2. Any further relevant correspondence regarding the disclosure of agency names
post-decision.
Please exclude the following information:
i) OAIC reference numbers and details of individual breach reports. Material that was
exempt from disclosure in the above-mentioned requests.
Following consultation with you on the scope of your request, on 16 October 2024
you updated the scope of the FOI request as follows:
I prefer to access all consultation responses. You can exclude your emails to agencies
that did not respond, provided you list them.
I acknowledge the large volume of material. Please exclude the personal information
and names of public servants. Please let me know if I can help facilitate processing in
any other way.
On 7 November 2024, the OAIC wrote to you seeking further agreement as to the
scope of the FOI request:
However by way of background, when processing FOIREQ24/00423:
1. the OAIC sent one email to a large number of agencies whose name and details
were captured in the document at issue.
2. The OAIC did not prepare separate courtesy consultation bundles to each agency
due to the large number of agencies involved.
3. In response to that courtesy consultation email, some agencies requested the
specific details of the information captured in that document at issue that relates to
their agency (i.e. the rows that relate to them).
4. In response to these queries, the OAIC then sent separate emails to these agencies
with relevant extracts of the document at issue that relate to them.
5. The agencies then emailed OAIC their position as to whether they had any
objections to the disclosure of this information or not.
I just want to seek your views as to whether you are willing to exclude emails
described in point 4 above, and if you would like these emails too, consider granting
the OAIC an extension of time of two weeks?
On the same day, you responded as follows:
I confirm my wish to exclude the emails described in parts 3 and 4.
I have taken into account the above information in making my decision.
Request timeframe
Your request was made on 14 October 2024.
This means that a decision on your request is due by 13 November 2024.
Reasons for decision
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 14 October 2024 and subsequent revised scope dated
16 October 2024
• the FOI Act, in 3, 11, 11A, 15, 17, 22, 26, 47C and 47E(d) of the FOI Act
• the Guidelines issued by the Australian Information Commissioner under
section 93A of the FOI Act to which regard must be had in performing a
function or exercising a power under the FOI Act (FOI Guidelines)
Access to edited copies with irrelevant and exempt matter deleted (section 22)
In accordance with section 22 of the FOI Act, an agency must consider whether it
would be reasonably practicable to prepare an edited copy of documents subject to
an FOI request where material has been identified as exempt or irrelevant to the
request.
I have determined that FOI Act exemptions apply to this material. Accordingly, the
exempt material has been removed in accordance with s 22(1)(a)(i) of the FOI Act.
I have also identified the following material within the documents to be irrelevant or
out of scope of your request in accordance with s 22(1)(a)(ii) of the FOI Act:
• material not related to the consultation undertaken in FOIREQ24/00352 and
FOIREQ24/00423
• OAIC reference numbers and details of individual breach reports. Material
that was exempt from disclosure in the above-mentioned requests.
• personal information and names of public servants.
• Emails received by the OAIC in processing FOIREQ24/00423 from agencies
where the agencies requested the specific details of the information
captured in that document at issue that relates to their agency (i.e. the rows
that relate to them).
• Emails sent by the OAIC in processing FOIREQ24/00423 to agencies that
raised a query with the OAIC as to which rows relate to them, with relevant
extracts of the document at issue that relate to them.
Accordingly, I have made an edited copy of the document which removes this
material in accordance with s 22 of the FOI Act and otherwise grants you access in
part to the material in scope of your request.
Searches Undertaken (s 24A)
The FOI Act requires that all reasonable steps have been taken to locate documents
within scope of an FOI request.
The following line areas of the OAIC conducted reasonable searches for documents
relevant to your request:
• OAIC Legal Services Team (which processes FOI requests)
Searches were conducted across the OAIC’s various document storage systems
including:
• the OAIC’s case management system - Resolve
• the OAIC’s document holding system – Content Manager
• OAIC’s email system - Microsoft Outlook, including calendar used
• general computer files
Having reviewed the searches conducted and the relevant files on FOIREQ24/00352
and FOIREQ24/00423, and having undertaken a review of the records of the various
search and retrieval efforts, I am satisfied that a reasonable search has been
undertaken in response to your request and all relevant documents in scope of the
request have been identified in the schedule of documents.
Deliberative processes exemption (section 47C)
I have found material in a number of documents to be exempt under s 47C of the FOI
Act. For a list of the documents to which this exemption was applied, please refer to
the schedule of documents.
