Australian Federal Police (ACT Policing Branch) Audit Report
An Information Privacy Principles Audit under Section 27(1)(h) of the Privacy Act 1988
Audit undertaken: November 2010
Draft report issued: March 2011
Final report issued: July 2011
TABLE OF CONTENTS
- 2.1 Purpose
- 2.2 Scope
- 2.3 Timing and Location
- 2.4 Description of Auditee
- 2.5 Description of the RAPID system
- 2.6 Information obtained prior to the audit
- 2.7 Information obtained during this audit
- 2.8 Audit Opinion
- 2.9 Follow up review
- 2.10 Reporting
- 3.1 IPPs 1-3 - Collection of personal information
- 3.2 IPP 4 - Storage and security of personal information
- 3.3 IPPs 7-8 - Alteration of records containing personal information and record-keeper to check accuracy etc of personal information before use
- 3.4 IPPs 10-11 - Limits on use and disclosure of personal information
A Memorandum of Understanding (MOU) exists between the ACT Government and the Office of the Australian Information Commissioner (OAIC), previously known as the Office of the Privacy Commissioner, to undertake audits of selected ACT agencies, during the 2010-2011 financial year. The MOU is intended to ensure the provision of a regular audit program for agencies throughout the Australian Capital Territory.
Under the terms of the MOU, the OAIC conducts two audits per financial year of ACT agencies, in keeping with section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).
The purpose of the audit was to assess the ACT Policing branch of the Australian Federal Police's (the AFP) compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act.
Specifically, the audit examined the handling of personal information collected through ACT Policing's Recognition and Analysis of Plates Identified (RAPID) technology. RAPID is an Australian Number Plate Recognition (ANPR) system devised by the AFP primarily to assist it in identifying and apprehending unlicensed drivers and unregistered vehicles on the roads.
The audit focused on assessing ACT Policing's compliance with specific areas of the IPPs, in particular:
- Collection of personal information by the RAPID system, specifically IPPs 1 and 3
- Accuracy of the information used, as described in IPPs 7 and 8
- Use and/or disclosure of the information, as described in IPPs 10 and 11
- Storage and security of personal information, as described in IPP 4
The field work for the audit was conducted on 8 and 9 November, at Winchester Police Centre in Belconnen, ACT.
The Australian Federal Police Act 1979 provides for the delivery of community policing services by the Australian Federal Police (AFP) to the Australian Capital Territory (ACT).
Policing goods and services are purchased by the ACT from the AFP through the direct police budget appropriation. As such, ACT Policing falls within the jurisdiction of the ACT Government.
The RAPID team consists of three RAPID enabled vehicles and six officers. This team has been operational since 1 July 2010. The vehicles and officers are stationed at Winchester Police Centre in Belconnen.
The RAPID system forms part of Australian Number Plate Recognition (ANPR) technology. The system consists of a scanner attached to the right-hand side exterior of the police vehicle, an in-car screen and a central processing unit located in the boot of the car. RAPID scans licence plates, using information collected from the ACT Motor Registry and links number plate images to registration and licence details.
ACT Policing describes the primary purpose of RAPID technology as being 'the detection of unregistered motor vehicles, as well as other offences including unlicenced or suspended drivers'.
The following documentation was provided prior to the commencement of the OAIC's audit of ACT Policing's RAPID system in November 2010:
- Purchase Agreement between the ACT Minister for Police and Emergency Services, Commissioner of the Australian Federal Police and the Chief Police Officer for the ACT for the provision of policing services to the ACT 2010 - 2011
- Ministerial direction regarding AFP's role in providing community policing services to the ACT
- A current chart of ACT Policing Organisational Structure
- AFP National Guideline on Information Technology
- AFP National Guideline on Information Management
- Copy of letter addressed to the Privacy Commissioner from ACT Minister for Police and Emergency Services, outlining the Minister's reasons for not issuing a Privacy Impact Assessment in relation to RAPID technology
The following documentation was obtained during the audit:
- 'Rapid expansion to make ACT roads safer' - Media Release by Minister for Police and Emergency Services Simon Corbell, Thursday 5 August 2010
- 'Rapid expansion to make ACT roads safer' - ACT Policing News, August 2010 issue, pp 6-7
- Draft copy of RAPID 2 page leaflet, intended for distribution to all ACT drivers upon registration of their motor vehicle to explain the operation and purpose/s of RAPID technology
- 'Getting a RAPID response is easy in the digital age' - Platypus (Journal of the AFP), July 2010 issue, pp 10 - 12
- Copy of ACT Policing banner, advertising RAPID and its primary purpose, used to publicise RAPID technology at ACT community events and on the AFP website
The recommendation arising from this audit is outlined in Section 4 of this report.
