OFFICIAL
PO Box 457
CANBERRA ACT 2601
dta.gov.au
Our ref: 223/2021
26 May 2020
Richard Nelson
via email:
xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Freedom of Information Decision
Dear Mr Nelson,
The Digital Transformation Agency (DTA) received your request on 26 March 2021, in which you
sought access to documents under the provisions of the
Freedom of Information Act 1982 (FOI Act).
The documents you requested were:
1. Monthly cost breakdowns for Amazon Web Services spend related to COVIDSafe server-side
components; and
2. Architecture diagrams and related resource requirements for COVIDSafe Amazon Web
Services components.
You provided additional justification for your request as follows:
1. To understand why this is being requested as a matter of public interest; I believe taxpayers
deserve to know how an application that is of dubious value, and where the vast majority of
application data is stored on end users’ phones, costs a reported $100k/month in hosting.
The AWS bil , resourcing requirements and architecture diagrams would help explain this -
and/or clarify if the reporting is misleading.
2. I don’t believe that publishing either of these items would be of concern with regards to
security of the application or data. Already published design of COVIDSafe data encryption,
transport and existing security controls are sufficient; hiding architecture details or cost
breakdowns would simply be obscurity.
The DTA identified 4 documents within scope of your request. I have examined these documents,
and decided they are exempt from release under sections 45, 47E and 47G of the FOI Act as:
• The documents requested are subject to a confidentiality agreement with a third party,
• The third party has raised legitimate objections to the release of the documents requested;
and
• Aspects of the Privacy Act intended to protect the integrity of the COVIDSafe app prevent
DTA from releasing the requested information.
OFFICIAL
OFFICIAL
Section 26 of the FOI Act requires the DTA to provide a statement of reasons in support of a
decision. In depth reasons for my decision are in
Attachment A.
The FOI Act also provides a number of avenues for review set out in
Attachment B if you are
dissatisfied with any aspect of this decision.
If you have any questions or require further information, please contact the FOI Officer on
02 6120 8595 or via email at xxx@xxx.xxx.xx.
Yours sincerely
George-Philip de Wet
Authorised Decision Maker
Digital Transformation Agency
Digital Transformation Agency
2
OFFICIAL
OFFICIAL
ATTACHMENT A -
STATEMENT OF REASONS
Decision
I, George-Philip de Wet, am an officer authorised to make decisions under subsection 23(1) of the
Freedom of Information Act 1982 (FOI Act)
I have examined the documents subject to this request and have decided to exempt them from
release.
Reasons for decision
In exempting the requested documents from release, I have applied sections 45, 47E and 47G of the
FOI Act.
Section 45 - Documents containing material obtained in confidence
(1) A document is an exempt document if its disclosure under this Act would found an action,
by a person (other than an agency or the Commonwealth), for breach of confidence.
(2) Subsection (1) does not apply to a document to which subsection 47C(1) (deliberative
processes) applies (or would apply, but for subsection 47C(2) or (3)), that is prepared by
a Minister, a member of the staff of a Minister, or an officer or employee of an agency, in
the course of his or her duties, or by a prescribed authority or Norfolk Island authority in
the performance of its functions, for purposes relating to the affairs of an agency or a
Department of State unless the disclosure of the document would constitute a breach of
confidence owed to a person or body other than:
(a) a person in the capacity of Minister, member of the staff of a Minister or officer of
an agency; or
(b) an agency or the Commonwealth
In assessing if section 45 of the FOI Act applies, I have considered:
• the nature of the information and whether the information was obtained in confidence;
• the objective of the FOI Act, which encourages a right of access to documents held
by government agencies, subject to certain exemptions; and
• the extent to which the information is already a matter of public knowledge and/or
well known.
I have also taken the below factors against disclosing the information into consideration:
• whether the release of this information would be found by a person, other than an agency,
to be a breach of confidence; and
• the information is not a matter of public knowledge and/or wel known.
As the documents requested are not public knowledge, are subject to a confidentiality agreement,
and if released would be considered by the third party as a breach of confidence, I have decided to
exempt the documents from release in full.
