Shafran; Secretary, Department of Veterans Affairs and [2024] AATA 115 (5 February 2024)

Division: FREEDOM OF INFORMATION DIVISION

File Number: 2022/0433

Re: Secretary, Department of Veterans Affairs

APPLICANT

And Shafran

RESPONDENT

DECISION

Tribunal: Senior Member C. J. Furnell

Date: 5 February 2024

Place: Melbourne

The Information Commissioner’s decision of 8 December 2021 is set aside and, in substitution, it is decided that the applicant’s access refusal decision of 8 June 2018 is affirmed.

..................[SGD].................

Senior Member C. J. Furnell

Catchwords

FREEDOM OF INFORMATION – information sought in relation to an audit log identifying staff and contractors of the Applicant – partial access granted – family names and login details withheld as exempt matter – decision set aside by information commissioner – conditional exemptions – public interest – whether audit log conditionally exempt under s47E or s47F – whether disclosure contrary to the public interest – decision under review set aside and substituted

Legislation
Freedom of Information Act 1982 (Cth)
Privacy Act 1988 (Cth)
Work Health and Safety Act 2011 (Cth)

Cases

Attorney‐General’s Department v Cockcroft (1986) 64 ALR 97


Australian Conservation Foundation Incorporated v Secretary, Department of Climate Change, Energy, the Environment and Water [2023] FCA 1005


Birdseye v Tax Practitioner’s Board [2020] FCA 1235


British Steel Corporation v Granada Television Ltd [1981] AC 1096


Colakovski v Australian Telecommunications Corporation [1991] 23 ALD 1


Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375


Drake v Minister for Immigration and Ethnic Affairs (1979) 2 ALD 60

Maher and Attorney-General’s Department (1985) 7 ALD 731


News Corporation Ltd v National Companies and Securities Commission (1984) 1 FCR 64


Ocampo Alvarez and Australian Criminal Intelligence Commission (Freedom of information) [2023] AATA 3257


Price and Attorney General’s Department (Freedom of information) [2016] AATA 1044


Re Chandra and Minister for Immigration and Ethnic Affairs [1984] AATA 437


Re Timothy Robin Thies and Department of Aviation [1986] AATA 141
Shi v Migration Agents Registration Authority (2008) 235 CLR 286
TYGJ and Freedom of Information Division [2017] AATA 1560
Walker Group Holdings Pty Ltd and Secretary, Department of Climate Change, Energy, the Environment and Water (Freedom of information) [2023] AATA 3920


Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557

Secondary Materials

Australian Government Office of the Australian Information Commissioner, FOI Guidelines: Guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act 1982 (November 2023)

REASONS FOR DECISION

Senior Member C. J. Furnell

5 February 2024

1.  These reasons relate to an application for review of a decision made on 8 December 2021 by the Information Commissioner (the “Commissioner”) under the Freedom of Information Act 1982 (Cth) (the “Act”).

2.  The Commissioner decided to set aside an access refusal decision of the applicant with respect to a particular document and, in substitution, decided to grant the respondent access to the document.

3.  The document in question is an audit log identifying staff and contractors of the applicant that had access to a particular file note.[1] The log is said by the applicant to record “…the date and time of access to the file note, the nature of the access… the name of the user accessing the document... user login details used to sign into the Department’s IT systems.”[2]

[1] T2, 12, the document was described in the decision the subject of review as that identified as document 2 in the applicant’s decision of 8 May 2018. There the document was described as “Document detailing names and dates of access to document 1 –File Note Dated 9 March 2017.”, see T4, 29.

[2] A SFIC, [16].

4.  The file note (access to which was recorded by the audit log) is a record of a conversation between a staff member of the applicant and the respondent regarding a complaint the respondent had made. It is not submitted that those staff and contractors of the applicant who accessed the file note did so for any purpose other than one related to their work for the applicant.[3]

[3] Indeed, RSM asserts that those accessing the file note did so on a “need to know” basis, see RSMA [21].

5.  The applicant submits that the audit log contains exempt matter (a concept discussed later), being the family names and log in details[4] of those who accessed the file note.

[4] References to log in details in these reasons are references to the username used to sign into the Department’s computer systems, see RSMA [13].

6.  For the reasons which follow, I have accepted that submission.

7.  Hence, the decision the subject of review is set aside and substituted by a decision affirming the decision which the Commissioner had set aside.

Procedural background



8.  On 8 April 2018, the respondent requested that the applicant provide access to certain documents. In part 4 of the request, he sought access to details of every officer that accessed a particular file note, “showing name and dates.”[5]

[5] T3, 20.

9.  On 8 May 2018, the applicant advised the respondent that it had identified five documents falling within the scope of the request. In response to part 4 of the request, the identified document was the audit log described earlier. Partial access to that document was granted, with the family names and login details of the relevant departmental staff and contractors being withheld. That information was considered to constitute exempt matter.

10.  On 9 May 2018, the respondent sought internal review of the applicant’s decision.[6]

[6] T5, 35.

11.  On 8 June 2018, the decision on internal review was made, affirming the 8 May 2018 decision.[7]

[7] T6.

12.  On 9 June 2018, the respondent sought review of that internal review decision by the Commissioner.

13. On 8 December 2021, the Commissioner decided to set aside that internal review decision. The Commissioner found that, contrary to the applicant’s submissions, the relevant family names and log in details were not exempt matter under ss 47E(c), 47E(d) or 47F of the Act.

