1300 363 992
T +61 2 9284 9749
F +61 2 9284 9666
GPO Box 5218
Sydney NSW 2001
www.oaic.gov.au
xxxxxxxxx@xxxx.xxx.xx
ABN 85 249 230 937
Our reference: FOIREQ24/00047
Daniel M
By email: xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Daniel
Freedom of Information Request – FOIREQ24/00047
I refer to your request for access to documents made under the Freedom of Information Act 1982 (Cth) (the FOI Act). Your Freedom of Information (FOI) request was received by the Office of the Australian Information Commissioner (OAIC) on 20 January 2024.
I am writing to inform you of my decision.
Background
Scope of your request
Your FOI request sought access, via 2 emails on 20 January 2024, to the following information:
I hereby submit a request under the FOI Act for the following document/s:
1. Data breach reports/notifications received by the OAIC for the period 1
October 2023 to 31 December 2023.
…
I hereby amend my request under the FOI Act to include:
2. Copies of communications from and to the OAIC in relation to the
aforementioned data breach reports/notifications for the same date period.
The same agreement to redact/exclude information applies in the event where
inclusion of the information would result in a refusal of the request.
Following consultation with you under s 24AB of the FOI Act, on 1 February 2024 you revised your request to be as follows:
I would be willing to revise my request to a random sample of 10 as per your
suggestion, under the same requirements as my initial request (i.e. notifications
submitted to the OAIC, and communications from/to the OAIC in relation to said
notifications).
Request timeframe
Your request was made on 20 January 2024. This means that a decision on your
request is due by 19 February 2024.
Decision
I am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests on behalf of the OAIC.
I have identified 52 documents relevant to your request. Subject to the following
provisions of the FOI Act, I have made a decision to:
• create and grant access in part to 1 document;
• grant access in part to 8 documents; and
• refuse access in full to 43 documents.
In accordance with section 26(1)(a) of the FOI Act, the reasons for my decision and
findings on material questions of fact are provided below.
Searches Undertaken
The FOI Act requires that all reasonable steps have been taken to locate documents
within scope of an FOI request.
The following line areas of the OAIC conducted reasonable searches for documents
relevant to your request:
• Notifiable data breaches team.
Searches were conducted across the OAIC’s various document storage systems
including:
• the OAIC’s case management system – Resolve
• the OAIC’s document holding system – Content Manager
• the OAIC’s email system
• general computer files
• paper files
Having consulted with the relevant line area and undertaken a review of the records
of the various search and retrieval efforts, I am satisfied that a reasonable search has
been undertaken in response to your request.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 20 January 2024 and subsequent revised scope dated
1 February 2024;
• the FOI Act, in particular sections 3, 11, 11A, 15, 24AB, 26, 47E(d) and 47G of the FOI Act;
• the Guidelines issued by the Australian Information Commissioner under
section 93A of the FOI Act to which regard must be had in performing a function
or exercising a power under the FOI Act (FOI Guidelines); and
• consultation with the relevant line area of the OAIC in relation to your request.
Access to edited copies with irrelevant and exempt matter deleted (section 22)
In accordance with section 22 of the FOI Act, an agency must consider whether it
would be reasonably practicable to prepare an edited copy of documents subject to
an FOI request where material has been identified as exempt or irrelevant to the
request. I have determined that FOI Act exemptions apply to this material.
Accordingly, I have made an edited copy of the documents which removes this exempt material and otherwise grants you full access to the material in scope of your request.
Creation of a document in response to your FOI request (section 17)
Pursuant to section 17 of the FOI Act, I have made a decision to create 1 document in
response to your request. I have made a decision to grant partial access to this
document.
Under section 17 of the FOI Act, if an FOI request is made for a document that could be produced by using a computer ordinarily available to the agency for retrieving or collating stored information, an agency is required to deal with the request as if it were a request for written documents to which the FOI Act applies.
