This is an HTML version of an attachment to the Freedom of Information request 'Copy of Privacy Impact Assessment ref 21987'.

PO Box 7820 Canberra BC ACT 2610 
27 September 2019  
Our reference:  LEX 46187 
Mr Justin Warren  
Right to Know 
Only by email:  
Dear Mr Warren 
Decision on your Freedom of Information Request 
I refer to your request, dated and received by the Department of Human Services 
(department) on 29 July 2019, for access under the Freedom of Information Act 1982 
(FOI Act) to the following document:  
I request a copy of the Privacy Impact Assessment reference number 21987 titled 
"DHS Response to the Independent Review of Health Providers’ Access to Medicare 
Card Numbers" as listed on the department's Privacy Impact Assessment Register. 
My decision 
The department holds one document (totalling 40 pages) that relates to your request. 
I have decided to grant you part access to the document, because it contains material:  
•  that discloses the department’s lawful methods or procedures for detecting, 
investigating, or dealing with matters arising out of breaches or evasions of law 
(section 37(2)(b) of the FOI Act);   
•  that if disclosed would have a substantial and adverse effect on the proper and 
efficient conduct of the operations of the agency, and disclosure would be contrary to 
the public interest (section 47E(d) of the FOI Act).  
Please see the schedule at Attachment A to this letter for the reasons for my decision, 
including the relevant sections of the FOI Act. 
On 20 August 2019, the department notified you of a preliminary processing charge of 
$106.15. This charge was based on an estimate calculated in accordance with Regulation 9 
of the Freedom of Information (Charges) Regulations 2019 (Charges Regulations).  
On the same day, you paid the deposit of $26.55 and requested reconsideration of the 
preliminary charge.  
PAGE 1 OF 9 

On 19 September 2019, the department notified you of the decision to reduce the charge to 
$27.65 (revised charge). This revised charge reflected 50% of the lowest reasonable 
processing cost to provide you with a decision on access. This revised charge also balanced 
that a portion of the cost of processing FOI requests is to be borne by the Applicant with the 
fact that there are public interest factors associated with this matter.    
In accordance with Regulation 10 of the Charges Regulations, I have considered the actual 
time taken to process your request. I have decided the revised charge of $27.65 is a fair and 
accurate reflection of the time taken to process your request. On this basis, I have decided 
not to adjust the revised charge, and have fixed the charge under Regulation 10.  
I note that the difference between the revised charge and the deposit you have paid is $1.10. 
As the remaining payment will likely incur more than its value to collect, the department is 
waiving the remainder of the revised charge and releasing the document to you today. 
How we will send the document to you 
The document is attached.  
You can ask for a review of our decision 
If you disagree with any part of the decision you can ask for a review. There are two ways 
you can do this. You can ask for an internal review from within the department, or an external 
review by the Office of the Australian Information Commissioner. You do not have to pay for 
reviews of decisions. See Attachment B for more information about how to arrange a 
Further assistance 
If you have any questions please email  
Yours sincerely 
Authorised FOI Decision Maker 
Freedom of Information Team 
Employment Law and Freedom of Information Branch | Legal Services Division  
Department of Human Services 
PAGE 2 OF 9 
Department of Human Services 

If not delivered return to PO Box 7820 Canberra BC ACT 2610 
Attachment A 
WARREN, Justin - LEX 46187 
Certain material exempt under section 37(2)(b) of the FOI 
Sept 2019 
DHS response to the 
Release in part 
s 37(2)(b)  
Independent Review of 
Health Providers’ Access 
Certain material conditionally exempt under section 
to Medicare Card 
s 47E(d)  
47E(d) of the FOI Act.  
Numbers – Privacy Impact 
PAGE 3 OF 9 

