This is an HTML version of an attachment to the Freedom of Information request 'NDIS: Protective Security Policy Framework (PSPF) & Cybersecurity - obligated or not?'.



 
 
Our reference:
 FOI 22/23-0830 
GPO Box 700 
Canberra   ACT   2601 
1800 800 110 
ndis.gov.au 
5 August 2023 
 
 
Florence 
 
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx 
 
 
Dear Florence 
 
Freedom of Information request — Notification of Decision 
 
Thank you for your correspondence of 13 November 2022, in which you requested access to 
documents held by the National Disability Insurance Agency (NDIA), under the Freedom of 
Information Act 1982 (FOI Act). 
 
The purpose of this letter is to provide you with a decision on your request. 
 
Scope of your request 
You have requested access to the following documents: 
  “So, my questions are: 
 
1. Who specifically provided the advice that the NDIA was not required to comply with or follow the PSPF? Job title and location will suffice 
2. Noting all these new roles and requirements, was the person(s) consulted at the NDIS at the time qualified and competent to answer questions on cyber/security and the PSPF? 
3. As the NDIS seems to have overnight sought to align with and comply with the PSPF, please provide a copy of the instruction or directive to do so. 
4. Has there been (or is there) an investigation into providing inaccurate, seemingly false or potentially misleading information about the NDIS security (cyber included) obligations, compliance and assurance requirements? 
5. Prior to this new found support and embracing of the PSPF, which specific security standards and framework did the NDIS/NDIA employ, attest to, report to the Attorney General's Department or provide guarantees, compliance or alignment with to any other Government/public entity? 
6. Please provide a copy of the requirement and approval for all these new, sudden cyber security roles. Has the threat changed? 
7. How many NDIS staff, contractors, providers and participants have been affected or compromised as a result of the Medibank, Optus, Australian Clinical Labs, or any other data breach, compromise or hack?” 
 
Decision on access to documents 

I am authorised to make decisions under section 23(1) of the FOI Act. My decision on your 
request and the reasons for my decision are set out below.  
 
Section 17(1)(c) of the FOI Act provides that an agency can produce a written document 
containing the requested information, by the use of a computer or other equipment that is 
ordinarily available for retrieving or collating stored information. We have been able to 
produce documents containing some of the information you requested. I have, therefore, 
treated your request as if it were a request for access to those documents in accordance 
with section 17(1)(c) of the FOI Act. 
 
I have identified 3 documents, which fall within the scope of your request. Additionally, I have 
provided 1 publicly available link that addresses the scope of your request. 
protective-security-guidance-for-executives.pdf (protectivesecurity.gov.au) 
 
The documents were identified by conducting searches of NDIA’s systems, using all 
reasonable search terms that could return documents relevant to your request, and 
consulting with relevant NDIA staff who could be expected to be able to identify documents 
within the scope of the request. 
 
I have decided to grant access to 3 documents in full. 
 
In reaching my decision, I took the following into account: 
•  your correspondence outlining the scope of your request 
•  the nature and content of the documents falling within the scope of your request 
•  the FOI Act  
•  the FOI Guidelines published under section 93A of the FOI Act 
 
Access to edited copies with exempt or irrelevant material deleted (section 22) 
I have decided that Documents 2 and 3 contain material that is exempt from disclosure 
under the FOI Act. 
 
I have also identified that Documents 2 and 3 contain material that is irrelevant to your 
request. The irrelevant material relates to names and contact details of NDIA staff and 
information which is not relevant to the subject matter of your request. 
 
In accordance with section 22 of the FOI Act, I have considered whether it is possible to 
delete the exempt and irrelevant material from the documents and have concluded that it is 
reasonably practicable to do so. Accordingly, I have prepared an edited copy of the 
documents with the exempt and irrelevant material removed. 
 
Release of documents 
The documents for release, as referred to in the Schedule of Documents at Attachment A, 
are enclosed. 
 
Rights of review 
Your rights to seek a review of my decision, or lodge a complaint, are set out at 
Attachment B. 
 
Should you have any enquiries concerning this matter, please do not hesitate to contact me 
by email at xxx@xxxx.xxx.xx. 
 
Yours sincerely 
 
 
 
Ankit 
Senior Freedom of Information Officer 
Parliamentary, Ministerial & FOI Branch 
Government Division 

Attachment A 
Schedule of Documents for FOI 22/23-0830 
 
Document 1 
  Page number: 1-2 
  Description: Section 17 Document Created. Date: Various 
  Access decision: FULL ACCESS 
  Comments: Document created under section 17 of the FOI Act 
 
Document 2 
  Page number: 
  Description: Email. Subject: Approval to Approach Market - EL2 Director Cyber Security Risk and Compliance. Date: 19 October 2022 
  Access decision: FULL ACCESS 
  Comments: Irrelevant material removed under section 22 of the FOI Act 
 
Document 3 
  Page number: 4-7 
  Description: Email. Subject: Approval Required: EL1 Assistant Director CSOC Capability Development. Date: 13 October 2022 
  Access decision: FULL ACCESS 
  Comments: Irrelevant material removed under section 22 of the FOI Act 


 
Attachment B 
Your review rights  
 
Internal Review 
The FOI Act gives you the right to apply for an internal review of this decision. The review 
will be conducted by a different person to the person who made the original decision. 
 
If you wish to seek an internal review of the decision, you must apply for the review, in 
writing, within 30 days of receipt of this letter. 
 
No particular form is required for an application for internal review, but to assist the review 
process, you should clearly outline your grounds for review (that is, the reasons why you 
disagree with the decision). Applications for internal review can be lodged by email to 
xxx@xxxx.xxx.xx or sent by post to: 
  Freedom of Information Section  
Parliamentary, Ministerial & FOI Branch  
Government Division 
National Disability Insurance Agency 
GPO Box 700 
CANBERRA   ACT   2601 
 
Review by the Office of the Australian Information Commissioner 
The FOI Act also gives you the right to apply to the Office of the Australian Information 
Commissioner (OAIC) to seek a review of this decision. 
 
If you wish to have the decision reviewed by the OAIC, you may apply for the review, in 
writing, or by using the online merits review form available on the OAIC’s website at 
www.oaic.gov.au, within 60 days of receipt of this letter.  
 
Applications for review can be lodged with the OAIC in the following ways: 
  Online:  www.oaic.gov.au 
  Post:    GPO Box 5218, Sydney NSW 2001 
  Email:   xxxxxxxxx@xxxx.xxx.xx 
  Phone:   1300 363 992 (local call charge) 
 
Complaints to the Office of the Australian Information Commissioner or the 
Commonwealth Ombudsman 
You may complain to either the Commonwealth Ombudsman or the OAIC about actions 
taken by the NDIA in relation to your request. The Ombudsman will consult with the OAIC 
before investigating a complaint about the handling of an FOI request. 
 
Your complaint to the OAIC can be directed to the contact details identified above. Your 
complaint to the Ombudsman can be directed to: 
  Phone:  1300 362 072 (local call charge) 
  Email:  xxxxxxxxx@xxxxxxxxx.xxx.xx 
 
Your complaint should be in writing and should set out the grounds on which it is considered 
that the actions taken in relation to the request should be investigated. 