PO Box 7820 Canberra BC ACT 2610
8 March 2023
Our reference: LEX 71778
Rex Banner
By email: xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Mr Banner
Freedom of Information Request – Internal Review Decision
I refer to your correspondence received by Services Australia (the Agency) on 6 February
2023, seeking an internal review of the decision made by the Agency on 6 February 2023 in
relation to your request for access to a document under the
Freedom of Information Act 1982
(FOI Act).
Background
On 22 December 2022, you requested access under the FOI Act to the following document:
. .the Privacy Impact Assessment (PIA) #39159 for the "COVID-19 Immunisation
Readiness Project"
On 6 February 2023, the Agency notified you that it had decided to refuse your request as the
requested material was exempt under the FOI Act (original decision).
On 6 February 2023, you requested an internal review of the original decision.
Summary of my internal review decision
I am authorised to make decisions under section 23(1) of the FOI Act, including internal review
decisions under section 54C of the FOI Act. Consistent with the requirements of section 54C(2)
of the FOI Act, I have made a fresh decision.
I have decided to
refuse your request as it relates to material that is fully exempt under the
FOI Act.
Please refer to
Attachment A for further information regarding the reasons for my decision.
You can ask for a review of our decision
If you disagree with any part of the decision, you can ask for a review by the Australian
Information Commissioner. See
Attachment B for more information about how to request a
review.
Further assistance
If you have any questions please email xxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxxxxx.xxx.xx.
Yours sincerely
PAGE 1 OF 11
PO Box 7820 Canberra BC ACT 2610
Damien
Authorised FOI Decision Maker
Freedom of Information Team
FOI and Ombudsman Branch | Legal Services Division
Services Australia
PAGE 2 OF 11
PO Box 7820 Canberra BC ACT 2610
Attachment A
REASONS FOR DECISION
What you requested
On 22 December 2022, you requested:
…the Privacy Impact Assessment (PIA) #39159 for the "COVID-19 Immunisation
Readiness Project" under the Freedom of Information Act 1982 (Cth).
On 6 February 2023, the Agency notified you that it had decided to refuse your request as
the requested material was exempt under the FOI Act.
On 6 February 2023, you requested an internal review of the original decision, providing
written submissions in which you argued that:
If I read correctly there are two issues that are preventing the release of 1 document.
1: "I am satisfied there is a possibility of real harm resulting from release as the
document contains detailed legal analysis about the Agency’s cyber operations and
environment. Disclosure of this information creates the real risk of third party
actors gaining insight into the Agency systems and architecture, and exploiting this
knowledge for malicious purposes. "
This is not real harm. This is purely hypothetical, unless, that is, Service Australia is
operating such a system that purely knowing Agency systems and architecture would
give a actor access; In which case Services Australia has an obligation to report this
to https:/ www.cyber.gov.au/acsc/report
Keeping systems secret might be an argument in a time bound way to fix a problem
or in the case of Trade Secrets.
Security measures are part of Privacy Impact Assessments that have been routinely
disclosed. eg ht ps://help.abc.net.au/hc/en-
us/article attachments/6199376350863/Platform Modernisation Project -
Privacy Impact Assessment - draft updated 140322.pdf
"I consulted with Agency officers in the Health Programmes Division who
advised me that disclosure of the document poses a real and substantial risk of
compromising the Agency’s cybersecurity measures and exposing the Agency to
greater risk of cyber-attacks"
Could you please release what the advice was?
2 Legal Privilege:
Legal Privilege is not conferred purely by labelling a document as such. There is a
bar that must be met.
I obviously haven't seen the document, however I ask two related questions:
PAGE 4 OF 11
PO Box 7820 Canberra BC ACT 2610
Would Services Australia release *any* of their Primacy Impact Assessments or are
they considered legally privileged?
Is the entire document subject to LPP?
Was the Privacy Impact Assessment done by a lawyer?
What I took into account
In reaching my decision I took into account:
• your original request dated 22 December 2022
• your internal review request dated 6 February 2023
• other correspondence with you
• the document falling within the scope of your request
• whether the release of material would be in the public interest
• consultations with Agency officers about:
o the nature of the document, and
o the Agency's operating environment and functions
• guidelines issued by the Australian Information Commissioner under section 93A of the
FOI Act (the Guidelines), and
• the FOI Act.
Reasons for my decision
I am authorised to make decisions under section 23(1) of the FOI Act, including internal review
decisions under section 54C of the FOI Act.
I have decided to refuse access to the document in full. My findings of fact and reasons for
deciding the exemptions apply to the document are discussed below.
Section 42 of the FOI Act – legal professional privilege
I have applied the exemption in section 42 of the FOI Act to the document in its entirety.
This section of the FOI Act allows the Agency to redact documents or parts of documents
subject to legal professional privilege (LPP).
