Part 1 — Introduction
1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Australian Customs and Border Protection Service’s (ACBPS) handling of Passenger Name Record (PNR) data, including European Union-sourced Passenger Name Record (EU PNR) data.
1.2 The purpose of the assessment was to consider ACBPS’s new administrative arrangements for the handling of PNR data and whether these are consistent with the requirements of Australian Privacy Principle (APP) 6 (use or disclosure of personal information) and APP 11 (security of personal information).
1.3 Assessors examined ACBPS’s relevant internal policies and procedures and conducted interviews with key staff to determine the impact of the new arrangements on the use, disclosure and security of PNR data.
1.4 The fieldwork component of the assessment was conducted on 3 and 4 June 2015 at ACBPS’s national office in Canberra, including the National Border Targeting Centre (NBTC). Assessors made enquiries about the operations of key areas involved in the handling of PNR data including Intelligence Information Services, NBTC – Target Assessment and Selection, NBTC – Partner Agencies, Advanced Analytics and the Tactical Support Unit (TSU). The functions of these areas are described in more detail in Part 3.
1.5 The OAIC identified some privacy risks associated with ACBPS’s arrangements for the use, disclosure and security of PNR data and has made four recommendations in relation to these. Three of the recommendations address medium privacy risks associated with ACBPS’s security arrangements for PNR data. One recommendation addresses a medium risk associated with the use and disclosure of PNR data.
Memorandum of understanding arrangements
1.6 The OAIC and ACBPS have a Memorandum of Understanding (MOU) in place for the conduct of privacy assessments relating to ACBPS’s handling of PNR data.
1.7 The MOU refers to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (the EU Agreement).
1.8 The EU Agreement provides for the processing and transfer of EU PNR data to ACBPS from airlines that store data in the European Union (EU). EU PNR data forms a subset of all PNR data handled by ACBPS. More detailed information about ACBPS’s handling of PNR data is in Part 3 of the report.
1.9 The OAIC’s assessments focus specifically on ACBPS’s handling of PNR data against the requirements of the APPs. The OAIC will have regard to the requirements of the EU Agreement when considering the ‘reasonable steps’ ACBPS has taken to protect EU PNR data under APP 11. Additionally, the OAIC may note any issues or practices observed that may be inconsistent with the requirements of the EU Agreement.
Overview of ACBPS
1.10 At the time of the assessment, ACBPS was the primary border protection agency in Australia. Its role was to:
- foster legitimate trade and travel
- support and enforce Australia’s trade and industry policy at the border
- prevent, deter and detect the illegal movement of people and prohibited, restricted or regulated goods across Australia’s border
- counter civil maritime security threats in Australian waters in collaboration with the Department of Defence
- collect border-related revenue and trade statistics.
New structural arrangements
1.11 On 1 July 2015, ACBPS and the Department of Immigration and Border Protection were consolidated into a single Department of Immigration and Border Protection (DIBP). The Australian Border Force (ABF), a single frontline operational border agency, was also established within the DIBP portfolio.
1.12 The ABF brings together all existing immigration and customs operational border functions. DIBP delivers policy, regulatory and corporate support to the ABF. The ABF is divided into two key areas: Border Protection Command, for off-shore maritime activity, and Strategic Border Command for all other border related operational activity.
1.13 Strategic Border Command operates 24 hours a day, 7 days a week and has oversight and control of operational activities taking place in Australian states and territories.
1.14 Strategic Border Command also hosts the NBTC. An interim NBTC commenced operation on 1 July 2014. The NBTC co-locates a number of Commonwealth agencies in a dedicated facility on DIBP premises in Canberra. The NBTC provides an enhanced approach to identifying high-risk international travellers and cargo through collaboration, coordination and sharing of information and intelligence between national security and intelligence.
1.15 At the time of the assessment, ACBPS and DIBP were operating in a joint structure in preparation for formal integration on 1 July 2015. Existing accountabilities were still in place, with the Secretary of DIBP retaining responsibility for immigration functions, and the CEO of ACBPS retaining responsibility for customs and trade-related matters. As such, this report still refers to ACBPS as the entity responsible for the handling of PNR data.
Part 2 — Description of assessment
Objective and scope
2.1 The assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (the Privacy Act) which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs.
2.2 The objective and scope of the assessment was to:
- identify ACBPS’s new arrangements for the use, disclosure and security of PNR data
- assess whether the arrangements are consistent with ACBPS’s obligations under:
  - APP 6 (use or disclosure of personal information)
  - APP 11 (security of personal information).
2.3 The scope did not include an assessment of:
- APPs other than APP 6 and APP 11
- the effect of the new arrangements on ACBPS Airport Operations Rooms located at international airports across Australia
- whether ACBPS has met its obligations under the EU Agreement
- records disposal or retention requirements under the Archives Act 1983 (Cth).
Timing, location and assessment techniques
2.4 The assessors conducted the fieldwork component of the assessment on 3 and 4 June 2015 at 2 Constitutional Avenue, Canberra, Australian Capital Territory (ACT) and at the NBTC [redacted].
2.5 The assessment was conducted as a review of key policy, procedural and training documents provided by ACBPS. Assessors also utilised the following techniques:
- a site inspection of ACBPS facilities relevant to the handling of PNR data
- semi-structured interviews with key staff to assess the impact of the new arrangements on the use, disclosure and security of PNR data.
Information obtained during the assessment
2.6 ACBPS provided a range of documents during the assessment that were relevant to its arrangements for the use, disclosure and security of PNR data. These documents are listed at Appendix A.
2.7 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix B. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.
