Assessment of contractual provisions for services in regional processing centres — Department of Immigration and Border Protection

Date: 1 March 2018

Assessment report

Assessment undertaken: September 2016
Draft report issued: June 2017
Final report issued: March 2018

Part 1: Introduction and summary of findings

Introduction

1.1 This report sets out the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Department of Immigration and Border Protection (DIBP)[1] contracts with contracted service providers (CSPs) for services related to DIBP’s regional processing centres (RPCs). At the time of this assessment, the RPCs included facilities in Nauru and Manus Island (Papua New Guinea).

1.2 This assessment considered the following contracts:

  • the Garrison and Welfare Services contract (GWS)
  • the Regional Processing Countries Health Services contract (HS)
  • the Settlement Services contract (SS).

1.3 Services provided under the GWS and HS contracts are provided within the Nauru and Manus Island RPCs. Services provided under the SS contract are provided to individuals who have been settled outside the RPC in Nauru. While DIBP does not have direct responsibility for these individuals, DIBP continues to provide some services, such as welfare payments to these individuals.

1.4 During the course of the OAIC’s assessment, the Australian National Audit Office (ANAO) completed two audits of DIBP’s procurement and contract management in relation to garrison and welfare services in Nauru and Manus Island.[2] These audits considered whether DIBP had met the requirements of the Commonwealth Procurement Rules (CPR)[3] and the Public Governance, Performance and Accountability Act 2013 (Cth) (the PGPA Act).

1.5 The ANAO’s audits and the OAIC’s assessment considered similar aspects of DIBP’s activities, namely DIBP’s contractual management relating to RPCs. There are also similarities between the findings of the ANAO and the findings of the OAIC. However, the ANAO audits and the OAIC assessment considered DIBP’s contractual arrangements from different perspectives. Where the ANAO considered the CPR and the PGPA Act, the OAIC’s focus was on the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP). The OAIC focused on DIBP’s contract management as it related to privacy and information security, rather than procurement and contract management considerations, such as competitive tendering, value for money, and contract risk management.

Summary of findings

1.6 This assessment finds that:

  • DIBP did not appear, at the time of the assessment, to have in place adequate formal policies for engaging DIBP’s privacy staff
  • however, in practice, it appeared that privacy staff were consulted on relevant matters, albeit on an ad hoc basis
  • DIBP’s should include additional provisions relating to privacy and information security in its contracts for services in its regional processing centres
  • incident management processes under DIBP’s contracts for services in its regional processing centres should include specific categories for reporting privacy and information security complaints and breaches
  • DIBP should establish a program of audits to assure itself that its contracted service providers are meeting their obligations with regard to privacy and information security.

1.7 The recommendations, and DIBP’s responses, are set out in Part 4 of this report.

Part 2: Description of assessment

Objective and scope

2.1 The objective of this assessment was to consider whether DIBP was meeting its privacy obligations under Australian Privacy Principles (APP) 1.2 and APP 11. As the focus of the assessment is on DIBP’s contracts for services related to its RPCs, the OAIC also had regard to DIBP’s obligations under s 95B of the Privacy Act 1988 (Cth) (the Privacy Act). In particular, the OAIC considered:

  • DIBP’s privacy management and governance arrangements in relation to its contracts with CSPs
  • whether DIBP had taken reasonable steps to protect personal information handled by CSPs, including reasonable steps to ensure:
    • through their current contractual measures (including assurance processes), a CSP does not do an act, or engage in a practice, that would breach an APP if done or engaged in by DIBP
    • current contracts for its RPCs do not authorise a CSP to do or engage in such an act or practice
    • contracts contain provisions to ensure that such an act or practice is not authorised by a subcontract
    • the establishment of adequate inquiry and complaint mechanisms for individuals to raise issues or concerns to DIBP about the handling of their personal information by a CSP.

2.2 APP 1.2 requires DIBP to take reasonable steps to implement practices, procedures and systems to ensure that DIBP complies with the APPs and to enable DIBP to deal with inquiries or complaints about the APPs.

