NSW Information Commissioner's 10 Year GIPA Data Analysis Overview 2010-2020

View the document below or download it here: NSW Information Commissioner's 10-Year GIPA Data Analysis Overview 2010-2020 September 2021

Introduction

Our governments must embrace openness and transparency and must forever relinquish their habitual instinct to control information.[1]

The introduction of the Government Information (Public Access) Act 2009 (GIPA Act) was intended to ensure that members of the public have access to the widest possible range of information to give them confidence in government decision making.  This ambitious commitment heralded the transformation of what was then the Freedom of Information (FOI) regime in NSW.  The commitment was to turn the FOI regime on its head.[2]

To achieve this ambition the new legislation put in place a framework built upon the principles of:

1. proactive disclosure
2. a presumption in favour of public interest disclosure, and
3. oversight by an independent champion of open government in the form of a new Information Commissioner.[3]

This framework operates within the context of NSW agencies:

• Government Departments,
• Local Councils,
• Universities,
• State-Owned Corporations, and
• Ministers offices.

Within each of these regulated agencies different processes, systems and cultures will impact the operation of the GIPA Act.

We now have 10 years of data to examine the operation of the GIPA Act against these principles and within the prevailing context and culture.  After 10 years it is reasonable to expect a level of maturation of processes, systems and the ultimate operational determiner - culture.

The intent to achieve significant cultural change was unequivocally expressed by the legislators: Our public sector must embrace openness and transparency and governments must forever relinquish their habitual instinct to control information.[4]

The legislators’ ambition to give New South Wales the nation's best freedom of information laws will only be fully realised if accompanied by a profound cultural shift to openness.[5] 

Lessons derived from 10 years of data 2010 to 2020

An examination of the well-established measures applicable to each of the elements of the legislative framework provides valuable insights into the degree of achievement of the legislators’ ambitions.  This approach, augmented by an analysis of the significant changes operating in a 2020 agency context, enables a more rigorous examination of the extent to which the GIPA Act remains responsive to new challenges and risks and continues to represent the nation's best freedom of information laws. 

Agencies make decisions using vastly different information and processes than they did in 2010.  In 2020, government and agency decision-making is supported not only by data but in many instances real-time data.  Likewise, machine enhanced decision-making is increasingly prevalent.  The GIPA Act requires agencies to identify and report on the kinds of information held by the agency and to describe the ways in which decision-making functions affect members of the public.[6]

In 2020, agencies must respond to these mandatory requirements by specifying their information assets and outlining decision-making functions especially when those functions are informed by machine enhanced processes.

Information must be preserved, and access promoted to realise the NSW Government’s digital transformation agenda and current endeavours to value information assets.  The operation and cultural adoption of the best information access laws are critical to the successful achievement of these goals.

1. Proactive Disclosure

To achieve this ambition, a cornerstone of the GIPA Act was its emphasis on proactive disclosure, mandating the publication of open access information.[7]

Open access information was tailored to address risks of corruption and serve a pro-integrity purpose unique to the sectors regulated under the GIPA Act. In 2020, the interface with industry is more proximate and reporting requirements are more crucial to combat the risk of corruption.

The legislators tailored open access information to address risks of corruption and serve a pro-integrity purpose unique to the sectors regulated under the GIPA Act.

Open access information includes:

• details of an agency's structure and functions
• policy documents to assist members of the public in understanding the decisions made by government about the services they will receive and/or their rights and obligations 
• a register of significant private sector contracts and a list of each Department’s major assets, including major acquisitions together with the total number and total value of properties disposed of by the Department during the previous financial year to promote transparency in respect of the expenditure of public funds 
• specific disclosures to combat corruption such as pecuniary and other interests in the Local Council Sector.

How have agencies fulfilled their proactive disclosure requirements?

From an all-time low of 60% in 2010, compliance with proactive disclosure requirements by government departments and sampled smaller agencies fluctuated markedly.  This may be influenced by of levels of compliance by sampled smaller agencies that may be newly established and therefore their levels of maturity of systems, processes and culture are variable.

