Document Verification Service — Australian Financial Security Authority: Assessment report
Document Verification Service: Privacy assessment of AFSA as a user agency
Australian Financial Security Authority
Final Assessment Report
Australian Privacy Principles Assessment
Section 33C(1)(a) Privacy Act 1988
Assessment undertaken: August 2014
Draft report issued: October 2014
Final report issued: November 2014
The Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of the Australian Financial Security Authority’s (AFSA) handling of personal information as a user agency of the Document Verification Service (DVS).
The assessors considered how AFSA collected DVS related personal information in accordance with Australian Privacy Principle (APP) 3.1, notified individuals as required under APP 5 and appropriately secured and retained personal information in line with APP 11 obligations.
The assessment was undertaken on 21 August 2014 at AFSA’s national head office located in Canberra, Australian Capital Territory.
The assessors did not identify any particular privacy risks that warranted the making of privacy recommendations.
The assessors have provided AFSA with a number of comments for its further consideration around the notification processes, privacy training, Information and Communication Technology (ICT) security testing, retention policies and privacy impact assessments.
AFSA may find these comments helpful in further improving its privacy practices when handling individual’s personal information through the use of the DVS.
Part 1 — Introduction
1.1 The Document Verification Service (DVS) is a national secure online system, which enables authorised entities to electronically verify Evidence of Identity documents issued by a range of Australian, State and Territory government agencies.
1.2 The OAIC considers the term ‘Evidence of Identity’ best describes the process of identity verification that occurs through the DVS. However, it will use the term Proof of Identity (POI) where an agency or organisation prefers this terminology and uses it in their business, which is the case in this assessment.
1.3 The Attorney General’s Department (AGD) has overall responsibility for the development and oversight of the DVS.
1.4 Documents that can be checked by the DVS are produced by a number of different Australian, State and Territory government agencies. These agencies are known as DVS issuer agencies.
1.5 Authorised government agencies and some private organisations that have client identification obligations under Australian legislation may register to use the DVS to verify relevant documents. These entities are known as DVS user entities.
1.6 The DVS system uses an electronic gateway known as the Hub to securely direct requests and responses between DVS user entities and issuer agencies.
The Office of the Australian Information Commissioner’s role
1.7 The OAIC provides advice and considers privacy issues that arise from the implementation and operation of the DVS.
1.8 The OAIC also undertakes privacy assessments (previously known as audits) under s 33C(1)(a) of the Privacy Act 1988 (Cth)(the Privacy Act). These assessments consider whether personal information held by an entity covered by the Privacy Act is being maintained and handled in accordance with the APPs. This includes assessing aspects of the DVS such as issuer and user interactions with the DVS, and the operation of the DVS Hub.
Reasons for target selection
1.9 This is the ninth audit or assessment of the DVS conducted since 2006. The OAIC chose AFSA as an assessment target as it is a relatively new user agency, having first commenced using the DVS in December 2013. In addition, AFSA is the first government agency to provide a web interface that allows clients to directly input their POI document information into the DVS for verification, without any manual assistance from AFSA staff.
Part 2 — Description of assessment
2.1 The purpose of the assessment was to assess whether AFSA, as a DVS user agency, was maintaining DVS related personal information in accordance with selected APPs contained in Schedule 1 of the Privacy Act. Specifically, the assessment considered issues about AFSA’s collection of solicited personal information, notification it provided to individuals at the point of collection and the security and retention of personal information, in its role as a DVS user agency.
Objective, scope and assessment techniques
2.2 The objective of the assessment was to assess whether AFSA was maintaining DVS related personal information in accordance with the following APPs:
APP 3.1 — which requires AFSA to only collect personal information in its role as a DVS user agency where the information is reasonably necessary for, or directly related to one or more of AFSA’s functions or activities
APP 5 — which requires AFSA to provide notice to individuals’ about certain matters when collecting their personal information as a part of the DVS process
APP 11 — which requires AFSA to take reasonable steps as a DVS user agency to protect the collected information from misuse, interference, loss and unauthorised access, modification or disclosure, as well as destroy or de-identify the information where it is no longer needed.
