Office of the Australian Information Commissioner

CHAIR: I welcome officers representing the Office of the Australian Information Commissioner. Thank you for joining us today. Would you like to make an opening statement before we go to questions?

Ms Falk : I would, if the committee has the time. I think it would be useful for me to paint a picture of the work of my office, if that's acceptable.

CHAIR: Thank you. Please do.

Ms Falk : Thank you for that opportunity. The committee would be aware that the role and purpose of my office is to promote and uphold privacy and access to information rights, and of course I'm appearing today at a time when there is great focus on the community's access to information held by government and on the individual's right to have their personal information protected. No-one could miss the national Right to Know campaign across the major media outlets this week. The campaign shares its name with the international movement in support of access to government information, which holds Right to Know Day around the world on 28 September each year. That includes Australia, where it's supported by my office and my counterparts across Australia. Just last week the United Nations General Assembly recognised the importance of this global movement and proclaimed 28 September as the International Day for Universal Access to Information.

My office has recently conducted a survey in relation to freedom of information and the community's attitudes, and it also highlights the value that Australians place on their right to access government information. The survey found that 84 per cent of people said their right to access information held by the government was important and 37 per cent had tried to do so using a range of methods, including, of course, agency websites and freedom of information requests. Most respondents who tried to access information were successful in doing so on at least one occasion, but 15 per cent said they did not get all the information that they wanted.

The community are exercising their right to access information from Australian government agencies and ministers and seeking review of decisions under the FOI Act in increasing numbers. As our annual report shows—it was tabled yesterday—the number of FOI requests made to Australian government agencies and ministers grew by 13 per cent last financial year, to 38,879. The percentage of FOI requests granted in full was 52 per cent, partial access was granted for 35 per cent of requests, and 13 per cent of requests were refused. In 2017-18, there was a significant improvement in the proportion of FOI requests processed within the statutory time frame, from 58 per cent to 85 per cent. However, this slipped slightly to 83 per cent in the last financial year, showing that continued focus is required on the part of agencies and ministers to comply with statutory processing time frames.

An important object of the FOI Act is to facilitate and promote public access to information promptly and at the lowest reasonable cost. So we continue to work with agencies to improve these processing times. We're encouraging agencies to make the system work more efficiently for the community by publishing more information proactively, particularly information that's frequently requested, and by making personal information available through administrative access schemes. This will also reduce agencies' administrative load in processing FOI requests.

Turning to applications to my office, the number of applications for Information Commissioner review of FOI decisions grew last year by 16 per cent, to 928, and over the past four years the number of IC review applications to my office has risen by more than 80 per cent. Through our early intervention procedures and other measures, we have improved our finalisation rates in response to these pressures, and in 2018-19 we finalised 659 Information Commissioner reviews, which was an eight per cent increase from the previous year. In fact, over the past four years, we have increased our finalisation rate by 45 per cent. Where possible, we're dealing with applications covering similar issues as a cohort, to provide additional guidance to agencies in handling FOI requests and, of course, to influence better practice.

Since I've been in the role, we have extensively reviewed our processing and implemented further workflow management and process efficiency measures, but the substantial and sustained increase in IC review applications over recent years has widened the gap between incoming work and finalisations, and has resulted in increased delays and backlogs. In order to meet the timeliness objective of the FOI Act and provide faster outcomes for the community, additional resources are required, and the IOC continue to work with government in relation to our resourcing needs.

Turning to privacy issues, we're also finding efficiencies to manage the increasing volume of work, particularly in helping people resolve complaints about the handling of personal information. We received 12 per cent more complaints last year. The majority of complaints were driven by privacy practices in six sectors: finance, government, health, telecommunications, retail and, of course, online services. The most common issues raised with us are about use and disclosure, security, access, collection and quality of personal information. Our early resolution processes are continuing to have a positive impact, and we finalised six per cent more privacy complaints than the previous year.

We're in the process of implementing additional changes to the way we handle privacy complaints to further improve our finalisation rates. We're supported by the additional funding provided in the last budget for timely responses to privacy complaints, and we're addressing delays and backlogs in that area. This additional privacy funding will also support a new privacy regime for social media and online platforms that trade in Australians' personal information. Internally, we're also increasing our proactive enforcement capability.

I welcome the government's commitment to strengthening the Privacy Act to protect personal information through measures including increased enforcement mechanisms, and I've also made submissions around the need for a broader review of the Privacy Act to ensure it remains fit for purpose in our current environment.

The past year's focus on digital platforms both here and overseas has demonstrated the scale of the challenges that we confront in safeguarding personal information, and, taken alongside the consumer data right—a major change to our regulatory framework which we're implementing alongside the ACCC early next year—and other recent developments in technology and artificial intelligence, it's timely to consider the scope and settings of the Privacy Act overall.

Of course, there's a global dimension to the work of my office, and so cooperation with other regulatory authorities around the world is critical to mitigating privacy risks. We're actively engaged with international counterparts on regulatory action. We're making progress towards globally interoperable approaches to privacy so that our citizens' data is protected, wherever it may flow, and so that the economic benefits of data innovation can be safely realised. Thank you. That concludes my opening remarks.

CHAIR: Thank you very much. Senator Chisholm, you have the call.

Senator CHISHOLM: Just for your information, Chair, I've got some specific questions, and then Senator Carr's got some follow-up general questions.

CHAIR: Okay. You know we're working in 10-minute blocks?

Senator CHISHOLM: Yes.

CHAIR: Great.

Senator CHISHOLM: Ms Falk, how long have you been in your role? I heard you say 'since I've been here'; I just don't know what year you started.

Ms Falk : I commenced acting in the role on 24 March 2018 and I was appointed on 16 August 2018.

Senator CHISHOLM: Okay. Could you outline the investigation that was undertaken into Wilson Asset Management?

Ms Falk : In relation to that matter, my office did conduct inquiries. The matter was finalised by way of an enforceable undertaking from that particular entity. The enforceable undertaking made requirements to ensure that any data that may have been collected was deleted and also that process and systems changes were put in place.

Senator CHISHOLM: What prompted the investigation in the first place?

Ms Falk : That investigation, I think, is on the public record and known, in terms of an issue that arose prior to the last federal election in relation to the collection of personal information through a particular website.

Senator CHISHOLM: Sure, but what prompted it? What led the organisation to conduct an investigation?

Ms Falk : I made inquiries in relation to that matter because I had had complaints from members of the public who raised issues around the handling of their personal information by that particular entity.

Senator CHISHOLM: So where that ended was with the enforceable undertaking?

Ms Falk : That's correct.

Senator CHISHOLM: Is there any more information you could provide around the details of what that undertaking was?

