-
On this page
Part 1: Executive Summary
1.1. This report presents the findings of the Office of the Australian Information Commissioner’s (OAIC) June 2025 privacy assessment of the Department of Home Affairs’ (Home Affairs). We conducted this assessment under s 33C(1)(a) of the Privacy Act 1988 (Cth) (Privacy Act).
Why we did this assessment
1.2. Access to European Union (EU) Passenger Name Record data (PNR) by Home Affairs informs Australia's intelligence-led, risk-based approach to border protection. It enables Home Affairs to identify possible persons of interest in relation to terrorism and serious transnational crimes.
1.3. An agreement between Australia and the EU[1] permits Home Affairs to collect PNR data from the EU: passenger booking information from airline reservation systems located in the EU for flights travelling to, from, or through Australia.
1.4. The agreement sets out data protection rules Home Affairs must follow when handling EU PNR data. Under the Agreement, the OAIC oversees Home Affairs’ compliance with data protection rules, and this oversight includes regular formal audits.
What we concluded
1.5. Home Affairs has established measures in place to ensure that staff access to EU PNR data complies with the assessed Australian Privacy Principles (APPs) and the EU Agreement.
1.6. However, we found some areas that Home Affairs could improve in relation to monitoring access to EU PNR data and providing better guidance to staff on PNR related practices. We identified one high-level privacy risk, 3 medium-level privacy risks, and made recommendations to Home Affairs to address these.
Objective and Scope
1.7. Our objective was to identify any privacy risks relevant to Home Affairs’ access to EU PNR data and the subsequent monitoring of access requirements.
1.8. We assessed Home Affairs’ policies, procedures and systems relating to access to and monitoring of EU PNR data. We considered whether Home Affairs was taking reasonable steps to ensure only staff with a legitimate operational reason have access to EU PNR data.
Key findings and risks
1.9. We found that generally Home Affairs had appropriate processes to grant and monitor access to EU PNR data. Specifically, we found that Home Affairs had taken reasonable steps to ensure that access to PNR data was limited to staff who had completed the mandatory PNR training, had a robust business case for ongoing access and was authorised by the Commissioner to access the data. We also found access levels were limited based on role requirements.
1.10. However, we identified one high privacy risk and 3 medium privacy risks.
- Quarterly behavioural internal audits had not been completed since 2022. These audits aim to confirm that staff use and disclose PNR data in a manner consistent with both their business case and EU PNR usage limitations. The pause in conducting these audits greatly limits the opportunity for Home Affairs to identify EU PNR misuse and was a high privacy risk .
- The PNR Policy Statement, a foundational document that staff rely on for PNR guidance, contained outdated information about responsibilities to grant PNR data access, and which teams were authorised to access PNR data. This was a medium privacy risk as staff could rely on this incorrect information.
- Staff were provided minimal detail regarding operational processes for removing access to PNR data and other PNR information. This increased the likelihood that staff who no longer required PNR data access could fail to take necessary steps to remove PNR access and was a medium privacy risk .
- Home Affairs conducted quarterly reviews to assess PNR access but did not follow a documented process, and did not record the reviews. This was a medium privacy risk as it increased the risk that reviews cannot be completed should key staff become unavailable. It also increased the risk of confusion as to whether a review had been conducted, when no action was required following a review.
Recommendations
1.11. To address these risks, and to improve its EU PNR data staff access processes and overall oversight arrangements, we recommended that Home Affairs:
- reinstate the quarterly behavioural audits focused on identifying misuse of PNR data
- review and update its PNR Policy Statement to reflect current team operations for PNR data, in particular which team grants access to PNR data and which teams can access the data
- document the processes around removal of access to PNR data
- document process to support its quarterly access checks to confirm all users continue to meet access requirements (and record when those reviews occur).
