Our reference: FOI 21/22-1320
GPO Box 700
Canberra ACT 2601
1800 800 110
ndis.gov.au
2 May 2022
Florence
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Florence
Freedom of Information request — Notification of Decision
Thank you for your correspondence of 28 March 2022, in which you requested access to
documents held by the National Disability Insurance Agency (NDIA), under the
Freedom of
Information Act 1982 (FOI Act).
The purpose of this letter is to provide you with a decision on your request.
Scope of your request
You have requested access to documents about the National Disability Insurance Scheme
(NDIS). Specifically, you requested access to:
“…
Please provide a copy of the NDIA's:
- Agency Security Plan (Physical, Security, Personnel, Information, etc)
- Security Quality Assurance Policy
- Personnel Security Policy
- Accountable Authority's expressed declaration the NDIA wil /won't follow the
Commonwealth Protective Security Policy Framework (PSPF)
Especially noting the NDIA's repeated reference and seeming benchmarking against the
PSPF over the past 2 years of the NDIA's Annual Reporting:
"Protective security: The Australian Government provides mandated requirements and
advice for corporate Commonwealth entities about their security requirements via the
Protective Security Policy Framework (PSPF) and Information Security Manual. New
PSPF arrangements came into effect on 1 July 2018." - NDIA Annual Report 2019–20,
page 48
https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ndis.gov.au
%2Fabout-us%2Fpublications%2Fannual-report%2Fannual-report-2019-
1
20&data=04%7C01%7Cfoi%40ndisgovau.mail.onmicrosoft.com%7C29b776a9e6cb
4cb2cec908da109525b0%7Ccd778b65752d454a87cfb9990fe58993%7C0%7C0%7C63
7840530437036146%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIj
oiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=V85I51s8SGXL
DB6zED136BmLCsjVCylUStt86dD1Dfc%3D&reserved=0
"Protective security: The Agency is committed to increasing maturity and awareness of
Protective Security to assist staff and partners in the delivery of the Scheme.
The Protective and Cyber Security Branch is responsible for implementing the
requirements of the Australian Government Security Frameworks and associated
legislation, including the Protective Security Policy Framework (PSPF) and Information
Security Manual (ISM). This is achieved by providing strategic and operational
information, guidance and advice across: • Security Governance • Information Security •
Personnel Security • Physical Security • Cyber Security." - NDIA Annual Report 2020-21,
page 50
https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ndis.gov.au
%2Fabout-us%2Fpublications%2Fannual-
report&data=04%7C01%7Cfoi%40ndisgovau.mail.onmicrosoft.com%7C29b776a9e
6cb4cb2cec908da109525b0%7Ccd778b65752d454a87cfb9990fe58993%7C0%7C0%7
C637840530437036146%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLC
JQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=fmO6kqif7R
gXwe843ZZus44d%2FKOPCs82QYylIRLrMGs%3D&reserved=0”
Decision on access to documents
I am authorised to make decisions under section 23(1) of the FOI Act. My decision on your
request and the reasons for my decision are set out below.
I have decided to refuse access to Part 4 of your request under section 24A of the FOI Act.
The reasons for my decision are set out below.
I have identified 3 documents, which fall within the remaining parts of your request.
The documents were identified by conducting searches of NDIA’s systems, using all
reasonable search terms that could return documents relevant to your request, and
consulting with relevant NDIA staff who could be expected to be able to identify documents
within the scope of the request.
I have decided to grant access to 2 documents in full and 1 document in part.
I apologise for the delay in providing this information to you.
In reaching my decision, I took into account the following:
• your correspondence outlining the scope of your request
• the nature and content of the documents falling within the scope of your request
• the FOI Act
• the FOI Guidelines published under section 93A of the FOI Act
• consultation with relevant NDIA staff
• the NDIA’s operating environment and functions.
2
Reasons for decision
Certain operations of agencies (section 47E(d))
Section 47E(d) of the FOI Act conditionally exempts a document if its disclosure would, or
could reasonably be expected to, have a substantial adverse effect on the proper and
efficient conduct of the operations of an agency.
Document 1 contains information relating to certain operations of the NDIA. The disclosure
of this information would disclose the internal processes the NDIA uses to assist in its review
of physical security controls, so that the Agency is protected from unexpected changes to
the Agency’s threat.
I have decided that the release of this information would result in the public disclosure of
internal processes and information that, through improper use, would, or could compromise
the security of the NDIS which would substantially and adversely affect the proper and
efficient conduction of the operations of the Agency.
I am satisfied that the release of this information would potentially result in the public
disclosure of internal security processes that, through improper use, would, or could,
compromise the security of the NDIS which would substantially and adversely affect the
proper and efficient conduction of the operations of the NDIS. Accordingly, I have decided
that the relevant information in Document 1 is conditionally exempt under section 47E(d) of
the FOI Act.
