Managing personal information – Passenger Name Records

8 July 2021

Part 1: Executive summary

1.1          This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Department of Home Affairs’ (Home Affairs) handling of personal information under the Privacy Act 1988 (Cth) (Privacy Act), conducted in November 2020.

1.2          The OAIC has previously conducted privacy assessments of Home Affairs’ handling of Passenger Name Record (PNR) data in accordance with Australian Privacy Principle (APP) 6 (use or disclosure of personal information) and APP 11 (security of personal information) in 2015, 2017 and 2018.

1.3          This assessment had two purposes:

  1. to follow up Home Affairs’ implementation of 2 recommendations made in the 2017 assessment and 5 recommendations made in the 2018 assessment.
  2. to consider Home Affairs’ handling of PNR data in accordance with its obligations under APP 1.2 (open and transparent management of personal information) and the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code).

1.4          The OAIC identified 9 medium privacy risks and 3 high privacy risks yielding 10 recommendations. The OAIC also made a number of suggestions to assist Home Affairs to further enhance its information handling practices. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A.

1.5          The assessment found that Home Affairs has made some progress towards implementing measures to mitigate privacy risks identified during the 2017 and 2018 assessments. However, the OAIC found that most of the actions to address the OAIC’s previous 7 recommendations have not been implemented, or have been only partially implemented. Specifically, 4 recommendations have not been implemented, 2 recommendations have been partly implemented, and one recommendation has been fully implemented.

1.6          In addition, the assessment identified new privacy risks in relation to Home Affairs’ management of personal information, specifically in relation to non-compliance with the Code and documenting its internal policies, practices and procedures.

1.7          Specifically, as a matter of high priority, the OAIC recommends Home Affairs:

  • implement the 2 recommendations from the 2017 assessment
  • implement recommendations from the 2018 assessment that have not been implemented or only partially implemented
  • provide mandatory annual refresher privacy training for all staff who have access to personal information
  • maintain and update the version of its PIA register published on its website in April 2021, and properly record all PIAs in its internal centralised register with a sufficient level of detail to ensure the accuracy of the published version
  • establish an inventory of personal information holdings and consider having the Privacy Officer maintain the record as an ongoing obligation.

1.8          The OAIC also recommends Home Affairs:

  • in response to one of the partially implemented recommendations from the 2018 assessment, undertake a privacy impact assessment for any future updates and changes to the Connected Information Environment platform or related systems, applications and capabilities which will involve new or changed ways of handling PNR data
  • regularly review and update existing privacy and PNR specific policies and procedures, finalise policies which are currently in draft form and develop those policies which are planned but not yet developed.

Part 2: Introduction

Background

2.1          The transfer of passenger name record (PNR) data[1] to Australia is permitted by the Customs Act 1901 (Cth) (Customs Act) and European Union (EU) PNR data is governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (ACBPS) (the EU Agreement).[2]

2.2          The ACBPS and the Department of Immigration and Border Protection were integrated by machinery of government changes into a single Department of Immigration and Border Protection (DIBP) on 1 July 2015. On 20 December 2017, the Department of Home Affairs (Home Affairs or the Department) was established and carries out the functions of the former DIBP.

2.3          Home Affairs receives EU PNR data from an air carrier when the information necessary for processing or controlling a passenger’s air travel reservation for a flight to, from, or through Australia, is processed in the EU. This information includes, for example:

  • passenger names
  • all available contact information
  • dates of intended travel
  • date of reservation/issue of ticket
  • all available payment/billing information.[3]

2.4          Article 10, paragraph 1 of the EU Agreement provides that ACBPS’s compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner. Article 10, paragraph 2 of the EU Agreement refers to arrangements for the Australian Information Commissioner to undertake regular formal audits of all aspects of ACBPS’s EU-sourced PNR data use, handling and access policies and procedures.

2.5          These oversight and accountability provisions under the EU Agreement have been implemented, in part, through a Memorandum of Understanding (MOU) between Home Affairs and the Office of the Australian Information Commissioner (OAIC) for the conduct of privacy assessments relating to Home Affairs’ handling of EU PNR data.

2.6          Several other provisions of the EU Agreement relate to privacy and security protections for EU PNR data, including storage requirements, retention periods, a right of access, disclosure of EU PNR data to other Australian government agencies, and a prohibition on the processing of any EU PNR data that contains sensitive data (as that term is defined in article 2(h) of the EU Agreement). Article 3 limits the use of EU PNR data ‘strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime.’

Previous PNR assessments of Home Affairs

2.7          In 2015, the OAIC conducted an assessment of the then ACBPS’s handling of PNR data (2015 assessment[4]), which considered ACBPS’s new administrative arrangements for the handling of PNR data and whether they were consistent with the requirements of Australian Privacy Principle (APP) 6 (use or disclosure of personal information) and APP 11 (security of personal information).

2.8          In 2017, the OAIC conducted an assessment of the then DIBP’s handling of PNR data (2017 assessment[5]) under APPs 6 and 11. The 2017 assessment included a follow-up of 4 recommendations made in the OAIC’s 2015 assessment of ACBPS and also considered whether DIBP was destroying or de-identifying PNR data in accordance with its obligations under APP 11. The OAIC found that a number of recommendations in the 2015 assessment had been addressed but made 2 additional recommendations to address medium privacy risks.

2.9          In 2018, the OAIC conducted an assessment of Home Affairs’ handling of PNR data (2018 assessment[6]) under APPs 6 and 11. The 2018 assessment examined the handling of PNR information in relation to the connected information environment (CIE) that Home Affairs was developing (at the time of the assessment) and has since implemented. The OAIC made 5 recommendations in the report to address medium privacy risks that were identified by the assessment.

Connected Information Environment (CIE)

2.10       The CIE is a platform used by Home Affairs that stores and supports many data products for a variety of business functions and activities, such as PNR data access. These products may access the same data within the CIE for different purposes and levels of detail.

2.11       One of the search capabilities within the CIE is the Single View of Entity (SVoE), which is designed to reduce the time it takes analysts within Home Affairs to conduct intelligence checks and risk assessments of entities. Home Affairs confirms that the SVoE does not, and will not, contain PNR data.

2.12       Due to the limitations that the EU Agreement imposes on Home Affairs regarding the use of EU PNR data, not all analysts have access to PNR data. Analysts who require access to PNR data must meet security clearance and training requirements before they are granted access, the process for which is explained later in this report.

Part 3: Findings

Our approach

3.1          The key findings of the OAIC’s assessment of Home Affairs’ handling of PNR data are set out below under the following headings:

  • Follow-up of previous OAIC assessments
  • Code obligations
  • Governance and training
  • Internal policies, practices and procedures
  • Handling of privacy complaints and enquiries
  • Information security and access controls.

3.2          For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from those observations, followed by recommendations or suggestions to address those risks.

3.3          The first part of this section provides an overview of Home Affairs’ implementation of the OAIC’s 2017 and 2018 assessment recommendations. Subsequent sections consider:

  • whether Home Affairs has implemented its obligations under the Australian Government Agencies Privacy Code[7] (the Code), which applies to all Australian Government agencies subject to the Privacy Act (except for Ministers). The Code is a binding legislative instrument under the Privacy Act and sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2
  • Home Affairs’ broader obligations under APP 1.2.