14.  On 6 January 2022, the applicant applied to the Tribunal for review of the Commissioner’s decision.

Legislative context



15.  The Tribunal has jurisdiction to review the Commissioner’s decision as it is a decision “under section 55K on an IC review”.[8]

[8] Act, s 57A.

16. Under s 55K of the Act, the Commissioner may decide to set aside an “IC reviewable decision” and make a substitute decision. That is what the Commissioner did in the 8 December 2021 decision. The decision which the Commissioner decided to set aside (the applicant’s decision of 8 June 2018) was an “IC reviewable decision”.[9]  It was a decision by an agency (the applicant) on internal review of an access refusal decision.[10]

[9] Act, s 54K.

[10] Act, s 54L(2). An access refusal decision includes a decision refusing to give access to a document in accordance with a request, see Act s53A.

17. Under the Act, as a general rule, access to a document must be given if a request for access to it is made to an agency.[11] This is not the case, however, if the relevant document is an exempt document.[12]

[11] Act, s 11A(3).

[12] Act, s 11A(4).

18.  A document may simply be exempt[13] or may be exempt because it is conditionally exempt[14] and access to it would, on balance, be contrary to the public interest.[15]

[13] Act, Part IV, Division 2.

[14] Act, Part IV, Division 3.

[15] Act, s 31B.

19. Matter which causes a document to be exempt is exempt matter for the purposes of the Act. Where practicable to do so, access must be given to an otherwise exempt document edited by the deletion of exempt matter.[16] In this regard, the Tribunal understands that the respondent has been given access to the audit log, edited to redact family names and user log in details.[17]

[16] Act, s 31A.

[17] A SFIC, [17].

20. In exercising its jurisdiction in this proceeding, the Tribunal is required to have regard to any guidelines published by the Commissioner for the purposes of the Act.[18] In November 2023 the Commissioner published an updated version of such guidelines, entitled “FOI Guidelines – Guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act 1982.”

[18] Act, s 93A(2).

21.  While talk of an onus of proof or evidentiary onus is generally inapt in the context of Tribunal proceedings,[19] this is not so where (as here) the decision under review by the Tribunal is one made under the Act. When such a decision is the subject of review an onus is borne by the person seeking to resist disclosure. Hence, in this proceeding, the applicant has the onus of establishing that the decision under review is not justified or that the Tribunal should give a decision adverse to the respondent (as the person who requested the relevant documentary access).[20]

[19] Birdseye v Tax Practitioner’s Board [2020] FCA 1235 at [23].

[20] Act, s 61.

Questions in issue



22.  In seeking to satisfy that onus, the applicant submits that the family names and log in details specified in the audit log render it a conditionally exempt document and that access to those names and those log in details would, on balance, be contrary to the public interest.

23.  As stated earlier, if that is so, those names and log in details are exempt matter. The audit log would not be a document to which access is required to be given other than in the edited form already provided.[21]

[21] Act, s 11A(5).

24.  Hence, in this proceeding, the questions in issue are whether the audit log is rendered conditionally exempt because of the inclusion in it of the relevant family names and log in details and, if so, whether access to those names or details would, on balance, be contrary to the public interest.

25.  As an aside, when addressing those questions in these reasons, depending on the context, references to the applicant include a reference to the Department of Veterans’ Affairs.

Material before Tribunal

26.  The Tribunal is obliged to make “the correct or preferable decision” on the material before it.[22]

[22] See Drake v Minister for Immigration and Ethnic Affairs (1979) 2 ALD 60 at 68 (Bowen CJ and Deane J); Shi v Migration Agents Registration Authority (2008) 235 CLR 286 at [96]–[98] (Hayne and Heydon JJ).

27.  The material before the Tribunal included evidence adduced at the hearing of this proceeding and certain documentary material lodged with the Tribunal prior to the hearing.

28.  As for evidence adduced at the hearing, the Tribunal heard from an officer of the applicant, Rodger Simon McNally (“RSM”), and from the respondent.

29.  As for documentary material lodged with the Tribunal, it comprised:

a. An 85 page bundle of documents lodged with the Tribunal under s 37 of the Tribunal’s constituent legislation (the “T” documents).

b. A redacted copy of an affidavit of RSM affirmed on 24 January 2023 (“RSMA”).

c. An unredacted, confidential copy of the RSM affidavit.

d. Corrections to the RSMA outlined in a table enclosed with a letter from the applicant’s solicitors of 28 November 2023.

e. Further, albeit clearer, copies of three exhibits to the RSMA (being RM14, 25 and 34), enclosed with that solicitors’ letter.

f. An unredacted copy of the document in issue in these proceedings, being the audit log described earlier.

g. A redacted copy of the file note to which the audit log relates.

30.  Each party lodged submissions about the documentary material that had been lodged with the Tribunal.[23] 

[23] Respondent’s statement of facts and contentions dated 22 May 2023 (“R SFIC”) and applicant’s statement of facts issues and contentions of 24 January 2023 (“A SFIC”). The applicant also lodged, on 17 November 2023, a list of authorities. 