2.8 The assessors have made four recommendations to address medium privacy risks identified during the course of the assessment. A recommendation is a suggested course of action or a control measure that, if put in place by ACBPS, will (in the opinion of the OAIC) minimise the risks identified around how PNR data is handled.
2.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.
2.10 A redacted version of this report has been published.
Part 3 — Passenger Name Record data
3.1 PNR data is information about airline passengers held by airline operators. PNR data is captured in many ways during the booking and departure process. Once a booking or reservation has been created, certain PNR data fields will be available for viewing under airline reservation systems. Upon check-in, a separate system, known as the departure control system, captures other PNR data such as number of bags checked and seating information.
3.2 EU PNR data refers specifically to PNR data that has been processed in the EU by air carriers or airline global database management system providers.
3.3 PNR data may contain a number of categories of information relating to a passenger’s travel including:
- passenger name (family and given)
- contact details including address and telephone numbers
- any collected Advance Passenger Information data (including name on passport, date of birth, sex, nationality, passport number)
- ticketing information including payment information
- travel itinerary.
3.4 Analysis of PNR data and other relevant information by ACBPS and partner agencies is used in the identification of possible persons of interest in the context of combating terrorism or serious transnational crimes (including drug trafficking, identity fraud and people smuggling).
Legislative basis for collection of PNR data
3.5 The collection of PNR data by ACBPS is authorised under s 64AF of the Customs Act 1901 (the Customs Act).
3.6 This provision specifies that, if requested by ACBPS, all international passenger air service operators, flying into and out of Australia, are required to provide any passenger information (PNR data) that is kept electronically.
3.7 Access to PNR data is only available to ‘authorised officers’ for the purpose of performing their functions under the Customs Act or prescribed laws of the Commonwealth. An ‘authorised officer’ is an ACBPS officer authorised in writing by the CEO to exercise the powers or perform functions under the Customs Act.
3.8 Functions of authorised officers under s 64AF are in accordance with the Customs Act and prescribed regulations. Officers undertake activities to assist in performing these functions which may include conducting traveller risk assessments to identify travellers that may pose a risk at the border, data analysis including post and missed detection analysis and servicing Requests For Information (RFIs). PNR data may also be accessed by authorised officers in support of relevant joint operations, task forces or national ACBPS operations.
3.9 Where passenger information is accessed for an unauthorised purpose, an officer potentially commits an offence against a number of laws dealing with unauthorised access to data. There are substantial penalties, including imprisonment, for breaching legislation which restricts the disclosure of information.
Handling of PNR data
3.10 Previously, the OAIC’s assessments of ACBPS’s handling of PNR data have focussed either on the activities of the Passenger Analysis Unit based at ACBPS’s national office in Canberra, or on Airport Operations Rooms located within international airport terminals around Australia.
3.11 The Passenger Analysis Unit conducted pre-arrival risk assessments of passengers travelling to (or in transit through) Australia using PNR data, along with other advanced passenger information. Officers used this information to screen and identify passengers that may have posed a risk upon arrival in Australia.
3.12 The Passenger Analysis Unit was also responsible for responding to PNR RFIs from other areas of ACBPS (internal RFIs) and from other Australian government agencies or third country authorities (external RFIs).
3.13 ACBPS officers stationed at Airport Operations Rooms located at international airport terminals are responsible for the facilitation of passenger processing and the application of risk management techniques to identify and intercept travellers who may pose a risk to border integrity.
3.14 Airport Operations Rooms do not collect PNR data nor are they involved in the disclosure of PNR data to other agencies or organisations. Consequently, this assessment focussed on the impact of the new arrangements on areas that handle PNR data at ACBPS’s national office in Canberra.
3.15 At the time of the assessment, the Passenger Analysis Unit had been restructured and its functions relating to PNR data were divided between two new operational areas:
- Intelligence Information Services – responsible for the processing of internal and external RFIs for PNR data
- NBTC Target Assessment and Selection – responsible for pre-arrival risk assessments of passengers using PNR data and generating alerts to Airport Operations Rooms.
3.16 A significant aspect of the new arrangements is the establishment of the NBTC. As outlined above, the NBTC is hosted by the Strategic Border Command in the ABF and (at the time of the assessment) included representatives from up to nine law enforcement, intelligence, regulatory and border protection agencies.
3.17 The nine agencies are:
- Department of Immigration and Border Protection
- Australian Crime Commission
- Australian Federal Police
- Australian Security Intelligence Organisation
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Department of Agriculture
- Australian Passports Office, Department of Foreign Affairs and Trade (DFAT Passports Office)
- Office of Transport Security, Department of Infrastructure and Regional Development.
3.19 The structure and responsibilities of other areas involved in the handling of PNR data have remained largely unchanged and have continued on a business as usual basis. These areas, and their primary functions, include:
- Advanced Analytics – applies analytic techniques to ACBPS data collections (including PNR data) [redacted]
- DIBP’s Tactical Surveillance Unit (TSU) – DIBP officers are authorised under s 64AF of the Customs Act to access PNR data. The TSU’s main focus is to identify improperly documented travellers and prevent illegal travellers from entering Australia. The TSU is hosted by the Strategic Border Command.
Part 4 — Assessment issues: Use and disclosure of personal information
4.1 The following findings and recommendations relate to the assessors’ consideration of ACBPS’s new administrative arrangements for the use and disclosure of PNR data and whether these are consistent with the requirements of APP 6.
4.2 APP 6 outlines when an APP entity may use or disclose personal information. An APP entity can only use or disclose the information for a particular purpose for which it was collected (known as the ‘primary purpose’ of collection), unless an exception applies. Where an exception applies the entity may use or disclose personal information for another purpose (known as the ‘secondary purpose’).
