If not delivered return to PO Box 7820 Canberra BC ACT 2610
11 November 2021
Our reference: LEX 64833
Mr Fraser Tweedale
Only by email
: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Mr Tweedale,
Decision on your Freedom of Information Request
I refer to your correspondence dated 12 October 2021, seeking internal review of the
decision made by Services Australia (the agency) on 13 September 2021 in relation to your
request for access to documents under the Freedom of Information Act 1982 (the FOI Act)
(the original decision).
Summary of my internal review decision
Consistent with the requirements of section 54C(2) of the FOI Act, I have made a ‘fresh’
decision.
I am satisfied that the documents are exempt under the FOI Act. Furthermore, I have
decided on balance it would be contrary to the public interest to release this information.
Please see the schedule at Attachment A to this letter for a detailed list of the documents
and the reasons for my decision, including the relevant sections of the FOI Act.
You can ask for a review of our decision
If you disagree with any part of this decision you can ask for an external review by the Office
of the Australian Information Commissioner. See Attachment B for more information about
how to request a review.
Further assistance
If you have any questions please email xxx.xxxxx.xxxx@xxxxxxxxxxxxxxxxx.xxx.xx.
Yours sincerely
Hannah
Authorised FOI Decision Maker
Freedom of Information Team
Information Access Branch | Legal Services Division
Services Australia
Attachment A
SCHEDULE OF DOCUMENTS
TWEEDALE, Fraser (RIGHT TO KNOW) - LEX 64833
| Doc No. | Description | Decision | FOI Act Exemption | Comments |
|---|---|---|---|---|
| 1. | Source Code | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 2. | Source Code | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 3. | Proposed Solution Brief | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 4. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 5. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 6. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 7. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 8. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 9. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 10. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 11. | Use Case Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
| 12. | API Documentation | Exempt in full | s 47E(d) | Information that would have a substantial adverse effect on the proper and efficient conduct of the operations of the agency (section 47E(d)). |
REASONS FOR DECISION
What you requested
On 13 July 2021, you made a request under the FOI Act for access to the following:
‘(1). Source code of the myGov Code Generator iOS and Android apps, including
build scripts, manifests, software license terms, and media assets (icons, audio files,
etc).
(2). Technical documentation describing the operation of the myGov Code Generator
app, such as design documents, architecture diagrams, API documentation, security
assessments, technical presentation slides, and similar documents.
If it assists in the expeditious processing of my request, source code may be
delivered as a "snapshot" or export of source repositories, in ZIP, "tarball" or similar
format. However, the full development history is preferred.’
On 13 September 2021, the agency provided you with the original decision, refusing access
in full to 12 documents.
On 12 October 2021, you requested an internal review of the original decision.
You made extensive submissions in support of your request stating, in summary, that release
of the source code would not pose significant security risks and outlining additional public
interest factors in favour of disclosure of the documents.
What I took into account
In reaching my decision I took into account:
• your original request dated 13 July 2021;
• the documents that fall within the scope of your request;
• your submissions dated 12 October 2021;
• whether release of the material is in the public interest;
• consultations with agency officers about:
o the nature of the documents;
o the agency's operating environment and functions;
• guidelines issued by the Australian Information Commissioner under section 93A of
the FOI Act (the Guidelines); and
• the FOI Act.
Reasons for my decisions
I am authorised to make decisions under section 23(1) of the FOI Act.
I have decided that the documents you requested are exempt under the FOI Act. My
findings of fact and reasons for deciding that the relevant exemption applies to those
documents are discussed below.
Operations of the Agency
I have applied the conditional exemption in section 47E(d) to the documents.
This section of the FOI Act allows the agency to redact material from a document if its
disclosure would have a serious or significant effect on the agency’s ability to conduct its
operations efficiently and properly.
The documents in question contain information on source code and other technical
documentation relating to the myGov Code Generator application. I am satisfied this
information is relevant to the operations and management of programs administered by the
agency, and therefore relevant to the conduct of the agency’s operations.
I have considered your submissions regarding the nature of the documents and your
contentions that (in summary):
• source code and technical documentation is not a prerequisite to developing
counterfeit applications or finding vulnerabilities or security risks in the software;
• distribution via ‘app stores’ offers a level of safeguarding against counterfeit
applications and your assertion that users will largely download the app from an
‘app store’;
• the original decision did not provide you with sufficient information to adequately
describe the predicted effect of disclosure, and the reasons given were generic
to all documents rather than individual documents.
Whilst the release of source code and technical documentation is not a prerequisite for the
development of counterfeit applications, or for members of the public to find vulnerabilities
with the software, I consider that providing the exempt material to you would negatively affect
the conduct of the operations of the agency. Having regard to the content of the documents
and advice from subject matter experts from within the agency, I have found that the release
of the information could have a serious and significant effect on the agency’s ability to
conduct its operations efficiently and properly.
