Requests For Information for Passenger Name Record data
Australian Customs and Border Protection Service

Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: October/November 2012
Draft report issued: May 2013
Final report issued: June 2013
Contents

Part 1 — Introduction
    Background
Part 2 — Description of audit
    Purpose
    Scope
    Objectives
    Timing and location
    Methodology
    Information obtained during the audit
    Opinion
    Follow up review
    Reporting
Part 3 — Description of auditee
    Overview
    Passenger Name Record (PNR) Data
    Legislative basis for collection and uses of PNR data
    The EU agreement
    Description of the PAU
    Structure
Part 4 — Audit issues
    IPP 10 issues — Uses of EU-sourced PNR data
    IPP 11 issues — Disclosures of EU-sourced PNR data
    IPP 4 issues — Storage and security of EU-sourced PNR data
    Other identified issues
Part 5 — Summary of recommendations
    Recommendation 1 – Finalise policy and procedure documents
    Recommendation 2 – Electronic storage arrangements
    Recommendation 3 – Security of EU-sourced PNR data
    Recommendation 4 – Audit logs
    Recommendation 5 – Identity verification procedures
Appendix A — Information Privacy Principles
Part 1 — Introduction

Background

1.1 The Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Australian Information Commissioner (the OAIC) have a Memorandum of Understanding (MoU) which provides a regular audit program for Customs and Border Protection's use of European Union-sourced Passenger Name Record (EU-sourced PNR) data.

1.2 Under the terms of the MoU signed on 9 May 2008 and in effect until 8 May 2012, the OAIC undertook to conduct two audits per financial year of Customs and Border Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Privacy Act).

1.3 This is the second audit undertaken for the 2011-12 financial year, under the MoU signed 9 May 2008. The conduct of the audit was deferred by agreement between Customs and Border Protection and the OAIC to be undertaken within the 2012-13 financial year.

1.4 The focus of the audit is on Customs and Border Protection's handling of internal and external Requests For Information (RFI) involving EU-sourced PNR data.

1.5 Customs and Border Protection and the OAIC signed a further MoU on 8 February 2013 with effect until 30 June 2014. Under the terms of this agreement, the OAIC will undertake one audit per year of Customs and Border Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act.

1.6 The MoU has regard to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by Air Carriers to the Australian Customs and Border Protection Service (the EU Agreement). The EU Agreement was made in Brussels on 29 September 2011, with effect from 1 June 2012.
Part 2 — Description of audit

Purpose

2.1 The primary purpose of the audit was to assess Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act, specifically in relation to its handling of RFIs for EU-sourced PNR data.

Scope

2.2 The audit assessed Customs and Border Protection's handling of both hard-copy and electronic EU-sourced PNR data, in response to either internal or external RFIs for this data.

2.3 The audit scope was limited to the use (IPP 10), disclosure (IPP 11) and storage and security (IPP 4) practices of Customs and Border Protection in relation to the handling of EU-sourced PNR data in response to an RFI.

2.4 Enquiries were also made regarding the activities and operations of the Department of Immigration and Citizenship (DIAC) Tactical Surveillance Unit (TSU) within the Customs and Border Protection Passenger Analysis Unit (PAU) and staff training arrangements. Any observations made in relation to these aspects of the audit are provided for Customs and Border Protection's information only, and do not form part of the overall assessment of agency compliance in this audit.

2.5 The audit also sought to provide some preliminary information for Customs and Border Protection’s consideration in relation to the obligations under the EU Agreement.

2.6 The use of EU-sourced PNR data by Customs and Border Protection to undertake pre-arrival risk assessment (or Flight Screening) of passengers travelling to (or in transit through) Australia did not form any part of the scope of the current audit.

Objectives

2.7 The three objectives of the audit were to identify whether:

1. uses of EU-sourced PNR data in response to RFIs received from within Customs and Border Protection over a defined period are consistent with IPP 10 obligations
2. disclosures of EU-sourced PNR data in response to RFIs from other Australian government agencies or third country authorities are consistent with IPP 11 obligations
3. storage and security arrangements for hard-copy and electronic EU-sourced PNR data in response to RFIs are consistent with IPP 4 obligations.

Timing and location

2.8 The audit fieldwork was conducted on 31 October and 1 November 2012 at Customs House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).
2.9 The location of the audit was the PAU based at Customs House Canberra, and included a site inspection, observation of the handling of EU-sourced PNR data in response to RFIs and an inspection of records of completed EU-sourced PNR RFIs over specified periods.

Methodology

2.10 The audit utilised the following methodologies:

• Semi-structured interviews with key Customs and Border Protection staff from the Passenger Targeting Branch, including PAU managers and staff responding to RFIs, to assess:
    o management and governance arrangements (including but not limited to internal review/audit activities in relation to EU-sourced PNR data, document destruction processes, internal governance arrangements)
    o processing of RFIs (internal and external) for EU-sourced PNR data.
• Inspection of a random selection of 61 EU-sourced PNR RFIs received during the following three specified one week periods:
    o 20 records from the current financial year (24-28 September 2012)
    o 25 records from 6 months prior (26-30 March 2012)
    o 16 records from 12 months prior (26-30 September 2011).
• Document review of relevant material prepared by Customs and Border Protection to assist PAU staff with the handling of EU-sourced PNR data, including (but not limited to) relevant templates and Standard Operating Procedures (SOPs).
• Site inspection assessing physical and IT security and storage arrangements, including (but not limited to) relevant access controls, audit logs, and use of third party contractors if relevant.

