Other Information

New Staff Member
Welcome to our new Law Clerk - Waghma Popal! Waghma is currently in her second year of law school. Her favourite area of law is criminal law; however, she is particularly interested in, and excited about, widening her scope and exploring FOI and privacy law at FOI Solutions!
FOI Solutions Training Sessions
The upcoming training sessions for August/September are as follows:
- 1 September 2025 - Basic 1 FOI Training
- 3 September 2025 - Basic 2 FOI Training
- 8 September 2025 - Intermediate 1 FOI Training
- 11 September 2025 - Intermediate 2 FOI Training
For more information or to register, please view our website or send an email to marketing@foisolutions.com.au requesting a copy of the brochure/registration form.
Question Time
Q: I work at a Council, should we have a data breach response plan and how often should it be updated?
A: Councils hold information and data in relation to employees, individuals and other businesses. Councils may also be subject to legal obligations regarding collection, use and management of this kind of information. For instance, the Privacy and Data Protection Act 2014 (Vic) outlines how “personal information” is collected and handled through the Information Privacy Principles (“IPP”). A data breach may occur if information held by Councils is accessed without authorisation, lost, disclosed inappropriately, or misused. In such cases, it is likely that the Council has not complied to some degree with a relevant IPP. In particular, IPP 2 (Use and Disclosure) and IPP 4 (Data Security) often arise in this context.
The purpose of a data breach response plan (“Plan”) is to outline the steps a Council will take in the event of a data breach, including who is responsible for each action and how the response will be managed.
In Victoria, there is no specific legislative mandate prescribing how often Councils must update their Plans. We recommend reviewing your Plan every 6 to 12 months. Changes in circumstances could affect how often your Plan should be reviewed and updated. For instance, you may need to update your Plan if your Council has:
- Been restructured
- Appointed new Officers or changed roles
- Changed contact information or decision-making authorities
- Introduced new IT systems, data storage solutions, or cloud services
- Implemented new data handling or cybersecurity software
Given the dynamic nature of data security risks and legal obligations, it is essential that Councils maintain an up-to-date Plan. By reviewing and updating the Plan regularly, Councils can better safeguard the personal information they manage and respond quickly and appropriately in the event of a data breach.
Q: If an FOI applicant is an agency employee and author of the emails they are seeking to access, should exemptions s33(1), 30(1) and 35(1)(b) be considered?
A: Where the FOI applicant is employed by your agency (or was previously employed) and is the author of the emails sought, you should still consider all available exemptions over those emails. Depending on the circumstances of the case, there are various possible exemption decisions that could be appropriate. Their own emails sent from their personal (non-agency) email address could be released administratively to them outside the FOI Act, as they would be likely to have a private copy. However, emails sent using their agency email address should be carefully considered for exemptions based on the content of the email. You cannot assume the applicant has copies of agency emails. If they sent a cc to their personal email address, then you might consider administrative release depending on content. Otherwise, public servants are bound by obligations of confidentiality and fidelity to their agency, which do not disappear after they leave their employment.