GPO Box 4889 Sydney, NSW 2001
Mr Fraser Tweedale
Our reference:
1-Q1HU99Q
By email only:
xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
28 July 2021
Dear Mr Tweedale
Notice of intention to refuse your request for access to documents 1-Q1HU99Q
I refer to your request for documents under the Freedom of Information Act 1982 (FOI Act) dated 13 July
2021.
I am an officer authorised under subsection 23(1) of the FOI Act to make decisions in relation to FOI
requests.
I am writing to tell you that I believe the work involved in processing your request in its current form would
substantially and unreasonably divert the resources of the ATO from its other operations. This is called a
‘practical refusal reason’ (section 24AA of the FOI Act).
On this basis, I intend to refuse you access to the documents requested. However, before I make a final
decision to do this, you have an opportunity to revise your request. This is called a ‘request consultation
process’ as set out in section 24AB of the FOI Act. You have
14 days to respond to this notice in one of the
ways set out below.
Your request
The scope of your FOI request is as follows:
(1). Source code of the MyGovID iOS and Android apps, and server applications that form part of the MyGovID
system, including build scripts, manifests, software license terms, and media assets (icons, audio files, etc).
(2). Technical documentation about the MyGovID system, such as API documentation, architecture diagrams,
security assessments, technical presentation slides, "whitepapers" and similar documents.
This request effectively covers documents spanning from the time development of the program
commenced (approximately 2015) to today.
Practical Refusal reason
Section 24 of the FOI Act provides that, if an agency is satisfied that a practical refusal reason exists in
relation to a request, the agency must undertake a request consultation process under section 24AB of the
FOI Act. If, after the request consultation process, the agency is satisfied that the practical refusal reason
still exists, the agency may refuse to give access to any documents in accordance with the request.
Section 24AA of the FOI Act defines the circumstances in which a practical refusal reason exists. Subsection
24AA(1) provides that for the purposes of section 24, a practical refusal reason exists in relation to a
document if the work involved in processing the request would substantially and unreasonably divert the
resources of the agency from its other operations.
Subsection 24AA(2) of the FOI Act provides that, in deciding whether a practical refusal reason exists, an
agency must have regard to resources used for:
identifying, locating or collating the documents within the filing system of the agency;
deciding whether to grant, refuse or defer access to a document to which the request relates, or to
grant access to an edited copy of such a document;
making a copy, or an edited copy, of the document;
notifying any interim or final decision on the request.
I have made initial enquiries with the most relevant business area of the ATO and have decided a practical
refusal reason exists.
Identifying, locating and collating documents within the scope of your request
I understand the documents would likely include PDFs, emails, spreadsheets and extracts from databases.
While the business area is uncertain as to exact number of documents that would be captured by your
request, they would at least number in the hundreds, and potentially into the thousands. Each of those
documents would range in size from a couple of pages to a couple of hundred pages.
Given the lengthy time frame over which the documents were developed, and the number of different
systems that would need to be canvassed, they estimate it would take between one and three weeks to
locate the documents required, and would require resources from both system architecture and security
teams to complete the search.
Deciding whether to grant access to documents
Once documents are gathered, each page of each document would need to be reviewed for information
that needs to be redacted. However, would not be as simple as reviewing each page in isolation, because
while information on one page in of itself may be harmless, and information on another page when
reviewed in isolation may also be considered harmless, combining the information on both pages could
pose a cyber security risk. This means that each page will need to reviewed in isolation, and then against
the other pages (in a simplistic example, for a 500 page document, page 1 will need to be reviewed by
itself, and then against pages 2 – 500, then page 2 will need to be reviewed against pages 3 – 500).
To complete a review of this magnitude would require resources (potentially multiple) from our IT security
team working on reviewing these documents over a lengthy period. It is estimated this could take three or
more months. These resources would be taken away from critical work securing the system from malicious
damage or the intent to commit fraud against individuals or the Commonwealth.
Impact on the ATO’s operations
In addition to the above, the ATO is currently in a critical phase of the myGovID project, with a major
upcoming release. Resources would be taken from completing critical build and security work that would
potentially jeopardise the delivery of the next major release, and put at risk the Federal Government’s
delivery schedule for the digital identity ecosystem, including the schedules for relying services such as
Services Australia’s myGov.
Page 2 of 4
I consider that the onerous search and col ation process that would need to be undertaken by these ATO
officers would substantially and unreasonably divert these officers from their usual duties, as would the
consultation process.
For the reasons outlined above, I have decided that processing your request in its current form would
amount to a substantial and unreasonable diversion of ATO resources. As such, I am satisfied that a
practical refusal reason exists in relation to your request.
Request consultation process
You now have an opportunity to revise your request to enable it to proceed.
As I am unfamiliar with the intricacies of the subject matter your request for documents relates to, at best I
could make rough guesses as to what documents you require access to and make general suggestions on
how to refine your request. However, to best assist you, I invite you to identify exactly what documents you
require access to.
The fol owing are examples of ways you may narrow your request to make it more manageable:
• provide a limited time period for which you seek documents;
• narrow the scope of your request to more specific issue/s or topic/s/.
Please note that even if you agree to these suggestions they may not, by themselves, sufficiently reduce
the scope of your request so as to remove the practical refusal reason.
Before the end of the consultation period, you must do one of the fol owing, in writing:
• withdraw your request
• make a revised request, or
• tel us that you do not wish to revise your request.
The consultation period runs for 14 days and starts on the day after you receive this notice. During this
period you are welcome to seek assistance from me, the contact person for the purposes of this request
consultation process. If you revise your request in a way that adequately addresses the practical refusal
grounds outlined above, I wil recommence processing it. Please note that the time taken to consult you
regarding the scope of your request is not taken into account for the purposes of the statutory time limit
for processing your request.
If you do not do one of the three things listed above during the consultation period, or you do not consult
the contact person during this period, your request wil be taken to have been withdrawn.
If you need more time to respond to this notice, please contact me within the 14 day consultation period to
discuss your need for an extension of time.
Previously released information
You may wish to consider that the ATO has previously processed and granted access to documents that
relate to the Trusted Digital Identity Framework's accreditation process of myGovID. Copies of these
documents can be found on the ATO’s FOI Disclosure Log
at http://foi.iorder.com.au/ (search reference
number 1-MH44ZTM).
Nominated contact
I am the nominated contact person with whom you may consult during this period. You can contact me via
email t
o xxx@xxx.xxx.xx.
Page 3 of 4
Extension of time request
Should you respond to this notice with a revised scope that would not require an unreasonable diversion of
ATO resources to process, I will need likely further time to then process it.
As such, I seek your consent to a 30 day extension of time pursuant to section 15AA of the FOI Act. If you
agree, please advise by email to xxx@xxx.xxx.xx.
Yours Sincerely
R Durnan
Senior Lawyer
ATO General Counsel
Australian Taxation Office
Page 4 of 4