Publication date: 19 December 2019

Assessment undertaken: 26 March 2018
Draft report issued: 28 June 2019
Final report issued: 19 December 2019

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Department of Home Affairs’ (Home Affairs) handling of personal information under the Privacy Act 1988 (Cth).

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act and in accordance with the Memorandum of Understanding (MOU) between Home Affairs and the OAIC. The MOU reflects oversight and accountability arrangements contained in the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (ACBPS) (the EU Agreement).

1.3 The purpose of this assessment was to establish whether Home Affairs is using and disclosing passenger name record (PNR) data in accordance with its obligations under Australian Privacy Principle (APP) 6, and whether it is taking reasonable steps to secure the personal information it holds under APP 11. In particular, the OAIC considered Home Affairs’ APP 6 and 11 obligations in relation to the connected information environment (CIE) that Home Affairs is developing.

1.4 The OAIC has made five recommendations in the report to address medium level privacy risks identified by this assessment. The OAIC has also made a suggestion to assist Home Affairs to further enhance the privacy protective measures it employs.

1.5 These risks and recommendations relate to:

  • Home Affairs’ approach to assessing privacy impacts of the CIE
  • Home Affairs’ implementation of information security risk mitigation strategies identified in a security risk assessment of the CIE
  • continued implementation of additional audit logging measures identified in the security risk assessment (SRA)
  • Home Affairs’ implementation of Australian Government Information Security Manual controls, including access controls such as automation of access to PNR data and the use of multi-factor authentication
  • managing the privacy obligations of third parties involved in the CIE
  • formalising and documenting a departmental-wide response to data breaches.

Part 2: Introduction

Background

2.1 The transfer of passenger name record (PNR) data[1] to Australia is provided for under the Customs Act 1901 (Cth) and EU PNR data is governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (ACBPS) (the EU Agreement).[2]

2.2 Home Affairs receives EU PNR data from an air carrier when the information necessary for processing or controlling a passenger’s air travel reservation for a flight to, from, or through Australia, is processed in the EU. This information includes, for example:

  • passenger names
  • all available contact information
  • dates of intended travel
  • date of reservation/issue of ticket
  • all available payment/billing information.[3]

2.3 Article 10, paragraph 1 of the EU Agreement provides that ACBPS’s (later Home Affairs — see paragraph 2.6 below) compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner. Article 10, paragraph 2 of the EU Agreement refers to arrangements for the Australian Information Commissioner to undertake regular formal audits of all aspects of ACBPS’s EU-sourced PNR data use, handling and access policies and procedures.

2.4 These oversight and accountability provisions under the EU Agreement have been implemented, in part, through a Memorandum of Understanding (MOU) between Home Affairs and the OAIC for the conduct of privacy assessments relating to Home Affairs’ handling of EU PNR data.

2.5 Several other provisions of the EU Agreement relate to privacy and security protections for EU PNR data, including storage requirements, retention periods, a right of access, disclosure of EU PNR data to other Australian government agencies, and a prohibition on the processing of any EU PNR data that contains sensitive data (as that term is defined in article 2(h) of the Agreement). Article 3 limits the use of EU PNR data ‘strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime.’

2.6 ACBPS and the Department of Immigration and Border Protection were integrated by machinery of government changes into a single Department of Immigration and Border Protection (DIBP) on 1 July 2015. On 20 December 2017, the Department of Home Affairs was established and carries out the functions of the former DIBP.

Overview of the connected information environment

2.7 Home Affairs is developing a connected information environment (CIE) to enhance its intelligence capabilities. At the time of the assessment, the implementation of this project was in its early stages, with a range of further capabilities still to be developed. During its assessment, the OAIC focussed primarily on the entity search capabilities that are part of the CIE. In the context of the CIE, an entity search is a search about a person or an organisation, conducted by an intelligence analyst (analyst).

2.8 One of the entity search capabilities within the CIE is the Single View of Entity (SVoE), which is designed to reduce the time it takes analysts to conduct intelligence checks and risk assessments of entities. It integrates 11 different data sources, allowing analysts to search multiple databases at once, rather than having to log in to and access multiple databases separately.

2.9 To access the SVoE, analysts log in to the analyst desktop and then open the SVoE widget[4] on the desktop to access the entity search. Analysts do not need access beyond their standard log-in to use the desktop or the SVoE search functions.

2.10 Due to the limitations that the EU Agreement imposes on using EU PNR data, not all analysts have access to PNR data. Analysts who require access to PNR data must meet security clearance and training requirements before they are granted access, the process for which is explained later in this report. For this reason, Home Affairs advised that it does not plan to integrate PNR data into the SVoE at this stage.

2.11 Instead, Home Affairs is developing a separate desktop widget for PNR data within the CIE analyst desktop, with roll-out anticipated after fieldwork took place. Given that the scope of this assessment was focussed on the handling of PNR data in the CIE, the OAIC did not undertake an in-depth assessment of the other functions of the CIE, such as the SVoE.

Part 3: Findings

Our approach

3.1 This part of the report sets out the OAIC’s observations and its analysis of those observations, followed by suggestions and recommendations to address any risks identified.

