NDIS: Security Plan, Security Quality Assurance Policy & Personnel Security - PSPF

Florence made this Freedom of Information request to National Disability Insurance Agency

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was refused by National Disability Insurance Agency.

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA's:

- Agency Security Plan (Physical, Security, Personnel, Information, etc)
- Security Quality Assurance Policy
- Personnel Security Policy
- Accountable Authority's expressed declaration the NDIA will/won't follow the Commonwealth Protective Security Policy Framework (PSPF)

Especially noting the NDIA's repeated reference and seeming benchmarking against the PSPF over the past 2 years of the NDIA's Annual Reporting:

"Protective security: The Australian Government provides mandated requirements and advice for corporate Commonwealth entities about their security requirements via the Protective Security Policy Framework (PSPF) and Information Security Manual. New PSPF arrangements came into effect on 1 July 2018." - NDIA Annual Report 2019–20, page 48
https://www.ndis.gov.au/about-us/publica...

"Protective security: The Agency is committed to increasing maturity and awareness of Protective Security to assist staff and partners in the delivery of the Scheme.
The Protective and Cyber Security Branch is responsible for implementing the requirements of the Australian Government Security Frameworks and associated legislation, including the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). This is achieved by providing strategic and operational information, guidance and advice across: • Security Governance • Information Security • Personnel Security • Physical Security • Cyber Security." - NDIA Annual Report 2020-21, page 50
https://www.ndis.gov.au/about-us/publica...

Yours faithfully,

Florence

foi, National Disability Insurance Agency

Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.  

 

If your email relates to an FOI application made under the Commonwealth
Freedom of Information Act 1982 (FOI Act), the Agency will respond to you
as soon as practicable. 

 

This email address is for applications under the FOI Act only. The Agency
is unable to respond to non-FOI related enquiries sent to this email
address. Any correspondence received that is not an information access
request will not be responded to or forwarded.  

 

If you are seeking to access your personal documents, please consider
submitting your request through our [1]Participant Information Access
(PIA) web-form, which will allow the matter to be processed
administratively. 

 

Should you have a query unrelated to FOI, please contact us by emailing at
[2][email address] or via webchat at [3]NDIA Web Chat (ndis.gov.au).
Alternatively you can also contact us by phoning 1800 800 110. 

 

If you have any questions about making an FOI request, or to enquire about
a current FOI request, please email us with your phone number and a
preferred time for us to call you, and an FOI Decision Maker will call you
back. 

 

Kind regards 

 

Freedom of Information team 

Parliamentary, Ministerial & FOI Branch  

Government  

National Disability Insurance Agency 

Email: [4][NDIA request email]  

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. https://aus01.safelinks.protection.outlo...
2. mailto:[email address]
3. https://aus01.safelinks.protection.outlo...
4. mailto:[NDIA request email]

hide quoted sections

foi, National Disability Insurance Agency

1 Attachment

Dear Florence

 

Freedom of Information Request: Acknowledgement

Thank you for your request of 28 March 2022, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).

 

Scope of your request

You have requested access to the following documents:

 

“Please provide a copy of the NDIA's:

 

 

- Agency Security Plan (Physical, Security, Personnel, Information, etc)

 

- Security Quality Assurance Policy

 

- Personnel Security Policy

 

- Accountable Authority's expressed declaration the NDIA will/won't follow
the Commonwealth Protective Security Policy Framework (PSPF)

 

 

Especially noting the NDIA's repeated reference and seeming benchmarking
against the PSPF over the past 2 years of the NDIA's Annual Reporting:

 

 

"Protective security: The Australian Government provides mandated
requirements and advice for corporate Commonwealth entities about their
security requirements via the Protective Security Policy Framework (PSPF)
and Information Security Manual. New PSPF arrangements came into effect on
1 July 2018." - NDIA Annual Report 2019–20, page 48

 

[1]https://aus01.safelinks.protection.outlo...

 

 

"Protective security: The Agency is committed to increasing maturity and
awareness of Protective Security to assist staff and partners in the
delivery of the Scheme.

 

The Protective and Cyber Security Branch is responsible for implementing
the requirements of the Australian Government Security Frameworks and
associated legislation, including the Protective Security Policy Framework
(PSPF) and Information Security Manual (ISM). This is achieved by
providing strategic and operational information, guidance and advice
across: • Security Governance • Information Security • Personnel Security
• Physical Security • Cyber Security." - NDIA Annual Report 2020-21, page
50

 

[2]https://aus01.safelinks.protection.outlo...

 

Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).