31.  As will become apparent, I have attributed significant probative value to opinions expressed by RSM, both in his oral evidence and in his affidavit. While the respondent contended that RSM was not an information technology (IT) expert, I consider that opinions he expressed related to matters in issue with respect to which he has specialised knowledge, garnered by way of both education and experience.[24] As at the date of the RSMA, RSM was Assistant Secretary of the Integrity, Information and Security Branch within the Department of Veterans’ Affairs, the Chief Information Security Officer for the Department and was responsible for the management of security (both cyber and protective security), fraud, integrity and information/records management within the Department.[25] While an officer engaged by the applicant, RSM endeavoured and, I find, largely succeeded in giving his opinions impartially.

[24] Prior to the hearing of this proceeding RSM has spent around four years acting in the role of assistant secretary to the branch of the Department of Veterans’ Affairs whose functions were directed to ensuring, amongst other things, the confidentiality of the Department’s information and the protection of Department staff, as well as the provision of cyber security. In that role he was personally responsible for the management of both cyber security and protective security. Prior to undertaking that role, for around 11 years, he was responsible for or managed security related matters for the Department, albeit in different roles. Amongst other qualifications, RSM holds an Advanced Diploma Government (Investigations) and an Advanced Diploma Government (Security). In his oral evidence RSM stated that he had been working in areas involving cyber security for around 22 years.  

[25] RSMA, [4].

Conditionally exempt - General



32. According to the applicant, the family names and login details specified in the audit log render it conditionally exempt under each of ss 47E(c), 47E(d) and 47F of the Act.

33. Under s 47E(c) a document is conditionally exempt if its disclosure under the Act would, or could reasonably be expected to, have a substantial adverse effect on the management or assessment of personnel by the Commonwealth or by an agency.

34. Under s 47E(d) a document is conditionally exempt if its disclosure under the Act would, or could reasonably be expected to, have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.

35.  As is apparent from their terms, the words “would or could reasonably be expected to” are employed in both ss 47E(c) and 47E(d), as are the words “substantial adverse effect”.

36.  The former words “…convey something more than an outcome…that ‘could’ be expected….”[26] It is not enough that the decision-maker considers that there is a possibility that the relevant disclosure would result in the requisite outcome.[27] The words “…require a judgment to be made by the decision-maker as to whether it is reasonable, as distinct from something that is irrational, absurd or ridiculous, to expect…It is preferable to confine the inquiry to whether the expectation claimed was reasonably based.”[28] The decision-maker ought to have “…real and substantial grounds for thinking that the production of the document could …[have the requisite outcome]. But, stringent though that test may be, it does not go so far as to require the decision-maker to be satisfied upon a balance of probabilities that the production of the document will in fact…” have that outcome.[29]

[26] Australian Conservation Foundation Incorporated v Secretary, Department of Climate Change, Energy, the Environment and Water [2023] FCA 1005 at [65].

[27] Ibid at [72]-[73]. See also Maher and Attorney-General’s Department (1985) 7 ALD 731 at 742.

[28] Attorney‐General’s Department v Cockcroft (1986) 64 ALR 97 at 106; Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [62].

[29] Ibid, at 112.

37.  In the FOI Guidelines it is noted that “…the word ‘could’ in this qualification is less stringent than ‘would,’ and requires analysis of the reasonable expectation rather than certainty of an event, effect or damage occurring. It may be a reasonable expectation that an effect has occurred, is presently occurring, or could occur in the future.”[30]

[30] FOI Guidelines, [5.17]; Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [67].

38.  As for the “substantial adverse effect” words, they are said in the FOI Guidelines to encompass an adverse effect which is sufficiently serious or significant to cause concern to a properly informed reasonable person.[31] It must arise from disclosure of the relevant document[32] and particulars of it need to be identified.[33]

[31] Re Timothy Robin Thies and Department of Aviation [1986] AATA 141 at [24]; FOI Guidelines [5.20], where, apparently in error (given the express reliance on Re Thies), reference is made to a properly “concerned” person.

[32] FOI Guidelines, [6.116].

[33] FOI Guidelines, [6.103].

39. Under s 47F a document is conditionally exempt if its disclosure under the Act would involve the unreasonable disclosure of personal information about any person.

40.  In determining whether such unreasonable disclosure would be involved, regard is required to be had to:

a. the extent to which the relevant information is well known;

b. whether the person to whom the information relates is known to be (or to have been) associated with the matters dealt with in the document;

c. the availability of the information from publicly accessible sources;

d. any other matters considered relevant.[34]

[34] Act, s 47F(2).

41.  Unlike the provisions of s 47E just discussed, the word “could” is not used in s 47F. Rather, the word “would” is used “…to express an outcome that, as a matter of probability, ‘involve[s] the unreasonable disclosure of personal information’ ie that entails or has as its necessary corollary unreasonable disclosure of personal information.”[35]

[35] Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [44].

42.  Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.[36]  It includes a person’s name.[37]  

[36] Act, s 4(1) provides that personal information has the same meaning as in the Privacy Act 1988 (Cth). There, the concept is defined in s 6(1).

[37] Price and Attorney General’s Department (Freedom of information) [2016] AATA 1044 at [39]. Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [36]. Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [113]. FOI Guidelines, [6.130], “Personal information can include a person’s name…”.