Part 2: Introduction
2.1. ‘PNR data’ describes certain passenger information that international passenger airlines must provide to Home Affairs for flights that travel to, from or through Australia. ‘EU PNR data’ describes PNR data that is processed in the EU or sourced from airline reservation systems located in the EU.
2.2. The transfer of EU PNR data is governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service[2] (ACBPS) (the EU Agreement).
2.3. The EU Agreement authorises Home Affairs to collect EU PNR data, strictly for the purpose of preventing, detecting, investigating, and prosecuting terrorism and serious transnational crimes (such as drug trafficking and people smuggling).
2.4. EU PNR data contains personal information. It includes:
- passenger name and contact information
- booking details including payment/billing information
- travel status and itinerary
- frequent flyer and benefit information.
The EU Agreement
2.5. The EU Agreement is necessary to overcome the conflict between the Customs Act 1901 and European Union data protection laws. The Customs Act 1901 requires airlines to provide Australia with PNR data for all passengers before their arrival. However, EU data protection laws prevent the transfer of personal information from the EU to other countries without a formal agreement that adequately protects that personal information. The EU Agreement reconciles these requirements.
2.6. Australia and the EU entered into the EU Agreement in 2011. The EU Agreement sets the standards for allowing the transfer of EU PNR data from EU member states to Australia. It requires Home Affairs to establish and maintain an adequate level of protection for EU PNR data.
2.7. Chapter 2, Article 7 of the EU Agreement states:
PNR data shall be subject to the provisions of the Australian Privacy Act 1988 (Cth) (Privacy Act) which governs the collection, use, storage and disclosure, security and access and alteration of personal information held by most Australian Government departments and agencies.
Oversight of Home Affairs’ handling of PNR data
2.8. Article 10 of the EU Agreement states that Home Affairs’ compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner and that Home Affairs must have arrangements in place under the Privacy Act for the Australian Information Commissioner to undertake regular formal audits of all aspects of Australian Customs and Border Protection Service's EU-sourced PNR data use, handling and access policies and procedures.
2.9. PNR data is also subject to International Civil Aviation Organisation (ICAO) external compliance reviews.[3] These compliance checks generally inspect the teams’ governance processes and procedures, and their handling of PNR data relating to its use, disclosure, retention and destruction. Additionally, the EU may undertake external compliance activities on EU PNR data.
Part 3: Summary of findings
3.1. The objective of this assessment was to identify any privacy risks relevant to Home Affairs’ handling of EU PNR data and its privacy obligations. Specifically, we considered whether Home Affairs was taking reasonable steps to ensure only staff with a legitimate operational reason have access to EU PNR data.
3.2. We did this by assessing how Home Affairs:
- authorises staff to access EU PNR data[4] and limits access based on operational need and position requirements, and
- takes steps to protect EU PNR data through monitoring access.
3.3. We examined whether Home Affairs was performing these functions in accordance with APP 6 (use and disclosure of personal information – particularly the use of information), APP 11 (security of personal information) and was authorising access in line the manner set out in the EU Agreement.
Authorisation for staff access to PNR data
3.4. Home Affairs staff performing a range of functions may require access to PNR data. Such employees can include department staff and contractors who require access for routine functions, IT staff and also SES staff who require access as part of their management role.
3.5. The EU Agreement states that Access to the PNR system shall be limited to a restricted number of officials within the Australian Customs and Border Protection Service who are specifically authorised by the Chief Executive Officer of the Australian Customs and Border Protection Service to process PNR data for the purpose of this Agreement.
The authorisation process
3.6. Staff must complete 3 steps to be granted IT access to PNR data. First, the individual must demonstrate a clear ongoing business need to directly access PNR data. Second, they must complete a mandatory online PNR data training course. Third, in compliance with the EU Agreement, the Comptroller-General of Customs (the Commissioner of the Australia Border Force)must authorise staff to access EU PNR data, which is recorded on a legal authorisation instrument. The second and third steps may occur in either order, however no one is granted IT system access to PNR data until all 3 steps are complete.