3.4          APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs, and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

3.5          For an entity to meet its obligations under APP 1.2, that entity must be proactive in establishing, implementing and maintaining privacy processes. This is an enduring obligation and necessitates good governance.

3.6          In considering the requirements related to APP 1.2, the OAIC was guided by the Privacy Management Framework[8] and Chapter 1 of the APP Guidelines[9].

3.7          The Privacy Management Framework details steps that Home Affairs is expected to take to meet its ongoing compliance obligations under APP 1.2. This includes governance around Home Affairs’ ICT security and access controls where relevant.[10]

3.8          Where appropriate, the OAIC also had regard to the terms of the EU Agreement.

Follow-up of previous OAIC assessments

Implementation of 2017 assessment recommendations

3.9          The table below lists recommendations the OAIC made in the 2017 assessment, whether Home Affairs has implemented each recommendation and which sections of this report provide further information. In summary, the OAIC notes that none of the recommendations from the 2017 assessment have been implemented by Home Affairs.

The OAIC’s 2017 Recommendations, whether each recommendation has been implemented (Yes, Partial or No) and the paragraph(s) of this report providing further analysis:

  1. DIBP should develop policies and procedures for its internal audits relating to PNR data. This could involve updating, clarifying or expanding existing documentation. These policies should set out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.
     Recommendation implemented: No. For further analysis, see paragraphs 3.10-3.13.

  2. DIBP should implement a case management system to log all disclosures by authorised officers to their home agencies. DIBP should also undertake a privacy impact assessment (PIA) of the case management system. Ideally, the PIA should be undertaken in the early stages of development of the system.
     Recommendation implemented: No. For further analysis, see paragraphs 3.14-3.16.

Policies and procedures for its internal audits relating to PNR data

3.10      Recommendation 1 from the 2017 assessment has not been implemented. Home Affairs advised the OAIC that it has not developed policies and procedures governing regular internal sample testing audits of PNR ‘Request for Information’ (RFI) disclosures to other agencies, setting out the audit program’s frequency, scope and methodology. Furthermore, during the fieldwork for this assessment the OAIC was also advised that Home Affairs has not conducted an internal quarterly sample audit of PNR RFIs since 2017.

3.11      The OAIC was advised that when Home Affairs discloses information to another agency, the disclosure is documented for record keeping purposes to justify the reason for the disclosure and to trace the information if there is a data breach linked to another government agency.

3.12      During the 2017 assessment, the OAIC received limited information about the audit methodology and responsibilities for the audits within DIBP (now Home Affairs). This raised the medium privacy risk that the internal sample audits of PNR RFIs would not occur on a regular basis and would not be effective at identifying unauthorised disclosures of PNR data. Consequently, the 2017 assessment recommended that the Department develop policies and procedures for its internal audits relating to PNR data setting out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.

3.13      The medium privacy risk identified by the OAIC in the 2017 assessment has been realised, given that no internal quality sample audits of PNR RFI’s have been undertaken since that time. As a matter of high priority, the OAIC recommends Home Affairs implement recommendation 1 of the OAIC’s 2017 assessment. In addition, the OAIC recommends that Home Affairs, as a matter of high priority, recommence regular internal sample audits of PNR RFI disclosures to other agencies.

3.14      Other PNR related policies and procedures are discussed further in the ‘Internal policies, practices and procedures’ section below.

Recommendation 1

As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2017 assessment recommendation to:

  • develop policies and procedures for its internal sample audits relating to PNR data ‘Request for Information’ (RFI) disclosures to other agencies. This could involve updating, clarifying or expanding existing documentation. These policies should set out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.

The OAIC also recommends that Home Affairs, as a high priority, recommence regular internal sample audits of PNR RFI disclosures to other agencies.

Case management system

3.15      Recommendation 2 from the 2017 assessment has not been implemented. Home Affairs advised the OAIC that it has not implemented a case management system to log all disclosures by authorised officers to their home agencies and as a result had also not undertaken a PIA of the case management system. However, it appears that Home Affairs is taking preliminary steps towards implementing such a system. During the fieldwork for this assessment, the OAIC was advised that Home Affairs has implemented an interim portal for logging disclosures with the longer-term view to introduce a case management system that will leverage an existing system.

3.16      In both the 2015 and 2017 assessments, the OAIC considered that the lack of a case management system presented a medium privacy risk that unauthorised disclosures of PNR data were going undetected and had regard to Article 17(1) of the EU Agreement in reaching this conclusion[11]. A case management system would allow Home Affairs to maintain logs of PNR data disclosures in a systematic and consistent manner and allow for disclosures to be readily auditable.

3.17      As a matter of high priority, the OAIC recommends Home Affairs implement Recommendation 2 from the 2017 assessment. This system may leverage the existing systems or be an alternative system, provided it can maintain logs of PNR data disclosures in a systematic and consistent manner and is readily auditable. The OAIC also recommends that Home Affairs undertake a privacy threshold assessment (PTA) and, if necessary, a PIA of the case management system in the early stages of its design and development.

Recommendation 2

As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2017 assessment recommendation to:

  • implement a case management system to log all disclosures of PNR data by authorised officers to their home agencies. This system may leverage the existing systems or be an alternative system, provided it can maintain logs of PNR data disclosures in a systematic and consistent manner and is readily auditable
  • undertake a privacy threshold assessment (and, if necessary, a privacy impact assessment) of the case management system in the early stages of its design and development.

Implementation of 2018 assessment recommendations

3.18      The table below lists recommendations the OAIC made in the 2018 assessment, whether Home Affairs has implemented each recommendation and which sections of this report provide further information. In summary, the OAIC notes that while some progress has been made toward mitigating privacy risks identified in the 2018 assessment, most of the recommendations have not been implemented or have only been partially implemented.

The OAIC’s 2018 Recommendations, whether each recommendation has been implemented (Yes, Partial or No) and the paragraph(s) of this report providing further analysis:

  1. Home Affairs conduct a privacy threshold assessment of the Connected Information Environment (CIE) and, if determined necessary, a privacy impact assessment, as soon as possible.
     Recommendation implemented: Partial. For further analysis, see paragraphs 3.18-3.21.

  2. Home Affairs:
     • continue to monitor and implement the risk treatments identified in the CIE Security Risk Assessment (SRA), including those that address mandatory ISM controls
     • document decisions not to implement mandatory ISM controls, including details of alternative approaches to managing the risks associated with non-compliance
     • identify new risks and treatment strategies as the CIE evolves.
     Recommendation implemented: Yes. For further analysis, see paragraphs 3.23-3.24.

  3. Home Affairs:
     • conduct regular proactive monitoring of audit logs, especially for PNR data
     • continue with implementing additional audit logging measures as identified in the SRA
     • continue with its planned automation of provisioning access to PNR data
     • implement multi-factor authentication (MFA) in accordance with ISM control 1173 or document a decision not to implement this control and include details of alternative approaches to managing the risks associated with non-implementation.
     Recommendation implemented: Partial. For further analysis, see paragraphs 3.26-3.32.

