Privacy and data security

• 86 privacy complaints were made to OVIC (down 19% from previous year)
  • 69% of which were finalised by OVIC
  • 31% were referred to VCAT

• 159 data breach notifications were made to OVIC (up 66%)
• 373 security incident notifications were made to OVIC
  • 73% involved soft copies (information format)
  • 82% impacted confidentiality (security attribute)
  • 74% compromised personal information (type of information)

Freedom of Information

A record 42,249 FOI requests were made to Victorian agencies (127 in total)

• 607 OVIC reviews, taking an average of 118 days to finalise
• 739 OVIC complaints, taking an average of 61 days to finalise
• The top 30 agencies received 84% of all requests

Common matters / exemptions raised:

• s 25A(5) – where a request can be refused because it is apparent from the nature of the request that all of the documents sought are exempt
• s 25A(1) – where a request can be refused because the work involved in processing it would substantially and unreasonably divert the resources of the agency from its other operations
• s 38 – documents to which secrecy provision of enactments apply (including as a response to the treatment of confidential information under the Local Government Act 2020)
• s 33 - documents affecting personal privacy
• s 30 - internal working documents
• s 31 - law enforcement documents
• s 35 - documents containing materials obtained in confidence

OVIC was notified of 68 VCAT review applications (up 19.3%), 48% of which were by agencies.

However, separate data provided to OVIC by agencies indicated that there were 190 VCAT review applications. This suggests that agencies are not notifying OVIC of all VCAT applications as required by s 50(3F) and (3FA) of the FOI Act. The data also indicated that VCAT made 32 decisions, of which the agency decision was confirmed in 26 of them, varied in five and overturned in only one.