Our reference: FOIREQ20/00129
Dear Mr Alexander
By Email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Your Freedom of Information Request – [FOIREQ20/00129]
Freedom of Information request
I refer to your request for access to documents made under the Freedom of Information Act
1982 (Cth) (the FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 16 July 2020.
Scope of your request
In your email you sought access to the following:
I would like to see all data breach notifications (including all email correspondence and
associated attachments) lodged by or with respect to 1Form (REA-Group), including but not
limited to breaches pertaining to:
- Shead Property
- Raine and Horne Green Square
- Metropole Property Management
On 4 August 2020, Ms McKenna, Lawyer, wrote to you informing you that because your
request covered documents which contain information concerning an organisation’s business
or professional affairs and personal information, the OAIC was required to consult the
individuals and organisations under ss 27 and 27A of the FOI Act before making a decision on
release of the documents.
The period for processing your request was extended by 30 days to allow time to consult
pursuant to s 15(6) of the FOI Act.
1300 363 992 | T +61 2 9284 9749 | F +61 2 9284 9666 | xxxxxxxxx@xxxx.xxx.xx | www.oaic.gov.au
GPO Box 5218, Sydney NSW 2001 | ABN 85 249 230 937
Decision
I am an officer authorised under s 23(1) of the FOI Act to make decisions in relation to FOI
requests.
I have identified twelve documents within the scope of your request. I have decided to refuse
access to each of the documents within scope under subsection 53A(b) (a decision giving
access to a document but not giving, in accordance with the request, access to all documents
to which the request relates) due to the application of the exemption under section 45, and
conditional exemptions under sections 47F and 47G of the FOI Act to some of the
information contained in the documents.
A schedule describing the documents and the access decisions I have made is at Appendix A
to this decision.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your freedom of information request dated 16 July 2020
• the documents at issue
• the FOI Act, in particular sections 11A(5), 22, 45, 47G, 47F and 53A
• the Guidelines issued by the Australian Information Commissioner under s 93A of the FOI
Act (the FOI Guidelines), to which regard must be had in performing a function or
exercising a power under the FOI Act.
• The submissions of a party consulted in relation to the application of the conditional
exemptions under sections 47F and 47G of the FOI Act
• The availability in the public domain of the information or documents over which the
exemptions in sections 47F and 47G of the FOI Act have been applied.
Section 45 – Material obtained in confidence exemption
Section 45 of the FOI Act provides that a document is an exempt document if its disclosure
would found an action by a person (other than an agency or the Commonwealth) for breach
of confidence.
The FOI Guidelines explain the elements of the cause of action for breach of confidence at
[5.159]:
To found an action for breach of confidence (which means s 45 would apply), the following
five criteria must be satisfied in relation to the information:
• It must be specifically identified
• It must have the necessary quality of confidentiality
• It must have been communicated and received on the basis of a mutual
understanding of confidence
• It must have been disclosed or threatened to be disclosed, without
authority
• Unauthorized disclosure of the information has or will cause detriment
[footnote omitted].
The FOI Guidelines provide at [5.162]:
For the information to have the quality of confidentiality it must be secret or only
known to a limited group. Information that is common knowledge or in the public
domain will not have the quality of confidentiality. For example, information that is
provided to an agency and copied to other organisations on a non-confidential or
open basis may not be considered confidential.
Part 2 of the Notifiable Data Breach form (NDB) provides a check box option for an entity to
request that the information provided in part two of the form be held by the OAIC in
confidence.
The form states:
The OAIC will respect the confidence of commercially or operationally sensitive information
provided voluntarily in support of a data breach notification, and will only disclose this
information after consulting with you, and with your agreement or where required by law.
The notifying entity requested part two of the NDB forms be held in confidence by checking
the check box. I am satisfied that the information is specifically identified, has the necessary
quality of confidentiality, and was received on the basis of a mutual understanding of
confidence. I am also satisfied that unauthorised disclosure of this information would cause
detriment.
Therefore, I find that Parts II of the NDB forms are exempt in part under s 45 of the FOI Act.
Section 47F – Conditional Exemption for Personal Information
Section 47F of the FOI Act conditionally exempts documents where disclosure would involve
the unreasonable disclosure of personal information of any person. This exemption is
intended to protect the personal privacy of individuals.
