GPO Box 9887
Melbourne VIC 3001
15 May 2024
FN
By email: xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Reference number: IA-2101
Notice of Decision – Freedom of Information request
Dear FN
I refer to your request submitted to the office of the Fair Work Ombudsman (
OFWO) on 14 March 2024
under the
Freedom of Information Act 1982 (
FOI Act).
This letter sets out my decision in relation to the documents relevant to your request which I am
authorised to make under section 23 of the FOI Act.
Scope of Request
“1. High level evaluations, reviews or reports on the App+IBk-s performance and user feedback
from its launch in March 2017 to the present.
2. Correspondence between the Fair Work Ombudsman and then Minister for Employment,
Senator Michaelia Cash, regarding the app's development, updates, maintenance, operational
concerns, and the strategy for both iOS and Android platforms.
The FOI applicant has clarified that this extends to correspondence between the offices of the
Fair Work Ombudsman and Senator Michaelia Cash, rather than being limited solely to direct
exchanges between the Ombudsman and Senator Cash. This would include any communications
exchanged by staff or representatives of both offices concerning the app’s development,
updates, maintenance, and operational concerns, as well as strategy for both iOS and Android
platforms.
3. Documentation detailing the rationale and decision-making process for the discontinuation of
updates for the iOS app after November 2017, including any discussions regarding challenges or
considerations that influenced this decision.
4. Information on the removal of the Android version of the App from the Google Play Store
including discussions on technical, regulatory, budgetary or operational challenges that led to its
removal.”
Timeframe for processing the request
The statutory period for processing Freedom of Information requests under the FOI Act is 30 days. The
original decision date for processing this request was 15 April 2024.
www.fairwork.gov.au | Fair Work Infoline: 13 13 94 | ABN: 43 884 188 232
On 4 April 2024 the OFWO notified you of a requirement to consult with third parties in accordance with
section 27 of the FOI Act. This consultation requirement extended the processing timeframe by a further
30 days in accordance with s 15(6) of the FOI Act, and the due date for a notice of decision on access is 15
May 2024.
Third party consultation
The OFWO consulted with two third parties under section 27 of the FOI Act on the basis that they may
reasonably wish to make a contention that certain information pertaining to their business and personal
affairs should be exempt.
Matters taken into account in making this decision on access
In making my decision, I took the following matters into account:
• the scope of the request
• the documents
• the FOI Act
• the Australian Information Commissioner’s FOI Guidelines
• internal consultation
• case law
• consultation with relevant third parties.
Searches
I arranged for searches of OFWO records to identify any documents falling within the scope of the FOI
request. Records searched included those held by Technology Branch, Policy Team, BISC Committee,
Records Team and the Behavioural Economics Team. The search identified 23 relevant documents with
attachments (125 pages in total).
DECISION
I have determined that the documents include conditionally exempt material under sections 47F and
47E(d) of the FOI Act and can be released to you in part
.
The relevant documents are outlined in the schedule at
Attachment A to this letter. Attachment A lists
exemptions relied upon under the FOI Act, and detailed reasons for my decision follow.
Section 22 – Irrelevant information
On 18 March 2024 you confirmed the following types of information as irrelevant to the scope request:
• duplicate documents, including duplicate emails. The OFWO will provide emails where they
form a final email chain and the authors/recipients are contained within the final email and
• names of OFWO staff members, direct telephone numbers, email addresses and
signatures of OFWO staff (other than Senior Executives).
Information that does not fall within the scope of the request has been redacted from the documents
under section 22 of the FOI Act as irrelevant information.
The types of information redacted under section 22 include OFWO staff member names and contact
details as well as information relating to other technology projects or matters not included in the
scope of your request.
Exemptions applied and reasons for decision
Section 47E – Public interest conditional exemptions - certain operations of agencies
Section 47E(d) of the FOI Act conditionally exempts a document if disclosure would, or could, reasonably
be expected to have a substantial adverse effect on the proper and efficient conduct of agency operations.
The exemption has been applied to certain cybersecurity information, to the OFWO’s Google Play Account
number and to SES staff phone numbers and internal mailboxes.
