Documents Relating to the MyService Vulnerability Managed by Services Australia

Dear FOI Officer,

I make this request for access to documents under the Freedom of Information Act 1982 (Cth).

I am seeking access to records held by Services Australia concerning a security vulnerability identified within the MyService platform between 1 October 2024 and the date your office processes this request. This vulnerability reportedly allowed unauthorized access to veterans’ personal and sensitive information by altering certain parameters in MyService’s web addresses. As Services Australia provides information and communications technology support for the Department of Veterans’ Affairs, including the MyService platform, I request any documents you hold that pertain to the discovery, investigation, and remediation of this vulnerability, as well as the decisions made regarding notifications to affected individuals and the Office of the Australian Information Commissioner (OAIC).

More specifically, I seek documents that record when and how Services Australia became aware of the vulnerability, including any correspondence between Services Australia staff and Department of Veterans’ Affairs personnel, or any other agencies or service providers, where the existence or nature of this vulnerability was discussed. I request any technical assessments, investigation reports, internal briefings, risk assessments, or incident response records that detail the causes of the vulnerability, the scope of information potentially exposed, the corrective steps taken to address it, and any security or code changes applied to prevent similar incidents.

I also seek documents that discuss Services Australia’s role in advising the Department of Veterans’ Affairs on whether this incident constituted an “eligible data breach” under the Privacy Act 1988 (Cth). If you hold any records in which Services Australia considered, commented on, or recommended particular actions regarding notifying the OAIC or veterans whose data may have been exposed, I request access to those as well. This includes any internal deliberations, guidance notes, or communications with external parties about meeting the DVA’s or Services Australia’s responsibilities under the Notifiable Data Breaches scheme.

If Services Australia maintains policies, guidelines, or standard operating procedures that were consulted or applied in handling this vulnerability or determining the appropriate response, I request copies of these documents. I also seek any records that reflect final decisions, conclusions, or lessons learned, such as after-action reviews or improvement plans relating to cybersecurity and privacy controls following this incident.

If you hold documents that contain non-relevant information or sensitive personal details unrelated to the vulnerability itself, I am prepared to receive redacted copies that preserve the integrity of the requested information. I request that you provide documents in electronic form, such as PDF format, wherever possible. If you consider that any portions of this request may lead to a practical refusal, I invite you to consult with me under section 24AB of the FOI Act so we can refine the scope if necessary.

I believe releasing these documents is in the public interest, as it will shed light on the adequacy of the controls and oversight exercised by Services Australia over a critical government platform that manages sensitive personal and medical information for veterans. Disclosure will contribute to public understanding of the processes for identifying, remediating, and reporting serious security incidents within government systems and will help maintain trust in these services.

If there are any charges associated with this request, I respectfully request that you consider reducing or waiving them, given the significance of the matter and its relevance to public interest and government accountability. I look forward to your acknowledgment and decision within the statutory timeframes set forth by the FOI Act. Should you require clarification or further details, please contact me at the information provided below.

Yours sincerely,
Nosey

FREEDOMOFINFORMATION, Services Australia

Thank you for contacting the Freedom of Information (FOI) team in Services
Australia (the Agency).

 
This email acknowledges your correspondence and provides some general
information in relation to FOI.
 
FOI – Extension of time request
Under the Freedom of Information Act 1982 (FOI Act) you have a right, with
limited exceptions, to access documents the Agency holds. The Agency has
30 days to process an FOI request. Please note this period may be extended
if we need to consult third parties or for other reasons. We will advise
you if this happens.
 
Due to the Agency’s reduced activity period over 24 December 2024 – 1
January 2025, we are seeking your agreement to extend the processing time
by an additional 30 days. If you agree to this additional time we would
appreciate it if you could reply to this email with ‘I agree’.
 
