Cross-border disclosures of personal information: Passenger Name Records

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) 2022 assessment of the Department of Home Affairs’ (Home Affairs) processes governing cross-border disclosures of European Union-sourced Passenger Name Record data (EU PNR data) under Australian Privacy Principle (APP) 8 of the Privacy Act 1988 (Cth).[1]

1.2 International passenger airlines are required to provide Home Affairs certain passenger information upon request, including personal information, for flights travelling to, from or through Australia under s 64AF of the Customs Act 1901 (Cth). This information is known as Passenger Name Record (PNR) data.

1.3 Cross-border disclosures of personal information are regulated under APP 8 of the Privacy Act. APP 8.1 requires an APP entity to take reasonable steps in the circumstances to ensure that an overseas recipient does not breach the APPs (other than APP 1) before disclosing personal information. However, there are exceptions to the reasonable steps requirement at APP 8.1, such as where disclosure to an overseas recipient is required or authorised by law.

1.4 In addition to the obligations regarding Home Affairs’ handling of PNR data under the APPs, disclosures of EU PNR data are governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service[2] (the EU Agreement).[3] The OAIC considers compliance with the EU Agreement to be a reasonable step under APP 8.1.

1.5 Overall, the assessment found that Home Affairs has effective mechanisms in place to safeguard personal information and limit the risk of unauthorised cross-border disclosures of EU PNR data under APP 8. In particular, the assessment found that Home Affairs has taken steps aimed at ensuring that cross-border disclosures of EU PNR data only occur when required or authorised by law. However, more can be done to proactively ensure that overseas recipients comply with obligations in line with APP 8 and the EU Agreement, and support officers procedurally in processing and reviewing cross-border disclosures.

1.6 As no recent cross-border disclosures of EU PNR data were available for review in this assessment, our recommendations primarily relate to the documents, databases, and checklists Home Affairs’ officers utilise when processing requests for the cross-border disclosure of EU PNR data, as well as mechanisms used to govern the handling of disclosed information.

1.7 The OAIC made 8 recommendations and 4 suggestions to Home Affairs to address the privacy risks identified in this assessment. This included recommendations to address 2 high privacy risks. These recommendations and suggestions are listed in Part 4 of this report.

Part 2: Introduction

Passenger Name Records

2.1 International passenger airlines are required to provide certain passenger information to Home Affairs for flights that travel to, from or through Australia under s 64AF of the Customs Act 1901 (Cth). This information is known as PNR data.

2.2 PNR data that is processed in the European Union (EU) or sourced from airline reservation systems located in the EU is referred to as EU PNR data in this assessment.

2.3 The EU Agreement authorises EU PNR data to be used exclusively to prevent, detect, investigate, and prosecute terrorism and serious transnational crimes such as drug trafficking and people smuggling.

2.4 EU PNR data is personal information as it relates to identified individuals. It includes:

• Passenger name and contact information
• Booking details including payment/billing information
• Travel status and itinerary
• Frequent flyer and benefit information

2.5 Cross-border disclosures of PNR data, including EU PNR data, are uncommon. When the assessment fieldwork was conducted,[4] Home Affairs advised that no cross-border disclosures of PNR data had been made in the 2021-2022 financial year. Prior to the COVID-19 pandemic in the 2019 calendar year, only 2 cross-border disclosures of PNR data were made. Neither of these disclosures related to EU PNR data.

2.6 Where PNR data is requested, Home Affairs staff may not provide PNR data in response. Officers are instructed in procedural documentation to consider alternative data that may sufficiently address the request. This mitigates the risk that an inappropriate disclosure of EU PNR data will be made.

Australian Privacy Principle 8

2.7 APP 8.1 requires that, before disclosing personal information such as EU PNR data, APP entities such as Home Affairs must take steps that are reasonable in the circumstances to ensure that overseas recipients do not breach the APPs (other than APP 1) unless an exception under APP 8.2 applies.

2.8 Exceptions include cross-border disclosures:

• required or authorised by an Australian law or court/tribunal order (APP 8.2(c))
• by an agency, such as Home Affairs,[5] and the disclosure is required or authorised by an international agreement relating to information sharing to which Australia is a party (APP 8.2(e))
• by an agency that reasonably believes the disclosure is reasonably necessary for enforcement related activity of an enforcement body, where the overseas recipient performs functions, or exercises powers, like those of an enforcement body (APP 8.2(f)).

