Information law and policy: the reform agenda

John McMillan, Australian Information Commissioner: Keynote address to the Australian Government Solicitor National Information Law Conference 2011, Canberra, 23 March 2011 (updated June 2011)

Government and information

Control of information is one of the great powers of government.

Used wisely, government information supports sound policy that stimulates economic growth, alleviates inequality and disadvantage, and points to emerging environmental challenges. Managed effectively, information provides government with a reliable record of its communication with the public and transactions with other governments, and builds an enduring record of a nation’s history. Shared freely, government information can educate the public, facilitate informed public participation in government, and stimulate business and social innovation.

The converse is also true. When mishandled, government information can cause great damage to government clients who are misidentified, who become lost in the system, or who are wrongly suspected of acting in a way that invites government coercion. If guarded too vigorously, information can harbour secret and unaccountable government, and breed mistrust and cynicism in the community. If managed ineffectively, information can shield corruption and abuse of power and allow them to flourish.

The power of information is well understood. A traditional and resilient chord in political and legal theory is that transparency and democracy go hand in hand, just as secrecy and dictatorship are intertwined. We have long had laws that control government information practices, requiring government to collect information of various kinds and to preserve or destroy information. Other laws penalise unauthorised or inappropriate disclosure.

That legislative framework has been strengthened in the last three decades by new laws that guarantee public access to government information, control how personal information is handled by government agencies, regulate archival preservation of government records, and police government collection of information using electronic surveillance and interception. Standards and protocols have been developed that provide guidance on information management and embody information policy settings. We have also adopted international treaties that take up those themes.

Only in recent years, however, has government made a concerted attempt to bring those information initiatives together. This has been done at both a policy level and a legislative level. At the policy level, the Australian Government has commissioned numerous inquiries and reports that have examined information policy. Among the better known reports was the Gov 2.0 Taskforce report in 2009.[1] Common themes in recent reports are the need for greater coordination in government information management, more strategic use of government information through publication of public sector information, and greater reliance by government on Web 2.0 tools to facilitate community engagement.

At the legislative level, a new independent agency – the Office of the Australian Information Commissioner (‘OAIC’) – has been established,[2] with a broad responsibility covering freedom of information, privacy and information policy. This has been accompanied by reform of the Freedom of Information Act 1982 (Cth) (‘FOI Act’) and a government commitment to reform the Privacy Act 1988 (Cth).

Freedom of information developments

When enacted in 1982, the FOI Act was a small but vital part of a revolution in government. The backdrop to the Act was a century long tradition of government secrecy, anchored in the unreviewable discretionary power of government to decide what information to release. The FOI Act fundamentally changed that tradition, with a new set of principles: all members of the public enjoy an equal right of access to government documents; this right is a legal right that can be enforced in an independent tribunal; and the onus is upon government to justify non-disclosure by reference to settled exemption criteria.

The Act changed government by engineering the disclosure of far more information, including the routine disclosure of personal and case files to members of the public. Even so, a series of reports from the Australian Law Reform Commission, the Administrative Review Council, the Commonwealth Ombudsman and the non-government Right to Know Coalition pointed to serious problems that undermined the effectiveness of FOI laws. Problems exposed included the high cost of obtaining information, delay in being granted access, impediments to the exercise of appeal rights, uneven commitment to openness across government, and lack of leadership in promoting open government.

Those problems have been squarely addressed in the legislative reforms that commenced in 2010.

Improved FOI request process

It is now far easier for a person to make an FOI request. A request can be made by email; there is no application fee; the charge for decision making time has been reduced; agencies face greater pressure to handle requests within 30 days, or to discuss an extension with the applicant or the OAIC; agencies are required to spell out how public interest factors are balanced in denying access; and applicants can choose whether to seek internal review of an access denial or proceed directly to external review by the OAIC.

