This document contains information about the various agencies throughout Australia that have some form of regulatory responsibility in relation to privacy:
If you’re reading this with some optimism about Privacy Commissioners in Australia, brace yourself for disappointment.
If you’re looking for oversight agencies in other countries, try these sources:
- the membership list of the Asia Pacific Privacy Authorities (APPA)
- the membership list of the European Art.29 Working Party
- the WorldLII index of Privacy Protection Agencies
If you’re aware of a relevant agency that isn’t listed here, or of a material error in the content, please tell me!
Commonwealth of Australia
The appointment of Privacy Commissioner was established in 1989. The first Commissioner was a Sydney resident, and the office has always been located there. From 1989 until 2010, the office was referred to variously as the Office of the Privacy Commissioner (OPC – which risked confusion with the other Offices with similar names in other jurisdictions), the Office of the Federal Privacy Commissioner (OFPC), or – particularly after the Howard Government changed the style of federal government agencies in about 2000 – the Office of the Australian Privacy Commissioner (OAPC). Some aspects of privacy also came within the ambit of the Australian Human Rights Commission (HRC) – with which the Privacy Commissioner had varying relationships 1989-2010.
In November 2010, the OAPC was disestablished, and absorbed into the new Office of the Australian Information Commissioner (OAIC). This encompassed information policy generally, including new FOI supervisory functions and the existing privacy functions. The Privacy Commissioner retained a few powers, but most were ceded to the more senior Information Commissioner. The Privacy Commissioner role operated as a first-level report to the Information Commissioner, with privacy subjugated to information policy more generally. The Privacy Commissioner’s resources were also pillaged (although doubtless the term ‘rationalised’ would be preferred in bureaucratic hallways), as a result of the new Information Commissioner and the new FOI Commissioner being given fewer resources than they’d been promised, and the Privacy Commissioner being the junior player.
The Information Commissioner was the immediate past Ombudsman 2003-10, John McMillan (2010-2015). The first (and only ever?) FOI Commissioner was James Popple (2010-2014). (Because of the very low quality of the web-managers that the public service outsources to, the URLs may well break, again). See below for the attempted disestablishment of OAIC by the new government in 2014, and the forced departures of McMillan and Popple.
On at least some occasions the position of Privacy Commissioner has been advertised. However, a small selection committee of senior public servants recommends the successful applicant to the relevant Minister, who accepts it. There has never been any form of public involvement or consultation. The Privacy Commissioners have been:
- Kevin O’Connor (1989-97) – despite disagreements with privacy advocates, a moderate success
- Moira Scollay (1997-99) – subjected to enormous pressure by the bureaucracy and failed the test
- Malcolm Crompton (1999-2004) – again subjected to enormous pressure, but achieved moderate success
- Karen Curtis (2004-10) – ex government and ACCI, and protected government and business, not privacy
- Timothy Pilgrim (2010-) – continued and deepened Curtis’ protection of government and business
Pilgrim had previously been the Deputy Commissioner for an extended period.
From early 2014, Attorney-General Brandis tried to disestablish OAIC. Faced with a hostile Senate, he was unable to the get the Bill passed, so he withdrew funding for the Information and FoI functions – probably illegally.
From mid-2015, Pilgrim was forced to act as all of Information, FoI and Privacy Commissioners, on successive 3-monthly appointments, each made around the time the previous one ended. It’s as strong a guarantee of ‘loyalty’ as a Minister can impose on an appointee. Greater disregard for convention, not to mention arrogance, hath no Attorney-General.
After the 2016 double-dissolution election failed to provide the Coalition with control of the Senate, Brandis gave up on his plans to disestablish the OAIC. In late 2016, Pilgrim was appointed as both Information and Privacy Commissioners. The role also carries not-inconsequential responsibilities for FoI. The number of senior executives at the end of 2016 was half what it had been 3 years earlier, with only marginal decreases in responsibilities, and considerable increases in the interim. Both the AG’s and the PC’er’s announcements were silent about the term(s) of the appointments – constituting yet another breach by Brandis, at least of norms, and quite possibly of law.
Particularly since 2004, the Privacy Commissioner’s role has been anything but a privacy watchdog. The Office functions as a protection device for government and business. Since 2004, its existence has resulted in negative disbenefits to the public.
From the time that the Office established a web-site in the mid-1990s, it used the domain privacy.gov.au. By early 2011, the new arrangements probably forced the shifting of the content of the web-site to a sub-site within http://www.oaic.gov.au. Assurance was provided by OAIC on 15 November 2010 that “current deep links to the www.privacy.gov.au site will be maintained through a redirect function to the relevant documents after it’s migrated to the new site”. That turned out not to be a ‘core promise’, and many links were broken when the privacy.gov.au site was eventually closed down in 2013.
Here are relevant laws.
N.S.W.