43.  In the FOI Guidelines, it is stated that where “…public servants’ personal information is included in a document because of their usual duties or responsibilities, it would not be unreasonable to disclose unless special circumstances existed.”[38] In a context where the FOI Guidelines are just that, guidelines to which the Tribunal must have regard but which do not bind the Tribunal,[39] I note and adopt the views expressed by Deputy President Forgie in Warren doubting the validity of that statement.[40] Rather, as the Deputy President said, each exemption must be applied and analysed according to its terms.[41] This is consistent with a more recent endorsement of the proposition that an exemption “…should be interpreted according to the words used, bearing in mind the stated object of the Act.”[42]

[38] FOI Guidelines, [6.153], it is noted that this statement is accompanied by a statement that such “…information may often also be publicly available, such as on an agency website”. This is not the case here in relation to the family names. 

[39] Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [87].

[40] Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [88]-[95]. See also Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [110] where the presiding Tribunal member stated that instead “…of applying a test based on special circumstances, I will determine the question of unreasonableness by having regard to the matters in s 47F(2)…”.

[41] Ibid at [96].

[42] Australian Conservation Foundation Incorporated v Secretary, Department of Climate Change, Energy, the Environment and Water [2023] FCA 1005 at [64] citing News Corporation Ltd v National Companies and Securities Commission (1984) 1 FCR 64 at 66.

44.  As for the disclosure of the names of public servants, I note that in the FOI Guidelines there is said to be no starting premise that “…the classification level of a departmental officer determines whether his or her name would be unreasonable to disclose..”[43]  

[43] FOI Guidelines [6.154].

45.  In assessing whether disclosure of personal information would be unreasonable, consideration ought to be given not only to the particular circumstances but also to the public interest in the disclosure of information and the public interest in the protection of personal privacy.[44] Hence, other matters of relevance in determining whether disclosure of personal information would be unreasonable include “that the person concerned would not wish to have the information disclosed without consent, and whether the disclosure would cause stress on a third-party and no public purpose would be achieved.”[45]

[44] FOI Guidelines [6.139] citing Re Chandra and Minister for Immigration and Ethnic Affairs [1984] AATA 437 at [51]-[52].

[45] Ocampo Alvarez and Australian Criminal Intelligence Commission (Freedom of information) [2023] AATA 3257 at [46].

46.  While a person’s right of access to a document is not affected by the person’s reasons for seeking access,[46] disclosure may be unreasonable if it has “…no demonstrable relevance to the affairs of government and was likely to do no more than excite or satisfy the curiosity of people about the person whose personal affairs were disclosed.”[47]

[46] Act, s11(2).

[47] FOI Guidelines [6.144]; Colakovski v Australian Telecommunications Corporation [1991] 23 ALD 1 at 11; Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [48].

Public interest - General

47.  As noted earlier, even if the audit log is rendered conditionally exempt because of the inclusion in it of the relevant family names or log in details, those names and details will not be exempt material unless access to those names or details would, on balance, be contrary to the public interest.

48. As to the public interest test provided for in the Act, I gratefully adopt what Deputy President Pascoe recently said in Walker Group[48] as follows:

[48] Walker Group Holdings Pty Ltd and Secretary, Department of Climate Change, Energy, the Environment and Water (Freedom of information) [2023] AATA 3920.

40. The public interest test is set out in section 11B of the FOI Act and states as follows (our emphasis added):

Scope

This section applies for the purposes of working out whether access to a conditionally exempt document would, on balance, be contrary to the public interest under subsection 11A(5).

This section does not limit subsection 11A(5).

Factors favouring access

Factors favouring access to the document in the public interest include whether access to the document would do any of the following:

(a)  promote the objects of this Act (including all the matters set out in sections 3 and 3A);

(b)  inform debate on a matter of public importance;

(c)   promote effective oversight of public expenditure;

(d)  allow a person to access his or her own personal information.

Irrelevant factors

The following factors must not be taken into account in deciding whether access to the document would, on balance, be contrary to the public interest:

(a)  access to the document could result in embarrassment to the Commonwealth Government, or cause a loss of confidence in the Commonwealth Government;

(b)  access to the document could result in any person misinterpreting or misunderstanding the document;

(c)   the author of the document was (or is) of high seniority in the agency to which the request for access to the document was made;

(d)  access to the document could result in confusion or unnecessary debate.

Guidelines

In working out whether access to the document would, on balance, be contrary to the public interest, an agency or Minister must have regard to any guidelines issued by the Information Commissioner for the purposes of this subsection under section 93A

41. The FOI Guidelines provide the following in respect of the public interest test:

The Public interest test

6.4 There is a single public interest to apply to each of the conditional exemptions. This public interest test is defined to include certain factors that must be taken into account where relevant, and some factors which must not be taken into account.

6.6 It is not necessary for a matter to be in the interest of the public as a whole. It may be sufficient that the matter is in the interest of a section of the public bounded by geography or another characteristic that depends on the particular situation. A matter of public interest or benefit to an individual or small group of people may also be a matter of general public interest.

6.5 The public interest test is considered to be:

·     something that is of serious concern or benefit to the public, not merely of individual interest

·     not something of interest to the public, but in the public interest

·     not a static concept, where it lies in a particular matter will often depend on a balancing of interests

·     necessarily broad and non-specific, and

·     related to matters of common concern or relevance to all members of the public, or a substantial section of the public.

49. As just indicated, the Act specifically identifies factors favouring access and factors irrelevant to a consideration of the public interest. In the FOI Guidelines, further factors are identified that may favour access[49] or may weigh against access.

