Requests For Information for Passenger Name Record data
Australian Customs and Border Protection Service
Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: October/November 2012
Draft report issued: May 2013
Final report issued: June 2013

Contents

Part 1 — Introduction
  Background
Part 2 — Description of audit
  Purpose
  Scope
  Objectives
  Timing and location
  Methodology
  Information obtained during the audit
  Opinion
  Follow up review
  Reporting
Part 3 — Description of auditee
  Overview
  Passenger Name Record (PNR) Data
  Legislative basis for collection and uses of PNR data
  The EU agreement
  Description of the PAU
  Structure
Part 4 — Audit issues
  IPP 10 issues — Uses of EU-sourced PNR data
  IPP 11 issues — Disclosures of EU-sourced PNR data
  IPP 4 issues — Storage and security of EU-sourced PNR data
  Other identified issues
Part 5 — Summary of recommendations
  Recommendation 1 – Finalise policy and procedure documents
  Recommendation 2 – Electronic storage arrangements
  Recommendation 3 – Security of EU-sourced PNR data
  Recommendation 4 – Audit logs
  Recommendation 5 – Identity verification procedures
Appendix A — Information Privacy Principles

Part 1 — Introduction

Background

1.1 The Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Australian Information Commissioner (the OAIC) have a Memorandum of Understanding (MoU) which provides a regular audit program for Customs and Border Protection's use of European Union-sourced Passenger Name Record (EU-sourced PNR) data.
1.2 Under the terms of the MoU signed on 9 May 2008 and in effect until 8 May 2012, the OAIC undertook to conduct two audits per financial year of Customs and Border Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Privacy Act).
1.3 This is the second audit undertaken for the 2011-12 financial year, under the MoU signed 9 May 2008. The conduct of the audit was deferred by agreement between Customs and Border Protection and the OAIC to be undertaken within the 2012-13 financial year.
1.4 The focus of the audit is on Customs and Border Protection's handling of internal and external Requests For Information (RFI) involving EU-sourced PNR data.
1.5 Customs and Border Protection and the OAIC signed a further MoU on 8 February 2013 with effect until 30 June 2014. Under the terms of this agreement, the OAIC will undertake one audit per year of Customs and Border Protection's handling of EU-sourced PNR data under section 27(1)(h) of the Privacy Act.
1.6 The MoU has regard to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by Air Carriers to the Australian Customs and Border Protection Service (the EU Agreement). The EU Agreement was made in Brussels on 29 September 2011, with effect from 1 June 2012.

Part 2 — Description of audit

Purpose

2.1 The primary purpose of the audit was to assess Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act, specifically in relation to its handling of RFIs for EU-sourced PNR data.

Scope

2.2 The audit assessed Customs and Border Protection's handling of both hard-copy and electronic EU-sourced PNR data, in response to either internal or external RFIs for this data.
2.3 The audit scope was limited to the use (IPP 10), disclosure (IPP 11) and storage and security (IPP 4) practices of Customs and Border Protection in relation to the handling of EU-sourced PNR data in response to an RFI.
2.4 Enquiries were also made regarding the activities and operations of the Department of Immigration and Citizenship (DIAC) Tactical Surveillance Unit (TSU) within the Customs and Border Protection Passenger Analysis Unit (PAU) and staff training arrangements. Any observations made in relation to these aspects of the audit are provided for Customs and Border Protection’s information only, and do not form part of the overall assessment of agency compliance in this audit.
2.5 The audit also sought to provide some preliminary information for Customs and Border Protection’s consideration in relation to the obligations under the EU Agreement.
2.6 The use of EU-sourced PNR data by Customs and Border Protection to undertake pre-arrival risk assessment (or Flight Screening) of passengers travelling to (or in transit through) Australia did not form any part of the scope of the current audit.

Objectives

2.7 The three objectives of the audit were to identify whether:
1. uses of EU-sourced PNR data in response to RFIs received from within Customs and Border Protection over a defined period are consistent with IPP 10 obligations
2. disclosures of EU-sourced PNR data in response to RFIs from other Australian government agencies or third country authorities are consistent with IPP 11 obligations
3. storage and security arrangements for hard-copy and electronic EU-sourced PNR data in response to RFIs are consistent with IPP 4 obligations.

Timing and location

2.8 The audit fieldwork was conducted on 31 October and 1 November 2012 at Customs House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).
2.9 The location of the audit was the PAU based at Customs House Canberra, and included a site inspection, observation of the handling of EU-sourced PNR data in response to RFIs and an inspection of records of completed EU-sourced PNR RFIs over specified periods.

