Publication date: 9 May 2018

Assessment undertaken: 1 July 2017

Part 1: Executive summary

1.1 In July 2017, the Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of the Department of Immigration and Border Protection (DIBP).[1]

1.2 This report outlines the findings of the OAIC’s privacy assessment of DIBP’s handling of personal information. DIBP collects this personal information using powers conferred on it under Schedule 5 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act).

1.3 This assessment focuses on the arrangements that DIBP has put in place to respond to an individual’s request for access to personal information that DIBP holds about them.

1.4 Specifically, the purpose of this assessment was to establish whether DIBP could, on request, give an individual access to personal information collected by a SmartGate (SmartGate data) that relates to that individual, in accordance with Australian Privacy Principle (APP) 12.

1.5 This assessment finds that:

  • no individual has yet submitted an APP 12 request to DIBP for access to SmartGate data relating to them
  • DIBP would most likely be able to provide the individual with access to SmartGate data relating to them, upon receiving this request
  • the process of receiving and facilitating this request would involve communication between the team that receives the request, the team that is able to retrieve the SmartGate data, and the team that would provide the SmartGate data to the individual
  • this process has room for improvement
  • the overall process of receiving and completing (or refusing) a request is not documented.

1.6 The OAIC has made one recommendation in this assessment to address a medium level privacy risk. The recommendation relates to the creation and implementation of a documented process for facilitating requests for access to SmartGate data under APP 12.

Part 2: Findings

Access to personal information

Background

2.1 Under the Foreign Fighters Act, automated border processing control systems such as SmartGates are authorised to collect personal information from individuals. SmartGate data includes an image of an individual’s face and shoulders, as well as identifying data scanned from their passport chip, and a biometric template that is generated from their passport photograph.

2.2 In its ‘Assessment of Schedule 5 of the Foreign Fighters Act — Department of Immigration and Border Protection’ report, the OAIC assessed DIBP’s handling of personal information throughout the arrivals and departures border clearance processes, including through the use of SmartGates.[2] The OAIC also previously assessed the security arrangements that are in place to protect personal information collected by SmartGates in its ‘Assessment of departures SmartGates systems — Department of Immigration and Border Protection’ report (SmartGates Report). In that assessment, the OAIC learned about DIBP’s systems that process and store SmartGate data, including scanned passport images and biometric templates.

2.3 Under APP 12, if an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information. As DIBP holds SmartGate data in its databases, it is required to give an individual access to the SmartGate data that relates to them.

2.4 APP 12 also sets out minimum access requirements, including the time period for responding to a request for access, how access is to be given and when it can be refused. For example, DIBP would have to respond to a request for access within 30 calendar days, commencing on the day after it receives the request.

Observations

How an individual would request access to SmartGate data

2.5 Individuals can request access to personal information that DIBP holds about them by submitting a Form 424A (‘Request for access to documents or information’). Form 424A is available online and DIBP’s Privacy Policy also points individuals to the form.

2.6 SmartGate data is one of the kinds of personal information that individuals can request access to using Form 424A. Individuals can also use Form 424A to submit a request for access to personal information held about them under the Freedom of Information Act 1982 (FOI Act). DIBP directs individuals to send their completed Form 424A to its Freedom of Information (FOI) Section.

2.7 Form 424A requires individuals to include certified copies of photographic identification so DIBP can verify their identity before processing an APP 12 request for access to that individual’s personal information.

2.8 Individuals can also request access to SmartGate data directly via email or letter. The OAIC understands that these emails or letters could be sent to a number of sections within DIBP, such as the FOI Section, the Global Feedback Unit, or the Privacy Section.

2.9 The section that receives the APP 12 request would then forward it to the section that can perform the next stage of the process, which is the Traveller, Cargo and Trade (TCT) Delivery Management Section. The OAIC observed that the FOI Section had documentation, including the FOI Departmental Contacts organisation chart, which generally guides them in directing FOI requests to the relevant sections.

2.10 The TCT Delivery Management Section would receive the APP 12 request in their central mailbox. This section would then forward the request to the section that is ultimately responsible for locating and extracting the SmartGate data. The OAIC understands that there is no documentation that outlines this process.

How DIBP locates and extracts SmartGate data

2.11 While no individual has yet submitted an APP 12 request to DIBP for access to SmartGate data relating to them, the OAIC understands that SmartGate data has been located and extracted for other purposes, such as technical troubleshooting, internal investigations or audits.

2.12 SmartGate data stored in DIBP’s databases is managed by the Enterprise Data Warehouse (EDW) Section. As such, the EDW Section is the section that has the requisite knowledge and authorisation to locate and extract it.

2.13 The OAIC understands that locating and extracting SmartGate data must be done manually. Once the EDW Section receives an access request, one of the team members would commence this process. The OAIC understands that 10 people within this section have the access required to complete the process, though only three have received the necessary training.

