Requests For Information for Passenger Name Record data Australian Customs and Border Protection Service Final audit report Information Privacy Principles audit Section 27(1)(h) Privacy Act 1988 Audit undertaken: October/November 2012 Draft report issued: May 2013 Final report issued: June 2013 Contents Part 1 — Introduction .................................................................................... 2 Background ................................................................................................................................ 2 Part 2 — Description of audit ......................................................................... 3 Purpose ...................................................................................................................................... 3 Scope .......................................................................................................................................... 3 Objectives................................................................................................................................... 3 Timing and location.................................................................................................................... 3 Methodology.............................................................................................................................. 4 Information obtained during the audit ...................................................................................... 4 Opinion....................................................................................................................................... 6 Follow up review ........................................................................................................................ 6 Reporting.................................................................................................................................... 6 Part 3 — Description of auditee ..................................................................... 7 Overview .................................................................................................................................... 7 Passenger Name Record (PNR) Data ......................................................................................... 7 Legislative basis for collection and uses of PNR data ................................................................ 8 The EU agreement ..................................................................................................................... 9 Description of the PAU............................................................................................................. 10 Structure .................................................................................................................................. 11 Part 4 — Audit issues ................................................................................... 12 IPP 10 issues — Uses of EU-sourced PNR data ........................................................................ 12 IPP 11 issues — Disclosures of EU-sourced PNR data ............................................................. 21 IPP 4 issues — Storage and security of EU-sourced PNR data ................................................ 30 Other identified issues ............................................................................................................. 38 Part 5 — Summary of recommendations ..................................................... 39 Recommendation 1 – Finalise policy and procedure documents ........................................... 39 Recommendation 2 – Electronic storage arrangements ......................................................... 39 Recommendation 3 – Security of EU-sourced PNR data ......................................................... 39 Recommendation 4 – Audit logs .............................................................................................. 40 Recommendation 5 – Identity verification procedures ........................................................... 40 Appendix A — Information Privacy Principles .............................................. 41 1 Part 1 — Introduction Background 1.1 The Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Australian Information Commissioner (the OAIC) have a Memorandum of Understanding (MoU) which provides a regular audit program for Customs and Border Protection's use of European Union-sourced Passenger Name Record (EU-sourced PNR) data. 1.2 Under the terms of the MoU signed on 9 May 2008 and in effect until 8 May 2012, the OAIC undertook to conduct two audits per financial year of Customs and Border Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Privacy Act). 1.3 This is the second audit undertaken for the 2011-12 financial year, under the MoU signed 9 May 2008. The conduct of the audit was deferred by agreement between Customs and Border Protection and the OAIC to be undertaken within the 2012-13 financial year. 1.4 The focus of the audit is on Customs and Border Protection's handling of internal and external Requests For Information (RFI) involving EU-sourced PNR data. 1.5 Customs and Border Protection and the OAIC signed a further MoU on 8 February 2013 with effect until 30 June 2014. Under the terms of this agreement, the OAIC will undertake one audit per year of Customs and Border Protection's handling of EUsourced PNR data under section 27(1)(h) of the Privacy Act. 1.6 The MoU has regard to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by Air Carriers to the Australian Customs and Border Protection Service (the EU Agreement). The EU Agreement was made in Brussels on 29 September 2011, with effect from 1 June 2012. 2 Part 2 — Description of audit Purpose 2.1 The primary purpose of the audit was to assess Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act, specifically in relation to its handling of RFIs for EU-sourced PNR data. Scope 2.2 The audit assessed Customs and Border Protection's handling of both hard-copy and electronic EU-sourced PNR data, in response to either internal or external RFIs for this data. 2.3 The audit scope was limited to the use (IPP 10), disclosure (IPP 11) and storage and security (IPP 4) practices of Customs and Border Protection in relation to the handling of EU-sourced PNR data in response to an RFI. 2.4 Enquiries were also made regarding the activities and operations of the Department of Immigration and Citizenship (DIAC) Tactical Surveillance Unit (TSU) within the Customs and Border Protection Passenger Analysis Unit (PAU) and staff training arrangements. Any observations made in relation to these aspects of the audit are provided for Customs and Border Protections information only, and do not form part of the overall assessment of agency compliance in this audit. 2.5 The audit also sought to provide some preliminary information for Customs and Border Protection’s consideration in relation to the obligations under the EU Agreement. 2.6 The use of EU-sourced PNR data by Customs and Border protection to undertake prearrival risk assessment (or Flight Screening) of passengers travelling to (or in transit through) Australia, did not form any part of the scope of the current audit. Objectives 2.7 The three objectives of the audit were to identify whether: 1. uses of EU-sourced PNR data in response to RFIs received from within Customs and Border Protection over a defined period are consistent with IPP 10 obligations 2. disclosures of EU-sourced PNR data in response to RFIs from other Australian government agencies or third country authorities are consistent with IPP 11 obligations 3. storage and security arrangements for hard-copy and electronic EU-sourced PNR data in response to RFIs are consistent with IPP 4 obligations. Timing and location 2.8 The audit fieldwork was conducted on 31 October and 1 November 2012 at Customs House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT). 3 2.9 The location of the audit was the PAU based at Customs House Canberra, and included a site inspection, observation of the handling of EU-sourced PNR data in response to RFIs and an inspection of records of completed EU-sourced PNR RFIs over specified periods. Methodology 2.10 The audit utilised the following methodologies: Semi-structured interviews with key Customs and Border Protection staff from the Passenger Targeting Branch, including PAU managers and staff responding to RFIs, to assess: o management and governance arrangements (including but not limited to internal review/ audit activities in relation to EU-sourced PNR data, document destruction processes, internal governance arrangements) o processing of RFIs (internal and external) for EU-sourced PNR data. Inspection of a random selection of 61 EU-sourced PNR RFIs received during the following three specified one week periods: o 20 records from the current financial year (24-28 September 2012) o 25 records from 6 months prior (26-30 March 2012) o 16 records from 12 months prior (26-30 September 2011). Document review of relevant material prepared by Customs and Border Protection to assist PAU staff with the handling of EU-sourced PNR data, including (but not limited to) relevant templates and Standard Operating Procedures (SOPs). Site inspection assessing physical and IT security and storage arrangements, including (but not limited to) relevant access controls, audit logs, and use of third party contractors if relevant. Information obtained during the audit 2.11 The following documentation was provided prior to the audit fieldwork into Customs and Border Protection's processing of EU-sourced PNR RFIs in October and November 2012: An organisational chart and office locations for the relevant areas of Customs and Border Protection that handle PNR data. o ‘PAU Structure Sep-Dec 2012’ document. o ‘Advanced Analytics, Intelligence Strategies and Program Branch’ document. 4 o Software developers, located in Allara House, Constitution Avenue, Canberra. Staff instructions/memorandums in relation to the handling of PNR data in Customs, including relevant SOPs. Staff training materials addressing the Privacy Act, the handling of PNR data and relevant information security practices. 2.12 The following information and documentation was gathered during the audit fieldwork period: An outline of personal information data flows within Customs relating to handling RFIs of EU-sourced PNR data. o ‘Practice Statement 2012/05: Processing requests for Passenger Name Record (PNR) Information’ DRAFT document (Practice Statement). An outline of personal information data flows to any internal or external third parties relating to handling RFIs of EU-sourced PNR data: o ‘Instructions and Guidelines 2012/05: Processing requests for PNR Information’ - DRAFT document – Protected (Instructions and Guideline). o ‘Associated Document 2012/05: Responding to and recording of PAU Request for PNR Information (RFPI)’ - DRAFT document – Protected (Associated Document). o Section 16 Undertakings (as of March 2008). o ‘Disclosure of EU-sourced PNR data’ caveat for email communications. o ‘Disclosure of Non-EU-sourced PNR data’ caveat for email communications. Details of internal Customs and Border Control access to EU-sourced PNR data, access limitations, staff training materials and audit log information. o ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002) Enhanced passenger Assessment and Clearance Program 2 (EPAC2), Version 0.6 (15 August 2012)’ document. o ‘Application for Integrated Analysis Tool (IAT) PNR Push Access’ template. o ‘Separation from PAU’ document - management checklist for revoking System access, mailbox/ distribution access, communication resources, physical access and other entitlements on separation from the PAU. o Audit log of an RFI response observed live by OAIC assessors. 