After the State led the world in the late 1970s, the intransigence of the NSW public service, combined with the deep pit that is NSW politics, has ensured that the State’s privacy protection regime has been a complete basket case for decades. A small privacy role exists within the Information and Privacy Commission (NSW IPC), in recent years it has mostly had no specialist staff, and the Privacy Commissioner has been an appointee from within the public service’s own ranks, working part-time, as a minor player to an Information Commissioner. Details are provided at the end of this section.
The Privacy Commission’s scope extends to the health care sector, although a separate Health Care Complaints Commission (HCCC) also exists. HCCC has earned even less credibility than the IPC.
Here are relevant laws.
History
An oversight agency operated 1975-1998 as a Committee, and since 1999 as a Commission. The Commissioner has only ever been part-time, and for long periods there has be an Acting Commissioner, including 2003-07 and 2009-2011.
The history of the Office is a thorough mess, indicative of the power of the public service to protect itself against nuisances.
The powers of the original Committee were (quite properly, for the time) limited to research and complaint-investigation and conciliation, although some Executive Members, particularly the first, Bill Orme, made effective use of the media, including ‘naming and shaming’ privacy-invaders. The Committee had been intended as a short-term agency, to lay foundations and gather experience; but it remained in its original form for 24 years. The first Executive Member of the Committee was Bill Orme (1975-82), followed by Jim Nolan (1982-87?), …, Maureen Tangney (1990?-93?), …, and Catherine Riordan (1996?-1998).
In 1998, a (very weak) data protection law, commonly called PPIPA, was passed. Among other things, it disestablished the Privacy Committee. The part-time Chair at the time became the part-time Privacy Commissioner, and the full-time Executive Member became the full-time Deputy Privacy Commissioner. The Commission has very limited powers, and has been very poorly resourced throughout its life, but particularly since 2004.
During 2010, the Office of the Information Commissioner was established, with oversight responsibilities in relation to FOI and open government. Deirdre O’Donnell held that position July 2010 to May 2013.
With effect from 1 Jan 2011, the Information and Privacy Commission (NSW IPC) was formed, Privacy NSW was disestablished, its functions were absorbed within NSW IPC, and the Information Commissioner functions swamped the privacy role. Kathrina Lo was Acting Information Commissioner from July 2013 to December 2013. Elizabeth Tydd, a career bureaucrat, was appointed with effect from (curiously) 23 December 2013.
During 1999 to 2013, the (often very) part-time Commissioners have been:
- Chris Puplick (1999-2003). The role was very part-time, in parallel with his primary role as Anti-Discrimination Commissioner. Puplick resigned from the job in May 2003 following an allegation of misconduct.
- John Dickie (2003-07). But Dickie was only ever Acting, and was on successive contracts that were not only part-time but short-term as well. He was almost invisible. During 2003-04, the Carr Labor Government went on a vendetta to dis-establish the Privacy Commission and have its work swallowed up by the Ombudsman’s office. The APF actively opposed the idea, and the Upper House rejected the Government’s attempt
- Ken Taylor (2008-09). Taylor was also largely invisible on privacy matters, and was then appointed to oversee the Government’s changes to the FOI arrangements. Taylor took sick leave from November 2009
- Maureen Tangney (2009-10) – a senior government executive and sometime Executive Member of the Privacy Committee, held the appointment on a nominal basis for over 18 months
- John McAteer (2010-11) – Principal Privacy Officer, was given successive, short-term Acting appointments 1 Jul 2010 to Nov 2011, and was then appointed Deputy Privacy Commissioner 2011-13. McAteer was summarily retrenched in early 2013, after giving (very clear and appropriate) evidence in a case brought by a citizen against Nowra Council’s unjustified CCTV scheme. The citizen won, the Premier immediately changed the law to exempt Councils from a slice of the PPIPA, and the Deputy Commissioner role McAteer had held for 18 months was disestablished, i.e. McAteer was sacked for doing his job
- Elizabeth Coombs (2011-) was given a part-time (0.6) appointment for 5 years from November 2011. The advertisement in October 2010 had included an upbeat and positive statement describing the role, including the stated expectation that the appointee would “operate as an independent advocate/champion in relation to privacy issues”. Coombs was a former senior executive in the Premier’s Department.
The Office was submerged within the Information and Privacy Commission, with the Information Commissioner dominating the power and resources. Coombs appears to have fought internally for some years, seeking sufficient independence and resources to fulfil her function. This became apparent late in her term, as she was forced to become increasingly public about the appalling behaviour of the Department and the Information Commissioner. The impact of her role on public service behaviour during 2011-16 was, unsurprisingly, very muted.
As Coomb’s appointment came to an end, the job was advertised in late October 2016, for the first time ever on a full-time basis. With no appointment made, Coombs appears to have been re-appointed on a short-term Acting basis, and continued to seek appropriate terms and resources even while she had an application for re-appointment before the Selection Committee.
