Dear Office of the Australian Information Commissioner,

I request access to the following documents under the Freedom of Information Act 1982:

1. Data breach reports for the period 1 January 2020 to 1 March 2024 where the respondents' sector is government (local, state, and federal government).
o The document I require is similar to document 52 released in FOIREQ24/00047.
+ If it is not too much trouble, please include dates in the report.
o Respondent names are to be included in the scope of this request.

Since three‑quarters (74%) of Australians feel data breaches are one of the biggest privacy risks they face today, it goes without saying that there is significant public interest in favour of disclosure.

Yours faithfully,

CR

OAIC - FOI, Office of the Australian Information Commissioner

Your email has been received by the Office of Australian Information
Commissioner.

 

FOI requests to the OAIC

 

Please note that this email address is only used for making requests to
obtain access to a document held by the OAIC pursuant to the Freedom of
Information Act 1982 (Cth) (FOI Act). We will only action and respond to
emails making FOI requests to the OAIC. For information on how to make an
FOI request to the OAIC, and to ensure that your request complies with the
requirements of the FOI Act, please refer to the FOI page on the OAIC’s
website at:
[1]https://www.oaic.gov.au/about-us/access-...
Once your request has been assessed by the OAIC, and registered on our
system, a separate acknowledgement email will be sent to you with a
reference number.

 

The OAIC does not hold all documents of other Commonwealth government
agencies, other state government agencies, or private organisations.

 

Accordingly:

1)     if you are seeking to access documents of a particular Commonwealth
agency, you will need to make your request directly to the relevant
agency. For example, if you are requesting a copy of your visa records,
please make an FOI request and send it to the Department of Home Affairs.

2)     if you are seeking to access documents of a state or local
government agency, as each Australian state and territory also have
separate FOI legislation that governs information held by state government
agencies, please contact the relevant agency as to how to make an
application to access the documents. For example, if you are seeking
access to police report from NSW Police Force, it is governed by the
Government Information (Public Access) Act 2009 (NSW) (GIPA Act), and you
will need to contact NSW police to find out how to make a GIPA application
for the police report.

3)     if you are seeking to access documents of a private organization,
which the FOI Act does not apply to, please contact the organization
directly to find out how to access the documents you are seeking. For
example, if you are seeking to access to hospital records or your medical
centre records, please contact these organisations directly. 

 

Enquiries and other matters

 

If your email relates to any of the following, please utilise our online
forms instead, which are available at
[2]https://www.oaic.gov.au/about-us/contact...

-               Enquiry

-               Privacy  Complaint

-               Notifiable Data Breach

-               Consumer Data Right Complaint

-               FOI Complaint

-               Freedom of Information Review

-               Agency FOI Extension of Time Requests

-               Speech requests.

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/about-us/access-...
2. https://www.oaic.gov.au/about-us/contact...

OAIC - FOI, Office of the Australian Information Commissioner

3 Attachments

Our reference: FOIREQ24/00132

 

Dear CR

 

Freedom of Information request

 

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (FOI Act).

You FOI request was received by the Office of the Australian Information
Commissioner (OAIC) on 1 March 2024. This means that a decision on your
FOI request is currently due on 2 April 2024.

Scope of your request

Your FOI request was made in the following terms:

1. Data breach reports for the period 1 January 2020 to 1 March 2024 where
the respondents' sector is government (local, state, and federal
government).

o The document I require is similar to document 52 released in
FOIREQ24/00047.

+ If it is not too much trouble, please include dates in the report.

o Respondent names are to be included in the scope of this request.

 

In order to process your request as efficiently as possible, I will
exclude duplicates and early parts of email streams that are captured in
later email streams from the scope of this request, unless you advise me
otherwise.

I will not identify you as the FOI applicant during any consultation
process. However, documents that are within the scope of your request that
the OAIC may need to consult third parties about may contain your personal
information.

Timeframes for dealing with your request

Section 15 of the FOI Act requires the OAIC to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

The current decision due date for your request is 2 April 2024. We will
advise you if this timeframe is otherwise extended.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss your FOI request, please contact me on my
contact details set out below.

Yours sincerely

 

[1][IMG]   Ben Wilson

Lawyer

Office of the Australian Information Commissioner

Sydney

E [2][OAIC request email] 
 
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.  

 

[3]Subscribe to Information Matters

 

 

 

 

 

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[OAIC request email]
3. https://www.oaic.gov.au/engage-with-us/n...

