4 December 2018
Our reference: 1811001
Richard Smith
Richard Smith
xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Mr Smith,
I refer to your request under the
Freedom of Information Act 1982 (
the FOI Act) for access to documents
relating to:
a) Documents relating to any investigations, reviews or routine checks undertaken by ADHA (or
suppliers or subcontractors of ADHA) to determine if any breaches in security have occurred for any
electronic records held, maintained or overseen by the ADHA in the years of 2015, 2016, 2017 and
2018; and
b) Documents relating to the procedures currently in use by the ADHA which outline the methods by
which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware
used by the ADHA to maintain electronic records are correctly applied and assured; and
c) Documents relating to the procedures currently in use by the ADHA which outline the methods by
which the application of updates, upgrades and "patches", both routine and ad-hoc to all software
used by the ADHA to maintain electronic records are correctly applied and assured; and
d) Documents relating to the procedures in use in 2016 by the ADHA which outline the methods by
which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware
used by the ADHA to maintain electronic records are correctly applied and assured; and
e) Documents relating to the procedures in use in 2016 by the ADHA which outline the methods by
which the application of updates, upgrades and "patches", both routine and ad-hoc to all software
used by the ADHA to maintain electronic records are correctly applied and assured.
I, Bettina McMahon, am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests.
Section 15 of the FOI Act gives a right to access documents held by the Australian Digital Health Agency (the
Agency). Such a request must provide information about those documents sufficient to enable a
responsible officer of the Agency to identify them (section 15(2)(b)).
Australian Digital Health Agency ABN 84 425 496 912, Level 25, 175 Liverpool Street, Sydney, NSW 2000
Phone
+61 2 8298 2600 Facsimile +61 2 8298 2666
www.digitalhealth.gov.au
OFFICIAL
I am writing to tell you that I believe that you have not provided enough information about the documents
you are seeking to allow officers of this Agency to identify them. This is called a ‘practical refusal reason’
(section 24AA).
On this basis, I intend to refuse access to the documents you requested. However, before I make a final
decision to do this, you have an opportunity to revise your request. This is called a ‘request consultation
process’ as set in section 24AB of the FOI Act. You have 14 days to respond to this notice in one of the ways
described below.
Request consultation process
You now have an opportunity to revise your request to enable it to proceed.
Revising your request means providing more information about the documents you wish to access. For
example, by providing more specific information about exactly what documents you are interest in, we will
be able to identify the documents that interest you.
It may assist you to know that the Agency does not know what type of documents you are seeking.
In relation to point a, the Agency was established in early 2016 and commenced operations on 1 July 2016.
The Agency is the system operator of the My Health Record (MHR) system as defined in the
My Health
Records Act 2012. These functions were taken over from the Department of Health. You have asked about
breaches in security for electronic records from 2015-2018. As 2015 would be referring to the time when
work was undertaken by the Department of Health prior to the establishment of the Agency, this enquiry
would have to be referred to that Department. You would be required to either lodge a separate FOI
request for this component of your inquiry with the Department of Health. Information about submitting
an application form can be found at
http://www.health.gov.au/internet/main/publishing.nsf/content/foi-
about. Alternatively, we could request a partial transfer of this data on your behalf. Please advise your
preference.
In relation to points b to e, can you please be more specific if you are referring to all electronic
health records, or all electronic records held by the Agency?
Before the end of the consultation period, you must do one of the following, in writing:
• withdraw your request
• make a revised request
• tell us that you do not wish to revise your request.
The consultation period runs for 14 days and starts on the day after you receive this notice.
During this period, you are welcome to seek assistance from the contact person I have listed below to
revise your request. If you revise your request in a way that adequately addresses the practical refusal
grounds outlined above, we will recommence processing it. (Please note that the time taken to consult you
about the scope of your request is not included in the 30 day time limit for processing your request.)
If you do not do one of the three things listed above during the consultation period or you do not consult
the contact person during this period, your request will be taken to have been withdrawn.
Contact officer
If you would like to revise your request or have any questions, the contact officer for your request is Cecilia
who can be telephone on (02) 6223 0780 or email at
xxx@xxxxxxxxxxxxx.xxx.xx.
Yours sincerely
Bettina McMahon
Chief Operating Officer