Dear Office of the eSafety Commissioner,

I wish to request documents from your office in accordance with the Freedom of Information Act 1982.
I understand your office to be a federal body covered by that act.

I am seeking:
* correspondence, including emails, whether internal to the office or between the office and outside parties;
* diary entries, calendar entries, and notifications of online meetings;
* minutes of meetings;
* discussion of policy, and any draft or final policy papers or proposals;

where those documents discuss or relate (in whole or in part) to:
* the proposed involvement of Mastercard, or any individual or entity closely related to Mastercard, in delivering or influencing the delivery of online age verification services in Australia;

covering the period:
* beginning 1 February 2020, immediately prior to the release of the "Protecting the Age of Innocence" report;
* ending a week prior to your final response to this FOI request.

It seems likely that, given the duties of your office and your record-keeping responsibilities, there should already be a file or folder in your office specifically collecting most of these documents under the topic of either "Mastercard", "Protecting the Age of Innocence" or "online age verification", and I therefore expect it will not be onerous or time-consuming to reproduce that file to satisfy this request.

With thanks,

Greg Tannahill
Canberra, ACT

Dear FOI Coordinator,

Thank you for your response.

I amend my formal FOI request to refer to the dates:
* beginning 1 February 2020, and ending 29 September 2021.

Please note the commencement date is February 2020 (last year) not 2021 (this year).

The remainder of my request, including the scope, remains unchanged.

Please also accept an *administrative* request for documents otherwise meeting the scope of my request that are dated subsequent to 29 September 2021. While you are not required to provide these documents under FOI law, it may save me needing to make a further FOI request at a later date if you were to provide them as a courtesy under the current request.

= Reasoning/Detail =

I referred to the "Protecting the Age of Innocence Report" because it is my understanding that current work to implement online age verification systems in Australia is largely in response to the recommendations of that report. Therefore the appropriate commencement date for this request would be at the time that your Office first became aware of the likely recommendations of that report.

I do not expect to receive the report itself, or any work done on creating or consulting on that report prior to its publication, as I understand that was not the work of your office.

I am not intending to be overly difficult in declining to further narrow my request. It simply seems to me that, given the remit of your office and your legal record-keeping requirements, there should already be a file in your office relating to work done on online age verification, or Mastercard specifically, and the majority of the documents I seek will already be collected in that file, and be relatively easy to reproduce.

If I have misunderstood - i.e., the majority of these documents are in a file, but some subcategory of documents are not, and are disproportionately difficult or time-consuming to identify - I am open to having that drawn to my attention and amending my request accordingly; but you would have to give me more detail as to what these documents are and why they are hard to provide.

You are welcome to give me a larger volume of documents than those I have strictly asked for if it saves you time in responding to the request - and if this is your intention, so as to have a legal request to provide those documents, feel free to say so.

With thanks,

Greg Tannahill.

Dear FOI Coordinator,

I would prefer to resolve the matter in writing, if at all possible, so as to maintain a clear record of what was requested, agreed to, and delivered.

However, if there are strong reasons to speak in person, I can be available by phone, if necessary, at any time during work hours tomorrow. (You may choose a time of your convenience and provide me with a number to contact.)

But before moving to that step I would appreciate knowing what the issue is that requires further clarification. i.e. Is my request still unclear, or is there a difficulty in delivering the requested documents, or is there some privacy or confidentiality concern that you would prefer not to commit to writing?

I have some minor difficulties with phone calls arising from disability, so would genuinely prefer that to be a last resort.

Many thanks,

Greg Tannahill

Dear FOI Coordinator,

Please interpret "individuals closely connected to Mastercard" to mean "employees and representatives of Mastercard, or employees or representatives of companies or organisations that are, to the Commissioner's knowledge, subsidiaries or subcontractors of Mastercard".

As the organisation undertaking the work, the Commissioner is best placed to identify these individuals. If the Commissioner or her officers are not able to immediately generate a short list of the relevant names, I expect it would be sufficient simply to examine your existing file and identify the names of people your office has spoken to from Mastercard that already appear on that file, and then do a further good-faith search on their names.

My intent is to capture communications that are effectively with or about Mastercard (because they are with or about employees or representatives of Mastercard) but which may not specifically mention the word "Mastercard". Or alternatively, I don't know whether Mastercard employs or contributes to lobbyists, but if the Office has had dealings with lobbyists who have directly advocated for Mastercard and named Mastercard as a client or member organisation in their submissions to the Office, then they would also be captured.