3.2 The key findings of the OAIC’s assessment of Home Affairs’ handling of PNR data are set out below under the following headings:

  • APP 6 – use and disclosure of personal information
  • APP 11 – securing personal information.

3.3 In determining whether Home Affairs is handling personal information in accordance with its obligations under APPs 6 and 11, the OAIC has considered its:

  • APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act, in the privacy analysis below
  • Guide to Securing Personal Information (the Guide), which provides guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold. The Guide is not legally binding. However, the OAIC refers to the Guide when exercising its Privacy Act functions, such as undertaking a privacy assessment. As noted in the Guide, one of the reasonable steps entities may be required to take under APP 11 is compliance with relevant standards. For government agencies such as Home Affairs, this includes the Australian Government’s Information Security Manual (ISM).

3.4 The OAIC also has regard to the EU Agreement, as discussed in Part 2 of this report.

APP 6 — use and disclosure of personal information

Observations

3.5 Due to the scope of this assessment, the OAIC was primarily concerned with the use and disclosure of PNR data, including EU PNR data, within the CIE. As noted above, a separate PNR widget for the CIE intelligence desktop was scheduled for completion after the fieldwork.

3.6 Home Affairs expects analysts will use the CIE, including the SVoE and the PNR widget, to complete database searches on entities.

3.7 When an analyst accesses the intelligence desktop and performs an entity search, they can create an intelligence report or other intelligence products using a clipboard widget. Home Affairs generally uses email to distribute these reports and products internally, sometimes with dissemination limiting markers where appropriate. The reports and products can also be sent over a security-classified network for documents classified as Secret or above or distributed by hand. Some intelligence products are circulated daily to an internal distribution list.

3.8 Home Affairs advised that there are no automated disclosures of information sourced from the CIE, and that other agencies do not receive feeds of information.

3.9 A range of legislation sets out the authorised uses and disclosures of information, including personal information, by Home Affairs staff. For the purposes of Home Affairs’ use and disclosure of PNR data, including EU PNR data, this legislation includes the Customs Act and the Australian Border Force Act 2015 (Cth) (ABF Act).

3.10 In particular, Part 6 of the ABF Act contains a range of provisions that dictate how immigration and border protection (IBP) information can be disclosed and distinguishes between IBP information that is and is not also personal information.

3.11 Home Affairs has developed a range of internal documents to explain how these legislative obligations apply to staff. Some of these specifically seek to elaborate on the relationship between Privacy Act and ABF Act obligations. For example, one document titled ‘Disclosing protected information that contains personal information’ sets out requirements for staff when handling personal information as a subset of ‘protected information’, which is information obtained by IBP workers acting in that capacity. The document emphasises that IBP workers must only disclose personal information that is also protected information where that disclosure is authorised by law, such as by the ABF Act, the Migration Act 1958 (Cth) or the Australian Citizenship Act 2007 (Cth). The document highlights some key provisions of those Acts that authorise disclosure in certain circumstances.

3.12 Staff who work in the Intelligence Division must follow a policy statement document called ‘Collecting, using and disclosing information in intelligence division’, which contains a specific section on relevant APP obligations, as well as a section setting out use and disclosure limitations on PNR data, including the purpose limitations on EU PNR data from the EU Agreement.

3.13 The OAIC was also provided with training module documentation relating to disclosures under Part 6 of the ABF Act. The document includes a detailed flowchart to help staff determine where the disclosure is permitted, and what legislation applies to that disclosure. Information about authorised disclosures can also be found on several intranet pages.

Analysis

3.14 Under APP 6, an entity can only use or disclose personal information for a purpose for which it was collected, or for a secondary purpose if an exception applies. Such exceptions include where the use or disclosure is authorised by an Australian law, or where the entity reasonably believes the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by an enforcement body.

3.15 The documents provided to the OAIC set out how legislative obligations apply to the use and disclosure of information, including PNR data, by Home Affairs staff. Based on these documents, the use and disclosure of PNR data most commonly appears to be authorised by law.

APP 11 — securing personal information

Personnel security and training

Observations

3.16 All staff, including contractors, who require access to non-public departmental assets must have, at a minimum, a baseline security clearance. Depending on the role and business area needs, some staff require a higher level of clearance. IBP workers, including secondees, contractors and consultants, must also hold and maintain an employment suitability clearance.

3.17 All staff, including those who handle PNR data, must complete privacy induction training when they commence with Home Affairs. There is no program for mandatory refresher privacy training; however, additional privacy training is available where the business area or the Privacy Team identifies a need for such training to be delivered.

3.18 Staff who handle PNR data must complete a PNR eLearning training module before they are granted access to PNR data. The introduction of the PNR widget for the CIE will not change this requirement. As well as providing information about PNR data generally, the eLearning module includes information about the access, use, disclosure and retention requirements for EU PNR data, as set out in the EU Agreement. Staff with access to PNR data are encouraged (though not required) to refresh this training annually.

3.19 IT staff who access PNR data for IT support reasons also receive the PNR training, as well as standard induction training and IT training.