OAIC - FOI, Office of the Australian Information Commissioner

6 Attachments

Our reference: FOIREQ24/00132

 

Dear CR

 

Please find attached correspondence in relation to your below FOI request.

 

Regards

 

[1][IMG]   Ben Wilson

Lawyer

Office of the Australian Information Commissioner

Sydney

E [2][OAIC request email] 
 
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.  

 

[3]Subscribe to Information Matters

 

 

show quoted sections

Dear Office of the Australian Information Commissioner,

I am writing in regard to my FOI request 'Government data breach reports from 2020' (FOIREQ24/00132). I understand that the statutory timeframe for requesting an internal review has passed.

I have prepared a detailed request for internal review, which I believe presents compelling arguments in favour of disclosing the redacted information. However, before submitting it, I would like to inquire whether the OAIC would be willing to accept a late request for internal review or if it would be preferable to submit a new, duplicate FOI request.

I would appreciate your guidance on the best course of action.

Thank you for your time and consideration.

Yours sincerely,

CR

OAIC - FOI, Office of the Australian Information Commissioner

Your email has been received by the Office of Australian Information
Commissioner.

 

FOI requests to the OAIC

 

Please note that this email address is only used for making requests to
obtain access to a document held by the OAIC pursuant to the Freedom of
Information Act 1982 (Cth) (FOI Act). We will only action and respond to
emails making FOI requests to the OAIC. For information on how to make an
FOI request to the OAIC, and to ensure that your request complies with the
requirements of the FOI Act, please refer to the FOI page on the OAIC’s
website at:
[1]https://www.oaic.gov.au/about-us/access-...
Once your request has been assessed by the OAIC, and registered on our
system, a separate acknowledgement email will be sent to you with a
reference number.

 

The OAIC does not hold all documents of other Commonwealth government
agencies, other state government agencies, or private organisations.

 

Accordingly:

1)      if you are seeking to access documents of a particular
Commonwealth agency, you will need to make your request directly to the
relevant agency. For example, if you are requesting a copy of your visa
records, please make an FOI request and send it to the Department of Home
Affairs.

2)      if you are seeking to access documents of a state or local
government agency, as each Australian state and territory also have
separate FOI legislation that governs information held by state government
agencies, please contact the relevant agency as to how to make an
application to access the documents. For example, if you are seeking
access to police report from NSW Police Force, it is governed by the
Government Information (Public Access) Act 2009 (NSW) (GIPA Act), and you
will need to contact NSW police to find out how to make a GIPA application
for the police report.

3)      if you are seeking to access documents of a private organization,
which the FOI Act does not apply to, please contact the organization
directly to find out how to access the documents you are seeking. For
example, if you are seeking to access to hospital records or your medical
centre records, please contact these organisations directly. 

 

Enquiries and other matters

 

If your email relates to any of the following, please utilise our online
forms instead, which are available at
[2]https://www.oaic.gov.au/about-us/contact...

-               Enquiry

-               Privacy  Complaint

-               Notifiable Data Breach

-               Consumer Data Right Complaint

-               FOI Complaint

-               Freedom of Information Review

-               Agency FOI Extension of Time Requests

-               Speech requests.

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/about-us/access-...
2. https://www.oaic.gov.au/about-us/contact...

OAIC - FOI, Office of the Australian Information Commissioner

1 Attachment

Dear CR

 

Thank you for your email below.

 

If you would like to seek internal review of the original decision, even
though the timeframe for requesting an interview has passed, you can make
submissions to the OAIC reasons why an internal review was not sought
during the 30 day timeframe and why additional time should be granted. The
OAIC will then consider whether to grant you that extension of time for
the internal review matter to proceed. You can find out further about
internal review in Part 9 of the FOI Guidelines.

 

If you would like to make a new FOI request, this would capture data up to
the date of your new FOI request.

 

It really is a matter of preference which option you would like to proceed
with.

 

Please do kindly let us know how you would like to proceed.

 

Kind regards

Margaret

 
[1][IMG]   Margaret Sui (she/her)

Principal Lawyer

Office of the Australian Information Commissioner

Sydney | GPO Box 5288 Sydney NSW 2001

P +61 2 9942 4145   E [2][email address
 
The OAIC acknowledges Traditional Custodians of Country
across Australia and their continuing connection to land,
waters and communities. We pay our respect to First Nations
people, cultures and Elders past and present.  