2.3 The assessment also considered how AFSA meets the terms and conditions of a Memorandum of Understanding (MOU) agreement with AGD for using the DVS. Specifically, the MOU requires AFSA to obtain client consent to their identifying information being verified and inform individuals of the purpose, uses and any legal authority for the collection of their personal information.
2.4 The scope of the assessment was limited to AFSA’s handling of DVS related personal information in accordance with the abovementioned APPs 3.1 (collection), 5 (notification) and 11 (security and retention).
2.5 Assessors employed the following assessment techniques:
- a document review of materials AFSA provided to the OAIC for the assessment
- semi-structured interviews with key AFSA staff to assess relevant processes, procedures, training and staff awareness of these
- direct observation of AFSA’s head office premises and DVS related systems.
Timing and location
2.6 The assessors conducted the fieldwork component of the assessment on 21 August 2014 at AFSA’s national head office in Barton, Canberra.
Information obtained during the audit
2.7 AFSA provided several documents both prior to and after the assessment fieldwork period. A list of this information is available at Appendix A.
2.8 To the extent possible, the OAIC publishes final assessment reports in full or in an abridged version on its website, www.oaic.gov.au. It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege.
2.9 This report has been published in full.
Part 3 — Description of assessment target
3.1 AFSA is responsible for the administration and regulation of Australia’s personal insolvency system, proceeds of crime, trustee services as well as the administration of the Personal Property Securities Register.
3.2 In December 2013 AFSA commenced using the DVS to verify clients’ identifying information as a part of the process of registering an individual user account to access AFSA’s creditor Online Services system (OS system).
3.3 AFSA has advised it is considering expanding its use of DVS to support individual user registration for future online services.
3.4 Prior to the introduction of the DVS, AFSA manually verified creditors’ identities as part of the application for the issue of a bankruptcy notice.
3.5 AFSA advised it now receives minimal manual POI verifications.
3.6 On average, AFSA had approximately 152 DVS transactions per month over the period of 1 January 2014 to 30 June 2014.
AFSA areas relevant to the assessment
3.7 The OAIC interviewed staff from the following areas as a part of this assessment:
- External Service Delivery, which was responsible for the process of integrating the DVS into AFSA’s business and developing the associated business rules and policies
- Business Solutions, which built AFSA’s DVS web application interface and is currently responsible for certain operational aspects of the system
- Architecture, which is responsible for AFSA’s information and communication technology (ICT) security and contributes to AFSA’s overall information security framework
- Property, Security and Procurement, which is responsible for AFSA’s physical security (including personnel security) and contributes to AFSA’s overall information security framework
- Legal and Governance, which provides legal advice and support to all areas of AFSA including matters about privacy.
Part 4 — Assessment Issues
4.1 The following findings relate to the assessors’ consideration of AFSA’s handling of DVS related personal information under the APPs within the scope of this assessment.
4.2 The APPs are available at www.oaic.gov.au.
APP 3.1 — collection of solicited personal information
4.3 APP 3.1 states that agencies must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities.
4.4 According to s 6 of the Privacy Act:
- an entity collects personal information only if the information is collected for inclusion in a record or generally available publication
- personal information includes information about an identified individual or an individual who is reasonably identifiable
- a record includes a document or an electronic or other device.
4.5 Personal information reasonably necessary for a function or activity includes information that an entity needs to effectively pursue a function or activity. A collection based on the possibility that data may become necessary for a function or activity in the future would not be considered reasonably necessary.
4.6 For information to be directly related to one or more of the agency’s functions or activities, a clear and direct connection must exist between the personal information being collected and the agency function or activity.
