Publication date: 6 July 2020

In October 2017, the OAIC commenced a follow-up of the actions taken and progress made by the Department of Immigration and Border Protection (DIBP)[1] in response to the recommendations made in the Assessment of Schedule 5 of the Foreign Fighters Act. This follow-up required an ongoing engagement with DIBP and was completed in December 2019.

The OAIC’s recommendations and DIBP’s responses are outlined below:

Recommendation 1 — Establish policy governance

1.1 The assessors recommend that DIBP introduces governance measures to ensure an appropriate level of responsibility and accountability for the oversight and implementation of practices, procedures and systems for handling personal information during border clearance processes in accordance with Schedule 5 of the Foreign Fighters Act.

1.2 DIBP accepts this recommendation.

Follow-up

1.3 In June 2018, DIBP established a Policy and Procedure Control Framework Team to ensure that all Australian Border Force (ABF) procedural guidance was reviewed and uploaded to the Policy and Procedure Control Register (PPCR). The OAIC has reviewed the documents on the PPCR that relate to personal information handling processes at the border.

1.4 DIBP has established a number of Best Practice Groups (BCGs), such as the Traveller Operational Policy BCG. These BCGs support management by providing field operations officers with access to program governance information and policies and procedures.

1.5 The OAIC considers that DIBP has introduced governance measures, and has taken steps to improve the accountability and oversight around its implementation of practices, procedures and systems for border clearance, including those related to personal information handling.

1.6 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 2 — Enhance privacy notification

2.1 Assessors recommend that DIBP enhances its privacy notifications in the departures hall at Brisbane Airport and considers the application of similarly enhanced privacy notifications across all Australian airports.

2.2 DIBP accepts this recommendation.

Follow-up

2.3 DIBP has implemented privacy notification signage at Brisbane Airport.

2.4 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 3 — Review and/or create documented policies, practices and procedures

3.1 Assessors recommend that DIBP establish policies on the destruction or de-identification of personal information collected during border clearance processes, training and guidance for DIBP staff and ABF officers on any privacy risks that arise throughout the flow of information collected during border clearance processes and how to mitigate them, and a response plan for incidents of a data breach.

3.2 DIBP accepts this recommendation.

Follow-up

3.3 DIBP has incorporated privacy guidance into the mandatory training module delivered by the ABF College. The OAIC has reviewed this training, which consists of an online module about DIBP disclosure obligations around personal information collected during border clearance processes.

3.4 DIBP has developed a Records Management Policy Statement that outlines that the destruction or de-identification of personal information must be in accordance with the Archives Act 1983 (Cth). DIBP also uses records authorities to make decisions about keeping, destroying, or de-identifying personal information collected during border clearance processes.[2]

3.5 DIBP has developed a Data Breach Response Plan that forms part of a broader Procedural Instruction on responding to suspected privacy breaches. The OAIC has reviewed the Data Breach Response Plan, which outlines the roles and responsibilities involved in managing a suspected data breach. The Procedural Instruction will be uploaded to the DIBP intranet.

3.6 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 4 — Review ICT security policies, practices and procedures

4.1 Assessors recommend that DIBP reviews its policies, procedures and systems in relation to the ICT security of personal information collected during border clearance processes, particularly in relation to manual information handling processes and data encryption.

4.2 DIBP accepts this recommendation.

Follow-up

4.3 DIBP has reviewed these policies, procedures and systems, and has implemented data encryption for the information collected during border clearance processes.

4.4 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 5 — Review third party provider access

5.1 Assessors recommend that DIBP reviews its policies, procedures and systems in relation to the levels of access that are granted to third party providers supporting the automated border clearance process.

5.2 DIBP accepts this recommendation.

Follow-up

5.3 The OAIC understands that since the time of the assessment DIBP has implemented a new series of SmartGates. The OAIC has observed documentation which reflects DIBP’s review of its policies, procedures and systems in relation to the levels of access that are granted to third party providers supporting these new SmartGates.

5.4 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 6 — Enhance physical security at departures SmartGates

6.1 Assessors recommend that DIBP enhances the physical security of the departures SmartGates desk area and the OPC box as necessary to prevent persons being able to view personal information, written or visual.

6.2 DIBP accepts this recommendation, and has already taken steps to address this issue.

Follow-up

6.3 The OPC process was discontinued in June 2017. As a result, the OAIC considers that the risk of personal information on the OPCs being viewed through the clear deposit boxes has been eliminated.

6.4 DIBP has installed privacy screens that limit passing passengers or other third parties from viewing other personal information on the computer screens in the desk area occupied by the ABF officers.

6.5 The OAIC considers that DIBP has addressed the parts of the recommendation that relate to the aspects of physical security that have continued to apply.

Footnotes

[1] Subsequent to this assessment being conducted, the Department of Home Affairs (Home Affairs) was established and carries out the functions of the former Department of Immigration and Border Protection (DIBP). References in this report to ‘DIBP’ are inclusive of DIBP and Home Affairs, whichever is applicable at the relevant time.

[2] For further information about records authorities, see https://www.naa.gov.au/information-management/records-authorities.