Legal and Constitutional Affairs Legislation Committee
Office of the Australian Information Commissioner

CHAIR: The Legal and Constitutional Affairs Legislation Committee will now resume. I will put on the record that it appears the Commonwealth Ombudsman and the Office of the DPP won't be required later today.

Senator WATERS: I've got Ombudsman questions, Chair.

CHAIR: Are they ones you can put on notice? We're trying to catch up 2½ hours worth of running behind.

Senator WATERS: They're not long, but I'd like to ask them in person, if I still can. I had assumed that I would be able to.

Senator PATRICK: For the CDPP, I've got about five minutes.

CHAIR: That's your right, and I can't deny you it, but surely they're things that could be put on notice?

Senator PATRICK: This one is a little bit tricky. It's about discretions.

Senator WATERS: I will undertake to not spool it out and just ask what's strictly necessary, as I always do. I reckon 10 minutes for me, for Ombudsman, would do it.

CHAIR: Okay. Senator Carr, I think that's the best I can do in the circumstances. We have the Office of the Australian Information Commissioner on the telephone, I believe. Senator Carr, you have the call.

Senator KIM CARR: Thank you very much. Could I ask the commissioner about the COVIDSafe app—have you received any complaints about the operation of the app?

Ms Falk : Thank you for the question. The legislation has been in operation since 14 May this year. We've not received any complaints since that time. There was one purported complaint made prior to that occasion, but I didn't have jurisdiction in relation to the matter.

Senator KIM CARR: So—none since the proclamation of the act. Is that the nub of it?

Ms Falk : That's correct. There have been some inquiries made from members of the public, but none of them have led to formal complaints being made to the office.

Senator KIM CARR: So there have been no questions about privacy breaches?

Ms Falk : No, there have not been.

Senator KIM CARR: So I take it, then, you have not undertaken any investigations?

Ms Falk : No, we have not. But I could advise the senator, if it would assist, that we have developed a proactive oversight program for monitoring the handling of personal information by the COVIDSafe app, and we have commenced two audits under the legislation, with a further three to be completed.

Senator KIM CARR: When were the audits concluded?

Ms Falk : The audits have recently commenced—the two that I referred to—one of which I would expect to be near to completion perhaps towards the end of the year.

Senator KIM CARR: When do you expect that they will, in fact, be concluded?

Ms Falk : The first one is expected to be concluded by November this year. The others will follow shortly thereafter.

Senator KIM CARR: Back in October you indicated that you were short-staffed—in fact, you suggested that you may need an additional nine FOI case officers, a 50 per cent increase, to meet existing demands. Does that remain the case?

Ms Falk : We've not received any additional funding in relation to FOI since that occasion.

Senator KIM CARR: Do you still maintain the view that an additional nine officers are required?

Ms Falk : If I might give some perhaps useful context. I think I mentioned, on the last occasion, that we had had some success in increasing our efficiency with FOI throughput, and that continues to be the case. Whilst over the last five years we've had over a 100 per cent increase in the number of reviews to my office, we've also increased our finalisation rate by around 83 per cent. Last financial year we had a 15 per cent increase on the number of IC reviews to my office and we finalised an increase of 26 per cent on the year before. Notwithstanding that, there does remain a gap between the volume of work coming into the office on FOI and that which we can finalise within our key performance indicator of 80 per cent of IC reviews finalised within 12 months.

Senator KIM CARR: Is there a problem in meeting your statutory responsibilities?

Ms Falk : The area where I think that there's a need for additional consideration is the issue that I've raised on previous occasions as to how we can address the growing case load of work. There's a two-pronged approach to that that my office has been implementing. The first is to work constructively with government agencies to provide them with the resources that they need to make good decisions under the FOI Act. This year we've released a new toolkit for FOI officers, aimed at that objective. The second is that we encourage proactive publication of information held by government, and a number of government agencies have well-developed administrative access schemes which do not require recourse to the FOI Act. At the same time, as I said, we work each day to continue to look at our processes and the efficiency in the way in which we deal with FOI matters.

Senator KIM CARR: It's just that, if you were saying to this committee last October that you needed an additional nine, I took it to mean that you were having trouble with meeting your statutory responsibilities at that point—that is, before you were given additional responsibilities in relation to the COVIDSafe app. How are you coping at the moment?

Ms Falk : The two functions that I'm administering are as you set out. One is under the Privacy Act, which includes the COVIDSafe work. The other is under the FOI Act, and we haven't received additional funding for the FOI functions. This is a matter that I continue to keep government apprised of in terms of the workload of the office.

