Documents relating to notification of privacy breach by Commonwealth Bank (CBA) to OAIC and OAIC’s advice to CBA that it did not intend to inquire further about breach
Dear Office of the Australian Information Commissioner,
Jenny Noyes, a journalist with Fairfax Media, had her article published by Fairfax Media on 2 May 2018, about 20 million bank account records having been ‘lost’ by the Commonwealth Bank (CBA) in 2016, circumstances that CBA could not verify had not fallen into third party hands.
In that article Ms Jenny Noyes writes:
“CBA says it discussed the decision not to inform customers with the Office of the Australian Information Commissioner, and that OAIC advised it would not pursue the issue further.
But this week, the OAIC [after having been contacted by the media about the privacy breach] contacted CBA again, requesting additional information on the matter and the course of action undertaken by the bank”
Under FOI I seek copy of the RESOLVE case management record that relates to this enquiry/notification by CBA to the OAIC.
I also seek separately copy of any document from the OAIC to the CBA that advises the CBA of the OAIC’s views on this breach (especially the referred to advice that the OAIC “would not pursue the issue further” and requests from the OAIC to the CBA for indormation or documents relating to the circumstances of this breach/notification).
If there are any internal executive briefings to the Commissioner on the CBA privacy breach, I seek copy of that too.
Yours faithfully,
Verity Pane
Dear Ms Pane
Your Freedom of Information request
I refer to your request for access to documents, made under the Freedom of
Information Act 1982 (Cth) (FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 3 May 2018 (attached).
You sought access to the following documents:
… copy of the RESOLVE case management record that relates to [the CBA data
breach in 2016] by CBA to the OAIC.
… copy of any document from the OAIC to the CBA that advises the CBA of
the OAIC’s views on this breach (especially the referred to advice that
the OAIC “would not pursue the issue further” and requests from the OAIC
to the CBA for indormation [sic] or documents relating to the
circumstances of this breach/notification).
… any internal executive briefings to the Commissioner on the CBA privacy
breach, …
Timeframes for dealing with your request
Section 15 of the FOI Act requires the OAIC to process your request no
later than 30 days after the day we receive it.
The OAIC received your request on 3 May 2018 and must therefore process it
by Monday 4 June 2018 (because the due date is Saturday 2 June 2018, s
36(2) of the Acts Interpretation Act 1901 has effect so that the decision
is due on the next working day after the due date).
Section 15(6) of the FOI Act allows the OAIC a further 30 days if we need
to consult with third parties about certain information, such as business
documents or documents affecting their personal privacy. We will advise
you if this is necessary.
Disclosure Log
Information released under the FOI Act may later be published online on
our [1]disclosure log, subject to certain exceptions (for example,
personal information will not be published where this would be
unreasonable.)
If you have any questions, please feel free to contact me.
Kind regards
Brandon Chen | Investigation and Review Officer | FOI Dispute Resolution
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | [2]www.oaic.gov.au
Phone: +61 2 9284 9726 | Email: [3][email address]
Protecting information rights – advancing information policy
[4]OAIC banner for email sig
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. https://oaic.gov.au/about-us/access-our-...
2. http://www.oaic.gov.au/
3. mailto:[email address]
Dear Brandon Chen,
Thank you for your acknowledgement. I suspect this application may also be similar or identical to other recent FOI requests, but due to the recent nature of the article, have not finished and therefore are not in the FOI Disclosure log.
Yours sincerely,
Verity Pane
Dear Ms Pane
Freedom of information request no. FOIREQ18/00045
I refer to your request, made under the Freedom of Information Act 1982
(FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 3 May 2018.
Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.
For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on Monday 2 July 2018.
The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.
At this time we do not have your permission to release your name to any
person or business we consult. Please advise if you consent to your name
being disclosed during consultation.
Kind regards,
Brandon Chen | Investigation and Review Officer | FOI Dispute Resolution
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | [1]www.oaic.gov.au
Phone: +61 2 9284 9726 | Email: [2][email address]
[3]57328-OAIC---PAW-Design-Work_email-sig_FA_small
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. http://www.oaic.gov.au/
2. mailto:[email address]
3. https://www.oaic.gov.au/paw2018/
Dear Brandon Chen,
Prompt and effective consultation with relevant parties about an FOI access request is essential to good administration. Disappointing the OAIC waited two weeks before starting.
Yes, my name can be provided to the Commonwealth Bank, not that it is particularly relevant.
Yours sincerely,
Verity Pane
Dear Ms Pane
The OAIC’s decision in relation to the FOI request you made on 3 May 2018
is attached.