The early evidence is that more FOI requests are being made and far more is being disclosed. Most agencies have informally reported an increase in requests – quantified, in the instance of the Australian Taxation Office, as a 67% increase in requests since 1 November 2010 compared to the same period last year. FOI stories are appearing more commonly in the media, usually on a daily basis. Recent stories in national daily newspapers concern documents obtained under FOI relating to small business debt levels, secondary school student performance, parliamentary allowances, projected mining tax revenue, traffic infringement notices, international student subsidies, regional population movements, indigenous debt, Australian War Memorial funding, Reserve Bank fit-out costs, Paul Hogan’s tax fights, Tony Abbott interviews, and – a perennial favourite – the Governor-General’s flower bill. Many of those stories, as the descriptions indicate, reflect a different style of FOI media reporting. The stories are less about ‘what government tried to hide’, and more about ‘this is government’s response to a particular problem’.

New Office of the Australian Information Commissioner

The second key reform is the creation of the OAIC, headed by three Commissioners with statutory independence. The OAIC has a broad range of functions and powers that include complaint handling, merit review of access denials, publication of guidelines, monitoring, training and advice, legislative reviews, and promotion of open government.

This creation of a new agency to oversight FOI has made a difference. The number of inquiries, complaints and review applications to the OAIC is already at a higher rate than would have been received in the same period by the Ombudsman or the Administrative Appeals Tribunal. By May 2011 the OAIC had received 71 complaints, 140 review applications and 917 extension of time notifications and applications. The FOI guidelines published by the office run to over 160 pages; fact sheets have been prepared for the public on most aspects of FOI; discussion papers have been published on information policy, the information publication scheme and the disclosure log; and a guideline has been published for agencies on website design.[3]

The new website guideline recommended that all agencies adopt a common template for placing information on their website about FOI rights, the Information Publication Scheme (‘IPS’), the disclosure log, and privacy protection. The importance of FOI in Australian government will be substantially enhanced if members of the public visiting agency websites can see on the homepage an FOI icon that links to standard FOI advice that is comprehensive, reliable and uniformly presented. To promote uniformity across government, the OAIC has designed an IPS icon and a Disclosure Log icon for agency adoption.

A great strength of the new oversight model is that it enables flexibility in how we go about the task of enhancing open government. This is a marked departure from the traditional FOI oversight model that relied principally upon tribunal adjudication of access disputes to decide what must be disclosed and what can be withheld. Decisions of the Administrative Appeals Tribunal have played a significant role in developing FOI jurisprudence and advancing open government, yet what is ultimately more important is that government agencies are philosophically or culturally disposed to greater openness.

The OAIC has addressed that challenge by the three Commissioners offering to address the leadership group of the large departments and agencies on the open government reform agenda. Most departments, I am pleased to say, took up that offer. It was probably the first time in the history of most agencies that a statutory officer had been invited to a senior executive meeting to convey the message that a change towards greater disclosure is both inevitable and irresistible.

Proactive disclosure and publication

The third key reform is to FOI architecture. The traditional reactive or pull model that rests on FOI requests to ensure information disclosure is being supplemented by a proactive or push model of publication and disclosure by government agencies.

A key element is the IPS, which commenced on 1 May 2011. It requires publication by agencies of a greater volume and range of government information. The interim guidance that was circulated to agencies late in 2010 explained that more detail and structure will be required than agencies were accustomed to publishing under existing FOI publication requirements. One significant legislative change is the new IPS category of ‘operational information’, which replaces the awkwardly worded requirement in the existing FOI Act to publish the guideline documents used by agency officers in administering legislation or schemes that confer rights, benefits, penalties or detriment on the public.

The IPS requirements have prompted many agencies to undertake considerable work reviewing their document holdings to decide what should be published. Agencies report that they have identified tens of thousands of pages – one agency estimate is of 100,000 pages – that will be published under the IPS.

As noted earlier, the IPS guidance from the OAIC promotes the need for a common structure across agency websites. This assists members of the public to know what is available and how to find it. It is a ‘whole of government’ approach that directly benefits the public, rather than focussing on the needs of government. A key failure in past FOI practice was inconsistency in the approach taken by agencies in dealing with public access requests.

