This article was first published in the LexisNexis Privacy Law Bulletin issue 20.10
Just for the record, the Privacy Law Bulletin article was (less whimsically) entitled "Expansion of Data-Subject-Access-Request (DSAR) Rights Under the Privacy Reforms." The article examines how lawyers and privacy practitioners may be able to rely on a concept from Freedom-of-Information (FOI) law (unreasonableness) to guide them in advising on practical strategies to manage expanded DSAR rights under Australia's privacy reforms.
The Commonwealth Government’s planned reforms to the Privacy Act 1988 (the Act, or Privacy Act) will enable Australians to exert much more control over the use and handling of their personal information (PI). This is reflected in the Government’s Response to the Privacy Act Review Report (CTH Privacy Response) and its agreement-in-principle to significantly enhanced data-subject-access-request (DSAR) rights. Modelled on the EU’s General Data Protection Regulation (GDPR), Australia’s privacy reforms will give data subjects very broad access rights under an expanded set of Australian Privacy Principles (APPs).
The new-look DSARs will include a right to confirm whether an APP entity holds PI about an individual and how an entity has handled, used and shared that PI, along with rights to have PI deleted or erased upon request. These reforms will also mandate that APP entities provide explanations about their use of PI, justify that their practices comply with the Act and outline their reasons for refusing a DSAR. One proposed refusal ground has particular relevance for APP Clients – and that is the proposal to expand APP 12.3(c), enabling them to refuse DSARs that are “frivolous, vexatious or unreasonable.”
When the privacy reforms come into force, the term “unreasonable” will likely play a critical and practical role for APP entities in their efforts to manage DSARs. Why? It is a near-certainty that APP entities will witness a significant uptick or surge in DSARs. That would mirror experiences in the UK, where organisations saw a sharp increase in DSARs after the GDPR came into force in 2018 – particularly in DSARs originating from employees.
Since the GDPR’s enactment, other sources have indicated that DSARs in the EU have increased not only in volume and complexity, but also in processing cost. It follows that APP entities will need to rely on legislative tools and administrative processes to ensure that they are not overwhelmed by the requirement to process this uptick in DSARs. This is particularly the case with complex or vexatious applicants, who tend to monopolise the time, resources and energies of legal teams, HR groups and other business units. Similar issues surround ‘internals’ who may use DSARs as an adjunct to employment or workplace disputes.
In light of the ever-growing mountains of data held by clients, how will lawyers and their APP Clients manage this almost-certain surge in DSARs? Lawyers should focus their efforts on practical strategies. Those would include tech-based solutions for efficient data management, standardised DSAR-workflow protocols, as well as ‘playbooks’ and easy-to-understand case studies. Those efforts would need to be coupled with regular training-and-awareness programs for customer-facing business units, legal-and-compliance groups and other relevant teams.
To help develop those case studies and training programs, lawyers and privacy practitioners would be well-advised to review section 24AA of the Freedom of Information Act 1982 and its related provisions. Why, do you ask? And what have FOIs got to do with privacy matters? The FOI framework enables Commonwealth agencies to refuse to process an FOI request on the basis that it is a substantial and unreasonable diversion of resources (SUDR). Arguably, the SUDR principle could be applied – with relative ease – to the privacy reforms’ new (unreasonable) refusal ground under APP 12.3(c). The more difficult question for practitioners is how to define or establish a SUDR.
Cianfrano v Director General, Premier’s Department (Cianfrano Case) is generally considered to be a leading authority in FOI SUDR determinations – and particularly those related to complex or vexatious applicants. At paragraph 62, the Cianfrano Case identified a series of factors that may give rise to a SUDR, including a finding that 40 hours of processing work would tend to be at the upper end of a reasonable request.
However, many subsequent cases have treated the 40-hour benchmark in the Cianfrano Case with caution. This is reinforced by the OAIC’s FOI Guidelines (FOI Guidelines) at 3.119, which provide a detailed summary of key SUDR cases and the principles to apply in making a finding of unreasonableness. The FOI Guidelines also highlight that: “Whether a practical refusal reason exists will be a question of fact in the individual case… Agencies should not adopt a ‘ceiling’ in relation to processing times… Rather, each case should be assessed on its own merits...”
While Commonwealth organisations cannot apply a processing-time ceiling in making a SUDR finding, these FOI cases should not be interpreted as a ban on considering processing-time as a benchmark. Rather, processing-time should be treated as a key indicator of unreasonableness in a SUDR determination. As to the specific number of processing-time hours, that would very much depend on the organisation, its structure, budget and staffing levels.
