We don't know whether the most recent response to this request contains information or not – if you are O Wendell please sign in and let everyone know.

OAIC and Hotjar

O Wendell made this Freedom of Information request to Office of the Australian Information Commissioner

This request has an unknown status. We're waiting for O Wendell to read a recent response and update the status.

From: O Wendell

Delivered

Dear Office of the Australian Information Commissioner,

I understand that the OAIC uses services provided by https://www.hotjar.com/ presumably after having entered into a contract with Hotjar to use its services.

Section 95B of the Privacy Act imposes a range of obligations on Commonwealth agencies, including in relation to the taking of certain contractual measures, when agencies enter into contracts with service providers such as Hotjar.

Under the FOI Act, and noting the OAIC's role in providing best practice Privacy Act compliance for all Cth agencies, I seek a copy of the OAIC’s contract with Hotjar.

Yours faithfully,

O Wendell

Link to this

From: Megan McKenna
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download


Our reference: FOIREQ19/00041

Dear O Wendell

Freedom of Information request

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 15 February 2019.

Scope of your request

In your email you seek access to the following:

                Under the FOI Act, and noting the OAIC's role in providing
best practice Privacy Act compliance for all Cth agencies, I seek a copy
of the OAIC’s contract with Hotjar.

 

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

As we received your request on 15 February 2019, we must process your
request by Monday, 18 March 2019.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss this matter please contact me on my contact
details set out below.

Regards

[1]cid:image001.jpg@01D4453F.0FED8EB0   Megan McKenna |  FOI Officer

Legal Services

Office of the Australian Information Commissioner

GPO Box 5218 Sydney NSW 2001  |  [2]oaic.gov.au

+61 2 8231 4292  |  [3][email address]
[8]Subscribe
[4]cid:image002.png@01D4453F.0FED8EB0 | [5]cid:image003.png@01D4453F.0FED8EB0 | [6]cid:image004.png@01D4453F.0FED8EB0 |   [7]cid:image005.png@01D4453F.0FED8EB0 to OAICnet
newsletter

 

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. http://www.oaic.gov.au/
3. mailto:[email address]
4. http://www.facebook.com/OAICgov
5. https://www.linkedin.com/company/office-...
6. https://twitter.com/OAICgov
8. https://www.oaic.gov.au/media-and-speech...

Link to this

From: Megan McKenna
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download

Attachment FOIREQ1900041.pdf
310K Download View as HTML


Dear O Wendell

Please find attached correspondence in relation to your FOI request.

 

Kind regards

 

 

[1]cid:image001.jpg@01D4453F.0FED8EB0   Megan McKenna |  FOI Officer

Legal Services

Office of the Australian Information Commissioner

GPO Box 5218 Sydney NSW 2001  |  [2]oaic.gov.au

+61 2 8231 4292  |  [3][email address]
[8]Subscribe
[4]cid:image002.png@01D4453F.0FED8EB0 | [5]cid:image003.png@01D4453F.0FED8EB0 | [6]cid:image004.png@01D4453F.0FED8EB0 |   [7]cid:image005.png@01D4453F.0FED8EB0 to OAICnet
newsletter

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. http://www.oaic.gov.au/
3. mailto:[email address]
4. http://www.facebook.com/OAICgov
5. https://www.linkedin.com/company/office-...
6. https://twitter.com/OAICgov
8. https://www.oaic.gov.au/media-and-speech...

Link to this

From: O Wendell

Delivered

Dear OAIC

Thank you for your decision on my FOI request.

In response, I'm writing to make a complaint under the Privacy Act - that the OAIC has contravened section 95B of the Privacy Act including by failing to take contractual measures with Hotjar to ensure that Hotjar does not do an act, or engage in a practice, that would breach an Australian Privacy Principle if done or engaged in by the OAIC.

Yours sincerely,

O Wendell

Link to this

From: Megan McKenna
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download


Dear O Wendell

 

Thank you for your email.

 

I understand that you wish to make a privacy complaint to the OAIC. I note
that the Right to Know website is a platform used by individuals to make
freedom of information requests to government agencies. Your privacy
complaint is not a request for information under the Freedom of
Information Act 1982 (Cth).