The type of material that I have found exempt under s 47C can be described as:
1. material contained in courtesy consultation emails containing reasons and
submissions from agencies received by the OAIC in processing
FOIREQ24/00423, in response to the courtesy consultation request sent by the
OAIC, objecting to the release of their information, and
2. material contained in internal consultation emails from the line area within
the OAIC to the FOI delegate, in relation to concerns about the impact on the
disclosure, in response to the FOI delegate comments on sensitivities.
Section 47C of the FOI Act provides for the exemption of deliberative matter as
follows:
(1) A document is conditionally exempt if its disclosure under this Act would
disclose matter (deliberative matter) in the nature of, or relating to, opinion, advice or
recommendation obtained, prepared or recorded, or consultation or deliberation that
has taken place, in the course of, or for the purposes of, the deliberative processes
involved in the functions of:
(a) an agency; or
(b) a Minister; or
(c) the Government of the Commonwealth.
Exceptions
(2) Deliberative matter does not include either of the following:
(a) operational information (see section 8A);
(b) purely factual material.
Paragraph [6.46] of the FOI Guidelines confirms that section 47C of the FOI Act is
characterised by a 3-stage decision making process reflecting the statutory
requirements. Firstly, the decision maker must be satisfied that information within
the scope of the request includes deliberative matter. Secondly, if the decision
maker is satisfied, they are then required to be satisfied that the deliberative matter
was obtained, prepared or recorded in the course of, or for the purposes of,
deliberative processes. Thirdly, the decision maker must be satisfied that the
deliberative processes were involved in the functions exercised by or intended to be
exercised by an Australian Government agency or minister. The decision maker must
be satisfied that each of these requirements is met.
Paragraph [6.47] provides:
Deliberative matter is content that is in the nature of, or relating to either:
• an opinion, advice or recommendation that has been obtained, prepared or
recorded or
• a consultation or deliberation that has taken place, in the course of, or for the
purposes of, a deliberative process of the government, an agency or minister
(s 47C(1)).
Based on my examination of the relevant materials, I am satisfied that the material
meets the definition of deliberative matter, that is not operational information or
purely factual material. I am also satisfied that the relevant material was obtained by
the OAIC either internally from the line areas, or externally from other agencies, for
the purposes of consultation by the FOI delegate (the deliberative process), involved
in the exercise of FOI decision making function under the FOI Act by the OAIC.
For the reasons given above, I consider the relevant documents identified in the
schedule are conditionally exempt under section 47C of the FOI Act.
As section 47C is a conditional exemption, I am also required to consider the
application of a public interest test.
My consideration of the public interest test, in respect of all the material subject to
conditional exemption in this document is discussed below.
Section 47E(d) – Proper and efficient conduct of the OAIC’s operations
I have found material in a number of documents to be exempt under s 47E(d) of the
FOI Act. For a list of the documents to which this exemption was applied, please refer
to the schedule of documents.
The type of material that I have found exempt under s 47E(d) can be described as:
1. Material that provides further information about the data breaches, and the
agencies that were involved, that the FOI delegate had found exempt in the
document at issue in FOIREQ24/00423.
2. Material that I consider is also exempt under s 47C - Courtesy consultation
emails containing reasons and submissions from agencies received by the
OAIC in processing FOIREQ24/00423, in response to the courtesy consultation
request sent by the OAIC, objecting to the release of their information, and
3. Material that I consider is also exempt under s 47C - One sentence contained
in an internal consultation email from the line area within the OAIC to the FOI
delegate, in relation to concerns about the impact on the disclosure, in
response to the FOI delegate comments on sensitivities.
In accordance with section 47E(d) of the FOI Act, I have made a decision to redact
material on the basis that disclosure would or could reasonably be expected to have
a substantial adverse effect on the proper and efficient conduct of the OAIC’s
operations.
Paragraph [6.90] of the FOI Guidelines explains that:
For the grounds in ss 47E(a)–(d) to apply, the predicted effect needs to be
reasonably expected to occur. The term ‘could reasonably be expected’ is
explained in greater detail in Part 5. There must be more than merely an
assumption or allegation that damage may occur if the document were to be
released.
Additionally, at [6.92] the FOI Guidelines further explain:
An agency cannot merely assert that an effect would occur following disclosure.
The particulars of the predicted effect should be identified during the decision
making process, including whether the effect could reasonably be expected to
occur. Where the conditional exemption is relied upon, the relevant particulars
and reasons should form part of the decision maker’s statement of reasons, if
they can be included without disclosing exempt material (s 26, see Part 3).