I'm not attempting to trip you up here or alleging secret under-the-table dealings. I just don't want to miss out on a meeting or communication that is substantially with or about Mastercard simply because it refers to some individual contact person or representative rather than the company as a whole.

(You'd be aware that it's common that if you've had extensive dealings with a contact person called (random example) Fred Smith, that there may then be a trail of internal communication featuring phrases like "Fred says X" or "copy Fred in on this" or "let's get back to Fred with an answer". They should fall within the scope of this request. I realise it can be difficult to run a word search that adequately identifies all such documents based solely on a first name or nickname. I'm willing to accept the Office's good-faith attempt to include such documents without needing to onerously trawl your entire database. If your officers have been performing their record-keeping duties diligently, all such correspondence should already be on the relevant file.)

I note your advice as to my proposed "administrative" extension of the proposed timeframe. I am willing to accept 7 October as a compromise cut-off for my formal FOI request. Thank you for the flexibility. If I feel it is necessary after receipt of the current documents, I will consider a further FOI at a later date.

Yours sincerely,

Greg Tannahill

Dear FOI Coordinator,

Thank you. Your understanding of my request is correctly. Please proceed with processing it.

Yours sincerely,

Greg Tannahill

Dear FOI Coordinator,

Thank you. I acknowledge your statement of potential charges per the FOI Act.

Digital delivery of documents is fine. I do not (at this time) require photocopying, transcribing, postage, or physical access to the documents. I expect that the work required to process the request will be minimal, as I expect that the majority of these documents will be already be collected in an existing file or folder, given the duties of your office and your record-keeping requirements.

I look forward to receiving the documents.

Yours sincerely,

Greg Tannahill

Dear FOI Coordinator,

I am just following up regarding my FOI request of 29 September relating to Mastercard and online age verification, as it has been two weeks since the last contact from your office, and I had expected that, due to your office's remit and record-keeping requirements, the majority of these documents would already be collected in a relevant file or folder.

I note that under the FOI legislation, the Commissioner's response to this request is due, at the latest, on Friday 29 October (Friday of this week).

I look forward to receiving these documents shortly, along with a schedule of fees incurred in relation to what I expect would be a relatively simple FOI request to fulfil.

Thank you for your continued expertise and cooperation on this request.

Yours sincerely,

Greg Tannahill

Dear FOI Coordinator,

Good morning!

I am checking in on the status of my FOI request relating to provision of online age verification services by Mastercard.

I note that today is the statutory deadline for delivery of this material by your office, and I note that I have received no reply to my email of earlier this week, or indeed any correspondence from your office for over two weeks, nor has there been any notification of a need to extend the statutory deadline.

As digital identity schemes have been so recently in the news, it's unfortunate that the documents the subject of this request have not yet been available to inform public debate and submissions on the topic, and there is clearly a public interest in their prompt and full disclosure.

I look forward to the receipt of the documents described in the request by close of business today.

Yours sincerely,

Greg Tannahill

Dear FOI Coordinator,

Thank you for your provision of documents today.

However, this response does not appear to fulfil the terms of my request, and does not comply with the terms of the Freedom of Information Act in several substantive ways.

I realise that I am entitled to access formal rights of review (both internal and external), and/or make a further FOI request. However, given that the solution may be quite simple, I'd request that you take another look at this matter on an informal administrative level before requiring me to proceed to formal processes.

(1) Scope of the request / irrelevant information

I am seeking access to the entirety of documents 3, 4 and 5.

Documents 3, 4, and 5 are quite heavily redacted. Your statement of reasons indicates the redactions are entirely on the grounds that the redacted information is irrelevant to or does not fall within the scope of my request, pursuant to Section 22 of the FOI Act. It does not specify any other ground of exemption relating to these documents.

The intent of the FOI Act as a whole is to make public as much public sector information as *can* be made public, and the specific intent of the provision in section 22 is to assist the applicant by removing information that may obscure the specific information they are seeking, having regard to the intent of their request. For example, if they requested "the phone number of Joe Smith", and the number was contained in a 500-page phonebook, the agency would be entitled to merely provide the phone number requested, to avoid requiring the applicant to trawl through excess information that they may not have the professional training to parse.

