LEX72135 Decision Decision letter final.pdf

PO Box 7820 Canberra BC ACT 2610

27 March 2023

Our reference:  LEX 72135
Mr Rex Banner (Right to Know)

By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx

Dear Mr Banner

Freedom of Information Request - Internal Review Decision

I refer to your request for internal review of the Freedom of Information (FOI) decision notified
by  an  Authorised  Decision  Maker  of  Services  Australia  (the  Agency)  under  the  Freedom  of
Information Act 1982 (FOI Act) on 27 February 2023 (LEX 71601) (the original decision).

Background

On 27 January 2023, you made a request under the FOI Act for the following document:

I request the Privacy Impact Assessment:
Reference Number: 38354
Title: myGov Enhancement Beta

On 27 February 2023, an Authorised Decision Maker of the Agency notified you of a decision
to refuse access to this document on the basis that it was an exempt document under the
FOI Act (original decision).

On 27 February 2023, you wrote to the Agency seeking internal review of the original
decision on the basis that:

> I have applied the exemption in section 42 of the FOI Act to Document 1 in its
entirety.

There is no way the entire document is subject to LPP, it's a privacy impact
assessment, we know what for, tenders show who it's from, so we know that the title
page can't be subject to LPP.

> Further, I am satisfied the Agency’s ability to obtain legal advice on
> issues would be
substantially prejudiced if this document were to be made publicly available through
FOI processes. In my view, real harm is likely to result from release of the document
as doing so would waive privilege and disclose the particular legal provider’s
approach to the interpretation, analysis and application of legislation, systems and
processes administered by the Agency.

This is not real harm, a simple Google search will show plenty of PIAs that have been
either published after a FOI request or proactively published.
https://www.digitalidentity.gov.au/sites/default/files/2021-
11/DTA%20TDIF%20PIA3.pdf
https://www.digitalhealth.gov.au/sites/default/files/documents/adha-
my health record mobile applications project-privacy impact assessment.pdf

PO Box 7820 Canberra BC ACT 2610

https://www.digitalhealth.gov.au/sites/default/files/2020-11/ADHA-
My Health Record Mobile Applications Project-Privacy Impact Assessment.pdf
https://www.righttoknow.org.au/request/559/response/2178/attach/3/MyGov%20PIA%
20with%20attachments%20Redacted%20for%20release.pdf?cookie passthrough=1

None of them have ever been marked as LPP or confidential.

>The document identifies privacy and secrecy compliance risks
for the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection.

[...]

>. However, I also consider disclosure could reasonably be
expected to prejudice the Agency’s ability to obtain comprehensive legal advice in the
future and would destroy or diminish the commercial value of the provider’s PIA
methodology and approach, ultimately impede the full and frank disclosure between a
lawyer and client to the benefit of the effective administration of justice.

See above, this doesn't make sense if other PIAs (including a mygov one) have been
released. The MyGov PIA appears to have been proactively been released.

>The document identifies privacy and secrecy compliance risks
for the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection. I am also
satisfied the document is not operational information or purely factual information

Furthermore, a PIA contains purely factual information, that is discussing the state of
such a project and privacy and secrecy compliance risks for the Agency and includes
recommendations for managing or eliminating identified risks and maximising
opportunities for enhancing privacy protection.

In addition, whilst PIAs can be conducted for any project, a PIA is required for high
risk projects. Service Australia is required to do a PIA for projects that involve a
significant change to how they manage personal information, or, might have a
significant impact on the privacy of individuals; or if directed to by OAIC.

Unless Services Australia has done the PIA on their on accord, this is a high risk
project or (OAIC has determined that a PIA is required) and this is a project that the
Australian public uses, a high risk project for all Australians sounds like it would be in
the public interest that the public knows any privacy and secrecy compliance risks for
the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection.

Lastly, I request Services Australia proactively release the document as it is in the
public interest to do so.

