As part of the 2023/24 Budget, the Federal Government has allocated $45.2 million over four years (and $8.4 million per year ongoing) to strengthen privacy protection and enforcement.
On 9 May 2023, the Treasurer delivered the 2023/24 Budget, which outlines the Federal Government’s further investment in the privacy activities and initiatives of the Office of the Australian Information Commissioner (OAIC) and the Attorney-General’s Department.
OAIC areas of focus and funding breakdown in 2023/24
The Budget set out the major areas of focus for the OAIC in 2023/24, which include:
- regulating compliance and supporting entities to take a proactive approach to their obligations under the Australian Privacy Principles and the Notifiable Data Breaches scheme, and co-regulating the Consumer Data Right; and
- strengthening and enforcing protections for personal information and contributing to privacy law reform.
More specifically, $17.8 million of the $45.2 million will be provided to the OAIC in 2023/24 to support privacy activities, such as the reinstatement of a dedicated Privacy Commissioner (as a distinct commissioner from the Information Commissioner and the Freedom of Information Commissioner), which was announced by the Attorney-General on 3 May 2023.
The funding will also be dedicated to progressing investigations and enforcement action in response to privacy and data breaches, and enhancing the OAIC’s data and analytics capability.
The additional $17.8 million in funding, combined with the $10.7 million that was previously allocated for the 2023/24 year (under the March and October 2022/23 Budgets), represents an increase in privacy investment. For 2022/23, only $11.7 million was set aside, $3 million of which is dedicated solely to investigating and responding to the Optus data breach.
Approximately $900,000 has also been allocated over two years to the Attorney-General’s Department for the purposes of progressing the Government’s response to the recent review of the Privacy Act 1988 (Cth) and supporting a separate independent statutory review of Part IIIA of the Act, which regulates consumer credit reporting.
Performance measures and indicators
The OAIC’s four key performance measures will remain the same for 2023/24. They are to:
- influence and uphold privacy and information access rights frameworks;
- advance online privacy protections for Australians;
- encourage and support proactive release of government information; and
- take a contemporary approach to regulation.
The performance indicators against which the OAIC will be measured will also largely remain the same.
In relation to influencing and upholding privacy and information access rights frameworks, the OAIC will be measured against certain benchmark targets, including:
- finalising 80% of privacy complaints within 12 months;
- finalising 80% of notifiable data breaches within 60 days;
- finalising 80% of Commissioner-initiated investigations within 8 months; and
- finalising written enquiries within ten working days.
The OAIC’s effectiveness in advancing online privacy protections for Australians will also be measured based on stakeholder feedback, while its ability to take a contemporary approach to regulation will in part be measured based on the extent to which, based on stakeholder assessment, its regulatory activities are risk-based and data-driven and demonstrate collaboration and engagement.
The increase in funding for the OAIC and the extra funding for the Attorney-General’s Department under the longer-term funding plan outlined by the 2023/24 Budget demonstrate the Federal Government’s increased focus on ensuring that Australia is positioned to deal with the growing threats and increasing volume and complexity of privacy issues in a more holistic way.
It is hoped that the proposed separation of functions in the OAIC and the additional funding will lead to greater efficiencies in the way investigations and complaints are dealt with.
The increased funding will also assist in efforts to reform the Privacy Act, which will aim, in part, to bolster privacy protections in Australia so they are fit for purpose in the current digital age.