However, my request specifically refers to documents which refer "in whole or in part" to the provision of online age verification services by Mastercard. I had hoped that this made it clear I was looking for the full text of the documents. Given that there are only three documents involved, none of them more than two pages in length, I am in no danger of being confused or thwarted by the receipt of too much information.

I would refer you to section 3.95 to 3.100 of the OAIC's guidelines on Freedom of Information for federal agencies. Section 3.98 in particular notes that Freedom of Information is usually not complied with where the redactions leave only "the skeleton of a document", and section 3.99 advises agencies to consult the applicant prior to making any such redactions to seek their consent.

(Link:
https://www.oaic.gov.au/__data/assets/pd... )

I would request you to release the full text of documents 3, 4 and 5 for the reasons above, and noting that I appear to be entitled to that text were I to make an FOI request specifically referencing them by name.

(2) Documents 1 and 2

I note that documents 1 and 2 have been rendered exempt by a combination of commercial-in-confidence information and a section 47E exemption relating to "certain operations of agencies".

I wish to clarify the basis on which you believe these documents are exempt.

Do they relate wholly to a tender process?
If so, then I largely agree with your exemption, but note that you are likely nevertheless obligated to release some or all of the following details:
* a general description of the documents and their nature. (e.g. "email relating to a tender process")
* the dates of the documents
* the position or title of government officers sending or receiving those documents, if not their specific names;
* the names of government agencies receiving or authoring those documents.

These details are unlikely to be covered by the exemptions you have specified, and would allow the documents to be more easily identified in a request directed (for example) to the DTA.

However, if these documents do not wholly concern a tender process, then it is possible you may have taken an overly broad reading of section 47E. An agency's documents that are not otherwise covered by commercial-in-confidence are not exempt from FOI merely because they are commercial in nature and that the agency undertakes commercial transactions as part of its work. This reading would render the entirety of government procurement and spending immune from FOI.

I would request that you have regard to section 5.21 of the FOI guidelines referenced above, which require that a decision-maker describe the expected effect and its impact upon the usual operations or activity of the agency, and provide greater clarity around what the redacted information is, and exactly how it will have a "substantial and adverse" impact.

(3) Missing documents

I am surprised to learn that there are apparently only five documents within the Office of the eSafety Commissioner matching the scope of my query, noting that the eSafety Commissioner was specifically tasked to investigate the provision of age verification services in Australia, and that Mastercard are being accredited to provide those services.

Specifically, I would direct your attention to the following classes of documents which you may have overlooked:

(i) emails, diary notes, calendar entries, and supporting documentation relating to the meeting described in Document 3 and 4, such as would be necessary to arrange attendance at the meeting, speak on the topics that it covers, and discuss its results within the Office.

(ii) documents created in the process of responding to this FOI, including lists of potentially relevant files (see section 3.54 of the FOI guidelines).

(iii) communications, such as between the Office of the eSafety Commissioner and the Digital Transformation Agency, about the specifics of the accreditation of Mastercard and its proposed delivery of services, possibly derived from the public consultation the Office undertook on that topic;

(iv) progress reports and timelines for the Office's responsibility to deliver an online age verification service, that may refer to dates for the accreditation of providers, dates for the undertaking and conclusion of a tender process (apparently by the DTA), dates for the commencement and ending of a trial, analysis of the results of that trial, and future steps.

The paperwork referred to in point (ii) above would be of use in understanding why there are not more relevant documents relating to this topic.

(4) Summary

I would be fully satisfied if you were to release the unredacted text of documents 3, 4, and 5; a list of documents identified as potentially within scope, whether ultimately judged as suitable or not; and turn your mind to the question of whether any documents were overlooked.

This would avoid the need to make any further formal request.

I look forward to your response.

Many thanks,

Greg Tannahill

Dear FOI Coordinator,

Could you please confirm that you have received my email of 29 October relating to my FOI request about Mastercard, and advise whether you intend to consider the issues outlined therein in an administrative capacity, or whether I need to proceed to a formal application for review?

Many thanks,

Greg Tannahill

Dear FOI Coordinator,

I am still awaiting a response to my email of 29 October (ten days ago) regarding my FOI request relating to Mastercard and online age verification. I do not want to put us both through the additional work and hassle of initiating formal review processes, so I would appreciate a prompt reply on this matter.

