changes to the CDR Privacy Safeguard Guidelines.

Browse the guides

Phase 3 data sharing obligations will also commence for non-major banks on Tuesday 1 February.

Individuals and sole traders who are customers of these banks will be able to use the Consumer Data Right for data relating to overdrafts, business finance, investment loans, lines of credit, asset finance, cash management accounts, farm management accounts, pensioner deeming and retirement savings accounts, trust accounts, foreign currency accounts and consumer leases. 

 

COVID-19 guidance and advice

Our guidance can help businesses regulated by the Privacy Act understand their obligations when handling information about customer and visitor COVID-19 vaccination status.

Our advice encourages businesses to consider whether they are required to collect vaccination information – which is considered sensitive health information and attracts higher privacy protections – and store it in a record, or whether they can sight the evidence instead.

Businesses should collect, use and disclose only the minimum information needed to achieve the purpose, and take steps to secure the information and destroy it when it’s no longer required.

Learn how to comply with these privacy obligations on our website, where we’ve also published guidance for employers and employees on collecting proof of COVID vaccination status.

See our COVID-19 resources
 

Safer Internet Day

The OAIC is pleased to support Safer Internet Day on Tuesday 8 February 2022.

Safer Internet Day encourages people across the world to make the internet a safer, more positive place and is coordinated in Australia by the eSafety Commissioner.

Through simple actions like being safe, respectful and kind, we can all #PlayItFairOnline.

Find out more about Safer Internet Day. Read our tips for protecting your personal information online.

 

FOI statistics reminder

A reminder that FOI statistical returns for October to December 2021 were due by 21 January 2022. If your agency has not done so, please submit your return at foistats.oaic.gov.au.

Statistical returns are required under the Freedom of Information (Prescribed Authorities, Principal Offices and Annual Report) Regulations 2017.

The data is collated to provide a picture of how FOI requests are administered across the Australian Government, and published in the OAIC’s annual reports and on data.gov.au.

Information contact officers can email questions about their returns to [email protected].

Read our FOIstats Guide for agencies
 

Work with us

Working with the OAIC will put you at the forefront of data protection and access to information regulation. As an independent statutory agency, the OAIC’s work is of national significance and plays an important role in shaping Australia’s digital economy and access to information.

See our current vacancies
 

Information Commissioner decisions

Information Commissioner review decisions are published in full on AustLII. Recent decisions include:

  • ‘ZR’ and Australian Criminal Intelligence Commission (Freedom of Information) [2022] AICmr 1
  • Nicolaus Lange and Department of Foreign Affairs and Trade (Freedom of information) [2022] AICmr 2.
 

Latest news and submissions

Stay up to date with the latest OAIC news and resources through our Twitter, Facebook and LinkedIn pages.

You can catch up with our submissions on a range of legislative and other issues through our website.

We also publish information released by the OAIC under the Freedom of Information Act 1982 on our disclosure log.

Read our submissions
 