2.14 The EDW Section commences the process of locating and extracting SmartGate data by running a query against a database, using personal information, such as a passport number or name, which relates to the individual. This query generates a system command that, when completed, retrieves passport information collected in text format. The query also retrieves information which, when entered into another database, is used to locate the corresponding image captured by the SmartGate. The EDW Section then extracts the located images. Images are generally stored in JPEG format.

2.15 The OAIC has viewed written instructions which outline this manual process of locating and extracting SmartGate data.

2.16 The OAIC understands that DIBP is developing a system that would enable SmartGate data to be located and extracted automatically. This system will enable all DIBP staff with the requisite authorisation to retrieve SmartGate data through their own desktop computers, on a self-serve basis. In this way, the staff member that receives the request could locate, retrieve, and provide the SmartGate data to the individual. However, this process is in its initial stages and the OAIC has not viewed any documentation relating to it.

How DIBP would provide an individual with SmartGate data

2.17 Once the EDW Section has located the SmartGate data, they extract it from the database in its original JPEG format.

2.18 Depending on the nature of the APP 12 request, the EDW Section would provide the text information and/or the images back to the TCT Delivery Management Section via email. The TCT Delivery Management Section would then pass the information on to whichever section initially received the APP 12 request, which would provide it to the individual who initiated the request. The OAIC understands that there is no specific documentation to support this aspect of the process.

2.19 However, the OAIC has viewed documentation which outlines when DIBP staff should give access to personal information under APP 12, and how it should give that access. The documentation refers to the FOI Act, which provides grounds on which an access request can be declined. It also includes template letters for DIBP to respond to an access request under APP 12, provide either full or partial release of the personal information, or refuse the release of the personal information.

Analysis

2.20 In its Privacy Policy, DIBP explains how an individual can access and seek to correct their personal information. For example, there are multiple ways through which individuals can submit a request for access to personal information that relates to them, such as through Form 424A or by corresponding directly with certain sections of DIBP. It is good privacy practice that DIBP does not require an individual to follow one particular procedure. In addition, DIBP’s APP 12 access procedures are integrated with, or linked to, its FOI procedures. These are all good steps towards ensuring that SmartGate data would be provided to an individual on request, in accordance with APP 12.

2.21 An APP entity must be satisfied that a request for an individual’s personal information under APP 12 is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, as a legal guardian or authorised agent. DIBP takes reasonable steps to verify the identities of individuals who request access to their personal information by requiring individuals to submit certified copies of their photographic identification. This is good privacy practice.

2.22 There are a number of sections within DIBP that could receive an APP 12 request for access to SmartGate data. These sections could refuse the request, or forward it to the section that would locate and extract the data. Under APP 12, DIBP can refuse access to personal information based on certain grounds in legislation, such as the FOI Act. DIBP’s documentation refers to this refusal of access. As noted at 2.11, as no individual has submitted an APP 12 request to DIBP for access to SmartGate data relating to them, DIBP has not yet refused access.

2.23 The sections that would usually receive and process the request are the regional teams in Melbourne or Parramatta. The FOI Section’s documentation (referred to at 2.9) outlines this process and where to direct the request. However, the OAIC observed that, when asked hypothetically, an FOI staff member was uncertain about which section the access request should be directed to.

2.24 The OAIC was informed that the other sections would likely be aware of, or be able to easily discover, which section is responsible for the SmartGate data. However, it is unclear how each of these sections would be aware of where to direct the request, whether they have received any training on the process of facilitating a request for access to SmartGate data, or whether they have any documented processes on which to rely.

2.25 The EDW Section would be responsible for searching databases for the requested SmartGate data. Once this data is located, the EDW Section would extract the data, and send it to the DIBP staff member who asked them to search for it. While this process has not yet been completed in the context of an APP 12 request, there are technical means to facilitate this type of request in accordance with APP 12.

2.26 The OAIC notes that only a small portion of the EDW Section possesses the requisite training, authorisation, and access to be able to locate, extract, and forward the SmartGate data.

2.27 Under APP 12, DIBP must respond to a request for access to SmartGate data within 30 days and in the manner requested by the individual. It is likely that an individual making this type of request would request a copy of the image of them captured by the SmartGate. As DIBP stores SmartGate images in JPEG format, DIBP would be able to easily provide access to the image to the individual, in accordance with APP 12.

2.28 There are ways for an individual to request access to SmartGate data that DIBP holds about them, and there are ways for the section that initially receives that request to direct it to the EDW Section. From that point, there are ways for the EDW Section to locate and extract the requested SmartGate data. However, the process of receiving and facilitating an APP 12 request for access to SmartGate data involves a number of sections within DIBP, and is not documented. The OAIC has not observed documentation relating to any training provided on these processes.

2.29 Should DIBP receive an APP 12 request for access to SmartGate data, the OAIC considers that it would be possible for DIBP to respond to the request. However, an APP entity should endeavour to provide access in a manner that is as prompt and uncomplicated as possible. In the absence of any written policies or processes that are specifically tailored to guiding the various sections of DIBP through the process of providing access to SmartGate data, the OAIC considers that there is a medium risk of breaching APP 12. Specifically, the OAIC considers that there is a medium risk that DIBP would not be able to allocate the request to the correct section, locate and extract the SmartGate data, and provide the data to the individual within 30 days.

