This is an HTML version of an attachment to the Freedom of Information request 'NDIS - Personal Devices (BYOD) usage, control, protection and public accountability'.



Our reference: FOI 22/23-0589 
GPO Box 700 
Canberra   ACT   2601 
1800 800 110 
16 January 2023 
 
ndis.gov.au 
Josh  
Right to Know 
 
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx 
 
 
Dear Josh 
 
Freedom of Information request — Notification of Decision 
 
Thank you for your correspondence of 1 October 2022, in which you requested access to 
documents held by the National Disability Insurance Agency (NDIA), under the Freedom of 
Information Act 1982 (FOI Act). 
 
The purpose of this letter is to provide you with a decision on your request. 
 
You have requested access to the following information: 
 
“How many personal devices (mobile phones, tablets, etc) are used at the NDIS for the 
conduct of government and NDIA business? What I mean is, how many contractors, 
public servants and people that work at or for the NDIS use their own devices for 
government 'work'? 
 
What has been the total of personal devices used within the NDIS for the past 5 
years? (if any) 
 
If personal devices (and email) have been used, have they all been inspected, 
monitored and certified to Australian Government cybersecurity standards and 
requirements? Please provide specific proof, such as a report or official statement. 
 
If personal devices (and email) have been used (this includes adding personal email 
profiles and ID's to MS teams environments, calls, schedules and communications), 
has all data, communications and information been captured and retained by the 
NDIS, in accordance with the National Archives Act, any public information record 
keeping requirements and therefore accessible via FOI, if requested? 
 
How many of the NDIA executive population (SES, EL1, EL2, etc) have, do or did use 
a personal device for NDIA/NDIS business and government administration this year 
and over the past 5 years? If any. 
 
Have any of these personal devices/profiles (if any) been affected by the Optus hack? 
If so, how many?”
 
 
I have interpreted your request to be for documents containing the above information. 
 
Extension of time 
On 31 October 2022, you agreed to a 30-day extension of time under section 15AA of the 
FOI Act, making 30 November 2022 the new date to provide you with a decision on access. 
 
 

 

 
Additionally, on 14 December 2022, the Office of the Australian Information Commissioner 
(OAIC) granted us a 30-day extension of time under section 15AB of the FOI Act, making 30 
December 2022 the new date to provide you with a decision on access. 
 
On 23 December 2022, we sought a further 15-day extension of time from the OAIC. If 
granted this will make 14 January 2023 the final deadline to make a decision on your 
request. The OAIC will contact you directly with their decision on this extension of time. 
 
Decision on access to documents 
I am authorised to make decisions under section 23(1) of the FOI Act.  My decision on your 
request and the reasons for my decision are set out below.  
 
I have decided to refuse your request for access under section 24A of the FOI Act. The 
reasons for my decision are set out below. 
 
In reaching my decision, I took the following into account: 
•  your correspondence outlining the scope of your request 
•  the FOI Act 
•  the FOI Guidelines published under section 93A of the FOI Act  
•  consultation with relevant officers of the NDIA 
•  the NDIA’s operating environment and functions. 
 
Reasons for decision 
Refuse a request for access (section 24A) 
Section 24A of the FOI Act provides that an agency may refuse a request for access to a 
document if all reasonable steps have been taken to find the document and the agency is 
satisfied that the document cannot be found or does not exist.  
 
I have made enquiries with NDIA staff. These enquiries have revealed that the NDIA is not in 
possession of documents recording the use of personal devices. This is because there is no 
sanctioned use of personal devices to conduct NDIA business. NDIA staff are issued with 
devices for the purpose of conducting NDIA business, and employees at partner 
organisations are similarly issued with devices by those organisations to fulfil their work. 
 
I note that some information about the use of personal information within the NDIA is 
contained within the NDIS Privacy Policy. In particular the privacy policy states, in relation to 
the use of email accounts: 
 
All our personnel (including staff and contractors), board members and community 
partners are issued with NDIA email addresses. When we need to use personal 
information for our business purposes, we will limit this use to only those NDIA 
personnel, board members or community partners who need to know that information.  
Where business use requires us to email personal information internally to NDIA 
personnel, board members or community partners, we will use NDIA email addresses 
to send that information. 

 
I am satisfied that all reasonable steps have been taken to locate the documents you have 
requested and that the documents cannot be found or do not exist. I have, therefore, decided 
to refuse access to your request in accordance with section 24A(1)(b)(ii) of the FOI Act. 
 
Rights of review 
Your rights to seek a review of my decision, or lodge a complaint, are set out at Attachment A.
 
 
 
 


 
Should you have any enquiries concerning this matter, please do not hesitate to contact me 
by email at xxx@xxxx.xxx.xx. 
 
Yours sincerely 
 
 
Jasper 
Senior Freedom of Information Officer 
Parliamentary, Ministerial & FOI Branch 
Government Division 
 
 
 

 
Attachment A 
Your review rights 
 
Internal Review  
The FOI Act gives you the right to apply for an internal review of this decision. The review will 
be conducted by a different person to the person who made the original decision. 
 
If you wish to seek an internal review of the decision, you must apply for the review, in writing, 
within 30 days of receipt of this letter. 
 
No particular form is required for an application for internal review, but to assist the review 
process, you should clearly outline your grounds for review (that is, the reasons why you 
disagree with the decision). Applications for internal review can be lodged by email to 
xxx@xxxx.xxx.xx or sent by post to: 
 
Freedom of Information Section 
Parliamentary, Ministerial & FOI Branch 
Government Division 
National Disability Insurance Agency 
GPO Box 700 
Canberra   ACT   2601 
 
Review by the Office of the Australian Information Commissioner 
The FOI Act also gives you the right to apply to the Office of the Australian Information 
Commissioner (OAIC) to seek a review of this decision. 
 
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in writing, 
or by using the online merits review form available on the OAIC’s website at www.oaic.gov.au, 
within 60 days of receipt of this letter.  
 
Applications for review can be lodged with the OAIC in the following ways: 
 
Online: www.oaic.gov.au 
Post: GPO Box 5218, Sydney NSW 2001 
Email: xxxxxxxxx@xxxx.xxx.xx 
Phone: 1300 363 992 (local call charge) 
 
Complaints to the Office of the Australian Information Commissioner or the 
Commonwealth Ombudsman 
You may complain to either the Commonwealth Ombudsman or the OAIC about actions taken 
by the NDIA in relation to your request. The Ombudsman will consult with the OAIC before 
investigating a complaint about the handling of an FOI request. 
 
Your complaint to the OAIC can be directed to the contact details identified above. Your 
complaint to the Ombudsman can be directed to: 
 
Phone: 1300 362 072 (local call charge) 
Email: xxxxxxxxx@xxxxxxxxx.xxx.xx 
 
Your complaint should be in writing and should set out the grounds on which it is considered 
that the actions taken in relation to the request should be investigated. 
 