SES staff contact details and internal group mailboxes
I consider the release of SES staff phone numbers and internal group emails would have a substantial
adverse effect on the proper and efficient conduct of the OFWO’s operations. The public disclosure of
direct telephone numbers and work mobile numbers of staff which fall outside of the OFWO’s integrated
service platform could lead to enquiries and requests for assistance not being electronically recorded,
adversely affecting accountability, transparency, quality assurance and the provision of support in
relation to those calls1.
The OFWO maintains two main channels for contacts from the Australian public (MyAccount and
Infoline). The two channels are published on the OFWO’s website. The OFWO does not publish the
phone numbers of individual staff. As a public agency providing advice and assistance as well as
investigating workplace compliance, it is vital that the OFWO can track all communications and
transactions with members of the public. The disclosure of Senior Executive Staff member’s phone
numbers could result in the escalation of requests and enquiries to those staff resulting in certain
requests not being tracked within the integrated service platform. This would have a substantial and
adverse impact on the ability of the OFWO to conduct its operations effectively and efficiently.
“Would or could reasonably be expected to”
Paragraph 5.15 of the FOI Guidelines provides that, there must, based on reasonable grounds, be at least
a real, significant or material possibility in order to satisfy the test for ‘would or could reasonably be
expected to’. Not all Senior Executive Staff have access to the integrated service platform and/or have
received the training to allow them to do so. I consider there is a real, significant possibility that the
publication of SES phone numbers could lead to those channels receiving public enquiries and requests
for assistance and that this could lead to matters not being captured in the integrated service platform.
This would have a substantial and adverse impact on the OFWO’s ability to respond to requests for advice
and assistance and to monitor the compliance of workplaces in Australia.
Public interest test
Where documents are found to be exempt under this section s11A(5) of the FOI Act requires that access
be granted to the personal information unless access would, on balance, be contrary to the public interest.
The dislosure of the SES phone numbers would promote the objectives of the FOI Act by informing the
community of the OFWO’s operations. Against this I have balanced the fact that to operate effectively
the OFWO must be able to channel enquiries and requests for assistance through an integrated service
platform. This allows the OFWO to effectively and efficiently carry out its core functions of providing
1 ‘WN’ and Inspector-General of Taxation (Freedom of Information) [2020] AICmr 71 (22 December 2020).
education, assistance, advice and guidance and to promote and monitor compliance with workplace
laws.
I am satisfied that the publication of SES phone numbers would provide an alternative pathway for
enquiries and requests for assistance which would have a substantial adverse effect on the proper and
efficient conduct of agency operations and accordingly, this information is exempt under section 47E(d).
Certain cybersecurity information and Google Play Account number
The documents you requested contain the OFWO’s Google account ID which is used by the OFWO to
access the app developer account. The disclosure of such information would have an adverse effect on
the security of the OFWO’s apps and information security systems, and could reasonably be expected
to have a substantial impact on the proper and efficient conduct of the agency’s operations.
The documents contain information relevant to the OFWO’s information security posture, including
information on cybersecurity risks, vulnerabilities and risk treatments associated with the Record My
Hours app. They also include information on a third party supplier providing current cybersecurity
advisory services to the OFWO. I have determined that this information is conditionally exempt as the
disclosure would or could reasonably be expected to have a substantial adverse effect on the proper
and efficient conduct of the operations of the OFWO.
As part of the agency’s cybersecurity program, the OFWO regularly and systematically tests its ICT
infrastructure so that any vulnerabilities are identified and mitigated before they can be exploited. It is
vital that the OFWO can undertake this program without fear of public disclosure of identified
vulnerabilities and the actions the FWO takes to mitigate threats to its systems. This information could
be used by adversaries to exploit vulnerabilities and conduct cyber attacks which would have a
substantial adverse effect on the proper and efficient conduct of the operations of the OFWO.
“Would or could reasonably be expected to”
Paragraph 5.15 of the FOI Guidelines provides that, there must, based on reasonable grounds, be at
least a real, significant or material possibility in order to satisfy the test for ‘would or could reasonably
be expected to’.
Commonwealth Government agencies are operating in a heightened risk environment due to the
increasing prevlance of cybersecurity threats. The Australian Signals Directorate reported that in the
2023-2024 financial year, one in five vulnerabilities were exploited within 48 hours despite patching or
mitigation advice being available2. Public disclosure of certain cybersecurity information could increase
the entity’s threat level by assisting adversaries to understand:
• vulnerabilities in FWO’s systems and applications
• actions the FWO routinely takes or proposes to take to address vulnerabilities
• third parties currently engaged by the FWO to advise on information security.