5 o ‘PAU Training Schedule Overview‘ document (Version 20100525.v2). Opinion 2.13 The auditors are of the opinion that Customs and Border Protection is generally maintaining its records of personal information in accordance with its IPP 4, 10 and 11 obligations under the Act in the handling of hard-copy and electronic EU-sourced PNR data in response to internal and external RFIs for this data. 2.14 The auditors identified a number of privacy risks in Customs and Border Protection’s maintenance of personal information under its IPP obligations. The auditors have made seven recommendations in relation to these. 2.15 The auditors have also made a number of observations in relation to observed practice against the specific requirements of the EU Agreement, which have been provided here for Customs and Border Protection’s consideration. Follow up review 2.16 Under the terms of the EU Agreement in effect from 1 June 2012, and a separate MoU between Customs and Border protection and the OAIC dated 8 February 2013, the OAIC will continue to undertake up to one audit of Customs and Border Protection’s handling of EU-sourced PNR data each year. Reporting 2.17 Generally the OAIC will publish final audit reports on its website, except where there are concerns with sensitive material. For example, where the audit: relates to material affecting national security, defence, Commonwealth-State relations or law enforcement; involves certain business, commercial or financial information; or where material has been obtained in confidence, it may be appropriate to redact some information from the report or not to publish the report. 2.18 Where final reports of audits of ACT, Australian and Norfolk Island government agencies are published, they will be available on the OAICs website (www.oaic.gov.au). 2.19 Information Privacy Principle audit findings and recommendations that are considered relevant to good privacy practice across the public sector are also generally discussed in the OAIC’s annual report. 6 Part 3 — Description of auditee Overview 3.1 Customs and Border Protection is the primary border protection agency in Australia. It manages the security and integrity of Australia's borders, and works closely with other government and international agencies to detect and deter unlawful movement of goods and people across the border. 3.2 Other agencies Customs border protection works with include the Australian Federal Police (AFP), the Office of Transport Security (OTS), DIAC and the Attorney General's Department (AG Department). 3.3 As at 30 June 2012, Customs and Border Protection employed 5,671 people nationally in Australia and overseas. Its central office is located in Canberra. 3.4 Customs and Border Protection operates two major programs: Maritime, Corporate and Intelligence, and Border Management. A third corporate division (Strategy, Finance and Integrity) reports directly to the Chief Executive Officer. 3.5 Among other activities, it intercepts illegal drugs and firearms and targets high-risk aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection also has a fleet of ocean-going patrol vessels and contracts aerial surveillance providers for civil maritime surveillance and response. Passenger Name Record (PNR) Data 3.6 PNR data is information about airline passengers held by airlines on their computer reservation systems and/or departure control systems. 3.7 PNR data may include any of the following information: PNR locator code passenger name(s) passport number nationality details of travel companions frequent flyer information ticketing information: date of reservation/issue of ticket; itinerary and alterations made to booking contact information, including travel agent details 7 payments/billing travel status of passenger (including confirmations and check-in status) special request/service information all baggage information (number and weight of bags) seat allocation(s) all historical changes to the above PNR. 3.8 Some PNR data is automatically generated by the airline (eg itinerary detail), while other information is supplied by or on behalf of the passenger (eg contact details). Airlines or authorised travel agents may also add a range of further information, such as dietary or medical requirements, or special requests for assistance. 3.9 At the time of the audit, the OAIC was informed that a total of 39 airlines provided PNR data to Customs and Border Protection. 3.10 Of these, 13 airlines were identified as specifically providing EU-sourced PNR data. 3.11 Authorised Customs and Border Protection PAU officers receive up to five scheduled transmissions from specified airlines of both EU-sourced and non-EU sourced PNR data beginning at 72 hours before the scheduled departure of a flight to Australia. 3.12 Any updates to the PNR data are then provided at 24 hours, 2 hours and 1 hour respectively (if available). 3.13 A final full list of available PNR data is also received after the flight has departed for Australia. Legislative basis for collection and uses of PNR data 3.14 The collection of PNR data by Customs and Border Protection, for both EU and Non-EU sourced PNR data, is permitted under section 64AF of the Australian Customs Act 1901 (the Customs Act). 3.15 This provision specifies that if requested, all international passenger air service operators, flying to, from or through Australia, are required to provide Customs and Border Protection with PNR data to the extent that they are collected and contained in the air carrier's reservations and departure control systems, in a particular manner and form. 3.16 Access to all PNR data is only given to specifically authorised Customs Officers in accordance with section 64AF(5), with a person an ‘authorised officer’ only if: a. appointed as an officer of Customs (as set out in section 4 of the Customs Act) 8 b. authorised in writing by the CEO to exercise the powers to perform the functions of an authorised officer under section 64AF. 3.17 PNR data must only be accessed by authorised Customs and Border Protection officers for the purpose of performing their functions under the Customs Act or prescribed laws of the Commonwealth. 3.18 Functions of officers under section 64AF include conducting traveller assessments for border risks, conducting post-seizure analysis and servicing RFIs. 3.19 PNR data may also be accessed in support of relevant joint operations, task force or national Customs and Border Protection operations, detection analysis or investigation and search and seizure warrants. 3.20 The Customs Administration Act 1985, Migration Act 1958, Crimes Act 1914 (Cth), Privacy Act 1988 (Cth), Freedom of Information Act 1982 (Cth), Auditor-General Act 1997 (Cth), Ombudsman Act 1976 (Cth) and Public Service Act 1999 (Cth) all provide for data protection, rights of access and redress, rectification and annotation and remedies and sanctions for misuse of personal data, including PNR data. 3.21 Unauthorised purpose uses of any PNR data may result in offences under a number of Commonwealth laws dealing with unauthorised access, including the Customs Administration Act 1985, the Criminal Code 1995 (Cth), the Public Service Act 1999 (Cth) and the Privacy Act 1988 (Cth). The EU agreement 3.22 The EU agreement between Australia and the European Union in relation to the transfer and provision of EU-sourced PNR data to Customs and Border Protection was signed in Brussels on 29 September 2011, with effect from 1 June 2012. 3.23 The EU agreement sets out the terms of the transfer and use provisions of EU-sourced data to Customs and Border Protection. 3.24 Under the EU Agreement, Customs and Border Protection agrees to use PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of personal data. 3.25 The EU Agreement also sets out certain other circumstances when PNR data may be used or disclosed, such as: a. in the protection of vital interests of an individual, such as risk of death, serious injury or threat to health (Article 3(4)) b. where specifically required by Australian law, on a case by case basis, for the purpose of supervision and accountability of public administration and the facilitation of redress and sanctions for the misuse of data (Article 3(5)) 9 c. for the oversight and accountability functions undertaken by the OAIC (Article 10). 3.26 The EU Agreement also sets out a list of government authorities in Australia with whom Customs and Border Protection are authorised to share (or disclose) EUsourced PNR data with (Annex 2). These authorities are: Australian Crime Commission (ACC) Australian Federal Police (AFP) Australian Security Intelligence Organisation (ASIO) Commonwealth Director of Public Prosecutions (DPP) Department of Immigration and Citizenship (DIAC) OTS (within the Department of Infrastructure and Transport). 3.27 Additionally, Article 19 of the EU Agreement specifies how Customs and Border Protection may transfer EU-sourced PNR data to authorities from third countries (on a case by case basis). 3.28 Article 6 sets out the arrangements for EU-based Law Enforcement Authorities (LEAs) access to PNR data (or analytical information obtained from PNR data) provided to Customs and Border Protection under the EU Agreement. Description of the PAU 3.29 The PAU in Customs and Border Protection conducts pre-arrival risk assessments of passengers travelling to (or in transit through) Australia using both EU and non-EU sourced PNR data, along with other advanced passenger information. 3.30 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious transnational crimes, such as money laundering, drug importation, weapons trafficking and people smuggling/trafficking. 3.31 PAU officers use this information, together with a range of other information (for example immigration, intelligence and other law enforcement data), to screen passengers prior to arrival to Australia and assist in identifying those passengers that may pose a risk at the time of arrival. 3.32 The PAU also responds to requests for PNR data from other areas of Customs and Border Protection (internal RFIs) and from other Australian government agencies or specified third country authorities (external RFIs). 3.33 These internal and external RFIs for EU-sourced PNR data are the subject of this audit. 10 Structure 3.34 The Director, PAU leads three distinct sections: Assessment and Selection, Profile Management and Alerts Management. 