Requests For Information for Passenger Name Record data

 
Requests For Information for
       Passenger Name Record data
Australian Customs and Border Protection Service

                                      Final audit report
                  Information Privacy Principles audit
                    Section 27(1)(h) Privacy Act 1988

                    Audit undertaken: October/November 2012

                                Draft report issued: May 2013

                                Final report issued: June 2013
Contents
Part 1 — Introduction .................................................................................... 2
Background ................................................................................................................................ 2
Part 2 — Description of audit ......................................................................... 3
Purpose ...................................................................................................................................... 3
Scope .......................................................................................................................................... 3
Objectives................................................................................................................................... 3
Timing and location.................................................................................................................... 3
Methodology.............................................................................................................................. 4
Information obtained during the audit ...................................................................................... 4
Opinion....................................................................................................................................... 6
Follow up review ........................................................................................................................ 6
Reporting.................................................................................................................................... 6
Part 3 — Description of auditee ..................................................................... 7
Overview .................................................................................................................................... 7
Passenger Name Record (PNR) Data ......................................................................................... 7
Legislative basis for collection and uses of PNR data ................................................................ 8
The EU agreement ..................................................................................................................... 9
Description of the PAU............................................................................................................. 10
Structure .................................................................................................................................. 11
Part 4 — Audit issues ................................................................................... 12
IPP 10 issues — Uses of EU-sourced PNR data ........................................................................ 12
IPP 11 issues — Disclosures of EU-sourced PNR data ............................................................. 21
IPP 4 issues — Storage and security of EU-sourced PNR data ................................................ 30
Other identified issues ............................................................................................................. 38
Part 5 — Summary of recommendations ..................................................... 39
Recommendation 1 – Finalise policy and procedure documents ........................................... 39
Recommendation 2 – Electronic storage arrangements ......................................................... 39
Recommendation 3 – Security of EU-sourced PNR data ......................................................... 39
Recommendation 4 – Audit logs .............................................................................................. 40
Recommendation 5 – Identity verification procedures ........................................................... 40
Appendix A — Information Privacy Principles .............................................. 41

                                                                        1
Part 1 — Introduction
Background

1.1 The Australian Customs and Border Protection Service (Customs and Border Protection)
    and the Office of the Australian Information Commissioner (the OAIC) have a
    Memorandum of Understanding (MoU) which provides a regular audit program for
    Customs and Border Protection's use of European Union-sourced Passenger Name
    Record (EU-sourced PNR) data.

1.2 Under the terms of the MoU signed on 9 May 2008 and in effect until 8 May 2012, the
    OAIC undertook to conduct two audits per financial year of Customs and Border
    Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act
    1988 (Cth) (the Privacy Act).

1.3 This is the second audit undertaken for the 2011-12 financial year, under the MoU
    signed 9 May 2008. The conduct of the audit was deferred by agreement between
    Customs and Border Protection and the OAIC to be undertaken within the 2012-13
    financial year.

1.4 The focus of the audit is on Customs and Border Protection's handling of internal and
    external Requests For Information (RFI) involving EU-sourced PNR data.

1.5 Customs and Border Protection and the OAIC signed a further MoU on 8 February 2013
    with effect until 30 June 2014. Under the terms of this agreement, the OAIC will
    undertake one audit per year of Customs and Border Protection's handling of EU-
    sourced PNR data under section 27(1)(h) of the Privacy Act.

1.6 The MoU has regard to the oversight and accountability functions of the OAIC contained
    in Article 10 of the Agreement between the European Union and Australia on the
    processing and transfer of Passenger Name Record (PNR) data by Air Carriers to the
    Australian Customs and Border Protection Service (the EU Agreement). The EU
    Agreement was made in Brussels on 29 September 2011, with effect from 1 June 2012.

                                             2
Part 2 — Description of audit
Purpose
2.1 The primary purpose of the audit was to assess Customs and Border Protection's
    compliance with the Information Privacy Principles (IPPs) contained in section 14 of the
    Privacy Act, specifically in relation to its handling of RFIs for EU-sourced PNR data.

Scope
2.2 The audit assessed Customs and Border Protection's handling of both hard-copy and
    electronic EU-sourced PNR data, in response to either internal or external RFIs for this
    data.

2.3 The audit scope was limited to the use (IPP 10), disclosure (IPP 11) and storage and
    security (IPP 4) practices of Customs and Border Protection in relation to the handling of
    EU-sourced PNR data in response to an RFI.

2.4 Enquiries were also made regarding the activities and operations of the Department of
    Immigration and Citizenship (DIAC) Tactical Surveillance Unit (TSU) within the Customs
    and Border Protection Passenger Analysis Unit (PAU) and staff training arrangements.
    Any observations made in relation to these aspects of the audit are provided for
    Customs and Border Protections information only, and do not form part of the overall
    assessment of agency compliance in this audit.

2.5 The audit also sought to provide some preliminary information for Customs and Border
    Protection’s consideration in relation to the obligations under the EU Agreement.

2.6 The use of EU-sourced PNR data by Customs and Border protection to undertake pre-
    arrival risk assessment (or Flight Screening) of passengers travelling to (or in transit
    through) Australia, did not form any part of the scope of the current audit.

Objectives
2.7 The three objectives of the audit were to identify whether:

   1. uses of EU-sourced PNR data in response to RFIs received from within Customs and
      Border Protection over a defined period are consistent with IPP 10 obligations

   2. disclosures of EU-sourced PNR data in response to RFIs from other Australian
      government agencies or third country authorities are consistent with IPP 11
      obligations

   3. storage and security arrangements for hard-copy and electronic EU-sourced PNR
      data in response to RFIs are consistent with IPP 4 obligations.

Timing and location
2.8 The audit fieldwork was conducted on 31 October and 1 November 2012 at Customs
    House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).

                                              3
2.9 The location of the audit was the PAU based at Customs House Canberra, and included
    a site inspection, observation of the handling of EU-sourced PNR data in response to
    RFIs and an inspection of records of completed EU-sourced PNR RFIs over specified
    periods.

