Al documents should be the most up-to-date versions, without any editing markup.
Exclusions:
1. Duplicate documents
2. FOI Guidelines and other documents published on the OAIC's website (except
those on the OAIC's disclosure log)
3. The FOI Act and IC Reviews
4. Emails (except email templates)
5. Documents tracking IC Reviews or FOI Complaints.
For clarity, the fol owing is provided as guidance only on the scope and intentions of my
request:
I am seeking documents similar to those released in the fol owing FOI requests:
−
FOIREQ23/00196 (excluding Document 4 as it is irrelevant to IC Reviews or FOI
Complaints)
−
FOIREQ2300156, including:
o
The latest version of all documents relevant to IC Reviews and FOI
Complaints o Al relevant documents listed under the 'Sample
letters/guidance' column in Document 57 "IC review process"
−
FOIREQ23/00111 (latest versions)
−
FOIREQ24/00330, including:
o
The template email "Recent charges decision and invitation to make a
revised decision"
o
The template Attachment to document 1 – Letter about charges
My intention is to access the updated versions of the above-mentioned documents, as
well as any similar relevant documents not captured in the previous FOI requests.
On 13 August 2024, we sought to consult upon the scope of your request as follows:
‘Operating Procedures’ or We note that your request uses the term
‘Operating Information’
‘operating procedures or similar documents’.
We have interpreted this to have the same
meaning as ‘operational information’ set out in
section 8A of the FOI Act. ‘Operational
information’ is defined as ‘information held by
the agency to assist the agency to perform or
exercise [its] functions or powers’, and includes
‘rules, guidelines, practices and precedents’ held
by the agency to assist in making decisions. For
the purposes of this request, we consider
2
templates held by the OAIC to be operational
information.
That is, we interpret your request to be seeking
policies, procedures and templates that govern
how the OAIC processes IC reviews and FOI
complaints.
Please kindly confirm whether you agree with this
interpretation of operating procedures or similar
documents.’
Duplicate Provision of
We note that your request expressly excludes ‘FOI
Documents
Guidelines and other documents published on the
OAIC's website’ from scope, however, does not
exclude documents already uploaded onto the
disclosure log.
Specifical y, you provide the fol owing matter
numbers by way of il ustration of documents you
are requesting:
1. FOIREQ23/00111
2. FOIREQ23/00156
3. FOIREQ23/00196
4. FOIREQ24/00330
I note that of these requests, you were the FOI
applicant in FOIREQ23/00156 and
FOIREQ24/00196. This means that, in addition to
these documents being uploaded onto the
disclosure log and thus public information, you
are already in possession of the documents
located as part of this request.
To assist in maintaining efficient practices for FOI
processing, we interpret the scope of your request
as excluding documents already provided to
yourself, and documents already uploaded onto
the disclosure log.
This will enable the OAIC to focus on locating any
updated material and avoid duplicate processing
3
of requests and duplicate provision of
documents.
Updated Versions
In line with the above, our understanding of your
request is that you are only seeking access to
updated versions, if any, of the policies,
procedures and templates previously released
under the fol owing matter numbers:
1. FOIREQ23/00111
2. FOIREQ23/00156
3. FOIREQ23/00196
4. FOIREQ24/00330
Please kindly confirm whether you agree with this
interpretation.
I note that on 13 August 2024, you replied with the following advice regarding scope:
I agree with your first interpretation regarding operational information.
I agree with your second interpretation regarding exclusions, on the condition that you
list each document excluded in this manner and provide its location. For example:
"Document ABC123 is excluded as it is available on FOIREQ12/12345 Document 47."
Please also release the "Schedule of Documents" for FOIREQ23/00111. If this is not
possible, documents already on the disclosure log remain within the scope of my
request.
I partial y agree with your third interpretation. I am seeking updated versions of the
policies, procedures, and templates from the previously released documents (related
to IC Review and FOI Complaints). However, I am also seeking any other similar
documents (if they exist) that were not included in FOIREQ23/00111, FOIREQ23/00156,
FOIREQ23/00196, and FOIREQ24/00330.
