Privacy Oversight Agencies© Xamax Consultancy Pty Ltd, 1995-2024 |
||||||
HOME | eBusiness |
Information Infrastructure |
Dataveillance & Privacy |
Identity Matters | Other Topics | |
What's New |
Waltzing Matilda | Advanced Site-Search |
This document contains information about the various agencies throughout Australia that have some form of regulatory responsibility in relation to privacy:
If you're reading this with some optimism about Privacy Commissioners in Australia, brace yourself for disappointment.
If you're looking for oversight agencies in other countries, try these sources:
If you're aware of a relevant agency that isn't listed here, or of a material error in the content, please tell me!
The appointment of Privacy Commissioner was established in 1989. Appointments are very much an inside job, although on at least one occasion the position has been advertised. However, a small selection committee of senior public servants recommends the successful applicant to the relevant Minister, who accepts it. There has never been any form of public involvement or consultation. The Privacy Commissioners have been:
Since 2004, the Privacy Commissioner's role has been anything but a privacy watchdog. The Office functions as a protection device for government and business. Since 2004, its existence has resulted in significant disbenefits to the public.
The first Commissioner was a Sydney resident, and the office has always been located there. From 1989 until 2010, the office was referred to variously as the Office of the Privacy Commissioner (OPC – which risked confusion with the other Offices with similar names in other jurisdictions), the Office of the Federal Privacy Commissioner (OFPC), or – particularly after the Howard Government changed the style of federal government agencies in about 2000 – the Office of the Australian Privacy Commissioner (OAPC). Some aspects of privacy also came within the ambit of the Australian Human Rights Commission (HRC) – with which the Privacy Commissioner had varying relationships 1989-2010.
In November 2010, the OAPC was disestablished, and absorbed into the new Office of the Australian Information Commissioner (OAIC). This encompassed information policy generally, including new FOI supervisory functions and the existing privacy functions. The Privacy Commissioner retained a few powers, but most were ceded to the more senior Information Commissioner. The Privacy Commissioner role operated as a first-level report to the Information Commissioner, with privacy subjugated to information policy more generally. The Privacy Commissioner's resources were also pillaged (although doubtless the term 'rationalised' would be preferred in bureaucratic hallways), as a result of the new Information Commissioner and the new FOI Commissioner being given fewer resources than they'd been promised, and the Privacy Commissioner being the junior player.
The first Information Commissioner was the immediate past Ombudsman during 2003-10, John McMillan (2010-2015). The first FOI Commissioner was James Popple (2010-2014). (Because of the very low quality of the web-managers that the public service outsources to, the URLs were all broken, again).
From the time that the Office established a web-site in the mid-1990s, it used the domain privacy.gov.au. By early 2011, the new arrangements presumably forced the shifting of the content of the web-site to a sub-site within http://www.oaic.gov.au. Assurance was provided by OAIC on 15 November 2010 that "current deep links to the www.privacy.gov.au site would be maintained through a redirect function to the relevant documents after it was migrated to the new site". That turned out not to be a 'core promise', and many links were broken when the privacy.gov.au site was eventually closed down in 2013.
During 2014, the Coalition government attempted to disestablish the OAIC. It was led in this matter by a hyper-egocentric Attorney-General, George Brandeis (certainly no relation to the famous one). It failed to get the numbers in the Senate, but unlawfully de-funded two of the three positions and forced the departures of McMillan and Popple. For a full decade 2014-24, the Privacy Commissioner role continued to be unlawfully unfunded. The FoI Commissioner role was also left vacant for almost all of that period. Further detail on the period is below.
During that decade, the Information Commissioner was forced to oversee all three functions, with junior executives managing a smaller staff-count. The policy of minimising negative impacts on business and government was continued. Large numbers of amendments to the Privacy Act and other statutes greatly increased the loopholes, the authorisations for privacy-invasive practices and the length and complexity of expressions and cross-references in the primary Act, and reduced the level of privacy protections so low that instances of privacy-protective behaviour by the OAIC have been very difficult to find.