 

[3]Subscribe to Information Matters

 

 

 

show quoted sections

Dear Margaret Sui,

I hope this message finds you well.

Following our recent correspondence, I have decided to submit a new FOI request. I request access to the following documents under the Freedom of Information Act 1982:

1. Data breach reports from 1 January 2020 to 5 July 2024 where the respondent's sector is government (local, state, and federal government).
- The required document is similar to the one released in FOIREQ24/00132.
- Respondent names are to be included in the scope of this request.

I respectfully submit that disclosing agency names is strongly aligned with the public interest, as evidenced by the OAIC's Australian Community Attitudes to Privacy Survey 2023:

- Only two in five Australians feel most organisations they deal with are transparent about how they handle their information. Disclosing the agency names would serve the public interest by providing transparency and accountability around how government agencies are managing data breaches.
- 82% of Australians actively care about protecting their personal information. Knowing which agencies have experienced breaches empowers them to make informed decisions about their interactions with those agencies.
- Three-quarters of Australians feel data breaches are one of the biggest privacy risks they face today. Identifying the agencies involved allows for more nuanced public debate and scrutiny of this critical issue.
- After quality and price, data privacy is the third most important factor when choosing a product or service. Disclosing the agency names would further empower Australians to make well-informed decisions when accessing government services.

For these reasons, I believe the public interest factors strongly favour the disclosure of the respondent names in the requested data breach reports. I hope you will give this new FOI request your careful consideration. Please let me know if you require any further information from me.

Yours faithfully,

CR

OAIC - FOI, Office of the Australian Information Commissioner

1 Attachment

Our reference: FOIREQ24/00352
 
Dear CR,
 
Freedom of Information request
 
I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (FOI Act).
 
Your FOI request was received by the Office of the Australian Information
Commissioner (OAIC) on Friday 5 July 2024. This means that a decision on
your FOI request is currently due on Monday 5 August 2024.
 
Consultation on the scope of your request
 
Your FOI request was made in the following terms:
 
I request access to the following documents under the Freedom of
Information Act 1982:
1. Data breach reports from 1 January 2020 to 5 July 2024 where the
respondent's sector is government (local, state, and federal government).
- The required document is similar to the one released in FOIREQ24/00132.
- Respondent names are to be included in the scope of this request.
 
Upon consultation with the OAIC Data Breach Team, to appropriately action
your request we would be grateful for your confirmation on whether you are
seeking data breach reports made:
 
•       under the Notifiable Data Breaches scheme of the Privacy Act 1988
(Cth)
•       under the My Health Records Act 2012 (Cth)
•       under the National Cancer Screening Register Act 2016 (Cth)
•       voluntarily, or
•       all of the above.
 
Please kindly provide your confirmation by close of business Friday 12
July 2024. If we do not hear from you by this date, we will process your
request on the basis that you are after data breach reports in line with
the ‘all of the above’ option. 
 
Timeframes for dealing with your request
 
Section 15 of the FOI Act requires the OAIC to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.
 
The current decision due date for your request is Monday 5 August 2024. We
will advise you if this timeframe is otherwise extended.
 
Disclosure Log
 
Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.
 
If you would like to discuss your FOI request, please contact me on my
contact details set out below.
 
Yours sincerely
Tahlia
 

Tahlia Pelaccia (she/her)
[1][IMG] Lawyer
Office of the Australian Information Commissioner
E [2][OAIC request email]

 

The OAIC acknowledges Traditional Custodians of Country across Australia
and their continuing connection to land, waters and communities. We pay
our respect to First Nations people, cultures and Elders past and present.
 

[3]Subscribe to Information Matters  

 

show quoted sections

Dear Tahlia,

I am seeking data breach reports made under the Notifiable Data Breaches scheme. The same document as released in FOIREQ24/00132.

Thank you for reaching out for clarification.

Kind regards,

CR

OAIC - FOI, Office of the Australian Information Commissioner

Our reference: FOIREQ24/00352

Dear CR

Thank you kindly for your prompt response to our request for scope clarification.

I confirm we will process your request for data breach reports made under the Notifiable Data Breach Scheme of the Privacy Act 1999 (Cth).