Digital Transformation Agency
3
OFFICIAL
OFFICIAL
Section 47E – Public interest conditional exemptions – certain operations of agencies
A document is conditionally exempt if its disclosure under this Act would, or could reasonably be
expected to, do any of the following:
(a) prejudice the effectiveness of procedures or methods for the conduct of tests,
examinations or audits by an agency;
(b) prejudice the attainment of the objects of particular tests, examinations or audits
conducted or to be conducted by an agency;
(c) have a substantial adverse effect on the management or assessment of personnel by
the Commonwealth or by an agency;
(d) have a substantial adverse effect on the proper and efficient conduct of the
operations of an agency.
Note: Access must generally be given to a conditionally exempt document unless it would be contrary to the public
interest (see section 11A).
In assessing if section 47E(a) and 47E(d) of the FOI Act applies, I have considered:
• whether the information contained in the documents would prejudice the effectiveness of a
procedure or method for the conduct of a test or examination;
• whether the information if released would have substantial adverse effect on the proper
and efficient conduct of the operations of an agency; and
• the extent to which the information is already a matter of public knowledge.
I have also taken the below factors against disclosing the information into consideration:
• the information contained in the documents would prejudice the effectiveness of
a procedure or method for the conduct of a test or examination;
• the information contained in the documents, if released, would have substantial
adverse effects on the proper and efficient conduct of the operations of an agency; and
• the information is not a matter of public knowledge.
The purpose of the
COVIDSafe app is to assist state and territory health officials to quickly identify
and contact people who may have been exposed to COVID-19. To improve public confidence in the
app, the Government made amendments to the
Privacy Act 1988 to provide strong protections for
users of the
COVIDSafe app and information col ected through the app.
The DTA needs to ensure that elements of the COVIDSafe system including the National COVIDSafe
Data Store are protected from malicious actors who seek to obtain insight into COVIDSafe app
operation. If insight is given into the COVIDSafe system, it heightens the risk that COVIDSafe app and
National COVIDSafe Data Store operations could be compromised or sabotaged.
Given the detail relating to the COVIDSafe system that can be derived from the documents
requested, the potential for misuse of that information, and that the information contained in the
documents are not a matter of public knowledge, I have decided to exempt the documents from
release in full.
Digital Transformation Agency
4
OFFICIAL
OFFICIAL
47G Public interest conditional exemptions – business
(1) A document is conditionally exempt if its disclosure under this Act would disclose information
concerning a person in respect of his or her business or professional affairs or
concerning the business, commercial or financial affairs of an organisation or
undertaking, in a case in which the disclosure of the information:
(a) would, or could reasonably be expected to, unreasonably affect that person
adversely in respect of his or her lawful business or professional affairs or that
organisation or undertaking in respect of its lawful business, commercial or
financial affairs; or
(b) could reasonably be expected to prejudice the future supply of information to the
Commonwealth or an agency for the purpose of the administration of a law of the
Commonwealth or of a Territory or the administration of matters administered by
an agency.
In assessing if section 47G of the FOI Act applies, I have considered:
• the nature of the information and whether the disclosure would cause no
serious consequences;
• the object of the FOI Act, which encourages a right of access to documents held
by government agencies, subject to certain exemptions; and
• the extent to which the information is already a matter of public knowledge and/or wel
• known.
I have also taken the below factors against disclosing the information into consideration:
• the disclosure of information relating to the business, commercial or financial affairs of the
third party could be considered as unreasonable disclosure; and
• the information is not a matter of public knowledge and/or wel known.
In examining the documents, I am satisfied that releasing the information within the
document could involve the unreasonable disclosure of the financial or business affairs of a
third party.
Accordingly, I have decided that the information within the documents is conditionally exempt
under section 47G of the FOI Act.
Digital Transformation Agency
5
OFFICIAL
OFFICIAL
Public interest conditional exemption considerations
In relying on the public interest conditional exemptions under section 47E and 47G, I considered the
public interest factors under section 11A – Access to documents on request.
Section 11A
(5) The agency or Minister must give the person access to the document if it is conditionally exempt
at a particular time unless (in the circumstances) access to the document at that time would, on
balance, be contrary to the public interest.
Note 1: Division 3 of Part IV provides for when a document is conditionally exempt.
Note 2: A conditional y exempt document is an exempt document if access to the document would,
on balance, be contrary to the public interest (see section 31B (exempt documents for the purposes of
Part IV)).
Note 3: Section 11B deals with when it is contrary to the public interest to give a person access to
the document.
