Our reference: FOI 21/22-1290
GPO Box 700
Canberra ACT 2601
1800 800 110
23 May 2022
ndis.gov.au
Lesley
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Lesley
Freedom of Information request — Notification of Decision
Thank you for your correspondence of 23 March 2022, in which you requested access to
documents held by the National Disability Insurance Agency (NDIA), under the
Freedom of
Information Act 1982 (FOI Act).
The purpose of this letter is to provide you with a decision on your request.
Scope of your request
You have requested access to documents about the National Disability Insurance Scheme
(NDIS). Specifically, you requested access to:
…a copy of all Salesforce communication to the NDIA related to the security
vulnerability Apache Log4j2, post 13 Dec 21. Including any formal
statement/declaration that all NDIA data is secure and protected within Salesforce,
since 13 Dec 21. Preferably not more marketing holding statements.
Extension of time
On 21 April 2022, we wrote to you advising a 30-day extension of time was required to
consult with a third party, bringing the new due date to 22 May 2022.
I apologise for the delay in providing you with a decision.
Decision on access to documents
I am authorised to make decisions under section 23(1) of the FOI Act. My decision on your
request and the reasons for my decision are set out below.
I have identified 6 documents, which fall within the scope of your request.
The documents were identified by conducting searches of NDIA’s systems, using all
reasonable search terms that could return documents relevant to your request, and
consulting with relevant NDIA staff who could be expected to be able to identify documents
within the scope of the request.
I have decided to 6 documents in part.
In reaching my decision, I took into account the following materials:
• your correspondence outlining the scope of your request
• the nature and content of the documents falling within the scope of your request
• the FOI Act
• the FOI Guidelines published under section 93A of the FOI Act
• consultation with relevant NDIA staff
1
• factors relevant to my assessment of whether or not disclosure would be in the public
interest
• the NDIA’s operating environment and functions.
Access to edited copies with exempt or irrelevant material deleted (section 22)
I have decided that documents 1-6 contain material that is exempt from disclosure under the
FOI Act.
I have also identified that documents falling within the scope of your request contain material
that is irrelevant to your request. The irrelevant material relates to names and contact details
of staff and information which is not relevant to the subject matter of your request.
In accordance with section 22 of the FOI Act, I have considered whether it is possible to
delete the exempt and irrelevant material from the documents and have concluded that it is
reasonably practicable to do so. Accordingly, I have prepared an edited copy of the
documents with the exempt and irrelevant material removed.
Reasons for decision
Personal privacy (section 47F)
Section 47F of the FOI Act conditionally exempts a document if its disclosure would involve
the unreasonable disclosure of personal information about any person (including a deceased
person).
I have identified material in the documents falling within scope of your request which
contains personal information of a third party / third parties.
Under section 47F(2) of the FOI Act, in determining whether the disclosure of documents 1-6
would involve unreasonable disclosure of personal information, regard must be had to:
a. the extent to which the information is well known;
b. whether the person to whom the information relates is known to be (or to have been)
associated with the matters dealt with in the document;
c. the availability of the information from publicly accessible sources; and
d. any other matters that the agency considers relevant.
Against these criteria, I take the view that:
a. it is apparent from the information that an individual is identifiable; and
b. the information referred to above is not readily available from publicly accessible
sources.
With reference to the assessment above, it would be unreasonable to disclose publicly this
personal information and is therefore conditionally exempt under section 47F(1) of the FOI
Act.
Public interest considerations – section 47F
Section 11A(5) of the FOI Act provides that access to a document covered by a conditional
exemption must be provided unless disclosure would be contrary to the public interest.
I have not considered any of the irrelevant factors as set out under section 11B(4) of the FOI
Act in making this decision.
In favour of disclosure, I have considered the factors outlined in section 11B(3) of the FOI
Act and I have determined that disclosure of the information in Documents 1-6 would
promote the objects of the FOI Act by providing access to information held by the
government.
2
Against disclosure, I consider that disclosure of the information in Documents 1-6:
• would not contribute to the publication of information of sufficient public interest to justify
the likely harm caused by release;
• would not enhance Australia’s representative democracy in the ways described in
section 11B(3) of the FOI Act; and
• would not inform any debate on a matter of public importance or promote oversight of
public expenditure.