The EU Agreement

2.9 Disclosures of EU PNR data are also governed by the EU Agreement. Article 19 authorises disclosures of EU PNR data to third-party countries subject to certain requirements – many of which align with various APPs. For example, ensuring the security and integrity of the EU PNR data (APP 11), and disclosing EU PNR data only for the purpose it was collected for (APP 6). Several of these requirements are considered in Part 3 below.

2.10 Article 10 of the EU Agreement provides that Home Affairs’ compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner (Commissioner).

Part 3: Summary of findings

3.1 The OAIC’s assessment of Home Affairs’ cross-border disclosures of EU PNR data considered relevant obligations and exceptions under APP 8 and the EU Agreement. The key findings are set out below.

3.2 Overall, the assessment found that Home Affairs has effective mechanisms in place to safeguard personal information when making cross-border disclosures of EU PNR data. However, more can be done to proactively ensure that overseas recipients comply with obligations in line with APP 8 and the EU Agreement, and support officers procedurally in processing and reviewing cross-border disclosures.

3.3 As no recent cross-border disclosures of EU PNR data were available for review in this assessment, our recommendations primarily relate to the documents, databases, and checklists Home Affairs’ officers utilise when processing requests for the cross-border disclosure of EU PNR data, as well as mechanisms used to govern the handling of disclosed information.

3.4 Home Affairs relies upon information sharing agreements to govern how EU PNR data is handled when it is disclosed to an overseas recipient. In this assessment, Home Affairs provided a sample of 3 such agreements for review. Findings in this assessment are based on this sample. However, it may not be representative of all of information sharing agreements that Home Affairs may have with overseas and international entities.

APP 8.2(c): Required or authorised by Australian law

3.5 APP 8.2(c) provides that APP 8.1 does not apply to disclosures of information that are required or authorised by Australian law.

3.6 The assessment found that Home Affairs primarily relies on s 45 of the Australian Border Force Act 2015 (Cth) (ABF Act) when undertaking cross-border disclosures of EU PNR data. Home Affairs advised that it is highly unlikely to disclose EU PNR data under any other legislative provision.

Disclosure under s 45 of the ABF Act

3.7 Home Affairs’ policies instruct staff to first determine whether requests for cross-border disclosures of EU PNR data can be made under s 45 of the ABF Act.

3.8 Subsection 45(2) of the ABF Act allows an authorised ‘entrusted person’ to disclose personal information, such as EU PNR data, to a foreign country, an agency or authority of a foreign country or a public international organisation (overseas recipient). Such a disclosure may only be made where the following elements are satisfied:

• The disclosure is for a purpose outlined in s 46 of the ABF Act, such as the administration of a criminal law, including the prevention, detection, or analysis of criminal conduct.
• The Secretary of the Department[6] is satisfied that:
  • the information will be used in accordance with an agreement between the Commonwealth, or an agency or authority thereof, and a foreign country, an agency or authority of a foreign country and/or a public international organisation
  • the disclosure is necessary for a purpose outlined in s 46.
• The overseas recipient has undertaken to not use or further disclose the information except in accordance with the agreement or otherwise as required or authorised by law.

3.9 Home Affairs’ Instrument of Authorisation (Instrument) authorises all Immigration and Border Protection workers, except Australian Border Force staff, as entrusted persons under s 45 of the ABF Act. For matters that are not authorised under the Instrument, a one-off Authority to Disclose Immigration and Border Protection Information form must be completed by a delegate of the Secretary.

3.10 The requirements under s 45 of the ABF Act are considered in more detail below.

Overseas recipients

3.11 Subsection 45(2) of the ABF Act only authorises disclosures to be made where the overseas recipient is a foreign country, an agency or authority of a foreign country or a public international organisation.

3.12 The Border Intelligence Watch Office (BIWO) receives and processes all requests for EU PNR data. It requires all requests for information to be lodged in a BIWO Request for Information form outlining information such as the requestor’s details, the information requested, and reason that information is required. Home Affairs use this information, in particular the requestor’s email address, to verify that the requestor is an overseas recipient under s 45 of the ABF Act.