 

If you wish to complain to the OAIC about how we have handled your
personal information you should complain to the OAIC in writing.
Information about how to make a privacy complaint to the OAIC can be found
at
[1]https://www.oaic.gov.au/about-us/corpora....
 

 

If you have any questions please contact the OAIC enquiries line on 1300
363 992 or via email at [email address].

 

Kind regards

 

 

[2]cid:image001.jpg@01D4453F.0FED8EB0   Megan McKenna |  FOI Officer

Legal Services

Office of the Australian Information Commissioner

GPO Box 5218 Sydney NSW 2001  |  [3]oaic.gov.au

+61 2 8231 4292  |  [4][email address]
[9]Subscribe
[5]cid:image002.png@01D4453F.0FED8EB0 | [6]cid:image003.png@01D4453F.0FED8EB0 | [7]cid:image004.png@01D4453F.0FED8EB0 |   [8]cid:image005.png@01D4453F.0FED8EB0 to OAICnet
newsletter

 

 

 

 

show quoted sections

Link to this

Locutus Sum left an annotation ()

The original request in the very first email, is for a copy of a contract. The request has been refused. Section 24A of the Act: Documents do not exist or cannot be found.

Link to this

From: O Wendell

Delivered

Thank you for your email Ms McKenna.

In accordance with your advice, I lodged a complaint with the OAIC on 20 March 2019 regarding the OAIC’s failure to comply with the Privacy Act in respect of its contractual relationship with Hotjar.

The facts of the case were straight forward:

(1) Subsection 95B(1) of the Privacy Act requires government agencies such as the OAIC, when entering into Commonwealth contracts (with entities such as Hotjar) to take contractual measures “to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Australian Privacy Principle if done or engaged in by the agency”.

(2) By its own admission, the OAIC entered into a Commonwealth contract with Hotjar, but notwithstanding the requirements of subsection 95B(1) of the Privacy Act, the OAIC’s contract with Hotjar did not contain contractual measures to ensure that Hotjar does not do an act, or engage in practices, that would amount to a breach of the Australian Privacy Principles, if done or engaged in by the OAIC.

On 18 April, 2019. Acting Principal Lawyer at the OAIC, Ms Cate Cloudsdale, responded to my complaint, on behalf of the Information Commissioner stating “I do not consider that the OAIC has breached s 95B in this instance”.

Noting that Ms Cloudsdale did not provide any reasoning to justify the Information Commissioner’s finding, I requested reasons to support that decision.

Some 14 weeks later (!!!), Ms Cloudsdale responded to my request for reasons by indicating that because the OAIC’s contract with Hotjar did not contain a provision authorising Hotjar to engage in acts or practices that would breach the Australian Privacy Principles, the OAIC complied with subsection 95B(1) of the Privacy Act.

I note this constitutes a novel and convenient approach to compliance with subsection 95B(1) of the Privacy Act, where compliance with s.95B(1) can be achieved by passivity as to contractual measures, rather than by agencies taking active contractual measures. I note this approach is the opposite to that of previous findings, declarations and guidance made/given by the Information Commissioner in respect of subsection 95B(1) of the Privacy Act (although I acknowledge that those findings/declarations etc were made at a time when the OAIC was run as if it were an independent, impartial and apolitical organisation) as well as advice given to me on numerous occasions by OAIC staff in relation to the requirements of subsection 95B(1).

Example 1: In the Information Commissioner’s submission to the Australian Senate on the National Cancer Screening Register Bill 2016 made in September 2016 (here: https://oaic.gov.au/engage-with-us/submi... the former Commissioner advised in relation to subsection 95B(1) that “Agencies will generally need to include specific or practical provisions in their contracts and where particular information handling practices are required to comply with an APP, these should also be addressed in the contract.”

