Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Compliance | Law enforcement and national security

Passenger Name Records (PNR data) Audit Report No 2

document icon pdf (693.17 KB)

Section 27(1)(h) Privacy Act 1988

Passenger Name Records (PNR data) No.2

Australian Customs and Border Protection Service

Final audit report

Information Privacy Principles audit

Audit undertaken: June 2009

Draft report issued: December 2009

Final report issued: January 2010

Classification of Content

This is an unclassified version of the final audit report completed in January 2010. The report has been amended to withhold some details regarding sensitive law enforcement processes. These details were withheld, as requested by Australian Customs and Border Protection Service, to protect the integrity of Australia's border control processes. No amendments have been made to the findings and best practice suggestions of the report.

Contents

Part 1 - Introduction
- Background
Part 2 - Description of audit
Part 3 - Audit issues
IPP 1-3 issues - Collection of personal information
IPP 4 issues - storage and security of personal information
IPP 5 issues - information relating to records kept by record-keeper
IPP 6 Issues - Access to records containing personal information
IPP 7 Issues - Alteration of records containing personal information
IPP 8 Issues - Record-keeper to check accuracy etc. of personal information before use
IPP 9 - Personal information to be used only for relevant purposes
IPP 10-11 - Limits on use and disclosure of personal information
Other Privacy Issues - Privacy Training
Part 4 - Summary of Best Practice Privacy Suggestion
Appendix A - Information Privacy Principles

Part 1 – Introduction

Background

1.1 An Agreement exists between the Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Privacy Commissioner (the Office). The Agreement is intended to ensure the provision of a regular audit program for Customs and Border Protection's use of Passenger Name Records (PNR data).

1.2 Under the terms of the Agreement, the Office conducts two audits per financial year of Customs and Border Protection's handling of PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).

1.3 The first audit was conducted in February 2009 of Customs and Border Protection's handling of PNR data during its pre-arrival risk assessment process.

1.4 This audit is the second audit under the Agreement for the 2008-2009 financial year.

Part 2 – Description of audit

Purpose

2.1 The purpose of the audit was to ascertain Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act, specifically in relation to its handling of PNR data.

Scope

2.2 The audit focussed on assessing Customs and Border Protection's compliance with the IPPs in handling requests for information for PNR data internally from other areas of Customs and Border Protection and from third parties. The audit involved a review of Customs and Border Protection's policies and procedures for the collection, storage, use and disclosure of PNR data during this process. Enquiries were also made regarding information technology matters and staff training procedures.

Timing and location

2.3 The audit was conducted on 17 and 18 June 2009 at Customs House, 5 Constitution Avenue, Canberra, Australian Capital Territory (ACT).

Description of Auditee

2.4 Customs and Border Protection is the primary border protection agency in Australia. It manages the security and integrity of Australia's borders. It works closely with other government and international agencies to detect and deter unlawful movement of goods and people across the border. Some of those other agencies are the Australian Federal Police (AFP), the Australian Quarantine and Inspection Service (AQIS), the Department of Immigration and Citizenship (DIAC) and the Department of Defence (DoD).

2.5 Customs and Border Protection employs more than 5,500 people nationally in Australia and overseas. Its National Office is in Canberra.

2.6 Customs and Border Protection runs three main programs: the Passenger and Trade Facilitation Program, the Border Enforcement Program and Corporate Operations Program.

2.7 Among other activities it intercepts illegal drugs and firearms, targets high-risk aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection also has a fleet of ocean-going patrol vessels and contracts two aerial surveillance providers for civil maritime surveillance and response.

Description of Passenger Analysis Unit

2.8 One of Customs and Border Protection's border protection activities is its pre-arrival risk assessment of passengers travelling to or in transit through Australia. Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious crimes that are transnational in nature, for example, money laundering, drugs importation, weapons trafficking and people smuggling/trafficking.

2.9 The Passenger Analysis Unit (PAU) in Customs and Border Protection conducts pre-arrival risk assessments of passengers using PNR data. The PAU also responds to requests for PNR data from other areas of Customs and Border Protection (internal requests) and from other agencies, such as the AFP (external requests). These internal and external requests for PNR data are referred to as Requests For Information, or RFIs, and are the focus of this audit.

2.10 PNR data is information about airline passengers that is held by airlines on their computer reservation system and departure control system. PNR data includes such information as:

PNR locator code;
passenger name(s);
passport number;
nationality;
details of travel companions;
frequent flyer information;
ticketing information; date of reservation/issue of ticket; itinerary; alterations made to booking;
contacts; payments/billing; travel agent details;
special request/service information;
number of bags; weight of bags;
seat allocation.