Another proactive publication feature is the Disclosure Log. This will be a public register of information that an agency has released under the FOI Act. The Disclosure Log gives substance, thirty years on, to a foundation FOI principle that disclosure to one person is disclosure to the world at large. All members of the public have the same presumptive right of access to government documents. The OAIC published a disclosure log discussion paper, to ensure that this will be a robust mechanism that keeps FOI at the forefront of government practice and community engagement with government.

A third proactive publication featured in the FOI Act is a radical declaration in the new objects clause (Section 3), that government information is a national resource that must be managed for public purposes. We rely heavily on this declaration in our discussions with agencies and highlight the marked departure from previous thinking. Until now, agencies often regarded information they held as being created for a singular operational purpose – such as advising the government, providing guidance to their own staff, or in joint planning with another agency or government. That may explain the original collection of the information, but it now has an additional quality in the hands of government, that it is a national resource that must be used for public purposes.

Inherent in that statement is a presumption of openness. Government information, as a national resource, has been placed on the same legislative footing as beaches, forests and public parks. The public can expect to have unhindered access unless there is a convincing justification for a barrier to be erected.

The new objects clause has added force when combined with the IPS. The Act encourages agencies to go beyond the minimum IPS disclosure rules and to publish other information held by the agency. The new objects clause requires them to ask the question, ‘why not?’ Why is information that is published on the intranet not also published on the web so that it is publicly accessible? Why are internal reports that evaluate the agency’s performance not shared with the public? Why are internal data sets that support agency research not a public resource?

Open government in the future

The changes to the Australian FOI Act are significant. Not only have the rules changed, but strong enforcement mechanisms have been added to make those rule changes effective. It is now relatively easy for a member of the public to bring a document disclosure dispute to a head and to get a binding ruling from the OAIC. Agencies must explain to the applicant or the OAIC their inability to meet the 30-day processing time limit. The office has a constant oversight and monitoring role of agency administration.

We can expect the reformed FOI Act to change government practice in Australia. Already there are signs of changed thinking and changed practices. The publication, albeit in a redacted form, of the Red Books of agency advice to the incoming government is an example.

Each instance of disclosure of that kind sends a message within government that it can function with a higher level of disclosure than has been past practice. Each instance of disclosure makes it harder for an agency, on the next occasion, to justify non-disclosure if the only concern is that agency business cannot be conducted in the same manner as previously. In particular, each instance of disclosure makes it progressively harder to maintain that frankness and candour in government deliberations will be impaired by disclosure.

Already we know, as we reflect on government trends over the past thirty years, that policy formulation and decision making are now more open and that public administration has adjusted to this change. The recent FOI Act reforms will accelerate that transformation of government. This will not occur without tension, nor will practice across government be consistent or linear.

The concern is regularly put to me by senior agency officers – and put persuasively – that increased disclosure will make it harder internally to debate tough policy choices. Briefing papers will either not be written or will be censored and understate the gravity of an issue. The minutes of meetings will be written with an eye to disclosure that robs them of value as an historical record. The business community will be reluctant to share views with government that could become publicly known, and communication between the public service and the political branch of government will not be as uncomplicated and trusting as it should be.

We will work through those issues in the years ahead, and from one FOI case to another. There is no doubt that increased disclosure can cause complexity and discomfort for government. Equally, there is no doubt that the business of government is changing in the direction of greater openness and that the change is unstoppable.

Privacy

A second area of responsibility in the OAIC is privacy protection, under the Privacy Act and related legislation. This is a well-established area of government oversight, supervised for over twenty years by an independent Office of the Privacy Commissioner that has been merged into the OAIC.

Privacy protection is a vibrant area of activity, spanning the private as well as the public sector. In the last year the Privacy Commissioner and OAIC received over 20,000 privacy inquiries and nearly 1,200 written complaints. It conducted 70 own motion investigations, and received 60 data breach notifications. The office publishes extensive guidelines and fact sheets, and is a frequent commentator on privacy issues in the media.

