Commencement date: 15 November 2017

Please note the variations commencing 8 May 2019 and 30 June 2020 between the Department of Home Affairs and the Office of the Australian Information Commissioner.

Memorandum of Understanding between the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘OAIC’) for the provision of privacy assessments in relation to the National Facial Biometric Matching Capability (‘NFBMC’)

This Memorandum of Understanding (MOU) provides for the funding arrangements between the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘OAIC’) for the provision of privacy assessments by the OAIC in relation to the National Facial Biometric Matching Capability (‘NFBMC’).

1. Parties

1.1 The Parties to this MOU are the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘the OAIC’).

2. Commencement and term

2.1 This MOU commences on the date it is signed by both Parties to this MOU and will continue until 31 December 2019 unless this MOU is extended in accordance with clause 15.

3. About the Attorney-General’s Department

3.1 AGD is the Australian Government agency leading development and implementation of the NFBMC.

3.2 AGD manages the Interoperability Hub (‘the Hub’), which acts as a router to facilitate the secure and auditable exchange of biometric data between Commonwealth, State and Territory agencies participating in the NFBMC.

3.3 The Hub supports the following Face Matching Services:

  • the Face Verification Service (FVS) which enables searching or matching of facial images on a one-to-one basis to help verify the identity of a known person
  • the Face Identification Service (FIS) which enables agencies to search or match images on a one-to-many or one-to-few basis to help determine the identity of a known or unknown person, or to detect instances where a person may hold multiple fraudulent identities.

3.4 Other Face Matching Services may be added over time.

3.5 AGD will also manage a National Driver Licence Facial Recognition Solution (NDLFRS), on behalf of the states and territories, to make available driver licence images via the Face Matching Services. The NDLFRS will support the following additional matching services specific to road agencies:

  • the One Person One Licence Service (OPOLS) to enable road agencies to match facial images within the NDLFRS to help establish the person’s identity, or to detect instances where a person holds multiple fraudulent licences in different jurisdictions
  • the Facial Recognition Analysis Utility Service (FRAUS) to enable road agencies to conduct facial biometric matching of their own data.

3.6 Agencies participating in the Face Matching Services must enter into an interagency data sharing arrangement (IDSA), based on a template developed by AGD. The IDSAs set out the terms and conditions on which the entities will share identity information and comply with privacy safeguards in accordance with their obligations under the relevant Access Policy for the Face Matching Service.

3.7 Each agency participating in the Face Matching Services must also have an MOU with AGD which sets out the terms under which personal information will be shared via the Hub and the safeguards agencies will employ to protect the information.

3.8 Over time, the IDSAs and Hub MoUs are expected to be replaced by a common Face Matching Services Participation Agreement which outlines the roles, rights and obligations of all participating agencies, including AGD as the operator of the Hub.

3.9 These will be complemented by an NDLFRS Hosting Agreement between AGD and the states and territories that will outline the arrangements, including privacy safeguards, for the management of personal information within the NDLFRS and the provision of facial recognition services to participating state and territory agencies.

4. About the Office of the Australian Information Commissioner

4.1 The OAIC is a statutory agency established by section 5 of the Australian Information Commissioner Act 2010 (‘AIC Act’).

4.2 The Information Commissioner is the head of the OAIC (for the purpose of the Public Service Act 1999).

4.3 The Information Commissioner (‘the Commissioner’) has the privacy functions set out under sections 9 and 10(1) of the AIC Act. Under the Privacy Act, the Commissioner has the following functions relevant to this MOU:

  1. to promote an understanding and acceptance of the Australian Privacy Principles (APPs) and the objects of those principles (s 28(1)(c));
  2. to provide advice (on request or on the Commissioner’s own initiative) to a Minister or entity about any matter relevant to the operation of the Act (s 28B(1)(a));
  3. to inform the Minister of action that needs to be taken by an agency in order to comply with the APPs (s 28B(1)(b));
  4. to provide reports and recommendations to the Minister in relation to a matter concerning the need for, or the desirability of, legislative or administrative action in the interests of the privacy of individuals (s 28B(1)(c));
  5. to conduct an assessment of whether personal information held by an APP entity (as defined in the Privacy Act) is being maintained and handled in accordance with the APPs (s 33C); and
  6. to examine a proposed enactment that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals (s 28A(2)(a)).