Senator KIM CARR: In fact, the way I read it, if you look at the portfolio budget statement, it would appear that across the forward estimates there is a drop from $23.5 million this financial year to $21.1 million in 2021-22 and then to $13.3 million in 2022-23. Have I read the PBS correctly?

Ms Falk : There is a change in the funding over the forward estimates, if I can perhaps just step it through for the committee. The office has been given additional funding in the 2018-19 budget of $12.91 million over the forward estimates for our role in the very important new consumer data right that's recently been rolled out in the banking sector. In addition, in the 2019-20 budget, we were provided $25.1 million over three years including $2 million for capital for enhancing our privacy complaint resolution and also undertaking strengthened enforcement action in relation to the online environment and social media.

In the forward estimates, what you'll see is that that appropriation for the privacy functions is a terminating measure, hence you will see a diminution in the appropriation proffered.

Senator KIM CARR: So your responsibilities have grown but your resourcing has declined?

Ms Falk : The resourcing has been increased on the privacy functions, in relation to the consumer data right that I mentioned, of $12.9 million. And also—

Senator KIM CARR: Sorry—what you've just said is that for 2019-20 it's $25 million, but from 2021-22 it goes to $21 million and then to $13 million. Is that correct?

Ms Falk : Yes. In terms of the figures that you're referring to in 2021-22, the change there is that we—sorry, I'm going to start again and ensure that I've got the right figures in front of me while I'm answering this question.

Senator PATRICK: Are we on page 298 of the PBS, Senator Carr?

Senator KIM CARR: This was on page 293.

Ms Falk : In terms of the forward estimates and the decrease that I think you've called out for the 2021-22 year, that's as a result of funding that we received for carrying out my functions under the My Health Records legislation. That money comes to me through an MOU arrangement with the Australian digital health authority of around $2.07 million. That's a 12-month arrangement. Therefore, you see that part of the funding diminish over 2021-22. In the next year, for 2022-23, that's when the $25.1 million over the three years that I referred to—for privacy complaints and the online environment—terminates.

Senator KIM CARR: Therefore you have a figure of $13 million as a result of the termination, as you put it. That's actually less money in the forward estimates, is it not?

Ms Falk : It is, and I certainly would be making representations to government about the need for funding to continue.

Senator KIM CARR: Absolutely no doubt about that. It is a remarkable drop. And, given the amount of money in this budget, I'm surprised that you have to wait to have that funding renewed in the period presumably out to 2022-23. Is that a fair reading of the budget statement? It's a terminating program. Presumably you'll go to the ERC and ask for additional support, given that you've got extra responsibilities. I imagine the case you'll put is: 'I'm not able to meet my statutory responsibilities.' Would that be correct?

Ms Falk : The issue is yet to arise. It will be a matter that I will continue to work through with the government, and I can perhaps draw the committee's attention also to the proposed review of the Privacy Act, which is to be undertaken by the Attorney-General's Department. As part of that, it will be looking at the legislative framework and also my functions and powers in relation to the Privacy Act, and I would envisage that the resourcing that's required to deliver on any reforms would be part of the discussions that would need to occur at that time.

Senator KIM CARR: The investigations you have on the Cambridge Analytica matter have been underway now for two years?

Ms Falk : Since the last occasion we met—I think the last committee hearing was in March—and a couple of days after that hearing, I lodged proceedings in the Federal Court in relation to Facebook for what I'm alleging are serious and/or repeated interferences with the privacy of Australians.

Senator KIM CARR: What's happened to those proceedings that you've lodged?

Ms Falk : Those proceedings are on foot. Facebook contended my jurisdiction to be able to lodge proceedings in relation to Facebook, Inc, the US based company. They've not contended that I lack jurisdiction in relation to Facebook, Ireland. The court has determined, at first instance, that I do have jurisdiction—that is, Facebook, Inc is carrying on a business in Australia. But, subsequent to that, Facebook lodged an appeal and it's that appeal proceeding which is currently on foot.

Senator KIM CARR: How long do you anticipate that will take?

Ms Falk : That will be a matter for the court. We're yet to have hearing dates for the leave to appeal to the Full Court of the Federal Court to be heard.

Senator KIM CARR: What exactly is the nature of those proceedings? What are you seeking to have resolved by the court?

Ms Falk : Under the relevant provisions, section 13G of the Privacy Act makes it a civil penalty provision for an entity covered by the Privacy Act to engage in serious and/or repeated interference with the privacy of individuals. We allege that such interference with privacy has occurred, and it warrants the imposition of a fine by the Federal Court.