Information obtained during the audit

2.11 The following documentation was provided prior to the audit fieldwork into Customs and Border Protection's processing of EU-sourced PNR RFIs in October and November 2012:

• An organisational chart and office locations for the relevant areas of Customs and Border Protection that handle PNR data.
    o ‘PAU Structure Sep-Dec 2012’ document.
    o ‘Advanced Analytics, Intelligence Strategies and Program Branch’ document.
    o Software developers, located in Allara House, Constitution Avenue, Canberra.
• Staff instructions/memorandums in relation to the handling of PNR data in Customs, including relevant SOPs.
• Staff training materials addressing the Privacy Act, the handling of PNR data and relevant information security practices.

2.12 The following information and documentation was gathered during the audit fieldwork period:

• An outline of personal information data flows within Customs relating to handling RFIs of EU-sourced PNR data.
    o ‘Practice Statement 2012/05: Processing requests for Passenger Name Record (PNR) Information’ DRAFT document (Practice Statement).
• An outline of personal information data flows to any internal or external third parties relating to handling RFIs of EU-sourced PNR data:
    o ‘Instructions and Guidelines 2012/05: Processing requests for PNR Information’ - DRAFT document – Protected (Instructions and Guideline).
    o ‘Associated Document 2012/05: Responding to and recording of PAU Request for PNR Information (RFPI)’ - DRAFT document – Protected (Associated Document).
    o Section 16 Undertakings (as of March 2008).
    o ‘Disclosure of EU-sourced PNR data’ caveat for email communications.
    o ‘Disclosure of Non-EU-sourced PNR data’ caveat for email communications.
• Details of internal Customs and Border Control access to EU-sourced PNR data, access limitations, staff training materials and audit log information.
    o ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002) Enhanced passenger Assessment and Clearance Program 2 (EPAC2), Version 0.6 (15 August 2012)’ document.
    o ‘Application for Integrated Analysis Tool (IAT) PNR Push Access’ template.
    o ‘Separation from PAU’ document - management checklist for revoking System access, mailbox/distribution access, communication resources, physical access and other entitlements on separation from the PAU.
    o Audit log of an RFI response observed live by OAIC assessors.
    o ‘PAU Training Schedule Overview’ document (Version 20100525.v2).

Opinion

2.13 The auditors are of the opinion that Customs and Border Protection is generally maintaining its records of personal information in accordance with its IPP 4, 10 and 11 obligations under the Act in the handling of hard-copy and electronic EU-sourced PNR data in response to internal and external RFIs for this data.

2.14 The auditors identified a number of privacy risks in Customs and Border Protection’s maintenance of personal information under its IPP obligations. The auditors have made seven recommendations in relation to these.

2.15 The auditors have also made a number of observations in relation to observed practice against the specific requirements of the EU Agreement, which have been provided here for Customs and Border Protection’s consideration.

Follow up review

2.16 Under the terms of the EU Agreement in effect from 1 June 2012, and a separate MoU between Customs and Border Protection and the OAIC dated 8 February 2013, the OAIC will continue to undertake up to one audit of Customs and Border Protection’s handling of EU-sourced PNR data each year.

Reporting

2.17 Generally the OAIC will publish final audit reports on its website, except where there are concerns with sensitive material. For example, where the audit: relates to material affecting national security, defence, Commonwealth-State relations or law enforcement; involves certain business, commercial or financial information; or where material has been obtained in confidence, it may be appropriate to redact some information from the report or not to publish the report.

2.18 Where final reports of audits of ACT, Australian and Norfolk Island government agencies are published, they will be available on the OAIC’s website (www.oaic.gov.au).

2.19 Information Privacy Principle audit findings and recommendations that are considered relevant to good privacy practice across the public sector are also generally discussed in the OAIC’s annual report.
Part 3 — Description of auditee

Overview

3.1 Customs and Border Protection is the primary border protection agency in Australia. It manages the security and integrity of Australia's borders, and works closely with other government and international agencies to detect and deter unlawful movement of goods and people across the border.

3.2 Other agencies Customs and Border Protection works with include the Australian Federal Police (AFP), the Office of Transport Security (OTS), DIAC and the Attorney General's Department (AG Department).

3.3 As at 30 June 2012, Customs and Border Protection employed 5,671 people nationally in Australia and overseas. Its central office is located in Canberra.

3.4 Customs and Border Protection operates two major programs: Maritime, Corporate and Intelligence, and Border Management. A third corporate division (Strategy, Finance and Integrity) reports directly to the Chief Executive Officer.

3.5 Among other activities, it intercepts illegal drugs and firearms and targets high-risk aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection also has a fleet of ocean-going patrol vessels and contracts aerial surveillance providers for civil maritime surveillance and response.

Passenger Name Record (PNR) Data

3.6 PNR data is information about airline passengers held by airlines on their computer reservation systems and/or departure control systems.

3.7 PNR data may include any of the following information:

• PNR locator code
• passenger name(s)
• passport number
• nationality
• details of travel companions
• frequent flyer information
• ticketing information: date of reservation/issue of ticket; itinerary and alterations made to booking
• contact information, including travel agent details
• payments/billing
• travel status of passenger (including confirmations and check-in status)
• special request/service information
• all baggage information (number and weight of bags)
• seat allocation(s)
• all historical changes to the above PNR.