This is because the information contained within the documents is not publicly available, and
disclosure of the information would significantly increase the risk of others creating
counterfeit applications. Disclosure would also allow nefarious actors to circumvent security
features and potentially gain unauthorised access to third party information.
In my view, the fact that the applications are distributed via ‘app stores’ which list the
publisher of the application does not mitigate the significant risks outlined above, given that
the agency provides services to the most vulnerable members of the Australian community
who have varying levels of technological literacy.
Having carefully reviewed all of the material falling within scope of the request I am satisfied
that release of the documents would disclose information about the code and technical
information for the myGOV code generator application and put the agency at risk of
counterfeiting and unauthorised access, leaving the agency vulnerable to cyber-attack and
privacy breaches.
Public interest considerations
Access to conditionally exempt material must be given unless I am satisfied it would not be in
the public interest to do so.
I have considered your contentions that there are additional public interest considerations
favouring disclosure of the documents.
I agree with the following public interest considerations you outlined favouring disclosure:
• promote the objects of the FOI Act, including:
o increase public participation in Government processes; and
o increase recognition that information held by the Government is to be
managed for public purposes, and is a national resource.
• inform debate on a matter of public importance
• contribute to innovation and the facilitation of research
• ensure compliance with Digital Service Standard.
In relation to your submission that the release of the source code would promote effective
oversight of public expenditure, I find that the release of the source code would not contribute
to this in any significant way. I find that the published product and the expenditure used to
create that product are more relevant to this point, and that much of this information is
already available in the public domain.
In your submission you contend that the release of the source code would advance the fair
treatment of individuals and other entities in accordance with the law in their dealings with
agencies. Your submission also contends that release of the source code may facilitate
further accessibility of the application, allowing members of the public to more easily engage
with the agency. However, given the significant security and privacy risks I have identified
above, I do not find that creating any copy or imitation application would reasonably be
considered to advance the fair treatment of members of the public engaging with the agency.
I also consider that release of information relating to the source code and technical
information in the myGOV code generator application would more likely than not:
• prejudice the agency’s ability to properly and efficiently deliver services to the
public;
• prejudice the agency’s ability to meet its obligations to customers under the
Privacy Act 1988 (Cth);
• prejudice the integrity of the myGov Code Generator application; and
• prejudice the security of the agency’s computer systems.
On balance, I find the public interest factors in favour of disclosing the material are
outweighed by the public interest factors against disclosure.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI
Act in making this decision.
Attachment B
INFORMATION ON RIGHTS OF REVIEW
FREEDOM OF INFORMATION ACT 1982
Asking for a full explanation of a Freedom of Information decision
Before you ask for a formal review of a FOI decision, you can contact us to discuss your
request. We will explain the decision to you. This gives you a chance to correct
misunderstandings.
Asking for a formal review of a Freedom of Information decision
If you still believe a decision is incorrect, the Freedom of Information Act 1982 (FOI Act)
gives you the right to apply for a review of the decision. Under sections 54 and 54L of the
FOI Act, you can apply for a further review of an FOI decision by the Australian Information
Commissioner.
Applying for external review by the Australian Information Commissioner
If you do not agree with the original decision or the internal review decision, you can ask the
Australian Information Commissioner to review the decision.
If you do not receive a decision from an Internal Review Officer in the agency within 30 days
of applying, you can ask the Australian Information Commissioner for a review of the original
FOI decision.
You will have 60 days to apply in writing for a review by the Australian Information
Commissioner.
You can lodge your application:
Online: www.oaic.gov.au
Post: Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Email: xxxxxxxxx@xxxx.xxx.xx
Note 3: The Office of the Australian Information Commissioner generally prefers FOI
applicants to seek internal review before applying for external review by the Australian
Information Commissioner.
Important:
• If you are applying online, the application form the 'Merits Review Form' is available
at www.oaic.gov.au.
• If you have one, you should include with your application a copy of the Services
Australia decision on your FOI request
• Include your contact details
• Set out your reasons for objecting to the agency's decision.
Complaints to the Australian Information Commissioner and Commonwealth
Ombudsman
Australian Information Commissioner
You may complain to the Australian Information Commissioner concerning action taken by
an agency in the exercise of powers or the performance of functions under the FOI Act.
There is no fee for making a complaint. A complaint to the Australian Information
Commissioner must be made in writing. The Australian Information Commissioner's contact
details are:
Telephone: 1300 363 992
Website: www.oaic.gov.au
Commonwealth Ombudsman
You may also complain to the Commonwealth Ombudsman concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act. There is
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be
made in person, by telephone or in writing. The Commonwealth Ombudsman's contact
details are:
Phone: 1300 362 072
Website: www.ombudsman.gov.au
The Commonwealth Ombudsman generally prefers applicants to seek review before
complaining about a decision.