Timeframes for dealing with your request

Section 15 of the FOI Act requires the OAIC to process your request no later than 30 days after the day we receive it. However, section 15(6) of the FOI Act allows us a further 30 days in situations where we need to consult with third parties about certain information, such as business documents or documents affecting their personal privacy.

The current decision due date for your request is 5 August 2024. We will advise you if this timeframe is otherwise extended.

Disclosure Log

Documents released under the FOI Act may be published online on our disclosure log, unless they contain personal or business information that would be unreasonable to publish.

If you would like to discuss your FOI request, please contact me on my contact details set out below.

Yours sincerely
Tahlia

Tahlia Pelaccia (she/her)
Lawyer
Office of the Australian Information Commissioner
E [OAIC request email]

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

Subscribe to Information Matters

show quoted sections

OAIC - FOI, Office of the Australian Information Commissioner

6 Attachments

Good afternoon

 

Please find attached correspondence related to your FOI request,
FOIREQ24/00352.

 

Kind regards

Tahlia

 

[1][IMG]   Tahlia Pelaccia (she/her)

Lawyer

Office of the Australian Information Commissioner

E [2][OAIC request email]
 
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.  

 

[3]Subscribe to Information Matters

 

 

 

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[OAIC request email]
3. https://www.oaic.gov.au/engage-with-us/n...

Dear Tahlia,

In your decision letter, you distinguished between 'suspected' and 'actual' reported data breaches. In your view, if my request was only for 'actual' data breaches, would this have impacted 1. your decision to consider information conditionally exempt under s 47E(d), and 2. the public interest test?

Yours sincerely,

CR

OAIC - FOI, Office of the Australian Information Commissioner

Your email has been received by the Office of Australian Information
Commissioner.

 

FOI requests to the OAIC

 

Please note that this email address is only used for making requests to
obtain access to a document held by the OAIC pursuant to the Freedom of
Information Act 1982 (Cth) (FOI Act). We will only action and respond to
emails making FOI requests to the OAIC. For information on how to make an
FOI request to the OAIC, and to ensure that your request complies with the
requirements of the FOI Act, please refer to the FOI page on the OAIC’s
website at:
[1]https://www.oaic.gov.au/about-us/access-...
Once your request has been assessed by the OAIC, and registered on our
system, a separate acknowledgement email will be sent to you with a
reference number.

 

The OAIC does not hold all documents of other Commonwealth government
agencies, other state government agencies, or private organisations.

 

Accordingly:

1)      if you are seeking to access documents of a particular
Commonwealth agency, you will need to make your request directly to the
relevant agency. For example, if you are requesting a copy of your visa
records, please make an FOI request and send it to the Department of Home
Affairs.

2)      if you are seeking to access documents of a state or local
government agency, as each Australian state and territory also have
separate FOI legislation that governs information held by state government
agencies, please contact the relevant agency as to how to make an
application to access the documents. For example, if you are seeking
access to police report from NSW Police Force, it is governed by the
Government Information (Public Access) Act 2009 (NSW) (GIPA Act), and you
will need to contact NSW police to find out how to make a GIPA application
for the police report.

3)      if you are seeking to access documents of a private organization,
which the FOI Act does not apply to, please contact the organization
directly to find out how to access the documents you are seeking. For
example, if you are seeking to access to hospital records or your medical
centre records, please contact these organisations directly. 

 

Enquiries and other matters

 

If your email relates to any of the following, please utilise our online
forms instead, which are available at
[2]https://www.oaic.gov.au/about-us/contact...

-               Enquiry

-               Privacy  Complaint

-               Notifiable Data Breach

-               Consumer Data Right Complaint

-               FOI Complaint

-               Freedom of Information Review

-               Agency FOI Extension of Time Requests

-               Speech requests.

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/about-us/access-...
2. https://www.oaic.gov.au/about-us/contact...

OAIC - FOI, Office of the Australian Information Commissioner

3 Attachments

Dear CR

 

Thank you for your email.

 

The terms of your request were as follows:

 

‘I am seeking data breach reports made under the Notifiable Data Breaches
scheme. The same document as released in FOIREQ24/00132.’

 

A decision was made based on the request submitted to the OAIC and in the
circumstances at that time. As such, we are not in a position to comment
on what decision might have been made if the terms of the request had been
altered to distinguish between ‘suspected’ and ‘actual’ data breaches.

 

If you have any further enquiries in relation to Notifiable Data Breaches,
you can use the online enquiry form so that the data breach team can
directly correspond with you on these matters.  Please kindly use the
online enquiry form: OAIC Online Enquiry Form.

