Australia’s regulator for privacy and freedom of information missed all but one of its performance goals in the last year, leading to concerns the agency is “severely underfunded” and will be unable to effectively perform its role without a substantial resourcing boost.
The resourcing of the Office of the Australian Information Commissioner (OAIC) has been questioned for several years, with a significantly rising workload and an increasingly prominent role, but with no corresponding increase in funding.
There are particular concerns about a lack of any new funding for the OAIC’s Freedom of Information functions will mean it is unable to address its growing backlog of cases and properly perform its role in overseeing the scheme.
A spokesperson for the OAIC confirmed it will be unable to address lengthy delays if it does not get a funding boost.
Budget documents have revealed that the agency failed to achieve seven of its eight performance goals for the 2019-20 financial year, heightening fears that it is not adequately resourced to conduct its important role.
The office was provided $25 million over three years in last year’s federal budget to respond to privacy complaints and support strengthened enforcement actions in relation to social media platforms breaching privacy regulations.
The only new funding for the OAIC in last week’s budget was just $261,000 to assist with the government’s digital identity scheme, The office did not receive any extra money for its rising workload in the other areas it is tasked with, including FOI.
The total government appropriation for the office is down from last year though, falling from $21.27 million to $20.95 million. The OAIC still has $5.675 million leftover from last year’s appropriation, bringing its overall resourcing to about $4 million more than in 2019-20 to $29.696 million.
Its staffing levels will jump from 95 to 124 in this financial year.
These funding allocations are not sufficient for the OAIC to properly function, Digital Rights Watch’s Lucie Krahulcova said.
“The government is severely underfunding a critical institution. The ACCC’s report on digital platforms released earlier this year outlined that fundamental changes need to be made on the way privacy and data protection are treated in Australia,” Ms Krahulcova said.
“The budget allocation for the OAIC does not suggest that the government will be taking those recommendations seriously. The amount of remote work and study this year has increased our connection to a lot of technologies and really highlighted Australians’ fear about how their privacy is treated – the budget allocation remains deaf to those concerns.”
The OAIC has a number of roles, with its workload being added to each year. It handles privacy complaints, the mandatory data breach notification scheme, FOI complaints and provides public information service. It also conducts Commissioner-initiated investigations of privacy and FOI breaches.
This year it has also been given an important role in overseeing the government’s COVIDSafe contact tracing app and will also have an increasingly prominent role in the Consumer Data Right scheme and with the new Data Availability and Transparency Act.
The office had eight key goals and measurables in the last financial year. It only achieved one of these, successfully finalised 80 per cent of privacy complaints within 12 months.
Of the others, the OAIC partially achieved its goal of finalising 80 per cent of data breach notifications within 60 days and failed to achieve the other six goals.
These included to finalise 80 per cent of Privacy Commissioner-initiated investigations within eight months, for 80 per cent of My Health record data breach notifications to be finalised within 60 days, for 80 per cent of Information Commissioner reviews to be completed within 12 months and for 90 per cent of written enquiries to be finalised within 10 days.
In terms of its FOI role, the OAIC failed to have 80 per cent of FOI complaints finalised within a year, and to get 80 per cent of Commissioner-initiated investigations finalised within eight months.
On the last goal, the OAIC finalised 72 per cent of Information Commissioner-initiated reviews in 2019-20.
The number of FOI complaints and reviews have risen steeply in recent years. In 2019-20 the number of FOI applications to government increased by 6 per cent to 41,333, while in the last five years the number of Commissioner reviews of FOI decisions increased by 186 per cent.
The OAIC has been given the exact same goals it failed to meet in 2019-20 for the current financial year.
With no new funding to oversee the FOI regime, the OAIC has had to implement efficiencies to help deal with the growing backlog. But this will not be enough, and the office will not be able to meet its goals in terms of FOI unless it receives more funding, a spokesperson said.
“The OAIC continues to look for and implement opportunities to further improve productivity in this area to address the increasing volume of incoming work, within the resources available to us,” the OAIC spokesperson told InnovationAus.
“However, efficiencies cannot keep pace with the continuing rise in incoming work. In the absence of supplementary FOI funding, the ability of the OAIC to consistently provide timely outcomes for applicants will continue to be impacted.”
Electronic Frontiers Australia board member Justin Warren said the OAIC is continually underfunded and questioned whether the government wanted it to effectively complete its goals.
“The budget allocation isn’t sufficient. Not even close. The OAIC has been chronically underfunded for years. It failed to achieve seven out of eight of its performance criteria in 2019-20. And the performance criteria aren’t especially ambitious to begin with,” Mr Warren told InnovationAus.
“The government keeps adding to the OAIC’s responsibilities but then doesn’t fund it to do its job. That looks a lot like deliberate sabotage. A government that cared about Australians’ privacy would fund the OAIC properly.”
Deakin University senior lecturer Dr Monique Mann also questioned the OAIC’s performance targets and their focus on retrospective action, rather than acting to prevent privacy breaches.
“The bigger question is about the role of the OAIC. We’ve seen other regulatory bodies really stepping up to take on the role of the privacy regulator, like the ACCC’s digital platforms inquiry. It’s all very retroactive,” Dr Mann told InnovationAus.
“They’re responding to privacy complaints and data breach notifications – they’re not taking an active role in terms of advocating for or really trying to shape the policy in terms of the regulatory framework for privacy protections.
The OAIC should be tasked with doing more to curb problematic actions by tech companies and the government, and would need substantially more funding to do this, Dr Mann said.
“Where is the ambition in terms of the digital environment? The bureaucratic measures of performance are interesting in terms of what agencies do and how they’re measured against that. If these are the performance criteria, we need to ask what the question is, and what the OAIC should be doing,” she said.