Regards
Raewyn Harlock | Assistant Director | FOI Dispute Resolution
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | [1]www.oaic.gov.au
Phone: +61 2 9284 9802 | Email: [2][email address]
Protecting information rights – advancing information policy
[3]OAIC banner for email sig
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. http://www.oaic.gov.au/
2. mailto:[email address]
Dear Raewyn Harlock,
You have released a decision granting partial release, yet you have not provided any such partial release with your decision.
It is deeply disappointing that the OAIC, an organisation whose role and purpose is allegedly to promote and protect reasonable personal privacy and freedom of information for individuals, spends far more time undermining those purposes than protecting and preserving them, including in the disreputable practice of issuing decisions without the documents or parts of documents approved for release, which highlights the dangers of a so called watchdog who is far too much in bed with those it is meant to be watching.
For that reason I will be marking this response as a refusal, especially given the excessive delay involved, with extremely late consultation period opened (almost on expiry of statutory period) and a general go slow and friction injection by the OAIC.
There is not much public benefit to the OAIC if it simply makes a mockery of that which it is supposed to set the reference standard for.
Yours sincerely,
Verity Pane
Dear Ms Pane
[1]Section 27(7) of the Freedom of Information Act 1982 (FOI Act) prevents
the OAIC from releasing documents until the affected third party’s
opportunities for review or appeal have run out.
Further information about third party appeal rights can be found on the
OAIC’s website:
1.
[2]https://www.oaic.gov.au/freedom-of-infor....
2.
[3]https://www.oaic.gov.au/freedom-of-infor...
Raewyn Harlock | Assistant Director | FOI Dispute Resolution
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | [4]www.oaic.gov.au
Phone: +61 2 9284 9802 | Email: [5][email address]
Protecting information rights – advancing information policy
[6]OAIC banner for email sig
-----Original Message-----
From: Verity Pane <[FOI #4555 email]>
Sent: Monday, 2 July 2018 6:12 PM
To: Raewyn Harlock <[email address]>
Subject: Re: FOIREQ18/00045 - Decision on FOI request [SEC=UNCLASSIFIED]
Dear Raewyn Harlock,
You have released a decision granting partial release, yet you have not
provided any such partial release with your decision.
It is deeply disappointing that the OAIC, an organisation whose role and
purpose is allegedly to promote and protect reasonable personal privacy
and freedom of information for individuals, spends far more time
undermining those purposes than protecting and preserving them, including
in the disreputable practice of issuing decisions without the documents or
parts of documents approved for release, which highlights the dangers of a
so called watchdog who is far too much in bed with those it is meant to be
watching.
For that reason I will be marking this response as a refusal, especially
given the excessive delay involved, with extremely late consultation
period opened (almost on expiry of statutory period) and a general go slow
and friction injection by the OAIC.
There is not much public benefit to the OAIC if it simply makes a mockery
of that which it is supposed to set the reference standard for.
Yours sincerely,
Verity Pane
-----Original Message-----
Dear Ms Pane
The OAIC’s decision in relation to the FOI request you made on 3 May 2018
is attached.
Regards
Raewyn Harlock | Assistant Director | FOI Dispute Resolution
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 |
[1][7]https://apac01.safelinks.protection.outl...
Phone: +61 2 9284 9802 | Email: [2][email address]
Protecting information rights – advancing information policy
[3]OAIC banner for email sig
References
Visible links
1.
[8]https://apac01.safelinks.protection.outl...
2. [9]mailto:[email address]
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[10][FOI #4555 email]
This request has been made by an individual using Right to Know. This
message and any reply that you make will be published on the internet.
More information on how Right to Know works can be found at:
[11]https://apac01.safelinks.protection.outl...
If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. http://www8.austlii.edu.au/cgi-bin/viewd...
2. https://www.oaic.gov.au/freedom-of-infor...
3. https://www.oaic.gov.au/freedom-of-infor...
4. http://www.oaic.gov.au/
5. mailto:[email address]
7. https://apac01.safelinks.protection.outl...
8. https://apac01.safelinks.protection.outl...
9. mailto:[email
10. mailto:[FOI #4555 email]
11. https://apac01.safelinks.protection.outl...
Dear Raewyn Harlock,
Gaming, and nothing more - the OAIC has ensured the slowest possible path by gaming when it enters each respective stage, starting the the third party consultation stage only being commenced by the OAIC at the last second, leading to further knock on delays, for what ultimately be releases do meaningless as to be useless due to heavy handed redactions (not unlike earlier OAIC FOI decisions).
The hub of the matter is that Australia’s FOI Act has large exploit holes, which a hostile culture within the public service take advantage, to defeat the aims, objectives and purposes of the Freedom of Information Act. The extremely low standards that the OAIC and other agencies set make a mockery of the concept of transparency and accountability, and are mired in what is effectively a closed information access system.