Methodology
2.10 The audit utilised the following methodologies:

      Semi-structured interviews with key Customs and Border Protection staff from the
       Passenger Targeting Branch, including PAU managers and staff responding to RFIs,
       to assess:

          o management and governance arrangements (including but not limited to
            internal review/ audit activities in relation to EU-sourced PNR data,
            document destruction processes, internal governance arrangements)

          o processing of RFIs (internal and external) for EU-sourced PNR data.

      Inspection of a random selection of 61 EU-sourced PNR RFIs received during the
       following three specified one week periods:

          o 20 records from the current financial year (24-28 September 2012)

          o 25 records from 6 months prior (26-30 March 2012)

          o 16 records from 12 months prior (26-30 September 2011).

      Document review of relevant material prepared by Customs and Border Protection
       to assist PAU staff with the handling of EU-sourced PNR data, including (but not
       limited to) relevant templates and Standard Operating Procedures (SOPs).

      Site inspection assessing physical and IT security and storage arrangements,
       including (but not limited to) relevant access controls, audit logs, and use of third
       party contractors if relevant.

Information obtained during the audit
2.11 The following documentation was provided prior to the audit fieldwork into Customs
     and Border Protection's processing of EU-sourced PNR RFIs in October and November
     2012:

        An organisational chart and office locations for the relevant areas of Customs and
         Border Protection that handle PNR data.

            o ‘PAU Structure Sep-Dec 2012’ document.

            o ‘Advanced Analytics, Intelligence Strategies and Program Branch’
              document.

                                              4
o Software developers, located in Allara House, Constitution Avenue,
              Canberra.

        Staff instructions/memorandums in relation to the handling of PNR data in
         Customs, including relevant SOPs.

        Staff training materials addressing the Privacy Act, the handling of PNR data and
         relevant information security practices.

2.12 The following information and documentation was gathered during the audit
     fieldwork period:

        An outline of personal information data flows within Customs relating to handling
         RFIs of EU-sourced PNR data.

            o ‘Practice Statement 2012/05: Processing requests for Passenger Name
              Record (PNR) Information’ DRAFT document (Practice Statement).

        An outline of personal information data flows to any internal or external third
         parties relating to handling RFIs of EU-sourced PNR data:

            o ‘Instructions and Guidelines 2012/05: Processing requests for PNR
              Information’ - DRAFT document – Protected (Instructions and Guideline).

            o ‘Associated Document 2012/05: Responding to and recording of PAU
              Request for PNR Information (RFPI)’ - DRAFT document – Protected
              (Associated Document).

            o Section 16 Undertakings (as of March 2008).

            o ‘Disclosure of EU-sourced PNR data’ caveat for email communications.

            o ‘Disclosure of Non-EU-sourced PNR data’ caveat for email communications.

        Details of internal Customs and Border Control access to EU-sourced PNR data,
         access limitations, staff training materials and audit log information.

            o ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002)
              Enhanced passenger Assessment and Clearance Program 2 (EPAC2),
              Version 0.6 (15 August 2012)’ document.

            o ‘Application for Integrated Analysis Tool (IAT) PNR Push Access’ template.

            o ‘Separation from PAU’ document - management checklist for revoking
              System access, mailbox/ distribution access, communication resources,
              physical access and other entitlements on separation from the PAU.

            o Audit log of an RFI response observed live by OAIC assessors.

                                             5
o ‘PAU Training Schedule Overview‘ document (Version 20100525.v2).

Opinion
2.13 The auditors are of the opinion that Customs and Border Protection is generally
     maintaining its records of personal information in accordance with its IPP 4, 10 and 11
     obligations under the Act in the handling of hard-copy and electronic EU-sourced PNR
     data in response to internal and external RFIs for this data.

2.14 The auditors identified a number of privacy risks in Customs and Border Protection’s
     maintenance of personal information under its IPP obligations. The auditors have
     made seven recommendations in relation to these.

2.15 The auditors have also made a number of observations in relation to observed
     practice against the specific requirements of the EU Agreement, which have been
     provided here for Customs and Border Protection’s consideration.

Follow up review
2.16 Under the terms of the EU Agreement in effect from 1 June 2012, and a separate MoU
     between Customs and Border protection and the OAIC dated 8 February 2013, the
     OAIC will continue to undertake up to one audit of Customs and Border Protection’s
     handling of EU-sourced PNR data each year.

Reporting
2.17 Generally the OAIC will publish final audit reports on its website, except where there
     are concerns with sensitive material. For example, where the audit: relates to material
     affecting national security, defence, Commonwealth-State relations or law
     enforcement; involves certain business, commercial or financial information; or where
     material has been obtained in confidence, it may be appropriate to redact some
     information from the report or not to publish the report.

2.18 Where final reports of audits of ACT, Australian and Norfolk Island government
     agencies are published, they will be available on the OAICs website
     (www.oaic.gov.au).

2.19 Information Privacy Principle audit findings and recommendations that are considered
     relevant to good privacy practice across the public sector are also generally discussed
     in the OAIC’s annual report.

                                             6
Part 3 — Description of auditee
Overview
3.1   Customs and Border Protection is the primary border protection agency in Australia. It
      manages the security and integrity of Australia's borders, and works closely with other
      government and international agencies to detect and deter unlawful movement of
      goods and people across the border.

3.2   Other agencies Customs border protection works with include the Australian Federal
      Police (AFP), the Office of Transport Security (OTS), DIAC and the Attorney General's
      Department (AG Department).

3.3   As at 30 June 2012, Customs and Border Protection employed 5,671 people nationally
      in Australia and overseas. Its central office is located in Canberra.

3.4   Customs and Border Protection operates two major programs: Maritime, Corporate
      and Intelligence, and Border Management. A third corporate division (Strategy,
      Finance and Integrity) reports directly to the Chief Executive Officer.

3.5   Among other activities, it intercepts illegal drugs and firearms and targets high-risk
      aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection
      also has a fleet of ocean-going patrol vessels and contracts aerial surveillance
      providers for civil maritime surveillance and response.

Passenger Name Record (PNR) Data
3.6   PNR data is information about airline passengers held by airlines on their computer
      reservation systems and/or departure control systems.

