Information Commissioner’s Compliance Enforcement Policy & Handbook Available

Around this time every year, as part of the Information Commissioner’s oversight, the ICO receives annual updates from government departments and other public authorities with information about their PATI work during the year (called an ‘ICO Annual Return’). An important part of these updates is a public authority’s confirmation that it has made certain information readily available to the public, without the need for a PATI request.

These requirements (in sections 5 and 6 of the PATI Act) mean that a public authority must publish an Information Statement, keep a log available to the public of all PATI requests received (without the requester’s identifying information) and the outcome of these requests, publish gazette notices with the details of contracts for good or services with a total value of $50,000 or more, and have available their quarterly expenditures.

To fulfill the Information Commssioner’s mandate to promote and safeguard public access to information under the PATI Act, the Information Commissioner and her staff may carry out compliance enforcements in situations where a public authority is failing to meet these requirements of the PATI Act.

In September 2023, the ICO published its first Compliance Enforcement Policy and Handbook to explain how and when the ICO will take action to enforce adherence to these PATI Act requirements. The Compliance Enforcement Handbook describes the Information Commissioner’s powers to provide guidance, review and monitor public authorities’ efforts and, when necessary, to issue an order requiring a public authority to comply with the requirements relating to Information Statements and the availability of other information.

By publishing this Compliance Enforcement Handbook, both the public and public authorities can understand how the ICO carries out compliance enforcements, including:

  • how and on what basis enforcement decisions are made;
  • how the ICO communicates with public authorities and what the ICO asks of them; and
  • how the Information Commissioner evaluates and reports on the outcome of the enforcement.

Compliance enforcements can vary from a simple correspondence with a public authority requesting a correction, to issuing an order requiring a public authority to take a particular corrective action. The level of enforcement the Information Commissioner will adopt depends on:

  • whether the failure to comply is deemed minor or more significant,
  • whether the failure to comply is one-off event or recurring, and
  • whether the causes can be easily rectified or are more systemic.

The primary intention of compliance enforcement is not to penalise public authorities for poor practice, but to support them in complying with the requirements under sections 5 and 6 of the PATI Act. However, when a public authority continues to fail to bring itself into compliance, despite being given a reasonable opportunity and assistance by the ICO to do so, the Information Commissioner has the power to issue an order requiring the public authority to take steps to meet the requirements. The Information Commissioner’s order is legally binding and has the effect of an order of the Supreme Court.

The ICO will publish information periodically about the compliance enforcements the Information Commissioner undertakes to keep the public informed about the ICO’s work. Where possible, once an enforcement is closed, the ICO will ensure appropriate learning points are made available for the benefit of other public authorities. The Compliance Enforcement Handbook joins other publications by the ICO that govern and explain how the Information Commissioner makes decisions and how the ICO carries out the Information Commissioner’s mandate.