13 June 2014

Immigration Data Breach Report

The Department of Immigration & Border Protection (DIBP) has released an edited report by KPMG regarding the breach of sensitive information noted earlier this year and reflected in recent judgments.

The report [PDF] appears in a format apparently aimed at inhibiting copying. Alas, if only the Department had taken similar care regarding safeguarding of information about vulnerable people.

KPMG - somewhat at odds with recent statements by the Department - indicates that  the breached document was downloaded 123 times “from multiple sources” with 104 unique IP addresses. The “potential data access and distribution is widespread”, with scope for dissemination to readers who might not have the best interests of the refugees at heart

The report notes confusion and resultant susceptibility to "human error" within DIBP regarding the clearance checks needed for publishing material on the web, with checking of documents involving scrutiny of hardcopy rather than softcopy.

KPMG indicates that
neither the content authors, nor the director of the responsible reporting team” were aware that they were responsible for assuring material was appropriately monitored and controlled for publication on the web. Authors and approvers were generally unaware that the IT security risk which led to this incident, could occur and were therefore not mindful of checking for indicators of this risk
KPMG recommends that DIBP develop procedures for “cleansing” personal data, update review procedures, develop an IT security training program and incorporate privacy training in connection with the Australian Privacy Principles.

The separate review by the OAIC is apparently still underway.

The data breach of the day meanwhile comes from Optus, which is reported by the SMH to have mistakenly provided Sensis - the White Pages publisher - with the names, mobile numbers and addresses of an undisclosed number of 'silent' customers. The info accordingly appeared in the Sensis online and print directory.

Optus  discovered the problem in April and - of course - " took immediate steps to remove customers’ details from the White Pages online". The telco reportedly began  notifying customers  last week, with a letter  indicating that
Optus can confirm that a system configuration error has resulted in the numbers of some pre-paid mobile and mobile broadband customers being incorrectly listed in the White Pages. 
All necessary steps have been taken to ensure personal information has been removed from online and operator-assisted directory listing services and from all future hard-copy editions of the White Pages.
 Optus is reportedly arranging a free change of mobile number for affected customers. The SMH notes the usual rhetoric -
Optus is focused on making things better for our customers, which means being honest and transparent about our mistakes and fixing them when they occur.
“Optus apologises to all customers who have been affected by this mistake.
Customers who wish to change their number or speak directly with Optus about this matter should contact us ... Monday to Friday 9am-5pm AEST.

Privacy and Data Protection Bill 2014 (Vic)

In Victoria the Privacy and Data Protection Bill 2014 (Vic) has had its first reading.

The Bill is for an Act to provide for responsible collection and handling of personal information in the Victorian public sector, to establish a protective data security regime, to repeal the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic) to make consequential amendments to other Acts and for other purposes.

The definition of personal information remains based on the Privacy Act 1988 (Cth) "in the interests of supporting a nationally consistent approach to the protection of information privacy. The definition only applies to information that is recorded in some form. It excludes health information, as defined in Schedule 2 of the Act, in recognition of the tailored treatment afforded to health records under the Health Records Act 2001 (Vic).

Clause 7 sets out rights and liabilities under the Bill, stating that the Bill must be taken not to create any general privacy right or any other rights additional to those which are specifically contained in the Bill. Similarly, nothing in the Bill is to be construed as giving rise to criminal liability except to the extent specifically described.

