Australian Government - Office of the Australian Information Commissioner - Home

National Document Verification Service, Centrelink - Audit Report

Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: May 2010
Draft report issued: August 2010
Final report issued: June 2011

Part 1 — Introduction

1.1 Background

The National Document Verification Service (DVS) system allows authorised government agencies (User agencies) to verify the authenticity of particular identity documents both in real time and online.

These documents are known as Evidence of Identity (EOI) documents and are commonly used by individuals when enrolling for government benefits and services. EOI documents are produced by a range of separate government agencies (Issuer agencies).

The DVS system enables User agencies to verify that:

  • the EOI document was issued by the relevant Issuer agency
  • the details recorded on the EOI document correspond to the details held by the Issuer agency; and
  • the document is still valid

Lead responsibility for the development of the DVS rests with the Attorney-General's Department (AGD). The AGD co-chaired the National DVS Steering Committee.

The DVS Project Plan specifies that at least two aspects of the DVS system would be subject to a privacy audit by the Office of the Privacy Commissioner (the Office) during the 2009-10 financial year. This is a report on the first audit undertaken in 2009-10. The Office and AGD were unable to identify a suitable second audit target.

This audit of the DVS focused on Centrelink's role as the operator of the DVS Hub.

The Office has undertaken four previous audits of the DVS system, including:

  • a preliminary audit of the DVS Prototype in June 2006. The final audit report was published in May 2007
  • an end-to-end audit of the DVS system and its implementation within participating Federal and State agencies, undertaken in February 2008. The final audit report was published in May 2009
  • an audit of the Department of Immigration and Citizenship's (DIAC) implementation of the DVS system, undertaken in December 2008. The final audit report was issued in March 2010
  • an audit of the nine Modules developed by the AGD to guide User and Issuer agencies in their use of the DVS, undertaken in April 2009. The final audit report was issued in May 2010


Part 2 — Description of audit

2.1 Purpose

The purpose of the audit was to assess particular aspects of Centrelink's role as the operator of the DVS Hub. Specifically, the audit reviewed how Centrelink manages document verification requests and responses. Of particular interest is the process by which verification requests and subsequent responses are managed by Centrelink when a response returns to the Hub in 'error'.

The audit assessed whether these procedures are in accordance with the Information Privacy Principles (IPPs) in section 14 of the Privacy Act 1988 (Cth) (the Act).

2.2 Overview of the DVS system

The DVS is an online electronic portal that allows subscribing User agencies to verify the details of EOI documents with the data recorded in the register of the document at the Issuer agency.

At the time of this audit, the following User agencies were participating in the DVS:

  • DIAC
  • Department of Foreign Affairs and Trade
  • Department of Veterans' Affairs
  • NSW Roads and Traffic Authority

At the time of this audit, the following Issuer agencies were participating in the DVS:

  • DIAC, which verifies Australian Citizenship Certificates, Declaratory Certificates of Citizenship, Certificates of Evidence of Australian Citizenship, Certificates of Registration by Descent and Australian Visas
  • The Department of Foreign Affairs and Trade (DFAT), which verifies Australian passport details
  • NSW Births, Deaths and Marriages, which verifies Birth Certificates (via the Certificate Validation Service)
  • Austroads, which verifies NSW Driver's Licences on behalf of the NSW Roads and Traffic Authority (via the National Exchange of Vehicles and Driver Information System (NEVDIS))

Centrelink operates the DVS Hub, which is an electronic gateway that acts as a messaging service, through which requests and responses from Issuer and User agencies are channelled.

2.3 Scope

The audit consisted of a review of Centrelink's handling of verification requests and subsequent responses when a response returns to the Hub in 'error'.

The auditors considered collection, use, disclosure and security practices of personal information during DVS transactions in relation to the error messages.

The audit scope did not extend to any assessment of the effectiveness, advantages or disadvantages of the DVS system.

2.4 Timing and Location

The auditors conducted the audit on Monday 17 May 2010 at the following sites:

  • Centrelink's Data Centre at Tuggeranong Office Park, Soward Way, Greenway ACT
  • Centrelink's Holwell Offices, 1 Holwell Street, Greenway ACT
  • Centrelink's Head Office, Caroline Chisholm Centre, Soward Way, Greenway ACT.

2.5 Audit opinion

The auditors' observations show that Centrelink handles error messages through the Hub in accordance with the IPPs in the Act.

The audit team holds the opinion that Centrelink is compliant in meeting its obligations under the Act.

The auditors did not identify any privacy risks in relation to Centrelink's handling of personal information through the Hub's error messages.

2.6 Follow up review

A follow up review may be undertaken after six months have elapsed from the date of the final report or as indicated by the Director, Privacy Compliance.

2.7 Reporting

Final reports of audits of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Privacy Commissioner's web site (available at http://www.privacy.gov.au/law/apply/audit).

We also generally discuss IPP audit findings and recommendations that are considered relevant to good privacy practice across the public sector in our Annual Report.


Part 3 — Audit issues

The following findings and recommendations relate to the auditors' consideration of the process by which a verification request and subsequent response is managed by Centrelink, including when the response is returned in 'error'.

3.1 IPPs 1-3: Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally, it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individual's personal affairs.

Observations

3.1.1 The extent to which the DVS Hub collects information is very limited. The DVS Hub is designed to transmit personal information between User and Issuer agencies to enable document verification. No personal information is retained by the DVS Hub as part of the transmission process.

If an error occurs in the transmission process, the DVS Hub will collect the personal information and hold it for 24 hours while it attempts to resolve the error. After 24 hours, the personal information is permanently deleted.

3.1.2 The DVS Hub collects information for the purpose of facilitating the verification service on behalf of User and Issuer agencies. The Centrelink DVS Hub Manager collects necessary information on a temporary basis for a lawful purpose consistent with Centrelink's agreement with AGD.

3.1.3 Specifically, personal information is collected in the DVS Hub in a limited number of electronic fields directly linked to the identified purpose of document verification. This information is then transmitted to the agency responsible for issuing the document subject of the verification check. The Issuing agency then transmits its response to the User agency requesting the verification check.

3.1.4 The collection of personal information by the DVS Hub is not governed by a specific piece of legislation particular to that function. The collection of personal information is required to fulfil Centrelink's role as DVS Hub Manager. The role of DVS Hub Manager is directly related to Centrelink's functions and activities.

3.1.5 The auditors noted that it is the responsibility of User agencies to provide individuals with information about the collection of their personal information from EOI documents presented for verification, as required by IPP 2.

3.1.6 A previous audit report issued by this Office in March 2010 noted that there is a Memorandum of Understanding (MoU) entered into between the AGD and agencies for participation in the DVS system. This MOU reinforces the requirements of IPP 2 by clarifying that the agency agrees to implement measures to inform individuals of what will happen with their personal information. In its Final Audit report this Office made the following recommendation:

That the MoU be amended to include details about agencies' obligations to ensure that individuals are aware of the bodies to which the agencies usually verify the personal information collected using the DVS system. In particular, ensuring individuals are aware that as part of the verification process their personal information will be sent to the issuing agency of the EOI document.

3.1.7 The auditors noted that the DVS Hub does not solicit any personal information directly from individuals.

3.1.8 The auditors were advised that personal information is only stored in the DVS Hub when there is an 'error' message. If a message is interrupted or fails during the transformation stage within the DVS Hub, the 'error' message will go to the error queue and sit there for 24 hours.

3.1.9 An 'error' message may contain the following personal information:

  • first name
  • last name
  • date of birth
  • gender
  • passport number.

3.1.10 The limited collection of personal information by the DVS Hub is temporary and for a lawful purpose of IT provision in accordance with an agreement with the AGD. The collection of this personal information facilitates the DVS Hub's role as an agent for User agencies in the transmission of POI verification requests and responses. The collection of personal information is consistent with Centrelink's obligations under IPPs 1 and 3.

Privacy Issues

3.1.11 The auditors did not identify any specific issues about the collection of personal information from the DVS.

3.2 IPP 4: Storage and Security of Personal Information

IPP 4 (a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4 (b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

Security

3.2.1 The auditors observed robust physical security surrounding the DVS Hub server at Centrelink's Data Centre, located at Tuggeranong Office Park, Soward Way, Greenway ACT.

3.2.2 The auditors were advised that the Data Centre was patrolled by security guards 24 hours a day, seven days a week.

3.2.3 The auditors noted there are CCTV security cameras in operation at the Data Centre at all times.

3.2.4 Only the relevant employees who work on site have access to the Data Centre. In order for a visitor to gain access to the DVS Hub server, they must sign in with Data Centre security and will then receive a visitor's pass which they must return before leaving the Data Centre. Visitors are accompanied by a Data Centre employee at all times.

3.2.5 The auditors were advised that employee access to the DVS Hub server in the Data Centre is only through the use of a key safe. Each employee has their own individual PIN to access the key safe.

3.2.6 Key safe access is audited three times annually.

3.2.7 Swipe passes are also used by employees to gain access to the Data Centre.

3.2.8 Swipe passes are also audited three times annually.

3.2.9 The auditors were advised that the DVS system uses secure communication lines and encryption.

3.2.10 The auditors were advised that the DVS Application Team's computer access has two levels of password protection. To log on to the DVS System the Application Team must first use a password generator which generates a random password number. This number is then used to access their computer and subsequently the DVS system.

3.2.11 The password generator system is administered by the Security Access Management System (SAMS). The auditors were advised every staff member in Centrelink uses this SAMS generated password system.

Storage

3.2.12 The auditors were advised that personal information is only stored in the DVS Hub when there is an 'error' message. If a message is interrupted or fails during the transformation stage within the DVS Hub, the 'error' message will go to the error queue and sit there for 24 hours.

3.2.13 An 'error' message may contain the following personal information:

  • first name
  • last name
  • date of birth
  • gender
  • passport number

3.2.14 Most users will notify the DVS Helpdesk via email when a response is not returned to the user within a period of time. The DVS Helpdesk is 'manned' by the business team in Centrelink. They will raise an incident query with the relevant IT team that will investigate and resolve the issue.

3.2.15 Once resolved the DVS Helpdesk then responds to the User agency with the result of the query. Other Helpdesk responsibilities are to inform users of any outages and resolutions times. This DVS Helpdesk is solely for DVS queries.

3.2.16 The auditors were advised the DVS Hub Manager deletes the personal information from the error queue once it is no longer required. Otherwise personal information will automatically delete from the error queue after 24 hours.

3.2.17 The auditors noted that personal information entered into the DVS system is sent to the Issuer agency for verification via the DVS Hub. The auditors noted that the DVS Hub currently does not retain personal information beyond the transmission of the response to the User agency or for 24 hours, whichever is earlier, with some exceptions. For example, in some instances error messages generated on a weekend may be retained for longer than 24 hours until they are able to be resolved in business hours.

3.2.18 The auditors were advised that a new process will be implemented on 12 June 2010 whereby the current 24 hour wait time allowed for a response to be provided to User agencies will be replaced by a 60 second time out.

3.2.19 This change is being made as the current 24 hour wait time was not considered workable due to the need for User agencies to be able to determine the outcome of their requests for verification within a more immediate timeframe, given customer unavailability over such a long period of time.

3.2.20 The auditors were advised that the impending changes mean that the User agency will be advised within 60 seconds of the outcome of its request and it will be able to then retry and re-enter its request with the customer still in attendance. The change to the time period will also provide better opportunities to identify any errors in the operation of the Hub.

3.2.21 The soon to be implemented change to the time out period will not apply to error messages and the current 24 hour period will remain in place to enable an investigation of any errors to be actioned.

3.2.22 The auditors were advised that Centrelink is receiving on average less than one 'error' message per month.

Privacy issues

3.2.23 There were no specific issues identified in the audit in relation to security of personal information regarding the DVS system.

3.3 IPP 5: Information relating to records kept by record-keeper

IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.

IPP 5.3 and 5.4 also requires that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds. The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. This listing is known as the agency's Personal Information Digest (PID).

Observations

3.3.1 Centrelink, as a Commonwealth agency, already has an existing PID. The auditors noted that Centrelink's PID is available on this Office's website at: http://www.privacy.gov.au/materials/types/pids?sortby=62.

3.3.2 The auditors note that one of Centrelink's core functions is the handling of personal information, as reflected in its PID. Centrelink's role as DVS Hub Manager will not change its IPP 5 obligations.

Privacy issues

3.3.3 There were no issues identified in the audit in relation to Centrelink's PID as it relates to the DVS system.

3.4 IPP 6 Issues: Access to records containing personal information

IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.4.1 The auditors were advised that Centrelink has not received any requests from individuals for access to their personal information held in the DVS system.

3.4.2 However, the auditors were advised that requests from individuals for access to their personal information would generally be referred to a Centrelink Freedom of Information team.

Privacy issues

3.4.3 The audit did not identify any specific issues about individuals' access to the personal information held in the DVS system.

3.5 IPP 7: Alteration of records containing personal information

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.

Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Observations

3.5.1 The DVS Hub retains limited amounts of personal information. This information is contained in 'error' messages.

3.5.2 It appears that any personal information that is retained by the DVS Hub is not altered by Centrelink in any way.

Privacy issues

3.5.3 The audit did not identify any specific issues about alteration of personal information held in the DVS Hub.

3.6 IPP 8: Record-keeper to check accuracy etc of personal information before use

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

3.6.1 The auditors recognise that the DVS system is a system specifically designed to verify the authenticity of particular identity documents. It is a means to check the validity of an EOI document against the database of the issuing agency.

3.6.2 Any risk of errors within a document either rests within the document itself or with the Issuing agency. Risks of errors do not rest with Centrelink as the DVS Hub Manager.

Privacy issues

3.6.3 The audit did not identify any specific issues about the steps taken to ensure the accuracy of personal information from the DVS Hub.

3.7 IPP 9: Personal information to be used only for relevant purposes

IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Observations

3.7.1 Personal information is solely used to verify if details from an EOI document match the data records of the Issuing agency.

3.7.2 As such, the auditors were satisfied that this use is relevant.

Privacy issues

3.7.3 The audit did not identify any issues about personal information from the DVS Hub being used for an irrelevant purpose.

3.8 IPP 10 - 11 Issues: Limits on the use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Observations

3.8.1 The auditors are aware that the DVS system is based on the individual giving the User agency consent to use and disclose their personal information into the DVS Hub for verification purposes.

3.8.2 As such, any disclosure of personal information by Centrelink, which occurs as a result of the verification process through the DVS Hub, will be based on the consent of the individual concerned.

3.8.3 The auditors noted that agencies using the DVS Hub are required to comply with limits on disclosure under IPP 11 as a condition of use.

Privacy issues

3.8.4 The auditors did not identify any specific issues regarding the use and collection of personal information through the DVS Hub.


Part 4 — Summary of recommendations

4.1 The auditors made no recommendations regarding this audit.


Part 5 — Auditee's comments

5.1 The Auditee made the following comments in relation to the audit report:

"Since its inception the DVS system has been attentive to the protection of individuals' privacy and the findings detailed in the report indicate that this is reflected in the processing that occurs at the Centrelink DVS Hub. It was pleasing to be advised that there is no recommended action to take as a result of the audit.

Although the Department generally supports the draft report you may be aware that there has been officer level discussion on one aspect of the body of the report. Despite those discussions there remains disagreement on the report's statement that the Centrelink Hub "collects" personal information."

5.2 In response to the revised Audit Report the Auditee also provided the following attachment:

Procedure for handling failed transactions at the DVS Hub in Centrelink

  • Transaction is received at DVS Hub from authorised User Agency.
  • If transaction does not meet the standard format for a DVS transaction it is immediately returned to User Agency with an N response
  • If transaction meets standard format it is allocated a unique reference number and, where required, reformatted to be acceptable to Issuer Agency
  • The reformatted transaction goes to the queue to be transmitted to Issuer Agency
  • On transmission of the transaction to the Issuer Agency, the transaction is deleted at the DVS Hub
  • If the Issuer Agency is not available to receive transactions, the transaction remains on the transmission queue for up to 60 seconds
  • a) If the transaction is not able to be transmitted after 60 seconds it is deleted at the DVS Hub and an S response (System Error) is returned to the User Agency

If the transaction is unable to be transmitted to the Issuer Agency despite the Issuer Agency being available to receive transactions, the transaction is placed on the error queue at the DVS Hub to permit problem resolution. Transactions remain on this queue for a maximum of 24 hours before being deleted.
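To make the retention rules in 3.2.12 to 3.2.22 and the attached procedure concrete, here is an added Python model of the hub's transaction lifecycle (format check, 60 second transmission timeout, error queue with 24 hour deletion, manual resolution). It is an illustration written for this page, not Centrelink's or the AGD's code; the required-field set, the simulated clock, the reference-number format and the outcome labels other than the N and S responses are assumptions.

```python
"""Model of the DVS Hub transaction and retention rules described in this
report (added illustration, not Centrelink's or the AGD's code).

Assumed, not stated in the report: the required-field set used for the
format check, the simulated clock, the reference-number format and the
outcome labels other than the 'N' and 'S' responses named in the attachment.
"""
from dataclasses import dataclass, field

TRANSMIT_TIMEOUT_S = 60             # transmission queue wait: 60 seconds
ERROR_QUEUE_MAX_S = 24 * 60 * 60    # error queue entries deleted after 24 hours
# Personal information an 'error' message may contain (3.1.9); assumed here to be
# the standard format the hub checks on receipt.
REQUIRED_FIELDS = ("first_name", "last_name", "date_of_birth", "gender",
                   "passport_number")


@dataclass
class Transaction:
    ref: str
    queued_at: float   # simulated clock time when the message was queued
    payload: dict      # the personal information carried by the message


@dataclass
class Hub:
    now: float = 0.0
    next_ref: int = 1
    transmit_queue: list = field(default_factory=list)
    error_queue: list = field(default_factory=list)
    responses: list = field(default_factory=list)  # (ref, code) sent to User agency

    def receive(self, payload: dict, issuer_available: bool, transmit_ok: bool) -> str:
        """Handle one request from a User agency; returns what happened to it."""
        # Not in the standard format: returned at once with an N response, nothing kept.
        if any(f not in payload for f in REQUIRED_FIELDS):
            self.responses.append(("-", "N"))
            return "N"
        # Standard format: allocate a unique reference (format assumed) and reformat.
        txn = Transaction(f"DVS-{self.next_ref:06d}", self.now, dict(payload))
        self.next_ref += 1
        if not issuer_available:
            # Issuer not receiving: hold on the transmission queue for up to 60 seconds.
            self.transmit_queue.append(txn)
            return "queued"
        if transmit_ok:
            # Transmitted to the Issuer: the transaction is deleted at the hub.
            return "transmitted"
        # Issuer available but transmission failed: error queue for problem resolution.
        self.error_queue.append(txn)
        return "error_queue"

    def tick(self, seconds: float, issuer_available: bool = False) -> None:
        """Advance the clock, transmit what it can, and apply the deletion rules."""
        self.now += seconds
        waiting = []
        for txn in self.transmit_queue:
            if issuer_available:
                continue  # transmitted now; deleted at the hub
            if self.now - txn.queued_at >= TRANSMIT_TIMEOUT_S:
                # Not transmitted within 60 seconds: deleted, S (System Error) returned.
                self.responses.append((txn.ref, "S"))
            else:
                waiting.append(txn)
        self.transmit_queue = waiting
        # Error queue entries are deleted automatically after 24 hours.
        self.error_queue = [t for t in self.error_queue
                            if self.now - t.queued_at < ERROR_QUEUE_MAX_S]

    def resolve(self, ref: str) -> bool:
        """Hub Manager deletes an error-queue entry once it is no longer required."""
        before = len(self.error_queue)
        self.error_queue = [t for t in self.error_queue if t.ref != ref]
        return len(self.error_queue) < before

    def records_held(self) -> int:
        """Messages containing personal information the hub holds right now."""
        return len(self.transmit_queue) + len(self.error_queue)
```

records_held() is the value a privacy reviewer would watch: it should be zero except for messages waiting at most 60 seconds or sitting on the error queue for at most 24 hours.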

(End of report)
