Searches undertaken
Section 24A requires that an agency take ‘all reasonable steps’ to find a requested document
before refusing access to it on the basis that it cannot be found or does not exist.
The FOI Guidelines at [3.89] explain:
“Agencies and ministers should undertake a reasonable search on a flexible and
common-sense interpretation of the terms of the request. What constitutes a
reasonable search wil depend on the circumstances of each request and wil be
influenced by the normal business practices in the agency’s operating environment.
At a minimum, an agency or minister should take comprehensive steps to locate
documents, having regard to:
•
the subject matter of the documents
•
the current and past file management systems and the practice of destruction or
removal of documents
•
the record management systems in place
•
the individuals within an agency who may be able to assist with the location of
documents, and
•
the age of the documents”
I note that your request is limited only to communications that occurred in the
“week
starting September 19”. In light of this, I confirm that the only documents that I have held to
be within the scope of your request are those that were created between Monday 19
September and 25 September 2022, inclusive.
To locate documents within the scope of your request, a staff member of the Legal Services
team contacted relevant members of the OAIC’s Privacy line area, which including members
of the OAIC’s Notifiable Data Breach (NDB), Privacy Investigations, Major Investigations,
Enquiries, and Dispute Resolution teams. Staff members of these teams searched their
systems and located 3 documents within the scope of your request. I am satisfied that all
reasonable searches have been conducted to locate documents within the scope of your
request.
Investigation of a possible breach of law (s 37(1)(a))
I have found the documents subject to your request are exempt under s 37(1)(a) of the FOI
Act.
Under s 37(1)(a), a document is exempt if its disclosure would, or could reasonably be
expected to, prejudice the conduct of a current investigation.
Section 37(1)(a) of the FOI Act states:
2
37 Documents affecting enforcement of law and protection of public safety
(1) A document is an exempt document if its disclosure under this Act would, or
could reasonably be expected to:
(a) prejudice the conduct of an investigation of a breach, or possible breach,
of the law, or a failure, or possible failure, to comply with a law relating to
taxation or prejudice the enforcement or proper administration of the law in
a particular instance;
The FOI Guidelines at [5.82] provide:
To be exempt under ss 37(1)(a) or 37(1)(b), the document in question should have a
connection with the criminal law or the processes of upholding or enforcing civil law or
administering a law… This is not confined to court action or court processes, but extends to
the work of agencies in administering legislative schemes and requirements, monitoring
compliance, and investigating breaches.
The FOI Guidelines at [5.86] further explain:
Section 37(1)(a) applies to documents only where there is a current or pending investigation
and release of the document would, or could reasonably be expected to, prejudice the
conduct of that investigation. Because of the phrase ‘in a particular instance’, it is not
sufficient that prejudice will occur to other or future investigations: it must relate to the
particular investigation at hand. In other words, the exemption does not apply if the
prejudice is about investigations in general.
Additional y, at [5.87] the FOI Guidelines state:
The exemption is concerned with the conduct of an investigation. For example, it would
apply where disclosure would forewarn the applicant about the direction of the investigation,
as well as the evidence and resources available to the investigating body — putting the
investigation in jeopardy. The section will not apply if the investigation is closed or if it is
being conducted by an overseas agency.
In order to determine whether disclosure of the documents would, or could reasonably be
expected to prejudice the conduct of a current investigation, the FOI Guidelines at [5.16] -
[5.17] note:
The test requires the decision maker to assess the likelihood of the predicted or forecast
event, effect or damage occurring after disclosure of a document.
The use of the word ‘could’ in this qualification is less stringent than ‘would’, and requires
analysis of the reasonable expectation rather than certainty of an event, effect or damage
occurring. It may be a reasonable expectation that an effect has occurred, is presently
occurring, or could occur in the future.
3
The document at issue pertains to a current and open investigation on foot.