The EU Agreement
4.3 Article 3 of the EU Agreement states that ACBPS agrees to process EU PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime. This is the ‘primary purpose’ of collection meaning that EU sourced PNR data may only be used and disclosed for this purpose.
4.4 The EU Agreement also sets out other limited circumstances where EU PNR data may be used or disclosed, including:
- in the protection of vital interests of an individual, such as risk of death, serious injury or threat to health (Article 3(4))
- where specifically required by Australian law, on a case by case basis, for the purpose of supervision and accountability of public administration and the facilitation of redress and sanctions for the misuse of data (Article 3(5))
- for the oversight and accountability functions undertaken by the OAIC (Article 10).
‘Use’ of PNR data
4.5 With regard to the objectives and scope of this assessment, the assessors consider that a ‘use’ of PNR data occurs if an:
- ACBPS officer in Intelligence Information Services responds to an internal RFI from another ACBPS staff member
Observations in relation to ‘use’
Policies and procedures around the use of PNR data
4.6 Assessors were advised that the new arrangements for the use of PNR data are governed by existing policy documents. During the course of the assessment, ACBPS provided assessors with the following policy documents:
- ACBPS Website Privacy Statement
- Passenger Name Record Practice Statement (July 2008) (PROTECTED)
- Passenger Name Record Instruction and Guideline (May 2015) (PROTECTED)
- Passenger Name Record, Intelligence Division, Instruction Manual (2014) (PROTECTED)
4.7 The Website Privacy Statement and Passenger Name Record Practice Statement provide a high level overview of ACBPS’s collection, access, use and disclosure of PNR data.
4.8 The Passenger Name Record Instruction and Guideline (the Instruction and Guideline) contains information for ACBPS officers concerning the appropriate uses of PNR data. Relevantly, the Instruction and Guideline outlines the different requirements that govern the handling of EU and non-EU PNR data.
4.9 Paragraph 2.3.4 of the Instruction and Guideline sets out the purpose limitation governing the use of EU PNR data (see paragraph 4.3).
4.10 Section 3 of the Instruction and Guideline deals with requests for PNR data (RFIs). Specifically, it states that:
- a request must be received prior to accessing PNR
- an RFI should be received in writing and clearly state the purpose for access and the PNR data elements required
- verbal requests should only be actioned in cases of operational urgency.
4.11 The Passenger Name Record Manual (the Manual) contains greater detail and specifies a range of actions ACBPS officers should undertake on receipt of an RFI for PNR data. The Manual also documents step-by-step procedures for ACBPS staff for responding to both written and verbal RFIs.
4.12 The Manual appropriately states that:
- all RFIs should be received in writing (email) to the Intelligence Services mailbox or via a secret network
- verbal internal RFIs must only be actioned in cases of operational urgency [redacted]
- the RFI must state the suspected offence/s being considered or investigated and the relevant legislative provision if known
- for EU PNR, the RFI must be within the purpose limitation of:
  - preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime, or
  - necessary to protect the vital interests of any individual, such as risk of death, serious injury or threat to health (Article 3)
- serious transnational crime means any offence that carries a maximum penalty of at least 4 years, or a more serious penalty as defined by Australian law, and the crime is transnational in nature.
4.13 The assessors note the Manual uses the term ‘disclose’ to describe ACBPS’s response to both internal RFIs (considered in this report to be a ‘use’ of information) as well as responses to external RFIs (considered to be a ‘disclosure’, and discussed in detail below). Notwithstanding this, the Manual appropriately states:
- a response to a request should only disclose those particular PNR data elements which can be clearly demonstrated as necessary to support the PNR RFI. Each request and the related disclosure must be handled on a case-by-case basis and the minimum amount of data possible should be shared
- before disclosing any PNR data in response to a PNR RFI, the authorised officer should check for the existence of any sensitive data and ensure the data is deleted and not disclosed
- where PNR RFIs cannot be actioned, written advice should be provided to the client outlining the reason for the decision not to service the PNR RFI. If no information is disclosed the PNR RFI must still be logged and recorded.
4.14 Assessors consider that the policies and procedures reviewed generally address the requirements of APP 6 relating to the appropriate uses of PNR data.
Impact of new arrangements on ‘use’ of PNR data
4.15 Assessors interviewed staff from Intelligence Information Services about the impact of the new arrangements. Staff advised that, while there had been structural changes, the new arrangements have not had an impact on the procedures for handling internal RFIs. Assessors did not observe staff from Intelligence Information Services processing RFIs; however, this has been observed in previous assessments.
4.16 Assessors noted that staff generally demonstrated a clear understanding of the obligation to use EU PNR data only for internal RFIs relating to terrorist offences or for serious transnational crime issues.
4.17 Assessors were advised that staff use templates when responding to RFIs, which distinguish between EU and non-EU PNR data. Specifically, when responding to an RFI involving EU PNR data, staff use a template that contains a banner at the top of the document stating ‘this information contains EU-sourced PNR data’. Assessors were advised that staff then insert a caveat which outlines the restrictions on the use of EU PNR data. The content of the caveats is outlined in greater detail below at 4.31.
4.18 Enquiries were also made with staff from Advanced Analytics, NBTC Target Assessment and Selection and the TSU. Staff advised that the impact of the new arrangements on their existing procedures for handling EU PNR data has been minimal and their activities have continued on a business as usual basis.
4.19 The most significant impact of the new arrangements has been the establishment of the NBTC. [redacted]
4.20 Assessors visited the NBTC watch floor where the Agency Liaison Officers (ALOs) are stationed. [redacted]
4.21 Assessors note that ALOs undertake both general ACBPS training and NBTC specific training prior to commencing their duties in the NBTC. The majority of the information relating specifically to the NBTC is contained in training material, which is discussed further below at paragraph 5.33. It is relevant to note that ALOs complete a comprehensive induction program which refers them to the internal ACBPS policies outlined above.
