When applying the law, uncertainty is the last thing you want. If your task is the application of complex rules to unique circumstances and you’re looking for as much assistance as you can to do that, you don’t want to be met with a shrug. It’s no different when it comes to Freedom of Information (FOI) – so it should be a welcome relief that when you search through the FOI Guidelines, you’ll see the word ‘uncertain’ rarely appears in the FOI Guidelines – and one instance concerns the ‘Materials-obtained-in-confidence’ exemption under the FOI Act. But the Office of the Australian Information Commissioner (OAIC) may have added a new layer to that uncertainty in the confidence exemption with recent Information Commissioner (IC) Merit Reviews – and specifically when it comes to a finding of detriment or harm.
Quick recap of the confidence exemption – information in a document is exempt if it meets five criteria, being that it’s 1) identified specifically, 2) remained private, 3) been provided in confidence, 4) confidentiality has not been waived, and 5) disclosure will cause detriment. That last criterion looks pretty clear – “unauthorised disclosure has or will cause detriment.” And that is a direct quote from the FOI Guidelines at section 5.159.
However in March, the OAIC released its fourth IC Merit Review decision of 2024 that considered the exemption’s detriment or harm limb. In those IC decisions, there was no consensus as to whether a given detriment or harm had to reach a level of severity to justify the exemption. In addition, the IC decisions also considered whether the harm needed to be definite, i.e. whether it was an actual harm or detriment or one that was merely likely. Stated another way, the OAIC seems to have introduced new layers of uncertainty in these recent IC reviews.
In its consideration of the confidential documents exemption in 2023, the OAIC didn’t appear to spell out a requirement for agencies to prove a significant detriment to engage that exemption. This differs from the approach this year – at least so far! – with the OAIC providing a ‘mixed bag’ of findings in 2024. In ‘AGQ’ and the Treasury (AGQ), the OAIC accepted that disclosure of confidential documents could “reasonably be expected to cause detriment” and the detriment would “not be of a trivial nature.”
In Ben Butler and ASIC (Butler), the review found that disclosure of confidential materials may cause a detriment “in the form of a degree of reputational harm,” but this was not “significant” harm, of a level sufficient to meet the threshold of the fifth (harm) criterion. The choice of language in these decisions is interesting – why expound on the triviality of the detriment when the criterion doesn’t contain a required harm threshold? Why differentiate between ‘harm-to-a-degree’ and ‘significant-harm’ when the FOI Guidelines’ fifth (harm) criterion doesn’t appear to do so?
The questions about choice of language do not end there. In AGQ, the OAIC was satisfied that because disclosure “could reasonably be expected to cause detriment”, the criterion was satisfied. In Butler, the OAIC was more resolute, being satisfied that disclosure “would not result in detriment” – and, therefore, the confidential-documents-exemption would not apply. The distinction here is clear – could is a possibility, would is a near certainty. What is not clear is the applicable standard. In half of the six most recent IC Merits Reviews, the OAIC did not require a finding of clear harm or detriment. In other words, half the respondents only established the likelihood or a reasonable expectation of a harm. In effect, it appears that the OAIC has elevated the severity of detriment required. At the same time, the OAIC also seems to have softened the necessity that “unauthorised disclosure has or will cause detriment.“ Again, that phrase is drawn directly from the FOI Guidelines.
A burning question is: does this impact our understanding of this exemption? The answer is – in most cases, no. The confidential-documents-exemption does not generally turn on the fifth criterion. Most agencies fail to support this exemption claim because they cannot satisfy one of the first four criteria. In other words, the OAIC hardly ever makes a finding on that fifth and final point (harm or detriment).
But it does beg the question – Are these comments about the required severity of harm or its actual occurrence simply obiter dicta or just passing observations? More pressingly for Commonwealth agencies, will the OAIC demand evidence of a substantial level of detriment before they affirm confidence exemptions in the future?
My personal take is – yes. And why? For the simple reason that it’s difficult to justify not releasing documents based on a hypothetical or remote harm. That is not to say that no hypothetical harm would meet that standard. The lower the probability of a harm occurring, Commonwealth agencies will need to make strong arguments about the severity of the (possible) detriment or harm. What does that mean for agencies – in practical terms? They will likely need to provide some clear evidence demonstrating significant harm or consequences – and if not, they may be met with a shrug from the OAIC. Why? The law really doesn’t like uncertainty.