2.30 The OAIC understands that, at the time of writing this report, DIBP was drafting documentation which will outline the end-to-end process of receiving, facilitating, and responding to an APP 12 request for access to SmartGate data.

2.31 The OAIC recommends that DIBP continues to create documentation that outlines the end-to-end process of responding to an APP 12 request, and that DIBP provides a copy of this documentation to the OAIC. This documentation should outline:

  • where the APP 12 request is to be directed once received by any section of DIBP
  • which section is responsible for locating and extracting the SmartGate data
  • how access is to be given under APP 12
  • the timeframe for responding to a request for access under APP 12.

2.32 The OAIC also recommends that DIBP disseminate this documentation to the sections most likely to receive or facilitate a request for access to SmartGate data under APP 12, such as the FOI section, Global Feedback Unit, the Privacy Section, the TCT Delivery Management Section and the EDW Section.

2.33 DIBP’s creation and dissemination of this documentation within a reasonable timeframe will (in the opinion of the OAIC) help to mitigate privacy risks around how DIBP would handle SmartGate data under an APP 12 access request.

2.34 The OAIC suggests that DIBP tests this process to ensure that it can facilitate a request for access to SmartGate data within 30 days, in accordance with APP 12. At the time of writing this report, DIBP was not able to advise an expected timeframe for the completion and dissemination of this documentation. The OAIC will follow up on DIBP’s implementation of this recommendation in the 2018/19 financial year.[3]

Recommendation 1

DIBP:

  • creates documentation that outlines the end-to-end process for responding to an individual request for access to SmartGate data under APP 12
  • disseminates this documentation to the relevant sections within DIBP
  • provides the OAIC with a copy of this documentation.

Part 3: Recommendations and responses

Recommendation 1 – documented processes on SmartGate data access requests under APP 12

3.1 DIBP:

  • creates documentation that outlines the end-to-end process for responding to an individual request for access to SmartGate data under APP 12
  • disseminates this documentation to the relevant sections within DIBP
  • provides the OAIC with a copy of this documentation.

3.2 DIBP accepts this recommendation.

Follow up

3.3 DIBP provided a copy of an appropriate process document to the OAIC in December 2019. DIBP also provided evidence that the document had been circulated amongst staff.

3.4 The OAIC considers that DIBP has addressed Recommendation 1.

Part 4: Description of assessment

Background

4.1 The Foreign Fighters Act amended the Migration Act 1958 (Cth) and other legislation to introduce a range of measures designed to strengthen and improve Australia’s counter-terrorism legislative framework. The amendments commenced on 4 November 2014.

4.2 In its advisory report of October 2014, the Parliamentary Joint Committee on Intelligence and Security recommended that the Privacy Commissioner undertake a privacy assessment of the data collected and stored by DIBP whilst exercising powers under the Foreign Fighters Act. It particularly asked the Privacy Commissioner to consider the collection, storage, sharing and use of that data.

4.3 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs.

Objective and scope

4.4 The objective of this assessment was to establish whether DIBP can, on request, give an individual access to SmartGate data relating to them, in accordance with APP 12.

4.5 No requests for access to SmartGate data under APP 12 had been made by any individual at the time the OAIC conducted its fieldwork. As a result, the assessment considered how DIBP would respond to any future APP 12 requests for access to SmartGate data. This involved discussions about DIBP’s current processes and procedures for facilitating similar kinds of requests for access to different kinds of personal information, such as those made under the FOI Act.

Privacy risks

4.6 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

4.7 The OAIC has made one recommendation to address a medium privacy risk identified during this assessment. A recommendation is a suggested course of action or a control measure that, if put in place by DIBP, will (in the opinion of the OAIC) minimise the privacy risks identified around how it handles personal information.

Timing, location and assessment techniques

4.8 DIBP provided the OAIC with copies of relevant policy and procedure documents in response to the OAIC’s information request. The OAIC then conducted the fieldwork component of the assessment at DIBP’s office in Belconnen on 7 July 2017. The fieldwork involved interviewing key members of DIBP staff, and reviewing further documentation.

4.9 The OAIC requested further information via email on 10 July 2017, and received a response on 2 August 2017. The OAIC again requested further information via email on 9 August 2017, and received a response on 5 September 2017.

4.10 The OAIC held a teleconference with additional key members of DIBP staff on 12 September 2017. During that teleconference, the OAIC requested further written information, which was provided on 18 September 2017.

Reporting

4.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] Subsequent to this assessment being conducted, the Department of Home Affairs was established and carries out the functions of the former Department of Immigration and Border Protection. References in this report to ‘DIBP’ are inclusive of DIBP and Home Affairs, whichever is applicable at the relevant time.

[2] Available at Assessment of Schedule 5 of the Foreign Fighters Act — Department of Immigration and Border Protection.

[3] Refer to Part 3.