3.1
The annual reports for the 2019-20 financial year (the reporting period) from the following agencies were referred to the committee for examination and report between 1 May 2020 to 31 October 2020:
Attorney-General's Portfolio
Administrative Appeals Tribunal;
Australian Commission for Law Enforcement Integrity;
Australian Financial Security Authority;
Australian Human Rights Commission;
Australian Law Reform Commission;
Commonwealth Director of Public Prosecutions;
Family Court of Australia;
Federal Circuit Court of Australia;
Federal Court of Australia, including the report of the National Native Title Tribunal;
Inspector-General of Intelligence and Security;
National Archives of Australia and National Archives of Australia Advisory Council;
Office of Parliamentary Counsel; and
Office of the Australian Information Commissioner.
Australian Transaction Reports and Analysis Centre;
Australian Criminal Intelligence Commission;
Australian Institute of Criminology;
Australian Security Intelligence Organisation; and
Australian Federal Police.
3.2
On this occasion, the committee has examined in more detail the reports of the Office of the Australian Information Commissioner (OAIC) and the Office of Parliamentary Counsel (OPC).
Office of the Australian Information Commissioner
Tabling of the report
3.3
The OAIC's Annual Report 2019-20 was tabled in the Senate on 9 November 2020, after having been tabled in the House of Representatives on 19 October 2020. The annual report was presented to the Attorney-General on 23 September 2020, meeting the requirements under section 46 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
Commissioner's review
3.4
In her review, Privacy Commissioner Angelene Falk emphasised the 2019-20 summer bushfire crisis and the COVID-19 pandemic highlighted the importance of maintaining public trust and confidence in the handling of personal information and providing access to government-held information.
3.5
Ms Falk stated that during the pandemic, the OAIC has taken on a number of new initiatives, including:
new responsibilities for overseeing privacy safeguards built into the COVIDSafe app;
providing recommendations on legislative privacy protections to ensure trust and confidence in the community; and
producing guidance for business, Australian government agencies and individuals in relation to the protection of personal information in changed work environments and when venues are collecting information for contact tracing purposes.
3.6
Ms Falk stated that the pandemic had both provided opportunities for greater transparency through proactive release and real-time provision of information, and impacted the ability of agencies to meet statutory timeframes for processing freedom of information requests.
3.7
During the reporting period, the OAIC:
launched its first civil penalty action, against Facebook;
established a team to engage with stakeholders and provide policy advice during the government's review of the Privacy Act 1988 (the Privacy Act);
worked closely with the Australian Competition and Consumer Commission (ACCC) on the implementation of the Consumer Data Right project; and
recorded an 11 per cent increase in notifications to the OAIC and to individuals at risk of harm under the Notifiable Data Breaches scheme.
Performance reporting
3.8
The relevant Attorney-General's Portfolio Budget Statements 2019-20 (PBS) outlined the OAIC's outcome and program, as well as setting out six outcomes-based KPIs. The Corporate Plan 2019-20 (corporate plan) identified four strategic priorities, namely:
Strategic priority 1–Advance online privacy protections for Australians;
Strategic priority 2–Influence and uphold privacy and information access rights frameworks;
Strategic priority 3–Encourage and support proactive release of government-held information;
Strategic priority 4–Contemporary approach to regulation.
3.9
The corporate plan also sets out 31 performance indicators, along with corresponding measures to evaluate success. It indicated which of these measures incorporate the six outcome-based KPIs from the PBS.
3.10
The performance statement in the annual report sets out the agency's performance against the measures in the corporate plan. Read together, the PBS, corporate plan and annual report provide a 'clear read' of the OAIC's performance.
3.11
During the reporting period, the OAIC achieved 16, partially achieved four and did not achieve eight of the 31 indicators. The OAIC explained that three further indicators did not apply during the reporting period due to delays in the commencement of the Consumer Data Right and reforms to the Privacy Act.