Analysis

3.20 Human error is regularly claimed as the cause of privacy incidents;[5] consequently, Home Affairs should assume that human error will occur and design for it in its programs and systems.[6] Research has shown that human error can be seen as a trigger rather than a cause of an incident.[7] Staff also need to be aware of the risk of malicious or criminal attacks, including phishing, social engineering and impersonation.[8]

3.21 It is therefore important that staff receive appropriate privacy and security training to ensure they understand the importance of good information handling and security practices. Whilst Home Affairs staff must complete mandatory privacy training as part of their induction process, it is important that staff are reminded of their obligations on a regular basis throughout their time at Home Affairs. Refresher training also provides an opportunity to update staff on any changes to their obligations or to the information handling and security procedures within their organisation.

3.22 Noting the scope of the assessment, and that staff accessing PNR data receive specific training before they are granted access to PNR data, the lack of privacy refresher training is a low privacy risk from a CIE perspective. However, to effectively manage privacy risks at a departmental level, the OAIC suggests that Home Affairs review its privacy training program and consider implementing a mandatory refresher training program.

Privacy impacts assessments and security risk assessments

Observations

3.23 Home Affairs’ privacy management plan (PMP) 2016-17 states that privacy impact assessments (PIAs) ‘must be conducted for projects which involve significant changes in the scope of collection, use and/or disclosure of personal information.’ Home Affairs advised that, at the time of the assessment, a PIA had not been conducted in relation to any aspect of the CIE. The OAIC was advised that Home Affairs was determining the appropriate scope of a PIA for the CIE.

3.24 Home Affairs conducted a security risk assessment (SRA) in February 2017 that considered the security risks that the implementation of the CIE would pose for the Home Affairs portfolio. At the time of the assessment, the SRA document provided to the OAIC had last been updated in March 2017. The CIE SRA notes that a separate SRA was conducted for the analyst desktop; however, the OAIC was not provided with this document.

3.25 The SRA identified 11 risks that the CIE poses for Home Affairs. The SRA states that prior to the application of any risk treatments, the overall security risk rating of the CIE was calculated to be high. The risks primarily relate to compromise or unavailability of data, and access to systems or data by unauthorised or uncleared staff, including access to PNR data. In the SRA, Home Affairs anticipates that once it applies the treatments it has identified, the residual risk rating will reduce to medium.

3.26 The SRA included an assessment of compliance against Information Security Manual (ISM) identified controls. The SRA states that the CIE is not compliant with eight mandatory ISM controls. Home Affairs noted that some of the identified non-compliant controls require a review, whilst others require remediation activities to address these areas of non-compliance.

3.27 Overall, the SRA identified 14 recommended risk treatment options. Some of these included:

  • implementing remaining encryption measures
  • undertaking specific software security risk treatments
  • developing additional network security controls
  • utilising additional access security measures
  • implementing a role-based access model so that roles, rather than individuals, are provisioned to access Teradata
  • implementing additional audit logging measures within the CIE.

3.28 Home Affairs advised at the time of the assessment that there was an interim authority to operate with the CIE while the department continued to implement the 14 risk treatment options. During fieldwork, the OAIC was provided with a document (dated 26 March 2018) outlining updates on risk treatments, which shows that some treatments are underway, others have been completed, and the remainder require no immediate action.

3.29 More detail about the SRA, including the risks and treatments, is set out in the ICT security and access security sections below.

Analysis

3.30 PIAs can assist entities to identify any personal information security risks, as well as the reasonable steps that can be taken to protect personal information. As well as being a requirement under Home Affairs’ PMP, the OAIC also recommends that entities conduct a privacy threshold assessment (PTA), and if necessary, a PIA, for any project that will involve the handling of personal information. The greater the project’s complexity and privacy scope, the more likely it is that a comprehensive PIA will be required.

3.31 PIAs should be an integral part of the project planning process and should be undertaken early enough in the development of a project that it is still possible to influence the project design. A PIA works most effectively when it evolves with, and helps to shape, the project’s development.

3.32 It is important that Home Affairs identifies privacy risks as early in the project as possible. Given the size and scope of the CIE, and the volume of personal information it contains, the OAIC considers there is a medium risk that Home Affairs has not taken reasonable steps to identify or mitigate privacy risks in the development and design of the CIE. The OAIC therefore recommends that Home Affairs utilise its PIA process to conduct a PTA, and if necessary, a PIA on the CIE as soon as possible. As with Home Affairs’ approach to the SRA process, it will be appropriate for a PIA to be iterative and reflect changes to the development of the CIE over time.

3.33 More information about conducting PTAs and PIAs can be found in the OAIC’s Guide to undertaking privacy impact assessments. From 1 July 2018, the Australian Government Agencies Privacy Code requires agencies to conduct a PIA on all high privacy risk projects or initiatives that involve new or changed ways of handling personal information.[9]

Recommendation 1

Home Affairs conduct a PTA of the CIE and, if determined necessary, a PIA, as soon as possible.