The FOI Guidelines [at 3.204] explain that section 17 may require an agency to produce
a written document of information that is stored electronically and not in a discrete
written form, if it does not appear from the request that the applicant wishes to be
provided with a computer tape or disk on which the information is recorded. The
obligation to produce a written document arises if:
• the agency could produce a written document containing the information by using a computer or other equipment that is ‘ordinarily available’ to the agency for retrieving or collating stored information (section 17(1)(c)(i)), or making a transcript from a sound recording (section 17(1)(c)(ii)); and
• producing a written document would not substantially and unreasonably
divert the resources of the agency from its other operations (section 17(2)).
If those conditions are met, the FOI Act applies as if the applicant had requested access
to the written document and it was already in the agency’s possession.
Part of your FOI request sought access to data breach reports. The Notifiable Data
Breach team advised me that this material is not available in a discrete form but
instead is able to be produced in a written document through the use of a
computer. In light of this, a document has been created under section 17 in response
to your request and is included in the schedule of documents attached.
Proper and efficient conduct of the OAIC’s operations (s 47E(d))
In accordance with section 47E(d) of the FOI Act, I have made a decision to exempt
material on the basis that disclosure would or could reasonably be expected to have
a substantial adverse effect on the proper and efficient conduct of the OAIC’s
operations.
Paragraph 6.101 of the FOI Guidelines explains that:
For the grounds in ss 47E(a)–(d) to apply, the predicted effect needs to be
reasonably expected to occur. The term ‘could reasonably be expected’ is
explained in greater detail in Part 5. There must be more than merely an
assumption or allegation that damage may occur if the document were to be
released.
Additionally, at 6.103 the FOI Guidelines further explain:
An agency cannot merely assert that an effect would occur following disclosure.
The particulars of the predicted effect should be identified during the decision
making process, including whether the effect could reasonably be expected to
occur. Where the conditional exemption is relied upon, the relevant particulars
and reasons should form part of the decision maker’s statement of reasons, if
they can be included without disclosing exempt material (s 26, see Part 3).
The material that I have decided is subject to conditional exemption comprises details of the affected organisations and data breaches (including communication between the OAIC and the organisation) that may allow the affected organisation and the particular breach to be identified.
Functions and Powers of the OAIC
In order to determine whether disclosure of the documents would, or could
reasonably be expected to, have a substantial adverse effect on the proper and
efficient conduct of the operations of the OAIC, I have taken into consideration the
functions and activities of the OAIC.
Due to the nature of the relevant documents and material, I have had regard to:
• the Australian Information Commissioner’s investigative powers under the
Privacy Act 1988 (Cth) (Privacy Act); and
• the OAIC’s Notifiable Data Breaches investigation processes.
The OAIC is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (Cth) (AIC Act). The OAIC comprises the Australian Information Commissioner and the Privacy Commissioner, the FOI Commissioner and the staff of the OAIC.
The OAIC is established under s 5 of the AIC Act. Section 5 also provides that the Information Commissioner is the Head of the OAIC for the purposes of the Public Service Act 1999 (Cth). Section 5 further provides that for the purposes of the Public Governance, Performance and Accountability Act 2019 (Cth) the Information Commissioner is the accountable authority of the OAIC.
Under the AIC Act and the Privacy Act, the Information Commissioner has a range of
functions and powers under the Notifiable Data Breaches (NDB) scheme, including to:
• receive notifications of eligible data breaches;
• encourage compliance with the scheme, including by handling complaints,
conducting investigations and taking other regulatory action;
• offer advice and guidance to regulated organisations; and
• provide information to the community about the operation of the NDB scheme.
While organisations are required to report data breach incidents to the OAIC, the
extent of information provided is voluntary. At a minimum, organisations must
provide the following information:
• the organisation or agency’s name and contact details;
• a description of the data breach;
• the kinds of information involved; and
• recommendations about the steps individuals should take in response to the
data breach.