[49] FOI Guidelines, [6.19].

50.  As for factors that may weigh against access, they are said[50] to include a circumstance where disclosure could reasonably be expected to:

a. prejudice the protection of an individual’s right to privacy;

b. harm the interests of an individual or group of individuals; or

c. prejudice the management function of an agency.

[50] FOI Guidelines, [6.22].

Family names

Conditionally exempt?

51. I find that the audit log is conditionally exempt under s 47F of the Act because of the inclusion in it of the relevant family names. The disclosure of those names in the context of granting access to the audit log would constitute the unreasonable disclosure of personal information about the relevant staff and contractors.

52. In terms of the matters to which regard is required to be had in considering s 47F, I note that the family name of a relevant staff member or contractor might be considered to be well known and available from publicly accessible sources. That name would not, however, be generally known by the public,[51] clients of the applicant or by those lodging claims with the applicant to be (or to have been) associated with matters dealt with in the audit log. Nor would the association between that name and those matters be available from publicly accessible sources.

[51] RSMA [142], where it is said that the persons concerned “do not have any public profile in connection with the specifics of this work of the Department”. See also RSMA [145].

53.  Non-disclosure of the relevant family names is clearly consistent with the general public interest in the protection of personal privacy.[52] Set against this, it is difficult to identify any particular public interest supportive of disclosure of those names.[53] The respondent says he wants that access to “hold the staff members to account in the event they wish to seek review of administrative decisions made by the Department.”[54] It is unclear what interests would be served by this holding to account of staff, what it would entail and how it would be achieved. As was the case in Warren,[55] disclosure of the relevant family names would give no insight into the role or responsibility that the relevant staff members and contractors played in the formulation of (and, indeed, execution of) policy.

[52] FOI Guidelines, [6.22].

[53] Even taking into account the broader public interest factors favouring disclosure outlined in [6.19] of the FOI Guidelines.

[54] T2, 15; T7, 51.

[55] Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [135].

54. Moreover, it is not submitted, and there is nothing before me which suggests, that disclosure of the relevant family names in the circumstances would serve to promote achievement of the Act’s objectives, in particular the objective of increasing either “public participation in Government processes” or “scrutiny, discussion, comment and review of the Government’s activities”.[56] Instead, disclosure of the family names in the circumstances would appear to have “no demonstrable relevance to the affairs of government” and, hence, be unreasonable, being likely to do no more than satisfy the curiosity of the respondent.

[56] Act, s3(2). This is so even if, as stated in the FOI Guidelines at [6.18], it is a rare case in which disclosure would not promote the Act’s objectives.

55.  A characterisation of disclosure of the family names in the circumstances as unreasonable is reinforced when regard is had to the risk of the relevant staff and contractors being subjected to abusive and aggressive conduct should their family names be disclosed.

56.  According to the applicant, granting access to the staff family names “…exposes staff to inappropriate conduct from members of the public or clients which cannot be fully managed or mitigated once their family names are disclosed.” [57]

[57] A SFIC [5.2], [86].

57.  The applicant makes decisions concerning the eligibility for and quantum of a range of supports administered by it. It has a large number of clients[58] and responds to a large number of claims for support.[59] 

[58] 341,639 as at September 2022, see RSMA [38].

[59] In the financial year it received 63,853 new compensation claims, see RSMA [39]

58.  Some of the applicant’s clients and some claimants will inevitably be dissatisfied with its decisions. Some of that dissatisfaction is expressed:

“…through:

(a) abusive, offensive or harassing words or conduct

(b) threatening words or conduct.”[60]

[60] RSMA, [111].

59.  RSM gave evidence about the extent of abuse of, and aggression directed towards, the applicant’s staff. He states, and I accept, that:

a. The applicant “deals with security incidents concerning inappropriate words or conduct focussed on Departmental staff nearly every day.”[61]

b. In the four-year period ending 1 September 2022, 1624 security incidents occurred in relation to the applicant, including 455 abusive or aggressive incidents, with 281 incidents involving emergency services such as the police.[62]

[61] RSMA, [118].

[62] RSMA, [121].

60.  RSM provided a number of examples of incidents where a staff member of the applicant was the focus of a security incident.[63]

[63] RSMA, [128]-[130].

61.  The respondent sought to downplay these security incidents suggesting that veterans had valid complaints about the conduct of the applicant and that veterans’ complaints had been validated in the context of the Royal Commission into Defence and Veteran Suicide, so much so that the applicant had apologised to those who had made such complaints. Moreover, according to the respondent, the “issue of an angry voice, a Facebook post and sites being set up by veterans to provide a voice or obtain assistance does not constitute a threat.”[64]

[64] R SFIC, [11].

62.  The applicant did not seek to deny that veterans had valid complaints. Nor, however, did the respondent deny that applicant staff and contractors were regularly the subject of abusive and aggressive conduct and that the provision of family names would increase the risk of staff and contractors being exposed to such conduct. Indeed, on behalf of the respondent, it was acknowledged that there is dissatisfaction with the applicant in the veteran’s community, that staff of the applicant are subject to vicious abuse by certain of its clients and that “many of the effected veterans have psychiatric issues,”[65] which, I infer, was intended to constitute an acknowledgement that some veterans were, on occasion, inclined to act irrationally in dealings with the applicant.