3.35 The Assessment and Selection manager oversees four shift teams of five analysts (each with a team supervisor) and two further Supervisors. This team operates 24 hours a day, seven days a week. 3.36 The Profile Management team consists of a manager, supervisor and analyst, while the Alerts Management team consists of a manager, supervisor and five senior customs officers. 3.37 The auditors also spoke with Customs and Border Protection staff from Passenger Strategy and Policy Section, the Policy and Risk Team, the PAU (Passenger Targeting Branch) and key staff from the Advanced Analytics Section (Intelligence Strategies and Program Branch). 3.38 Additionally, the auditors spoke to an officer from the DIAC TSU around their access, use and disclosure (if any) of EU-sourced PNR data. 11 Part 4 — Audit issues The following findings and recommendations relate to the auditors consideration of Custom and Border Protection’s handling of both hard-copy and electronic EU-sourced PNR data, in response to either internal or external RFIs for this data. The IPPs are produced in full at Appendix A. IPP 10 issues — Uses of EU-sourced PNR data IPP 10 sets out how personal information collected for one purpose may be used for another (secondary) purpose, such as with the individual’s consent or for some health and safety or law enforcement reasons in certain circumstances. Specifically: IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply. IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use. The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of Customs and Border Protection’s use of EU-sourced PNR data: Article 3: Scope of application Article 8: Sensitive data Article 17: Logging and documentation of PNR data. Observation(s) Interpretation of ‘use’ by the OAIC 4.1 The auditors considered that, where Customs and Border Protection use of EUsourced PNR data is in response to an internal RFI from a Customs staff member, this constitutes a use of EU-sourced PNR data. 4.2 Article 3 of the EU Agreement terms explicitly states that Customs and Border Protection agree to process (ie use) PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime. These two uses form the primary purpose of the collection of the EU-sourced PNR data. 4.3 Three additional permitted uses are also set out in Article 3 of the EU agreement (see paragraph 3.25 above). Policies and procedures around the use of EU-sourced PNR data by Customs and Border Protection 4.4 The auditors noted throughout the interviews that Customs and Border Protection staff generally had a clear understanding of the obligation to use EU-sourced PNR data 12 only for internal RFIs in relation to terrorist offences or for serious transnational crime issues. 4.5 The OAIC reviewed three key policy and practice documents in relation to RFIs for EUsourced PNR data: ‘Passenger Name Record (PNR) data’ - (Practice statement) ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected (Instruction and Guidelines) ‘Responding to and recording of PAU Request for PNR Information (RFPI)’ – DRAFT - Protected – (Associated Document) 4.6 The Practice statement provides a high level overview of Customs and Border Protection’s collection, use and sharing of both EU and non EU-sourced PNR data. 4.7 The draft Instruction and Guidelines (Protected) provides greater detail for Customs and Border Protection officers in terms of the appropriate uses of PNR data (both EU and non EU-sourced). 4.8 Section 1.6.4 of the Instruction and Guidelines sets out appropriately the allowable uses of EU-sourced PNR data only for the purposes specified in Article 3 of the EU Agreement (see paragraphs 3.24 and 3.25 above). 4.9 Section 1.3 also specifies a range of actions that a PAU Officer should undertake on receipt of a RFI for PNR data (including EU-sourced PNR data). This section appropriately: outlines all RFIs should be received in writing (email) to the PAU Canberra Mailbox provides examples of the type of RFIs that Customs and Border Protection PAU officers may action specifies that the RFI must include the offence being considered and/or investigated, including the relevant Act and section outlines the response should only include the particular types of PNR data or elements requested, and only be provided within the purpose limitation under Article 3 of the EU Agreement outlines the common sources of RFIs including: i. Customs and Border Protection officers (including overseas Senior Australian Customs and Border Protection representative network) ii. officers of other Australian LEAs and intelligence agencies 13 iii. international LEAs with which Customs and Border Protection has a valid Cooperative Agreement in place (and received through relevant international counsellor or intelligence liaison officers). outlines reasons for not actioning a RFI, and the written advice that must be provided outlining why the decision has been made not to action an RFI (to be logged and recorded as if actioned). 4.10 At the time of the audit, the Associated Document was also a draft document. The auditors were provided with a copy, and noted that the document template set out a series of actions to be undertaken by Customs and Border Protection PAU staff in responding to written and verbal RFIs in general, and in relation to written and verbal responses to international counterpart agencies. 4.11 The auditors noted that there could be better consistency within the Instruction and Guideline, given it states PAU must review all RFIs in writing (page 6), and later (page 9, Section 1.5.4) specifies the steps to be taken in the limited circumstances in which an RFI may be received by telephone. 4.12 It is possible that this is an effect of the draft nature of these documents, and is raised here as an observation only for Customs and Border Protection’s consideration. 4.13 Subject to the above, the policies and procedures developed (or under development) by Customs and Border Protection appear likely (when finalised) to support PAU staff to use EU-sourced PNR data appropriately within the requirements of the Privacy Act. Observation of the processing of RFI requests 4.14 Auditors were advised that PAU staff usually receive RFIs that had been sent to a dedicated PAU EU-RFI email inbox. PAU staff may also receive RFIs over the telephone from calls to a dedicated PAU landline. 4.15 The auditors observed a senior PAU officer handling a real-time request for PNR data received via email. 4.16 The process for PAU staff dealing with RFIs received via email is set out in the Associated Document (Section 1.1). 4.17 Relevantly, the auditors observed the PAU staff: a) check and verify the source of the request (AFP in the observed instance) b) check the offence being considered and/or investigated and the legislative basis for PAU response to the PNR RFI c) check the airline operator to establish if EU-sourced PNR or non EU-sourced PNR RFI data had been requested d) review multiple PNR data entries for the Person Of Interest and consider the relevance of available EU-sourced PNR data to the request received 14 e) access relevant IT systems to extract appropriate EU-sourced PNR data f) draft an email response to the RFI, manually inputting relevant elements of the EUsourced PNR data g) add the standard EU disclosure caveat h) recheck the RFI request, the EU-sourced PNR information provided, the recipient and the legislative basis for actioning the request i) send the RFI response email (with a cc to the PAU EU-RFI mailbox as a record of the response, stored by month of actioned request). 4.18 In responding to an RFI received over the telephone, the auditors were advised that PAU staff: verify the internal Customs and Border Protection staff members Customs User ID against internal systems (phone or email systems) proceed as above for a written RFI, but verbally advising the requesting officer of the information sought (ie after 4.17 step ‘e’ above) confirming the verbal RFI request and PAU response in an email then sent to the requesting officer (with a cc to the PAU EU-RFI mailbox as a record of the response, stored by month of actioned request). 4.19 Customs and Border Protection advised the auditors that procedures and templates were in development to improve the consistency of PAU staff responses to both written and verbal RFIs. 4.20 The auditors noted that Section 1.5.4 of the ‘Instruction and Guideline’ document specifies the steps to be undertaken in responding to an RFI received by telephone, and Section 1.9 specifies, for urgent operational cases only, how a verbal RFI is to be logged and recorded. Customs and Border Protection was developing a more detailed checklist in the ‘Associated Document’. 4.21 Customs and Border Protection also advised that, at the time of the audit, there was no specific Standard Operating Procedure (SOP) document which covered verbal RFI responses. However, the draft Associated Document (a procedural/technical level document below an Instruction and Guideline) sets out the procedures for PAU staff to follow on receipt of a verbal RFI. 4.22 Discussion with PAU staff showed a high level of awareness of when RFIs are to be refused, with examples being given of State LEAs seeking information for nonCommonwealth offences which had been declined. 4.23 The auditors were advised that, where the RFI did not clearly specify what EU-sourced PNR information was required, PAU staff have the discretion to determine what information (if any) from the EU-sourced PNR record would be provided in response. 15 4.24 Staff were able to articulate that only the minimum EU-sourced PNR data relevant to the request should be provided (consistent with Article 18(1)(d) requirements of the EU Agreement). 4.25 The auditors also noted that statistics of shift records are recorded every day. These statistics record the number of RFIs responded to by the PAU Officers. No personal information from EU-sourced PNR data is included in these statistics. Inspection of RFI records over specified periods 4.26 Customs and Border Protection provided the auditors with hard copies of all RFI responses for each of the below specified weeks. 4.27 These records included both EU and non-EU sourced RFIs received in each week, received in either written or verbal format. 4.28 The auditors undertook an inspection of a total of 61 completed EU-sourced PNR RFIs during the three randomly selected specified one week periods, as follows: 20 records (21%) from 97 RFIs in the specified week (24-28 September 2012) 25 records (24%) from 104 RFIs from 6 months previous (26-30 March 2012) 16 records (22%) from 74 RFIs from 12 months previous (26-30 September 2011). 4.29 In summary, and across the three specified weeks: the 61 EU-sourced PNR RFIs accounted for 22% of a total of 275 PNR RFIs received the majority (59%) of the EU-sourced PNR RFIs received across the three week periods were internal RFIs from Customs and Border Protection staff almost all of the EU-sourced PNR RFIs were written (received via email), rather than by telephone four EU-sourced PNR RFIs across the three week period did not clearly specify the grounds for the enquiry. While two of these RFIs had been refused on these grounds, two appeared to have been actioned the most recent specified week had the least number of issues identified, while records from the period 12 months prior to the specified week had the most number of issues identified. 