3.12
The performance indicators not achieved included (but were not limited to):
conducting Commissioner-initiated investigations (CIIs) related to privacy matters–measured by the time taken to finalise privacy CIIs.
handling data breach notifications (DBNs) – measured by the time taken to finalise DBNs and the time taken to finalise My Health Record DBNs.
providing an Information Commissioner (IC) review function – measured by the time taken to complete IC reviews;
handling FOI (freedom of information) complaints – measured by the time taken to finalise FOI complaints;
conducting CIIs relating to FOI – measured by the time taken to finalise FOI CIIs.
3.13
The OAIC explained that where performance indicators were not achieved, this result largely reflected increased volumes of work and efforts to reduce the backlog created by a sustained increase in privacy complaints and IC review applications over recent years.
3.14
The committee acknowledges the consistent efforts of the OAIC and the government to clear the backlog of cases, and the successes achieved by the OAIC over the reporting period in this regard. The committee encourages the OAIC and the government to work together to ensure that the agency's increasing workload is managed in a timely manner while also adequately serving its intended purpose.
Other matters
3.15
While the annual report largely meets the requirements of the PGPA Act and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) (collectively referred to as the Commonwealth performance framework) for annual reports, this report appears to be lacking with respect to a number of mandatory requirements, including:
a discussion and analysis of the entity's financial performance (PGPA Rule 17AF(1)(a));
the entity's web address (PGPA Rule 17AJ(f)) and the electronic address for the report (PGPA Rule 17AJ(g));
a direct electronic address for the charter determining the functions of the entity's audit committee (PGPA Rule 17AG(2A)(a));
statistics on staff location (PGPA Rules 17AG(4)(aa) and 17AG(4)(b)); and
an outline of the ways in which the procurement practices of the entity support small and medium enterprises (PGPA Rule 17AG(1)(b).
3.16
The committee acknowledges that the annual report provides a detailed discussion and analysis of the OAIC's financial performance, and commends the OAIC for doing so. It encourages the OAIC to include a brief summary of the actual financial position of the agency over the reporting period in its overview. Doing so would assist in clarifying the agency's position prior to considering the more detailed information in the financial statements.
3.17
The committee notes that the OAIC's web address and the electronic address for the report appear to have been omitted from the report, while reference is made to the annual report being available free of charge on the OAIC's website. The committee encourages adherence to the Commonwealth performance framework, which requires explicit reference to both addresses.
3.18
The committee commends the OAIC for its efforts in complying with recent additional reporting requirements with respect to audit committees. The committee notes that while most required information was provided, the report did not include the web address for the audit committee's charter. The committee encourages the OAIC to comply with all requirements in relation to the audit committee.
3.19
While the committee understands that the OAIC may be based in one location, it encourages the agency to include a statement to this effect, or an outline of staff locations in its staffing profile in order to comply with all requirements in PGPA Rules 17AG(4)(aa) and 17AG(4)(b).
3.20
The OAIC's annual report does not appear to outline the ways in which the procurement practices of the agency support small and medium enterprises. The committee encourages the OAIC to include this information to the extent possible in order to comply with the mandatory obligations under the PGPA Rule.
Conclusion
3.21
While the committee has identified a number of shortcomings with OAIC's report, on balance it considers the report to be 'apparently satisfactory'. The committee encourages the OAIC to address the matters outlined above in order to comply to the fullest extent possible with the requirements of the annual reporting framework under the PGPA framework.
Office of Parliamentary Counsel
Tabling of the report
3.22
The OPC's Annual Report 2019-20 was tabled in the Senate on 9 November 2020, after having been tabled in the House of Representatives on 19 October 2020. The annual report was presented to the Attorney-General on 30 September 2020, meeting the requirements under section 46 of the PGPA Act.