Whilst there has been an overall increase to a compliance level to 72% in 2020, that figure also reflects a downward trend from an all-time high of 83% in 2017/18.

Overall, the most significant finding from 10 years of data relates to the low levels of compliance by government departments in respect of their five additional open access requirements.  The results of compliance varied depending on the requirement.  However, given the significant role government departments perform, their acquisition and disposal of public assets and their inherent risk of corruption, it is concerning that in 2020 only:

• 22% (two departments) had a full or partial list of major assets and acquisitions (consistent with 2018/19)
• 11% (one department) partially met the requirement in relation to both the total number and the total value of properties the department disposed of during the previous financial year, while another 67% (six departments) had information only on the value of properties disposed of, mostly included in the department’s annual report
• 11% (one department) had the department’s guarantee of service (consistent with 2018/19).

Additionally, year-on-year data demonstrates that a significant proportion of complaints finalised by the IPC concern open access information with the highest level reported (23%) in 2019/20.

Equally, low levels of compliance by Local Councils in respect of their requirement to make available on their websites disclosures of pecuniary and other interests, represents a failure of systems, process, and culture.

Contract disclosure requirements have also been a consistent focus of our regulatory efforts with our first compliance report regarding contract reporting published in 2015 followed by an additional three reports.  These reports are publicly available to promote the IPC’s recommendations regarding measures to achieve compliance.

Ten years on context and culture - how is proactive disclosure operating in 2020?

After more than 10 years, systems, process and culture maturation would be expected within government departments sufficient to uniformly achieve 100% compliance with these mandated proactive disclosure requirements.  

Likewise, continuing low levels of compliance by the Local Council sector must be addressed in order to equip that sector to combat ongoing corruption.[8]  The corruption impacting local communities must be treated with transparency to preserve our democratic systems.

Both sectors are entrusted with acquisition, development and disposal of public assets. The current public sector context is characterised by an increasingly commercial environment and interface with industry.  In this context the mandatory proactive disclosure requirements serve a pro-integrity purpose that equips agencies to prevent and, where identified, combat corruption. These requirements serve the interests of both citizens and agencies.  Continuing low levels of compliance demonstrate starkly that there is work to be done within agencies to realise the benefits of the proactive disclosure requirements under the GIPA Act.

In contrast, agencies have developed their authorised proactive release programs to high levels of maturity and the trajectory of increasing compliance which commenced in 2017 has delivered  commendable outcomes in all sectors in 2020 with compliance ranging from 97% in government departments to 86% in state-owned corporations. 

2. A presumption in favour of public interest disclosure

The legislation gave primacy to the presumption in favour of disclosure: The public's right to know must come first.[9]  To achieve this outcome the GIPA Act:

• requires the public interest test to be applied on a case by case basis
• specifies that decisions by agencies are to be made independently of political considerations
• expressly prohibits decision makers from taking into account any possible embarrassment to the Government that might arise if information is released
• stipulates that public servants are not subject to ministerial direction and control in dealing with an application to access government information.[10]

How have agencies adopted the presumption in favour of disclosure?

The growth trajectory for access applications reflects a relatively consistent growth in applications to an all-time high in 2020 (17,246).  Increases in applications have continued from 2010 to 2020 in all sectors with the exception of the State-Owned Corporation sector.

Growth in applications by members of the public is unparalleled in any other applicant type.  Applications from members of the public have increased from 6,000 in 2010 to 13,690 in 2020.  This growth is also confirmed by successive Community Attitudes Surveys which consistently reveal that over 85% of members of the public value their right to access information.[11]  On any measure the public are increasingly valuing and exercising their right to access information under the GIPA Act.

There has been a steady and sustained increase in the number of applications seeking personal information.  Applications for personal information have grown from about 3,000 in 2010 to over 10,000 in 2020.  This represents a 230% increase over the 10 years of reporting.