The FOI Act does not define LPP. However, courts have held that deciding whether a
communication is privileged requires a consideration of:
• whether there is a legal adviser-client relationship
• whether the communication was for the purpose of giving or receiving legal advice, or
use in connection with actual or anticipated litigation
• whether the advice given is independent, and
PAGE 5 OF 11
PO Box 7820 Canberra BC ACT 2610
• whether the advice given is confidential.
The document you requested is a Privacy Impact Assessment (PIA) prepared by an
independent external legal provider for the purpose of providing the Agency confidential
professional legal advice in relation to the development of the COVID-19 Immunisation
Readiness Project.
Accordingly, I am satisfied that LPP attaches to this document. I am also satisfied that LPP
has not been waived, as the document has not been distributed further than reasonably
necessary for internal operational purposes, and the substance of the legal advice contained
in the document has not been used in any way which is inconsistent with the maintenance of
the confidentiality of the advice.
Further, I am satisfied there is a possibility of real harm resulting from release of the document.
First, I consider that the Agency’s ability to obtain independent external legal advice on issues
would be substantially prejudiced if it were to waive privilege over this document (which sets
out the particular legal provider’s PIA methodology, together with their approach to the
interpretation, analysis and application of legislation, systems and processes administered by
the Agency) and make it publicly available through FOI processes. I also consider, for the
reasons set out in more detail below, that disclosure of the document would give rise to a real
risk of prejudice to the confidentiality, integrity and availability of the Agency’s systems and
data (including customers’ personal information).
For the reasons set out above, I am satisfied the document is exempt in full under section 42
of the FOI Act.
Section 47C of the FOI Act – deliberative material
I have applied the conditional exemption in section 47C of the FOI Act to the document in its
entirety.
This section of the FOI Act provides a document is conditionally exempt if it would disclose
deliberative matter. Deliberative matter is an opinion, advice or recommendation, or a
consultation or deliberation that has taken place in the course of, or for the purposes of, the
deliberative processes of an agency. Material which is operational or purely factual information
is not deliberative matter. The deliberative exemption also does not apply to reports of scientific
or technical experts, reports of a body or organisation prescribed by the regulations, or a formal
statement of reasons.
I am satisfied the document comprises deliberative matter, being advice and
recommendations, which have been prepared by the Agency’s legal services provider in the
course of undertaking the PIA. The document identifies privacy and secrecy compliance risks
for the Agency and includes recommendations for managing or eliminating identified risks and
maximising opportunities for enhancing privacy protection. I am also satisfied the document is
not operational information or purely factual information, and is otherwise not of a kind
specifically excluded by the FOI Act.
Accordingly, I find that the document is conditionally exempt, in full, under section 47C(1) of
the FOI Act.
Public interest considerations
PAGE 6 OF 11
PO Box 7820 Canberra BC ACT 2610
Access to conditionally exempt material must be given unless I am satisfied it would not be in
the public interest to do so.
When weighing up the public interest for and against disclosure under section 11A(5) of the
FOI Act, I have taken into account relevant factors in favour of disclosure. In particular, I have
considered the extent to which disclosure would promote the objects of the FOI Act.
I have also considered relevant factors weighing against disclosure, indicating that access
would be contrary to the public interest. In particular, I have considered the extent to which
disclosure could reasonably be expected to:
• prejudice to the confidentiality, integrity and availability of the Agency’s systems and
data
• destroy or diminish the commercial value of the provider’s PIA methodology approach
• impede the full and frank disclosure between a lawyer and client, which assists the
effective administration of justice, and
• prejudice the Agency’s ability to obtain comprehensive legal advice in the future.
Based on these factors, I have decided that, in this instance, the public interest in disclosing
this document is outweighed by the public interest against disclosure.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI
Act in making this decision.
Conclusion
I am satisfied that the document sought is conditionally exempt under section 47C of the FOI
Act. Further, I have decided that on balance it would be contrary to the public interest to release
the document.
Section 47E(d) of the FOI Act – operations of the Agency
I have applied the conditional exemption in section 47E(d) of the FOI Act to parts of the
document.
This section of the FOI Act provides a document is conditionally exempt if its disclosure would,
or could reasonably be expected to, have a substantial adverse effect on the Agency’s ability
to conduct its operations efficiently and properly.
The document requested contains information about and insights into Agency architecture and
ICT systems, interactions with its systems, underlying infrastructure and software applications,
and also the exchange of information with third party applications.
As outlined in the original decision, Agency officers in the Health Programmes Division were
consulted in relation to sensitivities associated with the document and provided advice to the
effect that releasing this information ‘could compromise the security, or be vulnerable to cyber-
attacks, malicious or criminal actors’ and that ‘this information should remain secure to protect
the confidentiality, integrity and availability of systems and data’.
