
Topic(s): Compliance | Law enforcement and national security
 

Passenger Name Records (PNR data) Audit Report No 1


Section 27(1)(h) Privacy Act 1988

Passenger Name Records (PNR data) No.1

Australian Customs and Border Protection Service



Final audit report

Information Privacy Principles audit



Audit undertaken: February 2009

Revised report issued: November 2009

Final report issued: December 2009

Part 1 - Introduction

Background

1.1 An Agreement exists between the Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Privacy Commissioner (the Office). The Agreement is intended to ensure the provision of a regular audit program for Customs and Border Protection's use of Passenger Name Records (PNR data).

1.2 Under the terms of the Agreement, the Office conducted an audit of Customs and Border Protection's handling of PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).

Part 2 - Description of audit

Purpose

2.1 The purpose of the audit was to ascertain Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act, specifically in relation to its handling of PNR data.

Scope

2.2 The audit focussed on Customs and Border Protection's handling of PNR data during its pre-arrival risk assessment process. The audit involved a review of Customs and Border Protection's policies and procedures for the collection, storage, use and disclosure of PNR data during this process. Enquiries were also made regarding information technology matters and staff training procedures.

Timing and location

2.3 The audit was conducted on 25 February and 26 February 2009 at Customs House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).

Description of Auditee

2.4 Customs and Border Protection is an Australian Government agency and manages the security and integrity of Australia's borders. It detects and deters unlawful movements of goods and people across the border.

2.5 One of Customs and Border Protection's border protection activities is its pre-arrival risk assessment of passengers travelling to or in transit through Australia. Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious crimes that are transnational in nature, for example, money laundering, drugs importation, weapons trafficking and people smuggling/trafficking.

2.6 The Passenger Analysis Unit (PAU) in Customs and Border Protection conducts pre-arrival risk assessments of passengers using, among other things, PNR data.

2.7 PNR data is information about airline passengers that is held by airlines on their computer reservation system and departure control system. PNR data includes such information as:

  • PNR locator code; passenger name(s); passport number; nationality;
  • details of travel companions;
  • frequent flyer information;
  • ticketing information; date of reservation/issue of ticket; itinerary; alterations made to booking;
  • contacts; payments/billing; travel agent details;
  • special request/service information;
  • number of bags; weight of bags;
  • seat allocation.

2.8 PAU Officers electronically access the computer reservation systems and departure control systems of airlines and retrieve PNR data. The PAU currently has access to 33 airlines' PNR data. PAU Officers then use this information together with a range of other information, for example immigration, intelligence and other law enforcement data, to screen passengers prior to arrival in Australia and assist in identifying those passengers that may pose a risk at the time of arrival.

2.9 If an individual is not of interest to Customs and Border Protection, their PNR data is deleted and no information regarding that passenger is retained.

2.10 Where a passenger is identified by a PAU Officer as a risk, the PAU Officer may alert Customs and Border Protection Officers based at the Australian arrival airport. Customs and Border Protection Officers at the arrival airport may then conduct further assessment of the individual at their time of arrival.

2.11 The PAU has the ability to monitor a particular person of interest's PNR data. These are referred to as PNR monitors. When a monitor is placed on a PNR, an automated system updates Customs and Border Protection on any alterations to the PNR data.

2.12 The PAU also deals with internal and external requests for PNR data and makes referrals to other government agencies. This handling of PNR data was not considered as part of this audit.

2.13 The PAU uses an application called QIK Analysis to access and analyse PNR data. The QIK Analysis application provides Customs and Border Protection with the capability to connect and retrieve information from the computer reservation systems and departure control systems of international airlines. It also has the capability to automatically analyse the information returned from each of the airlines against risk profiling information.

2.14 Customs and Border Protection's access to each airline's computer reservation system and departure control system is via the SITA network. SITA is a commercial service provider and provides the gateway and connection of QIK Analysis to airline hosts.

2.15 The PAU consists of four teams of six analysts which includes a team supervisor in each team. The PAU operates 24 hours a day seven days a week. These teams are supported by four Planning and Targeting Officers. These staff in the PAU have direct access to PNR data.

2.16 The auditors also spoke with Customs and Border Protection staff from Passenger Enabling Services, Passenger Policy and Training Standards and PACE Alert Management.

2.17 Passenger Enabling Services consists of 12 staff and provides technical and Information Technology support to the PNR system and the PAU. Staff in Passenger Enabling Services have access to PAU production and development systems and some have access to QIK Analysis. Staff generally only work with de-identified PNR data.

