Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

National Document Verification Service — Department of Foreign Affairs and Trade — Audit Report 2012

Final audit report
Information Privacy Principles audit
Section 27(1)(h) of the Privacy Act 1988

Audit undertaken: November 2010
Draft report issued: June 2012
Final report issued: December 2012

Part 1 — Introduction

Background

1.1 The National Document Verification Service (DVS) system allows authorised government agencies, known as User agencies, to verify the authenticity of particular identity documents online and in real time. 

1.2 These documents are known as Evidence of Identity (EOI) documents and are commonly used by individuals when enrolling for government benefits and services.  EOI documents are produced by a range of separate government agencies, known as Issuer agencies.

1.3 Lead responsibility for the development and oversight of the DVS rests with the Attorney-General’s Department (AGD) which also co-chairs the National DVS Steering Committee. 

1.4 The Hub is an electronic gateway that processes EOI verification requests.  It acts as a messaging service through which requests and responses from Issuer and User agencies are channelled. Centrelink is the DVS Hub Operator, and as such is responsible for the operations of the Hub.

1.5 The DVS system enables User agencies to verify that:

  • the EOI document was issued by the relevant Issuer agency
  • the details recorded on the EOI document correspond to the details held by the Issuer agency
  • the document is still valid.

1.6 The Department of Foreign Affairs and Trade (DFAT) agreed to participate in the DVS upon execution of an initial Memorandum of Understanding (MOU) with AGD on 4 October 2007.  DFAT entered into a renewed MOU with the AGD on 1 July 2010. The MOU clarifies the relationship between DFAT and the AGD and provides details about various roles and responsibilities and requirements which are designed to ensure the integrity of the DVS.

1.7 The Office of the Privacy Commissioner, now known as the Office of the Australian Information Commissioner (OAIC), has been funded to provide advice and oversight of privacy issues arising from the DVS.  This funding allows the OAIC to conduct regular audits of the DVS.

1.8 The OAIC has undertaken five previous audits of the DVS system, including:

  • a preliminary audit of the DVS Prototype in June 2006.  The final audit report was published in May 2007
  • an audit of the Department of Immigration and Citizenship’s (DIAC) implementation of the DVS system, undertaken in December 2008.  The final audit report was issued in March 2010
  • an end-to-end audit of the DVS system and its implementation within participating Federal and State agencies, including DFAT, undertaken in February 2008.  The final audit report was published in May 2009
  • an audit of the nine Modules developed by the AGD to guide User and Issuer agencies in their use of the DVS, undertaken in April 2009.  The final audit report was issued in May 2010
  • an audit of Centrelink’s role as the operator of the DVS Hub, undertaken in May 2010. The final audit report was issued in June 2011.

1.9 DFAT was participating in the DVS as an Issuer agency only at the time of this audit. 

Back to Contents

Part 2 — Description of audit

Purpose

2.1 The purpose of the audit was to assess DFAT’s role and operations as an Issuer agency.  Specifically, the audit reviewed how DFAT manages document verification requests and its collection, use, disclosure and security processes in relation to personal information.

2.1 The audit assessed whether these procedures are implemented in accordance with the Information Privacy Principles (IPPs) in section 14 of the Privacy Act 1988 (Cth) (the Act). 

Overview of the DVS system

2.3 The DVS is an online electronic system that allows subscribing authorised Australian, state and territory Government  agencies (User agencies) to verify the details of documents presented to them as evidence of identity (EOI) with the data recorded in the register of corresponding document issuing agencies (Issuer agencies).

2.4 DFAT was formerly a User agency in the early implementation and testing phase of the service but has discontinued in that role.

2.5 At the time of this audit, the following User agencies were participating in the DVS:

  • DIAC
  • NSW Roads and Traffic Authority.