5. Purpose

5.1 The purpose of this MOU is to set out the operational arrangements between AGD and the OAIC by which the OAIC will conduct privacy assessments of AGD’s privacy practices in connection with the NFBMC.

5.2 This MOU specifies the Activities the OAIC agrees to undertake and the level of resources that AGD undertakes to provide to the OAIC for the period of this MOU.

5.3 AGD recognises that the OAIC must be resourced to provide dedicated specialist assistance/support to AGD and to be able to appropriately respond to relevant privacy issues in a timely way. Government funding for the NFBMC includes an allocation to AGD to meet the costs of OAIC conducting annual audits of the Interoperability Hub and NDLFRS.

5.4 This MOU also details how the Parties will work together and itemises overall principles and obligations, while taking account of the OAIC’s role as an independent adviser to the Australian Government and as an independent statutory office with regulatory functions.

5.5 This MOU will not fetter the powers conferred on the Commissioner under the Privacy Act 1988 (Cth).

5.6 The Parties agree that this MOU is neither able nor intended to create legal obligations between them and that its sole purpose is to set out the basis upon which the Activities will be performed, including funding arrangements for those Activities.

6. Definitions and interpretation

6.1 In this MOU, the following definitions apply unless the contrary intention appears:

Term: Definition

Activities: means those activities outlined in Schedule 2 to this MOU

Access policy: means the current version of the documented set of requirements approved by the Governing Body that a Participant must comply with in order to access the Service

AGD: means the Attorney-General’s Department

APP: means the Australian Privacy Principles

Business Day: means any day other than a Saturday, Sunday or public holiday in the Australian Capital Territory or the State of New South Wales

Contact Officer: means, in relation to a Party, a person nominated under Schedule 1 of this MOU

Face Matching Services: means the Identity Matching Services that involve facial biometric matching, namely the Face Verification Service, Face Identification Service, Facial Recognition Analysis Utility Service and One Person One Licence Service

FIS: means the Face Identification Service

FVS: means the Face Verification Service

IDSA: means the Interagency Data Sharing Arrangements entered into by participating agencies

IRAP: means the Information Security Registered Assessors Program

OAIC: means the Office of the Australian Information Commissioner

PAC: means the Program Advisory Committee

Parties/Party: means either or both AGD and OAIC as the context requires

NDLFRS: means the National Driver Licence Facial Recognition Solution

NFBMC: means the National Facial Biometric Matching Capability

6.2 In this MOU, unless a contrary intention appears:

  1. words in the singular include the plural and vice versa;
  2. if a word or phrase is defined its other grammatical forms have corresponding meanings;
  3. a reference to a schedule or attachment is a reference to a schedule or attachment to this MOU;
  4. a reference to this MOU includes these terms and conditions and any schedule or attachment;
  5. the clause headings are for convenient reference only and have no effect in limiting or extending the language of the provision to which they refer;
  6. a cross reference to a clause number is a reference to all its sub clauses; and
  7. words importing one gender include the other gender.

7. Contact Officers

7.1 Each Party nominates a Contact Officer to facilitate communication and liaison between the Parties for the purposes of this MOU. Contact Officer details are included in Schedule 1.

7.2 Each Party may, by giving notice in accordance with clause 12.2, nominate replacement or additional Contact Officers in addition to or instead of those nominated in Schedule 1.

8. Resources and activities

8.1 Under this MOU, AGD will provide to the OAIC access to premises, systems, office accommodation and key personnel to support a range of Activities undertaken by the OAIC relating to personal information privacy issues involved in the use of the NFBMC.

8.2 The range of Activities is outlined in Schedule 2.

9. Funding arrangements

9.1 Subject to provision of an invoice under clause 9.3, AGD agrees to pay the OAIC the amount specified in Schedule 2, on the dates specified in Schedule 2.

