Download original attachment
(PDF file)

This is an HTML version of an attachment to the Freedom of Information request 'MyGovID: source code and technical documentation'.


 
 
GPO Box 4889 Sydney, NSW 2001 
 
 
 
 
 
 
 
 
 
Mr Fraser Tweedale 
Our reference:
1-Q1HU99Q
 
 
 
By email only:  
 
xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx 
 
28 July 2021
 
 
 
 
 
 
Dear Mr Tweedale 
 
 
Notice of intention to refuse your request for access to documents 1-Q1HU99Q 
 
I refer to your request for documents under the Freedom of Information Act 1982 (FOI Act) dated 13 July 
2021. 
 
I am an officer authorised under subsection 23(1) of the FOI Act to make decisions in relation to FOI 
requests.  
 
I am writing to tell you that I believe the work involved in processing your request in its current form would 
substantially and unreasonably divert the resources of the ATO from its other operations. This is called a 
‘practical refusal reason’ (section 24AA of the FOI Act). 
 
On this basis, I intend to refuse you access to the documents requested. However, before I make a final 
decision to do this, you have an opportunity to revise your request. This is called a ‘request consultation 
process’ as set out in section 24AB of the FOI Act. You have 14 days to respond to this notice in one of the 
ways set out below. 
 
Your request 
 
The scope of your FOI request is as follows: 
 
(1). Source code of the MyGovID iOS and Android apps, and server applications that form part of the MyGovID 
system, including build scripts, manifests, software license terms, and media assets (icons, audio files, etc). 
 
(2). Technical documentation about the MyGovID system, such as API documentation, architecture diagrams, 
security assessments, technical presentation slides, "whitepapers" and similar documents. 
 
This request effectively covers documents spanning from the time development of the program 
commenced (approximately 2015) to today. 
 
Practical Refusal reason 
 
Section 24 of the FOI Act provides that, if an agency is satisfied that a practical refusal reason exists in 
relation to a request, the agency must undertake a request consultation process under section 24AB of the 
 
FOI Act. If, after the request consultation process, the agency is satisfied that the practical refusal reason 
still exists, the agency may refuse to give access to any documents in accordance with the request.  
 
Section 24AA of the FOI Act defines the circumstances in which a practical refusal reason exists. Subsection 
24AA(1)  provides  that  for  the  purposes  of  section  24,  a  practical  refusal  reason  exists  in  relation  to  a 
document if the work involved in processing the request would substantially and unreasonably divert the 
resources of the agency from its other operations.  
 
Subsection 24AA(2) of the FOI Act provides that, in deciding whether a practical refusal reason exists, an 
agency must have regard to resources used for: 
  identifying, locating or collating the documents within the filing system of the agency; 
  deciding whether to grant, refuse or defer access to a document to which the request relates, or to 
grant access to an edited copy of such a document; 
  making a copy, or an edited copy, of the document; 
  notifying any interim or final decision on the request.  
I have made initial enquiries with the most relevant business area of the ATO and have decided a practical 
refusal reason exists.  
 
Identifying, locating and collating documents within the scope of your request 
 
I understand the documents would likely include PDFs, emails, spreadsheets and extracts from databases. 
While  the  business  area  is  uncertain  as  to  exact  number  of  documents  that  would  be  captured  by  your 
request,  they  would  at  least  number  in  the  hundreds,  and  potentially  into  the  thousands.  Each  of  those 
documents would range in size from a couple of pages to a couple of hundred pages.  
 
Given the lengthy time frame over which the documents were developed, and the number of different 
systems that would need to be canvassed, they estimate it would take between one and three weeks to 
locate the documents required, and would require resources from both system architecture and security 
teams to complete the search.   
 
