Audit report: Requests For Information for Passenger Name Record

Requests For Information for
Passenger Name Record data
Australian Customs and Border Protection Service
Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988
Audit undertaken: October/November 2012
Draft report issued: May 2013
Final report issued: June 2013
Contents
Part 1 — Introduction
  Background
Part 2 — Description of audit
  Purpose
  Scope
  Objectives
  Timing and location
  Methodology
  Information obtained during the audit
  Opinion
  Follow up review
  Reporting
Part 3 — Description of auditee
  Overview
  Passenger Name Record (PNR) Data
  Legislative basis for collection and uses of PNR data
  The EU agreement
  Description of the PAU
  Structure
Part 4 — Audit issues
  IPP 10 issues — Uses of EU-sourced PNR data
  IPP 11 issues — Disclosures of EU-sourced PNR data
  IPP 4 issues — Storage and security of EU-sourced PNR data
  Other identified issues
Part 5 — Summary of recommendations
  Recommendation 1 – Finalise policy and procedure documents
  Recommendation 2 – Electronic storage arrangements
  Recommendation 3 – Security of EU-sourced PNR data
  Recommendation 4 – Audit logs
  Recommendation 5 – Identity verification procedures
Appendix A — Information Privacy Principles
Part 1 — Introduction
Background
1.1 The Australian Customs and Border Protection Service (Customs and Border Protection)
and the Office of the Australian Information Commissioner (the OAIC) have a
Memorandum of Understanding (MoU) which provides a regular audit program for
Customs and Border Protection's use of European Union-sourced Passenger Name
Record (EU-sourced PNR) data.
1.2 Under the terms of the MoU signed on 9 May 2008 and in effect until 8 May 2012, the
OAIC undertook to conduct two audits per financial year of Customs and Border
Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act
1988 (Cth) (the Privacy Act).
1.3 This is the second audit undertaken for the 2011-12 financial year, under the MoU
signed 9 May 2008. The conduct of the audit was deferred by agreement between
Customs and Border Protection and the OAIC to be undertaken within the 2012-13
financial year.
1.4 The focus of the audit is on Customs and Border Protection's handling of internal and
external Requests For Information (RFI) involving EU-sourced PNR data.
1.5 Customs and Border Protection and the OAIC signed a further MoU on 8 February 2013
with effect until 30 June 2014. Under the terms of this agreement, the OAIC will
undertake one audit per year of Customs and Border Protection's handling of EU-sourced
PNR data under section 27(1)(h) of the Privacy Act.
1.6 The MoU has regard to the oversight and accountability functions of the OAIC contained
in Article 10 of the Agreement between the European Union and Australia on the
processing and transfer of Passenger Name Record (PNR) data by Air Carriers to the
Australian Customs and Border Protection Service (the EU Agreement). The EU
Agreement was made in Brussels on 29 September 2011, with effect from 1 June 2012.
Part 2 — Description of audit
Purpose
2.1 The primary purpose of the audit was to assess Customs and Border Protection's
compliance with the Information Privacy Principles (IPPs) contained in section 14 of the
Privacy Act, specifically in relation to its handling of RFIs for EU-sourced PNR data.
Scope
2.2 The audit assessed Customs and Border Protection's handling of both hard-copy and
electronic EU-sourced PNR data, in response to either internal or external RFIs for this
data.
2.3 The audit scope was limited to the use (IPP 10), disclosure (IPP 11) and storage and
security (IPP 4) practices of Customs and Border Protection in relation to the handling of
EU-sourced PNR data in response to an RFI.
2.4 Enquiries were also made regarding the activities and operations of the Department of
Immigration and Citizenship (DIAC) Tactical Surveillance Unit (TSU) within the Customs
and Border Protection Passenger Analysis Unit (PAU) and staff training arrangements.
Any observations made in relation to these aspects of the audit are provided for
Customs and Border Protection's information only, and do not form part of the overall
assessment of agency compliance in this audit.
2.5 The audit also sought to provide some preliminary information for Customs and Border
Protection’s consideration in relation to the obligations under the EU Agreement.
2.6 The use of EU-sourced PNR data by Customs and Border Protection to undertake
pre-arrival risk assessment (or Flight Screening) of passengers travelling to (or in transit
through) Australia did not form any part of the scope of the current audit.
Objectives
2.7 The three objectives of the audit were to identify whether:
1. uses of EU-sourced PNR data in response to RFIs received from within Customs and
Border Protection over a defined period are consistent with IPP 10 obligations
2. disclosures of EU-sourced PNR data in response to RFIs from other Australian
government agencies or third country authorities are consistent with IPP 11
obligations
3. storage and security arrangements for hard-copy and electronic EU-sourced PNR
data in response to RFIs are consistent with IPP 4 obligations.
Timing and location
2.8 The audit fieldwork was conducted on 31 October and 1 November 2012 at Customs
House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).
2.9 The location of the audit was the PAU based at Customs House Canberra, and included
a site inspection, observation of the handling of EU-sourced PNR data in response to
RFIs and an inspection of records of completed EU-sourced PNR RFIs over specified
periods.
Methodology
2.10 The audit utilised the following methodologies:
• Semi-structured interviews with key Customs and Border Protection staff from the
Passenger Targeting Branch, including PAU managers and staff responding to RFIs,
to assess:
o management and governance arrangements (including but not limited to
internal review/audit activities in relation to EU-sourced PNR data,
document destruction processes, internal governance arrangements)
o processing of RFIs (internal and external) for EU-sourced PNR data.
• Inspection of a random selection of 61 EU-sourced PNR RFIs received during the
following three specified one week periods:
o 20 records from the current financial year (24-28 September 2012)
o 25 records from 6 months prior (26-30 March 2012)
o 16 records from 12 months prior (26-30 September 2011).
• Document review of relevant material prepared by Customs and Border Protection
to assist PAU staff with the handling of EU-sourced PNR data, including (but not
limited to) relevant templates and Standard Operating Procedures (SOPs).
• Site inspection assessing physical and IT security and storage arrangements,
including (but not limited to) relevant access controls, audit logs, and use of third
party contractors if relevant.
Information obtained during the audit
2.11 The following documentation was provided prior to the audit fieldwork into Customs
and Border Protection's processing of EU-sourced PNR RFIs in October and November
2012:
• An organisational chart and office locations for the relevant areas of Customs and
Border Protection that handle PNR data.
o ‘PAU Structure Sep-Dec 2012’ document.
o ‘Advanced Analytics, Intelligence Strategies and Program Branch’
document.
o Software developers, located in Allara House, Constitution Avenue,
Canberra.
• Staff instructions/memorandums in relation to the handling of PNR data in
Customs, including relevant SOPs.
• Staff training materials addressing the Privacy Act, the handling of PNR data and
relevant information security practices.
2.12 The following information and documentation was gathered during the audit
fieldwork period:
• An outline of personal information data flows within Customs relating to handling
RFIs of EU-sourced PNR data.
o ‘Practice Statement 2012/05: Processing requests for Passenger Name
Record (PNR) Information’ DRAFT document (Practice Statement).
• An outline of personal information data flows to any internal or external third
parties relating to handling RFIs of EU-sourced PNR data:
o ‘Instructions and Guidelines 2012/05: Processing requests for PNR
Information’ - DRAFT document – Protected (Instructions and Guideline).
o ‘Associated Document 2012/05: Responding to and recording of PAU
Request for PNR Information (RFPI)’ - DRAFT document – Protected
(Associated Document).
o Section 16 Undertakings (as of March 2008).
o ‘Disclosure of EU-sourced PNR data’ caveat for email communications.
o ‘Disclosure of Non-EU-sourced PNR data’ caveat for email communications.
• Details of internal Customs and Border Control access to EU-sourced PNR data,
access limitations, staff training materials and audit log information.
o ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002)
Enhanced passenger Assessment and Clearance Program 2 (EPAC2),
Version 0.6 (15 August 2012)’ document.
o ‘Application for Integrated Analysis Tool (IAT) PNR Push Access’ template.
o ‘Separation from PAU’ document - management checklist for revoking
System access, mailbox/distribution access, communication resources,
physical access and other entitlements on separation from the PAU.
o Audit log of an RFI response observed live by OAIC assessors.
o ‘PAU Training Schedule Overview’ document (Version 20100525.v2).
Opinion
2.13 The auditors are of the opinion that Customs and Border Protection is generally
maintaining its records of personal information in accordance with its IPP 4, 10 and 11
obligations under the Act in the handling of hard-copy and electronic EU-sourced PNR
data in response to internal and external RFIs for this data.
2.14 The auditors identified a number of privacy risks in Customs and Border Protection’s
maintenance of personal information under its IPP obligations. The auditors have
made seven recommendations in relation to these.
2.15 The auditors have also made a number of observations in relation to observed
practice against the specific requirements of the EU Agreement, which have been
provided here for Customs and Border Protection’s consideration.
Follow up review
2.16 Under the terms of the EU Agreement in effect from 1 June 2012, and a separate MoU
between Customs and Border Protection and the OAIC dated 8 February 2013, the
OAIC will continue to undertake up to one audit of Customs and Border Protection’s
handling of EU-sourced PNR data each year.
Reporting
2.17 Generally the OAIC will publish final audit reports on its website, except where there
are concerns with sensitive material. For example, where the audit: relates to material
affecting national security, defence, Commonwealth-State relations or law
enforcement; involves certain business, commercial or financial information; or where
material has been obtained in confidence, it may be appropriate to redact some
information from the report or not to publish the report.
2.18 Where final reports of audits of ACT, Australian and Norfolk Island government
agencies are published, they will be available on the OAIC’s website
(www.oaic.gov.au).
2.19 Information Privacy Principle audit findings and recommendations that are considered
relevant to good privacy practice across the public sector are also generally discussed
in the OAIC’s annual report.
Part 3 — Description of auditee
Overview
3.1 Customs and Border Protection is the primary border protection agency in Australia. It
manages the security and integrity of Australia's borders, and works closely with other
government and international agencies to detect and deter unlawful movement of
goods and people across the border.
3.2 Other agencies that Customs and Border Protection works with include the Australian
Federal Police (AFP), the Office of Transport Security (OTS), DIAC and the Attorney General's
Department (AG Department).
3.3 As at 30 June 2012, Customs and Border Protection employed 5,671 people nationally
in Australia and overseas. Its central office is located in Canberra.
3.4 Customs and Border Protection operates two major programs: Maritime, Corporate
and Intelligence, and Border Management. A third corporate division (Strategy,
Finance and Integrity) reports directly to the Chief Executive Officer.
3.5 Among other activities, it intercepts illegal drugs and firearms and targets high-risk
aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection
also has a fleet of ocean-going patrol vessels and contracts aerial surveillance
providers for civil maritime surveillance and response.
Passenger Name Record (PNR) Data
3.6 PNR data is information about airline passengers held by airlines on their computer
reservation systems and/or departure control systems.
3.7 PNR data may include any of the following information:
• PNR locator code
• passenger name(s)
• passport number
• nationality
• details of travel companions
• frequent flyer information
• ticketing information: date of reservation/issue of ticket; itinerary and alterations
made to booking
• contact information, including travel agent details
• payments/billing
• travel status of passenger (including confirmations and check-in status)
• special request/service information
• all baggage information (number and weight of bags)
• seat allocation(s)
• all historical changes to the above PNR.
3.8 Some PNR data is automatically generated by the airline (eg itinerary detail), while
other information is supplied by or on behalf of the passenger (eg contact details).
Airlines or authorised travel agents may also add a range of further information, such
as dietary or medical requirements, or special requests for assistance.
3.9 At the time of the audit, the OAIC was informed that a total of 39 airlines provided
PNR data to Customs and Border Protection.
3.10 Of these, 13 airlines were identified as specifically providing EU-sourced PNR data.
3.11 Authorised Customs and Border Protection PAU officers receive up to five scheduled
transmissions from specified airlines of both EU-sourced and non-EU sourced PNR
data beginning at 72 hours before the scheduled departure of a flight to Australia.
3.12 Any updates to the PNR data are then provided at 24 hours, 2 hours and 1 hour
respectively (if available).
3.13 A final full list of available PNR data is also received after the flight has departed for
Australia.
Legislative basis for collection and uses of PNR data
3.14 The collection of PNR data by Customs and Border Protection, for both EU and Non-EU
sourced PNR data, is permitted under section 64AF of the Australian Customs Act 1901
(the Customs Act).
3.15 This provision specifies that if requested, all international passenger air service
operators, flying to, from or through Australia, are required to provide Customs and
Border Protection with PNR data to the extent that they are collected and contained in
the air carrier's reservations and departure control systems, in a particular manner
and form.
3.16 Access to all PNR data is only given to specifically authorised Customs Officers in
accordance with section 64AF(5), with a person being an ‘authorised officer’ only if:
a. appointed as an officer of Customs (as set out in section 4 of the Customs
Act)
b. authorised in writing by the CEO to exercise the powers to perform the
functions of an authorised officer under section 64AF.
3.17 PNR data must only be accessed by authorised Customs and Border Protection officers
for the purpose of performing their functions under the Customs Act or prescribed
laws of the Commonwealth.
3.18 Functions of officers under section 64AF include conducting traveller assessments for
border risks, conducting post-seizure analysis and servicing RFIs.
3.19 PNR data may also be accessed in support of relevant joint operations, task force or
national Customs and Border Protection operations, detection analysis or
investigation and search and seizure warrants.
3.20 The Customs Administration Act 1985, Migration Act 1958, Crimes Act 1914 (Cth),
Privacy Act 1988 (Cth), Freedom of Information Act 1982 (Cth), Auditor-General Act
1997 (Cth), Ombudsman Act 1976 (Cth) and Public Service Act 1999 (Cth) all provide
for data protection, rights of access and redress, rectification and annotation and
remedies and sanctions for misuse of personal data, including PNR data.
3.21 Use of any PNR data for an unauthorised purpose may result in offences under a number of
Commonwealth laws dealing with unauthorised access, including the Customs
Administration Act 1985, the Criminal Code 1995 (Cth), the Public Service Act 1999
(Cth) and the Privacy Act 1988 (Cth).
The EU agreement
3.22 The EU agreement between Australia and the European Union in relation to the
transfer and provision of EU-sourced PNR data to Customs and Border Protection was
signed in Brussels on 29 September 2011, with effect from 1 June 2012.
3.23 The EU agreement sets out the terms of the transfer of EU-sourced data to
Customs and Border Protection, and of its use.
3.24 Under the EU Agreement, Customs and Border Protection agrees to use PNR data
strictly for the purpose of preventing, detecting, investigating and prosecuting
terrorist offences and serious transnational crime in strict compliance with safeguards
on privacy and the protection of personal data.
3.25 The EU Agreement also sets out certain other circumstances when PNR data may be
used or disclosed, such as:
a. in the protection of vital interests of an individual, such as risk of death,
serious injury or threat to health (Article 3(4))
b. where specifically required by Australian law, on a case by case basis, for the
purpose of supervision and accountability of public administration and the
facilitation of redress and sanctions for the misuse of data (Article 3(5))
c. for the oversight and accountability functions undertaken by the OAIC
(Article 10).
3.26 The EU Agreement also sets out a list of government authorities in Australia with
whom Customs and Border Protection is authorised to share (or disclose) EU-sourced
PNR data (Annex 2). These authorities are:
• Australian Crime Commission (ACC)
• Australian Federal Police (AFP)
• Australian Security Intelligence Organisation (ASIO)
• Commonwealth Director of Public Prosecutions (DPP)
• Department of Immigration and Citizenship (DIAC)
• OTS (within the Department of Infrastructure and Transport).
3.27 Additionally, Article 19 of the EU Agreement specifies how Customs and Border
Protection may transfer EU-sourced PNR data to authorities from third countries (on a
case by case basis).
3.28 Article 6 sets out the arrangements for access by EU-based Law Enforcement
Authorities (LEAs) to PNR data (or analytical information obtained from PNR data)
provided to Customs and Border Protection under the EU Agreement.
Description of the PAU
3.29 The PAU in Customs and Border Protection conducts pre-arrival risk assessments of
passengers travelling to (or in transit through) Australia using both EU and non-EU
sourced PNR data, along with other advanced passenger information.
3.30 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other
serious transnational crimes, such as money laundering, drug importation, weapons
trafficking and people smuggling/trafficking.
3.31 PAU officers use this information, together with a range of other information (for
example immigration, intelligence and other law enforcement data), to screen
passengers prior to arrival to Australia and assist in identifying those passengers that
may pose a risk at the time of arrival.
3.32 The PAU also responds to requests for PNR data from other areas of Customs and
Border Protection (internal RFIs) and from other Australian government agencies or
specified third country authorities (external RFIs).
3.33 These internal and external RFIs for EU-sourced PNR data are the subject of this audit.
Structure
3.34 The Director, PAU leads three distinct sections: Assessment and Selection, Profile
Management and Alerts Management.
3.35 The Assessment and Selection manager oversees four shift teams of five analysts
(each with a team supervisor) and two further Supervisors. This team operates 24
hours a day, seven days a week.
3.36 The Profile Management team consists of a manager, supervisor and analyst, while
the Alerts Management team consists of a manager, supervisor and five senior
customs officers.
3.37 The auditors also spoke with Customs and Border Protection staff from Passenger
Strategy and Policy Section, the Policy and Risk Team, the PAU (Passenger Targeting
Branch) and key staff from the Advanced Analytics Section (Intelligence Strategies and
Program Branch).
3.38 Additionally, the auditors spoke to an officer from the DIAC TSU around their access,
use and disclosure (if any) of EU-sourced PNR data.
Part 4 — Audit issues
The following findings and recommendations relate to the auditors’ consideration of Customs
and Border Protection’s handling of both hard-copy and electronic EU-sourced PNR data, in
response to either internal or external RFIs for this data.
The IPPs are produced in full at Appendix A.
IPP 10 issues — Uses of EU-sourced PNR data
IPP 10 sets out how personal information collected for one purpose may be used for
another (secondary) purpose, such as with the individual’s consent or for some health and
safety or law enforcement reasons in certain circumstances. Specifically:
IPP 10.1 provides that a record keeper who has possession or control of a record that
contains personal information that was obtained for a particular purpose shall not
use the information for any other purpose unless one or more of certain exceptions
apply.
IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record
keeper shall include in the record containing that information a note of the use.
The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of
Customs and Border Protection’s use of EU-sourced PNR data:
• Article 3: Scope of application
• Article 8: Sensitive data
• Article 17: Logging and documentation of PNR data.
Observation(s)
Interpretation of ‘use’ by the OAIC
4.1 The auditors considered that, where Customs and Border Protection’s use of
EU-sourced PNR data is in response to an internal RFI from a Customs staff member, this
constitutes a use of EU-sourced PNR data.
4.2 Article 3 of the EU Agreement explicitly states that Customs and Border
Protection agrees to process (ie use) PNR data strictly for the purpose of preventing,
detecting, investigating and prosecuting terrorist offences and serious transnational
crime. These two uses form the primary purpose of the collection of the EU-sourced
PNR data.
4.3 Three additional permitted uses are also set out in Article 3 of the EU agreement (see
paragraph 3.25 above).
Policies and procedures around the use of EU-sourced PNR data by Customs and Border Protection
4.4 The auditors noted throughout the interviews that Customs and Border Protection
staff generally had a clear understanding of the obligation to use EU-sourced PNR data
only for internal RFIs in relation to terrorist offences or for serious transnational crime
issues.
4.5 The OAIC reviewed three key policy and practice documents in relation to RFIs for
EU-sourced PNR data:
• ‘Passenger Name Record (PNR) data’ - (Practice statement)
• ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected (Instruction and Guidelines)
• ‘Responding to and recording of PAU Request for PNR Information (RFPI)’ –
DRAFT - Protected – (Associated Document)
4.6 The Practice statement provides a high level overview of Customs and Border
Protection’s collection, use and sharing of both EU and non EU-sourced PNR data.
4.7 The draft Instruction and Guidelines (Protected) provides greater detail for Customs
and Border Protection officers in terms of the appropriate uses of PNR data (both EU
and non EU-sourced).
4.8 Section 1.6.4 of the Instruction and Guidelines sets out appropriately the allowable
uses of EU-sourced PNR data only for the purposes specified in Article 3 of the EU
Agreement (see paragraphs 3.24 and 3.25 above).
4.9 Section 1.3 also specifies a range of actions that a PAU Officer should undertake on
receipt of a RFI for PNR data (including EU-sourced PNR data). This section
appropriately:
• outlines that all RFIs should be received in writing (email) to the PAU Canberra
Mailbox
• provides examples of the type of RFIs that Customs and Border Protection
PAU officers may action
• specifies that the RFI must include the offence being considered and/or
investigated, including the relevant Act and section
• outlines that the response should only include the particular types of PNR data or
elements requested, and only be provided within the purpose limitation
under Article 3 of the EU Agreement
• outlines the common sources of RFIs including:
i. Customs and Border Protection officers (including overseas Senior
Australian Customs and Border Protection representative network)
ii. officers of other Australian LEAs and intelligence agencies
iii. international LEAs with which Customs and Border Protection has a
valid Cooperative Agreement in place (and received through relevant
international counsellor or intelligence liaison officers).
• outlines reasons for not actioning a RFI, and the written advice that must be
provided outlining why the decision has been made not to action an RFI (to
be logged and recorded as if actioned).
4.10 At the time of the audit, the Associated Document was also a draft document. The
auditors were provided with a copy, and noted that the document template set out a
series of actions to be undertaken by Customs and Border Protection PAU staff in
responding to written and verbal RFIs in general, and in relation to written and verbal
responses to international counterpart agencies.
4.11 The auditors noted that there could be better consistency within the Instruction and
Guideline, given it states PAU must review all RFIs in writing (page 6), and later
(page 9, Section 1.5.4) specifies the steps to be taken in the limited circumstances in
which an RFI may be received by telephone.
4.12 It is possible that this is an effect of the draft nature of these documents, and is raised
here as an observation only for Customs and Border Protection’s consideration.
4.13 Subject to the above, the policies and procedures developed (or under development)
by Customs and Border Protection appear likely (when finalised) to support PAU staff
to use EU-sourced PNR data appropriately within the requirements of the Privacy Act.
Observation of the processing of RFI requests
4.14 Auditors were advised that PAU staff usually receive RFIs that had been sent to a
dedicated PAU EU-RFI email inbox. PAU staff may also receive RFIs over the telephone
from calls to a dedicated PAU landline.
4.15 The auditors observed a senior PAU officer handling a real-time request for PNR data
received via email.
4.16 The process for PAU staff dealing with RFIs received via email is set out in the
Associated Document (Section 1.1).
4.17 Relevantly, the auditors observed the PAU staff:
a) check and verify the source of the request (AFP in the observed instance)
b) check the offence being considered and/or investigated and the legislative basis for
PAU response to the PNR RFI
c) check the airline operator to establish if EU-sourced PNR or non EU-sourced PNR RFI
data had been requested
d) review multiple PNR data entries for the Person Of Interest and consider the
relevance of available EU-sourced PNR data to the request received
e) access relevant IT systems to extract appropriate EU-sourced PNR data
f) draft an email response to the RFI, manually inputting relevant elements of the
EU-sourced PNR data
g) add the standard EU disclosure caveat
h) recheck the RFI request, the EU-sourced PNR information provided, the recipient and
the legislative basis for actioning the request
i) send the RFI response email (with a cc to the PAU EU-RFI mailbox as a record of the
response, stored by month of actioned request).
4.18 In responding to an RFI received over the telephone, the auditors were advised that
PAU staff:
• verify the internal Customs and Border Protection staff member’s Customs
User ID against internal systems (phone or email systems)
• proceed as above for a written RFI, but verbally advise the requesting
officer of the information sought (ie after 4.17 step ‘e’ above)
• confirm the verbal RFI request and PAU response in an email then sent to
the requesting officer (with a cc to the PAU EU-RFI mailbox as a record of the
response, stored by month of actioned request).
4.19 Customs and Border Protection advised the auditors that procedures and templates
were in development to improve the consistency of PAU staff responses to both
written and verbal RFIs.
4.20 The auditors noted that Section 1.5.4 of the ‘Instruction and Guideline’ document
specifies the steps to be undertaken in responding to an RFI received by telephone,
and Section 1.9 specifies, for urgent operational cases only, how a verbal RFI is to be
logged and recorded. Customs and Border Protection was developing a more detailed
checklist in the ‘Associated Document’.
4.21 Customs and Border Protection also advised that, at the time of the audit, there was
no specific Standard Operating Procedure (SOP) document which covered verbal RFI
responses. However, the draft Associated Document (a procedural/technical level
document below an Instruction and Guideline) sets out the procedures for PAU staff
to follow on receipt of a verbal RFI.
4.22 Discussion with PAU staff showed a high level of awareness of when RFIs are to be
refused, with examples being given of State LEAs seeking information for non-Commonwealth offences which had been declined.
4.23 The auditors were advised that, where the RFI did not clearly specify what EU-sourced
PNR information was required, PAU staff have the discretion to determine what
information (if any) from the EU-sourced PNR record would be provided in response.
4.24 Staff were able to articulate that only the minimum EU-sourced PNR data relevant to
the request should be provided (consistent with Article 18(1)(d) requirements of the
EU Agreement).
4.25 The auditors also noted that statistics of shift records are recorded every day. These
statistics record the number of RFIs responded to by the PAU Officers. No personal
information from EU-sourced PNR data is included in these statistics.
Inspection of RFI records over specified periods
4.26 Customs and Border Protection provided the auditors with hard copies of all RFI
responses for each of the below specified weeks.
4.27 These records included both EU and non-EU sourced RFIs received in each week,
received in either written or verbal format.
4.28 The auditors undertook an inspection of a total of 61 completed EU-sourced PNR RFIs
during the three randomly selected specified one week periods, as follows:

20 records (21%) from 97 RFIs in the specified week (24-28 September 2012)

25 records (24%) from 104 RFIs from 6 months previous (26-30 March 2012)

16 records (22%) from 74 RFIs from 12 months previous (26-30 September
2011).
4.29 In summary, and across the three specified weeks:

the 61 EU-sourced PNR RFIs accounted for 22% of a total of 275 PNR RFIs
received

the majority (59%) of the EU-sourced PNR RFIs received across the three
week periods were internal RFIs from Customs and Border Protection staff

almost all of the EU-sourced PNR RFIs were written (received via email),
rather than by telephone

four EU-sourced PNR RFIs across the three week period did not clearly specify
the grounds for the enquiry. While two of these RFIs had been refused on
these grounds, two appeared to have been actioned

the most recent specified week had the least number of issues identified,
while records from the period 12 months prior to the specified week had the
most number of issues identified.
4.30 Specifically, the auditors noted the following with regard to the EU-sourced PNR RFIs
received in each of the three week periods inspected:

Specified period (24-28 September 2012) – of the 20 records inspected:
i. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received
during the week)
ii. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
during the week) from other Australian government agencies
iii. a further two RFIs (10%) did not clearly show whether the source of
the request was internal or external. The response to each of the two
RFIs, if any, was also not recorded. This observation is also noted at
Paragraph 4.73 (iii) (see ‘Specified Period’ dot point)
iv. all but two internal RFIs specified clearly the grounds under which the
RFI had been requested, which were legitimate purposes under the
EU Agreement
v. of the two that did not clearly specify the purpose:

one had been refused on these grounds

one appeared to have been actioned
vi. The appropriate EU caveat had been applied to all internal RFI
responses.

Six months previous to specified week (26-30 March 2012) – of the 25
records inspected:
i. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received
during the week)
ii. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received
during the week) from other Australian government agencies
iii. one internal RFI did not have any record of the response provided, if
any
iv. in two instances, PAU officers had appropriately sought further
information prior to actioning the internal RFI
v. all but one internal RFI specified clearly the grounds under which the
RFI had been requested, which were legitimate purposes under the
EU Agreement
vi. for the record that did not clearly specify the purpose, the internal RFI
was refused on these grounds
vii. the appropriate EU caveat had been applied to all internal RFIs.

12 months previous to specified week (26-30 September 2011) – of the 16
records inspected:
i. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received
during the week)
ii. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
during the week) from other Australian government agencies
iii. two RFIs (12.5%) did not clearly show whether the source of the
request was internal or external. The response to each of these RFIs, if
any, was also not recorded. This observation is also noted at
Paragraph 4.73 (iii) (see ‘12 month previous’ dot point)
iv. one internal RFI did not specify clearly the grounds under which the
RFI had been requested, but appeared to have been actioned
v. in another instance, a PAU officer had appropriately sought further
information prior to actioning the internal RFI
vi. The appropriate EU caveat had not been applied to three of the ten
internal RFIs. The non-EU caveat had been applied in two records,
while no caveat appeared to be attached to one record.
4.31 Overall, the inspection of records identified an improvement in the completeness of
EU-sourced PNR RFI records over the previous year up to the specified week.
4.32 The inspection also showed, however, that in each period at least one EU-sourced PNR
record appeared to have been actioned without a clear reason provided for the
request. It was not clear whether staff had responded to the RFI without a reason
being provided, or whether the reason had not been clearly recorded.
Logging and documentation of RFI responses
4.33 Article 17 of the EU Agreement (in part) requires Customs and Border Control to:

log all processing, access, consulting or transfer of EU-sourced PNR data

include where the RFI has been denied.
4.34 Customs and Border Protection advised that all EU-sourced PNR RFIs are received in a
dedicated PAU EU-RFI mailbox, located within the standard departmental email
system.
4.35 All responses to EU-sourced PNR RFIs (including where an RFI has been refused) are
also stored in a dedicated PAU EU-RFI mailbox (ie held separately from other PNR
data).
4.36 The Associated Document specifies that all responses (and the original RFI) are to be:

logged in a PAU RFI Register

hard copy printed and placed on a PAU RFI RIM file

recorded on a PAU statistics sheet.
4.37 It was unclear at the time of the audit whether these instructions were in force.
4.38 Logging of RFIs received by telephone occurs after the RFI had been responded to
verbally, through a confirmation email sent by the responding PAU officer to the
requesting party.
4.39 The inspection of records relevantly showed:

instances where the RFI had been declined had been recorded, including the
reasons why the request was declined

one or two instances in each week where a hard copy record of the RFI had
been logged, while the response (if any) was not specified.
4.40 Customs and Border Protection staff indicated to the auditors that retrieval and/or
search of these email records, where a specific RFI response needed to be located,
was currently quite difficult.
4.41 Customs and Border Protection also indicated that the storage of RFI requests and
responses on the email system was problematic, and in the longer term there was a
need to review how best to store electronic (and hard copy) records of the RFIs and
the responses provided, if any.
4.42 The auditors requested a copy of the system audit log of the written EU-sourced PNR
RFI that had been observed. Customs and Border Protection was able to provide an
SQL query log for the RFI, based on the responding Customs Staff User Id, showing:

Person Of Interest name search

EU-sourced PNR flight list request from inbound flight manifest

EU-sourced PNR detail reviewed (further detail was available from the
database, on request).
Sensitive data — Limitations on use
4.43 Article 8 of the EU Agreement covers the prohibition of Customs and Border
Protection from processing sensitive EU-sourced PNR data. Sensitive data includes
information on:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

health or sex life information
4.44 The IPPs do not currently or specifically deal with the collection or use of sensitive
personal information. However, the incoming Australian Privacy Principle 3 (in effect
from 12 March 2014) will place new obligations on Customs and Border Protection in
terms of its collection of sensitive personal information.
4.45 While the PAU handling of sensitive personal information is not therefore covered by
the IPPs, the following observations are noted for Customs and Border Protection
consideration in terms of the EU Agreement requirements, and the introduction of the
APPs on 12 March 2014.
4.46 Customs and Border Protection staff advised the OAIC that EU-sourced PNR data
collected by the airline operators is not standardised, and EU-sourced PNR data
collected by different airline operators is variable in terms of the provided data fields,
structures and formats.
4.47 To assist with the collection of a minimum level of core EU-sourced PNR data, Customs
and Border Protection requests access to a pre-determined set of EU-sourced PNR
data fields from relevant airline operators (as specified in Attachment A of the
‘Instruction and Guideline’ document).
4.48 Customs and Border Protection staff were aware of the obligation under Article 8 of
the EU agreement to destroy any sensitive data contained in EU-sourced PNR data.
4.49 Customs and Border Protection advised that (at present) there was very little sensitive
information contained in EU-sourced PNR data received.
4.50 If an EU-sourced PNR record contained sensitive data, this would likely occur in the
free text or general remarks associated with PNR data (ie Other Supplementary
Information (OSI), Special Service Information (SSI) or Special Service Request (SSR)
detail).
4.51 Customs and Border Protection advise that it is currently very difficult to automatically
censor or delete free text or general remark information prior to the entry of the EU-sourced PNR record into the database. This reflects an IT systems limitation, in that
the location of the data (if included) is within non-standardised and free text fields.
4.52 Customs and Border Protection advised that they have not, and do not intend to, use
any EU-sourced PNR data (including sensitive information, if included) to conduct any
form of racial profiling.
4.53 At present, the PAU addresses the issue of sensitive information on a case by case
basis. Sensitive information is not utilised in any processing of EU PNR data and where
possible the information is deleted i) prior to entry of the EU-sourced PNR data to the
IAT or ii) upon ad-hoc identification by PAU staff in response to an RFI.
4.54 However, there appeared to be some lack of awareness in discussions with PAU staff
of what constitutes ‘sensitive data’ under the EU agreement.
4.55 A higher level of awareness of what constitutes ‘sensitive data’ from PAU staff would
enable this information to be better identified and removed, if the data did find its
way into the IAT. Further, PAU staff also need to be aware that this information
cannot be disclosed in response to an RFI, and take appropriate steps to notify the
relevant IT area to have the sensitive data removed from the EU-sourced PNR record,
to ensure obligations under the EU Agreement are met.
Privacy issues
4.56 A range of risks have been identified in terms of Customs and Border Protection’s use
of data, under both the Privacy Act and more specifically the EU Agreement. These
issues are outlined below for Customs and Border Protection’s consideration.
4.57 At the time of the audit, the ‘Instruction and Guideline’ and ‘Associated Document’
were in draft form. There is a risk that a lack of finalised policies and procedures to
support PAU staff in applying the allowable uses of PNR data (including EU-sourced
PNR data) may lead to a breach of Customs and Border Protection obligations under
either the Privacy Act or the terms of the EU Agreement.
4.58 There is a risk that, where the records of RFIs received and PAU response (if any) are
not complete or accurate, especially around the grounds provided for the RFI,
Customs and Border Protection: may be in breach of its obligations under IPP 7
(accuracy, completeness etc); may not know whether personal information has been
used and disclosed in accordance with IPP 10 and 11; or may not be complying with
the terms of the EU Agreement with regard to its use of this data.
4.59 A lack of awareness of the types of data that are considered ‘sensitive’ under the EU
agreement (and after 12 March 2014, in the new Australian Privacy Principles)
increases the risk that PAU staff may use this data in providing an RFI response, rather
than deleting the data as required under the EU agreement.
Recommendation 1 — Finalise policy and procedure documents
4.60 The auditors recommend that Customs and Border Protection finalise the ‘Instructions
and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data.
The auditors note that the draft documents contain specific instructions in relation to
EU-sourced PNR data requirements, such as the Australian government agencies that
this data may be shared with, the need to clearly record the reasons for the RFI and
response (if any) and sensitive data destruction requirements.
IPP 11 issues — Disclosures of EU-sourced PNR data
IPP 11 sets out when an agency may disclose personal information to someone else, for
example another agency. This can only be done in special circumstances, such as with the
individual’s consent or for some health and safety or law enforcement reasons. Specifically:
IPP 11.1 provides that a record keeper who has possession or control of a record that
contains personal information shall not disclose the information to a person, body
or agency (other than the individual concerned) unless one or more of certain
exceptions apply.
IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record
keeper shall include in the record containing that information a note of the
disclosure.
IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties
who receive that information must not use or disclose the information for a
purpose other than the purpose for which the information was given to them.
The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of
Customs and Border Protection’s disclosure of EU-sourced PNR data:

Article 18: Sharing PNR data with other government authorities of Australia

Article 19: Transfers to authorities of third countries

Article 6: Police and Judicial cooperation.
Interpretation of ‘disclosure’ by the OAIC
4.61 The OAIC considers that, where Customs and Border Protection responds to a RFI from
an external Australian government authority, third country authority or the police or
judicial authorities of a Member State of the EU, Europol or Eurojust, this constitutes a
disclosure of EU-sourced PNR data.
Policies and procedures around the disclosure of EU-sourced PNR data by Customs and
Border Protection
4.62 The OAIC noted throughout the interviews that Customs and Border Protection staff
generally had a clear understanding of the obligation to disclose EU-sourced PNR data
for external RFIs only in relation to offences relating to terrorism or serious
transnational criminal activities.
4.63 The disclosure aspects of the three key policy and practice documents in relation to
RFIs for EU-sourced PNR data showed:

‘Passenger Name Record data’ - (Practice statement)
i. Paragraph 12 contains a specific reference to the addition of the
appropriate PNR caveat where PNR data is disclosed to another
agency.

‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected (Instruction and Guidelines):
i. Section 1.4 outlines circumstances in which RFIs may be received from
other Australian government agencies.
ii. Section 1.6.5-6 sets out allowable disclosures to Commonwealth
agencies and Third Country Authorities.
iii. Section 1.6.10-13 describes the need to apply appropriate caveats to
disclosed PNR data.
iv. Section 1.6.14 describes the requirement to log all RFIs and responses
(if any) on an appropriate RIMS file.

‘Responding to and recording of PAU Request for PNR Information’ – DRAFT Protected – (Associated Document)
i. Section 3 Appendix 1 specifies a list of six airlines that provide EU-sourced PNR data, explicitly identifies the six Australian government
agencies that this data may be disclosed to (in addition to Customs
and Border Protection) and warns against any identified bulk
disclosure of EU-sourced PNR data.
ii. The section also sets out that sensitive EU-sourced PNR data (if
included in the record) is to be deleted before further processing.
iii. Section 6 Appendix 4 provides the EU and non-EU PNR disclosure
caveats to be attached to any RFI response.
iv. Section 7 Appendix 5 provides written and verbal response templates,
including for non-compliant (or ‘no data available’) RFI responses.
4.64 The Instructions and Guidelines (Section 1.4) indicate that RFIs may be received
directly to the PAU (rather than through out posted Customs and Border Protection
Liaison Officers) from four Australian government agencies, as follows:

AG Department via the Australian Security Network (ASNET), a dedicated
secure communications network for the exchange of information classified in
relation to national security. Due to sensitivity of AG Department’s
operations, the specific nature of the risk which prompts the RFI does not
need to be identified

the Trans-National Sexual Exploitation Targeting Team (TSETT), received from
the AFP

the OTS

for issues of ‘Operational Urgency’, where the RFI is time critical.
4.65 The policies and procedures developed (or under development) by Customs and
Border Protection appear likely (when finalised) to support PAU staff to disclose PNR
data, including EU-sourced PNR data, appropriately within both the Australian
legislative frameworks and the terms of the EU Agreement.
Disclosures of EU-sourced PNR information to other Australian government Authorities
4.66 Under Article 18 of the EU Agreement, Customs and Border control are authorised to
share EU-sourced PNR data on a case by case basis with the following government
authorities of Australia:

Australian Crime Commission

Australian Federal Police

Australian Security Intelligence Organisation

Commonwealth Director of Public Prosecutions

Department of Immigration and Citizenship

Office of Transport Security (within the Department of Infrastructure and
Transport).
4.67 Discussions with PAU staff showed a high level of awareness of when RFIs are to be
refused, with examples being given of external State-based LEAs seeking RFI for non-Commonwealth offences, which had been declined.
4.68 Three major agencies were commonly identified as agencies to which EU-sourced PNR
data could be shared (AFP, ASIO and ACC), likely reflecting the higher frequency of
RFIs received from these agencies.
4.69 However, staff awareness of the other Australian government agencies that EU-sourced PNR data could be shared with (ie the OTS and DPP) appeared less clear, with
these agencies not generally referenced during interviews.
4.70 External RFIs from DIAC appear to be received only on occasion from the TSU, which is
co-located with the PAU and supports the DIAC Airline Liaison Officer (ALO) network,
based at airports across the world.
4.71 The TSU advised auditors that DIAC RFIs of the PAU were made relatively infrequently,
due to a range of reasons including:

DIAC preference for non-EU sourced ‘pull’ data over the ‘push’ data held by
the PAU

access the DIAC ALOs located in each airport will often already have to
relevant passenger information (ie Advanced Passenger Information received
directly from the relevant airline).
4.72 Customs and Border Protection advised that TSU staff have appropriate authorisations
under section 64AF(5) of the Customs Act to access PNR data, as required.
Inspection of RFI records over specified periods
4.73 In terms of the inspection of EU-sourced PNR RFIs from the three randomly selected
one week periods, the auditors noted the following:

Specified period (24-28 September 2012) – of the 20 records inspected:
i. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
during the week)
ii. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received
during the week)
iii. as noted previously under the ‘Specified Period’ dot point at
Paragraph 4.30 (iii), two RFIs (10%) did not clearly show whether the
source of the request was internal or external. The response to each
of these RFIs, if any, was also not recorded
iv. there were no third country authority requests in the period
v. of the external RFIs, all specified clearly the grounds under which the
RFI had been requested, and were legitimate purposes under the EU
Agreement
vi. the appropriate EU caveat had been applied to all external RFI
responses.

Six months previous to specified week (26-30 March 2012) – of the 25
records inspected:
i. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received
during the week)
ii. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received
during the week)
iii. there were no third country authority requests in the period
iv. all but one external RFI specified clearly the grounds under which the
RFI had been requested, which were legitimate purposes under the
EU Agreement
v. the record that did not clearly specify the purpose for the external RFI
appeared to have been actioned by Customs and Border Protection
vi. the appropriate EU caveat had been applied to all but one of the
external RFI responses. The one exception applied the non-EU caveat.

12 months previous to specified week (26-30 September 2011) – of the 16
records inspected:
i. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
during the week)
ii. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received
during the week)
iii. as noted previously under the ‘12 month previous’ period dot point at
Paragraph 4.30 (iii), two RFIs (12.5%) did not clearly show whether the
source of the request was internal or external. The response to each
of these RFIs, if any, was also not recorded
iv. there were no third country authority requests in the period
v. all but one external RFI specified clearly the grounds under which the
RFI had been requested, which were legitimate purposes under the
EU Agreement
vi. the record that did not clearly specify the purpose for the external RFI
appeared to have been actioned by Customs and Border Protection
vii. the appropriate EU caveat had been applied to all but one of the
external RFIs. The one exception applied the non-EU caveat.
4.74 Overall, the inspection of records identified an improvement in the completeness of
EU-sourced PNR records over the previous year up to the specified week.
4.75 In summary, the inspection showed that:

one EU-sourced PNR record in both the six and 12 month period prior to the
specified week appeared to have been actioned without a clear reason
provided for the request. It was not clear whether the RFI had been
responded to without a reason being provided, or whether the reason had
not been clearly recorded on the record inspected

one EU-sourced PNR record in both the six and 12 month period prior to the
specified week had been sent with the incorrect PNR caveat attached (ie the
non-EU PNR caveat had been attached).
Disclosure of EU-sourced PNR information to authorities of third countries
4.76 Under Article 19 of the EU Agreement, Customs and Border control are authorised to
transfer PNR data on a case by case basis to specific third country authorities, whose
functions are directly related to preventing, detecting, investigating and prosecuting
terrorist offences or serious transnational crime.
4.77 Article 19 also requires Customs and Border Protection to:

ensure third country authorities afford appropriate safeguards

assess third country authority functions are directly related to terror or
transnational crime purposes

obtain agreement to only retain data until investigation or prosecution is
concluded

obtain agreement not to further transfer EU-sourced PNR data

inform passenger (where appropriate) of the transfer

ensure safe transfer of analytical information.
4.78 Customs and Border Protection advised the auditors that six individual third country
authorities have been identified (from four specific countries with equivalent data
protection guidelines as Australia) as authorities that RFI responses may be provided
to without specific authorisation from the Director, PAU.
4.79 These countries (known as the Border 5 (B5) Countries) and the individual agencies
are detailed in Section 6, Attachment C of the ‘Instruction and Guideline’ document.
4.80 All RFIs received from any other third country authority require authorisation from
the Director, PAU, prior to any response being provided.
4.81 There were no third country authority requests in any of the three week periods
inspected, from either B5 or other third country authorities.
4.82 Customs and Border Protection also advised that no requests for EU-sourced PNR data
have been received under Article 6 of the EU Agreement (Police and Judicial
Cooperation).
Addition of the disclosure permission caveat with EU-sourced PNR RFIs
4.83 Under IPP 11.3, any agency or authority that Customs and Border Protection discloses
personal information to must not further use or disclose the information for purposes
other than the purpose for which Customs and Border Protection disclosed the
information. The Plain English Guidelines to Information Privacy Principles 8 – 11 (the
IPP Guidelines) state at page 54 that a ‘disclosing agency should take all reasonable
steps to prevent the personal information being re-used or re-disclosed for purposes
other than that for which the agency discloses it.’
4.84 The IPP Guidelines suggest a number of steps an agency might take including
‘informing the receiving organisation that their use or disclosure of their personal
information is governed by IPP 11.3.’
4.85 Customs and Border Protection’s Instructions and Guidelines document states that
where PNR data is authorised for disclosure to another agency, a caveat is to be
included on the disclosure to ensure the recipient is fully informed of their obligations
in relation to its subsequent use, storage or further disclosure, consistent with
IPP 11.3 obligations.
4.86 Customs and Border Protection staff also demonstrated a high level of awareness of
the need for all disclosures of PNR data (both EU and non EU-sourced) to include the
appropriate caveat with RFI responses.
4.87 The auditors obtained copies of the existing EU and non-EU Disclosure caveats setting
out PAU permissions regarding further use/ disclosure of the RFI response, and make
the following comments:

EU-sourced PNR caveat
i. The caveat clearly states that EU-sourced PNR data cannot be further
disclosed without the prior written permission of the PAU.
ii. The EU-sourced PNR content, the EU Agreement and data retention
and destruction/ security and storage obligations are clearly specified.
iii. All permitted purpose uses of the EU-sourced PNR data have been
clearly stated.
iv. The caveat refers to the June 2008 EU Agreement, rather than the
updated and in-force June 2012 Agreement
v. The Australian legislative requirements of the Customs Act and
Privacy Act are also specified.
vi. The caveat does not specifically state that the personal information is
governed by IPP 11.3.

Non-EU sourced caveat
i. The caveat clearly states that PNR data cannot be further disclosed
without the prior written permission of the PAU.
ii. The Australian legislative requirements of the Customs Act and
Privacy Act are also clearly specified.
iii. The caveat does not specifically state that the personal information is
governed by IPP 11.3.
Privacy issues
4.88 The audit identified minor risks in terms of Customs and Border Protection’s
disclosures of this data under the EU Agreement. These issues are outlined below for
Customs and Border Protection’s consideration.
4.89 During interviews, PAU staff did not generally refer to two of the six Australian
government agencies that EU-sourced PNR data may be shared with (as set out in
Annex 2 of the EU agreement). It was not clear whether this was due to a lack of
awareness of these agencies, or whether they were not identified as they were not
common sources of RFIs.
4.90 There is a risk that EU-sourced PNR data may not be shared with all of the Australian
government agencies authorised to receive this data under the EU agreement, if there
is a lack of awareness across PAU staff of all agencies identified in Annex 2 of the EU
Agreement. The auditors noted that there was no evidence to suggest that this had
occurred during the audit interviews, or the inspection of records.
4.91 While two disclosures identified during the record inspection had been sent with the
inappropriate caveat attached, the non-EU PNR caveat informs the recipient that the
personal information must be used in accordance with the Privacy Act.
4.92 Customs and Border Protection could provide an addition to its caveats that, although
not a requirement of IPP 11, is cited as a possible step in the IPP Guidelines. Both the
EU-sourced caveat and non EU-sourced caveat could specifically state that the
receiving agency’s use or disclosure of its personal information is governed by IPP 11.3
and explain that 11.3 does not allow a further use or disclosure of personal information
for purposes other than the purpose for which the information was disclosed. Such a
further disclosure by the agency cannot occur even with the consent of Customs and
Border Protection.
Recommendation 2 — Reference to IPP 11.3 in caveats to receiving agency
4.93 The auditors recommend that Customs and Border Protection re-word the EU-sourced
caveat and non EU-sourced caveat to specifically state that IPP 11.3 governs the
receiving agency’s use or disclosure of its personal information.
IPP 4 issues — Storage and security of EU-sourced PNR data
IPP 4 sets out how personal information held by an agency must be stored securely to
prevent its loss, misuse, modification or disclosure. Specifically:
IPP 4(a) A record-keeper who has possession or control of a record that contains personal
information shall ensure the record is reasonably protected against loss, against
unauthorised access, use, modification or disclosure, and against other misuse.
IPP 4(b) If it is necessary for the record to be given to a person in connection with the
provision of a service to the agency, everything reasonably within the agency's
power should be done to prevent unauthorised use or disclosure of the information
contained in the record.
The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of
Customs and Border Protection’s storage and security of EU-sourced PNR data:
• Article 9: Data security and integrity
• Article 7: Data protection and non-discrimination
• Article 16: Retention of data.
Observations
The EU Agreement
4.94 The auditors noted Article 9 of the EU Agreement specifies in part that Customs and
Border Protection must:
• hold data in secure physical environment and maintain high level systems and
  physical intrusion controls (Article 9.1(a))
• store PNR data separately from any other data (Article 9.1(b))
• control access by security access systems (eg layered logins) (Article 9.1(c))
• maintain an audit log (Article 9.1(d))
• transfer data securely (Article 9.1(e))
• ensure fault detection, malfunctioning and disaster recovery mechanisms are in
  place (Article 9.1(f-h))
• impose effective and dissuasive sanctions against any data security breach
  (Article 9.2).
4.95 Article 16 of the EU Agreement specifies that Customs must store PNR data:
• from initial receipt to three years, in an identified form
• from three years to the end of a five and a half year period, in a de-identified
  form (ie de-personalised PNR data).
Physical access security issues
4.96 The auditors observed that PAU Officers are located within a secured area within
Customs House in Canberra. The auditors noted that access to both the general
building and the PAU area is heavily restricted by high level physical intrusion controls.
4.97 Access to the building and PAU areas is through layered physical and electronic
security measures. Authorised individuals can only access each area through the use
of issued electronic access cards.
4.98 Visitors to both the general building and the PAU itself are required to be escorted by
a Customs Officer. Visitor access to the general building requires completion of a
visitors' log. Customs Officers escort visitors and issue a photographic temporary
visitors pass, valid for the day of entry only.
4.99 Secondary access to the PAU requires completion of a separate PAU Visitors log,
recording visitor name and organisation, entry and exit times and Customs Officer
escort.
4.100 The auditors were advised that Customs and Border Protection routinely audits swipe
card access.
4.101 Customs and Border Protection has developed a checklist (‘Separation from PAU’
checklist) for use when an officer separates from the PAU, to ensure that all access to
IT systems, mailboxes, physical areas and secure communication channels has been
appropriately revoked.
4.102 Further miscellaneous security returns are also undertaken, including but not limited
to returns of issued uniforms and badges and Customs and/or ASIC identification cards,
and a ‘Complete PAU staff log’ is entered.
Storage of EU-sourced PNR data
4.103 The auditors discussed the existing IT Systems PNR Control Framework with Customs
and Border Protection staff from the Advanced Analytics Section (ie the ‘Enhanced
Passenger Assessment & Clearance Program’ (EPAC)).
4.104 Customs and Border Protection advised of the work underway on the second phase of
the PNR quality control framework, currently under development and expected to be
rolled out in mid-2013 (EPAC 2).
4.105 Customs and Border Protection advised that PNR data is stored as a separately
partitioned database within the broader Enterprise Data Warehouse (EDW). Within
the EDW, PNR data is accessed through the IAT module.
4.106 In terms of RFIs and their response, Customs and Border Protection advised that (with
the exception of RFIs from AG Department received and responded to via ASNET, or
telephone RFIs), all RFIs and responses are currently stored in a separate inbox on the
PAU’s electronic email system.
4.107 Hard copy records are generally only made and maintained where an offence has
been committed.
4.108 Customs and Border Protection indicated that storage of EU-sourced PNR data in a
separate inbox on the PAU’s electronic email system had been a short term storage
solution.
4.109 Proposals are being considered within Customs and Border Protection in relation to a
more appropriate longer term storage option for these records, to assist with the
identification, de-personalisation (after three years from initial receipt) and
destruction (after five and a half years from initial receipt) of these records.
4.110 In discussing the storage of PNR data generally, Customs and Border Protection
advised that it had become aware that a small amount of PNR data had been
identified on one other Customs and Border Protection IT system (ie on files in the
National Intelligence System (NIS)).
4.111 At the time of the audit, and in the absence of any specific examples provided by
Customs and Border Protection, it was not clear whether the data involved was
EU-sourced PNR data or non-EU PNR sourced data.
4.112 Customs and Border Protection advised that, under current policy, this information
should not form part of NIS records, as NIS (although a PROTECTED system) is
accessible to a number of Customs and Border Protection staff beyond the PAU.
4.113 While aware of this issue, Customs and Border Protection advised that they are yet to
develop a longer term fix or solution to this issue. As an interim measure, Customs and
Border Protection advised PAU staff that there is to be no ‘cut and paste’ of
information from the PNR record to other IT systems.
4.114 Customs and Border Protection also advised that the NIS remains within the secured
IT system environment. As PNR data may form one part of the general intelligence for
an individual, the difficulties in determining when PNR data (or information based on
PNR data) could be included in more general intelligence systems, and, if so, in what
format, were also discussed by Customs and Border Protection.
IT Security Access controls
4.115 The ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002) EPAC2, Version
0.6 (15 August 2012)’ document was provided for the auditors’ information.
4.116 Table 2.3 ‘Control Summary’ of the EPAC2 control framework document outlines the
layered access, monitoring and transactional logging controls at each key point of PNR
information flow (ie initial capture/ collection, use, storage and disclosure).
4.117 Access to PNR data (including EU-sourced PNR data) is only available to ‘privileged’ IAT
users, rather than all staff who have access to the IAT. Customs and Border Protection
also provided the ‘Application for IAT PNR Push Access’ form to be completed by staff
to access PNR data through IAT.
4.118 This form allows PNR system access (or removal of access), and includes managerial
authorisations, user detail, IAT training status and reasons for access, and requires the
user to agree to a detailed user declaration (which includes sanctions for misuse).
4.119 Overall, Customs and Border Protection advised that access to EU-sourced PNR data
requires the following layered approvals:
• access to the departmental Local Area Network (LAN)
• Section 64(AF) approval after completing appropriate online training specific
  to the EU Agreement and Privacy Act obligations
• ‘IAT PNR Push’ access (requiring approval from the Director, PAU).
4.120 Removal of IT access to PNR data is undertaken through the ‘Separation from PAU’
document discussed previously.
Audit logs
4.121 The auditors were advised that audit logging of all PNR transactions occurs routinely.
4.122 While audit logs appear to be captured for each transaction, Customs and Border
Protection advised that these logs are difficult to proactively use to identify areas of
inappropriate access. Logs are usually only accessed in response to any incidents, on
an ad-hoc and reactive basis.
4.123 As outlined in paragraph 4.42 above, the auditors requested a copy of the audit log for
the RFI observed within the PAU. The audit log provided for the RFI showed:
• Person of Interest name search
• EU-sourced PNR flight list request from inbound flight manifest
• EU-sourced PNR detail review (further detail was available from the
  database, on request).
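One way the audit log could be reviewed proactively rather than only after an incident, as an added Python example that is not from the audit report or any Customs and Border Protection system: each logged PNR transaction is checked against the register of approved users, including removals recorded at separation. The log layout, action names, user names and approval dates are all constructed.

```python
import csv
from dataclasses import dataclass
from datetime import date, datetime
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed register of PNR access approvals: user -> (granted, revoked or None).
# A revoked date stands for the day access was removed at separation from the PAU.
APPROVALS: Dict[str, Tuple[date, Optional[date]]] = {
    "officer_a": (date(2012, 3, 1), None),
    "officer_b": (date(2011, 9, 1), date(2012, 9, 14)),
    "officer_d": (date(2012, 9, 27), None),
}

# Constructed audit log (timestamp, user, action); the layout is an assumption.
SAMPLE_LOG = """\
2012-09-24T09:02:11,officer_a,POI_NAME_SEARCH
2012-09-24T09:03:40,officer_a,PNR_FLIGHT_LIST
2012-09-24T09:05:02,officer_a,PNR_DETAIL_REVIEW
2012-09-25T14:20:00,officer_b,PNR_DETAIL_REVIEW
2012-09-26T08:00:00,officer_c,PNR_FLIGHT_LIST
2012-09-26T08:01:00,officer_d,PNR_DETAIL_REVIEW
2012-09-26T08:02:00,officer_a
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def review_log(log_text: str,
               approvals: Dict[str, Tuple[date, Optional[date]]]) -> List[Finding]:
    """Return every logged transaction that the approval register does not cover."""
    findings: List[Finding] = []
    for line_no, row in enumerate(csv.reader(StringIO(log_text)), start=1):
        if not row:
            continue  # blank line
        try:
            ts_raw, user, _action = row
            when = datetime.fromisoformat(ts_raw).date()
        except ValueError:
            # Wrong field count or bad timestamp: report it, never drop it silently.
            who = row[1] if len(row) > 1 else "?"
            findings.append(Finding(line_no, who, "unparseable"))
            continue
        if user not in approvals:
            findings.append(Finding(line_no, user, "no-approval"))
            continue
        granted, revoked = approvals[user]
        if when < granted:
            findings.append(Finding(line_no, user, "before-grant"))
        elif revoked is not None and when >= revoked:
            findings.append(Finding(line_no, user, "after-revocation"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG, APPROVALS):
        print(finding)
```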
Security of transfer of EU-sourced PNR data
4.124 The majority of RFIs are received electronically (soft copy), via a joint PAU RFI mailbox,
accessible across the PAU.
4.125 Responses to both written and telephone EU-sourced RFIs are also provided by email,
with a carbon copy being stored in the separate mailbox folder PAU EU-RFI response.
4.126 The auditors noted that the email requests are protected through Fedlink. Emails from
external agencies are classified as ‘in confidence’.
4.127 Internal email RFIs and responses to Customs and Border Protection officers should
have a classification of ‘protected’, and transfer occurs through the secure Customs
and Border Protection IT system and servers.
4.128 During the inspection of records, the auditors noted:
• all 15 EU-sourced PNR RFI responses in the specified week of 24-28 September
  2012 were classified ‘Protected’
• 20 of the 23 EU-sourced PNR RFIs responded to (87%) from six months previous
  to the specified week (26-30 March 2012) were classified ‘protected’. Three
  external RFIs were ‘unclassified’
• 13 of the 15 EU-sourced PNR RFIs (87%) responded to from 12 months previous
  to the specified week (26-30 September 2011) were classified ‘protected’. One
  internal RFI was classified ‘in-confidence’, while one external RFI was
  unclassified.
4.129 Sections 4.18 to 4.21 of this report referred to the procedures used by Customs and
Border Protection to respond to verbal RFIs received over the telephone.
4.130 Customs and Border Protection advised that, for external telephone RFIs, PAU staff
ask the requesting officers to put in a formal written request to the PAU. However, for
reasons of operational urgency, the requesting officers ask the information be
provided verbally. The outcome is that many external EU-sourced PNR RFI responses
are provided verbally (with an email confirmation) in the first instance.
4.131 The auditors note that how PAU staff appropriately verify the identity of the
requesting officer, for both internal and external telephone RFIs, is a critical
component of ensuring EU-sourced PNR data is secured, used and disclosed correctly.
4.132 The draft ‘Associated Document’ contains a process checklist for verifying the identity
of internal and external RFIs received over the telephone:
• Internal requesting officers are asked to provide their Customs User Identity,
  which is then checked against appropriate Customs and Border Protection
  internal systems (eg phone lists and email systems) to verify their identity.
• External requesting officers are asked to provide a contact number, which the
  PAU staff then call back to verify their identity.
4.133 The process used to verify the identity of a telephone requesting officer (both internal
and external) appears to be applied at the discretion of individual officers, and based
(in part) on their personal experience of the individual requesting officer and (for an
internal RFI) on their ability to verify a Customs Officer Identification number.
4.134 It is not clear what further identity verification checks, if any, are undertaken prior to
the verbal release of EU-sourced PNR data and follow-up (confirmatory) email.
Fault detection and disaster recovery mechanisms
4.135 Customs and Border Protection advised that backups of all PNR data are maintained
on a separate tape, undertaken on a daily basis and stored securely.
4.136 Both the existing IT Systems PNR Control Framework (EPAC) and the proposed EPAC2
development contain summaries of the control procedures around maintaining the
integrity of EU-sourced PNR data, which includes:
• scheduling and monitoring of EU-sourced PNR data
• PNR System monitoring
• PNR System security processes
• data correction/ fault detections
• backup and recovery
• disaster recovery processes.
Data Breaches and sanctions
4.137 The Director, PAU advised that, as at the time of the audit, there had been no data
breaches or incidents associated with EU-sourced PNR data.
4.138 The auditors noted that Customs Identification badges contained reference
information/instructions on how to respond to any incidents (including a data breach),
by contacting the Customs Incident Reporting Centre.
4.139 The Director, PAU advised of the process involved in reporting a data breach, if one
occurred. These steps included internal Customs and Border Protection referral, and
notification to both the EU and the OAIC.
4.140 Applicable sanctions under the Customs Act and the APS Code of Conduct were also
discussed.
4.141 The auditors noted that the Practice Statement, Instructions and Guideline (Draft) and
Associated Document (Draft) all contained information (to varying degrees) on a range
of sanctions possible under the Customs Act, the Crimes Act and the Privacy Act for
any officers who misused EU-sourced PNR data.
Data retention issues
4.142 Article 16 of the EU Agreement specifies that Customs must hold identified EU PNR
data for three years from the time of receipt, after which it is to be de-personalised
and retained for a further two and a half years before destruction.
4.143 There is no specific obligation under the IPPs contained in the Privacy Act in relation to
the period for which data must be retained before deletion.
4.144 As identified previously, the current storage of both RFIs and responses in the PAU’s
electronic email system will likely pose a difficulty in efficiently de-personalising
EU-sourced PNR records after three years from their initial receipt, and then destroying
these records after five and a half years from initial receipt, as required under the EU
Agreement.
4.145 Customs and Border Protection advised that proposals are currently being considered
to address this issue, while also noting that the requirement to de-personalise
EU-sourced PNR data provided will first come into effect from 1 June 2015 (ie for
EU-sourced PNR records received from 1 June 2012 onwards).
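The Article 16 schedule in 4.142 to 4.145, worked as an added Python example (not Customs and Border Protection's code or part of the audit report): it classifies stored records as due for retention, de-personalisation or destruction. The record fields, action labels and sample records are constructed, and counting the periods in calendar months with end-of-month clamping is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

IDENTIFIED_MONTHS = 36             # three years in identified form
TOTAL_MONTHS = 66                  # five and a half years, then destruction
SCHEDULE_START = date(2012, 6, 1)  # 4.145: records received from 1 June 2012 onwards


def add_months(start: date, months: int) -> date:
    """Add calendar months, clamping to the last day of a shorter month."""
    index = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


@dataclass(frozen=True)
class StoredRecord:
    record_id: str          # constructed identifier
    received: date          # date of initial receipt of the PNR data
    eu_sourced: bool
    depersonalised: bool = False


def retention_action(rec: StoredRecord, today: date) -> str:
    """Return the action the schedule calls for on `today`."""
    if not rec.eu_sourced:
        return "out-of-scope"    # Article 16 schedule is for EU-sourced data
    if rec.received < SCHEDULE_START:
        return "pre-schedule"    # the page gives no dates for earlier records
    if today >= add_months(rec.received, TOTAL_MONTHS):
        return "destroy"
    if today >= add_months(rec.received, IDENTIFIED_MONTHS):
        return "retain-depersonalised" if rec.depersonalised else "depersonalise"
    return "retain-identified"


def sweep(records: Iterable[StoredRecord], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action due, as a work list for a storage review."""
    plan: Dict[str, List[str]] = {}
    for rec in records:
        plan.setdefault(retention_action(rec, today), []).append(rec.record_id)
    return plan


# Constructed sample records; none of these come from the audit.
SAMPLE_RECORDS = [
    StoredRecord("rfi-001", date(2012, 6, 1), True),
    StoredRecord("rfi-002", date(2012, 8, 31), True),
    StoredRecord("rfi-003", date(2012, 6, 1), True, depersonalised=True),
    StoredRecord("rfi-004", date(2012, 9, 24), False),
    StoredRecord("rfi-005", date(2012, 3, 26), True),
]

if __name__ == "__main__":
    for day in (date(2015, 5, 31), date(2015, 6, 1), date(2017, 12, 1)):
        print(day.isoformat(), sweep(SAMPLE_RECORDS, day))
```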
Privacy issues
4.146 The electronic storage of EU-sourced RFIs and responses within designated and
discrete email folders on the departmental email system raises a number of issues in
relation to the access and search-ability of these records, the ability of Customs and
Border Protection to meet data retention requirements under the EU Agreement and,
more generally, whether this is the most appropriate form of storage for this data.
4.147 The inclusion of identifiable components of EU-sourced PNR data (through cutting and
pasting of this material into NIS system files) increases the risk that this information
may be accessed, used or disclosed for purposes other than that for which it has been
collected by Customs and Border Protection.
4.148 Difficulty in being able to access and locate audit logs for specific transactions
involving EU-sourced PNR data increases the risk that audit logs may not provide a
proactive deterrent to inappropriate data use, or an effective monitoring mechanism.
4.149 There is a risk that the current identity verification procedures for PAU staff to
accurately verify the identity of either internal or external individuals requesting
EU-PNR data may not be sufficient to prevent a targeted or more sophisticated criminal
attempt to inappropriately access this data. This increases the risk of an unauthorised
disclosure of this data to individuals not authorised to receive this data, particularly
for external RFIs.
Recommendation 3 — Electronic Storage arrangements
4.150 The auditors recommend that Customs and Border Protection reviews the electronic
storage arrangements for RFIs relating to EU-sourced PNR data, to ensure that
appropriate security safeguards are in place to protect this information from loss,
misuse, modification or disclosure.
Recommendation 4 — Security of EU-sourced PNR data
4.151 The auditors recommend that Customs and Border Control undertakes an audit of
other relevant IT systems (such as NIS) to identify whether identifiable EU-sourced
PNR data has been included in other system records, and (if so) takes whatever steps
are reasonable to ensure this data is protected from unauthorised access, use,
modification, disclosure or other misuse.
Recommendation 5 — Audit logs
4.152 The auditors recommend that Customs and Border Protection reviews the manner in
which its audit logs for EU-sourced PNR data RFI records are currently captured and
used, with a view towards improving their use as a more proactive and effective
monitoring mechanism and an effective deterrent to the misuse of this data.
Recommendation 6 — Identity verification procedures
4.153 It is recommended that Customs and Border Protection reviews its identity verification
procedures for the handling of verbal (telephone) RFIs, especially for external RFIs, to
ensure appropriate security safeguards are in place prior to PAU staff disclosing any
EU-sourced PNR data verbally.
Other identified issues
Observations
Staff Training
4.154 Customs and Border Protection provided a copy of a ‘PAU Training Schedule Overview’
to the auditors prior to the audit, outlining 27 key induction, legislation and policy,
PNR specific, Profiling and IAT training activities provided for PAU staff.
4.155 Six of these training activities are completed via online training, as follows:
• Section 16: Disclosure of Official Information
• IAT Traveller Search Module
• counter-terrorism
• introduction to intelligence
• NIS Skills and techniques
• BAGS (Intelligence Support System).
4.156 With the exception of the induction program, the remaining 21 training courses are
completed through on-the-job training.
4.157 Staff from the PAU and Customs and Border Protection advised that the quality and
consistency of the training offered to PAU staff has been variable over the past two
years.
4.158 At the time of the audit, the Passenger Strategy and Policy Section was undertaking a
quality assurance process to identify any knowledge gaps or concerns across all PAU
activities. The results of this process would be used in part to feed into a re-developed
training program for PAU staff.
4.159 The auditors noted the general environment within the PAU and Customs and Border
Protection was one where data protection was highly valued.
Privacy issues
4.160 If PAU staff are unaware of their specific responsibilities and obligations in the use of
EU-sourced PNR data, there is an increased risk of an inadvertent breach of the IPP
obligations or the requirements of the EU Agreement.
Recommendation 7 — Regular, ongoing and formal training
4.161 The auditors note that the current quality assurance program will assist Customs and
Border Protection to review its training materials in relation to the handling of
EU-sourced PNR data. The auditors recommend regular, ongoing and formal training for
all PAU staff to encourage best privacy practice in this area.
Part 5 — Summary of recommendations
Recommendation 1 — Finalise policy and procedure documents
5.1 The auditors recommend that Customs and Border Protection finalise the ‘Instructions
and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data.
The auditors note that the draft documents contain specific instructions in relation to
EU-sourced PNR data requirements, such as the Australian government agencies that
this data may be shared with, the need to clearly record the reasons for the RFI and
response (if any) and sensitive data destruction requirements.
Auditee response
The auditee accepted this recommendation.
Recommendation 2 — Reference to IPP 11.3 in caveats to receiving agency
5.2 The auditors recommend that Customs and Border Protection re-word the EU-sourced
caveat and non EU-sourced caveat to specifically state that IPP 11.3 governs the
receiving agency’s use or disclosure of its personal information.
Auditee response
The auditee accepted this recommendation.
Recommendation 3 — Electronic storage arrangements
5.3 The auditors recommend that Customs and Border Protection reviews the electronic
storage arrangements for RFIs relating to EU-sourced PNR data, to ensure that
appropriate security safeguards are in place to protect this information from loss,
misuse, modification or disclosure.
Auditee response
The auditee accepted this recommendation and made the following comment:
Since the audit completion in 2012, Customs and Border Protection has reviewed
storage arrangements for RFIs and is in the process of implementing new storage
arrangements for RFI records to ensure that appropriate record keeping safeguards
are in place.
Recommendation 4 — Security of EU-sourced PNR data
5.4 The auditors recommend that Customs and Border Control undertakes an audit of
other relevant IT systems (such as NIS) to identify whether identifiable EU-sourced
PNR data has been included in other system records, and (if so) takes whatever steps
are reasonable to ensure this data is protected from unauthorised access, use,
modification, disclosure or other misuse.
Auditee response
The auditee accepted this recommendation and made the following comment:
Customs and Border Protection accepts this recommendation and has recently
investigated PNR use and business procedures surrounding PNR data elements in
relevant IT systems. A policy direction has been developed to clarify the data
retention and depersonalisation provisions of Article 16 of the PNR Agreement with
respect to the use of PNR data identified as relating to persons of interest. Customs
and Border Protection will continue to monitor business processes and controls to
ensure that PNR data is protected from unauthorised access, use, modification,
disclosure or other misuse and handled within the terms of the EU-Australia PNR
Agreement.
Recommendation 5 — Audit logs
5.5 The auditors recommend that Customs and Border Protection reviews the manner in
which its audit logs for EU-sourced PNR data RFI records are currently captured and
used, with a view towards improving their use as a more proactive and effective
monitoring mechanism and an effective deterrent to the misuse of this data.
Auditee response
The auditee accepted this recommendation.
Recommendation 6 — Identity verification procedures
5.6 It is recommended that Customs and Border Protection reviews its identity verification
procedures for the handling of verbal (telephone) RFIs, especially for external RFIs, to
ensure appropriate security safeguards are in place prior to PAU staff disclosing any
EU-sourced PNR data verbally.
Auditee response
The auditee accepted this recommendation.
Recommendation 7 — Regular, ongoing and formal training
5.7 The auditors note that the current quality assurance program will assist Customs and
Border Protection to review its training materials in relation to the handling of
EU-sourced PNR data. The auditors recommend regular, ongoing and formal training for
all PAU staff to encourage best privacy practice in this area.
Auditee response
The auditee accepted this recommendation.
Appendix A — Information Privacy Principles
Principle 1 — Manner and purpose of collection of personal information
1. Personal information shall not be collected by a collector for inclusion in a record or in a
generally available publication unless:
(a) the information is collected for a purpose that is a lawful purpose directly related to a
function or activity of the collector; and
(b) the collection of the information is necessary for or directly related to that purpose.
2. Personal information shall not be collected by a collector by unlawful or unfair means.
Principle 2 — Solicitation of personal information from individual concerned
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
(b) the information is solicited by the collector from the individual concerned:
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure
that, before the information is collected or, if that is not practicable, as soon as practicable after
the information is collected, the individual concerned is generally aware of:
(c) the purpose for which the information is being collected
(d) if the collection of the information is authorised or required by or under law - the fact that
the collection of the information is so authorised or required; and
(e) any person to whom, or any body or agency to which, it is the collector's usual practice to
disclose personal information of the kind so collected, and (if known by the collector) any
person to whom, or any body or agency to which, it is the usual practice of that first
mentioned person, body or agency to pass on that information.
Principle 3 — Solicitation of personal information generally
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available
publication; and
(b) the information is solicited by the collector:
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure
that, having regard to the purpose for which the information is collected:
(c) the information collected is relevant to that purpose and is up to date and complete; and
(d) the collection of the information does not intrude to an unreasonable extent upon the
personal affairs of the individual concerned.
Principle 4 — Storage and security of personal information
A record-keeper who has possession or control of a record that contains personal information shall
ensure:
(a) that the record is protected, by such security safeguards as it is reasonable in the
circumstances to take, against loss, against unauthorised access, use, modification or
disclosure, and against other misuse; and
(b) that if it is necessary for the record to be given to a person in connection with the provision
of a service to the record-keeper, everything reasonably within the power of the
record-keeper is done to prevent unauthorised use or disclosure of information contained in the
record.
Principle 5 — Information relating to records kept by record-keeper
1. A record-keeper who has possession or control of records that contain personal information
shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances,
reasonable to enable any person to ascertain:
(a) whether the record-keeper has possession or control of any records that contain personal
information; and
(b) if the record-keeper has possession or control of a record that contains such information:
(i) the nature of that information
(ii) the main purposes for which that information is used; and
(iii) the steps that the person should take if the person wishes to obtain access to the
record.
2. A record-keeper is not required under clause 1 of this Principle to give a person information if
the record-keeper is required or authorised to refuse to give that information to the person
under the applicable provisions of any law of the Commonwealth that provides for access by
persons to documents.
3. A record-keeper shall maintain a record setting out:
(a) the nature of the records of personal information kept by or on behalf of the record-keeper
(b) the purpose for which each type of record is kept
(c) the classes of individuals about whom records are kept
(d) the period for which each type of record is kept
(e) the persons who are entitled to have access to personal information contained in the
records and the conditions under which they are entitled to have that access; and
(f) the steps that should be taken by persons wishing to obtain access to that information.
4. A record-keeper shall:
(a) make the record maintained under clause 3 of this Principle available for inspection by
members of the public; and
(b) give the Commissioner, in the month of June in each year, a copy of the record so
maintained.
Principle 6 — Access to records containing personal information
Where a record-keeper has possession or control of a record that contains personal information, the
individual concerned shall be entitled to have access to that record, except to the extent that the
record-keeper is required or authorised to refuse to provide the individual with access to that record
under the applicable provisions of any law of the Commonwealth that provides for access by persons
to documents.
Principle 7 — Alteration of records containing personal information
1. A record-keeper who has possession or control of a record that contains personal information
shall take such steps (if any), by way of making appropriate corrections, deletions and additions
as are, in the circumstances, reasonable to ensure that the record:
(a) is accurate; and
(b) is, having regard to the purpose for which the information was collected or is to be used
and to any purpose that is directly related to that purpose, relevant, up to date, complete
and not misleading.
2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in
a law of the Commonwealth that provides a right to require the correction or amendment of
documents.
3. Where:
(a) the record-keeper of a record containing personal information is not willing to amend that
record, by making a correction, deletion or addition, in accordance with a request by the
individual concerned; and
(b) no decision or recommendation to the effect that the record should be amended wholly or
partly in accordance with that request has been made under the applicable provisions of a
law of the Commonwealth;
the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as
are reasonable in the circumstances to attach to the record any statement provided by that
individual of the correction, deletion or addition sought.
Principle 8 — Record-keeper to check accuracy etc of personal information
before use
A record-keeper who has possession or control of a record that contains personal information shall
not use that information without taking such steps (if any) as are, in the circumstances, reasonable
to ensure that, having regard to the purpose for which the information is proposed to be used, the
information is accurate, up to date and complete.
Principle 9 — Personal information to be used only for relevant purposes
A record-keeper who has possession or control of a record that contains personal information shall
not use the information except for a purpose to which the information is relevant.
Principle 10 — Limits on use of personal information
1. A record-keeper who has possession or control of a record that contains personal information
that was obtained for a particular purpose shall not use the information for any other purpose
unless:
(a) the individual concerned has consented to use of the information for that other purpose
(b) the record-keeper believes on reasonable grounds that use of the information for that
other purpose is necessary to prevent or lessen a serious and imminent threat to the life or
health of the individual concerned or another person
(c) use of the information for that other purpose is required or authorised by or under law
(d) use of the information for that other purpose is reasonably necessary for enforcement of
the criminal law or of a law imposing a pecuniary penalty, or for the protection of the
public revenue; or
(e) the purpose for which the information is used is directly related to the purpose for which
the information was obtained.
2. Where personal information is used for enforcement of the criminal law or of a law imposing a
pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include
in the record containing that information a note of that use.
Principle 11 — Limits on disclosure of personal information
1. A record-keeper who has possession or control of a record that contains personal information
shall not disclose the information to a person, body or agency (other than the individual
concerned) unless:
(a) the individual concerned is reasonably likely to have been aware, or made aware under
Principle 2, that information of that kind is usually passed to that person, body or agency
(b) the individual concerned has consented to the disclosure
(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to
prevent or lessen a serious and imminent threat to the life or health of the individual
concerned or of another person
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law
imposing a pecuniary penalty, or for the protection of the public revenue.
2. Where personal information is disclosed for the purposes of enforcement of the criminal law or
of a law imposing a pecuniary penalty, or for the purpose of the protection of the public
revenue, the record-keeper shall include in the record containing that information a note of the
disclosure.
3. A person, body or agency to whom personal information is disclosed under clause 1 of this
Principle shall not use or disclose the information for a purpose other than the purpose for
which the information was given to the person, body or agency.