9.2 The funding referred to in clause 9.1 above and as outlined in Schedule 2 is the total funding to be paid under this MOU. This amount reflects the anticipated costs to the OAIC of undertaking the Activities and the Parties’ understanding that this is a non-commercial arrangement and that GST does not apply.

9.3 AGD will pay the amounts specified in Schedule 2 within 30 days of receipt of an invoice from the OAIC.

10. Activities of the OAIC

10.1 During the term of this MOU, the OAIC will, consistent with the priorities nominated by AGD, provide independent, expert assessments in relation to the Activities.

10.2 The OAIC will:

  1. ensure that appropriately skilled officers are available to respond, as a priority, to a request by AGD for assistance or advice, in connection with the Activities set out in Schedule 2; and
  2. respond to a request from AGD consistent with the priority nominated in accordance with clause 10.1, within a reasonable timeframe.

10.3 AGD will:

  1. ensure that all necessary information is fully accessible to the OAIC for the purposes of the OAIC undertaking the Activities; and
  2. respond within a reasonable timeframe to any specific requests by the OAIC for any information that it requires to undertake the Activities.

10.4 The Activities can be varied by both parties in accordance with the variation clause set out in clause 15.

11. Undertakings

11.1 Neither Party will represent the other Party as endorsing or approving any proposal in connection with the Activities, unless agreed in writing.

11.2 Each Party will consult the other Party prior to releasing any public document or press release in connection with the Activities which attributes a regulatory or policy position to the other Party.

11.3 Subject to clause 14, clauses 11.1 and 11.2 do not prevent a Party from making a factual public statement that accurately represents previous dealings between the Parties.

11.4 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner. The OAIC may decline to undertake an Activity that gives rise to a conflict of interest, actual or perceived. In that case the Parties will negotiate in good faith regarding an alternative Activity or a reduction in that particular Activity.

12. Giving of notices and agency names

12.1 Either Party may replace or nominate additional officers as Contact Officer(s) by giving written notice to the other Party.

12.2 If the name or functions of either Party change, this MOU will continue. However, the relevant Party should inform the other Party of the changes.

13. Confidentiality, disclosure and security

13.1 Either Party may publish this MOU on their websites or release this MOU in response to requests from Parliamentary Committees or under the Freedom of Information Act 1982.

13.2 Both Parties acknowledge that they are subject to certain legislative obligations and restrictions, including any relevant secrecy provisions under Commonwealth legislation, and that both agencies must conduct themselves under this MOU in accordance with those legislative obligations and restrictions.

14. Dispute resolution

14.1 Any dispute arising out of this MOU will be referred to the respective Parties’ Contact Officers nominated in Schedule 1 for resolution. Within five Business Days of a dispute arising, the respective Parties’ Contact Officers will commence discussions, in good faith and by direct communication, in an attempt to resolve the dispute.

15. Variation

15.1 This MOU may be varied in writing at any time with the agreement of AGD and the OAIC.

16. Notice for termination

16.1 Either Party may bring this MOU to an end by giving at least 60 Business Days’ notice in writing, addressed to a Contact Officer nominated in Schedule 1.

16.2 If this MOU is brought to an end under clause 16.1:

  1. AGD will pay the OAIC any reasonable and unavoidable costs which are incurred by the OAIC as a direct result of this MOU coming to an end (although the OAIC must do all things reasonably necessary to mitigate these costs); and
  2. the OAIC will, within 30 Business Days of this MOU coming to an end, refund to AGD a proportion of the previous invoiced amount, so that there is an equitable distribution of that invoiced amount between the Parties, taking into account the need for the OAIC to have had staff ready and able to undertake the work, and the nature and extent of work that was undertaken by the OAIC before the MOU came to an end.

16.3 The Parties will negotiate in good faith as to the amounts payable under clause 16. Such negotiations will be between the Contact Officer(s) nominated in Schedule 1.

17. Entire agreement

17.1 This MOU represents the entire agreement between the Parties and supersedes all prior arrangements or agreements whether oral or in writing about the NFBMC.