  4. Home Affairs implement appropriate measures to ensure third parties involved in the CIE, and in particular those involved in handling PNR data, meet their obligations under the Privacy Act. This should include explicitly incorporating privacy and personal information handling obligations into third party contracts.
     Recommendation implemented: No. For further analysis, see paragraphs 3.33-3.35.

  5. Home Affairs:
     • expand its operational guidance on responding to data breaches and document its organisational data breach response plan
     • consider ways it can promote better coordination between Privacy and Cyber security data breach response documentation.
     Recommendation implemented: No. For further analysis, see paragraphs 3.36-3.40.

PIA of the Connected Information Environment

3.19      Recommendation 1 from the 2018 assessment has only been partly implemented. A PIA of the whole CIE platform was not conducted following the OAIC’s 2018 assessment. Rather than conducting a single PIA for the entire CIE, Home Affairs advised that it has been assessing the privacy impacts of the CIE in relation to individual data products and use cases. Home Affairs demonstrated this approach by providing the OAIC with documentation showing it has conducted a PTA and commenced (at the time of fieldwork) a PIA for the CIE’s new PNR search capability, which will update and replace the existing PNR search function for the CIE.

3.20      In its response to the OAIC’s 2018 assessment, Home Affairs noted that it had also implemented a Data Security & Access Management function under the Department’s Chief Data Officer (who is also the privacy champion) to assess applicable legislative obligations and restrictions for data assets within the CIE, and to ensure appropriate controls are in place.

3.21      PIAs can assist entities to identify any personal information security risks, as well as the reasonable steps that can be taken to protect personal information. It is important that Home Affairs identifies privacy risks as early in the project as possible. Given the size and scope of the CIE, and the volume of personal information it contains, the OAIC considers there is a medium privacy risk that Home Affairs may not have identified all privacy risks in the development and design of the CIE.

3.22      However, noting Home Affairs’ current approach to assessing the privacy impacts of the CIE, the security risk assessment conducted for the CIE (discussed below) and other measures discussed above, the OAIC recommends that Home Affairs undertake, in the development and design stage, a PTA and if necessary a PIA, for any future updates and changes to the CIE platform or related systems, applications and capabilities which will involve new or changed ways of handling PNR data.

3.23      This recommendation also reflects Home Affairs’ legal obligation under the Code to undertake a written PIA for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information.
Recommendation 3

The OAIC recommends that Home Affairs undertake a privacy threshold assessment (and, if necessary, a privacy impact assessment) of future updates and changes to the CIE platform or related systems, applications and capabilities involving new or changed ways of handling PNR data, in the early stages of design and development.
Risk management

3.24       Recommendations 2 and 3 of the 2018 assessment have, for the most part, been implemented. The implementation of privacy and security risk management processes is integral to establishing robust and effective privacy and security practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor any privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

3.25       Home Affairs has made regular updates to key documents related to the management of risks associated with the systems used to access and handle PNR data, such as the PNR Control Framework, the Connected Information Environment (CIE) Security Risk Assessment (SRA) and CIE Security Risk Management Plan.

3.26      Updated security risk documentation provided to the OAIC for this assessment shows:

  • regular updates which catalogue security control changes made for the CIE since the last OAIC assessment
  • outstanding risk treatments identified in the CIE SRA including those that address mandatory ISM controls
  • the status of the solutions to address risks.

3.27      However, the OAIC was advised that the following 2 security controls recommended by the OAIC in the 2018 assessment (Recommendation 3) have yet to be implemented:

  • regular proactive monitoring of audit logs for access to PNR data
  • automated provisioning of access to PNR data based on a person’s role.

Regular proactive monitoring of audit logs

3.28      Unauthorised access to personal information can be detected by reviewing records of system activities, such as audit logs. Proactive monitoring of such logs to identify unauthorised access or disclosure is a reasonable step for Home Affairs to undertake in relation to PNR data, given the large amount of personal information available. While Home Affairs advised it keeps audit logs which would identify access to PNR data, these logs are not regularly and proactively reviewed. This raises the medium privacy risk that unauthorised access to PNR data may go undetected.

3.29      Home Affairs should regularly and proactively monitor access to PNR data to make sure that access is maintained in accordance with staff’s need-to-know requirements and internal policies for use and disclosure of PNR data.

3.30      As a matter of high priority, the OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation to regularly conduct proactive reviews of audit logs which record access to PNR data. This activity could be included as part of an assurance program which includes other regular PNR audit activities that were previously recommended by the OAIC in the 2018 assessment, such as random sample audits of RFIs (discussed above) and the auditing of staff members across the Department who have access to PNR data, already undertaken by Home Affairs (discussed below).

Automated provisioning of access to PNR data

3.31      In relation to Home Affairs’ process for provisioning access to PNR data, during fieldwork for this assessment the OAIC was advised that while contractor access has a limited duration, the current manual process for provisioning access to PNR data for departmental staff does not facilitate proactive de-provisioning of access. Home Affairs informed the OAIC that while there are plans for a future move to an automated, role-based provisioning system there are budgetary and technical challenges in actioning this outcome.

3.32      The OAIC was also advised that the Border Intelligence Watch Office (BIWO) within Home Affairs conducted a privacy audit in September and October 2020 of all staff within Home Affairs who have access to PNR data to ensure they required their access. However, privacy audits are not conducted on a regular basis.

3.33      There is a medium privacy risk that staff, particularly those that have moved roles or left Home Affairs, continue to have access to PNR data even when they no longer require such access. The OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation to continue with its planned implementation of an automated provisioning system for PNR access, including a transition to role-based access, which may help to mitigate this privacy risk.

3.34      Noting the budgetary and technical challenges of implementing automatic provisioning of access, as an interim measure Home Affairs should consider turning its recent privacy audit of staff who have PNR access across the Department into a regular activity. Making the audit of PNR access a regular assurance activity should assist Home Affairs with managing the risks associated with the current manual process for provisioning access to PNR data.

Recommendation 4
As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2018 assessment recommendation to:

  • regularly conduct proactive reviews of audit logs which record access to PNR data
  • continue with its planned implementation of an automated provisioning system for PNR access. This includes a transition to role-based access and, while this is being actioned, conducting regular audits of staff across the department who have access to PNR data.

Third party handling of PNR data

3.35      Recommendation 4 of the 2018 assessment has not been implemented. Home Affairs uses some third-party vendors in the operation of its systems, including the CIE. Home Affairs engages contractors under panel arrangements and each panel arrangement has an overarching agreement which is signed at the vendor level, typically known as a Deed of Standing Offer[12]. In addition, each individual working under these arrangements is required to sign a Deed of Confidentiality.