The audit revealed that in all the focus areas, ACT Policing generally handles ANPR data in accordance with the IPPs in the Act. Consequently, the opinion of the audit team was that ACT Policing was compliant in meeting its obligations under the Act.
The audit did identify some areas where a recommendation for better privacy practice may be considered by ACT Policing. These suggestions do not arise out of actual risks to personal information but are suggested as best practice privacy control to promote compliance with the Act.
It is the view of the auditors that addressing these recommendations will assist ACT Policing to minimise the risk of future possible breaches of the IPPs.
No risks were identified in the course of this audit which would require a follow-up review of ACT Policing's RAPID system.
Completed audit reports of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Privacy Commissioner's web site (available at http://www.privacy.gov.au/law/apply/audit#reports).
Findings and recommendations from IPP audits, that are considered relevant to good privacy practice across the public sector generally, are also discussed in the OAIC's Annual Report.
- IPP 1 provides that agencies shall not collect personal information unless the collection is for a lawful purpose, directly related to the agency's functions and activities and necessary or directly related to that purpose.
- IPP 3 provides that, where an agency solicits and collects personal information generally, it must take reasonable steps to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.
3.1.1 The auditors were informed that data is collected from the ACT Motor Registry database by ACT Policing systems at approximately 2am every day.
3.1.2 It was noted by the auditors that this data includes the registration/licensing details of the vehicle owner. It also includes the owner name, date of birth, address and date of registration, for identification purposes.
3.1.3 Auditors observed that RAPID team officers upload this information into the RAPID system, before using the RAPID system in the field, at the beginning of the working day.
3.1.4 Auditors were informed by RAPID officers that the system takes a photo of the number plate and turns it into binary data, which is then able to be read and used by the RAPID system.
3.1.5 Each RAPID scan links the number plate details to the previously obtained ACT Motor Registry data, whether or not the vehicle is registered or the owner is licensed. However, the system will alert ACT Policing if an unregistered vehicle or potentially unlicensed driver has been identified.
3.1.6 In addition to Motor Registry data, auditors were advised by ACT Policing staff that information from the AFP's PROMIS database, which includes data concerning stolen vehicles, outstanding warrants and child sex offender information, is also uploaded into the RAPID system at the beginning of each day, and matched with the Motor Registry data, to form one combined record for each vehicle owner.
3.1.7 ACT Policing staff stated that in terms of mechanics, the RAPID camera automates the process, but the procedure would work the same way if an officer was to manually enter number plate details into the RAPID database. The use of a camera speeds up this process, and allows for collection of up to 6 photos per second.
3.1.8 ACT Policing describes the primary purpose of RAPID technology as being 'removing unlicensed drivers' and 'detecting unregistered/uninsured vehicles' and current publicity campaigns advertising the RAPID system focus chiefly on its primary purpose.
3.1.9 Auditors were also advised, however, that by matching PROMIS and Motor Registry data, the RAPID team can use the RAPID database for crime detection purposes such as tracking stolen vehicles, people on outstanding warrants and keeping track of wanted sex offenders or suspects in criminal investigations.
3.1.10 The personal information collected by RAPID from the Motor Registry database therefore plays an important role in fulfilling the secondary purposes outlined in 3.1.9.