Privacy risks in relation to ‘use’
4.22 The new arrangements do not appear to have had a significant impact on current procedures surrounding the use of PNR data by ACBPS. Assessors consider that the existing policy and procedural documents reviewed during the assessment generally appear to address the requirements of APP 6 for the appropriate use of PNR data.
Disclosure of PNR data
4.23 With regard to the objectives and scope of this assessment, the assessors consider that a ‘disclosure’ of PNR data occurs if an:
- ACBPS officer releases PNR data in response to an external RFI from an Australian government agency or third country authority
- ALO in the NBTC releases PNR information to their home agency.
Disclosure requirements in the EU Agreement
4.24 Under Article 18 of the EU Agreement, ACBPS may only disclose EU PNR data to the following Australian government authorities listed in Annex 2:
- Australian Crime Commission
- Australian Federal Police
- Australian Security Intelligence Organisation
- Commonwealth Director of Public Prosecutions
- Department of Immigration and Border Protection
- Office of Transport Security, Department of Infrastructure and Transport.
4.25 Additional requirements of Article 18 are that:
- receiving government authorities shall afford to EU PNR data the safeguards as set out in the EU Agreement
- data is only shared for the purposes stated in Article 3
- data is only shared on a case-by-case basis unless the data has been depersonalised
- only relevant data elements which are clearly demonstrated as necessary in particular circumstances shall be disclosed
- receiving government authorities must ensure that the data is not further disclosed without the permission of ACBPS.
4.26 Under Article 19 of the EU Agreement, ACBPS may transfer EU PNR data to specific third country authorities, whose functions are directly related to preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime. Article 19 also requires ACBPS to:
- ensure third country authorities afford appropriate safeguards to EU PNR data
- obtain agreement to only retain data until investigation or prosecution is concluded
- obtain agreement not to further transfer EU PNR data
- inform passenger (where appropriate) of the transfer
- ensure safe transfer of analytical information.
4.27 Under Article 17, ACBPS must log and document all processing, access, consulting or transfer of EU PNR data, including where the RFI has been denied.
Observations in relation to ‘disclosure’
Policies and procedures around the disclosure of PNR data
4.28 In addition to the policy documents outlined above under ‘use’ of PNR data, assessors were also provided with the following documents relevant to the disclosure of PNR data:
- Disclosure to Commonwealth, State and Territory agencies, Instruction and Guideline (July 2008)
- Disclosure to foreign countries, instrumentalities or agencies of a foreign country and international organisations, Instruction and Guideline (July 2008).
Disclosures to Australian government authorities
4.29 The policy documents provided to assessors set out the following key information relating to disclosure of PNR data to Australian government authorities:
- Passenger Name Record, Instruction and Guideline
  - Identifies the relevant legislation that governs the disclosure of ACBPS official information such as the Customs Administration Act and the Privacy Act
  - Provides the definition of sensitive information and specifies that ACBPS should ensure that sensitive information is deleted before disclosing PNR data
  - States that EU PNR data may only be disclosed to other Australian government authorities in accordance with Article 18 of the ‘PNR Agreement’ and sets out those agencies listed in Annex 2 of the EU Agreement that are authorised to receive EU PNR data
  - States that an Australian government agency must obtain written permission from ACBPS before further disclosing EU PNR data to a third party
  - States that all disclosures of PNR data must include an appropriate caveat, which governs the use, storage and further disclosure of PNR data provided by ACBPS
  - States that every PNR disclosure is to be recorded and logged as a case with a unique identifier. Each case should contain a written copy of the request, the PNR data that was disclosed and justification for the disclosure.
- Disclosure to Commonwealth, State and Territory agencies, Instruction and Guideline
  - This Guideline deals with the disclosure of all ACBPS protected information to domestic agencies under s 16 of the Customs Administration Act. It does not specifically address the additional requirements of Article 18 of the EU Agreement
  - The Guideline states that protected information may be disclosed to a Commonwealth, State or Territory agency under s 16 in the following limited circumstances:
    - there is a serious and imminent threat to the health or life of a person
    - the disclosure is required or authorised by another law
    - the disclosure is in the course of duties
    - there is an ongoing authorisation in place
    - the disclosure is authorised by a one-off authorisation
    - a body corporate or Commonwealth, State, Territory or overseas agency has consented.
- Passenger Name Record, Intelligence Division, Instruction Manual
  - As outlined in the observations around ‘use’, the Manual provides a step-by-step procedure for responding to written and verbal RFIs, including that, before actioning a request for EU PNR data, the ACBPS officer must ensure that the request is within the purpose limitation of Article 3 of the EU Agreement
  - States that PNR data is personal information and must be handled in accordance with the APPs of the Privacy Act. The Manual also states that, when disclosing PNR data, complying with s 16 of the Customs Administration Act will ensure that obligations under the Privacy Act are met
  - The Manual states that an ACBPS officer processing an RFI from an external domestic agency must ensure that the requesting agency has a legal arrangement with ACBPS covering information sharing, by way of:
    - a s 16 undertaking and ongoing authorisation, or
    - a valid Cooperative Agreement with ACBPS; and
    - for EU PNR, the agency must be listed in Annex 2 of the EU Agreement.
  - The Manual states that when PNR information is disclosed to an approved external agency, that agency must not further disclose the PNR data without obtaining written permission from ACBPS. If an agency makes a request to on-disclose the information to a third party, ACBPS officers must consider the purpose for the request and seek the appropriate authorisation (a supervisor (Customs level 3) for domestic third party disclosures).