3.36      During fieldwork the OAIC was provided with documents used for engaging third parties. These included privacy and confidentiality contract provisions which apply when ICT contractors are engaged under a particular services panel used by Home Affairs. These documents were requested by the OAIC in order to gain insight into how Home Affairs oversees and manages its privacy obligations in relation to third parties. These documents were similar to the contractual provisions provided in the 2018 assessment. An examination of these documents, specifically the clauses related to privacy and security, indicated that Home Affairs had not reviewed these documents following the 2018 assessment, as they still contained outdated references to repealed privacy legislation such as the ‘Information Privacy Principles’ and ‘National Privacy Principles’.

3.37      Based on the information provided, the OAIC considers that there is a medium privacy risk that Home Affairs has not taken reasonable steps to ensure the security of personal information handled by third parties involved in the CIE. The use of outdated contractual terms could lead to a failure to protect personal information in accordance with current legislative obligations found in the APPs. The OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and establish measures to ensure all third parties involved in the CIE, including vendors and contractors, are taking reasonable steps to protect personal information held by Home Affairs. This should include reviewing and updating documents used for engaging third party contractors, such as standard contractual provisions to ensure they reflect current obligations found in the Privacy Act.  

Recommendation 5

As a matter of high priority, the OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and establish measures to ensure all third parties involved in the CIE, including vendors and contractors, are taking reasonable steps to protect personal information held by Home Affairs. This should include reviewing and updating documents used for engaging third party contractors, such as standard contractual provisions, to ensure they reflect current obligations found in the Privacy Act. 

Data breach response

3.38      Recommendation 5 of the 2018 assessment has not been implemented. Home Affairs has clear guidance for staff on how to respond to a suspected privacy breach. However, Home Affairs lacks a documented process for what happens once a data breach is reported to the Privacy Team, the Privacy and Information Disclosure Section (PIDS), including how a data breach should be assessed, contained, notified and reviewed at a departmental level.

3.39      Each business area is responsible for the identification and notification of any potential data breaches. While PIDS maintains a register of all suspected and actual breaches for the Department, which includes notifiable data breaches as well as incidents which are deemed not to be notifiable breaches, it is unclear if all the breaches recorded by the respective business areas are captured by PIDS’ register.

3.40      Home Affairs advised that the development of a data breach response plan was in progress at the time of the assessment. The proposed plan will document roles and responsibilities, and set out the membership of a data breach response team. Home Affairs also advised that key stakeholders, such as the Cyber Security team, will be consulted in the development of this plan.

3.41      A failure to properly identify and document organisational level procedures for handling a data breach represents a medium privacy risk that the impact of a data breach will not be promptly and effectively managed. The OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and expand its operational guidance on responding to data breaches to include its departmental data breach response plan. This recommendation should be implemented as a high priority to ensure that the impact of data breaches will be promptly contained and to assist the department to meet notification obligations, such as the requirement to notify affected individuals and the OAIC if it suffers an eligible data breach[13].

3.42      As part of the development of the departmental data breach response plan, the OAIC also recommends Home Affairs implement the OAIC’s 2018 assessment recommendation and review its documentation related to the management of data breaches and cyber security incidents, including the documents maintained by the Privacy and Cyber Security Teams respectively, and consider ways that these documents should complement each other as part of ensuring a coordinated departmental response to data breach management.

Recommendation 6

As a matter of high priority, the OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and:

  • expand operational guidance on responding to data breaches and document its departmental data breach response plan
  • review documentation related to data breaches and cyber security incidents maintained by the Privacy and Cyber Security Teams respectively. This includes considering ways that these documents should complement each other as part of ensuring a coordinated departmental response to data breach management.

Code obligations

3.43      As stated earlier, the Code sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2.

3.44      The table below sets out the requirements of the Code, whether the OAIC considers Home Affairs, in the context of handling PNR data, has met these requirements and which sections of this report provide further information.

3.45      In summary, the OAIC has identified that Home Affairs is meeting some of its obligations under the Code; however, there are some areas of non-compliance.

| Section of Code | Home Affairs has… | Requirement implemented? (✓ = Yes, ✗ = No) | For further analysis, see paragraph(s) |
|---|---|---|---|
| 9 | A Privacy Management Plan (PMP), which identifies specific, measurable privacy goals and targets, and sets out how the agency will meet its compliance obligations under APP 1.2 | | 3.64-3.66 |
| 10 | Appointed a Privacy Officer who fulfils required functions as part of the Privacy Code | | 3.45-3.46 |
| 11 | Appointed a senior official Privacy Champion who fulfils required functions as part of the Privacy Code | | 3.45-3.46 |
| 10 | A record of the personal information that it holds | | 3.76-3.77 |
| 12 | Undertaken written PIA for all high privacy risk projects | | 3.67-3.72 |
| 15 | Maintains and updates a register of PIAs, and publishes this register, or a version of this register, on its website | ✓* | 3.73-3.75 |
| 16 | Conducts appropriate privacy training and education for staff in its induction programs, and provides appropriate annual privacy training and education for staff who have access to personal information in the course of performing their duties | partial | 3.47-3.52 |
| 17 | A process in place to proactively review and update its privacy practices, and monitor compliance with its privacy practices, procedures and systems regularly | | 3.64-3.66 |

*Code requirement was not implemented at the time of the assessment but evidence of compliance was subsequently provided.

Governance and training

Privacy governance

3.46      Home Affairs has privacy governance arrangements in place which apply to the handling of PNR data including:

  • staff appointed to key privacy management related roles and responsibilities as required under the Code, specifically the Director of the privacy team (discussed below) as the Privacy Officer and the Department’s Chief Data Officer as the Privacy Champion. Their roles and responsibilities are outlined on the intranet and staff received notifications to advise them of the Privacy Officer and Privacy Champion when they were appointed.
  • a dedicated privacy team (Privacy and Information Disclosure Section (PIDS)) which allows for department-wide coordination, discussion, reporting and response to privacy matters, including PNR related privacy matters. PIDS responsibilities include:
    • advising business areas to take a privacy-by-design approach to ensure that privacy is embedded in the design of systems and practices
    • participating in a number of different forums, where the Privacy Officer reports on the number of actual and suspected data breaches, including PNR related privacy breaches. For example, privacy issues are raised at the quarterly Executive Committee meetings
    • assessing all suspected data breaches under the NDB scheme, and reporting to the OAIC, if required
    • providing guidance on the risk of ‘serious harm’, in consultation with the Legal team, and recommending any actions to business areas that can prevent breaches of a similar nature
    • promoting Home Affairs’ privacy culture by providing policy advice, privacy training and publishing content on the intranet about privacy and the department’s obligations under the Privacy Act
    • maintaining a privacy mailbox which handles all privacy-related enquiries and complaints, and a designated staff member who monitors the inbox to ensure that all matters are triaged to the relevant areas
  • establishment of boards, committees and councils that govern and oversee new projects and ongoing data management which allow for discussion of privacy and information security issues (including in relation to PNR) with privacy team and cyber security staff attending and participating in these fora.

3.47      The assessment did not identify any risks with respect to Home Affairs’ privacy governance arrangements required under the Code as it relates to the handling of PNR data.

