Our reference: FOIREQ20/00245
Mr Warrick Alexander
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Your Freedom of Information Request – FOIREQ20/00245
I refer to your request for access to documents made under the Freedom of Information Act 1982 (Cth) (the FOI Act) and received by the Office of the Australian Information Commissioner (OAIC) on 20 December 2020.
Scope of your request
In your email of 20 December 2020, you sought access to the following:
I would like to see all data breach notifications to date (including all email
correspondence and associated attachments to date) lodged by or with respect to
1Form (REA-Group), including but not limited to breaches pertaining to:
- Shead Property
- Raine and Horne Green Square
- Metropole Property Management.
On 24 December 2020, I wrote to you and acknowledged receipt of your FOI request.
On 14 January 2021, I wrote to you informing you that the scope of your request included
documents which contain information concerning an organisation’s business or professional
affairs and third party personal information, and the OAIC was required to consult the
individuals and organisation under ss 27 and 27A of the FOI Act before making a decision to
release the documents. No document containing your name or other personal information
was disclosed as part of this process.
The period for processing your request was extended by 30 days to allow time to consult
pursuant to s 15(6) of the FOI Act.
Decision
I am an officer authorised under s 23(1) of the FOI Act to make decisions in relation to FOI
requests.
I have identified 45 documents within the scope of your request. I have decided to grant you
access to 45 documents in part, with the redaction of material found to be exempt under
ss 45, 47E(d), 47F and 47G of the FOI Act.
1300 363 992 | T +61 2 9284 9749 | F +61 2 9284 9666 | GPO Box 5218, Sydney NSW 2001 | www.oaic.gov.au | xxxxxxxxx@xxxx.xxx.xx | ABN 85 249 230 937
My reasons for this decision follow.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your freedom of information request dated 20 December 2020
• the documents at issue
• the FOI Act, in particular ss 11A(5), 45, 47E(d), 47G and 47F
• the Guidelines issued by the Australian Information Commissioner under s 93A of the FOI
Act (the FOI Guidelines), to which regard must be had in performing a function or
exercising a power under the FOI Act.
Section 45 – Material obtained in confidence exemption
The documents that I have identified within scope of your request can be characterised as
data breach notification reports made to the OAIC by third parties in Notifiable Data Breach
(NDB) forms. I have also identified file notes from the OAIC’s case management system,
Resolve, and email correspondence from third parties to the OAIC.
I have decided that material in 17 documents is exempt in part under s 45 of the FOI Act.
The material that I have described above and have identified within the scope of your
request is information that has been provided to the OAIC in confidence and has not been
released publicly at this time.
Section 45 of the FOI Act provides that a document is an exempt document if its disclosure
would found an action by a person (other than an agency or the Commonwealth) for breach
of confidence.
The FOI Guidelines explain the elements of the cause of action for breach of confidence at
[5.159]:
To found an action for breach of confidence (which means s 45 would apply), the
following five criteria must be satisfied in relation to the information:
• It must be specifically identified
• It must have the necessary quality of confidentiality
• It must have been communicated and received on the basis of a mutual
understanding of confidence
• It must have been disclosed or threatened to be disclosed, without authority
• Unauthorized disclosure of the information has or will cause detriment
[footnote omitted].
The FOI Guidelines provide at [5.162]:
For the information to have the quality of confidentiality it must be secret or only
known to a limited group. Information that is common knowledge or in the public
domain will not have the quality of confidentiality. For example, information that is
provided to an agency and copied to other organisations on a non-confidential or
open basis may not be considered confidential [footnote omitted].
Part two of the NDB form provides a check box option for an entity to request that the
information provided in part two of the form is held by the OAIC in confidence.
The form states:
The OAIC will respect the confidence of commercially or operationally sensitive
information provided voluntarily in support of a data breach notification, and will
only disclose this information after consulting with you, and with your agreement or
where required by law.
Where notifying entities have requested that the information provided in part two of the NDB
form is held by the OAIC in confidence, by checking the aforementioned check box, I am
satisfied that the information is specifically identified, has the necessary quality of
confidentiality and was received on the basis of a mutual understanding of confidence. I am
also satisfied that unauthorised disclosure of this information would cause detriment.
Therefore, I find that material in these documents is exempt under s 45 of the FOI Act.
Section 47F – Conditional Exemption for Personal Information
I have decided that material in 42 documents within scope of your request is also
conditionally exempt under s 47F of the FOI Act.