Disclosures to third country authorities
4.30 The policy documents provided to assessors set out the following key information relating to disclosure of PNR data to third country authorities:
- Passenger Name Record, Instruction and Guideline
  - States that EU PNR data may only be disclosed to specific international authorities in accordance with Article 19 of the EU Agreement
  - States that when EU PNR data is initially disclosed to an approved international authority, that agency must not further disclose the PNR data.
- Disclosure to foreign countries, instrumentalities or agencies of a foreign country and international organisations, Instruction and Guideline
  - This Guideline deals with the disclosure of all ACBPS protected information to international entities under s 16 of the Customs Administration Act. It does not specifically address the additional requirements of Article 19 of the EU Agreement. The circumstances in which protected information may be disclosed under s 16 are outlined above under the Disclosure to Commonwealth, State and Territory agencies, Instruction and Guideline (see paragraph 4.29).
- Passenger Name Record, Intelligence Division, Instruction Manual
  - States that if the PNR RFI is from an international agency, the ACBPS officer processing the request should check if the requesting agency has a legal arrangement with ACBPS covering information sharing by way of a valid Cooperative Agreement.
  - Additionally, the Manual states that EU PNR data may only be disclosed to international government authorities in circumstances where:
    - the agency’s functions relate directly to the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime (Article 19(b))
    - ACBPS is satisfied that the other conditions set out in Article 19 are met including the condition that the receiving third country authority has agreed to afford to the data the same safeguards set out in the EU Agreement.
  - States that all responses to requests for disclosure of PNR information received directly from international agencies must satisfy the purpose limitation requirements, s 16 of the Customs Administration Act and, where applicable, the EU Agreement.
  - International disclosures, other than to ‘Border-5’ administrations, require approval from a Director (other Border-5 administrations are New Zealand, UK, Canada and the US).
  - Border-5 administrations require the approval of at least a Supervisor (Customs level 3) staff member.
4.31 Both the Passenger Name Record, Instruction and Guideline and Passenger Name Record, Instruction Manual state that where PNR data is authorised for disclosure to another agency or international entity, a caveat is to be included on the disclosure to ensure the recipient is fully informed of their obligations in relation to its subsequent use, storage or further disclosure.
4.32 ACBPS has developed four different caveats that must be included on responses to PNR RFIs depending on the requesting entity (international or domestic) and the type of data being disclosed (EU or non-EU PNR).
4.33 The two relevant caveats relating to EU PNR data contain the following key information:
- International disclosure – EU data
- clearly states that the EU data may not be further disclosed
- clearly states the permitted purpose uses of EU PNR data
- identifies the data retention and destruction requirements contained in Article 19 of the EU Agreement
- states the relevant Australian legislative requirements including the Customs Administration Act and the Privacy Act
- National (Australia) disclosure – EU data
- clearly states that EU data may not be further disclosed without the prior written permission of ACBPS
- clearly states the permitted purpose uses of EU PNR data
- refers to the EU Agreement and specifically states that the entity’s handling of the information is governed by APP 6.
NBTC specific documents
4.34 Assessors were provided with a document developed for ALOs, which outlines the requirements of s 16 of the Customs Administration Act for disclosure of ACBPS official information to an ALO’s home agency (Guidelines for disclosure of ACBPS official information under section 16).
4.35 Relevantly, the document states:
- the disclosure must be compliant with s 16 of the Customs Administration Act and the Privacy Act (including the APPs)
- disclosure to a home agency email address is only permissible if another contact email address is included
- a record of the disclosure must be kept. ALOs should maintain a simple table/log on their ACBPS home drive until an appropriate Case Management System is introduced. Details should include the date, receiver, type of data disclosed and permissible purpose. If the NBTC mailbox is included in the distribution, the NBTC will keep the log.
- disclosures should include the applicable ACBPS caveat.
4.36 The document also contains links to other relevant ACBPS policies and procedures, including:
- interactive flow chart to determine whether disclosures under s 16 are lawful
- section 16 undertaking document which provides a list of all agencies that have provided a written undertaking that they will only use information for a specific purpose and will not on-disclose the information
- relevant caveats that must accompany any disclosures.
4.37 Assessors consider that the policies and procedures reviewed above generally address the requirements of APP 6 for the disclosure of PNR data. However, assessors did identify some inconsistencies between the documents and noted that a number of documents do not appear to have been updated to reflect the reforms to the Privacy Act that commenced on 12 March 2014.
Impact of new arrangements on ‘disclosure’ of PNR data
4.38 Assessors interviewed staff from Intelligence Information Services about the impact of the new arrangements and were advised that there had been minimal impact on existing processes and procedures for handling external RFIs.
4.39 Assessors consider that ACBPS staff generally demonstrated a clear understanding of the requirements surrounding disclosure of information to domestic or international entities, including s 16 of the Customs Administration Act, the EU Agreement and the requirement to attach the appropriate caveat to any release of information.
4.40 The biggest change relates to the handling of PNR data by ALOs in the NBTC. Specifically, ALOs [redacted] potentially disclose EU and non-EU PNR data to their home agency [redacted].
Privacy risks in relation to ‘disclosure’
4.42 Assessors did note some inconsistencies between the policy documents. Specifically, the Disclosure to foreign countries, instrumentalities or agencies of a foreign country and international organisations, Instruction and Guideline states that when an officer sends information to a foreign agency in response to a request from that agency (including PNR data), the officer must include or ‘cc’ the Overseas Coordination (OSCORD) mailbox in their response. However, the Passenger Name Record, Instruction Manual states that all RFI responses must cc the PNR RFI inbox and does not mention the OSCORD mailbox.
