Our reference: FOIREQ23/00081
Attention: FOI Requestor
By email:
xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Freedom of Information Request – FOIREQ23/00081
Dear FOI Requestor
I refer to your request for access to documents made under the
Freedom of
Information Act 1982 (Cth) (the FOI Act). Your Freedom of Information request (FOI
request) was received by the Office of the Australian Commissioner (OAIC) on 28 April
2023.
I am writing to inform you of my decision.
Under section 25(2) of the FOI Act, I have decided to neither confirm nor deny the
existence of the document the subject of your request, due to finding that, if the
document existed, it would be an exempt document under section 37(1) of the FOI
Act.
In accordance with section 26(1)(a) of the FOI Act, the reasons for my decision and
findings on material questions of fact are provided below.
Background
Scope of your request
Your original FOI request sought access to the following information:
In relation to the Medibank*(1) Data Breach, please release any report and
information provided by Medibank* to the OAIC, including if held, the "Deloitte"
report(2,3) on its Cyberattack, as reported:
1. https://www.oaic.gov.au/newsroom/oaic-opens-investigation-into-medibank-over-data-breach
1300 363 992
T +61 2 9284 9749
GPO Box 5218
www.oaic.gov.au
xxxxxxxxx@xxxx.xxx.xx
F +61 2 9284 9666
Sydney NSW 2001
ABN 85 249 230 937
2. https://www.medibank.com.au/livebetter/newsroom/post/cybercrime-update-deloitte-incident-review
3. https://www.afr.com/companies/healthcare-and-fitness/medibank-to-keep-cyberattack-report-findings-from-customers-public-20230428-p5d3yt
* Medibank includes any parent or subsidiary companies, including any
representatives of those companies.
Personal data of individuals (names, contacts details etc) is not required.
Duplicate content is not required (for example, email trails outlining the same
content).
On 22 May 2023, we wrote to you under section 24AB of the FOI Act to advise you of
our intention to refuse your request under section 24(1) of the FOI Act. This was
because the work involved in processing your request in its then-current form would
substantially and unreasonably divert the resources of the OAIC from its other
operations, as per section 24AA(1)(a)(i) of the FOI Act. In the letter, we advised that
you could:
• withdraw your request
• revise the scope of the request (a number of options for revising the scope
were provided to you), or
• not respond and your FOI request would be taken to have been withdrawn.
On 30 May 2023, you wrote to the OAIC advising of your consultation response. In
your response you revised your request to be as follows:
In relation to the Medibank(1) Data Breach, please release, if held, the
"Deloitte" report(2,3) on its Cyberattack, as reported publicly:
1. https://www.oaic.gov.au/newsroom/oaic-op..
medibank-over-data-breach
2. https://www.medibank.com.au/livebetter/n...
update-deloitte-incident-review
3. https://www.afr.com/companies/healthcare...
cyberattack-report-findings-from-customers-public-20230428-p5d3yt
To assist narrow scope:
A-I define report as a single word or PDF document relating to the report
mentioned in public media (2,3).
B-I do not require the contents of any emails where the responsive document
may be attached.
C- I do not require physical records.
Request timeframe
Your request was made on 28 April 2023.
On 22 May 2023, we sent you a request consultation notice under section 24AB of the
FOI Act. Due to this notice, the processing time for your request was paused under
section 24AB(8) of the FOI Act. On 30 May 2023, we received your consultation
response revising the scope.
This means that a decision on your request is due by 6 June 2023.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 28 April 2023 and subsequent revised scope dated 30
May 2023
• the FOI Act, in particular sections 3, 11, 11A, 15, 25, 26 and 37 of the FOI Act,
and
• the Guidelines issued by the Australian Information Commissioner under
section 93A of the FOI Act to which regard must be had in performing a
function or exercising a power under the FOI Act (FOI Guidelines)
Decision
I am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests on behalf of the OAIC.
Subject to the following provisions of the FOI Act, I have made a decision to:
• Neither confirm nor deny the existence of the document the subject of your
request under section 25(2) of the FOI Act, on the grounds that, if the
document did exist, it would be exempt under section 37(1) of the FOI Act.
Information as to existence of certain documents (section 25)
I am satisfied that a document of the kind you have requested would be an exempt
document for the purposes of section 25(2) of the FOI Act. If the document the
subject of your request existed and was held by the OAIC, it would be an exempt
document under section 37(1) of the FOI Act.
Section 25 of the FOI Act states:
(1) Nothing in this Act shall be taken to require an agency or Minister to give
information as to the existence or non-existence of a document where
information as to the existence or non-existence of that document, if included in
a document of an agency, would cause the last-mentioned document to be:
(a) an exempt document by virtue of section 33 or subsection 37(1) or
45A(1); or
(b) an exempt document to the extent referred to in subsection 45A(2) or
(3).
(2) If a request relates to a document that is, or if it existed would be, of a kind
referred to in subsection (1), the agency or Minister dealing with the request
may give notice in writing to the applicant that the agency or the Minister (as
the case may be) neither confirms nor denies the existence, as a document of
the agency or an official document of the Minister, of such a document but that,
assuming the existence of such a document, it would be:
(a) an exempt document by virtue of section 33 or subsection 37(1) or
45A(1); or
(b) an exempt document to the extent referred to in subsection 45A(2) or
(3).