3.7. To satisfy the first step and demonstrate a clear ongoing need to access PNR data, a business case must be submitted either for an entire team or an individual staff member. A business case must demonstrate how the nature of the team’s or individual’s work requires direct ongoing access to PNR data.
3.8. A business case must also confirm that staff will access and use PNR data as per the EU PNR requirements. Business case applications are reviewed by the PNR Policy team before being submitted for formal approval to the Assistant Secretary, Intelligence Governance and Engagement Branch.
3.9. Teams and staff without a business case for direct ongoing access can formally request that the Border Intelligence Watch Office (BIWO) team conduct PNR searches on their behalf. These requests must include a basis for the disclosure request and are vetted, recorded, and maintained by the BIWO team, consistent with external law enforcement disclosure requests.
3.10. The second step is to complete mandatory PNR training. Once staff complete their training, they send an access request to the PNR policy team. This team verifies their training compliance and business case approval. While PNR training was not a focus of this assessment, Home Affairs advised that PNR training is completed online and must be undertaken annually. The online training system creates an auditable record of completion.
3.11. The third step is for approval by the Comptroller-General of Customs. The legal team prepares a legal authorisation instrument, which is signed by the Comptroller-General of Customs (the Commissioner of the Australia Border Force).
3.12. Once a staff member has established a business case, completed mandatory PNR training and has been authorised to access PNR data by the Comptroller-General of Customs, only then they can request system access to EU PNR data via an internal online form. The PNR Policy team ultimately grants access to PNR data, they demonstrated to us that they confirm that each requestor completed all required steps before they grant access.
3.13. The current authorisation instrument identifies 6 teams whose members must have direct access to PNR data.[5] Home Affairs advised that some members of these teams (such as administration staff and some managers) do not require access for their roles. These staff do not complete the mandatory PNR training and are not granted access to PNR data.
3.14. We found that the authorisation process served to actively consider and restrict the number of Home Affairs staff with EU PNR access, and the process was consistent with the requirements of the EU Agreement.[6]
Documentation of authorisation processes
3.15. Home Affairs indicated that its PNR Policy Statement was the only document that outlined to staff its PNR access and operational processes and requirements, including its authorisation processes and procedures. The document indicated its most recent update was 22 September 2021. We observed the policy was outdated in several ways, such as superseded names of work areas, incorrect frequency of OAIC assessments referencing obsolete internal documents.
3.16. We found the outdated team information in the PNR Policy Statement (section 4 accountabilities and responsibilities) creates a lack of clarity around role responsibilities including identifying the director responsible for administering application access to PNR data. There is also lack of consistency between the team names listed in schedule 2 of the authorisation instrument and those listed as being authorised to access PNR data in the PNR Policy Statement. This could potentially cause confusion over which teams have an accepted business case in place as part of the requirements for PNR data access. We considered this to be a medium privacy risk .
Recommendation 1: Review and update the PNR Policy Statement to reflect authorisation processes
The PNR Policy Statement should be updated to reflect current team names and accountabilities/responsibilities following the Home Affairs restructure, particularly in relation to which team is responsible for granting access to PNR data, and which teams are authorised to access PNR data. Generally, the PNR Policy Statement should be reviewed annually (or sooner in the event of a major event, such as a PNR-related data breach or a corporate restructure).
3.17. Additionally, and outside of the scope for this assessment, the outdated PNR policy contained incorrect information and did not provide access to necessary reference documents. This increases the risk that they could mishandle or misuse EU PNR data.
Protecting PNR data by recording and monitoring access
3.18. Staff must log in to the Home Affairs system using multi-factor authentication, together with complex passwords and unique user identifications. PNR data requires an additional level of access beyond regular Home Affairs network access. Staff who access PNR data must additionally log in to these systems with a unique user identification and password.
