Senior management and organisation
- Angelene Falk: Australian information commissioner and privacy commissioner;
- Elizabeth Hampton: deputy commissioner;
- Andrew Solomon: assistant commissioner, dispute resolution; and
- Melanie Drayton: assistant commissioner, regulation and strategy.
Biographies of the senior management team members can be found at www.oaic.gov.au/about-us/who-we-are/
When was the head of the authority appointed?
How long is their term of office?
What is the process for nominating the head of the authority?
Australia’s governor-general appoints the information commissioner.
What was the authority’s budget for the most recently available financial year?
The budget for the year 2019/2020 is estimated at A$27.1 million.
How many data protection/privacy-focused staff does the authority employ?
This number is estimated to be 124, which includes non-privacy staff.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach?
The information commissioner has a notifiable data breach form, accessible at https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB.
Legal and enforcement framework
What are the commission’s investigative powers?
The commissioner can start investigations of their own volition, or after receiving complaints. The commissioner can conciliate complaints if they believe it is reasonably possible that the complaints can be conciliated; make determinations that are enforceable in court; agree on enforceable undertakings with respondents; or take no action.
The commissioner can order the disclosure of documents or information, and require individuals to answer questions that are relevant to the investigation. The commissioner can examine individuals under oath. Failing to attend the commissioner’s conferences is punishable by fines of up to A$1,000 or six months’ imprisonment, or fines of up to A$5,000 for corporates. Failing to make affirmations or be sworn in, or submitting false or misleading information, is punishable by fines of up to A$2,000 or 12 months’ imprisonment. Failing to provide information, answer questions, or produce documents or records is punishable by fines of up to A$2,000 or 12 months’ imprisonment, or A$10,000 for corporates, unless there is a reasonable excuse.
The commissioner can authorise members of staff who are assisting them to enter premises at a reasonable time of day and inspect documents kept there. For public bodies, the commissioner’s staff can enter without consent, but consent is needed from the occupiers or persons in charge of private organisations’ premises. The commissioner’s staff cannot enter private organisations’ premises if the occupier or person in charge asks to see their ID cards and the staff fail to produce them.
The commissioner can seek search warrants from magistrates to enter private premises without consent if reasonably necessary for the commissioner’s investigation. Search warrants can allow the commissioner’s staff to enter the premises by force if necessary. Warrants can be valid for up to a month after the day on which they are issued.
The commissioner’s determinations are not binding or conclusive. Alongside a statement of facts, they can include the following declarations:
- the conduct or practices must not continue or be repeated;
- respondents must take specified steps within a specified time frame to ensure conduct does not continue or is not repeated;
- respondents must perform reasonable acts or engage in courses of conduct to redress loss or damage;
- complainants can be compensated; or
- a declaration would be inappropriate.
Damages can include compensation for humiliation or harmed feelings. If the determination follows a representative complaint, it must describe or identify members of the class.
Both complainants and the commissioner can seek orders to enforce determinations from Australia’s Federal Court or Federal Circuit Court. The courts can make orders as they think fit, including granting interim injunctions while proceedings continue. The courts must conduct de novo hearings on whether respondents have engaged in conduct that interfered with privacy.
Can the authority search premises or force the disclosure of information without having to approach the courts?
No. The commissioner requires search warrants in order to gain access to private organisations’ premises without consent. However, the commissioner does not need warrants to gain access to government bodies’ premises.
What fines can be imposed on companies that breach data protection rules?
The commissioner cannot impose punitive fines as part of determinations, but can declare that compensation is necessary, and such determinations are potentially enforceable by court order. There are penalties for respondents’ conduct during investigations, for example if they submit false or misleading information.
Priorities and the future
Is the office working on further data protection/privacy guidelines or guidance, or on amending any of your current guidance?
The office has published binding guidance relating to the following:
- Privacy (Tax File Number) Rule 2015, which regulates the collection, storage, use, disclosure, security and disposal of individuals’ tax-file-number information.
- Privacy (Credit Related Research) Rule 2014, which regulates the use or disclosure of de-identified information by credit reporting bodies.
- Section 95 of the Privacy Act 1988 (2014), which contains requirements for privacy protection in the conduct of medical research.
- Section 95A of the Privacy Act 1988 (2014), which contains a framework for human research ethics committees to assess handling of health information without the consent of data subjects.
- Section 95AA of the Privacy Act 1988 (2014), which governs the use and disclosure of genetic information to relatives. Australia's National Health and Medical Research Council issued the guidelines with the approval of the privacy commissioner.
The office has published advisory guidelines relating to:
- the Australian Privacy Principles;
- data matching in Australian government administration;
- developing codes of conduct; and
- recognising external dispute resolution schemes.
The office has also published multiple guides, including on de-identification, data analytics, data breach preparation and response, undertaking privacy impact assessments and handling privacy complaints.