Documents relating to security breaches of all electronic records held, maintained and overseen by the ADHA

Richard Smith made this Freedom of Information request to Australian Digital Health Agency

This request has been closed to new correspondence from the public body.

The request was refused by Australian Digital Health Agency.

Dear Australian Digital Health Agency,

On your website you have listed that "Some of the key benefits of a National eHealth Security and Access Framework for use in the Australian environment include:

Promotion of a consistent, risk-based approach to eHealth security and access.

...

Contemporary better practice guidance on specific eHealth security and access practices".

The protection of accuracy and privacy of health data is of enormous interest to the Australian population.

I therefore request the following Government Information:

a) Documents relating to any investigations, reviews or routine checks undertaken by the ADHA (or suppliers or subcontractors of ADHA) to determine if any breaches in security have occurred for any electronic records held, maintained or overseen by the ADHA in the years of 2015, 2016, 2017 and 2018; and

b) Documents relating to the procedures currently in use by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic records are correctly applied and assured; and

c) Documents relating to the procedures currently in use by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all software used by the ADHA to maintain electronic records are correctly applied and assured; and

d) Documents relating to the procedures in use in 2016 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic records are correctly applied and assured; and

e) Documents relating to the procedures in use in 2016 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all software used by the ADHA to maintain electronic records are correctly applied and assured.

If this can be answered as an informal request, please do so.

Otherwise, please proceed with this as a formal request under the Freedom of Information principles & framework, i.e. the Freedom of Information Act 1982 & other associated guidelines and regulations.

Yours faithfully,

Richard Smith

FOI, Australian Digital Health Agency

OFFICIAL

Richard Smith
Via Right to Know

Freedom of information Request 1811001

This email is to say that we have received in this office on 5 November 2018 your application for access to My Health Record documents under the Freedom of Information Act 1982.

We will contact you again to formally acknowledge your application and, if necessary, clarify your application; advise if charges are applicable; or, whether there is a need to consult with third parties.

In the meantime if you have any questions, please email us at [email address].

Kylee
FOI Team
Australian Digital Health Agency
Scarborough House, Level 7, 1 Atlantic Street, Woden ACT 2606

Email [ADHA request email]
Web www.digitalhealth.gov.au
The Australian Digital Health Agency acknowledges the traditional owners of country throughout Australia, and their continuing connection to land, sea and community. We pay our respects to them and their cultures, and to Elders both past and present.


Dear Kylee,

RE: Freedom of information Request 1811001

Thank you for your reply of 22 November.

I shall await further communication from your office in regards to this matter.

Yours sincerely,

Richard Smith

FOI, Australian Digital Health Agency

2 Attachments

OFFICIAL

Dear Mr Smith

Good Afternoon.  Please see the attached letter.

Regards

FOI TEAM
Freedom of Information Support Officer

Governance, Risk and Secretariat Services Branch
Australian Digital Health Agency
Scarborough House, Level 7, 1 Atlantic Street, Woden ACT 2606
Email      [ADHA request email]
Web        www.digitalhealth.gov.au

Important: This transmission is intended only for the use of the addressee
and may contain confidential or legally privileged information. If you are
not the intended recipient, you are notified that any use or dissemination
of this communication is strictly prohibited. If you receive this
transmission in error please notify the author immediately and delete all
copies of this transmission.


Dear Ms McMahon,

RE: FOI Reference 1811001

Thank you for your reply of 4 December 2018 regarding my request for Government Information.

I have considered your response advising that refusal of my request for government information is being considered.

I will now address each of the points raised in your letter in turn.

1) Practical Refusal

In outlining why the Agency believes that a Practical Refusal reason exists, you have said that “It may assist you to know that the Agency does not know what type of documents you are seeking”.

Your letter refers to s24AA of the Act; upon reflection, it appears that the Agency is specifically referring to s24AA(b):

“(b) the request does not satisfy the requirement in paragraph 15(2)(b) (identification of documents).”

Turning to the specific requirements outlined in s15(2)(b):

“Requirements for request
(2) The request must:

(b) provide such information concerning the document as is reasonably necessary to enable a responsible officer of the agency, or the Minister, to identify it.”

With this specific criterion that needs to be met as per the Act in mind, I will now address each of the points of my request for Government Information. I have restated each point of my request for your convenience.

2) Clarification of Request for Government Information

Point a)

a) Documents relating to any investigations, reviews or routine checks undertaken by ADHA (or suppliers or subcontractors of ADHA) to determine if any breaches in security have occurred for any electronic records held, maintained or overseen by the ADHA in the years of 2015, 2016, 2017 and 2018

This point relates to documents relating to ADHA's activities in conducting audits, checks or investigations to ensure that “eHealth security” is being maintained and that any electronic records or systems it oversees have not been breached.