Applications seeking personal information are not currently reported against categories that distinguish applicants seeking their own personal information and applications seeking the personal information of others.  Current reporting requirements recognise by way of a notation that the only category of personal information to be collected is the personal information of the application. The two differing categories are not distinguished, and further clarity is recommended.  Whilst these factors may be considered by decision makers in dealing with an access application in the absence of express reporting requirements, useful insights are not available to policy makers or operators to inform better systems for managing access to information.

It is therefore important to recognise that notwithstanding a dramatic increase in this application type, there has not been an increase in release rates in respect of applicants seeking personal information.

Over the years, the combined (full and partial) release rates have remained steady at around 65%.  Agencies are required to respond in a timely manner to access applications.  In the face of increasing application numbers, the decision-making process will be increasingly subject to time pressures. These factors should provide an impetus for agencies to consider how they might make the personal information of an applicant more accessible particularly through examination of the proactive and informal release pathways.

Release rates in response to access applications is an internationally accepted measure of government openness.  In New South Wales we measure this according to a National Dashboard established by all Information Commissioners/Ombudsmen commencing in 2014/15 and through the tabling of the Report on the Operation of the GIPA Act by the Information Commissioner.

Ten years of data regarding release rates in NSW demonstrates that after reaching a peak of 80% in 2012/13, the combined release rate has remained static at an average of 69% over the six years since 2014/15.  One significant trend is the switch to a predominance of partial release as distinct from release in full that has occurred over the 10 years of reporting. This may indicate a greater reliance upon redactions by agencies and on one view provides an indication of maturation of agencies’ understanding of the mechanisms available to them under the GIPA Act to provide access to information in a redacted form or by creating a new record.[12]

There are vastly different release rates operating between sectors.  This variance may be driven, in part, by the type of information held and the conclusive presumption of overriding public interest against disclosure (CPOPIADs) that it may attract. 

However, concerningly release rates for all sectors have trended downwards over the 10 years of reporting with the exception of the University sector which have fluctuated but overall demonstrated an increase in release rates.  This largely uniform and ongoing decline is concerning.

Significant variations in release rates have occurred in:

• the Local Council sector – in the early years of reporting this sector was releasing around 75% of information sought in full and around 20% in part.  In recent years these release rates have changed dramatically with around 50% of information released in full and around 25% in part and has been accompanied by a rise in other outcomes. 
• The State-Owned Corporations sector has also dramatically changed over the 10 years.  In the early years of reporting, this sector was releasing around 45% of information sought in full and around 40% in part.  In recent years, these release rates have changed dramatically with around 68% of information released in full and around 15% in part again accompanied by a rise in other outcomes from around 5% to around 18%. 

The National Dashboard results provide a range of release rates for each jurisdiction over the years 2014 to 2018/19 of 67% to 98%.  The NSW release rate is consistently 86%.  Refusal rates over the same time period also confirm that refusal rates in NSW remain relatively high.

Interestingly, Queensland release and refusal rates are relatively similar.  This may reflect the proactive approach to release of information which may stimulate the application of considerations against disclosure of the information applied for under the formal application pathway. 

However, review rates per capita in NSW are in general half those of Queensland.  Accordingly, the measure of review outcomes in NSW may provide a greater insight in the quality of decision-making and application of the public interest test by NSW agencies.  This issue is dealt with below in examining the role and function of the Information Commissioner.

Significantly, applicants with the highest release rates are private sector businesses.  These applicants have secured combined release rates of around 75% and they have maintained these rates over the last four years.  Accordingly, they are consistently exceeding release rates secured by members of the public (70%).  This finding is significant in determining if presumption in favour of access to information is operating as intended – to ensure that the publics’ right to know comes first.

Likewise, rates of release for members of parliament and members of the media remain low.

Over the 10 years there has been a notable increase in two CPOPIADs:

• excluded information, and
• Cabinet in Confidence.