The proper management of personal information in compliance with privacy laws is nowadays a central concern of management in both the public and private sectors. The implementation or adoption of government programs can depend on whether agencies can reassure the community that privacy guarantees will be met. Many proposals, the most notorious being the Australia Card, have founded on this shoal. Senior corporate managers are also well aware of the sensitivity of privacy issues and the damage that can be caused to business reputation when a privacy breach is publicised.

Why privacy protection is important

One reason for the growing importance of privacy issues is the considerable and expanding volume of sensitive personal information that is held in government and business databases. Agencies hold extensive information about people’s financial and taxation affairs, family and medical history, employment record, and transactions with agencies.

Another reason is that individuals take privacy protection seriously. They regard their privacy as a human right that should be properly respected. People are concerned with how much is recorded about them in the files of government and industry; with the inconvenience and damage that can result if that information is incorrect, out-of-date or incomplete; and with the danger that personal information will be misused within an agency, wrongly disclosed, merged inappropriately with other personal information, or revived at a time when it would be better buried or destroyed.

A third reason why privacy protection and personal information management are of growing importance is that privacy breaches can be damaging to the individual, costly to government and industry, and they can arise from simple programming and clerical mistakes.

Recent highly publicised privacy breaches that the OAIC has investigated illustrate these points. One was a Telstra mail-out in which 220,000 letters containing personal information about customers were sent to the wrong address. More than 23,000 of those letters concerned customers with silent numbers.

A second was a privacy lapse by Vodafone, which did not have effective security measures to protect the personal information it held on 4 million customers. Staff at Vodafone outlets could access the personal database using shared logins and passwords, thus making it difficult to audit or control improper access to the database.

A third example was the collection by Google Street View cameras, in Australia and overseas, of unsecured Wi-Fi payload data from personal wireless networks. A fine of 100,000 euros was imposed on Google by a French privacy regulator, even though the collection of information by Google was not intentional, the personal information was destroyed, and there was a fulsome Google apology. Far higher penalties, as high as $4.3 million in one case, have been imposed elsewhere for corporate privacy breaches.

Legislative reform of privacy protection

The importance of effective privacy protection is reflected in the large number of legislative reform proposals that are currently under consideration in Australia. Some of these stem from the three volume report of the Australian Law Reform Commission in 2008, containing 295 recommendations for reform.[4]

The first Bill to emerge from that process is an exposure draft Bill that is currently before the Australian Parliament.[5] The Bill will create a new set of Australian Privacy Principles (‘APPs’), to replace the Information Privacy Principles that apply to government agencies and the National Privacy Principles that apply to the business sector. The adoption of a universal set of 13 privacy principles will sharpen privacy protection in Australia, while making it simpler for government contractors to comply with legal obligations.

Looking ahead, the Australian Government has announced its intention to strengthen the powers exercisable by the OAIC and Commissioners.[6] The Privacy Commissioner will be empowered to make enforceable determinations in an own motion inquiry, to seek (through a court) a civil penalty for serious or repeated privacy offences, and to accept and enforce undertakings given by government agencies and private entities. The prospect of civil penalties for privacy breaches will provide an added incentive for organisations to take their privacy responsibilities seriously.

Other reform proposals being discussed between the OAIC and government point to the information privacy dimension that is part of a diverse range of government programs. Matters under discussion include reform of credit reporting, airport body scanning, consolidated e-health records and individual healthcare identifiers, cross-border data flows, and service delivery integration in Centrelink and Medicare.

Information policy

The third area of responsibility in the OAIC is the newer area of information policy. The scope of this responsibility is not settled, except that, broadly, the role of the office is to advise government on any aspect of information policy and practice. The OAIC is taking steps to engage with other agencies, and to highlight issues that should be addressed in government information policy. Though this role is emerging and open-ended, we find that it is generating as much interest within and outside government as our more recognised responsibilities in FOI and privacy.