[65] Ibid.

63.  As explained by RSM in his evidence, the capacity to harass a person is significantly enhanced once in possession of the person’s family name. Being in possession of a family name enables or at least facilitates the accessing of information about, for example, the relevant person’s social media profiles, the person’s work and education and the person’s family.[66]

[66] RSMA [144].

64.  According to RSM:

a.“… protecting the family names of our staff is the best and most effective protective measure the Department can do for its staff at the outset;”[67] and

b.“publicly identifying the Department's staff materially increases the risk that…they will be subject to harassment, threats or other inappropriate conduct,”[68] a risk that is “certainly real and… consistent with what has occurred when the family names of other Departmental staff have become publicly released in the context of their work in connection with particular client matters.”[69]

[67] RSMA [141].

[68] RSMA [146], [151].

[69] RSMA [147].

65.  Consistent with there being a risk to staff resulting from the disclosure of their family names to clients is the fact that the applicant has “…sought to manage this issue primarily through the non-disclosure of the family of non SES staff in direct connection with the client facing work they do”,[70] entailing the adoption of “…a number of practices to reduce the likelihood that staff members' identities are revealed”, such as the use of “generic email addresses when communicating with external stakeholders.”[71]

[70] RSMA [152].

[71] RSMA [154].

66.  Given this and given that the family names of applicant staff and contractors need not be known in order to lodge complaints about their conduct,[72] as in Warren, it would be “… contrary to the public interest to expose individuals in that environment to public criticism and attack of the sort directed against the …[applicant] when disclosure of the documents will give no insight into the role or responsibility that …[the relevant staff and contractors] had in the formulation of…[policy] as opposed to simply implementing the decisions of others.”[73]

[72] RSMA [110].

[73] Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [135].

67.  In a context where staff and contractors of the applicant regularly suffer from abusive and aggressive conduct of clients and those lodging claims with the applicant, some of whom might well act irrationally and many of whom will have had military training,[74] weighing in favour of a conclusion that disclosure of the relevant family names would be unreasonable in the circumstances is that such disclosure:

[74] RSMA [150].

a.Is unlikely to be something wished for by any of the relevant staff or contractors.[75]

b.Could reasonably be expected to impact negatively on the capacity of the applicant to fulfil a duty it owes to the relevant staff and contractors, being its duty to ensure, so far as is reasonably practicable, both the health and safety of workers[76] it engages[77]  and the provision and maintenance of a work environment without risks to health and safety. [78]

[75] Noting that opposition to disclosure likely to be held by a person is a matter that has been considered of potential relevance, see Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [111].

[76] Staff and contractors of the applicant are “workers” of the applicant, see Work Health and Safety Act 2011, s 7(1).

[77] Ibid, s 19(1).

[78] Ibid, s 19(3).

68.  I do not find that the respondent would indulge in such conduct were the relevant family names to be disclosed to him despite some arguably inappropriate expressions of dissatisfaction with applicant staff on his behalf in the past.[79] Nevertheless, once disclosed, there is nothing to prevent the wide-spread dissemination or use of those names. In a context where certain members of the public are, as RSM opined,[80] hostile to the applicant,[81] this would inevitably exacerbate the risk of the relevant staff and contractors being subjected to problematic conduct. RSM considers that risk one which is “reasonably expected to occur”.[82]

[79] RSMA [132(a),(b)]. For example, the respondent accepted that in relation to a previous dealing with the applicant’s staff, he had said words to the effect that “someone should swing for this” albeit that a relatively contemporaneous file note suggests that he stated that he “would make someone swing for this”.

[80] RSMA [127]-[130].

[81] See, for example, TYGJ and Freedom of Information Division [2017] AATA 1560 at [178]-[180].

[82] RSMA [147].

69.  Clearly, no alleviation of that risk is inherent in the respondent’s apparent objective that there be an ability to hold the relevant personnel “to account,” presumably to an extent more than they already are as officers or contractors of the applicant.[83] What holding a worker to account would potentially entail is entirely unclear.

[83] At T7, 51 the respondent states that “[f]undamentally… I believe DVA should have an administrative process in place that provides for the veteran a capacity to identify who wrote, viewed or has contact with a claimant or their documents in order that they can be held to account for it”.

70. Where, as here, no particular public interest in the disclosure of the relevant family names has been identified, any exacerbation of the risk of exposing relevant applicant staff and contractors to problematic conduct likely to be caused by the disclosure weighs in favour of a conclusion that the disclosure would be unreasonable in the circumstances. This is so whether or not the risk is exacerbated to an extent such that it would be sufficiently serious or significant to cause concern to a properly concerned reasonable person so as to amount to a substantial adverse effect for the purposes of provisions such as ss 47E(c) and 47E(d).

71.  It is reasonable to expect that the interests of the relevant staff and contractors would be harmed by disclosure of the relevant family names given that it would exacerbate the risk of their being subjected to abusive and aggressive conduct.[84]

[84] FOI Guidelines [6.22].

72.  The fact that disclosure is made of the family names of more senior staff of the applicant (who typically do not deal with clients of the applicant on a day-to-day basis[85]) and, occasionally, of other staff (after a consideration of risks for the staff member)[86] does not mean that the applicant should be required to make the disclosures currently in issue or render reasonable an otherwise unreasonable disclosure.

