Summary of the OAIC’s assessment of SITA’s handling of personal information using the advance passenger processing system
Assessment undertaken: April 2017
Draft report issued: October 2017
Final report issued: October 2018
1.1 In April 2017, the Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment of SITA, an organisation that provides IT and communications services for air transport.
1.2 The assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) (Privacy Act), which allows the OAIC to assess whether personal information held by an Australian Privacy Principle (APP) entity is being maintained and handled in accordance with the APPs.
1.3 The assessment considered SITA’s handling of personal information that the Department of Immigration and Border Protection (DIBP) collects from individuals through the Advanced Passenger Processing (AdPP) arrangements.
1.4 The assessment considered SITA’s AdPP activities against the requirements of the Privacy Act, in particular APP 11.
1.5 The OAIC made two recommendations in the assessment to address medium-level privacy risks.
1.6 SITA and DIBP accepted the OAIC’s recommendations, and SITA has implemented or is in the process of implementing the recommendations.
Description of assessment
1.7 AdPP is a system that provides the Australian government with access to information about individuals’ intention to travel. The Australian government uses this information to determine the eligibility of an individual to cross Australia’s border, in advance of them presenting at the border crossing.
1.8 Previously, AdPP only applied to passengers and crew travelling into Australia. Schedule 6 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act) amended the Migration Act 1958 and Customs Act 1901 to expand the AdPP to passengers and crew departing from Australia.
1.9 The outward AdPP arrangement commences with the collection of certain personal information (AdPP data) at airline check-in (either at an airline counter or by individuals online). The AdPP system, operated by SITA under a third party provider contract with DIBP, processes this AdPP data to determine an individual’s authority to depart Australia. In doing so, the AdPP system transmits and receives AdPP data to and from DIBP’s systems.
1.10 This assessment follows on from the earlier Assessment of Schedule 6 of the Foreign Fighters Act – Department of Immigration and Border Protection (the Schedule 6 report). That assessment broadly considered DIBP’s implementation of the expanded AdPP arrangements.
Objective and scope
1.11 The objective of this assessment was to establish whether SITA is taking reasonable steps to secure the personal information collected via AdPP and held in its systems and databases, in accordance with the APPs.
1.12 The assessment examined whether SITA’s information storage and security arrangements were reasonable in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, in accordance with APP 11.
1.13 This assessment specifically focussed on SITA’s AdPP systems. The relationship between DIBP and SITA was considered in this assessment to the extent that it is relevant to SITA’s management of AdPP.
Timing, location and methodology
1.14 The OAIC reviewed documentation provided by DIBP and SITA on policies and procedures related to the security of personal information collected via AdPP and held in SITA’s systems and databases. The assessors then attended SITA’s offices in Sydney on 4 and 5 April 2017 to interview staff from both SITA and DIBP, as well as to inspect one of SITA’s data centres.
1.15 The assessment of SITA was risk based, focusing on identifying privacy risks to the effective handling of personal information in accordance with APP 11.
1.16 The OAIC makes recommendations to address ‘medium’ and ‘high’ privacy risks in accordance with the privacy risk guidance at Appendix A of the OAIC’s Guide to Privacy Regulatory Action.
Summary of findings
1.17 The OAIC found that:
- communication between SITA and DIBP, which was identified as an area for improvement in the previous assessment, had improved
- SITA uses the services of a number of external vendors to help operate the AdPP system, and there was room for improvement in the clarification and formal documentation of the external vendors’ responsibilities and roles
- SITA had generally effective controls in place to protect the outer layers of the computer network that comprises the AdPP system
- some of the ICT security and access security controls designed to protect the inner layers of the AdPP system had room for improvement.
1.18 The OAIC considered that the issues identified in these ICT security and access security controls amounted to medium-level privacy risks. The OAIC made two recommendations to address these risks.
1.19 SITA and DIBP accepted the OAIC’s recommendations, and SITA has implemented or is in the process of implementing the recommendations.
 The Department of Immigration and Border Protection, as it was at the time this assessment was conducted, was subsequently renamed the Department of Home Affairs.