2.3 APP 11.1 requires DIBP to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure. APP 11.2 requires DIBP to take reasonable steps to destroy or de-identify personal information once the information is no longer needed, unless the information is contained in a Commonwealth record or is required to be retained under law. The APP 11 requirements apply to personal information that is held by DIBP, which includes personal information that DIBP has a right or power to deal with.[4]

2.4 Section 95B of the Privacy Act requires DIBP to take contractual measures, in any Commonwealth contract that it enters into, to ensure that a CSP does not do an act or engage in a practice that would breach an APP if done or engaged in by DIBP. DIBP must also ensure that its Commonwealth contracts do not authorise a CSP to do or engage in such an act or practice, and to ensure that such an act or practice is not authorised by a subcontract.

2.5 These requirements are related—for instance, the reasonable steps to secure personal information, as required under APP 11, may include the use of appropriate contractual measures.[5] The assessment therefore considered DIBP’s contract management and quality assurance arrangements, as they relate to privacy and information security.

Privacy risks

2.6 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

2.7 The OAIC has made four recommendations to address one high privacy risk and one medium privacy risk identified during this assessment. A recommendation is a suggested course of action or a control measure that, if put in place by DIBP, will (in the opinion of the OAIC) minimise the privacy risks identified around APPs 1.2 and 11.

Timing, location and methodology

2.8 DIBP provided key documentation to the OAIC for review in August 2016. The assessors conducted interviews with key DIBP staff at DIBP’s Canberra offices in September 2016. Additional documentation was provided by DIBP following the fieldwork, and additional interviews were conducted by teleconference in October and November 2016.

2.9 The assessment was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with the Privacy Act. Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to DIBP about how to address those risks.

2.10 Further information about privacy risk ratings is included in Appendix A. Further information about the OAIC’s risk assessment methodology is provided in chapter 7 of the OAIC’s Guide to privacy regulatory action.[6]

Reporting

2.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Part 3: Privacy analysis

DIBP’s privacy management

Observations

3.1 DIBP has a Privacy and Reviews Section within its Information Management Branch. The Privacy and Reviews Section provides privacy-related advice to business areas within DIBP, including, for example:

  • publishing guidance material on the DIBP intranet
  • assisting DIBP business areas in responding to privacy breaches
  • providing advice on privacy impact assessments carried out by DIBP business areas
  • developing privacy training material.

3.2 The Privacy and Reviews Section is also responsible for reporting on privacy to the DIBP Executive.

3.3 Business areas may seek advice from the Privacy and Reviews Section because a new policy or project is recognised as having possible privacy impacts, or on referral from DIBP’s legal branch. The assessors were advised that new DIBP policies, not in effect at the time of assessment, would advise business areas to consult with the Privacy and Reviews Section about new policies and procedures involving the handling of personal information. These policies include the Policy and Procedure Control Framework (PPCF), supplemented by Developing Documents for the Policy and Procedure Control Framework (at the time of assessment, both of these policies were awaiting approval within DIBP). The PPCF and supporting documents also advise staff to conduct a threshold assessment to determine whether a Privacy Impact Assessment (PIA) should be conducted.

3.4 DIBP also provided an extract of their Change Management Plan (at the time of assessment, under review within DIBP). However, the assessors were unable to identify any specific privacy requirements in the extract.

3.5 Under the arrangements in effect at the time of this assessment, the Privacy and Review Section’s involvement in RPC contracts appeared to be on a largely informal basis. For example, the assessors were advised that a privacy breach in an RPC would generally be brought to the attention of the Privacy and Reviews Section, and that the Privacy and Reviews Section would likely be involved in committees around the development of future contracts. The assessors understand that, as a matter of practice, the Privacy and Reviews Section is likely to be consulted about and advised of relevant matters, including contract development and privacy issues in RPCs. However, this practice appeared to be due to staff competency rather than a formal requirement.

3.6 The assessors were also advised that the contract provisions relating to privacy and the requirements of s 95B were based on template provisions prepared by DIBP’s legal branch. Contracts for RPC services would be developed in consultation with reference groups and steering committees to discuss issues (which could include privacy issues) that had arisen in previous contracts. Staff within DIBP’s Services Procurement Taskforce advised the assessors that the Privacy and Reviews Section would likely be contacted through the legal branch when new contracts were being developed, although the assessors were not referred to any documented requirement to do so.

3.7 DIBP has developed a Privacy Management Plan (PMP), but the PMP had not received final approval within DIBP at the time of the assessment fieldwork. The version viewed by the OAIC assessors addressed matters such as:

  • privacy roles and responsibilities
  • privacy impact assessments
  • reviews of privacy policies and procedures.