4.30 Specifically, the auditors noted the following with regard to the EU-sourced PNR RFIs received in each of the three week periods inspected: Specified period (24-28 September 2012) – of the 20 records inspected: 16 i. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received during the week) ii. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies iii. a further two RFIs (10%) did not clearly show whether the source of the request was internal or external. The response to each of the two RFIs, if any, was also not recorded. This observation is also noted at Paragraph 4.73 (iii) (see ‘Specified Period’ dot point) iv. all but two internal RFIs specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement v. of the two that did not clearly specify the purpose: one had been refused on these grounds one appeared to have been actioned vi. The appropriate EU caveat had been applied to all internal RFI responses. Six months previous to specified week (26-30 March 2012) – of the 25 records inspected: i. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received during the week) ii. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies iii. one internal RFI did not have any record of the response provided, if any iv. in two instances, PAU officers had appropriately sought further information prior to actioning the internal RFI v. all but one internal RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement vi. for the record that did not clearly specify the purpose, the internal RFI was refused on these grounds vii. the appropriate EU caveat had been applied to all internal RFIs. 12 months previous to specified week (26-30 September 2011) – of the 16 records inspected: 17 i. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received during the week) ii. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) from other Australian government agencies) iii. two RFIs (12.5%) did not clearly show whether the source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded. This observation is also noted at Paragraph 4.73 (iii) on (see ‘12 month previous’ dot point) iv. one internal RFI did not specify clearly the grounds under which the RFI had been requested, but appeared to have been actioned v. in another instance, a PAU officer had appropriately sought further information prior to actioning the internal RFI vi. The appropriate EU caveat had not been applied to three of the ten internal RFIs. The non-EU caveat had been applied in two records, while no caveat appeared to be attached to one record. 4.31 Overall, the inspection of records identified an improvement in the completeness of EU-sourced PNR RFI records over the previous year up to the specified week. 4.32 The inspection also showed, however, that in each period at least one EU-sourced PNR record appeared to have been actioned without a clear reason provided for the request. It was not clear whether staff had responded to the RFI without a reason being provided, or whether the reason had not been clearly recorded. Logging and documentation of RFI responses 4.33 Article 17 of the EU Agreement (in part) requires Customs and Border Control to: log all processing, access, consulting or transfer of EU-sourced PNR data include where the RFI has been denied. 4.34 Customs and Border Protection advised that all EU-sourced PNR RFIs are received in a dedicated PAU EU-RFI mailbox, located within the standard departmental email system. 4.35 All responses to EU-sourced PNR RFIs (including where an RFI has been refused) are also stored in a dedicated PAU EU-RFI mailbox (ie held separately from other PNR data). 4.36 The Associated Document specifies that all responses (and the original RFI) are to be: logged in a PAU RFI Register hard copy printed and placed on a PAU RFI RIM file 18 recorded on a PAU statistics sheet. 4.37 It was unclear at the time of the audit whether these instructions were in force. 4.38 Logging of RFIs received by telephone occurs after the RFI had been responded to verbally, through a confirmation email sent by the responding PAU officer to the requesting party. 4.39 The inspection of records relevantly showed: instances where the RFI had been declined had been recorded, including the reasons why the request was declined one or two instances in each week where a hard copy record of the RFI had been logged, while the response (if any) was not specified. 4.40 Customs and Border Protection staff indicated to the auditors that retrieval and/or search of these email records, where a specific RFI response needed to be located, was currently quite difficult. 4.41 Customs and Border Protection also indicated that the storage of RFI requests and responses on the email system was problematic, and in the longer term there was a need to review how best to store electronic (and hard copy) records of the RFIs and the responses provided, if any. 4.42 The auditors requested a copy of the system audit log of the written EU-sourced PNR RFI that had been observed. Customs and Border Protection was able to provide an SQL query log for the RFI, based on the responding Customs Staff User Id, showing: Person Of Interest name search EU-sourced PNR flight list request from inbound flight manifest EU-sourced PNR detail reviewed (further detail was available from the database, on request). Sensitive data — Limitations on use 4.43 Article 8 of the EU Agreement covers the prohibition of Customs and Border Protection from processing sensitive EU-sourced PNR data. Sensitive data includes information on: racial or ethnic origin political opinions religious or philosophical beliefs trade union membership health or sex life information 4.44 The IPPs do not currently or specifically deal with the collection or use of sensitive personal information. However, the incoming Australian Privacy Principle 3 (in effect 19 from 12 March 2014) will place new obligations on Customs and Border Protection in terms of its collection of sensitive personal information. 4.45 While the PAU handling of sensitive personal information is not therefore covered by the IPPs, the following observations are noted for Customs and Border Protection consideration in terms of the EU Agreement requirements, and the introduction of the APPs on 12 March 2014. 4.46 Customs and Border Protection staff advised the OAIC that EU-sourced PNR data collected by the airline operators is not standardised, and EU-sourced PNR data collected by different airline operators is variable in terms of the provided data fields, structures and formats. 4.47 To assist with the collection of a minimum level of core EU-sourced PNR data, Customs and Border Protection requests access to a pre-determined set of EU-sourced PNR data fields from relevant airline operators (as specified in Attachment A of the ‘Instruction and Guideline’ document). 4.48 Customs and Border Protection staff were aware of the obligation under Article 8 of the EU agreement to destroy any sensitive data contained in EU-sourced PNR data. 4.49 Customs and Border Protection advised that (at present) there was very little sensitive information contained in EU-sourced PNR data received. 4.50 If an EU-sourced PNR record contained sensitive data, this would likely occur in the free text or general remarks associated with PNR data (ie Other Supplementary Information (OSI), Special Service Information (SSI) or Special Service Request (SSR) detail). 4.51 Customs and Border Protection advise that it is currently very difficult to automatically censor or delete free text or general remark information prior to the entry of the EUsourced PNR record into the database. This reflects an IT systems limitation, in that the location of the data (if included) is within non-standardised and free text fields. 4.52 Customs and Border Protection advised that they have not, and do not intend to, use any EU-sourced PNR data (including sensitive information, if included) to conduct any form of racial profiling. 4.53 At present, the PAU addresses the issue of sensitive information on a case by case basis. Sensitive information is not utilised in any processing of EU PNR data and where possible the information is deleted i) prior to entry of the EU- sourced PNR data to the IAT or ii) upon ad-hoc identification by PAU staff in response to an RFI. 4.54 However, there appeared to be some lack of awareness in discussions with PAU staff of what constitutes ‘sensitive data’ under the EU agreement. 4.55 A higher level of awareness of what constitutes ‘sensitive data’ from PAU staff would enable this information to be better identified and removed, if the data did find its way into the IAT. Further, PAU staff also need to be aware that this information 20 cannot be disclosed in response to an RFI, and take appropriate steps to notify the relevant IT area to have the sensitive data removed from the EU-sourced PNR record, to ensure obligations under the EU Agreement are met. Privacy issues 4.56 A range of risks have been identified in terms of Customs and Border Protection’s use of data, under both the Privacy Act and more specifically the EU Agreement. These issues are outlined below for Customs and Border Protection’s consideration. 4.57 At the time of the audit, the ‘Instruction and Guideline’ and ‘Associated Document’ were in draft form. There is a risk that a lack of finalised policies and procedures to support PAU staff in applying the allowable uses of PNR data (including EU-sourced PNR data) may lead to a breach of Customs and Border Protection obligations under either the Privacy Act or the terms of the EU Agreement. 