3.8 Some PNR data is automatically generated by the airline (eg itinerary detail), while other information is supplied by or on behalf of the passenger (eg contact details). Airlines or authorised travel agents may also add a range of further information, such as dietary or medical requirements, or special requests for assistance.

3.9 At the time of the audit, the OAIC was informed that a total of 39 airlines provided PNR data to Customs and Border Protection.

3.10 Of these, 13 airlines were identified as specifically providing EU-sourced PNR data.

3.11 Authorised Customs and Border Protection PAU officers receive up to five scheduled transmissions from specified airlines of both EU-sourced and non-EU sourced PNR data beginning at 72 hours before the scheduled departure of a flight to Australia.

3.12 Any updates to the PNR data are then provided at 24 hours, 2 hours and 1 hour respectively (if available).

3.13 A final full list of available PNR data is also received after the flight has departed for Australia.

Legislative basis for collection and uses of PNR data

3.14 The collection of PNR data by Customs and Border Protection, for both EU and Non-EU sourced PNR data, is permitted under section 64AF of the Australian Customs Act 1901 (the Customs Act).

3.15 This provision specifies that if requested, all international passenger air service operators, flying to, from or through Australia, are required to provide Customs and Border Protection with PNR data to the extent that they are collected and contained in the air carrier's reservations and departure control systems, in a particular manner and form.

3.16 Access to all PNR data is only given to specifically authorised Customs Officers in accordance with section 64AF(5), with a person being an ‘authorised officer’ only if:

a. appointed as an officer of Customs (as set out in section 4 of the Customs Act)
b. authorised in writing by the CEO to exercise the powers to perform the functions of an authorised officer under section 64AF.

3.17 PNR data must only be accessed by authorised Customs and Border Protection officers for the purpose of performing their functions under the Customs Act or prescribed laws of the Commonwealth.

3.18 Functions of officers under section 64AF include conducting traveller assessments for border risks, conducting post-seizure analysis and servicing RFIs.

3.19 PNR data may also be accessed in support of relevant joint operations, task force or national Customs and Border Protection operations, detection analysis or investigation and search and seizure warrants.

3.20 The Customs Administration Act 1985, Migration Act 1958, Crimes Act 1914 (Cth), Privacy Act 1988 (Cth), Freedom of Information Act 1982 (Cth), Auditor-General Act 1997 (Cth), Ombudsman Act 1976 (Cth) and Public Service Act 1999 (Cth) all provide for data protection, rights of access and redress, rectification and annotation and remedies and sanctions for misuse of personal data, including PNR data.

3.21 Unauthorised purpose uses of any PNR data may result in offences under a number of Commonwealth laws dealing with unauthorised access, including the Customs Administration Act 1985, the Criminal Code 1995 (Cth), the Public Service Act 1999 (Cth) and the Privacy Act 1988 (Cth).

The EU agreement

3.22 The EU agreement between Australia and the European Union in relation to the transfer and provision of EU-sourced PNR data to Customs and Border Protection was signed in Brussels on 29 September 2011, with effect from 1 June 2012.

3.23 The EU agreement sets out the terms of the transfer and use provisions of EU-sourced data to Customs and Border Protection.

3.24 Under the EU Agreement, Customs and Border Protection agrees to use PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of personal data.

3.25 The EU Agreement also sets out certain other circumstances when PNR data may be used or disclosed, such as:

a. in the protection of vital interests of an individual, such as risk of death, serious injury or threat to health (Article 3(4))
b. where specifically required by Australian law, on a case by case basis, for the purpose of supervision and accountability of public administration and the facilitation of redress and sanctions for the misuse of data (Article 3(5))
c. for the oversight and accountability functions undertaken by the OAIC (Article 10).

3.26 The EU Agreement also sets out a list of government authorities in Australia with whom Customs and Border Protection are authorised to share (or disclose) EU-sourced PNR data (Annex 2). These authorities are:

• Australian Crime Commission (ACC)
• Australian Federal Police (AFP)
• Australian Security Intelligence Organisation (ASIO)
• Commonwealth Director of Public Prosecutions (DPP)
• Department of Immigration and Citizenship (DIAC)
• OTS (within the Department of Infrastructure and Transport).

3.27 Additionally, Article 19 of the EU Agreement specifies how Customs and Border Protection may transfer EU-sourced PNR data to authorities from third countries (on a case by case basis).

3.28 Article 6 sets out the arrangements for EU-based Law Enforcement Authorities (LEAs) access to PNR data (or analytical information obtained from PNR data) provided to Customs and Border Protection under the EU Agreement.

Description of the PAU

3.29 The PAU in Customs and Border Protection conducts pre-arrival risk assessments of passengers travelling to (or in transit through) Australia using both EU and non-EU sourced PNR data, along with other advanced passenger information.

3.30 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious transnational crimes, such as money laundering, drug importation, weapons trafficking and people smuggling/trafficking.

3.31 PAU officers use this information, together with a range of other information (for example immigration, intelligence and other law enforcement data), to screen passengers prior to arrival to Australia and assist in identifying those passengers that may pose a risk at the time of arrival.