3.8 The assessors also viewed DIBP’s policy document, Privacy breach reporting: template and instructions on how to report a privacy breach. This document sets out key elements to be addressed in a privacy breach report, such as the type of incident, the type of personal information involved, and the action taken in response. Another document, How to respond to a privacy breach, provides steps that DIBP staff should take in response to a breach, including containing the breach, evaluating the risks associated with the breach, notification and taking steps to prevent future breaches.

Issues

3.9 The ‘reasonable steps’ required under APP 1.2 include the appointment of key roles and responsibilities for privacy management.[7] The assigned roles and responsibilities should include (but are not necessarily limited to) a staff member with overall accountability for privacy and staff responsible for handling internal and external privacy enquiries, complaints, and access and correction requests.

3.10 DIBP has, through the Privacy and Reviews Section, established key privacy management roles. However, the assessors found that, in the absence of a specific or targeted requirement to consult with the Privacy and Reviews Section on relevant matters, privacy management generally relied on informal practices. While staff interviewed by the assessors noted that privacy matters would be referred to the Privacy and Reviews Section, this appeared to be on an ad hoc basis. Additionally, referrals to the Privacy and Reviews Section were often indirect, through DIBP’s legal branch.

3.11 This suggests that DIBP may not have established adequate privacy management arrangements, and so may not have in place the reasonable steps required by APP 1.2. In the absence of a formal requirement to consult the Privacy and Reviews Section, there is a medium risk that the Section will not be consulted on relevant matters. The assessors note that the PPCF and supporting documentation advise—but do not require—consulting the Privacy and Reviews Section; DIBP should ensure that consultation with the Privacy and Reviews Section is a requirement during the development of any new policy, procedure or contract that is likely to involve the handling of personal information.

3.12 DIBP should also ensure that the Privacy and Reviews Section is advised of and consulted on privacy issues arising in RPCs, including suspected or actual privacy or information security breaches, and privacy complaints.

3.13 The OAIC’s recommendations reflect the assessors’ observations at the time of the assessment fieldwork. However, the OAIC notes that progressive changes within DIBP since that time, including the introduction of the PMP, may adequately address some aspects of these recommendations.

Recommendation 1

DIBP should ensure that its internal policies and procedures require that the Privacy and Reviews Section be:

  • consulted during the development of new contracts for services relating to RPCs
  • advised of suspected or actual privacy or information security breaches and privacy complaints relating to RPCs when these breaches or complaints are reported to it by CSPs.

Contractual terms

Observations

3.14 The OAIC was provided with extracts of the GWS, HS and SS contracts. Within these contracts, the assessors sought to identify provisions binding CSPs in accordance with s 95B, including:

  • provisions requiring a CSP not to do an act or engage in a practice that would breach the APPs if done or engaged in by DIBP
  • any provisions authorising a CSP to do or engage in such an act or practice
  • provisions ensuring that subcontracts do not authorise such an act or practice.

3.15 The OAIC also sought to identify, within these contracts, provisions around the secure handling of personal information by CSPs, including any:

  • general provisions requiring CSPs to handle personal information securely, in addition to any general provisions requiring CSPs not to do an act or engage in a practice that would breach the APPs if done or engaged in by DIBP
  • particular provisions specifying security standards or controls that CSPs should meet or use
  • particular provisions specifying how and when CSPs should destroy or de-identify personal information
  • specific provisions around security at completion or termination of the contract (including survival of security obligations and procedures for securely transferring personal information to DIBP or another party after the contract ends).

3.16 Several codes of conduct, guidelines and other agreements supplement the contracts. The assessors viewed several codes of conduct, developed by CSPs in consultation with DIBP, which included privacy requirements. For example, the Regional Processing Centre Guidelines: Service Provider—Code of Conduct—Employees require CSP employees to ‘respect privacy and confidentiality’ in their dealings with transferees, and the Regional Processing Centre Guidelines: Transferee Records Guidelines require CSPs to ensure that transferee records are ‘maintained and managed in accordance with … the Privacy Act’, and ‘safeguarded from unauthorised access or use’. The assessors also viewed several deeds, including deeds of confidentiality and deeds of non-disclosure, which CSP personnel and subcontractors may be required to sign.