4.58 There is a risk that, where the records of RFIs received and PAU response (if any) are not complete or accurate, especially around the grounds provided for the RFI, Customs and Border Protection: may be in breach of its obligations under IPP 7 (accuracy, completeness etc); may not know whether personal information has been used and disclosed in accordance with IPP 10 and 11; or may not be complying with the terms of the EU Agreement with regard to its use of this data. 4.59 A lack of awareness of the types of data that are considered ‘sensitive’ under the EU agreement (and after 12 March 2014, in the new Australian Privacy Principles) increases the risk that PAU staff may use this data in providing an RFI response, rather than deleting the data as required under the EU agreement. Recommendation 1 — Finalise policy and procedure documents 4.60 The auditors recommend that Customs and Border Protection finalise the ‘Instructions and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data. The auditors note that the draft documents contain specific instructions in relation to EU-sourced PNR data requirements, such as the Australian government agencies that this data may be shared with, the need to clearly record the reasons for the RFI and response (if any) and sensitive data destruction requirements. IPP 11 issues — Disclosures of EU-sourced PNR data IPP 11 sets out when an agency may disclose personal information to someone else, for example another agency. This can only be done in special circumstances, such as with the individual’s consent or for some health and safety or law enforcement reasons. Specifically: IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply. 21 IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure. IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them. The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of Customs and Border Protection’s disclosure of EU-sourced PNR data: Article 18: Sharing PNR data with other government authorities of Australia Article 19: Transfers to authorities of third countries Article 6: Police and Judicial cooperation. Interpretation of ‘disclosure’ by the OAIC 4.61 The OAIC considers that, where Customs and Border Protection responds to a RFI from an external Australian government authority, third country authority or the police or judicial authorities of a Member State of the EU, Europol or Eurojust, this constitutes a disclosure of EU-sourced PNR data. Policies and procedures around the disclosure of EU-sourced PNR data by Customs and Border Protection 4.62 The OAIC noted throughout the interviews that Customs and Border Protection staff generally had a clear understanding of the obligation to disclose EU-sourced PNR data for external RFIs only in relation to offences relating to terrorism or serious transnational criminal activities. 4.63 The disclosure aspects of the three key policy and practice documents in relation to RFIs for EU-sourced PNR data showed: ‘Passenger Name Record data’ - (Practice statement) i. Paragraph 12 contains a specific reference to the addition of the appropriate PNR caveat where PNR data is disclosed to another agency. ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected (Instruction and Guidelines): i. Section 1.4 outlines circumstances in which RFIs may be received from other Australian government agencies. ii. Section 1.6.5-6 sets out allowable disclosures to Commonwealth agencies and Third Country Authorities. iii. Section 1.6.10-13 describes the need to apply appropriate caveats to disclosed PNR data. 22 iv. Section 1.6.14 describes the requirement to log all RFIs and responses (if any) on an appropriate RIMS file. ‘Responding to and recording of PAU Request for PNR Information’ – DRAFT Protected – (Associated Document) i. Section 3 Appendix 1 specifies a list of six airlines that provide EUsourced PNR data, explicitly identifies the six Australian government agencies that this data may be disclosed to (in addition to Customs and Border Protection) and warns against any identified bulk disclosure of EU-sourced PNR data. ii. The section also sets out that sensitive EU-sourced PNR data (if included in the record) is to be deleted before further processing. iii. Section 6 Appendix 4 provides the EU and non-EU PNR disclosure caveats to be attached to any RFI response. iv. Section 7 Appendix 5 provides written and verbal response templates, including for non-compliant (or ‘no data available’) RFI responses. 4.64 The Instructions and Guidelines (Section 1.4) indicate that RFIs may be received directly to the PAU (rather than through out posted Customs and Border Protection Liaison Officers) from four Australian government agencies, as follows: AG Department via the Australian Security Network (ASNET), a dedicated secure communications network for the exchange of information classified in relation to national security. Due to sensitivity of AG Department’s operations, the specific nature of the risk which prompts the RFI does not need to be identified the Trans-National Sexual Exploitation Targeting Team (TSETT), received from the AFP the OTS for issues of ‘Operational Urgency’, where the RFI is time critical. 4.65 The policies and procedures developed (or under development) by Customs and Border Protection appear likely (when finalised) to support PAU staff to disclose PNR data, including EU-sourced PNR data, appropriately within both the Australian legislative frameworks and the terms of the EU Agreement. Disclosures of EU-sourced PNR information to other Australian government Authorities 4.66 Under Article 18 of the EU Agreement, Customs and Border control are authorised to share EU-sourced PNR data on a case by case basis with the following government authorities of Australia: Australian Crime Commission 23 Australian Federal Police Australian Security Intelligence Organisation Commonwealth Director of Public Prosecutions Department of Immigration and Citizenship Office of Transport Security (within the Department of Infrastructure and Transport). 4.67 Discussions with PAU staff showed a high level of awareness of when RFIs are to be refused, with examples being given of external State-based LEAs seeking RFI for nonCommonwealth offences, which had been declined. 4.68 Three major agencies were commonly identified as agencies to which EU-sourced PNR data could be shared (AFP, ASIO and ACC), likely reflecting the higher frequency of RFIs received from these agencies. 4.69 However, staff awareness of the other Australian government agencies that EUsourced PNR data could be shared with (ie the OTS and DPP) appeared less clear, with these agencies not generally referenced during interviews. 4.70 External RFIs from DIAC appear to be received only on occasion from the TSU, which is co-located with the PAU and supports the DIAC Airline Liaison Officer (ALO) network, based at airports across the world. 4.71 The TSU advised auditors that DIAC RFIs of the PAU were made relatively infrequently, due to a range of reasons including: DIAC preference for non-EU sourced ‘pull’ data over the ‘push’ data held by the PAU access the DIAC ALOs located in each airport will often already have to relevant passenger information (ie Advanced Passenger Information received directly from the relevant airline). 4.72 Customs and Border Protection advised that TSU staff have appropriate authorisations under section 64AF(5) of the Customs Act to access PNR data, as required. Inspection of RFI records over specified periods 4.73 In terms of the inspection of EU-sourced PNR RFIs from the three randomly selected one week periods, the auditors noted the following: Specified period (24-28 September 2012) – of the 20 records inspected: i. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) 24 ii. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received during the week) iii. as noted previously under the ‘Specified Period’ dot point at Paragraph 4.30 (iii), two RFIs (10%) did not clearly show whether the source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded iv. there were no third country authority requests in the period v. of the external RFIs, all specified clearly the grounds under which the RFI had been requested, and were legitimate purposes under the EU Agreement vi. the appropriate EU caveat had been applied to all external RFI responses. Six months previous to specified week (26-30 March 2012) – of the 25 records inspected: i. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received during the week ii. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received during the week) iii. there were no third country authority requests in the period iv. all but one external RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement v. the record that did not clearly specify the purpose for the external RFI appeared to have been actioned by Customs and Border Protection vi. the appropriate EU caveat had been applied to all but one of the external RFI responses. The one exception applied the non-EU caveat. 12 months previous to specified week (26-30 September 2011) – of the 16 records inspected: i. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received during the week) ii. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received during the week) iii. as noted previously under the ‘12 month previous’ period dot point at Paragraph 4.30 (iii), two RFIs (12.5%) did not clearly show whether the 25 source of the request was internal or external. The response to each of these RFIs, if any, was also not recorded iv. there were no third country authority requests in the period v. all but one external RFI specified clearly the grounds under which the RFI had been requested, which were legitimate purposes under the EU Agreement vi. the record that did not clearly specify the purpose for the external RFI appeared to have been actioned by Customs and Border Protection vii. the appropriate EU caveat had been applied to all but one of the external RFIs. The one exception applied the non-EU caveat. 4.74 Overall, the inspection of records identified an improvement in the completeness of EU-sourced PNR records over the previous year up to the specified week. 4.75 In summary, the inspection showed that: one EU-sourced PNR record in both the six and 12 month period prior to the specified week appeared to have been actioned without a clear reason provided for the request. It was not clear whether the RFI had been responded to without a reason being provided, or whether the reason had not been clearly recorded on the record inspected one EU-sourced PNR record in both the six and 12 month period prior to the specified week had been sent with the incorrect PNR caveat attached (ie the non-EU PNR caveat had been attached). Disclosure of EU-sourced PNR information to authorities of third countries 4.76 Under Article 19 of the EU Agreement, Customs and Border control are authorised to transfer PNR data on a case by case basis to specific third country authorities, whose functions are directly related to preventing, detecting, investigating and prosecuting terrorist offences or serious transnational crime. 4.77 Article 19 also requires Customs and Border Protection to: ensure third country authorities afford appropriate safeguards assess third country authority functions are directly related to terror or transnational crime purposes obtain agreement to only retain data until investigation or prosecution is concluded obtain agreement not to further transfer EU-sourced PNR data inform passenger (where appropriate) of the transfer 26 ensure safe transfer of analytical information. 4.78 Customs and Border Protection advised the auditors that six individual third country authorities have been identified (from four specific countries with equivalent data protection guidelines as Australia) as authorities that RFI responses may be provided to without specific authorisation from the Director, PAU. 4.79 These countries (known as the Border 5 (B5) Countries) and the individual agencies are detailed in Section 6, Attachment C of the ‘Instruction and Guideline’ document. 4.80 All RFIs received from any other third country authority requires authorisation from the Director, PAU, prior to any response being provided. 4.81 There were no third country authority requests in the any of the three week periods inspected, from either B5 or other third country authorities. 