Senator KIM CARR: Does your funding situation affect your capacity to undertake those proceedings?

Ms Falk : Pleasingly, the particular funding that was provided in last financial year's budget for the $25.1 million, including the capital money I mentioned of $2 million, is enabling me to take regulatory action in relation to the online environment.

Senator KIM CARR: How many concurrent investigations are you undertaking at the moment?

Ms Falk : In addition to my statutory function to handle complaints lodged by individuals, I also have the jurisdiction to handle notifiable data breaches from regulated entities and the ability to undertake investigations on my own initiative. I currently have 19 investigations or preliminary inquiries that are open on my own initiative that range across matters across the economy.

Senator KIM CARR: Is your funding situation affecting any capacity to undertake investigations other than the ones that you've mentioned so far?

Ms Falk : Your question is in relation to investigations of privacy—is that correct?

Senator KIM CARR: Privacy matters, yes.

Ms Falk : At present, as I said, we welcomed additional funding last year. We've had this 12 months where we've been able to put that funding to good use to eradicate a backlog of privacy complaints. To give you a sense of that work, we had over 1,400 matters on hand at the end of the previous financial year, at the end of June 2019. At the end of the most recent financial year that had dropped to 785 matters on hand. The previous 12 months we also had more than 300 matters awaiting allocation. We now, in essence, have very few matters awaiting allocation. It ranges on a daily basis, but at present we have around 79 so that's been very pleasing. We've also had the opportunity to start to increase our enforcement capability for investigations on my own initiative, and that includes intelligence-gathering capabilities. I'd say the last 12 months has really been seeding that capability and we're continuing to build on it over the next two years based on the funding that's been provided.

Senator KIM CARR: What I might do is ask if I could get on notice a chart across the forward estimates, going back from 2018-19, of the number of investigations you initiated and anticipated that you would be able to fund over that period. I presume you can't tell me precisely about inquiries that you're undertaking, but you could tell me how many you could fund out of the forward estimates—I'll put those questions on notice. I want to ask you specifically: do you agree that there's a growing use of online services and mobile applications which has meant that the volume of personal information about Australians being collected and the number of organisations collecting personal information about Australians are continuing to increase dramatically; and does that not mean a higher level of risk with regard to privacy breaches for Australians?

Ms Falk : The volume of personal information that's being handled has increased exponentially over recent years and continues to do so. I think we're at an important time in the development of privacy law and I see a real opportunity with the review of the Privacy Act, which is imminent, to ensure that we have the legislative constructs that are able to deal with these issues into the next decade. But, notwithstanding that, we currently have a good strong foundation in our privacy law. It might assist the committee for me to simply outline my regulatory priorities for the next 12 months based on the issues that you've raised around, if you like, the very widespread handling of personal information across the economy.

Senator KIM CARR: I understand the point you're making, so you'd agree there's a higher level of risk. I'm advised that in financial year 2019-2020 there were over 1,000 data breaches notified to you under the mandatory data breach notification scheme but over half of those were actually caused by malicious or criminal attacks, including cyberincidents. How many of those cyberinstances did the OAIC undertake as an investigation into whether they were notifying organisations or take reasonable steps to protect the personal information they hold from misuse, interference, loss and unauthorised access, modification or disclosure required under the Privacy Act?

Ms Falk : Last financial year, as you say, there were over 1,000 data breaches—1,050 to be precise—that were notified to my office. There are two objectives with this scheme. The first is that individuals are notified where their personal information has been compromised and are therefore afforded the opportunity to take steps on their own initiative to protect themselves from further risk—for example, that might mean changing passwords, checking accounts, putting stops on credit reports and so on. The second is: it does provide transparency and accountability by reporting those matters to my office and it's also a source of intelligence as to the risks across the economy for personal information and where our efforts should be put to elevate the security posture.

In relation to each of those 1,050 matters, we have ensured that individuals have been notified and that they have been provided with information about the steps that they can take to mitigate their risk. We've also ensured that we're confident that the cause of the breach has been identified and appropriately rectified and steps have been put in place to mitigate the occurrence recurring. There is then an opportunity, where there are repeated notifiable data breaches or issues where a failure to take reasonable steps might be more egregious, for me to undertake an investigation on my own initiative.

Senator KIM CARR: How many enforcement actions did you undertake as a result of your own initiated investigations?