Privacy training

3.48      All Home Affairs staff who are required to handle PNR data as part of their duties have to undergo mandatory department-wide privacy induction training and PNR-specific induction training prior to handling any PNR information. These are known as the ‘Privacy Essentials’ and ‘PNR Legislation and Policy ELearning’ modules respectively. The OAIC reviewed these documents and found a range of topics are covered, including personal information handling obligations under the APPs, data breach management and response, and the requirements for authorised officers regarding the access, use and dissemination of PNR data.

3.49      Home Affairs offers and encourages staff handling PNR data to undertake PNR-specific refresher training. At the time of the assessment, the OAIC was advised that all BIWO staff had recently undertaken refresher training on access and disclosures of information, which includes a component on PNR.

3.50      Home Affairs also offers ad hoc privacy training sessions on an opt-in basis to all departmental staff delivered via face-to-face privacy information disclosure training sessions, which may be tailored to suit different business areas within the department. For example, BIWO staff receive more detailed PNR specific training than other staff in the Intelligence Division. Home Affairs will also email staff when new training materials are developed and are in force. Home Affairs advised and their PMP (discussed below) indicates that it is planning for the implementation of refresher privacy training to ensure that staff are regularly reminded of their privacy obligations. However, at the time of the assessment this had not been implemented.

3.51      The Intelligence Enabling and Governance Branch within the Intelligence Division manages the induction and refresher training for all staff in the Intelligence Division, including PNR staff. Training materials are developed in accordance with department-wide policy statements and standard operating procedures (SOPs) which provides more detailed step-by-step instructions, informed by supporting documentation. Home Affairs’ policy statement was under review at the time of the assessment and is discussed further in the ‘Internal policies, practices and procedures’ section below.

3.52      Taking into account that staff accessing PNR data receive PNR-specific induction training before they are granted access to PNR data and that all BIWO staff have recently undertaken opt-in refresher training, the lack of department-wide mandatory privacy refresher training currently presents a low privacy risk that PNR staff within Home Affairs may not be aware of their obligations to properly handle PNR data. However, Home Affairs not providing mandatory and regular privacy refresher training raises a high privacy risk that Home Affairs is not meeting its obligations under section 16 of the Code to provide annual privacy training and education for staff who have access to personal information in the course of performing their duties.

3.53      As a matter of high priority, the OAIC recommends that Home Affairs review its privacy training program and provide mandatory annual refresher privacy training for all staff who have access to personal information.

Recommendation 7

As a matter of high priority, the OAIC recommends that Home Affairs provide mandatory annual refresher privacy training for all staff who have access to personal information.

Internal policies, practices, and procedures

3.54      Entities should document the internal policies, practices and procedures they use to handle personal information. This documentation should outline the privacy measures that are in place to manage the risks and threats to personal information. Section 17 of the Code requires an agency to regularly review and update its privacy practices, procedures and systems, to ensure their currency and adequacy for the purposes of compliance with the APPs.

3.55      At the time of the assessment, Home Affairs had a range of department-wide and PNR-specific internal policies and procedures related to the handling of personal information, which were variously finalised; existing and under review; in draft form and awaiting finalisation; or proposed but not yet drafted. Staff can access finalised policies and procedures via a central register published on the staff intranet.

3.56      Internal policies and procedures discussed with or provided to the OAIC include:

  • a new draft policy statement which sets out increased governance and oversight for the PNR function. This includes the purposes for which users are accessing information, the disclosure of information, and the reasons for keeping information, as well as the lawfulness of any disclosure
  • a proposed PNR data destruction and retention policy document which will set out and reconcile the destruction of PNR data obligations under the EU agreement and the retention of PNR information under the Archives Act 1983
  • a proposed PNR access governance policy, which will outline how staff use and access PNR-related systems
  • the PNR Control Framework
  • a PMP
  • a revised PIA process document
  • a departmental data breach response plan (discussed in the ‘Implementation of 2018 assessment recommendations’ section above).

PNR policy statement

3.57       At the time of the assessment, Home Affairs based some of its PNR training material on the ‘Collecting Using and Disclosing Information in Intelligence Division Policy Statement’ document. The document is not up to date and is in need of review; for example, it refers to ‘DIBP’ instead of Home Affairs, a change that occurred over three years ago. While the document is not regularly drawn on by Home Affairs staff as an information resource, it is regularly used in training. Therefore, there is a medium privacy risk that the outdated training material may provide staff with information that is not current and does not reflect existing processes. The OAIC recommends that Home Affairs finalise its new policy statement.

PNR access governance policy and PNR data destruction and retention policy

3.58       At the time of the assessment, Home Affairs had proposed but not developed a documented PNR access governance policy and a PNR data destruction and retention policy, including documented procedures for accessing PNR data in Home Affairs’ systems. This represents a medium privacy risk that PNR data may not be appropriately accessed, handled, retained and destroyed, especially where EU PNR data needs to be destroyed in accordance with the EU Agreement.

3.59       Home Affairs should have an access governance policy which includes specific procedures for accessing PNR data in Home Affairs’ systems. Having documented policies for PNR access would also mitigate the risk of loss of corporate knowledge and ensure continuity if staff leave.

3.60       The OAIC recommends that Home Affairs develop and finalise the PNR data destruction and retention policy and the PNR access governance policy as soon as possible to ensure that staff are accessing, handling, retaining and destroying PNR data appropriately.

COVID-19 related policies, practices and procedures

3.61       Home Affairs advised that the use and disclosure of PNR data has been significantly reduced during the COVID-19 pandemic, particularly since the closure of international borders. When the pandemic first began, there were requests for PNR data from other agencies that were documented through email correspondence, seeking contact details and seat numbers associated with passengers who have been identified as COVID-19 positive. BIWO reviewed these cases individually and concluded that PNR data alone was insufficient to identify these individuals and did not disclose the PNR data.

3.62       During the pandemic, Home Affairs implemented working from home (WFH) and teleworking arrangements for staff subject to meeting security, work health and safety and operational requirements. These arrangements were set out in Department wide guidance communicated to all staff. The OAIC was advised that some BIWO staff have access to PNR in a WFH environment. All WFH activity involving PNR data is conducted through departmental issued laptops.

3.63       The lack of a PNR access governance policy with specific procedures for accessing PNR data in Home Affairs’ systems raises the medium privacy risk that staff who are accessing PNR data in a WFH environment may not be appropriately accessing and handling PNR data. The OAIC recommends that Home Affairs include procedures for accessing PNR data in a WFH environment in its proposed PNR access governance policy.

PNR Control Framework

3.64       In addition to the documents discussed above, the OAIC was also provided with the PNR Control Framework, which was last updated in 2017 and was under review at the time of the assessment. The Framework identifies key controls required over PNR data, including controls that are needed to meet requirements under the EU Agreement and other key obligations such as the Privacy Act. While there have been no substantial changes to the handling of PNR over the last few years, the OAIC recommends that Home Affairs continue to review and update its PNR documentation, including the Framework, to ensure it remains current and fit for purpose.

Privacy management plan

3.65       Home Affairs has a PMP as required under section 9 of the Code. The OAIC was advised that the PMP is reviewed and updated annually with issues noted in the PMP formally reported to the senior levels of the Department including the Chief Data Officer. There is also a midpoint review of the PMP at 6 months to examine how Home Affairs is progressing with its privacy goals and targets.