3.19. The PNR data system creates a record of all access to PNR data, including user details, location, search requests, as well as every key stroke entered into the system. A record is created that identifies the work area of the individual users when they were granted PNR access. Staff who handle PNR data are also subject to internal and external compliance reviews for usage and access.
3.20. Home Affairs staff who intentionally breach PNR data security could face sanctions. A breach of EU PNR data usage could be deemed a code of conduct breach with sanctions including termination of employment, reduction in classification, a fine or a reprimand. The misuse or wrongful disclosure of PNR data may also constitute a breach of the Privacy Act and/or the Australian Border Force Act 2015 (Cth) (ABF Act). The ABF Act contains secrecy and disclosure provisions that make punishable by up to 2 years' imprisonment when an entrusted person records or discloses protected information.[7]
Monitoring who accesses PNR data
3.21. At the time of the assessment, the Australian Border Force (ABF) had commissioned a compliance assurance check on data privacy to assess compliance with PNR data requirements and to identify additional mitigation processes. External consultants are undertaking this assurance check.
3.22. Home Affairs stated it undertook a quarterly PNR access review to ensure that only staff permitted access to PNR data were able to access the data. Home Affairs described the review as a manual process that cross-referenced individual staff position numbers and other system access identifications, combined with corporate knowledge of various team and cross team communication. These reviews were key to identifying staff that may have needed to have their PNR access revoked due to, for example, internal transfer or cessation of employment.
3.23. While we understood these reviews to be relatively comprehensive, we found that there was no documented process on how to conduct them. Additionally, review outcomes were not always logged or recorded. We were able to infer that Home Affairs conducted reviews periodically by the removal of staff access to PNR data and removal from the authorisation instrument on certain dates. (There may have been more reviews than we identified, but we were not able to identify them as they did not result in an action.)
3.24. We considered the absence of a documented review process, including the failure to record review outcomes, to be a medium risk. These issues created a risk that the reviews could not be replicated if key staff members left Home Affairs. It also lacked transparency as to whether reviews had occurred when no action was required following a review.
Recommendation 2: Document quarterly PNR access reviews
Home Affairs should document the process to guide staff in conducting its quarterly PNR Policy team’s reviews. This will ensure further reviews can be conducted should key staff members become unavailable. The process should also include a requirement to ensure that each review is recorded, even if a review otherwise required no action.
Monitoring for misuse of PNR data
3.25. The Policy Statement states that the Intelligence Partnerships and Governance Section conducts quarterly internal audits. Home Affairs described these as behavioural audits focussed on verifying whether staff use or disclose PNR data in a manner consistent with both the business case and EU PNR limitations on usage. The audits may also serve a secondary purpose in deterring the misuse of PNR data as staff may be less likely to misuse PNR data if they are aware they could be audited.
3.26. Home Affairs advised that behavioural audits have not been conducted since 2022 due to limited staff availability.
3.27. We consider the pause in conducting these audits to be high risk as they play an important role in proactively identifying and potentially deterring the misuse of EU PNR data. We acknowledge that Home Affairs indicated their intention to hire staff to resume the audits, but this was not in effect during our assessment.
Recommendation 3: Resume internal behavioural audits
Home Affairs must reestablish the quarterly internal audits program to identify potential misuse of PNR data.
3.28. Staff within the Integrity and Professional Standards Branch (IPSB) can independently check PNR access logs to confirm staff are accessing PNR data appropriately. This is generally completed on a reactive basis following a complaint or during an investigation.
3.29. The IPSB is notified if other internal compliance reviews identify any potential misuse of PNR data that would constitute a code of conduct or legislative breach. The Policy Statement requires all staff to report any suspected misuse of PNR data.
Removing system access
3.30. When staff no longer require access to PNR data, PNR users are required to complete an online form to request their access is revoked. There are no automated processes in place for deactivating access when staff no longer require access to PNR data. The online form to revoke access is generally completed by the staff member, however it can also be completed by their supervisor or the PNR Policy Team.