Per your own formal decision, there is no relevant exemption that applies to the full text of documents 3, 4 and 5, so perhaps a release of those would be an appropriate immediate step while we wait for your advice on the remaining documents.

Then you could take further time, if necessary, to unredact or provide non-exempt metadata relating to documents 1 and 2 , make a review of documents possibly overlooked, and provide the documents created during the fulfilment of the FOI request including a list of documents considered for relevance.

Yours sincerely,

Greg Tannahill

Dear eSafety Commissioner,

Please direct this email to the person who conducts Freedom of Information reviews on behalf of your office.

I am writing to request a formal internal review of eSafety Commissioner's handling of my FOI request 'Provision of online age verification services by Mastercard'.

HISTORY OF REQUEST

The officer handling this request appears to have been Maria Vassiliadis.

My original request was made 29 September 2021.

Some documents were provided in reply on 29 October 2021. These documents were numbered 1 to 5. Documents 1 and 2 were wholly redacted on the basis of a commercial in-confidence claim. Documents 3 to 5 were almost wholly redacted on the basis that the majority of their contents were not within the scope of my request.

On the same date, I asked for an informal administrative review of this delivery, as it did not appear to comply with the terms of the FOI Act or the OAIC's guidelines on agency responses to FOI requests.
On 15 November 2021 I received a reply substantially refusing my request, other than the provision of some additional unredacted parts of Document 3.

I therefore wish to engage my right to a formal review of this FOI response, as I still believe it does not comply with law, or with the OAIC's guidelines.

GROUNDS OF OBJECTION

The grounds of my objection are as follows.

My objections reference the Freedom of Information Act 1982 (the FOI Act) and the Office of the Australian Information Commissioner's FOI Guidelines (the OAIC Guidelines), which are a formal legislative instrument issued under s93A of the Freedom of Information Act.

OBJECTIONS RELATING TO DOCUMENTS 1 AND 2

(1) I am entitled to a better explanation of why Documents 1 and 2 were not provided.
(2) I am entitled to non-exempt metadata relating to Documents 1 and 2.
(3) The explanation of the section 47E exemption for Documents 1 and 2 does not appear to be valid as a matter of law.

Documents 1 to 3 were declared to be exempt due to (a) commercially confidential material, and (b) a 47E exemption relating to "certain operations of agencies".

Firstly, while I note that the decision suggests that section 47 and 47E apply to the whole of the documents, that does not mean that I am not entitled to information *about* the documents.

I am entitled to information relating to these documents that is not covered by the exemptions. This data may include, but is not limited to:
(a) the dates of the documents;
(b) the format of the documents (e.g. file note, email, notes of meeting, etc);
(c) the sender and receiver of the documents, either by name or position or agency;
(d) a rough description of the material covered by the documents (e.g. description of an accreditation process).

Secondly, to the extent it is relevant, the phrasing of the 47E objection does not appear to fully satisfy the grounds of section 47E. The statement of reasons suggests that the originator of the material is the DTA, that the material is commercial, and that the DTA engages in commercial activities, and therefore the material is exempt. However, this broad reading would exempt the majority of the DTA's activities from Freedom of Information, and is plainly not valid. The test under the FOI Act requires that a specific and identifiable substantial adverse consequence from the release of this specific material be identified, and further that that consequence is real and imminent, not hypothetical or distant. The statement of reasons is required to elaborate that specific consequence, which has not occurred here.

I refer you to section 5.21 of the OAIC's guidelines referenced above, which require that a decision-maker describe the expected effect and its impact upon the usual operations or activity of the agency, and provide greater clarity around what the redacted information is, and exactly how it will have a "substantial and adverse" impact.

OBJECTIONS RELATING TO DOCUMENTS 3, 4 AND 5

(4) The decision to edit documents 3, 4, and 5 per section 22 of the FOI Act was invalid.

The power under section 22 of the FOI Act to provide an edited form of documents where parts of the document are irrelevant to the FOI request is a power that can only be exercised by consent of the applicant. See s22(1)(d) of the FOI Act - the power to edit a document is not available if it is apparent that the applicant would decline access to an edited copy.