What does seem clear is that the 40-hour ‘standard’ flagged in the Cianfrano Case is insufficient. More importantly, processing-time estimates cannot be considered as the only factor in making a SUDR determination. That begs an important question – how would lawyers and privacy officers apply FOI and SUDR principles and, therefore, refuse to process a DSAR under the (new) APP 12.3(c)? In other words, what would make a DSAR “unreasonable?”
Based on the Cianfrano Case principles, this would depend on the APP entity, its structure, the volumes of PI it handles and other factors. However, APP entities could and, arguably, should use processing-time as a benchmark in determining that a given DSAR is “unreasonable.” That is a common thread that weaves its way through all of the ‘practical compliance strategies’ outlined below.
1) Certainty about processing-time estimates - To paraphrase the reasoning in the Cianfrano Case, an organisation’s estimate of processing-time should have a high level of certainty attached to it. Applied to a privacy context, APP entities should be equally certain about their processing-time estimates when contemplating refusing a DSAR as “unreasonable” under APP 12.3(c). Estimates should also be reinforced by well-established and reliable record-keeping protocols.
The CTH Privacy Response picks up on the above theme – and sets baseline expectations for APP entities when they handle PI, both from a business-process and a technical perspective. This is reflected in Proposals 12.1 and 12.2 (Fair & Reasonable PI Handling), which require entities to handle PI with due care. Proposals 12.1 and 12.2 also seek to establish an objective standard for what constitutes ‘fair-and-reasonable’ handling of PI.
In addition, Proposals 21.1, 21.2 and 21.7 (Security, Retention & Destruction) indicate that ‘reasonable steps’ in APP 11 (Security of PI) should include technical and organisational measures, along with requirements to establish maximum and minimum retention periods. It also follows that OAIC investigators would more readily accept a claim of ‘unreasonableness’ under APP 12.3(c) if an APP entity has clear methodologies for estimating DSAR processing-time. Those estimates would also need to be sense-checked against objective time-keeping standards – and be directly related to essential DSAR processing activities. APP entities might also consider publishing those methodologies on their websites, along with detailing the standards and principles upon which they might refuse a DSAR as “unreasonable.”
2) Staffing & resource availability - The OAIC FOI Guidelines and caselaw make it clear that Commonwealth agencies cannot point to their own ‘fault’ to substantiate a SUDR claim. In other words, having poor records management processes, reduced budgets or unqualified staff will not ‘fly’ with the OAIC if the organisation makes a SUDR claim. The same logic would likely apply to APP entities when refusing to process a DSAR as “unreasonable” under the (new) APP 12.3(c).
The CTH Privacy Response and its Proposals seem to echo the above reasoning. In particular, Proposals 12.1 and 12.2 call for the establishment of an objective standard for the handling of PI. Arguably, the ‘fair-and-reasonable’ standard would implicitly require APP entities to invest sufficient resources in staffing and record-handling processes. In addition, an objective standard would (most likely) require APP entities to benchmark against similar organisations, as well as against minimum industry or regulatory standards and guidelines. In a similar vein, Proposals 21.1, 21.2 and 21.7 (Security, Retention & Destruction) would require APP entities to adopt baseline technical capabilities.
With the exponential growth of data held by APP entities, the resourcing equation will surely involve the deployment of ‘smart tools’ that can simplify repeatable, mundane and error-prone tasks. A prime use-case would be search tools that can scan most, if not all, of an APP entity’s platforms. Other examples include privacy-by-design solutions, and deploying robotic-process-automation (RPA) techniques and solutions that can replicate labour-intensive, manual processes.
Another key use-case would be in lifting-and-shifting (en masse) individual files containing PI and transferring them from active to inactive platforms and ‘cold storage,’ before they are ultimately destroyed. This is particularly relevant when dealing with out-of-date and no-longer-needed PI – and developing simple solutions to manage large quantities of customer or PI-related data. Considering that the Privacy Commissioner regularly urges APP entities to conduct data inventories and delete unnecessary PI, it could be viewed as “unreasonable” for them not to deploy smart tools and business processes. It also follows that APP entities would likely struggle to make a claim that a DSAR is “unreasonable” if they have failed to invest in such ‘smart techniques.’
3) Specialist expertise & competing priorities - This factor ties back to the need for certainty in estimating DSAR processing-times. The complexity of a DSAR determines if specialists (like internal or external forensic services) are needed to locate PI in difficult-to-access archives or ICT platforms. Engaging legal or other specialists might also be necessary to assess impacts on third-party privacy, health or safety risks, or grounds to refuse a DSAR under APP 12.