In the FOI Act, personal information has the same meaning as in the Privacy Act 1988 (Cth)
(Privacy Act). Under s 6 of the Privacy Act, personal information means:
…information or an opinion about an identified individual, or an individual who is reasonably
identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not
I am satisfied that the name and contact details of individuals is personal information for the
purposes of the FOI Act.
In determining whether disclosure of personal information would be unreasonable, s 47F(2)
of the FOI Act requires me to have regard to the following matters:
• the extent to which the information is well known
• whether the person to whom the information relates is known to be (or to
have been) associated with the matters dealt with in the document
• the availability of the information from publicly accessible sources
• any other matters I consider relevant.
Documents contain names and contact details of individuals who have lodged and received
data breach notifications with the OAIC.
Based on internet searches I have conducted, I am satisfied that the person to whom the
information relates is not known to be associated with the matters dealt with in the
documents and the information is not available from publicly accessible sources or well
known. I am satisfied that disclosure of the documents would be an unreasonable disclosure
of personal information.
Therefore, I am satisfied that the names and contact details of the individuals who have
lodged data breach notifications, and/or entered into correspondence in regard to the forms,
with the OAIC are conditionally exempt under s 47F of the FOI Act.
Section 11A(5) – Public Interest Test
Section 11A(5) of the FOI Act provides that access must be given to a conditionally exempt
document unless in the circumstances, giving access would, on balance, be contrary to the
public interest.
I have considered the factors set out at section 11B(3) of the FOI Act and find that the most
relevant public interest factor that would favour disclosure is that the disclosure relates to
an important matter of public debate – that being the cyber security of REA, its subsidiaries,
stakeholders and clients.
The FOI Act does not specify any factors against disclosure, however the FOI Guidelines, at
paragraph [6.22], provide a non-exhaustive list of factors against disclosure.
This includes factors such as when disclosure could:
• reasonably be expected to prejudice the protection of an individual’s right to privacy
• reasonably be expected to impede the flow of information to the OAIC in its capacity as a
privacy regulator
• reasonably be expected to prejudice the OAIC’s ability to obtain confidential information
in the future and to engage effectively with regulated entities
• reasonably be expected to impede the administration of justice generally, including
procedural fairness.
The predominant factor against disclosure is that disclosure could reasonably be expected
to interfere with an individual’s right to privacy. I consider that the specific harm in
disclosing an individual’s name, signature and contact details without agreement, and
where this information has not been previously disclosed, would be an interference with an
individual’s right to privacy.
In considering where the public interest lies, I must consider the factors that favour
disclosure balanced against the factors that favour non-disclosure.
On balance, I find that the factor against disclosure, that is, that disclosure could reasonably
be expected to interfere with an individual’s right to privacy, outweighs the factor in favour
of disclosure. I have determined that disclosing the information, conditionally exempt under
s 47F of the FOI Act, would be contrary to the public interest.
Therefore the information is exempt from disclosure under s 47F of the FOI Act.
Section 47G – Conditional Exemption for Business Information
A document is conditionally exempt under s 47G(1)(a) of the FOI Act where disclosure would
disclose information concerning a person in respect of his or her business or professional
affairs, or concerning the business, commercial or financial affairs of an organisation or
undertaking (business information), where the disclosure of the information would, or could
reasonably be expected to, unreasonably affect the person adversely in respect of his or her
lawful business or professional affairs or that organisation or undertaking in respect of its
lawful business, commercial or financial affairs.
The FOI Guidelines explain that the test ‘would, or could reasonably be expected’ requires
the decision maker to assess the likelihood of the predicted or forecast event, effect or
damage occurring after disclosure of a document ([5.16]).
The word ‘could’ is less stringent than ‘would’ and requires analysis of the reasonable
expectation rather than certainty of an event, effect or damage occurring. It may be a
reasonable expectation that an effect has occurred, is presently occurring, or could occur in
the future ([5.17]).
The FOI Guidelines explain that the term ‘unreasonably’ implies a need to balance public
and private interest factors to decide whether disclosure is unreasonable ([6.187]). The test
of reasonableness applies not to the claim of harm but to the objective assessment of the
expected adverse effect ([6.188]).
The documents contain information pertaining to the operation of the IT systems of the
relevant entities, including specifics relating to vulnerabilities of those systems, and detailed
information relating to the countermeasures employed by the entities to address the causes
of the eligible data breach.