The Explanatory Memo states that
Clause 12 grants an exemption in respect of specified types of information that are regarded as publicly available information, including public registers. With limited exceptions, the Bill seeks only to regulate personal information and public sector data that is not publicly available. 
Subclause (2) refers to the use of information held on a public register. It is intended that the Bill will apply so far as is reasonably practicable to personal information held on public registers. Such information stores are collected and held for particular purposes. While public register information should be able to be used for the, or one of the, legitimate purposes for which it was collected, it is intended that the Bill will in most cases treat uses outside those purposes as interferences with personal privacy, unless the handling is the subject of a mechanism in effect pursuant to Divisions 5, 6 and 7 of Part 3. 
For example, it may be an interference with the privacy of an individual for a person to search the titles register at Land Victoria in order to identify and market products or services to a section of the Register that meets a particular socioeconomic profile. In these circumstances the organisation using that information may contravene the Act. 
It is envisaged that organisations having responsibility for maintaining public registers that are made available over the internet will maintain a high standard of currency and accuracy of information on their website. In addition, it is expected that these organisations will ensure that other search engines that tap into the site, and archives that store information on it, do not retain any inaccurate data.
The Memo goes on to state that
Clause 18 states that the IPPs are set out in Schedule 1. The Victorian IPPs were originally adapted from the former federal National Principles for the Fair Handling of Personal Information (the National Principles). The IPPs in Schedule 1 are reproduced from the Victorian Information Privacy Act 2000, in order to maintain the continuity and consistency of Victoria's privacy regime governing public sector organisations as far as possible. The IPPs must now be interpreted in light of section 13 of the Charter of Human Rights and Responsibilities Act 2006, which gives individuals a right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with. 
The 13 Australian Privacy Principles (APPs), which came into force on 12 March 2014, have now replaced both the federal IPPs that previously applied to Australian and Norfolk Island Government agencies, and the National Privacy Principles (NPPs) that previously applied to private sector organisations. 
The APPs regulate the handling of personal information, including health information, by Australian government agencies and some private sector organisations. A number of the APPs are significantly different from the previous federal principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information. The ACT will enact new privacy legislation in 2014. 
Victoria's IPPs do not include provisions specifically for health information. Health information privacy in Victoria continues to be regulated by the Health Records Act 2001. Nothing in the IPPs is intended to be taken to override any exemption in Part 2 of the Bill. 
Clause 19 The Information Privacy Principles apply in relation to all personal information, whether collected by the organisation before or after the commencement of this section. It is intended that there be no gap between the operation of the Information Privacy Act 2000 and this Bill.
The Memo also states that -
Clause 85 provides that the Commissioner must develop the Victorian protective data security framework. It is recognised that a number of public sector entities have previously adapted other existing guidance on protective data security to their entity's needs. For this reason, the Victorian protective data security framework is required to be as consistent as possible with recognised existing guidance in this field as prescribed. 
Both the framework and the related standards provided for in clause 86 are expected to draw on the principal elements of existing whole of Victorian government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks including alignment with the Australian Government Protective Security Policy Framework (PSPF) in relation to data security specifically. However the Victorian standards will depart from the PSPF in a number of ways designed to support State government service delivery functions and reflect contemporary security standards. 
Clause 86 provides that the Commissioner may issue general protective data security standards or customised protective data security standards tailored to specific circumstances. A customised protective data security standard will prevail over a general one to the extent of any inconsistency. 
However, the Commissioner must not issue a protective data security standard unless it has been agreed by both the Attorney-General and the Minister for Technology. It is intended that ongoing consultation between relevant government departments will occur to assist in consistent future development and implementation of the framework and standards. 
Clause 87 provides that protective data security standards may be amended, revoked or reissued in accordance with the procedures set out in clause 86. 
Clause 88 provides that a public sector body Head for an agency or body to which Part 4 applies must ensure that that agency or body does not do an act or contravene a protective data security standard in respect of the public sector data collected, held, managed or disclosed by it or public sector data systems kept by it. 
This obligation extends to ensuring that these requirements are also met by any contracted service provider for the relevant agency or body. Accordingly the public sector body Head must ensure that its contract with a contracted service provider imposes appropriate obligations on the contracted service provider to comply with any relevant protective data security standards. The Commissioner does not have direct authority over contracted service providers in respect of protective data security. However, it is considered that the general powers of the Commissioner under clause 104 would allow for the publication of model terms in respect of this obligation that are capable of being adopted into a State contract. 
Clause 89 provides that within 2 years after the issue of protective data security standards, public sector body Heads must ensure that a security risk profile assessment is undertaken for their agency or body; and that a protective data security plan is developed for the agency or body that addresses the standards applicable to their agency or body. Because it is recognised that not all agencies or bodies subject to Part 4 have equal capacity or resources to meet their obligations under this Part, the Bill's head of power for the making of regulations provided for at clause 125 will enable differential application as required. 
Under subclauses (2) and (3) the public sector body Head must ensure that the security risk profile assessment and plan developed for their agency or body covers its contracted service providers to the extent that the contracted service providers handle public sector data for the public sector body. 
Public sector body Heads are required to ensure that the protective data security plan is reviewed if there is a significant change to their body or agency's operating environment or applicable security risks, or otherwise every 2 years. A copy of each protective data security plan must also be given to the Commissioner. 
Clause 90 provides that protective data security plans are not subject to the FOI Act, because it is not considered to be in the public interest to make details of relevant entities' data security arrangements available to the public.
The Bill provides for establishment of a Commissioner for Privacy and Data Protection.

