Privacy funding in the 2021 Australian Federal Budget

Was privacy a winner in the 2021 Federal budget? Not really …. Unless you think privacy and security are the same thing.

At a time when issues around the collection and use of personal information have never been more important, the Australian government committed little additional or new funding to support the ballooning portfolio of the Office of the Australian Information Commissioner (OAIC).  Meanwhile the cyber tsars in Canberra were showered with largesse, perhaps because their role in keeping fortress Australia safe is more self evident?

How much does privacy get in the 2021 Australian Federal Budget?

In short, the Office of the Australian Information Commissioner gets:

• $1.54m per year over the next two years to support the expansion of the Consumer Data Right (where the OAIC is a co-regulator of the new scheme is part of the government’s Digital Economy Strategy);
• $1m per year to expand the freedom of information functions, including the appointment of an FOI Commissioner.

Funding of $2.070m per year for the next two years for overseeing privacy protections within the My Health Record system is continued, as a direct funding rather than under a Memorandum of Understanding with the Australian Digital Health Agency.

In the 2019 – 2020 report[1], the Commissioner noted the activities of the office included:

• Dealing with COVID-related issues, including the review and privacy impact assessment of the COVID Safe app plus publication of advice for agencies, businesses and the general public;
• Responding to the Digital Platforms enquiry, which is looking at over hauling the Privacy Act;
• Managing an 11% rise in data breaches notified under the Notifiable Data Breach Scheme.
• Working on the introduction of the new Consumer Data Right;
• Launching the first civil penalty action, against Facebook.

Given these priorities, an additional $1.54m, which is ear marked for the CDR in any case, seems somewhat inadequate.

Funding for FOI in the 2021 Australian Federal Budget

Similarly, the $1m for FOI funding seems a drop in the ocean given the issues with that system and certainly not enough to support the long-needed overhaul of the pre-digital approach to accessing information held by government agencies.  Particularly once the costs of actually putting a person into the FOI Commissioner position are deducted.

There has been a dramatic rise in FOI applications, and those requiring reviews.  The OAIC reported a 109% increase in the number of review applications between 2015-2016 and 2019 – 2020. Issues with resourcing to deal with the review applications was included in the 2020 annual report, which noted a 15% increase in review applications plus a significant increase in agency applications for extensions of time to process FOI requests, because of COVID related issues.

Not only are applications to the OAIC for review of FOI decisions steeply rising, in 2019 it was reported that agencies were spending $60 million in dealing with FOI requests, with that cost more than triple that of 15 years when there were 3500 more requests.[2]

Peter Timmins, an FOI expert, is reported s saying: ‘The legislation itself is out of date that sits uncomfortably in a digital age. There is little if any scrutiny of FOI processing, few (if any) published efficiency measures and nothing about best practice or the use of technology for FOI processing,” he said. “We’re hearing a lot about data but FOI is stuck in the pre-digital world.

Proposed amendments to the FOI regime to make it fit for the 21^st century seem to have stalled.  More information here.

The Privacy Commissioner, who has been acting as the FOI Commissioner since , might be seen as accepting that substantial change of FOI laws in the near future is unlikely,  confirming that the additional resources  “will assist the OAIC’s work to uphold Australians’ right of access to government documents.”[3]

Funding for Cyber Security in the 2021 Australian Federal Budget

While the OAIC received an annual increase of $1.54m to support the CDR and $1m for FOI, cyber security was showered with largesse.

As part of the Government’s Digital Economy Strategy, the Government has committed a further $55 million for initiatives related to cyber security, including:

• $31.7 million to enhance the security of Australia’s mobile networks and accelerate the commercialisation of sovereign network and data security solutions;
• $18.8 million to pilot centralised delivery of cyber capabilities and services for government agencies through Whole-of-Government cyber hubs;
• $2.8 million to strengthen Australia’s national system of identity settings;
• $1.8 million to deliver a National Data Security Action Plan co-designed with industry.

Other funding includes:

• $43.8 million over three years to expand the Cyber Security Skills Partnership Innovation Fund, to address the cyber security skills gap;
• $42.4 million over two years from 2021-22 to improve security arrangements for critical infrastructure assets, including those designated as Systems of National Significance, in accordance with SOCI.
• $1.3 billion has been budgeted for the Australian Security Intelligence Organisation (ASIO) over the next decade to support ASIO’s technological capabilities and enhance its ability to address threats to Australia’s national security.
• The Australian National Audit Office will receive $61.5 million over four years from 2021-22 to address rising costs due to more complex financial data and records management arrangements, new audit controls relating to COVID-19 measures, and the need to enhance IT cyber security migration.

All of these initiatives were foreshadowed in 2020 Cyber Security Strategy, a strategy that had little to say about privacy.  We covered this in a previous blog post. As noted in that earlier piece on the Cyber Security Strategy, is it appropriate for Australia’s cyber security focus be so much on national security with so little consideration of the protection of individual freedoms and rights?  How might Australia’s leading government centre of cyber security expertise help the Office of the Australian Information Commissioner (OAIC) administer the mandatory data breach notification scheme? What role should that ACSC play in working with the Australian Competition and Consumer Commission to protect consumers from on-line scammers and misleading and deceptive practices or what about supporting the privacy and security of data to be released as part of the new Consumer Data Rights Scheme?

Conclusion

It seems clear that the OAIC will continue as the chronically underfunded poor cousin of the Australian Cyber Security Centre, struggling to cope with an ever increasing work-load in a rapidly changing environment presenting constantly changing challenges.

How much better might Australia’s Ditigal Economy Strategy be if it involved a properly funded and resourced Office of the Australian Information Commissioner?

More resources:

OAIC welcomes additional funding for data protection and FOI — OAIC

Annual Report 2019–20 — OAIC

Right to Know blog and tweets – Right to Know

[1] Annual Report 2019–20 — OAIC

[2] Your Right to Know: FOI costs blow out to $60m (smh.com.au)

[3] OAIC welcomes additional funding for data protection and FOI — OAIC