Considering that the security of electronic records is a prime function of the ADHA, it logically follows that some level of testing and checking of the security of the systems would be undertaken as a matter of course.

Considering the points raised in your reply, I am amenable to a reduction in the scope of this point a) to commence 1 July 2016 up to and including the date of my request on 2 November 2018.

The identification by a responsible officer of the Agency of documents related to checking on security of electronic records, one of the prime functions of the ADHA, should be a trivial matter and I do not believe that there is anything additional that needs to be added.

I believe that with the application of the amendment in scope above, that my request now has sufficient information to satisfy the requirements of s15(2)(b) and therefore the test of s24AA(b) is not met for Point a).

Point b)

b) Documents relating to the procedures currently in use by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic records are correctly applied and assured

This point is requesting documents containing procedures currently in use detailing how the ADHA ensures that hardware holding electronic records is correctly being updated, upgraded or patched. This point is requesting information that the ADHA (or its subcontractor, if this function is outsourced) uses to systematically keep hardware used by the ADHA to maintain its electronic records properly maintained and up to date. Keeping hardware up to date would be a fundamental part in ensuring “eHealth safety” and would be a core function of the ADHA.

Therefore I believe that my request has sufficient information to satisfy the requirements of s15(2)(b) and therefore the test of s24AA(b) is not met for Point b).

Point c)

c) Documents relating to the procedures currently in use by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all software used by the ADHA to maintain electronic records are correctly applied and assured

Again, as above for point b), this point is requesting the documents covering the same aspects of the methods by which ADHA is ensuring that it is keeping its software used to maintain its electronic records maintained and up to date. It is difficult to believe that this request does not contain sufficient information for the Australian Digital Health Agency to identify the documents that I am requesting. The antithesis of this situation would be that the ADHA does not know about the importance of keeping software updated and “patched” nor has it any procedures regarding maintaining software. I am sure this is not the case.

Here I believe that my request has sufficient information to satisfy the requirements of s15(2)(b) and therefore the test of s24AA(b) is not met for Point c).

Point d)

d) Documents relating to the procedures in use in 2016 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic records are correctly applied and assured

With my request in Point d), I have requested the 2016 version of the same type of documents as in Point b) i.e. those currently in use, however with the assumption that there had been some change to the procedures to maintain hardware over the 2 years since the establishment of the ADHA in 2016. If that is not the case, then the documents that satisfy my request of point b) will also satisfy this point d).

Therefore I believe that my request has sufficient information to satisfy the requirements of s15(2)(b) and therefore the test of s24AA(b) is not met for Point d).

Point e)

As above, with my request in Point e), I have requested the 2016 version of the same type of documents as in Point c) i.e. those currently in use, however with the assumption that there had been some change to the procedures to maintain software over the 2 years since the establishment of the ADHA in 2016. If that is not the case, and the ADHA is using the same procedures currently as were in place at the Agency’s establishment, then the documents that satisfy my request of point c) will also satisfy this point e).

Therefore I believe that my request has sufficient information to satisfy the requirements of s15(2)(b) and therefore the test of s24AA(b) is not met for Point e).

Focus in scope to “electronic health records”

Finally, to assist the Agency further, I confirm that the scope of my request for Government Information covers electronic health records, not records of a general office or administrative nature, such as emails or administration files. Therefore I am amenable to an amendment to my request being made to insert the word “health” wherever I have requested “electronic records” in my requested points a) through e).

I trust this clarifies my request.

I look forward to hearing from the ADHA.

Yours faithfully,

Richard Smith

FOI, Australian Digital Health Agency

Dear Mr Smith,

Thank you for your clarification email. I will start the search for documents.

I will be in touch about the next steps in the Freedom of Information process.

Regards,

FOI Officer

FOI Team
Governance, Security and Secretariat Services
Australian Digital Health Agency
Scarborough House, Level 6, 1 Atlantic Street, Woden ACT 2606
Email
[ADHA request email]
Web
www.digitalhealth.gov.au


FOI, Australian Digital Health Agency

1 Attachment

Dear Mr Smith,

Good afternoon. Please see the attached decision letter from the
Australian Digital Health Agency.

Regards,

FOI Officer

FOI Officer, FOI Team
Governance, Security and Secretariat Services

Australian Digital Health Agency
Scarborough House, Level 6, 1 Atlantic Street, Woden ACT 2606

Phone +61 22230780
Email [ADHA request email]
Web www.digitalhealth.gov.au


Dear Ms McMahon,

RE: FOI Request 1811001

Thank you for your letter of 18 December regarding my request for Government Information.