A person is not eligible for appointment as Commissioner if the person is a member of the Parliament of Victoria, or of the Commonwealth or of another State or Territory. The Public Administration Act 2004 does not apply to the Commissioner in respect of the office of Commissioner, except as provided in section 16 of that Act in relation to employees.The Commissioner ceases to hold office if he or she becomes insolvent, is convicted of an indictable offence or nominates for election for either House of the Parliament of Victoria, the Commonwealth or of any other State or Territory.

Clause 100 contains the procedure for suspension of the Commissioner if the Governor in Council is satisfied on any ground that the Commissioner is unfit to hold to hold office. If the Governor in Council uses the power in subclause (1) to suspend the Commissioner, the Minister must provide each House of Parliament with a full statement of the grounds of suspension within 7 sitting days (subclause (2)). Under subclause (3), the Commissioner must be removed from office by the Governor in Council if each House of Parliament within 20 sitting days after the day when the statement was laid before it declares by resolution that the Commissioner ought to be removed from office. If the declaration by resolution is not made within the specified time period the Governor in Council must restore the Commissioner to office (subclause (4)). Subclause (5) provides that if the Commissioner is suspended from office under subsection (1), he or she is taken not to be the Commissioner during the period of suspension. Clause 101 provides that the Governor in Council may appoint a person to act in the office of the Commissioner during a vacancy in that office, or where the Commissioner is absent or otherwise unable to perform the functions of the office. The person appointed must not be a member of any Parliament in Australia. Appointment is for a period not exceeding 6 months, and the Governor in Council may remove the acting Commissioner at any time (subclause (3)). A person appointed as the acting Commissioner has all the powers and must perform all the duties of that office, and is entitled to the same remuneration and allowances as the Commissioner.

Clause 103 outlines the functions of the Commissioner. Clause 104 gives the Commissioner the general power to perform his or her functions. Clause 105 provides that the Commissioner must have regard to the objects of the Bill in performing his or her functions. The objects of the Bill are set out in Clause 5 of the Bill. Clause 106 provides that the Commissioner may require access to data and data systems in respect of protective data security. Though the Commissioner does not have direct statutory authority in respect of the CSP, it is expected that public sector entities to which Part 4 applies could give a contractual direction to their CSP to produce data or give access to data systems to the Commissioner or otherwise cooperate with the Commissioner. Clause 107 provides that the Commissioner may require the Chief Commissioner of Police to give the Commissioner access to law enforcement data or the Victoria Police law enforcement data system. The Chief Commissioner of Police may refuse to comply with the requirement. This provision has been included to ensure that in meeting the requirements of the Commissioner, the provision of access to data or systems does not impede the capacity of Victoria Police to carry out its law enforcement functions. The grounds upon which the Chief Commissioner may refuse to comply include instances in which giving access to law enforcement data or systems is reasonably likely to prejudice an investigation, prejudice a fair trial, disclose the identity of a confidential source of information or endanger the lives or physical safety of persons.

