OFFICIAL: Sensitive
Our reference: FOIREQ24/00047
By email
: xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Daniel M
Freedom of Information Request – FOIREQ24/00047
I refer to your request for access to documents made under the
Freedom of Information Act
1982 (Cth) (the FOI Act). Your Freedom of Information (FOI request) was received by the
Office of the Australian Commissioner (OAIC) on 20 January 2024.
I am writing to consult with you on the basis that you request gives rise to a practical
refusal reason.
Background
Scope of your request
Your FOI request sought access to the following information:
1. Data breach reports/notifications received by the OAIC for the period 1 October
2023 to 31 December 2023.
2. Copies of communications from and to the OAIC in relation to the aforementioned
data breach reports/notifications for the same date period.
Notice of intention to refuse your request
I am an officer authorised under s 23(1) of the FOI Act to make FOI decisions on behalf of
the OAIC.
I am writing to consult with you under section 24AB of the FOI Act, because:
• I believe that the work involved in processing your request will substantially and
unreasonably divert the resources of the OAIC from its other operations due to its
size and scope (s 24AA(1)(a)(i));
For the purposes of the FOI Act, this is called a ‘practical refusal reason/s’ (s 24AA(1)(a)(i)
of the FOI Act).
On this basis, I intend to refuse your request for access to documents unless the terms of
your request are revised, so as to remove the practical refusal reason.
OFFICIAL: Sensitive
OFFICIAL: Sensitive
However, before I proceed to a refusal decision, you have an opportunity to revise your
request again. This is called a ‘request consultation process’ as set out under s 24AB of the
FOI Act. You have 14 days to respond to this notice in one of the ways set out at the end of
this letter.
Why I intend to refuse your request
Calculation of the processing time – substantial diversion
Based on searches conducted by the relevant line area, and a preliminary review of the
documents contained on Case Management system Resolve, I estimate it will take the
OAIC at least 237 hours to process your FOI request in its current form.
I consulted with the following line areas in relation to your request;
• Notifiable Data Breaches (NDB) team
They have identified 317 notifications relevant to your request. They estimate it will take
conservatively 45 minutes per notification to check the file and download the application
and any communication to and from the OAIC. As such, it will take at least 237 hours to
process your FOI request and that does not include time need for the review of the
documents and decision making.
I consider that the processing of your request would be a substantial diversion of the
OAIC’s resources, for the purposes of section 24AA(1)(a)(i) of the FOI Act.
Unreasonable diversion of resources
An estimate of processing time is only one of the considerations to be taken into account
when deciding whether a practical refusal reason exists. As well as requiring a request to
substantially divert an agency’s resources, s 24AA also requires the request to
unreasonably divert an agency’s resources from its other functions before it can be
refused under s 24.
The Guidelines issued by the Australian Information Commissioner under s 93A of the FOI
Act (FOI Guidelines) identify matters that may be relevant when deciding whether
processing the request will unreasonably divert an agency’s resources from its other
functions. These include:
• the staffing resources available to the OAIC for FOI processing
• the impact that processing the request may have on other tasks and functions of
the OAIC
• whether an applicant has cooperated in revising the scope of the request
• whether there is a significant public interest in the requested documents
OFFICIAL: Sensitive
OFFICIAL: Sensitive
• other steps taken by an agency or minister to publish information of the kind
requested by an applicant.
The OAIC is a small agency, employing approximately 140 (head count) staff. I consider
that processing a request of this size would substantially impact on the OAIC’s operations
because of the limited number of people the OAIC has available to process FOI requests of
this size and nature.
On the basis that your request will require at least 237 hours to process, it is likely that the
processing of your request would divert OAIC staff away from their other work, including
the OAIC’s:
• ability to process its ongoing FOI request load
• regulatory functions in both FOI and privacy
• activities set out in the OAIC’s 2020/2021 Corporate Plan such as:
o conciliating and investigating privacy complaints, responding to notifiable
data breaches, and overseeing the privacy aspects of the My Health Record
system
o monitoring the handling of personal information in the COVIDSafe system.
o implementation of the Consumer Data Right scheme
o monitoring compliance with new legislation and providing guidance and
education
o improvement of processes for managing FOI requests
o engage with the Open Government Partnership, with delivery of the third
National Action Plan.
For these reasons I have formed the view that processing your request would substantially
impact the OAIC’s operations.
I also consider that the processing of your request would be an unreasonable diversion of
the OAIC’s resources.
Request consultation process
You now have an opportunity to revise your request so as to remove the practical refusal
reason.
There are a number of ways that you can reduce the scope of your request so as to remove
the practical refusal reason. These include limiting and/or further revising the scope of
your request by:
• removing your request for the notification and correspondence to and from the
OAIC
• narrowing the request to sample of 10 notifications
OFFICIAL: Sensitive
OFFICIAL: Sensitive
By way of assistance, we have also drafted the following revised scope for your
consideration:
Data breach reports (for notifications to the OAIC) for the period 1 October 2023 to
31 December 2023.
If you would like to proceed with the above revised scope of your request or proceed with
another revision of scope you should advise us in a reply email.
Before the end of the consultation period, you must do one of the following, in writing:
• withdraw your request
• make a revised request
• tell us that you do not wish to revise your request.
The consultation period runs for
14 days and starts on the day after you receive this
notice. Therefore, you must respond to this notice by 16 February 2024.
During this period, you can ask the contact person (see below) for help to revise your
request. If you revise your request in a way that adequately addresses the practical refusal
reasons outlined above, we will recommence processing it.
Please note that the time taken to consult you regarding the scope of your request is not
taken into account for the purposes of the 30 day time limit for processing your request.
If you do not do one of the three things listed above during the consultation period or you
do not consult the contact person during this period, your request will be taken to have
been withdrawn.
Contact officer
If you would like to revise your request, or have any questions, you can contact me at
xxx@xxxx.xxx.xx.
Yours sincerely,
Emily Elliott
Senior Lawyer
1 February 2024
OFFICIAL: Sensitive