Introduction

1.1 The Freedom of Information Act 1982 (FOI Act) is the legislative basis for open government in Australia at the Commonwealth level. Each person has legally enforceable rights under and subject to the FOI Act to obtain access to government documents and to apply for the amendment or annotation of records of personal information held by government. The FOI Act also requires agencies to publish specified categories of information and encourages the proactive release of other government held information.

1.2 In 2024–25, 43,456 Freedom of Information (FOI) requests were received by agencies and ministers, a 25 per cent increase on 2023–24. According to the Office of the Australian Information Commissioner (OAIC)⁴, the number of requests received in 2024–25 was the highest received on record. FOI complaints and applications for review in 2024–25 also increased significantly (by 26 per cent and 21 per cent respectively). In addition, 93 applications for review of FOI decisions were filed with the Administrative Review Tribunal (ART), which was a four per cent decrease on 2023–24 (after a 20 per cent increase between 2022–23 and 2023–24). The OAIC reported in its 2024–25 Annual Report that:

• ‘agencies continue to face challenges meeting processing timeframes against a rising trend in FOI request numbers’ with the percentage of FOI requests decided outside the applicable statutory timeframe remaining unchanged from the previous year at 27 per cent;
• 25,211 decisions were made on FOI requests: 25 per cent of decisions were to refuse access in full; 54 per cent granted access in part; and 21 per cent granted full access; and
• 62 per cent of Information Commissioner decisions ‘set aside’⁵ the decisions under review. The OAIC stated that this ‘high set-aside rate indicates there is more work to do to embed a pro-disclosure approach. This work is important to ensure proper alignment with the objects of the FOI Act, to increase public participation in Government processes and to increase scrutiny, discussion, comment and review of the Government’s activities’.

Rationale for undertaking the audit

1.3 The purpose of the FOI Act is to give the Australian community access to Australian Government information. Parliament intended that the functions and powers under the FOI Act are to be performed and exercised, as far as possible, to facilitate and promote public access to information, promptly and at lowest reasonable cost.

1.4 As illustrated by Figure 1.1, the proportion of FOI requests reported by entities as granted in full has declined significantly over the last 15 years.⁶ Up to 2018–19, the majority of requests were granted in full whereas that figure has been below 25 per cent since 2022–23.⁷ Just over half of requests now result in partial release of information (up from around one third in the first nine years after the 2010–11 reforms to the FOI Act) with refused requests having more than doubled to now be around one quarter of all requests that are decided each year. Full refusals have risen since 2018–19 and were above 20 per cent of decisions in 2022–23 and have continued to increase. Further, over this 15-year period, there has been a marked increase in the proportion of Information Commissioner reviews that result in a decision to set aside the original decision taken by the agency or minister, a situation that the OAIC has identified as being inconsistent with a pro-disclosure approach by entities.⁸

Figure 1.1: FOI access decisions and Information Commissioner decisions to set aside original access decisions: 2010–11⁹ to 2024–25

Source: ANAO analysis of OAIC annual reports.

1.5 A December 2023 Senate inquiry report concluded that the ‘system is not working effectively and for some time has not functioned as it was intended.’¹⁰ The Government responded to Parliament in September 2025, noting the introduction of a Bill to amend the FOI Act.¹¹ This Bill was discharged from the Senate Notice Paper on 5 March 2026.¹² The audit provides assurance to Parliament over the effectiveness of entity administration of FOI Act requests in achieving the objects of the FOI Act.¹³

Audit approach

Audit objective, criteria and scope

1.6 The objective of this audit was to assess whether the selected entities’ administration of Freedom of Information Act 1982 requests is effective in giving the community access to Australian Government information.

1.7 To form a conclusion against the objective, the following high-level criteria were adopted:

• Did entities facilitate prompt access to requested documents?
• Was decision-making transparent, accountable and pro-disclosure?

1.8 The ANAO audited three entities: the Department of the Prime Minister and Cabinet (PM&C); the Department of the Treasury (Treasury); and the Department of Infrastructure, Transport, Regional Development, Communications, Sports and the Arts (Infrastructure). The audit also engaged with the Office of the Australian Information Commissioner in light of the preliminary audit findings and potential recommendations.

1.9 The scope of the FOI requests examined was those seeking access to documents other than those containing the applicants own personal information, which were active at any time during 2024. Specifically, FOI requests each auditee:

• had on hand at 1 January 2024 or received during 2024;
• had received directly or via transfer, assessed as a valid or invalid request, or transferred to another agency or a minister;
• had or had not made a decision on by 31 December 2024;
• had conducted an internal review of during 2024, regardless of the date of the original request; and/or
• had been contacted about by the OAIC, Commonwealth Ombudsman, Administrative Review/Appeals Tribunal or Federal Court during 2024, regardless of the date of the original request.

1.10 ANAO identified 1,111 FOI requests within scope of the audit, across the three entities (see Table 1.1). When undertaking testing and analysis, ANAO applied a representative sampling methodology, in line with ANAO audit standards.

Table 1.1: Number of in scope FOI request on hand in 2024 for each of the three audited entities

Note a: ANAO has reflected the three largest cohorts of applicants in these figures. As such these figures do not add to the total number of requests received in 2024.

Note b: Included in these figures are 10 FOI requests submitted by a single applicant to PM&C on a single day and subsequently transferred to Infrastructure, see Footnote 38. The outcome for all 10 requests was for access to be refused in full.

Source: ANAO analysis of entity records.

Audit methodology

1.11 The audit method included:

• consideration of the FOI Act, the Freedom of Information (Charges) Regulations 2019, and the ‘FOI Guidelines’ issued by the Australian Information Commissioner under section 93A of the FOI Act¹⁴;
• examination of entity procedures, policies and guidance relevant to the performance of functions, or exercise of powers, under the FOI Act;
• examination of records for samples of FOI requests and correspondence, including correspondence between the entity and applicant, internal entity correspondence regarding a request, briefs or minutes to decision-makers, decision letters, and information published by the entity about FOI and FOI requests; and
• consultation with staff, including entity FOI coordination teams, FOI decision-makers, and the senior responsible officers for FOI administration.

1.12 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $725,000.

1.13 The team members for this audit were Hannah Conway, William Mussared, Tracey Bremner, Tomislav Kesina, and Brian Boyd.

2.1 Section 3 of the Freedom of Information Act 1982 states:

(1) The objects of this Act are to give the Australian community access to information held by the Government of the Commonwealth, by:

(a) requiring agencies to publish the information; and

(b) providing for a right of access to documents …

(4) The Parliament also intends that functions and powers given by this Act are to be performed and exercised, as far as possible, to facilitate and promote public access to information, promptly and at the lowest reasonable cost.

2.2 Effective administration of the FOI Act is a cornerstone of integrity in the Australian Public Service and trust in government. In this context, the Commonwealth Integrity Strategy was released in December 2025. The Strategy was developed by the Attorney-General’s Department and the Australian Public Service Commission to strengthen integrity across the Commonwealth public sector.¹⁵ The Strategy included a number of FOI related metrics (as distinct from performance measures, see Appendix 3) to measure progress with improving transparency and accountability, being the percentage of:

• FOI requests finalised in accordance with statutory timeframes;
• FOI requests refused; and
• OAIC reviews of decisions and FOI complaints finalised each financial year.

Do the entities have appropriate policies and procedures?

2.3 Consistent with requirements under the PGPA Act for entities to establish systems of internal control, documented policies and procedures are important as they provide a clear, consistent framework for operations, behaviour, and decision-making which, in turn, helps ensure legal compliance, promotes efficiency, and manages risks.

2.4 As outlined in Table 2.1, the three audited entities have adopted different approaches to establishing policies and procedures to administer their obligations under the FOI Act. Only the Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts’ (Infrastructure) policy, dated June 2024, includes version control, release date and endorsement from a delegate.

Table 2.1: Overview of FOI Act policies, procedures and templates in operation during audit period

Note a: On 20 October 2022, PM&C released these business rules on its public facing webpage. The document released publicly, as with the internal held version, has no date, no version control and no executive sign off or endorsement (https://www.pmc.gov.au/resources/freedom-information-business-rules).

Note b: In February 2026, Treasury provided ANAO with a finalised FOI Policy albeit with no version control or executive sign off or endorsement.

Source: ANAO analysis of entity records.

2.5 There were various shortcomings in the policies, procedures and guidance of each of the three entities.

Prime Minister and Cabinet

2.6 Prime Minister and Cabinet (PM&C) has a five page ‘Business Rules’ document. It is located on the department’s intranet page. The document states that it was developed to:

• ensure staff are aware of PM&C’s legal obligations under the FOI Act
• set out the structure of FOI processing at PM&C, and
• provide guidance for line area staff who are involved in the processing of an FOI request

2.7 The document contains no executive endorsement or sign off, with the last recorded approval being via email in June 2022. The document has no recorded release or publication date within it, only the public facing website’s record of publication as 20 October 2022. There is also no version control table.

2.8 The ‘Business Rules’ set the expectations for how the subject matter areas within PM&C will engage and work with the FOI team to meet the obligations of the FOI Act. These rules make no reference to the objectives of the FOI Act.¹⁶ They do not provide a link to the legislation, but do reference and link to the FOI Guidelines.

2.9 PM&C also has 10 standard operating procedures, user guides and fact sheets as well as five checklists. These documents are all undated, with no version control. There is no order or structure to the supporting documents, for example to align with a workflow, and support staff to refer to and apply the right procedure at the right time in the right circumstance.