Pilgrim, the only one of the Commissioners to survive, was promoted to Information Commissioner, 2015-18. Then his deputy, Angelene Falk, was appointed, 2018-24. Both performed well for the government of the day, the AGD which exercised budgetary control over them, the public service as a whole, and the private sector.
The Coalition lost government in May 2022. The Labor government took 18 months, but eventually restored the budget for the Privacy Commissioner role. The position was filled in early 2024 by Carly Kind, recently returned from relevant roles in Europe. A replacement for the all-powerful Information Commissioner role, Eizabeth Tydd, commenced at the same time, nominally as FOI Commissioner, but moving upstairs within a few months. The Information Commissioner role will very likely be ruled with an iron fist for the foreseeable future, and the impact of the Privacy Commissioner accordingly muted.
During 2014, Attorney-General Brandis tried to disestablish OAIC. Faced with a hostile Senate, he was unable to the get the Bill passed, so he withdrew
funding for the Information and FoI functions – probably illegally. From mid-2015, Pilgrim and then Falk were required to act as all of Information, FoI and Privacy Commissioners. Pilgrim began on successive 3-monthly appointments, each made around the time the previous one ended. This was as strong a guarantee of 'loyalty' as a Minister could impose on an appointee to a position established by statute. Attorneys-General had long since lost the qualms that their predecessors had felt about the inappopriateness of the person who is nominally the first law officer of the land, openly flouting it. After the 2016 double-dissolution election failed to provide the Coalition with control of the Senate, Brandis gave up on his plans to disestablish the OAIC. In late 2016, Pilgrim was appointed as both Information and Privacy Commissioners, with the role also carrying the responsibilities for FoI. The number of senior executives at the end of 2016 was half what it had been 3 years earlier, with only marginal decreases in responsibilities, and considerable increases in the interim. Both the AG's and the PC'er's announcements were silent about the term(s) of the appointments – constituting yet another breach by Brandis, at least of norms, and quite possibly of law. Pilgrim gave notice of retirement, presumably some time in 2017, although it only became publicy-known in February 2018, and he left in March 2018. The AG of the day nonetheless took until 16 August to change the previous, longstanding Deputy from an Acting role to a substantive appointment. The dependency of the Commissioner on the Department and Minister was again made clear, in that the appointment was limited to 3 years, far less than the norm of 5 or 7 years for a pseudo-independent post. This parlous situation remained in place throughout the somewhat tumultuous years of the Coalition government, and for the first 18 months of the Labor government that replaced it.
Here are relevant laws. After the State led the world in the late 1970s, the intransigence of the
NSW public service, combined with the deep pit that is NSW politics, has ensured that the State's privacy protection regime has been a complete basket case for decades. A small privacy role exists within the Information
and Privacy Commission (NSW IPC), in recent years it has mostly
had no specialist staff, and the Privacy Commissioner has been an appointee
from within the public service's own ranks, working part-time, as
a minor player to an Information Commissioner. Details are provided at the end of this section. The Privacy Commission's scope extends to the health care sector, although
a separate Health Care Complaints Commission (HCCC) also exists. HCCC has earned even less credibility than the IPC. Here are relevant laws. History The NSW Privacy Committee operated as an oversight agency 1975-1998 as Committee, and was replaced from 1999 with a Commission. From 1999 to 2017, however, the Commissioner was part-time post, and for a third of the 18 years the position was filled only on an acting basis (2003-07 and 2009-2011). The history of the Office is a thorough mess, indicative of the power of the public service to protect itself against nuisances.
The powers of the original Committee were (quite properly, for the time) limited to research and complaint-investigation and conciliation, although some Executive Members, particularly the first, Bill Orme, made effective use of the media, including 'naming and shaming' privacy-invaders.
