
Welcome to the final edition of Information Matters for 2023.

In this edition, we share a message from Australian Information Commissioner and Privacy Commissioner Angelene Falk, and acting Freedom of Information Commissioner Toni Pirani; along with an update on our recently launched, dedicated DP-REG forum website.

We provide details on the Federal Court proceedings against Australian Clinical Labs Limited, an outline of our planned privacy assessments for the 2023-24 and 2024-25 financial years, and detail on the 3-commissioner model that will recommence in 2024.  

Read about our consultation work on remaking the section 95, 95A and 95AA guidelines, sign up as an early subscriber for Privacy Awareness Week 2024, and read more about our theme for the campaign.

Learn about our public consultation on the proposed approach to remaking the Privacy (Persons Reported as Missing) Rule 2014.

Find out more about FOI extension of time applications during the holiday period and additional guidance on administrative access for government agencies. Read about our proposed updates to Part 5 and Part 6 of the FOI Guidelines, and the progress of our Information Publication Scheme Review.

We provide additional information on the status of multiple representative complaints received following major data breaches, and share detail on our recently updated Consumer Data Right (CDR) Privacy Safeguard Guidelines.

Read the highlights from the 60th Asia Pacific Privacy Authorities (APPA) forum that we hosted at the end of November, plus more from events we participated in during November and December.

Please note that the OAIC will be closed from Saturday 23 December and will reopen on Tuesday 2 January. During this period, you can visit our website for guidance and resources.

We wish you a happy and safe end to 2023.

 

Message from the Information Commissioner and Privacy Commissioner Angelene Falk and acting Freedom of Information Commissioner Toni Pirani

Commissioner Angelene Falk and Commissioner Toni Pirani

We finish 2023 looking positively to the future after another year promoting and protecting information access and privacy rights.

This year we helped more than 12,300 people with enquiries and resolved more than 2,800 complaints. We commenced 25 Commissioner-initiated investigations into privacy matters, finalised more than 1,200 Information Commissioner reviews, and released privacy and information access community attitudes surveys. Our work contributed to shaping the privacy and information access landscapes – through the provision of 20 submissions and 49 bill scrutiny comments, including about reform of the Australian Privacy Act.

As we conclude 2023 and turn to the future in 2024, we are looking forward to the reinstatement of the three-commissioner model at the OAIC. This will include an Information Commissioner (as agency head), a Privacy Commissioner and a Freedom of Information (FOI) Commissioner.

Recently the Attorney-General the Hon Mark Dreyfus KC MP announced the appointments of Ms Elizabeth Tydd as FOI Commissioner and Ms Carly Kind as Privacy Commissioner, who will take up their appointments in February 2024.

The three-commissioner model will strengthen our ability to carry out our important statutory functions, and we welcome Ms Tydd and Ms Kind who will bring considerable expertise to promote and uphold privacy and information access rights.

In the freedom of information area in 2023, we have sought to influence quality FOI decision making by providing guidance to government agencies and working with them to improve the system.

We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure.

A significant project was the undertaking of the third review of the Information Publication Scheme (IPS) survey, which we carry out every five years. We have been encouraged by the agency response to what is a very valuable exercise in identifying improvements in the scheme and finding ways to promote the proactive publication of Australian government information.

The FOI branch continues to work through the older Information Commissioner (IC) reviews and FOI complaints with a focus on 2019 and 2020 matters. We would strongly encourage agencies involved in these matters to carefully consider them in light of the time that has elapsed since the requests were made.

We also note the report of the Senate Legal and Constitutional Affairs References Committee’s inquiry into the operation of Commonwealth FOI laws and will review it carefully.

While the OAIC has raised the issue of resourcing of FOI functions on numerous occasions, as the independent regulator, we continue to seek ways of working that can bring more efficiency and transparency to the FOI system.

As we head into the summer season, we also note that the community increasingly expects regulators to take a more enforcement-focused approach.

On the privacy front, this has been an expectation that we have sought to actively address with a number of high-profile investigations well progressed into data breaches involving Optus, Medibank, Latitude Financial, among others.

In November, we commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs following an investigation of its privacy practices that arose from a data breach.

The formation and strengthening of our Major Investigations branch has been a notable step for the OAIC. That team has already progressed more than 50 evidentiary hearings and examined thousands of documents.

These investigations are large and complex, reflecting the complexity of systems and the personal information handling landscape.

Our Australian Community Attitudes to Privacy survey 2023, released in the second half of the year, underscored this, reporting that of the people surveyed, 47% reported being affected by a data breach in the 12 months prior, and 76% reported experiencing harm as a result.

Unsurprisingly, Australians surveyed reported data breaches as their number one privacy concern.

The continuing progress of reforms to the Australian Privacy Act promises to be a significant step in strengthening the regulatory enforcement powers available to the OAIC and will be a focus in the year ahead.

As the year draws to a close, our focus for the new year is firmly set on protecting the personal information of our community by encouraging business and government to act responsibly and in line with their obligations. Equally, we look forward to a year where transparency and proactive information sharing of government information builds trust with the community.

We look forward to working together with you to achieve these goals in 2024.