Signed for and on behalf of AGD, by:

Anna Harmer
First Assistant Secretary
Intelligence and Identity Division
Date: 7 November 2017

Signed for and on behalf of the OAIC, by:

Timothy Pilgrim
Privacy Commissioner
Office of the Australian Information Commissioner
Date: 15 November 2017

Schedule 1

Contact officer

  1. The OAIC nominates the following officer as its primary point of contact:

    Paula Cheng, Director
    Regulation and Strategy
    Tel: [contact details removed] Email: [contact details removed]

  2. AGD nominates the following officer as its primary point of contact:

    Duncan Anderson,
    Director, Identity Security Policy
    Tel: [contact details removed] Email: [contact details removed]

Schedule 2

Activities

Assessment 1 (2017/18): Conduct a privacy assessment of AGD’s management of the Hub

OAIC must conduct an assessment of the governance, operation and information security of the Hub.

The assessment must focus on compliance with APP 1 and APP 11.

Assessment of compliance with APP1

The OAIC must:

  1. Review whole of governance documents and AGD processes;
  2. Consider how governance arrangements are being applied, including through the work of the PAC;
  3. Consider FVS and FIS functions of NFBMC, but not NDLFRS; and
  4. Give brief consideration to the processes and procedures which AGD has implemented to address other APPs relevant to the Hub.

Assessment of compliance with APP11

The OAIC must consider ICT controls, access controls, information security policies and procedures relating to the Hub and the role of any third parties. This may involve assistance from an information security consultant.

The OAIC acknowledges that the completion and findings of an extended IRAP assessment in the Hub may impact upon the scope of the OAIC’s assessment of compliance with APP11. AGD will advise any updated scope accordingly.

The assessment should include consideration of matters such as the following:

  • whether the audit data generated by the Hub is the minimum necessary to effectively manage the Hub and provide assurance that access to the Hub is for legitimate and appropriate purposes;
  • whether the metadata generated by the Hub is retained for the minimum period necessary to support effective management of the Hub and oversight of its use;
  • whether Hub access permissions granted to agencies’ users conform with the agencies’ IDSAs and/or Hub Service MoUs (or equivalent);
  • whether any security breaches in relation to the Hub have occurred, and if so, what steps have been taken to address such breaches; and
  • whether any complaints have been received from members of the public in relation to operation of the Hub, and if so, what steps have been taken to address these complaints.

This assessment report should be provided no later than 1 October 2018.

Assessment 2 (2018/19): Conduct privacy assessments of AGD’s management of the NDLFRS

OAIC must conduct an assessment of the governance, operation and information security of the NDLFRS.

The assessment must focus on compliance with APP 1 and APP 11.

Assessment of compliance with APP1

The OAIC must:

  • review the governance documents and processes put in place by AGD for the NDLFRS; and
  • give brief consideration to the processes and procedures which AGD has implemented to address other APPs relevant to the NDLFRS.

Assessment of compliance with APP11

The OAIC must review the information security controls and procedures put in place by AGD, in a manner similar to the 2017/18 assessment of the NFBMC Hub. This may involve assistance from an information security consultant.

The assessment should include consideration of matters such as the following:

  • whether the audit data generated by the NDLFRS is the minimum necessary to effectively manage the NDLFRS and provide assurance that access to the NDLFRS is for legitimate and appropriate purposes;
  • whether access permissions granted to agencies’ users conform with the agencies’ IDSAs (or equivalent);
  • whether any security breaches in relation to the NDLFRS have occurred, and if so, what steps have been taken to address such breaches; and
  • whether any complaints have been received from members of the public in relation to operation of the NDLFRS, and if so, what steps have been taken to address these complaints.

While this assessment may consider linkages between the NFBMC Hub and the NDLFRS, it will not seek to revisit any of the matters considered in the 2017/18 assessment. However, any privacy risks or recommendations that may have arisen in the 2017/18 assessment may be revisited in this assessment.

This assessment report should be provided no later than 1 October 2019.

Funding

AGD agrees to pay the OAIC the amount of $150,000 over the term of this MOU as follows:

  1. $75,000 Year 1 – payable on [30 June 2018];
  2. $75,000 Year 2 – payable on [30 June 2019].