Example 2: in the OAIC’s assessment of the Department of Immigration and Border Protection’s contracts for services in regional processing centres (conducted in September 2016), the OAIC found that “The OAIC generally expects that, in meeting its obligations under […] s 95B, an agency will go beyond a simple contractual provision requiring the contractor not to do an act or engage in a practice that would breach the APPs if done or engaged in by the agency. Specific provisions may be required, for example, requiring the CSP to take particular steps to protect privacy after the conclusion or termination of the contract.” In other words, to comply with subsection 95B(1) of the Privacy Act, agencies must actively include contractual terms within Commonwealth contracts.

Example 3: In his submission to the Digital Transformation Agency made in December 2017, here: https://oaic.gov.au/engage-with-us/submi... the former Information Commissioner advised in relation to subsection 95B(1), that “The OAIC generally considers this requirement, taken together with APP 11, to require the agency to take positive steps to assure itself that the contracted service provider is handling personal information in accordance with the APPs.”

I note that one consequence of the Information Commissioner’s new and convenient interpretation and application of subsection 95B(1) of the Privacy Act is that a service provider who is contracted to a Commonwealth agency and who is not subject to an express contractual term that prohibits that provider from contravening the Australian Privacy Principles will be able to breach the privacy of Australian citizens (by contravening an APP) and the relevant agency will not be able to immediately terminate the contract for breach. That’s an outcome that is clearly not in the public interest. Nor does it accord with the intentions of Parliament.

I’m also aware of at least five Commonwealth agencies (including two large central agencies) that will now need to change their written procurement and privacy procedures so as to incorporate the Information Commissioner’s revised and less onerous guidance in respect of the requirements of subsection 95B(1) of the Privacy Act.

Under the FOI Act, I request a copy of Ms Cate Cloudsdale’s email to me, O Wendell, at my email address: [email address] of 26 July 2019 with subject “AR19/00029 - Reasons for finding in PRIV COMP 19/00001 [SEC=UNCLASSIFIED]”. There’s a strong public interest in the release of this document because it will serve to advise all Commonwealth agencies of the Information Commissioner’s new, convenient and far less onerous interpretation and application of subsection 95B(1) of the Privacy Act (albeit that this new interpretation necessarily involves far less protection of the personal information of Australian citizens). I consent to the release of my personal information in the granting of access to the document sought.

Thanks
O Wendell

Link to this

From: O Wendell

Delivered

Dear Office of the Australian Information Commissioner,

I’m aware that in approximately April – July 2019, the OAIC engaged lawyers at Holding Redlich and HWL Ebsworth to investigate a complaint that the OAIC had contravened the Privacy Act in entering into a contract with Hotjar.

I note that:
- certain OAIC staff have personal relationships with lawyers at those firms;
- those firms charge at rates approximately 30% - 50% greater than those charged by more ethical legal service providers, such as the Australia Government Solicitor; and
- Commonwealth agencies tend to engage more expensive legal service providers when they want legal advice that is politically convenient, but not necessarily accurate at law.

Under the FOI Act, I seek access to copies of invoices given to the OAIC by Holding Redlich and HWL Ebsworth in respect of their services related to consideration of whether the OAIC’s contractual arrangements with Hotjar comply with the requirements of the Privacy Act.

There’s a strong public interest in the information contained in the documents I seek because:

- taxpayers have a right to know the quantum of public monies spent by the Privacy regulator in determining whether its own staff have contravened the Privacy Act; and
- the documents will shed light on whether OAIC staff have adhered to the Commonwealth Procurement Rules and the Public Service Act.
Yours faithfully,

O Wendell

Link to this

From: Amanda Nowland
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download


Our Reference: FOIREQ19/00187

 

Dear O Wendell,

 

Freedom of Information request

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 16 August 2019.

Scope of your request

In your email you seek access to the following:

a copy of Ms Cate Cloudsdale’s email to me, O Wendell, at my [personal]
email address of 26 July 2019 with subject “AR19/00029 - Reasons for
finding in PRIV COMP 19/00001 [SEC=UNCLASSIFIED]”. There’s a strong public
interest in the release of this document because it will serve to advise
all Commonwealth agencies of the Information Commissioner’s new,
convenient and far less onerous interpretation and application of
subsection 95B(1) of the Privacy Act (albeit that this new interpretation
necessarily involves far less protection of the personal information of
Australian citizens). I consent to the release of my personal information
in the granting of access to the document sought.