Angelene Falk
Australian Information Commissioner and Privacy Commissioner

Toni Pirani
Acting Freedom of Information Commissioner

 

DP-REG website goes live

DP-REG, a forum made up of the Australian Competition and Consumer Commission (ACCC), the Australian Communications and Media Authority (ACMA), the eSafety Commissioner (eSafety) and the OAIC, has published working papers on algorithms and the large language models (LLMs) used in generative artificial intelligence (AI) to mark the launch of its new website.

The papers support DP-REG’s 2023–24 strategic priorities, which include a focus on understanding the impact of algorithms and evaluating the benefits, risks and harms of generative AI.

Updates on DP-REG will be published on the DP-REG website and through DP-REG member regulators’ media pages and social media channels.

Visit the site
 

OAIC Federal Court proceedings against Australian Clinical Labs Limited

The Australian Information Commissioner has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices. The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the OAIC on 10 July 2022. Our investigation commenced in December 2022.

The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.

Read more information on the matter via the link below.
Read the media release
 

Privacy assessments forward plan for 2023-24 and 2024-25

The OAIC has published an outline of our planned privacy assessments for the 2023-24 and 2024-25 financial years, as well as those underway.

We use privacy assessments (or audits) as a regulatory tool to facilitate legal and best practice compliance. They are also an important tool for achieving our vision of increasing public trust and confidence in the protection of personal information and access to government-held information.

Privacy assessments identify, and make recommendations to address, privacy risks and areas of non-compliance. Planned assessments will examine agencies and organisations, including entities across government, the digital economy and the health sector.

Please visit the dedicated privacy assessments forward plan page on our website for further information.
 

Appointment of new OAIC commissioners

At the end of November the Attorney-General the Hon Mark Dreyfus KC MP announced the appointment of Ms Elizabeth Tydd as FOI Commissioner and Ms Carly Kind as Privacy Commissioner.

Incoming FOI Commissioner Tydd will commence in her role on 19 February 2024 and Privacy Commissioner Kind on 26 February 2024.

“This is a significant and welcome step for the Office of the Australian Information Commissioner and the Australian community as we move to a three-commissioner model at a time when access to information and the protection of privacy has never been more important,” Commissioner Falk said.
Read the media release
 

Public consultation: Remaking the section 95, 95A and 95AA guidelines

In certain circumstances, the Australian Privacy Act permits the handling and disclosure of health information, including genetic information, for health and medical research purposes without individuals’ consent.
 
We are currently reviewing the legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC), that researchers, Australian Government agencies and health service providers must follow when handling health information for medical research and other purposes specified in the guidelines without individuals’ consent.
 
Find out more about the review on our website.
 

Privacy Awareness Week 2024: 6-12 May

Privacy Awareness Week (PAW) 2024 will take place from Monday 6 May to Sunday 12 May, and will shine a light on privacy and technology and the ways we can improve transparency, accountability and security.

The key privacy event in the OAIC’s annual calendar, PAW is held every year to promote and raise awareness of privacy issues and the importance of protecting personal information. It provides an opportunity for organisations to highlight the importance of best practice in privacy both internally, in staff training and awareness, and externally, in public-facing communications about your organisation’s privacy policies and values.

We had a record number of organisations sign up as supporters for PAW 2023. Make sure your organisation or agency is on the list for PAW 2024! You can sign up here. Supporter organisations have access to our supporter toolkit, and can be listed on the PAW 2024 website. You’ll also get updates about the week – including the unveiling of our campaign, and news on PAW events.
 

Remaking of the Privacy (Persons Reported as Missing) Rule 2014

We are seeking submissions from interested individuals, government agencies and organisations on the remaking of the Privacy (Persons Reported as Missing) Rule 2014 (Rule), which is due to sunset on 1 April 2024. The Rule is a legislative instrument made by the Information Commissioner under subsection 16A(2) of the Privacy Act 1988. It sets out the circumstances in which:
  • an APP entity may use or disclose personal information about a person reported as missing; and
  • a ‘locating body’ may collect sensitive information about a person reported as missing.
The consultation draft outlines how the Information Commissioner is proposing to remake the Rule. We invite submissions on the proposed approach to remaking the Rule to ensure it remains fit-for-purpose.

Find out more about the consultation, including how you can have your say, on our website. The closing date for submissions is 5 pm AEDT Friday 15 December 2023.
Find out more
 

FOI extension of time applications during the holiday period

Many Australian government agencies close down over late December and early January, which means there may be limited opportunity to process FOI requests. This can impact on an agency’s ability to make decisions on FOI requests within statutory timeframes. If this applies to you – start planning early to ensure you are able to comply with statutory timeframes.
Further guidance on timeframes
 

Administrative access for government agencies

It is open to government agencies to consider administrative access as an option to release information outside of the Freedom of Information Act 1982 (FOI Act). Our guidance on administrative access contains detailed information around when it may be utilised, including Privacy Act 1988 (Privacy Act) considerations.
 

Consultation on parts 5 and 6 of the FOI Guidelines

We recently published submissions from stakeholders relating to proposed updates to Part 5 (exemptions) and Part 6 (conditional exemptions) of the FOI Guidelines. The proposed updates relate to content, practical implications, readability and accessibility. We are now considering the feedback from these submissions and will publish new versions when the final content is settled.