Review by the First Parliamentary Counsel
3.23
In his annual review, First Parliamentary Counsel, Mr Peter Quiggin PSM, QC reflected on the OPC's 50th anniversary, and the successes it has achieved so far. Mr Quiggin reflected on the impact of the summer bushfire crisis, a large hailstorm in Canberra and the COVID-19 pandemic on the staff of the OPC. He remarked that, in particular, the pandemic placed extra pressures on the OPC, with most of its workforce transitioning to working from home arrangements. He also stated that substantial demands arose for urgent legislation to facilitate Australia's response to the medical and economic crises that arose.
3.24
Mr Quiggin's review highlighted OPC's work in partnership with the Department of Agriculture, Water and Environment on the export control legislation project, which included drafting a new principal Act that passed Parliament in February 2020, as well as supporting rules and regulations that are scheduled to commence on 28 March 2021. Mr Quiggin identified this as the latest in a series of large legislative reform projects that OPC has undertaken with the Department of Agriculture.
3.25
Mr Quiggin stated that, in accordance with his obligation to encourage high standards in the drafting of legislative instruments, OPC continued to run courses for people involved in drafting legislative instruments. He said that due to the COVID-19 pandemic, these courses had to be suspended during the second half of the reporting period, however, these courses will be able to be presented remotely.
Performance reporting
3.26
OPC's performance framework is underpinned by two purposes which reflect its outcome in the PBS. They are:
Purpose 1 – Legislative drafting: Enable the government to carry out its legislative program by drafting bills, legislative instruments to be made or approved by the Governor-General (Federal Executive Council (ExCo) instruments) and a range of other instruments; and
Purpose 2 – Publication: Ensure Commonwealth laws and instruments are freely available and accessible to everyone by publishing those laws and instruments on the Legislation Register website.
3.27
Under these two purposes, OPC measures its performance against seven criteria. OPC met six out of the seven criteria. The one criteria that was not met related to the proportion of Act and legislative and notifiable instrument compilations required to be prepared by OPC that are registered on the Legislation Register 28 days after commencement of the prospective amendments. OPC's target for this criterion is 90 per cent, compared to its actual result of 88 per cent. The annual report states that this result was attributable to the substantial increase in the number of compilations prepared on a user-pays basis, which had an impact on compilation output.
3.28
The committee acknowledges OPC's strong performance against its targets, and encourages it to continue its efforts in meeting them.
Other matters
3.29
While OPC's annual report largely met the requirements of the Commonwealth performance framework, it appears to omit three requirements:
a certification by the accountable authority in respect of the OPC's fraud systems (PGPA Rules 17AG(2)(b)(i), (ii) and (iii));
statistics on employees and APS employees (PGPA Rules 17AG(4)(aa) and (b)); and
an outline of mechanisms on disability reporting, including a reference to the relevant website for further information (PGPA Rule 17AH(1)(c)).
3.30
The committee acknowledges that the annual report outlined the mechanisms in place for risk management and fraud control, and includes statements that reflect the substance of the information required under the Commonwealth performance framework. However, it does not make explicit reference to a certification from the accountable authority as to the existence of fraud processes. The committee encourages OPC to be fully compliant with the requirements of the Commonwealth performance framework.
3.31
While the OPC has provided a substantial level of detail in relation to staffing statistics, the committee encourages it to ensure that it presents the information in such a way as to allow for comprehensive analysis of employee data. The committee also understands that the OPC may be based in one location, but it encourages it to include a statement to this effect, or an outline of staff locations in its staffing profile in order to comply with all requirements in PGPA Rules 17AG(4)(aa) and 17AG(4)(b).
3.32
The annual report does not appear to include a statement that outlines mechanisms for disability reporting, or a reference to a website for further information, which is a mandatory obligation under the PGPA framework. The committee encourages OPC to address this omission in its subsequent annual reports.
Conclusion
3.33
While the committee acknowledges that the annual report appears to omit information required under the PGPA framework, these omissions are not substantial. Therefore, the committee considers the OPC's annual report to be 'apparently satisfactory'.
Senator the Hon Sarah Henderson
Chair