Documents Relating to the MyService Vulnerability Managed by Services Australia

Waiting for an internal review by Services Australia of their handling of this request.

Dear FOI Officer,

I make this request for access to documents under the Freedom of Information Act 1982 (Cth).

I am seeking access to records held by Services Australia concerning a security vulnerability identified within the MyService platform between 1 October 2024 and the date your office processes this request. This vulnerability reportedly allowed unauthorized access to veterans’ personal and sensitive information by altering certain parameters in MyService’s web addresses. As Services Australia provides information and communications technology support for the Department of Veterans’ Affairs, including the MyService platform, I request any documents you hold that pertain to the discovery, investigation, and remediation of this vulnerability, as well as the decisions made regarding notifications to affected individuals and the Office of the Australian Information Commissioner (OAIC).

More specifically, I seek documents that record when and how Services Australia became aware of the vulnerability, including any correspondence between Services Australia staff and Department of Veterans’ Affairs personnel, or any other agencies or service providers, where the existence or nature of this vulnerability was discussed. I request any technical assessments, investigation reports, internal briefings, risk assessments, or incident response records that detail the causes of the vulnerability, the scope of information potentially exposed, the corrective steps taken to address it, and any security or code changes applied to prevent similar incidents.

I also seek documents that discuss Services Australia’s role in advising the Department of Veterans’ Affairs on whether this incident constituted an “eligible data breach” under the Privacy Act 1988 (Cth). If you hold any records in which Services Australia considered, commented on, or recommended particular actions regarding notifying the OAIC or veterans whose data may have been exposed, I request access to those as well. This includes any internal deliberations, guidance notes, or communications with external parties about meeting the DVA’s or Services Australia’s responsibilities under the Notifiable Data Breaches scheme.

If Services Australia maintains policies, guidelines, or standard operating procedures that were consulted or applied in handling this vulnerability or determining the appropriate response, I request copies of these documents. I also seek any records that reflect final decisions, conclusions, or lessons learned, such as after-action reviews or improvement plans relating to cybersecurity and privacy controls following this incident.

If you hold documents that contain non-relevant information or sensitive personal details unrelated to the vulnerability itself, I am prepared to receive redacted copies that preserve the integrity of the requested information. I request that you provide documents in electronic form, such as PDF format, wherever possible. If you consider that any portions of this request may lead to a practical refusal, I invite you to consult with me under section 24AB of the FOI Act so we can refine the scope if necessary.

I believe releasing these documents is in the public interest, as it will shed light on the adequacy of the controls and oversight exercised by Services Australia over a critical government platform that manages sensitive personal and medical information for veterans. Disclosure will contribute to public understanding of the processes for identifying, remediating, and reporting serious security incidents within government systems and will help maintain trust in these services.

If there are any charges associated with this request, I respectfully request that you consider reducing or waiving them, given the significance of the matter and its relevance to public interest and government accountability. I look forward to your acknowledgment and decision within the statutory timeframes set forth by the FOI Act. Should you require clarification or further details, please contact me at the information provided below.

Yours sincerely,
Nosey

FREEDOMOFINFORMATION, Services Australia

Thank you for contacting the Freedom of Information (FOI) team in Services
Australia (the Agency).

 
This email acknowledges your correspondence and provides some general
information in relation to FOI.
 
FOI – Extension of time request
Under the Freedom of Information Act 1982 (FOI Act) you have a right, with
limited exceptions, to access documents the Agency holds. The Agency has
30 days to process an FOI request. Please note this period may be extended
if we need to consult third parties or for other reasons. We will advise
you if this happens.
 
Due to the Agency’s reduced activity period over 24 December 2024 – 1
January 2025, we are seeking your agreement to extend the processing time
by an additional 30 days. If you agree to this additional time we would
appreciate if you could reply to this email with ‘I agree’.
 
Administrative release of documents  
The Agency has administrative access arrangements ('the arrangements') for
the release of certain documents without the need for a formal FOI
request. If you agree to the release of documents under these
arrangements, we may provide you with documents under the arrangements,
where appropriate. 
                                                                 
Any parts of your FOI request that are addressed by documents being
released under the arrangements will be considered withdrawn. The
arrangements do not extend to information or materials of third parties.
You will be notified when documents are released to you under the
arrangements.
 