The Committee had been intended as a short-term agency, to lay foundations and gather experience; but it remained in its original form for 24 years. The first Executive Member of the Committee was Bill Orme (1975-82), followed by Jim Nolan (1982-87?), ..., Maureen Tangney (1990?-93?), ..., and Catherine Riordan (1996?-1998). In 1998, a (very weak) data protection law, commonly called PPIPA, was passed. Among other things, it disestablished the Privacy Committee. The part-time Chair at the time became the part-time Privacy Commissioner, and the full-time Executive Member became the full-time Deputy Privacy Commissioner. The Commission has very limited powers, and has been very poorly resourced throughout its life, but particularly since 2004. During 2010, the Office of the Information Commissioner was established, with oversight responsibilities in relation to FOI and open government.
Deirdre O'Donnell (2010-2013) first held the position. With effect from 1 Jan 2011, the Information and Privacy Commission (NSW IPC) was formed. Privacy NSW was disestablished, its functions were absorbed within NSW IPC, and the Information Commissioner functions swamped the privacy role.
Kathrina Lo (2013) was Acting Information Commissioner from July to December.
Elizabeth Tydd (2014-2024), a career bureaucrat, was appointed with effect from (curiously) 23 December 2013. Tydd totally dominated the privacy function. She then transferred to the role of federal FOI Commissioner, and, one fears, to a future role as federal Information Commissioner, where she would without any doubt protect government and business, and further mutilate the remnants of privacy protections in Australia.
Rachel McCallum (2014-) was appointed to the role in March 2024.
The Privacy Commissioner position has been filled since 1999 as follows: The full-time Deputy Privacy Commissioner post was held by: From 1999 until at least 2013 and probably even early 2017, the Office
of the Victorian Privacy Commissioner (OVPC, or Privacy Victoria) was
the most credible Office in the country. During 2012-14, lacking a protector
in Parliament, the Office was progressively strangled by the public service.
On 17 September 2014, a decisive step towards its disestablishment was
undertaken. There was a longstanding Commissioner
for Law Enforcement Data Security (CLEDS), which had been established
in order to paste over Governments' severe embarrassments arising from
continual and substantial
abuses of police databases. (There has seldom been a time in recent decades
when the smell of corruption hasn't been very strong within Victoria
Police). OVPC and CLEDS were merged into a role re-named as the Commissioner
for Privacy and Data Protection, with more work to do
and fewer resources to do them with. In August 2016, the Commissioner found it necessary to conduct an investigation
into apparent, serious breaches of privacy by the office of the State Premier.
Open warfare broke out.
A January
2017
media report
is
here.
The Premier abused his parliamentary power by introducing a Bill to remove
the Commissioner. In May 2017, with connivance of the minority Greens (a
party that has otherwise generally been at least somewhat privacy-aware and
often privacy-active, but in this case acted as deplorably as any other party),
the office of the Commissioner for Privacy and Data Protection
was simply disestablished through passage of the Freedom
of Information Amendment (Office of the Victorian Information Commissioner)
Act 2017. The provisions are complex (by design), but they basically use
the creation of a new Office to neutralise both FOI and Privacy and Data Protection. The new vehicle that was introduced during 2017 was the Information Commission
model. This has been used in Australia specifically to emasculate and muzzle
privacy
oversight
agencies,
both at
federal
level and at State level in all three major States. The model involves appointing
career public servants to job-titles that include the word 'commissioner',
and
giving them very limited powers, very limited resources, very little incentive
to protect privacy, and every incentive to avoid upsetting senior public servants
and politicians. In Victoria, in the space of 3 years, three Commissioner roles were merged
into a single generic post, with deputies. Such protections as existed for
the appointee
(which have proven to be meaningless anyway) have been stripped. The incumbent
is not a Parliamentary appointee, but is instead subject to conditions very
similar to those of any other public servant. Critically, (1) the Commissioner
has all
powers and the other two are commissioners in name only, entirely dependent
on the Commissioner for any powers that they may be permitted to exercise;
and (2) the employment conditions of all three are not in the Act, but are
at the whim
of the Government of the day. There's every expectation that the conditions
are such that they can be sacked by the
Government at short notice. The notion of independence has been destroyed in
a few short years, and incumbents are beholden to the public service and the
relevant Ministers. In contrast to NSW, Privacy Victoria had been regarded reasonably seriously
by agencies, and had good standing with privacy advocates for much of its life
1999-2017. The resources provided – although small in comparison with
European norms – had been significantly greater than those in NSW, and
the effectiveness of the Office had been proportionately much higher throughout
its life. The government in due course reduced it to the level of the other
ineffectual offices at national level and in NSW and Queensland. In mid-2017, there ceased to be even a single one of
the nine Australian jurisdictions with a privacy oversight agency that
has a
shred of credibility. (Caveat: A proportion of individual Privacy Commissioners
have gained and retained personal credibility. But, when you're swimming
in treacle, the positive impact you can have is very limited). The Privacy Commissioners have been: The appointment of an Information Commissioner was
announced
on 29 August 2017: Privacy in the health care sector is partly within the jurisdiction of the Office
of the Health Services Commissioner. In common with its equivalent
in NSW, that Office is held in very low regard. It has successfully avoided
doing anything of consequence in the privacy area, despite multiple proddings.