3.66       The OAIC was provided with the PMP for the financial years 2019-20 and 2020-21. The PMP sets out specific, measurable privacy goals and targets and how Home Affairs will meet its compliance obligations under APP 1.2 and includes a list of actions which the Department plans to achieve in order to improve its privacy maturity. As outlined in the PMP, Home Affairs is currently reviewing and updating its privacy practices, procedures and systems, to ensure their currency and adequacy for the purposes of compliance with the APPs. Examples include reviewing its APP 1 privacy policy to ensure that it is current, as well as planning for the implementation of refresher privacy training to ensure that staff are regularly reminded of their privacy obligations. The PMP does not specifically refer to PNR data though the high-level privacy goals and targets mentioned in the PMP are relevant to the handling of PNR data.

3.67       The assessment did not identify any significant privacy risks with respect to Home Affairs’ PMP and the handling of PNR data. However, the OAIC suggests that Home Affairs consider adding the development of internal PNR policies and procedures, such as the new PNR policy statement and the proposed PNR access governance and data destruction and retention policies, to the PMP’s list of actions which the Department plans to achieve in order to improve its privacy maturity.

PIAs

3.68       APP 1.2 outlines the requirements for entities to manage personal information in an open and transparent way. This includes embedding good privacy practices into an entity’s risk management strategies, such as conducting a PIA at the early stage of a proposal’s development to assist an entity to identify any privacy risks and the reasonable steps that could be taken to protect personal information.

3.69       The OAIC was advised that Home Affairs undertakes written PIAs for all high privacy risk projects. Specific PIAs conducted in relation to the handling of PNR data are discussed in the ‘PIA of the Connected Information Environment’ section above and the ‘PIA process document’ section below. Home Affairs has procedures for conducting privacy threshold assessments (PTAs) and PIAs for business projects or decisions that involve new or changed personal information handling practices. Business areas are responsible for managing their own PIAs and are encouraged to provide copies to PIDS to be included in Home Affairs’ internal PIA register. The OAIC was advised that PIAs for medium and high-risk projects are outsourced using relevant procurement panels, where possible.

3.70       The OAIC was informed that PIDS engages with business areas through various working groups to raise awareness of Home Affairs’ obligations under the Code, for example by reminding them of the importance of PIAs, ensuring that PIAs are conducted in the early stages of a project, and suggesting new PIAs where significant time may have elapsed since the last PIA was conducted.

PIA process document

3.71       Home Affairs provided the OAIC with a draft PIA process document, ‘Privacy Impact Assessment Process Procedural Instruction’, which at the time of the assessment was awaiting finalisation. It sets out the Department’s PIA governance process and is intended to provide guidance to staff on how and when to complete a PTA and, if necessary, a PIA.

3.72       The OAIC was provided with and reviewed the PTA conducted for the new PNR Search function. The PTA was missing important information, including the outcome of the PTA and whether the project should undergo a PIA. The PTA for the new PNR Search function and the lack of a finalised, documented PIA process raise a medium privacy risk that staff are not always aware of the need to conduct a PIA and, where one is conducted, may not properly assess the privacy risks associated with new projects which involve the handling of personal information, including PNR data. Home Affairs should finalise its PIA process document to ensure that:

  • business areas within Home Affairs (and for the purposes of this assessment the area/s responsible for the handling of PNR data) conduct PTAs and if necessary PIAs for new projects
  • PTAs and PIAs follow a clear methodology set out in the process document.

3.73       The OAIC recommends that Home Affairs finalise its PIA process document and communicate the process to all staff.

Register of PIAs

3.74       Under section 15 of the Code an agency must maintain a register of the PIAs it conducts and must publish the register, or a version of the register, on its website. At the time of the assessment, Home Affairs advised that its internal centralised register for recording PIAs was incomplete and it did not have the register or a version of the register published on its website. Home Affairs advised that the register was not published to avoid compromising business operations, given the sensitivities associated with some intelligence systems. At the completion of the assessment fieldwork, the OAIC noted that there was a high privacy risk that Home Affairs was breaching its Code obligations and recommended that Home Affairs establish an up-to-date register of PIAs and publish it, or a version of it, on its website.

3.75       Following the assessment fieldwork and after engagement with the OAIC on this issue, Home Affairs advised the OAIC that it published a version of its register of PIAs on its website in April 2021.[14] Agencies should include information about completed PIAs on their registers. As a minimum, the PIA register should include the title of the agency’s PIA. The OAIC notes that the version of the register published by Home Affairs contains the title and date of each PIA. The OAIC makes the better practice suggestion that, where appropriate, Home Affairs include on the register additional information such as a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project.

3.76        Home Affairs’ advice that its internal centralised register for recording PIAs was incomplete raises a medium privacy risk that the published version of the PIA register may not be consistent with the requirements of the Code. Taking into account the sensitivities of specific projects, the OAIC recommends that Home Affairs maintain and update the published version of its PIA register. Home Affairs should properly record all PIAs in its internal centralised register with a sufficient level of detail to ensure the accuracy of the published version.

Record of personal information holdings 

3.77       Paragraph 10(5)(b) of the Code identifies one of the functions of the Privacy Officer as maintaining a record of the agency's personal information holdings. Home Affairs does not have a centralised record of the personal information that it holds and advised the OAIC that it faces challenges in developing a single register of its data holdings for a department of its size. However, the Code commenced on 1 July 2018 and by the time of the assessment the Code had been in effect for over 2 years. This compliance gap has been identified in Home Affairs’ PMP (discussed above), in the form of a data asset register that will be managed by the Data Division. Given that this is a mandatory obligation under the Code, there is a high risk that Home Affairs is not managing its personal information, including PNR data, in accordance with its obligations.

3.78       As a matter of high priority, the OAIC recommends that Home Affairs establish a centralised record of personal information holdings and consider having the Privacy Officer maintain the record as an ongoing obligation, as required under the Code.


Recommendation 8

The OAIC recommends that Home Affairs:

  • regularly review and update its existing privacy and PNR specific policies and procedures such as its PNR policy statement and the PNR Control Framework
  • finalise policies which are currently in draft form, in particular the PIA process document
  • develop those policies which are planned but not yet progressed, in particular:
    • the PNR data destruction and retention policy
    • the PNR access governance policy, including procedures for accessing PNR data in a WFH environment.


Recommendation 9

Taking into account the sensitivities of specific projects, the OAIC recommends Home Affairs:

  • maintain and update the published version of its PIA register
  • properly record all PIAs in its internal centralised register with a sufficient level of detail to ensure the accuracy of the published version.


Recommendation 10

As a matter of high priority, the OAIC recommends that Home Affairs establish a centralised record of personal information holdings and consider having the Privacy Officer maintain the record as an ongoing obligation, as required under the Code.

Handling of privacy complaints and enquiries

3.79       Under APP 1.2, an APP entity is required to take reasonable steps to deal with enquiries or complaints from individuals about the entity’s compliance with the APPs or any binding registered APP code.