3.1.11 ACT Policing advised auditors that a number of advertising campaigns have been and will be carried out so as to promote greater public awareness of the purposes for which RAPID technology is used. These are as follows:
- from February 2011, every licence and registration renewal will enclose a RAPID pamphlet, which will provide people with information about the system, how ACT Policing uses the information, and outlining all purposes for which the information is used
- media releases have been posted on the AFP's external website and in its latest Annual Report. To date, more than 100 media releases have been issued altogether, mentioning the RAPID system
- the ACT Policing website also advertises RAPID and its uses. RAPID has featured a number of times on the local news, and ACT Government advertises the RAPID system on roadside traffic signs (e.g. 'Licence and Rego checks for your safety')
- finally, ACT Policing frequently publicises RAPID through its branding at community events to market and educate the public
3.1.12 As outlined above, ACT Policing participates in a number of advertising campaigns and activities, in a bid to promote its use of RAPID to the wider community.
3.1.13 To date, however, these publicity campaigns have focussed mainly on the purpose of detecting unregistered vehicles and unlicensed drivers (more broadly termed 'road safety'). The campaigns have not discussed its crime detection purpose, including tracking stolen vehicles, people on outstanding warrants and keeping track of wanted sex offenders or suspects in criminal investigations. These issues have been addressed in the 'Recommendations' section of this report.
- IPP 4(a) requires an agency, which has possession or control of a record that contains personal information, to ensure that the record is protected by reasonable security safeguards to prevent loss, unauthorised access, use, modification, disclosure and other misuse.
- IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the agency, everything reasonably within the agency's power be done to prevent unauthorised use or disclosure of the information contained in the record.
3.2.11 The auditors were advised by the RAPID team that the only information stored by ACT Policing is the images of number plates. That is, no personal information such as names, dates of birth, etc, is stored by ACT Policing.
3.2.12 ACT Policing informed the auditors that RAPID images are stored for archiving purposes on a normal computer network in a separate location in Weston Creek, ACT.
Destruction of Records
3.2.13 The auditors were informed that images collected by the RAPID cameras are retained and not destroyed, as there is not currently a records destruction authority (RDA) for these records. This needs to be provided by the Department of Archives, upon request by the agency.
3.2.14 These records subsequently become records of the AFP, and need to be retained/destroyed under an RDA provided to the AFP.
3.2.15 ACT Policing told the auditors that further to the above, there is a need to retain certain records that may be required for evidence in court.
3.2.16 Upon arriving at Winchester Police Centre, auditors were met in a secure lobby area by an ACT Policing representative and presented with visitor badges.
3.2.17 Each auditor was asked to sign the visitor's log book by noting their name, visitor badge number, the date and time of their visit, and the organisation which they represent.
3.2.18 Auditors noted that throughout the audit period, they were always escorted by at least one staff member. When auditors needed to use the facilities, an officer would escort them to the appropriate area to ensure that no other areas of the station were being accessed by the auditors without an escort being present.
3.2.19 The auditors noted that they were not required to sign out upon leaving the premises. However, they were asked to return their visitor badges (badge numbers had been logged upon arrival) and were escorted out of the secure lobby of the building by at least one staff member.
Security policies and practices
3.2.20 Auditors were advised by RAPID team members that only staff with the appropriate security clearance, and a need to access the system information, have access to the RAPID system and the personal information contained therein, through the use of individual system logins and passwords.
3.2.21 Auditors were further informed that the team has very stringent processes in place to protect RAPID data, in the event of one of the police vehicles being stolen.
RAPID system security features
Auditors observed that there are a number of security features in place to protect the personal information in the RAPID system. These measures were designed to prevent inadvertent disclosure of information and in the event of theft of a RAPID vehicle:
3.2.22 The screen of the RAPID computer located within the RAPID vehicle can only be viewed from a 'straight on' position, so passers-by on either side of the vehicle cannot inadvertently view the information on the screen.
3.2.23 There are 3 levels of security before RAPID information can be viewed by an occupant of the RAPID vehicle:
- Firstly, the officer uses an ARIS card to log on to the RAPID system. Each ARIS card is unique to one of the RAPID vehicles, and is password enabled, with a unique password for each card.
- the transfer of data from the AFP Reporting site (the computer in the Station) to the laptop within the RAPID vehicle is encrypted and can only be accessed by an officer who has the approval/clearance to access this information.
- either the police officer driving the RAPID vehicle, or the accompanying officer must type in their User ID and Password, to gain access to the system. If an incorrect User ID and/or Password is used, the system will lock out the user after the third attempt.