If not delivered return to PO Box 7820 Canberra BC ACT 2610 
What you requested 
On 29 July 2019, you requested access under the Freedom of Information Act 1982 
(FOI Act) to the following document:  
I request a copy of the Privacy Impact Assessment reference number 21987 titled 
"DHS Response to the Independent Review of Health Providers’ Access to Medicare 
Card Numbers" as listed on the department's Privacy Impact Assessment Register. 
What I took into account 
In reaching my decision I took into account: 
•  your request dated 29 July 2019;  
•  the documents that fall within the scope of your request; 
•  whether the release of material is in the public interest; 
•  consultations with departmental officers about: 
o  the nature of the documents; 
o  the department's operating environment and functions; 
•  guidelines issued by the Australian Information Commissioner under section 93A of 
the FOI Act (Guidelines); and 
•  the FOI Act.  
Reasons for my decisions 
I am authorised to make decisions under section 23(1) of the FOI Act. 
I have decided that parts of the document you requested are exempt under the FOI Act.  My 
findings of fact and reasons for deciding that the exemptions apply to the document are 
discussed below.  
Section 37(2)(b) of the FOI Act 
I have applied the exemption in section 37(2)(b) to part of the document.  
Section 37(2)(b) of the FOI Act provides that: 
(2) A document is an exempt document if its disclosure under this Act would, or could 
reasonably be expected to: 
(b) disclose lawful methods or procedures for preventing, detecting, 
investigating, or dealing with matters arising out of, breaches or evasions of 
the law the disclosure of which would, or would be reasonably likely to, 
prejudice the effectiveness of those methods or procedures 
Paragraph 5.108 of the Guidelines provides that the exemption under section 37(2)(b) of the 
FOI Act applies where two factors are satisfied. Firstly, there must be a reasonable 
PAGE 4 OF 9 

expectation that a document will disclose a lawful method or procedure, and secondly, there 
is a reasonable expectation or a real risk of prejudice to the effectiveness of that method or 
The document you requested contains material that relates to the review that was 
undertaken into the vulnerabilities of the systems health providers use to access Medicare 
information, particularly card numbers. The document contains information that discloses the 
security verification process used by the department to authenticate a health professional 
before allowing them access to a patient’s Medicare card number. Medicare card numbers 
can be used to access a range of health services and benefits, and importantly can be used 
to access personal information. As such, the verification process used by the department 
when interacting with health professionals forms a significant part of the security measures 
aimed at preventing fraudulent activity and protecting personal privacy.   
I am satisfied that there is a reasonable expectation that disclosure of the department’s 
verification security processes contained in this document would disclose a key fraud 
prevention and privacy protection methodology used by the department.   
I am also satisfied that there is a reasonable expectation that the disclosure of this 
information would prejudice the effectiveness of the department’s fraud prevention and 
privacy protection procedures. Disclosure of the verification process has the capacity to 
undermine the department’s fraud prevention and privacy protection strategies by providing 
individuals with forewarning of the information used by the department to confirm a health 
provider’s identity and consequently be granted access to Medicare records. As such, 
individuals that are intent on perpetrating fraud or accessing information without lawful 
authority may be better positioned to do so as they are able to better prepare prior to an 
unauthorised access attempt.  
I further note that the FOI Act does not control or restrict any subsequent use or 
dissemination of information released under the FOI Act. Accordingly, noting that the 
information could be released to a wide audience, disclosure would substantially inhibit the 
department’s methods for mitigating personal privacy breaches and preventing Medicare 
fraud, and compromise the department’s ability to effectively administer correct payments.   
For the reasons set out above, I am satisfied that the material is exempt under section 
37(2)(b) of the FOI Act and cannot be released.  
Section 47E(d) of the FOI Act  
I have also applied section 47E(d) to part of the document.  
Section 47E(d) of the FOI Act provides that:  
A document is conditionally exempt if its disclosure under this Act would, or could 
reasonably be expected to have a substantial adverse effect on the proper and 
efficient conduct of the operations of an agency. 
I have found that part of the document contains material that is conditionally exempt from 
release under section 47E(d) of the FOI Act. The material to which I have refused access 
refers to the specific, verification process of health providers used by the department’s 
Medicare Provider Enquiries Line and the PBS General Enquires line in preventing 
unauthorised Medicare activity.  
Releasing this information would, or could reasonably be expected to, have an adverse effect 
on the proper and efficient conduct of the operations of the department. In particular, the 
PAGE 5 OF 9 
Department of Human Services 