3.17 DIBP advised the assessors that ‘transition plans’ would be developed at the end of each contract, specifying the arrangements to be put in place where services were to be provided by a new CSP. These transition plans would include controls to protect privacy and information security during transitions.

Issues

3.18 The ‘reasonable steps’ required to secure personal information under APP 11 include, in the case of agencies, the use of contractual measures as required by s 95B.

3.19 The assessors identified general provisions in each of the contract extracts requiring CSPs not to do an act or engage in a practice that would breach the APPs if done or engaged in by DIBP. For example, cl 17.4.4(a) of the GWS contract requires the CSP to

comply with the Australian Privacy Principles set out in the Privacy Act with respect to any act done or practice undertaken by the Service Provider for the purposes of this Contract, in the same way and to the same extent as if it were the Department[.]

3.20 Furthermore, the assessors did not identify any provisions (within the extracts provided by DIBP) that would authorise such an act or practice. However, it should be noted that the assessors did not view the entirety of the contracts.

3.21 The OAIC generally expects that, in meeting its obligations under APP 11 and s 95B, an agency will go beyond a simple contractual provision requiring the contractor not to do an act or engage in a practice that would breach the APPs if done or engaged in by the agency. Specific provisions may be required, for example, requiring the CSP to take particular steps to protect privacy after the conclusion or termination of the contract.[8]

3.22 Having regard to s 95B and the OAIC’s Guide to securing personal information, the assessors consider that these ‘reasonable steps’ required under APP 11 would include (but would not be limited to) contractual measures dealing with the following issues:

  • compliance with relevant standards
  • depending on the circumstances, specific security controls to address any particular risks
  • managing subcontracts
  • security at completion or termination of contracts
  • destruction and de-identification of personal information.

3.23 The assessors were not able to locate provisions dealing with these issues in the contract extracts provided by DIBP. In the assessors’ view, this represents a risk that DIBP may not be meeting its obligations under APP 11. (Note that there is an associated risk under APP 1.2, i.e. that DIBP does not have in place reasonable practices, procedures and systems to ensure its compliance with APP 11.)

3.24 The privacy-related provisions in the codes of conduct viewed by the assessors were general in nature. For example, a requirement that CSPs, their personnel and subcontractors ‘respect privacy and confidentiality’ (as in the Regional Processing Centre Guidelines: Service Provider—Code of Conduct—Employees) does not establish specific obligations, nor does it establish requirements around privacy governance, reporting, or access and correction rights, as the APPs do. In contrast, a code of conduct providing more specific obligations may be considered part of the reasonable steps that must be taken under APP 11.particularly if suitable monitoring and enforcement arrangements were in place. The assessors also note the incident reporting frameworks in place between DIBP and its CSPs may be a useful basis for monitoring and enforcing such codes. DIBP’s monitoring and enforcement arrangements are considered below.

3.25 The assessors acknowledge that the deeds of confidentiality and non-disclosure may provide some privacy and security protections—for example, the deed of non-disclosure viewed by the assessors would bind the signatory to a number of obligations reflecting individual APPs. As such, they may contribute to reasonable steps under APP 11. However, as the deeds bind individual CSP personnel and subcontractors, rather than the CSP organisations, the deeds do not in themselves, work towards the organisation-wide privacy and security measures required by APPs 1.2 and 11.

3.26 Key issues arising from the assessors’ review of DIBP’s contractual provisions are discussed below.

Standards and security controls

3.27 The assessors found that the contractual requirements for CSPs to secure personal information did not include sufficient detail about the security standard that CSPs are required to meet. The extracts of the GWS contract viewed by the assessors included no security requirements beyond a general requirement for the CSP to comply with the APPs and OAIC guidelines. The extracts of the HS contract went further only by requiring the CSP to ‘take all reasonable steps’ to secure personal information and by requiring other parties to sign a deed of non-disclosure before accessing confidential information. The SS contract did not appear to include any security controls, beyond the broad requirement that the CSP comply with the APPs.

3.28 DIBP has not met the requirement under APP 11 to take ‘reasonable steps’ to secure personal information by merely requiring a CSP to comply with the APPs in the contract or requiring a CSP to take its own ‘reasonable steps’ to secure personal information in a deed.

3.29 In some circumstances, it may be unnecessary for a contract to set out specific technical controls, especially if DIBP has policies and procedures in place that would ensure the application of specific controls. However, in other circumstances, it may be appropriate to include contractual provisions requiring specific security controls, for example in order to address known privacy and information security risks that have been uncovered by any internal and external reviews, audits or risk assessments.