3.32 The PAU also responds to requests for PNR data from other areas of Customs and Border Protection (internal RFIs) and from other Australian government agencies or specified third country authorities (external RFIs).

3.33 These internal and external RFIs for EU-sourced PNR data are the subject of this audit.

Structure

3.34 The Director, PAU leads three distinct sections: Assessment and Selection, Profile Management and Alerts Management.

3.35 The Assessment and Selection manager oversees four shift teams of five analysts (each with a team supervisor) and two further Supervisors. This team operates 24 hours a day, seven days a week.

3.36 The Profile Management team consists of a manager, supervisor and analyst, while the Alerts Management team consists of a manager, supervisor and five senior customs officers.

3.37 The auditors also spoke with Customs and Border Protection staff from Passenger Strategy and Policy Section, the Policy and Risk Team, the PAU (Passenger Targeting Branch) and key staff from the Advanced Analytics Section (Intelligence Strategies and Program Branch).

3.38 Additionally, the auditors spoke to an officer from the DIAC TSU around their access, use and disclosure (if any) of EU-sourced PNR data.

Part 4 — Audit issues

The following findings and recommendations relate to the auditors' consideration of Customs and Border Protection’s handling of both hard-copy and electronic EU-sourced PNR data, in response to either internal or external RFIs for this data. The IPPs are produced in full at Appendix A.

IPP 10 issues — Uses of EU-sourced PNR data

IPP 10 sets out how personal information collected for one purpose may be used for another (secondary) purpose, such as with the individual’s consent or for some health and safety or law enforcement reasons in certain circumstances. Specifically:

• IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
• IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of Customs and Border Protection’s use of EU-sourced PNR data:

• Article 3: Scope of application
• Article 8: Sensitive data
• Article 17: Logging and documentation of PNR data.

Observation(s)

Interpretation of ‘use’ by the OAIC

4.1 The auditors considered that, where Customs and Border Protection's use of EU-sourced PNR data is in response to an internal RFI from a Customs staff member, this constitutes a use of EU-sourced PNR data.

4.2 Article 3 of the EU Agreement terms explicitly states that Customs and Border Protection agree to process (ie use) PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime. These two uses form the primary purpose of the collection of the EU-sourced PNR data.

4.3 Three additional permitted uses are also set out in Article 3 of the EU agreement (see paragraph 3.25 above).

Policies and procedures around the use of EU-sourced PNR data by Customs and Border Protection

4.4 The auditors noted throughout the interviews that Customs and Border Protection staff generally had a clear understanding of the obligation to use EU-sourced PNR data only for internal RFIs in relation to terrorist offences or for serious transnational crime issues.

4.5 The OAIC reviewed three key policy and practice documents in relation to RFIs for EU-sourced PNR data:

• ‘Passenger Name Record (PNR) data’ - (Practice statement)
• ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected - (Instruction and Guidelines)
• ‘Responding to and recording of PAU Request for PNR Information (RFPI)’ – DRAFT - Protected – (Associated Document)

4.6 The Practice statement provides a high level overview of Customs and Border Protection’s collection, use and sharing of both EU and non EU-sourced PNR data.

4.7 The draft Instruction and Guidelines (Protected) provides greater detail for Customs and Border Protection officers in terms of the appropriate uses of PNR data (both EU and non EU-sourced).

4.8 Section 1.6.4 of the Instruction and Guidelines sets out appropriately the allowable uses of EU-sourced PNR data only for the purposes specified in Article 3 of the EU Agreement (see paragraphs 3.24 and 3.25 above).

4.9 Section 1.3 also specifies a range of actions that a PAU Officer should undertake on receipt of a RFI for PNR data (including EU-sourced PNR data). This section appropriately:

• outlines all RFIs should be received in writing (email) to the PAU Canberra Mailbox
• provides examples of the type of RFIs that Customs and Border Protection PAU officers may action
• specifies that the RFI must include the offence being considered and/or investigated, including the relevant Act and section
• outlines the response should only include the particular types of PNR data or elements requested, and only be provided within the purpose limitation under Article 3 of the EU Agreement
• outlines the common sources of RFIs including:
    i. Customs and Border Protection officers (including overseas Senior Australian Customs and Border Protection representative network)
    ii. officers of other Australian LEAs and intelligence agencies
    iii. international LEAs with which Customs and Border Protection has a valid Cooperative Agreement in place (and received through relevant international counsellor or intelligence liaison officers).
• outlines reasons for not actioning a RFI, and the written advice that must be provided outlining why the decision has been made not to action an RFI (to be logged and recorded as if actioned).

4.10 At the time of the audit, the Associated Document was also a draft document. The auditors were provided with a copy, and noted that the document template set out a series of actions to be undertaken by Customs and Border Protection PAU staff in responding to written and verbal RFIs in general, and in relation to written and verbal responses to international counterpart agencies.

4.11 The auditors noted that there could be better consistency within the Instruction and Guideline, given it states PAU must review all RFIs in writing (page 6), and later (page 9, Section 1.5.4) specifies the steps to be taken in the limited circumstances in which an RFI may be received by telephone.

4.12 It is possible that this is an effect of the draft nature of these documents, and is raised here as an observation only for Customs and Border Protection’s consideration.

4.13 Subject to the above, the policies and procedures developed (or under development) by Customs and Border Protection appear likely (when finalised) to support PAU staff to use EU-sourced PNR data appropriately within the requirements of the Privacy Act.