Among many other failings, it has successfully avoided ever advertising
information about the conduct of PIAs to organisations in the sector. Its
function
is quite
simply
to
protect the government agencies within its
zone of operations. From 2005 until 2014, some aspects of privacy in the law enforcement arena
were under the purview of the Commissioner
for Law Enforcement Data Security. This was created because of the continual
leaks of sensitive personal data that occur from law enforcement databases.
Once the level of political embarrassment arising from the leaks had subsided
to a sufficiently low level, the Office was disestablished in 2014 and its
functions merged into the weakened Office
of Privacy
and Data Protection, with the remnant functions in 2017 drifting into the completely
emasculated office of the Information Commissioner, including a privacy and
'data protection
deputy
commissioner'. Some aspects of privacy may also come within the ambit of the Victorian
Equal Opportunity and Human Rights Commission. Here are relevant laws. A Privacy Commissioner, exists, but as a meek public servant low down in the
hierarchy of the Office of the
Queensland Information Commissioner (OQIC). The Office's primary
functions are Information Policy and FOI (which is referred to in Qld as Right
To Information – RTI). Until mid-2010, there was no oversight agency in Queensland, and subsequently
the post of Privacy Commissioner was problematic, even chaotic. The Privacy Commissioner has had almost no staff (3 of 25 in 2014, 4 of 33 in late 2016). The level of interest by successive governments, particularly the LNP, is amply demonstrated by the long delays in creating the role, in making an initial appointment, and in appointing a successor to the first Commissioner.
During the role's first 5-1/2 years of its nominal existence, it was formally
filled only 20% of the time, and appointees have generally been career public servants given cross-appointments from other roles. Unlike the senior Information Commissioner and the job-sharing RTI Commissioners, all of whom have 7 year terms, Privacy Commissioners have had a 3-year appointment.
A better formula for ensuring loyalty to the public service is difficult to
contrive. Despite this, a couple of privacy-positive initiatiives and public
statements have been evident, and one project was conducted in secret and came
to light only as a result of an FoI request: The history of the post of Information Commissioner is also, to speak kindly, chequered: Privacy in the health care sector is partly within the jurisdiction of the Health
Quality and Complaints Commission. Here are relevant laws. There is no privacy oversight agency. After years of promises, an Information
Privacy Bill was finally introduced into the Parliament in March 2007.
It would have created a (very) part-time Privacy and Information Commissioner,
but the function was to be very limited, and instead of being
assigned to the Information Commissioner,
it was to be assigned to the the
Ombudsman (aka the Parliamentary Commissioner for Administrative Investigations),
where it would have paled into insignificance. But the 2007 Bill
did not progress in any case, and there has been no sign of life since then. Privacy in the health care sector is partly within the jurisdiction of the
Office of Health Review. Here are relevant laws. There is no privacy oversight agency. There is a Privacy
Committee of South Australia, run out of the State Records Office,
but it is unclear whether it has ever actually done anything that could be reasonably
regarded as being privacy-protective. An unenforceable set of Principles exists,
but the primary function of the Committee is to exempt agencies from complying
with it. Privacy in the health care sector is partly within the jurisdiction of the
Health and Community Services Complaints Commissioner. Here are relevant laws There is no privacy oversight agency. The Tasmanian
Ombudsman is empowered to receive and investigate complaints,
but the scope of the powers is extremely limited. Despite the Office having had the responsibility since September 2005, i.e.
for well over a decade, and despite queries being raised with the incumbent,
the term
'privacy'
is
almost
completely
absent from the web-site and the Annual Reports. It's even possible that
the Ombudsman may have successfully avoided ever having to handle
a privacy
complaint.