The emerging issues are defined in numerous reports that have recently been commissioned by government into all aspects of information policy. This activity acknowledges that every decision and every activity of government uses information. It is a valuable and powerful resource. Government success will depend on how effectively information is collected, stored, managed, used and disclosed.

We mapped the themes in a discussion paper published last year, Towards an Australian Government Information Policy. Four themes stood out:

• There is a need for a coordinated approach to government information management. Many agencies have a role in this space; these include my own office, the Australian Government Information Management Office, the Australian National Archives, the Australian Bureau of Statistics, the Defence Signals Directorate, and the Departments of Broadband and Communications, the Prime Minister and Cabinet and Attorney-Generals. There is a larger number of policies and standards on information policy and management. What is lacking is a clear and settled framework for integrating and harmonising that work.
• Agencies need guidance and assistance to implement new information policy requirements. For example, agencies need guidance in preparing for the IPS and on the matter of disclosure logs. As well, agencies must develop a sound governance structure that ensures effective internal leadership on information policy and management, and is broader than the more traditional focus on information technology.
• Australia has much to learn from other countries. Though Australia is firmly committed to open government and to Web 2.0 innovation, we lag behind our international peers in web publication of government data, and in providing online access to government information and services.
• Australian Government agencies must publish a greater amount of public sector information on terms that allow re-use by the community. To that end, the OAIC Issues Paper proposed ten draft principles on open public sector information. After a public consultation process, in which there was strong endorsement of the principles by many of the government agencies and members of the public who participated, the principles were revised and launched in May 2011 as the Principles on Open Public Sector Information.

There are many innovative projects underway within government that illustrate those themes:

• The revamped data.gov site has recently been launched. It provides access to more than 200 data sets of government economic, taxation, environmental and social data, covering topics such as crime patterns, BBQ locations, water consumption, regional funding, taxation statistics, employment patterns and Australian wetlands.
• The new My School 2.0 website attracted 186,000 visitors in the first 24 hours. The aggregation on a single site of all information held by government on school performance and funding has stimulated a broad community debate that is certain to change educational delivery in Australia.
• Other innovative data publication projects described in the OAIC Issues Paper include the National Statistical Service, the Australian Early Development Index, the Australian Spatial Data Directory, the Environmental Resources and Information Network, the Australian Social Science Data Archive, the Mapping our ANZACs project, and the National Toilet Map.

Integration

The OAIC integration model

The conferral of those three responsibilities upon the OAIC – FOI, privacy and information policy – was itself an innovation. There was no precedent in Australia for a single oversight agency having so many roles and functions in relation to government information.

The first issue we faced was whether to develop privacy and FOI along separate paths, as they had grown until then. This is the approach adopted in some other countries where FOI and privacy were merged in the same office.

Instead, from the outset we adopted an integrated model. The three Commissioners take joint responsibility for managing all office functions; many staff work across all three areas; there is a single telephone, email, web address, and protocol for agency contact; and the OAIC logo and tag line convey a message of integration.

The office can be more effective and develop a higher profile if its resources can be targeted at issues of greatest need or immediate demand. We would not, for example, have been able to complete some existing publications and projects without that staffing flexibility.

The integrated approach underscores the importance within government of treating information policy and practice as a core function that requires senior leadership within agencies. The need for a coordinated approach across government to information management will only be addressed if we join all the information dots.

In practice there is a high degree of overlap between FOI, privacy and information policy issues. Most FOI requests seek documents that contain personal information of one kind or another. Personal information will only be properly protected within agencies if information systems are expertly developed and managed. The new FOI theme of proactive publication is also a central theme in many of the recent reports on information policy. The IPS will not work within agencies unless managed by a multi-disciplinary team that hosts legal skills, technical understanding, data capability, public relations experience, and policy and research expertise.