2.6 At the time of this audit, the following Issuer agencies were participating in the DVS:

  • DIAC, which verifies Australian Citizenship Certificates, Declaratory Certificates of Citizenship, Certificates of Evidence of Australian Citizenship, Certificates of Registration by Descent and Australian Visas
  • DFAT, which verifies Australian passport details
  • NSW Births, Deaths and Marriages, which verifies Birth Certificates (via the Certificate Validation Service)
  • Austroads, which verifies NSW driver licences on behalf of the NSW Roads and Traffic Authority (via the National Exchange of Vehicles and Driver Information System (NEVDIS)).

Scope

2.7 The audit reviewed how DFAT handles the verification requests as an Issuer agency. It looked at all the processes involved in returning responses to User Agencies via the Hub.

2.8 The auditors considered the collection, use, disclosure and security practices of personal information during DFAT’s DVS transactions.

2.9 It was apparent at the time of this audit that DFAT was receiving a small number of verification requests. Therefore, the information assessed during the audit was limited by the low levels of DVS usage.

2.10 The audit scope did not extend to any assessment of the effectiveness, advantages or disadvantages of the DVS system.

Timing, Location and Methodology

2.11 The auditors conducted the audit onsite on Wednesday 24 November and Thursday 25 November 2010 at DFAT’s Head Office:

  •   RG Casey Building, John McEwen Crescent, Barton, ACT.

2.12 The auditors reviewed documents provided by DFAT prior to the fieldwork component of the audit.  During the fieldwork visit the auditors conducted both an opening and closing conference with DFAT staff and discussed the audit process and privacy considerations.

2.13 Between the conferences, the auditors spoke with DFAT staff and obtained further details about DFAT’s DVS operations, including additional documents.  The auditors also observed user test queries run by DFAT.  These queries using test data modelled the sorts of queries DFAT would receive from User agencies via the DVS.

Information obtained prior to the audit

2.14 The following documentation was provided by DFAT and formed the basis of the OAIC’s audit:

  • brief overview statement of DFAT as an Issuer Agency
  • a copy of the Australian Passport Office organisational chart showing the management and operational structure relating to the DVS
  • a copy of DFAT’s Passports System Quality Assurance – DVS – Issuer agency system overview and technical requirements
  • a copy of an Outline of personal information data flows within DFAT as it relates to the handling of DVS requests
  • a copy of an adult passport application form
  • written responses to audit questions.

2.15 In addition, the following documents were supplied during the fieldwork phase of the audit:

  • a copy of the MOU between AGD and DFAT for participation in the DVS dated 1 July 2010
  • a sample screen printout of a the format of a verification response
  • a list of DVS enquiries performed in all offices between 1 October 1010 and 31 October 2010.

DVS Verification request process

2.16 DVS verification requests from User agencies seek to verify, in real time, DFAT issued Australian Passports presented by individuals when making an application directly to a User agency.

2.17 DFAT responds to DVS requests for verification of DFAT issued EOI documents.   The verification requests are transmitted from the User Agency via the Hub to DFAT via ‘ICON’, which is a secure fibre optic network carrying an IBM application messaging tool known as ‘MQ series’.

2.18 DVS verification requests are received through the secure network into DFAT’s database which is called the Passport Issue and Control System (PICS).  PICS is a live passport production environment which holds details of about 23 million Australian passports issued since 1980.

2.19 The verification requests received electronically by DFAT are handled in a partitioned environment linked to PICS called the Passport Issue Control and Verification (PICV).  Staff using PICS cannot view PICV and cannot view verification requests.  (Access to the verification log is discussed below.)

2.20 Personal information contained in the passport must be matched exactly with the personal information contained in the request during the verification process.  This includes the holder name, both given name and family names, gender and date of birth. The passport must also be valid or have expired within the last two years.

2.21 A ‘YES’ response is returned to the User Agency via the Hub if the passport is deemed to be valid or expired within the last two years and if all data matches exactly.

2.22 Any data variation will result in a ‘N’ response to the User Agency via the Hub to indicate that the passport could not be verified as valid EOI document.  No details are provided about why the EOI document did not pass the verification process.

2.23 If DFAT experiences a systems error in its own electronic environment, an ‘S’ response is returned.  At the time of the audit, no ‘S’ responses had been returned.