It's hard to see the situation as anything other than a substantial abuse of
parliamentary authority
and public
trust; but it's consistent with the arrogance of public servants nationwide,
not just in Tasmania. Privacy in the health care sector is partly within the jurisdiction of the
Health Complaints Commissioner. Here are relevant laws. The A.C.T. adopted the Privacy Act (Cth) 1994-2014. However, it appears that the entire ACT Government
offers absolutely no information about privacy protections, even
under human
rights (other than, of course, the ritual 'privacy statements' on each
agency's site). And it appears that very little has ever happened. For example, Personal
Information Digests were nominally published by the ACT Dept of Justice,
but when checked in August 2010, the site failed to provide access to them. The Privacy Commissioner provides an information page Privacy in the health care sector is partly within the jurisdiction of the
Community &
Health Services Complaints Commissioner (since apparently either folded inside the
Human Rights Commission, or folded completely). Some aspects of privacy may also come within the ambit of the A.C.T.
Human Rights Commission (HRC). Some aspects of privacy may also come within the ambit of the
A.C.T. Public Advocate (since defunct?). Here are relevant laws. As appropriate for a small Territory, a single person fulfils a range of functions,
in this case including those of the Northern
Territory Information Commissioner, which covers FoI,
Privacy,
and Public Interest Disclosures. Judging by the web-site, not a lot happens there. The Information Commissioners have been: Privacy in the health care sector is partly within the jurisdiction of the
Health and Community Services
Complaints Commission. Here are relevant laws.
The Non-Existent Privacy Commissioner 2014-24
N.S.W.
The Office was submerged within the Information and Privacy Commission, with the Information Commissioner dominating the power and resources. Coombs sought sufficient independence and resources to fulfil her function, and was forced to become increasingly public about the appalling behaviour of the Department and the Information Commissioner. The impact of her role on public service behaviour during 2011-16 was, unsurprisingly, muted. As Coomb's appointment came to an end, the job was advertised in late October 2016. It took until June 2017 for an appointment to be made, with Coombs (an applicant) continuing on an Acting basis.
The appointment was full-time, but the budget was reportedly unchanged, meaning that one of very few junior staff-posts had to be sacrificed in order to convert the Commissioner's role to full-time. The role was in any case completely dominated by the Information Commissioner, whose role is to protect agencies.
The appointee clearly did the job she was hired to do. Gavel was almost entirely invisible throughout her 6 years, and not only to the public and to privacy advocacy organisations. She made very few public appearances or utterances, and issued very few media releases, none of any consequence. She left the sinecure in August 2023. It appears Sonia Minutillo acted in the invisible role for 6 months, then briefly covered the vacant Information Commissioner position.
Victoria
Queensland
Lemm was the previous Deputy Commissioner, and was Acting for the maximum time that the law permits
Clare was the (substantive) Right To Information (RTI) Commissioner (half-time), and again an appointment was made only when the Act was about to be breached.
Western Australia
South Australia
Tasmania
A.C.T.
In 2014, it passed its own Information Privacy Act.
This adopted (the relevant parts of) the Commonwealth's approach and of the Clth APPs.
The A.C.T. government has an MOU with the Australian Privacy Commissioner.
The
Act is administered by the ACT Justice
and Community Safety Directorate.
N.T.
Personalia |
Photographs Presentations Videos |
Access Statistics |
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer |
Xamax Consultancy Pty Ltd ACN: 002 360 456 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916 |
Created: 17 December 1998 - Last Amended: 12 June 2024 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/POA.html
Mail to Webmaster - © Xamax Consultancy Pty Ltd, 1995-2022 - Privacy Policy