 

Please note that the [1][email address] inbox is only used for the
processing of FOI requests.

 

Kind regards

Tahlia

 

[2][IMG]   Tahlia Pelaccia (she/her)

Lawyer

Office of the Australian Information Commissioner

E [3][OAIC request email]
 
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.  

 

[4]Subscribe to Information Matters

 

 

 

show quoted sections

Dear Office of the Australian Information Commissioner,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of the Office of the Australian Information Commissioner's handling of my FOI request 'Government data breach reports from 2020' (FOIREQ24/00352).

I am seeking a review on the following grounds:

1. I disagree with the decision-maker's decision to redact material on the basis that disclosure would or could reasonably be expected to have a substantial adverse effect on the proper and efficient conduct of the OAIC's operations. Please refer to the decision-maker's statements.
i. It is possible that disclosing this information would encourage the OAIC to act more quickly, as it would be subject to public scrutiny.
ii. The decision-maker's concern that government agencies might be reticent to provide information if their identities are revealed is unfounded, as the legal obligation to report eligible data breaches would remain unchanged.
iii. The decision-maker implies that disclosure could discourage government agencies from providing voluntary information beyond the minimum requirements. The reliance on voluntary information is misplaced. The FOI Act aims to ensure access to information, not incentivise voluntary disclosure. The public's right to know should not be contingent on the goodwill of government agencies. Furthermore, the OAIC can address any concerns about voluntary disclosure through other means, such as providing guidance or incentives for comprehensive reporting.
iv. If there was an actual impact on the proper and efficient conduct of the OAIC's operations, it would not rise to the level of 'substantial and adverse'.

2. The decision-makers application of the public interest test was flawed for the following reasons:
2.1 The decision-maker failed to consider the following factors in favour of disclosure:
i. Disclosure would allow the public to make better-informed decisions about their interactions with government agencies. Currently, there is no way an individual can consider an individual government agency's track record of data privacy and security when deciding whether to share their personal information or not. I note that the OAIC publishes aggregate data in its Notifiable Data Breaches Report. However, the public interest in understanding the specific risks associated with individual agencies is not adequately served by aggregate data alone.
ii. Disclosure would allow or assist inquiry into possible deficiencies in the conduct or administration of an agency. [FOI Guidelines 6.231]
iii. Disclosure could reveal deficiencies in privacy legislation. [FOI Guidelines 6.231]

2.2 The decision-maker incorrectly considered the following factors that do not favour disclosure:
A) The decision maker states, "Disclosure would have an adverse effect on the OAIC's proper and efficient operations relating to receiving full and frank disclosure of actual or suspected data breaches from Australian Government agencies."
i. The frankness and candour argument in the FOI context has been discussed in numerous previous decisions of the Information Commissioner, the AAT, and the courts. Public servants 'are expected to operate within a framework that encourages open access to information and recognises Government information as a national resource to be managed for public purposes'. The FOI Guidelines refer to the FOI Act recognising that Australia's democracy is strengthened when the public is empowered to participate in Government processes and scrutinise Government activities. The FOI Guidelines further state that ‘In this setting, transparency of the work of public servants should be the accepted operating environment and fears about a lessening of frank and candid advice correspondingly diminished.’

B) The decision maker states, "Disclosure would undermine the confidence and trust in the OAIC as a regulator to deal with matters it regulates in a sensitive and timely manner."
i. 'Access to the document could result in embarrassment to the Commonwealth Government, or cause a loss of confidence in the Commonwealth Government' is an irrelevant factor as described in s 11B(4) of the FOI Act and therefore was incorrectly considered in the public interest test.

C) The decision maker states, "Disclosure would reasonably be expected to delay the OAIC's consideration of, and ability to, take further regulatory action in response to an eligible data breach if entities are reluctant to provide timely, full and frank information if their respective identities may be disclosed."
i) As previously stated, government agencies should start with the assumption that public servants are obliged by their position to always provide robust and frank advice and that obligation will not be diminished by the transparency of government activities.