4.43 Assessors also noted that both Instruction and Guideline documents created in 2008 contain the superseded definition of ‘personal information’. Reforms to the Privacy Act introduced a new definition of ‘personal information’, which states that personal information means information or an opinion about an identified or reasonably identifiable individual, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
4.44 The Passenger Name Record, Instruction Manual states that ‘when disclosing PNR data, complying with s 16 of the Customs Administration Act will ensure obligations under the Privacy Act are met.’ This statement may not accurately reflect ACBPS’s obligations under the APPs. Specifically, while compliance with s 16 of the Customs Administration Act may satisfy the disclosure exception contained in APP 6.2(b), it does not ensure that the other requirements of the Privacy Act and the APPs are met (for example, security requirements contained in APP 11). ACBPS could revise this statement so that it more accurately describes how compliance with s 16 satisfies the requirements of APP 6.2(b).
4.45 Additionally, assessors noted that the Guidelines for disclosure of ACBPS official information under section 16 document developed for ALOs states that ‘disclosure to a home agency email address is only permissible if another contact email address is included.’ It is not clear to assessors what contact email address should be included in any disclosure to an ALO’s home agency. ACBPS could revise this document to more clearly specify which email address should be included when an ALO discloses information to their home agency.
4.46 Assessors consider there is a medium risk that a breach of APP 6 may occur if policy documents relating to the handling of PNR data contain out-of-date information that does not reflect current internal practices or legislative requirements.
4.47 ACBPS should review and update all relevant policy documents (eg. Instructions and Guidelines, manuals, Standard Operating Procedures and training material) to ensure they accurately reflect current internal procedures for the handling of PNR data and current legislative requirements under the Privacy Act and the APPs.
Part 5 – Assessment issues: Security of personal information
5.1 The following findings and recommendations relate to the assessors’ consideration of ACBPS’s new administrative arrangements for the security of PNR data and whether these are consistent with the requirements of APP 11.
5.2 APP 11 states that entities that hold personal information must take steps that are reasonable in the circumstances to protect the personal information from:
- misuse, interference and loss, and
- unauthorised access, modification or disclosure.
5.3 In the context of this assessment, assessors considered a number of broad areas under APP 11.1, including policies and procedures, physical security, Information and Communication Technology (ICT) and access security, record-keeping and monitoring and staff training.
5.4 Article 9 of the EU Agreement sets out data security and integrity requirements to prevent accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access or any unlawful forms of processing of EU PNR data.
5.5 Additionally, Article 16 contains specific requirements surrounding the retention, destruction and ‘depersonalisation’ of EU PNR data.
5.6 The OAIC may have regard to the requirements of the EU Agreement when considering the ‘reasonable steps’ ACBPS has taken to protect EU PNR data.
Observations in relation to ‘security’
5.7 Entities should consider what steps, if any, are necessary to ensure that physical copies of records containing personal information are secured appropriately.
5.8 [redacted]. Assessors observed that access to the general building and to the floor housing Intelligence Information Services is restricted by appropriate physical and electronic security measures.
5.9 Intelligence Information Services operates on a floor rated to SECRET (Negative Vet 1). [redacted]
5.10 Visitors to the floor must complete a visitors log and are issued with temporary visitor passes. All visitors are also prohibited from carrying electronic devices onto the floor and are escorted by ACBPS officers at all times in restricted areas.
5.11 [redacted] Access to the general building and to the NBTC watch floor is also restricted by comprehensive and layered physical and electronic security measures.
5.12 All NBTC members receive ACBPS photographic identification which is required to be displayed at all times while in the workplace.
5.13 The NBTC operates on a floor rated to SECRET (Negative Vet 1). [redacted]
5.14 Visitors to the NBTC need to obtain a visitor’s pass from the security desk in the building foyer, which is to be clearly displayed while on ACBPS premises. To access the NBTC, visitors must also sign the NBTC visitor register and are issued with another pass to access the NBTC watch floor. Visitors are escorted at all times by ACBPS officers.
5.15 Both ACBPS staff and visitors are prohibited from carrying electronic devices into the NBTC. All mobile phones are required to be placed in lockers prior to entering the NBTC.
5.16 Assessors did not observe any risks associated with ACBPS’s physical security arrangements.
ICT and access security
5.17 Effective ICT security requires protecting both computer hardware and the data it holds. Access security and monitoring controls help entities protect themselves against internal and external risks by ensuring that personal information is only accessed by authorised persons.
5.18 Assessors were advised that PNR data is stored electronically in a separately partitioned database within a larger Enterprise Data Warehouse. The Enterprise Data Warehouse stores extensive amounts of passenger movement data. PNR data is accessed in the Enterprise Data Warehouse through the Integrated Analysis Tool.
5.19 Only authorised officers are given access to PNR data through the Integrated Analysis Tool. Prior to accessing PNR data, officers must ensure they have completed the required training and have the appropriate authorisation under s 64AF of the Customs Act.
5.20 The Passenger Name Record, Instruction and Guideline (2008) states that to obtain authorisation to access PNR data, officers must:
- complete a s 64AF online training course
- complete the associated s 64AF quiz and achieve a pass mark
- send an email requesting s 64AF authorisation to the relevant ACBPS mailbox. The email must include, amongst other things, endorsement from the work area supervisor and a screenshot of the quiz results.
5.21 After a completed request is received, an authorisation will be processed in conjunction with the Legal Division. Once the relevant officer has received the appropriate authorisation, they can request access to the Integrated Analysis Tool PNR module.
5.22 Assessors noted that the Passenger Name Record, Instruction Manual (2014) also states that once online training is satisfactorily completed, officers must complete the PNR Push System – User Registration Form.