4.7 AFSA’s OS system allows individuals who are creditors to apply for the issue of a bankruptcy notice. Clients register for a user account on AFSA’s OS system by providing their full name, email address, physical address and phone number.
4.8 To access all of the services available on the OS system and lodge an application for a bankruptcy notice, clients must pass POI verification by meeting a 60-point check. This POI verification can be completed either electronically or manually.
4.9 AFSA has developed a Proof of Identity web application interface (POI system) that is separate from its OS system and links to the DVS. AFSA’s POI system allows its clients to electronically complete the POI process by personally inputting their POI document information for verification through the DVS.
4.10 If clients are unable to complete the POI process electronically, AFSA provides an alternate process where clients email or mail copies of the relevant POI documents to AFSA for sighting by AFSA staff. However, the DVS is not used at any point in this manual POI process.
4.11 AFSA staff members at its National Service Centre (NSC) provide procedural support to clients using AFSA’s OS and POI system. However, NSC staff do not collect clients’ personal information to input into the DVS and do not appear to collect any DVS related personal information from clients who contact them for assistance.
The electronic POI process
4.12 AFSA provided the assessors with the opportunity to observe the completion of AFSA’s online POI process using a test environment in its POI system.
4.13 After registering for a user account on AFSA’s OS system, clients are provided with a link titled ‘COMPLETE PROOF OF IDENTITY’ and advised they need to complete POI to obtain full access to Online Services.
4.14 By clicking on the provided link, clients are directed to AFSA’s POI system. Clients are then able to select the document/s (such as Australian passport, Medicare card and Australian driver’s licence) they want to use to verify their identity and input document details into set fields. For example, for an Australian passport the set fields are the document number, given names, family name, date of birth and gender.
4.15 The inputted information is then verified using the DVS. Subsequently, the client is advised that their document has either i) been verified, ii) not been verified or iii) there has been a system error.
4.16 If a client receives either of these latter two responses, they either reattempt the verification process or undertake AFSA’s manual POI verification process. AFSA advised it does not follow up not verified or system error responses for clients.
4.17 The personal information flow is depicted in the diagram below.
4.18 Clients are provided with three attempts to verify each document type. However, if they are unable to do so they become ‘locked out’ of that document type and cannot further attempt to verify their POI with that document.
4.19 Clients can contact the NSC to have the document type unlocked. NSC staff can activate a lock override to double the number of failed attempts allowed per document. However, NSC staff can only do this once per user account.
DVS-related personal information AFSA collects
4.20 As a result of the electronic POI verification process, AFSA creates two separate records of clients’ personal information.
4.21 The first record is contained on the ‘DVS Verification Request’ screen connected to users’ accounts. It contains the following personal information:
- client’s name
- account creation date
- date POI verification attempts began
- date of the last POI verification attempt
- account username
- what stage of the 60 point check the individual has completed
- details of DVS verification attempts, which include document type used in the process, date and time of attempt, DVS response (eg verified or not verified), DVS response time and error type (if any).
4.22 The second record is the audit log and information of DVS transactions. This record contains verification request IDs for each DVS transaction, clients’ names and other details about the DVS transaction such as transaction date.
4.23 AFSA advised the assessors it collects and stores all of this information for the following purposes:
monitoring and reporting purposes. AFSA provides monthly reports to the DVS manager about AFSA’s DVS usage such as the number of transactions, average response times and numbers of each type of response received.
to further investigate any identified issues of fraud, which do occur, although rarely. AFSA advised that where there is a need to investigate allegations of fraud, the stored information (particularly the client name provided during the POI verification process and audit log) is the starting point of the investigation. Further, it also provides a point of reference where clients use different names for registration purposes compared to names on identification documents (eg married name compared to maiden name).
4.24 The assessors consider that AFSA’s collection of clients’ personal information during its POI verification process using the DVS is directly related to its functions and activities as the administrator of Australia’s personal insolvency system.