Ms Falk : I think in answer to your last question on notice in that regard I advised that there was one, and since that time I've opened an additional two matters, for three significant investigations that arise out of the Notifiable Data Breaches scheme directly.

Senator KIM CARR: I take it that you remain concerned about malicious and criminal attacks, including these cyber incidents. That seems to be the major cause of the data breaches. Does that remain the case? Is that your understanding?

Ms Falk : It has been a consistent cause since the scheme commenced in February 2018. But what's interesting about that is that in many of the cases there's also a human element connected to that cyber intrusion. For instance, many of those malicious and criminal attacks have been facilitated by the use of phishing emails, where an individual—say, an employee—is tricked into entering their credentials into a system and therefore allowing the system to be compromised. So, the response needs to be not only in terms of hardening of the cybersecurity borders of organisations but also internally, with processes and training for the people who are dealing with personal information every day.

Senator KIM CARR: But there remains the question about whether or not your enforcement powers can take a higher priority in driving organisations to take the necessary steps to protect personal information and—I guess the point I'm making about all of this—whether or not you're adequately resourced to undertake investigations and enforcement proceedings so that you're able to act as an effective deterrent against organisations failing to take reasonable steps to protect personal information that they control. What do you say to that?

Ms Falk : I don't think there's been any regulator who would say that they wouldn't welcome additional resources. But, as I said, we have been provided with additional resources in relation to privacy. It's incumbent upon me to prioritise activity according to risk and impact, and the three matters I've mentioned seek to achieve that objective of deterrence. Of course, they'd need to be fully investigated and worked through, and then regulatory outcomes can range from the acceptance of a publicly enforceable undertaking. I can make a determination, which would be an administrative decision, imposing declarations that certain conduct cease or rectification measures be put in place. Alternatively, as in the Facebook matter, I can seek civil penalty actions.

Senator KIM CARR: Well, let me take you to a specific case. On 14 September The Australian Financial Review reported on a leak of the database known as the Overseas Key Individuals Database, including the personal information on more than 35,000 Australians and their families. Are you investigating this incident and the potential breaches of the Privacy Act?

Ms Falk : Could you inform me of the name of the entity you're referring to?

Senator KIM CARR: It is the Overseas Key Individuals Database, reported in The Australian Financial Review on 14 September this year.

Ms Falk : That is a matter that's currently being considered by my office.

Senator KIM CARR: So, 'considered'. I was seeking something perhaps a little stronger than that. When you say 'considered', do you mean that you're looking at or investigating this as a potential breach of the Privacy Act?

Ms Falk : There's no current investigation at this point, but, as I said, in relation to all the breaches that are notified to my office, we make preliminary inquiries in relation to them to seek to understand it and ensure that it's not repeated. It's then a matter of deciding, amongst all of the matters that we receive, which warrant further regulatory action.

Senator KIM CARR: Well, let me look at this then. Could the scraping of personal information about an individual from an online platform, in a way that is contrary to the platform's terms of service, constitute a breach of the Privacy Act?

Ms Falk : Under the Privacy Act there are a number of different provisions at play, but, in essence, if a platform is seeking to use or disclose personal information on the basis of having received consent from an individual, that consent needs to be fully informed and freely given, and to not do so could amount to a contravention of the Privacy Act.

Senator KIM CARR: So I presume that information about an individual that's seized by hacking, through unauthorised access to a computer system, that would clearly constitute a breach of the Privacy Act?

Ms Falk : There might be criminal actions there which would be outside my regulatory remit if there's unauthorised access using such means. In terms of my regulatory remit, the onus is on the regulated entity to have in place reasonable steps to protect that personal information from unauthorised access. The question then becomes: what are the reasonable steps in these circumstances? That is circumstantial. It does depend on the nature of the information that the entity holds, the volume of the information, its sensitivity and so on. My inquiries would go to not only what ICT steps are in place but also whether those personnel matters that I raised are also in place to ensure that personal information is protected overall.

Senator KIM CARR: I guess the point I'm coming to here is: how far in your investigations have you got with regard to the leak of this matter referred to as the Overseas Key Individuals Database, which was contained in the Financial Review's coverage of this matter on 14 September?

Ms Falk : I don't have before me any further information on that matter other than that which I've already provided to the committee, I'm sorry.

Senator KIM CARR: I see. Have you sought further advice from the Department of Home Affairs, ASD or ASIO with regard to the role in protecting Australians that Australia's data privacy and security framework has with regard to this matter?

Ms Falk : I think I'd need to take that one on notice and come back with an accurate response for you.

