IT security guidelines, standards and instructions
Dear Australian Taxation Office,
Please provide the ATO's IT security guidelines and standards, including those in relation to ensuring that software developed in-house or acquired from outside the agency does not contain security flaws.
Yours faithfully,
Patrick Conheady
Dear Mr Conheady,
We have received your email of 2 May 2016 requesting copies of documents
under the Freedom of Information Act 1982 (FOI Act). You have requested a
copy of the ATO’s IT security guidelines and standards. Our reference for
this request is 1-82ZZDXS.
We will consider your request and respond as soon as possible. FOI
requests are required to be processed within 30 days from the date we
receive an application. While we aim to achieve this timeframe, certain
requests that are large or involve complex issues may take longer. If this
is the case we will contact you to discuss when the material can be made
available.
Further, unless your request is for personal information, charges may
apply depending on the size and complexity of your case. We will notify
you if there are charges and what those charges will be. We will obtain
your consent to any additional charges before processing the request.
Regards,
Julie Galeotti
Senior Legal Adviser, General Counsel
Australian Taxation Office
P 03 9285 1810
Think digital before you print
Dear Mr Conheady
Re: Freedom of Information request dated 2 May 2016
Applicant: Patrick Conheady
Reference: 1-82ZZDXS
Request for an extension of time under section 15AA of the FOI Act.
The processing time for the above mentioned FOI request is due to expire
on 1 June 2016. I am writing to obtain your consent to an extension of
time until 10 June 2016 to process your request. I am currently in the
process of consulting with the relevant business line in relation to this
request.
If you consent to the extension of time, would you please copy and paste
the below paragraph into a reply email to me as soon as possible:
I, Patrick Conheady, confirm that I agree to the ATO’s request for an
extension of time to process my FOI request dated 2 May 2016 for a further
9 days. The new date on which the ATO is required to make a decision is
10 June 2016.
If you have any questions please don't hesitate to contact me by return
email.
Nicole Dann
Legal Adviser, General Counsel, ATOC
Australian Taxation Office
P 03 8632 4788
Dear Nicole,
I, Patrick Conheady, confirm that I agree to the ATO’s request for an
extension of time to process my FOI request dated 2 May 2016 for a further
9 days. The new date on which the ATO is required to make a decision is
10 June 2016.
Yours sincerely,
Patrick Conheady
Dear Mr Conheady,
Please find attached the decision letter for your Freedom of Information
(FOI) request made on 2 May 2016.
Kind regards,
Monica Kim
Lawyer, General Counsel, ATOC
Australian Taxation Office
P 02 9374 2663 E [email address]
Dear Australian Taxation Office,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Australian Taxation Office's handling of my FOI request 'IT security guidelines, standards and instructions'.
You state in your letter that the ATO's IT security guidelines and standards are all published on the ATO website and I can find them by searching for 'IT security'.
First, this is an unacceptable way to describe a document or set of documents. You must specify a document and its location if you wish to claim that it is publicly available. You cannot wave your hand in a general way and say 'oh they are on the website somewhere'.
Second, a search for 'IT security' on ato.gov.au does not result in any documents related to detecting or preventing security flaws in software developed or acquired by the ATO. Not one.
Third, the ATO website does not contain all of the security guidelines and standards, including those used by the ATO to ensure that software developed in-house or acquired from outside the agency does not contain security flaws, which is what I requested.
If your decision letter was accurate and truthful, that would mean that the ATO does not have any of its own policies or processes for ensuring the security of the software it runs, instead relying on ATO officers to refer directly to the PSPF and ISM. Yet that would be a flagrant breach of the PSPF itself (see PSPF Mandatory Requirements GOV-5 and INFOSEC 4, and ISM Controls (2014), p 27ff).
Please fulfil the request properly.
I also note that your decision letter states 'I understand your request to be for access to the general, high level IT security guidelines and standards'. You inserted the words 'general' and 'high level', which were not present nor implied in my request. It is not acceptable for you to re-write my FOI requests without consulting me first. If you find an FOI request ambiguous or difficult to satisfy, ask for clarification, don't take it upon yourself to re-write the request.
It is appalling that you made the decision you did without consulting me or affording me the natural justice or even simple decency of a hearing first. You even contacted me to request an extension of time. You had seven days up your sleeve when you issued your decision letter. You could have picked up the phone and spoken to me, and I could have told you that your proposed response was wrong and inadequate.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/i...
Yours faithfully,
Patrick Conheady
Dear Mr Conheady,
Thank you for your email of 29 June 2016. We will consider your request
for review and will respond as soon as possible.
FOI internal review requests are required to be processed within 30 days
from the date we receive an application. While we aim to achieve this
timeframe, certain requests that are large or involve complex issues may
take longer. If this is the case we will contact you to discuss when the
material can be made available.
Regards,
Julie Galeotti
Senior Legal Adviser, General Counsel
Australian Taxation Office
Dear Mr Conheady,
Please find enclosed a notice regarding the internal review of your FOI
request for ‘IT security guidelines and standards’.
Regards,
FOI Team
Dear Mr Conheady,
I refer to your request for an internal review of our FOI decision dated 3
June 2016 regarding IT security guidelines and standards. This matter is
considered to be withdrawn as no response has been received to our notice
of 15 July 2016.
Regards,
FOI Team