Observation of the processing of RFI requests

4.14 Auditors were advised that PAU staff usually receive RFIs that had been sent to a dedicated PAU EU-RFI email inbox. PAU staff may also receive RFIs over the telephone from calls to a dedicated PAU landline.

4.15 The auditors observed a senior PAU officer handling a real-time request for PNR data received via email.
4.16 The process for PAU staff dealing with RFIs received via email is set out in the Associated Document (Section 1.1). 4.17 Relevantly, the auditors observed the PAU staff: a) check and verify the source of the request (AFP in the observed instance) b) check the offence being considered and/or investigated and the legislative basis for PAU response to the PNR RFI c) check the airline operator to establish if EU-sourced PNR or non EU-sourced PNR RFI data had been requested d) review multiple PNR data entries for the Person Of Interest and consider the relevance of available EU-sourced PNR data to the request received 14
e) access relevant IT systems to extract appropriate EU-sourced PNR data f) draft an email response to the RFI, manually inputting relevant elements of the EU- sourced PNR data g) add the standard EU disclosure caveat h) recheck the RFI request, the EU-sourced PNR information provided, the recipient and the legislative basis for actioning the request i) send the RFI response email (with a cc to the PAU EU-RFI mailbox as a record of the response, stored by month of actioned request). 4.18 In responding to an RFI received over the telephone, the auditors were advised that PAU staff: verify the internal Customs and Border Protection staff members Customs User ID against internal systems (phone or email systems) proceed as above for a written RFI, but verbally advising the requesting officer of the information sought (ie after 4.17 step ‘e’ above) confirming the verbal RFI request and PAU response in an email then sent to the requesting officer (with a cc to the PAU EU-RFI mailbox as a record of the response, stored by month of actioned request). 4.19 Customs and Border Protection advised the auditors that procedures and templates were in development to improve the consistency of PAU staff responses to both written and verbal RFIs. 4.20 The auditors noted that Section 1.5.4 of the ‘Instruction and Guideline’ document specifies the steps to be undertaken in responding to an RFI received by telephone, and Section 1.9 specifies, for urgent operational cases only, how a verbal RFI is to be logged and recorded. Customs and Border Protection was developing a more detailed checklist in the ‘Associated Document’. 4.21 Customs and Border Protection also advised that, at the time of the audit, there was no specific Standard Operating Procedure (SOP) document which covered verbal RFI responses. 
However, the draft Associated Document (a procedural/technical level document below an Instruction and Guideline) sets out the procedures for PAU staff to follow on receipt of a verbal RFI.

4.22 Discussion with PAU staff showed a high level of awareness of when RFIs are to be refused, with examples being given of State LEAs seeking information for non-Commonwealth offences which had been declined.

4.23 The auditors were advised that, where the RFI did not clearly specify what EU-sourced PNR information was required, PAU staff have the discretion to determine what information (if any) from the EU-sourced PNR record would be provided in response.
4.24 Staff were able to articulate that only the minimum EU-sourced PNR data relevant to the request should be provided (consistent with Article 18(1)(d) requirements of the EU Agreement).

4.25 The auditors also noted that statistics of shift records are recorded every day. These statistics record the number of RFIs responded to by the PAU Officers. No personal information from EU-sourced PNR data is included in these statistics.

Inspection of RFI records over specified periods

4.26 Customs and Border Protection provided the auditors with hard copies of all RFI responses for each of the below specified weeks.

4.27 These records included both EU and non-EU sourced RFIs received in each week, received in either written or verbal format.

4.28 The auditors undertook an inspection of a total of 61 completed EU-sourced PNR RFIs during the three randomly selected specified one week periods, as follows:
• 20 records (21%) from 97 RFIs in the specified week (24-28 September 2012)
• 25 records (24%) from 104 RFIs from 6 months previous (26-30 March 2012)
• 16 records (22%) from 74 RFIs from 12 months previous (26-30 September 2011).

4.29 In summary, and across the three specified weeks:
• the 61 EU-sourced PNR RFIs accounted for 22% of a total of 275 PNR RFIs received
• the majority (59%) of the EU-sourced PNR RFIs received across the three week periods were internal RFIs from Customs and Border Protection staff
• almost all of the EU-sourced PNR RFIs were written (received via email), rather than by telephone
• four EU-sourced PNR RFIs across the three week period did not clearly specify the grounds for the enquiry. While two of these RFIs had been refused on these grounds, two appeared to have been actioned
• the most recent specified week had the fewest issues identified, while records from the period 12 months prior to the specified week had the most issues identified.
4.30 Specifically, the auditors noted the following with regard to the EU-sourced PNR RFIs received in each of the three week periods inspected:

• Specified period (24-28 September 2012) – of the 20 records inspected:
  i. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received during the week)
  ii. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies
  iii. a further two RFIs (10%) did not clearly show whether the source of the request was internal or external. The response to each of the two RFIs, if any, was also not recorded. This observation is also noted at Paragraph 4.73 (iii) (see ‘Specified Period’ dot point)
  iv. all but two internal RFIs specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement
  v. of the two that did not clearly specify the purpose:
     • one had been refused on these grounds
     • one appeared to have been actioned
  vi. The appropriate EU caveat had been applied to all internal RFI responses.