3.30 The OAIC found no evidence that DIBP had considered the steps that it expected CSPs to take to secure personal information, and the contract extracts viewed by the assessors provided no guidance to CSPs about the standard of protection that DIBP expected. DIBP could refer CSPs to the OAIC’s guidance on APP 11 and security or to particular security standards that CSPs must meet, such as the Australian Government Protective Security Policy Framework[9] and the Information Security Manual.[10]

3.31 Although specifying a required security standard that CSPs may be a reasonable step for the purposes of APP 11, it should be noted that it is not the only step and may, by itself, be insufficient to satisfy the requirements of APP 11.

Subcontracts

3.32 The assessors identified provisions in the HS contract to ensure that CSPs did not authorise subcontractors to do or engage in an act or practice that would breach the APPs. However, the assessors were not able to identify such provisions in the GWS or SS contracts, suggesting that DIBP may not be meeting its obligations under s 95B(3) in respect of these two contracts.

3.33 Noting that DIBP is required, under s 95B, to ensure that its Commonwealth contracts contain provisions to ensure that subcontracts do not authorise acts or practices that would breach the APPs if done or engaged in by DIBP, the assessors consider that the inclusion of such provisions is also a reasonable step required under APP 11. Consequently, the lack of such provisions in the GWS and SS contracts represents a risk that DIBP is not taking reasonable steps under APP 11, in that there is a risk of a subcontractor failing, or not being required, to secure personal information.

Privacy and information security at completion and termination of contract

3.34 Obligations on CSPs to protect any personal information collected or held under the contract continue after the completion or termination of the contract.[11]This means a CSP is required to handle personal information collected or held under the contract consistently with the contract, even after the contract ends. DIBP’s contracts should therefore include measures to ensure that personal information held by CSPs is handled appropriately at the completion or termination of contracts.

3.35 The assessors identified clauses in the HS and SS contracts (but were unable to identify a similar provision in the GWS contract) noting that privacy and security obligations survived the completion or termination of the contracts. However, the assessors could not identify specific provisions setting out how CSPs should handle personal information at the end of contracts.

3.36 These provisions should include adequate direction around the steps that CSPs must take to ensure that the requirements of APP 11.2 are met. APP 11.2 requires an entity that holds personal information to take reasonable steps to destroy or de-identify that personal information once it is no longer needed for a purpose permitted under the APPs. Accordingly, DIBP should take reasonable steps (including appropriate contractual measures) to ensure that personal information it holds (which may include personal information held by its CSPs) is destroyed or de-identified once it is no longer required for a permitted purpose. Any such requirements should be consistent with DIBP’s and the CSPs’ obligations under the Archives Act 1983 (Cth).

3.37 Although DIBP staff stated that ‘transition plans’ would be developed as contracts neared completion, the OAIC considers that contractual provisions should be included to ensure that privacy and security expectations are made clear from the beginning of the contractual relationship and are also considered in these transition plans. The assessors were unable to identify any provisions in the extracts provided that would ensure personal information was handled in accordance with the APPs when being transferred from one CSP to another, or from a CSP back to DIBP.

Recommendation 2

DIBP should ensure that future contracts:

  • provide guidance to CSPs as to the reasonable steps that CSPs should take to secure personal information. This could include (but should not be limited to) any security standards that CSPs should meet.
  • include provisions ensuring that subcontractors handle personal information in a manner consistent with DIBP’s privacy and information security obligations.
  • include provisions setting out CSPs’ obligations concerning privacy and information security at the completion or termination of the contract. This should include, as appropriate, destruction and de-identification of personal information, in accordance with APP 11.2 and the Archives Act 1983 (Cth).

Incident reporting

Observations

3.38 For the purposes of this assessment, the OAIC considered contract governance arrangements for the GWS, HS and SS contracts, with a particular emphasis on the reporting of privacy and information security incidents to DIBP by CSPs.

3.39 The contract governance arrangements for these contracts include an incident reporting framework, under which CSPs are required to report certain types of incidents within the RPCs to the relevant contract management team within DIBP. The Regional Processing Incident Reporting Protocol sets out the information that should be included in an incident report, the timeframes for reporting different categories of incidents, and procedures for updating or closing incident reports. This protocol is supported by an Incident Reporting Categories document setting out various types of incidents and the category they fall under (minor, major or critical).