Senator KIM CARR: I presume, though, when you've had a proper assessment of the material that's in the public arena, you'll take your own steps to actually ascertain its veracity. Can you advise the committee, when determining whether to take enforcement action, does your office consider the potential for Privacy Act breaches to enable espionage or foreign interference?

Ms Falk : We consider the harm that might be occasioned. The seriousness of the matter is one of the factors that we would consider if further regulatory action is warranted.

Senator CHANDLER: I just have one very quick supplementary question on Senator Carr's line of questioning. We heard that the office has been funded for $27.1 million in the financial year 2019-20. What was the funding provided to the office in the financial year 2013-14, the last year of the Labor government?

Ms Falk : I don't have that figure before me at present, I'm sorry. I could take that on notice.

Senator CHANDLER: That would be very much appreciated. Thank you.

Senator PATRICK: I do wonder about the last question, noting that the Abbott government tried to shut down the entire office in 2014. Thankfully the Senate stopped that. In relation to the Facebook matter, is that a criminal matter or a civil matter?

Ms Falk : It's a civil matter.

Senator PATRICK: Where does the funding for that litigation come from?

Ms Falk : It comes from the appropriation that is provided to my office.

Senator PATRICK: I am going to look at the Secretary now and say Facebook and Google possibly have bigger banks than the Commonwealth government and a strategy that seems to get played out in places like Europe is that these matters get appealed, there are interlocutories and just grinding down. If I look at the OAIC's budget, I suspect there might be a strategy at play here to just run this down. Is there any way in which the department could assist the office if indeed that sort of scenario played out?

Mr Moraitis : I think that's a fair enough observation of litigation tactics. Insofar as Angelene Falk has pointed out, the process in the Federal Court seems to follow that game, as it were. There has been a decision by a senior judge of the Federal Court to say that jurisdiction does apply and there are also issues about where it is domiciled and whether it is Facebook Ireland. This has been a global issue. That has now been appealed as of six weeks ago and this is the beginning of a process.

In that context, we will certainly work very closely with the office to ensure that they have the resources they need to pursue this. I don't know how long it will go, but you are right to observe the global tactics therefore we would expect something to be drawn out, as it were. As Angelene Falk has pointed out, funding has been provided—$27 million over the next two years. She is comfortable with that and that supports litigation matters. Going into the future, depending how long this process continues, we will continue to engage very closely with the office because this is a matter of some significance to us.

Senator PATRICK: Minister, may I suggest that your level be alive to that possibility, particularly in the circumstances where we know there are more FOIs, for example, and no additional funding, which I will now come to. I just ask the minister to at least be aware of that.

Commissioner, in an answer to a question on notice given in February 2019—I don't expect you to necessarily have it there—you estimated that the number of IC reviews in 2019-20 would be 1,322. What did you end up having?

Ms Falk : The number of IC reviews that we had last financial year was 1,066.

Senator PATRICK: There was a prediction this financial year of the number rising to 1,703. On the basis of what you have just told me, have you modified those predictions?

Ms Falk : Yes. The projections that we envisaged at the time have not quite come to fruition. Nonetheless, as I said, we continue to have year-on-year increases. At the end of quarter 1, so at the end of September this year, we had on hand 1,124 IC reviews.

Senator PATRICK: Okay, but that includes obviously ones from previous years. I direct you to a question at estimates, AE19-11 on resourcing levels, and ask that you might update that on notice. You provided some forward estimates on the number of IC reviews you thought you might be undertaking.

Ms Falk : Yes, I'm familiar with the matter. It was based on the modelling that I think we have discussed previously. I will take that on notice.

Senator PATRICK: Thank you. At the last estimates you told me that the number of IC reviews that you have had on hand that are more than a year old was 443. For those that were more than two years old, it was 59. Can you provide an update on those two numbers.

Ms Falk : At the end of the first quarter of this financial year, we had 479 matters that were over 12 months old and, of those, 161 were more than 24 months.

Senator PATRICK: This is blowing out, isn't it? I say that in the context, particularly, for two years, that it has more than doubled and almost trebled.

Ms Falk : It's an area of concern. Last financial year we focused on resolving some of the older matters and, as I said, we improved our finalisation rate by 26 per cent. But, notwithstanding that, with the volume of matters that we are handling we're unable, unfortunately, to fully keep on top of our 12-month benchmark of 80 per cent matters resolved within that time frame.

