Privacy Oversight Agencies

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

This document contains information about the various agencies throughout Australia that have some form of regulatory responsibility in relation to privacy:

If you're reading this with some optimism about Privacy Commissioners in Australia, brace yourself for disappointment.

If you're looking for oversight agencies in other countries, try these sources:

If you're aware of a relevant agency that isn't listed here, or of a material error in the content, please tell me!


Commonwealth of Australia

The appointment of Privacy Commissioner was established in 1989. Appointments are very much an inside job, although on at least one occasion the position has been advertised. However, a small selection committee of senior public servants recommends the successful applicant to the relevant Minister, who accepts it. There has never been any form of public involvement or consultation. The Privacy Commissioners have been:

Since 2004, the Privacy Commissioner's role has been anything but a privacy watchdog. The Office functions as a protection device for government and business. Since 2004, its existence has resulted in significant disbenefits to the public.

The first Commissioner was a Sydney resident, and the office has always been located there. From 1989 until 2010, the office was referred to variously as the Office of the Privacy Commissioner (OPC – which risked confusion with the other Offices with similar names in other jurisdictions), the Office of the Federal Privacy Commissioner (OFPC), or – particularly after the Howard Government changed the style of federal government agencies in about 2000 – the Office of the Australian Privacy Commissioner (OAPC). Some aspects of privacy also came within the ambit of the Australian Human Rights Commission (HRC) – with which the Privacy Commissioner had varying relationships 1989-2010.

In November 2010, the OAPC was disestablished, and absorbed into the new Office of the Australian Information Commissioner (OAIC). This encompassed information policy generally, including new FOI supervisory functions and the existing privacy functions. The Privacy Commissioner retained a few powers, but most were ceded to the more senior Information Commissioner. The Privacy Commissioner role operated as a first-level report to the Information Commissioner, with privacy subjugated to information policy more generally. The Privacy Commissioner's resources were also pillaged (although doubtless the term 'rationalised' would be preferred in bureaucratic hallways), as a result of the new Information Commissioner and the new FOI Commissioner being given fewer resources than they'd been promised, and the Privacy Commissioner being the junior player.

The first Information Commissioner was the immediate past Ombudsman during 2003-10, John McMillan (2010-2015). The first FOI Commissioner was James Popple (2010-2014). (Because of the very low quality of the web-managers that the public service outsources to, the URLs were all broken, again).

From the time that the Office established a web-site in the mid-1990s, it used the domain privacy.gov.au. By early 2011, the new arrangements presumably forced the shifting of the content of the web-site to a sub-site within http://www.oaic.gov.au. Assurance was provided by OAIC on 15 November 2010 that "current deep links to the www.privacy.gov.au site would be maintained through a redirect function to the relevant documents after it was migrated to the new site". That turned out not to be a 'core promise', and many links were broken when the privacy.gov.au site was eventually closed down in 2013.

During 2014, the Coalition government attempted to disestablish the OAIC. It was led in this matter by a hyper-egocentric Attorney-General, George Brandeis (certainly no relation to the famous one). It failed to get the numbers in the Senate, but unlawfully de-funded two of the three positions and forced the departures of McMillan and Popple. For a full decade 2014-24, the Privacy Commissioner role continued to be unlawfully unfunded. The FoI Commissioner role was also left vacant for almost all of that period. Further detail on the period is below.

During that decade, the Information Commissioner was forced to oversee all three functions, with junior executives managing a smaller staff-count. The policy of minimising negative impacts on business and government was continued. Large numbers of amendments to the Privacy Act and other statutes greatly increased the loopholes, the authorisations for privacy-invasive practices and the length and complexity of expressions and cross-references in the primary Act, and reduced the level of privacy protections so low that instances of privacy-protective behaviour by the OAIC have been very difficult to find.

Pilgrim, the only one of the Commissioners to survive, was promoted to Information Commissioner, 2015-18. Then his deputy, Angelene Falk, was appointed, 2018-24. Both performed well for the government of the day, the AGD which exercised budgetary control over them, the public service as a whole, and the private sector.

The Coalition lost government in May 2022. The Labor government took 18 months, but eventually restored the budget for the Privacy Commissioner role. The position was filled in early 2024 by Carly Kind, recently returned from relevant roles in Europe. A replacement for the all-powerful Information Commissioner role, Eizabeth Tydd, commenced at the same time, nominally as FOI Commissioner, but moving upstairs within a few months. The Information Commissioner role will very likely be ruled with an iron fist for the foreseeable future, and the impact of the Privacy Commissioner accordingly muted.