However, as noted on the OAIC’s website,¹ the OAIC recommends reporting organisations provide the following information to assist the OAIC to fully investigate the breach:
• the circumstances of the data breach;
• what the organisation has done to contain the data breach; and
• whether any remedial action has been taken.
The OAIC website also advises reporting organisations that “…The more information
you tell us about the circumstances of the data breach, what you’ve done to contain
the data breach and any remedial action you’ve taken, will help us respond to your
notification”. The OAIC relies on the information provided by the organisations in order to consider whether further regulatory action, if any, is required.
In these circumstances, I find it is likely that disclosure of the documents would
decrease the willingness of organisations affected by data breaches to make full
disclosure to the OAIC. If organisations reporting a data breach to the OAIC believe
their sensitive business information may be publicly disclosed, they will be less likely
to engage with the OAIC and provide the necessary information for the OAIC to
conduct its NDB scheme functions. This will have a substantial adverse effect on the
proper and efficient conduct of the OAIC as the body responsible for overseeing the
NDB scheme.
¹ Report a data breach - Home (oaic.gov.au)
Accordingly, based on the information before me at this time, I am satisfied that disclosure at this time of the relevant documents relating to a notifiable data breach reported to the OAIC, where the FOI applicant is not the reporting organisation, would, or could reasonably be expected to, have a substantial adverse effect on the proper and efficient operations of the OAIC in investigating NDBs.
For these reasons, I am satisfied that the relevant documents and material are
conditionally exempt.
As section 47E is a conditional exemption, I am also required to consider the
application of a public interest test.
My consideration of the public interest test, in respect of all the material subject to conditional exemption in this document, is discussed below.
Business information conditional exemption (section 47G(1)(a))
In the alternative, I have made a decision to redact material contained within the
documents in accordance with section 47G(1)(a) of the FOI Act.
Section 47G(1) of the FOI Act provides:
(1) A document is conditionally exempt if its disclosure under this Act would disclose information concerning a person in respect of his or her business or professional affairs or concerning the business, commercial or financial affairs of an organisation or undertaking, in a case in which the disclosure of the information:
(a) would, or could reasonably be expected to, unreasonably affect that person adversely in respect of his or her lawful business or professional affairs or that organisation or undertaking in respect of its lawful business, commercial or financial affairs; or
(b) could reasonably be expected to prejudice the future supply of information to the Commonwealth or an agency for the purpose of the administration of a law of the Commonwealth or of a Territory or the administration of matters administered by an agency.
In undertaking an assessment of this conditional exemption, I have had regard to relevant and recent AAT and Information Commissioner decisions including ‘ABH’ and Australian Transport Safety Bureau (Freedom of information) [2022] AICmr 27, Bell and Secretary, Department of Health (Freedom of information) [2015] AATA 494 and ‘E’ and National Offshore Petroleum Safety and Environmental Management Authority [2012] AICmr 3.
I also note the AAT case of Re Secretary, Department of Employment and Besser and Others (2017) 166 ALD 343 which discussed the exemption of material which identified businesses who were the subject of investigation. I consider this case relevant to my consideration of the business material identified in the documents subject to this request, which relate to investigations undertaken by the OAIC. I note at paragraph [28] the Tribunal found:
[28] A hypothetical neutral reader of the documents might not ascribe any weight to those unsubstantiated allegations. But I think that disclosure of the documents could reasonably be expected to have an adverse effect on providers by naming them as having been the subject of allegations to, or investigations by, the Department. That effect would be a reduction in the number of employers or unemployed people seeking to use a provider’s services, and a consequential reduction in the provider’s access to funding under the program. The documents do not reveal whether the allegations have been substantiated. In those circumstances, I think that the adverse effect, upon the providers, of disclosure would be unreasonable for the purposes of s 47G.