3.40 The assessors were advised that the incidents reported under this framework could include, but are not limited to, actual or suspected privacy or information security breaches. However, the incident reporting framework did not include a category for privacy and information security incidents. DIBP staff advised the assessors that a privacy or information security incident would most likely fall into a more general category (such as a breach of a code of conduct).

3.41 Each of the three contracts reviewed by the OAIC assessors includes a provision requiring the CSP to notify DIBP if the CSP becomes aware of an actual or possible breach of its privacy and security obligations. For example, under cl 17.4.2 of the SS contract, the CSP ‘agrees to notify [DIBP] immediately if it becomes aware of a breach or possible breach’ of its privacy obligations. Clause 48.6 of the HS contract includes a similar obligation, for the CSP to notify DIBP immediately if it becomes aware of ‘any actual, suspected, likely or threatened theft, loss, damage or unauthorised access, modification, use or disclosure’ of personal information.

3.42 Incidents within the RPCs are reported by CSPs to a contract management team within DIBP’s Services Management Branch. The assessors were advised by contract management staff that the contract management team would advise the Privacy and Reviews Section of the incident (possibly indirectly, by advising DIBP’s legal branch who would in turn advise the Privacy and Reviews Section). However, as noted earlier in this report, this appeared to be a matter of practice rather than a formal requirement set out in a written policy or procedure.

Issues

3.43 Having regard to the OAIC’s Privacy Management Framework, the reasonable steps required under APP 1.2 include processes to evaluate the effectiveness of privacy programs. The OAIC’s Guide to Securing Personal Information also states that the reasonable steps required under APP 11 include steps to monitor the effectiveness of security controls.

3.44 The OAIC considers that DIBP should have in place robust practices, procedures and systems to ensure that CSPs report actual or suspected privacy or information security breaches. Such reporting would allow DIBP to evaluate the effectiveness of the privacy and information security controls it has in place for RPCs, including, in particular, the effectiveness of the relevant contractual provisions.

3.45 DIBP staff advised the assessors that CSPs would generally report privacy and information security incidents to DIBP. However, in order to meet the requirements of APPs 1.2 and 11, we recommend that DIBP ensure that incident reporting frameworks treat privacy and information security incidents as a separate category of incident, rather than relying on more general categories (such as breaches of codes of conduct). Noting that the codes of conduct viewed by the assessors contained only broad privacy requirements, the implementation of specific reporting for privacy and information security incidents may allow for more detailed evaluation of DIBP’s and CSPs’ practices, procedures and systems against the requirements of the APPs.

3.46 The OAIC also notes that a privacy or security breach may occur without a CSP breaching its obligations—for example, where a breach occurs despite a CSP taking reasonable steps to secure personal information it holds. The OAIC considers that requiring a CSP to report actual or suspect privacy or information security breaches may be more effective than requiring a CSP to self-report breaches of their obligations, particularly when determining whether a breach of the obligations has occurred may require an assessment of whether the CSP had in place ‘reasonable steps’. The assessors therefore recommend that contracts should require CSPs to notify DIBP of an actual or possible breach of privacy or security (as in the HS contract), in addition to an actual or possible breach of CSPs’ obligations.

Recommendation 3

DIBP’s incident management arrangements under contracts for services relating to regional processing centres should include an incident category for privacy, including privacy complaints and actual or suspect privacy or information security breaches.

Monitoring and reviewing

Observations

3.47 As a ‘reasonable step’ under both APP 1.2 and APP 11, the OAIC would expect that assurance mechanisms (such as regular audits of CSPs’ information handling practices) be put in place to ensure that privacy and information security obligations are being met.

3.48 DIBP and its CSPs meet at regular intervals to discuss the operation of the contracts, including the effectiveness of contract governance arrangements, risks and emerging issues. While the meetings provide one avenue for DIBP to consider the effectiveness of its contractual arrangements in relation to privacy, DIBP did not refer the assessors to any instances of privacy matters being discussed at these meetings.

3.49 A Detention Assurance Team (DAT) within DIBP conducts reviews following incidents in RPCs. These reviews may be referred or self-selected by DAT. DAT staff noted that DAT was, at the time of this assessment, conducting a review relating to privacy and information security following breaches reported to the OAIC (as the review was in progress at the time of the assessment, the OAIC assessors did not view any outcomes of the review.) Reports and recommendations from a DAT review are provided to the relevant DIBP business area, and a follow-up review may be conducted, subject to availability of resources.