4.82 Customs and Border Protection also advised that no requests for EU-sourced PNR data have been received under Article 6 of the EU Agreement (Police and Judicial Cooperation). Addition of the disclosure permission caveat with EU-sourced PNR RFIs 4.83 Under IPP 11.3, any agency or authority that Customs and Border Protection discloses personal information to must not further use or disclose the information for purposes other than the purpose for which Customs and Border Protection disclosed the information. The Plain English Guidelines to Information Privacy Principles 8 – 11 (the IPP Guidelines) state at page 54 that a ‘disclosing agency should take all reasonable steps to prevent the personal information being re-used or re-disclosed for purposes other than that for which the agency discloses it.’ 4.84 The IPP Guidelines suggest a number of steps an agency might take including ‘informing the receiving organisation that their use or disclosure of their personal information is governed by IPP 11.3.’ 4.85 Customs and Border Protection’s Instructions and Guidelines document states that where PNR data is authorised for disclosure to another agency, a caveat is to be included on the disclosure to ensure the recipient is fully informed of their obligations in relation to its subsequent use, storage or further disclosure, consistent with IPP 11.3 obligations. 4.86 Customs and Border Protection staff also demonstrated a high level of awareness of the need for all disclosures of PNR data (both EU and non EU-sourced) to include the appropriate caveat with RFI responses. 4.87 The auditors obtained copies of the existing EU and non-EU Disclosure caveats setting out PAU permissions regarding further use/ disclosure of the RFI response, and make the following comments: EU-sourced PNR caveat 27 i. The caveat clearly states that EU-sourced PNR data cannot be further disclosed without the prior written permission of the PAU. ii. The EU-sourced PNR content, the EU Agreement and data retention and destruction/ security and storage obligations are clearly specified. iii. All permitted purpose uses of the EU-sourced PNR data have been clearly stated. iv. The caveat refers to the June 2008 EU Agreement, rather than the updated and in-force June 2012 Agreement v. The Australian legislative requirements of the Customs Act and Privacy Act are also specified. vi. The caveat does not specifically state that the personal information is governed by IPP 11.3. Non-EU sourced caveat i. The caveat clearly states that PNR data cannot be further disclosed without the prior written permission of the PAU. ii. The Australian legislative requirements of the Customs Act and Privacy Act are also clearly specified. iii. The caveat does not specifically state that the personal information is governed by IPP 11.3. Privacy issues 4.88 The audit identified minor risks in terms of Customs and Border Protection’s disclosures of this data under the EU Agreement. These issues are outlined below for Customs and Border Protection’s consideration. 4.89 During interviews, PAU staff did not generally refer to two of the six Australian government agencies that EU-sourced PNR data may be shared with (as set out in Annex 2 of the EU agreement). It was not clear whether this was due to a lack of awareness of these agencies, or whether they were not identified as they were not common sources of RFIs. 4.90 There is a risk that EU-sourced PNR data may not be shared with all of the Australian government agencies authorised to receive this data under the EU agreement, if there is a lack of awareness across PAU staff of all agencies identified in Annex 2 of the EU Agreement. The auditors noted that there was no evidence to suggest that this had occurred during the audit interviews, or the inspection of records. 4.91 While two disclosures identified during the record inspection had been sent with the inappropriate caveat attached, the non-EU PNR caveat informs the recipient that the personal information must be used in accordance with the Privacy Act. 28 4.92 Customs and Border Protection could provide an addition to its caveats that, although not a requirement of IPP 11, is cited as a possible step in the IPP Guidelines. Both the EU-sourced caveat and non EU-sourced caveat could specifically state that the receiving agency’s use or disclosure of its personal information is governed by IPP 11.3 and explain that 11.3 does not allow a further use or disclose of personal information for purposes other than the purpose for which the information was disclosed. Such a further disclosure by the agency cannot occur even with the consent of Customs and Border Protection. Recommendation 2 — Reference to IPP 11.3 in caveats to receiving agency 4.93 The auditors recommend that Customs and Border Protection re-word the EU-sourced caveat and non EU-sourced caveat to specifically state that IPP 11.3 governs the receiving agency’s use or disclosure of its personal information. 29 IPP 4 issues — Storage and security of EU-sourced PNR data IPP 4 sets out how personal information held by an agency must be stored securely to prevent its loss, misuse, modification or disclosure. Specifically: IPP 4(a) A record-keeper who has possession or control of a record that contains personal information shall ensure the record is reasonably protected against loss, against unauthorised access, use, modification or disclosure, and against other misuse. IPP 4(b) If it is necessary for the record to be given to a person in connection with the provision of a service to the agency, everything reasonably within the agency's power should be done to prevent unauthorised use or disclosure of the information contained in the record. The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of Customs and Border Protection’s storage and security of EU-sourced PNR data: Article 9: Data security and integrity Article 7: Data protection and non-discrimination Article 16: Retention of data. Observations The EU Agreement 4.94 The auditors noted Article 9 of the EU Agreement specifies in part that Customs and Border Protection must: hold data in secure physical environment and maintain high level systems and physical intrusion controls (Article 9.1(a)) store PNR data separately from any other data (Article 9.1(b)) control access by security access systems (eg layered logins) (Article 9.1(c)) maintain an audit log (Article 9.1(d)) transfer data securely (Article 9.1(e)) ensure fault detection, malfunctioning and disaster recovery mechanisms are in place (Article 9.1(f-h)) impose effective and dissuasive sanctions against any data security breach (Article 9.2). 4.95 Article 16 of the EU Agreement specifies that Customs must store PNR data: from initial receipt to three years, in an identified form from three years to the end of a five and a half year period, in a de-identified form (ie de-personalised PNR data). 30 Physical access security issues 4.96 The auditors observed that PAU Officers are located within a secured area within Customs House in Canberra. The auditors noted that access to both the general building and the PAU area is heavily restricted by high level physical intrusion controls. 4.97 Access to the building and PAU areas are through layered physical and electronic security measures. Authorised individuals can only access each area through the use of issued electronic access cards. 4.98 Visitors to both the general building and the PAU itself are required to be escorted by a Customs Officer. Visitor access to the general building requires completion of a visitors' log. Customs Officer escort visitors and issue a photographic temporary visitors pass, valid for the day of entry only. 4.99 Secondary access to the PAU requires completion of a separate PAU Visitors log, recording visitor name and organisation, entry and exit times and Customs Officer escort. 4.100 The auditors were advised that Customs and Border Protection routinely audits swipe card access. 4.101 On separation from the PAU, Customs and Border Protection has developed a checklist (‘Separation from PAU’ checklist) to ensure that all access to IT systems, mailboxes, physical areas and secure communication channels have been appropriately revoked. 4.102 Further miscellaneous security returns are also undertaken, including but not limited to returns of issued uniforms and badges, Customs and/or ASIC identification card and a ‘Complete PAU staff log’ is entered. Storage of EU-sourced PNR data 4.103 The auditors discussed the existing IT Systems PNR Control Framework with Customs and Border Protection staff from the Advanced Analytics Section (ie the ‘Enhanced Passenger Assessment & Clearance Program’ (EPAC)). 4.104 Customs and Border Protection advised of the work underway on the second phase of the PNR quality control framework, currently under development and expected to be rolled out in mid-2013 (EPAC 2). 4.105 Customs and Border Protection advised that PNR data is stored as a separately partitioned database within the broader Enterprise Data Warehouse (EDW). Within the EDW, PNR data is accessed through the IAT module. 4.106 In terms of RFIs and their response, Customs and Border Protection advised that (with the exception of RFIs from AG Department received and responded to via ASNET, or telephone RFIs), all RFIs and responses are currently stored in a separate inbox on the PAUs electronic email system. 31 4.107 Hard copy records are generally only made and maintained where an offence has been committed. 4.108 Customs and Border Protection indicated that storage of EU-sourced PNR data in a separate inbox on the PAUs electronic email system had been a short term storage solution. 4.109 Proposals are being considered within Customs and Border Protection in relation to a more appropriate longer term storage option for these records, to assist with the identification, de-personalisation (after three years from initial receipt) and destruction (after five and half years from initial receipt) of these records. 4.110 In discussing the storage of PNR data generally, Customs and Border Protection advised that it had become aware that a small amount of PNR data had been identified on one other Customs and Border Protection IT system (ie on files in the National Intelligence System (NIS)). 4.111 At the time of the audit, and in the absence of any specific examples provided by Customs and Border Protection, it was not clear whether the data involved was EUsourced PNR data or non-EU PNR sourced data. 4.112 Customs and Border Protection advised that, under current policy, this information should not form part of NIS records, as NIS (although a PROTECTED system) is accessible to a number of Customs and Border Protection staff beyond the PAU. 4.113 While aware of this issue, Customs and Border Protection advised that they are yet to develop a longer term fix or solution to this issue. As an interim measure, Customs and Border Protection advised PAU staff that there is to be no ‘cut and paste’ of information from the PNR record to other IT systems. 