Our reference: FOIREQ24/00651
Nosey Rosey
By email
: xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Freedom of Information Request – FOIREQ24/00651
Dear Nosey Rosey,
I refer to your request for access to documents made under the
Freedom of
Information Act 1982 (Cth) (the FOI Act). Your Freedom of Information (FOI request)
was received by the Office of the Australian Commissioner (OAIC) on 14 December
2024.
I am writing to inform you of my decision. I have made the decision to refuse your
request on the basis that documents cannot be found or do not exist.
In accordance with s 26(1)(a) of the FOI Act, the reasons for my decision and findings
on the material questions of fact are provided below.
Background
Scope of your initial FOI request
Your FOI request sought access to the following information:
“…
I seek access to any and all documents, records, data, and supporting
material held by [Name of Agency] concerning the sharing of personal
information originating from the Department of Veterans’ Affairs (DVA) over the
last ten years. This includes any data transfers from or to the DVA, whether they
were one-off exchanges or ongoing, systematic transfers of DVA client
information, including personal, medical, financial, or service-related details
concerning veterans or their dependents.
1300 363 992
T +61 2 9284 9749
GPO Box 5218
www.oaic.gov.au
xxxxxxxxx@xxxx.xxx.xx
F +61 2 9284 9666
Sydney NSW 2001
ABN 85 249 230 937
I am interested in obtaining a comprehensive understanding of what DVA client
information [Authority name] has received or accessed and for what purposes.
Specifically, I request:
All records of data sharing arrangements between DVA and [Authority name],
including but not limited to memoranda of understanding, service-level
agreements, emails, letters, meeting minutes, file transfer logs, internal reports,
and instructions that outline what data was shared, when it was shared, and
the format or system used for the transfer.
Any policies, procedures, guidelines, or frameworks that govern how [Authority
name] requests, obtains, stores, handles, or uses DVA client information. This
includes documents that detail the criteria for approving access to such data,
any consent or authorization processes, security controls, and retention or
destruction policies.
Copies of any ethics committee approvals, privacy impact assessments, internal
review board decisions, or other documents that reflect deliberations or
authorizations for obtaining DVA client information. This includes records that
show the agency considered the ethical, legal, or privacy implications of
receiving or using DVA client data.
Documents that outline the intended uses or practical applications of the DVA
client data, such as project proposals, business cases, internal strategy papers,
or briefings that explain why [Authority name] sought access to this
information, how it was intended to be integrated into the agency’s operations,
and any expected outcomes or benefits.
A representative sample (in a suitably de-identified or redacted form) of the
data or data fields received, so long as providing this sample does not breach
any exemption under the FOI Act. The purpose is to understand the nature and
granularity of the information shared, without disclosing identifiable personal
details.
2
If the only data [Authority name] received pertains solely to data linked to the
Centrelink Confirmation eServices (CCeS) arrangements as described at
https://www.servicesaustralia.gov.au/centrelink-confirmation-eservices-cces,
and there were no other forms of DVA data shared, then no CCeS-related data
needs to be provided under this request.”
On 18 December 2024, we requested that you clarify points of your request, and on
30 December 2024, you responded and stated the following:
“Exclusivity to DVA
My request pertains specifically to documents relating to data sharing or
transfers involving the Department of Veterans’ Affairs (DVA) and the OAIC. It
does not include general information that applies broadly to other agencies.
Particular Client Information
The request does not seek access to any specific individual client information.
Instead, it focuses on systematic or broad data-sharing arrangements and
governance frameworks involving DVA client information.
Data Fields
The reference to "data fields" in my request relates to a de-identified or
redacted sample of the types of data shared between DVA and the OAIC.
Examples might include categories such as name, service status, medical
details, or financial information if applicable to shared datasets.
Timeframe
The timeframe for my request is the last ten years (14 December 2014 to 14
December 2024). I am not limiting this to current policies or procedures.
Specific Documents
While I do not have specific documents in mind, I am seeking any relevant:
3
MOUs or agreements governing data sharing with DVA, Policies or guidelines for
managing DVA client information, Privacy or impact assessments related to
such data, and Internal reports or evaluations outlining the purpose or
implications of receiving DVA client data.
Exclusions
I confirm that the following may be excluded to streamline processing:
Duplicate documents or earlier parts of email chains captured in later
correspondence, Individual-level complaint records or files.”
Your revised FOI request
On 9 January 2025, we advised you that we believed a practical refusal reason
existed in relation to the scope of your request. We advised that this was because we
considered that the work involved in processing your request would substantially
and unreasonably divert the resources of the OAIC from its usual operations. This
was due to the size and scope of the request, and that we could not sufficiently
identify the documents that you were requesting.
On 15 January 2025, the following revised scope for your FOI request was proposed
to you:
“Any documentation, policies and procedures outlining formal and systemic
data-sharing arrangements exclusively between the OAIC and the DVA over the
last 10 years.”
On 19 January 2025, you responded to our correspondence and agreed to proceed
with this revised FOI request.
Request timeframe
Your request was made on 14 December 2024. This means that a decision on your
initial request was due on 13 January 2025.
On 9 January 2025, we consulted with you under s 24AB of the FOI act. During this
time, the due date for the decision was paused. As the consultation period ended on
19 January 2025, a decision on your request is due to be decided by 23 January 2025.
4
Decision and reasons for decision
I am an officer authorised under s 23(1) of the FOI Act to make decisions in relation to
FOI requests on behalf of the OAIC.
I have made the decision to refuse your request on the basis that documents cannot
be found or do not exist.
