Dear Department of Defence,

Please forward this request to the appropriate FOI officer for the Australian Government Security Vetting Agency.

* The request (summary):

I am seeking technical/architectural/service & system design documentation and status reports to executives the Department holds about a project known as "ICT 2270 - 21st Century Security Vetting" for the Australian Government Security Vetting Agency.

* Limiting the scope of the request:

In particular, I am seeking:
[Item 1] Requirements documents provided to external systems integrators on the provisioning of the ICT 2270 system

[Item 2] Approved (i.e. signed off by a DoD executive) overarching “System Design” and/or “Enterprise Architecture” document for ICT 2270

[Item 3] Documentation/results of user research and Service Design consultations especially for the externally-facing ePack component.
This document must exist, as for the project to meet Criterion 1 of the Digital Service Standard as mandated by Cabinet (see MT15/0199/DTC).
If this document does not exist, the exemption signoff will suffice.

[Item 4] Any interim formal or self-assessments against the Digital Service Standard

[Item 5] The most recent report provided to AGSVA executives and the AGSVA Governance Board regarding the progress of ICT 2270

* Helping you administer this request:

I imagine this request sits with COIG; you will have to contact a suitably informed director or enterprise architect.

Item 2
- this document might be prepared internally or by the external systems integrator, I'm unsure
- it would normally include all the systems an end-to-end vetting process would touch

EA/system design documents are often long and often contain sensitive security information.

I am keenly aware of the need to comply with s 33(a)(i) and s 24AA(1)(a)(i) and want to ensure my request does not fall foul of these FOI exemptions. A significant proportion of the documents requested should relate to frontend (i.e. public-facing) or describe logical links between systems that are not sensitive (i.e. Item 4 and Item 3).

If you could assist me, that would be greatly appreciated. I am more than happy to call - or take a call from - someone in CTOD or ICTSDRD to help narrow the scope, particularly around sensitive areas.

Given the complexity and sensitivity, I'm also willing to give an extension right off the bat, if you require and ask.

* Background information (why I'm requesting this information):

I noticed a reference to ICT 2270 in a Defence submission to the "Inquiry into the Impact of Changes to Service Delivery Models on the Administration and Running of Government Programs".

My understanding is that this is a rebuild of the PSAMS and ePack systems which has publicly been outed as an underperforming multimillion-dollar program by the ANAO.

As this is a new project and a component of the ePack system is public-facing, it comes under the scope of the Digital Service Standard, as mandated by Cabinet, MT15/0199/DTC, unless an exemption has been given. Thus, I am requesting that information in Item 3 and 4.

The administration of security vetting is an expensive affair. As ANAO noted: "The ePack system remains a frustrating and difficult system for individual users to navigate, raising efficiency and productivity issues in the vetting process."

The audit identified “shortcomings in project planning, insufficient application of ICT expertise and major changes in project scope”. I want to see evidence of AGSVA working towards a system that rectifies this and acknowledgement from the AGSVA Governance Board.

Keep COVID safe! Yours faithfully,
ClearPsedudonym

FOI, Department of Defence

OFFICIAL

Good afternoon,

Thank you for contacting Freedom of Information at the Department of Defence.

We have received your email and you will be advised of the status of your inquiry by a FOI team member.

Chris Simon | Freedom of Information
Enterprise Reform Branch | Governance and Reform Division | Department of Defence
a CP1-6-005 Campbell Park Offices ACT 2600
t (02) 6266 2200| e [email address]

IMPORTANT: This email remains the property of the Department of Defence. Unauthorised communication and dealing with the information in the email may be a serious criminal offence. If you have received this email in error, you are requested to contact the sender and delete the email immediately.


FOI Case Management, Department of Defence

OFFICIAL

Dear Sir/Madam

 

I refer to your correspondence of 11 September 2020 seeking access under
the Freedom of Information Act 1982 (FOI Act) to documents held by the
Department of Defence (Defence). This email is to advise you that your
request has been received and allocated to a Case Manager.

 

The scope of your request is:

 

“I am seeking technical/architectural/service & system design documentation
and status reports to executives the Department holds about a project
known as "ICT 2270 - 21st Century Security Vetting" for the Australian
Government Security Vetting Agency.