Clause 109 provides that the Commissioner may copy or take extracts from any data or documents accessed under clauses 106, 107 or 108 despite anything to the contrary in any other Act except the Charter of Human Rights and Responsibilities Act 2006. Clause 110 provides that the Commissioner may request that a public sector body Head as defined in the Public Administration Act 2004 provide him or her with any assistance that the Commissioner reasonably considers appropriate to perform his or her functions under this Bill relating to protective data security and law enforcement data security. Clause 111 provides that at the request of the Minister, the Commissioner must provide the Minister with reports on any matter relating to information privacy, protective data security, crime statistics data security or law enforcement data security functions. The Minister may table a copy of such a report before each House of Parliament. The Commissioner, in the public interest, is able to publish reports and recommendations relating to any act or practice that the Commissioner considers to be an interference with the privacy of an individual or generally to the Commissioner's functions, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.

Victorian Archives Law

The Public Records Amendment Bill 2014 (Vic) amends the Public Records Act 1973 (Vic) to provide for the annual public release of Cabinet records 30 years after the year in which they were created. The Bill includes minor amendments to improve the operation of and update references in the Public Records Act.

Key provisions are -
Clause 4 amends section 2 of the Public Records Act 1973 (Vic) to amend the definition of public record, insert new definitions of Cabinet and Cabinet record and make consequential amendments to several existing definitions. 
Clause 5 amends section 5 of the Act to provide an additional advisory function to the Public Records Advisory Council in relation to public records management. 
Clause 6 amends section 8A of the Act to provide that public records that no longer need to be readily available for the purposes of a public office must be transferred to the Public Record Office as soon as practicable after the records have been in existence for 10 years, rather than 25 years as is currently provided. 
Clause 7 inserts a new section 8B into the Act. This new section provides for the public release of Cabinet records transferred to the Public Record Office after the commencement of the section following a fixed closure period. The Secretary of the Department of Premier and Cabinet must, by notice published in the Government Gazette, declare Cabinet records to not be available for public inspection until a period of 30 years has elapsed since the last day of the year in which the Cabinet record was created. Such a declaration cannot be varied or revoked. 
Clause 8 amends section 9 of the Act as it applies to Cabinet records. The amendments provide that a declaration under section 9(1) may be made in respect of a Cabinet record. However, such a declaration may only provide that a Cabinet record not be available for inspection for a period that is longer than the period required by the new section 8B (as inserted by clause 7 of the Bill). 
Clause 9 amends section 10 of the Act to provide that a declaration under that section may not be made in respect of a Cabinet record. 
Clause 10 amends the operation of section 10AA(2) of the Act as it applies to Cabinet records. New section 10AA(6) provides that a declaration under section 10AA(2) may be made in respect of a Cabinet record. However, such a declaration may only provide that a Cabinet record not be available for inspection for a period that is longer than the period required by the new section 8B (as inserted by clause 7 of the Bill). 
Clause 11 amends section 19(1) of the Act to increase the maximum penalty for the offence of removing, selling, damaging or destroying a public record, from 5 penalty units to 60 penalty units.

12 June 2014

FOI

The Freedom of Information and Victorian Inspectorate Acts Amendment Bill 2014 (Vic) has had its first reading in the Victorian Parliament.

The Bill amends the Freedom of Information Act 1982 (Vic) and the Victorian Inspectorate Act 2011 (Vic). The Bill is described as meant to "support and enhance Victoria's integrity regime, in particular by allowing for the appointment by the Governor in Council of Assistant Freedom of Information Commissioners under the FOI Act", accordingly
  • providing greater guidance in relation to time limits and notification requirements by, and to, the FOI Commissioner; and 
  • facilitating the effective and informal resolution of reviews and complaints; and 
  • ensuring that many of the functions of the FOI Commissioner may be undertaken by, or delegated to, members of staff. 
It also amends the Inspectorate Act  to improve processes associated with obtaining evidence from persons in custody and to set specific penalties for a body corporate that is found guilty of an offence under the Act (and establish that any officers of a body corporate knowingly concerned in the commission of certain offences by the body corporate are also guilty of those offences).