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

As we received your request on 16 August 2019, we must process your
request by 16 September 2019.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss this matter please contact me on my contact
details set out below.

Regards

Amanda

 

[1]O A I C logo   Amanda Nowland |  Senior Lawyer

Legal Services

Office of the Australian
Information Commissioner

GPO Box 5218 Sydney NSW 2001  |
 oaic.gov.au

+61 2 9284 9646| 
[2][email address]
[6]Subscribe [7]Subscribe to
[3]Facebook | [4]LinkedIn | [5]Twitter |   icon OAICnet
newsletter

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[email address]
3. http://www.facebook.com/OAICgov
4. https://www.linkedin.com/company/office-...
5. https://twitter.com/OAICgov
7. https://www.oaic.gov.au/media-and-speech...

Link to this

From: Amanda Nowland
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download


Our reference: FOIREQ19/00188

Dear O Wendell

Freedom of Information request

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 16 August 2019.

Scope of your request

In your email you seek access to the following:

              copies of invoices given to the OAIC by Holding Redlich and
HWL Ebsworth in respect of their services related to consideration of
whether the OAIC’s contractual arrangements with Hotjar comply with the
requirements of the Privacy Act.

 

In order to process your request as efficiently as possible, I will
exclude duplicates and early parts of email streams that are captured in
later email streams from the scope of this request, unless you advise me
otherwise.

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

As we received your request on 16 August 2019, we must process your
request by 16 September 2019.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss this matter please contact me on my contact
details set out below.

Regards

Amanda

 

[1]O A I C logo   Amanda Nowland |  Senior Lawyer

Legal Services

Office of the Australian
Information Commissioner

GPO Box 5218 Sydney NSW 2001  |
 oaic.gov.au

+61 2 9284 9646| 
[2][email address]
[6]Subscribe [7]Subscribe to
[3]Facebook | [4]LinkedIn | [5]Twitter |   icon OAICnet
newsletter

 

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[email address]
3. http://www.facebook.com/OAICgov
4. https://www.linkedin.com/company/office-...
5. https://twitter.com/OAICgov
7. https://www.oaic.gov.au/media-and-speech...

Link to this

From: Amanda Nowland
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download


Our reference: FOIREQ19/00188

Dear O Wendell

Freedom of information request no. FOIREQ19/00188

I refer to your request made under the Freedom of Information Act 1982
(Cth) (FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 16 August 2019.

Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.

For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on 15 October 2019.

The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy, or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.

Regards

 

Amanda

 

 

[1]O A I C logo   Amanda Nowland |  Senior Lawyer

Legal Services

Office of the Australian
Information Commissioner

GPO Box 5218 Sydney NSW 2001  |
 oaic.gov.au

+61 2 9284 9646| 
[2][email address]
[6]Subscribe [7]Subscribe to
[3]Facebook | [4]LinkedIn | [5]Twitter |   icon OAICnet
newsletter

 

 

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[email address]
3. http://www.facebook.com/OAICgov
4. https://www.linkedin.com/company/office-...
5. https://twitter.com/OAICgov
7. https://www.oaic.gov.au/media-and-speech...

Link to this

From: O Wendell

Delivered

Dear Amanda Nowland,

In relation to my FOI request of 16 August 2019 with OAIC reference: FOIREQ19/00188, I consent to the OAIC redacting the personal information of Angela Flannery and Bede Gahan and any other person from any relevant document/invoice who is not/was not an OAIC staff member and/or public servant. I also consent to the OAIC redacting the hourly rates charged by Holding Redlich and HWL Ebsworth and the amount of time spent by those law firms on matters to which the invoices relates. Rather, I’m interested and the taxpaying public has an interest in the total amount of public money (as billed/listed on the relevant invoices) the OAIC gave to these law firms to investigate the allegedly unlawful activities of OAIC staff.