The full-time Deputy Privacy Commissioner post was held by:
- Catherine O’Riordan (1999-2001)
- Anna Johnston (2001-04)
- Unfunded and vacant (2004-11)
- John McAteer (2011-13)
- Abolished c. April 2013
Victoria
From 1999 until 2013/14, the Office of the Victorian Privacy Commissioner (OVPC, or Privacy Victoria) was the most credible Office in the country.
On 17 September 2014, the Commissioner for Law Enforcement Data Security was disestablished, and his responsibilities merged into a replacement Commissioner for Privacy and Data Protection, with more work to do and fewer resources to do them with.
In August 2016, the Commissioner found it necessary to conduct an investigation into apparent, serious breaches of privacy by the office of the State Premier. Open warfare broke out. A January 2017 media report is here. The Premier abused his parliamentary power by introducing a Bill to remove the Commissioner. In May 2017, with connivance of the minority Greens, the office of the Commissioner for Privacy and Data Protection was disestablished.
The vehicle was the Information Commission model. This has been used in Australia specifically to emasculate and muzzle privacy oversight agencies, both at federal level, and at State level in NSW and Queensland, and now Victoria. In Victoria, three Commissioner roles have been merged into a single generic post with deputies, protections for the appointee (which proved to be meaningless anyway) have been stripped, and the incumbent can be sacked by the government with 10 days’ notice. The model involves appointing career public servants to job-titles that include the word ‘commissioner’, and giving them very limited powers, very limited resources, very little incentive to protect privacy, and every incentive to avoid upsetting senior public servants and politicians.
As a result, in mid-2017, there ceased to be even a single one of the nine Australian jurisdictions with a privacy oversight agency that has a shred of credibility. (Caveat: A proportion of individual Privacy Commissioners have gained and retained personal credibility. But, when you’re swimming in treacle, the positive impact you can have is very limited).
The Privacy Commissioners have been:
- Paul Chadwick – July 1999 to July 2006
- Helen Versey – March 2007 to March 2012, the previous Deputy Commissioner (after Acting for 8 months)
- Anthony Bendall – March 2012 to April 2013, the Deputy Commissioner (Acting for 13 months)
- David Watts – April 2013 to September 2014 (Acting for 17 months), but conjointly with his previous full-time appointments, incl. as Commissioner for Law Enforcement Data Security (CLEDS)
- David Watts – September 2014 to May/July 2017, but with increased scope and reduced resources
- unknown, faceless, powerless and ineffective public servants to be appointed as Information Commissioner and deputy data protection and privacy commissioner from July 2017
In contrast to NSW, Privacy Victoria had been regarded reasonably seriously by agencies, and had good standing with privacy advocates for much of its life 1999-2017. The resources provided – although small in comparison with European norms – had been significantly greater than those in NSW, and the effectiveness of the Office had been proportionately much higher throughout its life. The government in due course reduced it to the level of the other ineffectual offices at national level and in NSW and Queensland.
Privacy in the health care sector is partly within the jurisdiction of the Office of the Health Services Commissioner. In common with its equivalent in NSW, it is held in very low regard. It has successfully avoided doing anything of consequence in the privacy area, despite multiple proddings. Its function is quite simply to protect the government agencies within its zone of operations.
From 2005 until 2014, some aspects of privacy in the law enforcement arena were under the purview of the Commissioner for Law Enforcement Data Security. This was created because of the continual leaks of sensitive personal data that occur from law enforcement databases. Once the level of political embarrassment arising from the leaks had subsided to a sufficiently low level, the Office was disestablished in 2014 and its functions merged into the weakened Office of Privacy and Data Protection, with the remnant functions in 2017 drifting into the completely emasculated office of the Information Commissioner, including a privacy and ‘data protection deputy commissioner’.
Some aspects of privacy may also come within the ambit of the Victorian Equal Opportunity and Human Rights Commission.
Here are relevant laws.
Queensland
A Privacy Commissioner, exists, but as a meek public servant low done in the hierarchy of the Office of the Queensland Information Commissioner (OQIC). The Office’s primary functions are Information Policy and FOI (which is referred to in Qld as Right To Information – RTI).