2.18 Passenger Policy consists of five staff and provides policy and other legislative support to the PAU. Staff in Passenger Policy do not have direct access to PNR data.

2.19 Training Standards and PACE Alert Management provide training to PAU staff and conduct compliance audits. These staff have access to QIK Analysis.

Information sought prior to the audit

2.20 The following documentation was sought from Customs and Border Protection prior to the commencement of the audit:

  • a current organisation chart and office locations for the relevant areas of Customs and Border Protection that handle PNR data;
  • an outline of personal information data flows within Customs and Border Protection as it relates to the handling of PNR data;
  • an outline of personal information data flows to any external third parties as it relates to the handling of PNR data;
  • details of who within Customs and Border Protection has access to PNR data and any access limitations in place;
  • details of any audit trails of access to this information;
  • any Privacy Impact Assessment(s) or relevant risk assessments undertaken by Customs and Border Protection on its PNR system;
  • copies of any forms or brochures relevant to the collection of PNR data;
  • summary information around any relevant computer systems documentation and/or specifications including systems security and any IT Security Policy in relation to the PNR Data;
  • copies of any staff instructions/memorandums addressing the Act and/or information security;
  • details of any staff training concerning the Act and the handling of PNR data in Customs and Border Protection, including a copy of any training material presented to participants.

Audit opinion

2.21 The recommendation arising from this audit is outlined in Section 4 of this report.

2.22 The audit revealed that Customs and Border Protection generally manages PNR data in its pre-arrival risk assessment in accordance with the IPPs in the Act. Consequently, the opinion of the audit team was that Customs and Border Protection was compliant in meeting its obligations under the Act.

Follow up review

2.23 It is the intention of the Office to undertake on-going audits of Customs and Border Protection's handling of PNR data in accordance with the Agreement between Customs and Border Protection and the Office.

Reporting

2.24 Completed audit reports of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Privacy Commissioner's web site (available at http://www.privacy.gov.au/law/apply/audit).

2.25 Findings and recommendations from IPP audits that are considered relevant to good privacy practice across the public sector generally are also discussed in the Office of the Privacy Commissioner's Annual Report.

Part 3 - Audit issues

A copy of the IPPs is provided at Appendix A.

IPP 1-3 issues - Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

3.1 The auditors noted that Customs and Border Protection collects PNR data directly from airlines. The auditors observed PAU Officers use QIK Analysis to retrieve PNR data from airlines' flight manifests.

3.2 The auditors noted that Customs and Border Protection can only access PNR data for future flights. After a flight has arrived at the border, the airline's PNR data is only generally available to Customs and Border Protection through QIK Analysis for approximately 48 hours. After this time, Customs and Border Protection can no longer access the PNR data through QIK Analysis. Requests for PNR data after this time have to be made specifically to the airline.

3.3 The auditors noted that Customs and Border Protection, in practice, does not retrieve the PNR data from every flight to Australia. PNR data is retrieved from flights pre-determined by Customs and Border Protection to be subject of screening. Additional flights may, however, also be screened.

3.4 Of flights that are screened, QIK Analysis can apply a risk assessment to the PNR data on those flights and produce a list of PNRs that are higher risk. QIK Analysis does its risk assessment based on instructions entered into QIK Analysis by Customs and Border Protection.

3.5 PAU Analysts manually assess the PNR data from the list produced by QIK Analysis using a range of other information, for example immigration, intelligence and other law enforcement data. In some cases, PAU Analysts may screen an entire flight.

3.6 When screening a flight, PNR data that is not of interest to Customs and Border Protection is immediately deleted by the PAU Analyst. Customs and Border Protection does not keep a copy of information that is deleted.

3.7 If an alert is raised on a passenger by the PAU as a result of the pre-arrival screening, the PNR data of that passenger is printed and placed in a file. Once the PAU is aware of the result of this alert, this PNR data is disposed of in a secure destruction bin. The auditors observed that typically this means the PNR data is retained for not more than a few days.

3.8 The auditors observed that the only PNR data that is retained long term by Customs and Border Protection is PNR data associated with passengers who commit an offence. This is stored electronically on the PAU Local Area Network (LAN) and hard copy on file.