Senator PATRICK: I might just direct this to the minister. Minister, we've got a situation where the Auditor-General's funding has been curbed such that his number of performance audits have gone from 48 down to 32, we've got no ICAC and we've got the FOI build-up, with some people requesting information lasting for well over two years. Clearly, people would be right in the perception that you're simply not interested in oversight and not interested in an open democracy where people can participate and understand what's going on. Do you have any comments about that?

Senator Cash: I'm going to disagree with the final part of that—it was a statement by you. It's not something that I agree with. In relation to the funding issue, my understanding is—and I'm happy for the secretary to provide further evidence—that since we came into office, funding to the commission has actually increased by more than 75 per cent. But I'm also of the understanding that the Attorney-General and the commissioner are engaged in ongoing discussions with respect to the commission's funding positions and needs.

Senator PATRICK: I might make the suggestion that if you don't shift the full-cycle dockings to Western Australia there's a billion dollars you can spread around a whole range of different things. I see the minister nodding there in agreement.

Senator Cash: Please, Hansard should not reflect that! I was acknowledging the comment by Senator Patrick.

Senator PATRICK: Can I now go, Commissioner, to an understanding of those longer-term FOIs. Are they matters related to personal requests—that is, people seeking information about themselves—or are they about more complex access to information about government departments and what they're doing?

Ms Falk : There'll be a range—I might refer to them as a mix of matters. I don't have before me a full analysis of what you've just outlined vis-a-vis personal information versus access to what we call other information—non-personal information. But what I can say is that those matters that have been on hand for longer are often more complex matters which raise multiple exemption applications and complex issues of fact and law.

One of the things that is unfortunate is that the longer matters are with the office, then sometimes parties can become more entrenched. What we're seeking to do is to try to front-load our process, to focus on our early resolution whilst matters are fresh in the door, and to ensure that we are working with parties accordingly. I'm accompanied today by Ms Hampton, the deputy commissioner, who's also on the call. She's been working with the team around a series of pilot projects that we're about to kick off for this financial year which pertain specifically to the matter that you raised.

Senator PATRICK: I might just congratulate you. As you know, I am a user of your review services. The processes you've implemented just recently, on some of the IC reviews that I've been involved in, are very, very helpful. I just make that point. Could you tell me—maybe on notice, or maybe you have a feel for it now—how many of those are delayed? I am interested in the ones of more than a year and more than two years. Could you provide information on notice as to how many of those applications are from journalists and/or politicians? I'm not after names; I would like information by category of the nature or the characteristic of the applicant.

Ms Falk : I'm just pausing to think about my secrecy provisions and the extent to which that would be acceptable. I think if you're after de-identified information, just around category of applicant, I can take that on notice and provide it to you.

Senator PATRICK: Yes—aggregates of journalists and aggregates of politicians.

Ms Falk : I'll take it on notice.

Senator PATRICK: Thank you. The other thing, noting there's been some controversy about the national cabinet and some frustration in the community, is: how many applications have you got on foot at the moment, or have had, that involve requests for documents from the national cabinet?

Ms Falk : There have been, in total, six matters.

Senator PATRICK: Sorry, can you repeat that?

Ms Falk : Six.

Senator PATRICK: Thank you. My final question goes to COVIDSafe. My understanding is that the Inspector-General of Intelligence and Security is providing you with a report on the COVIDSafe app. Have you received that report? Are you aware of it?

Ms Falk : I am aware. I've had engagement with the former IGIS, the Hon. Margaret Stone, in relation to this matter, and we've entered into an arrangement in relation to it. The IGIS will provide me with a report, and it will be an unclassified report and one that I would intend to include in my six-monthly report, which is required under the amended provisions to the Privacy Act, in relation to the COVIDSafe app.

Senator PATRICK: Your office would be equipped to handle national security issues under sections 33 and 34 of the FOI Act. Is there any reason why you're not being granted access to her—I think it is now 'his'—full report? Or is the report being generated by the IGIS simply unclassified?

Ms Falk : You make a point of distinction and I'm not sure that I know that there is such a distinction to be made. I did refer to it as an unclassified report, but I'm not aware that any other report will be developed as a result.

Senator PATRICK: I will ask the IGIS that. Thank you very much.

Senator BROCKMAN: Ms Falk, I want an update, insofar as you can provide one, and I understand you cannot speak about ongoing investigations. On 6 April last year, Aussie Farms became a prescribed organisation under the Privacy Act, and on, I think, 19 November you notified of an investigation. Am I correct in saying that investigation is ongoing?

Ms Falk : Yes, it is. It's nearing finalisation.

Senator BROCKMAN: Okay, that's good to know. I take it the change of name would not have impacted your investigation of that particular organisation and its website.