ICT security

3.34 The ISM, issued by the Australian Signals Directorate, is ‘designed to assist Australian government agencies in applying a risk-based approach to protecting their information and ICT systems.’[10] The OAIC considers that complying with relevant standards, such as the ISM, is a reasonable step for an entity to take to meet its obligations under APP 11. Where an entity decides not to adopt a widely used standard, the reasons for this decision should be clearly documented.[11]

3.35 Home Affairs provided the OAIC with a document outlining updates on the implementation of the risk treatments identified in the SRA (risk treatment document). The risk treatment document identifies a number of treatments that were underway at the time of the assessment, others that have already been completed, and others for which no immediate action will be taken.

Observations

3.36 The CIE will leverage data stored in the enterprise data warehouse (EDW), which primarily comprises data from the Teradata and Hadoop databases.[12] The EDW includes PNR data.

Software security

3.37 The CIE SRA refers to an existing patch strategy as an existing security control. The OAIC was not provided with a copy of that strategy.

3.38 The risk treatment document sets out specific software security risk treatments to be undertaken for the CIE which will be progressively implemented.

Encryption

3.39 The SRA identified specific mandatory and non-mandatory ISM controls with which the CIE is non-compliant.

3.40 The risk treatment document notes that encryption measures had been partially implemented, with plans in place to complete their implementation.

Network security

3.41 During fieldwork, Home Affairs advised that it uses firewalls to protect the EDW, has other controls in place to protect the CIE, and has not identified any issues in this area.

3.42 The risk treatment document makes a recommendation for a network security treatment specifically related to the CIE, though it is marked as not requiring immediate action.

Testing

3.43 During fieldwork, Home Affairs advised that if PNR data is to be used in testing, then a waiver is required for permission to do this. If the waiver is issued, it lasts for the duration of the project, and includes the purge of test data at the end of the project.

Backing up and system availability

3.44 As part of the CIE infrastructure, there is a backup, archive and recovery platform that supports Teradata. This is set to take regular backups every week, or nightly for some systems.

3.45 The SRA identifies that the CIE is non-compliant with ISM control 0118, which requires agencies to determine availability requirements for their systems and implement appropriate security measures to support those requirements.

Other

3.46 The SRA states that the CIE is non-compliant with ISM control 0393, which mandates that databases or their contents be associated with protective markings. The risk treatment document indicates that discussions with various vendors to help implement this treatment were underway at the time of the assessment, but further action is required.

Analysis

3.47 The OAIC considers security risk assessments, along with privacy impact assessments, to be key elements in assessing risks to the security of personal information, informing personal information security frameworks and identifying mitigation strategies.

3.48 The SRA identifies several mandatory controls in the ISM with which the CIE was non-compliant at the time of the most recent update to that document in March 2017. Non-compliance with mandatory ISM controls represents a medium privacy risk for PNR data held within the CIE. Given the volume of personal information that will be handled in the CIE, non-compliance with mandatory ISM controls indicates that Home Affairs may not be taking reasonable steps under APP 11 to protect the personal information that it holds.

3.49 While implementation of many of the recommendations in the SRA, including those relating to mandatory ISM controls, was underway at the time of the assessment, much of this remained incomplete. The OAIC recommends that Home Affairs continue planned implementation of mandatory ISM controls, for example those relating to encryption and protective markings.

3.50 For risk treatments identified in response to non-mandatory controls, the OAIC also recommends that Home Affairs continue implementing these treatments.

3.51 Where Home Affairs has chosen not to implement certain non-mandatory controls, these decisions should be documented, and should include alternative approaches to managing the risks associated with non-implementation, such as other compensatory controls in place.

3.52 For projects such as the CIE, which is a long-term project involving various stages of development and implementation, it is important for risk assessments and treatments to be iterative and reflect changes and learnings from the project as it develops. Implementation of risk treatments should be regularly monitored, and progress recorded to ensure risks are mitigated as the project develops. Home Affairs should continue to identify new risks and treatment strategies as the roll-out of the CIE continues.

Recommendation 2

Home Affairs:

  • continue to monitor and implement the risk treatments identified in the CIE SRA, including those that address mandatory ISM controls
  • document decisions not to implement mandatory ISM controls, including details of alternative approaches to managing the risks associated with non-compliance
  • identify new risks and treatment strategies as the CIE evolves.

Access security

Observations

Access to PNR data

3.53 Access to PNR data requires an additional level of access, beyond regular network access. Currently, this provisioning process is handled manually. Staff requesting access must complete the PNR eLearning module discussed above. These staff include department staff and contractors who require access for business as usual functions, IT staff and some external IBM staff who require access to facilitate back-end processes. Contractor access lasts for 12 months.

3.54 Once the training has been completed, a request for access must be sent to the PNR policy team, who check compliance with training requirements, as well as security clearance, employment suitability screening, and the need for the staff member’s access to PNR data. The staff member is manually recorded on a spreadsheet. The request is then sent to Legal to prepare a legal instrument, which must be signed by the ABF Commissioner. Once approval is granted, the request is sent to IT. The administrator then checks the spreadsheet and the legal instrument, and then provides approval for access to be granted. Home Affairs advised that there are plans to automate this process, and to create role-based access. However, at the time of the assessment, the process remained manual.