2.11 Customs and Border Protection may provide any of this information (depending on what has been requested) in response to an RFI.

2.12 PAU Officers electronically access the computer reservation systems and departure control systems of airlines and retrieve PNR data. As of June 2009 the PAU had access to 33 airlines PNR data. PAU Officers use this information together with a range of other information (for example immigration, intelligence and other law enforcement data) to screen passengers prior to arrival to Australia and assist in identifying those passengers that may pose a risk to the border.

2.13 The PAU uses an application called QIK Analysis to access and analyse PNR data. The QIK Analysis application provides Customs and Border Protection with the capability to connect and retrieve information from the computer reservation systems and departure control systems of international airlines. It also has the capability to automatically analyse the information returned from each of the airlines against risk profiling information.

2.14 The PAU conducts "On-going Research" and automatic PNR monitoring on behalf of regional Customs and Border Protection Officers and external agencies. On-going Research is the process of looking for a Person of Interest's airline booking using QIK analysis. The research is conducted without the flight date and/or flight number and/or airline details.

2.15 redacted

2.16 The PAU consists of four teams of six analysts which includes a team supervisor in each team. The PAU operates 24 hours a day seven days a week. These teams are supported by four Planning and Targeting Officers. These staff in the PAU have direct access to PNR data.

2.17 The auditors also spoke with Customs and Border Protection staff from Passenger Enabling Services, Passenger Policy and Training Standards and PACE Alert Management.

2.18 Passenger Enabling Services consist of 12 staff and provides technical and Information Technology support to the PNR system and the PAU. Staff in Passenger Enabling Services have access to PAU production and development systems and some have access to QIK Analysis. Staff generally only work with de-identified PNR data.

2.19 Passenger Policy consists of ten staff and provides policy and other legislative support to the PAU. Staff in Passenger Policy do not have direct access to PNR data.

2.20 Training Standards and PACE Alert Management provides training to PAU staff and conducts compliance audits. These staff have access to QIK Analysis.

Information obtained prior to the audit

2.21 The following documentation was provided by Customs and Border Protection prior to the commencement of the Office's audit of its pre-arrival risk assessment processes in February 2009:

a current organisation chart and office locations for the relevant areas of Customs and Border Protection that handle PNR data;
an outline of personal information data flows within Customs and Border Protection as it relates to the handling of PNR data;
an outline of personal information data flows to external third parties as it relates to the handling of PNR data;
details of who within Customs and Border Protection has access to PNR data and access limitations in place;
details of audit trails of access to this information;
any Privacy Impact Assessment(s) or relevant risk assessments undertaken by Customs and Border Protection on its PNR system;
copies of any forms or brochures relevant to the collection of PNR data;
summary information around any relevant computer systems documentation and/or specifications including systems security and any IT Security Policy in relation to the PNR Data;
copies of any staff instructions/memorandums addressing the Act and/or information security;
details of any staff training concerning the Act and the handling of PNR data in Customs and Border Protection, including a copy of any training material presented to participants.

2.22 The auditors considered these materials in this audit of Customs and Border Protection's RFI processes.

Information obtained during the audit

2.23 The following documentation was received from Customs and Border Protection during the audit:

An outline of personal information data flows within Customs and Border Protection as it relates to RFIs;
A copy of a PNR Monitoring Request pro forma template;
A copy of a pro forma template used by the Transnational Sexual Exploitation Team (TSET) in the AFP when requesting information from the PAU;
A copy of the PAU Standard Operating Procedures (SOPs) for:
- Requests for Information (SOP no. 16);
- International Enquiries (SOP no. 5);
- Dissemination of Passenger Lists (SOP no. 27); and
- On-Going Research/Auto PNR Monitoring (SOP no. 30).

Audit opinion

2.24 The recommendation arising from this audit is outlined in Section 4 of this report.

2.25 The audit revealed that Customs and Border Protection generally manages requests for PNR data internally from other areas of Customs and Border Protection and from third parties in accordance with the IPPs in the Act. Consequently, the opinion of the audit team was that Customs and Border Protection was compliant in meeting its obligations under the Act.

2.26 The auditors made a ‘Best Privacy Practice Suggestion' for Customs and Border Protection's RFI processes. This suggestion does not necessarily arise out of actual risks to personal information but is suggested as a best practice privacy control to promote compliance with the Act.