Ms Falk : As that's an active matter, I'd prefer not to speak around the specifics of it, if I may.

Senator BROCKMAN: I will put it as a hypothetical. If you're investigating the 'People's Front of Judea', and they wind up, and the 'Popular Front', with similar people doing similar things arises in their place—and I'll show my age and note that that's a Monty Python reference, for anyone who's interested!—

Senator PATRICK: You're a very naughty boy, Senator Brockman!

Senator BROCKMAN: then do you have the power, I guess, to look through that break in organisational structure? I guess it would be comparable to phoenixing for private companies—companies that wind up and reform immediately with similar people doing similar things. Is the legal framework around your investigations able to cope with that kind of activity?

Ms Falk : Senator, this is an issue that you've raised—the law that generally applies in relation to transfers of business and change in corporate entities and the number of factors that have to be looked at as to whether or not the new entity continues to have liability for the previous one. I think that they're complex issues that no doubt could be considered in the upcoming privacy review.

Senator BROCKMAN: Okay. In previous investigations—completed investigations—have you encountered this kind of issue?

Ms Falk : It's not an issue that I recall generally encountering.

Senator BROCKMAN: Okay, then. Can you just take on notice whether you do have any prior experience. If the answer's no, that's fine; you don't need to get back to me or the committee. But, if you do have prior experience of that kind of phoenixing behaviour, could you outline how you dealt with it in those circumstances. That would be very helpful.

Ms Falk : Thank you.

Senator BROCKMAN: That's all from me, Chair.

CHAIR: Thank you, Senator Brockman. It is much appreciated. I will go to Senator Carr now.

Senator KIM CARR: No, I'm finished.

CHAIR: Okay. Senator Waters wanted to ask some questions.

Senator PATRICK: I'll ask a question in the interim if that's okay.

CHAIR: Okay.

Senator PATRICK: Thank you. Commissioner, last year you indicated you were going to conduct a review of FOI relating to the Department of Home Affairs. Can you please provide an update on what the status of that review is.

Ms Falk : Yes, I opened an investigation on my own initiative into compliance by the Department of Home Affairs with the statutory processing time frames under the FOI Act for applications for non-personal information. That investigation is ongoing. I think I indicated on the last occasion that I had hoped to have it concluded by the end of the financial year, but I had a caveat to that, on the basis that it would depend upon the nature of the information that I was provided with and the work that was required in accordance with that. The investigation is nearing completion, and we are intending to have it finalised with a report by the end of this calendar year.

Senator PATRICK: Any hints on what it might say?

Ms Falk : Sorry, Senator. Not at this stage. The report will analyse the reasons for the noncompliance with the statutory time frames for the processing of non-personal information on a number of occasions by the department—and that's information publicly available through my annual report—and seek to make recommendations to assist the department to address that issue.

Senator PATRICK: Thank you very much.

CHAIR: Senator Waters, you have the call.

Senator WATERS: Thank you very much, Chair. Hi there. Thanks for joining us today remotely. Speaking of your annual report, it mentioned a few interesting things. The number of FOI requests made to Australian government agencies in 2019-20 is the largest number of FOI requests received since 2005, yet the percentage of requests refused has increased to 15 per cent. There was a significant increase in the number of FOI requests decided more than 90 days past the statutory deadline. The PMO was the office with the highest rate of decisions subject to Information Commissioner reviews. Of those 50 reviewed, more than 50 per cent overturned or varied the original decision, and that goal of 80 per cent of reviews being completed within 12 months was not met. Could you please confirm what percentage of review applications made to the Information Commissioner in 2019-20 were finalised?

Ms Falk : The percentage of review applications made to the Office of the Australian Information Commissioner that were finalised?

Senator WATERS: Yes, in 2019-20.

Ms Falk : In 2019-20, we finalised 829 Information Commissioner reviews.

Senator WATERS: What was the percentage of outstanding matters?

Ms Falk : It was around 80 per cent of all matters.

Senator WATERS: It was around 80 per cent. What was the average time taken to finalise a matter?

Ms Falk : It was 8.1 months.

Senator WATERS: Despite the rise in FOI requests and review requests and the failure to meet the 80 per cent target, the budget papers, as we've discussed already today, show a decline in appropriations over the forwards—in fact, a significant drop. What does that funding drop mean for your capacity?

Ms Falk : The funding in relevance to FOI has remained fairly stable in recent years. The additional funding that I was referring to is in relation to the privacy function. There's not been additional funding given in relation to the FOI functions in the most recent budget.