3.13 The Instrument also identifies entities to which disclosures are ‘authorised’. However, this includes at least one corporate entity, an airline, which apparently does not satisfy the requirements of s 45 of the ABF Act. This is a high privacy risk as disclosures that do not satisfy s 45 of the ABF Act are not authorised by law for the purposes of APP 8.2(c). Unless Home Affairs otherwise satisfies APP 8.1 or another APP 8.2 exception, this would constitute a breach of the Privacy Act.

3.14 The OAIC recommends that Home Affairs must review and update the Instrument of Authorisation as a matter of high priority to ensure that the overseas and international entities listed are ‘a foreign country, an agency or authority of a foreign country or a public international organisation’ within the meaning of s 45 of the ABF Act.

In accordance with an agreement

3.15 Disclosures of EU PNR data are only authorised under s 45(2) of the ABF Act where the Secretary of the Department (including a delegate) is satisfied that the information will be used in accordance with an agreement between the Commonwealth, or an agency or authority thereof, and a foreign country, an agency or authority of a foreign country or a public international organisation. It appears that these agreements generally contain safeguards that Home Affairs relies upon to govern overseas recipients’ handling of personal information.

3.16 Home Affairs provides officers checklists to facilitate their determinations under certain provisions of the ABF Act. The ‘ABF Act Part 6 – s45 – Disclosure in accordance with agreements Intelligence Division Checklist’ (Section 45 Checklist) requires staff to check there is an active and relevant agreement on the MOU Register when considering a request for information. The MOU Register table describes the currency of agreements by ‘status’ (unknown, active, expired). It does not contain the expiry dates of agreements.

3.17 As the MOU Register is updated manually, there is a high privacy risk that the status of an agreement may become inaccurate between updates and staff may incorrectly disclose information in reliance on an expired agreement. Such a disclosure would not satisfy s 45 of the ABF Act and would not be authorised by law as per APP 8.2(c). Unless Home Affairs satisfies APP 8.1 or another APP 8.2 exception, this would constitute a breach of the Privacy Act. The OAIC recommends that the MOU Register be updated as a high priority to capture the expiry dates of agreements to allow staff to confirm that agreements are current before making a disclosure.

3.18 Home Affairs advised anecdotally that some staff may rely on the Instrument to determine whether there is an applicable agreement. However, the few entries in the Instrument that identify an agreement do not state whether and when the agreements expire. As the Instrument is not designed to be regularly maintained and updated, officers should refer to the MOU Register and the agreements themselves to ascertain the currency and relevance of specific agreements.

3.19 As there is a low privacy risk that staff will not check the currency of agreements in the MOU Register, the Instrument could be updated to refer readers to the MOU Register and not include details of information sharing agreements in the Instrument itself.

3.20 In the BIWO Request for Information form, a requestor is also required to declare that they will ‘handle and store any information provided…in accordance with all associated memoranda and legislation’. While some explanatory material about the EU Agreement is included, the form does not identify an agreement to which the overseas recipient may be subject as ‘associated memoranda’.

3.21 Home Affairs relies on terms and safeguards within certain agreements to determine whether a disclosure is authorised under s 45 of the ABF Act. If a relevant agreement is not expressly identified to the overseas recipient, there is a medium risk that the overseas recipient may not understand or be aware of its obligations under that agreement when receiving EU PNR data.

Necessity for s 46 purpose

3.22 A requestor must provide details of the offence relevant to the request and the intended use of the information in the BIWO Request for Information form. This information may be used to determine whether a disclosure of EU PNR data is necessary for a purpose under s 46 of the ABF Act and for a law enforcement purpose under the EU Agreement.[7]

3.23 Home Affairs advised that disclosures of information under s 45(2) of the ABF Act were generally for the prevention, detection, or analysis of criminal conduct under a law of an Australian or foreign jurisdiction.[8] When reviewing matters for disclosure, staff are also instructed to consider the necessity of disclosing PNR data, or whether alternative data might sufficiently address the request.

Limitations on further disclosure

3.24 Home Affairs requires agreements relevant to cross-border disclosures to contain an undertaking that the recipient will not use or further disclose information – except in accordance with the agreement or otherwise as required or authorised by law.[9] All 3 of the agreements reviewed in this assessment contained this undertaking.