disclosure of information about the verification process would disclose part of the 
department’s fraud prevention and personal privacy methodology which, if released to the 
public, may allow some individuals to take steps to minimise detection of fraudulent activities. 
Individuals may be better positioned to make certain enquiries with the aim of ascertaining 
Medicare customer information. The disclosure of this information would increase the risk of 
illegitimate access and reduce the effectiveness of the department’s security protections.   
Accordingly, I am satisfied that the document contains material that is conditionally exempt 
from disclosure under section 47E(d) of the FOI Act, to the extent that it contains material 
which, if disclosed, would or could reasonably be expected to have a substantial adverse 
effect on the proper and efficient conduct of the department. 
Public interest considerations  
Section 11A(5) of the FOI Act provides the following:  
The agency or Minister must give the person access to the document if it is 
conditionally exempt at a particular time unless (in the circumstances) access to the 
document at that time would, on balance, be contrary to the public interest. 
When weighing up the public interest for and against disclosure under section 11A(5) of the 
FOI Act, I have taken into account relevant factors in favour of disclosure. In particular, I 
have considered the extent to which disclosure would promote the objects of the FOI Act, 
including to:  
•  inform the community of the government’s operations; 
•  reveal the reasons for government decisions and any background or contextual 
information that informed the decisions related to the handling of Medicare 
•  enhance the scrutiny of government decision making; and 
•  facilitate access to government information generally. 
I have also considered the relevant factors weighing against disclosure, indicating that 
access would be contrary to the public interest. In particular, I have considered the extent to 
which disclosure could reasonably be expected to:  
•  prejudice security measures in place by the department to prevent fraud and 
illegitimate access to Medicare records;   
•  impede the department’s ability to protect the personal information of Medicare 
•  compromise the department’s ability to effectively administer correct payments in the 
future; and 
•  prejudice the department’s ability to collect and obtain Medicare information from the 
public in the future. 
Based on these factors, I have decided that in the circumstances of this particular matter, the 
public interest in disclosing the information in the above-mentioned documents is outweighed 
by the public interest against disclosure.  
PAGE 6 OF 9 
Department of Human Services 

I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI 
Act in making this decision.  
In summary, I am satisfied that part of the document is  
•  exempt under section 37(2)(b) of the FOI Act; and  
•  conditionally exempt under section 47E(d) of the FOI Act, and that it would be 
contrary to the public interest to release this information.  
Accordingly, I have decided not to release the document in full to you. 
PAGE 7 OF 9 
Department of Human Services 

If not delivered return to PO Box 7820 Canberra BC ACT 2610 
Attachment B 
Asking for a full explanation of a Freedom of Information decision 

Before you ask for a formal review of a FOI decision, you can contact us to discuss your 
request. We will explain the decision to you. This gives you a chance to correct 
Asking for a formal review of an Freedom of Information decision 
If you still believe a decision is incorrect, the Freedom of Information Act 1982 (FOI Act
gives you the right to apply for a review of the decision. Under sections 54 and 54L of the 
FOI Act, you can apply for a review of an FOI decision by: 
1.  an Internal Review Officer in the Department of Human Services (department); 
2.  the Australian Information Commissioner. 
Note 1: There are no fees for these reviews. 
Applying for an internal review by an Internal Review Officer 
If you apply for internal review, a different decision maker to the departmental delegate who 
made the original decision will carry out the review. The Internal Review Officer will consider 
all aspects of the original decision and decide whether it should change. An application for 
internal review must be: 
•  made in writing 
•  made within 30 days of receiving this letter 
•  sent to the address at the top of the first page of this letter. 
Note 2: You do not need to fill in a form. However, it is a good idea to set out any relevant 
submissions you would like the Internal Review Officer to further consider, and your reasons 
for disagreeing with the decision.  
Applying for external review by the Australian Information Commissioner 
If you do not agree with the original decision or the internal review decision, you can ask the 
Australian Information Commissioner to review the decision.  
If you do not receive a decision from an Internal Review Officer in the department within 30 
days of applying, you can ask the Australian Information Commissioner for a review of the 
original FOI decision.  
You will have 60 days to apply in writing for a review by the Australian Information 
You can lodge your application
PAGE 8 OF 9 

Australian Information Commissioner 
GPO Box 5218 
Note 3: The Office of the Australian Information Commissioner generally prefers FOI 
applicants to seek internal review before applying for external review by the Australian 
Information Commissioner. 
•  If you are applying online, the application form the 'Merits Review Form' is available 
•  If you have one, you should include with your application a copy of the Department of 
Human Services' decision on your FOI request  
•  Include your contact details 
•  Set out your reasons for objecting to the department's decision. 
Complaints to the Australian Information Commissioner and Commonwealth 

Australian Information Commissioner 
You may complain to the Australian Information Commissioner concerning action taken by 
an agency in the exercise of powers or the performance of functions under the FOI Act, 
There is no fee for making a complaint. A complaint to the Australian Information 
Commissioner must be made in writing. The Australian Information Commissioner's contact 
details are: 
Telephone:      1300 363 992 
Commonwealth Ombudsman 
You may also complain to the Commonwealth Ombudsman concerning action taken by an 
agency in the exercise of powers or the performance of functions under the FOI Act. There is 
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be 
made in person, by telephone or in writing. The Commonwealth Ombudsman's contact 
details are: 
Phone:             1300 362 072 
The Commonwealth Ombudsman generally prefers applicants to seek review before 
complaining about a decision. 
PAGE 9 OF 9 
Department of Human Services 

Document Outline