I am satisfied that the information is conditionally exempt under section 47E(d) of the FOI Act.
2 Australian Signals Directorate Cyber-Threat Report 2022-2023.
Public interest test
In balancing the public interest test I have considered the public interest in informing the community of
the Government’s operations and in particular, in informing the community of the steps which the
OFWO takes to protect information. I have balanced this against the public interest in the OFWO
maintaing an information security posture which prioritises the protection of information in the face of
escalating cybersecurity threat, particularly given the types and quantities of personal information which
the OFWO holds.
I have determined that the likelihood of damage that would arise to the OFWO’s ability to effectively
and efficiently carry out its legislative mandate as described in the
Fair Work Act 2009 were this
information to be disclosed publicly outweighs any benefit that would attach to the release of these
documents.
Accordingly, I have decided that the release of the OFWO’s Google Play Account number and certain
cybersecurity information contained in the documents would be contrary to the public interest in
Commonwealth Government agencies securely managing the information of the Australian community
and it is conditionally exempt under s 47E(d) of the FOI Act.
Section 47F – Personal privacy
Section 47F(1) of the FOI Act provides that a document is conditionally exempt if its disclosure under this
Act would involve the unreasonable disclosure of personal information about any person. Personal
information under the FOI Act has the same meaning as outlined in the
Privacy Act 1988; that is
information or an opinion about an identifiable individual, or an individual who is reasonably identifiable.
The section 47F exemption has been applied to the names and contact details of third parties. The
information is about a readily identifiable individual so the information is clearly personal information
within the meaning of s 47F.
In order for the personal privacy exemption to apply I must be satisfied that:
a) disclosure would constitute the unreasonable disclosure of personal information; and
b) access to the relevant information would be contrary to public interest.
Unreasonable disclosure
Whether a disclosure is ‘unreasonable’ requires a consideration of all the circumstances, including the
nature of the relevant information, the circumstances in which the information was obtained, the
likelihood that the person concerned would not wish to have the information disclosed without consent
and whether the information has any current relevance.
The individuals identified in the documents did not provide consent to the OFWO to release their
personal information. I am also not aware of any evidence suggesting that the information is available
from publicly accessible sources.
In these circumstances I have formed the view that release of the documents could cause the relevant
individuals some stress. I have therefore determined that disclosure of the relevant personal
information would be unreasonable in this instance, and that the documents are conditionally exempt
from release under section 47F.
Public interest test
In balancing the public interest test I have considered the public interest in informing the community of
the Government’s operations. I have balanced this against the public interest in an affected individual’s
rights to privacy in circumstances where the appropriate consent for disclosure has not been given.
Access to the documents
An affected third party is entitled to seek review of my decision to release the edited documents to you.
As a result, I am unable to give you access to the edited documents for at least 30 days from the day I
notify them of my decision.
In accordance with section 27(7) of the FOI Act, the documents will be released to you after the
opportunities the third party has to seek review of the decision have run out, and the decision still stands
or is confirmed.
Website Publication
Subject to certain exceptions, section 11C of the FOI Act requires agencies to publish any information
released in response to FOI requests on the online Disclosure Log. Section 11C contains some exceptions
to this general requirement. These exceptions include when the document contains business or personal
information that it would be unreasonable to publish.
As the personal and business information have been redacted, I propose to release the material via the
Fair Work Ombudsman’s Disclosure Log.
Review rights
I have attached a document setting out your rights of review of this decision at
Attachment B.
Contact details
For further information, plea
se email xxx@xxx.xxx.xx.