- Auditors were advised that the laptop used within the RAPID vehicle is a hardware encrypted system, rather than software encryption. Consequently, the RAPID system will log the user out after 3 incorrect login attempts. Where software encryption would only require a password reset on a main server, hardware encryption requires the entire computer hardware (laptop) to be taken to the IT specialist to be recalibrated.
3.2.24 Auditors observed that RAPID data is stored on a mounted hard drive in the boot of the vehicle.
3.2.25 Auditors were informed by the RAPID team that the hard drive cannot be removed, and if someone attempts to steal it, the cord is shorter than the tray on which it sits, so when pulled out, the hard drive is automatically disconnected. This automatically locks the RAPID database, which is then inaccessible without successful completion of the numerous security logins outlined above.
3.2.26 Auditors also observed that when the demonstrating officer left the vehicle for a short conversation with his supervising officer, he logged out of the system first. This demonstrated a strong awareness of good privacy practice, as the auditors remained in the vehicle.
3.2.30 Auditors observed that computer systems at the station are user name and password enabled.
3.2.31 RAPID team members interviewed by the auditors advised that data comes across to the AFP from the ACT Motor Registry, via a secure link, at approximately 2am every day (7 days). This data (encrypted) is then run against a script, which makes the data readable.
3.2.32 Auditors observed the officer accessing the AFP Reporting system, using a unique login (provided only via an application process and on a needs basis). The officer accesses the Number Plate Recognition (NPR) system through the AFP Reporting system, using yet another individual login, then runs the PROMIS database script to download the required data to the RAPID system.
3.2.33 Auditors further noted that the above initial steps can only be carried out from the station computer terminal, and that these actions are monitored on an audit log. It is not possible to log on to this system from a RAPID vehicle.
3.2.34 Auditors were also informed and observed that the transfer of data from the AFP Reporting site (station computer terminal) to the RAPID vehicle laptop, and vice-versa, was wireless. This process, therefore, removes the need for external hard drives or USB flash drives, which may create security issues if lost or stolen.
3.2.35 There were no specific issues identified in the audit about the security measures applied by ACT Policing with regard to its RAPID system.
3.2.36 In terms of physical security, security of RAPID and IT systems, and general security policies and processes, ACT Policing demonstrated a very high level of compliance, often using best privacy practice procedures to optimise security.
3.2.37 There are still issues surrounding the destruction of the agency's RAPID records, in accordance with its IPP 4 security obligations. These issues have been dealt with in more detail in the 'Recommendations' section of this report.
3.3 IPP 7 & 8 – Alteration of records containing personal information and record-keeper to check accuracy of personal information before use
- IPP 7 requires an agency, that has possession or control of a record that contains personal information, to take reasonable steps to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.
- Where, despite an individual's request, the agency is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the agency shall, following an individual's request, take reasonable steps to attach to the record a statement provided by that individual of the correction, deletion or addition sought.
- IPP 8 provides that an agency, which has possession or control of a record that contains personal information, shall not use that information without taking reasonable steps to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.
3.3.1 Auditors observed that once a vehicle is identified as unregistered by the RAPID system, the RAPID team member communicates the details, via secure police radio, to the 'stopper' officers ahead (for example, the car make and model, colour, and details such as 'unregistered vehicle').
3.3.2 The RAPID team informed the auditors that the 'stopper' officers would stop the vehicle and ask the driver to provide their licence for verification purposes.
3.3.3 Auditors observed that when a vehicle is identified as unregistered the RAPID team member conducts an immediate live search of the vehicle registration status by checking the ACT Motor Registry's database. RTA and PROMIS data are updated on a daily basis and as such, no old data is used by RAPID team members.
3.3.4 This ensures that any update in the registration status of the vehicle, which was not picked up by RAPID (for example, if the owner pays for their registration that day online), is the information that the RAPID team uses when deciding on the course of action to take. As such, the information used will be accurate, up to date and complete.
3.3.5 Auditors also observed and were informed that where the RAPID system tracks a possible unlicensed driver, stopper officers will not take any action against the driver until they conduct a police check to verify the individual's driving status.
3.3.6 If, for example, the car owner is the suspended driver, but the vehicle is being driven by another individual, no action is taken.