Clause 5 inserts a new subsection (4) into section 6C to require that the FOI Commissioner perform functions and exercise powers under any Acts with as little formality and technicality as possible. The intention is to promote a practical and efficient approach to the exercise of the FOI Commissioner's functions.

Clause 6 inserts new sections 6DA, 6DB and 6DC in the FOI Act, which deal with the appointment, functions, powers and responsibilities of Assistant Commissioners.

New section 6DA provides for the appointment of Assistant Commissioners. The Governor in Council may appoint an eligible person to be an Assistant Commissioner. (A person is eligible if they would be eligible for appointment as FOI Commissioner in accordance with section 6D.)  The Governor in Council may appoint as many Assistant Commissioners as are required.

New section 6DB sets out the functions and powers of Assistant Commissioners. The functions of Assistant Commissioners will be to conduct, in accordance with Division 1 of Part VI, reviews of decisions by agencies on requests;  to handle complaints in accordance with Part VIA; to assist the FOI Commissioner in management of the FOI Commissioner's office;  and any other functions conferred under legislation. An Assistant Commissioner must have regard to the object of the FOI Act when performing any function or exercising any power under that Act, and must perform functions and exercise powers under any Acts with as little formality and technicality as possible.

New section 6DC provides that an Assistant Commissioner is responsible to the FOI Commissioner for the due performance of the Assistant Commissioner's functions and exercise of powers. However, the existence of this responsibility does not empower the FOI Commissioner to give an Assistant Commissioner a direction in relation to the conduct of a review under Division 1 of Part VI or the handling of a complaint under Part VIA. Consequently, while an Assistant Commissioner will generally be responsible to the FOI  Commissioner for the due performance of their functions and exercise of their powers, the FOI Commissioner will have no power to intervene in the conduct of specific reviews or the handling of specific complaints by an Assistant Commissioner.

Clause 7 amends sections 6E, 6F and 6G of the FOI Act so that provisions relating to terms and conditions of appointment, remuneration, and vacancy and resignation will apply to Assistant Commissioners as well as the Freedom of Information Commissioner. It also inserts a new section 6H(6) which provides for the removal from office of an Assistant Commissioner by the Governor in Council on the specified grounds of misconduct, neglect of duty, or inability to perform the duties of office, or on any other ground on which the Governor in Council is satisfied that the Assistant Commissioner is unfit to hold office. This process differs from that applying to the FOI Commissioner, who may only be removed from office by resolution of both Houses of Parliament.

Clause 8 inserts a new section 6I(1A) in the FOI Act which provides for the appointment by the Minister of an acting Assistant Commissioner. The Minister may appoint a person eligible to be appointed as an Assistant Commissioner as an acting Assistant Commissioner within 6 months after an Assistant Commissioner ceases to hold office; or during any or all periods when an Assistant Commissioner is absent from duty or from the State or for another reason cannot perform the functions of office, or when an Assistant Commissioner is acting as the Freedom of Information Commissioner.  New section 6I(4A) provides that the Minister may remove an Assistant Commissioner at any time. Section 6I(5) is amended to provide that, where a person is acting as an Assistant Commissioner, that person has and may exercise all the powers of an Assistant Commissioner and must exercise all the functions of an Assistant Commissioner, and is entitled to be paid the remuneration of an Assistant Commissioner.

Clause 9 amends section 6K of the FOI Act to clarify that the FOI Commissioner may delegate to staff functions and powers relating to the conduct of a review and the handling of a complaint. For example, these could include attending offices and inspecting documents, conducting preliminary inquiries and referring matters back to an agency for reconsideration. However, the power to make a fresh decision under section 49P on an application for review or to make a recommendation under section 61L in relation to a complaint is not delegable under this section. Clause 9 also inserts a new section 6K(2) which provides that the FOI Commissioner may delegate to an Assistant Commissioner any of the Commissioner's functions and powers except the power to prepare a report under Part VII or the power of delegation conferred by the new section. Given that Assistant Commissioners will share the FOI Commissioner's functions in relation to reviews and complaints pursuant to section 6DB, it is expected that this delegation power would only be used in relation to the Freedom of Information Commissioner's other functions and powers under section 6C.