2.24 At the time of the audit, DFAT was receiving about 130 DVS requests for EOI verifications per month, many of which were test messages only.  Of this figure 50 requests were received from the NSW Roads and Traffic Authority (NSW RTA).

2.25 All verification requests are logged with their Virtual Reference Numbers (VRN).  If required, DFAT can then review the request and the reason why the passport was not verified as a valid EOI document. A User agency can make an enquiry of DFAT to ascertain why a ‘N’ was returned. While DFAT will not disclose the reasons for the response nor any details of personal information, depending on the type of error DFAT may suggest that the agency check the accuracy of the data entered. For example, DFAT advised that transpositions of first and middle name or misspelling of names during data entry could cause an N to be returned.  Suggesting that the User agency check the source document and re-enter the data could resolve the error and result in a ‘Y’ being returned.

2.26 Access to the DVS verification request log is limited and only available to a small number of authorised staff, including DFAT’s fraud team.  Access to the PICV database is password protected and all access is logged.

2.27 In the event that fraud is suspected, DFAT may ask the User agency to either retain the passport and/or contact its fraud department.

2.28 At the time of the audit, DFAT was receiving requests from NSW RTA, specifically, from its 3-4 offices in the Newcastle area, as the only active User agency.  In addition, the auditors were advised that DIAC very occasionally makes requests, with fewer than 10 received by DFAT in the last 12 months.  NSW Birth Deaths and Marriages has just signed up and was not operational at the time of the audit. DFAT was not participating as a User agency at the time of the audit.

Audit opinion

2.29 The auditors’ observations show that DFAT handles personal information relating to the DVS in accordance with the IPPs in the Act.

2.30 The auditors did not identify any privacy risks in relation to DFAT’s handling of personal information when responding to verification requests facilitated by the Hub.

2.31 The audit team holds the opinion that DFAT is generally compliant in meeting its obligations under the Act.  However, it was noted that DFAT has not given the Commissioner a personal information digest since 2009. While this omission would not pose any particular privacy risks in terms of the handling of personal information, it is a requirement under IPP 5.4(b). 

2.32 In order to assist passport applicants to understand what is happening to their personal information, the auditors have suggested that DFAT determine the precise location of the list of agencies to which DFAT may disclose personal information it collects when processing passport applications, and ensure that this list can be located by members of the public on its website.

Follow up review

2.33 A follow up review may be undertaken after six months has elapsed from the date of the final report.

Reporting

2.34 Generally the OAIC will publish final audit reports on its website, except where there are concerns with commercial in confidence material. For example, where the audit relates to material involving national security or law enforcement, it may be appropriate to redact some information from the report prior to it being published or not to publish the report at all.

2.35 Before publishing the final report, the lead auditor in conjunction with the agency, should determine whether there is any commercial in confidence material in the report. Where such material exists, the lead auditor must determine whether the material is such that it can be redacted or the report should not be published in total.

2.36 Where final reports of audits of ACT, Australian and Norfolk Island government agencies are published, they will be available on the OAIC’s website, www.oaic.gov.au.

2.37 Information Privacy Principle audit findings and recommendations that are considered relevant to be good privacy practices across the public sector are also generally discussed in our annual report.

Back to Contents

Part 3 — Audit issues

The following findings and recommendations relate to the auditors’ consideration of the process by which DFAT handles verification requests in accordance with the Act.

The IPPs are produced in full in Appendix A.

IPPs 1–3: Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector’s functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals’ personal affairs.

Observations

3.1 The auditors noted that DFAT validates the information in the request and returns a response in real time.

3.2 If the response to the verification request is ‘N’, DFAT logs details about the likely reason the request did not verify. 

3.3 The auditors were informed that DFAT only passes back a ‘Y, ‘N’ or ‘error’ response to the User agency. The auditors observed a request where the data was validated and a request where the data was not validated and confirmed that responses returned by DFAT were consistent with the stated practice.

