PO Box 7820 Canberra BC ACT 2610
13 September 2021
Our reference: LEX 63435
Mr Fraser Tweedale
Only by email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Mr Tweedale
Decision on your Freedom of Information Request
I refer to your request to Services Australia (the agency) dated 13 July 2021 for access under
the
Freedom of Information Act 1982 (FOI Act) to the following documents:
(1). Source code of the myGov Code Generator iOS and Android apps, including
build scripts, manifests, software license terms, and media assets (icons, audio files,
etc).
(2). Technical documentation describing the operation of the myGov Code Generator
app, such as design documents, architecture diagrams, API documentation, security
assessments, technical presentation slides, and similar documents.
If it assists in the expeditious processing of my request, source code may be
delivered as a "snapshot" or export of source repositories, in ZIP, "tarball" or similar
format. However, the full development history is preferred.
My decision
The agency holds 12 documents that relate to your request.
I have decided to
refuse access to these documents (documents 1 - 12).
I have decided the documents you have requested are exempt in their entirety under the FOI
Act on the basis disclosure of the documents would, or could reasonably be expected to,
have a substantial adverse effect on the proper and efficient conduct of the operations of the
agency and release is contrary to the public interest (section 47E(d) of the FOI Act).
Please see the schedule at Attachment A to this letter for a detailed list of the documents and
the reasons for my decision, including the relevant sections of the FOI Act.
You can ask for a review of our decision
If you disagree with any part of the decision you can ask for a review. There are two ways
you can do this. You can ask for an internal review from within the agency, or an external
review by the Office of the Australian Information Commissioner. You do not have to pay for
a review of the decision. See At achment B for more information about how to request a
review.
PAGE 1 OF 10
Further assistance
If you have any questions please email
xxx.xxxxx.xxxx@xxxxxxxxxxxxxxxxx.xxx.xx.
Yours sincerely
Philippa
Authorised FOI Decision Maker
Freedom of Information Team
Information Access Branch | Legal Services Division
Services Australia
PAGE 2 OF 10
Attachment A
SCHEDULE OF DOCUMENTS
TWEEDALE, Fraser (Right to Know) - LEX 63435
Doc
Description
Decision
Exemption
Comments
No.
1. S
ource Code
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
2. S
ource Code
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
3. Pr oposed Solution Brief
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
4. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
5. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
6. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
7. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
PAGE 3 OF 10
Doc
Description
Decision
Exemption
Comments
No.
8. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
9. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
10. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
11. Us e Case Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
12. A
PI Documentation
Exempt in full
s 47E(d)
Information that would have a substantial adverse effect on the proper and
efficient conduct of the operations of the agency (section 47E(d)).
PAGE 4 OF 10
REASONS FOR DECISION
What you requested
(1). Source code of the myGov Code Generator iOS and Android apps, including
build scripts, manifests, software license terms, and media assets (icons, audio files,
etc).
(2). Technical documentation describing the operation of the myGov Code Generator
app, such as design documents, architecture diagrams, API documentation, security
assessments, technical presentation slides, and similar documents.
If it assists in the expeditious processing of my request, source code may be
delivered as a "snapshot" or export of source repositories, in ZIP, "tarball" or similar
format. However, the full development history is preferred.
What I took into account
In reaching my decision I took into account:
• your request dated 13 July 2021
• the documents that fall within the scope of your request
• whether the release of material is in the public interest
• consultations with agency officers about:
o the nature of the documents
o the agency's operating environment and functions
• guidelines issued by the Australian Information Commissioner under section 93A of
the FOI Act (the Guidelines), and
• the FOI Act.
Reasons for my decisions
I am authorised to make decisions under section 23(1) of the FOI Act.
Section 47E(d) of the FOI Act – operations of the agency
I have applied the conditional exemption in section 47E(d) of the FOI Act to documents 1 –
12.
Section 47E(d) of the FOI Act provides:
A document is conditionally exempt if its disclosure under this Act would, or could
reasonably be expected to have a substantial adverse effect on the proper and
efficient conduct of the operations of an agency.
