Publication date: 24 October 2019

Assessment undertaken: December 2017
Draft report issued: March 2018
Final report issued: October 2018

Introduction

1.1 In December 2017, the Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of IBM, an organisation that provides IT and communication services.

1.2 The assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether personal information held by an Australian Privacy Principle (APP) entity is being maintained and handled in accordance with the APPs.

1.3 The assessment considered IBM’s handling of personal information collected by the Department of Immigration and Border Protection (DIBP)[1] through SmartGates against the requirements of the Privacy Act, in particular APP 11.

1.4 The OAIC did not make any recommendations in this assessment.

Description of assessment

Background

1.5 SmartGates are an automated system used by DIBP to collect an image of an Australian citizen’s face and shoulders as they cross Australia’s borders. SmartGates are now deployed at Australia’s major international airport departure terminals.

1.6 IBM has a third-party provider contract with DIBP to manage some of the back-end systems that hold personal information collected by departures SmartGates.

1.7 This assessment follows on from the earlier Assessment of departures SmartGates systems – Department of Immigration and Border Protection (the SmartGates report).[2] In that assessment, the OAIC learned that IBM managed, owned or had access to a number of components of the SmartGates systems.

Objective and scope

1.8 The objective of this assessment was to establish whether IBM is taking reasonable steps to secure the personal information held in the SmartGate systems and databases, in accordance with the APPs.

1.9 The assessment examined whether IBM’s security controls around access to the personal information held in the SmartGate systems and databases are reasonable in the circumstances to protect that personal information from misuse, interference, loss, unauthorised access, modification or disclosure, in accordance with APP 11.

1.10 The assessment specifically focussed on the security controls around IBM’s access to personal information held in the SmartGate systems and databases.

Timing, location and methodology

1.11 The OAIC reviewed documentation provided by DIBP and IBM on policies and procedures related to the security of personal information held in the SmartGate systems. The assessors then attended DIBP’s offices in Canberra on 12 and 13 December 2017 to interview staff from both DIBP and IBM. The OAIC also attended one of IBM’s data centres on 21 December 2017.

1.12 The assessment of IBM was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with APP 11.

1.13 The OAIC makes recommendations to address ‘medium’ and ‘high’ privacy risks in accordance with the privacy risk guidance at Appendix A of the OAIC’s Guide to Privacy Regulatory Action.

Summary of findings

1.14 The OAIC found that:

  • both IBM and DIBP play a role in providing and managing IBM staff access
  • there is a strong governance structure underpinning the relationship and communications between IBM and DIBP
  • IBM and DIBP have implemented a number of security controls designed to limit the nature and level of staff access.

1.15 The OAIC did not identify any medium- or high-level privacy risks. The OAIC made one suggestion to assist IBM to further enhance the privacy protective measures that apply to the SmartGate systems.

Footnotes

[1] Subsequent to this assessment being conducted, the Department of Home Affairs was established and carries out the functions of the former Department of Immigration and Border Protection.

[2] See Assessment of departures SmartGates systems – Department of Immigration and Border Protection