Senator WATERS: Yes. I was speaking about the drop from 2020-22 onwards. What will that reduction do for your capacity?

Ms Falk : It will have an impact on the office's capacity across both functions of the office.

Senator WATERS: It looks to me like it's a 50 per cent funding drop; correct me if I'm wrong. Does that mean it will have a significant impact on your functions, on your capacity?

Ms Falk : It has a significant impact on the functions of the agency. Accordingly, I will be in discussions with government well ahead of that time with efforts to ensure that the increased funding that was received in recent years is continued, and, as I foreshadowed, there's a review of the Privacy Act, which is imminent. I think this is an opportunity for us to be looking at the kind of regulator that's required in the digital age and across both functions of the office.

Senator WATERS: The portfolio budget papers state that a major focus for the office in 2020-21 will be promoting the proactive release of government held information. Have you done any calculations on the savings to government that could be made through increasing proactive release? I'm just noting that $63.9 million was spent by agencies in processing FOI requests. So that's the context in which I ask the question. What sort of quantum of potential savings could there be?

Ms Falk : Yes. We are starting to do some work in relation to this. The first aspect of that, as I mentioned, is that many agencies already have administrative access processes that are well developed; they provide information to individuals without the need for an FOI request. At present, that information is not captured by my office, and that's because my statutory remit to require information from agencies pertains to their FOI applications and not those that are made outside. But we have been talking to some of the bigger agencies, who are obviously the largest data holders, to understand that a little more. Our own internal thinking around this is such that we consider that savings can be made.

We saw a couple of years ago that the Department of Home Affairs introduced an online visa system which had a considerable impact on the number of FOI requests that they received. It decreased them by a few thousand. As part of the Open Government Partnership, of which Australia is a member—and we sit on that committee—we're currently looking at a commitment under the third national action plan for government to consider, which would go to the heart of this issue. It would be a commitment for all government agencies to look at their data holdings and, with input from civil society, determine what information is of most value to the citizenry and how it can be made more proactively available.

Senator WATERS: Have you had any sense of whether the government will accept your recommendation to propose that commitment?

Ms Falk : To be clear, it's a recommendation that would come from the national Open Government Partnership committee, and those commitments for the third national action plan are developed through that process of consultation, which includes representatives of government and civil society. There's been consultation that's occurring. For International Access to Information Day, on 28 September, I participated in a webinar with commissioners from around the country and civil society to get input in relation to the commitments. But it's still being developed. It will be refined and then put to government.

Senator WATERS: Thank you. There was a 10 per cent increase in reliance on exemptions to FOI between 2015-16 and 2018-19. This year's annual report says there's little change, so that's effectively a 10 per cent increase in exemptions over the last five years. Does the office have any plans to review the use of exemptions across agencies, perhaps with a view to more uniform application and consistency with the transparency objectives of the act?

Ms Falk : The way we approach that is twofold. The first is our educative remit with government agencies. As part of International Access to Information Day, we released a new toolkit for FOI practitioners, and we seek to ensure that they have the right information to understand the application of the act and to make decisions. The second is that, in terms of the IC review, decisions that I make are publicly available, which goes to the way in which the exemptions need to be applied in particular circumstances.

Senator WATERS: Would you mind providing me, on notice, with a little more detail on the second aspect of that process, please? I note we've got limited time here. I have just a couple more questions. Data reported to the office shows that fees notified for FOI requests are often substantial, but there are also often significant discrepancies between estimated fees and actual fees charged, particularly by different agencies. Since your review of the charges in 2011-12, have all of the recommendations been fully implemented? If not, which ones remain outstanding?

Ms Falk : I'd need to go back and refresh my memory on the charges review. I can provide that answer to you on notice.

Senator WATERS: Thank you very much. Lastly, noting that the information held or transmitted on phones can be classified, under your guidelines, as a document, has the office provided any further guidance to agencies on appropriate processes for filing or accessing texts or WhatsApp messages? If so, what is that process?

Ms Falk : The issue has been raised in some Information Commissioner review decisions, which are publicly available—and I can provide that to the committee if that would assist—and it's also in the guidelines that my office issues, which are issued pursuant to a provision of the act and to which agencies need to have regard when they're making their decisions.

Senator WATERS: Alright. Thank you. I'll await those with great interest. I appreciate your time.

CHAIR: Thank you, Senator Waters. That is the end of the questions that we have for the Office of the Australian Information Commissioner, so we will say thank you and let you go on your way.