3.31. Staff granted PNR access for their role within a specific team who then transfer within Home Affairs could potentially retain PNR access even if it is no longer required for their new role. Where staff cease working for Home Affairs, the off-boarding process removes their credentials to access the Home Affairs system, which includes PNR data access.
3.32. The PNR Policy Statement provided minimal detail regarding operational processes for revoking access to PNR data and other PNR information. There were also no internal guides that staff could reference around what to do to ensure their PNR data access was revoked when they no longer needed it.
3.33. As the PNR Policy Statement is a foundational document used by staff across multiple teams, and no other supplementary documentation exists to guide staff on the process, we considered this a medium risk .
3.34. This omission increased the likelihood that staff who no longer required access to PNR data (due to internal transfer or to departure from Home Affairs) could fail to complete the required form to revoke their PNR data access. We note that Home Affairs had already commenced developing draft PNR standard operational procedures and procedural instructions prior to this assessment.
Recommendation 4: Document PNR access revocation process
Home Affairs should document the processes for revoking access to PNR data. This could involve creating operational PNR documents (e.g. PNR standard operating procedures and PNR procedural instructions) or including this information in the existing PNR Policy Statement.
Suggestion 1: Lock accounts
Home Affairs could initiate a process to lock PNR access due to inactivity when they are not accessed for a set period (e.g. 90 days). This suspension of access could potentially identify staff who no longer require access, are on long term leave, or whose employment has ceased.
Part 4: Recommendations and responses
Risk/Reference | Finding | Home Affairs’ response |
|---|---|---|
Medium Risk APP 11.1take reasonable steps to protect the information from misuse, interference and loss (internal practices, procedures and systems). EU Agreement Article 9(b) Access to the PNR system. | Recommendation: Review and update the PNR Policy Statement to reflect authorisation processes The PNR Policy Statement should be updated to reflect current team names and accountabilities/responsibilities following the Home Affairs restructure, particularly in relation to which team is responsible for granting access to PNR data, and which teams are authorised to access PNR data. Generally, the PNR Policy Statement should be reviewed annually (or sooner in the event of a major event, such as a PNR-related data breach or a corporate restructure). Timeframe: Timely management attention is expected (within 3 months) | The Department agrees with this recommendation. The PNR Policy Statement is currently being reviewed and will be finalised by 19 December 2025. |
Medium Risk APP 11.1 take reasonable steps to protect the information from misuse, interference and loss (governance). EU Agreement Article 9(d) PNR data audits | Recommendation: Document quarterly PNR access reviews Home Affairs should document the process to guide staff in conducting its quarterly PNR Policy team’s reviews. This will ensure further reviews can be conducted should key staff members become unavailable. The process should also include a requirement to ensure that each review is recorded, even if a review otherwise required no action. Timeframe: Timely management attention is expected (within 3 months) | The Department agrees with this recommendation. The PNR Policy Statement will include the requirements for reviewing user access to PNR data. The process will be documented in a Standard Operating Procedure (SOP) to be implemented by 1 December 2025. |
High Risk APP 11.1 take reasonable steps to protect the information from misuse, interference and loss (governance). EU Agreement Article 9(d) PNR data audits. | Recommendation: Resume internal behavioural audits Home Affairs must reestablish the quarterly internal audits program to identify potential misuse of PNR data. Timeframe: Immediate management attention is required (within 1 month) | The Department agrees with this recommendation. The process for conducting internal behaviour audits is being reviewed and the audits will re-commence in October 2025. |
Medium Risk APP 11.1take reasonable steps to protect the information from misuse, interference and loss (internal practices, procedures and systems). EU Agreement Article 9 (b) Access to the PNR system. | Recommendation: Document PNR access revocation process Home Affairs should document the processes for revoking access to PNR data. This could involve creating operational PNR documents (e.g. PNR standard operating procedures and PNR procedural instructions) or including this information in the existing PNR Policy Statement. Timeframe: Timely management attention is expected (within 3 months) | The Department agrees with this recommendation. The PNR Policy Statement will include the requirements for revoking access to PNR data. The process will be documented in a Standard Operating Procedure (SOP) to be implemented by 1 December 2025. |