Technology – shaping issues

Another compelling reason for adopting an integrated approach is that the same pressure – technology – is shaping many of the issues and driving the need for change within government. The FOI, privacy and information policy issues that are thrown up by technological developments and innovation are extensive and challenging. They include:

• Technology has increased the volume of information held by government. More information is collected, assembled, downloaded and stored. More information is available to be requested, to be considered for IPS publication, and to be secured against inappropriate dealings or disclosure.
• Information is recorded in many different forms. Hard copy filing systems are now joined by other data repositories, such as mainframe computers, backup files, desktop and portable computer hard-drives, USB pins, smartphones, central government sites such as govdex and data.gov, on social networking sites such as Facebook, and in the form of metadata, email exchanges and twitter messages. A host of new access and security questions arise that were not issues when FOI and privacy laws were conceived in the age of hard copy documentation.
• Those and other developments place pressure on agencies to move to electronic records management. Agencies will not be able to comply with their FOI obligations unless they can quickly locate, retrieve and publish information from an electronic data base. Privacy laws throw up other issues. How, for instance, do you destroy personal information that has been digitised, or how do you restrict the circulation of personal information that has reached an online environment?
• Information is stored differently in an electronic age. Many agencies are moving to cloud computing, where their information is housed by a contractor, including a contractor outside the jurisdiction. Special controls must be put in place to ensure that FOI and privacy rights are not foregone in that process.
• Technology enables government to use information differently. The MySchool website is an example. It will soon be joined by MySuper, and at State level we have MyTrain, MyBus and MyFerry. The logical span, some suggest, is for government to cover the full spectrum from MyBirth to MyFuneral! Even the use of ‘My’ as a prefix to describe a government database paints a different picture of the purpose and operation of the database.
• Technology creates new threats to information security. A disclosure of Wikileaks proportion is possible only because one person can download large of volumes of information and transfer it to others before being detected. Privacy breaches that arise through technological oversight tend to be more serious and affect thousands or millions of people simultaneously.
• Communication between government and the community now occurs in a different fashion. Most communication now occurs online, whether through email, online lodgement such as e-Tax, or through discussion blogs.
• There is greater use of social media by government agencies. Over 260 agencies and councils, for example, have a Twitter account. Most political leaders have embraced both Twitter and Facebook.
• Community and business expectations of government are transformed by technology. Businesses expect a right of free access to, and the right to re-use, information obtained from a government website. The community expects a quicker and fuller response when they engage an agency online.
• There can also be contradictory expectations of government that stem from technology. People expect greater privacy protection from government but also increased transparency in government. There are equal calls for more and for less government regulation of communication through the internet.

The technological pressures on government are changing not only the way that government uses information, but are causing a subtle change to government itself. Our traditional model of government is one of central planning. The experts control the levers. They decide what information to collect, how to use that information, and what to disclose. Control of information enables experts to craft the justification for the policies which, in their view, are socially required.

Technology is changing that. The web is by nature an open forum, and it creates an open market in information and ideas. The principles that underpin the web are the antithesis of a central planning model.[7] Those principles include universality – web users or participants can enter the web from any location, link to any site, and participate equally with other web users. A second principle is decentralisation – no approval is needed or government licence required to access material, post material or communicate with others. A third principle is open standards – the tools needed to participate on the web are available free of charge and can be applied by anyone.

The community has already embraced the idea of the open market in information. People are more likely to consult Wikipedia, the community encyclopaedia, than Britannica, the expertly authored text. People are as likely to obtain medical advice by googling their symptoms as by consulting a medical specialist.

There are clear implications for government. People expect government to use web technology in innovative ways to share information, consult the community and conduct conversations. Better policy will arise from that process.

Conclusion

We are undergoing the most active phase of open government and information policy reform in Australia in over twenty years. There is strong government commitment to this reform and there is agency leadership in bringing it about. That in itself differentiates the present from earlier reform waves. Technology imposes an irresistible pressure for change that was not there in the past. We also have a better oversight framework in place to ensure that the reform is lasting.

It will not all be plain sailing. Information laws make life more difficult and challenging for the executive branch and for political leaders. There has been backsliding in the past and there may be again. But any counter-tensions will, I expect, have limited impact. The forces that are driving the open government and information policy reform process are now numerous, stronger and more compelling.