In the first three years of operation reliance upon Cabinet in Confidence was 8.46% combined for government departments and the State-Owned Corporation sectors.  In the last three years government departments reliance upon this CPOPIAD remained stable at around 9%.  However in 2016/17, the IPC decoupled reporting state-owned corporation data from government departments and a significant trend became apparent.  Notably the State-Owned Corporation sector increased its reliance upon Cabinet in Confidence dramatically from 33% to 50% and 67% over the last three years of reporting.

Whilst the application numbers remain low in the State-Owned Corporation sector the trend is irrefutable.  Likewise, the State-Owned Corporation sector has dramatically increased its reliance upon the business interests of agencies and other persons as a dominant overriding public interest consideration against disclosure (OPIAD).

In the context of increasing commercialisation of government functions these trends provide a strong indicator of potential contemporary threats to the right to access information.

Ten years on context and culture - how is the presumption in favour of disclosure operating in 2020?

The public sector context has changed dramatically since 2010. As I reported in the 2018/19 Report there are now three immutable features of the government sector:

1. Digital government - increasing reliance upon data to inform decisions and digital service delivery and associated treatment of government information as an asset
2. Increasing partnerships and outsourcing of traditional government services
3. Administrative arrangements and service delivery models that transcend agencies and sectors.

There is also a further dramatic transformation - the increasing reliance upon temporary and casual labour within the public sector.  In 2010, 18.6% of employees were temporary and casual contractors and in 2020 that percentage had increased to 23.5%.[13]  This is a significant increase in the context of those employees being aware of and adequately trained in the public sector requirement to create, preserve and provide public access to information. These requirements are not shared by the private sector unless specifically provided for in a contract with government.[14]  

This new government paradigm brings new challenges as government increasingly applies technology and partners and/or outsources functions.  In the absence of a new compact with citizens their expectation is that government will continue to ensure that their right to access information is preserved.

There are two choices here:

1. Government engages in meaningful dialogue with citizens regarding the loss or modification of extant rights when services are outsourced or otherwise commercialised; and/or
2. Government contracts preserve those rights through their express inclusion in contractual terms for specific services including those involving machine learning.^[15]

The significant changes in the Government sector present new risks and opportunities for the publics’ right to access information when determining applications on: a case by case basis, independently of political considerations by public servants not subject to ministerial direction and control in dealing with an application to access government information.

1. Digital Government:

• Release Rates and application types:
  • There has been a 128% increase in the number of applications from members of the public in the 10 years of reporting.
  • Likewise, we have seen a 230% increase over the 10 years of reporting in members of the public seeking access to personal information.
  • However, the release rates for this type of application by this applicant type has stagnated at 65%.
  • The increase in digital government and ability to aggregate and disaggregate data should increase release rates particularly for members of the public. However, we have seen a stagnation in release rates to members of the public. In contrast, we have seen a rise in release rates for private sector businesses.
  • In the context of recognising the new compact between government and citizens low cost access to personal information of the applicant must be further explored.  Likewise release rates for applicants seeking their own information should be reported and measured.  It is reasonable to expect that release rates for this type of applicant should be equal to and not second to private sector business release rates.  This situation provides a unique opportunity for government to ensure that the publics’ right to know to come[s] first.[16] The development of a customer dashboard or access portal unique to each individual represents an opportunity for government to further realise the ambitions of the GIPA Act.
  • Similarly, the storage and retrieval costs associated with access applications should decrease in the context of digital government.

2. Increasing partnerships and outsourcing of traditional government services:   

• Reliance upon CPOPIADs and OPIADs:
  • The rise in a reliance upon the Cabinet in Confidence CPOPIAD by State-Owned Corporations (enterprises that are wholly or majority government-owned companies that engage in activities on behalf of the state) requires further examination.  These entities are established along private sector governance arrangements and accordingly it is expected that prior to establishment the Cabinet in Confidence CPOPIAD may be relied upon.  However there has been a dramatic increase in reliance upon that CPOPIAD by this sector since 2010 and this CPOPIAD is claimed following the establishment of the entity.  In circumstances where the State-Owned Corporations are further removed from the public sector reporting and accountability requirements, reliance upon a strictly government based CPOPIAD is concerning and requires further examination.