The material that I have found to be conditionally exempt under s 47F can be described as
the names and contact details of third party individuals.
Section 47F of the FOI Act conditionally exempts documents where disclosure would involve
the unreasonable disclosure of personal information of any person. This exemption is
intended to protect the personal privacy of individuals.
In the FOI Act, personal information has the same meaning as in the Privacy Act 1988 (Cth) (Privacy Act). Under s 6 of the Privacy Act, personal information means:
…information or an opinion about an identified individual, or an individual who is
reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not
I am satisfied that the name and contact details of individuals is personal information for the
purposes of the FOI Act.
In determining whether disclosure of personal information would be unreasonable, s 47F(2)
of the FOI Act requires me to have regard to the following matters:
• the extent to which the information is well known
• whether the person to whom the information relates is known to be (or to have been)
associated with the matters dealt with in the document
• the availability of the information from publicly accessible sources
• any other matters I consider relevant.
The documents contain the names and contact details of individuals who have
communicated with the OAIC in relation to data breach notifications. I am satisfied that
disclosure of this material would be an unreasonable disclosure of personal information.
Therefore, I am satisfied that the names and contact details of the third party individuals
who have communicated with the OAIC in relation to data breach notifications are
conditionally exempt under s 47F of the FOI Act.
Business affairs conditional exemption – s 47G(1)(a)
I have decided that material in 44 documents within scope of your FOI request is
conditionally exempt in part under s 47G of the FOI Act.
The material that I have found to be conditionally exempt under s 47G can be described as
information released to the OAIC as part of the submission of data breach notification
reports by third parties. This includes information that is not publicly available about how
third parties detect and respond to data incidents and security protocols that have been
implemented.
A document is conditionally exempt under s 47G(1)(a) of the FOI Act where disclosure would
disclose information concerning a person in respect of his or her business or professional
affairs, or concerning the business, commercial or financial affairs of an organisation or
undertaking (business information), where the disclosure of the information would, or could
reasonably be expected to, unreasonably affect the person adversely in respect of his or her
lawful business or professional affairs or that organisation or undertaking in respect of its
lawful business, commercial or financial affairs.
The FOI Guidelines explain that the test ‘would, or could reasonably be expected’ requires
the decision maker to assess the likelihood of the predicted or forecast event, effect or
damage occurring after disclosure of a document ([5.16]). The word ‘could’ is less stringent
than ‘would’ and requires analysis of the reasonable expectation rather than certainty of an
event, effect or damage occurring. It may be a reasonable expectation that an effect has
occurred, is presently occurring, or could occur in the future ([5.17]).
The FOI Guidelines explain that the term ‘unreasonably’ implies a need to balance public
and private interest factors to decide whether disclosure is unreasonable ([6.187]). The test
of reasonableness applies not to the claim of harm but to the objective assessment of the
expected adverse effect ([6.188]).
The document contains information pertaining to the operation of third parties’ security
systems that is not in the public domain. I consider that release of this information could
reasonably be expected to compromise IT systems and increase susceptibility to a
cyberattack.
I find that release of the information could reasonably be expected to have an unreasonably
adverse effect on the third party in respect of its business, commercial or financial affairs as
disclosure of the information could make the third party vulnerable to future data breaches.
In addition to this, the third party’s competitors may not employ similar security measures.
The release of the information could reasonably be expected to have an unreasonable
adverse effect on that third party.
Therefore, I am satisfied that the material pertaining to the operation of the IT systems of the
third party is conditionally exempt under s 47G(1)(a) of the FOI Act.
Certain operations of agencies exemption – s 47E(d)
I have decided that material in 7 documents within scope of your request is also
conditionally exempt in part under s 47E(d) of the FOI Act.
OAIC’s internal assessment processes
The material that I have found to be conditionally exempt under s 47E(d) can be described as
information about the way in which the OAIC assesses NDBs reported under the NDB scheme
and recommendations and decisions made resulting from this assessment.
Under s 47E(d) of the FOI Act, a document is conditionally exempt if its disclosure could
reasonably be expected to have a substantial adverse effect on the proper and efficient
conduct of the operations of an agency.
Section 47E(d) of the FOI Act states:
A document is conditionally exempt if its disclosure under this Act would, or could
reasonably be expected to, do any of the following:
…
(d) have a substantial adverse effect on the proper and efficient conduct of the
operations of an agency.
