The privacy reforms' 'fair-and-reasonable' principle - What's that got to do with FOIs?

Fair-and-reasonable (FAR). That's the standard, the test for organisations handling personal information (PI) under the proposed privacy reforms. The FAR principle is also found in the 'Objects' section of the FOI Act at Section 3(4), outlining that FOI functions "are to be performed and exercised, as far as possible, to facilitate and promote public access to information, promptly and at the lowest reasonable cost."
20 November 2024
David Mesman - Special Counsel at Synergy Law

And yes - fair call, I was pushing the envelope with the 'FAR' reference, but Commonwealth agencies may need to re-examine their approaches to what is fair-and-reasonable and what constitutes the lowest-reasonable-cost (LRC) when managing access-to-information (ATI) or data-subject-requests (DSARs), regardless of whether they arise under the FOI or Privacy Acts.

Why? In FY23, Commonwealth FOI programs ran up a bill of $70 million, with APS and other salary costs taking the lion's share of those resources (+$65 million) for processing almost 35,000 FOIs. However, most FOI practitioners would likely admit that the $70 million price tag significantly underestimates the actual cost to their agencies. This is particularly the case when dealing with complex or vexatious applicants, who can monopolise an FOI unit's time for months or years, along with HR, legal and other business units. My own, unscientific estimates are that agencies can often double their reported FOI costs when accounting for the actual time-and-resources spent on FOIs.

And then there's the small matter of privacy reforms. Under these reforms, Commonwealth organisations will need to provide some documentation when responding to requests for PI. Agencies will need to provide details of searches, third-party consultations and the reasons for not disclosing or deleting certain PI. In other words, the privacy reforms will likely require agencies to produce FOI-like determinations.

The effect? Negating or reducing the practical benefit and resource-savings of processing PI-focused access requests under the Privacy Act. Judging from the EU's experience after the passage of the General Data Protection Regulation, where the numbers of DSARs reportedly doubled, agencies will likely get a huge uptick in PI-related requests after the privacy reforms come into force. It follows that this 'uptick' in DSARs will demand additional spending and efforts by resource-constrained agencies already struggling with their FOI workloads.

Or will it? Stated another way - are there other options that could help agencies manage access requests in a FAR manner, or even streamline FOI and privacy procedures that won't require legislative changes and additional costs? Possible, but that would require some challenging conversations around some of the following points - and hopefully more!

  • FOI charging processes - Commonwealth agencies are generally loath to charge FOI applicants for processing costs - or are barred from doing so because the requests relate to PI. Arguably, a key reason for this is simple practicalities. It is grossly inefficient for Government agencies to collect small amounts of money when they are not in the business of collecting fees. Plus, charging fees can seem mean-spirited or be viewed as a disincentive for FOI applicants to pursue a request. That's reflected in the OAIC's FY23 Agency FOI Data Summary - almost 90% of agencies collect no FOI charges. Setting aside the requests for PI, are there administrative pathways for centralising FOI fee collection processes? And can charges be levied in a way that's not a disincentive for FOI applicants? Or could those fees be channelled into an agency, like the OAIC, to offset funding deficits?
  • Quantifying time-spent - I think it's fair to say that many Commonwealth agencies do not accurately capture the time they spend on FOI matters. In part this can be traced to the charging practices, i.e. Commonwealth agencies don't charge. So, why bother tracking the time? Plus, many Commonwealth agencies use page-numbers as a key benchmark to quantify their efforts, i.e. 5 pages x 5 minutes = 25 minutes of decision-making time. The difficulty is that these tools don't allow for the increasing complexity in making FOI decisions - an issue that the December/23 Senate Report into the Operation of FOI Laws (DEC/23 FOI Report) highlighted repeatedly. Adding to the complexity is the sheer volume of documents that FOI units must search-for, organise, review and consider before drafting a meaningful FOI decision. In that context, could agencies re-examine how they quantify the actual 'time spent' on FOIs? And can these efforts help in streamlining agencies' handling of DSARs in the lead up to the enactment of the privacy reforms?
  • Setting FAR limits - the DEC/23 FOI Report also recommended establishing fixed deadlines for determining FOIs, with the goal of limiting FOI processing delays. With respect, I think that adopting fixed timelines would be untenable without first improving FOI time-estimation tools that can account for the growing complexity of FOIs and increased document volumes. Those tools and guidance could help agencies establish clear limits on what is FAR. This is particularly relevant with limited budgets and resources - and when agencies should apply the substantial or unreasonable diversion of resources (SUDR) principle (section 24 and following in the FOI Act). The SUDR principle could also assist agencies in dealing with an uptick in DSARs. Under the current Privacy Act, organisations can only refuse a DSAR request if it's 'frivolous or vexatious.' However, the reforms add a new term to the mix - 'unreasonable.' This was, arguably, by design, and to bring DSARs in line with the FOI Act's SUDR principle, while helping agencies to avoid the pitfalls, delays and complaints experienced under the FOI regime.

Again, these comments and questions are meant to be a starting point, an entrée for Commonwealth agencies to start thinking about how best to manage increasingly complex, voluminous and challenging FOIs and DSARs in the face of ever-shrinking budgets. Arguably, the lowest-reasonable-cost or LRC principle should not only be considered from the perspective of FOI and DSAR applicants, but also from that of Commonwealth agencies and the taxpayers who fund these programs. Why? It's only fair-and-reasonable.