The term ‘substantial adverse effect’ is explained in the Guidelines (at [6.18]) and it
broadly means ‘an adverse effect which is sufficiently serious or significant to cause
concern to a properly concerned reasonable person’. The word ‘substantial’, taken in
the context of substantial loss or damage, has been interpreted as ‘loss or damage
that is, in the circumstances, real or of substance and not insubstantial or nominal’.
In Paul Farrell and Department of Home Affairs (Freedom of information) (No 2) [2022]
AICmr 49 (8 April 2022), whilst the material found within the documents related to the
Department of Home Affairs’ operations, the Commissioner determined that the
Department had failed to provide sufficient evidence as to why disclosure would have
a substantial and adverse effect on its operations. This decision further reinforces the
position that this provision requires a high threshold as to the substantial and adverse
effect that disclosure would have on an agency’s operations.
In order to determine whether disclosure would, or could reasonably be expected to,
have a substantial adverse effect on the proper and efficient conduct of the operations
of the OAIC, I have taken into consideration the functions and activities of the OAIC.
The OAIC is an independent statutory agency within the Attorney-General’s portfolio,
established under the Australian Information Commissioner Act 2010 (Cth). The OAIC
comprises the Australian Information Commissioner (office currently held by
Elizabeth Tydd), the Privacy Commissioner (office currently held by Carly Kind), the
FOI Commissioner (office currently held by Toni Pirani), and the staff of the OAIC.
Material relevant to the data breaches
While you have agreed to exclude “OAIC reference numbers and details of individual
breach reports. Material that was exempt from disclosure in the above-mentioned
requests.”, I have taken a conservative interpretation of this, as to limit the s 22 out of
scope material to the document at issue in FOIREQ24/00423 only. For example, where
the name of an agency appears in the consultation document, and that name of the
agency was previously found in FOIREQ24/00423 as exempt, I have made a separate
FOI decision in relation to the name of the agency, instead of assuming that you have
agreed to exclude that material in this FOI request.
The OAIC’s functions and powers in administering the NDB Scheme include:
• receiving notifications of eligible data breaches (EDBs);
• encouraging compliance with the NDB Scheme, including by handling
complaints, conducting investigations and taking other regulatory action;
• offering advice and guidance to regulated entities; and
• providing information to the community about the operation of the NDB
Scheme.
Under the NDB Scheme, any organisation or agency covered by the Privacy Act must
notify the OAIC when a data breach is likely to result in serious harm to an individual
whose personal information is involved. While there is a mandatory element to the
NDB scheme, the OAIC also receives notifications from entities of data breaches which
are not EDBs and which are therefore made on a voluntary basis. For example, entities
may wish to notify the OAIC where they are unsure of whether a data breach is an EDB,
or for guidance and reporting purposes even though:
• the entity is not subject to the Privacy Act (such as state or territory
government agencies where the data breach does not involve a tax file
number);
• an exception under ss 26WM, 26WM, 26WP or 26WQ of the Privacy Act applies;
or
• serious harm is not likely to occur as a result of the data breach (per s
26WE(2)(a)(ii) of the Privacy Act).
Further, even where an entity is required to report an EDB to the OAIC, the OAIC’s NDB
form allows for further information to be provided in addition to the information
required under the NDB Scheme. The OAIC’s NDB form states that:
The OAIC encourages entities to provide additional information to assist us in
understanding the eligible data breach. Part two of the form is optional… and
you may request that it be held in confidence by the OAIC.
…
The OAIC will respect the confidence of commercially or operationally sensitive
information provided voluntarily in support of a data breach notification, and
will only disclose this information after consulting with you, and with your
agreement or where required by law.[1]
I consider that it is reasonably likely that if this information were disclosed, reporting
entities would be less detailed and forthcoming in how they disclose this information
to the OAIC. I consider that this would substantially adversely affect the OAIC’s ability
to:
• assess whether the entity has met its obligations under the NDB Scheme, such
as notifying affected individuals;
• assess whether further regulatory action is needed in response to the
notification (for example, commencement of an investigation under the
Privacy Act);
• provide further assistance to affected entities; and
• collect broader information on the causes and impacts of data breaches which
is required for the OAIC to provide timely and effective guidance to entities and
the public.
[1] OAIC Notifiable Data Breach form - for training purposes only
Material relevant to the consultation process
The OAIC performs a range of functions pursuant to both the Privacy Act 1988 (Cth)
(‘Privacy Act’), and the Freedom of Information Act 1982. As a Commonwealth
government agency, the OAIC is also subject to the FOI Act, and processes FOI requests
received by the OAIC in accordance with the requirements of the FOI Act, which
involves:
• receiving FOI requests
• conducting search and retrieval for documents which fall in scope of the FOI
requests
• undertaking third party consultation with external stakeholders where the
documents in scope contain business information or personal information of
third parties
• undertaking courtesy consultation with external government agencies where
the documents in scope contain information concerning these other agencies
• undertaking internal consultation with the relevant business areas or line
areas of the OAIC to understand the impacts of disclosure on the operations of
the OAIC and its relationships with stakeholders and the community, and
• based on the information and consultation responses received, making an FOI
decision within the statutory timeframe.