3.55 Aside from contractors, whose access expires after 12 months, automated processes are not in place for de-provisioning access when a staff member no longer requires access to PNR data. Home Affairs advised that there is a process to revoke accounts that have not been accessed for a period of 30 days or more due to inactivity, or for staff who are on long-term leave or whose employment has been terminated. While some indication was given during fieldwork that a future move to an automated, role-based provisioning system would also automate the de-provisioning process, the department currently relies on users to submit an online form to have access removed when it is no longer required.

3.56 PNR data can be accessed remotely, for example when staff work from home. As well as going through the usual provisioning process for access to PNR data, Home Affairs’ working from home policy imposes certain security requirements on working from home arrangements, including a security assessment of an employee’s residence.

Multi-factor authentication

3.57 The SRA notes that multi-factor authentication (MFA) is not used for any users within Home Affairs. The SRA identifies that Home Affairs is non-compliant with several ISM controls relating to MFA. These include control 0974, which provides that agencies should use MFA for all users, and control 1173, which states that agencies must use MFA for system and database administrators, privileged users, positions of trust, and remote access users. Control 1384 also states that agencies must ensure that all privileged actions have passed through at least one MFA process.

3.58 The SRA identified a treatment to ensure only approved administrators can gain administrative access to systems through controlled channels.

Audit logging and monitoring

3.59 Home Affairs staff advised that access to PNR data is logged, but there is no regular or proactive monitoring of those logs. A small number of people within the internal professional integrity and standards group can check logs, but this is only done on request. The SRA recommends additional treatments concerning audit logging to ensure that security incidents are properly identified and investigated.

Analysis

3.60 Home Affairs’ process for provisioning access to PNR data helps to ensure that staff undertake appropriate training to understand their obligations when handling PNR data, including EU PNR data.

3.61 While contractor access has a limited duration, the current manual process for provisioning access to PNR data does not facilitate proactive de-provisioning of access. There is a medium risk that staff, particularly those that have moved roles or left the department, continue to have access to PNR data even when they no longer require such access. The OAIC recommends that Home Affairs continue with its planned implementation of an automated provisioning system for PNR access, including a transition to role-based access, which may help to mitigate this risk.

3.62 Authentication is a key part of ensuring only authorised persons can access systems. As Home Affairs does not currently employ MFA, there is a medium risk of unauthorised access to personal information, including PNR data, in the CIE. As identified in the SRA, and in accordance with the ISM, MFA must be implemented for system and database administrators, privileged users, positions of trust, and remote access users, where these positions relate to PNR data within the CIE. The SRA, as of March 2017, stated that the department was treating the risks associated with the lack of MFA.[13] Therefore, Home Affairs should ensure that MFA is implemented in accordance with ISM control 1173. Alternatively, as noted above under ‘ICT security’, where Home Affairs has chosen not to implement certain controls (such as control 1173), these decisions should be documented and should include alternative approaches to managing the risks associated with non-implementation, such as other compensatory controls in place.

3.63 Unauthorised access to personal information can be detected by reviewing records of system activities, such as audit logs. Proactive monitoring of such logs to identify unauthorised access or disclosure is a reasonable step for Home Affairs to undertake in relation to PNR data, given the large amount of personal information available.

3.64 While Home Affairs advised it keeps audit logs, there is little indication that these are used proactively. Home Affairs should implement a program of regular proactive monitoring of access to PNR data to make sure that access is maintained in accordance with staff need-to-know requirements and internal policies for use and disclosure of PNR data. Continued implementation of additional treatments in the SRA regarding audit logging may assist with addressing this recommendation.

Recommendation 3

Home Affairs:

  • conduct regular proactive monitoring of audit logs, especially for PNR data
  • continue with implementing additional audit logging measures as identified in the SRA
  • continue with its planned automation of provisioning access to PNR data
  • implement MFA in accordance with ISM control 1173 or document a decision not to implement this control and include details of alternative approaches to managing the risks associated with non-implementation.

Third party providers

Observations

3.65 Home Affairs uses some third-party vendors in the operation of its systems, including the CIE. During fieldwork, the OAIC asked for a sample third party contract in order to gain insight into how Home Affairs oversees and manages its privacy obligations in relation to third parties.

3.66 Home Affairs engages contractors under panel arrangements and each panel arrangement has an overarching agreement which is signed at the vendor level, typically known as a Deed of Standing Offer.[14] In addition, each individual working under these arrangements is required to sign a Deed of Confidentiality.

Analysis

3.67 APP 11 imposes obligations on Home Affairs to protect personal information it holds, including where that personal information is being handled by a third party. Reasonable steps can include influencing the third party’s conduct. Section 95B of the Privacy Act also imposes obligations for agencies to ensure that a contracted service provider (as defined in s 6 of the Privacy Act) does not do an act, or engage in a practice, that would breach an APP.