3. Administrative arrangements and service delivery models that transcend agencies and sectors:

• Transfers of applications have been facilitated by 2018 legislative amendments which enable agencies to split applications and then transfer part of an application to another agency.  This has delivered a significant increase in transfers from 75 in 2014/15 when we commenced measuring this feature to 727 in 2020.  This new legislative provision has streamlined and enhanced ease of access by applicants who may not be aware of the agency that holds the information sought.  It has also engaged agencies in providing advice and assistance to applicants.
• Additionally, these persuasive statistics provide an opportunity for government to consider administrative measures that might further ease access to information held in digital form and on shared platforms - particularly personal information of the applicant. 
• Likewise, the proactive release of personal and other information should be enhanced by digital records and the new paradigm of digital government provides opportunities to maximise information release.

3. Oversight by an independent champion of open government

The role and functions of the Information Commissioner are secured by both the GIPA Act and the Government Information (Information Commissioner) Act 2009 (GIIC Act).  The regulatory model established under these statutes is one that relies upon influencing practices and culture.  Coercive powers are therefore limited.

Since 2014, the Information Commissioner has been firmly established as the dominant avenue for independent review of agency decisions.  There is a relatively stable and proportionate Information Commissioner review rate between all sectors with the exception of the University and Ministerial sectors where fluctuations occur.

After four years of operation, the percentage of reviews by the Information Commissioner that recommended that the agency make a new decision has remained reasonably stable at around 50%.

A lesser proportion of around 40% of agencies upheld the original decision on review following a recommendation by the Information Commissioner.  This rate has remained stable over the last four years.  Accordingly, in approximately 60% of cases agencies will vary their original decision in response to the guidance provided by the Information Commissioner.

Formal applications national metrics

As Information Commissioner I led a national project to develop national metrics that provide a lens into the operation of the right to access information legislation in each jurisdiction.  These metrics are complimented by a jurisdictional compendium outlining the features of the legislation operating in each jurisdiction.

Since 2014/15 when the national dashboard was first established, reviews by the NSW Information Commissioner have ranged from third most prevalent to fifth most prevalent metric when compared to national and interstate/territory counterparts.

Pleasingly, access refused in full by NSW agencies has decreased from third highest in 2014/15 to fifth highest in 2018/19.  Likewise, combined access granted rates (full or in part) has risen from fifth highest in 2014/15 to third highest in 2018/19. These comparative statistics provide a meaningful insight into a maturation of agency systems and decision-making in respect of the formal access to information pathway. 

In an environment in which applications have risen significantly and reviews by the New South Wales Civil and Administrative Tribunal (NCAT) have also risen, it may be opportune to consider the legislative model adopted in respect of the Information Commissioner’s non-determinative role.  There may be matters that readily lend themselves to the issuance of a notice to comply by the Information Commissioner in respect of both reviews and complaints.  Similarly, enhanced administrative practices and legislative amendments may be warranted to safeguard low cost access to information and ensure that New South Wales [has] the nation's best freedom of information laws.

IPC risk-based proactive regulatory approach

The proactive regulatory work of the IPC has matured significantly since 2010 with targeted risk-based audits now a regular feature of our compliance program.  Six information access compliance audits were undertaken in 2020 - a record high.  All recommendations made by the Information Commissioner have been adopted by agencies subject to these audits.

I have also examined the operation of the offence provisions of the GIPA Act in two investigations and observed that in an environment that recognises information as a public asset that asset should, like all public assets, be preserved against reckless destruction or inference.

The offence provisions of the GIPA Act do not currently recognise the reckless destruction, concealment or alteration of government information.  This presents a real risk to the publics’ right to access information particularly when coupled with the increasing proportion of contract labour in the public sector.