Treasury

2.10 At the time of audit, the Department of the Treasury (Treasury) had a draft policy, last edited in December 2023.

2.11 The December 2023 document had substantial elements not yet finalised. It also included various margin comments from Treasury officials offering suggestions and asking questions about the contents.

2.12 The draft policy promoted some practices that are inconsistent with the FOI Act. For example, it stated that it ‘is the Department’s policy to send FOI decisions that include documents for release on Fridays’. This approach, which the ANAO observed was being implemented by Treasury in relation to various requests examined as part of the audit, delays release until Friday of each week. It is not consistent with the FOI Act which requires that decision notification be done ‘as soon as practicable’.¹⁷

2.13 Treasury’s draft policy had not been finalised or approved and was out of date with changes to the FOI Act and case law.¹⁸ In October 2025, Treasury advised the ANAO that the December 2023 draft policy was the ‘most advanced’ version and that it ‘nevertheless governs our operating framework’.

2.14 The procedures document under the December 2023 draft policy continued to advise Treasury staff, that ‘The application of the FOI Act to documents ‘in the possession of a minister’ excludes by implication documents held by a former minister’ and that ‘If the requested document is not in the possession of the new minister, the FOI Act will not apply as the document is no longer an ‘official document of the minister’. The correct position, following a 2024 decision of the Federal Court of Australia¹⁹, has been reflected in an update by the OAIC to its Guidelines to recognise that a document does not cease to be an ‘official document of a minister’ if the incoming minister does not have possession of the document.

2.15 Treasury’s draft policy listed five FOI ‘procedures’ documents. Those five procedure documents do not exist. Rather, Treasury has a single draft procedure. That document attempts to encompass the whole FOI process. It was last edited in November 2022.

2.16 None of the Treasury documents included: executive endorsement or sign off; recording of the release or drafting date; or a version control table.

2.17 In February 2026, Treasury finalised its FOI Policy. Treasury removed the reference to former guidance from PM&C on being consulted when entities process Freedom of Information (FOI) requests for documents that contain Cabinet material (see paragraph 3.39). The policy was amended to address this issue which was raised by the ANAO during the course of the audit. The finalised policy also removed some important requirements that were in the draft policy. For example, the finalised policy does not require a record be made of document searches that were undertaken. As discussed at paragraph 2.59, Treasury had not maintained a record of searches for 73 per cent of requests examined by the ANAO notwithstanding that guidance from the OAIC identifies the importance of this being done (see paragraph 2.57).

Infrastructure

2.18 Infrastructure’s current policy was endorsed by its Chief Counsel on 24 June 2024. This document included improvements²⁰ on the previous document, from May 2022.²¹

2.19 The June 2024 policy is recorded as Version 1.0. It links to: the FOI Act; the Charges Regulations (made under the FOI Act); and the FOI Guidelines. This version of the policy also makes reference to the objects of the FOI Act, and the department’s records management framework including obligations under the Archives Act 1983.

2.20 The department’s FOI team also maintain a range of quick reference guides. They are numbered in a sequence equivalent to the steps of administering an FOI request.

2.21 None of the quick reference guides include any version control, or endorsement dates.

2.22 Not all of the guides have been finalised. For example, some end with ‘to be continued’.

2.23 The oldest of the guides is dated March 2023. There is evidence of updates, with some created or updated in 2024, and one updated in March 2025.

Did entities take reasonable steps to assist applicants to make FOI requests?

2.32 An agency has a duty to take reasonable steps to assist a person to make a request so that it complies with the formal requirements of the FOI Act (subsection 15(3)). The formal requirements include that a request must be in writing (paragraph 15(2)(a)) and must state that it is a request for the purposes of the FOI Act (paragraph 15(2)(aa)). The FOI Guidelines state that this duty applies both when a person wishes to make a request and when they have made a request that does not meet the formal requirements.

2.33 Each of the three audited entities maintain a ‘freedom of information’ webpage on their public facing websites.²² Each of the three audited entities include on their website details on how to contact, via email, the relevant department’s FOI team to make an FOI request. Of the three audited entities, only Treasury has an online form option for submitting FOI requests.

2.37 When submitting a request via email, no template is provided for applicants to ensure the FOI request complies with the formal requirements of an FOI as set out in the FOI Act.

2.38 Two of the audited entities (Treasury and Infrastructure) are not able to report on the number of requests received that do not meet the formal requirements of an FOI request under the FOI Act. While PM&C records all requests, the other two audited entities advised ANAO that they only generate an FOI request number and track receipt of FOI requests deemed ‘valid’ under the FOI Act.²³ Treasury and Infrastructure each cited not being required to report this data to OAIC as a reason for not recording all requests received, although some requests assessed as invalid were recorded in each entity’s case management system.

2.41 The FOI policies of each of the audited entities recognise the requirement to assist applicants make a valid request:

• PM&C’s FOI policy states that ‘If required, assist applicant to make a valid request’;
• The Treasury draft policy states ‘FOI team refines scope with Applicant (if applicable)’; and
• Infrastructure’s policy states that ‘Where an applicant submits and invalid FOI request, the Applicant must be given reasonable assistance to make a valid request.’

2.42 None of the audited entities include in their FOI policies information on what is considered reasonable steps to assist an FOI applicant to make a valid request.

2.43 Further, only two of the three audited entities make reference to ‘administrative release’ of information, as a potential response to an FOI request:

• Treasury’s draft FOI policy states that ‘In certain circumstances, it may be appropriate to respond to an FOI request by providing information or documents outside the FOI Act (i.e. ‘administratively’). However, where this is being considered, it should first be discussed with the [Information Law Unit] before any documents are provided’; and
• Infrastructure’s FOI Policy states that ‘Documents and information should be released informally through administrative access arrangements (i.e. outside the formal FOI process) wherever possible. If documents can be released administratively, this should be discussed with the Applicant and written confirmation of the withdrawal of their FOI request (or relevant part of their request) should be obtained.’

2.44 Not outlining what each entity will do to ensure applicants are reasonably assisted to make valid requests, or how prioritisation of administrative access to records will be supported, and coordinated, is not in keeping with the objects of the FOI Act, and is not pro-disclosure.

High volume of standardised, or templated, requests

2.45 As part of discussions about potential changes to the FOI Act, Parliament has asked questions and heard from departments on FOI request challenges, including volume, scope, repetitiveness and potential use of Artificial Intelligence bots to submit requests.²⁴ In this respect:

• there was no evidence in entity records of automated mechanisms being used to submit requests; and
• there have been FOI requests where the FOI applicant employs a template. ANAO analysis identified 11 such instances within the sampled population. In these instances, the requestor has typically been a Parliamentarian or staff member of a Parliamentarian. These requests have sought greater information on particular programs, often grant programs, with a template used to seek documents for different program participants/grant recipients. More proactive release of information, including through GrantConnect, may assist in reducing the volume of these types of requests.

Submissions from third party freedom of information requesting organisations

2.46 In addition to applicants submitting directly to the entities, entities also receive requests from organisations such as ‘Right to Know’ or ‘Transparency Warrior’. These organisations offer applicants assistance with managing the engagement with the Australian Government entities and applying their understanding of the FOI Act to increase the likelihood that applicant will get a full response. In the case of ‘Right to Know’, the website provides a form to submit, and coordinates between the department and FOI applicant. Of the three audited entities, Treasury and Infrastructure maintain data on the source of the request, including whether a request was sent from the ‘Right to Know’ portal.²⁵ Table 2.2 sets out the frequency and outcomes of FOI requests submitted by third party FOI requesting organisations for requests in the audit population.

Table 2.2: Frequency and outcomes of FOI requests submitted by third party FOI requesting organisations

Note a: PM&C does not separately classify in its case management system if an FOI request is submitted by Right to Know. None of the three audited entities separately identify in their case management systems whether an FOI request is received from Transparency Warrior.

Note: Numbers in this table do not sum as not all requests were resolved through these three decision types during the period.

Source: ANAO analysis of entity records

2.47 In January 2026, the OAIC advised the ANAO that:

There may be a number of motivators for applicants to utilise such services that may not directly correlate with compliance with the FOI Act. Examples include ease of anonymity, support of public interest goals or enabling easy and immediate publication. However, the manner in which the third-party services record-keep and publish correspondence may assist applicants in engaging with agencies generally.

Practical refusal process

2.48 After an application has been determined to be valid under the FOI Act, the department may still refuse an FOI request if a ‘practical reason’ exists (under section 24 of the FOI Act). This decision can only be made following a ‘request consultation process’, as set out in section 24AB of the FOI Act. Two practical refusal reasons exist within the FOI Act:

• a request does not sufficiently identify the requested documents (paragraph 24AA(1)(b)); or
• the work involved in processing the request would substantially and unreasonably divert the resources of the agency from its other operations (subparagraph 24AA(1)(a)(i)).

2.49 The FOI Guidelines support the Act by setting out that, in circumstances where a practical refusal reason exists, the contact persons should take all reasonable steps to assist the applicant to revise the scope of the request so that a practical refusal reason no longer exists (for example, by suggesting what would be a reasonable request in the circumstances). As outlined in Table 2.3, where a practical refusal consultation occurred, information was not provided in response to a request in 59 per cent of cases.

Table 2.3: Practical refusals by audited entities

Note a: FOI applications are able to be ‘deemed withdrawn’ under the FOI Act, where an applicant fails to respond to a practical refusal process within the consultation period (14 days unless agreed otherwise).

Note b: Of these templated requests, 18 were submitted by a single Parliamentarian’s office within the space of three days. PM&C combined the administration of these 18 requests into one practical refusal consultation process. None of the 18 requests were resolved through the provision of information. The applicant later re-requested the same documents under 30 separate FOI requests.