 

Processing timeframes

A 30-day statutory period for processing your request commenced from 29
March 2022, in accordance with section 15(2A)(c) of the FOI Act. You
should, therefore, expect a decision from us by 27 April 2022.

 

Charges

We may apply a processing charge to your request and will advise you as
soon as practicable if a charge is payable.

 

Disclosure Log

Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.

If you have any concerns about the publication of information you have
requested, please contact us.

 

Further help

Please contact us at [3][NDIA request email] if you have any questions or need
help.

We will contact you using the email address you provided. Please advise if
you would prefer us to use an alternative means of contact.

 

Yours sincerely

 

Freedom of Information Officer

Parliamentary, Ministerial & FOI Branch

Government Division

National Disability Insurance Agency

E: [4][NDIA request email]

 

[5]cid:image001.png@01D7885F.100EE040

 

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging. 

 

 

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. https://aus01.safelinks.protection.outlo...
2. https://aus01.safelinks.protection.outlo...
3. mailto:[NDIA request email]
4. mailto:[NDIA request email]

hide quoted sections

foi, National Disability Insurance Agency

3 Attachments

Dear Florence

 

Thank you for your request for information.

 

Please find attached correspondence and documents in relation to your
request.  If you require these in a different format, please let us know.

 

Please contact us at [1][NDIA request email] if you have any questions or
require help.

 

Thank you.

 

Kind regards

 

Freedom of Information Officer

Parliamentary, Ministerial & FOI Branch

Government Division

National Disability Insurance Agency

E: [2][NDIA request email]

 

[3]Title: NDIS delivered by the National Disability Insurance Agency

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging. 

 

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]

hide quoted sections

Florence left an annotation ()

"As a corporate Commonwealth entity, the Agency is required to
adhere to the PSPF." NDIS Agency Security Plan, Sep 20, p.5

Dear foi,

Thank you for the response and supporting document(s).

"As a corporate Commonwealth entity, the Agency is required to adhere to the PSPF.", page 5, NDIS/NDIA Agency Security Plan, Sep 2020 seems somewhat at odds with the NDIS' declaration that "The NDIA is a Corporate Commonwealth Entity (CCE) which means that the Agency is NOT required to adhere to the PSPF", page 3, FOI 21/22-1320 - Notification of Decision, 2 May 22.

No doubt public servants and contractors are aware of their obligation under the PGPA and criminal codes. Especially,

Sections 137.1 of the Commonwealth Criminal Code states:
(1) A person is guilty of an offence if:
(a) the person gives information to another person; and
(b) the person does so knowing that the information:
(i) is false or misleading; or
(ii) omits any matter or thing without which the information is misleading and
(c) any of the following subparagraphs apply:
(i) the information is given to a Commonwealth entity;
(ii) the information is given to a person who is exercising powers or performing functions under, or in connection with, a law of the Commonwealth;
(iii) the information is given in compliance or purported compliance with a law of the Commonwealth.

Yours sincerely,

Florence

Jasmin Clarke,

6 Attachments

Our reference: RQ22/01580

Agency reference: FOI 21/22-1320

Florence

By email: [1][FOI #8667 email]

Notification to: [2][NDIA request email]

Extension of time under s 15AB

Dear Applicant and FOI Contact Officer

 

Please see attached a decision regarding the NDIA’s application for an
extension of time to process FOI request FOI 21/22-1320.

 

Sincerely

 

[3][IMG]   Jasmin Clarke  |  Review and
Investigation Advisor

Investigations and Compliance

Freedom of information
Regulatory Group

Office of the Australian
Information Commissioner

GPO Box 5218 Sydney NSW 2001  |
 [4]oaic.gov.au
[8]Subscribe [9]Subscribe to
[5]Facebook | [6]LinkedIn | [7]Twitter |   icon Information
Matters

 

 

***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************

References

Visible links
1. mailto:[FOI #8667 email]
2. mailto:[NDIA request email]
3. https://www.oaic.gov.au/
4. http://www.oaic.gov.au/
5. http://www.facebook.com/OAICgov
6. https://www.linkedin.com/company/office-...
7. https://twitter.com/OAICgov
9. https://www.oaic.gov.au/media-and-speech...

hide quoted sections

Gladys left an annotation ()

Business continuity management in Australian Government entities is governed by the Protective Security Policy Framework (PSPF), which requires entities to use a risk management approach to cover all areas of protective security activity. The PSPF applied to all former Financial Management and Accountability Act 1997 (FMA Act) agencies, and to those former Commonwealth Authorities and Companies Act 1997 (CAC Act) bodies that have received a Ministerial Direction. (ANAO Audit, Business Continuity, 2015)