3.7   PNR data may include any of the following information:

          PNR locator code

          passenger name(s)

          passport number

          nationality

          details of travel companions

          frequent flyer information

          ticketing information: date of reservation/issue of ticket; itinerary and alterations
           made to booking

          contact information, including travel agent details

                                               7
   payments/billing

          travel status of passenger (including confirmations and check-in status)

          special request/service information

          all baggage information (number and weight of bags)

          seat allocation(s)

          all historical changes to the above PNR.

3.8   Some PNR data is automatically generated by the airline (eg itinerary detail), while
      other information is supplied by or on behalf of the passenger (eg contact details).
      Airlines or authorised travel agents may also add a range of further information, such
      as dietary or medical requirements, or special requests for assistance.

3.9   At the time of the audit, the OAIC was informed that a total of 39 airlines provided
      PNR data to Customs and Border Protection.

3.10 Of these, 13 airlines were identified as specifically providing EU-sourced PNR data.

3.11 Authorised Customs and Border Protection PAU officers receive up to five scheduled
     transmissions from specified airlines of both EU-sourced and non-EU sourced PNR
     data beginning at 72 hours before the scheduled departure of a flight to Australia.

3.12 Any updates to the PNR data are then provided at 24 hours, 2 hours and 1 hour
     respectively (if available).

3.13 A final full list of available PNR data is also received after the flight has departed for
     Australia.

Legislative basis for collection and uses of PNR data
3.14 The collection of PNR data by Customs and Border Protection, for both EU and Non-EU
     sourced PNR data, is permitted under section 64AF of the Australian Customs Act 1901
     (the Customs Act).

3.15 This provision specifies that if requested, all international passenger air service
     operators, flying to, from or through Australia, are required to provide Customs and
     Border Protection with PNR data to the extent that they are collected and contained in
     the air carrier's reservations and departure control systems, in a particular manner
     and form.

3.16 Access to all PNR data is only given to specifically authorised Customs Officers in
     accordance with section 64AF(5), with a person an ‘authorised officer’ only if:

           a. appointed as an officer of Customs (as set out in section 4 of the Customs
              Act)

                                                8
b. authorised in writing by the CEO to exercise the powers to perform the
              functions of an authorised officer under section 64AF.

3.17 PNR data must only be accessed by authorised Customs and Border Protection officers
     for the purpose of performing their functions under the Customs Act or prescribed
     laws of the Commonwealth.

3.18 Functions of officers under section 64AF include conducting traveller assessments for
     border risks, conducting post-seizure analysis and servicing RFIs.

3.19 PNR data may also be accessed in support of relevant joint operations, task force or
     national Customs and Border Protection operations, detection analysis or
     investigation and search and seizure warrants.

3.20 The Customs Administration Act 1985, Migration Act 1958, Crimes Act 1914 (Cth),
     Privacy Act 1988 (Cth), Freedom of Information Act 1982 (Cth), Auditor-General Act
     1997 (Cth), Ombudsman Act 1976 (Cth) and Public Service Act 1999 (Cth) all provide
     for data protection, rights of access and redress, rectification and annotation and
     remedies and sanctions for misuse of personal data, including PNR data.

3.21 Unauthorised purpose uses of any PNR data may result in offences under a number of
     Commonwealth laws dealing with unauthorised access, including the Customs
     Administration Act 1985, the Criminal Code 1995 (Cth), the Public Service Act 1999
     (Cth) and the Privacy Act 1988 (Cth).

The EU agreement
3.22 The EU agreement between Australia and the European Union in relation to the
     transfer and provision of EU-sourced PNR data to Customs and Border Protection was
     signed in Brussels on 29 September 2011, with effect from 1 June 2012.

3.23 The EU agreement sets out the terms of the transfer and use provisions of EU-sourced
     data to Customs and Border Protection.

3.24 Under the EU Agreement, Customs and Border Protection agrees to use PNR data
     strictly for the purpose of preventing, detecting, investigating and prosecuting
     terrorist offences and serious transnational crime in strict compliance with safeguards
     on privacy and the protection of personal data.

3.25 The EU Agreement also sets out certain other circumstances when PNR data may be
     used or disclosed, such as:

           a. in the protection of vital interests of an individual, such as risk of death,
              serious injury or threat to health (Article 3(4))

           b. where specifically required by Australian law, on a case by case basis, for the
              purpose of supervision and accountability of public administration and the
              facilitation of redress and sanctions for the misuse of data (Article 3(5))

                                               9
c. for the oversight and accountability functions undertaken by the OAIC
              (Article 10).

3.26 The EU Agreement also sets out a list of government authorities in Australia with
     whom Customs and Border Protection are authorised to share (or disclose) EU-
     sourced PNR data with (Annex 2). These authorities are:

          Australian Crime Commission (ACC)

          Australian Federal Police (AFP)

          Australian Security Intelligence Organisation (ASIO)

          Commonwealth Director of Public Prosecutions (DPP)

          Department of Immigration and Citizenship (DIAC)

          OTS (within the Department of Infrastructure and Transport).

3.27 Additionally, Article 19 of the EU Agreement specifies how Customs and Border
     Protection may transfer EU-sourced PNR data to authorities from third countries (on a
     case by case basis).

3.28 Article 6 sets out the arrangements for EU-based Law Enforcement Authorities (LEAs)
     access to PNR data (or analytical information obtained from PNR data) provided to
     Customs and Border Protection under the EU Agreement.

Description of the PAU
3.29 The PAU in Customs and Border Protection conducts pre-arrival risk assessments of
     passengers travelling to (or in transit through) Australia using both EU and non-EU
     sourced PNR data, along with other advanced passenger information.

3.30 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other
     serious transnational crimes, such as money laundering, drug importation, weapons
     trafficking and people smuggling/trafficking.

3.31 PAU officers use this information, together with a range of other information (for
     example immigration, intelligence and other law enforcement data), to screen
     passengers prior to arrival to Australia and assist in identifying those passengers that
     may pose a risk at the time of arrival.