PAGE 5 OF 10
link to page 6 link to page 6
Proper and efficient conduct of the operations of an agency
In
Re James and Australian National University (1984) 6 ALD 687 (Re James) the phrase
‘conduct of operations’ was interpreted to extend ‘to the way in which an agency discharges
or performs any of its functions.’
The agency is responsible for the delivery of advice and high-quality, accessible social,
health and child support services and payments through the Medicare, Centrelink and Child
Support programs. In order to undertake its core functions, the agency uses myGov, which is
a simple, secure way for customers to access government online services. This includes
linking and accessing government services, accessing letters and messages, and updating
personal information while being confident their personal information is secure.
Relevant to the above, the myGov Code Generator app creates a one-time access code
customers can use to sign into their myGov account, instead of using secret questions and
answers or SMS codes. This app gives myGov customers a secure option to sign into their
myGov account, especially for customers who are not able to receive an SMS code.
I am satisfied the information contained in the documents is relevant to the implementation,
delivery and management of the myGov Code Generator app created by the agency, and
therefore is relevant to the conduct of the agency’s operations.
Could reasonably be expected to have a substantial adverse effect
Paragraph 5.20 of the Guidelines provides:
The term ‘substantial adverse effect’ broadly means ‘an adverse effect which is
sufficiently serious or significant to cause concern to a properly concerned
reasonable person’. The word ‘substantial’, taken in the context of substantial loss or
damage, has been interpreted as ‘loss or damage that is, in the circumstances, real
or of substance and not insubstantial or nominal’.
In Re James it was held the term ‘substantial adverse effect’ meant the effect had to be
‘serious’ or ‘significant’. Further, in
Re Thies and the Department of Aviation (1986) 9 ALD
454, the plurality held the term ‘connotes an adverse effect which is sufficiently serious or
significant to cause concern to a properly informed reasonable person’.
1
Further, paragraph 6.101 of the Guidelines provides:
… There must be more than merely an assumption or allegation that damage may
occur if the document were to be released.
Chief Justice Bowen and Beaumont J in A
ttorney-General’s Department v Cockcroft (1986)
64 ALR 97 held the words ‘could reasonably be expected to’ should hold their ordinary
meaning, that is, the decision maker should make a judgement as to whether it is
reasonable, ‘as distinct from something that is irrational, absurd or ridiculous’.
2
The myGov Code Generator app is critical to the proper and efficient delivery of government
services through myGov. The information within the documents, to which the conditional
exemption has been applied, includes source codes, API documentation, solution brief and
use case documentation. Release of this information could allow for duplication of the app
1 (1986) 9 ALD 545 at 463.
2 (1986) 64 ALR 97 at 107.
PAGE 6 OF 10
design, lead to an increase in phishing attacks, be reused and processed and ultimately
threaten the security of government information systems. I am satisfied release of the
information could reasonably be expected to increase the risk of unauthorised access to the
agency’s computer systems and customer records.
As the FOI Act does not control or restrict any subsequent use or dissemination of
information, disclosure is considered to be to the world at large. Disclosing the documents to
the world at large under the FOI process could reasonably be expected to increase the risk
of duplication of the design of the app, and further, result in this information being used by
nefarious actors to circumvent security features and allow access to personal information of
third parties. This in turn would have a substantial adverse effect on the proper and efficient
conduct of the operations of the agency by compromising myGov system security and
integrity, as well as the confidentiality of customers’ information and record keeping systems.
Public interest considerations
Section 11A(5) of the FOI Act provides:
The agency or Minister must give the person access to the document if it is
conditionally exempt at a particular time unless (in the circumstances) access to the
document at that time would, on balance, be contrary to the public interest.
When weighing up the public interest for and against disclosure under section 11A(5) of the
FOI Act, I have taken into account relevant factors in favour of disclosure. In particular, I
have considered the extent to which disclosure would promote the objects of the FOI Act.
I have also considered the relevant factors indicating access would be contrary to the public
interest. In particular, I have considered the extent to which disclosure could reasonably be
expected to:
• increase the likelihood that the information wil be used by nefarious actors, to
circumvent security features
• increase the risk that the myGov Code Generator app could be duplicated,
leading to a phishing attack on the agency or individuals.
