Part 1: Executive summary
1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy performance assessment of the Department of Immigration and Border Protection’s (DIBP) handling of personal information under Schedule 6 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act). Schedule 6 of the Foreign Fighters Act expanded the Advance Passenger Processing arrangement to departing air and maritime travellers (also known as ‘outward AdPP’).
1.2 The purpose of this assessment was to consider whether DIBP is handling personal information collected through the AdPP arrangement (AdPP data) for individuals departing Australia, mandated by Schedule 6 of the Foreign Fighters Act, in accordance with the Australian Privacy Principles (APPs), and where appropriate, make recommendations to assist DIBP to do so.
1.3 OAIC assessors examined DIBP’s relevant internal policies and procedures and conducted interviews with staff to determine the impact of the new power to collect and use personal information through the outward AdPP arrangement.
1.4 The fieldwork component of this assessment was conducted at Sydney Airport and DIBP’s offices in Canberra. The assessors inspected or made enquiries about the operations of key areas involved in the outward AdPP arrangement, including conducting interviews with Virgin Australia check-in staff at Sydney Airport and DIBP’s technical, operational and policy staff in Canberra. The assessors also conducted a teleconference with the third party provider of the AdPP system, SITA. However, this assessment did not include a detailed inspection of SITA’s facilities or ICT security.
1.5 The OAIC identified four medium privacy risks with DIBP’s personal information handling practices relating to Schedule 6 of the Foreign Fighters Act and has made four recommendations to address these risks.
1.6 The first recommendation (see 7.25) relates to the security arrangements in place to protect AdPP data when DIBP discloses that data to airlines in the form of missing AdPP reports and infringement notices. While a number of safeguards are taken to secure AdPP data when it is collected using the AdPP system, these reports and notices do not receive the same level of protection, thereby raising a medium risk of breaching APP 11.
1.7 The other three recommendations address practices that also raise a medium risk of breaching APP 11, and relate to:
- delays in responding to security recommendations for SITA, made by DIBP’s security adviser (see 7.37)
- the absence of a documented data breach response plan for DIBP (see 7.65)
- a lack of documented policies on the destruction or de-identification of information collected through the outward AdPP arrangement (see 7.76).
Part 2: Description of assessment
2.1 Section 245L of the Migration Act places an obligation on airlines to report on all passengers and crew travelling into Australia from January 2003 via an approved reporting system — the AdPP system. This reporting obligation requires airlines to provide passenger data, including a traveller’s name, nationality and passport number, through the AdPP system.
2.2 The Foreign Fighters Act amended the Migration Act 1958 (Migration Act) and other legislation to introduce a range of measures designed to strengthen and improve Australia’s counter-terrorism legislative framework. The amendments commenced on 4 November 2014.
2.3 Schedule 6 of the Foreign Fighters Act amended provisions in the Migration Act and Customs Act 1901 to extend the AdPP arrangement to passengers and crew departing Australia. Specifically, Schedule 6 outlines the obligations of airlines to report AdPP data, the deadlines for such reporting to occur, the circumstances in which a fall-back system may be used, and offences for failure to comply with the reporting obligations.
2.4 The Secretary of DIBP may prescribe the reporting systems and fall-back systems to be used under AdPP. Currently, the approved reporting system is operated by a third party provider, SITA.
2.5 DIBP commenced mandatory AdPP reporting for airline departures on 4 November 2015. Mandatory AdPP reporting for maritime departures is scheduled to be developed and implemented in 2017.
2.6 In its advisory report of October 2014, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended that the Privacy Commissioner undertake a privacy assessment of the data collected and stored by DIBP whilst exercising powers under the Foreign Fighters Act. It particularly asked the Privacy Commissioner to consider the collection, storage, sharing and use of that data.
2.7 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) (the Privacy Act), which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs.
Objective and scope
2.8 The objective of this assessment was to establish whether DIBP is handling personal information throughout the outward AdPP arrangement in accordance with the APPs while exercising its new powers under Schedule 6 of the Foreign Fighters Act.
2.9 This assessment considered the handling of personal information in accordance with selected APPs. These APPs were APP 3 (collection of personal information), APP 5 (notification of the collection of personal information), APP 6 (use or disclosure of personal information) and APP 11 (security of personal information).
2.10 The assessors focused on the powers introduced by Schedule 6 of the Foreign Fighters Act in this assessment. The decision to focus on the new powers was driven by issues raised in the PJCIS report on the Foreign Fighters Bill, including the quantity of personal information that was proposed to be collected and handled by DIBP. This decision also enabled the OAIC to gain an understanding of the new processes for outward AdPP, and any privacy risks that may arise from those processes, as DIBP collects and handles AdPP data from airlines, through the AdPP system operated by SITA and into their existing databases.
2.11 In the course of understanding the new processes for outward AdPP, the assessors note that DIBP’s collection of AdPP data is supported by the airlines, who collect the AdPP data from their customers and staff, and transmit this data into the AdPP system. Further, the AdPP system is provided and operated by a third party provider, SITA. While this assessment focussed on DIBP’s responsibilities in relation to the powers introduced by Schedule 6, the OAIC may conduct assessments of airlines and SITA in the future.
2.12 As such, this report makes comment on the supporting processes and infrastructure provided by the airlines and SITA in relation to how DIBP manages its relationship and responsibilities with these parties, and to provide context on the AdPP arrangement. The identification of privacy risks within this report is therefore framed from the perspective of DIBP as the assessment target.
2.13 A detailed examination of SITA’s data centre which houses the AdPP data was outside the scope of this assessment. This may form the basis of a secondary assessment in the 2016-17 financial year.
2.14 Additionally, the scope of this assessment did not include:
- the handling of personal information through the AdPP arrangement for individuals arriving in Australia
- the use of outward AdPP data after it enters DIBP’s systems mainframe
- the security of airline systems that initially capture outward AdPP data
- AdPP for maritime departures.
Timing, location and assessment techniques
2.15 The assessors conducted the fieldwork component of this assessment on:
- 9 May 2016 at Sydney Airport, New South Wales
- 10 May 2016 at DIBP’s offices in Civic and Belconnen, Australian Capital Territory.
2.16 During the fieldwork, the assessors undertook an inspection of Virgin Australia’s check-in processes at Sydney airport. The assessors also undertook a site inspection of DIBP’s Border Operations Centre (BOC) in Canberra.
2.17 The fieldwork also involved semi-structured interviews with Virgin Australia staff, DIBP BOC staff, technical support staff and DIBP policy staff to assess DIBP’s arrangements for handling personal information under the outward AdPP arrangement.
2.18 Assessors also conducted a teleconference with SITA and DIBP’s contract manager, on 13 May 2016.
Information obtained during this assessment
2.19 DIBP provided a range of documents before, during, and after the fieldwork relating to the outward AdPP arrangement. These documents are listed at Appendix A.
2.20 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix B. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.
2.21 The assessors have made four recommendations to address medium privacy risks identified during the course of this assessment. A recommendation is a suggested course of action or a control measure that, if put in place by DIBP, will (in the opinion of the OAIC) minimise the privacy risks identified around how personal information is handled throughout the outward AdPP arrangement.
2.22 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.
2.23 This report has been published in an abridged version.
Part 3: Assessment context
Overview of the AdPP arrangement for departing passengers
3.1 The assessors’ observations on the passenger check-in process are informed by observation of, and interviews with, Virgin Australia check-in agents at Sydney Airport and BOC staff in Canberra. Observations on the information flows through the AdPP system are informed by interviews with DIBP staff and SITA staff.
3.2 For the purposes of this assessment, the outward AdPP arrangement comprises the collection of AdPP data at airline check-in, the processing of this data by the AdPP system to determine an individual’s authority to depart Australia and the transmission of this data to DIBP’s systems.
3.3 The outward AdPP arrangement also involves the provision of support services by the BOC in establishing an individual’s authority to depart Australia when this is not established automatically by the AdPP system.
3.4 Figure 1 (below) provides a simplified outline of the outward AdPP system and connecting systems within the scope of this assessment. Figure 1 shows the information flows as AdPP data is collected by airline systems and transmitted into the outward AdPP system via either the SITA Carrier portal (primarily used for airline crew) or the Government gateway. The outward AdPP system attempts to match AdPP data against Australian and New Zealand passport data and Australian visa data, which is received from DIBP’s mainframe. The results of attempted matches are transmitted back through to the airline systems and the AdPP data is transmitted into DIBP’s mainframe. As the BOC assists airlines to navigate the outward AdPP system and manages the infringements regime, BOC staff have access to AdPP data and DIBP’s mainframe. Further detail on the information flows is described below.
Figure 1 — Outward AdPP
Visas and passports
3.5 Outward AdPP broadly begins before an individual arrives at an airport. For Australian passport holders, passport information is transmitted from the Department of Foreign Affairs and Trade to DIBP four times per day. Information on New Zealand passport holders is transmitted from the New Zealand Department of Internal Affairs to DIBP twice per day. This information is stored in DIBP databases and also provided to the AdPP system to enable matching against the information that an individual presents when attempting to check in at an airport or online.
3.6 For non-Australian or New Zealand passport holders, personal information is provided to DIBP at the time a visa is applied for, before entry into Australia. This information is provided to the AdPP system to enable matching against AdPP transactions. When the individual checks in for their flight into Australia, their passport details are collected through inward AdPP and linked to the visa they are travelling on. The visa and passport details are subsequently used to match against outward AdPP transactions when the individual departs Australia.
3.7 An AdPP transaction is generated when an individual checks in for a flight departing Australia. Where an individual checks in online, the AdPP data is entered by the individual and sent directly to the AdPP system through the airline’s Departure Control System (DCS). If the AdPP system is unable to match the information entered by the individual against the visa and passport information in the AdPP system, the individual will be directed to check in at the appropriate airline counter at the airport. If the AdPP system is able to match the individual’s AdPP data, they will be able to complete the online check-in process, print their boarding pass and proceed directly to the immigration processing point at the airport.
3.8 Where an individual checks in at an airport, AdPP data may be captured by the airline’s DCS via a passport scanner and transmitted into the AdPP system. If the data submitted by the airline matches SITA’s copy of DIBP visa or Australian or New Zealand passport information, the airline receives an ‘OK TO BOARD’ message (see 3.14). Alternatively, the individual’s travel agent may have entered the required information into the airline’s DCS when the ticket was purchased, which is verified by an airline check-in agent against the passport presented at an airport.
3.9 The minimum data that check-in agents are required to enter into the outward AdPP system are: passport number, nationality code, the first four letters of the individual’s family name and the flight details. Supplementary information, such as travel document type and transit field information, may also be added. If a match cannot be made, check-in agents are prompted to enter the individual’s full details, that is, their full given and family names and date of birth.
3.10 Importantly, for outward AdPP the validity of the passport or visa is not verified, so long as a match against a known passport or visa in DIBP’s databases is made. This is to ensure that an individual who is a person of interest (for example, an individual presenting a stolen passport) will be processed by a trained DIBP officer at the immigration processing point, rather than a check-in agent.
3.11 If a check-in agent has difficulties checking in an individual, they are instructed to contact the BOC, which assists the agent to navigate the AdPP system (see 3.20‑3.22).
The AdPP system
3.12 The AdPP system is operated by SITA. AdPP data is received by the AdPP system via the SITA Government Gateway or the SITA Carrier Portal. The SITA Carrier Portal is primarily used to provide airline crew data, or as a backup if the Government Gateway is not operational.
3.13 The AdPP system is operated out of SITA’s two data centres in Sydney. The system receives regularly updated information from DIBP on Australian passports, New Zealand Passports, and Australian visas. This information is used to match against the AdPP data provided during the check-in processes described above. Visa information is linked to the passport information supplied when the individual entered Australia.
3.14 Once an individual’s AdPP data has been entered into the AdPP system, the three main responses the AdPP system may return to the check-in agent are:
- OK TO BOARD
- DO NOT BOARD
- CONTACT EOC (the BOC is also known as the Entry Operations Centre (EOC))
3.15 An ‘OK TO BOARD’ response means that the passport information collected matches passport and visa information stored on the AdPP system, and confirms that the individual is allowed to proceed to the immigration processing point.
3.16 If a ‘CONTACT EOC’ message is returned, check-in agents are required to contact the BOC to seek confirmation of the individual’s authority to depart Australia. The BOC is ordinarily contacted by telephone, but a text format electronic messaging service (SITATEX) is also available. However, this is primarily used by overseas check-in agents for inward AdPP.
3.17 After contacting the BOC, check-in agents are advised to attempt another AdPP transaction, given permission to use an override code to allow the individual to proceed to the immigration processing point, or instructed to advise the individual of action they must take before another AdPP transaction is attempted (e.g. apply for an electronic travel authorisation to travel into the U.S.A). For an individual to proceed to the immigration processing point, the AdPP system must return an ‘OK TO BOARD’ or ‘OVERRIDE ACCEPTED’ message.
3.18 If a ‘DO NOT BOARD’ response is returned, the check-in agent will not be able to issue a boarding pass, as the individual is not authorised to depart Australia.
3.19 If an individual is given authority to depart Australia, the AdPP data is transmitted from the SITA AdPP system to DIBP in the form of an ‘expected movement record’ (EMR). Otherwise, the AdPP data is transmitted in the form of a ‘denied movement record’ (DMR). The flow of data from the AdPP system to DIBP’s systems mainframe, via an EMR or DMR, is considered the end point of the AdPP arrangement and the end of the scope of this assessment. An EMR triggers subsequent processes within DIBP’s mainframe system, the Travel and Immigration Processing System (TRIPS), to analyse the individual’s passport information to determine whether they need to be further interviewed by DIBP staff at the immigration processing point. For example, the EMR information will be matched against watchlists for known persons of interest or stolen passports. An individual with a DMR does not have authority to depart Australia and would not proceed to the immigration processing point.
3.20 Part of the BOC’s responsibilities is to respond to queries from check-in agents when a ‘CONTACT EOC’ response is received from the AdPP system. The BOC is operational 24 hours a day, seven days a week.
3.21 When a check-in agent contacts the BOC, the agent discloses the individual’s passport number to assist the BOC to search the visa and passport information that DIBP holds. Once the BOC locates the individual in DIBP’s visa or passport database, they review the database information against the AdPP data provided. For this reason, BOC staff have access to the visa and passports databases on TRIPS via ‘TRIPS Utilities’.
3.22 BOC staff do not provide personal information to check-in agents during the call. Instead, they will request relevant information to assist their queries. In most cases, BOC staff will update DIBP’s databases and advise the check-in agent to submit another AdPP transaction. For example, a common reason is where an individual has dual passports and is attempting to use a different passport from the one used to enter Australia. Another common reason is where an individual is presenting a new passport.
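The staged check-in flow described in 3.7 to 3.22 (minimum data set first, full details only if no match, the three system responses, the BOC override, and the resulting EMR or DMR) is modelled below as an added illustration. This is not code from the OAIC, DIBP or SITA: the reference records are constructed, and the matching rules (which fields must agree, and that a full-detail match may succeed on name and date of birth where the passport number does not) are assumptions made for illustration. What the model does show is the data-minimisation property of the arrangement, namely that full details are collected only when the minimum set fails to match, and the point made at 3.10 that a match does not check the document's validity.

```python
"""Constructed toy model of the outward AdPP check-in flow (report sections 3.7-3.22).
All records and matching rules are assumptions for illustration; they are not
SITA's or DIBP's matching logic."""
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed reference data standing in for the passport/visa information the
# AdPP system holds. 'expiry' is present only to show that validity is not
# checked once a match is made (see 3.10).
REFERENCE_DOCS = [
    {"passport_number": "PA1234567", "nationality": "AUS", "family_name": "CITIZEN",
     "given_names": "JANE", "dob": "1980-01-01", "expiry": "2015-06-30"},   # expired
    {"passport_number": "NZ7654321", "nationality": "NZL", "family_name": "SMITHSON",
     "given_names": "RAWIRI", "dob": "1975-03-12", "expiry": "2026-01-01"},
    {"passport_number": "GB1112223", "nationality": "GBR", "family_name": "OBRIEN",
     "given_names": "MARY", "dob": "1990-09-09", "expiry": "2027-05-05"},
]
NO_AUTHORITY = {"GB1112223"}   # constructed: documents that would draw DO NOT BOARD

MINIMUM_FIELDS = ("passport_number", "nationality", "family_name_4", "flight")
FULL_FIELDS = MINIMUM_FIELDS + ("family_name", "given_names", "dob")


@dataclass
class AdppTransaction:
    passport_number: str
    nationality: str
    family_name_4: str                  # first four letters of the family name (3.9)
    flight: str
    family_name: Optional[str] = None   # full details, supplied only when prompted
    given_names: Optional[str] = None
    dob: Optional[str] = None

    def fields_supplied(self):
        return tuple(f for f in FULL_FIELDS if getattr(self, f) is not None)


def _match(tx):
    """Assumed rule: the minimum set matches on passport number, nationality and
    the first four letters of the family name. If full details were supplied, a
    record agreeing on full name, nationality and date of birth also matches
    (e.g. a newly issued passport not yet on file, cf. 3.22)."""
    for doc in REFERENCE_DOCS:
        if (doc["passport_number"] == tx.passport_number
                and doc["nationality"] == tx.nationality
                and doc["family_name"][:4] == tx.family_name_4.upper()):
            return doc
        if (tx.dob is not None and doc["nationality"] == tx.nationality
                and doc["family_name"] == (tx.family_name or "").upper()
                and doc["given_names"] == (tx.given_names or "").upper()
                and doc["dob"] == tx.dob):
            return doc
    return None


def process_transaction(tx, override_authorised=False):
    """Return one of the responses listed at 3.14 / 3.17."""
    if override_authorised:            # override code issued by the BOC (3.17)
        return "OVERRIDE ACCEPTED"
    doc = _match(tx)
    if doc is None:
        return "CONTACT EOC"
    if doc["passport_number"] in NO_AUTHORITY:
        return "DO NOT BOARD"
    return "OK TO BOARD"               # doc["expiry"] is deliberately ignored (3.10)


def check_in(tx, full_details=None):
    """Staged collection: the minimum data set is tried first; full details are
    compared only if that attempt fails and the agent supplies them (3.9).
    Returns (response, fields actually used)."""
    response = process_transaction(tx)
    if response != "CONTACT EOC" or not full_details:
        return response, tx.fields_supplied()
    enriched = AdppTransaction(**{**asdict(tx), **full_details})
    return process_transaction(enriched), enriched.fields_supplied()


def movement_record(tx, response):
    """EMR when authority to depart is given, DMR when refused (3.19). A CONTACT EOC
    result produces no record until a further transaction is submitted (assumed)."""
    if response in ("OK TO BOARD", "OVERRIDE ACCEPTED"):
        return {"type": "EMR", "passport_number": tx.passport_number, "flight": tx.flight}
    if response == "DO NOT BOARD":
        return {"type": "DMR", "passport_number": tx.passport_number, "flight": tx.flight}
    return None


if __name__ == "__main__":
    t = AdppTransaction("PA1234567", "AUS", "CITI", "VA1")
    print(check_in(t))                                   # matched on the minimum set only
    t2 = AdppTransaction("NZ0000001", "NZL", "SMIT", "VA1")   # new passport number
    print(check_in(t2))                                  # CONTACT EOC
    print(check_in(t2, {"family_name": "SMITHSON", "given_names": "RAWIRI", "dob": "1975-03-12"}))
```

The second transaction illustrates the privacy trade-off in the arrangement: the minimum set cannot be matched, so the richer record (full name and date of birth) is collected and compared, which is exactly the escalation 3.9 describes. The first transaction matches an expired document and still returns ‘OK TO BOARD’, consistent with 3.10.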
AdPP Infringements team
3.23 DIBP’s AdPP Infringements team (within the BOC) issues daily reports to airlines that have missing AdPP data. These reports contain the AdPP data of individuals who presented at the immigration processing point, but did not have a corresponding AdPP transaction recorded. The daily missing AdPP reports are intended to assist airlines to identify and correct gaps in their AdPP reporting.
3.24 The AdPP Infringements team also issues infringement notices to airlines that do not meet the threshold for AdPP reporting. Infringements for outward AdPP will commence on 1 January 2017.
3.25 Missing AdPP reports and infringement notices are sent via email to designated email addresses for each airline.
Part 4: Assessment issues — Collection of solicited personal information
4.1 Under APP 3, an APP entity may only collect solicited personal information (other than sensitive information) where it is reasonably necessary for, or directly related to, an agency’s functions or activities.
Observations on the collection of personal information
4.2 DIBP collects personal information contained in an individual’s passport through the AdPP arrangement as part of the check-in process for individuals departing Australia. The information collected includes passport number, nationality, the first four letters of the family name and flight details (see 3.9). Should this information be insufficient to successfully conclude an AdPP transaction, more information, such as the full given names and surname, may be provided until the system can verify the individual and provide an appropriate response.
4.3 The purpose for the collection of personal information under the outward AdPP arrangement is to provide advance notice that ‘allows appropriate security response to persons of interest’. This purpose is consistent with DIBP’s function in ensuring ‘strong national security—protect Australia’s sovereignty, security and safety by managing its border’.
4.4 AdPP data is collected directly from individuals departing Australia by airlines operating international flights from Australia, who disclose the data to DIBP via the AdPP system, which is operated by a third party provider, SITA.
Privacy issues in relation to the collection of personal information
4.5 DIBP does not collect AdPP data directly from individuals, but from the airlines through the AdPP system. APP 3.6 states that an APP entity must collect personal information about an individual only from the individual, unless the entity is required or authorised by or under an Australian law to collect from someone other than the individual. Schedule 6 to the Foreign Fighters Act requires airlines to report on individuals departing Australia to DIBP using an approved reporting system — the AdPP system.
4.6 The assessors note that the introduction of outward AdPP does not expand the types of personal information collected by DIBP. Prior to outward AdPP, an individual’s passport information would be collected at the airport immigration processing point via an electronic gate or DIBP staff. However, outward AdPP does collect a greater amount of personal information by collecting passport information at both check-in and immigration processing. This is acknowledged both by the Explanatory Memorandum to the Foreign Fighters Bill and in the OAIC’s submission to the PJCIS.
4.7 That said, the assessors consider that the collection of passport information through the AdPP arrangement is directly related to DIBP’s border management functions and the collection of that information through the AdPP system is required under the Migration Act. As a result, the assessors did not identify any issues in relation to the collection of personal information in this assessment.
4.8 The assessors also note that outward AdPP collects the surname and nationality details of an individual which may indicate that individual’s racial or ethnic origin. An individual’s racial or ethnic origin is considered to be sensitive information under the Privacy Act. Unless an exception applies, APP 3 requires the individual concerned to provide consent if sensitive information is being collected from them. However, APP 3.4(a) provides an exception to the requirement to obtain consent if the collection of the information is required or authorised by or under an Australian law. As the collection of AdPP data is required by the Migration Act following the amendments made by the Foreign Fighters Act, the assessors did not identify any privacy issues relating to the collection of personal information.
Part 5: Assessment issues — Notification of the collection of personal information
5.1 Under APP 5, an APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of the matters under APP 5.2 or to ensure the individual is aware of those matters. The APP entity must take these reasonable steps at or before the time of the collection, or if that is not practicable, as soon as practicable after the collection.
5.2 The requirement to notify or ensure awareness of the APP 5 matters applies to all personal information collected about an individual, either directly from the individual or from a third party.
Observations on the notification of the collection of personal information
5.3 The assessors noted that AdPP data for individuals departing Australia is collected directly from the individuals by airlines operating international flights from Australia, who disclose the data to DIBP via the AdPP system, which is operated by a third party provider, SITA. As a result of the collection of AdPP data being first through an airline before ultimately being collected by DIBP, assessors observed a layered notification structure provided by the two APP entities.
5.4 The first instance when an individual may be notified of the collection of AdPP data occurs if the individual applies for a visa. Visa application forms refer individuals to a Form 1442i privacy notice available on DIBP’s website. This notice informs passengers that personal information may be collected and used on DIBP’s behalf by contractors (in this case, SITA), including for outward AdPP by airlines. As Australian and New Zealand passports are not issued by DIBP, we did not consider any equivalent referral to Form 1442i provided by the relevant issuing agencies.
5.6 In regards to notice provided to individuals at the point of airport check-in, where individuals generally engage with the AdPP arrangement, the assessors did not observe any signage at, or prior to, the check-in counter at Sydney Airport that notified individuals that their personal information may be collected by DIBP. This is in contrast to the draft Privacy Impact Assessment (PIA) on Schedule 6 of the Foreign Fighters Act, which states that travellers are notified about the collection of personal information through signs located and on display at airports. The assessors note that the immigration processing point, which an individual passes through after completing outward AdPP at check-in, was not observed in the course of this assessment. Assessors have seen signage at this point in previous assessments, which may be the signage that the PIA refers to.
5.7 As a final notification layer, the assessors noted that outgoing passenger cards (OPCs) refer individuals to Form 1442i. OPCs may be provided by an airline check-in agent at the time of check-in at an airport but in many instances would only be provided when an individual is at the immigration processing point.
Privacy issues in relation to the notification of the collection of personal information
5.8 Under APP 5, an APP entity must take reasonable steps to notify individuals, or ensure they are aware of, APP 5 matters before or at the time it collects personal information. If this is not practicable, reasonable steps must be taken as soon as practicable after collection.
5.9 As DIBP is indirectly collecting AdPP data through the airlines, the first opportunity to provide notification to all individuals departing Australia is when an air ticket is purchased (noting that visa applicants are referred to Form 1442i). Although the personal information is collected by the airlines, APP 5 requires DIBP to ensure that individuals are aware of the matters under APP 5.2, including that DIBP collects their personal information from the airlines rather than from the individuals themselves (APP 5.2(b)(i)), and that DIBP is authorised or required to do so by law (APP 5.2(c)).
5.10 Given the importance of the notification provided at the time an air ticket is purchased, a reasonable step for DIBP is to ensure that the airlines notify or make individuals aware of the relevant APP 5.2 matters on its behalf. This may be done through mechanisms such as an enforceable contractual arrangement. DIBP was unable to identify any formal mechanism to ensure that the airlines provide this notice, although Form 1442i implies that airlines are contracted to DIBP, and notes that DIBP collects personal information from those airlines.
5.11 The next opportunity to notify individuals that their personal information is collected for the purposes of AdPP by DIBP, via the airlines, is at the point of check-in at an airport. Currently, this notification is located solely within the Form 1442i privacy notice. The OAIC is aware that individuals are referred to Form 1442i when applying for a visa and through a reference on OPCs, but did not observe any signage referring to Form 1442i at the point of check-in for individuals (noting that signage may be present at the immigration processing point).
5.12 The OAIC is also conscious of the potential timing of an individual engaging with these notification mechanisms, and the impact this timing has on ensuring an individual is aware of the matters under APP 5.2 — either well before airport check-in (at the time of ticket purchase), or after an AdPP transaction takes place at the time of check-in (when the individual may first receive an OPC). Therefore, signage at airports before airline check-in counters would provide another layer of notification before an AdPP transaction is submitted.
5.13 Overall, the assessors consider that, in light of the current availability of some layers of notification, there is a low risk of breaching APP 5 resulting from the lack of a privacy notification at the point of check-in at Sydney airport. The OAIC suggests that DIBP consider whether individuals can be more clearly notified of DIBP’s collection of personal information for outward AdPP purposes prior to check-in at an airport, e.g. through the inclusion of signage at airport check-in counters.
5.14 Additionally, the OAIC suggests that DIBP undertake more formal arrangements with airlines to ensure that individuals are aware of the relevant APP 5.2 matters on its behalf. This would allow individuals a greater opportunity to understand how their personal information collected at check-in will be handled by DIBP. The OAIC also suggests that DIBP advise airlines to review their conditions of sale to ensure appropriate notice is provided to individuals regarding the outward AdPP arrangement.
Part 6: Assessment issues — Use or disclosure of personal information
6.1 APP 6 outlines when an APP entity may use or disclose personal information. An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
6.2 The assessors understand that the personal information captured by the outward AdPP arrangement is used and disclosed for the primary purpose of protecting Australia’s security and safety by managing its border (see 4.3). The AdPP arrangement contributes to this by providing:
forewarning of a person’s intention to travel at the point that they check-in for their flight. In the context of the foreign fighter threat and persons intending to depart Australia to engage in foreign conflicts, this advance notice allows appropriate security response to persons of interest.
6.3 Outward AdPP data, once collected by DIBP from an airline Departure Control System, is used by SITA, on behalf of DIBP, to match against DIBP passport and visa database information to confirm an individual’s authority to depart Australia. In most instances this is an automatic process run by the AdPP system operated by SITA. However, this process may also require BOC staff to search the existing DIBP databases in order to update the passport or visa records, which is also considered a use of the AdPP data. These processes support the intention of the Schedule 6 amendments to provide forewarning of an individual’s intention to travel.
6.4 Once an individual’s authority to depart Australia is confirmed or denied, outward AdPP data is used to generate an EMR or DMR, which are used by DIBP for a range of additional border protection mechanisms that are outside the scope of this assessment.
6.5 Assessors were advised that AdPP data is disclosed by DIBP to airlines as part of missing AdPP reports — see 3.23-3.25. Assessors note that Schedule 6 introduced an infringement regime for airlines and maritime vessels that fail to comply with their outward AdPP reporting requirement. The disclosure of missing AdPP reports by DIBP helps enforce the AdPP reporting obligations by informing airlines of the instances in which they have not met their AdPP reporting obligations, and implementing the infringement regime established by the introduction of Schedule 6.
6.6 The assessors did not identify any privacy risks associated with use and disclosure of personal information during this assessment. Assessors acknowledge that the personal information collected by the outward AdPP arrangement is required by the Migration Act following the amendments made by the Foreign Fighters Act.
Part 7: Assessment issues — Security of personal information
7.1 Under APP 11, an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
7.2 The OAIC’s Guide to securing personal information outlines various operational areas in which entities can take reasonable steps to protect personal information in accordance with APP 11. The assessors considered several of these areas in this assessment, including governance, culture and training; internal practices, procedures and systems; ICT security; access security; third party providers; data breaches; physical security; and destruction and de-identification.
7.3 As noted at 2.9, AdPP data is handled by DIBP, SITA and airlines as part of the outward AdPP arrangement. As the scope of this assessment is to examine the reasonable steps that DIBP takes to protect personal information, this report examines how DIBP secures AdPP data, including how it manages the third party provider contract with SITA to ensure that DIBP’s obligations under APP 11 are met. Whilst this report notes some information regarding SITA and airline security mechanisms obtained during this assessment, a secondary assessment of SITA’s or an airline’s security of AdPP data may be conducted in the 2016-17 financial year.
Governance, culture and training
Observations — governance, culture and training
7.4 The assessors note that several sections of DIBP have responsibility for governance, culture and training in relation to outward AdPP, some of which overlap.
7.5 The assessors were advised that the Traveller Policy section has implementation and ongoing policy responsibility for outward AdPP. This includes undertaking a PIA and providing policy advice to the Border Operations Systems and Support (BOSS) section, which is responsible for creating guidance material and manuals. More broadly, the Privacy and Reviews section has responsibility for monitoring changes in the way DIBP handles personal information, including requests to access information on DIBP’s databases. The section also has responsibility for raising awareness about privacy issues and PIAs, and provides input into the drafting of PIAs.
7.6 Where a section is to undertake a PIA, it has the option of conducting it internally or contracting a third party provider. In this case, the first draft of the PIA for Schedule 6 of the Foreign Fighters Act was produced by a third party provider on 21 March 2016. The Traveller Policy section and Privacy and Reviews section have provided feedback to the third party provider on the draft PIA. The PIA was provided to the OAIC in draft form for comment in April 2016. At the time of this assessment, the PIA had not yet been finalised.
7.7 From an operational perspective, the assessors observed that BOC staff generally have an understanding of the importance of security when handling personal information. The assessors observed BOC staff answering AdPP-related calls from airlines and noted that BOC staff would prompt airline staff for a passport number, and request passport information where required to identify the individual. BOC staff did not disclose any personal information when handling these queries.
7.8 The assessors were advised that BOC staff receive extensive training before being allowed to independently take calls from airline staff. Training includes working together with experienced staff, ICT training and understanding legislation such as the Privacy Act. A training day for BOC staff is held every eight weeks. BOC staff also have access to training material and standard operating procedures through the DIBP intranet.
7.9 The BOC is supported by the BOSS section. BOSS is responsible for training BOC staff, authorising systems access, managing systems requirements and providing systems support.
Privacy issues — governance, culture and training
7.10 The assessors acknowledge that DIBP has governance structures and training established in relation to the handling and security of AdPP data. Particularly, the Traveller Policy section has policy oversight of the outward AdPP arrangement, while the BOSS section provides systems and governance support to enable BOC staff to operate in a privacy respecting manner.
7.11 However, assessors note that though the outward AdPP arrangement commenced in November 2015, the planned PIA had not been completed ahead of the commencement date. Furthermore, the PIA was not finalised at the time of this assessment.
7.12 The OAIC’s Guide to undertaking privacy impact assessments provides guidance on PIAs and notes that, to be effective, a PIA should be an integral part of the planning process, and undertaken early enough in the development of a project that it is still possible to influence the project design. The PIA process provides an opportunity to identify information flows and privacy risks for the outward AdPP arrangement and develop appropriate strategies to mitigate those risks, including risks related to the security of the AdPP arrangement.
7.13 The OAIC acknowledges that governance, culture and training initiatives have been taken in the absence of a PIA. Also, a number of challenges have arisen from the merger of the Australian Customs and Border Protection Service and DIBP on 1 July 2015. However, the OAIC considers there is a low risk of breaching APP 11 (and potentially, other APPs) due to the delay in conducting a PIA.
7.14 As such, the OAIC suggests that DIBP develop mechanisms to ensure a privacy by design approach is followed for future projects or policies that affect the handling of AdPP data, and personal information more broadly. The OAIC also suggests that DIBP update the Schedule 6 PIA should any future changes occur to the AdPP arrangement.
Internal practices, procedures and systems
Observations — internal practices, procedures and systems
7.15 Assessors were advised that, within DIBP, the BOSS section has primary responsibility for key documentation that supports the internal practices, procedures and systems for DIBP’s interaction with AdPP data.
7.16 As such, the assessors examined a number of specific procedural documents relating to the AdPP arrangement developed for both internal (e.g. the BOC) and external (e.g. airlines) audiences. These documents included process manuals, standard operating procedures and presentation materials (see Appendix A).
7.17 Within the suite of documents provided by DIBP, assessors examined the ‘AdPP Infringements Manual’, which outlines the infringement and missing AdPP reporting process to airlines. As part of the practical implementation of this manual, the AdPP Infringements team advised that missing AdPP reports are generated and emailed daily to airlines in the form of a spreadsheet (also see 3.23-3.25). These reports contain the same AdPP data as was required to be sent by the airline, except that the minimum data required for an AdPP transaction is the first four letters of the family name, while the reports include the individual’s full name. Reports are sent to a designated airline email address or group email address. From 1 July 2016, monthly infringement notices will also be sent to airlines if the percentage of missing AdPP transactions exceeds a pre-determined threshold.
Privacy issues — internal practices, procedures and systems
7.18 The assessors acknowledge that DIBP has a suite of documented internal practices and procedures to support the outward AdPP arrangement. These documented practices and procedures are largely procedural or operational in focus, and seek to provide detailed instructions on procedural steps and use of electronic tools, such as instructions on generating daily missing AdPP reports or identifying when and how to issue an AdPP override code.
7.19 However, the documents provided to the OAIC do not draw attention to privacy risks relating to the flow of information through the AdPP arrangement. As a result, whilst assessors noted certain mechanisms are employed to provide privacy safeguards for the handling of AdPP data by BOC staff (e.g. training on disclosure), assessors considered that the lack of privacy advice more generally in DIBP’s documentation may have contributed to the failure to provide appropriate security for the transmission of missing AdPP reports.
7.20 The assessors note that the collection of AdPP data through the AdPP system provides a number of security safeguards to appropriately protect that data, including data encryption and transmission over a secure private network (see 7.38-7.45). However, DIBP advised that similar security safeguards are not applied to the missing AdPP reports.
7.21 In particular, DIBP advised that the missing AdPP reports, which are generated by comparing AdPP data against passenger movement information that DIBP receives from other sources, are not encrypted when they are emailed to airline staff. Further, the email is sent in an unsecured format to a mailbox nominated by each airline. It is also unclear what, if any, action is taken by DIBP to ensure the security of the mailbox, or to confirm it as the appropriate email address beyond the initial nomination.
7.22 The OAIC’s Guide to securing personal information notes that email is not a secure form of communication and that procedures should be developed to manage the transmission of personal information via email. The Guide also provides suggestions to assist in securing email transmissions, such as encrypting or password protecting attachments, or using a secure online mailbox.
7.23 Therefore, the assessors consider that the use of unsecured email to send missing AdPP reports, which contain the information that should have been transmitted by the airlines via the security-managed AdPP system, is a medium risk of breaching APP 11.
7.24 More broadly, the OAIC suggests that DIBP update its documented practices and procedures to include references to privacy matters, where relevant. This should include contact details for a nominated Privacy Contact Officer for internal documents, which provides DIBP staff with a highly visible avenue to raise any privacy concerns. Greater discussion of privacy matters in DIBP’s guidance materials will help increase privacy awareness amongst DIBP staff, and also airline staff.
7.25 The assessors recommend that DIBP review the security arrangements for the transmission of missing AdPP reports and infringement notices and establish safeguards to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Third party providers
7.26 Section 95B of the Privacy Act requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an APP if done or engaged in by the agency.
Observations — third party providers
7.27 The AdPP system is operated by SITA under a contract with DIBP. The contract is in its second year of operation out of a term of five years, with three options to extend for an extra three years each. The contract requires SITA to comply with the APPs, the Australian Government Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). The AdPP system is run from two SITA data centres in Sydney, operated by a sub-contractor, Orange Business Services.
7.28 The assessors interviewed DIBP’s SITA contract manager while in Canberra. The contract manager advised that a Service Delivery Committee, Management Committee and Executive Committee provide governance mechanisms between SITA and DIBP, and meet monthly, quarterly and semi-annually respectively. These committees provide a mechanism to deal with a range of issues at varying staff levels, including level of service performance and strategic direction.
7.29 In addition to DIBP’s contract management section, DIBP’s Agency Security Adviser has a role in verifying SITA’s compliance with its obligations under the PSPF and ISM. The Security Adviser inspected SITA’s data centres in August 2013 and made several recommendations regarding non-compliance with the required physical security standards. The inspection reports conclude that, for final certification of the data centres meeting the contracted requirements under the PSPF and ISM, SITA must take remedial action in response to the recommendations and show evidence that such action has been taken.
7.30 Further, as part of SITA’s regular ICT testing program, performed every two years, an external party to SITA inspected the AdPP system in 2015, and produced a gap analysis report against the ISM controls. This analysis outlined a series of recommendations to achieve Information Security Registered Assessors Program certification.
7.31 SITA advised that remedial action has been taken to meet the recommendations under both inspections, and is currently liaising with DIBP to finalise the responses to the recommendations. DIBP advised that SITA had completed remedial action in January 2015, but that DIBP’s security adviser has not yet reinspected the data centres to verify compliance with the PSPF and ISM.
7.32 The contract between DIBP and SITA also stipulates requirements regarding the protection of personal information in accordance with the APPs, and action required in response to data breaches (see 7.60-7.61).
7.33 DIBP advised that SITA has implemented internal measures around ensuring the privacy of DIBP data. This includes a government vetting process to ensure all SITA employees who have access to the data have an appropriate level of security clearance. SITA also ensures that new officers are aware of their APP obligations and require officers to sign a Personal Information Undertaking.
7.34 Assessors note that the issue of SITA’s compliance with the physical and logical security requirements of its contract with DIBP was also raised in the draft PIA for Schedule 6. The PIA recommended that DIBP undertake ongoing assurance activity within the existing contract management process to maintain appropriate oversight of these security controls.
Privacy issues — third party providers
7.35 Although the scope of this assessment is DIBP’s personal information handling practices, the use of a third party provider carries a responsibility under s 95B of the Privacy Act to take contractual measures to ensure that the provider does not do an act, or engage in a practice, that would breach an APP if done or engaged in by DIBP.
7.36 The assessors note that DIBP has a contract management section that oversees its contract with SITA, including the reasonable steps taken by SITA to protect the security of AdPP data in accordance with APP 11. However, the assessors also note that whilst SITA has taken remedial action in response to the recommendations made by DIBP’s security adviser in 2013, and completed them in January 2015, DIBP has not taken steps to confirm that SITA’s activities are appropriate to protect AdPP data. The OAIC considers this to raise a medium risk of breaching APP 11, as a delay in verifying that remedial action has appropriately addressed the issues increases the risks that security of the AdPP data may be compromised. This risk is also raised in the draft PIA for Schedule 6.
7.37 The assessors recommend that DIBP undertake appropriate contract performance assurance activities to ensure SITA is compliant with APP 11, and ensure those assurance activities are completed within more appropriate timeframes in the future.
Observations — ICT security
Airlines to SITA
7.38 The AdPP data is transmitted from airlines into the AdPP system either via the Government Gateway or the carrier portal.
7.39 [redacted] The Gateway uses an algorithm to determine an individual’s departure and arrival countries and transmits the AdPP data to those countries if an arrangement is in place to provide the data to that country. For outward AdPP, the data is transmitted from the Gateway into the AdPP system and is secured by a firewall throughout the transmission.
7.40 The networks that airlines use to access the Government Gateway must be approved by SITA. The approval process involves testing of the network by SITA to verify compatibility with SITA’s systems and the ability to transmit data securely.
7.41 The carrier portal is a web-based portal that is used primarily for airline crew AdPP data, and as an emergency back-up in the event of the Government Gateway not being operational. AdPP data is also encrypted before transmission through the carrier portal, using SSL encryption, and firewalls are used to prevent unauthorised access.
7.42 DIBP’s contract with SITA stipulates that SITA must maintain, enforce and comply with all safety procedures, and technology and physical security procedures as required under the PSPF and ISM and DIBP’s security policies and procedures.
7.43 The data centres that the AdPP system operates on utilise boundary security devices to prevent unauthorised electronic access to the database. Unauthorised access to the database is also protected against by the use of firewalls, as are all connections between the AdPP system and external networks. Tapes are used to back-up the AdPP data and are stored within the data centres.
7.44 SITA uses hardware equipment that is of a type approved by the Australian Signals Directorate (formerly the Defence Signals Directorate). SITA conducts testing of its security systems every two years using external service providers, including penetration testing. When performing testing, external provider staff do not have access to the AdPP data, but perform testing on the system’s devices.
SITA to DIBP/DIBP to SITA
7.45 Outward AdPP data is transmitted from the AdPP system to DIBP in the form of an EMR or DMR. Updated visa and passport information from DIBP’s databases is also transmitted into the AdPP system. The private network used to transmit these data flows is protected by a firewall. [redacted]
Privacy issues — ICT security
7.46 Noting that the scope of this assessment did not extend to a detailed consideration of DIBP’s ICT systems beyond the AdPP system or a site inspection of SITA’s data centres, the assessors did not identify any privacy risks associated with ICT security (other than the issue addressed in Recommendation 1), as it was described by DIBP and SITA. DIBP’s ICT systems and SITA’s data centres have been identified as the subject of separate assessments proposed for the 2016-17 financial year.
Observations — Access security
BOC staff and DIBP’s systems
7.47 DIBP advised that AdPP data received by DIBP in the form of an expected movement record is stored in TRIPS. TRIPS comprises 14 separate databases that each have their own access controls. Access to ‘TRIPS Utilities’ (which provides read, write and modify access to DIBP’s passport and visa information databases) allows BOC staff to compare an AdPP transaction against DIBP’s record of the individual’s passport information and to add a new passport to the database. Passport information cannot be added to TRIPS without using TRIPS Utilities.
7.48 BOC staff request access to TRIPS Utilities and other systems access via a service request catalogue. Approval of systems access is granted by BOSS, who assess the requested access against a DIBP staff position. If approved, IT personnel build the user’s access according to the approved specification. Access to TRIPS Utilities is removed once an individual no longer requires access, e.g. upon termination of employment or a transfer out of the BOC. BOC managers have a higher level of access than other BOC staff.
7.49 BOC staff also have access to the reporting function of the AdPP system, which allows them to view the AdPP transactions made by airline staff. DIBP staff cannot manipulate data on the AdPP system.
7.50 TRIPS Utilities is accessed through a separate log-in from the computer log-in. The same user log-in cannot be used across multiple computers. BOC staff are reminded through regular internal newsletters to not share passwords, and to lock their computer screens when they are away from their desk. The assessors were advised that DIBP uses passwords and unattended screen lock protection for all computers. DIBP’s passwords must contain at least 10 characters with a minimum of one upper case letter, one lower case letter and one number.
7.51 Audit trails are available for all aspects of DIBP’s ICT system, including access to databases, emails, computer log-ins and printing. Unauthorised access or use of DIBP systems and databases by BOC staff is monitored by BOSS and may be reported to the Integrity and Professional Standards section for investigation.
SITA AdPP system
7.52 As required under the DIBP’s contract with SITA, only authorised SITA staff with a baseline security clearance have access to the AdPP data on SITA’s systems.
7.53 Airline staff only have access to submit AdPP transactions and do not have access to the AdPP data on the AdPP system.
7.54 Third parties that SITA engages to perform testing on the AdPP system do not have access to the AdPP data, but perform testing on the system’s devices.
7.55 Audit trails are also available from end-to-end of the AdPP system. These audit trails include:
- access to the Government Gateway by ‘privileged account holders’
- carrier portal logs, which identify when specific users have logged in to access the carrier portal, and the data that users have transmitted
- audit logs, which record the user credentials of any access to AdPP data.
7.56 SITA advised that its edge firewalls are configured to ‘block and alert’ should there be any attempts to breach the firewall or in the event of denial-of-service attacks. These alerts are monitored by SITA’s Operations team.
Privacy issues — Access security
7.57 The assessors did not identify any privacy risks associated with access security during this assessment.
Observations — data breaches
7.58 Assessors were advised by DIBP staff that in the event of a data breach, Department-wide instructions are available to staff on the intranet. Further, BOC staff are trained to report any incidents of a data breach to a BOC manager. The assessors also note that staff in the newly established Privacy and Reviews Team act as DIBP Privacy Contact Officers.
7.59 The assessors were not provided with documentation by DIBP that indicated a formalised response plan for data breaches in relation to border clearance processes. However, DIBP advised that the Privacy and Reviews section is currently drafting data breach response policies.
7.60 The assessors were advised by SITA staff that a documented data breach response plan was in place for data held by SITA and had been provided to DIBP for review. Under the contract, SITA must promptly notify DIBP of any breach or potential breach of security relating to Departmental information, and is required to assist DIBP in investigating and undertaking remediation of the effects of such a breach or potential breach. However, there has not been a data breach to date.
7.61 A data breach of the SITA system would also amount to a breach of contract. A breach would be raised at a committee meeting between DIBP and SITA representatives, which would be followed by an ICT review and report.
Privacy issues — data breaches
7.62 Although SITA has a documented data breach response plan, DIBP relies on general procedures and staff training to guide staff in the event of a data breach. Under APP 11, an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. As outlined in the OAIC’s Data breach notification: a guide to handling personal information security breaches, those reasonable steps may include the preparation and implementation of a data breach policy and response plan.
7.63 Although the risk of a data breach is mitigated by SITA having a data breach response plan for their handling of AdPP data, the impact of a breach may increase as the outward AdPP arrangement continues and the quantity of personal information retained by DIBP increases. Having a documented response plan that includes procedures and clear lines of authority can assist in containing a breach and managing DIBP’s response in a consistent manner.
7.64 The assessors therefore consider that there is a medium level privacy risk of DIBP breaching APP 11 as a result of not having documented procedures to respond to potential data breaches. The assessors note that the Privacy and Reviews section has advised that data breach response policies are currently being drafted. DIBP may wish to consider the OAIC’s Guide to developing a data breach response plan in order to develop its own plan.
7.65 The assessors recommend that DIBP implement a breach response plan, or adapt existing policies, to deal with data breaches.
Observations — physical security
7.66 The BOC operating space is shared with other DIBP officers in the Strategic Border Command section.
7.67 The assessors observed that access to the BOC operating space requires a security pass with the required level of access. Entry to the operating space is controlled by two security doors separated by a corridor. Visitors must carry a visitor pass, be escorted by DIBP staff and leave mobile phones in a locker outside the first security door.
7.68 Access to the BOC operating space is restricted to staff with at least a Negative Vetting Level 1 security classification. However, new staff may commence training with an interim baseline clearance. The BOC operating space is lit by a blue light when a visitor does not have the required security classification. The blue light signifies to staff that they are to be mindful of the information that they are accessing and to keep information close to hand, to prevent the visitor from sighting restricted information. The layout of the operating space also allows the duty inspector to have visibility of the entire space.
7.69 BOC staff are subject to a clean desk policy, and operate in a ‘paperless office’. The assessors observed that BOC staff may write down passport numbers to allow quick reference when switching between different screens. BOC staff advised that a policy is in place for each BOC staff member to shred their notes at the end of the day.
7.70 The assessors note that this assessment did not involve an inspection of SITA’s data centres.
Privacy issues — physical security
7.71 The assessors did not identify any privacy risks associated with physical security during this assessment.
Destruction and de-identification
Observations — destruction and de-identification
7.72 DIBP staff advised that personal information captured by the outward AdPP arrangement is retained indefinitely and may be used as a reference for future border crossings by an individual. DIBP staff advised that this policy was a result of the AdPP data forming part of a Commonwealth record for the purposes of the Archives Act 1983.
7.73 SITA staff advised that they do not destroy AdPP data, and retain data in accordance with the Archives Act 1983. SITA considers the information to belong to DIBP, and that it will be handed over to DIBP at the end of its contract.
Privacy issues — destruction and de-identification
7.74 The assessors acknowledge that the AdPP data retained may have continued use as a reference for future border crossings. However, the assessors note that the risk of attacks on DIBP’s databases may increase with the increase in volume of personal information held in these databases. Further, DIBP advised that outward AdPP data is transmitted to DIBP as an EMR or DMR, while SITA also retains the AdPP data, intending to hand it over to DIBP at the end of its contract. The retention of the same personal information in both the AdPP system and in TRIPS also increases the volume of personal information.
7.75 Therefore, the assessors consider that there is a medium risk of breaching APP 11 resulting from the absence of a destruction policy that considers the appropriateness of retaining all outward AdPP data indefinitely in multiple locations. The assessors note that a destruction policy would need to take into account requirements under the Archives Act 1983 and any other legal requirements.
7.76 The assessors recommend that DIBP review and create documentation for policies on the destruction or de-identification of information collected through the outward AdPP arrangement.
Part 8: Summary of recommendations
Recommendation 1 — security of missing AdPP reports and infringement notices
8.1 The assessors recommend that DIBP review the security arrangements for the transmission of missing AdPP reports and infringement notices and establish safeguards to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
8.2 DIBP is willing to explore options, in consultation with the airline industry.
Recommendation 2 — contract performance assurance
8.3 The assessors recommend that DIBP undertake appropriate contract performance assurance activities to ensure SITA is compliant with APP 11, and ensure those assurance activities are completed within more appropriate timeframes in the future.
8.4 DIBP agrees that assurance activities should be completed within reasonable timeframes and will continue to work with the service provider to ensure these are met.
Recommendation 3 — data breach response plan
8.5 The assessors recommend that DIBP implement a breach response plan, or adapt existing policies, to deal with data breaches.
8.6 DIBP’s Privacy Management Plan 2016-17 has identified as a key action a review of the Department’s Privacy Breach Management Framework (Data Breach Response Plan) and reporting instructions. This is due for completion by 30 September 2016.
Recommendation 4 — policies on the destruction or de-identification of personal information
8.7 The assessors recommend that DIBP review and create documentation for policies on the destruction or de-identification of information collected through the outward AdPP arrangement.
8.8 DIBP agrees there needs to be policy on the de-identification and destruction of information collected in the long term. However, the information collected is required for an extended period of time as the records collected determine the location of a person; assist with the facilitation of travel if the departure or arrival has been recorded incorrectly; and the time spent onshore, which can determine eligibility for visas, return to Australia or citizenship. These records also assist external agencies, such as the Department of Human Services, to calculate eligibility for government services for Australian citizens as well as non-citizens.