The FOI Guidelines at [6.101] provide:
For the grounds in ss 47E(a)–(d) to apply, the predicted effect needs to be reasonably
expected to occur. The term ‘could reasonably be expected’ is explained in greater
detail in Part 5. There must be more than merely an assumption or allegation that
damage may occur if the document were to be released.
Additionally, at [6.103] the FOI Guidelines further explain:
An agency cannot merely assert that an effect would occur following disclosure. The
particulars of the predicted effect should be identified during the decision making
process, including whether the effect could reasonably be expected to occur. Where
the conditional exemption is relied upon, the relevant particulars and reasons
should form part of the decision maker’s statement of reasons, if they can be
included without disclosing exempt material (s 26, see Part 3).
In order to determine whether disclosure would, or could reasonably be expected to, have a
substantial adverse effect on the proper and efficient conduct of the operations of the OAIC, I
have taken into consideration the functions and activities of the OAIC.
The OAIC is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (Cth). The OAIC
comprises the Australian Information Commissioner and the Privacy Commissioner (both
offices currently held by Angelene Falk) and the staff of the OAIC.
Due to the nature of the documents at issue, I have had regard to the Australian Information
Commissioner’s regulatory functions and powers under the Privacy Act, and the
performance of those functions and exercise of those powers under the Notifiable Data
Breaches Scheme (NDB scheme).
The OAIC has a number of roles under the NDB scheme in the Privacy Act. These include:
• receiving notifications of eligible data breaches
• encouraging compliance with the scheme, including by handling complaints,
conducting investigations, and taking other regulatory action in response to
instances of non-compliance
• offering advice and guidance to regulated entities, and providing information to the
community about the operation of the scheme.
The NDB scheme, which is facilitated by the OAIC is a key contributor to safeguarding the
privacy of individuals under the Privacy Act. In order for the OAIC to administer this scheme
and ensure that organisations are in compliance with this, we need to conduct our
assessment processes to ensure organisations are in compliance. If the OAIC were to release
the contents of our NDB assessment processes, this could jeopardise the integrity of our
processes. As such, it is my view that the release of documents related to the OAIC’s NDB
assessment process at this time may have a substantial and adverse impact on our ability to
administer the NDB scheme.
I find that release of information about the way in which the OAIC assesses NDBs reported
under the NDB scheme and recommendations and decisions made resulting from this
assessment could reasonably be expected to have a substantial adverse effect on the proper
and efficient conduct of the operations of the OAIC’s NDB scheme and is conditionally
exempt from disclosure under s 47E(d) of the FOI Act.
OAIC’s network address
I have decided that material is conditionally exempt from disclosure under s 47E(d) of the
FOI Act. The relevant material that I have found to be conditionally exempt is the network
address for the OAIC’s IT system.
In the Information Commissioner review (IC review) case of ‘AW’ and Australian Taxation Office (Freedom of information) [2014] AICmr 1 (‘AW’), the then Freedom of Information
Commissioner considered the decision by the Australian Taxation Office (ATO) to exempt
user IDs under s 47E(d) of the FOI Act. The user IDs are used by ATO staff to access the ATO’s
IT system. The Commissioner found that disclosing the user IDs ‘would have an adverse
effect on the security of the ATO’s IT systems, and could reasonably be expected to have a
substantial adverse effect on the proper and efficient conduct of the ATO’.
In a series of subsequent IC review decisions, the former Australian Information
Commissioner agreed with the reasoning given by the Commissioner in ‘AW’ to find that user
IDs used by ATO staff to access the ATO’s IT system are exempt under s 47E(d).
In deciding whether disclosure of the network address of the OAIC’s IT system, would or
could reasonably be expected to, have a substantial adverse effect on the operation of the
OAIC, I have had regard to the OAIC’s functions and responsibilities.
The OAIC collects and stores a range of personal and financial information about members
of the public. The network address contains information about the OAIC’s IT system
(including the network location and storage of information). I consider that disclosure of this
information could compromise the safety and security of the storage of the information held
by the OAIC. The impact of any compromise to the safety and security of the OAIC’s
information systems would result in a serious adverse impact on the functions and
responsibilities of the OAIC.
I consider that the disclosure of the network address of the OAIC’s computer system could
reasonably be expected to have a substantial adverse effect on the proper and efficient
conduct of the OAIC’s operations.
I have decided that the network address of the OAIC’s IT system is conditionally exempt from
disclosure under s 47E(d) of the FOI Act.