Methodology

2.10 The audit utilised the following methodologies:
• Semi-structured interviews with key Customs and Border Protection staff from the Passenger Targeting Branch, including PAU managers and staff responding to RFIs, to assess:
  o management and governance arrangements (including but not limited to internal review/audit activities in relation to EU-sourced PNR data, document destruction processes, internal governance arrangements)
  o processing of RFIs (internal and external) for EU-sourced PNR data.
• Inspection of a random selection of 61 EU-sourced PNR RFIs received during the following three specified one week periods:
  o 20 records from the current financial year (24-28 September 2012)
  o 25 records from 6 months prior (26-30 March 2012)
  o 16 records from 12 months prior (26-30 September 2011).
• Document review of relevant material prepared by Customs and Border Protection to assist PAU staff with the handling of EU-sourced PNR data, including (but not limited to) relevant templates and Standard Operating Procedures (SOPs).
• Site inspection assessing physical and IT security and storage arrangements, including (but not limited to) relevant access controls, audit logs, and use of third party contractors if relevant.

Information obtained during the audit

2.11 The following documentation was provided prior to the audit fieldwork into Customs and Border Protection's processing of EU-sourced PNR RFIs in October and November 2012:
• An organisational chart and office locations for the relevant areas of Customs and Border Protection that handle PNR data.
  o ‘PAU Structure Sep-Dec 2012’ document.
  o ‘Advanced Analytics, Intelligence Strategies and Program Branch’ document.
  o Software developers, located in Allara House, Constitution Avenue, Canberra.
• Staff instructions/memorandums in relation to the handling of PNR data in Customs, including relevant SOPs.
• Staff training materials addressing the Privacy Act, the handling of PNR data and relevant information security practices.
2.12 The following information and documentation was gathered during the audit fieldwork period:
• An outline of personal information data flows within Customs relating to handling RFIs of EU-sourced PNR data.
  o ‘Practice Statement 2012/05: Processing requests for Passenger Name Record (PNR) Information’ DRAFT document (Practice Statement).
• An outline of personal information data flows to any internal or external third parties relating to handling RFIs of EU-sourced PNR data:
  o ‘Instructions and Guidelines 2012/05: Processing requests for PNR Information’ - DRAFT document – Protected (Instructions and Guideline).
  o ‘Associated Document 2012/05: Responding to and recording of PAU Request for PNR Information (RFPI)’ - DRAFT document – Protected (Associated Document).
  o Section 16 Undertakings (as of March 2008).
  o ‘Disclosure of EU-sourced PNR data’ caveat for email communications.
  o ‘Disclosure of Non-EU-sourced PNR data’ caveat for email communications.
• Details of internal Customs and Border Control access to EU-sourced PNR data, access limitations, staff training materials and audit log information.
  o ‘PNR Control Framework: Legal and Compliance (EPAC2/ PG1/002) Enhanced passenger Assessment and Clearance Program 2 (EPAC2), Version 0.6 (15 August 2012)’ document.
  o ‘Application for Integrated Analysis Tool (IAT) PNR Push Access’ template.
  o ‘Separation from PAU’ document - management checklist for revoking System access, mailbox/distribution access, communication resources, physical access and other entitlements on separation from the PAU.
  o Audit log of an RFI response observed live by OAIC assessors.
  o ‘PAU Training Schedule Overview’ document (Version 20100525.v2).

Opinion

2.13 The auditors are of the opinion that Customs and Border Protection is generally maintaining its records of personal information in accordance with its IPP 4, 10 and 11 obligations under the Act in the handling of hard-copy and electronic EU-sourced PNR data in response to internal and external RFIs for this data.
2.14 The auditors identified a number of privacy risks in Customs and Border Protection’s maintenance of personal information under its IPP obligations. The auditors have made seven recommendations in relation to these.
2.15 The auditors have also made a number of observations in relation to observed practice against the specific requirements of the EU Agreement, which have been provided here for Customs and Border Protection’s consideration.

Follow up review

2.16 Under the terms of the EU Agreement in effect from 1 June 2012, and a separate MoU between Customs and Border Protection and the OAIC dated 8 February 2013, the OAIC will continue to undertake up to one audit of Customs and Border Protection’s handling of EU-sourced PNR data each year.

Reporting

2.17 Generally the OAIC will publish final audit reports on its website, except where there are concerns with sensitive material. For example, where the audit: relates to material affecting national security, defence, Commonwealth-State relations or law enforcement; involves certain business, commercial or financial information; or where material has been obtained in confidence, it may be appropriate to redact some information from the report or not to publish the report.
2.18 Where final reports of audits of ACT, Australian and Norfolk Island government agencies are published, they will be available on the OAIC’s website (www.oaic.gov.au).
2.19 Information Privacy Principle audit findings and recommendations that are considered relevant to good privacy practice across the public sector are also generally discussed in the OAIC’s annual report.