4.25 The assessors did not identify any particular privacy risks regarding AFSA’s collection of DVS related personal information and do not make any privacy recommendations in relation to this aspect of the assessment.
APP 5 — notification
4.26 APP 5 requires APP entities at the point of collection (or before the time, or as soon as practicable after) to take reasonable steps (if any) in the circumstances to notify individuals about a range of matters, including (but not limited to):
- the Australian law under which the information is required or authorised to be collected, if any
- the purposes for which the APP entity collects the personal information
- the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity
- any other entities to which the APP entity usually discloses personal information of the kind collected
4.27 To become a DVS user, an agency is required to comply with specific terms and conditions of use under an MOU with AGD. According to the terms and conditions, AFSA is specifically required to obtain clients’ consent to verifying the details of their POI documents and must inform clients of the following:
- that the details are being collected to confirm the integrity of the POI information
- the POI information they are supplying may be checked with the issuing agencies
- any legal authority under which AFSA is collecting the POI information.
4.28 By observing the completion of AFSA’s user account registration for the OS system and online POI process, the assessors observed the notification AFSA provides to clients when collecting DVS related personal information.
User account registration
4.29 During the user account registration process, clients are required to indicate they accept the terms and conditions of using AFSA’s online system. AFSA provides clients with a link to the terms and conditions.
4.30 The terms and conditions contain a privacy section that outlines the following:
- legal authorities under which AFSA may collect personal information through its OS system including the Bankruptcy Act 1966 (Cth) (the Bankruptcy Act) and the Bankruptcy (Estate Charges) Act 1997 (Cth)
- usual disclosures AFSA may make such as disclosures to enforcement bodies for enforcement-related purposes
- that information may be disclosed to overseas recipients (that is, overseas creditors or overseas law enforcement bodies) in certain circumstances. Specific overseas recipients are not identified.
4.33 After initially registering for a user account, clients are advised to complete registration by completing their POI verification online. Clients are advised that if they do not complete the POI process they can draft and save applications using the OS system but they will be unable to submit them.
4.34 Clients are also provided with links to more information about AFSA’s POI process available on its website. This information details:
- AFSA’s reasons for conducting POI on its clients
- accepted POI documents clients can use to complete their POI check
- the alternate manual POI process clients can use if electronic POI is unsuccessful.
4.35 When clients select the POI document type they want to use at the start of the POI process on AFSA’s POI system, the following is displayed at the bottom of the screen:
By proceeding you consent to information provided as evidence of your identity being checked with the document issuing agency.
4.36 Prior to submitting document details for verification, clients are required to confirm that the identity document they are verifying is theirs and that the user account registered in the name they have provided is for their use only.
4.37 The OAIC holds the view that APP 5 notification may be provided in layers. For example, brief privacy notices on forms may be supplemented by longer notices made available online.
4.39 The assessors considered that AFSA’s collection of clients’ POI information was not likely to be required or authorised by or under specific AFSA legislation, such as the Bankruptcy Act. Rather, the collection of DVS related personal information appeared to be for the specific purpose of identity verification, which (if successful) would then provide AFSA with the opportunity to collect personal information from the individual, including information that may be required or authorised under specific AFSA legislation. As such, the assessors considered the current POI notification was appropriate, and should not have to state (in line with the requirements of APP 5.2(c) and the DVS usage terms and conditions) whether the collection of POI information was required or authorised by specific AFSA legislation.
4.42 Notwithstanding this, the assessors consider that AFSA has taken reasonable steps to notify clients using its POI systems of the matters required under APP 5.2. The assessors also consider that AFSA obtains clients’ consent to their details being verified and informs them that their details are being collected to confirm the integrity of the identifying information and may be checked with the issuing agencies, in accordance with its obligations as a DVS user.
4.43 The assessors did not identify any particular privacy risks regarding the notification AFSA provides to clients when collecting DVS related personal information and do not make any privacy recommendations in relation to this aspect of the assessment.