3.4 DFAT collects personal information for a lawful purpose when processing passport applications from individuals. However, it does not solicit any personal information directly from individuals for the purpose of EOI verification in its capacity as an Issuer agency.

3.5 The auditors noted that it is the responsibility of User agencies to provide individuals with information about the collection of their personal information from EOI documents presented for verification, as required by IPP 2.

Privacy Issues

3.6 The User agencies registration and enrolment procedures should include advice to applicants that information provided in relation to the application including EOI documents will be checked with relevant sources to verify its accuracy and seek their consent to this.

3.7 The auditors reviewed information made available to the general public on DFAT’s passport application form and in its Protecting Your Privacy brochure. Auditors noted that despite references to it in the brochure, none of the DFAT staff was able to find the complete list of agencies to which DFAT may disclose personal information it has collected when processing passport applications. 

3.8 The MOU between the AGD and DFAT dated 1 July 2010 reinforces the requirements of IPP 2 by stipulating that, when it is operating as a User agency, DFAT agrees to implement measures to seek consent from individuals to verify the details of the identifying information provided and to inform them of what will happen with their personal information.  The MOU includes the following points:

  1. that the details are being collected to confirm the integrity of the Identifying Information
  2. the Identifying Information may be checked with the issuing agencies
  3. of any legal authority under which the details of the Identifying Information is being collected.

Best Privacy Practice Suggestion

3.9 The OAIC suggests that DFAT determine the precise location of the list of agencies to which DFAT may disclose personal information it collects when processing passport applications, and ensure that this list can be located by members of the public on its website.

IPP 4: Storage and Security of Personal Information

IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper’s power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

3.10 The auditors observed the physical security arrangements in place at DFAT’s Head Office, RG Casey Building, John McEwen Crescent, Barton, ACT.

3.11 Visitors cannot enter the building without being met by a DFAT staff member and issued with a visitor’s tag upon arrival on the ground floor DFAT’s office is patrolled by security guards 24 hours seven days a week.

3.12 Entry to the lift foyer area is by swipe card access only.  Access to the floors of the building also requires swipe card access.  Visitors are accompanied by a DFAT staff member during visits.

3.13 DFAT observes a ‘clean desk policy’ which is strictly adhered to and monitored.  DFAT also has a strictly implemented policy for locking cabinets and other physical storage facilities.  When staff members are absent, signs are left in their in-trays to prevent documents being left unattended.  The security guards conduct onsite checks and monitor compliance.  If they identify any security breaches involving the compactus and desks, they place a breach notice on the unsecured equipment.  Any such security breaches are reported to the DFAT Secretary as they are linked to the Heads of Divisions’ performance agreements and must not exceed three per individual in a financial year.

3.14 DFAT has the following controls in place for the security of personal information in the electronic environment.

3.15 The auditors were advised that DFAT employees are only provided with access to PICV on a very limited basis.  Access is currently limited to four programmers in the IT section and not general PICS users.

3.16 As an additional layer of security, authorised users can only access PICV via a separate logon. Passwords have a total of eight characters containing upper and lower case and must be changed monthly.

3.17 Access to PICV is not automatically granted to DFAT staff. For a user to be able to log on and access PICV, the icon must be specifically added to their desktop profile.    

3.18 A limited number of DFAT staff are ‘Superusers’ which means that they have broad IT access.  At the time of the field work visit there were five Superusers.

3.19 The auditors were advised that one dedicated position is responsible for the creation of operational IDs which are signed off by the Director, Fraud. These IDs have levels of access and profiles appropriate to the positions, and are subject to annual Australian National Audit Office (ANAO) checks.

3.20 DFAT demonstrated to the auditors that regular checking takes place and that a fix has been implemented to ensure that certain fields are blanked out to prevent data containing personal information from being transmitted back to the User agency when a DVS enquiry is made.

3.21 The auditors noted that DFAT uses validation codes internally to protect and prevent unauthorised disclosure of information.

3.22 The auditors were advised that the PICV verification system has the capacity to accommodation 50 000 – 100 000 ‘hits’ a day as it was built in anticipation of the’ Australia Card’[1] which did not proceed.  While this capacity has not been utilised for DVS, it demonstrates the potential capacity of the system.