3.32 The PAU also responds to requests for PNR data from other areas of Customs and
     Border Protection (internal RFIs) and from other Australian government agencies or
     specified third country authorities (external RFIs).

3.33 These internal and external RFIs for EU-sourced PNR data are the subject of this audit.

                                              10
Structure
3.34 The Director, PAU leads three distinct sections: Assessment and Selection, Profile
     Management and Alerts Management.

3.35 The Assessment and Selection manager oversees four shift teams of five analysts
     (each with a team supervisor) and two further Supervisors. This team operates 24
     hours a day, seven days a week.

3.36 The Profile Management team consists of a manager, supervisor and analyst, while
     the Alerts Management team consists of a manager, supervisor and five senior
     customs officers.

3.37 The auditors also spoke with Customs and Border Protection staff from Passenger
     Strategy and Policy Section, the Policy and Risk Team, the PAU (Passenger Targeting
     Branch) and key staff from the Advanced Analytics Section (Intelligence Strategies and
     Program Branch).

3.38 Additionally, the auditors spoke to an officer from the DIAC TSU around their access,
     use and disclosure (if any) of EU-sourced PNR data.

                                             11
Part 4 — Audit issues
The following findings and recommendations relate to the auditors consideration of Custom
and Border Protection’s handling of both hard-copy and electronic EU-sourced PNR data, in
response to either internal or external RFIs for this data.

The IPPs are produced in full at Appendix A.

IPP 10 issues — Uses of EU-sourced PNR data
IPP 10 sets out how personal information collected for one purpose may be used for
another (secondary) purpose, such as with the individual’s consent or for some health and
safety or law enforcement reasons in certain circumstances. Specifically:

IPP 10.1 provides that a record keeper who has possession or control of a record that
         contains personal information that was obtained for a particular purpose shall not
         use the information for any other purpose unless one or more of certain exceptions
         apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record
         keeper shall include in the record containing that information a note of the use.

The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of
Customs and Border Protection’s use of EU-sourced PNR data:

          Article 3: Scope of application
          Article 8: Sensitive data
          Article 17: Logging and documentation of PNR data.

Observation(s)
Interpretation of ‘use’ by the OAIC
4.1       The auditors considered that, where Customs and Border Protection use of EU-
          sourced PNR data is in response to an internal RFI from a Customs staff member, this
          constitutes a use of EU-sourced PNR data.

4.2       Article 3 of the EU Agreement terms explicitly states that Customs and Border
          Protection agree to process (ie use) PNR data strictly for the purpose of preventing,
          detecting, investigating and prosecuting terrorist offences and serious transnational
          crime. These two uses form the primary purpose of the collection of the EU-sourced
          PNR data.

4.3       Three additional permitted uses are also set out in Article 3 of the EU agreement (see
          paragraph 3.25 above).

Policies and procedures around the use of EU-sourced PNR data by Customs and Border Protection
4.4       The auditors noted throughout the interviews that Customs and Border Protection
          staff generally had a clear understanding of the obligation to use EU-sourced PNR data

                                                 12
only for internal RFIs in relation to terrorist offences or for serious transnational crime
      issues.

4.5   The OAIC reviewed three key policy and practice documents in relation to RFIs for EU-
      sourced PNR data:

              ‘Passenger Name Record (PNR) data’ - (Practice statement)

              ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected -
               (Instruction and Guidelines)

              ‘Responding to and recording of PAU Request for PNR Information (RFPI)’ –
               DRAFT - Protected – (Associated Document)

4.6   The Practice statement provides a high level overview of Customs and Border
      Protection’s collection, use and sharing of both EU and non EU-sourced PNR data.

4.7   The draft Instruction and Guidelines (Protected) provides greater detail for Customs
      and Border Protection officers in terms of the appropriate uses of PNR data (both EU
      and non EU-sourced).

4.8   Section 1.6.4 of the Instruction and Guidelines sets out appropriately the allowable
      uses of EU-sourced PNR data only for the purposes specified in Article 3 of the EU
      Agreement (see paragraphs 3.24 and 3.25 above).

4.9   Section 1.3 also specifies a range of actions that a PAU Officer should undertake on
      receipt of a RFI for PNR data (including EU-sourced PNR data). This section
      appropriately:

              outlines all RFIs should be received in writing (email) to the PAU Canberra
               Mailbox

              provides examples of the type of RFIs that Customs and Border Protection
               PAU officers may action

              specifies that the RFI must include the offence being considered and/or
               investigated, including the relevant Act and section

              outlines the response should only include the particular types of PNR data or
               elements requested, and only be provided within the purpose limitation
               under Article 3 of the EU Agreement

              outlines the common sources of RFIs including:

                    i. Customs and Border Protection officers (including overseas Senior
                       Australian Customs and Border Protection representative network)

                   ii. officers of other Australian LEAs and intelligence agencies

                                               13
iii. international LEAs with which Customs and Border Protection has a
                        valid Cooperative Agreement in place (and received through relevant
                        international counsellor or intelligence liaison officers).

              outlines reasons for not actioning a RFI, and the written advice that must be
               provided outlining why the decision has been made not to action an RFI (to
               be logged and recorded as if actioned).

4.10 At the time of the audit, the Associated Document was also a draft document. The
     auditors were provided with a copy, and noted that the document template set out a
     series of actions to be undertaken by Customs and Border Protection PAU staff in
     responding to written and verbal RFIs in general, and in relation to written and verbal
     responses to international counterpart agencies.

4.11 The auditors noted that there could be better consistency within the Instruction and
     Guideline, given it states PAU must review all RFIs in writing (page 6), and later
     (page 9, Section 1.5.4) specifies the steps to be taken in the limited circumstances in
     which an RFI may be received by telephone.

4.12 It is possible that this is an effect of the draft nature of these documents, and is raised
     here as an observation only for Customs and Border Protection’s consideration.

4.13 Subject to the above, the policies and procedures developed (or under development)
     by Customs and Border Protection appear likely (when finalised) to support PAU staff
     to use EU-sourced PNR data appropriately within the requirements of the Privacy Act.