A full history of my FOI request and all correspondence is available on the Internet at
this address:
https://www.righttoknow.org.au/request/38354 mygov enhancement beta pri

PO Box 7820 Canberra BC ACT 2610

Summary of my internal review decision

I am authorised to make decisions under section 23(1) of the FOI Act, including internal review
decisions under section 54C of the FOI Act. Consistent with the requirements of section 54C
of the FOI Act, I have reviewed this matter and made a fresh decision.

I have decided to refuse your request as it relates to material that is fully exempt under the
FOI Act.

Please see Attachment A for further information regarding the reasons for my decision.

You can ask for a review of our decision

If  you  disagree  with  any  part  of  the  decision  you  can  ask  for  a  review  by  the  Office  of  the
Australian Information Commissioner. See Attachment B for more information about how to
request a review.

Further assistance

If you have any questions please email xxx.xxxxx.xxxx@xxxxxxxxxxxxxxxxx.xxx.xx.

Yours sincerely

Maria
Authorised FOI Decision Maker
Freedom of Information Team
FOI and Ombudsman Branch | Legal Services Division
Services Australia

PO Box 7820 Canberra BC ACT 2610

REASONS FOR DECISION
What you requested

On 27 January 2023, you requested access to the following document under the FOI Act:

I request the Privacy Impact Assessment:
Reference Number: 38354
Title: myGov Enhancement Beta

On 27 February 2023, the Agency notified you of the original decision.

Your request for internal review

On 27 February 2023, you requested an internal review of the original decision. You submitted
the following reasons for seeking internal review:

> I have applied the exemption in section 42 of the FOI Act to Document 1 in its
entirety.

There is no way the entire document is subject to LPP, it's a privacy impact
assessment, we know what for, tenders show who it's from, so we know that the title
page can't be subject to LPP.

> Further, I am satisfied the Agency’s ability to obtain legal advice on
> issues would be
substantially prejudiced if this document were to be made publicly available through
FOI processes. In my view, real harm is likely to result from release of the document
as doing so would waive privilege and disclose the particular legal provider’s
approach to the interpretation, analysis and application of legislation, systems and
processes administered by the Agency.

This is not real harm, a simple Google search will show plenty of PIAs that have been
either published after a FOI request or proactively published.
https://www.digitalidentity.gov.au/sites/default/files/2021-
11/DTA%20TDIF%20PIA3.pdf
https://www.digitalhealth.gov.au/sites/default/files/documents/adha-
my health record mobile applications project-privacy impact assessment.pdf
https://www.digitalhealth.gov.au/sites/default/files/2020-11/ADHA-
My Health Record Mobile Applications Project-Privacy Impact Assessment.pdf
https://www.righttoknow.org.au/request/559/response/2178/attach/3/MyGov%20PIA%
20with%20attachments%20Redacted%20for%20release.pdf?cookie passthrough=1

None of them have ever been marked as LPP or confidential.

>The document identifies privacy and secrecy compliance risks
for the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection.

[...]

>. However, I also consider disclosure could reasonably be
expected to prejudice the Agency’s ability to obtain comprehensive legal advice in the
future and would destroy or diminish the commercial value of the provider’s PIA
PAGE 5 OF 11

PO Box 7820 Canberra BC ACT 2610

methodology and approach, ultimately impede the full and frank disclosure between a
lawyer and client to the benefit of the effective administration of justice.

See above, this doesn't make sense if other PIAs (including a mygov one) have been
released. The MyGov PIA appears to have been proactively been released.

>The document identifies privacy and secrecy compliance risks
for the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection. I am also
satisfied the document is not operational information or purely factual information

Furthermore, a PIA contains purely factual information, that is discussing the state of
such a project and privacy and secrecy compliance risks for the Agency and includes
recommendations for managing or eliminating identified risks and maximising
opportunities for enhancing privacy protection.

In addition, whilst PIAs can be conducted for any project, a PIA is required for high
risk projects. Service Australia is required to do a PIA for projects that involve a
significant change to how they manage personal information, or, might have a
significant impact on the privacy of individuals; or if directed to by OAIC.