3.3.7 Auditors observed that where the RAPID system performs a partial scan of a number plate and the identifying numbers are unclear, the RAPID officer will discard this scan and move on to the next, in order to avoid the use of inaccurate information.
3.3.8 The RAPID team advised the auditors that there have been no requests by members of the public to correct, delete or amend personal information in RAPID related records.
3.3.9 There were no specific issues identified in the audit concerning the accuracy of RAPID related personal information.
- IPP 10.1 provides that an agency, which has possession or control of a record that contains personal information that was obtained for a particular purpose, shall not use the information for any other purpose, unless one of the exceptions at IPP 10.1(a) to (e) apply.
- IPP 10.2 provides that, where personal information is used in accordance with IPP 10.1(d) (the use of the information is reasonably necessary for the secondary purpose of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue), the agency shall include in the record a note of the use.
- IPP 11 provides that an agency, which has possession or control of a record that contains personal information, shall not disclose the information to a third party, unless one of the exceptions at IPP 11.1(a) to (e) apply.
- IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) (the disclosure of the information is reasonably necessary for the secondary purpose of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue), the agency shall include in the record a note of the disclosure.
- IPP 11.3 provides that where personal information is disclosed under IPP 11.1, the third party in receipt of that information shall not use or disclose the information for a purpose other than the purpose for which the information was given to them.
Use of RAPID information
3.4.1 The RAPID team explained to auditors that RAPID information is only used for the purposes outlined in 3.1.8 and 3.1.9 of this report.
3.4.2 When observing the use of the RAPID system, auditors did not find any uses of RAPID information outside of ACT Policing's stated uses.
Disclosure of RAPID information
3.4.3 RAPID officers informed auditors that RAPID information is not disclosed to any parties outside of the AFP.
3.4.4 There were no specific issues identified in the audit in relation to ACT Policing or the AFP potentially using or disclosing RAPID data inappropriately.
- ACT Policing ensure best privacy practice within its organisation, by providing notice in relation to the range of purposes for which RAPID technology is used, including the tracking of stolen vehicles, child sex offenders and persons with outstanding ACT warrants.
- It was recommended that ACT Policing provide such notice through wider advertising campaigns to inform the general public of the broad scope of its purpose for the use of information collected through RAPID.
The auditee accepted this suggestion in part and made the following comments:
4.1.1 The auditee notes our suggestion and is grateful for the feedback provided to ACT Policing as a result of our audit.
4.1.2 ACT Policing's policy, from the inception of RAPID, has been to be as transparent about the technology and its uses as possible and that the branding of RAPID vehicles (painted in bright identifiable colours, with licence plates RAPID 1, RAPID 2, RAPID 3), as well as media releases and articles, have contributed greatly towards informing the general public about the use of RAPID technology by ACT Policing.
4.1.3 ACT Policing does not consider these additional purposes for the use of the technology as constituting 'function creep', as these purposes were not identified after the fact. ACT Policing had always anticipated that RAPID would also be used to fulfil these functions.
4.1.4 ACT Policing will take steps to clarify that the purposes of RAPID technology include not only 'removing unlicensed drivers' and 'detecting unregistered/uninsured vehicles', but also crime detection.
4.1.5 While ACT Policing is willing to increase awareness of the purposes for which RAPID technology is used, it is not willing to advertise its methods of crime detection too widely, as this may impede its ability to achieve optimal results in that area.
That the AFP make a request to the Department of Archives, on behalf of ACT Policing, to implement a records destruction policy for RAPID data, in keeping with its IPP 4 obligations.
The auditee accepted this suggestion and made the following comments:
4.2.1 The AFP will seek legal advice on the destruction of RAPID records, specifically focussing on meeting its IPP 4 obligations, while maintaining compliance with the Archives Act 1983 (Cth).
4.2.2 The AFP will use this advice to liaise with the National Archives of Australia on an appropriate records destruction policy for RAPID data.
 Primary purpose as described in the AFP information leaflet, soon to be provided to members of the public. This description of RAPID's primary purpose was supported by statements made by ACT Policing staff, during the course of the RAPID privacy audit
 ACT Policing banner used to publicise RAPID technology at community events and on the AFP website