Observation of the processing of RFI requests
4.14 Auditors were advised that PAU staff usually receive RFIs that had been sent to a
     dedicated PAU EU-RFI email inbox. PAU staff may also receive RFIs over the telephone
     from calls to a dedicated PAU landline.

4.15 The auditors observed a senior PAU officer handling a real-time request for PNR data
     received via email.

4.16 The process for PAU staff dealing with RFIs received via email is set out in the
     Associated Document (Section 1.1).

4.17 Relevantly, the auditors observed the PAU staff:

   a) check and verify the source of the request (AFP in the observed instance)

   b) check the offence being considered and/or investigated and the legislative basis for
      PAU response to the PNR RFI

   c) check the airline operator to establish if EU-sourced PNR or non EU-sourced PNR RFI
      data had been requested

   d) review multiple PNR data entries for the Person Of Interest and consider the
      relevance of available EU-sourced PNR data to the request received

                                                14
e) access relevant IT systems to extract appropriate EU-sourced PNR data

   f) draft an email response to the RFI, manually inputting relevant elements of the EU-
      sourced PNR data

   g) add the standard EU disclosure caveat

   h) recheck the RFI request, the EU-sourced PNR information provided, the recipient and
      the legislative basis for actioning the request

   i) send the RFI response email (with a cc to the PAU EU-RFI mailbox as a record of the
      response, stored by month of actioned request).

4.18 In responding to an RFI received over the telephone, the auditors were advised that
     PAU staff:

              verify the internal Customs and Border Protection staff members Customs
               User ID against internal systems (phone or email systems)

              proceed as above for a written RFI, but verbally advising the requesting
               officer of the information sought (ie after 4.17 step ‘e’ above)

              confirming the verbal RFI request and PAU response in an email then sent to
               the requesting officer (with a cc to the PAU EU-RFI mailbox as a record of the
               response, stored by month of actioned request).

4.19 Customs and Border Protection advised the auditors that procedures and templates
     were in development to improve the consistency of PAU staff responses to both
     written and verbal RFIs.

4.20 The auditors noted that Section 1.5.4 of the ‘Instruction and Guideline’ document
     specifies the steps to be undertaken in responding to an RFI received by telephone,
     and Section 1.9 specifies, for urgent operational cases only, how a verbal RFI is to be
     logged and recorded. Customs and Border Protection was developing a more detailed
     checklist in the ‘Associated Document’.

4.21 Customs and Border Protection also advised that, at the time of the audit, there was
     no specific Standard Operating Procedure (SOP) document which covered verbal RFI
     responses. However, the draft Associated Document (a procedural/technical level
     document below an Instruction and Guideline) sets out the procedures for PAU staff
     to follow on receipt of a verbal RFI.

4.22 Discussion with PAU staff showed a high level of awareness of when RFIs are to be
     refused, with examples being given of State LEAs seeking information for non-
     Commonwealth offences which had been declined.

4.23 The auditors were advised that, where the RFI did not clearly specify what EU-sourced
     PNR information was required, PAU staff have the discretion to determine what
     information (if any) from the EU-sourced PNR record would be provided in response.

                                             15
4.24 Staff were able to articulate that only the minimum EU-sourced PNR data relevant to
     the request should be provided (consistent with Article 18(1)(d) requirements of the
     EU Agreement).

4.25 The auditors also noted that statistics of shift records are recorded every day. These
     statistics record the number of RFIs responded to by the PAU Officers. No personal
     information from EU-sourced PNR data is included in these statistics.

Inspection of RFI records over specified periods
4.26 Customs and Border Protection provided the auditors with hard copies of all RFI
     responses for each of the below specified weeks.

4.27 These records included both EU and non-EU sourced RFIs received in each week,
     received in either written or verbal format.

4.28 The auditors undertook an inspection of a total of 61 completed EU-sourced PNR RFIs
     during the three randomly selected specified one week periods, as follows:

               20 records (21%) from 97 RFIs in the specified week (24-28 September 2012)

               25 records (24%) from 104 RFIs from 6 months previous (26-30 March 2012)

               16 records (22%) from 74 RFIs from 12 months previous (26-30 September
                2011).

4.29 In summary, and across the three specified weeks:

               the 61 EU-sourced PNR RFIs accounted for 22% of a total of 275 PNR RFIs
                received

               the majority (59%) of the EU-sourced PNR RFIs received across the three
                week periods were internal RFIs from Customs and Border Protection staff

               almost all of the EU-sourced PNR RFIs were written (received via email),
                rather than by telephone

               four EU-sourced PNR RFIs across the three week period did not clearly specify
                the grounds for the enquiry. While two of these RFIs had been refused on
                these grounds, two appeared to have been actioned

               the most recent specified week had the least number of issues identified,
                while records from the period 12 months prior to the specified week had the
                most number of issues identified.

4.30 Specifically, the auditors noted the following with regard to the EU-sourced PNR RFIs
     received in each of the three week periods inspected:

               Specified period (24-28 September 2012) – of the 20 records inspected:

                                                   16
i. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received
           during the week)

       ii. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
           during the week) from other Australian government agencies

       iii. a further two RFIs (10%) did not clearly show whether the source of
            the request was internal or external. The response to each of the two
            RFIs, if any, was also not recorded. This observation is also noted at
            Paragraph 4.73 (iii) (see ‘Specified Period’ dot point)

       iv. all but two internal RFIs specified clearly the grounds under which the
           RFI had been requested, which were legitimate purposes under the
           EU Agreement

       v. of the two that did not clearly specify the purpose:

                  one had been refused on these grounds

                  one appeared to have been actioned

       vi. The appropriate EU caveat had been applied to all internal RFI
           responses.

   Six months previous to specified week (26-30 March 2012) – of the 25
    records inspected:

        i. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received
           during the week)

       ii. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received
           during the week) from other Australian government agencies

       iii. one internal RFI did not have any record of the response provided, if
            any

       iv. in two instances, PAU officers had appropriately sought further
           information prior to actioning the internal RFI

       v. all but one internal RFI specified clearly the grounds under which the
          RFI had been requested, which were legitimate purposes under the
          EU Agreement

       vi. for the record that did not clearly specify the purpose, the internal RFI
           was refused on these grounds

      vii. the appropriate EU caveat had been applied to all internal RFIs.

