Recent News in FOI and Privacy
Here is a snapshot of recent news in FOI and Privacy for Victorian government agencies.
A Reflection on Privacy Awareness Week
As part of Privacy Awareness Week (2-8 May 2022), nationally across our Maddocks offices, we brought you a series of articles and podcasts inspired by the 2022 theme ‘Privacy: The foundation of trust’. You can find these on our website.
Some key prompts included:
- Is privacy and cybersecurity a senior management concern?
- Is your data breach response plan regularly reviewed and kept up to date?
- Do you have appointed privacy and cyber champions throughout the business?
- When was the last time you conducted a data mapping exercise to understand the personal information you actually hold and how it is collected, used, disclosed and handled?
- Do you provide regular training and education which is ‘fit for purpose’ at all levels, from front line staff (such as phishing email campaigns) to the executive (e.g. hypothetical scenarios)?
Recent case on cybersecurity obligations
The Federal Court of Australia has found a company failed to maintain adequate cybersecurity controls in breach of the Corporations Act 2001 (Cth): Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496.
While not brought under the Privacy and Data Protection Act 2014 (Vic) (PDP Act), which is the key privacy law applying to Victorian government agencies, it is still of note as it deals with what is required to address security risks.
The company held an Australian Financial Services Licence and its business was targeted in cybersecurity attacks. The Australian Securities and Investments Commission (ASIC) brought proceedings against it alleging it had breached its cybersecurity obligations.
Shortly before trial the parties negotiated agreed settlement terms, which were confirmed by the Court. The company acknowledged historic contraventions arising from its delay in implementing adequate cybersecurity risk management systems. The Court stated cybersecurity risk formed a significant risk connected with the conduct of the business and, while it was is not possible to reduce cybersecurity risk to zero, it was possible to materially reduce cybersecurity risk to an acceptable level through adequate documentation and controls.
For Victorian government agencies, there is an obligation under the PDP Act and the Information Privacy Principles to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Cyber risks are real and can lead to a loss or unauthorised disclosure of information, so agencies need to take reasonable steps to protect their information from this. Drawing from the RI Advice Group case, this can require the identification and management of risks through different controls and measures, as well as ongoing monitoring and auditing. What is reasonable will be determined by experts with knowledge in the field of cybersecurity and so they may need to be called on when determining an agency’s cybersecurity risk management systems.
OVIC’s Draft FOI Guidelines
The Office of the Victorian Information Commissioner (OVIC) has released draft Freedom of Information Guidelines for public consultation.
The Guidelines deal with Part II of the Freedom of Information Act 1982 (Vic), which relates to the publication of documents and information. They set out the relevant provisions from the Act and FOI Professional Standards, then provide guidelines covering the purpose of the provision and how the information is to be published.
For example, the Guidelines say a practical approach to interpreting and implementing the requirements should be taken, noting the provisions have not undergone any significant reform since they were enacted and are not directly compatible with the way modern government operates making a literal interpretation unworkable. By way of illustration, they suggest information can be made available in a range of ways, including on various webpages and they pose a number of questions which members of the public must be able to answer. They also give examples of the types of documents which must be available for inspection and purchase, such as a policy describe how an agency issues or reviews fines, a manual detailing how an agency handles complaints, or a procedural manual for providing grants.
OVIC has also produced a Part II Checklist.
Once the FOI Guidelines have been published in final form, OVIC will remove any existing duplicate resources from its website.
Feedback can now be provided on the draft Guidelines.
OVIC’s State of FOI in Victoria Report
OVIC has published a special report on the state of FOI in Victoria: THE STATE OF FREEDOM OF INFORMATION IN VICTORIA, A special look at FOI in Victoria from 2019 to 2021, April 2022.
This follows OVIC’s earlier report on the State of FOI in Victoria from 2022. However, OVIC recognised there have been significant changes to the working environment of the Victorian public sector since that time, largely due to the COVID-19 pandemic, so this special report examines FOI data from 2019 to 2021 to identify emerging themes.
This data showed there has been the most change in the following areas:
- the use of exceptions to refuse to process an FOI request under sections 25A(1) and 25A(5)
- agency decision making
- the top 5 most commonly used exemptions relied on by agencies
- reviews received by OVIC
In particular, the report notes:
- The number of times s 25A(5) was cited by agencies nearly tripled and the percentage of s 25A(5) decisions against all decisions where access was refused also increased from 10% to 30%.
- The number of complaints OVIC received from members of the public increased by 46%, mainly attributable to delays in FOI processing.
- While the top 5 most commonly used exemptions remained the same (being ss 33(1), 38, 35(1), s 30(1) and 31(1) and accounting for around 88% of all exemptions claimed), reliance on the s 30 internal working document exemption increased.
- The number of VCAT review applications received increased by over 54%.
In response, OVIC’s recommended actions to agencies included:
- appropriately resource access to information functions
- be open by design through proactive and informal release outside of the formal FOI Act process wherever possible
- design new systems and processes with transparency in mind
OAIC FOI Investigations
Similar to OVIC’s investigative powers, the Australian Information Commissioner can investigate an action taken by an agency in the performance of its functions or the exercise of powers under the Commonwealth Freedom of Information Act 1982. This involves investigating complaints as well as conducting investigations at the Commissioner’s own initiative. The results of investigations are published on the Office of the Australian Information Commissioner’s (OAIC) website.
For example, in November 2021, an investigation was undertaken into the Department of Home Affairs compliance with statutory timeframes for processing FOI requests. The outcome of the investigation was the Department did not comply with the statutory processing period. The recommendations made in response were:
- The Department to prepare and implement an operational manual for processing FOI requests for personal information to be approved by the Information Champion.
- The Department to ascertain the additional resources (human or otherwise) anticipated to be required in order to meet statutory timeframes and provide an action plan to meet those requirements.
- The Department to:
- and complete training on the operational manual for FOI officers, and ensure all new FOI officers are trained within 2 weeks of commencing.
- ensure online training in processing FOI requests for personal information is available to all staff of the Department.
- The Department to undertake an audit of the processing of FOI requests for personal information to assess whether these recommendations have been implemented and are sufficient to address the issues identified, with a copy provided to OAIC.
OAIC privacy guidance on Individual Healthcare Identifiers on COVID-19 digital vaccination certificates
OAIC has issued privacy guidance regarding Individual Healthcare Identifiers (IHIs) on COVID-19 digital vaccination certificates. This guidance is for any entity or individual that collects a person’s COVID-19 digital vaccination certificate which contains an IHI.
Its key privacy tips include:
- don’t collect a COVID-19 digital certificate if it is not required - sight a copy of the certificate instead.
- if a copy of a COVID-19 digital certificate must be collected, do not collect an IHI.
- consider removing or redacting IHIs from any COVID-19 digital certificates that have already been collected and stored in a record.
New point of law: What can be considered as a protected document?
A look at Environment Protection Authority v Sydney Water Corporation  NSWLEC 119.
Society of University Lawyers Conference 2023
Maddocks is a proud platinum sponsor of the Society of University Lawyers Conference 2023.
Implementation of Universities Accord Interim Recommendations passed
On 19 October 2023 the Senate passed a slightly amended version of the Higher Education Support Amendment
Preparing for mandatory data breach notification under NSW privacy laws: Five key actions
By Ooma Khurana & Radhika Bhatia
This is the second instalment in our For Your Information campaign