Even our nearest neighbours New Zealand have a vastly superior scheme and orientation to open information access, unlike Australia, not to mention a regulator that, unlike the OAIC, lifts standards and does not actively take part in subverting them.
The conclusion to be draw is that despite the intentions behind the creation of the OAIC, history has shown the OAIC has quickly abandoned the objectives and aims that were its purpose, and effectively has betrayed them, becoming little more than a PR puff piece whose sole objective is keeping industry and the public service comfortable and happy with it, while the OAIC becomes the most opaque and ineffective body in the FOI/Privacy field.
Lowering standards, not lifting them. I think that is most disappointing and a waste of taxpayer resources (especially given the OAIC has been also ineffective at reducing the number of data breaches in industry and public sector fields and again plays little more than a PR role here, to allude to a level of reassurance to the public that simply does not exist).
Yours sincerely,
Verity Pane
Dear Raewyn Harlock,
I should also like to add the scope of my FOI made quite clear, contrary to the way your FOI decision (sans documents) framed it, that I was not interested in any document or details of CBA staff given to the OAIC by CBA (included the ‘secret’ folder), but was solely and explicitly centering the scope of my FOI on the communications from the OAIC to CBA, specifically:
* The OAIC documents from the OAIC to the CBA that originally told the CBA not to worry about the data breaches and that the OAIC would not be enquiring further (as reported in the media);
* OAIC documents relating to the logic/reasoning of that decision;
* OAIC documents that relate or detail the reversal of that decision following the media having contacted the OAIC on the CBA data breach, and documents that relate to the the renewed notice from the OAIC to CBA that it now sought additional information (reopening of the data breach enquiries);
* OAIC documents relating to or detailing the logic or reasoning of reversal of that original decision not to enquire.
My purpose is to identify why the OAIC first decided to not investigate the CBA data breach, until the media started asking questions, which then prompted the OAIC to reopen the matter and make further enquiries (it appears, simply because what was not known to anyone other than the CBA and the OAIC, had suddenly been leaked to the media by a concerned party within the OAIC).
I think it is a relevant question the OAIC needs to come clean on, and yet instead the OAIC has misleading tried to reframe my FOI and cause it to be repeatedly delayed and frustrated. Which only gives rise to the inference that the OAIC is covering up a breach of its statutory duties.
Yours sincerely,
Verity Pane
Dear Ms Pane
I refer to your freedom of information request of 3 May 2018.
I attach the documents in relation to your request.
If you have any queries, please contact us.
Regards
Caitlin Emery
Caitlin Emery | Senior Lawyer | Legal Services
Office of the Australian Information Commissioner
Level 3, 175 Pitt Street, SYDNEY NSW 2000
GPO Box 5218 SYDNEY NSW 2001| [1]www.oaic.gov.au
Phone: +61 2 8231 4225 | E-mail: [2][email address]
Protecting information rights – advancing information policy
[3]OAIC banner for email sig
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. http://www.oaic.gov.au/
2. mailto:[email address]
Dear Office of the Australian Information Commissioner,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Office of the Australian Information Commissioner's handling of my FOI request 'Documents relating to notification of privacy breach by Commonwealth Bank (CBA) to OAIC and OAIC’s advice to CBA that it did not intend to inquire further about breach'.
The long delayed and very limited FOI release, which has copious s 47E(d) redactions, simply does not provide sufficient evidence to justify the very global and diffuse claims referred to in the earlier FOI decision letter, that their release would, or could reasonably be expected to, have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.
It is insufficient to merely assert that the OAIC can pick and choose that which it wants to release, on the basis that future reporting may be impaired, without giving reasons as to how the each specific redaction would impair that (having released information on this matter previously, including in coordinating with CBA for media release responses to journalist enquiries, it cannot be said to be a confidential matter, and no personal information component has been shown either).
The OAIC states in its own policy documents that it will act with transparency and accountability in its activities, yet in practice pays only lip service, having secret arrangements with the parties it is meant to investigate/supervise.
I therefore seek internal review to obtain a proper statement of reasons that addresses the evidentiary grounds for each specific s 47E(d) redaction and why it qualifies (what nature of the information disclosed in each individual s 47E(d) redaction would prevent disclosure in future).
I am also curious why it appears the OAIC lets the data breach notifier determine the risk of breach, without further enquiries or independent investigation (given the impartiality of the breach notifier is obviously impaired, given their self interest).
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/d...
Yours faithfully,
Verity Pane
Dear Ms Pane
I refer to your application for internal review received on 2 August 2018. The reference number for this review is FOIREQ18/00103.
The processing period will expire on 3 September 2018.