I consider that the confidentiality, integrity and availability of the Agency’s systems and data
are integral to the efficient and proper conduct of its operations.
PAGE 7 OF 11
PO Box 7820 Canberra BC ACT 2610
Having regard to my review of the requested document and advice received from the Health
Programmes Division, I also consider that the disclosure of certain information contained in
this document would compromise the security of these systems and data and render them
vulnerable to cyber-attacks and malicious actors.
While I have no reason to believe you would misuse the conditionally exempt material in this
way, the FOI Act does not control or restrict use or dissemination of the information once
released in response to an FOI request, so I must consider actions any member of the public
might take once the information enters the public domain.
Accordingly, I am satisfied that disclosure of parts of this document could reasonably be
expected to have a substantial and adverse effect on the proper and efficient conduct of the
Agency’s operations.
Public interest considerations
As outlined above, access to conditionally exempt material must be given unless I am satisfied
it would not be in the public interest to do so.
When weighing up the public interest for and against disclosure under section 11A(5) of the
FOI Act, I have taken into account relevant factors in favour of disclosure. In particular, I have
considered the extent to which disclosure would promote the objects of the FOI Act.
I have also considered relevant factors weighing against disclosure, indicating that access
would be contrary to the public interest. In particular, I have considered the extent to which
disclosure could reasonably be expected to:
• prejudice to the confidentiality, integrity and availability of the Agency’s systems and
data
• destroy or diminish the commercial value of the provider’s PIA methodology approach
• impede the full and frank disclosure between a lawyer and client, which assists the
effective administration of justice, and
• prejudice the Agency’s ability to obtain comprehensive legal advice in the future.
Based on these factors, I have decided that, in this instance, the public interest in disclosing
the conditionally exempt parts of the document is outweighed by the public interest against
disclosure.
I have not taken into account any of the irrelevant factors set out in section 11B(4) of the FOI
Act in making this decision.
Conclusion
I am satisfied that parts of the document sought are conditionally exempt under section 47E(d)
of the FOI Act. Further, I have decided that on balance it would be contrary to the public interest
to release this information.
Summary of decision
I have decided to refuse your request on the basis that:
• the document is subject to legal professional privilege and therefore exempt in full under
section 42 of the FOI Act
PAGE 8 OF 11
PO Box 7820 Canberra BC ACT 2610
• the document comprises deliberative material, and disclosure would be contrary to the
public interest and the document is therefore exempt in full under section 47C of the FOI
Act, and
• disclosure of parts the document could reasonably be expected to have a substantial
and adverse effect on the Agency’s operations, and disclosure would be contrary to the
public interest and the document is therefore exempt in part under section 47E(d) of the
FOI Act.
PAGE 9 OF 11
PO Box 7820 Canberra BC ACT 2610
Attachment B
INFORMATION ON RIGHTS OF REVIEW
FREEDOM OF INFORMATION ACT 1982
Asking for a ful explanation of a Freedom of Information decision
Before you ask for a formal review of a FOI decision, you can contact us to discuss your
request. We wil explain the decision to you. This gives you a chance to correct
misunderstandings.
Asking for a formal review of an Freedom of Information internal review decision
If you stil believe a decision is incorrect, the FOI Act gives you the right to apply for a review
of the internal review decision. Under section 54M of the FOI Act, you can apply for a review
of an FOI decision by the Australian Information Commissioner. There are no fees for this
review.
You wil have 60 days to apply in writing for a review by the Australian Information
Commissioner.
You can
lodge your application:
Online:
www.oaic.gov.au
Post:
Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Email:
xxxxxxxxx@xxxx.xxx.xx
Important:
• If you are applying online, the application form the 'Merits Review Form' is available at
www.oaic.gov.au.
• If you have one, you should include with your application a copy of the Services
Australia decision on your FOI request
• Include your contact details
• Set out your reasons for objecting to the Agency's decision.
Complaints to the Australian Information Commissioner and Commonwealth
Ombudsman
Australian Information Commissioner
You may complain to the Australian Information Commissioner concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act, There is
no fee for making a complaint. A complaint to the Australian Information Commissioner must
be made in writing. The Australian Information Commissioner's contact details are:
PAGE 10 OF 11
PO Box 7820 Canberra BC ACT 2610
Telephone: 1300 363 992
Website: www.oaic.gov.au
Commonwealth Ombudsman
You may also complain to the Commonwealth Ombudsman concerning action taken by an
agency in the exercise of powers or the performance of functions under the FOI Act. There is
no fee for making a complaint. A complaint to the Commonwealth Ombudsman may be made
in person, by telephone or in writing. The Commonwealth Ombudsman's contact details are:
Phone: 1300 362 072
Website: www.ombudsman.gov.au
The Commonwealth Ombudsman generally prefers applicants to seek review before
complaining about a decision.
PAGE 11 OF 11