APP 11 — security and retention
4.44 APP 11.1 states that entities that hold personal information must take steps that are reasonable in the circumstances to protect the personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure.
4.45 Generally, security safeguards and measures to protect personal information as required under APP 11.1 should manage the following areas:
governance: entities should establish clear procedures and lines of authority for decisions regarding information security. All entities, especially those that manage large and complex projects involving the handling of personal information, should have effective governance processes to ensure information security is consistently maintained.
policies and procedures: privacy and information security protections have the best chance of being effective if they are integrated into an entity’s internal practices and procedures. Entities should document internal practices and procedures that they use to protect personal information.
Information and Communication Technology (ICT): effective ICT security requires protecting both computer hardware and the data it holds.
access security: access security and monitoring controls help entities protect themselves against internal and external risks by ensuring that personal information is only accessed by authorised persons.
physical security: entities should consider what steps, if any, are necessary to ensure that physical copies of records containing personal information are secured appropriately.
staff training: it is important that all staff members (including contractors and service providers) understand their general APP obligations and what constitutes good information handling and security practices. Privacy training helps AFSA staff to identify and avoid practices that may breach AFSA’s privacy obligations.
4.46 APP 11.2 requires APP entities to take reasonable steps to destroy or de-identify personal information they are no longer using, unless certain exceptions apply. One of these exceptions is where the personal information is part of a Commonwealth record.
4.47 What constitutes reasonable steps for the purposes of APP 11 will depend upon circumstances that include the amount and sensitivity of personal information held, the nature of the entity, possible adverse consequences to individuals, entities’ information handling practices and whether a security measure is itself privacy invasive.
Observations — Governance
4.48 AFSA developed a Proof of Identity Security Risk Management Plan to assess the risks arising from the implementation of the POI system and identify any appropriate mitigation strategies. This plan was certified by AFSA’s Chief Information Security Officer.
4.49 AFSA advised that its risk management plans are re-accredited every 12 months.
4.50 AFSA advised it is subject to a number of internal and external audits. For example, it advised that the Australian National Audit Office recently reviewed its information security systems.
4.51 AFSA also has an Audit Committee that determines AFSA’s internal audit plan. Recently, AFSA engaged a third party to review its systems, including privileged user account access.
4.52 AFSA advised it has not completed a privacy impact assessment (PIA) of the POI system it developed and uses to collect DVS related personal information.
4.54 AFSA advised it has not received any complaints to date about its use of the DVS or collection of clients’ DVS related personal information.
Observations — Policies and procedures
4.55 All of AFSA’s policies and procedural documents are made available to staff through its intranet.
Information security policies and procedures
4.56 AFSA appears to have detailed policy and procedural documents regarding how staff members are to handle information security and the processes for dealing with system issues including staff role responsibilities. Examples of these AFSA documents are:
Information security policy (ISP), which sets out AFSA’s overarching information security approach such as its system accreditation process.
The assessors note that paragraph 7.4 of AFSA’s ISP advises staff that they must comply with the Privacy Act, which applies to the ‘gathering, securing and dissemination of personal data via any media....’
Further information is stated to be provided in the User standard operating procedure documents, which describe the security responsibilities of system users.
The assessors note that paragraph 7.4 of the ISP needs to be updated as it refers to amendments from 2000 and 2004 rather than 2014.
ICT Change Management Process Reference Guide, which details AFSA’s change management process and the responsibilities of different roles.
ICT Incident Management Process Reference Guide, which details the process for handling incidents that AFSA’s internal areas and external clients are experiencing with its systems (which may include the POI system).
ICT Request Fulfilment Process Reference Guide, which sets out approval processes to ensure that service requests for AFSA’s ICT services are fulfilled following the appropriate governance structure.
4.57 AFSA advised the assessors that any issues with the POI system are handled in accordance with AFSA’s set procedures including the incident management process. This results in any POI system issues being escalated to the appropriate staff to address.