Ms Falk : The details of the undertaking that was entered into are on the public record on my website.

Senator CHISHOLM: As far as the organisation is concerned, is the issue now finalised, or, as part of that enforceable agreement, is there ongoing action that the commission has to be participating in?

Ms Falk : In relation to enforceable undertakings, there are generally requirements to report on compliance with the undertaking and, subject to that report being made, that would conclude the matter.

Senator CHISHOLM: So that requires you to make that report, or the organisation?

Ms Falk : The organisation—to make the report.

Senator CHISHOLM: Has that been completed yet?

Ms Falk : The last part of the reporting to my office is due in November.

Senator McKIM: Good afternoon. I wanted to ask a couple of questions about the MOU that your office has with the department about the National Facial Biometric Matching Capability. Firstly, can I just confirm this is the latest copy of the MOU, updated on 21 May 2019? That was the most recent one I could find. Is that the most recent version of the MOU?

Ms Falk : I'd need to confirm that.

Senator McKIM: Just for your office's reference, that's the one I'm going to be relying on for my questions. For context, I should say that this MOU talks about the interoperability hub, which we can shorten to mean the hub, which is the router that facilitates the, hopefully, secure exchange of biometric data between Commonwealth, state and territory governments. After the section that deals with the hub, it says 'other face matching services may be added over time'. Can I ask firstly whether any other face matching services have been added over time?

Ms Falk : I think that those questions would be best directed to the department. I understand that the Department of Home Affairs is the agency that administers the hub.

Senator McKIM: In fact, this is an MOU between the AGD and your office.

Mr Moraitis : That was before the machinery of government changes. That would have been the situation, but we no longer run anything to do with that stuff.

Senator McKIM: So why is the Office of the Australian Information Commissioner not able to answer that question?

Ms Falk : In relation to the MOU that you've have referred to, my office did enter into an MOU. The arrangements were that my office would undertake two privacy assessments of the management of the system. That has been deferred.

Senator McKIM: Did you say deferred?

Ms Falk : It has been deferred on the basis that the system is not fully functioning. The legislation has not passed, so it is deferred until such time as it would be appropriate for us to assess the way in which the system is operating in accordance with the privacy safeguards.

Senator McKIM: Would you expect those privacy safeguards to be contained in the legislation? Please, if it's not a fair question for you, just say so.

Ms Falk : The way in which it would operate is that the handling of the information would be authorised by law, and therefore the way in which that information is to be handled would be set out in the enabling legislation. To the extent to which the Privacy Act might still apply, it would apply in terms of data breach notifications that might occur and so on.

Senator McKIM: Thank you. That's helpful. When you say that it's been deferred, had your office done any work in regard to those privacy assessments before the deferral?

Ms Falk : We had not undertaken any assessments, no.

Senator McKIM: Has your office been consulted during the development of the legislation?

Ms Falk : Yes, it has.

Senator McKIM: Is that an ongoing process, or do you think the consultation with your office is now complete?

Ms Falk : In terms of the interaction with my office, we have been engaged with, firstly, the Attorney-General's Department and now the Department of Home Affairs since around 2015, in terms of the development of the capability. There were a series of privacy impact assessments that were undertaken in developing the proposal. My office had some interaction in relation to those privacy impact assessments. We have also commented on the draft bill. I have made submission to the relevant committee in relation to it. My office also participates in committees in terms of the governance of this particular—

Senator McKIM: You mean intergovernmental committees, with other agencies.

Ms Falk : That's right.

Senator McKIM: Thanks. That's really helpful. Mr Moraitis, can I just ask you a quick follow-up. By the way, I should indicate, Commissioner, that that MOU was downloaded off your office's website this morning, so you might want to have a look at that with a view to possibly changing it if it has in fact been superseded. That's what I wanted to check with Mr Moraitis: is it right that this MOU, which was signed between the Attorney-General's Department and the Office of the Australian Information Commissioner, has now been superseded by a new one that's been signed, presumably, by the home affairs department?

Mr Moraitis : It's almost two years since that transition happened. I assume that's what happened.

Senator McKIM: This was last updated on 21 May this year, which was actually after the machinery-of-government changes. I'm just wondering if we can have an explanation.

Mr Moraitis : I don't know. We had an MOU and, as Ms Falk mentioned, we worked very closely back in 2015-16 on this and, in particular, the privacy impact statement dimension of all this. Since the middle of 2017, we haven't been involved in facial biometrics anyway. I can't really speak on how or why the MOU, on the OAIC side, has us as one of the parties. I assume the new MOU—as they say in the law, mutatis mutandis—is the same; it's just that the title's changed. That's my assumption.

Senator McKIM: Thanks. Ms Falk, could you please take on notice whether this MOU that I'm referring to, which is between your office and the Attorney-General's Department and was last updated on 21 May this year, has been superseded by an MOU between your office and Home Affairs. Are you able to answer that now?

Ms Falk : I will take it on notice. I'm advised that the MOU was varied, and it is with the Department of Home Affairs at this point, but I will check the details and make sure I give you an accurate description.

Mr Moraitis : Can I just add that usually, with machinery-of-government changes, things transition to the receiving agency. There are a lot of transitional things, but the instrument and the content of the instrument are transferred. So, irrespective of the title, the mutual obligations and responsibilities continue. But you're right: it should have a change of title.

Senator McKIM: That's fine. Thanks, Mr Moraitis. Ms Falk, I want to ask questions about another matter. This is a complaint which has been lodged with your office—not about your office, by the way—and I've been asked to raise this by the complainant, Mr Nauroze Anees, who's put a complaint in to your office about Minister Peter Dutton. Mr Anees informs me that he still, despite lodging the complaint many months ago, doesn't understand how he can provide evidence to your office to substantiate his complaint. Are you aware of that complaint?

Ms Falk : In relation to individual complaints, there are of course secrecy provisions in my enabling legislation which seek to protect the confidentiality of parties to matters. The particular issue that you raise is not one that I have particular information to hand about.

Senator McKIM: I think given that answer I will write to you about that, which will enable me to share with you the complainant's concerns in a way that's not public.

Ms Falk : Thank you, Senator. I appreciate that.

Senator KIM CARR: The commission put out a press release on 26 September, the International Right to Know Day. Given that it's an international event, do you have any view about whether or not there is a problem with the right to know in Australia?

Ms Falk : That's a broad question.

Senator KIM CARR: It is. It gives you a chance to give us a broad answer.

Senator Payne: You are asking the commissioner in her capacity as commissioner and not for her personal opinion presumably?