3.68 Sample Deed of Confidentiality and Deed of Standing Offer documents were provided to the OAIC and both include clauses covering security and privacy. The Deed of Standing Offer also covers general security obligations (including compliance with the Australian Government’s Protective Security Policy Framework) as well as specific information, physical and personnel security requirements. However, the privacy clauses in both documents contain outdated references to repealed privacy legislation, such as the Information Privacy Principles, with the Deed of Standing Offer also referring to the National Privacy Principles.[15]

3.69 Based on the information provided, the OAIC considers that there is a medium risk that Home Affairs has not taken reasonable steps to adequately ensure the security of personal information handled by third parties involved in the CIE as the use of these contractual terms could lead to a failure to protect personal information in accordance with current legislative obligations found in the APPs. Home Affairs should review these documents to ensure they reflect the current obligations found in the Privacy Act. The OAIC therefore recommends that Home Affairs implement measures to ensure all third parties involved in the CIE, including vendors and contractors, are taking reasonable steps to protect personal information.

Recommendation 4

Home Affairs implement appropriate measures to ensure third parties involved in the CIE, and in particular those involved in handling PNR data, meet their obligations under the Privacy Act. This should include explicitly incorporating privacy and personal information handling obligations into third party contracts.

Data breaches

Observations

3.70 The OAIC viewed a number of useful documents and policies in place to support operational-level staff in responding to a suspected data breach. One of these documents is a procedural instruction for staff about responding to suspected privacy breaches created to assist Home Affairs with its obligations under the notifiable data breaches (NDB) scheme. It includes information about taking steps to contain the breach, reporting the breach to immediate line managers, completing a reporting form to be sent to the Privacy Team and awaiting further guidance from the Privacy Team. This document is also summarised in a one-page flow chart quick reference guide.

3.71 Home Affairs has also prepared a frequently asked questions document for staff about the NDB scheme, which repeats some of the information in the procedural instruction, as well as providing some additional information such as examples of remedial action. An overview of data breach and NDB scheme information is also available to staff on Home Affairs’ intranet.

3.72 Home Affairs advised that any breach response would be coordinated by the Privacy Team, who would work with the relevant business unit and identify relevant notification obligations. This process is not documented. Home Affairs advised that they do not have a dedicated data breach response team or designated response roles for relevant team members.

3.73 Home Affairs’ PMP also contains some information about management of data breaches in the department. However, once an incident is reported to the Privacy Team, the process for managing, responding to, and if necessary, reporting the data breach at an organisational level is not documented.

3.74 The OAIC was also provided with a policy on security incident responses. This includes steps for handling suspected data spills and other cyber security incidents. However, the document makes no reference to privacy or Home Affairs’ obligations under the NDB scheme.

Analysis

3.75 Home Affairs’ current data breach guidance clearly sets out information to help staff identify a data breach and how to report it. However, data breach response plans should also include a strategy for containing, assessing and managing data breaches. At the time of the assessment, Home Affairs lacked a documented process for what happens once a data breach is reported to the Privacy Team, including how it should be assessed, contained, notified and reviewed at an organisational level.

3.76 A failure to identify and document organisational-level procedures for handling a data breach represents a risk that the impact of a data breach will not be promptly contained. As a result, there is a medium risk to the security of personal information that Home Affairs holds, including in the CIE. The OAIC recommends that Home Affairs expand on its operational guidance on responding to data breaches and document its organisational data breach response plan. Developing and documenting Home Affairs’ organisational-level data breach response can assist the department to meet any relevant notification obligations, such as the requirement to notify affected individuals and the OAIC if it suffers an eligible data breach.[16] In addition, it can help ensure a coordinated response across the department, facilitate a quicker response that may help minimise the consequences of the breach, and help to preserve corporate knowledge.

3.77 As part of ensuring a coordinated departmental response to a data breach, the OAIC also recommends that Home Affairs review its documentation related to data breaches and cyber security incidents, which are maintained by the Privacy and Cyber Security Teams respectively, and consider ways in which these documents should complement each other.

3.78 Further detail about what the plan should contain, including a data breach response plan quick checklist, can be found in the OAIC’s Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).

Recommendation 5

Home Affairs:

  • expand on its operational guidance on responding to data breaches and document its organisational data breach response plan
  • consider ways it can promote better coordination between Privacy and Cyber security data breach response documentation.

Part 4: Recommendations and response

Recommendation 1 — privacy threshold assessment and privacy impact assessment

OAIC recommendation

Home Affairs conduct a privacy threshold assessment of the CIE and, if determined necessary, a privacy impact assessment, as soon as possible.

Response by Home Affairs to the recommendation

Home Affairs agrees with the intent of OAIC’s recommendation to ensure data and applications using the CIE platform are assessed for privacy impacts. However, rather than a single PIA for the CIE, Home Affairs will be taking the approach to assess privacy impacts in relation to individual data products and use cases, rather than the CIE as a whole.

This approach is designed to recognise that the CIE is a platform that stores and supports many data products for a variety of business functions and activities, and these products may access the same data within the CIE for different purposes and levels of detail. Home Affairs recognises nuance is required in managing privacy risks as products using the same data may require different controls to manage different risks that emerge from different contexts.

For this reason, Home Affairs seeks to treat risks at two stages: firstly, as a data asset while data is ‘at rest’ and simply being stored within the CIE, and secondly as an application when data is exposed by and used within a business context to make decisions.