Deciding whether to grant access to documents 
 
Once documents are gathered, each page of each document would need to be reviewed for information 
that needs to be redacted. However, would not be as simple as reviewing each page in isolation, because 
while information on one page in of itself may be harmless, and information on another page when 
reviewed in isolation may also be considered harmless, combining the information on both pages could 
pose a cyber security risk. This means that each page will need to reviewed in isolation, and then against 
the other pages (in a simplistic example, for a 500 page document, page 1 will need to be reviewed by 
itself, and then against pages 2 – 500, then page 2 will need to be reviewed against pages  3 – 500).  
 
To complete a review of this magnitude would require resources (potentially multiple) from our IT security 
team working on reviewing these documents over a lengthy period. It is estimated this could take three or 
more months. These resources would be taken away from critical work securing the system from malicious 
damage or the intent to commit fraud against individuals or the Commonwealth.  
 
Impact on the ATO’s operations 
 
In addition to the above, the ATO is currently in a critical phase of the myGovID project, with a major 
upcoming release. Resources would be taken from completing critical build and security work that would 
potentially jeopardise the delivery of the next major release, and put at risk the Federal Government’s 
delivery schedule for the digital identity ecosystem, including the schedules for relying services such as 
Services Australia’s myGov. 
 
Page 2 of 4 
I consider that the onerous search and col ation process that would need to be undertaken by these ATO 
officers would substantially and unreasonably divert these officers from their usual duties, as would the 
consultation process. 
 
For the reasons outlined above, I have decided that processing your request in its current form would 
amount to a substantial and unreasonable diversion of ATO resources. As such, I am satisfied that a 
practical refusal reason exists in relation to your request. 
 
Request consultation process 
 
You now have an opportunity to revise your request to enable it to proceed. 
 
As I am unfamiliar with the intricacies of the subject matter your request for documents relates to, at best I 
could make rough guesses as to what documents you require access to and make general suggestions on 
how to refine your request. However, to best assist you, I invite you to identify exactly what documents you 
require access to.   
 
The fol owing are examples of ways you may narrow your request to make it more manageable: 
•  provide a limited time period for which you seek documents; 
•  narrow the scope of your request to more specific issue/s or topic/s/. 
 
Please note that even if you agree to these suggestions they may not, by themselves, sufficiently reduce 
the scope of your request so as to remove the practical refusal reason. 
 
Before the end of the consultation period, you must do one of the fol owing, in writing: 
•  withdraw your request 
•  make a revised request, or 
•  tel  us that you do not wish to revise your request. 
The consultation period runs for 14 days and starts on the day after you receive this notice. During this 
period you are welcome to seek assistance from me, the contact person for the purposes of this request 
consultation process. If you revise your request in a way that adequately addresses the practical refusal 
grounds outlined above, I wil  recommence processing it. Please note that the time taken to consult you 
regarding the scope of your request is not taken into account for the purposes of the statutory time limit 
for processing your request. 
 
If you do not do one of the three things listed above during the consultation period, or you do not consult 
the contact person during this period, your request wil  be taken to have been withdrawn. 
 
If you need more time to respond to this notice, please contact me within the 14 day consultation period to 
discuss your need for an extension of time. 
 
Previously released information 
 
You may wish to consider that the ATO has previously processed and granted access to documents that 
relate to the Trusted Digital Identity Framework's accreditation process of myGovID. Copies of these 
documents can be found on the ATO’s FOI Disclosure Log at http://foi.iorder.com.au/ (search reference 
number 1-MH44ZTM). 
 
Nominated contact 
 
I am the nominated contact person with whom you may consult during this period. You can contact me via 
email to xxx@xxx.xxx.xx. 
Page 3 of 4 

 
Extension of time request 
 
Should you respond to this notice with a revised scope that would not require an unreasonable diversion of 
ATO resources to process, I will need likely further time to then process it.  
 
As such, I seek your consent to a 30 day extension of time pursuant to section 15AA of the FOI Act. If you 
agree, please advise by email to xxx@xxx.xxx.xx.  
 
Yours Sincerely  
 
 
R Durnan 
Senior Lawyer 
ATO General Counsel 
Australian Taxation Office 
Page 4 of 4