3.9 The auditors noted that the collection of PNR data is lawful under section 64AF of the Customs Act 1901 (Cth). Section 64AF obliges airlines to provide authorised officers of Customs and Border Protection ongoing access to their PNR data on request of the CEO of Customs and Border Protection.

3.10 As Customs and Border Protection is not collecting PNR data directly from the individual concerned, IPP 2 does not apply to the collection of PNR data.

Privacy issues

3.11 There were no specific issues identified in the audit in relation to the collection of PNR data by Customs and Border Protection.

IPP 4 issues - storage and security of personal information

IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

3.12 The auditors observed that the PAU Officers are all located in one room in Customs House in Canberra. The auditors noted that access to the PAU area is restricted to individuals with swipe card access. The auditors noted that there are three doors that require a swipe card to open before entering the PAU area.

3.13 The auditors noted that swipe card access to the PAU area is limited to individuals in Customs and Border Protection who need to access the area. Individuals who require access to the PAU area on a non-ongoing basis must be escorted by someone with access.

3.14 The auditors noted that access is further broken down into those individuals who have unrestricted access 24 hours a day seven days a week and those that are given business hours only access. The auditors noted that as at December 2008 approximately 70 staff in Customs and Border Protection had access to the PAU area.

3.15 The auditors noted that the swipe card access is audited by Customs and Border Protection. The auditors noted that the last two audits of swipe card access to the PAU area were done in June 2008 and December 2008. On both of these occasions individuals who did not have a need to access the PAU area had their swipe card access removed. The auditors were advised that audits of swipe card access have previously been done ad hoc but Customs and Border Protection plans to undertake an audit of swipe card access every six months.

3.16 The auditors noted that access to the QIK Analysis System is limited to certain individuals in Customs and Border Protection. To be granted access to this system, the individual must have the appropriate delegation under section 64AF of Customs Act 1901 (Cth). The CEO of Customs and Border Protection is the only person in Customs and Border Protection who can authorise the section 64AF delegations.

3.17 The auditors noted that an audit of the section 64AF delegations was done in February 2009. This audit revealed that some individuals had section 64AF delegation who do not require access to PNR data. An instrument was being drafted to revoke this delegation. The auditors noted that despite having the delegation these individuals did not have access to the PNR data.

3.18 The auditors noted that as at February 2009 it appeared that approximately 58 individuals in Customs and Border Protection had section 64AF delegation. The auditors noted that there are 6 officers from the Department of Immigration and Citizenship who have section 64AF delegation. These Officers are currently Acting Officers of Customs and Border Protection. There are also nine contractors in non-ongoing positions in Customs and Border Protection who have section 64AF delegation.

3.19 The auditors noted that there were four levels of access to QIK Analysis: 1) User 2) Supervisor 3) Manager and 4) Developer. The PAU Supervisor and PAU Manager are the only Customs and Border Protection staff with manager access level in QIK Analysis to grant new staff access to the application.

3.20 To gain access to QIK Analysis, an email must be sent to the Manager PAU requesting access. The Manager will determine if the person has a need to access PNR data and will check to make sure the individual has the section 64AF delegation. If satisfied that access to QIK Analysis should be granted, the individual is then given a user identification and password.

3.21 The auditors noted that Customs and Border Protection has a clearance form that must be completed when an individual ceases work at Customs and Border Protection which includes checking mechanisms to ensure access to QIK Analysis is removed.

3.22 The auditors noted that QIK Analysis resides on a dedicated special purpose LAN. It has an encrypted connection to SITA.

3.23 The auditors observed that to log on to computers in the PAU staff had a user name and password. The password was a minimum of 8 characters in length. Staff were prompted for a further user name and password to log on to QIK Analysis. This password was also a minimum of 8 characters in length. The auditors also noted that three airlines had their own user names and passwords to access their computer reservation systems and departure control systems.

3.24 The auditors noted that PAU staff are issued with 'VASCO tokens' that enable staff remote access to customs information systems. The auditors noted that there are strict instructions surrounding the use of VASCO tokens including limiting use to secure environments. PAU Officers had to sign an acknowledgment in June 2008 re-confirming their acknowledgment of the instructions. In practice, the PAU limits use of VASCO tokens to cases of emergency. Use of VASCO tokens is audited.

3.25 The auditors observed a PAU Officer raise an alert on a high risk passenger. The auditors observed that the PAU Officer extracted relevant information from the PNR data and used it to type up a brief summary of the alert on a one page template. The auditors observed that summary being sent by facsimile to the arrival airport for further action.

