Our reference: FOI 22/23-0589
GPO Box 700
Canberra ACT 2601
1800 800 110
16 January 2023
ndis.gov.au
Josh
Right to Know
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Josh
Freedom of Information request — Notification of Decision
Thank you for your correspondence of 1 October 2022, in which you requested access to
documents held by the National Disability Insurance Agency (NDIA), under the
Freedom of
Information Act 1982 (FOI Act).
The purpose of this letter is to provide you with a decision on your request.
You have requested access to the following information:
“How many personal devices (mobile phones, tablets, etc) are used at the NDIS for the
conduct of government and NDIA business? What I mean is, how many contractors,
public servants and people that work at or for the NDIS use their own devices for
government 'work'?
What has been the total of personal devices used within the NDIS for the past 5
years? (if any)
If personal devices (and email) have been used, have they all been inspected,
monitored and certified to Australian Government cybersecurity standards and
requirements? Please provide specific proof, such as a report or official statement.
If personal devices (and email) have been used (this includes adding personal email
profiles and ID's to MS teams environments, calls, schedules and communications),
has all data, communications and information been captured and retained by the
NDIS, in accordance with the National Archives Act, any public information record
keeping requirements and therefore accessible via FOI, if requested?
How many of the NDIA executive population (SES, EL1, EL2, etc) have, do or did use
a personal device for NDIA/NDIS business and government administration this year
and over the past 5 years? If any.
Have any of these personal devices/profiles (if any) been affected by the Optus hack?
If so, how many?”
I have interpreted your request to be for documents containing the above information.
Extension of time
On 31 October 2022, you agreed to a 30-day extension of time under section 15AA of the
FOI Act, making 30 November 2022 the new date to provide you with a decision on access.
1
Additionally, on 14 December 2022, the Office of the Australia Information Commissioner
(OAIC) granted us a 30-day extension of time under section 15AB of the FOI Act, making 30
December 2022 the new date to provide you with a decision on access.
On 23 December 2022, we sought a further 15-day extension of time from the OAIC. If
granted this will make 14 January 2023 the final deadline to make a decision on your
request. The OAIC will contact you directly with their decision on this extension of time.
Decision on access to documents
I am authorised to make decisions under section 23(1) of the FOI Act. My decision on your
request and the reasons for my decision are set out below.
I have decided to refuse your request for access under section 24A of the FOI Act. The
reasons for my decision are set out below.
In reaching my decision, I took the following into account:
• your correspondence outlining the scope of your request
• the FOI Act
• the FOI Guidelines published under section 93A of the FOI Act
• consultation with relevant officers of the NDIA
• the NDIA’s operating environment and functions.
Reasons for decision
Refuse a request for access (section 24A)
Section 24A of the FOI Act provides that an agency may refuse a request for access to a
document if all reasonable steps have been taken to find the document and the agency is
satisfied that the document cannot be found or does not exist.
I have made enquiries with NDIA staff. These enquiries have revealed that the NDIA is not in
possession of documents recording the use of personal devices. This is because there is no
sanctioned use of personal devices to conduct NDIA business. NDIA staff are issued with
devices for the purpose of conducting NDIA business, and employees at partner
organisations are similarly issued with devices by those organisations to fulfil their work.
I note that some information about the use of personal information within the NDIA is
contained within th
e NDIS Privacy Policy. In particular the privacy policy states, in relation to
the use of email accounts:
All our personnel (including staff and contractors), board members and community
partners are issued with NDIA email addresses. When we need to use personal
information for our business purposes, we will limit this use to only those NDIA
personnel, board members or community partners who need to know that information.
Where business use requires us to email personal information internally to NDIA
personnel, board members or community partners, we will use NDIA email addresses
to send that information.
I am satisfied that all reasonable steps have been taken to locate the documents you have
requested and that the documents cannot be found or do not exist I have, therefore, decided
to refuse access to your request in accordance with section 24A(1)(b)(ii) of the FOI Act.
Rights of review
Your rights to seek a review of my decision, or lodge a complaint, are set out at
Attachment A.
2
Should you have any enquiries concerning this matter, please do not hesitate to contact me
by email
at xxx@xxxx.xxx.xx. Yours sincerely
Jasper
Senior Freedom of Information Officer
Parliamentary, Ministerial & FOI Branch
Government Division
3
Attachment A
Your review rights
Internal Review
The FOI Act gives you the right to apply for an internal review of this decision. The review will
be conducted by a different person to the person who made the original decision.
If you wish to seek an internal review of the decision, you must apply for the review, in writing,
within 30 days of receipt of this letter.
No particular form is required for an application for internal review, but to assist the review
process, you should clearly outline your grounds for review (that is, the reasons why you
disagree with the decision). Applications for internal review can be lodged by email to
xxx@xxxx.xxx.xx or sent by post to:
Freedom of Information Section
Parliamentary, Ministerial & FOI Branch
Government Division
National Disability Insurance Agency
GPO Box 700
Canberra ACT 2601
Review by the Office of the Australian Information Commissioner
The FOI Act also gives you the right to apply to the Office of the Australian Information
Commissioner (OAIC) to seek a review of this decision.
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in writing,
or by using the online merits review form available on the OAIC’s website
at www.oaic.gov.au,
within 60 days of receipt of this letter.
Applications for review can be lodged with the OAIC in the following ways:
Online:
www.oaic.gov.au
Post:
GPO Box 5218, Sydney NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Phone:
1300 363 992 (local call charge)
Complaints to the Office of the Australian Information Commissioner or the
Commonwealth Ombudsman
You may complain to either the Commonwealth Ombudsman or the OAIC about actions taken
by the NDIA in relation to your request. The Ombudsman will consult with the OAIC before
investigating a complaint about the handling of an FOI request.
Your complaint to the OAIC can be directed to the contact details identified above. Your
complaint to the Ombudsman can be directed to:
Phone:
1300 362 072 (local call charge)
Email:
xxxxxxxxx@xxxxxxxxx.xxx.xx
Your complaint should be in writing and should set out the grounds on which it is considered
that the actions taken in relation to the request should be investigated Division.
4