Download original attachment
(PDF file)

This is an HTML version of an attachment to the Freedom of Information request 'Documents Related to the MyService Security Vulnerability at the Department of Veterans’ Affairs'.


FOI 73440 
 
 
Request consultation notice due to existence of a practical refusal 
reason under section 24AB of the Freedom of Information Act 1982 
S 24AB consultation notice Zoey (Position Number 62214764),  
Senior Information Access Officer, Information Access Unit,  
Client and Information Access Branch, Department of Veterans' Affairs 
 
 
Applicant: 
 
 
NoseyRosey 
 
Decision date: 
 
15 January 2025 
 
FOI reference number: 
LEX 73440 
 
Sent by email: 
 
xxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx  
 
 
Dear NoseyRosey ,  
 
Freedom of Information Request: LEX 73440 
 
Purpose of this notice 
 
1. 
The purpose of this notice is to advise you (as required under section 24AB of the Freedom 
of Information Act 1982 (FOI Act) that I intend to refuse your request on the basis that a 
practical refusal reason exist, as defined by section 24AA of the FOI Act.  
 
2. 
Based on the terms of your request, and from initial searches undertaken to respond to your 
request, I am of the view that a practical refusal reason exists because: 
 
a.  your request does not satisfy the requirement in section 15(2)(b) of the FOI Act, in that 
it does not provide sufficient information to enable the department to identify the 
documents you are seeking (section 24AA(1)(b) of the FOI Act).  
 
 
 

Authority to make decision 
 
3. 
I, Zoey (Position Number 62214764), Senior Information Access Officer, Information Access 
Unit, Client and Information Access Branch, am an officer authorised by the Secretary of the 
Department to make decisions about access to documents in the possession of the 
Department in accordance with section 23(1) of the FOI Act.  
 
Scope of your request 
 
4. 
On 14 December 2024 you made a request for access to documents in the possession of the 
Department. Your request sought access to: 
 
‘…...I am seeking access to any documents held by the Department of Veterans’ 
Affairs that relate to a security vulnerability discovered in the MyService platform 
between 1 October 2023 and the date your office processes this request. The 
vulnerability I refer to involves a method by which unauthorised individuals could 
access veterans’ personal information, including but not limited to initial liability 
claims, rehabilitation claims, travel claims, and other sensitive data, through the 
manipulation of certain web address parameters. I am specifically interested in 
documents that discuss any aspect of this vulnerability, its discovery, investigation, 
remediation, and any related internal deliberations or notifications. 
 
More specifically, I request documents that address the initial reporting of the 
vulnerability, such as records of the notification provided to the DVA by the 
individual who discovered it. I also seek documents detailing any actions taken in 
response, including technical assessments, internal discussions about the scope of 
the vulnerability, and any correspondence with service providers such as Services 
Australia. I request records that describe attempts to identify root causes, as well as 
any instructions, briefings, meeting minutes, or emails between DVA staff and 
service providers regarding remediation measures. 
 
I also ask for any documents that relate to the decision-making process about 
whether and how the DVA complied with its mandatory reporting obligations under 
the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. This includes 
records of discussions or correspondence between DVA officials that consider 
whether the vulnerability constituted an eligible data breach and thus triggered the 
requirement to notify the Office of the Australian Information Commissioner. 
Furthermore, I am seeking documents that clarify whether the DVA intended to, 
attempted to, or decided not to inform the affected veterans whose personal and 
sensitive information may have been exposed. This includes any drafts or final 

versions of notifications, risk assessments, legal advice (if disclosable), and any 
instructions or guidelines that may have guided staff on how to handle such 
breaches. 
 
If the DVA possesses documents that outline general policies or procedures 
governing how staff should respond to data breaches or vulnerabilities of this 
nature, I request access to these materials as well. This may include internal 
manuals, policy frameworks, standard operating procedures, or incident response 
plans relied upon by DVA staff when managing the discovered vulnerability... ‘ 
 
5. 
On 16 December 2024, the Department acknowledged your request via email. Within this 
acknowledgement we also requested an Extension of Time (EOT).  
 
