This is an HTML version of an attachment to the Freedom of Information request 'Data breach notifications submitted for 2019'.

Our reference: FOIREQ20/00032 
Ms Lisa Nagi 
By email:   
Your Freedom of information request – FOIREQ20/00032 
Dear Ms Nagi,  
I refer to your request for access to documents, made under the Freedom of 
Information Act 1982
 (Cth) (the FOI Act), dated 6 February 2020 and received by the 
Office of the Australian Information Commissioner (OAIC) on the same date. 
I am an authorised officer under s 23(1) of the FOI Act to make decisions in relation to 
freedom of information (FOI) requests.  
On 6 February 2020, you requested access to:  
the data breach notifications submitted for 2019 
 On 27 February 2020, I wrote to you to advise you that I believed that a practical 
refusal reason, under s 24AA of the FOI Act existed, as the work involved in 
processing your request in its current form will substantially and unreasonably divert 
the resources of the OAIC from its other operations due to its size and broad scope. I 
explained that a failure to comply with this requirement is a ‘practical refusal’ reason 
under s 24AA(1)(a)(i) of the FOI Act. 
You were given an opportunity to consult me to revise your request to remove the 
practical refusal reason and I asked you to state whether you wanted to revise your 
request, withdraw your request or whether you did not want to revise your request. 
On 28 February 2020, you responded, and you revised the scope of you request to the 
the time from of September 1, 2019 - December 31, 2019 
On 11 March 2020, the OAIC advised you that although you had revised the scope of 
your request a practical refusal still existed. This is because the OAIC received 
approximately 360 data breach notifications under the Notifiable Data Breach 
Scheme between 1 September 2019 and 31 December 2019. Further, as the 
1300 363 992 
T +61 2 9284 9749 
GPO Box 5218 
F +61 2 9284 9666 
Sydney NSW 2001 
ABN 85 249 230 937 

information you are seeking relates to a number of third parties those third parties 
will need to be consulted under s 27 of the FOI Act. 
On 12 March 2020, you advised the OAIC that you were willing to revise the scope of 
your request to the following: 
Data breach notifications sent in February of 2020 
On 17 March 2020, I advised you that the term ‘Data Breach Notifications’ apply to 
two categories of data breaches: Voluntary Data Breach notifications and Eligible 
Data Breach notifications which are subject to the Notifiable Data Breach provisions 
in the Privacy Act 1988 (Cth) (Privacy Act). 
In February 2020, the OAIC received 84 Eligible Data Breach notifications and 20 
Voluntary Data Breach notifications. This equates to 104 notifications received in 
February 2020. Working on the premise that you seek access to the Eligible Data 
Breach notifications only, processing your request will take approximately 147 hours 
or four (4) working weeks. This will still be considered an unreasonable diversion of 
I asked if you would like to proceed with you request you would need to reduce the 
scope further to remove the practical refusal reason. I asked you to provide a 
response by 20 March 2020. 
To date I have not received a response to my 17 March 2020 email. As such, I have 
taken your request as withdrawn. 
Request consultation process 
A request is taken to be withdrawn under s 24AB(7) of the FOI Act if the applicant 
does not consult the contact person during the consultation period in accordance 
with the notice or:  
•  withdraw their request 
•  make a revised request, or 
•  tell us that you do not wish to revise your request. 
Because no response was received by the end of the consultation period, this matter  


has been treated as withdrawn. 
Yours sincerely, 
Delaney Smith   
Legal Services Officer   
27 March 2020