• Six months previous to specified week (26-30 March 2012) – of the 25 records inspected:
  i. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received during the week)
  ii. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies
  iii. one internal RFI did not have any record of the response provided, if any
  iv. in two instances, PAU officers had appropriately sought further information prior to actioning the internal RFI
  v. all but one internal RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement
  vi. for the record that did not clearly specify the purpose, the internal RFI was refused on these grounds
  vii. the appropriate EU caveat had been applied to all internal RFIs.

• 12 months previous to specified week (26-30 September 2011) – of the 16 records inspected:
  i. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received during the week)
  ii. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies
  iii. two RFIs (12.5%) did not clearly show whether the source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded. This observation is also noted at Paragraph 4.73 (iii) (see ‘12 month previous’ dot point)
  iv. one internal RFI did not specify clearly the grounds under which the RFI had been requested, but appeared to have been actioned
  v. in another instance, a PAU officer had appropriately sought further information prior to actioning the internal RFI
  vi. The appropriate EU caveat had not been applied to three of the ten internal RFIs. The non-EU caveat had been applied in two records, while no caveat appeared to be attached to one record.

4.31 Overall, the inspection of records identified an improvement in the completeness of EU-sourced PNR RFI records over the previous year up to the specified week.

4.32 The inspection also showed, however, that in each period at least one EU-sourced PNR record appeared to have been actioned without a clear reason provided for the request. It was not clear whether staff had responded to the RFI without a reason being provided, or whether the reason had not been clearly recorded.

Logging and documentation of RFI responses

4.33 Article 17 of the EU Agreement (in part) requires Customs and Border Control to:
• log all processing, access, consulting or transfer of EU-sourced PNR data
• include where the RFI has been denied.

4.34 Customs and Border Protection advised that all EU-sourced PNR RFIs are received in a dedicated PAU EU-RFI mailbox, located within the standard departmental email system.
4.35 All responses to EU-sourced PNR RFIs (including where an RFI has been refused) are also stored in a dedicated PAU EU-RFI mailbox (ie held separately from other PNR data).

4.36 The Associated Document specifies that all responses (and the original RFI) are to be:
• logged in a PAU RFI Register
• hard copy printed and placed on a PAU RFI RIM file
• recorded on a PAU statistics sheet.

4.37 It was unclear at the time of the audit whether these instructions were in force.

4.38 Logging of RFIs received by telephone occurs after the RFI has been responded to verbally, through a confirmation email sent by the responding PAU officer to the requesting party.

4.39 The inspection of records relevantly showed:
• instances where the RFI had been declined had been recorded, including the reasons why the request was declined
• one or two instances in each week where a hard copy record of the RFI had been logged, while the response (if any) was not specified.

4.40 Customs and Border Protection staff indicated to the auditors that retrieval and/or search of these email records, where a specific RFI response needed to be located, was currently quite difficult.

4.41 Customs and Border Protection also indicated that the storage of RFI requests and responses on the email system was problematic, and in the longer term there was a need to review how best to store electronic (and hard copy) records of the RFIs and the responses provided, if any.

4.42 The auditors requested a copy of the system audit log of the written EU-sourced PNR RFI that had been observed. Customs and Border Protection was able to provide an SQL query log for the RFI, based on the responding Customs Staff User Id, showing:
• Person Of Interest name search
• EU-sourced PNR flight list request from inbound flight manifest
• EU-sourced PNR detail reviewed (further detail was available from the database, on request).

Sensitive data — Limitations on use

4.43 Article 8 of the EU Agreement covers the prohibition of Customs and Border Protection from processing sensitive EU-sourced PNR data. Sensitive data includes information on:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• health or sex life information

4.44 The IPPs do not currently or specifically deal with the collection or use of sensitive personal information.
However, the incoming Australian Privacy Principle 3 (in effect from 12 March 2014) will place new obligations on Customs and Border Protection in terms of its collection of sensitive personal information.

4.45 While the PAU handling of sensitive personal information is not therefore covered by the IPPs, the following observations are noted for Customs and Border Protection consideration in terms of the EU Agreement requirements, and the introduction of the APPs on 12 March 2014.

4.46 Customs and Border Protection staff advised the OAIC that EU-sourced PNR data collected by the airline operators is not standardised, and EU-sourced PNR data collected by different airline operators is variable in terms of the provided data fields, structures and formats.

4.47 To assist with the collection of a minimum level of core EU-sourced PNR data, Customs and Border Protection requests access to a pre-determined set of EU-sourced PNR data fields from relevant airline operators (as specified in Attachment A of the ‘Instruction and Guideline’ document).

4.48 Customs and Border Protection staff were aware of the obligation under Article 8 of the EU agreement to destroy any sensitive data contained in EU-sourced PNR data.

4.49 Customs and Border Protection advised that (at present) there was very little sensitive information contained in EU-sourced PNR data received.

4.50 If an EU-sourced PNR record contained sensitive data, this would likely occur in the free text or general remarks associated with PNR data (ie Other Supplementary Information (OSI), Special Service Information (SSI) or Special Service Request (SSR) detail).

4.51 Customs and Border Protection advised that it is currently very difficult to automatically censor or delete free text or general remark information prior to the entry of the EU-sourced PNR record into the database. This reflects an IT systems limitation, in that the location of the data (if included) is within non-standardised and free text fields.
4.52 Customs and Border Protection advised that they have not, and do not intend to, use any EU-sourced PNR data (including sensitive information, if included) to conduct any form of racial profiling.