Unless Services Australia has done the PIA on their on accord, this is a high risk
project or (OAIC has determined that a PIA is required) and this is a project that the
Australian public uses, a high risk project for all Australians sounds like it would be in
the public interest that the public knows any privacy and secrecy compliance risks for
the Agency and includes recommendations for managing or eliminating identified
risks and maximising opportunities for enhancing privacy protection.

Lastly, I request Services Australia proactively release the document as it is in the
public interest to do so.

A full history of my FOI request and all correspondence is available on the Internet at
this address:
https://www.righttoknow.org.au/request/38354 mygov enhancement beta pri

What I took into account

In reaching my decision I took into account:

  your original request dated 27 January 2023

  the original decision dated 20 February 2023

  your request for internal review dated 27 February 2023

  the document falling within the scope of your request

  whether the release of material would be in the public interest

  consultations with Agency officers about:

o  the nature of the document, and

o  the Agency's operating environment and functions
PAGE 6 OF 11

PO Box 7820 Canberra BC ACT 2610

  guidelines issued by the Australian Information Commissioner under section 93A of the
FOI Act (Guidelines), and

  the FOI Act.

Reasons for my decision

I am authorised to make decisions under section 23(1) of the FOI Act, including internal review
decisions under section 54C of the FOI Act.

I have decided to refuse access to the document. My findings of fact and reasons for deciding
that exemptions apply to the document are discussed below.

Section 42 of the FOI Act – legal professional privilege
I have applied the exemption in section 42 of the FOI Act to the document in its entirety.
This  section  of  the  FOI  Act  allows  the  Agency  to  redact  documents  or  parts  of  documents
subject to legal professional privilege (LPP).
The FOI Act does not define LPP. However, courts have decided whether a communication is
privileged requires a consideration of:
  whether there is a legal adviser-client relationship
  whether the communication was for the purpose of giving or receiving legal advice, or
use in connection with actual or anticipated litigation
  whether the advice given is independent, and
  whether the advice given is confidential.

The  document  you  requested  is  a  Privacy  Impact  Assessment  (PIA)  prepared  by  an
independent external legal adviser for the purpose of providing the Agency confidential legal
advice. Accordingly, I am satisfied LPP attaches to this document.
I am also satisfied LPP has not been waived, as the document has not been distributed further
than reasonably necessary for internal operational purposes, and the substance of the legal
advice contained in the document has not been used in any way which is inconsistent with the
maintenance of the confidentiality of the advice.
Further, I am satisfied there is a possibility of real harm resulting from release of the document.
In  particular,  I  consider  the  Agency’s  ability  to  obtain  independent  external  legal  advice  on
issues would be substantially prejudiced if it were to waive privilege over this document (which
sets out the particular legal provider’s PIA methodology, together with their approach to the
interpretation, analysis and application of legislation, systems and processes administered by
the Agency) and make it publicly available through FOI processes.
Your request for internal review provides examples of other PIAs that have been made publicly
available. While LPP may have been waived in relation to other PIAs, that does not mean that
it has been waived, or should be waived, in this instance. Each FOI decision is made on its
own merits. In this instance, LPP has not been waived and I consider there is a possibility of
real harm resulting from release of the document.
PAGE 7 OF 11