The purpose of section 22 of the FOI Act is not to prevent the disclosure of information to an applicant but rather to assist the applicant to understand the information they have been provided by excising material that may be confusing or serve to frustrate the applicant through its volume or technical nature.

I refer you to sections 3.95 to 3.100 of the OAIC guidelines which detail the circumstances under which an agency can and should make use of section 22 and the general policy underlying the section.

There was no power for the Office to edit these documents to remove "irrelevant" information in the absence of my consent and in the absence of another relevant legislative exemption.

(5) No other exemption was identified relating to documents 3, 4, and 5.

The reasons for decision did not identify any legislative provision preventing my access to these documents other than s22.

When I requested an informal review, the FOI coordinator said that their s22 decision "does not mean the material would not have also been exempt under the Freedom of Information Act 1982 (FOI
Act). However, as the redacted information was not within the scope of your request, we did not outline these exemptions in our decision document."

This is an incorrect reading of the Act and the Guidelines. Having identified that some portion of the document was relevant to my request, it was incumbent upon the decision maker to identify all relevant exemptions that prevented my access to the whole of the document, and set them out in proper form in the statement of reasons. The decision maker cannot subsequently rely upon additional reasons not identified or considered in the statement of reasons, when it was within the power of the decision maker to identify and enumerate those reasons at the time of the initial decision. The decision must be justified at the time of the decision, not by further rationale after the fact that attempts to retroactively preserve the decision-maker's desired outcome.

(6) The redaction of document 3, 4 and 5 was excessive.

In redacting a document, an agency is required to retain sufficient information to understand the context and meaning of the remaining information.

I refer you to section 3.98 of the OAIC guidelines, which notes that Freedom of Information is usually not complied with where the redactions leave only "the skeleton of a document", and section 3.99, which advises agencies to consult the applicant prior to making any such redactions to seek their consent.

(7) I am entitled to metadata relating to documents 3, 4 and 5.

As described above, unless it is specifically covered by a legislative exemption, I am entitled to metadata relating to these documents, including but not limited to:
* the dates of the documents;
* the sender and receiver of the documents, by name or by position;
* a description of the nature of the documents, e.g. meeting notes.

OBJECTIONS RELATING TO THE FORMAT OF THE DECISION

(8) I am entitled to a description of the evidence taken into account in the making of this decision.

The reasons for decision make it clear that the eSafety Commissioner has corresponded with the Digital Transformation Agency in making a decision relating to these documents. The eSafety Commissioner is required to set out the nature of the evidence received through this correspondence, to the fullest extent possible without disclosing material which may itself be exempt from FOI, and describe specifically the facts in that correspondence that it has relied on in coming to its decision.

It is also required to have regard to any other facts or evidence it has relied on in coming to its decision that that the material is exempt.

If the decision-maker has sought the advice of the eSafety Commissioner Julie Inman-Grant in making this decision, or of any other officer of the office, I am entitled to know what advice was provided, and how the decision-maker took that advice into account in arriving at their decision.

I refer you to 3.171 to 3.173 of the OAIC guidelines.

(9) I am entitled to documents created in the fulfilment of this FOI, including a schedule of documents considered by the agency, and a list of systems, folders, or archives queried to prepare that list.

I refer you to section 3.170 of the OAIC Guidelines.

Specifically, the final form of this schedule should only remove exempt material, not exempt documents. That is to say the schedule is not required to contain material such as names, email addresses etc that itself may be exempt, but it should still contain a description of documents considered but not released, including documents that may have been deemed irrelevant after initial examination.

(10) The decision does not take into account public interest factors in favour of the release of the documents.

The reasons for decision only cite public interest reasons *against* the release of the documents. They do not consider public interest reasons in favour of the release, and the decision is therefore invalid.

These documents relate to a substantial transformation of Australia's digital community, and they are being requested during a period where the government is seeking active public comment on further legislation in this space. There is a strong public interest in transparency around this process, and an immediate benefit to the public in that information being released in a timely fashion.

In addition, the procurement of national online age verification services for Australia from a large multinational company presents significant procurement, probity, policy and security questions that there is a clear public interest in discussing from an informed and transparent manner.

The decision maker was required to specifically take into account the public interest in favour of the release, and weigh that against other factors, and give specific reasons as to their resulting judgement.

I refer you to section 3.177 of the OAIC guidelines.

(11) The list of documents provided is manifestly incomplete.