Clause 9 inserts a new section 6K(3) which provides that an Assistant Commissioner may delegate to a staff member any of the Assistant Commissioner's functions except the power to make a fresh decision under section 49P on a review, the power to make a recommendation under section 61L in relation to a complaint and the power of delegation itself.

Clause 10 inserts a new section 49B(3) which allows the FOI Commissioner to accept an application for review outside the statutory time limit if the Freedom of Information Commissioner is satisfied that the delay in making the application occurred as a result of an act or omission of the agency concerned.

Clause 11 inserts 2 new subsections into section 49D of the FOI Act which allow the FOI Commissioner, at any time during the conduct of a review, to provide a copy of the application for review to the affected agency. The Commissioner must obtain the applicant's consent to provide a copy of the application. The Commissioner may provide a copy of the application on request by the affected agency or on the Commissioner's own initiative.

Clause 12 substitutes new sections 49EA and 49F for current section 49F of the FOI Act. 49EA provides that, on receipt of an application for review, the FOI Commissioner must refer the application to an Assistant Commissioner or determine to deal with the application directly, without referral to an Assistant Commissioner. To facilitate timely and efficient referral of applications, section 49EA(2) provides that the FOI Commissioner is not required to consider the subject-matter of an application for review or to make preliminary inquiries or consult with the parties before making a referral. Substituted section 49F provides that an Assistant Commissioner or, where there has been no referral, the FOI Commissioner, may review a decision that is the subject of the application. In reviewing a decision, the Assistant Commissioner has all the functions, and may exercise all the powers, of the FOI Commissioner. Any reference to the FOI Commissioner in Part VI and Divisions 1 and 2 of Part VII includes a reference to the Assistant Commissioner. A decision of an Assistant Commissioner on review is taken to be a decision of the FOI Commissioner.

Clause 13 inserts new section 49H(4)  which confirms that the FOI Commissioner may rely on the advice and assistance of a member of staff in making preliminary inquiries in relation to a review, conducting a review, and making a fresh decision on a review.

Clause 14 replaces sections 49L and 49M of the FOI Act with new sections 49L, 49M and 49MA, providing greater certainty in relation to timelines and notification requirements for agencies, applicants and the FOI Commissioner for review matters that have been referred back to the agency for reconsideration, or that have been reconsidered by the agency at its own initiative. New section 49L amends the original provision in a number of ways. Section 49L(3) establishes that the required period for completing a review under section 49J is suspended from the time the FOI Commissioner refers the matter back to the agency. If the agency makes a fresh decision, new section 49L(5) requires the agency to revoke the earlier decision, and, when notifying the applicant of the fresh decision, to also inform them of the requirements of subsections (6) and (7). Section 49L(6) requires the applicant to advise the FOI Commissioner in writing within 28 days of being notified by the agency of the fresh decision whether they agree with the decision. If the applicant fails to do so within the required period, section 49L(7) provides that they are taken to have agreed for the purposes of section 49MA(1). New section 49M amends the original provision in a number of ways. Section 49M(1) provides that an agency may notify the FOI Commissioner and applicant that the agency is reconsidering the matter that is the subject of the review at the agency's own initiative, and in doing so may make a fresh decision. Section 49M(2) provides that the agency has 45 days after the notification under section 49M(1) to make a fresh decision, unless the agency and FOI Commissioner agree in writing to another period. Section 49M(3) establishes that the required period for completing the review under section 49J is suspended from the time the agency notifies the FOI Commissioner that it is reconsidering a matter. Subsection 49M(4) requires the agency to notify the FOI Commissioner within 3 business days of making a fresh decision whether or not a fresh decision has been made. If the agency makes a fresh decision, subsection 49M(5) requires the agency to revoke the earlier decision and, when notifying the applicant of the fresh decision, to also inform them the requirements of subsections (6) and (7). Section 49M(6) requires the applicant to advise the FOI Commissioner in writing within 28 days of being notified by the agency of the fresh decision whether they agree with the decision. If the applicant fails to do so within the required period, section 49L(7) provides that they are taken to have agreed for the purposes of section 49MA(1). New section 49MA sets out the procedure after reconsideration under section 49L or 49M. Section 49MA(1) provides that, if the applicant agrees with a fresh decision made by an agency under section 49L or 49M, the FOI Commissioner must dismiss the review. Agreement with a fresh decision includes deemed agreement in accordance with section 49L(7) and 49M(7). Section 49MA(2) provides that, if the applicant does not agree with the fresh decision, the FOI Commissioner must complete the review on the basis of the fresh decision, and the required period for doing so under section 49J is 30 days from when the applicant advises the Commissioner that they do not agree with the fresh decision. Section 49MA(3) sets out the procedure to apply where the agency has not made a fresh decision under section 49L or 49M within the specified period. In these circumstances, the FOI Commissioner must recommence the review and complete it within 14 days after the earlier of the date on which the agency gives notice of the decision having been given, or the date on which that notice is required to be given.

