Our reference: FOIREQ20/00032
Ms Lisa Nagi
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Your Freedom of information request – FOIREQ20/00032
Dear Ms Nagi,
I refer to your request for access to documents, made under the Freedom of
Information Act 1982 (Cth) (the FOI Act), dated 6 February 2020 and received by the
Office of the Australian Information Commissioner (OAIC) on the same date.
I am an authorised officer under s 23(1) of the FOI Act to make decisions in relation to
freedom of information (FOI) requests.
On 6 February 2020, you requested access to:
the data breach notifications submitted for 2019
On 27 February 2020, I wrote to you to advise you that I believed that a practical
refusal reason, under s 24AA of the FOI Act existed, as the work involved in
processing your request in its current form will substantially and unreasonably divert
the resources of the OAIC from its other operations due to its size and broad scope. I
explained that a failure to comply with this requirement is a ‘practical refusal’ reason
under s 24AA(1)(a)(i) of the FOI Act.
You were given an opportunity to consult me to revise your request to remove the
practical refusal reason and I asked you to state whether you wanted to revise your
request, withdraw your request or whether you did not want to revise your request.
On 28 February 2020, you responded, and you revised the scope of your request to the
following:
the time from of September 1, 2019 - December 31, 2019
On 11 March 2020, the OAIC advised you that although you had revised the scope of
your request a practical refusal still existed. This is because the OAIC received
approximately 360 data breach notifications under the Notifiable Data Breach
Scheme between 1 September 2019 and 31 December 2019. Further, as the
information you are seeking relates to a number of third parties those third parties
will need to be consulted under s 27 of the FOI Act.
1300 363 992
T +61 2 9284 9749
GPO Box 5218
www.oaic.gov.au
xxxxxxxxx@xxxx.xxx.xx
F +61 2 9284 9666
Sydney NSW 2001
ABN 85 249 230 937
On 12 March 2020, you advised the OAIC that you were willing to revise the scope of
your request to the following:
Data breach notifications sent in February of 2020
On 17 March 2020, I advised you that the term ‘Data Breach Notifications’ applies to
two categories of data breaches: Voluntary Data Breach notifications and Eligible
Data Breach notifications which are subject to the Notifiable Data Breach provisions
in the Privacy Act 1988 (Cth) (Privacy Act).
In February 2020, the OAIC received 84 Eligible Data Breach notifications and 20
Voluntary Data Breach notifications. This equates to 104 notifications received in
February 2020. Working on the premise that you seek access to the Eligible Data
Breach notifications only, processing your request will take approximately 147 hours
or four (4) working weeks. This will still be considered an unreasonable diversion of
resources.
I asked if you would like to proceed with your request you would need to reduce the
scope further to remove the practical refusal reason. I asked you to provide a
response by 20 March 2020.
To date I have not received a response to my 17 March 2020 email. As such, I have
taken your request as withdrawn.
Request consultation process
A request is taken to be withdrawn under s 24AB(7) of the FOI Act if the applicant
does not consult the contact person during the consultation period in accordance
with the notice or:
• withdraw their request
• make a revised request, or
• tell us that you do not wish to revise your request.
Because no response was received by the end of the consultation period, this matter
has been treated as withdrawn.
Yours sincerely,
Delaney Smith
Legal Services Officer
27 March 2020