Source: ANAO analysis of entity records.

Had all reasonable steps been taken to find the requested documents?

Refusing requests where documents cannot be found or do not exist

2.50 An agency may refuse a request if it has taken ‘all reasonable steps’ to find the document requested, and is satisfied that the document cannot be found or does not exist (subsection 24A(1)). The FOI Guidelines support the Act by outlining that there are two elements that must be established before an agency or minister can refuse a request for access to a document under subsection 24A:

• the agency or minister must have taken all reasonable steps to find the document; and
• the agency or minister is satisfied that the document cannot be found or does not exist.

2.51 Each of the three audited entities record, to vary levels of detail, decisions to refuse access because they could not locate records (or records did not exist); or if the information was located, and refused for other reasons. Those records reveal that each entity does not maintain accurate records on the extent to which it is making these types of refusal decisions, leading to inaccurate reporting to the OAIC. For example, in relation to requests received or on hand in 2024:

• Infrastructure’s case management system that underpins reporting to the OAIC recorded 24 uses of the section 24 (practically refused) or section 24A (no documents) clauses within the audit sample (12 per cent). ANAO analysis identified 36 notices to applicants citing section 24 or section 24A, a figure 50 per cent higher than that recorded in the case management system.
• Treasury’s case management system that underpins reporting to the OAIC, records 17 uses of section 24A (no documents) and six uses of section 24 (practically refused) within the audit sample (13 per cent). ANAO analysis identified:
  • one additional FOI request where the notification of outcome to the applicant made clear that the application was refused under practical refusal grounds; and
  • one additional FOI request where Treasury did not provide an official decision notice to the applicant, rather they advised the applicant that ‘We think it likely that you are seeking documents that would not be ordinarily held by the Treasury’, and advised the applicant that the matter would be considered ‘closed’ if no response was received. This does not meet the FOI Act requirements of a practical refusal notification, nor a decision notice.
• PM&C’s case management system that underpins reporting to the OAIC, records 40 uses of sections 24 or 24A within the audit sample (19 per cent). ANAO analysis identified
  • 48 notices to applicants citing section 24 or section 24A, (a figure 20 per cent higher than that reported to OAIC) of which nine are not recorded in the case management system as having used either of these clauses²⁶; and
  • of the 40 PM&C report instances of section 24 or section 24A used, ANAO identified 16 instances where records in the record management system did not support the reporting from the case management system. In February 2026, PM&C provided ANAO with records from their FOI group mailbox confirming use of these clauses.

2.52 PM&C advised ANAO in January 2026 that ‘In 2025, we reviewed and updated our monitoring and assurance protocols surrounding quarterly reporting to identify and correct missing entries.’

2.53 There is complexity in how many decisions may be issued against a single FOI request. The audited entities each adopted their own approach, and there were also internal inconsistencies. This has implications for the accuracy of reporting to the OAIC.

Recording the extent of searches undertaken

2.57 The FOI Guidelines state that ‘A record of searches to plan and keep track of the steps taken to search for a document will be useful, particularly when managing complex requests for many documents or in later explaining the search that was undertaken.’²⁷

2.58 To assist entities, the OAIC has published a checklist and search minute which sets out the steps that an agency should follow to locate documents within the scope of an FOI request and the steps taken when searching for documents.²⁸ To varying extents, each of the three audited entities incorporated the OAIC Checklist and Search Minute into their processes and procedures.²⁹

2.59 As illustrated in Figure 2.1, none of the three audited entities maintained sufficient and appropriate records against their own requirements to evidence the reasonableness of the searches undertaken. Infrastructure did not maintain the two records (a checklist and schedule of documents) required of its internal policy in 40 per cent of the sampled requests. For 65 per cent of requests examined in Treasury, the required checklist and record of searches was not maintained on file. In PM&C, a record of searches on the prescribed template was not maintained for 97 per cent of sampled requests.

Figure 2.1: Records maintained by audited entities demonstrating reasonableness of searches undertaken for each FOI request in testing sample

Source: ANAO analysis of entities records for sampled requests.

Had proposed charges been assessed at the lowest reasonable cost?

2.66 Section 29 of the FOI Act provides a discretion for an agency or minister to impose a charge for processing a request or providing access to a document. Imposition of a charge must be assessed at the lowest reasonable cost under the Freedom of Information (Charges) Regulations 2019 (Charges Regulations). The OAIC’s FOI Guidelines, in recognising that imposing a charge can deter members of the public from seeking access to documents and can delay access state that ‘A charge must not be used to unnecessarily delay access or to discourage an applicant from exercising the right of access conferred by the FOI Act.’

2.67 According to OAIC data, Commonwealth agencies collected $73,067 and $65,181 in charges from applicants respectively in 2023–24 and 2024–25. This represented 0.08 per cent and 0.07 per cent of the estimated whole of government cost of administering the FOI Act. The average cost of administering an FOI request was $2,485 and $2,255 in 2023–24 and 2024–25 respectively.

2.68 In 2024, the OAIC finalised 261 reviews of FOI decisions, of which five related to charges.³⁰ The OAIC did not uphold a single charge appealed. Rather, agency decisions were consistently set aside with the Information Commissioner referencing a previous decision explaining that:

a charge should not be imposed in circumstances where the cost of assessing, imposing and collecting a charge is likely to be greater than the charge itself. In those circumstances, imposing a charge will generally only serve to delay or discourage access while incurring a net cost to the Commonwealth.

2.69 The total value of the charges considered in these five decisions was $2,355. None of these five decisions were for charges notified by any of the three audited entities.

2.70 Of the three entities audited PM&C did not impose any charges for matters on hand in 2024.

2.71 The discretion to notify and collect charges was used on a small number of occasions in 2024 by Treasury and Infrastructure (see Figure 2.2).

• Treasury: Of the 291 FOI applications received or on hand in 2024, Treasury notified 30 applicants of charges, totalling $11,413. Of the 30 applications notified of charges, 16 were subsequently withdrawn, 12 of which were considered withdrawn by Treasury when the applicant failed to respond to the charges notification. The OAIC Guidelines recognise that there is a risk imposing a charge may have a deterrent effect.³¹
• Infrastructure: Of the 398 FOI applications received or on hand in 2024 for Infrastructure, one FOI applicant (for two FOI applications) was notified of charges. In May 2025, Infrastructure advised the ANAO that it frequently received FOI requests from this applicant who it considered to ‘meet the normally understood definition of “vexatious”’ but that it considered a vexatious applicant declaration ‘draconian’ and ‘not the preferable course of action’.³² This applicant submitted 25 FOI requests during 2024.³³ ANAO analysis is that there were at least a further five applicants each submitting more than 12 FOI requests during the same period, for which Infrastructure did not notify of charges, or consider the applicants potentially vexatious. Neither of the two charges were subsequently collected by Infrastructure. One application was withdrawn, the other was granted in part. Infrastructure’s approach was not consistent with the FOI Guidelines (see paragraph 2.66) which state that ‘A charge must not be used to unnecessarily delay access or to discourage an applicant from exercising the right of access conferred by the FOI Act.’ In January 2026, Infrastructure advised the ANAO that:

the comment that a vexatious applicant declaration being ‘draconian’ was intended to reflect the department’s reluctance to utilise that process due to the serious consequences of doing so for the applicant (that is, inability to make further FOI applications).³⁴

Figure 2.2: Value of charges notified and collected according to outcome of request

Source: ANAO analysis of entity records

2.72 None of the three audited entities have systematically tracked costs for each FOI application received. The FOI Charges Regulations requires charges to be assessed at the lowest reasonable cost, and the FOI Guidelines provide a range of principles relevant to charges, including that charges ‘should be justified on a case by case basis’. In the case management systems of each of the audited entities, costs are not calculated for each application, nor are there time or effort records for each application. Where charges have been reviewed by the OAIC, charges have rarely been considered justified, as demonstrated by the OAIC’s 100 per cent set aside rate in 2024 of decisions by departments to apply charges to applicants.

Were disclosed documents provided to the applicant and published?

2.73 Where a decision has been made to give an applicant access to a requested document, that access should be given as soon as practicable, but only after:

• any charges the applicant is liable to pay are paid (paragraph 11A(1)(b) and regulation 11, Charges Regulations), and
• all opportunities a third party may have to seek review of the decision have run out, and the decision still stands or is confirmed (subsections 26A(4), 27(7) and 27A(6)).

2.74 As illustrated in Figure 2.3, in the majority of cases the three audited entities made a decision to provide partial access (including those incorrectly reported to OAIC as released in full), or refuse access.

Figure 2.3: Decision outcomes for sample of FOI requests received or on hand in 2024

Source: ANAO analysis of entity records.

2.75 As outlined in Table 2.4, the three audited entities made a decision to provide full access to documents identified for seven per cent of FOI requests. Access to documents was restricted or refused in 73 per cent of requests. In the 41 per cent of FOI requests where partial access was granted to the request documents, access was not partially granted to all the identified documents, rather 14 per cent of identified documents were refused in full, with other documents for the same FOI request released in part or in full.

Providing applicants with access to released documents

2.76 The FOI Guidelines, Part 3, describe how a document is to be provided to an applicant. This includes: providing information stored in electronic form as a written document; in the particular form requested by the applicant; and the expectation ‘to make reasonable use of available technology to facilitate access to documents … Access to documents by means that do not require physical inspection in an agency office should generally be preferred’.