Section 11A(5) – Public Interest Test
Section 11A(5) of the FOI Act provides that access must be given to a conditionally exempt
document unless in the circumstances giving access would, on balance, be contrary to the
public interest.
The public interest factor that would favour disclosure is that the disclosure would inform
debate on a matter of public importance.
Against these factors I must balance any factors against disclosure. The FOI Act does not
specify any factors against disclosure, however the FOI Guidelines, at paragraph [6.22],
provide a non-exhaustive list of factors against disclosure.
This includes factors such as when disclosure could:
• reasonably be expected to prejudice the protection of an individual’s right to privacy
• reasonably be expected to impede the flow of information to the OAIC in its capacity as a
privacy regulator
• reasonably be expected to prejudice the OAIC’s ability to obtain confidential information
in the future and to engage effectively with regulated entities
• reasonably be expected to impede the administration of justice generally, including
procedural fairness.
In the circumstances of this case, one public interest factor that weighs against disclosure of
the third party personal information is that disclosure could reasonably be expected to
interfere with an individual’s right to privacy. I have placed significant weight on this factor
as I consider that the specific harm in disclosing an individual’s name and contact details
without agreement, and where this information has not been previously disclosed, would be
an interference with an individual’s right to privacy.
I have also considered that disclosure of information pertaining to the operation of a third
party’s security systems that is not in the public domain would unreasonably adversely
affect the business affairs of the third party for the reasons above. Disclosure of this
information in these circumstances would reasonably be expected to impede the flow of
information to the OAIC in its capacity as a privacy regulator, and reasonably be expected to
prejudice the OAIC’s ability to obtain confidential information in the future and to engage
effectively with regulated entities. This would reasonably be expected to prejudice the
efficient management of the OAIC’s regulatory function if entities are less likely to voluntarily
provide fulsome information to the OAIC with respect to their responses following a
notifiable data breach.
In considering where the public interest lies, I must balance the factors that favour
disclosure against the factors that favour non-disclosure.
On balance, I find that the factors against disclosure outweigh the factors in favour of
disclosure. I have determined that disclosing material that is conditionally exempt under ss
47F, 47G(1)(a) and 47E(d) of the FOI Act would be contrary to the public interest. Therefore,
this material is exempt from disclosure under ss 47F, 47G(1)(a) and 47E(d) of the FOI Act.
Release of the document
Because a relevant third party was consulted in the making of this decision and has objected
to the release of the documents, I am required, under ss 27(6) and 27A(6) of the FOI Act, to
advise them of my decision and provide them with an opportunity to seek:
• internal review of my decision, or
• review of my decision by the Information Commissioner.
The third party has 30 days from the date they are notified of my decision in which to seek
review. As a result the document cannot be released to you until this time has expired, or any
internal review or appeal has been completed and my decision to release the document is
upheld or confirmed.
Yours sincerely
Joseph Gouvatsos
Lawyer
18 February 2021
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the FOI Act.
An internal review will be conducted, to the extent possible, by an officer of the OAIC who
was not involved in or consulted in the making of my decision. If you wish to apply for an
internal review, you must do so in writing within 30 days. There is no application fee for
internal review.
If you wish to apply for an internal review, please mark your application for the attention of
the FOI Coordinator and state the grounds on which you consider that my decision should be
reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email
to xxx@xxxx.xxx.xx, or by fax on
02 9284 9666.
Further Review
You have the right to seek review of this decision by the Information Commissioner and the
Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision (IC review). If
you wish to apply for IC review, you must do so in writing within 60 days. Your application
must provide an address (which can be an email address or fax number) that we can send
notices to, and include a copy of this letter. A request for IC review can be made in relation to
my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of the
administration of the FOI Act to conduct an IC review of a decision, or an internal review
decision, made by the agency that the Information Commissioner heads: the OAIC. For this
reason, if you make an application for IC review of my decision, and the Information
Commissioner is satisfied that in the interests of administration of the Act it is desirable that
my decision be considered by the AAT, the Information Commissioner may decide not to
undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the AAT for review of an FOI
decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email
to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact xxxxx@xxxx.xxx.xx. More information is available on the Access our information page on our website.
Disclosure log
Section 11C of the FOI Act requires agencies to publish online documents released to
members of the public within 10 days of release, except if they contain personal or business
information that it would be unreasonable to publish.
The document I have decided to release to you does not contain business or personal
information that would be unreasonable to publish. As a result, the document will be
published on our disclosure log shortly after being released to you.