Under s 47G(1)(a) of the FOI Act, a document is conditionally exempt from disclosure
if its release would disclose information concerning the business, commercial or
financial affairs of an organisation or undertaking, in circumstances where disclosure
of such information would unreasonably affect an organisation in the undertaking of
its lawful business or commercial affairs. As noted in Seven Network Operations Limited and Australian Human Rights Commission [2021] AICmr 66 [156-157]:
… the business information exemption is intended to protect the interests of third
parties dealing with the government. The operation of s 47G depends on the
effect of disclosure rather than the precise nature of the information itself.
Notwithstanding this, the information must have some relevance to a person in
respect of their business or professional affairs or to the business, commercial
and financial affairs of the organisation… The term ‘business affairs’ has been
interpreted to mean ‘the totality of the money-making affairs of an organisation
or undertaking as distinct from its private or internal affairs’.
In this instance, the exempt documents contain information from several third-party
organisations including software used within the organisation’s internal systems and
network environments, the cause of the data breach, and internal organisational
emails sent to affected persons.
I am therefore satisfied that this is information concerning the business affairs of the
affected third-party organisations.
As section 47G is a conditional exemption, I am also required to consider the
application of a public interest test.
My consideration of the public interest test, in respect of all the material subject to conditional exemption in this document, is discussed below.
Prejudice future supply of information (s 47G(1)(b))
Section 47G(1)(b) applies where disclosure could reasonably be expected to prejudice
the future supply of information to the OAIC for the purpose of the administration of
matters administered by the OAIC. The FOI Guidelines provide, at [6.198]:
This limb of the conditional exemption comprises two parts:
• a reasonable expectation of a reduction in the quantity or quality of business affairs information to the government
• the reduction will prejudice the operations of the agency
The FOI Guidelines further provide, at [6.200] – [6.201]:
Where the business information in question can be obtained compulsorily, or is
required for some benefit or grant, no claim of prejudice can be made. No
prejudice will occur if the information in issue is routine or administrative (that is,
generated as a matter of practice).
The agency will usually be best placed to identify, and be concerned about the
circumstances where the disclosure of documents might reasonably be expected
to prejudice the future supply of information to it.
The term ‘prejudice’ is not defined in the FOI Act. The FOI Guidelines provide the
following definition, at [5.22] – [5.23]:
… The Macquarie Dictionary definition of ‘prejudice’ requires:
a. disadvantage resulting from some judgement or action of another
b. resulting injury or detriment
A prejudicial effect is one which would cause a bias or change to the expected
results leading to detrimental or disadvantageous outcomes. The expected
outcome does not need to have an impact that is ‘substantial and adverse’.
As above, although reporting eligible data breaches is compulsory, the extent of
information provided by an organisation is voluntary. The OAIC recommends the
reporting organisation provide additional information relating to the circumstances
of the data breach, what the organisation has done to contain the data breach and
what, if any, remedial action has been taken to assist the OAIC to investigate the data
breach.
As previously mentioned above, the documents contain details of third-party organisations’ software used to provide business services, the storage of data relating to business operations, and affected persons within the organisations’ clientele. In my view, disclosure of the relevant documents in this case could reasonably be expected to prejudice the future supply of information to the OAIC if third-party organisations’ sensitive business information, which was provided to the OAIC for the purpose of assisting the OAIC in assessing an NDB incident, is disclosed. I also consider disclosure of such information could reduce the quantity or quality of information regarding the data breach provided to the OAIC by reporting organisations in the future and could hinder the ability of the OAIC to conduct a full investigation, which may lead to the disadvantageous outcome that an appropriate determination is not made.
For the above reasons, based on the information before me at this time, I am satisfied
that disclosure of the documents at this time could reasonably be expected to
prejudice the future supply of information to the OAIC for the purposes of reporting
NDBs.
As section 47G is a conditional exemption, I am also required to consider the
application of a public interest test. My consideration of the public interest test is
discussed below.
Application of the public interest test (sections 11A and 11B)
As provided above, I have considered that material within the documents is subject to
conditional exemption under s 47E(d) and s 47G(1) of the FOI Act.