   12 months previous to specified week (26-30 September 2011) – of the 16
    records inspected:

                                   17
i. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received
                      during the week)

                  ii. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
                      during the week) from other Australian government agencies)

                  iii. two RFIs (12.5%) did not clearly show whether the source of the
                       request was internal or external. The response to each of these RFIs, if
                       any, was also not recorded. This observation is also noted at
                       Paragraph 4.73 (iii) on (see ‘12 month previous’ dot point)

                  iv. one internal RFI did not specify clearly the grounds under which the
                      RFI had been requested, but appeared to have been actioned

                  v. in another instance, a PAU officer had appropriately sought further
                     information prior to actioning the internal RFI

                  vi. The appropriate EU caveat had not been applied to three of the ten
                      internal RFIs. The non-EU caveat had been applied in two records,
                      while no caveat appeared to be attached to one record.

4.31 Overall, the inspection of records identified an improvement in the completeness of
     EU-sourced PNR RFI records over the previous year up to the specified week.

4.32 The inspection also showed, however, that in each period at least one EU-sourced PNR
     record appeared to have been actioned without a clear reason provided for the
     request. It was not clear whether staff had responded to the RFI without a reason
     being provided, or whether the reason had not been clearly recorded.

Logging and documentation of RFI responses
4.33 Article 17 of the EU Agreement (in part) requires Customs and Border Control to:

              log all processing, access, consulting or transfer of EU-sourced PNR data

              include where the RFI has been denied.

4.34 Customs and Border Protection advised that all EU-sourced PNR RFIs are received in a
     dedicated PAU EU-RFI mailbox, located within the standard departmental email
     system.

4.35 All responses to EU-sourced PNR RFIs (including where an RFI has been refused) are
     also stored in a dedicated PAU EU-RFI mailbox (ie held separately from other PNR
     data).

4.36 The Associated Document specifies that all responses (and the original RFI) are to be:

              logged in a PAU RFI Register

              hard copy printed and placed on a PAU RFI RIM file

                                              18
   recorded on a PAU statistics sheet.

4.37 It was unclear at the time of the audit whether these instructions were in force.

4.38 Logging of RFIs received by telephone occurs after the RFI had been responded to
     verbally, through a confirmation email sent by the responding PAU officer to the
     requesting party.

4.39 The inspection of records relevantly showed:

              instances where the RFI had been declined had been recorded, including the
               reasons why the request was declined

              one or two instances in each week where a hard copy record of the RFI had
               been logged, while the response (if any) was not specified.

4.40 Customs and Border Protection staff indicated to the auditors that retrieval and/or
     search of these email records, where a specific RFI response needed to be located,
     was currently quite difficult.

4.41 Customs and Border Protection also indicated that the storage of RFI requests and
     responses on the email system was problematic, and in the longer term there was a
     need to review how best to store electronic (and hard copy) records of the RFIs and
     the responses provided, if any.

4.42 The auditors requested a copy of the system audit log of the written EU-sourced PNR
     RFI that had been observed. Customs and Border Protection was able to provide an
     SQL query log for the RFI, based on the responding Customs Staff User Id, showing:

              Person Of Interest name search

              EU-sourced PNR flight list request from inbound flight manifest

              EU-sourced PNR detail reviewed (further detail was available from the
               database, on request).

Sensitive data — Limitations on use
4.43 Article 8 of the EU Agreement covers the prohibition of Customs and Border
     Protection from processing sensitive EU-sourced PNR data. Sensitive data includes
     information on:

              racial or ethnic origin
              political opinions
              religious or philosophical beliefs
              trade union membership
              health or sex life information

4.44 The IPPs do not currently or specifically deal with the collection or use of sensitive
     personal information. However, the incoming Australian Privacy Principle 3 (in effect

                                               19
from 12 March 2014) will place new obligations on Customs and Border Protection in
      terms of its collection of sensitive personal information.

4.45 While the PAU handling of sensitive personal information is not therefore covered by
     the IPPs, the following observations are noted for Customs and Border Protection
     consideration in terms of the EU Agreement requirements, and the introduction of the
     APPs on 12 March 2014.

4.46 Customs and Border Protection staff advised the OAIC that EU-sourced PNR data
     collected by the airline operators is not standardised, and EU-sourced PNR data
     collected by different airline operators is variable in terms of the provided data fields,
     structures and formats.

4.47 To assist with the collection of a minimum level of core EU-sourced PNR data, Customs
     and Border Protection requests access to a pre-determined set of EU-sourced PNR
     data fields from relevant airline operators (as specified in Attachment A of the
     ‘Instruction and Guideline’ document).

4.48 Customs and Border Protection staff were aware of the obligation under Article 8 of
     the EU agreement to destroy any sensitive data contained in EU-sourced PNR data.

4.49 Customs and Border Protection advised that (at present) there was very little sensitive
     information contained in EU-sourced PNR data received.

4.50 If an EU-sourced PNR record contained sensitive data, this would likely occur in the
     free text or general remarks associated with PNR data (ie Other Supplementary
     Information (OSI), Special Service Information (SSI) or Special Service Request (SSR)
     detail).

4.51 Customs and Border Protection advise that it is currently very difficult to automatically
     censor or delete free text or general remark information prior to the entry of the EU-
     sourced PNR record into the database. This reflects an IT systems limitation, in that
     the location of the data (if included) is within non-standardised and free text fields.

4.52 Customs and Border Protection advised that they have not, and do not intend to, use
     any EU-sourced PNR data (including sensitive information, if included) to conduct any
     form of racial profiling.

4.53 At present, the PAU addresses the issue of sensitive information on a case by case
     basis. Sensitive information is not utilised in any processing of EU PNR data and where
     possible the information is deleted i) prior to entry of the EU- sourced PNR data to the
     IAT or ii) upon ad-hoc identification by PAU staff in response to an RFI.