In particular, I am seeking:

[Item 1] Requirements documents provided to external systems integrators
on the provisioning of the ICT 2270 system

[Item 2] Approved (i.e. signed off by a DoD executive) overarching “System
Design” and/or “Enterprise Architecture” document for ICT 2270

[Item 3] Documentation/results of user research and Service Design
consultations especially for the externally-facing ePack component. This
document must exist, as for the project to meet Criterion 1 of the Digital
Service Standard as mandated by cabinet (see MT15/0199/DTC) If this
document does not exist, the exemption signoff will suffice.

[Item 4] Any interim formal or self-assessments against the Digital
Service Standard

[Item 5] The most recent report provided to AGSVA executives and the AGSVA
Governance Board regarding the progress of ICT 2270.”

 

Please note that Defence does not release information that is considered
‘personal information’ of individuals other than the applicant; this
includes private email addresses, signatures, personnel (PMKeyS) numbers
and mobile telephone numbers, unless you specifically request such
details. Defence excludes duplicates of documents and any documents sent
to or from you. Furthermore, Defence only considers final versions of
documents.

 

If you are seeking personal details of other individuals, please advise
this office by 18 September 2020 so that the decision maker can consider
your request.

 

Defence may impose a charge for the work involved in providing access to
the documents in accordance with the Freedom of Information (Charges)
Regulations. You will be notified separately if your request attracts a
charge. Please note that there is no charge for documents that contain the
personal information of the applicant.

 

The statutory deadline for you to receive a response to your request is 11
October 2020. Please note that where the due date falls on a Saturday,
Sunday or public holiday, the timeframe will expire on the next working
day – Monday 12 October 2020.  This is in accordance with the FOI
Guidelines issued by the Office of the Australian Information
Commissioner.

 

I am the Case Manager for this request. Should you have any questions
relating to your request, please do not hesitate to contact me via email
to [email address].

 

Regards

Rose
FOI Case Management
Department of Defence
[email address]

 


FOI Case Management, Department of Defence

2 Attachments

UNOFFICIAL

Dear  ‘ClearPsedudonym’

 

Please find attached the decision relating to Defence FOI 112/20/21.

 

Rights of Review

Under section 54 of the FOI Act, you are entitled to request a review of
this decision. Your review rights are attached.

 

Should you have any questions in regard to this matter please contact this
office.

 

Regards

FOI Case Management
Department of Defence
[email address]

 


Hello Rose, Joanne and FOI team,

Sorry for the late reply, I hope I'm still within the 30-day reply period.

I accept Item 5 being struck out under 47E(d) of the FOI Act.

As for the other items, I'm quite surprised your team were unable to find documents related to items, particularly Items 1-3. I have it on good authority that the project is under active development. I find it very hard to believe that a project could be under development but not have these key documents, which I believe form the basis for software developers to get started.

Could it be that the project has been renamed?
Were you doing exact matches for the document titles? Maybe the team uses different tech lingo for the documents in question.

As such, I'm interested to know what package/questions you put to the Defence IT/Architecture teams to help you administer my request. Could I call you/the FOI team?

I'd rather not send my request for review at this stage, as I'm sure it's just a miscommunication. I am confident the documents I am asking for do exist.

If I'm unable to call your team, could I request an extension for my reply/decision to review? I will use that time to manually inspect the Harradine Report https://www.defence.gov.au/Publications/... (which currently 404s) and request the exact document/s.

Yours sincerely,
ClearPseudonym

FOI Case Management, Department of Defence

UNOFFICIAL
Dear ClearPseudonym

With reference to your email below, if you do not agree with the reason for decision, 'Section 47E Certain operations of agency', please forward your query to the FOI Review Team.

Regards

Rose
FOI Case Management
Department of Defence
[email address]

Please be advised the Department is subject to a stand-down period from 24 Dec 20 – 3 Jan 21 (inclusive). The FOI Directorate will endeavour to finalise requests prior to this period where possible; however, all applications received which will have a due date in this period will have a 30-day extension applied to the statutory timeframe.