The FOI Guidelines at [3.93]-[3.95] explain:
The act of confirming or denying the existence of a document can sometimes
cause damage similar to disclosing the document itself. For example, merely
knowing that an agency has a current telecommunications interception
warrant in connection with a specific telephone service would be sufficient
warning to a suspect who could modify their behaviour and possibly undermine
an investigation into serious criminal activity.[1]
(...)
Agencies and ministers should use s 25 only in exceptional circumstances. For
the purposes of IC review, a notice under s 25 is deemed to be notice of a
decision to refuse access on the grounds that the document sought is exempt
under s 33, 37(1) or 45A, as the case may be (s 25(2))
As per [3.105] of the FOI Guidelines, the OAIC is not required to “search for or conduct
an inquiry into the nature of the document being sought.” Instead, section 25(2) of the
FOI Act only requires an “assessment of whether a document of the kind requested is,
or would be, an exempt document under… 37(1) (documents affecting enforcement of
law and protection of public safety)”. For the reasons to follow, I am satisfied that a
document of the kind requested would be exempt under section 37(1) of the FOI
Act.
Documents affecting enforcement of law and protection of public safety (section
37(1))
I have found that a document of the kind requested is, or would be, an exempt
document under section 37(1) of the FOI Act. I have found that release of such a
document would, or could reasonably be expected to, prejudice the conduct of a
current investigation. I have therefore found that 37(1)(a) of the FOI Act applies in
this instance.
Section 37(1)(a) of the FOI Act states:
37 Documents affecting enforcement of law and protection of public safety
(1) A document is an exempt document if its disclosure under this Act
would, or could reasonably be expected to:
(a) prejudice the conduct of an investigation of a breach, or
possible breach, of the law, or a failure, or possible failure, to
comply with a law relating to taxation or prejudice the
enforcement or proper administration of the law in a particular
instance;
The FOI Guidelines at [5.82] provide:
To be exempt under ss 37(1)(a) or 37(1)(b), the document in question should
have a connection with the criminal law or the processes of upholding or
enforcing civil law or administering a law… This is not confined to court action
or court processes, but extends to the work of agencies in administering
legislative schemes and requirements, monitoring compliance, and
investigating breaches.
The FOI Guidelines at [5.86] – [5.87] further explain:
Section 37(1)(a) applies to documents only where there is a current or pending
investigation and release of the document would, or could reasonably be
expected to, prejudice the conduct of that investigation. Because of the phrase
‘in a particular instance’, it is not sufficient that prejudice will occur to other or
future investigations: it must relate to the particular investigation at hand. In
other words, the exemption does not apply if the prejudice is about
investigations in general.
(…)
The exemption is concerned with the conduct of an investigation. For example,
it would apply where disclosure would forewarn the applicant about the
direction of the investigation, as well as the evidence and resources available to
the investigating body — putting the investigation in jeopardy. The section will
not apply if the investigation is closed or if it is being conducted by an overseas
agency.
In order to determine whether disclosure of documents would, or could reasonably
be expected to prejudice the conduct of a current investigation, the FOI Guidelines at
[5.16] - [5.17] note:
The test requires the decision maker to assess the likelihood of the predicted or
forecast event, effect or damage occurring after disclosure of a document.
The use of the word ‘could’ in this qualification is less stringent than ‘would’,
and requires analysis of the reasonable expectation rather than certainty of an
event, effect or damage occurring. It may be a reasonable expectation that an
effect has occurred, is presently occurring, or could occur in the future.
The nature of your request relates to a document that, if it exists and is held by the
OAIC, would pertain to a current and open investigation on foot, currently being
undertaken by the OAIC.[1]
[1] https://www.oaic.gov.au/newsroom/oaic-opens-investigation-into-medibank-over-data-breach
Release of a document in the nature of the one you have requested would relate to
issues that are currently being investigated by the OAIC. Release of such material
prematurely could reasonably be expected to impact the flow of information to the
OAIC in this matter, through impacting Medibank’s confidence in the confidentiality
of the OAIC’s investigative processes.
Accordingly, I have decided that such a document would be exempt under section
37(1)(a) of the FOI Act. I consider that disclosure of such a document would, or
could reasonably be expected to, prejudice the conduct of an open OAIC
investigation.
Further, in considering the application of s 25, I note that your FOI request relates
to a specific document held by a private organisation. Given the specific nature and
content of your FOI request, and that the FOI request was made on a public forum
such as Right to Know, I am of the view that a disclosure confirming the existence of
any document in the nature of the requested documents on its own could
reasonably be expected to enable members of the public to have knowledge of
ongoing investigations currently on foot at the OAIC, with the potential to cause
harm to the efficiency and effective conduct of the investigation, and prejudice the
investigation accordingly. I am therefore satisfied that to confirm or deny the
existence of the document you are seeking in the decision statement would cause
the decision statement to be an exempt document by virtue of subsection 37(1) in
accordance with s 25(2) and 26(2) of the FOI Act.
Please see the following page for information about your review rights.
Yours sincerely,
Jessica Summerhill
A/g Senior Lawyer
5 June 2023
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5288
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision (IC
review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for
IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the AAT for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5288
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page
on our website.