5.23 ACBPS advised that, once an officer receives the s 64AF authorisation, they must go through Integrated Analysis Tool training and submit a user registration form to IT. The form must be signed off by an EL1 officer. IT then creates a profile in the system for the officer which enables access to PNR data through the Integrated Analysis Tool.
5.25 The Instruction Manual states that an assurance program is conducted annually by ACBPS to ensure compliance with s 64AF in relation to access to PNR data.
5.26 After the assessment, assessors were advised that the Customs Incident Reporting Centre deals with incidents involving, amongst other things, breaches of security. For specific security incidents, a Security Incidents, Breach and Reporting Plan provides instructions for identifying and reporting incidents and the responsibilities of staff. Assessors understand that any privacy issues or incidents involving PNR data are dealt with in the first instance by the relevant line area and escalated to the Legal Advice and Operational Support Branch when necessary.
Record-keeping and monitoring
5.27 The Instruction Manual states that all PNR RFIs, whether data is disclosed or not, are logged in the OSCORD/LEL database. Officers must:
- ensure the PNR RFI audit log is completed fully
- copy the PNR RFI inbox in all correspondence, including disseminations and decisions not to action
- save all records to the PNR RFI folder located on the Local Area Network (LAN). The records should be saved under the corresponding case number.
5.28 In interviews with staff, assessors were advised that all RFIs (referred to as ‘jobs’) are logged in the Intelligence Services Client Portal. It was not clear to the assessors if this Portal is different to the OSCORD/LEL database described in the Instruction Manual above.
5.29 Assessors were advised that the portal has mandatory fields that must be completed by the officer actioning the request, including the requesting officer’s details, type of PNR requested, relevant legislative reference and the intended use of the information. All jobs (whether actioned or not) are logged in the Portal.
5.30 ACBPS’s response to the requesting entity is entered into a template and attached as a PDF to the relevant job record in the Portal. The email response back to the requesting officer is then stored in a folder in the shared Intelligence Information Services mailbox.
5.31 Assessors were advised that there was no regular audit or quality assurance program of stored RFI records. Assessors understand that ACBPS plans to implement this in the future.
5.32 In the context of the NBTC, assessors noted that the Guidelines for disclosure of ACBPS official information under section 16 states that ALOs are required to keep a record of any disclosures made to their home agency. Until a case management system is introduced, ALOs are required to maintain a table or log on their ACBPS home drive that includes details such as the date, receiver, type of data disclosed and the ‘permissible purpose’.
5.33 It is not clear to assessors whether these logs are monitored or reviewed to verify the appropriateness of any disclosures made by ALOs to their home agency.
5.34 It is important that all staff members understand their general APP obligations and what constitutes good information handling and security practices. Privacy training helps ACBPS staff to identify and avoid practices that may breach ACBPS’s privacy obligations.
5.35 Assessors were advised that the Legal Advice and Operational Support Branch supports ACBPS staff by facilitating training, providing advice on secrecy and disclosure provisions in the Customs Administration Act and the Privacy Act and coordinating privacy complaints. The Branch also provides PNR specific advice around the s 64AF framework, appropriate access to PNR, disclosure under s 16 of the Customs Act and how the EU Agreement interacts with the various Australian legislative provisions.
5.36 Assessors reviewed a number of key training documents relating to the use, disclosure and security of PNR data, including:
- a two-day PNR RFI training schedule (covers topics such as how to access PNR, purpose limitations for EU and non-EU PNR, s 64AF delegation, the requirements of the EU Agreement, how to service an RFI)
- Passenger Analysis Unit s 64AF of Customs Act 1901 (PowerPoint presentation)
- Accessing PNR (PowerPoint presentation)
- Servicing an RFI (PowerPoint presentation)
- Request for Information PNR flow chart 1
- PNR – Must meet the following for Access and Dissemination – Information sheet
5.37 ACBPS advised that ALOs must complete both standard ACBPS training and tailored training specific to their role in the NBTC. Assessors were also provided with NBTC specific training documents, including:
- Welcome package – National Border Targeting Centre
- NBTC Stage 1 – NBTC Implementation Program – Agency Liaison Officer Induction and On-Boarding
- NBTC Disclosure of Information and Privacy Act (PowerPoint presentation)
5.38 There are a number of mandatory online learning courses that NBTC participants are required to complete. These qualifications are mandatory for all members of the NBTC to fulfil the requirements of becoming an ACBPS officer and for access to NBTC premises and ACBPS information. Some courses need to be completed every year while others are valid for two years. As at April 2015, the mandatory courses include:
- Culture and conduct – completed every year
- Integrity corruption and fraud awareness – completed every year
- Disclosure of official information – completed every second year
- Security awareness training or protective security presentation – completed once upon becoming an ACBPS officer.
5.39 Assessors consider that the training provided to ACBPS officers and ALOs generally addresses the requirements of the Privacy Act and the EU Agreement.
5.40 Assessors did note that some training documents were outdated and referred to the superseded Information Privacy Principles in one instance.
Privacy risks in relation to ‘security’
5.41 Assessors consider that regular monitoring of internal information handling practices is a reasonable step entities can take to protect personal information. Proactive audit or quality assurance programs can aid in detecting possible misuse or disclosure and may provide a deterrent to the inappropriate handling of personal information.
5.42 Assessors consider that there is a risk that unauthorised use or disclosure of EU PNR data may go undetected if ACBPS does not regularly review and monitor stored RFI responses for compliance with the requirements of APP 6 and the EU Agreement. Assessors consider that this presents a medium risk that ACBPS is not taking reasonable steps to protect EU PNR data under APP 11. ACBPS should implement a regular audit or quality assurance program to ensure adherence to internal policies and procedures around the use and disclosure of EU PNR data.