D) The decision maker states, "In case of a breach which meets the requisite threshold of 'serious harm', entities regulated by the Privacy Act are required to notify individuals affected by an eligible data breach of the nature of the breach, inclusive of the type of information captured in their reporting to the OAIC."
i. This is not relevant to the public interest test.
ii. I note that the decision-maker explains that individuals directly affected by data breaches are notified of the breach, however, the public interest extends beyond individual impact. Data breaches have systemic consequences, such as undermining public trust in government agencies or exposing vulnerabilities in critical infrastructure. By disclosing agency names, the public can engage in informed discussions about these broader implications and advocate for policy changes to improve data security.

2.3 The public interest in transparency and accountability outweighs any potential harm to the OAIC's operations. Given the high level of public concern about data breaches and the importance of government transparency, the public interest in knowing which agencies are responsible for these breaches is significant. This interest outweighs any speculative harm to the OAIC's operations. This information is crucial for informed public debate, holding agencies accountable, and assessing the effectiveness of government data protection measures. The OAIC's role is to protect the privacy of Australians, and this includes providing them with the information they need to make informed decisions about their interactions with government agencies.

3. The decision-maker states, "As outlined in my decisions above, in my view based on the information before me at this time, I have concerns that disclosure of the nature and specific details of the information in a public forum such as via Right to Know, is likely to prejudice the abilities of these agencies in responding to the data breaches, and the OAIC's ability to gather similar information to assess these breaches in the future."
i) The forum of an FOI request is irrelevant to the decision to deny access to information. FOI applicants have the right to publish disclosed information, and the disclosed documents become accessible to the public via the OAIC's disclosure log.

I am prepared to escalate this matter to the AAT if necessary. Therefore, I respectfully request that this internal review be conducted by a more senior decision-maker, such as a Principal or Senior Officer.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/g...

Yours faithfully,

CR

OAIC - FOI, Office of the Australian Information Commissioner

Our reference: FOIREQ24/00423

Dear CR

I refer to your email of 26 August 2024, in which you requested an internal review of the OAIC’s FOI decision 5 August 2024 (FOIREQ24/00352).

Your request FOIREQ24/00352, was made in the following terms:

1. Data breach reports from 1 January 2020 to 5 July 2024 where the respondent's sector is government (local, state, and federal government).
- The required document is similar to the one released in FOIREQ24/00132.
- Respondent names are to be included in the scope of this request.

I respectfully submit that disclosing agency names is strongly aligned with the public interest, as evidenced by the OAIC's Australian Community Attitudes to Privacy Survey 2023:

- Only two in five Australians feel most organisations they deal with are transparent about how they handle their information. Disclosing the agency names would serve the public interest by providing transparency and accountability around how government agencies are managing data breaches.
- 82% of Australians actively care about protecting their personal information. Knowing which agencies have experienced breaches empowers them to make informed decisions about their interactions with those agencies.
- Three-quarters of Australians feel data breaches are one of the biggest privacy risks they face today. Identifying the agencies involved allows for more nuanced public debate and scrutiny of this critical issue.
- After quality and price, data privacy is the third most important factor when choosing a product or service. Disclosing the agency names would further empower Australians to make well-informed decisions when accessing government services.

For these reasons, I believe the public interest factors strongly favour the disclosure of the respondent names in the requested data breach reports. I hope you will give this new FOI request your careful consideration. Please let me know if you require any further information from me.

Section 54C of the Freedom of Information Act 1982 (Cth) requires the OAIC to make a fresh decision on your FOI request within 30 days after the day we received your application.

Because we received your application on 26 August 2024 we must make a fresh decision by 25 September 2024.

Your application has been allocated to a review officer with no previous involvement with the earlier decision.

If you have any questions, please contact me.

Regards

Emily Elliott
Senior Lawyer
Office of the Australian Information Commissioner
Sydney | GPO Box 5288 Sydney NSW 2001
E [OAIC request email]

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

Subscribe to Information Matters
 

show quoted sections

OAIC - FOI, Office of the Australian Information Commissioner

5 Attachments

OAIC ref: FOIREQ24/00423

 

Dear CR

 

Please find attached a decision, schedule and document in relation to the
above matter.

 

Kind regards

 

Molly

 

[1][IMG]   Molly Cooke

A/g Senior Lawyer

Office of the Australian Information Commissioner

E [2][OAIC request email]

 
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.  

 

[3]Subscribe to Information Matters

 

Notice:

The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:%20[OAIC request email]
3. https://www.oaic.gov.au/engage-with-us/n...

CR left an annotation ()

The Guardian ran a story based on the information obtained via this request. https://www.theguardian.com/australia-ne...