3.26 The PNR data of the high risk passenger was then printed and placed in a folder. Customs and Border Protection Officers at the arrival airport will advise the PAU via email over the Customs and Border Protection network of the outcome of any further action on the high risk passenger. Once the PAU Officer who raised the alert is aware of this outcome, the printed PNR data in the folder is disposed of in a secure destruction bin. The auditors noted that this typically means the printed PNR data is kept for not more than 4 days.

3.27 The auditors noted that the only PNR data that is kept long term is PNR data that is associated with passengers who commit an offence. The auditors observed that an electronic record of this data is kept on the dedicated PAU LAN. A hard copy of the PNR data is stored in a locked cabinet that is also in a locked room.

Privacy issues

3.28 The transmission of PNR information from the PAU to the arrival airport by ordinary facsimile when raising an alert on a high risk passenger was identified as a security risk by the Office in an audit conducted on PNR data in 2003. In response, Customs and Border Protection advised that a secure facsimile machine was installed in the PAU and action was being taken to install secure facsimile machines in all airport control rooms.

3.29 In an audit on PNR data conducted by this Office in 2004, the Office noted that technical difficulties had meant that the secure facsimile transmission of PNR information from the PAU to arrival airports was not yet operational. The Office recommended that Customs and Border Protection take steps to ensure that the PNR data contained in alerts is transmitted from the PAU to the airport by secure means. Customs and Border Protection advised that it was continuing to work to resolve these technical issues.

3.30 The auditors observed in the current audit that the PAU continues to send PNR data to airports via ordinary facsimile. IPP 4(a) requires agencies to protect personal information by such security safeguards as it is reasonable in the circumstances to take against loss, unauthorised access, use, modification, disclosure and other misuse. As this Office noted in the audits in 2003 and 2004, the transmission of PNR data by ordinary facsimile presents a security risk in the mode of transmission.

3.31 Customs and Border Protection staff advised the auditors during the fieldwork of this audit that Customs and Border Protection is implementing changes to address this issue. The auditors noted some changes are already in operation with airports now emailing the response to an alert back to the PAU through the Customs and Border Protection network rather than sending by ordinary facsimile.

Recommendation

3.32 That Customs and Border Protection ensures that PNR data being sent from the PAU to arrival airports is protected by reasonable security safeguards to protect the information from loss, unauthorised access, disclosure and other misuse.

IPP 5 issues - Information relating to records kept by record-keeper

IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.

IPP 5.3 and 5.4 also require that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds. The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. This listing is known as Customs' Personal Information Digest (PID).

Observations

3.33 The auditors noted that Customs and Border Protection's PID is available on this Office's website at: http://www.privacy.gov.au/materials/types/pids?sortby=62.

3.34 The auditors noted that the section numbered 25 in Customs and Border Protection's 2008 PID records that Customs and Border Protection holds passenger records for the purpose of profiling and targeting persons and/or aircraft that may present a threat to the integrity of Australia's borders. The PID records who in Customs and Border Protection has access to this information and who it may be disclosed to.

Privacy issues

3.35 There were no specific issues identified in the audit in relation to access to PNR data.

IPP 6 Issues - Access to records containing personal information

IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.36 The auditors noted that Customs and Border Protection's PID contains contact details for individuals wishing to obtain access to passenger records. This includes a telephone number for Customs and Border Protection's Privacy Contact Officer and Freedom of Information (FOI) Coordinator.

3.37 The auditors also noted that Passenger Policy deals with FOI requests which may involve a request for PNR data.

Privacy issues

3.38 There were no specific issues identified in the audit in relation to access to PNR data.

IPP 7 Issues - Alteration of records containing personal information

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading. 

Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Privacy issues

3.39 There were no specific issues identified in the audit in relation to IPP 7.

IPP 8 Issues - Record-keeper to check accuracy etc. of personal information before use

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observation

3.40 The auditors observed that before raising an alert on a passenger and notifying the arrival airport, PAU Officers use various other intelligence data in addition to PNR data to assess the risk of a passenger and check accuracy and completeness of the PNR data.

Privacy issues

3.41 There were no specific issues identified in the audit in relation to the accuracy of PNR data before use.

IPP 9 - Personal information to be used only for relevant purposes

IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Privacy issues

3.42 There were no specific issues identified in the audit in relation to Customs and Border Protection using PNR data for irrelevant purposes.