Upon assessment of the amended scope, the OAIC made a decision to process your
request based on the terms of your initial request, dated 9 August 2024.
Request timeframe
Your request was made on 9 August 2024.
This means that a decision on your request is due by 9 September 2024.
4
Decision
I am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests on behalf of the OAIC.
Subject to the following provisions of the FOI Act, I have made a decision to:
• grant full access to 159 documents, and
• grant access in part to 24 documents.
Searches Undertaken
The FOI Act requires that all reasonable steps have been taken to locate documents
within scope of an FOI request.
The following line area of the OAIC conducted reasonable searches for documents
relevant to you request:
• The Freedom of Information Branch
Searches were conducted across the OAIC’s various document storage systems
including:
• the OAIC’s document holding system – Content Manager
• OAIC’s email system
The following search terms were used when undertaking electronic records
searches:
Having consulted with the relevant line areas and undertaken a review of the records
of the various search and retrieval efforts, I am satisfied that a reasonable search has
been undertaken in response to your request.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 9 August 2024 Month
• the FOI Act, in particular including sections 3, 11, 11A, 15, 22, 26, and 47E of
the FOI Act
5
• the Guidelines issued by the Australian Information Commissioner under
section 93A of the FOI Act to which regard must be had in performing a
function or exercising a power under the FOI Act (FOI Guidelines)
Access to edited copies with irrelevant and exempt matter deleted (section 22)
In accordance with section 22 of the FOI Act, an agency must consider whether it
would be reasonably practicable to prepare an edited copy of documents subject to
an FOI request where material has been identified as exempt or irrelevant to the
request.
I have determined that FOI Act exemptions apply to this material. Accordingly, the
exempt material has been removed in accordance with s 22(1)(a)(i) of the FOI Act.
I have also identified the following material within the documents to be irrelevant or
out of scope of your request in accordance with s 22(1)(a)(i ) of the FOI Act:
• information pertaining to IC Reviews and FOI Complaints which have been
inadvertently left in the templates after use.
Accordingly, I have made an edited copy of the documents which removes this
material in accordance with s 22 of the FOI Act and otherwise grants you
access in
part to the material in scope of your request.
Section 47E(d) – Proper and efficient conduct of the OAIC’s operations
In accordance with section 47E(d) of the FOI Act, I have made a decision to redact
material on the basis that disclosure would or could reasonably be expected to have
a substantial adverse effect on the proper and efficient conduct of the OAIC’s
operations.
Paragraph 6.14-6.16 of the FOI Guidelines explains that the test “would or could
reasonably be expected to”:
6.14 The test requires the decision maker to assess the likelihood of the
predicted or forecast event, effect or damage occurring after disclosure of a
document.
6.15 The use of the word ‘could’ is less stringent than ‘would’ and requires
analysis of the reasonable expectation rather than the certainty of an event,
effect or damage occurring. It may be a reasonable expectation that an effect
has occurred, is presently occurring, or could occur in the future.
6
6.16 The mere risk, al egation, possibility, or chance of prejudice does not
qualify as a reasonable expectation. There must be, based on reasonable
grounds, at least a real, significant or material possibility of prejudice, if they
can be included without disclosing exempt material (s 26, see Part 3).
The material that I have decided is subject to conditional exemption comprises of:
• IT addresses and security credentials, and
• Direct contact details of COMBO staff.
In undertaking an assessment of this conditional exemption, I have had regard to
relevant and recent AAT and Information Commissioner decisions including
Seven
Network Operations Limited and Australian Human Rights Commission [2021] AICmr
66,
Paul Farrel and Department of Home Affairs (Freedom of information) (No 2) [2022]
AICmr 49 (8 April 2022) and
Knight v Commonwealth Ombudsman [2021] AATA 2504.