Yours sincerely,

O Wendell

Link to this

From: Amanda Nowland
Office of the Australian Information Commissioner


Attachment image001.jpg
2K Download

Attachment image002.png
0K Download

Attachment image003.png
0K Download

Attachment image004.png
0K Download

Attachment image005.png
0K Download

Attachment FOIREQ1900187 Document.pdf
1.3M Download View as HTML


Our Reference: FOIREQ19/00187

 

Dear O Wendell

 

Your Freedom of Information request

I refer to your request for access to documents under the Freedom of
Information Act 1982 (Cth) (the FOI Act), received by the Office of the
Australian Information Commissioner (OAIC) on 16 August 2019.

 

You requested access to

a copy of Ms Cate Cloudsdale’s email to me, O Wendell, at my [personal]
email address of 26 July 2019 with subject “AR19/00029 - Reasons for
finding in PRIV COMP 19/00001 [SEC=UNCLASSIFIED]”. There’s a strong public
interest in the release of this document because it will serve to advise
all Commonwealth agencies of the Information Commissioner’s new,
convenient and far less onerous interpretation and application of
subsection 95B(1) of the Privacy Act (albeit that this new interpretation
necessarily involves far less protection of the personal information of
Australian citizens). I consent to the release of my personal information
in the granting of access to the document sought.

Decision

I am an officer authorised under s 23(1) of the FOI Act to make decisions
in relation to FOI requests.

 

I have identified the document within the scope of your request and have
decided to grant you access in full. I have attached the relevant document
to this email.

 

Your review rights follow my signature below.

 

Regards,

 

[1]O A I C logo   Amanda Nowland  |  Senior
Lawyer

Legal Services

Office of the Australian
Information Commissioner

GPO Box 5218 Sydney NSW 2001  |
 oaic.gov.au

+61 2 9284 9646  |  
[2][email address]
[6]Subscribe [7]Subscribe to
[3]Facebook | [4]LinkedIn | [5]Twitter |   icon OAICnet
newsletter

 

If you disagree with my decision

 

Internal review

You have the right to apply for an internal review of my decision under
Part VI of the FOI Act. An internal review will be conducted, to the
extent possible, by an officer of the OAIC who was not involved in or
consulted in the making of my decision. If you wish to apply for an
internal review, you must do so in writing within 30 days. There is no
application fee for internal review.

 

If you wish to apply for an internal review, please mark your application
for the attention of the FOI Coordinator and state the grounds on which
you consider that my decision should be reviewed.

 

Further Review

You have the right to seek review of this decision by the Information
Commissioner and the Administrative Appeals Tribunal (AAT).

 

You may apply to the Information Commissioner for a review of my decision
(IC review). If you wish to apply for IC review, you must do so in writing
within 60 days. Your application must provide an address (which can be an
email address or fax number) that we can send notices to, and include a
copy of this letter. A request for IC review can be made in relation to my
decision, or an internal review decision.

 

It is the Information Commissioner’s view that it will usually not be in
the interests of the administration of the FOI Act to conduct an IC review
of a decision, made by the agency that the Information Commissioner heads:
the OAIC. For this reason, if you make an application for IC review of my
decision, it is likely that the Information Commissioner will decide
(under s 54W(b) of the FOI Act) not to undertake an IC review on the basis
that it is desirable that my decision be considered by the AAT.

Section 57A of the FOI Act provides that, before you can apply to the AAT
for review of an FOI decision, you must first have applied for IC review.

 

Applications for internal review or IC review can be submitted to:

Office of the Australian Information Commissioner

GPO Box 5218

SYDNEY NSW 2001

 

Alternatively, you may submit your application by email to
[8][email address] or by fax on 02 9284 9666.

 

 

 

show quoted sections

References

Visible links
1. https://www.oaic.gov.au/
2. mailto:[email address]
3. http://www.facebook.com/OAICgov
4. https://www.linkedin.com/company/office-...
5. https://twitter.com/OAICgov
7. https://www.oaic.gov.au/media-and-speech...
8. mailto:[email address]

Link to this

We don't know whether the most recent response to this request contains information or not – if you are O Wendell please sign in and let everyone know.

Things to do with this request

Anyone:
Office of the Australian Information Commissioner only: