This means that you are required to be notified of a decision on your request by 2
April 2024.
Decision
I am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests on behalf of the OAIC.
Subject to the following provisions of the FOI Act, I have made a decision to create
and grant access in part to 1 document.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 1 March 2024;
• the FOI Act, in particular sections 3, 11, 11A, 15, 17, 26 and 47E(d) of the FOI
Act;
• the Guidelines issued by the Australian Information Commissioner under
section 93A of the FOI Act to which regard must be had in performing a
function or exercising a power under the FOI Act (FOI Guidelines);
• consultation with line areas of the OAIC in relation to your request; and
• document 52 released in FOIREQ24/00047.
Requests involving the use of computers (s 17)
Under section 17 of the FOI Act, if an FOI request is made for a document that could
be produced by using a computer ordinarily available to the agency for retrieving or
collating stored information, an agency is required to deal with the request as if it
was a request for written documents to which the FOI Act applies.
The FOI Guidelines [at 3.204] explain that section 17 may require an agency to
produce a written document of information that is stored electronically and not in a
discrete written form, if it does not appear from the request that the applicant
wishes to be provided with a computer tape or disk on which the information is
recorded. The obligation to produce a written document arises if:
• the agency could produce a written document containing the information by
using a computer or other equipment that is ordinarily available to the
agency for retrieving or collating stored information (section 17(1)(c)(i)), or
making a transcript from a sound recording (section 17(1)(c)(ii)); and
• producing a written document would not substantially and unreasonably
divert the resources of the agency from its other operations (section 17(2)).
If those conditions are met, the FOI Act applies as if the applicant had requested
access to the written document and it was already in the agency’s possession.
Your request sought access to data breach reports for the period 1 January 2020 to 1
March 2024 where the respondent’s sector is government. Your request also
specified that the material requested is to be similar to document 52 released in
FOIREQ24/00047. The material sought is not available in a discrete form but instead
is able to be produced in a written document through the use of a computer. In light
of this, a document has been created under section 17 in response to your request
and is included in the schedule of documents attached.
Access to edited copies with irrelevant and exempt matter deleted (section 22)
In accordance with section 22 of the FOI Act, an agency must consider whether it
would be reasonably practicable to prepare an edited copy of documents subject to
an FOI request where material has been identified as exempt or irrelevant to the
request.
I have determined that FOI Act exemptions apply to this material.
Accordingly, I have made an edited copy of the documents which removes this
exempt material.
Section 47E(d) – Proper and efficient conduct of the OAIC’s operations
In accordance with section 47E(d) of the FOI Act, I have made a decision to redact
material on the basis that disclosure would or could reasonably be expected to have
a substantial adverse effect on the proper and efficient conduct of the OAIC’s
operations.
Paragraph [6.101] of the FOI Guidelines explains that:
For the grounds in ss 47E(a)–(d) to apply, the predicted effect needs to be
reasonably expected to occur. The term ‘could reasonably be expected’ is
explained in greater detail in Part 5. There must be more than merely an
assumption or allegation that damage may occur if the document were to be
released.
Additionally, at [6.103] the FOI Guidelines further explain:
An agency cannot merely assert that an effect would occur following disclosure.
The particulars of the predicted effect should be identified during the decision
making process, including whether the effect could reasonably be expected to
occur. Where the conditional exemption is relied upon, the relevant particulars
and reasons should form part of the decision maker’s statement of reasons, if
they can be included without disclosing exempt material (s 26, see Part 3).
The term ‘substantial adverse effect’ is explained in the Guidelines (at [5.20]) and it
broadly means ‘an adverse effect which is sufficiently serious or significant to cause
concern to a properly concerned reasonable person’. The word ‘substantial’, taken in
the context of substantial loss or damage, has been interpreted as ‘loss or damage
that is, in the circumstances, real or of substance and not insubstantial or nominal’.
The material that I have decided is subject to the conditional exemption comprises
information given by government entities to the OAIC in the course of notifying the
OAIC of a data breach, as well as the OAIC’s unique identification numbers for them.
In order to determine whether disclosure would, or could reasonably be expected to,
have a substantial adverse effect on the proper and efficient conduct of the
operations of the OAIC, I have taken into consideration the functions and activities of
the OAIC.