The list of documents considered is obviously incomplete on the face of it. Document 3 in particular appears to be related to a meeting that eSafety attended which discussed, among other things, the provision of age verification services by Mastercard, and includes actionable items for eSafety resulting from that meeting.

It seems implausible that none of the following documents falling within the scope of my request exist:
* correspondence inviting eSafety to that meeting;
* an agenda of the meeting;
* documents prepared or obtained by eSafety to inform their contribution to that meeting;
* documents provided to eSafety at that meeting for discussion;
* correspondence following up on that meeting;
* diary or calendar entries relating to the attendance of an eSafety officer at that meeting;
* internal correspondence relating to the actionable item for eSafety arising from that meeting.

Further, it seems implausible, given that the eSafety Commissioner was specifically tasked by the government with exploring age verification options for Australia, and that Mastercard are undertaking an accreditation process for that work, that there would not be further documents within the eSafety Commissioner's office relating to that topic generally.

Specifically, my request included reference to policies, and discussions of policy, whether draft or final, and it seems implausible that the Commissioner could be specifically tasked to do something by government and yet not create a single internal document detailing how they plan to approach or achieve that task.

It further seems unlikely that an accreditation process could be developed by the DTA for Mastercard to undertake without seeking input from the eSafety Commissioner into what that process should involve and what capabilities or competencies Mastercard would be required to demonstrate.

If there are not such documents, it seems reasonable in the interests of transparency and the public trust in the Commissioner and the FOI process that some good faith explanation be offered for the absence of those documents.

(12) The decision takes a narrow reading of relevance rather than a broad one.

The specific intent of the FOI Act is to release as much information to the public as can reasonably be released, rather than to release the minimum that can legally be released.

See section 3 of the FOI Act, section 1.7 and 1.8 of the Guidelines, 1.44 and 1.45 of the Guidelines.

Specifically see 3.54 to 3.56 of the Guidelines, which require an agency to construe relevance in the broadest possible terms, except where a narrower construal better achieves the intent of the applicant.

In construing relevance narrowly, the decision-maker has not complied with the requirements of the Act and the Guidelines.

I note in further support of this point that across a long history of public requests to this office on RightToKnow.org.au, the office has routinely taken an approach of attempting to overly narrow the scope of requests, and eventually delivering very few documents or refusing requests entirely.

CONCLUSION

I request that a formal review be conducted into the response to my FOI, considering each of the 12 points set out above, having regard to the relevant legislation including the FOI Act and the OAIC Guidelines, and I suggest that the result of that review should be, at minimum:

* The full text of documents 3, 4 and 5, to which no relevant exemptions apply.
* Metadata relating to documents 1 and 2.
* Documents created in the fulfilment of the FOI, including a full list of documents considered and systems searched.
* Documents which inevitably must exist but which have not been delivered, as identified above.
* Evidence received and considered by the decision-maker in making their decision, including correspondence from the DTA and any advice provided by the Commissioner herself or other officers.
* A full and more complete statement of reasons, having regard to my arguments above, and taking into account the public interest in favour of disclosure.

I look forward to your prompt resolution of this matter.

With thanks,

Greg Tannahill
Canberra, ACT

Dear eSafety Commissioner,

I am seeking confirmation that you have received my email of 15 November 2021 seeking a formal internal review of the decision in my FOI request relating to age verification services.

Given the statutory timelines around review processes, I would appreciate knowing that my email has been received and the appropriate processes are underway.

Many thanks,

Greg Tannahill

Dear Office of the eSafety Commissioner,

Could you please advise of the status of my formal review of your FOI decision relating to online age verification? The request for formal review was dated 15 November 2021, so the statutory timeframe to complete the review expires next week.

The requirement upon agencies is to decide reviews as soon as practicable, and no later than the statutory deadline.

Could you please advise as to what work has occurred on this review, and when I should expect a decision?

With thanks,

Greg Tannahill

Dear eSafety,

Thank you for your robust and comprehensive response to my FOI review request relating to age verification services, and for the release of additional documents and portions of documents.

Without conceding the correctness of any specific decisions in the review, I am satisfied overall with this response, and with the documents now released. Thank you for the time and care you have taken with this matter.

I do not intend to seek further review in relation to this FOI, and you may consider this request closed.

Yours sincerely,

Greg Tannahill