In
Seven Network Operations Limited and Australian Human Rights Commission [2021]
AICmr 66, a document was found not to be conditionally exempt under
section 47E(d) of the FOI Act in circumstances where the agency argued that
disclosure of the relevant material would or could reasonably be expected to have
result in stakeholders declining to work with the Australian Human Rights
Commission. The decision found that there was not sufficient evidence to support
the conclusion that such harm would occur. Similarly in
Paul Farrel and Department
of Home Affairs (Freedom of information) (No 2) [2022] AICmr 49 (8 April 2022), whilst
the material found within the documents related to the Department of Home Affairs’
operations, the Commissioner determined that the Department had failed to provide
sufficient evidence as to why disclosure would have a substantial and adverse effect
on its operations. These decisions further reinforce the position that this provision
requires a high threshold as to the substantial and adverse effect that disclosure
would have on an agency’s operations.
In order to determine whether disclosure would, or could reasonably be expected to,
have a substantial adverse effect on the proper and efficient conduct of the
operations of the OAIC, I have taken into consideration the functions and activities of
the OAIC.
The OAIC is an independent statutory agency within the Attorney-General’s portfolio,
established under the
Australian Information Commissioner Act 2010 (Cth). The OAIC
comprises the Australian Information Commissioner (office currently held by
Elizabeth Tydd), the Privacy Commissioner (office currently held by Carly Kind), the
FOI Commissioner (office currently held by Toni Pirani), and the staff of the OAIC.
7
I consider that the disclosure of the material would or could reasonably be expected
to have an adverse effect on the OAIC’s functions.
IT Addresses and Security Credentials
The IT addresses and security credentials included in some process documentations
are used to provide staff members with access to OAIC resources, to enable staff to
undertake their duties. The OAIC collects and stores a range of personal and financial
information about members of the public. IT addresses and security credentials
contain information about the OAIC’s IT system and may facilitate an adverse actor
to gain access to a range of internal IT information. I consider that disclosure of this
information could compromise the safety and security of the storage of the
information held by the OAIC. The impact of any compromise to the safety and
security of the OAIC’s information systems would result in a serious adverse impact
on the functions and responsibilities of the OAIC.
In
‘AW’ and Australian Taxation Office (Freedom of information) [2014] AICmr 1, the
then FOI Commissioner considered the decision by the Australian Taxation Office
(ATO) to exempt user IDs under section 47E(d) of the FOI Act. The user IDs are used by
ATO staff to access the ATO’s IT system. The Commissioner found that disclosing the
user IDs ‘would have an adverse effect on the security of the ATO’s IT systems and
could reasonably be expected to have a substantial adverse effect on the proper and
efficient conduct of the ATO’. In a series of subsequent IC review decisions, the
former Australian Information Commissioner agreed with the reasoning given by the
Commissioner in ‘AW’ to find that user IDs used by ATO staff to access the ATO’s IT
system are exempt under section 47E(d) of the FOI Act.
I consider that the disclosure of the IT addresses and security credentials within the
OAIC’s case management system could reasonably be expected to have a substantial
adverse effect on the proper and efficient conduct of the OAIC’s operations. I have
decided that the addresses and security credentials are conditionally exempt from
disclosure under section 47E(d) of the FOI Act.
Direct Contact Details of COMBO Staff
In order to determine whether disclosure would, or could reasonably be expected to,
have a substantial adverse effect on the proper and efficient conduct of the COMBO, I
have taken into consideration the functions and activities of the agency.
Primarily, the COMBO is the oversight body for complaints made to Commonwealth
Agencies or Departments. The COMBO works to assist to resolve complaints made by
investigating the process if the agency, provider or organisation does not change
their decision or offer a better explanation of the decision. The role of the COMBO is
8
to facilitate a genuine complaint process within the Commonwealth government,
promoting accountability and procedural fairness.
I consider that the disclosure of direct contact details and last names of COMBO staff
would or could reasonably be expected to have an adverse effect on COMBO’s ability
to effectively manage the communications it receives from the public.