To assist in managing Home Affairs’ obligations for privacy and data security, it has implemented a Data Security & Access Management (DSAM) function under the Chief Data Officer. DSAM’s purpose is to assess applicable legislative obligations and restrictions for data assets within the CIE, and ensure appropriate controls are in place. This includes ensuring implementation of the Department’s Privacy Policy which requires the completion of PTAs and PIAs as appropriate.

The DSAM function is currently finalising the documentation of its processes, but has already implemented mandatory privacy management steps for the ingestion, creation, or use of data products within the CIE.

As part of the established DSAM process, all CIE data product projects are required to undertake at minimum, a PTA. Where a PTA indicates the need for a PIA, this requirement is identified and established as a mandatory deliverable before the Chief Data Officer will authorise the project to proceed to the build phase, or for access to an existing data product to be granted to a new user group.

Recommendation 2 — ICT security

OAIC recommendation

Home Affairs:

  • continue to monitor and implement the risk treatments identified in the CIE SRA, including those that address mandatory ISM controls
  • document decisions not to implement mandatory ISM controls, including details of alternative approaches to managing the risks associated with non-compliance
  • identify new risks and treatment strategies as the CIE evolves.

Response by Home Affairs to the recommendation

Home Affairs employs a team in the Data Warehouse section which monitors and manages the risk treatments in order to ensure that the treatments identified are implemented or alternatively, acceptable solutions are found to the risk treatments. If there is a valid reason why a treatment cannot be implemented, the risk of not implementing the treatment needs to be signed off by the Assistant Secretary (IIBS) and the Chief Information Security Officer (CISO). Risks will not be accepted without valid reasons.

  • Continue to monitor and implement the risk treatments identified in the CIE SRA, including those that address mandatory ISM controls:
    • Of the 14 risk treatments identified in the SRA the status is as follows:
      • Solutions for 8 risk treatments are fully implemented
      • The solution for 1 risk treatment is partially implemented with the remainder of the implementation scheduled for the 4th quarter 2019
      • The solution for 1 risk treatment will be implemented in the 3rd quarter 2019
      • Solutions for 3 risk treatments are under development with no definite implementation date but they are scheduled to be implemented in the current financial year
      • The solution for 1 risk treatment is being addressed but it will be ongoing as it involves the development of processes and protocols
  • Document decisions not to implement mandatory ISM controls, including details of alternative approaches to managing the risks associated with non-compliance:
    • No decision has been made to not implement mandatory ISM controls at this point. Should this occur all reasons and applied mitigations will be noted.
    • It should be noted that the SRA / SRMP has evolved over the last 2 years since the SRA that this assessment was based on. The Statement of Applicability (which detailed the applicable ISM controls) is no longer a part of the SRMP and the assessments are managed differently now using an iterative approach to implementing the controls. Since this document was drafted there have been multiple iterations of the evolving SRA / SRMP.
  • Identify new risks and treatment strategies as the CIE evolves:
    • As the CIE evolves the Data Warehouse team updates the Solution Security Architecture (SSA) document. This document, once approved by the Architectural Working Group (AWG) and the Architectural Review Board (ARB), is submitted to the Cyber Risk Management and Engagement branch for a Security Risk Management Plan (SRMP). At this point any new risks are identified and risk treatments recommended.

Recommendation 3 — access security

OAIC recommendation

Home Affairs:

  • conduct regular proactive monitoring of audit logs, especially for PNR data
  • continue with implementing additional audit logging measures as identified in the SRA
  • continue with its planned automation of provisioning access to PNR data
  • implement MFA in accordance with ISM control 1173 or document a decision not to implement this control and include details of alternative approaches to managing the risks associated with non-implementation.

Response by Home Affairs to the recommendation

  • Conduct regular proactive monitoring of audit logs, especially for PNR data:
    • There is no proactive monitoring of PNR audit logs at this point and any monitoring is reactive. There are plans for the Integrity Intelligence Section to undertake proactive monitoring of PNR data in the future.
  • Continue with implementing additional audit logging measures as identified in the SRA:
    • Additional audit logging measures have been implemented, in compliance with the recommendations of the SRA.
  • Continue with its planned automation of provisioning access to PNR data:
    • This is under investigation for the most feasible method of achieving the desired outcome.
  • Implement MFA in accordance with ISM control 1173 or document a decision not to implement this control and include details of alternative approaches to managing the risks associated with non-implementation:
    • MFA measures have been implemented in relation to CIE platform access.

Recommendation 4 — third party providers

OAIC recommendation

Home Affairs implement appropriate measures to ensure third parties involved in the CIE, and in particular those involved in handling PNR data, meet their obligations under the Privacy Act. This should include explicitly incorporating privacy and personal information handling obligations into third party contracts.

Response by Home Affairs to the recommendation

The Department agrees with this recommendation and advises that all third-party contracts are developed in accordance with the requirements of the Commonwealth Contracting Suite, including adherence to the Commonwealth Contracting Terms and Conditions. These requirements include adequate provisions outlining obligations under the Privacy Act and the handling of protected information, including personal information.