Senator KIM CARR: No, I'm not asking for a personal opinion. The commission put out a press release on 26 September, International Right to Know Day—

Senator Payne: I haven't seen the press release, but I will take your word for it.

Senator KIM CARR: and I'm asking: does the commission have a view that there's a problem about the right to know in this country.

Ms Falk : Perhaps I could take the question in this way: in terms of my role, it's to have the ability to handle Information Commissioner reviews and complaints and to publish statistics on the operation of the FOI Act as it applies to government agencies. In my opening statement, I drew attention to some statistics about the health of the system in terms of Australians exercising their right to know or their right to request government-held information. That right is one that is enshrined in the FOI Act. Individuals do have the right to access documents held by government and ministers in their official capacity in relation to official documents relating to agencies unless an exemption applies. The numbers of matters that go through the system give you a sense of what's happening on the agency side. For the operation of my office, I've set out some workload statistics about the issues that my office is dealing with. But, perhaps to take it at a broader level, the Right to Know Day was an opportunity for me to remind all government agencies of the importance of access to government-held information and the important role of FOI practitioners in ensuring that they're assisting applicants in defining the scope of what they're requesting and ensuring that they're taking a proactive or pro-disclosure approach to providing information.

Senator KIM CARR: Your opening statement said that the percentage of FOI requests granted in full was 52 per cent.

Ms Falk : That's correct.

Senator KIM CARR: Do you regard that as satisfactory?

Ms Falk : As I said, there's a legally enforceable right to access government-held information, subject to the operation of exemptions. What the statistics indicate is that, in a number of cases, agencies are applying exemptions in relation to the requests that are made.

Senator KIM CARR: That's not the question I asked you. Do you think 52 per cent is satisfactory?

Ms Falk : It's difficult to answer the question in a binary way, because of the qualifications that I've set out.

Senator KIM CARR: You've made the statement. You put out a press statement saying that government agencies could do more to make information available for the benefit of citizens. I've asked you if you think we've got a problem, and I didn't hear an answer to that question. So I then asked you if you thought the figure of 52 per cent of FOI requests was good enough, and I don't think I heard an answer there. You said you couldn't answer in a binary way. What's the point of your office?

Ms Falk : In terms of your question around the statement that I put out, it was to encourage the pro-disclosure approach to providing information. You've also asked me whether or not there's a problem with the FOI system. There's always room for improvement and, indeed, they're the messages that I also put out around the Right to Know day. The areas that I have drawn to agencies' attention are the ones that I've outlined; in particular is assisting applicants and ensuring that agencies don't take an overly technical approach to the scope of FOI requests. Also there's room for improvement in terms of timeliness, and I've asked agencies to give that particular focus.

The other aspect of that is for agencies to look at what information is being requested and to look at whether or not that could be made available through administrative access systems—for instance, self-service online portals. Also there's the kind of information that's being requested: can that be grouped and then proactively provided? So we're looking at ways in which the resourcing that's required for FOI processing across government can be mitigated through those proactive mechanisms.

Senator KIM CARR: Let's have a look at this. Do you have any sense in which some departments were better than others in responding to FOI requests?

Ms Falk : The issue around timeliness does vary amongst departments. There are a number of departments, if you take the issue of timeliness, that are 100 per cent compliant. There are processing times that are set out in the FOI Act that must be adhered to. Some of the agencies are not adhering to those time frames, and that's of concern. The FOI Act also sets out mechanisms whereby, if delay is going to be experienced, an applicant can be asked for their agreement to extend time. Alternatively, an application can be made to my office to determine an extension of time request where it's particularly complex or voluminous.

Senator KIM CARR: Which is the worst department for compliance with the FOI Act?

Ms Falk : In terms of all of the departments, the top 20 departments are listed in my annual report. Each of those agencies reports a number of statistics in terms of its FOI processing. The Department of Home Affairs receives the most requests for FOI across the whole of the Commonwealth, currently at around 17,725. So that's a significant number. Timeliness has been an issue with that department. In 2016-17, only 25 per cent of requests were processed within the statutory time frame. That has been significantly improved over the last two years to 74 per cent processed within time. One of the key factors in relation to that, as I reported last financial year, was that the Department of Home Affairs instituted an administrative access program. So it shows you the value of those proactive administrative access programs, but more work needs to be done in relation to timeliness with that particular department.

Senator KIM CARR: I've been advised that in the 2018-19 period there were 4,274 occasions of FOI requests for the Department of Home Affairs and there was a failure to make decisions within the 30-day statutory period on all occasions. Is that the case?

Ms Falk : I'm not familiar with that particular statistic. The statistics that are set out in my annual report refer to financial year, and at the conclusion of the financial year the Department of Home Affairs provided decisions in relation to FOI requests in 74 per cent of matters.

Senator KIM CARR: According to the department's own statistics, in 2013-14 there were 160 failures—that's one per cent of the total number. But according, as I say, to their own figures this has now risen to 98,000 requests, and the failure to make decisions in the 30-day statuary period had increased to some 24,358 occasions, 25 per cent of all requests over that same period. So it's gone from one per cent in 2013 to 25 per cent over the five-year period. That strikes me as a very substantial deterioration.

Ms Falk : The statistics that I have provided today are drawn from the annual reports from my office, and those statistics are required to be provided by agencies under the FOI Act.

Senator KIM CARR: It's not just a guidance matter, though, is it? These provisions that you're referring to are not just there as a bit of a guide; they're actually a requirement at law.

Ms Falk : They're statutory requirements.

Senator KIM CARR: Yes, so in fact it could be said that there have been breaches of the law in at least 25 per cent of cases.

Ms Falk : In relation to how the FOI Act works, where there is going to be a delay in a matter, I've set out the process that needs to be followed. Where that's not followed, an individual can make a complaint to my office.

Senator KIM CARR: Could it be the case that it's a question not just of a culture of secrecy but of a culture of lawlessness in that department?

Ms Falk : That's not a question that I feel I'm able to answer.

Senator KIM CARR: Minister, perhaps you could help me. It goes beyond just a culture of secrecy; it goes to a question of lawlessness.

Senator Payne: Is that a proposition you're putting to me, Senator?

Senator KIM CARR: Yes, I'm putting it to you.

Senator Payne: I don't agree with that. I think you, having formerly been a minister involved in directing and administering departments, would be aware that from time to time there are issues.

Senator KIM CARR: I'd like to think my record was better than that.

Senator Payne: They are not necessarily desirable, I absolutely acknowledge, but from time to time there may be issues around reporting processes and things like that. We would hope that they are addressed and rectified and that reporting comes back to the centre, where it should be and where the commissioner has every right to expect it should be. But I don't have the detail available to me on those instances that the commissioner obviously has had and that you may also have—I'm not sure. I don't have the detail available to me on those instances to make a sweeping generalisation such as you have suggested or particularly to use a word like 'lawlessness'.