[85] RSMA [113].

[86] RSMA [155(c)]. See also RSMA [149].

Public interest

73.  In the circumstances, access to the audit log involving disclosure of the relevant family names would, on balance, be contrary to the public interest.

74. It is not submitted, and the material before me does not suggest, that any of the factors specified in the Act which might be taken to favour a grant of such access in the public interest are of relevance in the circumstances. In particular, as I see it, disclosure of the relevant family names would not serve to:

a.promote the objects of the Act (including all the matters set out in sections 3 and 3A of the Act);

b.inform debate on a matter of public importance;

c.promote effective oversight of public expenditure; or

d.allow a person to access his or her own personal information.

75.  While disclosure of the relevant family names might be of interest to the public (or, at least, to a section of the public) that does not make disclosure of those names something that is in the interest of the public.[87] That disclosure is not something of “serious concern and benefit to the public.”[88]

[87] As the FOI Guidelines make clear at [6.5], the public interest test is ‘not something of interest to the public, but in the interest of the public’.

[88] Price and Attorney General’s Department (Freedom of information) [2016] AATA 1044 at [43] citing British Steel Corporation v Granada Television Ltd [1981] AC 1096, 1113. See also FOI Guidelines at [6.5].

76.  Rather than being in the public interest, disclosure of the relevant family names in the circumstances would be contrary to the public interest for the reasons just outlined in concluding that it would be unreasonable.[89] As already mentioned, it would be prejudicial to the right to privacy of the staff and contractors concerned and harmful to their interests. It would also be contrary to the public interest in a public service employer such as the applicant fulfilling duties owed under the Work Health and Safety Act 2011. As mentioned earlier, one such duty owed by the applicant is to ensure, so far as is reasonably practicable, the provision and maintenance of a work environment without risks to health and safety.[90]

[89] At [6.138] of the FOI Guidelines it is recognised that some factors considered in the context of determining whether disclosure would be unreasonable may also need to be considered again in assessing whether disclosure would on balance be contrary to the public interest. See also Cox; Secretary, Department of Agriculture, Water and the Environment and (Freedom of information) [2023] AATA 375 at [119].

[90] See Warren; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 4557 at [134] where the Tribunal accepted that there was a public interest in APS employers fulfilling their obligations under the Work Health and Safety Act 2011.

Log in details

Conditionally exempt?



77. I find that the audit log is conditionally exempt under s 47E(d) of the Act because of the inclusion in it of the relevant log in details. The disclosure of those details could reasonably be expected to have a substantial adverse effect on the proper and efficient conduct of the operations of the applicant.

78.  Prior to the hearing of this proceeding the respondent had “conceded the matter of the logins being redacted.”[91] That concession was not, however, reflected in an agreement under s 42C of the Tribunal’s constituent legislation. Given this, the hearing of this proceeding was conducted on the basis that the Tribunal was required to review that aspect of the decision the subject of review which involved rejection of the applicant’s contention that the log in details were exempt matter.

[91] R SFIC [1], [14].

79.  There are real and substantial grounds for thinking that disclosure of the log in details could have an effect on the conduct of the applicant’s operations sufficiently serious or significant to cause concern to a properly informed reasonable person. 

80.  Log in details are used to log into the applicant’s IT system[92] (noting occasional references in the material before the Tribunal to ICT systems, being information and communications technology systems[93]).

[92] A SFIC [16].

[93] RSMA [46].

81. In his affidavit, RSM opined,[94] and I accept, that:

a.“sensitive personal information about many hundreds of thousands of individuals” is stored in the applicant’s IT system;[95]

b.disclosure of the log in details specified in the audit log “…will weaken the Department's IT security by (i) disclosing publicly 1 of the 2 authentication factors required to access the Department's system through those accounts and (ii) allow reliable inferences to be drawn about how the Department constructs certain user logins”;

c.the resultant “…weakness will be exploitable, and given the current cyber threat environment exploited, by any one of a number of different entities for purposes inimical to the Commonwealth and, importantly, the veterans whose sensitive personal information is stored by the Department unless it is able to be mitigated”;

d.inherent in any exploitation of the resultant weakness in the applicant IT system security are a variety of significant risks; and

e.in terms of the ability to mitigate the risk of exploitation of the resultant weakness, the “…only effective mitigatory measure, being an extensive change in user logins would be extremely burdensome on the Department and likely have an adverse impact on the Department's ability to provide services to veterans.”

[94] RSMA [41].

[95] RSMA [74].

82.  As for the disclosure of the relevant log in details giving rise to a weakness in the applicant’s IT system, RSM opined that it “significantly increases the risk of the Department's ICT systems being compromised”, noting that user log in details constitute one factor “of a 2-factor credential system” [96] used by the applicant to grant access to its systems.[97]

[96] RSMA [89].

[97] RSMA [54].

83.  Of particular concern to RSM was that disclosure of the relevant details “…in a group, or together with the names of the users” would allow “… adversaries to draw reliable inferences about how the Department constructs its logins,”[98] especially in relation to staff who commenced working for the applicant prior to 2018.[99]

[98] RSMA [92].

[99] RSMA [93].

