Publication date: 30 October 2019

Assessment undertaken: May 2017 
Draft report issued: November 2017
Final report issued: July 2019

Part 1: Executive summary

1.1 This report sets out the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the then Department of Immigration and Border Protection (DIBP) (now Department of Home Affairs), with respect to DIBP’s handling of Passenger Name Record (PNR) data, including European Union-sourced Passenger Name Record (EU PNR) data.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) and in accordance with the Memorandum of Understanding (MOU) between DIBP and the OAIC. The MOU reflects oversight and accountability arrangements contained in the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service (the EU Agreement).

1.3 The scope of this assessment includes a follow-up of four recommendations made in the OAIC’s 2015 assessment of the Australian Customs and Border Protection Service (ACBPS).[1] That assessment considered whether ACBPS’s handling of PNR data was consistent with its obligations under the Privacy Act, and in particular under Australian Privacy Principles (APPs) 6 and 11.

1.4 The current assessment also considers whether DIBP is destroying or de-identifying EU PNR data in accordance with its obligations under APP 11. In conducting this assessment, the OAIC has also had regard to DIBP’s obligations under the EU Agreement.

1.5 This assessment finds that:

  • DIBP has addressed recommendation 1 of the 2015 assessment report, in that the documents referred to in that recommendation no longer exist. However, the OAIC found minor errors in current DIBP policy documents that DIBP should rectify.
  • DIBP has addressed recommendation 2 from the 2015 assessment report, in that it has carried out internal audits relating to requests for PNR information. However, DIBP should develop policies and procedures setting out how and when these internal audits will be conducted and how recommendations arising from internal audits will be implemented.
  • DIBP has addressed recommendation 3 from the 2015 assessment report.
  • DIBP has not addressed recommendation 4 of the 2015 assessment report, however, DIBP advised that a case management system was in the early stages of development.
  • DIBP is generally taking reasonable steps under APP 11 with respect to the destruction and de-identification of EU PNR data.

1.6 The OAIC has made two recommendations to address medium privacy risks identified in this assessment. These recommendations and DIBP’s responses are set out in Part 4 of this report.

Part 2: Introduction

Background

2.1 The transfer of PNR data[2] to Australia is provided for under the Customs Act 1901 (Cth), and EU PNR data is governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service (ACBPS) (the EU Agreement).[3]

2.2 The Department of Immigration and Border Protection (DIBP) receives PNR data from an air carrier for a passenger’s air travel reservation for a flight to, from, or through Australia. This information includes, for example:

  • passenger names
  • all available contact information
  • dates of intended travel
  • date of reservation/issue of ticket
  • all available payment/billing information.[4]

2.3 Article 10, paragraph 1 of the EU Agreement provides that ACBPS’s (later DIBP—see paragraph 2.7 below) compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner. Article 10, paragraph 2 of the EU Agreement refers to arrangements for the Australian Information Commissioner to undertake regular formal audits of all aspects of ACBPS’s EU-sourced PNR data use, handling and access policies and procedures.

2.4 These oversight and accountability provisions under the EU Agreement have been implemented, in part, through a Memorandum of Understanding (MOU) between DIBP and the OAIC for the conduct of privacy assessments relating to DIBP’s handling of EU PNR data. Under this MOU, the OAIC is to conduct one assessment per financial year.

2.5 In 2015, the OAIC conducted an assessment of the ACBPS under s 33C(1)(a) of the Privacy Act 1988 (Cth).[5] That assessment considered whether ACBPS’s handling of PNR data was consistent with its obligations under the Privacy Act, and in particular under Australian Privacy Principles (APPs) 6 and 11. The APPs set out obligations around the handling of personal (including sensitive) information, such as PNR data. APP 6 outlines when an APP entity[6] may use or disclose personal information it holds. APP 11 requires an APP entity to take reasonable steps to secure personal information it holds, and to destroy or de-identify that personal information once it is no longer required.

2.6 The 2015 assessment report included four recommendations, which ACBPS accepted:

  • Recommendation 1—Review and update all relevant policy documents

    ACBPS should review and update all relevant documents (e.g. instructions and guidelines, manuals, standard operating procedures and training material) to ensure they accurately reflect current internal procedures for the handling of PNR data and current legislative requirements under the Privacy Act and the APPs.

  • Recommendation 2—Implement an audit or quality assurance program of stored Requests For Information (RFIs)

    ACBPS should implement a regular audit or quality assurance program of stored Requests For Information (RFI) to ensure that ACBPS is handling PNR data in accordance with the requirements of the APPs and the EU Agreement.

  • Recommendation 3—Update National Border Targeting Centre (NBTC) material to prevent unauthorised disclosures

    ACBPS should update material developed for partner Agency Liaison Officers (ALO) with an explicit statement that EU PNR data is not to be disclosed to the Australian Transactions and Reporting Analysis Centre (AUSTRAC), Department of Agriculture or the Department of Foreign Affairs and Trade’s (DFAT) Passport Office.

  • Recommendation 4—Implement a case management system or uniform template for recording disclosures by ALOs

    ACBPS should implement a case management system to log all disclosures by ALOs to their home agencies. In the absence of a case management system, ACBPS should create a standardised template for ALOs to record home agency disclosures and regularly monitor these logs for the purpose of verifying the accuracy and lawfulness of any disclosures.

2.7 ACBPS and the Department of Immigration and Border Protection were integrated by machinery of government changes into a single Department of Immigration and Border Protection (DIBP) on 1 July 2015. On 20 December 2017, subsequent to this assessment being conducted, the Department of Home Affairs was established and carries out the functions of the former DIBP.

Part 3: Findings

Updates to relevant policies and training material

Observations

3.1 In its response to recommendation 1 of the 2015 assessment report, ACBPS noted that an update to all policy documentation was in progress following the merger of ACBPS and DIBP in July 2015.

3.2 As part of the current assessment, the OAIC asked DIBP to advise on the status of the documents that were provided for the 2015 assessment. DIBP advised that all documents have been either updated, replaced, or made obsolete following the merger.

3.3 In the 2015 assessment report, the OAIC identified three specific documents that contained conflicting, outdated or inaccurate descriptions of ACBPS internal practices or legislative requirements. These documents were:

  • Disclosure to Foreign Countries, Instrumentalities or Agencies of a Foreign Country and international organisations, Instruction and Guideline
  • Passenger Name Record, Intelligence Division, Instruction Manual (2014)
  • Guidelines for disclosure of ACBPS official information under section 16.

3.4 DIBP has advised that each of these documents from the 2015 assessment is no longer in use following the 2015 merger.

3.5 The OAIC noted some inconsistencies and inaccuracies in the following documents that were provided by DIBP for this assessment:

  • the PNR Control Framework contains (at page 52) an outdated reference to ‘IPP2’[7]
  • the document s 64AF standard operating procedure—authorisation process refers (at page 1) to the National Border Targeting Centre (NBTC), which is now named the Border Intelligence Fusion Centre (BIFC)
  • the document Solution Requirements Elaboration—PNR Data Retention for the Enhanced Passenger Assessment and Clearance Program 2 (EPAC2) refers (e.g. at page 12) to the NBTC and ACBPS, rather than the BIFC and DIBP.

3.6 To assess DIBP’s implementation of recommendation 3 in the 2015 assessment report, the OAIC viewed the PNR legislation and policy eLearning training module that staff must complete before they can be registered as officers authorised to access PNR data. This module outlines the process by which DIBP receives, uses and discloses PNR data, including obligations under Australian law and the specific obligations for EU PNR data in the EU Agreement. This module includes a list of specific agencies to which disclosures of EU PNR data may be made, reflecting the agencies listed in annex 2 of the EU Agreement. DIBP also advised the OAIC that on-the-job training at the BIFC helped to reduce the risk of improper disclosures of PNR data.

Analysis

3.7 Recommendations 1 and 3 of the 2015 assessment report related to DIBP’s policies and training material.

3.8 Recommendation 1 in the 2015 assessment report noted that ACBPS should review and update all relevant policy documents to ensure they accurately reflected both the internal procedures for the handling of PNR data, as well as current legislative requirements under the Privacy Act.

3.9 This recommendation was aimed at mitigating the medium risk presented by outdated references to internal procedures or legislation, which may result in a use or disclosure of personal information in breach of APP 6. Outdated policies and procedures may also represent a risk that DIBP is not meeting its obligations under APP 11 (discussed below).

3.10 For the purposes of APP 11, DIBP should document the internal practices, procedures and systems that it uses to protect personal information. DIBP should also regularly review and update these documents to ensure they reflect DIBP’s current acts and practices.

3.11 Although the specific documents identified in the 2015 assessment report are no longer in use, the outdated legislative and internal references identified above demonstrate that some minor issues remain with ensuring all documents are regularly reviewed and updated, particularly after major legislative or internal changes. The OAIC considers that these errors represent a low risk that DIBP is not meeting its obligations under APP 11.

3.12 The OAIC therefore suggests that DIBP undertake regular reviews of its internal policies to ensure that they are accurate and up-to-date.

3.13 Additionally, even though it is outside the scope of this assessment, the OAIC notes that establishing and maintaining practices, procedures and systems that will ensure compliance with the APPs is also a requirement under APP 1.2. The OAIC’s APP Guidelines provide, as an example of such reasonable steps, a program of proactive review and audit of the adequacy and currency of practices, procedures and systems implemented under APP 1.2.[8]

3.14 Recommendation 3 in the 2015 assessment report stated that documents provided to ALOs should contain an explicit statement that ALOs from AUSTRAC, Department of Agriculture and DFAT’s Passport Office are not to disclose EU PNR data to their home agency.

3.15 This recommendation was intended to address a medium risk that ACBPS was not taking reasonable steps under APP 11 to protect EU PNR data because the documents developed for use by ALOs within the NBTC did not adequately identify or address the risk of unauthorised handling of EU PNR data. At the time of the 2015 assessment, ALOs served as representatives of their home agencies within the NBTC to assist with identifying high-risk international travellers and cargo. Although the EU Agreement allows DIBP to share EU PNR data with most of those home agencies, representatives from AUSTRAC, Department of Agriculture and DFAT’s Passport Office are not authorised to disclose EU PNR data to their home agencies.

3.16 The OAIC considers that the training material in the PNR legislation and policy eLearning module, coupled with on-the-job training, makes it sufficiently clear that EU PNR data is not to be disclosed to these agencies, addressing recommendation 3 in the 2015 assessment report.

3.17 However, the OAIC suggests that DIBP consider any further ways that the risks of improper disclosures could be reduced—for example, through software controls in a case management system (discussed below).

Internal audits of requests for PNR data

Observations

3.18 DIBP staff advised the OAIC of the following internal audits, being carried out by DIBP staff:

  • an audit (in progress at the time of this assessment) to determine whether the Department’s delegations (including the authorisation of officers under s 64AF(5) of the Customs Act 1901 (Cth) (Customs Act)) were being made appropriately
  • a 2015 audit of a sample of PNR RFIs to determine whether PNR data (including PNR data not sourced from the EU) was being accessed only by authorised officers under s 64AF of the Customs Act, and only for legitimate purposes
  • a planned 2017 audit, similar in scope and purpose to the 2015 audit referred to above.

3.19 The 2015 audit included a review of documents listing officers with access rights to PNR data against a master list of officers authorised under s 64AF, and an inspection of six RFIs covering a six-month period. The audit made four recommendations, including introducing an automated process with intrinsic checks and balances for accessing PNR data, increasing awareness and training about PNR handling obligations for officers and contractors, developing a standardised RFI template for all PNR requests, and conducting quarterly audits of s 64AF authorisation and system access. These recommendations were taken into consideration in the BIFC’s 2017 work plan, and DIBP advised the OAIC that the recommendations had been, or were in the process of being, implemented.

3.20 The OAIC was advised that no PNR RFI audit was conducted in 2016 due to resourcing issues within DIBP.

3.21 The OAIC noted the following arrangements from the information provided by DIBP in relation to its internal audit programs:

  • Control 53 of DIBP’s PNR Control Framework refers to a ‘quality assurance framework’ setting out a range of controls that are subject to review (e.g. through monitoring system access logs) and the team responsible for conducting the review
  • page 12 of the PNR Procedural Instruction states that the ‘PNR Policy section within the Intelligence Division is responsible for supporting operational work areas on the use of PNR data. PNR Policy is responsible for providing a level of assurance that the Department’s use of PNR data is compliant with applicable legislative and treaty obligations’.

3.22 DIBP staff advised that an officer within DIBP’s PNR policy unit was responsible for considering and responding to recommendations arising from these audits. However, the documentation the OAIC received did not address future audit planning for PNR data, audit methodology, and how DIBP would respond to audit findings or who within DIBP would have responsibility for ensuring audit findings were addressed.

Analysis

3.23 Recommendation 2 of the 2015 assessment report was that DIBP implement a regular audit or quality assurance program of stored RFIs to ensure that EU PNR data was being handled in accordance with the requirements of the APPs and the EU Agreement.

3.24 This recommendation addressed a risk of unauthorised use or disclosure of EU PNR data going undetected if stored RFIs were not regularly reviewed or monitored for compliance with APP 6 and the EU Agreement, and in turn a risk that reasonable steps were not being taken to secure EU PNR data in accordance with APP 11.

3.25 While DIBP conducted an audit in 2015, DIBP should continue to audit the access, use and disclosure of PNR data and determine the scope, methodology and frequency of these audits based on the magnitude of the risks.

3.26 As noted above, the OAIC received limited information about the audit methodology and responsibilities within DIBP. The OAIC recommends that DIBP develop such documentation (possibly through updates to existing documentation). This may help to ensure that DIBP’s internal audits relating to EU PNR are as effective as possible.

Recommendation 1

DIBP should develop policies and procedures for its internal audits relating to PNR data. This could involve updating, clarifying or expanding existing documentation. These policies should set out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.

Disclosure logging

Observations

3.27 This assessment considered DIBP’s arrangements around logging the disclosure of EU PNR information by authorised officers to their home agencies, in order to determine whether DIBP had implemented a case management system or a uniform RFI disclosure template in accordance with recommendation 4 of the 2015 assessment report.

3.28 DIBP staff advised the OAIC of several software systems currently in development. One project, titled ‘Connected Information Environment’ (CIE), would consolidate the various data sources used by DIBP’s Intelligence Services Branch. This system would replace current arrangements, which, DIBP advised, require an analyst to log in to up to nine different systems to collect information, so that processing an RFI can take up to 45 minutes. The CIE would include functions to ensure compliance with relevant access and usage requirements. For example, access to information would be granted or denied based on the user’s role and authorisations.

3.29 As well as the CIE, DIBP advised the OAIC of a second project, titled ‘Intelligence Management Capability’ (IMC), which would be used to manage PNR RFIs as well as the information life cycle. The IMC would include case management functions. This project had not received funding at the time of this assessment, with priority being given to the CIE.

3.30 Until the IMC is implemented, DIBP is making use of a SharePoint system to record RFIs and disclosures of PNR data. However, the OAIC understands that the SharePoint system does not have the full functionality of a case management system. For example, the SharePoint system does not allow for case allocation, task tracking, or other functions that might be found in a case management system.

3.31 DIBP staff also advised that email could be used to track RFIs and PNR disclosures, as all RFIs and disclosures are expected to be made through a dedicated email system. Emails are marked with different flags, including a flag to indicate that the email contains PNR data.

3.32 DIBP has developed templates for authorised officers to use in their email responses to PNR RFIs, but DIBP could not confirm that the templates are routinely used.

3.33 The templates include one of two disclosure caveats, depending on whether the response includes EU PNR data. The EU PNR caveat identifies the purpose limitation in article 3 of the EU Agreement, being that EU PNR data may only be used for detecting, investigating and prosecuting terrorist offences or serious transnational crime as described in the PNR agreement.

3.34 DIBP advised that all outgoing emails containing EU PNR data, even those that do not use the template to respond to an RFI, are sent with an EU PNR caveat. This caveat prominently states that the email contains EU PNR data and provides additional information about requirements for handling such data under the EU Agreement and the Privacy Act. The OAIC notes that of the six random PNR RFI samples reviewed for the 2015 DIBP PNR internal audit, all contained the correct PNR disclosure caveat.

Analysis

3.35 Recommendation 4 of the 2015 assessment report was that ACBPS should introduce a case management system to maintain logs of EU PNR disclosures. At the time of the 2015 assessment, no such case management system was in place. ACBPS policies instead required each partner agency ALO to maintain a log of disclosures. The OAIC considered that the lack of a case management system presented a medium risk that unauthorised disclosures were going undetected. In reaching this conclusion, the OAIC at the time had regard to article 17(1) of the EU Agreement:

All processing, including accessing and consulting or transfer of PNR data as well as requests for PNR data by the authorities of Australia or third countries, even if refused, shall be logged or documented by the Australian Customs and Border Protection Service for the purpose of verification of lawfulness of the data processing, self-monitoring and ensuring appropriate data integrity and security of data processing.

3.36 DIBP advised the OAIC that recommendation 4 has not been implemented. However, it appears that DIBP is taking steps towards implementing a case management system in the IMC. The IMC appears to be in early stages of development, which the OAIC understands to reflect competing priorities and resourcing constraints within DIBP.

3.37 At the time of this assessment, however, it appears that DIBP lacks an appropriate case management system that would allow DIBP to maintain logs of EU PNR disclosures in a systematic and consistent manner. The use of emails and the SharePoint system to manage RFIs and disclosures appears to require greater human intervention than a case management system and may not be as readily auditable as a case management system. This continues to represent a risk of DIBP failing to take reasonable steps to secure EU PNR data under APP 11. The OAIC restates its recommendation that DIBP implement a case management system, whether this system is the IMC or an alternative case management system.

3.38 The reasonable steps to secure personal information required by APP 11 could include the conduct of a privacy impact assessment (PIA). A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. Completing a PIA may assist in clarifying the personal information that the project may affect, and help to mitigate any ensuing privacy risks.[9] DIBP’s Privacy Management Plan also requires that the Privacy and Reviews section be consulted on any project involving the handling of personal information to determine whether a PIA is necessary.

3.39 A PIA is ideally conducted at the early stages of a new project. This can help to ensure that privacy is taken into account as the system is developed (known as ‘privacy by design’) rather than requiring the system to be redesigned at a later stage to satisfy relevant privacy obligations—a potentially costly and time-consuming undertaking. Conducting a PIA of the IMC system (or other case management system) at the early stages of its development may assist DIBP in identifying and mitigating any privacy risks.

3.40 The OAIC has published the Guide to undertaking privacy impact assessments,[10] which may be of assistance in considering future PIAs. Additionally, the OAIC has released an online PIA eLearning tool[11] which aims to better equip organisations with the tools to conduct an in-house assessment.

Recommendation 2

DIBP should implement a case management system to log all disclosures by authorised officers to their home agencies. DIBP should also undertake a privacy impact assessment (PIA) of the case management system. Ideally, the PIA should be undertaken in the early stages of development of the system.

Destruction and de-identification of EU PNR data

Background

3.41 APP 11.2 requires an APP entity to take reasonable steps in the circumstances to destroy personal information that it holds about an individual or to ensure that the information is de-identified, if:

  • the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under the APPs
  • the information is not contained in a Commonwealth record[12]
  • the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information.

3.42 Along with DIBP’s destruction and de-identification obligations under APP 11.2, the OAIC has had regard to the requirements of the EU Agreement, and in particular article 16.

3.43 Article 16(1) of the EU Agreement sets requirements around DIBP’s retention of EU PNR data:

  • from its initial receipt to three years, EU PNR data is to be retained and accessible only to persons authorised by the CEO of ACBPS (now the Australian Border Force Commissioner)[13]
  • from three years to five and a half years after initial receipt, EU PNR data is to be retained in a depersonalised form and accessible only to persons authorised by the CEO of ACBPS, with full access to depersonalised EU PNR data permitted only if it is necessary to carry out investigations related to terrorist offences or serious transnational crimes.[14]

3.44 Under article 16(2), depersonalisation is to be achieved by masking out the following data:

  • name(s)
  • other names on PNR, including number of travellers on PNR
  • all available contact information
  • general remarks to the extent that these contain any information capable of identifying a natural person
  • advanced passenger processing or advance passenger information data to the extent that it contains any information capable of identifying a natural person.[15]

3.45 Notwithstanding these requirements, EU PNR data required for a specific investigation, prosecution or enforcement of penalties for terrorist offences or serious transnational crime may be retained for that purpose.[16]

3.46 Once the specified retention period expires, EU PNR data is to be permanently deleted.[17]

Observations

3.47 As reported by DIBP staff during the assessment, and as set out in the PNR Control Framework document viewed by the OAIC, an enterprise data warehouse (EDW) houses the PNR data store, which is the primary storage location of EU PNR data. EU PNR data from the PNR data store is backed up on a regular basis.

3.48 EU PNR data is also stored in a number of other systems. These include:

  • transient storage in a range of PNR system capabilities, such as:
    • the Customs Connect Facility: the point through which airline data passes
    • the Enhanced Traveller View: a temporary data store that enriches PNR data with additional traveller data from existing stores.

    DIBP staff advised that the length of time EU PNR data is stored in these other systems varies but is generally in the order of two weeks to a month.

  • the Alerts Management System: stores elements of incoming PNR data to generate PNR Watchlist notifications each time an alert match occurs. Results also feed back into the PNR data store. Any matches created within this system are deleted within three years after the initial match
  • the Advanced Analytics’ Sandbox: stores PNR data from the EDW while that data is the subject of analytical modelling activities. DIBP advised that all PNR data is automatically deleted within 30 days
  • the Border Risk Engine: a profiling tool that feeds results back into the PNR data store
  • the email system: used to make disclosures to partner agencies. RFIs are received in emails, and responses are sent as emails (with EU PNR data either in the body of the email or as an attachment). Responses containing EU PNR data include a caveat stating that the email contains EU PNR data and setting out the limits on use and disclosure of that data. DIBP advised that sent emails are not deleted from the Tactical Intelligence Group mailbox. Additionally, DIBP advised that it does not undertake any activities to provide assurance that partner agencies are deleting EU PNR data once it is no longer required
  • the MTF message logging system: a tool to track, monitor and log PNR data once it arrives at the Customs Connect Facility. DIBP advised that data is removed from this system after two weeks.

3.49 For the purposes of this assessment, the OAIC focussed on the destruction and de-identification of EU PNR data housed in the PNR data store. However, the OAIC notes that the requirements of APP 11 would generally apply to any personal information held by DIBP, and this could include personal information held in these other systems.

3.50 Access to PNR data held in the PNR data store is managed through database ‘views’. An end user can only see the information that they are authorised to access. Through the use of ‘views’, DIBP is able to maintain a single database of PNR data while ensuring that specified information is not displayed to an unauthorised end user.

3.51 The mechanisms DIBP uses to meet the depersonalisation and deletion requirements of the EU Agreement are documented in Solution Requirements Elaboration: PNR Data Retention (EPAC2/PG3/002), and include:

  • EU PNR records required for specific investigations (in accordance with article 16 of the EU Agreement) can be flagged by authorised users or through a rule-based automated process
  • on a nightly basis, an automated process identifies EU PNR data in the PNR data store that is over three years old and marks these records for depersonalisation (provided the data has not been flagged for an investigation)
  • on a nightly basis, an automated process identifies EU PNR data in the PNR data store that is over five and a half years old and deletes it (provided the data has not been flagged for an investigation)
  • access to EU PNR data marked for depersonalisation is restricted, through the use of database views, to particular groups of authorised users, based on those users’ roles and the requirements of the EU Agreement
  • once EU PNR data that has been flagged for investigation is no longer required for an investigation, the flag is removed.

3.52 This document also sets out requirements around logging and reporting of the depersonalisation and deletion processes.

3.53 The document TA001—Test Strategy: PNR data depersonalisation, sets out the responsibilities and methods used for testing that the depersonalisation processes are operating correctly. DIBP also provided the OAIC with examples of completed test documentation.

3.54 Destruction of information in backups of the EU PNR database relies on newer backups overwriting old backups. As live EU PNR data reaches five and a half years, it is ‘nulled’ in the database (i.e. the values in the record are removed). The database, containing the nulled records, is then backed up, overwriting the older, non-nulled data. DIBP advised that the frequency of backups means that a backup could potentially contain EU PNR data no more than one month past the five and a half year period.

3.55 DIBP advised that portable media (e.g. USB storage devices) could not be used in computers in the BIFC. This is supported by the DIBP Records Management Policy, which states (at page 8) that temporary storage solutions (such as USB storage devices) must not be used without prior approval from DIBP’s Information, Communication and Technology Division.

Analysis

PNR data that is a Commonwealth record (accessed data)

3.56 DIBP advised the OAIC that it considers any PNR data, including EU PNR data, which an authorised officer has accessed, to be a Commonwealth record. Therefore, the requirements of APP 11.2 do not apply to any such accessed PNR data; instead, DIBP must comply with the provisions of the Archives Act in relation to those Commonwealth records. DIBP’s obligations under the Archives Act are outside the scope of this assessment.

3.57 DIBP advised that an internal policy decision was made that the requirements of article 16 of the EU Agreement also do not apply to accessed EU PNR data. DIBP informed the EU of this policy decision in 2013.

PNR data that is not a Commonwealth record (raw data)

3.58 DIBP does not consider any raw PNR data within the PNR system, including EU PNR data, which an authorised officer has not accessed, to be a Commonwealth record. APP 11.2 applies to such data. For EU PNR data that has not been accessed by an authorised officer, the requirements of article 16 of the EU Agreement also apply.

Raw EU PNR data within the PNR system

3.59 In accordance with the requirements of article 16 of the EU Agreement, DIBP appears to be taking reasonable steps to mask out EU PNR data, by:

  • identifying, through nightly processes, data that should be masked out
  • limiting the users who may access this data.

3.60 In accordance with the requirements of article 16 of the EU Agreement and APP 11.2, DIBP appears to be taking reasonable steps to delete EU PNR data, by identifying, through nightly processes, data that should be deleted.

3.61 However, the OAIC notes that DIBP does not appear to have in place a process for positively verifying that EU PNR records older than five and a half years have been deleted. Although the nightly automated processes used for flagging and deleting EU PNR data generate reports, including the number of records deleted, positive verification (even if it is only undertaken once) could provide assurance to DIBP that the nightly processes and reporting mechanisms are working correctly.
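As an added illustration (not DIBP's code or schema; the table layout, field names, record values and reference date are all constructed), the nightly retention process described at 3.51, with the investigation-flag exception, the role-restricted database view, and the positive verification query that 3.61 notes is absent:

```python
import sqlite3
from datetime import datetime, timedelta

# Thresholds from the EU Agreement (art 16): mask out after 3 years, delete after 5.5.
DEPERSONALISE_AFTER = timedelta(days=3 * 365)
DELETE_AFTER = timedelta(days=int(5.5 * 365))
NOW = datetime(2019, 10, 30)  # constructed reference date for the sample run

def build_store(now):
    """Constructed sample PNR store (hypothetical schema, not DIBP's)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE pnr (id INTEGER PRIMARY KEY, source TEXT,
        received TEXT, passenger_name TEXT, depersonalised INTEGER DEFAULT 0,
        investigation_hold INTEGER DEFAULT 0)""")
    # Ordinary users see only records not marked for depersonalisation (3.51, bullet 3).
    db.execute("CREATE VIEW pnr_general_users AS SELECT id, source, received, "
               "passenger_name FROM pnr WHERE depersonalised = 0")
    rows = [  # (id, source, age in days, name, investigation_hold)
        (1, "EU", 100, "A. Traveller", 0),        # recent, untouched
        (2, "EU", 4 * 365, "B. Traveller", 0),    # over 3 years: mask out
        (3, "EU", 6 * 365, "C. Traveller", 0),    # over 5.5 years: delete
        (4, "EU", 6 * 365, "D. Traveller", 1),    # over 5.5 years but flagged: keep
        (5, "NONEU", 6 * 365, "E. Traveller", 0), # non-EU: not in scope of this job
    ]
    db.executemany("INSERT INTO pnr VALUES (?,?,?,?,0,?)",
                   [(i, s, (now - timedelta(days=d)).isoformat(), n, h)
                    for i, s, d, n, h in rows])
    return db

def nightly_job(db, now):
    """Null EU records past 5.5 years and mark EU records past 3 years, skipping
    anything flagged for an investigation. Returns the counts for the run report."""
    del_cut = (now - DELETE_AFTER).isoformat()
    dep_cut = (now - DEPERSONALISE_AFTER).isoformat()
    deleted = db.execute(
        "UPDATE pnr SET passenger_name = NULL, depersonalised = 1 WHERE source = 'EU' "
        "AND investigation_hold = 0 AND received < ?", (del_cut,)).rowcount
    marked = db.execute(
        "UPDATE pnr SET depersonalised = 1 WHERE source = 'EU' AND investigation_hold = 0 "
        "AND depersonalised = 0 AND received < ?", (dep_cut,)).rowcount
    db.commit()
    return {"marked": marked, "deleted": deleted}

def verify_retention(db, now):
    """Positive verification, independent of the job's own report: ids of unflagged
    EU records past the deletion threshold that still carry personal data."""
    del_cut = (now - DELETE_AFTER).isoformat()
    rows = db.execute(
        "SELECT id FROM pnr WHERE source = 'EU' AND investigation_hold = 0 "
        "AND received < ? AND passenger_name IS NOT NULL", (del_cut,)).fetchall()
    return [r[0] for r in rows]
```

Running verify_retention before and after nightly_job shows the difference between trusting the job's own count and checking the store directly, which is the assurance 3.61 describes.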

3.62 DIBP’s policy against the use of portable media helps to address the risk that EU PNR data may be disclosed without authorisation or persist outside the PNR data store.

3.63 The OAIC also considered whether DIBP is meeting its obligations under APP 11.2 in respect of the PNR data held in backups of the PNR data store.

3.64 The OAIC’s Guide to Securing Personal Information[18] provides further information about the reasonable steps that an entity could take to meet the destruction and de-identification requirements of APP 11.2. Relevantly, the reasonable steps to destroy information can include:

  • ‘sanitising’ hardware containing personal information in order to completely remove the stored personal information
  • destroying backups of personal information.

3.65 In determining reasonable steps for APP 11.2, consideration may also be given to relevant standards, and in particular the Australian Signals Directorate’s Australian Government Information Security Manual (ISM).[19]

3.66 Control 0354 of the ISM states that agencies must sanitise non-volatile magnetic data (e.g. hard drives or tape backups) by overwriting the media at least once (at least three times if there is less than 15 GB of data or the data is pre-2001) in its entirety with a random pattern, and read back for verification.

3.67 Whilst the OAIC does not conduct direct assessments or audits of compliance with the ISM, on the information provided to the OAIC, it is unclear whether DIBP’s practice of deleting backups of EU PNR data by overwriting them with new backups meets the requirements of control 0354 of the ISM.

3.68 DIBP informed the OAIC that it was advised by the contractor responsible for EDW backups that an IRAP assessment[20] was conducted in 2017, which included consideration of deletion.

3.69 DIBP may wish to consider whether its process of overwriting old backups with newer backups meets the requirements of APP 11, taking the ISM requirement into account.

Raw non-EU PNR data within the PNR system

3.70 The OAIC notes that de-identification and deletion of non-EU PNR data is outside the scope of this assessment. Documents provided to the OAIC indicate that DIBP does not use the same depersonalisation or deletion process for non-EU PNR data held in the PNR data store as it does for EU PNR data.

3.71 However, DIBP should also consider the OAIC’s comments above, in paragraphs 3.66-3.69 in relation to sanitisation and destruction of backups of PNR data in the context of non-EU PNR data within the PNR system that has not been accessed by an authorised officer.

EU PNR data that is outside of the PNR system

3.72 As noted at paragraph 3.48, DIBP advised that emails containing EU PNR data are not deleted from the Tactical Intelligence Group mailbox. DIBP has an internal policy decision paper that states that article 16 of the EU Agreement does not apply to PNR data outside of the PNR system, such as in emails or the MTF message logging system. However, APP 11.2 will generally apply to any PNR data, including EU PNR data, which sits outside of the PNR system and is not a Commonwealth record.

3.73 The handling of EU PNR data outside of the PNR system is outside the scope of this assessment. However, the OAIC suggests that DIBP review its handling of such data, including outgoing emails containing EU PNR data, to ensure that it is meeting its obligations under APP 11.2. In particular, the OAIC suggests that DIBP implement policies and procedures for the destruction of EU PNR data that exists outside of the PNR system, such as in emails, whilst also complying with any relevant Archives Act obligations in relation to that data.

3.74 The OAIC also suggests that DIBP consider its options for assuring itself that partner agencies are handling and deleting EU PNR data appropriately.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 DIBP should develop policies and procedures for its internal audits relating to PNR data. This could involve updating, clarifying or expanding existing documentation. These policies should set out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.

Response by DIBP to the recommendation

4.2 The Department accepts this recommendation.

Recommendation 2

OAIC recommendation

4.3 DIBP should implement a case management system to log all disclosures by authorised officers to their home agencies. DIBP should also undertake a privacy impact assessment (PIA) of the case management system. Ideally, the PIA should be undertaken in the early stages of development of the system.

Response by DIBP to the recommendation

4.4 The Department accepts this recommendation.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 The objectives of this assessment are to examine:

  • DIBP’s implementation of the OAIC’s recommendations in the 2015 assessment report
  • whether DIBP has in place reasonable steps to destroy or de-identify information, in accordance with APP 11.

5.2 In determining what constitutes ‘reasonable steps’ for the purposes of APP 11, the OAIC has regard to its Guide to securing personal information.[21] The OAIC also has regard to the EU Agreement, which includes requirements around security and depersonalisation[22] of EU PNR data.

Privacy risks

5.3 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.[23]

5.4 The OAIC has made two recommendations to address medium privacy risks identified during this assessment. A recommendation is a suggested course of action or a control measure that, in the opinion of the OAIC, will, if implemented by DIBP, minimise the privacy risks identified around DIBP’s handling of PNR data, including EU PNR data.

Timing, location and assessment techniques

5.5 The assessment of DIBP was risk based and focussed on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

5.6 The assessment involved the following:

  • review of relevant policies and procedures provided by DIBP
  • fieldwork, which included interviewing key members of DIBP’s staff, at DIBP’s offices in Canberra on 24 May 2017
  • review of further documentation provided by DIBP after the fieldwork, up to 3 July 2017.

Reporting

5.7 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:
  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:
  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.
  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] The 2015 assessment report is published on the OAIC’s website: Passenger Name Records: New administrative arrangements — Australian Customs and Border Protection Service.

[2] Throughout this report, references to ‘PNR data’ are used when the context relates to all PNR data that DIBP handles, including EU PNR data. The term ‘EU PNR data’ is used where the context specifically relates to the handling of that subset of PNR data.

[3] Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, signed 29 September 2011, [2012] ATS 19, (entered into force 1 June 2012). Compliance with the EU Agreement by DIBP constitutes an adequate level of protection for EU PNR data for the purposes of the EU’s data protection law, allowing this data to be transferred from EU member states to Australia: Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service, [2008] OJ L 213/47.

[4] EU Agreement, Annex 1.

[5] The 2015 assessment report is published on the OAIC’s website: Passenger Name Records: New administrative arrangements — Australian Customs and Border Protection Service.

[6] ‘APP entity’ is defined in s 6(1) of the Privacy Act.

[7] The APPs superseded the Information Privacy Principles (IPPs) on 12 March 2014.

[8] APP Guidelines, 1.7.

[9] Guide to Securing Personal Information.

[10] Guide to Undertaking Privacy Impact Assessments.

[11] e-learning: Undertaking a privacy impact assessment.

[12] Archives Act 1983 (Cth), s 3.

[13] Art 16(1)(a). These authorisations are now provided by the Australian Border Force Commissioner (also known as the Comptroller of Customs), as per the Australian Border Force Act 2015 (Cth).

[14] Art 16(1)(b).

[15] Art 24(2) provides that the parties to the EU Agreement shall review its implementation at regular intervals, and that these reviews shall consider, in particular, the mechanism of masking out data in accordance with art 16(1)(b).

[16] Art 16(3).

[17] Art 16(4).

[18] Guide to Securing Personal Information.

[19] Australian Government Information Security Manual.

[20] Information Security Registered Assessors Program. For more information, see What is an IRAP Assessment?

[21] Guide to Securing Personal Information.

[22] The term ‘depersonalisation’ is used in the EU Agreement and relates to the ‘masking out’ of certain PNR elements three years after initial receipt of the PNR data (Art 16 EU Agreement).

[23] Guide to Privacy Regulatory Action.