The OAIC is an independent statutory agency within the Attorney-General’s portfolio,
established under the Australian Information Commissioner Act 2010 (Cth). The OAIC
comprises the Australian Information Commissioner (office currently held by
Angelene Falk), the Privacy Commissioner (office currently held by Carly Kind), the
FOI Commissioner (office currently held by Elizabeth Tydd), and the staff of the OAIC.
Relevant to this case, the OAIC has a range of functions and powers in relation to the
Notifiable Data Breaches (NDB) Scheme contained in the Privacy Act 1988 (Cth)
(Privacy Act). These functions and powers include:
• receiving notifications of eligible data breaches;
• encouraging compliance with the NDB Scheme, including by handling
complaints, conducting investigations and taking other regulatory action;
• offering advice and guidance to regulated entities; and
• providing information to the community about the operation of the NDB
Scheme.
While entities regulated by the Privacy Act are required to report eligible data
breaches to the OAIC, the extent of information provided as part of that report is
voluntary. At a minimum, entities must provide:
• the identity and contact details of the entity;
• a description of the eligible data breach;
• the particular kind or kinds of information concerned; and
• recommendations about the steps that individuals should take in response to
the eligible data breach.
However, as noted on the OAIC’s website,[1] the OAIC recommends reporting entities
also provide the following information to assist the OAIC to understand the breach:
• the dates the breach occurred and when it was discovered;
• the cause of the breach;
• how the breach occurred;
• the number of individuals whose personal information was involved;
• whether any remedial action has been taken;
• how individuals will be notified; and
• whether the data breach has been reported to any other data protection
authorities, law enforcement bodies or regulatory bodies.
The OAIC website also advises reporting entities that “…[t]he more information you
tell us about the circumstances of the data breach, what you’ve done to contain the
data breach and any remedial action you’ve taken, will help us respond to your
notification” and that “[t]he OAIC may need to contact you to seek further
information” if this information is not provided. The OAIC then relies on the
information provided by the entities in order to consider whether further regulatory
action, if any, is required.
In these circumstances, I consider that the disclosure of the material could
reasonably be expected to undermine the OAIC’s ability to receive timely, frank and
full disclosure of information from entities that have experienced (or have
reasonable grounds to believe that they have experienced) an eligible data breach. I
further consider that the release of this material could reasonably be expected to
delay the OAIC’s consideration of and ability to take further regulatory action in
response to an eligible data breach (if required) as entities could be reticent to
provide timely, frank and full disclosure of information to the OAIC if the information
they provide and their respective identities may be publicly disclosed.
For these reasons, I am of the view that disclosing the material comprising
information given by government entities to the OAIC in the course of notifying the
OAIC of a data breach, as well as the OAIC’s unique identification numbers for them,
would, or could reasonably be expected to, substantially and adversely affect the
proper and efficient conduct of the OAIC’s functions under the NDB Scheme in the
future. As such, I consider this material is conditionally exempt under s 47E(d) of the
FOI Act.
[1] Report a data breach | OAIC
As section 47E of the FOI Act is a conditional exemption, I am also required to
consider the application of a public interest test.
My consideration of the public interest test, in respect of the material subject to
conditional exemption in the documents is discussed below.
Application of the public interest test (sections 11A and 11B)
As provided immediately above, I have considered that material within the
documents is subject to conditional exemption under s 47E(d) of the FOI Act.
Section 11A(5) provides that where documents are considered to be conditionally
exempt, an agency must give the person access to those documents unless access to
the documents, on balance, would be contrary to the public interest.
This means that I must balance factors for and against disclosure in light of the
public interest.
In Chapter 6, the FOI Guidelines provide the following guidance:
6.4 There is a single public interest test to apply to each of the conditional
exemptions. This public interest test is defined to include certain factors that must
be taken into account where relevant, and some factors which must not be taken into
account.
6.5 The public interest test is considered to be:
• something that is of serious concern or benefit to the public, not merely of
individual interest
• not something of interest to the public, but in the public interest
• not a static concept, where it lies in a particular matter will often depend on a
balancing of interests
• necessarily broad and non-specific, and
• related to matters of common concern or relevance to all members of the public,
or a substantial section of the public.