In my view, the disclosure of the courtesy consultation responses from relevant
agencies and internally would, or could reasonably be expected to undermine the
OAIC’s ability to receive fulsome expressions of concern from entities including
government agencies either at the Commonwealth or state level, that the FOI delegate
at the OAIC needs to consider in making a preferred FOI decision. The FOI delegate, in
processing FOI requests received by the OAIC, requires as much information as
possible from its line areas and from other government agencies, where the
documents in scope contain information of a sensitive nature or belonging to another
government agency, so that the impact of disclosure at the time of each FOI decision
can be weighed and considered carefully, and wholistically, before the final decision
is made.
With internal correspondence, I have made a decision to release the majority of the
material to you to assist with the understanding of the OAIC’s decision making process
and concerns from the line areas which were echoed in the FOI delegate’s final statement
of reasons to her decision in FOIREQ24/00423.
However, where the consultation correspondences came from other agencies, I have
a real concern as to whether disclosure of material of this nature would have a chilling
effect on the courtesy consultation process, and the engagement with the OAIC by
these external agencies, to assist the FOI delegate in making a comprehensive and the
most appropriate FOI decision under the FOI Act, in the future.
I also consider that where a recent FOI decision was made by an FOI delegate (for
example, here in the internal review decision of FOIREQ24/00423), where the FOI
internal review decision maker made a clear finding that certain material in a
document is exempt, the disclosure of the consultation responses in an immediately
subsequent FOI request by the same applicant which contain either the exempt
material, or discussions about the exempt material either as to the identity of the
relevant agencies or the details of the data breaches, would circumvent the FOI
decision making process and render the initial FOI decision where a clear finding,
along with a statement of reasons on why that finding was made, pointless. I do not
consider this is the intended effect of the FOI Act. There are established review
mechanisms to FOI decisions that one can follow.
For these reasons, I consider that disclosure of the relevant material in this case would,
or could reasonably be expected to substantially and adversely affect the proper and
efficient conduct of the OAIC’s functions under FOI Act in the future. As such, I consider
this material is conditionally exempt under s 47E(d) of the FOI Act.
As section 47E of the FOI Act is a conditional exemption, I am also required to consider
the application of a public interest test.
My consideration of the public interest test, in respect of the material subject to
conditional exemption in the documents is discussed below.
Application of the public interest test – (section 11A and 11B)
As provided above, I have considered that material within the document is subject to
conditional exemption under s 47E(d).
Section 11A(5) provides that where a document is considered to be conditionally
exempt, an agency must give the person access to that document unless access at
that time would, on balance, be contrary to the public interest.
This means that I must balance factors for and against disclosure in light of the
public interest.
In the AAT case of Utopia Financial Services Pty Ltd and Australian Securities and
Investments Commission (Freedom of information) [2017] AATA 269, at paragraph 133
of the Decision, Deputy President Forgie explained that:
… the time at which I make my decision for section 11A(5) requires access to be
given to a conditionally exempt document “at a particular time” unless doing so is,
on balance, contrary to the public interest. Where the balance lies may vary from
time to time for it is affected not only by factors peculiar to the particular
information in the documents but by factors external to them.
The FOI Act sets out 4 factors favouring access that must be considered if relevant.
They are that disclosure would:
a. promote the objects of the FOI Act
b. inform debate on a matter of public importance
c. promote effective oversight of public expenditure
d. allow a person to access his or her personal information (s 11B(3)).
Of these factors, I consider the following to be relevant in this case:
• promote the objects of the FOI Act, and
• inform debate on a matter of public importance.
In addition to these factors favouring disclosure, I have also considered that the
following factors in favour of disclosure apply:
• disclosure would enhance scrutiny around government decision making, and
• disclosure would better inform a matter of public importance or debate.
Section 11B(4) of the FOI Act provides factors which are not to be taken into account
in , which I have had regard to. Section 11B does not further prescribe the factors
against disclosure to be considered. In considering the documents subject to this
request, I consider that the following factors do not favour disclosure:
• disclosure could reasonably be expected to prejudice the OAIC’s ability to
obtain confidential information;
• disclosure could reasonably be expected to prejudice the OAIC’s ability to
obtain similar information in the future; and
• disclosure could reasonably be expected to prejudice the OAIC’s ability to
administer the NDB Scheme.