Senator KIM CARR: It just strikes me that there have been breaches of the law in at least 25 per cent of cases. That's what I thought the commissioner was saying.

Senator Payne: It's what you are saying.

Senator KIM CARR: Is that not a fair—

Senator Payne: I really wish you would not put words in the mouths of officials or, for that matter, of me.

Senator KIM CARR: You know I wouldn't do that. I thought that was the clear implication: that there'd been breaches of the law—a statutory obligation—in 25 per cent of cases by the Department of Home Affairs. Is that not the case, Commissioner?

Ms Falk : It is a statutory requirement to process FOI requests within 30 days. If they cannot be processed in that time, there is a mechanism to seek agreements or else to seek a decision from my office in relation to that.

Senator KIM CARR: Let me be clear, because you can see I'm having difficulty with this quite startling statistic that you've revealed. Is there not a breach of the law in 25 per cent of cases with the Department of Home Affairs?

Ms Falk : I think it's the use of the word 'breach' that I'm—

Senator KIM CARR: Well, how would you like to describe it? If we say that there's a failure to meet their statutory obligation, would that be a nicer way to put it?

Ms Falk : There has been a failure to meet the statutory obligation.

CHAIR: Senator Carr, we're at more than the 10-minute block. Do you have a lot more?

Senator KIM CARR: I want to pursue this just a little bit in regard to another aspect.

CHAIR: I understand that. Can you be a bit more precise about how much you have to go?

Senator KIM CARR: I've been very precise, actually. The question of lawlessness was a very precise issue.

CHAIR: Precise about the time, Senator Carr.

Senator KIM CARR: I will seek to finish this section in a few minutes if I could.

CHAIR: That is less than five?

Senator KIM CARR: Yes, that's what I believe, but it'll depend on the answers, Madam Chair. As you know, I say this again and again. I just want to be clear about this: the culture of openness across departments and Commonwealth agencies is an expectation, of your office, isn't it, Commissioner? You would expect that?

Ms Falk : The FOI Act has a prodisclosure approach embedded in it, and the objects of the act are to provide access to government-held information in a timely manner at the lowest reasonable cost.

Senator KIM CARR: The Australian Information Commissioner Act 2010 did provide for three separate information officers: Information Commissioner, Freedom of Information Commissioner and Privacy Commissioner. You've actually got to do all of that, don't you? Is that still the way it works, or has it changed?

Ms Falk : I exercise all of the functions that you've outlined.

Senator KIM CARR: Yes. But there was a requirement under the act for there to be three separate officers undertaking that work; is that correct? Certainly that's what the explanatory memorandum set out when the bill was dealt with in 2010.

Ms Falk : The act makes provision for the appointment of up to three commissioners.

Senator KIM CARR: So what's happened? Why has there been a refusal to appoint a Freedom of Information Commissioner? Can you help me understand that?

Ms Falk : I think that's a question for government.

Senator KIM CARR: Minister, can you help me with that? Why has there been no Freedom of Information Commissioner appointed?

Senator Payne: I'll take that on notice.

Senator KIM CARR: It would be a clear breach of the will of parliament, wouldn't it, that that event that has not taken place?

Senator PAYNE: I said I would take that on notice.

Senator KIM CARR: Perhaps you could answer this question on notice as well: is this not a clear breach of the will of the parliament, given the explanatory memorandum and the original intent of this bill? We're now some years after the government has had an opportunity to fulfil this bill. The home affairs department is having a little trouble fulfilling its statutory obligations. Surely this is a case where the government's leading on this issue as well. It's failing to meet its obligations, its statutory obligations.

Senator Payne: As I said, I don't have those details with me. I will take that on notice. I might also ask Ms Chidgey or Mr Moraitis if they have anything to add.

Mr Moraitis : I'll just mention a few things. A few years ago there was a suggestion that the commission be abolished and incorporated into the Human Rights Commission. That didn't proceed. Since then—

Senator KIM CARR: You should be pleased about that. Who made that suggestion?

Mr Moraitis : It was around 2014-15 if I recall correctly.

Senator KIM CARR: Yes, but who made that suggestion? Was that the government's suggestion, was it?

Mr Moraitis : Yes, not a departmental one. Since that period, the positions have existed technically; it's just that the same person has been fulfilling those functions. I'll ask Ms Chidgey to elaborate on how that's worked. Some funding that was withdrawn was returned, but there were also some back office functions that were merged, which meant that there was $2 million returned, rather than $3 million.

Ms Chidgey : I'd just add that the act allows the Information Commissioner to perform all the functions and powers of the FOI Commissioner. That model has been operating effectively since July 2015.

Senator KIM CARR: Right. But it's hardly a good model, is it? You can't actually ask departmental officers across the Commonwealth to meet their obligations when the government doesn't meet its obligations under the act.

Ms Chidgey : It is meeting the obligations under the act.

Mr Moraitis : Senator, Ms Chidgey just explained that.

Senator Payne: Ms Chidgey just explained what the act says.

Senator KIM CARR: It's an interpretation you put on it. Did the explanatory memorandum set out three positions to be filled by three separate people? Is that a fact or not?

Ms Chidgey : There are three positions in the act, but they can all be performed by the Information Commissioner.

Senator KIM CARR: Yes, and that's a latter date interpretation.

CHAIR: Senator Carr, let the witness finish her answers before you start speaking over her.

Senator Payne: I'm not sure that it's an interpretation. If it's a provision of the act, it's not an interpretation of the act; it's a provision.

Senator KIM CARR: Was it set out in the explanatory memorandum that these positions be filled by three separate people?

Mr Moraitis : I don't recall.

Ms Chidgey : I don't have the explanatory memorandum.

Senator KIM CARR: Perhaps you could take that on notice for me.

Mr Moraitis : We'll take it on notice.

Senator KIM CARR: You could perhaps correct me if I'm wrong. I'll come back to that, because obviously we're going to need to spend some more time on this. I'll come back in my next round.

Senator HENDERSON: Commissioner, I'd like to ask you about the funding for the Office of the Australian Information Commissioner; in particular, the amount of additional funding committed by the government for the office in the last budget.

Ms Falk : In terms of the operating budget of the Office of the Australian Information Commissioner, the total revenue for this financial year is $23.234 million. That includes appropriation of $20.941 million and a sum which comes to the office through memorandums of understanding of around $2.3 million. In terms of the second part of your question, around the additional funding provided to the office, the 2019-20 budget allocated $25.121 million over three years to undertake functions around the handling of personal information and taking enforcement action. The purpose of the funding is to ensure timely handling of privacy complaints, also particularly focused on regulating the online environment. It is envisaged that my office would create a regulatory code that would apply to online providers such as social media companies, and it would set out particular protections in terms of vulnerable Australians, including children.