4.58 AFSA also has detailed policy and procedural documents for its NSC staff about the OS and POI system to enable them to provide appropriate assistance to clients.
4.59 The assessors note in particular that NSC staff have a Client ID Matrix that sets out the identity requirements clients need to fulfil when calling over the phone, or submitting written requests, about different issues such as unlocking a DVS POI document. The matrix also provides links to detailed process information.
4.60 Where clients require NSC staff to unlock a DVS POI document, the matrix indicates staff are to confirm clients’ particular username and the associated full name. The assessors note that these criteria are likely sufficient in the circumstances for security purposes because at this point in the process clients would not have verified their identity and would only have created their user account including their username and password.
Observations — Access security
4.61 Access to AFSA’s POI system and DVS related personal information is subject to defined security roles and responsibilities controls.
4.62 AFSA staff members are given access to the POI system only if required for their roles and their levels of access are also limited according to their specific role requirements.
4.63 For example, as mentioned above, NSC staff are able to view the information on the ‘DVS Verification Request’ screen and activate the lock override for a locked POI document. However, NSC staff cannot access any other parts of the POI system or input any information into the system.
4.64 AFSA advised that only Database Administrators (currently four staff) and Domain Administrators (currently 15 staff) have full access to the POI system and the associated information.
4.65 These staff members possess security clearances of ‘negative vetting 1’, which means they are cleared to access classified information/resources up to and including documents that have a ‘SECRET’ classification.
4.66 AFSA advised that its POI system and DVS related personal information are not accessible remotely except by the four Database Administrators.
4.67 AFSA’s User Access Management Process Reference Guide (UAM guide) sets out the general processes for providing required systems access for all new staff members, managing system access changes required when a staff member moves within AFSA and what should occur when a staff member leaves AFSA.
4.68 AFSA’s Cessation Clearance form indicates that a leaving staff member’s supervisor should complete the form two to four weeks prior to the staff member’s last day of work. By submitting this completed form, Human Resources and the security area are notified of the staff member’s employment end. These areas then remove the staff member’s accesses as appropriate.
4.69 However, there does not appear to be explicit information in the UAM guide that sets out the timeframes for when actions need to be completed, especially regarding staff who are leaving AFSA. AFSA may wish to take steps to ensure that staff are aware of the timeframe for when the Cessation Clearance form needs to be submitted prior to staff members’ last day. This will ensure that departing staff members’ accesses such as any access to AFSA’s POI system are revoked at the earliest possible appropriate time.
Access logs and monitoring
4.70 Staff are required to log into AFSA’s system via AFSA’s ‘Active Directory’ system using their own username and password. AFSA keeps access logs for all of its systems.
4.71 Due to the wide ranging access that Database Administrators are given to AFSA systems due to the nature of their roles, their access logs are subjected to monthly monitoring. This is to ensure they are only accessing and using AFSA’s systems for proper purposes. This monitoring is conducted by an AFSA staff member who is independent from the Database Administrators.
4.72 AFSA also advised that it undertakes audits every six months on ‘privileged user’ accounts and their access to AFSA’s systems (to ensure that the access grants are still appropriate).
4.73 AFSA has advised that it is currently undertaking a project to implement automated monitoring of its systems including access logs.
Observations — ICT security
4.74 AFSA advised that information that is transferred between the DVS and POI systems as well as between the POI system and the HUB is encrypted.
4.75 AFSA advised that it had not undertaken penetration or vulnerability testing of its POI system at the time of the assessment. However, it has scheduled these as part of a future testing cycle, due to be held in January 2015.
4.76 AFSA has a number of appropriate strategies and limits in place to protect the POI system against phishing and external attacks.
4.77 The AFSA system also automatically logs a user out if there is no activity on the account for a specified and appropriate period of time.
4.78 AFSA staff members’ computer screens also have an automatic screen lockout feature after a specified and appropriate period of inactivity.