2.77 Entity policies and procedures, where they were in place, provide limited instruction as to how documents are to be released to applicants. Across the three audited entities, a decision to release information to an FOI applicant was made for 43 per cent of applications examined by the ANAO. As illustrated by Table 2.5, the most common means of releasing information was via email attachment. It was less common for entities to release documents via links to publicly available information being provided to the applicant (10 requests in Treasury) or using a secure file transfer online facility (two requests in Infrastructure).

Table 2.5: Release of documents by audited entities

Source: ANAO analysis of departmental records.

Providing public access to released documents

2.78 Agencies and ministers must publish the released information to members of the public generally on a website, subject to certain exceptions (section 11C). This publication is known as a ‘disclosure log’. The FOI Act requires that the disclosure log reporting occur within 10 working days of the applicant being given access to the document. The FOI Commissioner has identified disclosure logs as an ‘effective strategy for agencies to reduce the likelihood of receiving multiple FOI requests for the same information’, thereby reducing the FOI impact on agencies.³⁵

2.79 Each of the three audited entities maintain a website as their disclosure log.³⁶ The PM&C and Treasury websites are more useable and searchable than Infrastructure’s. PM&C and Treasury each provide a single website with a searchable data base, while Infrastructure provide a list of recent disclosures, and links to previous lists of disclosures. None of the audited entities provided a single downloadable list which could be used by applicants to filter and search before submitting requests, potentially reducing repeat requests.

2.83 The FOI Guidelines recommend that to ‘provide transparency in relation to the time of publication and [an entity’s] compliance’ with the disclosure log requirements that ‘both the date the FOI applicant was given access to the documents and the date the documents were published is listed on the disclosure log.’

2.84 Of the three audited entities, PM&C’s disclosure log included the two dates that the OAIC’s FOI Guidelines recommended. Infrastructure and Treasury each provides the date that the FOI applicant was given access to the documents (referred to as ‘disclosure date’ by Infrastructure in its log and ‘release date’ by Treasury in its log).

2.85 From examination of a sample of requests, it was evident that the dates provided by Treasury and Infrastructure in their logs are accurate. This was not consistently the case for PM&C.

2.86 As illustrated by Table 2.6, the disclosure logs of the three audited entities are not complete (eight per cent of required disclosures had not been made). Publication was also not timely, with 26 per cent of disclosures (where records were available) outside the 10 day timeframe specified in the FOI Act. PM&C’s disclosures were the least complete, with that department and Infrastructure exhibiting the highest non-compliance with the timeframe requirement. When PM&C did not meet the timeframe requirement, the delays were significant with disclosures on average 53 days late.

Table 2.6: Disclosure log uploading by audited entities

Note a: This figure is impacted by deficiencies in PM&C record keeping. This figure does not include 12 requests for which there is no record of a decision outcome to release information, yet information has been included on the disclosure log.

Note b: This figure is impacted by deficiencies in Treasury’s record keeping. This figure does not include one request for which there is no record of a decision outcome to release information, yet information has been included on the disclosure log. Further, for 54 the 68 disclosed requests, Treasury maintained records of an internal email approving the release of documents on the disclosure log. For 35 (65 per cent) of those with internal approvals, the instructions provided to the Information Technology team requested that the release not occur until after or near close of business (see paragraphs 2.12, 2.95 and 3.23).

Note c: Treasury’s disclosure log does not reflect when a disclosure on the log has been updated. In two instances the ‘release date’ reported on the disclosure log does not accurately reflect that the disclosure was made in two parts. For one FOI request, a review decision by the OAIC decided more information be released, yet the release date is for the initial release only, with no annotation that an update had been made to the record; and for a second FOI request, a part of the disclosure was initially withheld to allow for third party review rights with the OAIC. This review right was not enacted and the remaining document loaded to the disclosure log. Only the secondary release date is included on the disclosure log.

Note d: Determining timeliness of upload for this cohort is impacted by deficiencies in Infrastructure’s record keeping. This figure includes 10 requests for which there is no record confirming when information was uploaded to Infrastructure’s disclosure log.

Note e: Infrastructure’s disclosure log does not reflect whether or when a disclosure on the log has been updated, recording only the notification date to applicant. There were seven FOI requests where information was released in two parts, as a result of third-party review rights, and led to revised decisions to provide increased access to information by the department. There is no record for any of these seven requests that the disclosure log was updated to reflect the additional provision of information.

Note: Figures for compliance with the 10-day timeframe relate to those requests where records were available.

Source: ANAO analysis of departmental records.

2.87 The FOI Guidelines state that ‘agencies and minister should seek to make all documents released in response to an FOI request available for download from the disclosure log or another website … This approach is consistent with the objects of the FOI Act.’ Consistent with this, where a record is included on the disclosure log (92 per cent of sampled records), all three audited entities included downloadable records as released to the applicant for each of the FOI requests.

Were statutory timeframes met?

2.95 The FOI Act (Part 2 subsection 15(5)) involves two key timeframes:

• notification of receipt of request: all reasonable steps are to be taken to provide notification as soon as practical but in any case not later than 14 days after the day on which the request was received; and
• notification of decision: all reasonable steps are to be taken to provide notification of a decision as soon as practical but in any case not later than 30 days after the request was received, pending any allowable extensions.

2.96 In its administration of FOI requests, it was evident that Infrastructure was interpreting the decision-making timeframe as being 30 days rather than, as set out in the FOI Act, ‘as soon as practicable’ but in any case not later than 30 days. For example, in January 2026, the department advised the ANAO that the requirement for decision notification involved an ‘initial 30-day processing timeframe’ (see Table 2.7 and Figure 2.6 for statistics on timeliness of responses).

Notification of receipt

2.97 The audited entities had different approaches to recording in their case management systems the date requests are received.

• The case management system used by Infrastructure does not have a specific field to record the date an acknowledgement of the FOI request is made to an applicant. In January 2026, Infrastructure advised the ANAO that it records the dispatch of the formal acknowledgement in its case management system as a file note. The department’s approach makes monitoring of compliance with the statutory timeframe more difficult.³⁷
• Receipt dates recorded by PM&C in their case management systems was not always accurate. Underlying records for a sample of requests identified accurate records of the receipt date for 89 per cent of PM&C requests sampled.
• The ANAO was able to confirm the receipt dates in the Treasury case management system for all sampled requests.

2.98 Each of the entities on occasion failed to meet the statutory timeframe of ‘as soon as practicable but in any case not later than 14 days’ (see Figure 2.4).

• In Infrastructure, ANAO examination of 197 requests received or on hand in 2024 identified that 12 requests (six per cent) were acknowledged later than the statutory period, an average of 18 days overdue.
• A key shortcoming in PM&C was the high proportion of requests where no acknowledgment to the applicant was maintained on file by the department. This affected 123 of the 210 requests sampled by the ANAO (59 per cent).³⁸ Of the remaining 87 sampled requests, ten (11 per cent) were later than 14 days, averaging 17 days overdue.
• Missing records was also a shortcoming within Treasury, with no acknowledgment on file for eight per cent of the 169 Treasury requests sampled by the ANAO. Of those where an acknowledgment was on file, there were nine of 153 (six per cent) acknowledged outside of the statutory period, averaging 11 days overdue.

Figure 2.4: Timeliness of acknowledging FOI request

Note: Where a request was received prior to 1 January 2024, the ANAO has included this within the 31 December 2023 date to support readability of receipt of requests across the 2024 year.

Source: ANAO analysis of entity records

Notification of decision on the request

2.99 None of the case management systems used by the three audited entities clearly record whether: extensions have been sought or provided; or revised due dates where there has been an extension. As outlined in Table 2.7, analysis of each entity’s case management system indicates that there are a significant number of FOI requests processed later than 30 days. Being processed later than 30 days does not mean that statutory timeframes have not been met, due to the frequency with which entities employ statutory provisions to extend the timeframe for decision.

Table 2.7: Timeliness of acknowledgements and responses to FOI requests

Source: ANAO analysis for entity records.

2.100 The FOI Act allows for extensions to the ‘not later than’ 30 day decision notification period for up to 30 days when: agreed with the applicant; when the department determines that third party consultations are required on the information potentially to be released; and on approval from the Information Commissioner where a request is considered ‘complex or voluminous’ (see further in Table 2.8). There are also provisions within the FOI Act that ‘stop the clock’ on the statutory period, including: the practical refusal process, where the statutory period is recommenced when an agreement is reached between applicant and department on a revised scope; and when charges are notified to the applicant, the clock is ‘stopped’ until at least a deposit is paid. Where the department failed to provide a response within the statutory period, or where all extensions have elapsed and the department knows it will be unable to deliver a response in the statutory period, the department may seek approval for an extension to remediate a ‘deemed refusal’ and be given a revised time period, determined by the Information Commissioner, in which to deliver the response.

Table 2.8: Extensions used by departments within FOI requests sampled for audit testing

Note a: This includes one request where Infrastructure received two extensions to enable ‘courtesy’ consultations with PM&C’s Cabinet Division (see paragraphs 3.34 to 3.42).

Note b: Not included in this figure is one instance where Treasury extended the due date of a request by 30 days after an applicant altered the scope of the request. When ANAO queried this, Treasury advised that it chose to calculate ‘processing time from the date of the supervening event (the changed request) that fundamentally changed the request, but for which the FOI Act made no provision’, citing a 2013 Information Commissioner review as precedent. This is not an extension type available under the Act.

Note: This table does not include extensions where the department sought to apply an extension and the extension was not agreed to or was declined.

Source: ANAO analysis of entity records.

2.101 Figure 2.5 shows that the three audited entities are not always maintaining adequate records to demonstrate compliance with statutory timeframes for processing FOI applications.

Figure 2.5: Existence of records of FOI request processing from receipt date to outcome notice

Source: ANAO analysis of entity records.