PO Box 7820 Canberra BC ACT 2610

For the reasons set out above, I am satisfied the document is exempt in full under section 42
of the FOI Act.
Section 47C of the FOI Act – deliberative material
I have applied the conditional exemption in section 47C of the FOI Act to the document in its
entirety.
Section 47C of the FOI Act provides a document is conditionally exempt if it would disclose
deliberative  matter.  Deliberative  matter  is  an  opinion,  advice  or  recommendation,  or  a
consultation or deliberation that has taken place in the course of, or for the purposes of, the
deliberative processes of an agency. Material which is operational or purely factual information
is  not  deliberative  matter.  Further,  the  deliberative  exemption  does  not  apply  to  reports  of
scientific or technical experts, reports of a body or organisation prescribed by the regulations,
or a formal statement of reasons.
I am satisfied the document comprises deliberative matter, being advice and recommendations
obtained by the Agency from its independent legal adviser for the purposes of the deliberative
process involved in delivering myGov.
I am also satisfied the document is not operational information or purely factual information,
and is otherwise not of a kind specifically excluded by the FOI Act.
Accordingly, I find the document is conditionally exempt, in full, under section 47C(1) of the
FOI Act.
Public interest considerations
Access to conditionally exempt material must be given unless I am satisfied it would not be in
the public interest to do so.
When weighing up the public interest for and against disclosure under section 11A(5) of the
FOI Act, I have taken into account relevant factors in favour of disclosure. In particular, I have
considered the extent to which disclosure would generally promote the objects of the FOI Act.
I have also considered relevant factors weighing against disclosure, indicating access would
be contrary to the public interest. In particular, I have considered the extent to which disclosure
could reasonably be expected to:
  destroy  or  diminish  the  commercial  value  of  the  legal  provider’s  PIA  methodology
approach
  impede the full and frank disclosure between a lawyer and client, which facilitates the
effective administration of justice, and
  prejudice the Agency’s ability to obtain comprehensive legal advice in the future.
Based on these factors, I have decided, in this instance, the public interest in disclosing this
document is outweighed by the public interest against disclosure.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI
Act in making this decision.
PAGE 8 OF 11

PO Box 7820 Canberra BC ACT 2610

Conclusion
I am satisfied the document sought is conditionally exempt under section 47C of the FOI Act.
Further, I have decided that on balance it would be contrary to the public interest to release
the document.
Summary of decision
I have decided to refuse access to the document on the basis the document:
  is subject to legal professional privilege and therefore exempt in full under section 42 of
the FOI Act, and
  comprises deliberative material, and disclosure would be contrary to the public interest
and the document is therefore exempt in full under section 47C of the FOI Act.

PAGE 9 OF 11

PO Box 7820 Canberra BC ACT 2610

Attachment B

INFORMATION ON RIGHTS OF REVIEW
FREEDOM OF INFORMATION ACT 1982

Asking for a full explanation of a Freedom of Information decision
Before  you  ask  for  a  formal  review  of  an  FOI  decision,  you  can  contact  us  to  discuss  your
request.  We  will  explain  the  decision  to  you.  This  gives  you  a  chance  to  correct
misunderstandings.
Asking for a formal review of a Freedom of Information internal review decision
If you still believe a decision is incorrect, the FOI Act gives you the right to apply for a review
of the internal review decision. Under section 54L of the FOI Act, you can apply for a review of
an FOI decision by the Australian Information Commissioner. There are no fees for this review.
You  will  have  60  days  to  apply  in  writing  for  a  review  by  the  Australian  Information
Commissioner.
You can lodge your application:
Online:
www.oaic.gov.au
Post:
Australian Information Commissioner

GPO Box 5218
SYDNEY NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx

Important:
  If you are applying online, the application form the 'Merits Review Form' is available at
www.oaic.gov.au.
  If  you  have  one,  you  should  include  with  your  application  a  copy  of  the  Services
Australia decision on your FOI request
  Include your contact details
  Set out your reasons for objecting to the Agency's decision.
Complaints  to  the  Australian  Information  Commissioner  and  Commonwealth
Ombudsman
Australian Information Commissioner

You may complain to the Australian Information Commissioner concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act, There is
no fee for making a complaint. A complaint to the Australian Information Commissioner must
be made in writing. The Australian Information Commissioner's contact details are:

Telephone:      1300 363 992
Website:          www.oaic.gov.au

PAGE 10 OF 11

PO Box 7820 Canberra BC ACT 2610

Commonwealth Ombudsman

You  may  also  complain  to  the  Commonwealth  Ombudsman  concerning  action  taken  by  an
agency in the exercise of powers or the performance of functions under the FOI Act. There is
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be made
in person, by telephone or in writing. The Commonwealth Ombudsman's contact details are:

Phone:             1300 362 072
Website:          www.ombudsman.gov.au

The  Commonwealth  Ombudsman  generally  prefers  applicants  to  seek  review  before
complaining about a decision.

PAGE 11 OF 11