Our reference: FOI 22/23-0600
GPO Box 700
Canberra ACT 2601
1800 800 110
ndis.gov.au
25 October 2022
Beverly
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Beverly
Freedom of Information request — Request consultation process
Thank you for your correspondence of 1 October 2022, in which you requested access
under the Freedom of Information Act 1982 (FOI Act) to documents held by the National
Disability Insurance Agency (NDIA).
Scope of your request
You have requested access to the following documents:
As of today (1 Oct 22) how many APIs (application programming interfaces) are there
at the NDIA/NDIS? Are they all 'secure by design'? Have they all been cybersecurity
tested and certified? Have they all been risk assessed and approved? Can I please
have a copy of the report that confirms and sums all this up? Along with some
information on the qualifications and experience of the individuals/vendors that
conducted this recent, ongoing analysis.
Noting the NDIS/NDIA is not obligated, nor complies with the Australian
Government's Protective Security Policy Framework (PSPF), can you please provide
details on which/what specific cybersecurity standards and government level security
standard(s) are used at the NDIS?
This includes all APIs used for bridging between applications, payments processing,
connecting to participants bank accounts and details, provider billing, government
integration, internal systems, data estate query, payment/shopping, accommodation,
GST, etc connections.
Practical refusal
I am authorised to make decisions under section 23(1) of the FOI Act.
I am writing to advise that the work involved in processing your request in its current form
would substantially and unreasonably divert the resources of the NDIA from its other
operations due to its size and complexity. This is called a ‘practical refusal reason’ under
section 24AA of the FOI Act.
On this basis, I intend to refuse your request. However, before I make a final decision, I am
writing to provide you with an opportunity to revise your request. This is called a ‘request
consultation process’ as set out under section 24AB of the FOI Act. You have 14 days to
respond to this notice in one of the ways set out below.
Why I intend to refuse your request
Through consultation with the relevant line area, I have been advised that the Agency has
hundreds of APIs, each with multiple documents, which are likely to be relevant to your
request.
The line area has estimated that it would take analysts more than 4 weeks to sort through
and collate any relevant documents. We would also need to consider whether we would
need to create a document pursuant to section 17(1) of the FOI Act, to provide some of the
information you are seeking. An FOI Officer will then need to review each document for any
sensitivities and possible exemption under the FOI Act, schedule each document, consider if
any third-party consultations are required and carry these out as needed, a decision will
need to be made on each document, and a decision letter prepared.
As a result, I am of the view that the work involved in the processing of this request would
substantially and unreasonably divert the resources of the NDIA from its other operations.
Request consultation process
You now have an opportunity to revise your request to enable it to proceed.
Revising your request can mean narrowing the scope of the request to make it more
manageable or explaining in more detail the documents you wish to access. For example, by
providing more specific information about exactly what documents you are interested in, the
NDIA will be able to pinpoint the documents more quickly and avoid using excessive
resources to process documents you are not interested in.
To reduce the scope of your request, you might like to consider seeking access to
documents in relation to a specific API.
You have 14 days to contact me and do one of the following:
a. withdraw your request
b. make a revised request
c. indicate that you do not wish to revise the request.
During this period, you are welcome to seek assistance to revise your request. If you revise
your request in a way that adequately addresses the practical refusal reason outlined above,
we will recommence processing it.
Please note that the time taken to consult with you regarding the scope of your request is not
taken into account for the purposes of the timeframe for processing your request.
You can contact me by email at xxx@xxxx.xxx.xx.
Alternatively, you can reply in writing to the following address:
Freedom of Information Section
Parliamentary, Ministerial & FOI Branch
Government Division
National Disability Insurance Agency
GPO Box 700
CANBERRA ACT 2601
If you do not contact me within this period, that is by 8 November 2022, your FOI request
will be taken to have been withdrawn under subsection 24AB(7) and will not be dealt with
any further.
Please do not hesitate to contact me if you have any questions.
Yours sincerely
Carolyn
Assistant Director FOI
Parliamentary, Ministerial & FOI Branch
Government Division