Section 11A(5) provides that where a document is considered to be conditionally exempt, an agency must give the person access to that document unless doing so would, on balance, be contrary to the public interest. This means that I must balance factors for and against disclosure in light of the public interest.
In Chapter 6, the FOI Guidelines provide the following guidance:
6.4 There is a single public interest test to apply to each of the conditional exemptions. This public interest test is defined to include certain factors that must be taken into account where relevant, and some factors which must not be taken into account.
6.5 The public interest test is considered to be:
• something that is of serious concern or benefit to the public, not merely of individual interest
• not something of interest to the public, but in the public interest
• not a static concept, where it lies in a particular matter will often depend on a balancing of interests
• necessarily broad and non-specific, and
• related to matters of common concern or relevance to all members of the public, or a substantial section of the public.
6.6 It is not necessary for a matter to be in the interest of the public as a whole. It may be sufficient that the matter is in the interest of a section of the public bounded by geography or another characteristic that depends on the particular situation. A matter of public interest or benefit to an individual or small group of people may also be a matter of general public interest.
In the AAT case of Utopia Financial Services Pty Ltd and Australian Securities and Investments Commission (Freedom of information) [2017] AATA 269, at paragraph 133 of the decision, Deputy President Forgie explained that:
… the time at which I make my decision for section 11A(5) requires access to be
given to a conditionally exempt document “at a particular time” unless doing so
is, on balance, contrary to the public interest. Where the balance lies may vary
from time to time for it is affected not only by factors peculiar to the particular
information in the documents but by factors external to them.
The FOI Act sets out four factors favouring access, which must be considered if
relevant. Of these factors, I consider the relevant factors to be that disclosure would:
• promote the objects of the FOI Act; and
• inform debate on a matter of public importance.
Section 11B(4) of the FOI Act provides factors which are not to be taken into account, and I have had regard to these. Section 11B does not further prescribe the factors against disclosure to be considered. In considering the documents subject to this request, I consider that the following factors do not favour disclosure:
• disclosure of the affected third-party organisations’ business information
could reasonably be expected to have a substantial adverse effect on the
investigative functions of the OAIC by discouraging organisations impacted by
eligible data breaches from providing the OAIC all information relating to the
breach.
• disclosure of the affected third-party organisations’ business information
could reasonably be expected to prejudice the future supply of confidential
information to the OAIC for the purpose of the administration of matters
administered by the OAIC.
• disclosure could reasonably be expected to reduce the quantity of information
provided to the OAIC in the future by reporting organisations who have been
affected by a data breach.
In particular, I have given significant weight to the fact that the documents in scope were submitted by third-party businesses, or contain information provided to the OAIC by third-party businesses, regarding their business information and affairs associated with an NDB, and that disclosure could impact on the future supply of this information and the cooperation of the organisations involved in future data breaches.
Whilst I acknowledge the public interest in informing the public about data breaches
and their impact on both the individuals involved and the community as a whole, I
consider that public interest is outweighed in this instance by the need to ensure the
flow of information from organisations to the OAIC to allow the effective oversight of
significant data breaches.
On balance, I consider the public interest factors against disclosure to be more
persuasive than the public interest factors favouring disclosure. I am satisfied that
disclosing the conditionally exempt material would be contrary to the public interest.
Disclosure log decision
Section 11C of the FOI Act requires agencies to publish online documents released to members of the public within 10 days of release, except if they contain personal or business information that would be unreasonable to publish.
I have made a decision to publish the redacted version of the documents subject to
your request on the OAIC’s disclosure log.
Release of documents
The documents are enclosed for release and are identified in the attached schedule of
documents.
Please see the following page for information about your review rights.
Yours sincerely
Emily Elliott
Senior Lawyer
19 February 2024
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There is
no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that my
decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision (IC review).
If you wish to apply for IC review, you must do so in writing within 60 days. Your
application must provide an address (which can be an email address or fax number)
that we can send notices to, and include a copy of this letter. A request for IC review
can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the Act
it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the AAT for review of
an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page on
our website.