• disclosure would have an adverse effect on the OAIC’s proper and efficient
operations relating to receiving comprehensive submissions and responses
from Australian Government agencies as part of the courtesy consultation
response in processing FOI requests.
I have also considered FOI Guideline material provided at paragraphs [6.46] to [6.78],
relevant AAT decisions including Secretary, Dept of Prime Minister and Cabinet and
Secretary, Dept of Infrastructure and Regional Development and Sanderson [2015]
AATA 361, and the recent Information Commissioner decisions of Seven Network
Operations Limited and Australian Human Rights Commission [2021] AICmr 66 (10
November 2021) which discuss the application of this conditional exemption
provision. In both decisions whilst the material itself was identified as deliberative,
there was not sufficient evidence to prove that disclosure of the material would be
contrary to the public interest, particularly in circumstances where a significant
passage of time had passed since the material was the subject of active deliberation.
This is distinguished from the current case where there has not been a significant
passage of time for me to reach a conclusion that is different to the FOI delegate in
the internal review decision of FOIREQ24/00423, a decision that was provided to you
on 25 September 2024.
While I consider the disclosure of the consultation responses both internally and
those received by the OAIC from external government agencies would increase
transparency in OAIC’s FOI decision making, based on the information before me at
this time, I have concerns that disclosure of the nature and specific details of the
information in a public forum such as via Right to Know, is likely to prejudice the
OAIC’s ability to gather similar information as fulsome and detailed as those
provided, either as part of the NDB reporting scheme, or as part of the consultation
processes to enable the OAIC to make a well-considered FOI decision in the future.
Agencies are likely to be reticent to provide the OAIC with all of this information
where there is a likelihood such information could be published to the world at large.
I also consider that it is of greater public interest that the OAIC is able to fully engage
with agencies whose information is captured in the documents in scope of an FOI
request. I consider the OAIC’s ability to receive timely, full and frank consultation
responses about the impact of disclosure of certain material and how that affects the
Commonwealth as a whole of high importance in order for the OAIC to discharge its
obligations in quality decision making under the FOI Act. Similarly, I also give
significant weight to minimising the prejudice to the OAIC’s existing NDB reporting
process that is likely to be affected if agencies which are not required to report to the
OAIC under the existing NDB scheme and voluntarily share more information, have
such information disclosed.
In ‘PD’ and Australian Skills Quality Authority (Freedom of information) [2018] AICmr 57,
former Information Commissioner Falk affirmed ASQA’s FOI decision where it found
consultation responses received from a third party following a consultation process,
which took place in the course of ASQA processing the FOI request, to be exempt under
s 47C. In assessing public interest factors for and against disclosure, the Commissioner
accepted ASQA’s submissions that “…release of third-party consultation documents
would deter third parties from exercising their right to provide a detailed response and
adequately record their objection should that information then be available under
subsequent FOI requests. The release of information under these circumstances is
liable to have a chilling effect on the flow of information to ASQA and may frustrate
the intent of the FOI Act in providing the opportunity for consultation.” In that decision,
the former Commissioner gave greater weight to the factors against disclosure, in
particular “the potential detriment to the effectiveness of ASQA’s ongoing decision-
making and deliberative processes regarding the processing of FOI requests” [at
paragraph 36]. I consider a similar finding can be made in relation to the relevant
material in this FOI request.
Having balanced the abovementioned factors against the public interest in
protecting the proper and efficient conduct of the OAIC’s function under the NDB
Scheme and the FOI Act, I consider the public interest factors against disclosure to be
more persuasive than the public interest factors favouring disclosure.
Disclosure log decision
Section 11C of the FOI Act requires agencies to publish online documents released to
members of the public within 10 days of release, except if they contain personal or
business information that would be unreasonable to publish.
I have made a decision to publish the documents subject to your request on the
OAIC’s disclosure log.
Release of document
The documents are enclosed for release.
Please see the following page for information about your review rights.
Yours sincerely,
Margaret Sui
Principal Lawyer
12 November 2024
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5288
SYDNEY NSW 2001
Alternatively, you can submit your application by email to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Review Tribunal (ART).
You may apply to the Information Commissioner for a review of my decision (IC
review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for
IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the ART, the Information
Commissioner may decide not to undertake an IC review.
Section 57A of the FOI Act provides that, before you can apply to the ART for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5288
SYDNEY NSW 2001
Or by email to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page
on our website.