3.80       Home Affairs has a dedicated complaint handling function with escalation procedures for complaints that involve the handling of personal information, including PNR data.

3.81       The Global Feedback Unit (GFU) is the single gateway for triaging external enquiries and complaints within Home Affairs. GFU refers all external privacy enquiries or complaints to PIDS for a response, in accordance with the department-wide complaints policy. The complaints policy states that Home Affairs will provide a response within 14 days and outlines the process for making a complaint through the GFU.

3.82       PIDS manages a privacy-specific mailbox, which is the main channel for raising and triaging internal privacy matters. PIDS also maintains a record of all privacy complaints that have been received.

3.83       Home Affairs handles access and correction requests from members of the public regarding their PNR data through formal FOI requests. For all requests outside of the FOI process, Home Affairs would direct those customers to the relevant airline.

3.84       The OAIC did not identify any privacy risks with the Department’s handling of privacy enquiries and complaints in relation to PNR data.

Information security and access controls

3.85       The OAIC’s Privacy Management Framework details steps that Home Affairs is expected to take to meet its ongoing compliance obligations under APP 1.2. This includes governance around the Home Affairs’ ICT security and access controls where relevant.

3.86       In addition to the ICT and access security measures discussed in the ‘Follow-up of previous OAIC assessments’ section of this report, the OAIC was also advised of additional measures used to protect personal information.

3.87       Staff requests to access PNR data are managed using a SharePoint system where reasons for access need to be outlined. Privileged and/or administrator access requires additional authorisation as per legislative requirements for access to PNR data under s 64AF of the Customs Act.

3.88       All staff in the BIWO who have access to PNR have a minimum Negative Vetting 1 security clearance at Home Affairs.

3.89       Selected teams within Home Affairs’ Intelligence Division have access to the PNR system and PNR data, including delegations and quality assurance on a day-to-day basis. Two teams within the Intelligence Division have access to PNR data to carry out data analytics functions.

3.90       The BIWO has primary oversight over the use and disclosure of PNR data, including internal and external requests for PNR data. BIWO is also the only team that receives requests for PNR data, including information from the EU, and handles the data and information exchange in accordance with MOUs, which stipulate the requirements under which information is shared between entities.

3.91       BIWO maintains a list of PNR staff together with their accreditations, such as security clearances and training records. While there are plans to automate the process, this is currently a manual process.

3.92       Other than those risks noted earlier in the report, the OAIC did not identify any privacy risks related to the Department’s information security and access controls used to protect PNR data.

Part 4: Description of assessment

Objective and scope of the assessment

4.1          This assessment was conducted under s 33C(1)(a) of the Privacy Act and in accordance with the Memorandum of Understanding (MOU) between the OAIC and Home Affairs. The MOU reflects oversight and accountability arrangements contained in the EU Agreement.

4.2          This privacy assessment of Home Affairs had two objectives:

  • to follow up on Home Affairs’ implementation of 2 recommendations made in 2017 and 5 recommendations made in 2018
  • to consider Home Affairs’ handling of personal information, specifically PNR data, under APP 1.2.

4.3          The scope of this assessment was limited to APP 1.2 (open and transparent management of personal information).

4.4          This assessment also considered the requirements of the Code that have been implemented by Home Affairs in relation to its PNR Team and its management of PNR data.

4.5          Where appropriate, the OAIC also had regard to the terms of the EU Agreement.

Privacy risks

4.6          Where the OAIC identified privacy risks and considered those privacy risks to be high or medium risks according to OAIC guidance (Appendix A refers), the OAIC made recommendations to Home Affairs about how to address those risks. These recommendations are set out in Part 5 of this report.

4.7          OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

4.8          For more information about privacy risk ratings, see the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action[15] provides further detail on this approach.

Timing, location and assessment techniques

4.9          The OAIC conducted a risk-based assessment of Home Affairs’ handling of PNR data. The focus was on identifying privacy risks to the effective handling of PNR data in relation to the APPs.

4.10       The assessment involved the following:

  • review of relevant policies and procedures provided by Home Affairs
  • fieldwork, which included interviewing key staff at Home Affairs’ Mascot office on 10 to 12 November 2020.

Reporting

4.11       The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published with operational sensitivities removed.

Part 5: Recommendations and Home Affairs’ responses

OAIC recommendation 1

5.1   As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2017 assessment recommendation to:

  • develop policies and procedures for its internal sample audits relating to PNR data ‘Request for Information’ (RFI) disclosures to other agencies. This could involve updating, clarifying or expanding existing documentation. These policies should set out, at a minimum, the frequency, scope, and methodology of the audits, as well as processes and responsibilities for implementing recommendations that arise from the audits.

5.2   The OAIC also recommends that Home Affairs, as a high priority, recommence regular internal sample audits of PNR RFI disclosures to other agencies.

Response by Home Affairs

5.3   Home Affairs accepts this recommendation.

Home Affairs is finalising four policy documents to ensure PNR data is accessed, used and disclosed lawfully, and in accordance with the European Union agreement for EU PNR data. These are a PNR Policy Statement, Procedural Instruction on Access and Disclosure of PNR data, a PNR Search Access Control Standard Operating Procedure (SOP) and a PNR – Request for Information Local Procedure.

The policy framework establishes the requirement to conduct quarterly compliance checks on the access, use, storage and disclosure of PNR data. The policy framework is expected to be finalised by July 2021, with the first compliance check also expected to be carried out in July.


OAIC recommendation 2

5.4   As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2017 assessment recommendation to:

  • implement a case management system to log all disclosures of PNR data by authorised officers to their home agencies. This system may leverage the existing systems or be an alternative system, provided it can maintain logs of PNR data disclosures in a systemic and consistent manner and is readily auditable
  • undertake a privacy threshold assessment (and, if necessary, a privacy impact assessment) of the case management system in the early stages of its design and development.

Response by Home Affairs

5.5      Home Affairs accepts this recommendation. Since 2017, Home Affairs has formalised its use of a request tracking database (to track the details of the request itself only) and Home Affairs’ formal record-keeping system to store request responses and the associated PNR data. As such, a new case management system and privacy threshold assessment are not required. Home Affairs will seek to confirm and close this recommendation.

OAIC recommendation 3

5.6          The OAIC recommends that Home Affairs undertake a privacy threshold assessment (and, if necessary, a privacy impact assessment) of future updates and changes to the CIE platform or related systems, applications and capabilities involving new or changed ways of handling PNR data, in the early stages of design and development.

Response by Home Affairs

5.7          Home Affairs accepts this recommendation.

OAIC recommendation 4

5.8          As a matter of high priority, the OAIC recommends Home Affairs implement the OAIC’s 2018 assessment recommendation to:

  • regularly conduct proactive reviews of audit logs which record access to PNR data
  • continue with its planned implementation of an automated provisioning system for PNR access. This includes a transition to role-based access and, while this is being actioned, conducting regular audits of staff across the department who have access to PNR data.

Response by Home Affairs

5.9          Home Affairs accepts this recommendation. All audit logging on the CIE platform is now centrally stored on a Security Information and Event Management system. Access to the CIE platform using admin, privileged user and positions of trust accounts is protected by multi-factor authentication. 