3.50 DIBP had also engaged a consulting firm to assist with DIBP’s internal audits as well as reviews initiated from time to time by DIBP management. This firm’s activities within DIBP include the development of an annual Strategic Internal Audit Plan (SIAP). The OAIC assessors were informed that DIBP and the consulting firm anticipate carrying out one privacy-related review each year. The assessors were provided with a draft of the DIBP Strategic Assurance Programme, including the SIAP, however the SIAP had not been finalised at the time of the assessment.

3.51 There appeared to be some uncertainty as to whether or not the Privacy and Reviews Section would be involved in, or advised of the outcome of, privacy audits. Staff from the Privacy and Reviews Section noted that they might not be consulted on the outcomes of an audit that was driven by the DIBP Executive.

Issues

3.52 Entities should regularly monitor and review their privacy and information security practices, procedures, systems and controls. The ‘reasonable steps’ required by APP 1.2 include regularly and systematically evaluate the effectiveness and appropriateness of an entity’s privacy protections (see the OAIC’s Privacy management framework[12]), and the ‘reasonable steps’ required by APP 11 include regular reviews of an entity’s security controls (see the OAIC’s Guide to securing personal information[13]).

3.53 The assessors found that DIBP’s assurance activities with regard to privacy and information security in RPCs were limited and were generally reactive (i.e. in response to a breach or an incident) rather than proactive and carried out on a regular basis. In the view of the assessors, there is a risk that this reactive approach to assurance fails to satisfy the requirements of APPs 1 and 11. Under these APPs, the reasonable steps that DIBP must take to secure personal information in RPCs should include regular, proactive assurance activities.

3.54 The OAIC recommends that DIBP establish a program of proactive privacy and information security assurance activities of CSP’s arrangements relating to privacy and information security in RPCs. These activities could include, for example, regular audits or inspections of CSPs’ procedures and systems in its RPCs to assure DIBP that privacy and security requirements are being met. DIBP should also ensure that the Privacy and Reviews Section is involved in planning these activities, and advised of their findings.

Recommendation 4

DIBP should:

  • establish a program of proactive privacy and information security assurance activities of CSP’s arrangements relating to privacy and information security in RPCs. These activities could include, for example, regular audits or inspections of CSPs’ procedures and systems in its RPCs to assure DIBP that privacy and security requirements are being met
  • ensure that the Privacy and Reviews Section is involved in planning these activities, and advised of their findings.

Part 4: Summary of recommendations

Recommendation 1

DIBP should ensure that its internal policies and procedures require that the Privacy and Reviews Section be:

  • consulted during the development of new contracts for services relating to regional processing centres
  • advised of suspected or actual privacy or information security breaches and privacy complaints in its RPCs when these breaches or complaints are reported to it by CSPs.

DIBP response.

  • Agree. The Department agrees that consultation with the Privacy Section (formerly Privacy and Reviews Section) should be improved in the development of new contracts. There are currently a number of contracts being negotiated and the Privacy Section is actively being consulted as part of the process.
  • Agree. Under the Garrison and Welfare Contract, the CSP must report when suspected Code of Conduct breaches occur at the time of the event, and report monthly on actual breaches. In addition, any suspected privacy or information security breaches are reported through situation reports and investigated by the contract management team.
  • Additionally, during end of contract transition, the Department engages ICT resources to ensure that all systems and data is protected and sanitised. All hard copy records are similarly managed. Any suspected privacy breaches are reported immediately to privacy, IT security and records management teams.

Recommendation 2

DIBP should ensure that future contracts:

  • provide guidance to CSPs as to the reasonable steps that CSPs should take to secure personal information. This could include (but should not be limited to) a security standard that CSPs should meet.
  • include provisions ensuring that subcontractors handle personal information in a manner consistent with DIBP’s privacy and information security obligations.
  • include provisions setting out CSPs’ obligations concerning privacy and information security at the completion or termination of the contract. This should include, as appropriate, destruction and de-identification of personal information, in accordance with APP 11.2 and the Archives Act 1983 (Cth).

DIBP response.