4.54 However, there appeared to be some lack of awareness in discussions with PAU staff
     of what constitutes ‘sensitive data’ under the EU agreement.

4.55 A higher level of awareness of what constitutes ‘sensitive data’ from PAU staff would
     enable this information to be better identified and removed, if the data did find its
     way into the IAT. Further, PAU staff also need to be aware that this information

                                              20
cannot be disclosed in response to an RFI, and take appropriate steps to notify the
     relevant IT area to have the sensitive data removed from the EU-sourced PNR record,
     to ensure obligations under the EU Agreement are met.

Privacy issues
4.56 A range of risks have been identified in terms of Customs and Border Protection’s use
     of data, under both the Privacy Act and more specifically the EU Agreement. These
     issues are outlined below for Customs and Border Protection’s consideration.

4.57 At the time of the audit, the ‘Instruction and Guideline’ and ‘Associated Document’
     were in draft form. There is a risk that a lack of finalised policies and procedures to
     support PAU staff in applying the allowable uses of PNR data (including EU-sourced
     PNR data) may lead to a breach of Customs and Border Protection obligations under
     either the Privacy Act or the terms of the EU Agreement.

4.58 There is a risk that, where the records of RFIs received and PAU response (if any) are
     not complete or accurate, especially around the grounds provided for the RFI,
     Customs and Border Protection: may be in breach of its obligations under IPP 7
     (accuracy, completeness etc); may not know whether personal information has been
     used and disclosed in accordance with IPP 10 and 11; or may not be complying with
     the terms of the EU Agreement with regard to its use of this data.

4.59 A lack of awareness of the types of data that are considered ‘sensitive’ under the EU
     agreement (and after 12 March 2014, in the new Australian Privacy Principles)
     increases the risk that PAU staff may use this data in providing an RFI response, rather
     than deleting the data as required under the EU agreement.

Recommendation 1 — Finalise policy and procedure documents
4.60 The auditors recommend that Customs and Border Protection finalise the ‘Instructions
     and Guideline’ and ‘Associated Document’ to guide PAU staff in handling PNR data.
     The auditors note that the draft documents contain specific instructions in relation to
     EU-sourced PNR data requirements, such as the Australian government agencies that
     this data may be shared with, the need to clearly record the reasons for the RFI and
     response (if any) and sensitive data destruction requirements.

IPP 11 issues — Disclosures of EU-sourced PNR data
IPP 11 sets out when an agency may disclose personal information to someone else, for
example another agency. This can only be done in special circumstances, such as with the
individual’s consent or for some health and safety or law enforcement reasons. Specifically:

IPP 11.1 provides that a record keeper who has possession or control of a record that
         contains personal information shall not disclose the information to a person, body
         or agency (other than the individual concerned) unless one or more of certain
         exceptions apply.

                                              21
IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record
         keeper shall include in the record containing that information a note of the
         disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties
         who receive that information must not use or disclose the information for a
         purpose other than the purpose for which the information was given to them.

The following Articles in the EU Agreement are also relevant to the OAIC’s consideration of
Customs and Border Protection’s disclosure of EU-sourced PNR data:

      Article 18: Sharing PNR data with other government authorities of Australia
      Article 19: Transfers to authorities of third countries
      Article 6: Police and Judicial cooperation.

Interpretation of ‘disclosure’ by the OAIC
4.61 The OAIC considers that, where Customs and Border Protection responds to a RFI from
     an external Australian government authority, third country authority or the police or
     judicial authorities of a Member State of the EU, Europol or Eurojust, this constitutes a
     disclosure of EU-sourced PNR data.

Policies and procedures around the disclosure of EU-sourced PNR data by Customs and
Border Protection
4.62 The OAIC noted throughout the interviews that Customs and Border Protection staff
     generally had a clear understanding of the obligation to disclose EU-sourced PNR data
     for external RFIs only in relation to offences relating to terrorism or serious
     transnational criminal activities.

4.63 The disclosure aspects of the three key policy and practice documents in relation to
     RFIs for EU-sourced PNR data showed:

              ‘Passenger Name Record data’ - (Practice statement)

                   i. Paragraph 12 contains a specific reference to the addition of the
                      appropriate PNR caveat where PNR data is disclosed to another
                      agency.

              ‘Processing requests for PNR Information (2012/05)’ – DRAFT – Protected -
               (Instruction and Guidelines):

                   i. Section 1.4 outlines circumstances in which RFIs may be received from
                      other Australian government agencies.

                  ii. Section 1.6.5-6 sets out allowable disclosures to Commonwealth
                      agencies and Third Country Authorities.

                  iii. Section 1.6.10-13 describes the need to apply appropriate caveats to
                       disclosed PNR data.

                                             22
iv. Section 1.6.14 describes the requirement to log all RFIs and responses
                      (if any) on an appropriate RIMS file.

              ‘Responding to and recording of PAU Request for PNR Information’ – DRAFT -
               Protected – (Associated Document)

                   i. Section 3 Appendix 1 specifies a list of six airlines that provide EU-
                      sourced PNR data, explicitly identifies the six Australian government
                      agencies that this data may be disclosed to (in addition to Customs
                      and Border Protection) and warns against any identified bulk
                      disclosure of EU-sourced PNR data.

                  ii. The section also sets out that sensitive EU-sourced PNR data (if
                      included in the record) is to be deleted before further processing.

                  iii. Section 6 Appendix 4 provides the EU and non-EU PNR disclosure
                       caveats to be attached to any RFI response.

                  iv. Section 7 Appendix 5 provides written and verbal response templates,
                      including for non-compliant (or ‘no data available’) RFI responses.

4.64 The Instructions and Guidelines (Section 1.4) indicate that RFIs may be received
     directly to the PAU (rather than through out posted Customs and Border Protection
     Liaison Officers) from four Australian government agencies, as follows:

              AG Department via the Australian Security Network (ASNET), a dedicated
               secure communications network for the exchange of information classified in
               relation to national security. Due to sensitivity of AG Department’s
               operations, the specific nature of the risk which prompts the RFI does not
               need to be identified

              the Trans-National Sexual Exploitation Targeting Team (TSETT), received from
               the AFP

              the OTS

              for issues of ‘Operational Urgency’, where the RFI is time critical.