• prejudice the agency’s ability to properly and efficiently deliver services to the
public
• prejudice the agency’s ability to meet its obligations under the
Privacy Act 1988
(Cth) (specifically, Australian Privacy Principal 11)
• prejudice the myGov Code Generator app’s integrity, and
• prejudice the security of the agency’s computer systems.
Based on these factors, I have decided in this instance, the public interest in disclosing
documents 1 – 12 in their entirety is outweighed by the public interest against disclosure of
the exempted material. This is because I considered there is a persuasive public interest in
ensuring the agency is able to efficiently provide services to the Australian public.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI
Act in making this decision.
PAGE 7 OF 10
Conclusion
In summary, I am satisfied documents 1 – 12 in their entirety, as set out in the Schedule, are
conditionally exempt under section 47E(d) of the FOI Act. Furthermore, I have decided on
balance it would be contrary to the public interest to release this information.
PAGE 8 OF 10
Attachment B
INFORMATION ON RIGHTS OF REVIEW
FREEDOM OF INFORMATION ACT 1982
Asking for a ful explanation of a Freedom of Information decision
Before you ask for a formal review of a FOI decision, you can contact us to discuss your
request. We wil explain the decision to you. This gives you a chance to correct
misunderstandings.
Asking for a formal review of an Freedom of Information decision
If you stil believe a decision is incorrect, the
Freedom of Information Act 1982 (FOI Act)
gives you the right to apply for a review of the decision. Under sections 54 and 54L of the
FOI Act, you can apply for a review of an FOI decision by:
1. an Internal Review Officer in Services Australia (the agency), and/or
2. the Australian Information Commissioner.
Note 1: There are no fees for these reviews.
Applying for an internal review by an Internal Review Officer
If you apply for internal review, a different decision maker to the agency delegate who made
the original decision wil carry out the review. The Internal Review Officer wil consider all
aspects of the original decision and decide whether it should change. An application for
internal review must be:
• made in writing
• made within 30 days of receiving this letter
• sent to the address at the top of the first page of this letter.
Note 2: You do not need to fil in a form. However, it is a good idea to set out any relevant
submissions you would like the Internal Review Officer to further consider, and your reasons
for disagreeing with the decision.
Applying for external review by the Australian Information Commissioner
If you do not agree with the original decision or the internal review decision, you can ask the
Australian Information Commissioner to review the decision.
If you do not receive a decision from an Internal Review Officer in the agency within 30 days
of applying, you can ask the Australian Information Commissioner for a review of the original
FOI decision.
You wil have 60 days to apply in writing for a review by the Australian Information
Commissioner.
PAGE 9 OF 10
You can
lodge your application:
Online:
www.oaic.gov.au
Post:
Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Note 3: The Of ice of the Australian Information Commissioner generally prefers FOI
applicants to seek internal review before applying for external review by the Australian
Information Commissioner.
Important:
• If you are applying online, the application form the 'Merits Review Form' is available
at
www.oaic.gov.au
• If you have one, you should include with your application a copy of the Services
Australia decision on your FOI request
• Include your contact details
• Set out your reasons for objecting to the agency's decision.
Complaints to the Australian Information Commissioner and Commonwealth
Ombudsman
Australian Information Commissioner
You may complain to the Australian Information Commissioner concerning action taken by
an agency in the exercise of powers or the performance of functions under the FOI Act,
There is no fee for making a complaint. A complaint to the Australian Information
Commissioner must be made in writing. The Australian Information Commissioner's contact
details are:
Telephone: 1300 363 992
Website:
www.oaic.gov.au
Commonwealth Ombudsman
You may also complain to the Commonwealth Ombudsman concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act. There is
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be
made in person, by telephone or in writing. The Commonwealth Ombudsman's contact
details are:
Phone: 1300 362 072
Website:
www.ombudsman.gov.au
The Commonwealth Ombudsman generally prefers applicants to seek review before
complaining about a decision.
PAGE 10 OF 10
Document Outline