Having considered your letter, whilst being mindful of my reply to you of 12 December 2018, there appear to be some discrepancies in the detail of the amended scope of my request.

Whilst the ADHA acknowledges that, in my letter of 12 December, I had agreed to restate the scope of my request, the restated description of the request's scope in your letter has not, in fact, included any amendments.

For example, in regards to point a) of my request, I had agreed to amend the timeframe from the years 2015 - 2018 to the period 1 July 2016 to 2 November 2018. However in your letter of 18 December, the scope of the request of point a) remains as "the years of 2015, 2016, 2017 and 2018".

Similarly, in my letter of 12 December, I had agreed to narrow the scope of each of my points b) through e) from "electronic records" to "electronic health records". However, in your letter of 18 December the scope of each of points b) through e) remains as "electronic records".

This error in amending the scope of each of those points is surprising as I had stated my agreement to that amendment under the heading "Focus in scope to “electronic health records”".

Reduction in size of request

I note the recommendation, amongst others, to consider limiting my request to final versions of documents.

I have no objections to agreeing to that recommendation.

Scope of Revised Request for Government Information:

In light of the points described above relating to the amendment of my request for Government Information, for the avoidance of doubt I will now restate the scope of my request as agreed to be amended according to both my letter of 12 December and your letter of 18 December.

I am now therefore requesting the following Government Information:

a) Documents relating to any investigations, reviews or routine checks undertaken by the ADHA (or suppliers or subcontractors of ADHA) to determine if any breaches in security have occurred for any electronic records held, maintained or overseen by the ADHA in the period 1 July 2016 to 2 November 2018 inclusive; and

b) Documents relating to the final version of procedures currently in use as at 2 November 2018 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic health records are correctly applied and assured; and

c) Documents relating to the final version of procedures currently in use as at 2 November 2018 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all software used by the ADHA to maintain electronic health records are correctly applied and assured; and

d) Documents relating to the final version of procedures in use as at 1 July 2016 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all hardware used by the ADHA to maintain electronic health records are correctly applied and assured; and

e) Documents relating to the final version of procedures in use as at 1 July 2016 by the ADHA which outline the methods by which the application of updates, upgrades and "patches", both routine and ad-hoc to all software used by the ADHA to maintain electronic health records are correctly applied and assured.

I trust that the ADHA will now reconsider my request for Government Information in light of my restatement of our previously agreed scope.

I look forward to hearing from the ADHA.

Yours sincerely,

Richard Smith

Cecilia Pattison-Levi, Australian Digital Health Agency

1 Attachment

Dear Mr Smith,

Good afternoon. Please see the attached charges letter from the Australian
Digital Health Agency.

Regards,

FOI Officer

FOI Officer, FOI Team
Governance, Security and Secretariat Services

Australian Digital Health Agency
Scarborough House, Level 6, 1 Atlantic Street, Woden ACT 2606

Phone +61 22230780
Email [ADHA request email]
Web www.digitalhealth.gov.au


Dear Mr Lilley,

RE: FOI-1811001

Thank you for your letter of 20 December 2018.

I have reviewed the estimated charges that the ADHA has suggested are required to process my request for Government Information held by the ADHA on behalf of all Australians.

Before I detail my response to the ADHA’s estimate of charges of $8,851.85, I would first like to remind the ADHA that section 3 of the FOI Act outlines the intention and purpose of the Commonwealth FOI legislation currently in force.

This is, that the Commonwealth of Australia Parliament intends for the public to have a legislated “right to information”.

The Parliament also intends that this information is to be provided “promptly and at the lowest reasonable cost”.

For your convenience I have reproduced the relevant section of the Act below:

FREEDOM OF INFORMATION ACT 1982 - SECT 3
Objects--general
(1) …
(2) The Parliament intends, by these objects, to promote Australia's representative democracy by contributing towards the following:
(a) increasing public participation in Government processes, with a view to promoting better-informed decision-making;
(b) increasing scrutiny, discussion, comment and review of the Government's activities.

(4) The Parliament also intends that functions and powers given by this Act are to be performed and exercised … to facilitate … public access to information, promptly and at the lowest reasonable cost.

I would also take this opportunity to provide an extract of a Commonwealth Departmental Guideline:

GUIDELINES FOR PROCESSING FREEDOM OF INFORMATION REQUESTS
“Following the 2010 amendments to the FOI Act, it is government policy that agencies are not expected to exercise the discretion to impose charges unless the agency considers it appropriate to do so in the circumstances. In exercising this discretion, the department should also be guided by the ‘lowest reasonable cost’ objective of the FOI Act, i.e. that the functions and powers of the Act are to be performed and exercised “to facilitate and promote public access to information, promptly and at the lowest reasonable cost” (s.3(4)).”