APP entities should also consider developing protocols to accurately assess DSAR processing-time. That would also include APP entities weighing competing priorities and documenting their findings in a standard format (e.g. six-minute increments). The obvious benefit to this approach is that it would provide APP entities with clear evidence in the event of a complaint to the OAIC, or with reviews and appeals. It would also provide APP entities with clear benchmarks for comparing DSAR processing-times across the organisation – or against similar entities, as well as facilitating process improvements and efficiency gains.
4) Impacts on other work & the processing of other DSARs - This is a variation on the ‘specialist’ criterion, with the twist that APP entities would be obliged to identify and measure the impact that a given DSAR would have on other workstreams – or on the management of other DSARs. It would also require APP entities to consider – and record – the additional efforts and staff hours diverted from BAU activities to process a given DSAR. APP entities would need to account for resourcing beyond the legal or governance teams normally tasked with managing and processing DSARs. APP entities might also consider taking a forensic approach when accounting for these ‘surge’ efforts, including IT staff and time, and the individual business units responsible for the data set related to the DSAR, among others.
However, APP entities should (arguably) refrain from including the time taken to brief executives or to prepare stakeholder engagement and communication plans. Including such matters would likely undermine a claim that having to process a given DSAR was “unreasonable.” It would also tend to undermine the first and essential factor mentioned above, i.e. that there should be a high level of accuracy or certainty in the APP entity’s processing-time estimates. Rolling stakeholder-engagement activities into DSAR processing-time might also suggest to the OAIC or its investigators that an APP entity may be trying to inflate the estimate – and provide a quick-and-easy basis upon which to refuse ‘troublesome’ DSARs or applicants. Such efforts would almost certainly backfire on the APP entity, leading to increased scrutiny, resource demands and contrary findings.
5) Applicants limiting the scope of DSARs - It would be rare for DSAR applicants to volunteer to limit the scope of their access request – at least without guidance from an APP entity. With that in mind, APP entities should be inclined to assist DSAR applicants to refine the terms of their requests to specific classes of data, such as PI held in active platforms and excluding any PI in digital-deep-freeze. It is not clear how the privacy reforms will balance the rights of an applicant requesting erasure (Recommendation 18.3 in the CTH Privacy Response) vs. an APP entity’s adherence to fair-and-reasonable PI handling (Recommendation 12.1). This issue will become particularly thorny when APP entities raise issues of reasonableness in the context of searching through cloud-based archive platforms, where retrieval costs can be prohibitively expensive. Accepting that this will sound like a broken record, APP entities will need to maintain excellent record-keeping protocols so they can pinpoint a specific individual’s PI in the event of a DSAR. Otherwise, they will expend countless resources to complete a ‘reasonable search.’
6) Level of public (or personal) interest in requested information - This factor harks back to public interest balancing tests in FOI legislation – and determining whether conditionally exempt documents should be released. By its nature, PI relates to a specific individual, meaning that (general) public interest considerations would, arguably, be moot in most cases. However, this would not be the case where DSAR applicants have a keen interest in obtaining their PI because it would assist them in enforcing their legal rights – or where the applicant can demonstrate a significant impact upon their finances, reputation or other adverse consequences.
Similar issues would arise in the context of data breaches affecting significant numbers of Australians. In fact, it could be argued that there is a ‘general public interest’ for individuals to make expansive DSAR applications to ensure that their data has not been mishandled due to the breach – or could be mishandled in the future. In the context of a data breach, APP entities would not likely find the OAIC sympathetic to arguments that it is “unreasonable” to respond to a tsunami of DSARs.
However, APP entities could likely make strong arguments to the OAIC and its investigators to defer the processing of tens of thousands of DSARs until after the organisation has contained a data breach, undertaken full remediation efforts and documented those efforts. There would be one rather large caveat to that approach, being that the APP entity may need to demonstrate that its resources were ‘maxed out’ on containment and remediation processes. Plus, the APP entity would (likely) need to produce a well-documented plan and clear timetables for responding to the DSARs. Last but not least, the APP entity would (very likely) need to provide some form of evidence demonstrating that a ‘pause’ in DSAR processing would cause no further harm to those affected by the data breach.
According to the FOI authorities, a practical refusal based on a SUDR – a substantial and unreasonable diversion of resources – is a question of fact in each and every (individual) case. That may not fill practitioners with confidence, much less provide them with broad principles that can be applied when refusing a DSAR as “unreasonable” under the Privacy Act’s proposed reforms. However, APP entities can ‘get ahead of the curve’ by establishing clear, data-driven protocols that accurately estimate the time needed to process DSARs. While those efforts could appear daunting, they are likely to be much less of a burden than responding to complaints and investigations by the Privacy Commissioner or scrambling to ‘reinvent the procedural wheel’ with each new DSAR. And with the privacy reforms, you can bank on the fact that there will be many – DSARs, that is.