1
I am satisfied that the material within the scope of your request relates to issues that are
currently being investigated by the OAIC, and release of such material prematurely could
impact the flow of information to the OAIC in this matter, through reducing Optus’s
confidence in the confidentiality of the OAIC’s investigative processes.
Accordingly, I have decided that the document at issue is exempt under s 37(1)(a) of the FOI
Act. I consider that disclosure of this document would, or could reasonably be expected to,
prejudice the conduct of an open OAIC investigation.
Certain operations of agencies exemption (s 47E(d))
I have decided that the documents at issue which I have found exempt under s 37(1)(a) are
alternatively exempt under s 47E(d) of the FOI Act.
Under s 47E(d) of the FOI Act, a document is conditional y exempt if its disclosure could
reasonably be expected to have a substantial adverse effect on the proper and efficient
conduct of the operations of an agency.
Section 47E(d) of the FOI Act states:
A document is conditionally exempt if its disclosure under this Act would, or could reasonably
be expected to, do any of the following:
…
(d) have a substantial adverse effect on the proper and efficient conduct of the operations of
an agency.
The FOI Guidelines at [6.101] provides:
For the grounds in ss 47E(a)–(d) to apply, the predicted effect needs to be reasonably
expected to occur. The term ‘could reasonably be expected’ is explained in greater detail in
Part 5. There must be more than merely an assumption or allegation that damage may occur
if the document were to be released.
Additional y, at [6.103] the FOI Guidelines further explain:
An agency cannot merely assert that an effect would occur following disclosure. The
particulars of the predicted effect should be identified during the decision making process,
including whether the effect could reasonably be expected to occur. Where the conditional
exemption is relied upon, the relevant particulars and reasons should form part of the
decision maker’s statement of reasons, if they can be included without disclosing exempt
material (s 26, see Part 3).
1 https://www.oaic.gov.au/updates/news-and-media/oaic-opens-investigation-into-optus-over-data-
breach
4
The term ‘substantial adverse effect’ is explained in the Guidelines [at 5.20] and it broadly
means ‘an adverse effect which is sufficiently serious or significant to cause concern to a
properly concerned reasonable person’.
The word ‘substantial’, taken in the context of substantial loss or damage, has been
interpreted as ‘loss or damage that is, in the circumstances, real or of substance and not
insubstantial or nominal’.
In deciding whether disclosure would, or could reasonably be expected to, have a
substantial adverse effect on the OAIC’s operations, I have considered the functions and
responsibilities of the OAIC.
The OAIC has a range of functions and powers directed towards protecting the privacy of
individuals by ensuring the proper handling of personal information. These functions and
powers are conferred by the
Privacy Act 1988 (Privacy Act) and by other legislation containing
privacy protection provisions. Investigating privacy breaches, either in response to a
complaint from a member of the public or on the Commissioner’s own initiative, is one of the
OAIC’s primary functions.
Consideration
The documents at issue relate to an ongoing OAIC investigation. Following internal
consultations with relevant stakeholders, I am satisfied that, as this investigation remains
open, the release of the documents at issue at this time would be reasonably likely to disrupt
or prejudice the OAIC’s ability to exercise its regulatory functions. I consider that at this time,
disclosure of the documents at issue could reasonably be expected to have an adverse
substantial impact on the proper and efficient conduct of the OAIC’s operations, through
reducing confidence in the confidentiality of the OAIC’s investigative processes.
In the AAT case of
Utopia Financial Services Pty Ltd and Australian Securities and Investments
Commission (Freedom of information) [2017] AATA 269, Deputy President Forgie found
documents concerned with ASIC’s investigation and surveillance functions to be exempt
under s 47E(d). Deputy President Forgie found that the subject-matter of the documents was
directed to the investigations associated with Utopia and that:
… disclosure would give insight into an aspect or aspects of the way in which ASIC goes
about its task of investigating or conducting surveillance on those who come within its
regulatory responsibilities. Utopia itself might have some idea of them as it has been the
subject of such surveillance and examination of its affairs. Others would not. To disclose
them under the FOI Act would, I find, have an adverse effect on the proper and efficient
conduct of ASIC’s operations. I am also satisfied that the adverse effect would be
substantial.