A user interface which will enable authorised users to easily search Home Affairs’ PNR data store will be delivered by 30 June 2021. It will also enable Home Affairs to implement quarterly reviews of audit logs which record access, and role-based access.

OAIC recommendation 5

5.10      As a matter of high priority, the OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and establish measures to ensure all third parties involved in the CIE, including vendors and contractors, are taking reasonable steps to protect personal information held by Home Affairs. This should include reviewing and updating documents used for engaging third party contractors, such as standard contractual provisions to ensure they reflect current obligations found in the Privacy Act. 

Response by Home Affairs

5.11      Home Affairs accepts this recommendation and notes it has already been implemented.

All third-party contracts are developed in accordance with the requirements of the Commonwealth Contracting Suite, including adherence to the Commonwealth Contracting Terms and Conditions. These requirements include provisions outlining obligations under the Privacy Act 1988 and the handling of personal information.

This recommendation is addressed through Departmental policy via a Confidentiality Deed Poll, which is completed by all ICT Contractors prior to their commencement with Home Affairs.

Further, all contractors with access to the PNR data are required to confirm their requirement to have access each year and also successfully complete a mandatory PNR Data eLearning module.

OAIC recommendation 6

5.12      As a matter of high priority, the OAIC recommends that Home Affairs implement the OAIC’s 2018 assessment recommendation and:

  • expand operational guidance on responding to data breaches and document its departmental data breach response plan
  • review documentation related to data breaches and cyber security incidents maintained by the Privacy and Cyber Security Teams respectively. This includes considering ways that these documents should complement each other as part of ensuring a coordinated departmental response to data breach management.

Response by Home Affairs

5.13           Home Affairs accepts this recommendation. The expanded guidance is expected to be finalised in the first quarter of the 2021-22 financial year.

OAIC recommendation 7

5.14      As a matter of high priority, the OAIC recommends that Home Affairs provide mandatory annual refresher privacy training for all staff who have access to personal information.

Response by Home Affairs

5.15      Home Affairs accepts this recommendation. A privacy training program is in place and work is also underway to build a privacy module into Home Affairs’ annual mandatory refresher training program, The Essentials.

OAIC recommendation 8

5.16           The OAIC recommends that Home Affairs:

  • regularly review and update its existing privacy and PNR specific policies and procedures such as its PNR policy statement and the PNR Control Framework
  • finalise policies which are currently in draft form, in particular the PIA process document
  • develop those policies which are planned but not yet progressed, in particular:
    • the PNR data destruction and retention policy
    • the PNR access governance policy, including procedures for accessing PNR data in a WFH environment.

Response by Home Affairs

5.17      Home Affairs accepts this recommendation and has finalised the updated Privacy Impact Assessment (PIA) Procedural Instruction which was in draft at the time of this assessment. The Procedural Instruction has been published on Home Affairs’ intranet and was promoted to staff during recent Privacy Awareness Week activities. This Procedural Instruction replaces the previous version published in 2018.

Home Affairs is finalising four policy documents to ensure PNR data is accessed, used and disclosed lawfully, and in accordance with the European Union agreement for EU PNR data. These are a PNR Policy Statement, Procedural Instruction on Access and Disclosure of PNR data, a PNR Search Access Control Standard Operating Procedure (SOP) and a PNR – Request for Information Local Procedure.

These documents will encompass any WFH arrangements which may be distinct to PNR data, if applicable.

The Policy Statement and Procedural Instruction establish the requirements for data destruction and retention as well as systems access. The Policy Statement and Procedural Instruction are expected to be finalised by July 2021.

OAIC recommendation 9

5.18      Taking into account the sensitivities of specific projects, the OAIC recommends Home Affairs:

  • maintain and update the published version of its PIA register
  • properly record all PIAs in its internal centralised register with a sufficient level of detail to ensure the accuracy of the published version.

Response by Home Affairs

5.19           Home Affairs partially accepts this recommendation. On 9 April 2021, Home Affairs published its PIA register on its external website at https://www.homeaffairs.gov.au/access-and-accountability/our-commitments/privacy which contains the requirements specified in the OAIC guidelines, i.e. title and date of a PIA. Home Affairs will update its PIA register as new PIAs are completed.

Home Affairs maintains an internal centralised register of PIAs which includes a sufficient level of detail to ensure accuracy of the published version. Home Affairs recently undertook a stocktake of all PIAs conducted by business areas to ensure the register is complete.

OAIC recommendation 10

5.20      As a matter of high priority, the OAIC recommends that Home Affairs establish a centralised record of personal information holdings and consider having the Privacy Officer maintain the record as an ongoing obligation, as is required under the Code.

Response by Home Affairs

5.21      Home Affairs accepts this recommendation. Development of a centralised record of personal information holdings is one of the actions in the Home Affairs’ Privacy Management Plan.

Appendix A: Privacy risk guidance

The guidance below sets out, for each privacy risk rating, the entity action required and the likely outcome if the risk is not addressed.

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.


[1] Throughout this report, references to ‘PNR data’ are used when the context relates to all PNR data that Home Affairs handles, including EU PNR data. The term ‘EU PNR data’ is used where the context specifically relates to the handling of that subset of PNR data. 

[2] Agreement between the European Union and Australia on the processing and transfer of passenger name record (PNR) data by air carriers to the Australian Customs and Border Protection Service, signed 29 September 2011, [2012] ATS 19, (entered into force 1 June 2012), <http://www.austlii.edu.au/au/other/dfat/treaties/ATS/2012/19.html>. Compliance with the EU Agreement by Home Affairs constitutes an adequate level of protection for EU PNR data for the purposes of the EU’s data protection law, allowing this data to be transferred from EU member states to Australia: Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by Air Carriers to the Australian Customs Service, [2008] OJ L 213/47, <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:JOL_2008_213_R_0047_01>.

[3] EU Agreement, Annex 1.

[7] Registered on the Federal Register of Legislation as the Privacy (Australian Government Agencies – Governance) APP Code 2017 - https://www.legislation.gov.au/Series/F2017L01396 (accessed 4 March 2021).

[10] Step 2 of the Privacy Management Framework requires that an entity covered by the Privacy Act establishes robust and effective privacy practices, procedures and systems, including ICT security controls as a risk management process. This is to allow an entity to address privacy risks, including personal information security risks.

[11] See 2017 assessment at paragraph 3.35.

[12] A panel arrangement is a tool used by many Australian Government agencies for the procurement of regularly acquired goods or services. In a panel arrangement, a number of suppliers are selected, each of which are able to supply identified goods or services to an agency. To establish a panel, an agency enters into contracts or deeds of standing offer, (known as panel arrangements) with each supplier on the panel, setting out the type and cost of the goods or services the supplier will provide and the manner in which the agency will obtain the goods or services from the supplier. For more information see the Department of Finance website, Panel Arrangements (accessed 9 March 2021).

[13] For more information about what constitutes an ‘eligible data breach’, see the OAIC’s guidance on Identifying eligible data breaches.