5.43 As outlined above at 5.26 and 5.27, some policies and procedures contain inconsistent information about the process for ACBPS staff when logging RFI responses or ‘jobs’. Assessors also noted some outdated references to the Privacy Act in the training and policy documents.
5.44 Consistent with recommendation one above, ACBPS should review all relevant policy documents to ensure they accurately reflect current internal procedures and relevant legislative requirements.
NBTC privacy risks
5.45 The OAIC may have regard to the requirements of the EU Agreement when considering what reasonable steps ACBPS should take to secure EU PNR data. That is, in some circumstances, the standards imposed by the EU Agreement may constitute a ‘reasonable step’ that ACBPS should take to protect the personal information it holds.
5.46 Assessors do not consider that the documents developed by ACBPS for ALOs adequately identify or address the risk of unauthorised handling of EU PNR data. Assessors consider that there is a medium risk that ACBPS is not taking reasonable steps under APP 11 to protect EU PNR data. A reasonable step ACBPS should take to protect EU PNR data is to update material for NBTC staff with an explicit statement that ALOs from AUSTRAC, Department of Agriculture and DFAT’s Passport Office are not to disclose EU PNR data to their home agency.
5.47 Further, it is noted that the Guidelines for disclosure of ACBPS official information under section 16 state that ALOs should maintain a simple table/log on their ACBPS home drive until an appropriate Case Management System is introduced.
5.48 Assessors consider there is a risk that the requirement for ALOs to maintain their own log of disclosures may result in a lack of consistency amongst the logs kept and not all disclosures being recorded in accordance with Article 17 of the EU Agreement. More broadly, this practice creates a medium risk that unauthorised disclosure may go undetected if uniform record-keeping practices are not implemented and regularly monitored.
5.49 In the absence of an appropriate case management system, ACBPS should develop a standardised template for ALOs to record home agency disclosures and regularly review these logs to ensure consistency with the requirements of Article 17 and to assist in the detection of possible unauthorised disclosures.
5.50 ACBPS should implement a regular audit or quality assurance program of stored RFIs to ensure that ACBPS is handling PNR data in accordance with the requirements of the APPs and the EU Agreement.
5.51 ACBPS should update material developed for ALOs with an explicit statement that EU PNR data is not to be disclosed to AUSTRAC, Department of Agriculture or DFAT’s Passport Office.
5.52 ACBPS should implement a case management system to log all disclosures by ALOs to their home agencies. In the absence of a case management system, ACBPS should create a standardised template for ALOs to record home agency disclosures and regularly monitor these logs for the purpose of verifying the accuracy and lawfulness of any disclosures.
EU Agreement considerations
5.53 Article 16 of the EU Agreement specifies that ACBPS must hold identified EU PNR data for three years from the time of receipt, after which it is to be de-personalised and retained for a further two and a half years before destruction.
5.54 In a previous assessment, the OAIC considered that the storage of RFIs and responses in an electronic email system would likely pose a difficulty in efficiently de-personalising EU PNR data after three years and then destruction of these records after five and a half years from initial receipt.
5.55 Assessors note that ACBPS is still storing RFIs and their responses in designated folders within a shared mailbox, which may make it difficult for ACBPS to meet the data retention requirements under the EU Agreement.
5.56 It is anticipated that a future assessment by the OAIC will consider in greater detail how ACBPS is handling the de-personalisation and destruction obligations for PNR data under APP 11, with regard also to the specific requirements in force for this data under the EU Agreement.
Part 6 — Summary of recommendations
Recommendation one – Review and update all relevant policy documents
6.1 ACBPS should review and update all relevant documents (eg. Instructions and Guidelines, manuals, Standard Operating Procedures and training material) to ensure they accurately reflect current internal procedures for the handling of PNR data and current legislative requirements under the Privacy Act and the APPs.
6.2 ACBPS accepts this recommendation.
6.3 Since the audit, ACBPS merged with the Department of Immigration and Border Protection and ceased to exist from 1 July 2015. To effect this change the Australian Government passed the Customs and Other Legislation Amendment (Australian Border Force) Act 2015 (the Act) and the Australian Border Force Act 2015. The Act repealed the Customs Administration Act 1985 and abolished the ACBPS as a separate statutory agency. The Act also amended the Customs Act and other Commonwealth Acts to update terminology to reflect integration. Section 64AF of the Customs Act remains unchanged.
6.4 Updates to all policy documentation to reflect the legislative amendments, as a result of portfolio integration, are in progress. Attention will be paid to ensuring documentation reflects the current legislative requirements under the Privacy Act and APPs.
Recommendation two – Implement an audit or quality assurance program of stored RFIs
6.5 ACBPS should implement a regular audit or quality assurance program of stored RFIs to ensure that ACBPS is handling PNR data in accordance with the requirements of the APPs and the EU Agreement.
6.6 ACBPS accepts this recommendation.
Recommendation three – Update NBTC material to prevent unauthorised disclosures
6.7 ACBPS should update material developed for ALOs with an explicit statement that EU PNR data is not to be disclosed to AUSTRAC, Department of Agriculture or DFAT’s Passport Office.
6.8 ACBPS accepts this recommendation.
Recommendation four – Implement a case management system or uniform template for recording disclosures by ALOs
6.9 ACBPS should implement a case management system to log all disclosures by ALOs to their home agencies. In the absence of a case management system, ACBPS should create a standardised template for ALOs to record home agency disclosures and regularly monitor these logs for the purpose of verifying the accuracy and lawfulness of any disclosures.
6.10 ACBPS accepts this recommendation.