The Non-Existent Privacy Commissioner 2014-24

During 2014, Attorney-General Brandis tried to disestablish OAIC. Faced with a hostile Senate, he was unable to the get the Bill passed, so he withdrew funding for the Information and FoI functions – probably illegally.

From mid-2015, Pilgrim and then Falk were required to act as all of Information, FoI and Privacy Commissioners. Pilgrim began on successive 3-monthly appointments, each made around the time the previous one ended. This was as strong a guarantee of 'loyalty' as a Minister could impose on an appointee to a position established by statute. Attorneys-General had long since lost the qualms that their predecessors had felt about the inappopriateness of the person who is nominally the first law officer of the land, openly flouting it.

After the 2016 double-dissolution election failed to provide the Coalition with control of the Senate, Brandis gave up on his plans to disestablish the OAIC. In late 2016, Pilgrim was appointed as both Information and Privacy Commissioners, with the role also carrying the responsibilities for FoI. The number of senior executives at the end of 2016 was half what it had been 3 years earlier, with only marginal decreases in responsibilities, and considerable increases in the interim. Both the AG's and the PC'er's announcements were silent about the term(s) of the appointments – constituting yet another breach by Brandis, at least of norms, and quite possibly of law.

Pilgrim gave notice of retirement, presumably some time in 2017, although it only became publicy-known in February 2018, and he left in March 2018. The AG of the day nonetheless took until 16 August to change the previous, longstanding Deputy from an Acting role to a substantive appointment. The dependency of the Commissioner on the Department and Minister was again made clear, in that the appointment was limited to 3 years, far less than the norm of 5 or 7 years for a pseudo-independent post.

This parlous situation remained in place throughout the somewhat tumultuous years of the Coalition government, and for the first 18 months of the Labor government that replaced it.

Here are relevant laws.


N.S.W.

After the State led the world in the late 1970s, the intransigence of the NSW public service, combined with the deep pit that is NSW politics, has ensured that the State's privacy protection regime has been a complete basket case for decades. A small privacy role exists within the Information and Privacy Commission (NSW IPC), in recent years it has mostly had no specialist staff, and the Privacy Commissioner has been an appointee from within the public service's own ranks, working part-time, as a minor player to an Information Commissioner. Details are provided at the end of this section.

The Privacy Commission's scope extends to the health care sector, although a separate Health Care Complaints Commission (HCCC) also exists. HCCC has earned even less credibility than the IPC.

Here are relevant laws.

History

The NSW Privacy Committee operated as an oversight agency 1975-1998 as Committee, and was replaced from 1999 with a Commission. From 1999 to 2017, however, the Commissioner was part-time post, and for a third of the 18 years the position was filled only on an acting basis (2003-07 and 2009-2011). The history of the Office is a thorough mess, indicative of the power of the public service to protect itself against nuisances.

The powers of the original Committee were (quite properly, for the time) limited to research and complaint-investigation and conciliation, although some Executive Members, particularly the first, Bill Orme, made effective use of the media, including 'naming and shaming' privacy-invaders. The Committee had been intended as a short-term agency, to lay foundations and gather experience; but it remained in its original form for 24 years. The first Executive Member of the Committee was Bill Orme (1975-82), followed by Jim Nolan (1982-87?), ..., Maureen Tangney (1990?-93?), ..., and Catherine Riordan (1996?-1998).

In 1998, a (very weak) data protection law, commonly called PPIPA, was passed. Among other things, it disestablished the Privacy Committee. The part-time Chair at the time became the part-time Privacy Commissioner, and the full-time Executive Member became the full-time Deputy Privacy Commissioner. The Commission has very limited powers, and has been very poorly resourced throughout its life, but particularly since 2004.

During 2010, the Office of the Information Commissioner was established, with oversight responsibilities in relation to FOI and open government.

Deirdre O'Donnell (2010-2013) first held the position. With effect from 1 Jan 2011, the Information and Privacy Commission (NSW IPC) was formed. Privacy NSW was disestablished, its functions were absorbed within NSW IPC, and the Information Commissioner functions swamped the privacy role.

Kathrina Lo (2013) was Acting Information Commissioner from July to December.

Elizabeth Tydd (2014-2024), a career bureaucrat, was appointed with effect from (curiously) 23 December 2013. Tydd totally dominated the privacy function. She then transferred to the role of federal FOI Commissioner, and, one fears, to a future role as federal Information Commissioner, where she would without any doubt protect government and business, and further mutilate the remnants of privacy protections in Australia.