Until mid-2010, there was no oversight agency in Queensland, and since then the post of Privacy Commissioner has been problematic, even chaotic, throughout its life. The Privacy Commissioner has almost no staff (3 of 25 in 2014, 4 of 33 in late 2016). The level of interest by successive governments, particularly the LNP, is amply demonstrated by the long delays in creating the role, in making an initial appointment, and in appointing a successor to the first Commissioner. During the role’s first 5-1/2 years of its nominal existence, it was formally filled only 20% of the time, and all since the first have been career public servants given cross-appointments from other roles. Unlike the senior Information Commissioner and the job-sharing RTI Commissioners, all of whom have 7 year terms, the current Privacy Commissioner has a 3-year appointment. A better formula for ensuring loyalty to the public service is difficult to contrive:
- Vacant – 1 Jul 2009 until 15 Jun 2010 (12 months)
- Linda Matthews – 15 Jun 2010 to Oct 2011 (16 months)
- Lemm Ex (Acting) – Oct 2011 to Oct 2013 (2 years)
Lemm was the previous Deputy Commissioner, and was Acting for the maximum time that the law permits - Clare Smith – (Acting, half-time?) – Nov 2013 to Nov 2015 (2 years)
Clare was the (substantive) Right To Information (RTI) Commissioner (half-time), and again an appointment was made only when the Act was about to be breached. - Philip Green – appointed to a 3-year term on 10 Dec 2015
Philip is a government lawyer, previously in Premier’s and in Tourism.
The history of the post of Information Commissioner is also chequered:
- Vacant – 2005-2009 (4 years)
- Julie Kinross – 30 Jul 2009 to mid-2012 (3 years)
- (unsure) (Acting) – mid-2012 to Sep 2013 (15 months)
- Rachael Rangihaeata – appointed to a 7-year term on 20 Sep 2013
Privacy in the health care sector is partly within the jurisdiction of the Health Quality and Complaints Commission.
Here are relevant laws.
Western Australia
There is no privacy oversight agency.
After years of promises, an Information Privacy Bill was finally introduced into the Parliament in March 2007. It did not progress. It would have created a (very) part-time Privacy and Information Commissioner, but the function was to be very limited, and instead of being assigned to the Information Commissioner, it was to be assigned to the the Ombudsman (aka the Parliamentary Commissioner for Administrative Investigations), where it would have paled into insignificance.
Privacy in the health care sector is partly within the jurisdiction of the Office of Health Review.
Here are relevant laws.
South Australia
There is no privacy oversight agency.
There is a Privacy Committee of South Australia, run out of the State Records Office, but it is unclear whether it has ever actually done anything that could be reasonably regarded as being privacy-protective. An unenforceable set of Principles exists, but the primary function of the Committee is to exempt agencies from complying with it.
Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commissioner.
Here are relevant laws
Tasmania
There is no privacy oversight agency.
The Tasmanian Ombudsman is empowered to receive and investigate complaints, but the scope of the powers is extremely limited.
Despite the Office having had the responsibility since September 2005, i.e. for well over a decade, and despite queries being raised with the incumbent, the term ‘privacy’ is almost completely absent from the web-site and the Annual Reports. It’s even possible that the Ombudsman may have successfully avoided ever having to handle a privacy complaint. It’s hard to see the situation as anything other than a substantial abuse of parliamentary authority and public trust; but it’s consistent with the arrogance of public servants nationwide, not just in Tasmania.
Privacy in the health care sector is partly within the jurisdiction of the Health Complaints Commissioner.
Here are relevant laws.
A.C.T.
The A.C.T. adopted the Privacy Act (Cth) 1994-2014.
In 2014, it passed its own Information Privacy Act.
This adopted (the relevant parts of) the Commonwealth’s approach and of the Clth APPs.
The A.C.T. government has an MOU with the Australian Privacy Commissioner.
The Act is administered by the ACT Justice and Community Safety Directorate.
However, it appears that the entire ACT Government offers absolutely no information about privacy protections, even under human rights (other than, of course, the ritual ‘privacy statements’ on each agency’s site).
And it appears that very little has ever happened. For example, Personal Information Digests were nominally published by the ACT Dept of Justice, but when checked in August 2010, the site failed to provide access to them.
The Privacy Commissioner provides an information page
Privacy in the health care sector is partly within the jurisdiction of the Community & Health Services Complaints Commissioner (since apparently either folded inside the Human Rights Commission, or folded completely).
Some aspects of privacy may also come within the ambit of the A.C.T. Human Rights Commission (HRC).
Some aspects of privacy may also come within the ambit of the A.C.T. Public Advocate (since defunct?).
Here are relevant laws.
N.T.
As appropriate for a small Territory, a single person fulfils a range of functions, in this case including those of the Northern Territory Information Commissioner, which covers FoI and privacy, and Public Interest Disclosures.
The Privacy Commissioners have been:
- Peter Shoyer – 2003-07
- Zoe Marcham – 2007-09, Acting throughout
In late 2008, the post was reduced to a part-time role, with the IC covering FOI, Privacy and Public Interest Disclosures, i.e. Corruption and Whisteblowing - Robert Bradshaw – 2009-10, Acting throughout
- Brenda Monaghan – since February 2010
Privacy in the health care sector is partly within the jurisdiction of the Health and Community Services Complaints Commission.
Here are relevant laws.