2.102 Figure 2.6 shows that the frequent use by the audited entities of extensions and clock stops mean that the statutory processing timeframe for FOI applications is often more than 30 days.

• Of the 488 FOI applications cross the three audited entities where the records enabled the ANAO to analyse the time taken to make a decision, 346 (71 per cent) were assessed as meeting the statutory timeframes. A significant proportion of those 346 applications (217 or 63 per cent) had a processing time of more than 30 days.
• The average response time from receipt of FOI request to outcome notice was 57 days (where records were maintained). PM&C response times were, on average, significantly longer (82 days compared with 48 days for Treasury and 48 days for Infrastructure). Response times ranged from one day to 583 days.

2.103 After allowing for extensions, and excluding those requests where the audited entity had not maintained adequate records to demonstrate compliance with statutory timeframes, there remained a number of instances in each entity where the decision-making was in breach of the statutory timeframes.³⁹ This was the case for 142 of 488 (29 per cent) sampled requests across the three audited entities, comprising:

• 64 of the 137 (47 per cent) sampled requests where records existed in PM&C;
• 61 of the 156 (39 per cent) sampled requests where records existed in Treasury; and
• 17 of the 197 (nine per cent) sampled requests in Infrastructure.

Figure 2.6: Timeliness of FOI request processing from receipt date to outcome notice

Note a: This marker represents three FOI requests, two of which are overdue taking 496 and 553 days to process; and one within statutory timeframe, that took 583 days to process. These were all restricted to 400 days for readability of the chart, and all were received prior to 1 January 2024. Three further FOI requests, not included in this chart, had no initial decision record on file, only review decisions. These review decisions were made 601 to 1335 days after receipt of the request.

Note: Where a green mark is recorded above the not later than 30 day line, there is evidence to support the extension of the statutory period in line with the FOI Act (see Table 2.8).

Note: Where a red mark is recorded, there is evidence to support that the request was either overdue, or that the request was not decided ‘as soon as practicable’, as required by the FOI Act (see paragraphs 2.12, 2.95 and 3.23)

Note: For readability, this chart has been restricted to a maximum of 400 days on the y-axis.

Source: ANAO analysis of entity records

Consequence of failure to meet the statutory deadline

2.104 Where no decision is provided within the statutory period this is considered a ‘deemed refusal’ (subsection 15AC(3)).

2.105 The FOI Act allows an agency to seek an extension from the Information Commissioner where a request has a deemed refusal. None of the three audit entities record in their case management systems where such deemed refusals have occurred.

2.106 The FOI Act (subsection 15AC(17)), states that a deemed refusal ‘does not apply, and is taken never to have applied’ if, when an extension of this type is granted by the Information Commissioner, the department then issues a decision within the revised time, and complies with any other conditions imposed by the Information Commissioner. In this way, the recordkeeping in the case management systems not identifying that a deemed refusal has occurred, and a specific approval is required from the Information Commissioner, does not accurately reflect the status, and actions against an FOI request.⁴⁰

2.107 There were also inconsistent practices evident in the handling of statutory timeframes where the statutory timeframe is not met. Of note:

• In Infrastructure the ANAO identified two instances in the sampled population where the department requested applicants withdraw and resubmit requests. This has the effect of impacting OAIC reporting, by making the initial request be reported as withdrawn and/or completed within the statutory timeframe. This also has the effect of restarting all process and timeframes, essentially providing a further 30 day statutory timeframe, and reopening all allowable extension clauses.
• PM&C adopted a different approach, advising applicants that ‘Where a decision is not made within time, the Department follows the Guidelines issued by the Information Commissioner … Accordingly, we will process your request as quickly as possible and we will update you once we have a firm indication of when a decision is likely to be issued.’ In January 2026 PM&C advised the ANAO that ‘PM&C follows the [FOI] Guidelines and continues to process [an FOI request] until a decision is issued.’

3.1 The FOI Guidelines outline that:

The public expects agencies and ministers to act fairly, transparently and consistently in their administrative decision making and to be accountable for the decisions they make. The quality of decisions under the FOI Act is particularly important given the integral role freedom of information requests can have in securing open government.

Decisions made under the FOI Act must be consistent both with the requirements of the Act and with general principles of good decision making. Those general principles are explained in five best practice guides published by the Administrative Review Council (ARC).

Were decision-makers appropriately informed?

3.2 There are various decisions to be made when processing an FOI request. In line with subsection 23(1) of the FOI Act⁴¹, the Secretary of each agency has delegated officials in the entity to make decisions and undertake actions required under the FOI Act.

3.3 In Infrastructure and Treasury, the officials that have been delegated to make FOI access decisions are Senior Executive Service (SES) officers. In PM&C, the delegated officials are SES officers as well as Senior Advisers, Legal Policy Branch in the Government Division of the department. While none of the delegation instruments require that the SES officer be from the relevant subject matter area to make a decision on the FOI request, each entity has established this expectation through their respective policies and practices.

3.6 Each entity, upon receipt of an FOI request, identifies the relevant SES officer in the relevant subject matter area, and seeks confirmation that the identified SES officer will assume the role as decision-maker. Once confirmed, each FOI Team requests the decision-maker to appoint an action officer. The action officers selected by the decision-maker is typically an executive level officer already working to the decision-maker. It is the role of the action officer to work with the agency’s FOI team to complete the FOI searches, provide the FOI team with advice and recommendation on potential sensitivities, redactions, or exemptions to FOI material, and provide input to the FOI team on the draft decision presented to the decision-maker. The FOI team within each of the audited entities are not privy to all engagements between the action officer and the decision-maker. Across the sample of FOI requests tested by ANAO, it was usual practice in all three audited entities for the action officer to operate as a conduit between the decision-maker and the FOI team, including forwarding formal execution of decisions and sign offs for processes stages from the decision-maker to the FOI team. No records of meetings between the FOI officer, action officer and decision-maker were maintained for any of the tested FOI requests.

3.7 Decision-makers are required to make decisions on: application of exemptions and redactions; need for third party consultations; and access. In the sample tested by ANAO for each of the three entities, it was uncommon for the FOI team to have a record of anything more than a decision notice (or a draft decision notice) being agreed to by the decision-maker. These decision notices (as issued to applicants) are templated, and where exemptions or redactions have been applied to information, the templated record of how a decision was arrived at are included. There were few instances of any record of a decision-maker being separately informed of, or participating in, decisions regarding exemptions, redactions or third-party consultation. Where records did exist regarding this part of the process, this was most frequently between the action officer and the FOI officer.

3.8 The policies of the three audited entities vary on requirements of decision-making artefacts. The common feature was that each required: the FOI team to provide a draft decision to the decision-maker for approval; the decision-maker to approve or amend a draft decision; and the decision-maker’s e-signature to be affixed to a decision notice.

3.9 PM&C has a multi-stage approval process. This process first requires that upon the decision-maker agreeing to the draft decision this decision be circulated to ‘senior officers and the PMO [Prime Minister’s Office]’ (see paragraphs 3.23 to 3.33).⁴² Once circulated, this is then required to be ‘noted’ by the senior executive officer responsible for the FOI team.⁴³ Once ‘noting’ is received, the FOI team then affix the decision-maker’s electronic signature to the decision notice and issuing the decision notice to the applicant. This process usually takes one to two days.

3.10 Treasury’s policy only requires the FOI team to provide a draft decision to the decision-maker. ANAO analysis of a sample of FOI requests did not locate evidence of any additional briefings to the decision-maker, no other evidentiary requirements, or information consultation or noting with other senior officers or with the Minister through his office.

3.11 Infrastructure’s FOI policy:

• addresses the department’s practice of informing senior officers and the Minister through her office of the receipt of ‘sensitive issue’⁴⁴ FOI requests prior to any consideration of the request. This tailoring of approach after consideration of the applicant’s identify is in contrast to the OAIC’s advice to ANAO in January 2026 that, in the context of the FOI requests from third party freedom of information requesting organisations (see paragraph 2.46), ‘the identity of the requester or the platform of request should not be considered by entities when processing FOI requests (unless it is relevant to an access decision — such as for personal information)’;
• requires the decision-maker review the ‘Decision Pack’ prepared by the FOI team and to complete a ‘Decision Maker checklist’ to be returned to the FOI team once a decision is finalised. This checklist requires the decision-maker’s confirmation and sign off that:
  • ‘all reasonable searches have been undertaken’;
  • where documents have been identified the list is complete (that the ‘Schedule of Documents … are all the documents relevant to the request’);
  • the decision is the decision-maker’s own and was arrived at ‘in an independent manner and in accordance with the FOI Act’; and
  • the decision has ‘taken into account all relevant information … has regard to the objects of the FOI Act and OAIC’s FOI Guidelines [and] considered any legal advice provided by Legal Services’.
  • These checklists are rarely completed.
• addresses the department’s practice of advising the same senior officers and ministers though their office of the decision at least two days prior the applicant being notified (see paragraphs 3.23 to 3.33).⁴⁵

3.16 The FOI Guidelines outline principles of good decision-making under the FOI Act, including: lawfulness; procedural fairness; the importance of decisions being based on facts and evidence; and the giving of reasons to applicants.

3.17 The ANAO examined a sample of FOI requests on hand in 2024. As illustrated by Table 3.1, entity records did not demonstrate that decisions are being adequately informed.

