This is an HTML version of an attachment to the Freedom of Information request 'NDIS - Optus Hack and Trustwave Cybersecurity Services/Support'.



Our reference: FOI 22/23-0590 
GPO Box 700 
Canberra   ACT   2601 
1800 800 110 
27 October 2022 
 
ndis.gov.au 
 
 
 
Gladys 
 
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx  
 
 
Dear Gladys 
 
Freedom of Information request — Notification of Decision 
 
Thank you for your correspondence of 1 October 2022 in which you requested access to 
documents held by the National Disability Insurance Agency (NDIA), under the Freedom of 
Information Act 1982 (FOI Act). 
 
The purpose of this letter is to provide you with a decision on your request. 
 
Scope of your request  
You have requested access to the following documents: 
 
1. Has the NDIA/NDIS ever used or paid Trustwave for any form of support, 
services, consulting, analysis or 'work'? 
 
2. Has Trustwave conducted any work or services for the NDIA/NDIS in the past 2 
years? 
 
3. Has Trustwave conducted or provided any form of cybersecurity services to the 
NDIA/NDIS, such as threat assessments, penetration testing, network assurance, 
etc? 
 
4. Has Optus ever provided cybersecurity advice, products or services to the 
NDIS/NDIA? 
 
5. Has SingTel, or any company they own or control ever provided cybersecurity 
advice, products or services to the NDIS/NDIA? 
 
6. If so, can I request a copy of the vendor, 3rd party risk assessment/analysis? This 
includes the project risk assessment and procurement risk assessment.
 
 
Decision on access to documents 
I am authorised to make decisions under section 23(1) of the FOI Act.  My decision on your 
request and the reasons for my decision are set out below.  
 
I have decided to refuse your request for access under section 24A of the FOI Act. The 
reasons for my decision are set out below. 
 
 

 

In reaching my decision, I took the following into account: 
- your correspondence outlining the scope of your request 
- the FOI Act 
- the FOI Guidelines published under section 93A of the FOI Act 
- consultation with relevant officers of the NDIA 
- the NDIA’s operating environment and functions. 
 
Reasons for decision 
Refuse a request for access (section 24A) 
Section 24A of the FOI Act provides that an agency may refuse a request for access to a 
document if all reasonable steps have been taken to find the document and the agency is 
satisfied that the document cannot be found or does not exist.  
 
The relevant line areas have conducted searches of the NDIA’s document management 
systems and made enquiries with NDIA staff who could be expected to identify documents 
that fall within the scope of your request. These searches and enquiries have revealed that 
the NDIA is not in possession of documents matching the scope of your request. This is 
because the NDIA does not hold a document, or documents, that contain the information you 
have requested. 
 
Section 17(1)(c) of the FOI Act provides that an agency can produce a written document 
containing the requested information, by the use of a computer or other equipment that is 
ordinarily available for retrieving or collating stored information. I have considered whether 
the Agency could create a document that fulfils the scope of your request through the use of 
a computer or other equipment. The line area has advised that senior analysts would need 
to manually review every vendor the Agency has ever used to ascertain if those companies 
are connected in any way to Singtel or any of their subsidiaries. This task would take the 
analysts several weeks, which would, in my view, substantially and unreasonably divert the 
resources of the Agency from its other operations.  
 
Section 17(2) of the FOI Act provides that an Agency is not required to comply with section 
17(1) if compliance would substantially and unreasonably divert the resources of the Agency 
from its other operations. As such, I have decided that in accordance with section 17(2) of 
the FOI Act, the task of manually reviewing every vendor would substantially and 
unreasonably divert the resources of the Agency from its other operations, so the Agency is 
not required to comply with section 17(1) of the FOI Act. 
 
I am satisfied that all reasonable steps have been taken to locate the documents you have 
requested and that the documents do not exist. I have, therefore, decided to refuse access 
to your request in accordance with section 24A(1)(b)(ii) of the FOI Act. 
 
Rights of review 
Your rights to seek a review of my decision, or lodge a complaint, are set out at 
Attachment A.

 
 
 


Should you have any enquiries concerning this matter, please do not hesitate to contact me 
by email at xxx@xxxx.xxx.xx. 
 
Yours sincerely 
 
 
Carolyn 
Assistant Director FOI 
Parliamentary, Ministerial & FOI Branch 
Government Division 
 
 
 
 

Attachment A 
Your review rights 
 
Internal Review  
The FOI Act gives you the right to apply for an internal review of this decision. The review 
will be conducted by a different person to the person who made the original decision. 
 
If you wish to seek an internal review of the decision, you must apply for the review, in 
writing, within 30 days of receipt of this letter. 
 
No particular form is required for an application for internal review, but to assist the review 
process, you should clearly outline your grounds for review (that is, the reasons why you 
disagree with the decision). Applications for internal review can be lodged by email to 
xxx@xxxx.xxx.xx or sent by post to: 
 
Freedom of Information Section 
Parliamentary, Ministerial & FOI Branch 
Government Division 
National Disability Insurance Agency 
GPO Box 700 
Canberra   ACT   2601 
 
Review by the Office of the Australian Information Commissioner 
The FOI Act also gives you the right to apply to the Office of the Australian Information 
Commissioner (OAIC) to seek a review of this decision. 
 
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in 
writing, or by using the online merits review form available on the OAIC’s website at 
www.oaic.gov.au, within 60 days of receipt of this letter.  
 
Applications for review can be lodged with the OAIC in the following ways: 
 
Online: www.oaic.gov.au 
Post: GPO Box 5218, Sydney NSW 2001 
Email: xxxxxxxxx@xxxx.xxx.xx 
Phone: 1300 363 992 (local call charge) 
 
Complaints to the Office of the Australian Information Commissioner or the 
Commonwealth Ombudsman 
You may complain to either the Commonwealth Ombudsman or the OAIC about actions 
taken by the NDIA in relation to your request. The Ombudsman will consult with the OAIC 
before investigating a complaint about the handling of an FOI request. 
 
Your complaint to the OAIC can be directed to the contact details identified above. Your 
complaint to the Ombudsman can be directed to: 
 
Phone: 1300 362 072 (local call charge) 
Email: xxxxxxxxx@xxxxxxxxx.xxx.xx 
 
Your complaint should be in writing and should set out the grounds on which it is considered 
that the actions taken in relation to the request should be investigated. 
 