Low Risk APP 11.1 take reasonable steps to protect the information from misuse, interference and loss (access security). EU Agreement Article 9 (b) Access to the PNR system | Suggestion: Lock accounts Home Affairs could initiate a process to lock PNR access due to inactivity when they are not accessed for a set period (e.g. 90 days). This suspension of access could potentially identify staff who no longer require access, are on long term leave, or whose employment has ceased. Timeframe: Management attention is suggested | The Department agrees with this suggestion, however notes that there are likely some technical limitations to implementing an optimal solution. The Department will explore the potential for automating the locking of accounts due to inactivity and absent a technical solution will consider a manual process. The Department will consider options by 30 October 2025, with a view to implementing from 1 December 2025. |
Part 5: About the assessment
Conduct of the assessment
5.1. This assessment was conducted under s 33C(1)(a) of the Privacy Act and in accordance with a Letter of Exchange between Home Affairs and the OAIC. The Letter of Exchange reflects oversight and accountability arrangements contained in the EU Agreement.
Objective, scope and methodology
5.2. The objective of this assessment was to identify any privacy risks relevant to Home Affairs’ access to EU PNR data and the subsequent monitoring of access requirements.
5.3. The assessment scope was the acts and practices of Home Affairs in handling and managing staff access to EU PNR data. As part of this we considered the authorisation process set out in the EU Agreement.
5.4. This risk-based assessment involved:
- a document review of Home Affairs’ policies and procedures relevant to its compliance with the APPs and its handling of EU PNR data
- virtual interviews with Home Affairs staff responsible for privacy and/or handling PNR data.
5.5. We conducted fieldwork for this assessment on the 16 and 17 June 2025. This involved interviews with Home Affairs staff responsible for authorising, limiting access and monitoring access to PNR data.
5.6. Where necessary, the OAIC also requested additional information or clarification following the fieldwork.
Privacy risks
5.7. Where we identify privacy risks and consider those risks to be high or medium according to OAIC guidance (see Appendix A), we make recommendations about how to address those risks. Where we identify privacy risks and consider those risks low risks (see Appendix A), we make suggestions to suggestions about how to address those risks. The OAIC identified 1 high risk, 3 medium risks and 1 low risks (4 recommendations and 1 suggestions). These are set out in Table 1 of this report.
5.8. The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.
5.9. For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach. Appendix A explains the OAIC’s risk ratings.
Part 6: Appendices
Appendix A – Privacy risk guidance
Privacy risk rating | Entity action required | Likely outcome if risk is not addressed |
|---|---|---|
High risk Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation | Immediate management attention is required This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects |
|
Medium risk Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation | Timely management attention is expected This is an internal control or risk management issue that may lead to the following effects |
|
Low risk Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation | Management attention is suggested This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed |
|
[1] Agreement between the European Union and Australia on the processing and transfer of passenger name record (PNR) data by air carriers to the Australian Customs and Border Protection Service, signed 29 September 2011
[2] The functions of ACBPS are now delivered by the Department of Home Affairs and Australian Border Force.
[3] ICAO conducted a 2025 compliance check under the following legislation: s 64AF of the Customs Act 1901, Schedule 1 of the Privacy Act 1988 and the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers.
[4] EU Agreement, Article 9, Para 1(b) requires the agency head to authorise staff access to EU PNR data.
[5] Section 64AF (5) Customs Act 1901 requires an authorised officer to only access PNR data for the purposes of performing his or her functions.
[6] EU Agreement, Article 9, Para 1(b)
[7] Australian Border Force ACT 2015 Section 42
