and Investments Commission
Office address (inc courier deliveries):
Level 7, 120 Col ins Street,
Melbourne VIC 3000
Mail address for Melbourne office:
GPO Box 9827,
Brisbane QLD 4001
Tel: +61 1300 935 075
Fax: +61 1300 729 000
By email: foi+request-6877-
23 November 2020
Dear Mr Roddis
Freedom of Information Request No. 226-2020
Notice to Identify Documents under Section 24AB of the Act
I refer to your request dated 7 November 2020 under the Freedom of Information Act
) in which you seek access to documents in the possession of the
Australian Securities and Investments Commission (ASIC
). I apologise for the delay in
responding to you, however this was due to our searches conducted, which is
explained in more detail below.
You seek access to the fol owing:
“I'd like to request documents relating to:
Cyber Security Incidents/Cybercrimes/Data Breaches incurred by companies
and financial services reported to or discovered by ASIC during the period:
1st Nov 2015-1st Nov 2020
The terms "Cyber Security Incidents/Cybercrimes/Data Breaches" for this
request as an act that would fal under 10.7 and 10.8 of the Criminal Code Act
1995 and include:
• Computer intrusions
• Unauthorised modification of data, including destruction of data
• Unauthorised impairment of electronic communications, including
denial of service attacks
This request excludes documents relating to Cyber Security Incidents incurred
by ASIC itself and focus on 3rd parties only.”
Section 15(2)(b) of the FOI Act
I advise that your request does not satisfy the requirement set out in section 15(2)(b)
of the FOI Act which states that a request for access to a document must ‘provide
such information concerning the document as is reasonably necessary to enable a
responsible officer of an agency… to identify it
’. As section 15(2)(b) has not been met
ASIC may, in line with section 24(1)(b) of the Act, refuse to process your application.
In its current form, it would be my intention to refuse access to the documents sought
in the Request on this practical refusal ground. However, to assist you to make a valid
request I make the fol owing comments. Why your request is unclear
In your request you seek ‘documents relating to… the terms "Cyber Security
Incidents/Cybercrimes/Data Breaches"… that would fal under 10.7 and 10.8 of the
Criminal Code Act 1995’.
Your request stating that any ‘documents relating to’ the
terms of your requests in any way is too broad and would capture any document
related to the terms, regardless of how weak that link to the terms might be. This
means it is unclear to me how extensive the scope of your request is because
currently, even documents that simply mention the term ‘cybercrimes’ could
potential y fal into the scope even though the term is incidentally mentioned as part
of a broader discussion. This interpretation renders your request hopelessly broad by
capturing al documents containing any incidental mentions of the matters relevant
to your request.
I find it difficult to identify the documents you are seeking given the broad and
ambiguous nature of your request.
In view of the issues identified above, I consider that your request, in its current form,
does not adequately identify the documents sought and that a practical refusal
reason exists within the meaning of section 24AA(1)(b) of the FOI Act. Section 24AA(1)(a) FOI Act
I am also writing to tell you that I believe that the work involved in processing your
request in its current form would substantial y and unreasonably divert the resources
of this agency from its other operations due to its size and broad scope. This is cal ed
a ‘practical refusal reason’ (section 24AA of the FOI Act).
On this basis, I intend to refuse access to the documents you requested. However,
before I make a final decision to do this, you have an opportunity to revise your
This is cal ed a ‘request consultation process’ as set out under section 24AB of the FOI
Act. You have 14 days to respond to this notice in one of the ways set out below.
I decided that a practical refusal reason exists because I have done preliminary
searches and have considered the work involved in processing your request.
ASIC has undertaken preliminary searches to ascertain the number of documents
that potential y fal within the scope of your request and has identified over 500,000
documents. These searches were conducted by ASIC’s Misconduct & Breach
Reporting team (M&BR
) who handle reports of misconduct and breaches from
companies and financial services licensees using search parameters such as
“cybercrime”, “cyber security” and “data breach” between the timeframe of 2015-
2020. These parameters were used in ASIC’s digital records.
Your request also requires further ASIC teams to conduct additional searches in other
databases not utilised by M&BR to ascertain further documents that may fal within
the scope of your request. To conduct a search across such a large number of
individuals would be excessively burdensome and, in my view, would unreasonably
interfere with ASIC’s day-to-day activities.
The Office of the Australian Information Commissioner recommends that agencies
examine a representative sample of 10-15% of documents to assess the complexity of
the material against whether the work involved in processing the request would
constitute a substantial and unreasonable diversion of resources from the agency’s
other operations. In this instance, the sample size would be approximately 52,000
documents and assessing this sample size alone would constitute a substantial and
unreasonable diversion of resources from the agency’s other operations.
Furthermore, at this point in time, the difficulty in conducting searches that are
responsive to the terms of your request further prevents us from quantifying the effort
required to process your request in its current form.
However, I can further advise that any request that captures information relating to
the affairs of any third parties would require extensive consultation with these parties
under sections 27 and 27A of the FOI Act and that this consultation is likely to
substantial y add to the burden of processing your request. Request consultation process
The purpose of this letter is to provide you with an opportunity to revise your request so
that the practical refusal reason no longer exists before a final decision is made.
Should you wish to submit a revised request please take into consideration the issues
raised in this notice to ensure that they are addressed.
Revising your request can mean narrowing the scope of the request to make it more
You may wish to identify more accurately the documents that you are looking for and
reduce the time frame to search for. You may also wish to consider if it is ASIC
documents that you are interested in, noting that some data breaches are required
to be reported to the Office of the Australian Information Commissioner
incidents to ReportCyber at the Australian Cyber Security Centre.
You may also wish to refer to ASIC’s resources on cyber resilience
which may help
explain the type of documents ASIC may hold about this subject matter and wil assist
you to revise your request.
Before the end of the consultation period, you must do one of the fol owing, in writing:
1. withdraw your request;
2. make a revised request; or
3. tell us that you do not wish to revise your request.
The consultation period runs for 14 days
and starts on the day after you receive this
During this period, you are welcome to seek my assistance. If you revise your request
in a way that adequately addresses the practical refusal grounds outlined above, we
wil start processing it. Please note that the time taken to consult you regarding the
scope of your request is not considered for the purposes of the 30-day time limit for
processing your request.
If you do not do one of the three things listed above during the consultation period or
you do not consult me during this period, your request wil be taken to have been
If you have any questions or wish to discuss, please contact me at email@example.com
(Authorised decision maker pursuant to subsection 23(1) of the FOI Act)
For the Australian Securities and Investments Commission