RIP OAIC: New Office for the Privacy Commissioner

June 30, 2014 / Corporate & Commercial

As a result of the cost-cutting measures in the Australian Government’s Budget, the Office of the Australian Information Commissioner [OAIC] will be disbanded by 1 January 2015.

The OAIC is an amalgam of 3 Commissioners:

• The Australian Information Commissioner, John McMillan
• The Freedom of Information Commissioner, James Popple
• The Privacy Commissioner, Timothy Pilgrim.

In a statement released by the OAIC, it appears that:

• The Freedom of Information Act 1982 will be administered jointly by the Attorney-General’s Department (advice, guidelines, annual reporting), the Administrative Appeals Tribunal (merits review) and the Commonwealth Ombudsman (complaints)
• The Privacy Act 2003 will continue to be administered by the Privacy Commissioner with supporting staff from an office based in Sydney.

The information policy advice function of the OAIC will cease, and presumably it will cease to publish information in relation information and privacy areas.  The Privacy Commissioner will no doubt still seek to enforce the provisions of the Privacy Act but the level of activity may depend on the resourcing of the office available to the Commissioner.

Some businesses have been slow to take heed of the warnings of the Privacy Commissioner and the need to comply with the new Australian Privacy Principles [APPs] and credit reporting requirements in operation since 14 March 2014, but the Act and the APPs are still very much in force.

Some of the statistics released by the OAIC in announcing its impending disbandment include that it has:

• Closed 5,003 privacy complaints
• Dealt with 34,739 phone enquiries and 5,845 written enquires about privacy
• Conducted 91 own motion investigations and 10 audits
• Received 193 data breach notifications,

as well as publishing numerous guidelines and information statements.

If the same level of complaints in relation to privacy and credit reporting matters continue to be received by the new office of the Privacy Commissioner, it can be anticipated that he will continue his announced policy of working with entities to ensure they understand the requirements and have systems to meet them, but will not “shy away” from using his extended powers and penalties (up to $220,000 for individuals and $1.1 million for companies).

Entities required to comply with the APPs (including any provider of health services) and the credit reporting rules (including any business allowing more than 7 days for payments) must ensure that they are compliant and have the necessary policies and systems.

For more information, please contact:

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.