Refuse a request for access (section 24A)
Section 24A of the FOI Act provides that an agency may refuse a request for access to a
document if all reasonable steps have been taken to find the document and the agency is
satisfied that the document cannot be found or does not exist.
The relevant line areas have conducted searches of the NDIA’s documents management
systems and made enquiries with NDIA staff. These searches have revealed that the NDIA
is not in possession of documents matching Part 4 of your request. This is because no
document exists in relation to
Accountable Authority's expressed declaration the NDIA
wil /won't follow the Commonwealth Protective Security Policy Framework (PSPF). The
NDIA is a Corporate Commonwealth Entity (CCE), which means that the Agency is not
required to adhere to the PSPF.
I am satisfied that all reasonable steps have been taken to locate the documents in relation
to Part 4 of your request, and that the documents do not exist. I have, therefore, decided to
refuse access to Part 4 of your request in accordance with section 24A(1)(b)(i ) of the FOI
Act.
Public interest considerations – section 47E(d)
Section 11A(5) of the FOI Act provides that access to a document covered by a conditional
exemption must be provided unless disclosure would be contrary to the public interest.
I have not considered any of the irrelevant factors as set out under section 11B(4) of the FOI
Act in making this decision.
In favour of disclosure, I have considered the factors outlined in section 11B(3) of the FOI
Act, and I have determined that disclosure of the relevant information in Document 1 would
promote the objects of the FOI Act by providing access to documents held by the
government.
Against disclosure, I consider that disclosure of the relevant information in Document 1:
3
• would not contribute to the publication of information of sufficient public interest to justify
the likely harm caused by release
• would not enhance Australia’s representative democracy in the ways described in
section 11B(3) of the FOI Act
• would not inform any debate on a matter of public importance, or promote oversight of
public expenditure.
While there is limited public interest in the disclosure of information conditionally exempt
under section 47E(d) of the FOI Act, the harm that would result from disclosure is that it
could reasonably be expected to prejudice the ability of the Agency to protect the security
and integrity of information held in the Agency.
In summary, I am satisfied that the factors against disclosure of the information outweigh the
factors in favour of disclosure and that, on balance, it would be contrary to the public interest
to release this information to you. Accordingly, I have decided that the relevant information in
Document 1 is exempt under section 47E(d) of the FOI Act.
Release of documents
The documents for release, as referred to in the Schedule of Documents at
Attachment A,
are enclosed.
Rights of review
Your rights to seek a review of my decision, or lodge a complaint, are set out at
Attachment B.
Should you have any enquiries concerning this matter, please do not hesitate to contact me
by email at
xxx@xxxx.xxx.xx.
Yours sincerely
Erin
Senior Freedom of Information Officer
Parliamentary, Ministerial & FOI Branch
Government Division
4
Attachment A
Schedule of Documents for FOI 21/22-1320
Document
Page
Description
Access Decision
number
number
1
1-24
Agency Security Plan
PARTIAL ACCESS
Date: September 2020
Exemption claimed:
s47E(d) – certain operations of agencies
2
25-27
Security Quality Assurance Policy
FULL ACCESS
Date: 2 November 2021
3
28-34
Personnel Security Policy
FULL ACCESS
Date: 20 November 2021
5
Attachment B
Your review rights
Internal Review
The FOI Act gives you the right to apply for an internal review of this decision. The review
wil be conducted by a different person to the person who made the original decision.
If you wish to seek an internal review of the decision, you must apply for the review, in
writing, within 30 days of receipt of this letter.
No particular form is required for an application for internal review, but to assist the review
process, you should clearly outline your grounds for review (that is, the reasons why you
disagree with the decision). Applications for internal review can be lodged by email to
xxx@xxxx.xxx.xx or sent by post to:
Freedom of Information Section
Parliamentary, Ministerial & FOI Branch
Government Division
National Disability Insurance Agency
GPO Box 700
CANBERRA ACT 2601
Review by the Office of the Australian Information Commissioner
The FOI Act also gives you the right to apply to the Office of the Australian Information
Commissioner (OAIC) to seek a review of this decision.
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in
writing, or by using the online merits review form available on the OAIC’s website at
www.oaic.gov.au, within 60 days of receipt of this letter.
Applications for review can be lodged with the OAIC in the following ways:
Online:
www.oaic.gov.au
Post:
GPO Box 5218, Sydney NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Phone:
1300 363 992 (local call charge)
Complaints to the Office of the Australian Information Commissioner or the
Commonwealth Ombudsman
You may complain to either the Commonwealth Ombudsman or the OAIC about actions
taken by the NDIA in relation to your request. The Ombudsman wil consult with the OAIC
before investigating a complaint about the handling of an FOI request.
Your complaint to the OAIC can be directed to the contact details identified above. Your
complaint to the Ombudsman can be directed to:
Phone: 1300 362 072 (local call charge)
Email:
xxxxxxxxx@xxxxxxxxx.xxx.xx
Your complaint should be in writing and should set out the grounds on which it is considered
that the actions taken in relation to the request should be investigated.
1