Download original attachment
(PDF file)

This is an HTML version of an attachment to the Freedom of Information request 'Documents Related to the MyService Security Vulnerability at the Department of Veterans’ Affairs'.


LEX 73440 
MR25/00089 
 
 
Decision and Statement of reasons issued under the Freedom of 
Information Act 1982  
Decision and reason for decision of Zoey (Position Number 62214764),  
Senior Information Access Officer, Information Access Unit,  
Client and Information Access Branch, Department of Veterans’ Affairs 
 
 
Applicant: 
NoseyRosey 
 
Decision date: 
 
17 April 2025 
 
FOI reference number: 
LEX 73440 
 
Sent by email: 
 
xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx 
 
Dear NoseyRosey, 
Information Access Request: LEX 73440 
 
Purpose of this notice 
 
1. 
I am writing to notify you that a decision under LEX 73440 was not made within the statutory 
time frames required under the Freedom of Information (FOI) Act and that in these 
circumstances the principle officer of the agency has made a decision personally refusing to 
give access to the document.  
 
2. 
Paragraph 3.161 of the FOI Guidelines issued by the Australian Information Commissioner 
under section 93A of the Freedom of Information Act 1982 states:   
 
“Where an access refusal decision is deemed to have been made before a 
substantive decision is made, the agency or minister continues to have an obligation 
to provide a statement of reasons on the FOI request. This obligation to provide a 
statement of reasons continues until the deemed decision is finalised.” 
 
 
 

Scope of your request 
 
3. 
On 14 December 2024, you made a request for access to documents in the possession of the 
Department. Your request sought access to: 
 
‘…..I am seeking access to any documents held by the Department of 
Veterans’ Affairs that relate to a security vulnerability discovered in 
the MyService platform between 1 October 2023 and the date your 
office processes this request. The vulnerability I refer to involves a 
method by which unauthorised individuals could access veterans’ 
personal information, including but not limited to initial liability 
claims, rehabilitation claims, travel claims, and other sensitive data, 
through the manipulation of certain web address parameters. I am 
specifically interested in documents that discuss any aspect of this 
vulnerability, its discovery, investigation, remediation, and any 
related internal deliberations or notifications. 
 
More specifically, I request documents that address the initial 
reporting of the vulnerability, such as records of the notification 
provided to the DVA by the individual who discovered it. I also seek 
documents detailing any actions taken in response, including 
technical assessments, internal discussions about the scope of the 
vulnerability, and any correspondence with service providers such as 
Services Australia. I request records that describe attempts to identify 
root causes, as well as any instructions, briefings, meeting minutes, 
or emails between DVA staff and service providers regarding 
remediation measures. 
 
I also ask for any documents that relate to the decision-making 
process about whether and how the DVA complied with its 
mandatory reporting obligations under the Privacy Act 1988 (Cth) 
and the Notifiable Data Breaches scheme. This includes records of 
discussions or correspondence between DVA officials that consider 
whether the vulnerability constituted an eligible data breach and 
thus triggered the requirement to notify the Office of the Australian 
Information Commissioner. Furthermore, I am seeking documents 
that clarify whether the DVA intended to, attempted to, or decided 
not to inform the affected veterans whose personal and sensitive 
information may have been exposed. This includes any drafts or final 
versions of notifications, risk assessments, legal advice (if 

disclosable), and any instructions or guidelines that may have guided 
staff on how to handle such breaches. 
 
If the DVA possesses documents that outline general policies or 
procedures governing how staff should respond to data breaches or 
vulnerabilities of this nature, I request access to these materials as 
well. This may include internal manuals, policy frameworks, standard 
operating procedures, or incident response plans relied upon by DVA 
staff when managing the discovered vulnerability...’ 
 
4. 
On 16 December 2024, you contacted the department again via email stating: 
 
‘…I request that you provide the documents in electronic form, such 
as PDF files, unless they are only available in another format. Should 
any documents contain sensitive personal information about 
individuals not directly relevant to the subject matter, I understand 
that you may redact those details in accordance with the FOI Act. I 
ask that you consider the strong public interest in the transparency 
and accountability of government agencies, particularly where the 
personal data of a vulnerable community, in this case the veteran 
community, is concerned. The disclosure of these documents will 
serve the public interest by enabling a better understanding of how 
the DVA protects personal information, and how it complies with 
legal obligations when serious vulnerabilities arise. 
 
If you consider that this request is too broad or is likely to lead to a 
practical refusal, I ask that you consult with me under section 24AB 
of the FOI Act. I am willing to discuss the scope of this request to 
ensure it can be processed efficiently. If there are any charges 
associated with this request, I respectfully ask you to consider a 
reduction or waiver of fees in the public interest, given the 
importance of the matter and its direct impact on the welfare of 
veterans. 
 
I look forward to receiving acknowledgment of this request and a 
decision within the statutory timeframes…’ 
 

5. 
On 16 December 2024, the Department acknowledged your request via email. Within this 
email we sought your agreement to an Extension of Time. You replied on the same date 
stating you do not agree to an Extension of Time. 
 
6. 
On 14 January 2025, you contacted the Department to advised you had lodged an 
application with the Office of the Australian Information Commissioner. 
 