84.  As for the risk of any weakness in the applicant’s IT system being exploited, RSM opined, and I accept, that it is “an ongoing, real and genuine” one given “the volume of sensitive and personal information held by the Department, including, in certain instances, about vulnerable clients, and the malevolent cyber activity directed against Government systems and the Department…”.[100]

[100] RSMA [83].

85.  Indeed, while the evidence in the RSMA suggested that the threats posed to cyber security both generally[101] and in relation to the applicant[102] specifically were significant, in his oral evidence RSM stated that, since making his affidavit, the cyber threat environment had worsened.

[101] RSMA [42]-[67].

[102] RSMA [68]-[72].

86.  Hence, disclosure of the log in details would result in the applicant’s IT system being exposed to “…an unacceptably high vulnerability to cyber intrusion.”[103]

[103] RSMA [95].

87.  RSM outlined some of the risks that would be exacerbated by exploitation of the resultant vulnerability. In particular, he opined that:

(b)    If a Departmental account is accessed by an adversary through a compromised login, I consider it could be used maliciously for the following purposes by an adversary (as set out at paragraphs 61-67 above):

i.     to defraud the either Commonwealth, staff of the Department or veterans (i.e. if an adversary obtains unauthorised access to the Department's network, they may be able to change their bank account details in the Department's systems to divert payments intended for the individual into an account controlled by the adversary)

ii.    to identify members of the veteran community who hold valuable information and may be vulnerable to coercion or exploitation as a consequence of their physical or mental health conditions, financial circumstances, or a combination of those factors

iii.    to manipulate people into directly carrying out specific actions, or divulging information in response to a communication from what would internally or externally appear to be a trusted insider i.e. a DVA account holder (also known as spoofing and/or 'social engineering')

iv.    phishing: to trick a veteran into providing personal information such as online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft

v.    identity theft: cybercriminal could use DVA's systems to access personal information to steal money or gain other benefits such as by creating fake identity documents in the individual's name, or apply for real identity documents in the individual's name but with another person's photograph and

vi.    ransoming and releasing information: the sensitive information held by the Department about individuals, if obtained by cybercriminals could be held for ransom, and released publicly. This would further increase the risk the data could be accessed by other adversaries.[104]

[104] RSMA [96].

88.  Effectively managing that vulnerability using administrative measures would, according to RSM, not be possible as the “resources that would need to be dedicated to this extend well beyond those available.”[105] Instead, he opined, and I accept, that the effective management of this enhanced vulnerability would require:

[105] RSMA [94].

a.The identification of affected staff and the reassignment of their log in details.

b.For a period, restricting access to the applicant’s IT system of a substantial number of applicant staff, something which would result in “significant expense, disruption and lost productivity”[106]  and “substantially adversely affect the Department's ability to perform its role effectively and efficiently.”[107]

[106] RSMA [94].

[107] RSMA [95].

89.  While the respondent sought to discredit the security in place in relation to the applicant’s IT system, noting RSM’s evidence that “…the Department is currently working towards moving to hardening its authentication system…,”[108] he did not dispute the validity or reasonableness of any of the opinions of RSM just mentioned.

[108] RSMA [100].

Public interest

90.  In the circumstances, access to the audit log involving disclosure of the relevant log in details would, on balance, be contrary to the public interest.

91. It is not submitted, and the material before me does not suggest, that any of the factors specified in the Act which might be taken to favour a grant of such access in the public interest are of relevance in the circumstances. In particular, as I see it, disclosure of the relevant log in details would not serve to:

a.promote the objects of the Act (including all the matters set out in sections 3 and 3A of the Act);

b.inform debate on a matter of public importance;

c.promote effective oversight of public expenditure; or

d.allow a person to access his or her own personal information.

92.  Disclosure of the relevant log in details is not something that is in the interest of the public; it is not something of “serious concern and benefit to the public”. Indeed, as RSM suggested, disclosure of the log in details would not appear to be of value for any legitimate use of the details other than in connection with their intended use for security and access purposes.[109]

[109] RSMA [107], [185].

93.  Rather than being in the public interest, disclosure of the relevant log in details in the circumstances would be contrary to the public interest given the substantial adverse effect of that disclosure on the proper and efficient conduct of the operations of the applicant, as just outlined. 

Other bases for conditional exemption

94. As stated earlier, I have concluded that the audit log is conditionally exempt under s 47F because of the inclusion in it of the relevant family names and conditionally exempt under s 47E(d) of the Act because of the inclusion in it of the relevant log in details.

95.  Given those conclusions, it has not been necessary for me to consider, and I have not considered in any detail, any other bases for concluding that the audit log is conditionally exempt because of the inclusion in it of the relevant names and details.

Decision



96.  The Commissioner’s decision of 8 December 2021 is set aside and, in substitution, it is decided that the applicant’s access refusal decision of 8 June 2018 is affirmed. 

I certify that the preceding 96 (ninety-six) paragraphs are a true copy of the reasons for the decision herein of Senior Member C. J. Furnell

..............[SGD]..............

Associate

Dated: 5 February 2024

Date of hearing: 30 November 2023
Date final submissions received: 28 November 2023
Counsel for the Applicant: Irene Sekler
Solicitors for the Applicant: Australian Government Solicitor
Advocate for the Respondent: Michael Quinn

Areas of Law

  • Administrative Law

  • Statutory Interpretation

Legal Concepts

  • Judicial Review

  • Statutory Construction

  • Procedural Fairness

  • Remedies