Table 3.1: Records of advice to and decision made by the decision-maker

Note a: Not all FOI requests are expected to have an associated decision pack and/or decision notice. The ANAO has determined this population based on a review of individual FOIs sampled for each of the three entities. Each of the three entities operate slightly differently and depending on the timing of events for an FOI request a decision pack may or may not be expected. Examples include when the FOI request has been: withdrawn by the applicant; deemed withdrawn after an applicant failed to respond to a practical refusal notice or charges notification; transferred to another agency; or deemed refused when no decision notice has been issued within the statutory time period.

Note b: The PM&C FOI team has a process of decision approval where, after the draft decision is agreed by the decision-maker, the senior executive officer of the FOI team ‘notes’ the decision prior to broader circulation to other senior executive officers and the Prime Minister through their office. After this circulation, the decision-maker is advised that noting and circulation has occurred, with no issues raised, and the decision-maker is asked for approval to affix their e-signature to the decision. A further four requests only have the post-noting agreement from the decision-maker recorded.

Source: ANAO analysis of entity records.

Consultations made outside the FOI Act

3.23 The FOI Act sets out requirements, and associated extensions to the statutory decision-making timeframe, to respond to requests where the request relates to information requiring consultation with third parties. These parties, and their connection with the information under request, is established within the FOI Act as:

• paragraph 15(7)(a): foreign governments, authority of a foreign government, and/or an international organisation;
• section 26A: State and Territory governments as it relates to documents affecting Commonwealth-State relations;
• section 27: a person, organisation or proprietor of an undertaking as it relates to business documents of the person, organisation or undertaking; and
• section 27A: a person or their legal representative as it relates to documents affecting personal privacy.

3.24 Where third party consultation occurs it remains the case that decisions under the FOI Act must remain the independent judgement of the delegate.

3.25 The FOI Act does not accommodate for or require any other consultations.

3.26 The FOI requests examined as part of the audit included two particular types of consultations that are not specifically addressed by the FOI Act and where records did not clearly demonstrate that the decisions had remained the independent judgment of the delegate. These relate to consultations by entities with their minister (through the minister’s office), and consultation with PM&C in relation to Cabinet material. Additional ‘courtesy’ consultations also bring a risk of increasing the time taken to make a decision on FOI requests, noting that the Act requires those decisions be made as soon as practicable.

Consultation with ministers through their offices

3.27 The FOI Guidelines identify it to be ‘good practice to consult other relevant agencies’ particularly when ‘the agency does not intend to disclose the document’ as through the consultation process the ‘decision-maker may discover that another agency has already disclosed the document in response to an FOI request, or made it publicly available.’ That is, the focus of such consultations is to be reflective of a pro-disclosure approach to FOI requests. The Guidelines also note that consultation with other relevant agencies may assist an agency in managing requests ‘where an FOI applicant has requested access to the same or similar documents from several agencies’.

3.28 Neither the FOI Act, nor the FOI Guidelines, address ‘courtesy consultations’ with ministers through their offices on FOI requests. Notwithstanding this, each of the three audited entities has undertaken such consultations with their respective Ministers through their offices on FOI requests focussed on departmental matters. ANAO identified 129 such consultations by the three audited entities (see Table 3.2).

Table 3.2: Records of courtesy consultations with Ministers (through their offices)

Note: An imminent release notice is advice to internal stakeholders, including media teams and the minister through their office, advising that a decision is to be provided the following day to an FOI applicant, and where applicable records released to the public disclosure log. This notice is not required by the FOI Act or the FOI Guidelines. The APSC’s guidance to the APS on working with ministers advises the APS to provide advice to ministers on policy and brief ministers on policy implementation challenges, which does not extend to FOI Act decision-making within agencies.

Source: ANAO analysis of entity records.

3.29 Infrastructure’s internal FOI policy advises staff that ‘informal inter-agency consultation’ ‘can include Minister’s offices (including Ministers within and outside the Department’s portfolio)’ and that this informal consultation be on a document originating with or relating to the ‘functions of another Commonwealth agency or Minister, that other agency or Minister should be consulted about the potential release of the documents.’⁴⁶ In each of the 78 instances where ANAO identified that Infrastructure undertook consultation with its Minister through their offices (see Table 3.2), the documents originated with the department, not within the Minister’s office. Where there was a record of the response from the Minister through her office, the response either advised no concerns, queried whether this type of information had been provided before, or recommended further redactions. In January 2026, Infrastructure advised the ANAO that ‘A document relating to the functions of the Minister’s Office does not have to be a document which originated with the Minister’s office’.

3.30 PM&C’s internal policy states that the subject matter area will ‘consult internal stakeholders’. It provides no guidance on how to determine stakeholders and whether this would include ministers. In January 2026, PM&C advised the ANAO that ‘a minister as well as agencies or external third parties’ are intended to be included under the consultation with ‘external parties’, and that ‘PM&C consult with a minister or agency when the requested document (or material in that document) was created by or originated from that minister or agency’. According to PM&C’s internal policy, the Prime Minister’s office is to be notified of the FOI decision, one day before release to the applicant.

3.31 ANAO identified 42 instances where PM&C consulted its Minister (through their office):

• in 28 of the instances the consultation was to ‘notify’ the office of the receipt of the request, providing a copy of the request only;
• in the remaining 14 cases advice was sought. Of those 14 cases, four document packs included at least one letter originating from the Minister’s office; and
• the ANAO identified 62 requests where the Minister’s office was notified of an outcome, including 22 of the requests for which a courtesy consultation with the Minister’s office had also made been.

3.32 Treasury’s draft policy includes ‘courtesy consultation’, being consultations with relevant Commonwealth agencies. No mention is made of the minister or their office. There were five instances where ANAO identified that Treasury consulted its Minister through their office (see Table 3.2). In each instance, the documents originated with the department itself. There was no record of the Treasurer’s office responding to any consultation.

3.33 There was a lack of records in all three audited entities to be able to determine whether advice or feedback led to a change in decision by the decision-maker.

Consultation with Cabinet Division of PM&C

3.34 As set out in Table 3.5, the exemption provided by section 34 relating to Cabinet documents, was the most common exemption in Division 2 of the FOI Act relied upon by the three audited entities. Section 34 provides that the Cabinet documents exemption applies to:

• documents that: have been submitted to Cabinet; are or were proposed by a minister to be submitted to Cabinet; were proposed to be submitted but were not submitted to Cabinet and were brought into existence for the dominant purpose of submission for the consideration of Cabinet;
• official records of the Cabinet;
• documents prepared for the dominant purpose of briefing a minister on a Cabinet submission; and
• drafts of a Cabinet submission, official records of the Cabinet or a briefing prepared for a minister on a Cabinet submission.

3.35 In October 2020, PM&C issued a Cabinet Circular (Number 4) to all departments and agencies placing a responsibility on ‘all agencies to consult with [PM&C] when processing Freedom of Information (FOI) requests for documents that contain Cabinet material.’ There is no requirement in the FOI Act for this to occur, and it is also not addressed in the FOI Guidelines issued by OAIC.

3.36 PM&C advised all departments and agencies that each agency is ‘responsible in the first instances for identifying Cabinet-related material failing within scope of an FOI request, including identifying all possible relevant Cabinet reference numbers or titles.’ This is largely consistent with the FOI Act, where agencies may then consider whether the information amounts to Cabinet documents, and could be considered to be exempt from disclosure under section 34.

3.37 The PM&C circular requests all agencies to ‘Please ensure your agency does not make any FOI decisions relating to access or release of Cabinet-related documents until and unless consultation has occurred with, and advice has been received from, PM&C.’ As a consultation with PM&C does not meet the third party consultation definition, there is no additional time provided to an entity under the FOI Act when responding to FOI requests for compliance with the PM&C direction (see paragraph 3.23). In one case, PM&C took 59 days to provide an incomplete response to a consultation request from Treasury.

3.38 PM&C also provided agencies with a ‘Quick Reference Guide’ outlining how this consultation was to occur.

3.39 PM&C has relied on paragraph 5.57 of the FOI Guidelines issued by the OAIC, stating that ‘agencies should refer to the Cabinet Handbook [Edition 13] issued by DPMC for guidance about Cabinet processes and underlying principles of the Cabinet system’, and paragraph 140 of that Cabinet Handbook advising requests for access to Cabinet documents under the FOI Act ‘must be handled in consultation with the Freedom of Information Coordinator of PM&C.’ This requirement was removed in the August 2024 update (Edition 15) of the Cabinet Handbook. As illustrated in Table 3.3, consultation with PM&C continued after edition 15 of the Cabinet Handbook was released in August 2024. In January 2026, PM&C advised the ANAO that:

while the current Cabinet Handbook does not reflect a request to consult on FOI decisions, footnote 52 to para 5.67 [of the OAIC’s FOI Guidelines] does retain PM&C’s request that agencies consult us on Cabinet related material identified as part of an FOI request. I would observe the removal of this reference from the Cabinet Handbook (which I note is issued under the authority of the Prime Minister, not the department, as per ie the Caretaker guidelines) should not be read to mean we no longer wish to be consulted. We welcome the continued consultation which has occurred since 2024 and we emphasise this in our engagement with departments.

Table 3.3: Consultations with PM&C Cabinet Division on FOI requests

Note a: Of the 16 FOI requests for which the Cabinet document exemption under section 34 of the FOI Act was applied, there was no record of consultation with PM&C Cabinet Division on two of the FOI requests. Of the nine consultations with PM&C, for two requests the use of section 34 was not supported, and not used. For one request, there was no response within the statutory period, and the request was deemed refused and, for two requests, there was no record of a decision notice.

Note b: This number is greater than the number of FOI requests to which a section 34 exemption was applied for two reasons: firstly, PM&C did not support the use of section 34 exemption for seven of the FOI requests, instead suggesting section 47C be applied; and secondly, four were deemed withdrawn after the applicant did not respond to a charges notification, and a further two were recorded as withdrawn in the case management system, with no records available to confirm how the withdrawal was arrived at.