Section 49MA(4) provides that, where the fresh decision of the agency is to refuse to grant access to a document on the basis that it is a Cabinet document or a document affecting national security, the Freedom of Information Commissioner cannot complete a review of that decision.

Clause 15 inserts a new section 49OA which provides clarification in relation to the operation of section 25A(5). Section 25A(5) provides that an agency may refuse a request for access to documents without identifying the documents if it is apparent from the description of the documents in the request that they are exempt documents, and it is apparent from the description that no obligation would arise to provide access to an edited copy of the document, or that the person making the request would not wish to have access to an edited copy. Section 25A(5) does not require the agency to identify the documents to which the request relates. New section 49OA(1) confirms that, in reviewing a decision of an agency to refuse a request under section 25A(5), the FOI Commissioner must determine whether to refuse the request under section 25A(5), without requesting the agency to search for or otherwise identify the documents to which the request relates; that is, only in reliance on the details provided in the request and any other information used by the agency to make the decision. Such information may include consultation with the person making the request regarding the option of having access to an edited copy of the requested document or documents. New section 49OA(2) provides that nothing in section 49OA(1) prevents the Commissioner exercising a power under section 63C (in relation to documents claimed by the relevant agency to be exempt) if the Commissioner determines that the request should not have been refused under section 25A(5).

Clause 16 amends section 49P of the FOI Act which deals with the FOI Commissioner's decision on a review. Section 49P(5) is amended to insert "if practicable" after "must". Current section 49P(5) requires that, where the FOI Commissioner makes a decision to disclose a document that is claimed to be exempt on the basis that it would unreasonably disclose information relating to the personal affairs of a person, or that it would disclose trade secrets or other business, commercial or financial matters the disclosure of which would disadvantage an undertaking, the FOI Commissioner must notify the affected person or undertaking of their right to make an application for review of the decision. The amendment qualifies the requirement so that the FOI Commissioner must only notify the person or undertaking where it is practicable to do so, bringing section 49P(5) into line with sections 33(3) and 53A(1) and (3) of the FOI Act. New section 49P(6) is inserted to provide that an Assistant Commissioner must notify the FOI Commissioner of the Assistant Commissioner's decision under section 49P.

Clause 17 repeals section 50(3E) of the FOI Act and inserts a new section 50(3FA). This provides that the agency must, as soon as practicable, notify the FOI Commissioner of an application for review of a decision by or relating to the Freedom of Information Commissioner to the Victorian Civil and Administrative Tribunal. This amends the current arrangement under existing section 50(3E) which requires the applicant to notify the FOI Commissioner of an application for review in relation to a failure of the Commissioner to make a decision within the relevant time. Clause 18 inserts a new section 61A(5) in the FOI Act which allows the FOI Commissioner to accept a complaint made outside the statutory time limit if the  Commissioner is satisfied that the delay in making the complaint occurred as a result of an act or omission of the agency concerned.