3.25 The BIWO Request for Information form requests that recipients do not further disclose information received unless Home Affairs grants written permission, or the disclosure is required or authorised by law. The caveat template for disclosures of EU PNR data also states that the information cannot be further disclosed without the prior written consent of Home Affairs. Compliance with such caveats is a condition of the agreements reviewed in this assessment.

Recording decisions

3.26 Complete and accurate records of determinations of cross-border requests for EU PNR data are necessary to verify whether information has been handled lawfully and appropriately.[10] Although Home Affairs does record requests and the outcome of each determination, for matters authorised under the Instrument, the assessment found that there is no record of Home Affairs’ substantive considerations when deciding whether to disclose EU PNR data.[11]

3.27 Officers should record their considerations when deciding whether to disclose information, including EU PNR data. This could be by expanding officer checklists, such as the Section 45 Checklist, to allow staff to explain whether and how the requirements of s 45 of the ABF Act have been satisfied. Additional procedural items should also be included in officer checklists to ensure that this information and requisite supporting documentation are consistently saved on Home Affairs’ record management system and the BIWO portal.[12]

Other means of cross-border disclosure

3.28 Where s 45 of the ABF Act does not apply, Home Affairs’ policy documents suggest that staff consider whether a disclosure may be made in accordance with s 42(2)(b) of the ABF Act. Paragraph 42(2)(b) may not ‘authorise or require’ a disclosure to be made as required under APP 8.2(c). It provides that an entrusted person does not commit an offence when making a disclosure in the course of their employment or service.

3.29 Disclosures of EU PNR data that are not authorised by s 45 of the ABF Act may fall under other APP 8.2 exceptions, such as APPs 8.2(e)[13] and 8.2(f).[14] Home Affairs noted that disclosures that may fall under these exceptions are highly unlikely to arise. These exceptions have therefore not been considered in this assessment.

3.30 Home Affairs have developed an ‘ABF Act Part 6 – s42(2)(b) – Disclosure in the course of employment Intelligence Division Checklist’ (Section 42(2)(b) Checklist) to assist officers when processing requests for information under that provision.

3.31 While the Section 42(2)(b) Checklist does refer to matters such as relevant APPs and the need to consider ‘treaty’ obligations, the information provided is limited. There is a low privacy risk that officers will not understand their obligations under the APPs and EU Agreement when disclosing EU PNR data. Home Affairs could include links to the APPs, APP guidelines and the EU Agreement in the checklist to assist staff.

APP 8.1 Reasonable steps

3.32 As noted above, the information provided in this assessment indicates that Home Affairs’ cross-border disclosures of EU PNR data will likely be authorised by law. As this is an exception under APP 8.2(c), APP 8.1 will not apply to most cross-border disclosures of EU PNR data.

3.33 Nonetheless, Home Affairs’ policies and procedures contemplate that cross-border disclosures of EU PNR data may occur in circumstances where APP 8.2(c) does not apply. APP 8.1 may apply in these instances.

3.34 APP 8.1 requires Home Affairs to take reasonable steps in the circumstances to ensure that an overseas recipient does not breach the APPs (other than APP 1) prior to disclosing personal information. These steps are also important in strengthening Home Affairs’ privacy posture generally.

Caveats

3.35 Home Affairs’ policies and procedures most often refer to the inclusion of caveats in disclosure documents as a mechanism to ensure that overseas recipients appropriately handle the information disclosed.

3.36 Home Affairs have prepared a template caveat for all disclosures of EU PNR data. However, this caveat may not be suitable for cross-border disclosures. For example, the caveat states that the reader is governed by the APPs which is incorrect where the recipient is not subject to Australian legal jurisdiction. There is a medium privacy risk that the overseas recipient will not adequately understand their obligations as outlined in the caveat.

Request for Information form

3.37 The BIWO Request for Information form contains commentary for requestors about restrictions when handling EU PNR data. For example, the form advises potential overseas recipients that EU PNR data can only be processed to detect, investigate, and prosecute terrorism offences or serious transnational crime.

3.38 While Home Affairs requests that overseas recipients only use and disclose information for the purpose for which it was provided (APP 6), it should also refer to obligations that arise in line with other APPs under APP 8.1 such as the security and deletion of the information disclosed (APP 11).

Internal mechanisms

3.39 Home Affairs has various internal mechanisms to facilitate compliance with APP 8 when considering cross-border disclosures of EU PNR data. These include conducting compliance checks and providing annual staff training.

