Recent News in FOI and Privacy from OVIC and OAIC
Here is a snapshot of recent news in FOI and Privacy from the Office of the Victorian Information Commissioner (OVIC) and the Office of the Australian Information Commissioner (OAIC).
OVIC’s Regulatory Priorities
OVIC has released its regulatory priorities for this financial year.
These regulatory priorities guide OVIC’s regulatory action, which seeks to promote fair public access to information while ensuring its proper use and protection, in accordance with OVIC’s Regulatory Action Policy.
The priorities include:
- compliance with the FOI Professional Standards
- prompt FOI decision making and information release
- identification and assessment of the security value of information
- privacy and security in Victorian law enforcement
- the protection of personal information in the Victorian higher education sector
- privacy and outsourcing.
These priorities are said to reflect existing and emerging issues that OVIC considers significant or requires attention.
Here are some takeaways:
- know your obligations under the FOI Professional Standards, particularly with respect to timeframes
(e.g. acknowledging receipt of a request, notifying if a request is invalid or incapable of being processed, notifying if timeframes have been extended etc), record keeping (e.g. third party consultation, searches, etc) and resources (e.g. procedures, training, etc)
- review your practices around the disclosure of law enforcement information and how law enforcement records are kept
- review your outsourcing practices, including whether your contracts have a suitable privacy clause.
OAIC’s Position Paper on FOI disclosure of public servants’ names and contact details
OAIC has issued a position paper on the disclosure of public servants’ names and contact details in documents sought under FOI.
While acknowledging that transparency and accountability are fundamental to Australian democracy and that public servants should be accountable for their actions, OAIC also recognises that public servants have a right to be safe at work and safe from harm as a result of their work.
The position paper accepts that advances in digital communications have changed the environment in which public servants work and that, in some cases, disclosure of their names and contact details has the potential to expose them to work health and safety risks. Those risks include the traceability of personal lives and the risk of physical and online harassment, particularly where contact details are published online to a wider audience for a longer period of time.
As a result, agencies are advised to start from the position that staff names be released unless work health and safety risks associated with disclosure of staff names and contact details have been identified.
In those circumstances, agencies may consider whether the only way to mitigate these risks is by removing this information from documents before release, either because it is outside the scope of the request or because it is exempt from disclosure under the FOI Act.
The information would be out of scope where a request expressly states that names and contact details are not sought. If not, agencies can ask the FOI applicant whether they seek access to this information.
If a FOI applicant indicates that they do seek access to names and contact details, then a decision must be made as to whether that information is exempt.
Here are some takeaways:
- Check your FOI application form to see if it already asks FOI applicants to state if they do not seek the names and contact details of staff members or any other form of personal affairs information. If it doesn’t, you could amend it so that it does but take care with the wording used. An FOI applicant needs to understand what they are being asked to exclude from their request. For example, is it staff names and contact details, other third party’s names and contact details, or other specific types of personal affairs information that would be excluded?
- Ascertain whether your agency has identified work health and safety risks associated with disclosure of staff names and contact details. For example, these may include:
- staff being approached and harassed, abused, physically assaulted and stalked
- staff being subject to online abuse and harassment
- social media being used to identify and pursue staff and their families outside their workplace.
- If an FOI request seeks access to staff members’ names and contact details, consider whether this information is exempt under s 33 of the FOI Act 1982 (Vic). Relevant considerations may include whether disclosure would pose a risk to the health and safety of their staff, for example because of the nature of the work performed. This will need to be determined objectively on a case-by-case basis.
International Access to Information Day – 28 September
International Access to Information Day (formerly known as Right to Know Day) is on 28 September. It recognises the importance of the community’s ‘right to know’ and to access information from government sources. This year’s theme is Building trust through transparency.
Both OVIC and OAIC will be participating in various events that week.
Managing climate change-related risks in the financial system
By Patrick Ibbotson & Jessica Dorricott
Risks posed by climate change to the stability of the US financial system.
GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clauses – implications for Australian organisations
Impacts for Australian entities who are either directly subject to the GDPR or receiving personal data from the EEA.
What is in a name? The disclosure of public servants’ names and contact details under FOI
The OAIC has issued a position paper on the disclosure of public servants’ names and contact details in documents.