Senator HENDERSON: Could you go into a bit more detail as to why you are particularly focused on investing more in the online environment? Obviously that has added to the demands on the role of the office. Could you expand on that a bit more?

Ms Falk : It has. We can see globally the use of personal information increasing exponentially. Of course there are great economic benefits to be achieved by the use of personal information, but at the same time it needs to be kept secure and handled appropriately. In terms of the online environment, a number of incidents have occurred that have heightened the community's awareness about the collection of personal information, some relating to Facebook, for example. Also the ACCC conducted an extensive inquiry into digital platforms. That report was released earlier this year. I understand that the government is considering those recommendations.

Senator HENDERSON: In regard to the particular challenge faced by the online platforms, how have you been able to combat that challenge and, in particular, better safeguard the privacy of Australians in this difficult global environment?

Ms Falk : For this financial year and the coming years one of the key regulatory focuses of my office, outlined in the corporate plan, is regulating the online environment. In terms of how we intend to tackle the issue, firstly, at the global level I am a member of the executive committee of an international grouping of my counterparts around the world. My deputy commissioner is currently in Albania at our annual meeting. What I am seeking to do there is to ensure that we have information-sharing frameworks and cooperation in place so that I can regulate and enforce privacy with my global counterparts internationally.

On the domestic front, I should go back one step: we undertake education in terms of the community understanding how their information is being handled, and we work with other government agencies or regulators in increasing the community's knowledge so that they can take control of their personal information, and at the same time educating entities in terms of their obligations. The government has announced earlier this year its intention that there be legislation so that a code particular to the online environment will be made. That's a code that my office would be tasked with developing. It would involve extensive consultation, both with the community and with the online social media and other regulated platforms. Then there would of course be regulatory action that could flow, should the requirements of that code not be met.

So one of the big shifts in my office at present is shifting from an organisation that has predominantly been, in terms of privacy, an alternative dispute resolution body focused on conciliation, with administrative decisions being made in only some cases. It's clear that the community expectation of regulators—also the government has announced its intention to increase penalties under the Privacy Act and the enforcement mechanisms available to me—that a strong enforcement approach is required. That means increasing our capability. We are increasing the ASL, up to 124 staff, this financial year. We are currently at around 90 and we will be looking particularly at increasing our capability to act in that enforcement role.

Senator HENDERSON: In terms of your enforcement, you're talking about breaches of individual privacy, but also in relation to failure to comply with FOI requests?

Ms Falk : I'm particularly talking about privacy in relation to what I've just said. In relation to FOI, I also have the ability to deal with complaints around processing and also to conduct investigations on my own initiative. But in terms of the budget funding, it was specific for privacy regulation. The enforcement that I'm talking about can range from, for instance, working with regulated entities to have enforceable undertakings, to improve practice and ensure that the handling of personal information is improved, through to me being able to make a determination that's enforceable in the Federal Court, through to seeking civil penalties in the Federal Court. All of those enforcement actions can exist in a systemic way, and I can take that action on my own initiative.

Senator KIM CARR: In terms of the review of FOI decisions, you'll notice that there's been an increase in the number of direct requests to you. How many concern the Minister for Home Affairs?

Ms Falk : In relation to Information Commissioner reviews and the requests for those reviews that involve the Minister for Home Affairs, I don't have that information to hand. I'd need to take that on notice.

Senator KIM CARR: I take it that these were matters in regard to what's termed deemed refusals? Is that right?

Ms Falk : In relation to deemed refusals, what that is referring to is that where an agency does not meet the statutory time frame they are deemed to have made a decision refusing access to documents. Some of those decisions come to my office for Information Commissioner review, but they are one part of the matters that come to my office for Information Commissioner review.

Senator KIM CARR: So you can't tell me how many have come before you relating to the failure to meet the 30-day statutory period? Do you have that figure with you?

Mr Solomon : No.

Ms Falk : I don't have that to hand. I'd need to take that on notice.

Senator KIM CARR: So you don't have a ballpark figure on you?

Ms Falk : I don't. I'm sorry.

Senator KIM CARR: You'll be able to tell me if there's been any occasion where the minister has actually met his 30-day statutory obligation?

Ms Falk : My annual report reports statistics in terms of the Department of Home Affairs. I don't have specific statistics in relation to the minister. I'd need to look at whether we could provide you with those statistics under notice.

Senator KIM CARR: You deal with ministerial offices all the time, don't you? That's part of your role?

Ms Falk : In what regard?

Senator KIM CARR: I take it that before you have to make decisions, wouldn't it be the case you engage with ministerial officers to find out what's happening with an FOI request?

Ms Falk : Staff of my office would engage with whoever the decision-maker was in relation to FOI requests.

Senator KIM CARR: Is the Minister for Home Affairs' office cooperative?

Ms Falk : I don't have information to hand in relation to that. I don't engage specifically with ministers or government agencies specifically in relation to matters. I'm the independent decision-maker.

Senator KIM CARR: How do you gather information, then?

Ms Falk : Staff of my office would issue information requests from the decision-maker, and that would be provided.

Senator KIM CARR: So they'd gather information for you to make an independent decision?

Ms Falk : That's right.

Senator KIM CARR: Did I hear you correctly in your opening statement? Did you actually say that you're under-funded?

Ms Falk : I did raise the issue of resourcing in terms of FOI. It's a matter that's been discussed before this committee on a number of occasions, where I've indicated that really where the stresses in the system lie, from the OAIC's perspective, are with the need for more staffing. I've set out the fact that we've had an 80 per cent increase in Information Commissioner reviews and I have worked very purposefully since being in the role on looking at how we can increase our efficiency. Over that same period of time—the four-year period—we have increased our efficiency by 45 per cent. But I've formed the view, having conducted a number of reviews of the way in which we're carrying out our work, that the only way in which the gap is to be bridged is for additional staffing resources to be provided.

Senator KIM CARR: I see. I was just trying to reconcile the line of questioning from Senator Henderson with your statement, that's all. When was the first time you requested additional funding?

Ms Falk : I'd need to take that on notice.

Senator KIM CARR: Are you sure you need to? Most officers in your position would be able to tell very quickly when they first sought additional resources, given the growth in the workload.

CHAIR: The question's asked and answered. She's taken it on notice.