Recommendation 5 — data breaches

OAIC recommendation

Home Affairs:

  • expand on its operational guidance on responding to data breaches and document its organisational data breach response plan
  • consider ways it can promote better coordination between Privacy and Cyber security data breach response documentation.

Response by Home Affairs to the recommendation

Home Affairs accepts this recommendation. The development of a data breach response plan is in progress. It will document roles and responsibilities, and membership of a data breach response team. Key stakeholders, such as Cyber Security, will be consulted in the development of this plan.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

5.2 The objective of this assessment was to determine whether Home Affairs handles personal information, and in particular EU PNR data, in accordance with its obligations under the Privacy Act.

5.3 In particular, the assessment focussed on the handling of PNR data within the CIE.

5.4 The scope of this assessment was limited to the consideration of Home Affairs’ handling of personal information against the requirements of APP 6 (use and disclosure of personal information) and APP 11 (security of personal information). Specifically, the assessment examined whether Home Affairs:

  • uses and discloses personal information in accordance with APP 6
  • is taking reasonable steps to protect the personal information it holds, in accordance with APP 11.

Privacy risks

5.5 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

5.6 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and opinions are only applicable to the time period during which the assessment was undertaken.

Timing, location and assessment techniques

5.7 The OAIC conducted a risk-based assessment of Home Affairs’ handling of PNR data and focussed on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

5.8 The assessment involved the following:

  • review of relevant policies and procedures provided by Home Affairs before and after assessment fieldwork
  • fieldwork, which included interviewing key members of staff and reviewing further documentation at the Home Affairs office in Canberra on 26 March 2018.

5.9 On the completion of fieldwork, the OAIC’s preliminary findings were conveyed to Home Affairs at the assessment’s closing conference. Subsequently, the OAIC received further documents. Upon receiving this additional information, the OAIC’s preliminary findings were updated and sent to Home Affairs in April 2018.

Reporting

5.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report is an abridged version.

Appendix A: Privacy risk guidance

The guidance below sets out, for each privacy risk rating, the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] Throughout this report, references to ‘PNR data’ are used when the context relates to all PNR data that Home Affairs handles, including EU PNR data. The term ‘EU PNR data’ is used where the context specifically relates to the handling of that subset of PNR data.

[2] Agreement between the European Union and Australia on the processing and transfer of passenger name record (PNR) data by air carriers to the Australian Customs and Border Protection Service, signed 29 September 2011, [2012] ATS 19 (entered into force 1 June 2012). Compliance with the EU Agreement by Home Affairs constitutes an adequate level of protection for EU PNR data for the purposes of the EU’s data protection law, allowing this data to be transferred from EU member states to Australia: Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by Air Carriers to the Australian Customs Service, [2008] OJ L 213/47.

[3] EU Agreement, Annex 1.

[4] In computing terms, a widget is a component of a graphical user interface that displays information or that responds in a specific way to a user action (see Macquarie Dictionary, 2018).

[5] In the OAIC’s Notifiable Data Breaches Scheme 12-month Insights Report 35% of data breach notifications received by the OAIC were attributed to human error.

[6] See the Own motion investigation report AICmrCN 5. This case illustrates how the failure to put in place adequate policies, procedures and systems to mitigate the risk of human error can result in a data breach. Failures at a number of levels aligned to create circumstances that enabled a breach to occur.

[7] This approach is based on the ‘Swiss cheese’ or ‘cumulative act effect’ model of accident causation which is an illustration of how organisational failures at a number of levels can combine to create a situation in which human error can trigger a data breach. This is a model used in risk analysis and risk management originally propounded by Dante Orlandella and James T. Reason in 1990.

[8] In the Notifiable Data Breaches Scheme 12-month Insights Report, 60% of eligible data breaches reported to the OAIC were the result of a malicious or criminal attack. During the same period, many cyber incidents appeared to have exploited vulnerabilities involving a human factor. Specifically, 153 breaches were attributed to phishing and spear phishing.

[9] For more information about code obligations see Australian Government Agencies Privacy Code.

[10] See Australian Government Information Security Manual – Executive Companion, 2016.

[11] See the ‘Standards’ section in the OAIC’s Guide to Securing Personal Information.

[12] Teradata and Hadoop are the two core data storage and processing platforms used by Home Affairs to deliver the CIE.

[13] Home Affairs advised the OAIC in September 2019 that MFA is now enforced for administrative access.

[14] A panel arrangement is a tool used by many Australian Government agencies for the procurement of regularly acquired goods or services. In a panel arrangement, a number of suppliers are selected, each of which is able to supply identified goods or services to an agency. To establish a panel, an agency enters into contracts or deeds of standing offer (known as panel arrangements) with each supplier on the panel, setting out the type and cost of the goods or services the supplier will provide and the manner in which the agency will obtain the goods or services from the supplier. For more information see the Department of Finance website, Panel Arrangements [accessed November 2019].

[15] The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which commenced on 12 March 2014, introduced many significant changes to the Privacy Act, including the introduction of the APPs which replaced the Information Privacy Principles and National Privacy Principles.

[16] For more information about what constitutes an ‘eligible data breach’, see the OAIC’s guidance on Identifying eligible data breaches.