4.79 AFSA advised that staff members are only allowed to use official AFSA USBs (which are encrypted) in AFSA computers. AFSA has detection software that blocks any data download onto unauthorised USBs.
4.80 AFSA advised that there had been no DVS related security incidences from December 2013 to the time of the assessment fieldwork period.
Observations — Physical Security
4.81 The assessors observed that AFSA’s head office premises are a secure premises where swipe card access is required at the entry doors. AFSA staff are advised not to ‘tailgate’ at entry points. Visitors are required to sign in prior to being escorted into AFSA’s offices.
4.82 AFSA advised that this is the same for all of its other four office sites. Each site also has a nominated site security officer.
4.83 AFSA advised that staff are subject to police checks prior to starting work at AFSA.
4.84 AFSA advised that the database that holds DVS related personal information is stored offsite within the AFSA portfolio agency’s (AGD’s) ‘zone four’ certified secure premises.
4.85 AFSA advised that no DVS related personal information is recorded in hard copy form.
Observations — Staff training and awareness
4.86 AFSA advised that face to face information security training for staff is provided annually and that all training completed is recorded in AFSA’s systems. Information security training includes reference to how documents should be kept in lockable cabinets. There is no specific privacy training provided in the information security training.
4.89 AFSA advised that all areas of AFSA can approach the PCO for assistance about any privacy issues. Staff can also request assistance by sending an email to the privacy mailbox (firstname.lastname@example.org) that is available for both internal and external stakeholders.
4.90 AFSA also has a number of privacy related resources available to staff on its intranet. This includes a Privacy Amendments: Training module. This module has three sections:
- Key points about the 2014 privacy reforms with links to additional resources
- Australian Privacy Principles — How do they apply to AFSA?
- FAQs on some of the APPs most regularly encountered by AFSA staff.
4.91 This training appears to adequately cover AFSA staff members’ APP obligations.
Observations — Retention
4.92 AFSA advised that it does not destroy its DVS related audit logs. AFSA has only been collecting these audit logs since it commenced using the DVS in December 2013.
4.93 AFSA also advised that it destroys DVS related personal information in accordance with its Records Authority and the Archives Act 1983 (Cth) (the Archives Act). As such, as it classifies DVS related personal information as included in the category of ‘Official Receiver Administration — Issuing Notices’, these records should be destroyed seven years after the completion of the associated action.
4.94 The DVS related personal information records collected by AFSA in the audit logs are most likely considered to be ‘Commonwealth records’ as defined in s 6(1) of the Archives Act. As such, the destruction requirements of APP 11.2 are unlikely to apply to these records. Assessors note that it is good privacy practice to only hold personal information for as long as is necessary or required under applicable law.
4.95 The assessors did not identify any particular privacy risks relating to AFSA’s handling of DVS related personal information in line with APP 11, which warrant any specific recommendations. However, we have provided some comments for AFSA’s consideration below.
4.96 AFSA may consider including more detailed information about staff members’ privacy obligations in the induction training package it provides to new starters and in the annual information security training it provides all staff. This would increase staff members understanding of their privacy obligations and further lower any risks of staff handling DVS related personal information improperly.
4.97 Further, while the assessors note that a PIA is not a specific requirement of the Privacy Act, it can assist entities to identify any privacy risks (including information security risks) and inform the reasonable steps that are needed to protect the personal information they hold. Further, if a complaint about AFSA’s collection and use of DVS related personal information was to ever arise, depending upon the circumstances, undertaking and implementing the recommendations in a PIA to mitigate privacy risks could be viewed as a reasonable step taken to protect that personal information in accordance with APP 11.1.
4.98 AFSA may find the OAIC’s Guide to undertaking privacy impact assessments helpful as it looks to expand its use of the DVS in the future.
4.99 The assessors also note AFSA’s intention to undertake penetration and vulnerability testing of its POI system in January 2015 and consider that this would be highly beneficial for ensuring that DVS related personal information collected and stored is adequately protected.