3.23 Auditors noted that there was a potential for a problem to arise in the event of a transmission problem.  Specifically, where a request could not be received by DFAT due to a transmission error, all requests would continue to queue outside the PIVS environment rather than be removed.

3.24 However, DFAT advised that where transmission problem arose, Centrelink, as the DVS Hub operator, would contact DFAT by phone or email.

3.25 As indicated, should a request return an ‘N’ response, the agency seeking to verify the outcome may make contact with DFAT.  If this occurs, s DFAT’s staff adhere to strict guidelines which prohibit them from disclosing details of individuals’ personal information. 

3.26 Currently, it is the responsibility of the fraud liaison officer within the fraud team to deal with enquiries regarding the accuracy of identity information on documents issued by DFAT. 

3.27 Currently there are 1-2 fraud liaison officers performing this function in the Canberra office with others in the states and territories, giving a total of eight officers.

3.28 All requests for manual follow up by User agencies are logged when the fraud liaison officer reviews the request to determine why the passport did not verify on that occasion. The VRN operates as the reference number and access to the command is limited by the user’s profile.

3.29 When checking ‘N’ responses for agencies, DFAT checks the verification request which has been stored by passport number and VRN.  The reason for the non-validation is also stored.

3.30 As an additional safeguard, to enable the operation of verification requests, DFAT is provided with the agency’s electronic issuing code which means that DFAT will recognise and process a response to a verification request, that is a ‘Y’ or ‘N’.

3.31 It was noted that DFAT participates with other forms of verification processes, such as businesses providing online identity verification to meet the requirements of Anti-money Laundering and Counter-Terrorism Financing legislation.  However these services operate outside the DVS and do not fall into the scope for this audit.

Privacy issues

3.32 There were no specific issues identified in the audit in relation to security of storage of personal information regarding the DVS system.

IPP 5: Information relating to records kept by record-keeper

IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.

IPP 5.3 and 5.4 also requires that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Commissioner a listing of the personal information it holds.  The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record.  This listing is known as the agency’s Personal Information Digest (PID).

Observations

3.33 The auditors noted that DFAT has not submitted a PID since 2009.

Privacy issues

3.34 IPP 5 requires agencies to submit their PID to the Commissioner on an annual basis. 

Recommendation

3.35 The OAIC recommends that DFAT submit its PIDs to the Commissioner in accordance with IPP 5.4(b).

IPP 6 Issues: Access to records containing personal information

IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.36 The auditors were advised that DFAT has not received any requests from individuals for access to their information held in the DVS system.

Privacy issues

3.37 The audit did not identify any specific issues about individuals’ access to the personal information held in the DVS system.

IPP 7: Alteration of records containing personal information

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading. 

Where, despite an individual’s request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual’s request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Observations

3.38 In the current operational context, there is little scope for individuals to engage with DFAT about its verification processes as the User agency is the ‘face’ of the process, not DFAT.  In addition, DFAT does not store any personal information which would require amendment.

Privacy issues

3.39 The audit did not identify any specific issues about alteration of personal information verified by DFAT.

IPP 8: Record-keeper to check accuracy etc. of personal information before use

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

3.40 The auditors recognise that the DVS system is a system specifically designed to confirm the accuracy of personal information within documents.  It is a means to check the accuracy of personal information from an EOI document against the database of the issuing agency.  Further, the auditors observed a Y response and an N response by looking at the records that were received. The auditors also noted that DFAT was checking the responses against its records to pick up inaccuracies. The verification process provides a trigger to resolve any non-verification due to a discrepancy between the EOI document and the database held by DFAT.  This demonstrates DFAT’s compliance with IPP 8.

3.41 The auditors noted that the MOU between AGD and DFAT stipulates that DFAT will provide a complaint mechanism as part of being a DVS participant. It is the currently the responsibility of the Communications Unit to respond to any complaints generally.