Release of the information described above could reasonably be expected to compromise
the relevant entity’s IT system and increase the entity’s susceptibility to a cyberattack.
I therefore find that release of the information could reasonably be expected to adversely
affect the organization(s) in respect of its business, commercial or financial affairs as
disclosure of the information would be unreasonable and could make the entity vulnerable
to future breaches.
The documents also contain information relating to the contractual affairs and internal
operations of the relevant entities, including specifics relating to products used by those
entities to deliver their services, and the structure of their organizational affairs which is
claimed to be information that grants them a competitive advantage, or would put them at a
disadvantage if disclosed.
I accept that the release of the information described above could reasonably be expected to
reveal elements of the entities’ business and professional affairs that are not in the public
domain, and doing so could cause them to lose their competitive advantage over their
competitors thereby causing adverse effect.
I am satisfied that the information pertaining to the contractual affairs and internal
operations of the entities is conditionally exempt under s 47G(1)(a) of the FOI Act.
Section 11A(5) – Public Interest Test
Section 11A(5) of the FOI Act provides that access must be given to a conditionally exempt
document unless in the circumstances giving access would, on balance, be contrary to the
public interest.
The public interest factors that would favour disclosure is that the disclosure would inform
debate on a matter of public importance.
Against these factors I must balance any factors against disclosure. The FOI Act does not
specify any factors against disclosure, however the FOI Guidelines, at paragraph [6.22],
provide a non-exhaustive list of factors against disclosure.
This includes factors such as when disclosure could:
• impede the flow of information to the OAIC in its capacity as a privacy regulator,
specifically in relation to data breach notifications where the information was provided
voluntarily
• prejudice the OAIC’s ability to obtain confidential information in the future
• prejudice the fair treatment of individuals and the information is about unsubstantiated
allegations of misconduct or unlawful, negligent or improper conduct
In considering where the public interest lies, I must consider the factors that favour
disclosure balanced against the factors that favour non-disclosure.
On balance, I find that the factors against disclosure outweigh the factors in favour of
disclosure. I have determined that disclosing the information, conditionally exempt under
s 47G(1)(a) of the FOI Act, would be contrary to the public interest. Therefore the information
is exempt from disclosure under s 47G(1)(a) of the FOI Act.
Release of the documents
Because a third party was consulted in the making of this decision and objected to the
release of some of the material in the documents, I am required, under ss 27(6) and 27A(6) of
the FOI Act, to advise them of my decision and provide them with an opportunity to seek:
• internal review of my decision, or
• review of my decision by the Information Commissioner.
The third party has 30 days from the date they are notified of my decision in which to seek
review. As a result, the documents for release cannot be released to you until this time has
expired, or any internal review or appeal has been completed and my decision to release the
document is upheld or confirmed.
Yours sincerely,
Mark Lindsey-Temple
FOI Officer
Legal Services
16 September 2020
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further Review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision
(IC review). If you wish to apply for IC review, you must do so in writing within
60 days. Your application must provide an address (which can be an email address or
fax number) that we can send notices to, and include a copy of this letter. A request
for IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the AAT for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please
contact xxxxx@xxxx.xxx.xx. More information is available on the Access our
information page on our website.
Disclosure log
Section 11C of the FOI Act requires agencies to publish online documents released to
members of the public within 10 days of release, except if they contain personal or
business information that it would be unreasonable to publish.
The documents will be published on our disclosure log shortly after their release to
you. However, the documents contain certain personal information, business
information and information obtained in confidence that would be
unreasonable to publish and I have decided to delete this information from the
documents before they are published on the OAIC’s disclosure log.
APPENDIX A
FOIREQ20/00129
Document  Description                               Decision on Release
1         a notifiable data breach form             In Part - S45, S47F and 47G
2         file note of a telephone call             In Part - S47F and 47G
3         a notifiable data breach form             In Part - S45, S47F and 47G
4         an email chain                            In Part - S47F and 47G
5         an email chain                            In Part - S47F and 47G
6         an email chain                            In Part - S47F and 47G
7         file notes of telephone calls             In Part - S47F and 47G
8         a transcript of a telephone voice mail    In Part - S47F and 47G
9         a notifiable data breach form             In Part - S45, S47F and 47G
10        an email                                  In Part - S47F and 47G
11        a transcript of a telephone voice mail    In Part - S47F and 47G
12        an email chain                            In Part - S47F and 47G