Senator KIM CARR: I'm just surprised that you need to take that on notice. Because what—

Ms Falk : It's been a matter of discussion with this committee and also, of course, with government during my term. I'm just unable to recall, with accuracy, the first occasion on which that occurred.

Senator KIM CARR: I see what you mean. I do apologise. In my experience, officers in your position are able to identify at least the year in which they asked for additional resources.

Ms Falk : I have asked for additional resources since being appointed to the position in August last year but, in terms of the first occasion subsequent to that date, I would need to check.

Senator KIM CARR: I see. That's where the confusion lies. So, since August last year, you've been seeking additional support?

Ms Falk : Sometime after that date, Senator.

Senator KIM CARR: And what was the government's response?

Ms Falk : The government has acknowledged my request and is working through it in terms of normal budget processes.

Senator KIM CARR: I appreciate that agencies will ask for additional resources and it won't necessarily be the same amount as the ERC thinks you're entitled to, but what is, in your assessment, the requirement? How much do you need to do your job in terms of the report that you've given to us today about the additional demand on your agency?

Ms Falk : The amount of additional resources depends on the objective which is sought to be achieved. Of course, the more staffing resources that you have for processing Information Commissioner reviews and complaints, the quicker they can be processed.

Senator KIM CARR: So you don't have a figure?

Ms Falk : I think that there needs to be an increase in the staffing resources, and the quantum of that does depend on the time in which the backlog is sought to be addressed and also the ultimate goal in terms of how quickly Information Commissioner reviews should be handled.

Senator KIM CARR: So how much did you ask for?

Ms Falk : Senator, you appreciate that the information I've provided to government is through budget processes. I can give you an indication that, at present, my funding envelope allows for around 19 case officers to work on FOI reviews—there are additional staff who work on the FOI function more broadly—but just looking at FOI reviews, there'd need to be at least a half increase in the number of those staff.

Senator KIM CARR: What you mean by 'a half'?

Ms Falk : A half again.

Senator KIM CARR: So—

Ms Falk : Another nine staff.

Senator KIM CARR: What will that cost in terms of your normal profile?

Ms Falk : I'd need to see if we've got any figures to hand in relation to that, but it would be the cost of those staff.

Senator KIM CARR: It depends on what they're paid, doesn't it? Those nine staff are not all SES staff, are they?

Ms Falk : No, they're case officers.

Senator KIM CARR: So you'd be able to indicate roughly what it would cost to fund nine staff.

Ms Falk : I've put forward to government the cost of that and also any capital costs that might be needed to accommodate those staff.

Senator KIM CARR: Can you take that on notice, please?

Ms Falk : Thank you.

Senator KIM CARR: In terms of the data breaches, there's a requirement for six-monthly reporting. Is that the case in terms of agencies to provide you with information on data breaching?

Ms Falk : In relation to notifiable data breaches, there's a requirement for any entity covered by the Privacy Act—which includes many government agencies, and also the private sector—to report to me, and also to notify affected individuals, in certain circumstances. Where there is a likely risk of serious harm to affected individuals occurring, that reporting needs to occur. It needs to occur as soon as practicable after becoming aware of that situation. Sometimes entities need to undertake further investigations to be satisfied that a notifiable breach has occurred. Ordinarily, that should occur within 30 days.

Senator KIM CARR: I see. How many data breaches have been notified under the scheme in the second quarter of 2019?

Ms Falk : The second quarter of 2019 might be something that my colleague has to hand. Otherwise, I can take it on notice—

Senator KIM CARR: Could you, please?

Ms Falk : but I can advise that in the first year of the scheme we received 950 notifiable data breaches.

Senator KIM CARR: Can you outline where these 950 incidents came from?

Ms Falk : Yes. I have produced quarterly reports which set out both the sectors that are reporting and also the main causes of data breaches. The main sector is the health sector, followed by the financial sector. The causes of data breaches are predominantly through malicious and criminal activity, particularly the use of phishing attacks and other methods to compromise credentials such as usernames and passwords.

The second major cause of data breaches is what we've called the human factor, or human element. That's individuals sending information to the wrong recipient in error, or otherwise an error that's caused by human intervention.

Senator KIM CARR: Has there been a growth in the third quarter of 2019?

Ms Falk : My recollection of the numbers we've received each quarter is around 245, but my colleague has advised me that in the quarter ending at the end of September this year we received 134 notifications. So that's quite a decrease.

Senator KIM CARR: Let's just be clear, and I'm sorry if I'm obtuse on this: this is from Commonwealth agencies and the private sector?

Ms Falk : That's correct.

Senator KIM CARR: Right. So are there hospitals? You said health and finance.

Ms Falk : Yes, that's right. I should point out that under the Privacy Act, in general, small business operators are exempt. However, health service providers, regardless of size or annual turnover, are covered. So it would cover all private sector health providers, regardless of size.

Senator KIM CARR: Have you done any benchmarking about how we compare as a country with other countries?

Ms Falk : We have looked internationally. In terms of the reporting per population, the amount of reporting that's happening in Australia is in line with global trends. The health sector is one of the key reporting areas internationally. If you look at the UK position and also the Dutch position, you'll see that's the case.

In terms of international reporting, the threshold for reporting a notifiable data breach differs a little to the Australian threshold. So the requirement to report occurs more frequently under the General Data Protection Regulation, which is in force in the European Union.

Senator KIM CARR: I see. If I can be clear about this: you said there were 134 in the third quarter of 2019—that's 134 incidents?

Ms Falk : Yes.

Senator KIM CARR: How many people do you think might have been affected by that?

Ms Falk : I don't have those statistics to hand, but I can provide that on notice.

Senator KIM CARR: Thank you, if you wouldn't mind. I've asked for the second quarter and the third quarter, and could you follow that up with how many people you think might be affected in those incidents?

Ms Falk : Yes.

Senator KIM CARR: Thank you very much. And in regard to the comparison, the comparative figure per capita, are you able to give us any indication of how we're comparing with, say, the United Kingdom, Canada and comparable countries?

Ms Falk : I do have statistics on comparability. As I said, the system is not directly comparable, but to the extent to which I'd need to put some qualifiers around it, I can still provide you with what I think could be some useful information.

Senator KIM CARR: How many commission led investigations have you undertaken into the data breaches notified under the scheme in 2019?

Ms Falk : Perhaps I'll just quickly explain the context in which we deal with notifiable data breaches. Our first priority is to ensure that individuals are notified and the information that's required to be provided to individuals is so provided. We will then work with the entity to make sure that the incident has been contained and that remedial steps have been put in place to prevent a recurrence. Where the incident raises concerns around the security of the entity, then we may make additional preliminary inquiries. I can also undertake investigations on my own initiative. The number of matters that we have made preliminary inquiries into would be a matter that I might need to take on notice.