4.53 At present, the PAU addresses the issue of sensitive information on a case by case basis. Sensitive information is not utilised in any processing of EU PNR data and where possible the information is deleted i) prior to entry of the EU-sourced PNR data to the IAT or ii) upon ad-hoc identification by PAU staff in response to an RFI.

4.54 However, there appeared to be some lack of awareness in discussions with PAU staff of what constitutes ‘sensitive data’ under the EU agreement.

4.55 A higher level of awareness of what constitutes ‘sensitive data’ from PAU staff would enable this information to be better identified and removed, if the data did find its way into the IAT. Further, PAU staff also need to be aware that this information cannot be disclosed in response to an RFI, and take appropriate steps to notify the relevant IT area to have the sensitive data removed from the EU-sourced PNR record, to ensure obligations under the EU Agreement are met.

Privacy issues

4.56 A range of risks have been identified in terms of Customs and Border Protection’s use of data, under both the Privacy Act and more specifically the EU Agreement. These issues are outlined below for Customs and Border Protection’s consideration.

4.57 At the time of the audit, the ‘Instruction and Guideline’ and ‘Associated Document’ were in draft form. There is a risk that a lack of finalised policies and procedures to support PAU staff in applying the allowable uses of PNR data (including EU-sourced PNR data) may lead to a breach of Customs and Border Protection obligations under either the Privacy Act or the terms of the EU Agreement.

4.58 There is a risk that, where the records of RFIs received and PAU response (if any) are not complete or accurate, especially around the grounds provided for the RFI, Customs and Border Protection:
• may be in breach of its obligations under IPP 7 (accuracy, completeness etc);
• may not know whether personal information has been used and disclosed in accordance with IPP 10 and 11; or
• may not be complying with the terms of the EU Agreement with regard to its use of this data.

4.59 A lack of awareness of the types of data that are considered ‘sensitive’ under the EU agreement (and after 12 March 2014, in the new Australian Privacy Principles) increases the risk that PAU staff may use this data in providing an RFI response, rather than deleting the data as required under the EU agreement.

Recommendation 1 — Finalise policy and procedure documents

4.60 The auditors recommend that Customs and Border Protection finalise the ‘Instructions and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data.
The auditors note that the draft documents contain specific instructions in relation to EU-sourced PNR data requirements, such as the Australian government agencies that this data may be shared with, the need to clearly record the reasons for the RFI and response (if any) and sensitive data destruction requirements.

IPP 11 issues — Disclosures of EU-sourced PNR data

IPP 11 sets out when an agency may disclose personal information to someone else, for example another agency. This can only be done in special circumstances, such as with the individual’s consent or for some health and safety or law enforcement reasons. Specifically:
• IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.
• IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.
• IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of Customs and Border Protection’s disclosure of EU-sourced PNR data:
• Article 18: Sharing PNR data with other government authorities of Australia
• Article 19: Transfers to authorities of third countries
• Article 6: Police and Judicial cooperation.

Interpretation of ‘disclosure’ by the OAIC

4.61 The OAIC considers that, where Customs and Border Protection responds to a RFI from an external Australian government authority, third country authority or the police or judicial authorities of a Member State of the EU, Europol or Eurojust, this constitutes a disclosure of EU-sourced PNR data.

Policies and procedures around the disclosure of EU-sourced PNR data by Customs and Border Protection

4.62 The OAIC noted throughout the interviews that Customs and Border Protection staff generally had a clear understanding of the obligation to disclose EU-sourced PNR data for external RFIs only in relation to offences relating to terrorism or serious transnational criminal activities.

4.63 The disclosure aspects of the three key policy and practice documents in relation to RFIs for EU-sourced PNR data showed:

• ‘Passenger Name Record data’ - (Practice statement)
  i. Paragraph 12 contains a specific reference to the addition of the appropriate PNR caveat where PNR data is disclosed to another agency.

• ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected - (Instruction and Guidelines):
  i. Section 1.4 outlines circumstances in which RFIs may be received from other Australian government agencies.
  ii. Section 1.6.5-6 sets out allowable disclosures to Commonwealth agencies and Third Country Authorities.
  iii. Section 1.6.10-13 describes the need to apply appropriate caveats to disclosed PNR data.
  iv. Section 1.6.14 describes the requirement to log all RFIs and responses (if any) on an appropriate RIMS file.

• ‘Responding to and recording of PAU Request for PNR Information’ – DRAFT - Protected – (Associated Document)
  i. Section 3 Appendix 1 specifies a list of six airlines that provide EU-sourced PNR data, explicitly identifies the six Australian government agencies that this data may be disclosed to (in addition to Customs and Border Protection) and warns against any identified bulk disclosure of EU-sourced PNR data.
  ii. The section also sets out that sensitive EU-sourced PNR data (if included in the record) is to be deleted before further processing.
  iii. Section 6 Appendix 4 provides the EU and non-EU PNR disclosure caveats to be attached to any RFI response.
  iv. Section 7 Appendix 5 provides written and verbal response templates, including for non-compliant (or ‘no data available’) RFI responses.