7. 
On 15 January 2025 we sent you a consultation notice on the basis that a practical refusal 
reason exists.   
 
8. 
On 16 January 2025, you replied with the following:  
 
‘…This is already a deemed request and as such has been referred to 
the OAIC yesterday, you do not get another wack at this until the IC 
review commences.  
Further however I your questions I suggest you seek the information 
from Kellie Sheriff Acting Assistant Secretary | Chief Information 
Security Officer Digital Operations and Support Branch. 
Furthermore funny thing is that Services Australia were able to find 
the documents and have already done an courtesy consult with your 
office…’ 
 
Reasons for the decision  
 
9. 
I provide this notice to address paragraph 3.161 of the FOI Guidelines to inform you that 
while the decision following a review of your request, that I determine your request to be 
refused on the basis that a practical refusal reason exists. 
 
10.  If the Department is satisfied that a practical refusal reason exists in relation to a request, 
the Department must undertake a consultation process with you, and if, after that 
consultation process, the Department remains satisfied that the practical refusal reason still 
exists, the Department may refuse to give you access to the documents subject to the 
request. 
 
11.  Considering the outcome of this consultation, and the scope of your request, I am satisfied 
that I am unable to identify the specific documents you are requesting. This is because the 
language of your request is unclear and it does not contain sufficient information to enable 
me to undertake reasonable and effective searches to identify relevant documents. 
 
 
 

When does a practical refusal reason exist 
 
12.  I provide this notice to address paragraph 3.161 of the FOI Guidelines to inform you that 
upon review of your scope related to LEX 73440, that I consider a practical refusal reason 
would exist on the basis that: 
 
•  your request does not provide sufficient information to enable the department to 
identify the documents you are seeking.  
 
Identification of documents 
13.  Section 24AA(1)(b) of the FOI Act provides that a practical refusal reason exists in relation to 
a request for a document if the request does not satisfy section 15(2)(b) of the FOI Act. That 
section provides that a request must provide such information concerning the document as 
is reasonably necessary to enable a responsible officer of the agency to identify it.  
 
14.  I am unable to identify the specific documents you are requesting. This is because the 
language of your request is unclear and it does not contain sufficient information to enable 
me to undertake reasonable and effective searches to identify relevant documents.  
 
Request is unreasonable 
 
15.  I have considered whether the substantial resource burden would be unreasonable having 
regard to the following:  
 
•  the Department had approximately 4300 staff (including contractors) as at 31 
December 2023; 
•  the Department's Information Access Unit comprises approximately 43 staff and is 
responsible for processing FOI requests, administrative access requests, subpoenas 
and other notices to produce; 
•  the high volume of FOI requests received by the Department (1944 requests 
received in the 2023-24 financial year); 
•  whether there is a significant public interest in the documents requested; 
•  whether the applicant cooperated in framing a request to reduce the processing 
workload;  
•  the impact on staff with core responsibilities for processing FOI requests having to 
divert a substantial number of hours from other work to focus on this single 
request; and  

•  the impact on staff in the business divisions of the Department having to divert a 
significant number of hours from their business responsibilities to focus on this 
request.  
 
16.  I have also considered whether the substantial resource burden would be unreasonable 
having regard to the following:  
 
•  The would be an unreasonable burden to process this single FOI request, taking into 
account the need to process multiple requests at any given time, and the impact 
such a burden would have on responding to other FOI applicants and for the 
relevant business area to undertake their designated duties.  
•  Due to the broad nature of your request the relevant business areas would be 
required to spend a significant amount of time and resources in document retrieval 
and scoping activities. 
 
17.  Taking the above factors into account, I am of the view that the request as it currently stands 
is unreasonable, as well as substantial. 
 
Summary of Decision  
 
18.  In summary, the decision remains a refusal however I am satisfied that processing your 
request, as best the Department can understand the terms would result in a substantial and 
unreasonable diversion of the Department's resources from its other operations.  
 
Your rights of review 
 
19.  If you are dissatisfied with my decision you may apply for Information Commissioner Review 
of the decision through the Office of the Australian Information Commissioner (OAIC). In 
accordance with section 54E(b) of the FOI Act, internal review is not available as the 
Department did not finalise your FOI request within the prescribed statutory timeframe.  
 
OAIC review  
 
20.  Under section 54L of the FOI Act, you may apply to the OAIC to review my decision. An 
application for review by OAIC must be made in writing within 60 days of the date of this 
letter, and be lodged in one of the following ways: 
 
Online: 
www.oaic.gov.au   
Post:    
Director of FOI Dispute Resolution 
Office of the Australian Information Commissioner 

GPO Box 5218, Sydney NSW 2001 
Facsimile:  
(02) 9284 9666 
Phone: 
1300 363 992 
Email:   
xxxxx@xxxx.xxx.xx  
 
21.  More information about your review rights under the FOI Act is available in Fact Sheet 12 
published by the OAIC: https://www.oaic.gov.au/freedom-of-information/reviews-and-
complaints/information-commissioner-review/  
 
Contact us 
 
22.  If you wish to discuss this decision, please do not hesitate to contact the Information Access 
Unit using the following details: 
 
Online:  
https://www.dva.gov.au/about-us/overview/reporting/freedom-
information/access-information   
Post:  
Information Access Unit 
Department of Veterans' Affairs 
GPO Box 9998, Brisbane QLD 4001 
Phone:  
1800 838 372 
Email:   
xxxxxxxxxxx.xxxxxx@xxx.xxx.xx  
 
 
 
Yours sincerely, 
 
Zoey (Position Number 62214764) 
Senior Information Access Officer  
Information Access Unit 
Client and Information Access Branch 
Department of Veterans’ Affairs 
 
17 April 2025