Rachel McCallum (2014-) was appointed to the role in March 2024.

The Privacy Commissioner position has been filled since 1999 as follows:

The full-time Deputy Privacy Commissioner post was held by:


Victoria

From 1999 until at least 2013 and probably even early 2017, the Office of the Victorian Privacy Commissioner (OVPC, or Privacy Victoria) was the most credible Office in the country.

During 2012-14, lacking a protector in Parliament, the Office was progressively strangled by the public service. On 17 September 2014, a decisive step towards its disestablishment was undertaken. There was a longstanding Commissioner for Law Enforcement Data Security (CLEDS), which had been established in order to paste over Governments' severe embarrassments arising from continual and substantial abuses of police databases. (There has seldom been a time in recent decades when the smell of corruption hasn't been very strong within Victoria Police). OVPC and CLEDS were merged into a role re-named as the Commissioner for Privacy and Data Protection, with more work to do and fewer resources to do them with.

In August 2016, the Commissioner found it necessary to conduct an investigation into apparent, serious breaches of privacy by the office of the State Premier. Open warfare broke out. A January 2017 media report is here. The Premier abused his parliamentary power by introducing a Bill to remove the Commissioner. In May 2017, with connivance of the minority Greens (a party that has otherwise generally been at least somewhat privacy-aware and often privacy-active, but in this case acted as deplorably as any other party), the office of the Commissioner for Privacy and Data Protection was simply disestablished through passage of the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017. The provisions are complex (by design), but they basically use the creation of a new Office to neutralise both FOI and Privacy and Data Protection.

The new vehicle that was introduced during 2017 was the Information Commission model. This has been used in Australia specifically to emasculate and muzzle privacy oversight agencies, both at federal level and at State level in all three major States. The model involves appointing career public servants to job-titles that include the word 'commissioner', and giving them very limited powers, very limited resources, very little incentive to protect privacy, and every incentive to avoid upsetting senior public servants and politicians.

In Victoria, in the space of 3 years, three Commissioner roles were merged into a single generic post, with deputies. Such protections as existed for the appointee (which have proven to be meaningless anyway) have been stripped. The incumbent is not a Parliamentary appointee, but is instead subject to conditions very similar to those of any other public servant. Critically, (1) the Commissioner has all powers and the other two are commissioners in name only, entirely dependent on the Commissioner for any powers that they may be permitted to exercise; and (2) the employment conditions of all three are not in the Act, but are at the whim of the Government of the day. There's every expectation that the conditions are such that they can be sacked by the Government at short notice. The notion of independence has been destroyed in a few short years, and incumbents are beholden to the public service and the relevant Ministers.

In contrast to NSW, Privacy Victoria had been regarded reasonably seriously by agencies, and had good standing with privacy advocates for much of its life 1999-2017. The resources provided – although small in comparison with European norms – had been significantly greater than those in NSW, and the effectiveness of the Office had been proportionately much higher throughout its life. The government in due course reduced it to the level of the other ineffectual offices at national level and in NSW and Queensland.

In mid-2017, there ceased to be even a single one of the nine Australian jurisdictions with a privacy oversight agency that has a shred of credibility. (Caveat: A proportion of individual Privacy Commissioners have gained and retained personal credibility. But, when you're swimming in treacle, the positive impact you can have is very limited).

The Privacy Commissioners have been:

The appointment of an Information Commissioner was announced on 29 August 2017:

Privacy in the health care sector is partly within the jurisdiction of the Office of the Health Services Commissioner. In common with its equivalent in NSW, that Office is held in very low regard. It has successfully avoided doing anything of consequence in the privacy area, despite multiple proddings. Among many other failings, it has successfully avoided ever advertising information about the conduct of PIAs to organisations in the sector. Its function is quite simply to protect the government agencies within its zone of operations.

From 2005 until 2014, some aspects of privacy in the law enforcement arena were under the purview of the Commissioner for Law Enforcement Data Security. This was created because of the continual leaks of sensitive personal data that occur from law enforcement databases. Once the level of political embarrassment arising from the leaks had subsided to a sufficiently low level, the Office was disestablished in 2014 and its functions merged into the weakened Office of Privacy and Data Protection, with the remnant functions in 2017 drifting into the completely emasculated office of the Information Commissioner, including a privacy and 'data protection deputy commissioner'.

Some aspects of privacy may also come within the ambit of the Victorian Equal Opportunity and Human Rights Commission.