4.114 Customs and Border Protection also advised that the NIS remains within the secured IT system environment. As PNR data may form one part of the general intelligence for an individual, the difficulties in determining when PNR data (or information based on PNR data) could be included in more general intelligence systems, and, if so, in what format, were also discussed by Customs and Border Protection. IT Security Access controls 4.115 The ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002) EPAC2, Version 0.6 (15 August 2012)’ document was provided for the auditors information. 4.116 Table 2.3 ‘Control Summary’ of the EPAC2 control framework document outlines the layered access, monitoring and transactional logging controls at each key point of PNR information flow (ie initial capture/ collection, use, storage and disclosure). 4.117 Access to PNR data (including EU-sourced PNR data) is only available to ‘privileged’ IAT users, rather than all staff who have access to the IAT. Customs and Border Protection also provided the ‘Application for IAT PNR Push Access’ form to be completed by staff to access PNR data through IAT. 32 4.118 This form allows PNR system access (or removal of access), and includes managerial authorisations, user detail, IAT training status, reasons for access and the user to agree to a detailed user declaration (which includes sanctions for misuse). 4.119 Overall, Customs and Border Protection advised that access to EU-sourced PNR data requires the following layered approvals: access to the departmental Local Area Network (LAN) Section 64(AF) approval after completing appropriate online training specific to the EU Agreement and Privacy Act obligations ‘IAT PNR Push’ access (requiring approval from the Director, PAU). 4.120 Removal of IT access to PNR data is undertaken through the ‘Separation from PAU’ document discussed previously. Audit logs 4.121 The auditors were advised that audit logging of all PNR transactions occurs routinely. 4.122 While audit logs appear to be captured for each transaction, Customs and Border Protection advised that these logs are difficult to proactively use to identify areas of inappropriate access. Logs are usually only accessed in response to any incidents, on an ad-hoc and reactive basis. 4.123 As outlined in paragraph 4.42 above, the auditors requested a copy of the audit log for the RFI observed within the PAU. The audit log provided for the RFI showed: Person of Interest name search EU-sourced PNR flight list request from inbound flight manifest EU-sourced PNR detail review (further detail was available from the database, on request). Security of transfer of EU-sourced PNR data 4.124 The majority of RFIs are received electronically (soft copy), via a joint PAU RFI mailbox, accessible across the PAU. 4.125 Responses to both written and telephone EU-sourced RFIs are also provided by email, with a carbon copy being stored in the separate mailbox folder PAU EU-RFI response. 4.126 The auditors noted that the email requests are protected through Fedlink. Emails from external agencies are classified as ‘in confidence’. 4.127 Internal email RFIs and responses to Customs and Border Protection officers should have a classification of ‘protected’, and transfer occurs through the secure Customs and Border Protection IT system and servers. 33 4.128 During the inspection of records, the auditors noted: all 15 EU-sourced PNR RFI responses in the specified week of 24-28 September 2012 were classified ‘Protected‘ 20 of the 23 EU-sourced PNR RFIs responded to (87%) from six months previous to the specified week (26-30 March 2012) were classified ‘protected‘. Three external RFIs were ‘unclassified’ 13 of the 15 EU-sourced PNR RFIs (87%) responded to from 12 months previous to the specified week (26-30 September 2011) were classified ‘protected‘. One internal RFI was classified ‘in-confidence’, while one external RFI was unclassified. 4.129 Sections 4.18 to 4.21 of this report referred to the procedures used by Customs and Border Protection to respond to verbal RFIs received over the telephone. 4.130 Customs and Border Protection advised that, for external telephone RFIs, PAU staff ask the requesting officers to put in a formal written request to the PAU. However, for reasons of operational urgency, the requesting officers ask the information be provided verbally. The outcome is that many external EU-sourced PNR RFI responses are provided verbally (with an email confirmation) in the first instance. 4.131 The auditors note that how PAU staff appropriately verify the identity of the requesting officer, for both internal and external telephone RFIs, is a critical component of ensuring EU-sourced PNR data is secured, used and disclosed correctly. 4.132 The draft ‘Associated Document’ contains a process checklist for verifying the identity of internal and external RFIs received over the telephone: Internal requesting officers are asked to provide their Customs User Identity, which is then checked against appropriate Customs and Border Protection internal systems (eg phone lists and email systems) to verify their identity. External requesting officers are asked to provide a contact number, which the PAU staff then call back to verify their identity. 4.133 The process used to verify the identity of a telephone requesting officer (both internal and external) appear to be applied at the discretion of individual officers, and based (in part) on their personal experience of the individual requesting officer and (for an internal RFI) on their ability to verify a Customs Officer Identification number. 4.134 It is not clear what further identity verification checks, if any, are undertaken prior to the verbal release of EU-sourced PNR data and follow-up (confirmatory) email. Fault detection and disaster recovery mechanisms 4.135 Customs and Border Protection advised that backups of all PNR data are maintained on a separate tape, undertaken on a daily basis and stored securely. 34 4.136 Both the existing IT Systems PNR Control Framework (EPAC) and the proposed EPAC2 development contain summaries of the control procedures around maintaining the integrity of EU-sourced PNR data, which includes: scheduling and monitoring of EU-sourced PNR data PNR System monitoring PNR System security processes data correction/ fault detections backup and recovery disaster recovery processes. Data Breaches and sanctions 4.137 The Director, PAU advised that, as at the time of the audit, there had been no data breaches or incidents associated with EU-sourced PNR data. 4.138 The auditors noted that Customs Identification badges contained reference information/instructions on how to respond to any incidents (including a data breach), by contacting the Customs Incident Reporting Centre. 4.139 The Director, PAU advised of the process involved in reporting a data breach, if one occurred. These steps included internal Customs and Border Protection referral, and notification to both the EU and the OAIC. 4.140 Applicable sanctions under the Customs Act and the APS Code of Conduct were also discussed. 4.141 The auditors noted that the Practice Statement, Instructions and Guideline (Draft) and Associated Document (Draft) all contained information (to varying degrees) on a range of sanctions possible under the Customs Act, the Crimes Act and the Privacy Act for any officers who misused EU-sourced PNR data. Data retention issues 4.142 Article 16 of the EU Agreement specifies that Customs must hold identified EU PNR data for three years from the time of receipt, after which it is to be de-personalised and retained for a further two and a half years before destruction. 4.143 There is no specific obligation under the IPPs contained in the Privacy Act in relation to the period for which data must be retained before deletion. 4.144 As identified previously, the current storage of both RFIs and responses in the PAUs electronic email system will likely pose a difficulty in efficiently de-personalising EUsourced PNR records after three years from their initial receipt, and then destroying these records after five and a half years from initial receipt, as required under the EU Agreement. 35 4.145 Customs and Border Protection advised that proposals are currently being considered to address this issue, while also noting that the requirement to de-personalise EUsourced PNR data provided will first come into effect from 1 June 2015 (ie for EUsourced PNR records received from 1 June 2012 onwards). Privacy issues 4.146 The electronic storage of EU-sourced RFIs and responses within designated and discrete email folders on the departmental email system raises a number of issues in relation to the access and search-ability of these records, the ability of Customs and Border Protection to meet data retention requirements under the EU Agreement and, more generally, whether this is the most appropriate form of storage for this data. 4.147 The inclusion of identifiable components of EU-sourced PNR data (through cutting and pasting of this material into NIS system files) increases the risk that this information may be accessed, used or disclosed for purposes other than that for which it has been collected by Customs and Border Protection. 4.148 Difficulty in being able to access and locate audit logs for specific transactions involving EU-sourced PNR data increases the risk that audit logs may not provide a proactive deterrent to inappropriate data use, or an effective monitoring mechanism. 4.149 There is a risk that the current identity verification procedures for PAU staff to accurately verify the identity of either internal or external individuals requesting EUPNR data may not be sufficient to prevent a targeted or more sophisticated criminal attempt to inappropriately access this data. This increases the risk of an unauthorised disclosure of this data to individuals not authorised to receive this data, particularly for external RFIs. Recommendation 3 — Electronic Storage arrangements 4.150 The auditors recommend that Customs and Border Protection reviews the electronic storage arrangements for RFIs relating to EU-sourced PNR data, to ensure that appropriate security safeguards are in place to protect this information from loss, misuse, modification or disclosure. Recommendation 4 — Security of EU-sourced PNR data 4.151 The auditors recommend that Customs and Border Control undertakes an audit of other relevant IT systems (such as NIS) to identify whether identifiable EU-sourced PNR data has been included in other system records, and (if so) takes whatever steps are reasonable to ensure this data is protected from unauthorised access , use, modification, disclosure or other misuse. Recommendation 5 — Audit logs 4.152 The auditors recommend that Customs and Border Protection reviews the manner in which its audit logs for EU-sourced PNR data RFI records are currently captured and used, with a view towards improving their use as a more proactive and effective monitoring mechanism and an effective deterrent to the misuse of this data. 36 Recommendation 6 — Identity verification procedures 4.153 It is recommended that Customs and Border Protection reviews its identity verification procedures for the handling of verbal (telephone) RFIs, especially for external RFIs, to ensure appropriate security safeguards are in place prior to PAU staff disclosing any EU-sourced PNR data verbally. 