IPP 10-11 - Limits on use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

Observations

3.43 The auditors noted that Customs and Border Protection limited the use of the PNR data during the pre-arrival risk assessment process to the purpose for which it was collected. This included using the PNR data to conduct pre-arrival risk assessments of passengers travelling to or through Australia, raising alerts and monitoring high risk passengers and studying certain PNR information for future profiling and risk assessments.

3.44 The auditors did not observe any disclosures of personal information that occur during the pre-arrival risk assessment process.

3.45 The auditors are aware that PAU Officers respond to Requests For Information (RFIs) from within Customs and Border Protection and from external agencies which involves the use and disclosure of PNR data. However, RFIs were not considered within the scope of this audit.

Privacy issues

3.46 There were no specific issues identified in the audit in relation to the use and disclosure of PNR data during the pre-arrival risk assessment process.

Other Privacy Issues - Privacy Training

Observations

3.47 The auditors noted all new staff to Customs and Border Protection must undertake induction training which includes a session on the Privacy Act. The auditors also noted that staff undertake ongoing refresher training which means staff usually undertake further Privacy Act training every 12 months.

3.48 The auditors noted that compliance with relevant legislation, like the Privacy Act, is built into Customs and Border Protection's staff performance assessments. Also a part of performance assessments is compulsory online training modules that staff must complete. These modules, while not specific to the Privacy Act, cover issues like security, disclosure of official information and responsible record keeping.

3.49 The auditors noted that PAU staff also undertake specific PNR training which includes training on section 64AF of the Customs Act 1901 (Cth) and section 16 of the Customs Administration Act 1985 (Cth). Section 16 of the Customs Administration Act 1985 (Cth) also imposes obligations on Customs and Border Protection Officers' handling of information which includes PNR data.

3.50 The auditors observed on the audit that there is a strong culture in the PAU regarding the importance of the security of PNR data....

Privacy issues

3.51 There were no specific issues identified in the audit in relation to Customs and Border Protection privacy training.

Part 4 - Summary of recommendations

4.1 That Customs and Border Protection ensures that PNR data being sent from the PAU to arrival airports is protected by reasonable security safeguards to protect the information from loss, unauthorised access, disclosure and other misuse.

Auditee response

The auditee accepted this recommendation and did not make any further comments.

Appendix A - Information Privacy Principles

Principle 1 - Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

  • (a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
  • (b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 - Solicitation of personal information from individual concerned

Where:

  • (a) a collector collects personal information for inclusion in a record or in a generally available publication; and
  • (b) the information is solicited by the collector from the individual concerned:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

  • (c) the purpose for which the information is being collected;
  • (d) if the collection of the information is authorised or required by or under law ‑ the fact that the collection of the information is so authorised or required; and
  • (e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 - Solicitation of personal information generally

Where:

  • (a) a collector collects personal information for inclusion in a record or in a generally available publication; and
  • (b) the information is solicited by the collector:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

  • (c) the information collected is relevant to that purpose and is up to date and complete; and
  • (d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 - Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

  • (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  • (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 - Information relating to records kept by record-keeper

1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

  • (a) whether the record-keeper has possession or control of any records that contain personal information; and
  • (b) if the record-keeper has possession or control of a record that contains such information:
    • (i) the nature of that information
    • (ii) the main purposes for which that information is used; and
    • (iii) the steps that the person should take if the person wishes to obtain access to the record.

2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3. A record-keeper shall maintain a record setting out:

  • (a) the nature of the records of personal information kept by or on behalf of the record-keeper
  • (b) the purpose for which each type of record is kept
  • (c) the classes of individuals about whom records are kept
  • (d) the period for which each type of record is kept
  • (e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
  • (f) the steps that should be taken by persons wishing to obtain access to that information.

4. A record-keeper shall:

  • (a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
  • (b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 - Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 - Alteration of records containing personal information

1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

  • (a) is accurate; and
  • (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:

  • (a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
  • (b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 - Record-keeper to check accuracy etc of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 - Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 - Limits on use of personal information

1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

  • (a) the individual concerned has consented to use of the information for that other purpose
  • (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person
  • (c) use of the information for that other purpose is required or authorised by or under law
  • (d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
  • (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11 - Limits on disclosure of personal information

1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

  • (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency
  • (b) the individual concerned has consented to the disclosure
  • (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
  • (d) the disclosure is required or authorised by or under law; or
  • (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