While there is limited public interest in the disclosure of information conditionally exempt
under section 47F of the FOI Act, the harm that would result from disclosure is that it could
reasonably be expected to affect an individual’s right to privacy by having their personal
information in the public domain.
In summary, I am satisfied that the factors against disclosure of the information outweigh the
factors in favour of disclosure and that, on balance, it would be contrary to the public interest
to release this information to you.
Release of documents
The documents for release, as referred to in the Schedule of Documents at
Attachment A,
are enclosed.
Rights of review
Your rights to seek a review of my decision, or lodge a complaint, are set out at
Attachment B.
Should you have any enquiries concerning this matter, please do not hesitate to contact me
by email at
xxx@xxxx.xxx.xx.
Yours sincerely
Kylie
Acting Assistant Director FOI
Parliamentary, Ministerial & FOI Branch
Government Division
3
Attachment A
Schedule of Documents for FOI 21/22-1290
Document Page
Description
Access Decision
Comments
number
number
1
1-3
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: CAUTION: Email may contain
under section 22 of the FOI
unverified link [be careful if proceeding]Re: Exemption(s) claimed:
Act.
Log4j2 vulnerability
s47F – personal privacy
Date: 15 December 2021
2
4
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: ACTION REQUIRED: MuleSoft
under section 22 of the FOI
Security Update
Exemption(s) claimed:
Act.
s47F – personal privacy
Date: 16 December 2021
3
5
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: ACTION REQUIRED: MuleSoft
under section 22 of the FOI
Security Update
Exemption(s) claimed:
Act.
s47F – personal privacy
Date: 16 December 2021
4
6
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: ACTION REQUIRED: MuleSoft
under section 22 of the FOI
Security Update
Exemption(s) claimed:
Act.
s47F – personal privacy
Date: 16 December 2021
4
5
7
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: ACTION REQUIRED: MuleSoft
under section 22 of the FOI
Security Update
Exemption(s) claimed:
Act.
s47F – personal privacy
Date: 16 December 2021
6
8
Email
PARTIAL ACCESS
Irrelevant material removed
Subject: ACTION REQUIRED: MuleSoft
under section 22 of the FOI
Security Update
Exemption(s) claimed:
Act.
s47F – personal privacy
Date: 16 December 2021 – 1:02:25am
5
Attachment B
Your review rights
Internal Review
The FOI Act gives you the right to apply for an internal review of this decision. The review
wil be conducted by a different person to the person who made the original decision.
If you wish to seek an internal review of the decision, you must apply for the review, in
writing, within 30 days of receipt of this letter.
No particular form is required for an application for internal review, but to assist the review
process, you should clearly outline your grounds for review (that is, the reasons why you
disagree with the decision). Applications for internal review can be lodged by email to
xxx@xxxx.xxx.xx or sent by post to:
Freedom of Information Section
Parliamentary, Ministerial & FOI Branch
Government Division
National Disability Insurance Agency
GPO Box 700
CANBERRA ACT 2601
Review by the Office of the Australian Information Commissioner
The FOI Act also gives you the right to apply to the Office of the Australian Information
Commissioner (OAIC) to seek a review of this decision.
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in
writing, or by using the online merits review form available on the OAIC’s website at
www.oaic.gov.au, within 60 days of receipt of this letter.
Applications for review can be lodged with the OAIC in the following ways:
Online:
www.oaic.gov.au
Post:
GPO Box 5218, Sydney NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Phone:
1300 363 992 (local call charge)
Complaints to the Office of the Australian Information Commissioner or the
Commonwealth Ombudsman
You may complain to either the Commonwealth Ombudsman or the OAIC about actions
taken by the NDIA in relation to your request. The Ombudsman wil consult with the OAIC
before investigating a complaint about the handling of an FOI request.
Your complaint to the OAIC can be directed to the contact details identified above. Your
complaint to the Ombudsman can be directed to:
Phone: 1300 362 072 (local call charge)
Email:
xxxxxxxxx@xxxxxxxxx.xxx.xx
Your complaint should be in writing and should set out the grounds on which it is considered
that the actions taken in relation to the request should be investigated
1