Yours sincerely
Nicola Forbes
Director Information Governance
Fair Work Ombudsman
Attachment A – Schedule of Documents
Document
Page
Date
Description
Decision
Applicable Provision (s)
Number
1
001-006
06.07.2017
Internal briefing – Record My Hours App
Release in part
s.22
2
007
11.2018
Dashboard Report
Release in part
s.22
3
008-015
25.05.2018
Email thread regarding data export including
Release in part
s.22
attachment
s.47F
4
016-022
07.08.2018
App testing FWO feedback
Release in part
s.47F
5
023-058
03.06.2021
Internal email correspondence- BISC papers
Withheld subject to third
s.22
including attachments
party review (53)
s.47F
s.47E(d)
6
059-063
07.06.2021
BISC Paper (draft) – Record My Hours app
Release in part
s.22
s.47F
7
064
15.07.2021
Internal email correspondence – Apple
Withheld subject to third
s.22
Developer
party review
s.47F
8
065-069
22.12.2021
Internal email correspondence – App on Google Release in part
s.22
Play store
s.47F
s.47E(d)
9
070-078
20.12.2021
Email thread regarding Google play
Withheld subject to third
s.22
to
party review
s.47F
08.02.2022
Document
Page
Date
Description
Decision
Applicable Provision (s)
Number
10
079-080
Undated
Record My Hours information – additional
Release in part
s.22
information
11
081
Undated
Record My Hours Improvement Suggestions
Release in part
s.22
12
082-083
Undated
BISC paper – RMH app
Release in part
s.22
13
084-090
Undated
Record My Hours – Back Pocket Brief
Release in full
14
091-093
01.10.20219
Email from Google Play store
Release in part
s.22
15
094
11.11.2020
Email from Apple developer
Release in part
s.22
16
095-100
2017
Ministerial briefing document
Release in part
s.22
s.47E(d)
s.47F
17
101-102
23.05.2023
Signed Briefing
Release in part
s.22
18
103-105
17.12.2021
Email from Google play store
Release in part
s.22
19
106-108
16.12.2021
Email from Google Play store
Release in part
s.22
20
109
13.01.2022
Email regarding Google Play Developer account
Release in part
s.22
s.47F
21
110-116
22.12.2021
Internal email correspondence
Withheld subject to third
s.22
party review (111-116)
s.47F
Document
Page
Date
Description
Decision
Applicable Provision (s)
Number
22
117-123
06.03.2017
Internal briefing report
Release in part
s.22
23
124-125
28.11.2019
Email regarding risk assessment
Release in part
s.22
s.47F
Attachment B
INFORMATION ON RIGHTS OF REVIEW & COMPLAINTS
Rights of review
If you are dissatisfied with this decision, you can apply for internal review by this agency (Option 1
below) or external review by the Australian Information Commissioner (IC Review) (Option 2 below).
You do not have to apply for internal review before seeking IC review. However, the Information
Commissioner has expressed the view that it is preferable for a person to seek internal review by the
agency before applying for IC Review. If you choose Option 1 (internal review), you can also apply for IC
review of the internal review decision within 60 days after receiving notice of our review decision.
Option 1 – Internal review
You can seek internal review of the decision. An application for internal review must be made in writing
within 30 days after the date you were notified of the decision, or within such further period as the Fair
Work Ombudsman allows. The internal review will be conducted by a senior officer who had no
involvement in the initial decision.
There is no particular form required to make a request for internal review. However, it would help the
reviewer if you said, in writing, why you think the decision should be reviewed. An application for an
internal review of the decision should be sent to:
Email: xxx@xxx.xxx.xx
FOI Manager
GPO Box 9887
MELBOURNE VIC 3001
Option 2 – Review by the Australian Information Commissioner
Alternatively, you can apply to the Australian Information Commissioner for IC review of the decision.
An application for IC Review must be made within 30 days after the day you were given notice of this
decision and the decision relates to an access grant decision (s 54M(2)(a))3 or 60 days where the
decision relates to an ‘access refusal decision’ (s 54L(s)(a)):4
In making your application, you need to provide an address for notices to be sent (this can be an email
address) and a copy of this decision. It would also help the Australian Information Commissioner if you
set out the reasons for seeking IC review in your application.
To apply for IC review, you can file your application vi
a the Information Commissioner review
application form.
Complaints
3 An
“access grant decision” is defined in s 53B of the FOI Act to mean a decision to grant access to a document
where there is a requirement to consult with a third party under ss 26A, 27 or 27A.
4 An
“access refusal decision” is defined in s 53A of the FOI Act and Part 10 of the FOI Guidelines at
https://www.oaic.gov.au/freedom-of-information/foi-guidelines/part-10-review-by-the-information-
commissioner/
You can complain to the Australian Information Commissioner about action taken by the Fair Work
Ombudsman in relation to your freedom of information request. Your complaint must be in writing and
it is the Information Commissioner’s preference that an online complaint form is completed. You can
lodge your compliant via the OAIC’
s FOI complaint form.