(6) Despite subsection (5), the agency or Minister is not required to give access to the document at a
particular time if, at that time, the document is both:
(a) a conditionally exempt document; and
(b) an exempt document:
(i) under Division 2 of Part IV (exemptions); or
(i ) within the meaning of paragraph (b) or (c) of the definition of exempt
document in subsection 4(1).
Section 11B (3), (4) and (5) – Public interest exemptions – factors
(3) Factors favouring access to the document in the public interest include whether
access to the document would do any of the fol owing:
(a) promote the objects of this Act (including all the matters set out in
sections 3 and 3A);
(b) inform debate on a matter of public importance;
(c) promote effective oversight of public expenditure;
(d) allow a person to access his or her own personal information.
(4) The fol owing factors must not be taken into account in deciding whether access to the document
would, on balance, be contrary to the public interest:
(a) access to the document could result in embarrassment to the
Commonwealth Government, or cause a loss of confidence in the
Commonwealth Government;
(aa) access to the document could result in embarrassment to the
Government of Norfolk Island or cause a loss of confidence in the
Government of Norfolk Island;
(b) access to the document could result in any person misinterpreting or
misunderstanding the document;
(c) the author of the document was (or is) of high seniority in the agency to
which the request for access to the document was made;
(d) access to the document could result in confusion or unnecessary debate.
Guidelines
Digital Transformation Agency
6
OFFICIAL
OFFICIAL
(5) In working out whether access to the document would, on balance, be contrary to the public
interest, an agency or Minister must have regard to any guidelines issued by the Information
Commissioner for the purposes of this subsection under section 93A.
In assessing how section 11A and 11B of the FOI Act applies, I have considered that COVIDSafe app
data is protected under the Privacy Act. This data is stored and protected within the National
COVIDSafe Data Store. The requested documents will provide insights into the National COVIDSafe
Data Store’s system infrastructure that stores COVIDSafe app data. The system architecture detail
that can be derived from the release of these documents would present an unreasonable risk to the
protection of COVIDSafe app data.
Although release of documents under the FOI Act is part of the DTA Chief Executive Officer’s (CEO’s)
functions, the seriousness of the penalties which can be imposed for breaches of COVIDSafe app
data under Privacy Act in indicates that Parliament intended that COVIDSafe app data and the
National COVIDSafe Data Store be strongly protected. I have therefore concluded that the release
of this information is not in the public interest.
Digital Transformation Agency
7
OFFICIAL
OFFICIAL
ATTACHMENT B – REVIEW RIGHTS
If you are dissatisfied with this decision, you have certain rights of review available to you.
Firstly, under section 54 of the FOI Act, you may apply to DTA for an internal review of the decision.
Your application must be made by whichever date is the later between:
• 30 days of you receiving this notice; or
• 15 days of you receiving the documents to which you have been granted access.
An internal review will be conducted by a different officer from the original decision-maker.
No particular form is required to apply for review although it will assist your case to set out in the
application the grounds on which you believe that the original decision should be overturned. An
application for a review of the decision should be addressed to: xxx@xxx.xxx.xx
If you choose to seek an internal review, you will subsequently have a right to apply to the Australian
Information Commissioner for a review of the internal review decision.
Review by the Australian Information Commissioner
Alternatively, under section 54L of the FOI Act, you may seek review of this decision by the
Australian Information Commissioner without first going to internal review. Your application must be
made within 60 days of you receiving this notice.
The Australian Information Commissioner is an independent office holder who may review decisions
of agencies and Ministers under the FOI Act. More information is available on the Australian
Information Commissioner's website www.oaic.gov.au.
You can contact the Information Commissioner to request a review of a decision online or by writing
to the Information Commission at:
Director of FOI Dispute Resolution
GPO Box 5218
SYDNEY NSW 2001
Complaints to the Australian Information Commissioner
You may complain to the Australian Information Commissioner about action taken in relation to your
request.
Your enquiries to the Australian Information Commissioner can be directed to:
Phone 1300 363 992 (local cal charge)
Email: xxxxxxxxx@xxxx.xxx.xx
There is no particular form required to make a complaint to the Australian Information
Commissioner. The request should be in writing and should set out the grounds on which it is
considered that the action taken in relation to the request should be investigated and identify the
DTA as the relevant agency.
Contacts
If you have any queries about this notice, please contact the FOI team by ema
il xxx@xxx.xxx.xx.
Digital Transformation Agency
8
OFFICIAL