Part 3 — Description of auditee

Overview

3.1 Customs and Border Protection is the primary border protection agency in Australia. It manages the security and integrity of Australia's borders, and works closely with other government and international agencies to detect and deter unlawful movement of goods and people across the border.
3.2 Other agencies Customs and Border Protection works with include the Australian Federal Police (AFP), the Office of Transport Security (OTS), DIAC and the Attorney General's Department (AG Department).
3.3 As at 30 June 2012, Customs and Border Protection employed 5,671 people nationally in Australia and overseas. Its central office is located in Canberra.
3.4 Customs and Border Protection operates two major programs: Maritime, Corporate and Intelligence, and Border Management. A third corporate division (Strategy, Finance and Integrity) reports directly to the Chief Executive Officer.
3.5 Among other activities, it intercepts illegal drugs and firearms and targets high-risk aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection also has a fleet of ocean-going patrol vessels and contracts aerial surveillance providers for civil maritime surveillance and response.

Passenger Name Record (PNR) Data

3.6 PNR data is information about airline passengers held by airlines on their computer reservation systems and/or departure control systems.
3.7 PNR data may include any of the following information:
• PNR locator code
• passenger name(s)
• passport number
• nationality
• details of travel companions
• frequent flyer information
• ticketing information: date of reservation/issue of ticket; itinerary and alterations made to booking
• contact information, including travel agent details
• payments/billing
• travel status of passenger (including confirmations and check-in status)
• special request/service information
• all baggage information (number and weight of bags)
• seat allocation(s)
• all historical changes to the above PNR.
3.8 Some PNR data is automatically generated by the airline (eg itinerary detail), while other information is supplied by or on behalf of the passenger (eg contact details). Airlines or authorised travel agents may also add a range of further information, such as dietary or medical requirements, or special requests for assistance.
3.9 At the time of the audit, the OAIC was informed that a total of 39 airlines provided PNR data to Customs and Border Protection.
3.10 Of these, 13 airlines were identified as specifically providing EU-sourced PNR data.
3.11 Authorised Customs and Border Protection PAU officers receive up to five scheduled transmissions from specified airlines of both EU-sourced and non-EU sourced PNR data beginning at 72 hours before the scheduled departure of a flight to Australia.
3.12 Any updates to the PNR data are then provided at 24 hours, 2 hours and 1 hour respectively (if available).
3.13 A final full list of available PNR data is also received after the flight has departed for Australia.

Legislative basis for collection and uses of PNR data

3.14 The collection of PNR data by Customs and Border Protection, for both EU and Non-EU sourced PNR data, is permitted under section 64AF of the Australian Customs Act 1901 (the Customs Act).
3.15 This provision specifies that if requested, all international passenger air service operators, flying to, from or through Australia, are required to provide Customs and Border Protection with PNR data to the extent that they are collected and contained in the air carrier's reservations and departure control systems, in a particular manner and form.
3.16 Access to all PNR data is only given to specifically authorised Customs Officers in accordance with section 64AF(5), with a person an ‘authorised officer’ only if:
a. appointed as an officer of Customs (as set out in section 4 of the Customs Act)
b. authorised in writing by the CEO to exercise the powers to perform the functions of an authorised officer under section 64AF.
3.17 PNR data must only be accessed by authorised Customs and Border Protection officers for the purpose of performing their functions under the Customs Act or prescribed laws of the Commonwealth.
3.18 Functions of officers under section 64AF include conducting traveller assessments for border risks, conducting post-seizure analysis and servicing RFIs.
3.19 PNR data may also be accessed in support of relevant joint operations, task force or national Customs and Border Protection operations, detection analysis or investigation and search and seizure warrants.
3.20 The Customs Administration Act 1985, Migration Act 1958, Crimes Act 1914 (Cth), Privacy Act 1988 (Cth), Freedom of Information Act 1982 (Cth), Auditor-General Act 1997 (Cth), Ombudsman Act 1976 (Cth) and Public Service Act 1999 (Cth) all provide for data protection, rights of access and redress, rectification and annotation and remedies and sanctions for misuse of personal data, including PNR data.
3.21 Unauthorised purpose uses of any PNR data may result in offences under a number of Commonwealth laws dealing with unauthorised access, including the Customs Administration Act 1985, the Criminal Code 1995 (Cth), the Public Service Act 1999 (Cth) and the Privacy Act 1988 (Cth).

The EU agreement

3.22 The EU agreement between Australia and the European Union in relation to the transfer and provision of EU-sourced PNR data to Customs and Border Protection was signed in Brussels on 29 September 2011, with effect from 1 June 2012.
3.23 The EU agreement sets out the terms of the transfer and use provisions of EU-sourced data to Customs and Border Protection.
3.24 Under the EU Agreement, Customs and Border Protection agrees to use PNR data strictly for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of personal data.
3.25 The EU Agreement also sets out certain other circumstances when PNR data may be used or disclosed, such as:
a. in the protection of vital interests of an individual, such as risk of death, serious injury or threat to health (Article 3(4))
b. where specifically required by Australian law, on a case by case basis, for the purpose of supervision and accountability of public administration and the facilitation of redress and sanctions for the misuse of data (Article 3(5))