Personal information of Agency staff
We consider staff details to be personal information of those staff
members. As part of the FOI application process, we will seek your consent
to exclude the following information from documents that may be captured
by your request: 
• names of Services Australia staff below the Senior Executive level
(junior staff)
• direct staff telephone numbers, signatures, logon identifiers and email
addresses.
 
If you consent to exclude this information, we will treat it as outside
the scope of your request and therefore irrelevant under Section 22 of the
FOI Act.
 
Charges
No charge is payable for providing a person with their own personal
information.
If you are requesting non-personal information the Agency will advise you
as soon as practicable if a charge is payable to process your request, and
the amount of any such charge.
 
How we will send documents to you
We typically use this email address to send documents related to your FOI
request unless you have specifically requested to receive them via post.
However, we might seek your consent to deliver the documents
electronically if it is deemed more suitable.
 
How long do I have to wait?
We are required to answer your request within 30 days unless the time
frame is extended under the FOI Act. 

Dear FOI Officer,

Thank you for your acknowledgment of my Freedom of Information (FOI) request. I have carefully reviewed your request to extend the statutory timeframe for processing my FOI application by an additional 30 days due to the Agency’s reduced activity period over 24 December 2024 – 1 January 2025.

I wish to advise that I do not consent to the proposed extension of time. The reason you have provided—the Agency’s reduced activity during its designated holiday period—is not a matter for which I, as the applicant, bear any responsibility, nor does it constitute a valid justification under the Freedom of Information Act 1982 (Cth) (“the FOI Act”).

Under section 15(5)(b) of the FOI Act, an agency is required to make a decision on an FOI request within 30 days of receiving the request. While the Act does allow for extensions of time under certain circumstances, including consultation requirements with third parties (section 15(6)) or where an extension is agreed to by the applicant (section 15AA), your request for additional time due to internal reduced activity is not explicitly supported by the provisions of the FOI Act.

Further, the Guidelines issued by the Australian Information Commissioner under section 93A of the FOI Act (“the FOI Guidelines”) make it clear that agencies are expected to allocate sufficient resources to ensure statutory timeframes are met, even during holiday periods. The Guidelines state:

“Agencies should ensure that staffing and resources are managed to comply with the statutory timeframes for processing FOI requests, including during periods of peak leave, such as Christmas and New Year.”

The FOI Act places a statutory obligation on agencies to provide timely access to government-held information as part of the broader principle of open government. The holiday period does not exempt an agency from this obligation. Any delay caused by internal resource management issues is not a valid reason for the Agency to seek consent for an extension.

If the Agency believes it cannot meet the statutory deadline, it may apply to the Office of the Australian Information Commissioner (OAIC) under section 15AB of the FOI Act for an extension of time. The OAIC has the authority to grant such extensions if satisfied that the request involves a complex or voluminous volume of work that would otherwise prevent timely processing. However, such an application would require the Agency to demonstrate that its reduced activity period constitutes a valid ground for an extension under the Act.

If the Agency proceeds to apply to the OAIC for an extension, I request to be notified and consulted on the matter, as required under the provisions of the FOI Act.

In summary, I do not consent to an extension of time under section 15AA of the FOI Act. I encourage the Agency to allocate the necessary resources to process my FOI request within the statutory timeframe. If the Agency believes it cannot meet the deadline, it should seek an extension under section 15AB from the OAIC, as outlined above.

I look forward to receiving your decision within the statutory timeframe required under the FOI Act. Should you require any further clarification from me to assist with processing my request, please do not hesitate to contact me.

Yours sincerely,

FREEDOMOFINFORMATION, Services Australia

Dear Nosey Rosey,

The Agency will not be in a position to finalise your FOI request by the current due date of 13 January 2025.

A number of business areas not originally identified as relevant to your request have now been identified as potentially holding documents, and the FOI team requires additional time to engage with them. Identification of these business areas has been delayed by the availability of relevant business area subject matter experts during the Agency's reduced activity period over 24 December 2024 to 1 January 2025.

We are seeking your agreement to extend the processing time by an additional 11 days. If you agree to this extension, the due date of your request would become 24 January 2025.

If you agree to this additional time we would appreciate if you could reply to this email with 'I agree' by 13 January 2025.

Kind regards,

Hannah
FOI and Reviews Branch, Legal Services Division

Dear FREEDOMOFINFORMATION,

As previously stated your poor time management is not an issue that I need to resolve for you and as such this is rejected.