6.6 It is not necessary for a matter to be in the interest of the public as a whole.
It may be sufficient that the matter is in the interest of a section of the public
bounded by geography or another characteristic that depends on the particular
situation. A matter of public interest or benefit to an individual or small group of
people may also be a matter of general public interest.
In the AAT case of Utopia Financial Services Pty Ltd and Australian Securities and
Investments Commission (Freedom of information) [2017] AATA 269, at paragraph [133]
of the Decision Deputy President Forgie explained that:
… the time at which I make my decision for section 11A(5) requires access to be
given to a conditionally exempt document “at a particular time” unless doing so is,
on balance, contrary to the public interest. Where the balance lies may vary from
time to time for it is affected not only by factors peculiar to the particular
information in the documents but by factors external to them.
The FOI Act sets out four factors favouring access, which must be considered if
relevant. Of these factors, I consider the following to be relevant:
• promote the objects of the FOI Act; and
• inform debate on a matter of public importance.
Section 11B(4) of the FOI Act provides factors which are not to be taken into account
in deciding whether access to the documents, would, on balance, be contrary to the
public interest. I confirm I have not had regard to these factors.
Section 11B of the FOI Act does not further prescribe the factors against disclosure to
be considered. However, in considering the documents subject to this request, I
consider that the following factors do not favour disclosure:
• disclosure could reasonably be expected to undermine the OAIC’s ability to
receive timely, frank and full disclosure of information from entities that have
experienced (or have reasonable grounds to believe that they have
experienced) an eligible data breach;
• disclosure could reasonably be expected to delay the OAIC’s consideration of
and ability to take further regulatory action in response to an eligible data
breach (if required) as entities could be reticent to provide timely, frank and
full disclosure of information to the OAIC if the information they provide and
their respective identities may be publicly disclosed; and
• entities regulated by the Privacy Act are themselves required to notify
individuals affected by an eligible data breach of the contents of information
contained in the report to the OAIC.
Further, I note that the OAIC regularly provides a report of the notifications it
receives under the NDB Scheme. These reports are made available to the public on
the OAIC Website and the most recent report was published on 22 February 2024.[2]
I certainly acknowledge that Australians may feel that data breaches are one of the
biggest privacy risks faced today and that there is public interest then in informing
the public about data breaches and their impact by way of disclosing the information
provided. However, as mentioned above, the OAIC does provide and publish a
regular report of the notifications it receives under the NDB Scheme on its Website
which provides aggregate information. Further, and on an individual level, entities
regulated by the Privacy Act are themselves required to notify individuals affected by
an eligible data breach of the contents of information contained in the report to the
OAIC. Moreover, I consider that there is public interest in protecting the proper and
efficient conduct of the OAIC’s functions under the NDB Scheme from the predicted
adverse effect that the disclosure of this material could reasonably be expected to
have. As discussed above, I consider that disclosure of this material could reasonably
be expected to undermine the OAIC’s ability to receive timely, frank and full
disclosure of information from entities that have experienced (or have reasonable
grounds to believe that they have experienced) an eligible data breach; and that
disclosure could reasonably be expected to delay the OAIC’s consideration of and
ability to take further regulatory action in response to an eligible data breach (if
required) as entities could be reticent to provide timely, frank and full disclosure of
information to the OAIC if the information they provide and their respective
identities may be publicly disclosed.
On balance, I consider the public interest factors against disclosure to be more
persuasive than the public interest factors favouring disclosure. I am therefore
satisfied that it is in the public interest to withhold the exempt material.
Disclosure log decision
Section 11C of the FOI Act requires agencies to publish online documents released to
members of the public within 10 days of release, except if they contain personal or
business information that would be unreasonable to publish.
I have made a decision to publish the document subject to your request on the
OAIC’s disclosure log.
[2] Notifiable data breaches report July to December 2023 (oaic.gov.au)
Release of documents
The document is enclosed for release.
The document is identified in the attached schedule of documents.
Please see the following page for information about your review rights.
Yours sincerely,
Ben Wilson
Lawyer
2 April 2024
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision (IC
review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for
IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the AAT for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page
on our website.