4.64 The Instructions and Guidelines (Section 1.4) indicate that RFIs may be received directly by the PAU (rather than through outposted Customs and Border Protection Liaison Officers) from four Australian government agencies, as follows:
• AG Department via the Australian Security Network (ASNET), a dedicated secure communications network for the exchange of information classified in relation to national security. Due to sensitivity of AG Department’s operations, the specific nature of the risk which prompts the RFI does not need to be identified
• the Trans-National Sexual Exploitation Targeting Team (TSETT), received from the AFP
• the OTS for issues of ‘Operational Urgency’, where the RFI is time critical.

4.65 The policies and procedures developed (or under development) by Customs and Border Protection appear likely (when finalised) to support PAU staff to disclose PNR data, including EU-sourced PNR data, appropriately within both the Australian legislative frameworks and the terms of the EU Agreement.
Disclosures of EU-sourced PNR information to other Australian government Authorities

4.66 Under Article 18 of the EU Agreement, Customs and Border control are authorised to share EU-sourced PNR data on a case by case basis with the following government authorities of Australia:
• Australian Crime Commission
• Australian Federal Police
• Australian Security Intelligence Organisation
• Commonwealth Director of Public Prosecutions
• Department of Immigration and Citizenship
• Office of Transport Security (within the Department of Infrastructure and Transport).

4.67 Discussions with PAU staff showed a high level of awareness of when RFIs are to be refused, with examples being given of external State-based LEAs seeking RFI for non-Commonwealth offences, which had been declined.

4.68 Three major agencies were commonly identified as agencies to which EU-sourced PNR data could be shared (AFP, ASIO and ACC), likely reflecting the higher frequency of RFIs received from these agencies.

4.69 However, staff awareness of the other Australian government agencies that EU-sourced PNR data could be shared with (ie the OTS and DPP) appeared less clear, with these agencies not generally referenced during interviews.

4.70 External RFIs from DIAC appear to be received only on occasion from the TSU, which is co-located with the PAU and supports the DIAC Airline Liaison Officer (ALO) network, based at airports across the world.

4.71 The TSU advised auditors that DIAC RFIs of the PAU were made relatively infrequently, due to a range of reasons including:
• DIAC preference for non-EU sourced ‘pull’ data over the ‘push’ data held by the PAU
• the access that DIAC ALOs located in each airport will often already have to relevant passenger information (ie Advanced Passenger Information received directly from the relevant airline).

4.72 Customs and Border Protection advised that TSU staff have appropriate authorisations under section 64AF(5) of the Customs Act to access PNR data, as required.

Inspection of RFI records over specified periods

4.73 In terms of the inspection of EU-sourced PNR RFIs from the three randomly selected one week periods, the auditors noted the following:

• Specified period (24-28 September 2012) – of the 20 records inspected:
  i. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week)
  ii. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received during the week)
  iii. as noted previously under the ‘Specified Period’ dot point at Paragraph 4.30 (iii), two RFIs (10%) did not clearly show whether the source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded
  iv. there were no third country authority requests in the period
  v. of the external RFIs, all specified clearly the grounds under which the RFI had been requested, and were legitimate purposes under the EU Agreement
  vi. the appropriate EU caveat had been applied to all external RFI responses.

• Six months previous to specified week (26-30 March 2012) – of the 25 records inspected:
  i. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received during the week)
  ii. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received during the week)
  iii. there were no third country authority requests in the period
  iv. all but one external RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement
  v. the record that did not clearly specify the purpose for the external RFI appeared to have been actioned by Customs and Border Protection
  vi. the appropriate EU caveat had been applied to all but one of the external RFI responses. The one exception applied the non-EU caveat.

• 12 months previous to specified week (26-30 September 2011) – of the 16 records inspected:
  i. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week)
  ii. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received during the week)
  iii. as noted previously under the ‘12 month previous’ period dot point at Paragraph 4.30 (iii), two RFIs (12.5%) did not clearly show whether the source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded
  iv. there were no third country authority requests in the period
  v. all but one external RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement
  vi. the record that did not clearly specify the purpose for the external RFI appeared to have been actioned by Customs and Border Protection
  vii. the appropriate EU caveat had been applied to all but one of the external RFIs. The one exception applied the non-EU caveat.

4.74 Overall, the inspection of records identified an improvement in the completeness of EU-sourced PNR records over the previous year up to the specified week.

4.75 In summary, the inspection showed that:
• one EU-sourced PNR record in both the six and 12 month period prior to the specified week appeared to have been actioned without a clear reason provided for the request. It was not clear whether the RFI had been responded to without a reason being provided, or whether the reason had not been clearly recorded on the record inspected
• one EU-sourced PNR record in both the six and 12 month period prior to the specified week had been sent with the incorrect PNR caveat attached (ie the non-EU PNR caveat had been attached).

Disclosure of EU-sourced PNR information to authorities of third countries

4.76 Under Article 19 of the EU Agreement, Customs and Border control are authorised to transfer PNR data on a case by case basis to specific third country authorities, whose functions are directly related to preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime.
4.77 Article 19 also requires Customs and Border Protection to:
• ensure third country authorities afford appropriate safeguards
• assess third country authority functions are directly related to terror or transnational crime purposes
• obtain agreement to only retain data until investigation or prosecution is concluded
• obtain agreement not to further transfer EU-sourced PNR data
• inform passenger (where appropriate) of the transfer