Passenger Name Records: Implementation of Recommendations — Audit report
Australian Customs and Border Protection Service
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988
Part 1 — Introduction
1.1 The Australian Customs and Border Protection Service (ACBPS) and the Office of the Australian Information Commissioner (the OAIC) have a Memorandum of Understanding (MOU) in place, which provides a regular audit program for ACBPS’ use, disclosure, storage and security of Passenger Name Record (PNR) data.
1.2 This MOU has regard to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (the EU Agreement).
1.3 The OAIC will have regard to the EU Agreement; however the OAIC does not have a role in assessing ACBPS compliance with the requirements of the EU Agreement.
1.4 The OAIC and former Office of the Privacy Commissioner (OPC) have audited ACBPS’s use of EU sourced PNR data since 2008.
Part 2 — Description of audit
2.1 The purpose of the audit was to assess how ACBPS has addressed previous OAIC audit recommendations about its handling of PNR data.
Objective, scope and assessment techniques
2.2 The objectives of this audit were to:
- identify how recommendations made by the OPC/OAIC in relation to ACBPS Information Privacy Principle (IPP) obligations have been addressed by ACBPS
- assess the appropriateness and adequacy of ACBPS responses to OPC/OAIC recommendations.
2.3 The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) introduced significant changes to the Privacy Act 1988 (Cth) (the Privacy Act) from 12 March 2014. The Privacy Act now includes a set of 13 Australian Privacy Principles (APPs), which regulate the handling of personal information by both Australian Government agencies and organisations (collectively referred to as APP entities). The APPs replaced the IPPs and National Privacy Principles (NPPs).
2.4 As the APPs were not in force when past audit recommendations were made and when this review was undertaken, ACBPS responses were assessed against the IPPs. However, the report includes comments related to the introduction of the APPs, where relevant, to assist ACBPS’s transition to the obligations of the current Act.
2.5 The scope of the audit was determined by the range of prior recommendations that had been made in relation to ACBPS’s handling of PNR data. A total of 19 recommendations relating to IPP obligations were considered in relation to IPPs 1-3 (collection), IPP 4 (storage and security), IPP 8 (accuracy), IPP 10 (use) and IPP 11 (disclosure) at both the Passenger Analysis Unit (PAU) in Canberra, and in Airport Operations rooms located in selected international airports around Australia.
2.6 The assessment involved a documentary review of ACBPS responses to the recommendations but did not include any on-location observation of ACBPS’s implementation of the policies/standard operating processes provided.
2.7 The OAIC does not have a role in assessing ACBPS compliance with the requirements of the EU Agreement. However, previous audits have noted issues relevant to ACBPS’s obligations under the EU Agreement and (in three instances - see recommendations 20-22 of this report) recommended that ACBPS consider taking actions to ensure these obligations are met. The appropriateness of ACBPS responses to meeting these obligations is not addressed in this report.
2.8 The audit fieldwork included:
- a document review of materials developed by ACBPS to address the audit recommendations made by our office
- a review of notices and relevant forms also developed in response to these recommendations.
Timing and location
2.9 The auditors conducted the fieldwork component of the audit (document review) on 16 and 17 January 2014, at the OAIC’s Sydney office.
Information obtained from ACBPS
2.9 ACBPS provided a range of documents in relation to this audit (see Appendix A).
2.10 The auditors are of the opinion that ACBPS is generally maintaining its records of personal information within the scope of this audit in accordance with the IPPs.
2.11 The auditors identified four recommendations that do not appear to have been appropriately or adequately addressed, which may continue to pose privacy risks to ACBPS’s information handling practices in relation to PNR data. A summary of the issues is included in the ‘Summary of Review’ section of this report.
2.12 A recommendation is a suggested course of action or a control measure that, if put in place by the agency, will (in the opinion of the OAIC) minimise the risks identified around how personal information is handled against the relevant criterion.
2.13 To the extent possible, the OAIC publishes final audit reports in full or in an abridged version on its website, www.oaic.gov.au. It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege. This report has been published in full, except for the deletion of some ACBPS document titles in Appendix A.
Part 3 — Description of auditee
3.1 ACBPS is the primary border protection agency in Australia, managing the security and integrity of Australia’s borders by:
- working closely with other government and international agencies to detect and deter unlawful movements of goods and people across the border
- intercepting illegal drugs and firearms through its targeting of high-risk aircraft, vessels, cargo, postal items and travellers entering Australia.
3.2 As at 30 June 2013, ACBPS employed 5,516 people nationally. ACBPS’s central office is located at Customs House, in Canberra.
3.3 ACBPS’s collection and use of PNR data assists in the detection of irregular movements of people by air and is a key component in countering serious transnational crime and terrorism.
3.4 PNR data is information about airline passengers held by airlines on their computer reservation systems and/or departure control systems. EU sourced PNR data is PNR data that has been processed in the EU by international passenger air service operators or airline global database management system (GDMS) providers.
3.5 PNR data may include any of the following information:
- PNR locator code
- passenger name(s)
- passport number
- details of travel companions
- frequent flyer information
- ticketing information: date of reservation/issue of ticket; itinerary and alterations made to booking
- contact information, including travel agent details
- travel status of passenger (including confirmations and check-in status)
- special request/service information
- all baggage information (number and weight of bags)
- seat allocation(s)
- all historical changes to the above PNR.
3.6 Some PNR data is automatically generated by the airline (for example, itinerary detail), while other information is supplied by or on behalf of the passenger (for example, contact details). Airlines or authorised travel agents may also add a range of further information, such as dietary or medical requirements, or special requests for assistance.
3.7 In its 2012-13 annual report, ACBPS states it worked with 48 international airlines to ensure they meet ACBPS requirements for the provision of PNR data. ACBPS identified 13 airlines as providing EU sourced PNR data at the OAIC’s last ACBPS audit, conducted between 31 October and 1 November 2012.
3.8 The two main areas of ACBPS which handle PNR data are:
- the PAU, located at Customs House, Canberra, which receives EU-sourced and non EU-sourced PNR data directly from airlines
- Airport Operations Rooms, located at Australian international airports, receiving alert information from the PAU about passengers in transit or landing at the airport, who may pose a risk at arrival.
Description of the PAU
3.9 PAU staff conduct pre-arrival risk assessments of passengers travelling to (or in transit through) Australia using both EU and non EU-sourced PNR data, as well as other advanced passenger information.
3.10 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious transnational crimes, such as money laundering, drug importation, weapons trafficking and people smuggling/trafficking.
3.11 PAU officers use this information and a range of other information (for example immigration, intelligence and other law enforcement data), to screen passengers prior to their arrival in Australia.
3.12 The PAU also responds to requests for PNR data from other areas of ACBPS and from other Australian government agencies or specified third country authorities.
Description of Airport Operations
3.13 ACBPS officers at Australian international airports are responsible for the facilitation of passenger processing and the application of risk management techniques to identify and intercept travellers who may pose a risk to border integrity.
3.14 While Airport Operations may receive alerts about PNR data (including EU sourced PNR data) from the PAU, Airport Operations does not itself collect PNR data, nor is it involved in the disclosure of PNR data to other agencies or organisations. The privacy concerns raised in previous audits around Airport Operations’ handling of PNR data were therefore limited to storage and security issues only.
Part 4 — Audit issues
The following findings relate to ACBPS’s implementation of previous OPC/OAIC audit recommendations around the handling of PNR data, relevant to the IPPs.
The IPPs are available at www.oaic.gov.au/privacy/privacy-act/information-privacy-principles.
IPP 1–3 issues — Collection of EU-sourced PNR data
There were two recommendations made in reference to IPPs 1-3, which relate to the collection of EU sourced PNR data by the PAU. As Airport Operations does not collect PNR data, no discussion relevant to Airport Operations is contained in this section of the report.
Recommendation One — Update privacy notice
4.1 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011, recommended:
‘that (ACBPS) update its website to advise individuals which agencies may be recipients of information in a lawful disclosure.’
4.2 The OAIC noted that the privacy notice on ACBPS’s website outlined its purpose of collection and legal authority for collecting PNR data, but did not specify the agencies to which ACBPS generally discloses this information.
4.3 ACBPS addressed the recommendation by:
- including a notice entitled Collection of Passenger Name Records by the Australian Customs and Border Protection Service on the Privacy page of its website
- advising airlines (such as Qantas and British Airways) about their notice obligations to passengers, thus promoting good privacy practices within the industry.
4.4 The audit team acknowledges the steps taken by ACBPS to update its privacy notice and to encourage a better privacy approach by airlines.
4.5 However, while ACBPS’s notice includes all the information outlined in paragraph 4.3 of this report, the notice still omits details of any relevant bodies ACBPS would generally disclose this information to.
4.6 Article 18 of the current EU Agreement specifies the conditions for sharing EU sourced PNR data within Australia. ACBPS may only share EU sourced PNR data with clearly defined and identified Australian government authorities listed in Annex 2. Article 19 of the current EU Agreement specifies the conditions under which international transfer may occur. There is no clearly defined list of international authorities.
4.7 The OAIC recognises that there is no obligation under IPP 2 for ACBPS to include information in its privacy notice about the agencies with which it shares EU sourced PNR data. However, given the explicit nature of Recommendation One and the fact that these agencies are already publicly identified in the EU Agreement, auditors consider the recommendation both clear and simple to implement.
4.8 As the ACBPS website (including the updated privacy notice) does not outline the agencies that ACBPS usually discloses EU sourced PNR data to and as this information is otherwise available to the public, the audit team is of the view that ACBPS has not appropriately or adequately addressed this recommendation.
4.9 The APPs include certain obligations that exceed the IPP requirements assessed in this audit.
4.10 While APP 5 generally mirrors IPP 2 requirements, this new privacy principle imposes more rigorous notification requirements at collection, including requiring an APP entity to take reasonable steps to notify individuals of its usual disclosures. An APP entity must now give this notice regardless of whether the entity collected the personal information directly from the individual or not.
Recommendation Two — Ensure PNR data collections are necessary
4.11 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011, recommended:
‘that (ACBPS) consider whether each PNR data element collected is authorised by s 64AF of the Customs Act.’
4.12 Section 64AF of the Customs Act 1901 states that ‘an operator of an international passenger air service commits an offence if the operator receives a request from the CEO to allow authorised (ACBPS) officers ongoing access to the operator’s passenger information in a particular manner and form and the operator fails to provide that access in that manner and form’. That section also defines ‘passenger information’.
4.13 When making Recommendation Two, the OAIC noted the operation of s 64AF of the Customs Act does not override ACBPS’s IPP 1 privacy obligation to limit the collection of personal information to that which is necessary for its lawful functions or activities.
4.14 ACBPS addressed the recommendation by advising, at the time of the audit, that it had been collecting PNR data from airlines for 15 years and had always ensured the data elements it collected were necessary.
4.15 ACBPS had also advised, at the time of the audit, that it was considering amending s 64AF to make it more explicit. ACBPS has stated, given the imminent launch of the National Border Targeting Centre (NBTC), that an overall assessment of the current legislative framework is being conducted to ensure consistency. Any proposed amendments to the Customs Act are therefore still under consideration.
4.16 The audit team is of the view that ACBPS’s response appropriately and adequately addresses Recommendation Two as it considers that each data set is necessary for ACBPS’s lawful functions.
4.17 APPs 3.1 and 3.5 generally reflect the obligations outlined in IPP 1 to only collect information that is necessary, by fair and lawful means.
IPP 4 issues — Storage and security of EU sourced PNR data
There were 12 recommendations by the OPC/OAIC in reference to IPP 4, made over five separate audits. These recommendations relate to the storage and security of EU sourced PNR data, by both the PAU and Airport Operations.
Obligations outlined in APP 11.1 of the reformed Act largely reflect IPP 4 requirements, although APP 11.1 also requires that APP entities protect data from ‘interference’. An example of interference may be an external attack on a computer system that leads to personal data being exposed, but not necessarily modified.
In addition, APP 11.2 creates obligations regarding the retention and destruction of personal information held in a record, however this does not apply to Commonwealth records (APP 11.2(c)).
Recommendation Three — Ensure security of data between PAU and Airport Operations
4.18 The OPC’s audit report entitled ‘Australian Customs and Border Protection Service’, issued in December 2009, recommended:
‘that (ACBPS) ensure PNR data sent from the PAU to arrival airports is protected by reasonable security safeguards.’
4.19 The OPC noted that alerts relating to high risk passengers were being transmitted from the PAU to the arrivals airport using an ordinary facsimile machine.
4.20 ACBPS addressed the recommendation by discontinuing its practice of faxing information (including PNR data) between the PAU and arrivals airports.
4.21 ACBPS implemented an Alerts Management System (AMS) in 2012 to store this data. According to an internal document provided during the current audit, the AMS matches PNR data with Person of Interest (POI) or Travel Document (TD) information obtained from other Australian Government agencies to create a POI or TD alert.
4.22 Airport officers requiring PNR data in the course of performing their duties must lodge a Request for PNR Information (RFPI) form specifying the reason for their request, POI particulars, information sought and relevant requesting officer’s details.
4.23 Verbal RFPIs are only actioned in cases of operational urgency (that is, where the required response is time sensitive) or when the Office of Transport Security requests data in connection with a suspected aviation security incident.
4.24 This report considers recommendations around the verbal RFPI process in more detail (see discussion at Recommendation Seven).
4.25 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Three. Further comments relating to the verbal RFPI process are provided at Recommendation Seven.
Recommendation Four — Monitor and develop data storage and security processes
4.26 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011, recommended:
‘that (ACBPS) monitor and develop business processes for stored EU sourced PNR data with a view to protecting this information.’
4.27 The OAIC noted at the time that ACBPS had not previously stored EU sourced PNR data and that certain privacy risks could be avoided by developing standard processes to address this newly implemented practice.
4.28 ACBPS advised it is continuing to monitor and develop business procedures, by developing the PNR Enhanced Risk Assessment initiative, which is a further phase of the Enhanced Passenger Assessment and Clearance (EPAC) Program. ACBPS also addressed the recommendation by developing the following procedural documents:
- The ‘Solution Requirements Elaboration — PNR Data Retention (EPAC2/PG3/002) EPAC 2, Version 1.0 (26 June 2013)’ document illustrates how PNR data is stored as a separately partitioned database within the Enterprise Data Warehouse (EDW).
- EPAC2/PG3/002 further outlines the automated de-identification and deletion workflows applicable to the EPAC2 system:
  - retention timeframes are consistent with current EU Agreement requirements
  - access to de-identified data is limited to Senior Executive Officer users
  - all PNR data, unless subject to an investigation, is deleted 5 ½ years from initial receipt; a report is generated confirming deletion.
4.29 In addition, the ‘PNR Controls Validation: Legal and Compliance (EPAC2/PG1/002) EPAC2, Version 1.0 (7 July 2013)’ document states that access to PNR is restricted to ACBPS officials specifically authorised by the ACBPS CEO to access this data.
4.30 ACBPS has also developed a draft Instruction and Guideline document entitled ‘Access to Passenger Name Records (PNR) (August 2013)’ which outlines the limitations on access to PNR data, penalties for unlawful accesses, delegations required to obtain access and circumstances in which PNR data can be accessed.
4.31 Auditors note that certain documents provided by ACBPS are still in draft. It is also unclear whether EPAC2 processes have now been finalised or are still in train.
4.32 However, auditors recognise the considerable efforts made by ACBPS to continue developing and monitoring business processes.
4.33 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Four and that ACBPS is addressing this on an ongoing basis.
Recommendation Five — Assess and address risks around manual filtering of sensitive data
4.34 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011, recommended:
‘that (ACBPS) continue to assess the security risks posed by manual filtering of “sensitive” information, and explore other methods to achieve the same outcome.’
4.35 The meaning of ‘sensitive’ PNR data in the EU Agreement includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health or sex life.
4.36 This description does not extend beyond the definition of sensitive information outlined in s 6 of the Privacy Act. However, at the time of this and all previous EU-sourced PNR audits, ‘sensitive’ information was not a relevant consideration for agencies under the IPPs (that is, only relevant to those private sector organisations in Australia covered by the NPPs).
4.37 The OAIC noted that ACBPS did not have automatic processes in place to filter out sensitive information. Manual filtering would generally involve staff viewing and removing data that ACBPS is not authorised to process under the EU Agreement.
4.38 ACBPS has addressed this recommendation through ongoing collaborations with the International Air Transport Association (IATA), the International Civil Aviation Organisation (ICAO) and airline providers, to standardise the information provided by air carriers to ACBPS to a ‘PNRGOV’ format. This standardisation will further improve the ability of ACBPS to automatically filter out sensitive information.
4.39 Currently, limited automated processing enables the filtering of special service requests (for example, meals or wheelchair requirements), which could reveal religious or philosophical beliefs or health information, if retained. Specific codes denoting salutations and titles are also automatically filtered and ACBPS has been working with IATA on an ongoing basis to review format standardisation in this area.
4.40 A policy document drafted by ACBPS provides details on the automated and manual controls used by ACBPS to filter sensitive data in PNR. The PIA also refers to an internal guideline, which requires that all sensitive information be manually filtered, before EU-sourced PNR data may be disclosed.
4.41 The above information is also reflected in the Joint Review of the 2012 EU-Australia PNR Agreement Questionnaire and in Control 41 of the PNR Control Framework (contained in document EPAC2/PG1/002).
4.42 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Five and that ACBPS is addressing this on an ongoing basis.
4.43 APP 3.4 prohibits entities from collecting sensitive information, unless certain exceptions apply. Auditors note that this principle is comparable to the prohibition against processing sensitive PNR data, outlined in Article 8 of the current EU Agreement.
Recommendation Six — Review electronic data storage arrangements
4.44 The OAIC’s audit report entitled ‘Requests for Information for Passenger Name Record data’, issued in June 2013, recommended:
‘that (ACBPS) review its electronic storage arrangements for requests for information relating to EU sourced PNR data (RFPIs), to ensure that appropriate security safeguards are in place to protect this information.’
4.45 The OAIC noted that ACBPS staff were storing EU sourced requests for information and related responses in discrete email folders on the departmental email system. The OAIC noted this as a privacy risk during the audit.
4.46 ACBPS addressed this recommendation by advising that it is reviewing EU sourced PNR data storage arrangements as part of a transition to an electronic document management system, which is a whole-of-government requirement for Australian Government agencies.
4.47 To this end, ACBPS signed a contract in 2012 with an Enterprise Document and Records Management System (EDRMS) provider, so as to satisfy conditions delineated in the ‘Whole of Government Digital Transition Policy (2011)’, the ‘Digital Continuity Plan (2012)’ and ACBPS’s ‘Information Management (IM) Strategy 2012-2015’.
4.48 The EDRMS Project is being implemented in a phased rollout, which commenced in September 2013 and is being progressively applied across ACBPS.
4.49 A draft Instruction and Guideline developed by ACBPS outlines the record management processes to be followed by ACBPS officers. The document states that when managing RFPIs, officers must log the request, copy the RFPI inbox on all correspondence, save records relevant to each request in a secure folder created for that purpose and delete any remaining RFPI data in their Outlook folder.
4.50 The document also outlines destruction and archiving requirements for RFPI data.
4.51 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Six and that ACBPS is addressing this issue on an ongoing basis.
4.52 Auditors also note, however, that security and storage processes are issues subject to continuous change and improvement so the OAIC will continue to evaluate this issue in future assessments.
Recommendation Seven — Review identity verification processes for verbal RFPIs
4.53 The OAIC’s audit report entitled ‘Requests for Information for Passenger Name Record data’, issued in June 2013 recommended:
‘that (ACBPS) review its identity verification procedures for the handling of verbal (telephone) requests for PNR information (RFPIs), to ensure appropriate security safeguards are in place prior to PAU staff disclosing any EU sourced PNR data verbally.’
4.54 The OAIC noted that RFPIs were frequently submitted to ACBPS verbally rather than in writing, due to issues of ‘operational urgency’, and that the identity verification processes ACBPS had in place around both internal and external verbal requests posed a risk of unauthorised access and disclosure.
4.55 ACBPS addressed this recommendation by advising that verbal RFPIs are only actioned in limited circumstances, as noted in paragraph 4.24 of this report.
4.56 ACBPS also confirmed that, for internal verbal RFPIs, the legitimacy of the request is verified by confirming the ACBPS officer’s user ID. ACBPS officer user IDs are only granted once a security clearance process and Organisational Suitability Assessment have been successfully completed. An RFPI actioning officer can verify the validity of user IDs by entering the code into Outlook or the corporate phone book to confirm that the name, contact details and work location match. An officer may also request confirmation from their supervisor.
4.57 ACBPS did not comment on its current processes for handling external (that is, non-ACBPS officer) RFPIs; however, an internal guideline by ACBPS notes that officers responding to verbal RFPIs may verify caller identity by requesting the collecting officer’s ID details (internal requests) or making a return call to the relevant external agency.
4.58 The associated document to this guideline further provides:
- if an officer must action a verbal RFPI, then all communication must be recorded in an email and forwarded to the requesting officer following completion
- if a verbal request is received, PAU officers must record it in the RFPI template.
4.59 Auditors acknowledge the layered protections surrounding the issuing of an ACBPS officer’s user ID. However, the auditors note this does not address the risks associated with an unauthorised access where this user ID has been compromised (for example, through identity theft or loss of a valid User ID).
4.60 Auditors further note that while ACBPS has outlined the various ways an actioning officer may verify the validity of user IDs, these verification processes are not included in ACBPS’s internal guidance documents. It is not clear to what extent these verification processes are adopted by PAU staff.
4.61 The audit team acknowledges that a PAU officer must complete an RFPI template when actioning a verbal request. Requesting officer details such as the officer’s name, user ID, contact number, email address and work area are included in the template. It is again unclear whether all details must be submitted and if the actioning officer uses these details to verify identity.
4.62 While ACBPS appears to have reviewed the identity verification procedures it had in place for verbal RFIs, the security safeguards currently in place do not yet appear to be appropriate or adequate to address external verbal RFI requests.
4.63 As such, the audit team is of the view that ACBPS has not adequately addressed this recommendation and further steps are required to ensure the validity of external officer user IDs provided to ACBPS. Relevant steps may include requiring the officer to provide full identity and contact details when completing the RFPI form; making a call back to the agency’s known telephone switchboard as soon as a request is received to confirm the caller’s identity; requesting supervisor signoff to an RFPI before the disclosure is made.
Recommendation Eight — Review audit log use
4.64 The OAIC’s audit report entitled ‘Requests for Information for Passenger Name Record data’, issued in June 2013 recommended:
‘that (ACBPS) review the manner in which its audit logs for EU sourced PNR data RFI records are currently captured and used, with a view towards improving their use as a more proactive and effective monitoring mechanism and an effective deterrent to the misuse of this data.’
4.65 The OAIC noted that ACBPS’s audit logs capture RFPI transactions, but ACBPS does not proactively use these logs to monitor the appropriateness of data accesses. Logs were usually only accessed on an ad hoc and restrictive basis in response to an investigation into an incident.
4.66 ACBPS addressed this recommendation by referring to the guidance it provides to its officers around maintaining the audit log. Specifically these documents state that:
- all RFPIs must be recorded in the RFPI audit log, whether or not data is disclosed
- a reference number relating to the RFPI must be included on all relevant correspondence.
4.67 In its response to the questionnaire by the Joint Review of the 2012 Australia-EU PNR Agreement, ACBPS further states that user accesses to PNR data are audited through audit logging and monitoring of user access to the PNR system, as well as quarterly user access reviews, which compare log records of accesses to the list of approved users. Accesses to PNR data are in a read-only format.
4.68 The audit team recognises the steps taken by ACBPS, through the implementation of quarterly reviews, to proactively use its audit logs to monitor PNR data accesses.
4.69 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Eight. The OAIC encourages ACBPS to continue this work to make optimal use of audit log data to monitor appropriate access and use of EU sourced PNR data.
Recommendation Nine — Audit relevant IT systems
4.70 The OAIC’s audit report entitled ‘Requests for Information for Passenger Name Record data’, issued in June 2013, recommended:
‘that (ACBPS) undertake an audit of other relevant IT systems (such as its National Intelligence System - NIS) to identify whether identifiable EU sourced PNR data has been included in other system records, and (if so) takes whatever steps are reasonable to ensure this data is protected from unauthorised access, use, modification, disclosure or other misuse.’
4.71 The OAIC noted that small amounts of PNR data had been identified by ACBPS on other systems (such as NIS). ACBPS stated that this appeared to have occurred because raw PNR data had been ‘cut and pasted’ to these IT systems.
4.72 ACBPS addressed this recommendation in its response to the questionnaire relating to the Joint Review of the 2012 Australia-EU PNR Agreement, by advising that ACBPS has implemented the following controls to protect PNR data in its systems:
- clear definition and boundary of the PNR system that is used to manage user access and to separate PNR data from other ACBPS data
- user access controls which require users to seek approval from the CEO, to access PNR data; and approval from the system owner’s delegate to obtain access to PNR systems and data
- built-in functionality and systems controls that have implemented key requirements under the Agreement
- implementation of Policy and Procedures with respect to the handling, management and disclosure of PNR data
- implementation of backup and recovery measures and disaster recovery plans.
4.73 ACBPS further advised that in 2012 it undertook research to track PNR data stored outside its PNR and PAU operational systems. The audit identified a low percentage of raw PNR data contained in the NIS. NIS is ACBPS’s primary corporate intelligence reporting system, used across most operational areas to input Information Reports that have an intelligence value to ACBPS or its partner agencies.
4.74 Following its 2012 audit, ACBPS implemented an internal policy relating to PNR data retention and de-personalisation requirements. The policy relevantly provides that:
- ACBPS is permitted to store specific, identified PNR data elements, including return flight details, seat number, reservation and ticket issue dates, travel itinerary, travel agency and agent, payment information, bag tag number, outside the PNR system for law enforcement purposes, without being limited by depersonalisation and retention requirements imposed by Article 16 of the EU Agreement.
- PNR data elements stored in NIS may be shared with relevant law enforcement bodies for the purpose of combatting terrorist offences and transnational crime, however PNR data sharing domestically and internationally, will still be subject to the requirements of Articles 18 and 19 of the EU Agreement.
4.75 The policy was drafted in consultation with the Target Assessment and Selection, Information Management and Legal Services Branches and approved by the Acting National Director, Intelligence Division of ACBPS.
4.76 ACBPS further advised in response to this recommendation that it will continue to monitor business processes and controls to ensure that PNR data is protected against mishandling.
4.77 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Nine.
Recommendation Ten — Cease faxing PAU alerts to Airport Operations
4.78 The OPC’s audit report entitled ‘Australian Customs and Border Protection Service’, issued in July 2010 recommended:
‘that (ACBPS) cease the practice of faxing urgent PAU alerts (containing PNR information) through to Airport Operations and instead phone through urgent alert notifications to Airport Operations.’
4.79 The OAIC noted the risk that an urgent PAU alert may get lost or sent to an incorrect fax number either within or external to ACBPS.
4.80 ACBPS addressed the recommendation by discontinuing its practice of faxing information (including PNR data) between the PAU and arrivals airports.
4.81 Instead, ACBPS created an Alerts Management System (AMS) to store this data. Details of the AMS process are outlined under Recommendation Three of this report.
4.82 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Ten.
Recommendation Eleven — Review contractor accesses to Control Room and secure areas
4.83 The OPC’s audit report entitled ‘Australian Customs and Border Protection Service’, issued in July 2010 recommended:
‘that (ACBPS) review access to the Control Room and Secure Work Areas by contractors, and ensure that IPP obligations form a part of the terms of their contractual agreement.’
4.84 The OAIC noted that contractors at Sydney Airport had unhindered access to the Control Room area, where PAU alert information was openly displayed.
4.85 ACBPS addressed this recommendation by referring to an Instruction and Guideline that deals with accesses to ACBPS premises. This document refers to contractors as authorised persons and includes contractors within ACBPS’ definition of an employee.
4.86 Before a contractor can gain access to ACBPS’s premises, the contractor must successfully complete an Organisational Suitability Assessment (OSA), a Commonwealth Security Clearance issued by AGSVA, and be issued an ACBPS Photo ID card.
4.87 The OSA is an internal security vetting assessment conducted by ACBPS for the specific purpose of ensuring employee suitability to work in ACBPS and access classified information in a law enforcement environment.
4.88 ACBPS also indicated at audit that contractors are not left unsupervised in the Control Room, as they do not have access to the room outside business hours.
4.89 For Sydney airport, advice received from ACBPS’s traveller policy section noted that when a visitor is required to enter the Sydney airport control room, the visitor contacts the Duty Manager, who organises for an officer to collect them from Client Services and escort them to the Control Room. The visitor completes an Access Register, which is also signed by the escorting officer, and is granted entry into the Control Room. Supervision is maintained at all times and the visitor is escorted back to Client Services when finished.
4.90 The audit team recognises the numerous protections ACBPS has in place to ensure the proper handling of PNR data by contractors.
4.91 However, it does not appear that ACBPS has reviewed contractor accesses to the Control Room or ensured contractor agreements included specific clauses around maintaining IPP obligations, as outlined in the original recommendation.
4.92 While ACBPS has certain protections in place to protect PNR data from misuse by contractors, these steps do not appear to incorporate any of the aspects of recommendation eleven. As such, the audit team is of the view that ACBPS has not appropriately or adequately addressed this recommendation.
Recommendation Twelve — Create storage and destruction policy for finalised PAU alerts
4.93 The OPC’s audit report entitled ‘Australian Customs and Border Protection Service’, issued in July 2010 recommended:
‘that (ACBPS) institute a uniform Airport Operations policy on the storage and destruction process of actioned and/or otherwise finalised PAU alerts.’
4.94 The OAIC noted a discrepancy between Sydney and Cairns airport site approaches to the storage and destruction of PAU alerts, which may include EU-sourced PNR data.
4.95 ACBPS addressed this recommendation by referring to internal guidance developed in reference to PACE alert information. The document outlines appropriate periods of retention by Control Rooms, relevant to PACE alerts requests, close alert match notification reports, alert match notification reports and the log of alert query requests.
4.96 Further guidance relevant to AMS alerts states that alert information must be retained in line with internal policy and Commonwealth Security Standards. Paper based documentation needs to be captured within the Records and Information Management System (RIMS).
4.97 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Twelve.
Recommendation Thirteen — Review PACE alert retention practices
4.98 The OAIC’s audit report entitled ‘Passenger name records (PNR) data: Australian Customs and Border Protection Service Audit Report’, issued in July 2012 recommended:
‘that (ACBPS) review the current practice of having PACE alerts kept in the same system for 90 days once the alerts are deactivated.’
4.99 The OAIC noted that after temporary PACE alerts are deactivated, they remain on the system for 90 days; and that the narrative in PACE alerts sometimes contains PNR data which is no longer needed.
4.100 ACBPS addressed this recommendation by clarifying that in PACE, PAU alerts could be searched for and viewed up to 90 days after they expired or were deactivated, however this did not mean that alert data was purged from the system after 90 days. To access deactivated alerts, a back-end query could be made to retrieve this data.
4.101 In the AMS, active, expired or deactivated alerts can be searched for and viewed at any time for any alert that has been created using AMS, on the proviso that the user has the appropriate privileges to conduct such a search. Like PACE, AMS alerts are still only active for a defined period after which they expire automatically or come up for review by the Alert Owner. This is confirmed in PACE and AMS internal policies.
4.102 ACBPS has advised that the only change since using the AMS, has been in its ability to search and view historical alerts. ACBPS advises that this functionality is essential when conducting entity searches for persons subject to an intelligence assessment and when servicing FOI and Subpoena requests.
4.103 ACBPS has also advised that while data held in AMS is subject to the same controls as all intelligence information, namely the Protective Security Policy Framework, Customs Administration Act 1985 and Archives Act 1983, all alert information held in AMS will now have an indefinite storage timeframe.
4.104 The IPPs do not specifically require that personal information be destroyed within a set timeframe. However, IPP 4 requires agencies to take reasonable steps to ensure records are protected from loss, unauthorised access, use or modification and other misuse. In some circumstances destroying personal information is an appropriate step to protect personal information.
4.105 In addition, the indefinite retention of EU sourced PNR data may raise compliance issues with Article 16 of the EU Agreement.
4.106 ACBPS does not appear to have considered or taken any action in reference to recommendation thirteen, nor has it provided specific reasons why it chose not to. The audit team is therefore of the view that ACBPS has not appropriately or adequately addressed this recommendation.
4.107 The OAIC suggests that ACBPS consider whether the indefinite retention of EU sourced PNR data in AMS unreasonably exposes that data to loss, misuse and unauthorised access, use or modification, and if it does, put in place procedures to destroy that information within a reasonable timeframe.
Recommendation Fourteen — Review mail exchange process between TSU and PAU
4.108 The OAIC’s audit report entitled ‘Passenger Name Records (PNR data) Australian Customs and Border Protection Service Audit Report’, issued in July 2012 recommended:
‘that (ACBPS) develop and implement a uniform email exchange process between the Tactical Support Unit (TSU) and the PAU.’
4.109 The OAIC noted inconsistent practices where PNR data requests were sometimes emailed to the ‘Intell Air’ mailbox and other times sent directly through to the PAU officer’s individual mailbox. Auditors noted that requests sent to an individual’s mailbox could be inadvertently forwarded to an incorrect recipient.
4.110 ACBPS addressed this recommendation by stating that requests from the TSU for PNR data are to be sent directly to the PAU mailbox and further steps are then outlined in the Instruction and Guideline and Associated Document.
4.111 The Associated Document specifically states that RFPIs are received in writing by the PAU on the RFPI template, into the RFPI mailbox. Verbal requests do not go through any mailbox / inbox.
4.112 The audit team is of the view that the steps taken by ACBPS to implement a uniform mail exchange process, appropriately and adequately address Recommendation Fourteen.
IPP 8 issues — Accuracy of EU-sourced PNR data
There was one recommendation made in reference to IPP 8, which relates to the steps taken by the PAU, to ensure EU sourced PNR data in its possession is accurate, complete and up to date. There are no recommendations relevant to Airport Operations’ handling of EU sourced PNR data in this section of the report.
Recommendation Fifteen — Take steps to ensure accuracy of EU-sourced PNR data
4.113 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) consider further steps to ensure it is taking reasonable measures to ensure the accuracy of the personal information it holds before using it.’
The OAIC noted that there was a significant possibility of ACBPS receiving inaccurate information when receiving ‘push’ EU sourced PNR data from airlines, especially since ACBPS was receiving data earlier than under the previous ‘pull’ system of receiving PNR data.
4.114 ACBPS addressed the recommendation by referring to its response to the questionnaire by the Joint Review of the 2012 Australia-EU PNR Agreement, which states that ACBPS currently receives PNR in the two data formats outlined below:
SBRRES/PRL EDI format PNR data from Amadeus is received via a secure channel which provides a direct link between Amadeus (the airline service provider) and ACBPS. EDI Messages from Amadeus are received via the ACBPS Gateway and Customs Connect Facility (CCF).
PNRGOV format PNR data is also received via the ACBPS Gateway and Customs Connect Facility (CCF). The PNR Collect and Store capability transforms the message from EDI to PNR-centric output XML which only includes data listed in Annex 1 of the Agreement. The output XML will then be made available for subsequent store in the PNR Data Store.
Overall for both formats, data beyond the elements listed in Annex 1 of the Agreement are removed and deleted prior to being loaded in the PNR data store.
4.115 ACBPS considers that these standardised formats increase the likelihood that data received by ACBPS is accurate.
4.116 In addition, in its response to the questionnaire by the Joint Review of the 2012 Australia-EU PNR Agreement, ACBPS stated that air carriers are required to provide five scheduled transfers of PNR data, starting at 72 hours prior to departure, then 24 hours, two hours and one hour prior to departure and then again on departure.
4.117 The audit team considers that the steps taken to standardise PNR data formats and the frequency of EU sourced PNR data transfers would contribute greatly towards ensuring that PNR data collected by ACBPS is accurate, up to date and complete.
4.118 The audit team is of the view that these steps appropriately and adequately address Recommendation Fifteen.
4.119 APP 10 replaces IPPs 8 and 9. APP 10.1 contains obligations similar to IPPs 8 and 9 regarding the use of personal information, however APP 10.2 extends the requirements to ensure personal information is accurate, up to date, complete and relevant, to the disclosure of personal information to third parties.
4.120 ACBPS will need to ensure it meets the standards set by APP 10 when making transitional arrangements to address its new privacy obligations.
IPP 10 & 11 issues — Use and disclosure of EU-sourced PNR data
There were four recommendations made in reference to IPPs 10 and 11, which relate to the use and disclosure of EU-sourced PNR data, by the PAU. There are no recommendations relevant to Airport Operations in this section of the report.
Recommendation Sixteen — Advise PNR data recipients of their privacy obligations
4.121 The OPC’s audit report entitled ‘Passenger Name Records (PNR data) No 2’, issued in January 2010 recommended:
‘that PNR data disclosed to third parties include clear instructions on conditions surrounding the use of that information by third parties, including primary purpose of collection and the receiving agency’s obligations under IPP 11.3.’
4.122 The OAIC noted that access to traces of EU sourced PNR data contained in other ACBPS systems (for example, NIS) by agencies other than ACBPS, may put PNR data at risk of being mishandled by the third party agency. These agencies should be informed of their privacy obligations.
4.123 ACBPS addressed the recommendation by referring to the caveat document it now provides to all third party agencies when disclosing PNR data. The caveat:
- is to be included on responses to requests for PNR data
- states that the email to the requesting agency is for their use only and is not to be further disclosed without ACBPS permission
- refers third party agencies to their IPP 11.3 obligations under the Privacy Act
- outlines the purpose for which the PNR data must be used.
4.124 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Sixteen.
Recommendation Seventeen — Ensure consistency between EU and non EU caveats
4.125 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) consider amending the caveat placed on the disclosure of non-EU sourced PNR data in line with the caveat placed on EU sourced PNR data, to ensure both caveats hold the recipient to a similarly high standard of privacy responsibilities.’
4.126 The OAIC noted certain discrepancies between privacy constraints placed on the disclosure of non-EU sourced PNR data and EU sourced PNR data.
4.127 ACBPS addressed the recommendation by referring to the caveat discussed in paragraph 4.124 of this report. This caveat is now used by ACBPS for disclosures of all PNR, regardless of the source.
4.128 The audit team is of the view that the steps taken by ACBPS appropriately and adequately address Recommendation Seventeen.
Recommendation Eighteen — Avoid function creep
4.129 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) consider which exception under IPP 10 it will be relying upon to use PNR data in order to de-identify it.’
4.130 The OAIC noted that PNR data was being used to conduct ‘critical longer term trend analysis, pattern recognition and profile development, consistent with the aims of preventing and combating terrorism and other crimes’. ACBPS advised at the time of the audit that all PNR data collected would be de-identified at some stage after collection for this use.
4.131 Auditors were concerned that PNR data was being used for a secondary purpose, however they acknowledged that if the data was completely de-identified, then IPP 10 would not apply.
4.132 ACBPS addressed the recommendation by stating that it relies on the exception at IPP 10.1(e) to use this information, namely that the purpose for which the information is used is directly related to the purpose for which it was obtained, that is, further use in the border risk assessment process.
4.133 The audit team is of the view that ACBPS’s response appropriately and adequately addresses Recommendation Eighteen.
Recommendation Nineteen — Finalise policy and procedure documents
4.134 The OAIC’s audit report entitled ‘Requests for Information for Passenger Name Record data’, issued in June 2013 recommended:
‘that (ACBPS) finalise Policy and Procedure documents including the ‘Instructions and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data.’
4.135 The OAIC noted that key guidance documents developed by ACBPS for staff use were still in draft format.
4.136 Copies of these documents, provided by ACBPS in response to this audit, were also in draft format.
4.137 ACBPS responded by advising that ACBPS’s development of internal policy documentation is ongoing as ACBPS finalises internal restructures in line with NBTC transitioning requirements.
4.138 ACBPS advises that as a result of this, it has had to review previously finalised policy, process and staff training documentation.
4.139 The audit team acknowledges the difficulties of transitioning to a new business model and recognises ACBPS’s ongoing efforts to finalise guidance documents.
4.140 The audit team is of the view that ACBPS is addressing Recommendation Nineteen on an ongoing basis.
4.141 APP 6 replaces current IPP 10 and 11 requirements, as well as introducing new exceptions permitting the use or disclosure of personal information for secondary purposes.
4.142 In addition, APP 6 also places new obligations on APP entities regarding the use or disclosure of sensitive information.
Between 2008 and 2013, three recommendations were made which were primarily relevant to ACBPS’s obligations under the EU Agreement, rather than the IPPs. As foreshadowed earlier in this report, the audit team will comment on ACBPS’s responses to these three recommendations, particularly as they relate to the APPs and IPPs, but will not make specific recommendations about compliance with the EU Agreement.
Recommendation Twenty — Prevent re-identification of anonymised data
4.143 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) form clear processes around the ‘anonymisation’ and subsequent disclosure of EU sourced PNR data, with a view to ensuring that the data cannot be reasonably re-identified.’
4.144 The OAIC noted that disclosures of anonymised or de-identified information that can be re-identified, may place the security of that information at risk. Auditors therefore recommended that ACBPS take reasonable steps to ensure data cannot be re-identified and enter an agreement with third party agencies that would prevent re-identification.
4.145 Article 18.1(c) states that PNR data may only be shared on a case-by-case basis unless depersonalised.
4.146 In addition, Article 16.1(b) states that PNR data stored in the system must be depersonalised. Article 16.2 outlines the PNR data elements which must be masked to achieve depersonalisation.
4.147 ACBPS addressed the recommendation through a number of internal publications.
4.148 An internal ACBPS guideline informs officers that bulk EU-sourced PNR data must not be disclosed unless depersonalised. This is achieved by manually removing the PNR elements outlined in Article 16.2 from EU sourced data.
ACBPS notes that a layered approach to depersonalising EU sourced PNR will be implemented from 1 January 2015 (date set under Article 27 of the PNR Agreement). Depersonalisation and deletion will occur automatically when the EU sourced PNR data reaches the data retention timeframes specified in Article 16 of the PNR Agreement. This will occur through an automated depersonalisation and deletion tool. Manual filtering will continue to be a requirement by officers prior to any PNR disclosure.
4.149 In addition, Control no. 45 of the EPAC2 Control Framework provides that bulk PNR data disclosures to authorities can only occur if data has been depersonalised so it is no longer identifiable. Customs’ Share Capability will aim to address this issue however this functionality has not yet been implemented.
4.150 In its response to the Joint Review of the 2012 Australia-EU PNR Agreement, Customs advised that it is designing and implementing processes to mask relevant database and field level information automatically in the system, after three years. General PNR users will not have access to any anonymised data after three years. Access to this data will be restricted to Advanced Analytics users.
4.151 The audit team recognises the steps ACBPS currently has in place in regards to the EU agreement and notes that de-identification would assist to comply with APP 11 (formerly IPP 4) because de-identifying personal information protects against loss and misuse.
Recommendation Twenty-One — Cease collection of sensitive information
4.152 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) ensures there is no collection of sensitive information taking place, in line with its EU Agreement obligations.’
4.153 The OAIC noted that ACBPS’s collection of sensitive information may not be relevant to its purpose for collecting PNR data.
4.154 Article 8 of the current EU agreement states that any processing of sensitive EU sourced PNR data shall be prohibited. Any sensitive PNR data transferred to ACBPS is to be deleted by them.
4.155 ACBPS addressed the recommendation by outlining the processes it currently has in place to address this issue. These have previously been considered by the audit team under Recommendation Five of this report.
4.156 The audit team recognises that ACBPS’ efforts in this area are ongoing.
4.157 APP 3.4 prohibits entities from collecting sensitive information, unless certain exceptions apply. This principle closely reflects the prohibition against collection of sensitive PNR data, outlined in Article 8 of the current EU Agreement.
Recommendation Twenty-Two — Ensure EU agreement retention timeframes are met
4.158 The OAIC’s audit report entitled ‘Handling of PNR’, issued in November 2011 recommended:
‘that (ACBPS) assess the required retention timeframes for stored PNR data so they are limited to retention times set out in the EU agreement.’
4.159 The OAIC noted that ACBPS had not previously stored PNR data and would need to ensure it adhered to retention timeframes outlined in the EU agreement.
4.160 Article 16 outlines data retention requirements under the Agreement. It specifies that all PNR data must be de-identified three years after the data has been received, and must be destroyed after five and a half years from initial collection. The exception to this is where the data is required ‘for a specific investigation, prosecution or enforcement of penalties’. EU-sourced PNR data may then be retained until the relevant investigation, prosecution or enforcement is finalised.
4.161 ACBPS advised that it has addressed the recommendation by designing and building an automated mechanism into the PNR system to de-personalise data after three years and retain it no longer than five and a half years.
4.162 This response was reflected in ACBPS’s response to the Joint Review of the 2012 Australia-EU PNR Agreement and in control no. 53 of ACBPS’ Control Framework.
4.163 The audit team recognises ACBPS’ ongoing efforts to implement a system which will fulfil ACBPS’ data retention requirements through automated controls.
4.164 However, auditors also note the indefinite timeframe ACBPS currently has for the retention of AMS alerts. ACBPS may wish to consider whether this is consistent with EU Agreement requirements where alerts are not being retained for specific investigation, prosecution or penalty enforcement purposes.
4.165 As previously outlined in this report, de-identification and destruction requirements outlined in APP 11.2 do not extend to information contained in a Commonwealth record. As such ACBPS’ obligations under the EU Agreement will be more rigorous than APP requirements.
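The retention rule summarised in paragraph 4.160 (de-identify three years after receipt, destroy after five and a half years, unless the data is required for a specific investigation, prosecution or enforcement of penalties) can be expressed as a small decision routine. This is an added example, not the ACBPS mechanism: the record layout, the field names and the `on_hold` flag are assumptions. The elements to be masked under Article 16.2 are not listed in this report, so the mask set is passed in as a parameter. Treating a hold as deferring both masking and destruction is one reading of the paragraph.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date

DEPERSONALISE_AFTER_MONTHS = 36  # three years after the data is received
DESTROY_AFTER_MONTHS = 66        # five and a half years from initial collection


def add_months(d, months):
    """Add calendar months, clamping to the last day of a shorter month."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass(frozen=True)
class PnrRecord:
    record_id: str
    received: date
    fields: dict
    on_hold: bool = False  # assumed flag: needed for a specific investigation


def required_action(rec, today):
    """Return 'retain', 'depersonalise' or 'destroy' for one record."""
    if rec.on_hold:
        return "retain"  # kept until the investigation is finalised
    if today >= add_months(rec.received, DESTROY_AFTER_MONTHS):
        return "destroy"
    if today >= add_months(rec.received, DEPERSONALISE_AFTER_MONTHS):
        return "depersonalise"
    return "retain"


def apply_retention(records, today, mask_fields):
    """Apply the rule to a store; return (surviving records, action report)."""
    kept, report = [], {}
    for rec in records:
        action = required_action(rec, today)
        report[rec.record_id] = action
        if action == "destroy":
            continue  # the record is dropped from the store
        if action == "depersonalise":
            masked = {k: (None if k in mask_fields else v)
                      for k, v in rec.fields.items()}
            rec = replace(rec, fields=masked)
        kept.append(rec)
    return kept, report


# Constructed sample records and mask set (field names are illustrative only).
SAMPLE = [
    PnrRecord("R1", date(2009, 6, 30), {"name": "A", "itinerary": "SYD-LHR"}),
    PnrRecord("R2", date(2011, 12, 31), {"name": "B", "itinerary": "MEL-CDG"}),
    PnrRecord("R3", date(2013, 3, 1), {"name": "C", "itinerary": "BNE-FRA"}),
    PnrRecord("R4", date(2008, 1, 15), {"name": "D", "itinerary": "PER-AMS"},
              on_hold=True),
]
MASK = {"name"}

if __name__ == "__main__":
    kept, report = apply_retention(SAMPLE, date(2015, 1, 1), MASK)
    print(report)
    for rec in kept:
        print(rec.record_id, rec.fields)
```

A record on hold stays identifiable past both limits, so the hold flag needs its own review when the investigation is finalised. Otherwise it becomes a route to indefinite retention of the kind noted for AMS alerts in paragraph 4.164.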
Part 5 — Summary of review
5.1 Between December 2009 and July 2013, a total of 19 recommendations were made in relation to ACBPS’s obligations under the IPPs when handling EU sourced PNR data.
5.2 The OAIC is satisfied that ACBPS has adequately and appropriately addressed or is adequately and appropriately addressing 15 recommendations on an ongoing basis.
5.3 However, the auditors consider that ACBPS’s responses have been either inappropriate or inadequate in reference to the following four recommendations made over this period:
5.4 Recommendation One — As ACBPS’s website (including the updated privacy notice) does not outline the agencies that ACBPS usually discloses EU sourced PNR data to and as this information is otherwise available to the public, the audit team is of the view that ACBPS has not appropriately or adequately addressed this recommendation.
5.4.1 ACBPS accepts this recommendation and would like to provide further information.
5.4.2 ACBPS will update the PNR Privacy page on the agency’s internet site to list the six Australian Government agencies ACBPS is authorised, under the Australia-EU PNR Agreement, to share EU sourced PNR with.
5.5 Recommendation Seven — While ACBPS appears to have reviewed the identity verification procedures it had in place for verbal RFPIs, the security safeguards currently in place do not yet appear to be appropriate or adequate to address external verbal RFPI requests.
5.5.1 ACBPS accepts this recommendation.
5.6 Recommendation Eleven — It does not appear that ACBPS has reviewed contractor accesses to the Control Room or ensured contractor agreements included specific clauses around adhering to privacy obligations.
5.6.1 ACBPS accepts this recommendation and would like to provide further information.
5.6.2 Where contractual arrangements are concerned, our contracts include clauses relating to security (clause 23), confidentiality and the disclosure of information (clause 18), and protection of personal information (clause 19). The contract also makes provision for ACBPS to identify whether OSAs and AGSVA clearances are required, and if so, the level that is applicable. As well as this, our contract provides that Key Personnel of the Contractor, who are involved in the performance of the services, may need to sign a Deed of Confidentiality, Schedule 3, (which also includes non-disclosure and privacy obligation clauses).
5.7 Recommendation Thirteen — ACBPS should consider whether the indefinite retention of EU sourced PNR data in AMS unreasonably exposes that data to loss, misuse and unauthorised access, use or modification, and if it does, put in place procedures to destroy that information within a reasonable timeframe.
5.7.1 ACBPS accepts this recommendation and would like to provide further information.
5.7.2 ACBPS complies with its obligations to safeguard the use of PNR data sourced from the European Union, including its obligations relating to the retention of data in the PNR system in Article 16 of the Australia-EU PNR Agreement (the EU Agreement). For use operationally or for law enforcement purposes, PNR data may be extracted from the PNR system in accordance with both the PNR Agreement and s 64AF of the Customs Act 1901. The data may then be analysed and combined with other information or intelligence on an individual and incorporated into an alert. PNR data is treated by ACBPS in accordance with the same stringent controls as other intelligence information and in accordance with the Privacy Act, s 16 of the Customs Administration Act 1926 and all relevant obligations under the PNR Agreement.
5.7.3 ACBPS complies with its obligations in the Archives Act 1983 (Archives Act) and with the Records Disposal Authority for ACBPS dated 20 December 2001 (RDA) (see www.naa.gov.au/naaresources/ra/2001-00000630.pdf) in relation to the retention and disposal of records. The RDA provides minimum retention periods for records and notes that ACBPS may extend the retention period if it considers that there is an administrative need to do so. There are specific retention requirements for intelligence products including entry 2749 which provides that records documenting formal intelligence product and the provision of intelligence product to clients about a specified subject or a range of subjects of concern are to be destroyed 10 years after the record is compiled.
5.7.4 ACBPS has put in place reasonable security measures to protect the information (including EU sourced PNR data) in the AMS from loss, misuse and unauthorised access, use or modification. The measures are governed by the mandatory security requirements of the Protective Security Policy Framework. These requirements include approved authorised access, disabling of inactive accounts, access control via roles and powers assigned to workgroups and the secure network. Elements of PNR data relating to persons of law enforcement interest, including alerts, are stored electronically in the appropriate protected law enforcement systems and on relevant protected hard copy files.
5.7.5 We note that ACBPS needs to retain the narrative (which includes the PNR data) of each alert so that there is a known reason as to why the person was placed on alert. This is required for both intelligence purposes and to meet our obligations to provide information subject to a subpoena. The OAIC expects that ACBPS will consider the outcome of this review of EU sourced PNR audit recommendations when implementing transitional arrangements to address its APP obligations under the current Privacy Act.
5.8 The OAIC will follow up these recommendations in future assessments of ACBPS.
Appendix A — Documents obtained from ACBPS
- Privacy statement — Australian Customs and Border Protection internet site
- Solution Requirements Elaboration (SRE) PNR Data Retention (EPAC2)
- Caveat for a Request for PNR Information (RFPI)
- Practice Statements:
- Assessment of Travellers
- Passenger Name Data
- Access to Passenger Name Record Instruction and Guideline
- PNR Controls Validation (EPAC2)
- PNR Control Framework (EPAC2)
- Customs Response to questionnaire — Joint Review of the 2012 Australia-EU PNR Agreement
- SSR codes extract filtered out in relation to PNR
- List of PNR data elements
- Internal policy re. PNR data retention / depersonalisation requirements
- Visitor Access to Australian Customs and Border Protection Premises
- Draft ‘Visitor Identification Card (VIC) issuance under the Aviation Security Identification Card (ASIC) scheme’
- Visitor Identification Card Register
- Extraordinary Update number: EU2013/01
- Managing Customs Controlled Areas
- Seaport Notification
- **Document name removed**
- **Document name removed**
- **Document name removed**
- **Document name removed**
- **Document name removed**
- **Document name removed**
- **Document name removed**.
 Australian Customs and Border Protection Service website www.customs.gov.au/aboutus/annualreports/2013/p3h.html, viewed 27 March 2014
 Australian Customs and Border Protection Service Practice Statement - Passenger Name Record Data (PS2012/05), published 10 May 2012, www.customs.gov.au/webdata/resources/files/PS201005_Passenger_Name_Record_Data.pdf
 Chapter 11, APP Guidelines, <www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/>