2
2
Utopia Financial Services Pty Ltd and Australian Securities and Investments Commission (Freedom of
information) [2017] AATA 269 [103].
5
I find that this reasoning is also relevant in this matter. I note also that the AAT has
recognised that the conduct of an agency’s regulatory functions can be adversely affected in
a substantial way when there is a lack of confidence in the confidentiality of the investigation
process.
3
Accordingly, in this case, I am satisfied that giving you access to the documents at issue
would, or could reasonably be expected to, substantial y adversely affect the proper and
efficient conduct of the operations of the OAIC.
The public interest (s 11A(5))
An agency cannot refuse access to conditional y exempt documents unless giving access
would, on balance, be contrary to the public interest (s 11A(5)).
In the AAT case
of Utopia Financial Services Pty Ltd and Australian Securities and Investments
Commission, Deputy President Forgie explained that:
… the time at which I make my decision for s 11A(5) requires access to be given to a
conditionally exempt document “
at a particular time” unless doing so is, on balance, contrary
to the public interest.
Where the balance lies may vary from time to time for it is affected not only by factors
peculiar to the particular information in the documents but by factors external to them.
4
Therefore I must consider whether,
at this point in time, disclosure of the documents at issue
would be contrary to the public interest.
The public interest factor favouring disclosure in this case is that:
• disclosure would promote the objects of the FOI Act, and
• disclosure would inform debate on a matter of public importance.
Against these factors I must balance the factors against disclosure. The FOI Act does not
specify any factors against disclosure, however the FOI Guidelines provide a non-exhaustive
list of factors against disclosure. I have considered that disclosure of the documents at issue
at this time could:
• reasonably be expected to impede the flow of information to the OAIC in its capacity as a
privacy regulator
3
Telstra Australian Limited and Australian Competition and Consumer Commission [2000] AATA 71 (7
February 2000) [24].
4
Utopia Financial Services Pty Ltd and Australian Securities and Investments Commission (Freedom of
information) [2017] AATA 269 [133].
6
• reasonably be expected to prejudice the OAIC’s ability to obtain confidential information
in the future,
• reasonably be expected to prejudice the NDB management function of the OAIC
• reasonably be expected to prejudice an ongoing OAIC investigation, and
• reasonably be expected to prejudice the OAIC’s ability to obtain and deliberate regarding
sensitive information.
As this list is non-exhaustive, I have also taken into account that refusing to release the
document at issue is in line with the OAIC’s Regulatory Action Policy, which relevantly states
the fol owing at [58]:
The OAIC generally will not comment publicly about ongoing complaint investigations, complaint
conciliations, CIIs, the content of data breach notifications or the exercise of investigative powers.
In this case, I am satisfied that the public interest factor against disclosure outweighs the
public interest factor in favour of disclosure.
I have decided that
at this time, giving you access to the documents which I have found to be
conditional y exempt under s 47E(d) of the FOI Act, would, on balance, be contrary to the
public interest.
Please see the fol owing page for information about your review rights and information
about the OAIC's disclosure log.
Yours sincerely
Emily Elliot
Senior Lawyer
6 December 2022
7
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review wil be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There is
no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that my
decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further Review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision
(IC review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for IC
review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it wil usual y not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the Act
it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
8
Section 57A of the FOI Act provides that, before you can apply to the AAT for review of
an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR 10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please
contact xxxxx@xxxx.xxx.xx. More information is available on the Access our
information page on our website.
Disclosure log
Section 11C of the FOI Act requires agencies to publish online documents released to
members of the public within 10 days of release, except if they contain personal or
business information that it would be unreasonable to publish.
Due to this decision being a full refusal there are no documents to be published on the
disclosure log.
9