We have also updated and published a combined version of the FOI Guidelines as at November 2023.
Read more
 

Information Publication Scheme (IPS) review

Section 9 of the FOI Act requires Australian government agencies, in conjunction with the Australian Information Commissioner, to complete a review of their IPS every 5 years.

The OAIC and ORIMA Research recently completed the field work component of the 2023 Review of the Information Publication Scheme (IPS) Survey, in conjunction with Australian Government agencies subject to the FOI Act.

The survey results will assist in identifying improvements and will further promote the proactive publication of Australian government information. We will publish a report on the findings into the IPS review later this year.
Read the revised guidelines
 

Representative complaints

The OAIC is providing additional information on our website to provide clarity about the status of multiple representative complaints which we have received following major data breaches.

As at the date of publication, the Australian Information Commissioner (AIC) has accepted two representative complaints; one against Medibank Private Limited in respect of its October 2022 data breach, the other against Singtel Optus Pty Ltd in respect of its September 2022 data breach.

The AIC is presently a respondent party in Federal Court proceedings in relation to both the Medibank representative complaint and the Optus representative complaint – but for different reasons.

Medibank has commenced proceedings to restrain the AIC from investigating the representative complaint and from making a determination and enforcing the determination in respect of the representative complaint on the basis that a determination made by the AIC and/or enforcement of a determination by the AIC poses a real risk of interference with the administration of justice having regard to the Medibank class action (McClure and Anor v Medibank Private Limited (VID64/2023)).

The AIC received two representative complaints against Optus. The AIC accepted the representative complaint that was lodged first in time by Johnson Winter Slattery as being validly made. Having regard to ss 36-39 of the Privacy Act 1988 (Cth), the AIC declined to accept the representative complaint that was lodged second in time by Maurice Blackburn Lawyers as being validly made. Maurice Blackburn’s client has sought judicial review of the AIC’s decision.

More information on representative complaints and a chronology of events can be found on our website.
Visit the OAIC website
 

Publication of the CDR Privacy Safeguard Guidelines

We’ve updated our Consumer Data Right (CDR) Privacy Safeguard Guidelines to reflect the latest version of the CDR Rules.

The guidelines outline the privacy safeguard requirements for accredited persons and data holders when participating in the CDR.

Key updates include:
  • the introduction of business consumer disclosure consents
  • changes to requirements for outsourced service providers and CDR representative arrangements.
Read the updated guidelines
 

60th Asia Pacific Privacy Authorities forum

The OAIC hosted privacy and data protection authorities from across the Asia Pacific region in Sydney for the 60th Asia Pacific Privacy Authorities (APPA) forum on 30 November and 1 December.

APPA members discussed common privacy issues, regulatory experiences and enforcement challenges. It was also a chance for members to build relationships with the goal of enhancing regulatory cooperation in the Asia Pacific region.

Following on from APPA, the Centre for Information Policy Leadership hosted an event titled ‘Cracking the AI code: Insights, privacy and industry outlook’. Commissioner Falk made opening and closing remarks.
Read the summary
 

Recent speaking engagements

The OAIC participated in several events across November and December.

Commissioner Falk was a keynote speaker at the IAPP ANZ Summit on 28 November. In a fireside conversation with an IAPP board member, the Commissioner discussed the OAIC’s achievements in 2023 and what’s ahead in 2024, including privacy law reform and a stronger enforcement focus.

The OAIC participated in the Privacy Authorities Australia meeting hosted by the Office of the Information Commissioner Queensland on 8 November.

On 3 November, Commissioner Falk participated in the Association of Information Access Commissioners (AIAC) meeting hosted by the Office of the Information Commissioner Western Australia (OIC WA). Read the meeting summary.

Commissioner Falk attended the FOI in WA Conference organised by the OIC WA. The Commissioner spoke on a panel about being an open government in the digital age alongside NSW Information Commissioner Elizabeth Tydd, New Zealand Chief Ombudsman Peter Boshier and Commonwealth Ombudsman Iain Anderson.
 

Information Commissioner decisions

Information Commissioner review decisions are published on AustLII. Recent decisions include:

Visit AustLII now
 

Work at the OAIC

Working at the OAIC will put you at the forefront of data protection and access to information regulation. As an independent statutory agency, the OAIC’s work is of national significance and plays an important role in shaping Australia’s information handling landscape across the economy – from government, digital platforms and the online environment, to health, finance and telecommunications.

We are an agency within the Attorney-General’s Department portfolio with responsibility for:

  • privacy functions under the Privacy Act 1988 and other legislation
  • freedom of information, in particular review of decisions made by agencies and ministers under the Freedom of Information Act 1982.
See current vacancies
 

Latest news and submissions

Stay up to date with the latest OAIC news and resources through our X, Instagram, Facebook and LinkedIn pages.

You can catch up with our submissions on a range of legislative and other issues through our website.

We also publish information released by the OAIC under the Freedom of Information Act 1982 on our disclosure log.

 

OAIC
oaic.gov.au