Legal development

The OAIC releases its corporate plan for 2024-25


    What you need to know

    • The Office of the Australian Information Commissioner (OAIC) has released its Corporate Plan for 2024-25, which sets out the OAIC's future priorities, including its regulatory expectations and enforcement priorities.
    • The OAIC notes it will have a greater focus on directing regulatory effort towards areas where there is a high risk of harm to the community.
    • The OAIC's key activities will include:
      • Influencing and upholding privacy and information access rights frameworks
      • Advancing online privacy protections for Australians
      • Encouraging and supporting proactive release of government information
      • Taking a contemporary, harms-based approach to regulation of privacy and Freedom of Information (FOI) laws

    In 2024-25, the major areas of focus for the OAIC will be:

    • Ensuring emerging technologies (such as AI and facial recognition technology) align with community expectations and regulatory requirements. This involves targeting current and emerging harms effectively and proportionately while continuing to proactively guide compliance in a dynamic digital environment.
    • Supporting the development of a privacy-protecting digital economy through regulating compliance and supporting entities under the Notifiable Data Breaches (NDB) scheme, Digital ID system and co-regulation of the Consumer Data Right (CDR). The OAIC notes it will:
      • publish guidance material and respond to enquiries on Digital ID privacy safeguards;
      • exercise its compliance and enforcement role by making determinations, conducting assessments and investigating any alleged failures to comply with the data breach notification requirements (including in relation to the My Health Record system);
      • ensure the data protection and privacy framework remains robust and consumers continue to be protected by effective accountability mechanisms as the CDR expands beyond the banking and energy sectors into other sectors (e.g. the non-bank lending sector).
    • Leading the promotion of open government and cultivating the FOI capabilities of Australian Government agencies and ministers to secure timely access to and proactive release of government-held information. The OAIC seeks to:
      • prioritise the delivery of timely Information Commissioner reviews and finalise matters received in 2020 and 2021;
      • expedite applications for review of access grants, matters involving ministers as the respondent, deemed access refusals, imposition of a charge, practical refusal decisions, adequacy of searches and secrecy provisions.
    • Strengthening and enforcing protections for personal information and contributing to privacy law reform. The OAIC will:
      • As part of its work to raise credit reporting issues with government, participate in the statutory reviews of Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act) and the National Consumer Credit Protection Act 2009 (Cth), which are both due to be completed before 1 October 2024;
      • Progress the Australian Government’s response to the review of the Privacy Act;
      • Engage with the Australian Government to uplift cyber security in Australia, including the proposed new cyber security legislation and changes to the Security of Critical Infrastructure Act 2018;
      • Support and contribute to the Australian Government’s interim response to the safe and responsible AI in Australia consultation;
      • Finalise its review of the National Health (Privacy) Rules 2021 to ensure they remain fit for purpose to regulate how Australian Government agencies use, store, disclose and link Medicare Benefits Schedule and Pharmaceutical Benefits Schedule claims information. The OAIC will lodge new rules to commence on 1 April 2025;
      • Continue implementing proposals from the 2021 independent review of the Privacy (Credit Reporting) Code 2014, including considering and publicly consulting on an application from the industry code developer to vary the Code.
    • Building internal capability and culture to advance the OAIC’s reputation as an innovative, harms-focused regulator delivering demonstrably efficient and effective regulatory action. For example, the OAIC's guiding principles will now include:
      • being proactive (i.e. adopting a risk-based, education and enforcement-focused posture);
      • being proportionate (i.e. prioritising regulatory effort based on risk of harm to the community).

    Regulatory focus and updates

    Security and the Notifiable Data Breaches scheme

    The OAIC is investigating the personal information handling practices of several organisations in relation to data breaches.

    These enforcement actions are examples of how the OAIC will prioritise regulatory action where there is a high risk of harm to the community. The OAIC notes that this "sends a strong message to the regulated community that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities."

    Facial recognition technology and AI

    The OAIC is also investigating the information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies' use of facial recognition technology.

    The OAIC notes that it will focus on regulating the online environment and emerging technologies that have a large impact on privacy, including facial recognition technology and AI.

    Other areas of regulatory focus

    The OAIC notes that it will also focus on:

    • taking regulatory action to address the harms arising from the practices of online platforms and services that impact individuals’ choice and control, either through opaque information sharing practices or in the terms and conditions of service;
    • ensuring compliance with the law and taking enforcement action where there are 'egregious' privacy breaches (for example, the OAIC commenced civil penalty proceedings against Meta Platforms Inc and Meta Platforms Ireland Ltd in relation to Cambridge Analytica).

    Authors: Hong-Viet Nguyen, Partner; Justin Ho, Senior Associate and Mansi Gupta, Associate.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.