Privacy issues

3.42 The audit did not identify any specific issues about the steps taken to ensure the accuracy of personal information during the verification process.

IPP 9: Personal information to be used only for relevant purposes

IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Observations

3.43 DFAT collects personal information for the processing of passport applications from individuals.

Privacy issues

3.44 The audit did not identify any specific issues about personal information contained in the verification process being used for an irrelevant purpose.

IPP 10 - 11 Issues: Limits on the use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Observations

3.45 The auditors are aware that the DVS system is based on the individual giving the User agency consent to use and disclose their personal information into the DVS Hub for verification purposes.

3.46 As such, any disclosure that occurs as a result of the verification process through the DVS Hub will be based on the consent of the individual concerned.

3.47 Consent obtained by the User agency will amount to consent for the DVS transaction. For the User agency that obtains the individual’s consent to verify documentation provided, consent will be express. Issuer agencies and the Hub Manager will not be able to obtain their own consent but can imply consent from the requirement that the User agency obtain consent to the transaction as a whole.

3.48 To limit disclosure and prevent use for a secondary purpose the response message is limited to a Y/N format without disclosing the reasons for non-verification.

3.49 In addition, DFAT’s Australian Passports Determination 2005 provides in section 46 that the Minister may disclose information for particular purposes, including for the purpose of confirming or verifying information relating to an applicant for an Australian travel document or a person to whom an Australian travel document has been issued; and for the purpose of law enforcement. This provides the authority for disclosure in circumstances such as manual verification in the case of non-verification.

Privacy issues

3.50 The auditors did not identify any specific issues regarding the use and disclosure of personal information through the DVS Hub.

Back to Contents

Part 4 — Summary of Recommendations

4.1 The OAIC recommends that DFAT submit its PIDs to the Commissioner in accordance with IPP 5.4(b).

Auditee response

DFAT accepts the recommendation and makes the following comment:

The DFAT Privacy Contact Officer understands that the deadline for submission of 2012 PIDs has passed and that the proposed reforms to the Privacy Act, if implemented in their current form, will remove the need for agencies to submit PIDs in future. However, as the OAIC advised the Privacy Contact Officer by telephone on 22 November that the need to submit PIDs remains current as the reforms are not yet finalised DFAT is happy to indicate its acceptance of the recommendation to submit its PIDs in future, should they be required.

Back to Contents

Part 5 — Best Privacy Practice Suggestions

5.2 The OAIC suggests that DFAT determine the precise location of the list of agencies to which DFAT may disclose personal information it collects when processing passport applications, and ensure that this list can be located by members of the public on its website.

Auditee response

DFAT accepts the best practice suggestion and makes the following comment:

Due to an oversight the list of agencies to which DFAT may disclose personal information has not been prepared.  DFAT will use its best endeavours to compile and publish a list of agencies bound by the Privacy Act to which DFAT may disclose the personal information it collects.

Back to Contents

Acronyms and abbreviations

Acronym or abbreviationMeaning

AGD

Attorney-General’s Department

ANAO

Australian National Audit Office

DFAT

Department of Foreign Affairs and Trade

DIAC

Department of Immigration and Citizenship

DVS

Document Verification Service

EOI     

Evidence of Identity

IPPs

Information Privacy Principles

MOU

Memorandum of Understanding

NEVDIS

National Exchange of Vehicles and Driver Information System

NSW RTA

NSW Roads and Traffic Authority

OAIC

Office of the Australian Information Commissioner

PICS 

Passport Issue and Control System

PICV

Passport Issue Control and Verification

PID

Personal Information Digest

The Act

Privacy Act 1988 (Cth)

User agencies

Australian, state and territory government agencies authorised to use the DVS

VRN 

Virtual Reference Numbers

Back to Contents

Appendix A — Information Privacy Principles

For the full text of the Information Privacy Principles read our Privacy Fact Sheet 1 (.pdf 1 MB)

Back to Contents

Footnotes

[1] The Australia Card was a national identification card proposed during the mid-1980s.

Back to Contents