Note c: This number is greater than the number of FOI requests for which a section 34 exemption was applied as seven of the FOI requests consulted on were not supported to use a section 34 exemption. There is also no record of consultation with PM&C on two of the FOI requests against which a section 34 exemption was applied.

Source: ANAO analysis of entity records.

3.40 In January 2026, the OAIC advised the ANAO that:

The OAIC notes that the FOI Guidelines at paragraphs 3.82 and 3.83⁴⁷ currently capture information relating to informal consultations. The OAIC undertakes to reviewing the Guidelines to ensure it is clear that the decision must ultimately be the independent judgement of the delegate.

It is concerning that record-keeping practices around these courtesy consultations are inadequate and inconsistent, clarification in the Guidelines may assist in ensuring records are maintained.

Was decision-making on exempt documents pro-disclosure?

3.43 Where an FOI request has been made and any required charges have been paid, an agency must give access to a document unless at that time of its decision it is an ‘exempt document’. Documents may be exempted under with Division 2 (see paragraph 3.46) or Division 3 (see paragraph 3.50) of the FOI Act. Where the decision-maker has decided to apply an exemption to an FOI document, they may choose to:

• exempt the whole document; or
• apply a redaction (as allowed under paragraph 22(1)(b) of the FOI Act) to the document where exempt information is and allow the release of the remaining information in the document.⁴⁸

3.44 The FOI Act provides the decision-maker with discretion to release a document, even where an exemption may apply.

3.45 None of the three audited entities record decisions on the application of exemptions separate to the decision-maker’s approval of the draft decision notice. This is reflected Table 3.4, where only 15 per cent of FOI requests examined during the audit included records evidencing the decision-maker’s consideration of exemptions and redactions, separate to signing the final decision notice. Records of considerations to apply some of the exemptions or redactions for individual FOI requests were able to be identified elsewhere for a further 50 per cent of applications examined. For 17 per cent of applications examined, there was no record of the consideration of exemptions or redactions.

Table 3.4: Records of decisions on exemptions and redactions

Note a: Given none of the three entities record where a decision was made not to apply an exemption or redaction, it was not possible for ANAO to examine decisions not to apply exemptions or redactions. As such, this population is determined based on a record or the case management system noting an exemption was applied.

Source: ANAO analysis of entity records.

Documents exempt under Division 2

3.46 If a document is exempt under Division 2 of Part IV of the FOI Act, an agency is not required to give access to a document. This is discretionary, and the decision-maker may decide to disclose the information.

3.47 Exemptions specified in Division 2 include documents:

• affecting national security, defence or international relations (section 33);
• affecting Cabinet documents (section 34) ⁴⁹;
• affecting enforcement of law and protection of public safety (section 37);
• to which secrecy provisions of enactments apply (section 38);
• subject to legal professional privilege (section 42);
• containing material obtained in confidence (section 45);
• Parliamentary Budget Office documents (section 45A);
• of which the disclosure would be contempt of Parliament or contempt of court (section 46);
• disclosing trade secrets or commercially valuable information (section 47); and
• being Electoral rolls and related documents (section 47A).

3.48 The FOI Act sets out individual definitions for each of these exemptions, including for some exemptions ‘general rules’ and also ‘exceptions’ to these exemptions. As illustrated by Table 3.5, where an exemption or redaction decision had been made, this was most often due to the requested items being Cabinet documents (see paragraph 3.34).

3.49 Entity records did not include consideration of the merit or otherwise of exercising the discretion to not apply these exemptions. Where a decision was to be made to apply an exemption, the decision was either to apply the proposed exemptions, or apply an alternative exemption clause. The decision notices, provided to applicants, explain why an exemption was applied. Where there were entity records other than the decision notice (15 per cent of requests, see Table 3.4) these largely amount to the decision-maker agreeing to exemptions drafted by the FOI team in response to the Action Officer raising sensitivities. There were no records of advice, deliberations and decisions not to apply an exemption in favour of increased disclosure. Reviews on the decisions, including applications of exemptions were undertaken through internal review, Information Commissioner reviews and Administrative Review Tribunal reviews, see Table 3.11 and paragraphs 3.78 to 3.82).

Documents conditionally exempt under Division 3

3.50 Division 3 of Part IV of the FOI Act establishes eight conditional exemptions, including where information related to:

• Commonwealth-State relations (section 47B);
• deliberate processes (section 47C);
• financial or property interests of the Commonwealth (section 47D);
• ‘certain operations of agencies’ (section 47E);
• ‘personal privacy’ (section 47F);
• ‘business’ (section 47G);
• ‘research’ (section 47H); and
• ‘the economy’ (section 47J).

3.51 If a document meets a conditional exemption under Division 3 of Part IV of the FOI Act, the agency must decide if disclosing the document or the information would be against the public interest. The public interest test under subsection 11A(5) is weighted in favour of disclosure. As illustrated by Table 3.6, conditional exemptions were applied to 62 per cent of relevant FOI requests examined as part of the audit.

3.52 Entity records did not include discussions and decisions on the application of these conditional exemptions beyond what was included in the decision notice provided to the applicant. These decision notices explained why an exemption was applied. Where there were records of decision-making processes beyond approval of the decision notice (15 per cent of cases, see Table 3.4), these records did not evidence advice, deliberations and decisions not to apply an exemption, that is where the public interest of disclosure outweighed the considerations to apply the exemption.

3.53 There were no records of advice, deliberations and decisions not to apply a conditional exemption in favour of increased disclosure. Reviews on the decisions, including applications of exemptions, were undertaken through internal review, Information Commissioner reviews and Administrative Review Tribunal reviews (see Table 3.11 and paragraphs 3.78 to 3.82).

Applying section 22 of the FOI Act to redact information

3.54 Entities may also redact information within a relevant document to an FOI request when ‘to give access to a document would disclose information that would reasonably be regarded as irrelevant to the request for access’ and after making the redactions ‘the edited copy would not disclose any information that would reasonably be regarded as irrelevant to the request’.

3.55 As outlined in Table 3.7, the three audited entities used section 22 to redact information in 70 per cent of instances examined as part of the audit.

Table 3.7: Use of section 22 to redact information

Source: ANAO analysis of entity records.

3.56 The OAIC released a position paper in August 2020, on the ‘Disclosure of public servants’ names and contact details’. The OAIC stated that:

• In general it will only be appropriate to delete public servants’ names and contact details as irrelevant under section 22 of the FOI Act if the FOI applicant states, clearly and explicitly, that they do not require this information. Agencies may ask this question of applicants in an access request form.
• It is not generally appropriate to treat non-response to advice that, unless told otherwise the agency or minister will treat this information as being irrelevant to the FOI request, as agreement to this revision of scope (unless the exclusion of names and contact details is apparent on the face of the request). …
• Specific concerns about the health, safety and wellbeing of staff are most appropriately addressed under the conditional exemption in section 47E(c) of the FOI Act, which is subject to the public interest test.

3.57 Each audited entity has adopted approaches that are not consistent with this guidance (see Table 3.8). In this context, agencies have not used an access request form to clarify if public servant names and contact details are outside the scope of the request. Rather, the entities, in acknowledging receipt of a valid FOI request, include wording advising applicants that certain matters are considered outside of the scope of a request, unless advised otherwise (see Table 3.8). Application of a subsection 47E(c) exemption is not a scope consideration, and instead the FOI Guidelines published by the OAIC requires ‘An assessment conducted on a case-by-case basis, based on objective evidence’.

Table 3.8: Matters automatically deemed by the audited entities outside of scope

Source: ANAO analysis of entity records.

3.58 After the August 2020 position paper, the OAIC’s December 2021 update to Part 3 of the FOI Guidelines included:

A request should be interpreted as extending to any document that might reasonably be taken to be included within the description the applicant has used. … There have been instances of agencies using s 22 to delete the names of government officials below the Senior Executive Service (SES) rank on the basis that those names are irrelevant to the scope of an FOI request. There is no apparent logical basis for treating the names of SES officials as being within the scope of a request, but other officials as being irrelevant to the request. Without further explanation as to why the names of government officials are irrelevant to the scope of an applicant’s request, it is unlikely that the application of s 22 is appropriately justified.

3.59 Of the 211 instances where section 22 was used to redact staff member names and details there was no recorded decision to specifically state why names of staff members were considered outside the scope of an FOI request.⁵⁰ Redactions, a task carried out by FOI staff, were either applied without recorded discussion as a matter of standard process, or were applied at the request of the subject matter team.

3.60 Part 6 ‘Conditional exemptions’ of the FOI Guidelines in place since May 2024 includes:

Previous IC review decisions, and previous versions of these Guidelines, expressed the view that where a public servant’s personal information is included in a document because of their usual duties or responsibilities, it will not be unreasonable to disclose it unless special circumstances exist. Further, previous versions of the FOI Guidelines considered that agencies and ministers should start from the position that including the full names of staff in documents released in response to FOI requests increases transparency and accountability of government and is consistent with the objects of the FOI Act …

When considering whether it would be unreasonable to disclose the names of public servants, there is no basis under the FOI Act for agencies to start from the position that the classification level of a departmental officer determines whether their name would be unreasonable to disclose …

3.61 For each of the 211 instances where section 22 was used to redact staff member names and details there was no recorded decision on applying subsection 47E(c)⁵¹.

3.62 In 48 instances where section 22 was applied, the agencies reported the release of information as ‘full release’ (see Table 3.7). This means that statistics published by the OAIC have overstated the extent of full release by the three audited entities.

3.63 The OAIC FOI Guidelines note that in ‘some circumstances it may be appropriate to address concerns about the work health and safety impacts of disclosing public servants’ personal information (such as names and contact details’ and, consistent with the FOI Guidelines, advised that ‘An assessment conducted on a case-by-case basis, based on objective evidence, is required’. Entity records did not include evidence of such considerations for any of the applications of section 22 to redact staff details.

3.64 In response to queries from ANAO regarding the use of section 22 to redact staff information, PM&C advised that:

The department takes its WHS obligations to maintain the well-being and safety of its staff seriously. The department’s approach to the treatment of staff names in the FOI context is managed to meet our WHS obligations. The policy relies on an opt out position which is clearly stated as part of the Department’s acknowledgement to the applicant … Where the application of the policy becomes subject to a decision by the Information Commissioner, and may be set aside, we consider the circumstances of each case and will work with both the Office of the Australian information Commissioner and FOI applicant to mitigate and manage the disclosure of the information.

Were decisions taken properly recorded and communicated to the applicant?

Providing a statement of reasons to the applicant

3.72 Section 26 of the FOI Act requires that where a decision is made to refuse access, or deferring access to a document, the decision-maker must give the applicant notice, in writing, that states:

• the findings on any material facts (and refer to the material on which the findings were based),
• the reasons for the decision; and
• the public interest reasons taken into account when deciding the information was exempt (if the document was conditionally exempt).

3.73 If access is refused in respect to any part of a request for access, the decision-maker must provide a statement of reasons under section 26 of the FOI Act. That provision also applies in relation to a decision to refuse to amend or annotate a record (subsection 51D(3)).

3.74 The three audited entities each draft decision notices using entity specific templates. As outlined in Table 3.9, each of the templates used by the audited entities include information that would be expected in a decision notice.

• Infrastructure has a streamlined and advanced template, using only one template that includes the required information elements, and associated templated wording options for each element, including use of exemptions and public interest test.
• Treasury has five templates, and 10 ‘sample exemption text’ documents, used to draft together a single response for an FOI request.
• PM&C has five templates for decision notice drafting, but no equivalent ‘exemption text’ templates or samples was in its records.

Table 3.9: Content of decision notice templates used to notify applicants of outcomes

Note: Shaded cells align with requirements of the FOI Act for a decision notice to refuse or defer access.

Source: ANAO analysis of entity records

3.75 As outlined in Table 3.4 the three audited entities do not often record how decisions on applying exemptions or redactions are arrived at by the decision-maker. The decision notice only records where a decision has been made to apply an exemption or redaction. There is no record of where decision has been made not to apply an exemption or redactions. In a highly templated environment, entities need to manage the risk that the template dictates the behaviour rather than reflecting a considered decision-making process, taking into account the objects of the FOI Act.

Recording of decisions

3.76 ANAO experienced challenges with lack of records in record management systems, incomplete information in case management systems, and misalignment between information in records and case management systems across the three audited entities. As outlined in Table 3.10, ANAO analysis of a sample of FOI requests was that a complete record of decision, including evidence that the decision notice was provided to the applicant, existed in 89 per cent of cases (see Table 3.7 on frequency with which entities have incorrectly attributed outcomes as ‘full release’ despite using section 22 to redact information). Records were consistent with information in the case management system in 74 per cent of cases.

Table 3.10: Alignment between decision notices and record keeping by audited entities

Source: ANAO analysis of entity records.

3.77 Inconsistent and contradictory information between records and case management systems reduces the reliability of the case management system to accurately reflect the status and decision of FOI requests. This has contributing implications for the reliability of reporting out of such systems, including statistics published by the OAIC.

Did entities engage appropriately with complaints and review mechanisms?

3.78 The FOI Act (paragraph 26(1)(c)), requires the decision notice to also include information regarding the applicant’s rights regarding review of the decision (including internal review options), to make a complaint to the Information Commissioner in relation to the decision; and how to exercise these rights. As outlined in Table 3.9, each of the three audited entities include information in their decision notice to applicants on how to make a complaint to the Information Commissioner, and how to seek an internal review, or contact the OAIC to seek a review by the Information Commissioner. Infrastructure and PM&C include the information within their template decision notice. Treasury includes an attachment to its decision notice, setting out a page of details on review options, and how to make a complaint to the Information Commissioner.

3.79 ANAO’s testing of the FOIs sampled across the three entities identified 89 FOI requests that had records of at least one type of review (see Table 3.11).

3.80 ANAO’s examined the 41 internal reviews for which there were records. The records demonstrated appropriate internal reviews were undertaken. An SES officer different to the decision-maker was appointed to undertake the review, and reconsider the decision. Of the 41 recorded internal reviews, there were 10 decisions (24 per cent) to provide more information to the applicant.

3.81 ANAO examined the 67 FOI requests for which records of Information Commissioner reviews were maintained. The records demonstrated that each of the three entities appropriately engaged with the OAIC. Timeliness of OAIC reviews was an issue⁵², with the relevant department often completing either an internal review, or issuing a section 55G revised decision, prior to the OAIC undertaking a review⁵³:

• The entities issued 16 section 55G revised decisions (24 per cent of OAIC reviews) prior to the OAIC issuing a decision on a review. These decisions provided more information, either through the removal of some redactions or locating and providing additional records. It was not clear from entity records why they decided to reconsider the decision prior to the OAIC completing its review, when other reviews continued to wait for the OAIC to conclude;
• The OAIC discontinued reviews for 11 FOI requests as a result of the relevant entity issuing section 55G revised decisions; and
• The entities have not recorded outcomes for five OAIC reviews, despite issuing section 55G revised decisions. It was not clear if this information gap was the result of the OAIC not formally discontinuing the reviews, or if the reviews remain underway.

3.82 Where there was a request for an Information Commissioner review of a decision, and there was a record of a revised decision or outcome from the OAIC, the decision was to provide further information in 20 of the 37 instances (54 per cent).

3.83 The records held for FOI progress at the Administrative Review Tribunal (previously Administrative Appeals Tribunal) are not well maintained in each entity. These cases are managed by the legal teams within each entity, with limited⁵⁴ to no records of engagement between the FOI team and the legal team on these matters.

Did entities provide accurate information and statistics to the Information Commissioner?

3.84 Under section 93 of the Freedom of Information Act (1982), agencies and ministers ‘must give to the Information Commissioner the information that the Information Commissioner requires to prepare reports’. Part 15 of the FOI Guidelines specifies the information required to be reported by agencies to the OAIC. Part 15 of the FOI Guidelines requires that agencies and ministers provide data to the OAIC on information regarding:

• The number of FOI Requests made;
• The number of decisions to grant, partially grant or refuse access;
• The number and outcome of requests to amend personal records under s48 of the FOI Act;
• Charges collected for processing FOI Requests; and
• The number and outcome of applications for internal review under s54 of the FOI Act.

3.85 The OAIC uses the data provided by agencies and ministers to prepare its annual report. All three audited entities have dedicated case management software that is used to manage and report on FOI requests. Each of the three audited entities extract reports from these case management systems to provide to the OAIC. These reports to the OAIC reflect the level of accuracy of the information in the case management systems. The OAIC does not undertake an assurance review of the data provided by agencies.

3.86 As outlined in Table 3.12, there are inaccuracies in the information held in the case management systems. ANAO analysis of a sample of FOI requests received or on hand in 2024 identified 271 instances (47 per cent) where the information that was used to generate the reporting for the OAIC was not supported by the records. This included 111 instances (19 per cent) where the reported outcome in the case management system was different to that recorded in the decision notice. In addition, there is an issue regarding the accurate reporting of partial release of information were section 22 redactions were applied to information, and recorded as ‘released in full’ (see paragraphs 3.54 to 3.55).

Table 3.12: Divergence between records and information in case management system

Note: These results do not include where records are missing from the electronic document record management systems of the audited entities. As such the numbers in this table may be understated.

Source: ANAO analysis of entity records.

Appendix 1 Entity responses

Department of the Prime Minister and Cabinet

Department of the Treasury

Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts

Office of the Australian Information Commissioner

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• The Department of the Prime Minister and Cabinet, in acknowledging that record keeping was an area for improvement undertook a ‘new weekly process to remind staff to save records appropriately’ including:
  • a weekly calendar appointment to schedule and remind staff to complete record keeping. This is in addition to a one-off records management day where a senior adviser paid for lunch for the staff who spent the entire day saving records for FOI requests to the official record repository; and
  • ‘create and maintain SOPs [standard operating procedures] for repeated aspects of the FOI process’.
• The Department of the Treasury advised ANAO in December 2025 that it:
  • ‘has instituted regular filing time twice a week, and staff are regularly reminded to file their FOI matters completely and promptly’; and
  • is ‘also considering how we can make our record keeping more robust, including by investigating options for dealing with technical barriers to easier record management’.
• The Department of the Treasury issued its first Freedom of Information (FOI) policy on 17 February 2026 with a planned review date of February 2027. Version 1.1 of the policy was issued on 23 February 2026, to address an issue identified by the ANAO in relation to the content of the first version. The finalised policy removed some important requirements that were in the draft policy. For example, the finalised policy does not require a record be made of document searches that were undertaken.
• The Department of the Treasury’s disclosure log is now searchable.
• The Office of the Australian Information Commissioner released an updated set of FOI Guidelines in March 2026. The updates were reported as largely relating to updating the references from the Administrative Appeals Tribunal to the Administrative Review Tribunal.

Appendix 3 Commonwealth Integrity Strategy — Freedom of Information metrics