Office of the Australian Information Commissioner

We are looking to fill two new senior executive service (Band 2) roles. The Executive General Manager, Regulatory Action will lead our team of experts in enforcement, investigations and compliance to ensure the OAIC can regulate proactively and strategically: https://lnkd.in/gDH9YwS8 The Executive General Manager, Information Rights will lead our FOI case management, privacy case management, and intake and triage branches. Importantly, this will involve enhancing approaches to delivery while balancing competing demands on resources and engaging with risk to deliver the best outcomes for the community and position the OAIC for the future: https://lnkd.in/gf4w-rWq Applications for both roles close Thursday 21 November. #PrivacyJobs #FOIJobs

Privacy Commissioner Carly Kind attended the 46th Global Privacy Assembly (GPA) last week hosted by the Jersey Office of the Information Commissioner. The GPA annual conference brings together global privacy and data protection authorities, along with representatives from the community, businesses and not-for-profit organisations, and academics. Commissioner Kind spent the week connecting with peers in the privacy community, exchanging insights and learning from how other regulators are tackling shared challenges. She also spoke on 2 panel discussions. One was around accessible privacy and how to protect the disabled, vulnerable and socially marginalised in a digitised world. The second panel focused on unlawful data scraping and the use of mass-collected user data for training of AI models, highlighting the work of the International Enforcement Cooperation Working Group on this issue.

We’ve published new guidance on tracking pixels and privacy obligations. It’s the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it’s configured and used in a way that is compliant with the Privacy Act. Media release: https://lnkd.in/g9gGu8pQ

Our annual report for the 2023–24 financial year is now available to read on our website. Australian Information Commissioner Elizabeth Tydd said, ‘With strong foundational work undertaken across 2023–24, we see 2024–25 as an important opportunity to further position the OAIC as a proactive and purpose-driven regulator and an effective contributor to Australia’s integrity framework.’ ‘We are seeing a welcome focus on privacy and access to information in Australia, and the OAIC will continue our work to foster better awareness and better practices in these crucial areas, that are integral to accountability and integrity. ‘That will require targeted and effective enforcement that can minimise harms in the community and assist in strengthening trust and transparency in the digital economy.’ 📰 Media release: https://lnkd.in/gcPYzXeH 📒 Annual report: https://lnkd.in/gbrGAnrg

It’s not Halloween that’s truly frightening in 2024, but instead it’s businesses and government agencies operating without privacy in mind. A strong privacy focus can help to build trust and confidence with your customers and mitigate business, regulatory and reputational risk. Read more: https://lnkd.in/gHQpd2_X

Today we joined 16 of our international data protection and privacy counterparts in making a statement with further expectations for how social media companies can better protect personal information from data scraping. Our expectations include that social media companies and other organisations that host publicly accessible personal information: – comply with privacy and data protection laws when using personal information, including from their own platforms, to develop AI large language models – deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies – ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms. This follows a previous letter to industry suggesting they identify and implement controls to protect against, monitor for, and respond to data scraping activities on their platforms. 📰 Media release: https://lnkd.in/gNv4eH3H  

Are you using personal information to develop or train an AI model, such as a generative AI product? Swipe for the top 5 privacy considerations from our new guidance: https://lnkd.in/gvNgpYJy

Privacy Commissioner Carly Kind spoke on a panel alongside ASIC Deputy Chair Sarah Court at the Australian Women Lawyers National Conference last week. The pair discussed leadership in the regulatory space and striking a balance between education and enforcement, and shared their advice for lawyers hoping to move into leadership roles in the future. 

International Access to Information Day recognises the community’s right to access government-held information.   In the spirit of open government, we have published the video, transcript and slides from the event we held in Canberra last month to mark this important day.   Watch the event: https://lnkd.in/gEcC5r_D   #IAID2024 #RightToKnow#AccessToInfoDay #AccessToInfo #IDUAI2024

This week, in addition to new AI guidance, we updated our privacy guidance for charities and other not-for-profits. One area we’ve really focussed on is more detailed guidance around APP 11.2, which relates to entities’ obligations with respect to retention, destruction and de-identification of personal information. This is a critical area for charities to pay attention to as it relates to how they handle donor data. Although many charities may be inclined to hold onto donor data for as long as possible - including for years after they’ve had any contact with donors - to support fundraising objectives, this raises real concerns about compliance with 11.2, and more broadly may exacerbate the risk or impact of data breaches. We’re urging charities to pay particular attention to their policies and procedures around deleting or deidentifying the personal information of donors where there is no ongoing need or requirement to retain it. Indefinite retention of all personal information is unlikely to satisfy an entity’s APP obligations. Having worked in the not-for-profit sector myself for a long time I understand the difficult and competing issues charities are dealing with, often in a resource-constrained environment. I’ve also seen, however, the risks that flow to charities through poor privacy practices. By publishing this guidance we’re hoping we can support charities to review and improve their compliance efforts.