The recent decision of Chief Executive Officer, Services Australia v Justin Warren
[2020] AATA 4557 discusses the issue of the disclosure of public servants’ names and
contact details. The FOI Guidelines and the Information Commissioner’s 2020 Policy
Paper Disclosure of public servants’ names and contact details in response to FOI
requests also discuss this issue.
We consider that the disclosure of direct contact details, full names and job titles of
COMBO staff contained in this bundle of documents would have a substantial
adverse effect on their operations as it may circumvent the dedicated contact
mediums established by the COMBO to manage contact with the public. Specifically,
in light of the nature of matters the COMBO manages, we consider the disclosure of
this information would have a significant impact on the COMBO’s ability to
effectively undertake their duties, and that this may put staff at an increased risk of
abuse, harassment and intimidation.
In addition, we consider that the release of direct contact details may also adversely
impact the COMBO’s ability to effectively undertaken their day-to-day work, as
irrelevant communications would need to be directed to the appropriate area for
response. This would require each impacted staff member to review communication
made and make a determination as to the most appropriate line area to allocate this
communication to. We consider that this would infringe upon the named staffer’s
ability to undertake their regular duties.
In my view, the adverse effects from the disclosure of the relevant documents at this
time is more than merely an assumption and would impact upon the proper and
efficient operations of the COMBO.
For the reasons given above, I consider the relevant documents identified in the
schedule are conditionally exempt under section 47E(d) of the FOI Act.
As section 47E is a conditional exemption, I am also required to consider the
application of a public interest test.
My consideration of the public interest test, in respect of all the material subject to
conditional exemption in this document is discussed below.
9
Application of the public interest test – (section 11A and 11B)
As provided above, I have considered that material within the documents is subject
to conditional exemption under section 47E.
Section 11A(5) provides that where a documents is considered to be conditionally
exempt, an agency
must give the person access to those documents unless the FOI
decision maker would, on balance, would be contrary to the public interest.
This means that I must balance factors for and against disclosure in light of the
public interest.
In Chapter 6, the FOI Guidelines provide the following guidance:
6.4
There is a single public interest test to apply to each of the conditional
exemptions. This public interest test is defined to include certain factors that
must be taken into account where relevant, and some factors which must not
be taken into account.
6.5
The public interest test is considered to be:
•
something that is of serious concern or benefit to the public, not merely
of individual interest
•
not something of interest to the public, but in the public interest
•
not a static concept, where it lies in a particular matter wil often depend
on a balancing of interests
•
necessarily broad and non-specific, and
•
related to matters of common concern or relevance to al members of the
public, or a substantial section of the public.
6.6
It is not necessary for a matter to be in the interest of the public as a whole. It
may be sufficient that the matter is in the interest of a section of the public
bounded by geography or another characteristic that depends on the
particular situation. A matter of public interest or benefit to an individual or
small group of people may also be a matter of general public interest.
In the AAT case of
Utopia Financial Services Pty Ltd and Australian Securities and
Investments Commission (Freedom of information) [2017] AATA 269, at paragraph 133
of the Decision Deputy President Forgie explained that:
… the time at which I make my decision for section 11A(5) requires access to be
given to a conditionally exempt document “
at a particular time” unless doing so is,
on balance, contrary to the public interest. Where the balance lies may vary from
10
time to time for it is affected not only by factors peculiar to the particular
information in the documents but by factors external to them.
The FOI Act sets out four factors favouring access, which must be considered if
relevant. Of these factors, we consider the following to be relevant:
• promote the objects of the FOI Act.
In addition to these factors favouring disclosure, I have also considered that the
following factor in favour of disclosure would apply:
• disclosure would enhance scrutiny around government decision making.
Section 11B(4) of the FOI Act provides factors which are not to be taken into account
in making a decision, which I have had regard to. Section 11B does not further
prescribe the factors against disclosure to be considered. In considering the
documents subject to this request, I consider that the following factors do not favour
disclosure:
• disclosure would have an adverse effect on the OAIC’s proper and efficient
operations by adversely impacting upon the OAIC’s IT security, and
• disclosure of direct contact details of COMBO staff would or could reasonably
be expected to have a substantial adverse effect on their operations.