Material taken into account
In making my decision, I have had regard to the following:
• your FOI request dated 14 December 2024, your comments dated 30
December 2024, and the subsequent revised scope of your FOI request agreed
on 19 January 2025.
• the FOI Act, in particular, sections 3, 11, 11A, 15, 26, and 24A of the FOI Act.
• the Guidelines issued by the Australian Information Commissioner under s
93A of the FOI Act to which regard must be had in performing a function or
exercising a power under the FOI Act (FOI Guidelines)
• consultation with line areas and staff of the OAIC in relation to your FOI
request
Documents cannot be found, do not exist or have not been received – Section 24A of
the FOI Act
Section 24A(1) of the FOI Act provides that an agency may refuse a request for access
to documents requested under the FOI Act if all reasonable steps have been taken to
find the document, and the agency is satisfied that the document cannot be found,
or that the documents do not exist.
I have made the decision to refuse your request under s 24A of the FOI Act on the
basis that all reasonable steps have been taken to find the documents you have
requested, and no documents could be found.
The FOI Act requires that all reasonable steps have been taken to locate documents
within scope of an FOI request. I have detailed the relevant searches undertaken by
the OAIC below.
Searches Undertaken
In response to your request, the following line areas and staff of the OAIC conducted
reasonable searches for documents relevant to you request:
• the Compliance Branch
5
• the Information Management Branch, and
• the Enabling Services Branch
Searches were conducted across the OAIC’s various document storage systems
including:
• the OAIC’s case management system – Resolve
• the OAIC’s document holding system – Content Manager
• the OAIC’s email system, and
• general computer files
The following search terms were used when undertaking electronic records
searches:
“DVA”
“Department of Veterans Affairs”
“DVA agreement”
“Department of Veterans Affairs Agreement”
“DVA” and “Data”
“DVA and “Agreement”
The line areas provided the following information as to why documents could not be
found, or do not exist:
“We’re not aware of any such agreements and don’t believe the compliance
team would have any more visibility of such an agreement than any other team
in the agency. We haven’t done any formal assessment programs of the DVA…”
“Reviewed files in Resolve (document type “Legal”, “Guidance”, search terms
“DVA”, Department of Veterans Affairs”) and was unable to locate any
documents that referred to data sharing arrangements with DVA.”
“I understand the FOI request is seeking a data sharing agreement between the
OAIC and DVA. The privacy policy is an overarching policy that applies to all
individuals and entities that engage with OAIC. In this regard, DVA would be
subject to the privacy policy”
Having consulted with the relevant line areas and having undertaken a review of the
records of the various search and retrieval efforts, I am satisfied that a reasonable
search has been undertaken in response to your request and that no relevant
documents could be found.
6
link to page 7
As noted by OAIC staff, DVA would be subject to the OAIC’s privacy polic
y1 and the
Privacy Act 1988 when engaging with the OAIC and providing information and data.
This privacy policy also outlines how the OAIC will handle information obtained from
the DVA and other agencies. The OAIC has not identified any other agreements that
would fall within the scope of your request.
Conclusion
Based on the terms of your request and searches undertaken, I am satisfied that all
reasonable steps have been taken to find documents that fall within the scope of
your request and am satisfied that the documents do not exist.
I have made the decision to refuse your request for access to documents under s
24A(1)(b)(ii) of the FOI Act, on the basis that no documents exist.
Please see the following page for information about your review rights in relation to
this FOI request.
Yours sincerely,
Lachlan Smith-Marks
Governance, Risk and Compliance Officer (FOI and Privacy)
1 Privacy policy | OAIC.
7
If you disagree with my decision
Internal review
You have the right to apply for an internal review of my decision under Part VI of the
FOI Act. An internal review will be conducted, to the extent possible, by an officer of
the OAIC who was not involved in or consulted in the making of my decision. If you
wish to apply for an internal review, you must do so in writing within 30 days. There
is no application fee for internal review.
If you wish to apply for an internal review, please mark your application for the
attention of the FOI Coordinator and state the grounds on which you consider that
my decision should be reviewed.
Applications for internal reviews can be submitted to:
Office of the Australian Information Commissioner
GPO Box 5228
SYDNEY NSW 2001
Alternatively, you can submit your application by email
to xxx@xxxx.xxx.xx, or by fax
on 02 9284 9666.
Further review
You have the right to seek review of this decision by the Information Commissioner
and the Administrative Reviews Tribunal (ART).
You may apply to the Information Commissioner for a review of my decision (IC
review). If you wish to apply for IC review, you must do so in writing within 60 days.
Your application must provide an address (which can be an email address or fax
number) that we can send notices to, and include a copy of this letter. A request for
IC review can be made in relation to my decision, or an internal review decision.
It is the Information Commissioner’s view that it will usually not be in the interests of
the administration of the FOI Act to conduct an IC review of a decision, or an internal
review decision, made by the agency that the Information Commissioner heads: the
OAIC. For this reason, if you make an application for IC review of my decision, and the
Information Commissioner is satisfied that in the interests of administration of the
Act it is desirable that my decision be considered by the ART, the Information
Commissioner may decide not to undertake an IC review.
8
Section 57A of the FOI Act provides that, before you can apply to the ART for review
of an FOI decision, you must first have applied for IC review.
Applications for IC review can be submitted online at:
https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=ICR_
10
Alternatively, you can submit your application to:
Office of the Australian Information Commissioner
GPO Box 5228
SYDNEY NSW 2001
Or by email
to xxxxx@xxxx.xxx.xx, or by fax on 02 9284 9666.
Accessing your information
If you would like access to the information that we hold about you, please contact
xxx@xxxx.xxx.xx. More information is available on the Access our information page
on our website.
9