Regards
Cate Cloudsdale | Senior Lawyer | Legal Services
Office of the Australian Information Commissioner
Level 3, 175 Pitt Street, SYDNEY NSW 2000
GPO Box 5218 SYDNEY NSW 2001| www.oaic.gov.au
Phone: +61 2 8231 4249 | E-mail: [email address]
Protecting information rights – advancing information policy
-----Original Message-----
From: Verity Pane <[FOI #4555 email]>
Sent: Thursday, 2 August 2018 6:04 PM
To: FOIDR <[email address]>
Subject: Internal review of Freedom of Information request - Documents relating to notification of privacy breach by Commonwealth Bank (CBA) to OAIC and OAIC’s advice to CBA that it did not intend to inquire further about breach
Dear Office of the Australian Information Commissioner,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Office of the Australian Information Commissioner's handling of my FOI request 'Documents relating to notification of privacy breach by Commonwealth Bank (CBA) to OAIC and OAIC’s advice to CBA that it did not intend to inquire further about breach'.
The long delayed and very limited FOI release, which has copious s 47E(d) redactions, simply does not provide sufficient evidence to justify the very global and diffuse claims referred to in the earlier FOI decision letter, that their release would, or could reasonably be expected to, have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.
It is insufficient to merely assert that the OAIC can pick and choose that which it wants to release, on the basis that future reporting may be impaired, without giving reasons as to how the each specific redaction would impair that (having released information on this matter previously, including in coordinating with CBA for media release responses to journalist enquiries, it cannot be said to be a confidential matter, and no personal information component has been shown either).
The OAIC states in its own policy documents that it will act with transparency and accountability in its activities, yet in practice pays only lip service, having secret arrangements with the parties it is meant to investigate/supervise.
I therefore seek internal review to obtain a proper statement of reasons that addresses the evidentiary grounds for each specific s 47E(d) redaction and why it qualifies (what nature of the information disclosed in each individual s 47E(d) redaction would prevent disclosure in future).
I am also curious why it appears the OAIC lets the data breach notifier determine the risk of breach, without further enquiries or independent investigation (given the impartiality of the breach notifier is obviously impaired, given their self interest).
A full history of my FOI request and all correspondence is available on the Internet at this address: https://apac01.safelinks.protection.outl...
Yours faithfully,
Verity Pane
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[FOI #4555 email]
This request has been made by an individual using Right to Know. This message and any reply that you make will be published on the internet. More information on how Right to Know works can be found at:
https://apac01.safelinks.protection.outl...
If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
Dear Ms Pane
Please see attached my decision in relation to your request for internal
review of an FOI decision, dated 2 August 2018 (our reference
FOIREQ18/00103) and related document.
Regards
Cate Cloudsdale | Senior Lawyer | Legal Services
Office of the Australian Information Commissioner
Level 3, 175 Pitt Street, SYDNEY NSW 2000
GPO Box 5218 SYDNEY NSW 2001| [1]www.oaic.gov.au
Phone: +61 2 8231 4249 | E-mail: [2][email address]
Protecting information rights – advancing information policy
[3]OAIC banner for email sig
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
References
Visible links
1. http://www.oaic.gov.au/
2. mailto:[email address]
Dear Cate,
I acknowledge your decision of today, which made slight reduction of the a few of the previous many redactions.
As stated in the scope of this FOI, which excluded any CBA documents received by the OAIC and was solely focused on what the OAIC did in response, the purpose was to understand the reasons why:
a) the OAIC originally decided no further enquiries where to be made about the loss of a large volume of the personal information of CBA account holder, but then
b) reversed that position following media enquiries (only to drop it again after the media moved on).
While redactions were heavy handed, it was useful to identify that the OAIC worked collaboratively with the CBA on their press response, to support the CBA’s position (which is a role I did not know the OAIC did for APP entities).
However, despite seeking these global and vague exemption statements to be linked specifically to each particular redaction, and to give some logic to how the claimed outcomes would arise from the specific redactions, you simply repeated the same global and vague exemption claims.
It is apparent the OAIC wish to be opaque here, and will not provide any transparency, which undermines the OAIC really (especially given the criticisms of the OAIC as being far too in bed with APP entities, lacking the balance needed by a regulator).
While it could be taken further, the time and resources involved (which is years now at the AAT) would far outweigh that to be gained, so you may now close this FOI.
Yours sincerely,
Verity Pane
Verity Pane left an annotation ()
It’s taken over two months to effectively get nothing - and even that which has been partially marked for release is so censored that it may as well be nothing anyway. Compared to Europe (and even the US) freedom of information practice in this country should be charged with misleading conduct abuse (because it is so frequently abused by agencies, and is more aptly freedom FROM information).