6. 
On 16 December 2024 you replied noting you did not agree to an Extension of Time.   
 
Consultation - what you need to do to help us process your request (Section 24AB) 
 
7. 
You now have an opportunity to revise your request so that the grounds for a practical 
refusal are removed. 
 
8. 
You have requested documents concerning “a security vulnerability discovered in the 
MyService platform between 1 October 2023 and the date your office processes this 
request”. This date would be 14 December 2024. It is unclear from your request what you 
are referring to in several parts. Specifically in relation to:  
 
o  “security vulnerability”,  
o  “method by which unauthorised individuals could access …”  
o  “individual who discovered it “ 
o  ”DVA staff and service providers”. 
 
9. 
Revising your request can mean narrowing the scope of the request to make it more specific 
or explaining in more detail the documents you wish to access. For example, by providing 
more information about the security vulnerability you have referred to, or what documents 
you are seeking, we will be able to identify relevant information more quickly and avoid 
using excessive resources to process documents you are not interested in.   
 
10.  To assist us in processing your request, we need you to clearly identify the documents you 
are requesting. This will assist us in our searches. When telling us what documents you 
require, we ask you to consider: 
 
•  providing further clarification about the information/specific documents you are seeking 
access to; 

 
•  defining the specific terminology used in your request. Specifically please confirm: 
 
▪  What you mean by “Security Vulnerability”. 
▪  What method is meant by “method of unauthorised access” 
 
•  narrowing the scope of documents to a specific theme or type. I note you have asked for 
documents regarding Privacy Policies as well as the above mentioned; 
 
•  providing a more practicable date range for us to conduct searches within; 
 
•  providing the names of the “individual who discovered it” and “DVA staff and service 
providers”, and/or the Business Areas they may be within. 
 
11.  Please note that even if you do modify your request, it is possible that a practical refusal 
reason under section 24AA may still exist and the Department may need further time to 
process your revised request. This will depend on the revision you agree to make. As far as is 
reasonably practicable, we are happy to provide you with further information to assist you in 
revising your request so that it removes the practical refusal grounds.  
 
When does a practical refusal reason exist (section 24AA of the FOI Act) 
 
Identification of documents 
 
12.  Section 24AA(1)(b) of the FOI Act provides that a practical refusal reason exists in relation to 
a request for a document if the request does not satisfy section 15(2)(b) of the FOI Act. That 
section provides that a request must provide such information concerning the document as 
is reasonably necessary to enable a responsible officer of the agency to identify it. 
 
13.  I am unable to identify the specific documents you are requesting. This is because the 
language of your request is unclear and it does not contain sufficient information to enable 
me to undertake reasonable and effective searches to identify relevant documents for the 
following reasons: 
 
Next steps 
 
14.  You have 14 days from the day after you receive this letter to respond in writing and do one 
of the following:  
 
•  withdraw your request 
 
•  make a revised request, or  
 

•  indicate that you do not wish to revise the request. 
 
15.  During this period, you can ask me for help to revise your request. If you revise your request 
in a way that adequately addresses the practical refusal grounds outlined above, we will 
recommence processing it.  
 
16.  If you do not contact the department within this period, your FOI request will be taken to 
have been withdrawn under section 24AB(7) and will not be dealt with any further. 
 
17.  If you need more time to respond, please contact the Information Access Unit via the below 
contacts, within the 14 day period to discuss your need for an extension of time.  
 
18.  You can find further information regarding this process on the Office of the Australian 
Information Commissioner (OAIC) website here. 
 
Suspension of processing time  
 
19.  Please note under section 24AB(8) of the FOI Act, the time for processing your FOI request is 
suspended from the day you receive this notice until the day you do one of the things listed 
above.  
 
Contact us 
 
20.  If you wish to discuss this decision, please do not hesitate to contact the Information Access 
Unit using the following details: 
 
Post:    
Information Access Unit, 
Department of Veterans' Affairs 
GPO Box 9998, Brisbane QLD 4001 
Email:   
xxxxxxxxxxx.xxxxxx@xxx.xxx.xx  
 
Yours sincerely, 
 
Zoey (Position Number 62214764),  
Senior Information Access Officer, 
Information Access Unit 
Client and Information Access Branch 
Department of Veterans' Affairs 
 
15 January 2025