Senator KIM CARR: If you wouldn't mind. In the case of the United Kingdom, the United Kingdom information office imposed a fine of $223 million on British Airways over circumstances where 500,000 customers' details were stolen following a web hack in 2018. And in the United States there was a $123 million fine issued to the Marriott Hotel as a result of data breach with its Starwood subsidiary. Do we have any similar circumstances in Australia?

Ms Falk : There have been breaches notified to my office that have affected large numbers of Australians, and I have a number of investigations that are currently active.

Senator KIM CARR: Yes, active investigations, but the credit reporting agency Equifax, for instance, reached a settlement with the US Federal Trade Commission and their Consumer Financial Protection Bureau for a data breach within its organisation which cost the company more than half a billion US dollars. Are we looking at any similar matters at law within Australia?

Ms Falk : I do have a number of active investigations that are in hand. I previously outlined some of my regulatory powers. They include making a determination, which can make declarations around agencies or organisations changing their practices.

Senator KIM CARR: I'm sorry to labour this, but you have said now a couple of times that you have investigations. What enforcement options are available other than to investigate?

Ms Falk : I'm outlining those. I can make an enforceable determination that's enforceable in the Federal Court that would require the organisation, for instance, to improve its security practices. I can also take an enforceable undertaking from an entity that would also be enforceable in the Federal Court if it's not complied with. I can also seek civil penalties from the Federal Court.

Senator KIM CARR: Have you undertaken any action at law through courts to have an enforceable action undertaken?

Ms Falk : Not at present. I mentioned the additional funding that's been provided to the office from 1 July and the fact that I'm increasing the enforcement capability of the office. It's very important that we're able to exercise all of the regulatory powers, and it's that capability that I'm looking to develop.

Senator KIM CARR: Is it your intention to actually seek legally enforceable undertakings with penalties such as of the type that I've indicated that are occurring in the United Kingdom and the United States?

Ms Falk : I would take the most appropriate regulatory outcome in the case. Sometimes that can be achieved through an enforceable undertaking. At other times it's more appropriate to make a binding decision or to seek enforceable penalties. I have a regulatory action policy that sets out all of that regulatory action that I might take. I would decide which was most appropriate given the facts and circumstances. In all cases I'm looking for what is going to be of the most benefit to the Australian community.

Senator KIM CARR: So you have the legal capacity to have fines imposed of the type that I've indicated?

Ms Falk : I can seek civil penalties through the courts. I cannot impose a fine myself.

Senator KIM CARR: Not individually, but through the court system. That exists?

Ms Falk : Yes.

Senator KIM CARR: And it is a matter that you are actively considering now?

Ms Falk : Yes.

Senator KIM CARR: You've moved to a six-monthly reporting requirement—is that correct?

Ms Falk : Yes.

Senator KIM CARR: Why?

Ms Falk : I made an administrative decision, an operational decision, to report quarterly for the first year of the operation of the notifiable data breaches scheme, so that I could give transparency to how the scheme was operating, the causes, the sectors. The real purpose for that was to identify where the effort needs to be put by regulated entities in improving their security posture. What we found is great consistency through that 12 months, and I determined that we could move to a six-monthly reporting requirement, which would still give that transparency, given that the issues that we're seeing remain constant, and that our efforts be put into our educative efforts in terms of prevention, which is always better than cure.

Senator KIM CARR: So is it a funding constraint?

Ms Falk : No, it's not. It's an operational decision in terms of the best utilisation of the resources of the office.

Senator PATRICK: Just to get an idea in terms of performance or delays in terms of IC reviews, do you have the numbers there for IC reviews that have taken more than 12 months? Just the outstanding ones at this point in time? The number of IC reviews that are currently on your books that have taken longer than 12 months?

Ms Falk : The statistics that I have at hand will tell me the 2018-19 financial year statistics in terms of the numbers that were more than 12 months that we finalised, which was 177 matters and 27 per cent.

Senator PATRICK: I'm interested in the ones that haven't been finalised. You might recall that at one time I asked for statistics on those that were still outstanding after a year, still outstanding after two years, and I remember there was one that was really quite lengthy in that you'd had the matter for a number of years.

Ms Falk : May I take the specific question on notice? I might be able to provide you with some other information that goes partway to answering that question.

Senator PATRICK: Okay.

Ms Falk : At the end of quarter 1 we had 850 matters on hand. In terms of the numbers awaiting allocation, you'll recall that when we receive a matter, it's triaged and we seek to resolve the matter through earlier resolution. For those matters that are unsuccessful and require a deeper analysis through to potentially a decision by myself, we have 330 matters awaiting allocation.

Senator PATRICK: I might put some questions on notice to get the exact statistics that I'm after. It'll be consistent with the previous question on notice that I asked. In a previous estimates you talked about a company called Synergy coming in to do a review. Can you tell the committee about the output of that review and what's happened?

Ms Falk : There have been a number of endeavours undertaken by my office to review processing times and the way in which we handle IC reviews and complaints in order to increase efficiencies. One of the things that we've done—and I will certainly come to your question specifically about the Synergy report—is to conduct some modelling so that we're very clear around case management times. The second thing that we have done is some internal restructuring. The third thing that we have done is have an external consultant come in to give an external view of our processes. We've mapped those processes, looked for areas for efficiencies, and instituted some changes as a result. The report has been finalised and the team has undertaken a three-month trial. The focus of the trial has been to focus our efforts on both the early resolution but also the older matters that you mentioned. We sought to resolve as many of the older matters as possible within that three-month time period.

Senator PATRICK: And how did you go?

Ms Falk : We didn't quite meet our goal. My deputy would describe it as an ambitious or stretch goal. We wished to seek to resolve 50 per cent of the older matters within three months, and we managed to resolve 25 per cent of those matters.

Senator PATRICK: I think it's fair to say that the statistics show there are improvements, but your case load is increasing and that's led in some sense to the call for greater resources?

Ms Falk : Yes. Over the past four years, there's been the 80 per cent increase in Information Commissioner review applications to my office. If I compare that same period of time in terms of increasing efficiencies, we've increased efficiencies by 45 per cent. But notwithstanding our very best efforts and the very best efforts of my staff, to whom I'm very grateful and appreciative, a gap remains between the volume of the work coming into the office and the staff that's needed in order to process those matters.

Senator PATRICK: Ms Chidgey, you mentioned that all was fine and dandy before in response to Senator Carr's question about three commissioners.

CHAIR: I don't remember that language, but I like it!

