Summary of the OAIC's assessment of Department of Immigration and Border Protection's handling of personal information using SmartGate systems
Assessment undertaken: December 2016
Draft report issued: June 2017
Final report issued: October 2018
1.1 In December 2016, the Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of the Department of Immigration and Border Protection (DIBP).
1.2 The assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) (Privacy Act), which allows the OAIC to assess whether personal information held by an Australian Privacy Principle (APP) entity is being maintained and handled in accordance with the APPs.
1.3 The assessment considered DIBP’s handling of personal information collected using SmartGates against the requirements of the Privacy Act, in particular APP 11.
1.4 The OAIC made two recommendations in the assessment to address one high-level privacy risk and one medium-level privacy risk.
1.5 DIBP accepted the OAIC’s recommendations.
Description of assessment
1.6 Schedule 5 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act) amended the Migration Act 1958 (Cth) to empower DIBP to use an automated system, SmartGates, to collect an image of an Australian citizen’s face and shoulders as they cross Australia’s borders. SmartGates are now deployed at Australia’s major international airport departure terminals.
1.7 This report follows on from the already published report, Assessment of Schedule 5 of the Foreign Fighters Act – Department of Immigration and Border Protection. That assessment considered DIBP’s handling of personal information throughout the arrivals and departures border clearance processes.
Objective and scope
1.8 The objective of this assessment was to establish whether DIBP is taking reasonable steps to secure the personal information held in its SmartGate systems in accordance with the APPs.
1.9 The assessment examined whether DIBP’s information storage and security arrangements were reasonable in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, in accordance with APP 11.
1.10 The assessment specifically focussed on the systems and databases, operated by DIBP, that hold personal information collected from individuals by departures SmartGates. The scope of the assessment did not include the manner in which the SmartGates themselves collect or hold personal information.
Timing, location and methodology
1.11 The OAIC reviewed documentation provided by DIBP on policies and procedures related to the security of personal information held in its SmartGate systems. The assessors then attended DIBP’s offices in Canberra on 7, 8 and 20 December 2016 to interview staff, review further documentation and observe DIBP operations.
1.12 The assessment of DIBP was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with APP 11.
1.13 The OAIC makes recommendations to address ‘medium’ and ‘high’ privacy risks in accordance with the privacy risk guidance at Appendix A of the OAIC’s Guide to privacy regulatory action.
Summary of findings
1.14 The OAIC found that:
- the integration of the Australian Customs and Border Protection Service and DIBP continued to impact upon the establishment of clear lines of accountability and oversight for managing privacy risks associated with the SmartGate systems
- there were gaps in DIBP’s risk assessment process for SmartGate systems prior to when the systems began to hold personal information, and DIBP is now taking action to address these gaps
- there was room for improvement in some of the ICT controls that DIBP uses to protect personal information held by the SmartGate systems
- there was room for improvement in some of the access control procedures DIBP uses to protect personal information held by the SmartGate systems
- DIBP has vendor contracts to operate the SmartGate systems. While some of the contracts with these vendors contain specific clauses to protect personal information, DIBP was not proactively ensuring the vendors comply with these clauses.
1.15 The OAIC considered that the gaps in these governance processes and ICT security controls amounted to a high-level privacy risk, and that DIBP’s approach to vendor management amounted to a medium-level privacy risk. The OAIC made two recommendations to address these risks.
1.16 DIBP accepted the OAIC’s recommendations.
Notes
The Department of Immigration and Border Protection, as it was at the time this assessment was conducted, was subsequently renamed the Department of Home Affairs.
Assessment of Schedule 5 of the Foreign Fighters Act – Department of Immigration and Border Protection. In that assessment, the OAIC noted that it would undertake a separate assessment of the security of DIBP’s SmartGate systems.
This was assessed in the already published report, Assessment of Schedule 5 of the Foreign Fighters Act – Department of Immigration and Border Protection.