Whilst the release of this information may further facilitate transparency within
government, I have placed greater weight on the protection of the OAICs IT security
systems, role of the COMBO, and the privacy of third parties.
I consider that there is little public interest in the disclosure of internal IT security
credentials which do not relate to the substance of the material with which the file
relates. This is because the IT security credentials are for internal use to provide OAIC
staff with access to resources which enable them to effectively undertake their
decision-making duties. This information does not impact or otherwise relate to the
file which has been requested. All other material stored on the file has been
provided. I also consider there to be little public interest in the disclosure of internal
IT addresses which do not relate to the substance of the material to which the file
relates. This is because the IT address is merely for internal use in back-end systems,
and do not impact or otherwise relate to the file which has been requested. I
consider the protection of the OAIC’s information security management to be of
great public interest. This is because, as the regulator of the Privacy Act 1988 (Cth)
(Privacy Act) and its implementation across Commonwealth Government agencies,
the OAIC must emulate best practice, and cannot be in breach of the very instrument
it regulates. To act in a manner inconsistent with the purpose of the Privacy Act
11
would be contrary to the public interest and diminish the OAIC’s ability to effectively
manage privacy across other Commonwealth agencies and private entities.
In relation to direct contact details of COMBO staff, I consider there to be a significant
public interest in facilitating the proper and efficient conduct of the COMBO due to
the importance of the work they engage with for the Australian community at large.
COMBO has several responsibilities pertinent to overseeing the effectiveness of the
Commonwealth government at large, and enabling their staffers to work efficiently
will serve the public interest more so than releasing this information.
In addition, I consider that the release of the redacted material does not impact the
substance of the material within the documents provided. All other relevant material
has been released; the removal of this information does not alter the information
within the document. I do not consider the release of this information would serve to
further transparency or accountability in decision-making, as the substance of the
material has been released. In addition, and as highlighted in Chief Executive Officer,
Services Australia v Justin Warren [2020] AATA 4557 at paragraphs [70] – [83], the
considerations of ‘accountability in decision-making’ and ‘transparency’ apply most
appropriately at an agency or departmental level, and not necessarily on an
individual public servant level.
As such, I consider that there is little public interest in the disclosure of direct contact
details, last names and job titles of COMBO staff and internal IT addresses and
security credentials related to the back-end processing of a file. I consider that the
disclosure of this material would likely impact upon both COMBO’s and the OAIC’s
ability to effectively and efficiently manage their existing workload, and protect the
OAIC’s network security, respectively.
On balance, I consider the public interest factors against disclosure to be more
persuasive than the public interest factors favouring disclosure. I am satisfied that
the public interest is to withhold the exempt material.
Other Matters
We note that you sought:
Al documents should be the most up-to-date versions, without any editing markup.
Please note that some operating procedures/documents may be the most up to date
versions, however, still contain edits and/or markups.
the OAIC has taken a pro-disclosure approach and made a decision to release these
documents to you for completeness. Documents with editing mark up may include
12
review comments or appear incomplete. The OAIC has made this decision in the
spirit of pro-disclosure.
Disclosure log decision
Section 11C of the FOI Act requires agencies to publish online document released to
members of the public within 10 days of release, except if they contain personal or
business information that would be unreasonable to publish.
I have made a decision to publish the documents subject to your request on the
OAIC’s disclosure log.
Release of document
The documents are enclosed for release.
Please see the following page for information about your review rights.
Yours sincerely,
Tahlia Pelaccia
Lawyer
9 September 2024
13
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Appeals Tribunal (AAT).
You may apply to the Information Commissioner for a review of my decision (IC
review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for
IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the AAT, the Information
Commissioner may decide not to undertake an IC review.
14
Section 57A of the FOI Act provides that, before you can apply to the AAT for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR
10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page
on our website.
15