Senator PATRICK: It was along those lines. That seems inconsistent with some evidence that was taken by the Legal and Constitutional Affairs References Committee in relation to a proposed bill, where Mr Walter said that there are undoubtedly stresses in the system. You seem to have an optimistic view about the situation.

Ms Chidgey : I'm not sure what Mr Walter was referring to. My evidence was that the Australian Information Commissioner Act allows the Information Commissioner to perform the functions of the other commissioner roles and that that was working.

Mr Moraitis : I think Mr Walter was correctly alluding to what are stresses, as Ms Falk has pointed out. She's been in consultations with us about her budget pressures. We're cognisant of those and aware of the parameters of her needs. Ultimately it's a matter for government to deal with resources. That's the best I can say at this stage.

Senator PATRICK: Sure. I was just querying the comment that had been made.

Mr Moraitis : We didn't say it was 'fine and dandy'.

Senator PATRICK: It was working.

Ms Chidgey : It was very specifically about the ability of the Information Commissioner to perform the functions of the FOI Commissioner.

Senator PATRICK: So you don't think that if you had additional resources to make independent decisions—like an FOI Commissioner—that, indeed, some of the backlog that we've just discussed wouldn't be resolved?

Ms Chidgey : There's a question about the resources for the office as a whole, whether that's an extra commissioner or other staff.

Mr Moraitis : Conversely, you could argue that you could have nine extra FTE and you have a single person doing all three functions, and that achieves the objective. That's an alternative.

Senator PATRICK: I think I FOIed the commissioner's diary at some stage. She looked pretty busy and didn't seem to have a lot of time to do independent decisions, actually. Going back to the matter that was raised by Senator Carr in respect of Home Affairs, Home Affairs did provide statistics that said they had received applications in 2017-18 and had—I'm just rounding here—15,000 applications; and closer to 19,000 applications in 2019-20. And they were running, in both those years, 3,721 and 3,746 deemed refusals. That goes to the question Senator Carr was asking. In some respects it isn't a breach of law in the context that there's a statutory provision that says it is a deemed refusal. It's at that point that people are now entitled to come to you, to conduct a review, with an understanding that they've been denied access. Is that the correct interpretation of the act?

Ms Falk : If the FOI request is not processed within the statutory time frame, the agency or minister is deemed to have refused access, and that triggers the ability for my office to conduct a review for—

Senator PATRICK: So, in some sense, the statute cleans up the mess from Home Affairs. However, in many instances, the person FOIing Home Affairs wouldn't necessarily be privy to or understand their rights, in relation to a deemed refusal, or wouldn't understand the concept. They'd just say, 'It's late. They're not responding and they are really hard to get hold of. For me to get access to the status of an FOI I've had to ring the minister's office for them to get in contact with us, because they only have an FOI email address.' Is there anything you can do, by way of training or other mechanisms, particularly in relation to Home Affairs, to either encourage extensions of time, for which everyone is informed, and/or some intervention that allows, in the case of a 30-day deemed refusal, a letter to go out to advise people of their rights?

Ms Falk : Thank you, and I'll give close consideration to the matters you have raised. I had a recent meeting of information contact officers in September, which was all of the FOI practitioners across the Commonwealth. A number of the issues that you've raised we've sought to lay out to practitioners, in terms of the importance of communication to the public around where their application is up to and ensuring that individuals do understand their rights. In terms of issues of training, I'll take those matters on notice and give it close thought.

Senator PATRICK: It goes to my next round of questions, which relate to the activities of Professor McMillan, the first Information Commissioner, who had a program of training for FOI officers across each of the agencies. Would it be fair to say that the effort that he put in, at the time, is not being replicated by your office, perhaps on account of a lack of resources?

Ms Falk : I mentioned the information contact officers network. We meet twice a year. My staff, then, convene a round of meetings with all of the 20 top agencies, individually, discussing their issues and making clear the expectations of my office. That has proved to be very effective. In between those times, we use our online mechanisms to ensure that IC reviews, updates to the guidelines and other guidance is provided to information officers. We do think that there's more that can be done from a proactive, educative position of the office. We are particularly looking at the kind of induction that's provided to new recruits across the APS, in terms of their FOI responsibilities. One of the things that's important, I think, to remember is that FOI is a whole-of-agency obligation, including line areas who have to provide the documents. It's not just the FOI practitioners who are responsible for ensuring the timeliness issue, in particular, is addressed. These are matters we are moving forward with, and we're doing that in the best way we can on the resources we have.

Senator PATRICK: Once again, this is not a criticism; I'm just trying to understand the situation. You'd be aware of a couple of media reports. I'll just go to two of them. One was in relation to an SBS journalist who sought application to the Department of Defence on some costs associated with Minister Price's travel. They got a response back, saying: 'We'll give you that answer if you front up $2½ thousand.' That sort of thing, I would have thought, would disturb you. They weren't asking for invoices, just an adding of the total cost. I think section 15 allows someone to go in and add up a number and send that number to an FOI applicant.

Ms Falk : Charges do not need to be levied. They are a discretionary matter for government agencies and ministers to consider. My guidelines set out the kinds of factors that should be considered when deciding whether to levy a charge—for instance, the information that's sought and the public interest, the nature of the request and so on. When I look at the agency statistics in terms of charges overall across government agencies, there has been a decrease, if you look at the holistic scale, in the amount of charges that have been levied by government agencies. However, there has been an increase in the collection of those charges by agencies.

Senator PATRICK: I just wonder, if you see a media article like that, whether it doesn't raise your eyebrow and make you think, 'Right: I'd better go and have a bit of a look at that.'

Ms Falk : I was concerned about the matters that were raised, and I was pleased to see that they were rectified. I should say, in terms of broader messages to the APS, that we are updating our FOI guidelines in relation to charges, in relation to drawing out those matters that I've particularly raised in terms of the discretionary nature of charges and how they should be used.

Senator PATRICK: Finally, you will have seen an article about a whistleblower inside PM&C who had basically initiated a PID stating that across 25 FOIs there was basically flagrant disregard for the law in responding to FOI applicants and that had caused the department to conduct a review. Are you privy to the outcome of that review? Have you looked at what happened, noting that it is a PID and there are secrecy provisions around PIDs? But, once again, it is an alarming allegation, and I'm just wondering whether or not you pick up the phone, whether you execute a power of some sort to go and also examine what might be going on.

Ms Falk : I've not had any personal involvement in relation to the matter you raise.

Senator PATRICK: But you're aware of it?

Ms Falk : There's been a lot of media in recent times. I have some recollection of the matters you're talking about, but I'd need to consider it more carefully.

Senator PATRICK: All right. Thank you.

CHAIR: On that optimistic note, I thank the officers from the Office of the Australian Information Commissioner who are at the table.