4.65 The policies and procedures developed (or under development) by Customs and
     Border Protection appear likely (when finalised) to support PAU staff to disclose PNR
     data, including EU-sourced PNR data, appropriately within both the Australian
     legislative frameworks and the terms of the EU Agreement.

Disclosures of EU-sourced PNR information to other Australian government Authorities
4.66 Under Article 18 of the EU Agreement, Customs and Border control are authorised to
     share EU-sourced PNR data on a case by case basis with the following government
     authorities of Australia:

          Australian Crime Commission

                                              23
   Australian Federal Police

          Australian Security Intelligence Organisation

          Commonwealth Director of Public Prosecutions

          Department of Immigration and Citizenship

          Office of Transport Security (within the Department of Infrastructure and
           Transport).

4.67 Discussions with PAU staff showed a high level of awareness of when RFIs are to be
     refused, with examples being given of external State-based LEAs seeking RFI for non-
     Commonwealth offences, which had been declined.

4.68 Three major agencies were commonly identified as agencies to which EU-sourced PNR
     data could be shared (AFP, ASIO and ACC), likely reflecting the higher frequency of
     RFIs received from these agencies.

4.69 However, staff awareness of the other Australian government agencies that EU-
     sourced PNR data could be shared with (ie the OTS and DPP) appeared less clear, with
     these agencies not generally referenced during interviews.

4.70 External RFIs from DIAC appear to be received only on occasion from the TSU, which is
     co-located with the PAU and supports the DIAC Airline Liaison Officer (ALO) network,
     based at airports across the world.

4.71 The TSU advised auditors that DIAC RFIs of the PAU were made relatively infrequently,
     due to a range of reasons including:

              DIAC preference for non-EU sourced ‘pull’ data over the ‘push’ data held by
               the PAU

              access the DIAC ALOs located in each airport will often already have to
               relevant passenger information (ie Advanced Passenger Information received
               directly from the relevant airline).

4.72 Customs and Border Protection advised that TSU staff have appropriate authorisations
     under section 64AF(5) of the Customs Act to access PNR data, as required.

Inspection of RFI records over specified periods
4.73 In terms of the inspection of EU-sourced PNR RFIs from the three randomly selected
     one week periods, the auditors noted the following:

              Specified period (24-28 September 2012) – of the 20 records inspected:

                   i. 5 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
                      during the week)

                                             24
ii. 13 were internal RFIs (ie 65% of all EU-sourced PNR RFIs received
           during the week)

       iii. as noted previously under the ‘Specified Period’ dot point at
            Paragraph 4.30 (iii), two RFIs (10%) did not clearly show whether the
            source of the request was internal or external. The response to each
            of these RFIs, if any, was also not recorded

       iv. there were no third country authority requests in the period

       v. of the external RFIs, all specified clearly the grounds under which the
          RFI had been requested, and were legitimate purposes under the EU
          Agreement

       vi. the appropriate EU caveat had been applied to all external RFI
           responses.

   Six months previous to specified week (26-30 March 2012) – of the 25
    records inspected:

        i. 12 were external RFIs (ie 48% of all EU-sourced PNR RFIs received
           during the week

       ii. 13 were internal RFIs (ie 52% of all EU-sourced PNR RFIs received
           during the week)

       iii. there were no third country authority requests in the period

       iv. all but one external RFI specified clearly the grounds under which the
           RFI had been requested, which were legitimate purposes under the
           EU Agreement

       v. the record that did not clearly specify the purpose for the external RFI
          appeared to have been actioned by Customs and Border Protection

       vi. the appropriate EU caveat had been applied to all but one of the
           external RFI responses. The one exception applied the non-EU caveat.

   12 months previous to specified week (26-30 September 2011) – of the 16
    records inspected:

        i. 4 were external RFIs (ie 25% of all EU-sourced PNR RFIs received
           during the week)

       ii. 10 were internal RFIs (ie 62.5% of all EU-sourced PNR RFIs received
           during the week)

       iii. as noted previously under the ‘12 month previous’ period dot point at
            Paragraph 4.30 (iii), two RFIs (12.5%) did not clearly show whether the

                                  25
source of the request was internal or external. The response to each
                      of these RFIs, if any, was also not recorded

                  iv. there were no third country authority requests in the period

                  v. all but one external RFI specified clearly the grounds under which the
                     RFI had been requested, which were legitimate purposes under the
                     EU Agreement

                  vi. the record that did not clearly specify the purpose for the external RFI
                      appeared to have been actioned by Customs and Border Protection

                 vii. the appropriate EU caveat had been applied to all but one of the
                      external RFIs. The one exception applied the non-EU caveat.

4.74 Overall, the inspection of records identified an improvement in the completeness of
     EU-sourced PNR records over the previous year up to the specified week.

4.75 In summary, the inspection showed that:

              one EU-sourced PNR record in both the six and 12 month period prior to the
               specified week appeared to have been actioned without a clear reason
               provided for the request. It was not clear whether the RFI had been
               responded to without a reason being provided, or whether the reason had
               not been clearly recorded on the record inspected

              one EU-sourced PNR record in both the six and 12 month period prior to the
               specified week had been sent with the incorrect PNR caveat attached (ie the
               non-EU PNR caveat had been attached).

Disclosure of EU-sourced PNR information to authorities of third countries
4.76 Under Article 19 of the EU Agreement, Customs and Border control are authorised to
     transfer PNR data on a case by case basis to specific third country authorities, whose
     functions are directly related to preventing, detecting, investigating and prosecuting
     terrorist offences or serious transnational crime.

4.77 Article 19 also requires Customs and Border Protection to:

          ensure third country authorities afford appropriate safeguards

          assess third country authority functions are directly related to terror or
           transnational crime purposes

          obtain agreement to only retain data until investigation or prosecution is
           concluded

          obtain agreement not to further transfer EU-sourced PNR data

          inform passenger (where appropriate) of the transfer

                                              26
You can also read
NEXT SLIDES ... Cancel