Yours sincerely,

noseyrosey

FREEDOMOFINFORMATION, Services Australia

2 Attachments

Dear Nosey Rosey

Please find attached important correspondence concerning your FOI request
to Services Australia.

Kind regards,

Hannah
FOI & Reviews Branch, Legal Services Division

Dear FREEDOMOFINFORMATION,

This is now a deemed decision. I have already referred this to OAIC as this email came outside of office hours.

I do not consent to the change of the scope. This is not a hard request and as such veteran privacy through you guys and your system is of utmost importance.

Yours sincerely,

noseyrosey

FREEDOMOFINFORMATION, Services Australia

2 Attachments

Dear Nosey Rosey

Please find attached the decision letter relating to your request for
access to documents held by Services Australia.

I acknowledge your email yesterday advising you considered the Agency was
deemed to have refused your request as you received a consultation notice
outside of “business hours”. Please note, there is no provision in the FOI
Act or the Acts Interpretation Act that states an FOI decision must be
notified by a certain time of day. I also wish to explain that the email
was sent at 4.24pm according to the FOI Officer’s time zone.

Therefore, the matter is not considered to have been deemed to be refused
yesterday. Noting the time taken to consult with you yesterday was not
included in calculating the processing period for your request (s 24AB(8)
of the FOI Act), we are providing you with a notice of decision today,
within the statutory processing timeframe prescribed in the FOI Act.

Kind regards,

Cherie
Senior FOI Officer
FOI & Reviews Branch, Legal Services Division

Dear Hannah,

I am writing to request an internal review of your decision dated 14 January 2025 regarding my Freedom of Information (FOI) request, reference number LEX 82937. I do not agree with your decision to refuse my request under section 24(1) of the Freedom of Information Act 1982 (Cth) (“the FOI Act”), and I am providing detailed reasons for seeking a review below.

First, your refusal rests on claims that processing the request would involve substantial and unreasonable diversion of the agency’s resources under section 24AA(1)(a)(i). However, the resource estimates provided—118 hours for processing 2,201 pages—lack substantiation. The assertion that every page would require line-by-line review for redactions assumes all documents contain sensitive or exempt information, which is unlikely. A more targeted review could likely identify key documents or categories with minimal redactions.

Second, your decision does not adequately address the significant public interest in the disclosure of the requested documents. This request pertains to a critical security vulnerability in the MyService platform that reportedly allowed unauthorized access to veterans' sensitive information. The public has a right to know how Services Australia identified, addressed, and remediated this issue, particularly given the potential implications for the privacy and security of a vulnerable group of individuals. The FOI Act’s purpose, as outlined in section 3, is to promote transparency and accountability, which this decision undermines.

Third, while the consultation letter issued on 13 January 2025 under section 24AB of the FOI Act invited me to revise the scope of my request, it did not meaningfully engage with the specifics of the request or propose viable alternatives. Suggesting broad categories such as "technical assessments" or "investigation reports" fails to address my request for documents concerning decision-making on notifications to the OAIC and affected individuals. I would have expected a more focused discussion on specific documents or narrower timeframes that might allow the request to proceed.

Fourth, the agency appears to preemptively apply the conditional exemption under section 47E(d) of the FOI Act concerning adverse effects on the operations of the agency. This claim is speculative and unsupported by evidence. The FOI Act requires agencies to demonstrate with reasonable specificity how disclosure would cause substantial adverse effects. Generalized concerns about cybersecurity do not meet this standard, especially for historical documents about a vulnerability that has presumably been addressed.

Fifth, your decision cites the need to consult the Department of Veterans’ Affairs (DVA) as part of processing the request. However, such consultations are a routine part of FOI processing and should not be used to justify refusal under section 24AA. The FOI Act and the associated Guidelines issued by the Australian Information Commissioner make it clear that agencies must allocate sufficient resources to comply with their statutory obligations, including conducting third-party consultations.

Finally, I note that your consultation letter acknowledged the potential to revise the scope of the request. While I remain open to a meaningful discussion about narrowing the request, I reiterate that the refusal to process the request outright is inconsistent with the FOI Act’s intent.

I respectfully request that the internal review reconsider this decision and engage more meaningfully on potential scope reductions, if necessary. I look forward to your response within the statutory timeframe.

Yours sincerely,
Nosey Rosey