37 Other identified issues Observations Staff Training 4.154 Customs and Border Protection provided a copy of a ‘PAU Training Schedule Overview’ to the auditors prior to the audit, outlining 27 key induction, legislation and policy, PNR specific, Profiling and IAT training activities provided for PAU staff. 4.155 Six of these training activities are completed via online training, as follows: Section 16: Disclosure of Official Information IAT Traveller Search Module counter-terrorism introduction to intelligence NIS Skills and techniques BAGS (Intelligence Support System). 4.156 With the exception of the induction program, the remaining 21 training courses are completed through on-the-job training. 4.157 Staff from the PAU and Customs and Border Protection advised that the quality and consistency of the training offered to PAU staff has been variable over the past two years. 4.158 At the time of the audit, the Passenger Strategy and Policy Section was undertaking a quality assurance processes to identify any knowledge gaps or concerns across all PAU activities. The results of this process would be used in part to feed into a re-developed training program for PAU staff. 4.159 The auditors noted the general environment within the PAU and Customs and Border Protection was one where data protection was highly valued. Privacy issues 4.160 If PAU staff are unaware of their specific responsibilities and obligations in the use of EU-sourced PNR data, there is an increased risk of an inadvertent breach of the IPP obligations or the requirements of the EU Agreement. Recommendation 7 — Regular, ongoing and formal training 4.161 The auditors note that current quality assurance program will assist Customs and Border Protection to review its training materials in relation to the handling of EUsourced PNR data. The auditors recommend regular, ongoing and formal training for all PAU staff to encourage best privacy practice in this area. 38 Part 5 — Summary of recommendations Recommendation 1 — Finalise policy and procedure documents 5.1 The auditors recommend that Customs and Border Protection finalise the ‘Instructions and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data. The auditors note that the draft documents contain specific instructions in relation to EU-sourced PNR data requirements, such as the Australian government agencies that this data may be shared with, the need to clearly record the reasons for the RFI and response (if any) and sensitive data destruction requirements. Auditee response The auditee accepted this recommendation. Recommendation 2 — Reference to IPP 11.3 in caveats to receiving agency 5.2 The auditors recommend that Customs and Border Protection re-word the EU-sourced caveat and non EU-sourced caveat to specifically state that IPP 11.3 governs the receiving agency’s use or disclosure of its personal information. Auditee response The auditee accepted this recommendation. Recommendation 3 — Electronic storage arrangements 5.3 The auditors recommend that Customs and Border Protection reviews the electronic storage arrangements for RFIs relating to EU-sourced PNR data, to ensure that appropriate security safeguards are in place to protect this information from loss, misuse, modification or disclosure. Auditee response The auditee accepted this recommendation and made the following comment: Since the audit completion in 2012, Customs and Border Protection has reviewed storage arrangements for RFIs and is in the process of implementing new storage arrangements for RFI records to ensure that appropriate record keeping safeguards are in place. Recommendation 4 — Security of EU-sourced PNR data 5.4 The auditors recommend that Customs and Border Control undertakes an audit of other relevant IT systems (such as NIS) to identify whether identifiable EU-sourced PNR data has been included in other system records, and (if so) takes whatever steps are reasonable to ensure this data is protected from unauthorised access , use, modification, disclosure or other misuse. Auditee response The auditee accepted this recommendation and made the following comment: 39 Customs and Border Protection accepts this recommendation and has recently investigated PNR use and business procedures surrounding PNR data elements in relevant IT systems. A policy direction has been developed to clarify the data retention and depersonalisation provisions of Article 16 of the PNR Agreement with respect to the use of PNR data identified as relating to persons of interest. Customs and Border Protection will continue to monitor business processes and controls to ensure that PNR data is protected from unauthorised access, use, modification, disclosure or other misuse and handled within the terms of the EU-Australia PNR Agreement. Recommendation 5 — Audit logs 5.5 The auditors recommend that Customs and Border Protection reviews the manner in which its audit logs for EU-sourced PNR data RFI records are currently captured and used, with a view towards improving their use as a more proactive and effective monitoring mechanism and an effective deterrent to the misuse of this data. Auditee response The auditee accepted this recommendation. Recommendation 6 — Identity verification procedures 5.6 It is recommended that Customs and Border Protection reviews its identity verification procedures for the handling of verbal (telephone) RFIs, especially for external RFIs, to ensure appropriate security safeguards are in place prior to PAU staff disclosing any EU-sourced PNR data verbally. Auditee response The auditee accepted this recommendation. Recommendation 7 — Regular, ongoing and formal training 5.7 The auditors note that current quality assurance program will assist Customs and Border Protection to review its training materials in relation to the handling of EUsourced PNR data. The auditors recommend regular, ongoing and formal training for all PAU staff to encourage best privacy practice in this area. Auditee response The auditee accepted this recommendation. 40 Appendix A — Information Privacy Principles Principle 1 — Manner and purpose of collection of personal information 1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless: (a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and (b) the collection of the information is necessary for or directly related to that purpose. 2. Personal information shall not be collected by a collector by unlawful or unfair means. Principle 2 — Solicitation of personal information from individual concerned Where: (a) a collector collects personal information for inclusion in a record or in a generally available publication; and (b) the information is solicited by the collector from the individual concerned: the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of: (c) the purpose for which the information is being collected (d) if the collection of the information is authorised or required by or under law - the fact that the collection of the information is so authorised or required; and (e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information. Principle 3 — Solicitation of personal information generally Where: (a) a collector collects personal information for inclusion in a record or in a generally available publication; and (b) the information is solicited by the collector: the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected: (c) the information collected is relevant to that purpose and is up to date and complete; and (d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned. Principle 4 — Storage and security of personal information A record-keeper who has possession or control of a record that contains personal information shall ensure: 41 (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the recordkeeper is done to prevent unauthorised use or disclosure of information contained in the record. Principle 5 — Information relating to records kept by record-keeper 1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain: (a) whether the record-keeper has possession or control of any records that contain personal information; and (b) if the record-keeper has possession or control of a record that contains such information: (i) the nature of that information (ii) the main purposes for which that information is used; and (iii) the steps that the person should take if the person wishes to obtain access to the record. 2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. 3. A record-keeper shall maintain a record setting out: (a) the nature of the records of personal information kept by or on behalf of the recordkeeper (b) the purpose for which each type of record is kept (c) the classes of individuals about whom records are kept (d) the period for which each type of record is kept (e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and (f) the steps that should be taken by persons wishing to obtain access to that information. 4. A record-keeper shall: (a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and (b) give the Commissioner, in the month of June in each year, a copy of the record so maintained. Principle 6 — Access to records containing personal information Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. 42 Principle 7 — Alteration of records containing personal information 1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record: (a) is accurate; and (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading. 2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents. 3. Where: (a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and (b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth; the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought. Principle 8 — Record-keeper to check accuracy etc of personal information before use A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete. Principle 9 — Personal information to be used only for relevant purposes A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant. Principle 10 — Limits on use of personal information 1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless: (a) the individual concerned has consented to use of the information for that other purpose (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person (c) use of the information for that other purpose is required or authorised by or under law 43 (d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained. 2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use. Principle 11 — Limits on disclosure of personal information 1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless: (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency (b) the individual concerned has consented to the disclosure (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person (d) the disclosure is required or authorised by or under law; or (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue. 2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure. 3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency. 44