4.100 The assessors acknowledge that AFSA’s POI system and collection and storage of DVS related personal information, as well as the de-identification/destruction requirements of APP 11.2, are recent developments.
4.101 While the APP 11.2 destruction and de-identification requirements do not apply to Commonwealth records, AFSA should be aware of its record disposal obligations and destroy DVS related personal information as soon as it can, in accordance with its obligations under the Archives Act.
Documents gathered pre-fieldwork:
- Proof of Identity Security Risk Management Plan
- Proof of Identity Solution Architecture
- Memorandum of understanding between the Commonwealth of Australia represented by the Attorney-General’s Department and Insolvency and Trustee Service Australia for participation as a user agency in the National Document Verification Service
- Monthly DVS reports to DVS manager for December 2013 to June 2014
- Diagram of ‘Roles and responsibilities in relation to the Document Verification Service’
- DVS training information including Trainer’s Guide R1.1, Re-Solve quiz R1.1, R1.1 training powerpoints, training schedules and attendance record.
- ‘Changes to the Privacy Act 1988 (Cth)’ extract from #6 of Insights@AFSA
- NSC guides for:
- DVS — Submit POI
- DVS — Unlock Identity Document
- DVS — Australian Visa
- DVS — Australian Citizenship Certificate
- Register for Online Services
- Assess Manual POI
- Accept Manual POI
- Assess, Move and Complete Manual POI
- Reject Manual POI.
Documents gathered post-fieldwork:
- AFSA organisational chart
- Information security policy
- AFSA ICT Services — Our Service Approach
- ICT Change Management Process Reference Guide
- ICT Incident Management Process Reference Guide
- ICT Request Fulfilment Process Reference Guide
- ICT Problem Management Process Reference Guide
- ICT Major Incident Management Process Reference Guide
- Records Authority — Insolvency and Trustee Service Australia
- User Access Management Reference Guide
- Cessation Clearance Form
- Work Instruction Cessation of User Accounts
- Knowledge Base Cessating User Access
- User Access Map
- Privacy Amendment: Training
- Screenshot of privacy training within AFSA’s induction training package
- Sample of AFSA’s DVS audit log.
 APP guidelines, para 3.19
 APP guidelines, para 3.16.
 For a list of identity documents and their associated points refer to Australian Financial Security Authority, Accepted identity documents, viewed 29 August 2014, Australian Financial Security Authority website <www.afsa.gov.au/online-services/register-as-an-individual/accepted-identity-documents#-br--list-of-primary-identity-documents-----points-required->.
 Australian Financial Security Authority, Terms and conditions, viewed 1 September 2014, Australian Financial Security Authority website <www.afsa.gov.au/about-us/corporate-information/about-this-site-1/terms-and-conditions>.
 Australian Financial Security Authority, Why is proof of identity needed?, viewed 1 September 2014, Australian Financial Security Authority website <www.afsa.gov.au/online-services/register-as-an-individual/why-is-proof-of-identity-needed>.
 APP guidelines, para 5.5.
 APP guidelines, para 5.28-5.33.
 APP guidelines, para 11.7.
 Australian Government Security Vetting Agency, Clearance subject FAQs, viewed 4 September 2014, Australian Government Security Vetting Agency website <www.defence.gov.au/agsva/clearance-subject-faqs.html>.
 For further information about premises certified as ‘zone four’ see Attorney-General’s Department, Physical security management guidelines — security zones and risk mitigation control measures, viewed 4 September 2014, Attorney-General’s Department website <www.protectivesecurity.gov.au/physicalsecurity/Pages/Supporting-Guidelines.aspx>.
 APP guidelines, para B.23-27.
Guide to undertaking privacy impact assessments, available at the Office of the Australian Information Commissioner’s website <www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-undertaking-privacy-impact-assessments>.