Administrative release of documents  
The Agency has administrative access arrangements ('the arrangements') for
the release of certain documents without the need for a formal FOI
request. If you agree to the release of documents under these
arrangements, we may provide you with documents under the arrangements,
where appropriate. 
                                                                 
Any parts of your FOI request that are addressed by documents being
released under the arrangements will be considered withdrawn. The
arrangements do not extend to information or materials of third parties.
You will be notified when documents are released to you under the
arrangements.
 
Personal information of Agency staff
We consider staff details to be personal information of those staff
members. As part of the FOI application process, we will seek your consent
to exclude the following information from documents that may be captured
by your request: 
• names of Services Australia staff below the Senior Executive level
(junior staff)
• direct staff telephone numbers, signatures, logon identifiers and email
addresses.
 
If you consent to exclude this information, we will treat it as outside
the scope of your request and therefore irrelevant under Section 22 of the
FOI Act.
 
Charges
No charge is payable for providing a person with their own personal
information.
If you are requesting non-personal information the Agency will advise you
as soon as practicable if a charge is payable to process your request, and
the amount of any such charge.
 
How we will send documents to you
We typically use this email address to send documents related to your FOI
request unless you have specifically requested to receive them via post.
However, we might seek your consent to deliver the documents
electronically if it is deemed more suitable.
 
How long do I have to wait?
We are required to answer your request within 30 days unless the time
frame is extended under the FOI Act. 

Dear FOI Officer,

Thank you for your acknowledgment of my Freedom of Information (FOI) request. I have carefully reviewed your request to extend the statutory timeframe for processing my FOI application by an additional 30 days due to the Agency’s reduced activity period over 24 December 2024 – 1 January 2025.

I wish to advise that I do not consent to the proposed extension of time. The reason you have provided—the Agency’s reduced activity during its designated holiday period—is not a matter for which I, as the applicant, bear any responsibility, nor does it constitute a valid justification under the Freedom of Information Act 1982 (Cth) (“the FOI Act”).

Under section 15(5)(b) of the FOI Act, an agency is required to make a decision on an FOI request within 30 days of receiving the request. While the Act does allow for extensions of time under certain circumstances, including consultation requirements with third parties (section 15(6)) or where an extension is agreed to by the applicant (section 15AA), your request for additional time due to internal reduced activity is not explicitly supported by the provisions of the FOI Act.

Further, the Guidelines issued by the Australian Information Commissioner under section 93A of the FOI Act (“the FOI Guidelines”) make it clear that agencies are expected to allocate sufficient resources to ensure statutory timeframes are met, even during holiday periods. The Guidelines state:

“Agencies should ensure that staffing and resources are managed to comply with the statutory timeframes for processing FOI requests, including during periods of peak leave, such as Christmas and New Year.”

The FOI Act places a statutory obligation on agencies to provide timely access to government-held information as part of the broader principle of open government. The holiday period does not exempt an agency from this obligation. Any delay caused by internal resource management issues is not a valid reason for the Agency to seek consent for an extension.

If the Agency believes it cannot meet the statutory deadline, it may apply to the Office of the Australian Information Commissioner (OAIC) under section 15AB of the FOI Act for an extension of time. The OAIC has the authority to grant such extensions if satisfied that the request involves a complex or voluminous volume of work that would otherwise prevent timely processing. However, such an application would require the Agency to demonstrate that its reduced activity period constitutes a valid ground for an extension under the Act.

If the Agency proceeds to apply to the OAIC for an extension, I request to be notified and consulted on the matter, as required under the provisions of the FOI Act.

In summary, I do not consent to an extension of time under section 15AA of the FOI Act. I encourage the Agency to allocate the necessary resources to process my FOI request within the statutory timeframe. If the Agency believes it cannot meet the deadline, it should seek an extension under section 15AB from the OAIC, as outlined above.

I look forward to receiving your decision within the statutory timeframe required under the FOI Act. Should you require any further clarification from me to assist with processing my request, please do not hesitate to contact me.

Yours sincerely,