Ten years of data demonstrates considerable maturation by agencies in their exercise of functions under the GIPA Act.  The IPC’s regulatory approach has developed to fortify this maturation.

The IPC’s development of Agency Self-audit Tools and the GIPA Dashboard demonstrates that maturity and enables agencies to positively engage with an assessment of their performance and avail themselves of the regulatory guidance provided within these tools.  Agencies must now actively monitor their own performance and apply these tools to improve the adequacy of their systems, policies and practices for exercising their functions under the GIPA Act and preserve the public asset that is government information.[17]  This action signals the cultural change that is necessary to realise the generational change and reform that is long overdue anticipated by the legislators in introducing the GIPA Act.

Ten years on context and culture - how effective is the role of the independent champion of open government and what action is required?

The change that we have witnessed in the 10 years of reporting on the operation of the GIPA Act provides meaningful opportunities to realise the ambition of legislators to ensure that New South Wales the nation's best freedom of information laws.

The GIPA Act provides the Information Commissioner with functions including the:

• monitoring of agency performance,
• provision of advice and the issuance of publications to assist agencies and members of the public,
• power to make recommendations to the Minister/s about proposals for legislative and administrative changes to further the object of the GIPA Act.[18]

In considering 10 years of data and the application of the right to access information in a contemporary government context, I am of the view that action to address the risks presented by our contemporary government is required by agencies, the Information Commissioner, policy makers and legislators. 

Proposals for administrative and legislative change

1. Agencies now have access to efficient and effective regulatory tools including the IPC Agency Self-audit Tools; Essential Guidance Toolkits and e-learning modules.  I recommend that leaders articulate a commitment to managing government information and enhance oversight arrangements informed by these resources.  Training in open government, information management and the right to access information should be calibrated to risk and foundation training should be mandatory.
2. Compliance with mandatory proactive disclosure requirements must be elevated.  This is particularly evident in compliance by:
   • Government departments in respect of their requirements to meet the five additional open access requirements relevant to acquisition and disposal of public assets and their guarantee of service; and
   • Local Councils in respect of disclosures of pecuniary and other interests. 

Closer examination of these lower levels of compliance and associated recommendations to elevate compliance levels is being prioritised by the IPC, as set out in our compliance calendar.[19]  After 10 years, leaders must actively engage with and prioritise these mandatory disclosure requirements according to the guidance provided by the IPC.

3. I recommend that the publics’ right to access their own information is further examined and facilitated in the context of digital government to provide seamless, low cost access to personal information of the applicant.  This can be achieved by:
   • Prioritising administrative solutions that recognise data rights and enable the public to access information about themselves.  This may manifest as a personal information dashboard.[20] The Digital Restart Fund may provide a vehicle for government in this regard.
   • Exploring legislative options to better understand the publics’ use of and experience in exercising their right to know; for example including in the GIPA Regulations a requirement that agencies report on access applications that seek the personal information of the applicant or the personal information of another party and transfers of applications between agencies.  Inclusion of these two additional reporting requirements would inform agencies of the information sought and enable them to better examine options to promote access to information.
   • Standardising government procurement contracts particularly those involving machine enhanced decision-making to preserve the right to access information when government engages third-party providers and/or outsources services. 
4. The IPC has demonstrated 100% compliance with the 2018 legislative requirement to finalise cases within 40 days of receipt of all information.  Our timeliness exceeds comparable jurisdictions.  In the face of increasing applications and the extant threats to information access presented in digital government, I recommend examination of legislative solutions including:
   • additional mechanisms to promptly resolve disputes in a low-cost manner.  Options include engagement and consideration of legislative changes to introduce new regulatory powers such as the power to issue a notice to comply.  This option would support the achievement of a timelier outcome particularly in cases of a failure to meet mandatory proactive disclosure requirements such as contracts, pecuniary and other interest disclosures and management of major assets.[21]
   • examination of additional offence provisions or other deterrents to safeguard the public information asset from reckless destruction, concealment or alteration.