Compliance checks

3.40 Home Affairs conduct quarterly compliance checks to assess compliance with Home Affairs’ policies and legislative requirements. These compliance checks ensure that staff are aware of their obligations when handling EU PNR data, may detect instances where EU PNR data was inappropriately disclosed, and can effectively identify process improvements.

3.41 Home Affairs advised that it has not identified any significant issues in compliance checks but has made recommendations and suggestions, all of which have been accepted by the business area. Home Affairs also advised that it has mechanisms to track, follow up and escalate recommendations and suggestions that are yet to be implemented.

3.42 Although procedural instructions indicate that PNR requests are sampled for compliance checks randomly, it was advised in fieldwork that compliance checks are generally targeted at issues identified in previous checks. This may enhance the deterrent effect of these checks. However, random compliance checks allow previously unknown issues to be identified. The OAIC suggests that Home Affairs also undertake random compliance checks in accordance with its policy and procedural documentation.

Training

3.43 Home Affairs provides annual privacy, information sharing and PNR data handling training to relevant staff. Completion of the latter training is a prerequisite for all staff to access PNR data. This ensures that staff are aware of their obligations when disclosing EU PNR data.

3.44 APP 8 is referred to in the training programs with limited detail. Home Affairs’ primary ‘privacy essentials’ training focuses on scenarios that are potential exceptions under APP 8.2 but does not appear to outline the APP 8.1 requirements when an exception does not apply. Nor does it advise that a breach of an APP by an overseas recipient may be taken to be a breach by Home Affairs for cross-border disclosures under APP 8.1.[16] The Intelligence Information Sharing training briefly refers to APP 8 but does not outline the substantive requirements and exceptions of the APP.

3.45 It is important that officers understand the requirements of the Privacy Act when disclosing information overseas, particularly where there is no valid APP 8.2 exception. This creates a medium privacy risk that a disclosure of EU PNR data may breach APP 8.

The EU Agreement

3.46 While the assessment has found that Home Affairs does not disclose information solely in reliance on the EU Agreement, the OAIC considers that the protections contained in the EU Agreement are relevant to all disclosures of EU PNR data.

3.47 As stated above, compliance with the EU Agreement is a reasonable step for the purposes of APP 8.1.

3.48 Home Affairs makes consistent reference to Article 19 of the EU Agreement in policy documentation. However, while officer checklists require officers to consider ‘treaty obligations’ in their determinations, they do not make explicit reference to the EU Agreement and its additional requirements when disclosing EU PNR data.

3.49 As cross-border disclosures of EU PNR data are so infrequent, staff may be less familiar with the EU Agreement and any obligations it imposes. For disclosures made under s 45 of the ABF Act, there is a medium privacy risk that an officer will not consider and apply the safeguards required by the EU Agreement when making a cross-border disclosure of EU PNR data.

Sensitive information

3.50 Article 8 of the EU Agreement prohibits processing ‘sensitive data’ which is ‘any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health or sex life.’

3.51 In fieldwork, Home Affairs advised that some fields containing sensitive information are blocked when PNR data is received, but sensitive data such as the titles (e.g., Reverend) of individuals may be received in free text notes. Home Affairs staff must delete sensitive information from disclosure documents when processing requests for information prior to making a disclosure.

3.52 As this is a manual process, this creates a low privacy risk that officers may not remove sensitive information. Home Affairs could update officer checklists to require staff to confirm that all sensitive information has been removed from the disclosure document prior to disclosing EU PNR data.

Oversight and redress

3.53 Home Affairs records all requests for PNR data in accordance with Article 17 of the EU Agreement. This enables oversight of cross-border disclosures of EU PNR data.

3.54 Articles 13 and 14 of the EU Agreement also require individuals be provided a right of rectification and erasure in relation to EU PNR data, and a right to redress if their rights under the EU Agreement are violated.

3.55 The Australian Border Force’s online notice regarding PNR data[18] outlines mechanisms for individuals to request access to, or the correction of, their PNR data. However, it is unclear how those mechanisms operate where a cross-border disclosure has occurred.

