Publication date: 6 July 2020

In October 2017, the OAIC commenced a follow-up of the actions taken and progress made by the Department of Immigration and Border Protection (DIBP)[1] in response to the recommendations made in the Assessment of Schedule 6 of the Foreign Fighters Act. This follow-up required an ongoing engagement with DIBP and was completed in December 2019.

The OAIC’s recommendations and DIBP’s responses are outlined below:

Recommendation 1 — security of missing Advance Passenger Processing (AdPP) reports and infringement notices

1.1 The assessors recommended that DIBP review the security arrangements for the transmission of missing Advance Passenger Processing (AdPP) reports and infringement notices, and establish safeguards to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

1.2 DIBP responded that it was willing to explore options, in consultation with the airline industry.

Follow-up

1.3 After the assessment, DIBP considered a series of options to revise the security arrangements around the transmission of AdPP information. DIBP is implementing a Secure File Transfer service covering the transmission of missing AdPP reports and infringement notices, intended as a safeguard to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

1.4 Implementation of this service commenced in June 2019 and is expected to be complete in September 2020.

1.5 The OAIC considers that DIBP is addressing this recommendation.

Recommendation 2 — contract performance assurance

2.1 The assessors recommended that DIBP undertake appropriate contract performance assurance activities to ensure that its service provider, SITA, is compliant with APP 11 (security of personal information), and ensure those assurance activities are completed within more appropriate timeframes in the future.

2.2 DIBP agreed that assurance activities should be completed within reasonable timeframes and will continue to work with the service provider to ensure these are met.

Follow-up

2.3 DIBP has undertaken a variety of activities to ensure that SITA has met its contractual obligations, including an inspection of SITA’s data centres on 15 March 2017. The OAIC has reviewed the documentation arising from this inspection, which found that SITA is meeting its Protective Security Policy Framework (PSPF) requirements.

2.4 DIBP advised that:

  • it continues to work closely with SITA
  • it has established greater representation from ICT and AdPP business areas for executive level meetings, to ensure that a holistic approach is taken to the management of the SITA contract
  • it has increased its oversight and enforcement of its contract with SITA.

2.5 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 3 — data breach response plan

3.1 Assessors recommended that DIBP implement a breach response plan, or adapt existing policies, to deal with data breaches.

3.2 DIBP advised that its Privacy Management Plan 2016-17 had identified as a key action a review of the Department’s Privacy Breach Management Framework (Data Breach Response Plan) and reporting instructions. This was due for completion by 30 September 2016.

Follow-up

3.3 DIBP has developed a Data Breach Response Plan that forms part of a broader Procedural Instruction on responding to suspected privacy breaches. The OAIC has reviewed the Data Breach Response Plan, which outlines the roles and responsibilities involved in managing a suspected data breach. The Procedural Instruction will be uploaded to the DIBP intranet.

3.4 The OAIC considers that DIBP has addressed this recommendation.

Recommendation 4 — policies on the destruction or de-identification of personal information

4.1 Assessors recommended that DIBP review and create documentation for policies on the destruction or de-identification of information collected through the outward AdPP arrangement.

4.2 DIBP agreed that there needs to be a policy on the de-identification and destruction of the information collected in the long term. However, the information collected is required for an extended period of time, because the records establish a person’s location; assist in facilitating travel where a departure or arrival has been recorded incorrectly; and establish the time a person has spent onshore, which can determine eligibility for visas, return to Australia or citizenship. These records also assist external agencies, such as the Department of Human Services, to calculate eligibility for government services for Australian citizens as well as non-citizens.

Follow-up

4.3 DIBP has developed a Records Management Policy Statement that outlines that the destruction or de-identification of personal information must be in accordance with the Archives Act 1983 (Cth). DIBP also uses records authorities[2] to make decisions about keeping, destroying, or de-identifying personal information collected during the outward AdPP arrangement.

4.4 The OAIC considers that DIBP has addressed this recommendation.

Footnotes

[1] Subsequent to this assessment being conducted, the Department of Home Affairs (Home Affairs) was established and carries out the functions of the former Department of Immigration and Border Protection (DIBP). References in this report to ‘DIBP’ are inclusive of DIBP and Home Affairs, whichever is applicable at the relevant time.

[2] For further information about records authorities, see https://www.naa.gov.au/information-management/records-authorities.