I will now turn my attention to the specifics of your letter of 20 December 2018.

Estimate of Charges

In your letter of 20 December 2018, the ADHA’s estimate of charges has been broken down into 3 categories, namely Search and Retrieval, Decision Making and Access and Delivery charges.

The break-up of the charges are:

$141.50 => Search and Retrieval
$8,810.35 => Decision Making
$0 => Access and Delivery charges

In regards to the Decision Making portion of the estimate of charges, I put it to the ADHA that the estimate of 440.52 hours of decision making is bordering on the realm of complete and utter farce.

Under the Australian Public Service Enterprise Award 2015, 440.52 hours is just short of 12 weeks of full time work (considering 36.75 is the ordinary weekly hours of work for a full-time employee under the APS Enterprise Award 2015).

With the equivalent of 1 full time person solely devoted to making a decision on the 42 documents estimated to be relevant to the scope of my request, this would represent a mere 3.5 documents per week over the 12 weeks!

With 6 personnel solely devoted in a full time capacity to making a decision, the 440.52 hours represents 2 full weeks of consideration, with each person considering 7 documents over the 2 week period.

This projected level of manpower is completely ridiculous, when we consider that the subject of my FOI request are just a few technical manuals regarding how often software and hardware upgrades are maintained.

When compared against other FOI requests of a similar scope, I contend that the excessively large estimated hours provided for Decision Making in your letter of 20 December would be seen by any reasonable observer who is familiar with FOI requests as being disproportionate and unreasonable.

Consultation with Third Parties

I would also raise the point that the scope of my request for Government Information, being primarily technical documents concerning maintenance procedures for computer hardware and software, would not conceivably cover any documents containing personal information to require any consultation or Decision Making with third parties as per s27 of the Act.

Conduct of ADHA

In light of the points I have raised above, I contend that it would not be unreasonable for the average person, upon a prima facie reading of all of the correspondence in this matter, to infer that the ADHA is attempting to frustrate my request for Government Information.

Firstly there was an initial attempt to prevent my request proceeding due to the ADHA claiming to not fully understand the scope of my request.

Then, after providing minor clarifications of the scope of my request, the ADHA's understanding of the scope has been solved, however now the ADHA has gone on to provide an estimate of costs that is staggeringly out of proportion to not only what would be required for the processing of my FOI request, but also when compared to the vast majority of FOI requests.

Again, when considered, this can really only be seen as an attempt by the ADHA to frustrate and stop my FOI request.

I contend that the actions of the ADHA demonstrated in this case are deliberately aimed at preventing and disrupting the stated aim of the FOI Act, i.e. that “public access to information” be provided “promptly and at the lowest reasonable cost”.

The estimation provided in your letter of 20 December 2018 for Decision Making involving 440.52 hours is not an example of the ADHA discharging its legislated responsibilities “promptly and at the lowest reasonable cost”. It is the opposite.

Subject of my FOI request is Public Interest

In addition to my comments above, I also contend that access to the documents identified through my FOI request is in the general public interest, and also in the interest of a substantial section of the public, due to the following reasons:

· I contend that the information requested relates to a matter of public debate, and disclosure of this information would assist public comment;

· I further contend that the information requested relates to a matter of public discussion and concern, and disclosure of this information would assist in better informing the public on that matter.

For a significant portion of last year, there was significant public debate in the media, via Government press releases, interviews and other published information and through social media of the issues around the deadline for opting out of My Health Record electronic accounts holding health data, and also about the safety and security of any data held in the My Health Record database.

The Government Information I have requested goes directly to informing the public about this issue.

Application Charge imposes Financial Hardship

Finally I also contend that the application of a charge for this FOI request would cause financial hardship to me as the applicant.

I therefore request that the calculation of estimated charges required to process my request for Government Information is reassessed, in light of the points I have raised above.

I look forward to hearing from the ADHA in regards to this matter.

Yours sincerely,

Richard Smith

FOI, Australian Digital Health Agency

1 Attachment

Dear Mr Smith,

Good afternoon. Please see the attached letter from the Australian Digital
Health Agency.

Regards,

FOI Team

FOI Officer
FOI Officer, FOI Team
Governance, Security and Secretariat Services

Australian Digital Health Agency
Scarborough House, Level 6, 1 Atlantic Street, Woden ACT 2606

Phone +61 22230780
Email [ADHA request email]
Web www.digitalhealth.gov.au