3.56 Only 1 of the 3 information sharing agreements provided by Home Affairs for review included clauses addressing the accuracy, correction and retention of information, and redress for individuals regarding the handling of their personal information. This agreement was also the only one that provided for oversight arrangements, including requiring parties to notify each other where information disclosed is subject to accidental or unauthorised access, use, modification or disposal.

3.57 Where an agreement does not address certain safeguards in line with the EU Agreement, there is a medium privacy risk that an overseas recipient will not apply those safeguards.

3.58 The OAIC recommends that Home Affairs should update the ‘Memorandums of Understanding and Other Collaborative Instruments’ procedural instructions to require that information sharing agreements, to the extent that they are relevant to the disclosure of EU PNR data, contain safeguards with the same effect as those in the EU Agreement. These safeguards may be relevant to disclosures generally under APP 8.1 and are important privacy protections for individuals.

Retaining information

3.59 When disclosing EU PNR data, the EU Agreement requires Home Affairs to be satisfied that an overseas recipient will not retain the information longer than necessary to facilitate the investigation, prosecution or penalty for which it was disclosed.[19]

3.60 The assessment found a medium privacy risk that a cross-border disclosure may not accord with the EU Agreement. Restrictions on the retention of information are not stated in caveats included with disclosures of EU PNR data. Nor are they proactively addressed in information sharing agreements and the request for information form. For example, only 1 of the 3 agreements reviewed contained a requirement to assess and dispose of information when it is no longer necessary for the purpose of the disclosure.

Part 4: Recommendations and responses

Recommendation 1

Home Affairs’ response

Recommendation 2

Home Affairs’ response

Recommendation 3

Home Affairs’ response

Recommendation 4

Home Affairs’ response

Recommendation 5

Home Affairs’ response

Recommendation 6

Home Affairs’ response

Recommendation 7

Home Affairs’ response

Recommendation 8

Home Affairs’ response

Suggestion 1

Home Affairs’ response

Suggestion 2

Home Affairs’ response

Suggestion 3

Home Affairs’ response

Suggestion 4

Home Affairs’ response

Part 5: Description of assessment

5.1 In accordance with a Letter of Exchange with Home Affairs, the OAIC conducted an assessment under s 33C(1)(a) of the Privacy Act.[22]

5.2 EU PNR data is personal information and subject to the provisions of the Privacy Act under Article 7 of the EU Agreement.

5.3 Article 10 of the EU Agreement also provides that the Commissioner has oversight of Australian government authorities’ processing of EU PNR data and refers to arrangements for the Commissioner to undertake regular formal audits of Home Affairs’ handling of EU PNR data.

5.4 In 2019, the EU and Australia conducted a joint review of the EU Agreement under Article 24(2) of the EU Agreement. In its subsequent report to the European Parliament and Council of the European Union,[23] the European Commission’s recommendations included:

For the periodical assessments made by the Office of the Australian Information Commissioner, to include also compliance to other relevant principles in the context of the processing of PNR data like cross-border disclosure of personal data...[24]

5.5 This recommendation was considered in deciding the objective and scope of this assessment.

Objective and scope

5.6 The objective of this assessment was to identify privacy risks (if any) relevant to Home Affairs’ handling of EU PNR data and its obligations relating to cross-border disclosures under APPs 8.1 and/or 8.2.

5.7 The scope of the assessment included consideration of Home Affairs’ processes and mechanisms relating to cross-border disclosures of EU PNR data, including:

• the process of making cross-border disclosures of EU PNR data, including any relevant policies, procedures, systems, governance, and training
• steps taken by Home Affairs to ensure the overseas recipient does not breach the APPs (other than APP 1), such as contractual or non-contractual arrangements with overseas recipients
• the grounds and circumstances of PNR cross-border disclosures, and any arrangements, policies and procedures relating to the applicability of relevant APP 8.2 exception(s).

Methodology

5.8 This assessment involved:

• a review of documents provided by Home Affairs’, including policies and procedures relevant to its handling of EU PNR data
• interviews, including case studies, with Home Affairs staff responsible for the privacy and operational handling of EU PNR data.

5.9 As this was a risk-based assessment, the OAIC applied its privacy risk guidance to identify risks and make recommendations and suggestions to address those risks.

5.10 This was a point-in-time assessment and the findings in this report are based on information provided, and represented to be current, at the time of the assessment. The OAIC did not directly observe Home Affairs’ policies and procedures in practice.