Here are relevant laws.


Queensland

A Privacy Commissioner, exists, but as a meek public servant low down in the hierarchy of the Office of the Queensland Information Commissioner (OQIC). The Office's primary functions are Information Policy and FOI (which is referred to in Qld as Right To Information – RTI).

Until mid-2010, there was no oversight agency in Queensland, and subsequently the post of Privacy Commissioner was problematic, even chaotic. The Privacy Commissioner has had almost no staff (3 of 25 in 2014, 4 of 33 in late 2016). The level of interest by successive governments, particularly the LNP, is amply demonstrated by the long delays in creating the role, in making an initial appointment, and in appointing a successor to the first Commissioner. During the role's first 5-1/2 years of its nominal existence, it was formally filled only 20% of the time, and appointees have generally been career public servants given cross-appointments from other roles. Unlike the senior Information Commissioner and the job-sharing RTI Commissioners, all of whom have 7 year terms, Privacy Commissioners have had a 3-year appointment. A better formula for ensuring loyalty to the public service is difficult to contrive. Despite this, a couple of privacy-positive initiatiives and public statements have been evident, and one project was conducted in secret and came to light only as a result of an FoI request:

The history of the post of Information Commissioner is also, to speak kindly, chequered:

Privacy in the health care sector is partly within the jurisdiction of the Health Quality and Complaints Commission.

Here are relevant laws.


Western Australia

There is no privacy oversight agency.

After years of promises, an Information Privacy Bill was finally introduced into the Parliament in March 2007. It would have created a (very) part-time Privacy and Information Commissioner, but the function was to be very limited, and instead of being assigned to the Information Commissioner, it was to be assigned to the the Ombudsman (aka the Parliamentary Commissioner for Administrative Investigations), where it would have paled into insignificance.

But the 2007 Bill did not progress in any case, and there has been no sign of life since then.

Privacy in the health care sector is partly within the jurisdiction of the Office of Health Review.

Here are relevant laws.


South Australia

There is no privacy oversight agency.

There is a Privacy Committee of South Australia, run out of the State Records Office, but it is unclear whether it has ever actually done anything that could be reasonably regarded as being privacy-protective. An unenforceable set of Principles exists, but the primary function of the Committee is to exempt agencies from complying with it.

Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commissioner.

Here are relevant laws


Tasmania

There is no privacy oversight agency.

The Tasmanian Ombudsman is empowered to receive and investigate complaints, but the scope of the powers is extremely limited.

Despite the Office having had the responsibility since September 2005, i.e. for well over a decade, and despite queries being raised with the incumbent, the term 'privacy' is almost completely absent from the web-site and the Annual Reports. It's even possible that the Ombudsman may have successfully avoided ever having to handle a privacy complaint. It's hard to see the situation as anything other than a substantial abuse of parliamentary authority and public trust; but it's consistent with the arrogance of public servants nationwide, not just in Tasmania.

Privacy in the health care sector is partly within the jurisdiction of the Health Complaints Commissioner.

Here are relevant laws.


A.C.T.

The A.C.T. adopted the Privacy Act (Cth) 1994-2014.
In 2014, it passed its own Information Privacy Act.
This adopted (the relevant parts of) the Commonwealth's approach and of the Clth APPs.
The A.C.T. government has an MOU with the Australian Privacy Commissioner.
The Act is administered by the ACT Justice and Community Safety Directorate.

However, it appears that the entire ACT Government offers absolutely no information about privacy protections, even under human rights (other than, of course, the ritual 'privacy statements' on each agency's site).

And it appears that very little has ever happened. For example, Personal Information Digests were nominally published by the ACT Dept of Justice, but when checked in August 2010, the site failed to provide access to them.

The Privacy Commissioner provides an information page

Privacy in the health care sector is partly within the jurisdiction of the Community & Health Services Complaints Commissioner (since apparently either folded inside the Human Rights Commission, or folded completely).

Some aspects of privacy may also come within the ambit of the A.C.T. Human Rights Commission (HRC).

Some aspects of privacy may also come within the ambit of the A.C.T. Public Advocate (since defunct?).

Here are relevant laws.


N.T.

As appropriate for a small Territory, a single person fulfils a range of functions, in this case including those of the Northern Territory Information Commissioner, which covers FoI, Privacy, and Public Interest Disclosures. Judging by the web-site, not a lot happens there.

The Information Commissioners have been:

Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commission.

Here are relevant laws.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 17 December 1998 - Last Amended: 12 June 2024 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/POA.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy