If not delivered return to PO Box 7820 Canberra BC ACT 2610
8 August 2024
Our reference: LEX 80659
Andrew Brewster
Right to Know
By email: xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Andrew
Decision on your Freedom of Information Request
I refer to your request, received by the Department of Social Services (DSS) on 16 July 2024
and transferred to Services Australia (the Agency) on 18 July 2024 for access under the
Freedom of Information Act 1982 (the FOI Act) to the following documents:
You have SAS Code which given the digits of a Centrelink Customer Reference
Number calculates the check letter. Please provide it.
My decision
The Agency holds a document that relates to your request.
I have decided to
refuse access to the document on the basis the disclosure would or could
reasonably be expected to have a substantial adverse effect on the proper and efficient
conduct of the operations of the Agency and disclosure is contrary to the public interest
(section 47E(d) conditional exemption).
Please see the schedule at
Attachment A to this letter for a description of the document and
the reasons for my decision, including the relevant section of the FOI Act.
You can ask for a review of our decision
If you disagree with any part of the decision you can ask for a review. There are two ways
you can do this. You can ask for an internal review from within the Agency, or an external
review by the Office of the Australian Information Commissioner. See
Attachment B for
more information about how to request a review.
Further assistance
If you have any questions, please email xxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxxxxx.xxx.xx.
PAGE 1 OF 7
Yours sincerely
Cherie
Authorised FOI Decision Maker
Freedom of Information Team
FOI and Reviews Branch | Legal Services Division
Services Australia
PAGE 2 OF 7
If not delivered return to PO Box 7820 Canberra BC ACT 2610
REASONS FOR DECISION
What you requested
You have SAS Code which given the digits of a Centrelink Customer Reference
Number calculates the check letter. Please provide it.
On 22 July 2024, I wrote to you seeking further information about the scope of your request.
The Agency did not receive a response from you.
On 25 July 2024, the Agency acknowledged your request.
What I took into account
In reaching my decision I took into account:
• your request dated 16 July 2024 and transferred to the Agency on 18 July 2024
• the material that falls within the scope of your request
• whether the release of material is in the public interest
• consultations with Agency officers about:
o the nature of the material
o the Agency's operating environment and functions
• guidelines issued by the Australian Information Commissioner under section 93A of
the FOI Act (the Guidelines), and
• the FOI Act.
Reasons for my decisions
I am authorised to make decisions under section 23(1) of the FOI Act.
I have decided the material you requested is exempt under the FOI Act. My findings of fact
and reasons for deciding that the exemption applies are discussed below.
Operations of the Agency
I have applied the conditional exemption in section 47E(d) of the FOI Act to the document.
This section of the FOI Act allows the Agency to redact material from a document or consider
an entire document exempt if its disclosure would have a serious and significant effect on the
Agency’s ability to conduct its operations efficiently and properly.
The material you requested relates to a code and internal system functionality. I am satisfied
this information is relevant to the operations and management of systems and programs
administered by the Agency and is therefore relevant to the conduct of the Agency’s
operations. I consider that providing this material to you, which is not publicly available, would
negatively affect the conduct of the Agency’s operations.
This is because release of the coding logic for the CRN validation check functionality could
reasonably be expected to assist external malicious actors to gain inside knowledge of the
PAGE 4 OF 7
Agency’s core systems, and in turn increase the threat of fraud and exploitation of customer
records and payments. Specifically, release could allow a person to generate valid CRNs and
attempt to access, modify or steal personal information.
I am of the view that disclosure of the code presents a severe risk to the security of the
Agency’s core systems and the information it holds. Release of the documents in my view
could reasonably be expected to increase the risk of malicious cyber incidents.
While I have no reason to believe you would misuse the exempt material in this way, the FOI
Act does not control or restrict use or dissemination of the information once released, so I must
consider actions any member of the public might take if the information is in the public domain.
For the reasons detailed above, I am satisfied that the material is conditionally exempt, in full,
under section 47E(d) of the FOI Act.
Public interest considerations
Access to conditionally exempt material must be given unless I am satisfied it would not be in
the public interest to do so.
I consider that disclosure of the material would generally promote the objects of the FOI Act,
which is in the public interest. However, I also consider the disclosure of this material would
present a serious risk to the Agency’s cyber security and the personal information of customers
and individuals it holds within.
As such, I find the public interest factor in favour of disclosing the material is outweighed by
the public interest factors against disclosure.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the
FOI Act in making this decision.
Conclusion
In summary, I am satisfied that the material is conditionally exempt in full under section 47E(d)
of the FOI Act. Furthermore, I have decided that on balance it would be contrary to the public
interest to release this information. Accordingly, I have decided not to release the document to
you.
PAGE 5 OF 7
If not delivered return to PO Box 7820 Canberra BC ACT 2610
Attachment B
INFORMATION ON RIGHTS OF REVIEW
FREEDOM OF INFORMATION ACT 1982
Asking for a full explanation of a Freedom of Information decision
Before you ask for a formal review of a FOI decision, you can contact us to discuss your
request. We will explain the decision to you. This gives you a chance to correct
misunderstandings.
Asking for a formal review of a Freedom of Information decision
If you still believe a decision is incorrect, the
Freedom of Information Act 1982 (FOI Act)
gives you the right to apply for a review of the decision. Under sections 54 and 54L of the
FOI Act, you can apply for a review of an FOI decision by:
1. an Internal Review Officer in Services Australia (the Agency), and/or
2. the Australian Information Commissioner.
Applying for an internal review by an Internal Review Officer
If you apply for internal review, a different decision maker to the Agency delegate who made
the original decision will carry out the review. The Internal Review Officer will consider all
aspects of the original decision and decide whether it should change. An application for
internal review must be:
• made in writing
• made within 30 days of receiving this letter
• sent to the address at the top of the first page of this letter, or by email to
xxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxxxxx.xxx.xx
Note: You do not need to fill in a form. However, it is a good idea to set out any relevant
submissions you would like the Internal Review Officer to further consider, and your reasons
for disagreeing with the decision.
Applying for external review by the Australian Information Commissioner
If you do not agree with the original decision or the internal review decision, you can ask the
Australian Information Commissioner to review the decision.
If you do not receive a decision from an Internal Review Officer in the Agency within 30 days
of applying, you can ask the Australian Information Commissioner for a review of the original
FOI decision.
You will have 60 days to apply in writing for a review by the Australian Information
Commissioner.
PAGE 6 OF 7
You can lodge your application:
Online:
www.oaic.gov.au
Post:
Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Note: The Office of the Australian Information Commissioner generally prefers FOI
applicants to seek internal review before applying for external review by the Australian
Information Commissioner.
Important:
• If you are applying online, the application form the 'FOI Review Form' is available at
Information Commissioner Review Application form
• If you have one, you should include with your application a copy of the Agency's
decision on your FOI request
• Include your contact details
• Set out your reasons for objecting to the Agency's decision.
Complaints to the Australian Information Commissioner and Commonwealth
Ombudsman
Australian Information Commissioner
You may complain to the Australian Information Commissioner concerning action taken by
an agency in the exercise of powers or the performance of functions under the FOI Act,
There is no fee for making a complaint. A complaint to the Australian Information
Commissioner must be made in writing. The Australian Information Commissioner's contact
details are:
Telephone: 1300 363 992
Website: www.oaic.gov.au
Smart Form: FOI Complaint Form
Commonwealth Ombudsman
You may also complain to the Commonwealth Ombudsman concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act. There is
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be
made in person, by telephone or in writing. The Commonwealth Ombudsman's contact
details are:
Phone: 1300 362 072
Website: www.ombudsman.gov.au
The Commonwealth Ombudsman generally prefers applicants to seek review before
complaining about a decision.
PAGE 7 OF 7