  • Agree. The Department agrees to consider the scope of guidance and requirements in future contracts with CSPs in relation to securing personal information.
  • Agree. Irrespective of the issues that OAIC has noted in the documentation provided to the OAIC for the assessment, the Department confirms that future contracts require subcontractors to handle personal information in a manner consistent with the Department’s privacy and information security obligations.
  • Agree. The Department agrees to consider the obligations and requirements for each CSP in relation to information security at the completion or termination of the respective contracts. Privacy and Records Management Sections have been involved in the current transition/end of contract processes. In addition, oversight by the National Archives of Australia to ensure that all Commonwealth material and privacy considerations are managed. The Department has in place processes to manage the electronic and paper records/data as part of transition including destruction on authority of the National Records Manager.

Recommendation 3

DIBP’s incident management arrangements under contracts for services relating to regional processing centres should include an incident category for privacy, including privacy complaints and actual or suspect privacy or information security breaches.

DIBP response.

  • Agree. For future contracts established by the Department for services that relate to regional processing operations, the Department agrees to include in the incident management arrangements, protocols or procedures for privacy concerns, including privacy complaints and actual or suspected privacy or information security breaches.
  • In addition, and of particular relevance to existing contracts, the Department considers that together, it and CSPs are able to effectively and expediently address privacy and information security risks (as identified in audits or previous incidents) by amendments to operational material and relate to the respective contracts—including standard operating procedures, transition plans, etc.

Recommendation 4

DIBP should:

  • establish a program of proactive privacy and information security assurance activities of CSP’s arrangements relating to privacy and information security in RPCs. These activities could include, for example, regular audits or inspections of CSPs’ procedures and systems in its RPCs to assure DIBP that privacy and security requirements are being met
  • ensure that the Privacy and Reviews Section is involved in planning these activities, and advised of their findings.

DIBP response.

  • Agree. The Department agrees to establish a program of proactive privacy and information security assurance activities of CSPs’ arrangements in RPCs. Compliance audits will be undertaken to ensure that CSPs’ procedures and systems align with privacy and security approaches. During the transition of contracts, data and information activities are planned with the Privacy and the Records Management Sections in collaboration with IT security to ensure that data and records are protected.
  • Agree. The Department agrees that the Privacy Section should be involved from the outset in planning assurance activities.

Appendix A—Privacy risk guidance

Privacy risk rating

Entity action required

Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation or other relevant legislation

Immediate management attention is required

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media.
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation or other relevant legislation

Timely management attention is expected

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation or other relevant legislation

Management attention is suggested

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] Subsequent to this assessment being conducted, the Department of Home Affairs was established and carries out the functions of the former Department of Immigration and Border Protection.

[2] Australian National Audit Office, Offshore Processing Centres in Nauru and Papua New Guinea: Procurement of Garrison Support and Welfare Services, 13 September 2016, <https://www.anao.gov.au/work/performance-audit/offshore-processing-centres-nauru-and-papua-new-guinea-procurement> (viewed 24 February 2017); Australian National Audit Office, Offshore Processing Centres in Nauru and Papua New Guinea: Contract Management of Garrison Support and Welfare Services, 17 January 2017, <https://www.anao.gov.au/work/performance-audit/offshore-processing-centres-nauru-and-papua-new-guinea-contract-management> (viewed 24 February 2017).

[3] <https://www.finance.gov.au/procurement/procurement-policy-and-guidance/commonwealth-procurement-rules/march/>

[4] Privacy Act 1988 (Cth) s 6(1). See also Chapter B of the OAIC’s APP Guidelines, <https://oaic.gov.au/agencies-and-organisations/app-guidelines/>.

[5] <https://oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information>

[6] <https://oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action/>

[7] <https://oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework>

[8] The assessors note that in some cases specific provisions were made under the contracts relating to some of the APPs. For example, the GWS contract included a provisions specifically dealing with consent and notification of collection.

[9] <www.protectivesecurity.gov.au/Pages/default.aspx>

[10] <www.asd.gov.au/infosec/ism/>

[11] The definition of CSP set out in s 6(1) of the Privacy Act is expressed to include ’an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to the agency under the government contract’ (emphasis added). The use of the past tense in the definition of CSP ensures that obligations on CSPs to protect any personal information acquired under the contract continue even after the completion or termination of the contract.

[12] <https://oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework>

[13] <https://oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information>

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au