Clause 19 inserts a new section 61AB in the FOI Act which provides that, on receipt of a complaint, the FOI Commissioner must refer the complaint to an Assistant Commissioner or determine to deal with the complaint directly, without referral to an Assistant Commissioner. To facilitate the timely and efficient referral of complaints, section 61AB(2) provides that the FOI Commissioner is not required to consider the subject-matter of a complaint or to make preliminary inquiries or consult with the parties before making a referral. New sections 61AB(3) and (4) provide that, when dealing with a complaint, the Assistant Commissioner has all the functions, and may exercise all the powers, of the FOI Commissioner. Any reference to the FOI Commissioner in Part VIA and Divisions 1 and 2 of Part VII includes a reference to the Assistant Commissioner. A recommendation of an Assistant Commissioner on a complaint is taken to be a recommendation of the FOI Commissioner.

Clause 20 inserts a new section 61I(5) in the FOI Act which confirms that the FOI Commissioner may rely on advice and assistance of a member of staff in conducting preliminary inquiries into a complaint, otherwise dealing with a complaint, and making recommendations under section 61L in relation to a complaint.

Clause 21 inserts new section 61L(9) in the FOI Act which provides that if the complaint is dealt with by the Assistant Commissioner, the Assistant Commissioner must notify the FOI Commissioner of any recommendations or referrals.

Clause 22 amends section 63C of the FOI Act to confirm that a member of staff of the FOI Commissioner, or contractor, agent or other person engaged by the FOI Commissioner, may inspect or make copies of documents where appropriate.

Clause 23 substitutes a new section 63D of the FOI Act and relates to use of documents produced to the FOI Commissioner in the course of a review or complaint that are claimed to be exempt. It replaces previous section 63D which applies to any document (exempt or otherwise) produced to the FOI  Commissioner in a review or complaint. New sections 63D(2) and (3) provide that the Commissioner must do all things necessary to ensure that only a specified person has access to the document or its contents and that penalties apply to specified persons who intentionally or recklessly disclose the document other than in accordance with the FOI Act.

New section 63D(4) provides that a specified person may, to the extent practicable without disclosing exempt matter, disclose the nature of the document if to do so may assist in the resolution of the review or complaint, and the agency head or nominee gives prior written consent to the disclosure.

New sections 63D(5) and (6) allow the FOI Commissioner to copy exempt documents (unless they are Cabinet documents, documents affecting national security or law enforcement documents), to the extent necessary for the performance of the FOI Commissioner's functions. On completion of the review or complaint process, the FOI Commissioner is required to return to the agency any documents or copies of documents provided by the agency.

Dank

In Dank v Whittaker (No 4) [2014] NSWSC 732 the Supreme Court of New South Wales has stated that the $10 million defamation actions filed by sports scientist Stephen Dank against various media outlets are an abuse of process for non-compliance with the statutory leave requirements and a cap on the award of damages. The Court held that Mr Dank deliberately excluded a corporate media outlet in his defamation suit to defeat the application of the statutory requirements. The Court concluded that it was appropriate to consolidate all defamation suits into three sets and that such a consolidation would not expose Mr Dank to any relevant prejudice.

11 June 2014

InfoLib

'The Right to Information in International Human Rights Law' by Maeve McDonagh in (2013) 13(1) Human Rights Law Review 25 explores
the conceptual basis for the recognition of a right to information. It commences by reviewing developments in the recognition of a right to information in international human rights law. The role of the right to freedom of expression in furthering the recognition of a right to information is highlighted while the engagement of other rights in such recognition is also explored. The article considers the contribution made by the instrumental approach to the recognition of a right to information in international human rights law. Finally it explores whether there might exist an intrinsic right to information independent of other rights.