2.27 Section 4 in this report lists the best privacy practice suggestion.

Follow up review

2.28 It is the intention of the Office to undertake on-going audits of Customs and Border Protection's handling of PNR data in accordance with the Agreement between Customs and Border Protection and the Office.

Reporting

Completed audit reports of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Privacy Commissioner's web site (available at. http://www.privacy.gov.au/law/apply/audit#reports).

2.29 Findings and recommendations from IPP audits that are considered relevant to good privacy practice across the public sector generally are also discussed in the Office of the Privacy Commissioner's Annual Report.

Part 3 – Audit issues

A copy of the IPPs is provided at Appendix A.

IPPs 1-3 Issues - Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

3.1 The auditors observed a number of PAU Officers processing RFIs.

3.2 The AFPs TSET has a standard template it completes when making a RFI to PAU. The template provides for personal information such as name, date of birth, passport number and reason for the request. Other RFIs from other agencies, including other sections of the AFP, have no standard template. The auditors received a copy of the TSET standard form.

3.3 The auditors observed a Customs and Border Protection PAU Officer processing a request from TSET. TSET make the requests via email, which is addressed to the PAU Mailbox with the completed form as an attachment. External agencies know this is the email address to address RFIs. The PAU Officer marked the email request with a flag to indicate it has been examined by a PAU Officer (and is marked with a tick once the request has been completed).

3.4 The auditors were informed that the majority of external requests are received by email, although only TSET has a standard form. Other requests from the AFP, for example, will generally be sent to the PAU by the AFP Customs and Border Protection Liaison Officer. While email is the preferred form for the RFIs, the telephone is occasionally used for external requests if the matter is time critical. AFP staff have their own caller identification numbers, which they provide Customs and Border Protection if they make phone requests.

3.5 In responding to RFI requests, PAU Officers electronically access the computer reservation systems and departure control systems of airlines and retrieve PNR data. PAU Officers then use this information to respond to RFIs. The PNR data is collected from the airlines for a lawful purpose directly related to the PAU's functions and activities, in accordance with IPP 1.

3.6 When Customs and Border Protection receives an RFI request from an external agency, Customs and Border Protection is not collecting PNR data directly from the individual concerned. Therefore IPP 2 does not apply with regards to RFI requests.

3.7 Customs and Border Protection collect information direct from airlines for the purpose of responding to RFIs. The auditors consider that Customs and Border Protection is taking reasonable steps to ensure the information is relevant to this purpose and that the information is up to date and complete. The auditors consider this is consistent with Customs and Border Protection's obligations under IPP 3.

Privacy issues

3.8 There were no specific issues identified in the audit in relation to the collection of personal information by Customs and Border Protection.

IPP 4 Issues - Storage and security of personal information

IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

Physical security

3.9 The auditors observed that the PAU Officers are all located in one room in Customs House in Canberra. The auditors noted that access to the PAU area is restricted to individuals with swipe card access. The auditors noted that there are three doors that require a swipe card to open before entering the PAU area.

3.10 The auditors noted that the swipe card access is audited by Customs and Border Protection. The auditors were advised the last audit of swipe card access to the PAU area was carried out in December 2008. As a result of this audit, individuals that did not have a need to access the PAU area had their swipe card access removed. The auditors were advised that audits of swipe card access have previously been done ad hoc but Customs and Border Protection plans to undertake swipe card access audits every six months.

3.11 Telephone RFIs are logged and recorded in an access speadsheet. This spreadsheet is printed out and archived regularly. It is kept in the secure PAU room at all times. The only instance when PAU Officers are not present in the PAU Room is in the event of a fire alarm, in which case the access spreadsheet is securely locked away.

3.12 The auditors noted that some PAU officers printed out hard copies of the RFIs. However these printouts were put in the PAU shredder at the end of the Officer's shift. Printouts did not leave the PAU secured room. The responses of the PAU Officers to the RFI were not printed out. In general the auditors noted that hard copy of data in the PAU is very minimal.

3.13 The auditors also noted that statistics of shift records are recorded every day. These statistics record the number of RFIs responded to by the PAU Officers. No personal information is included in these statistics.

IT security

3.14 The auditors noted that access to the QIK Analysis System is limited to certain individuals in Customs and Border Protection. To be granted access to this system, the individual must have the appropriate delegation under section 64AF of the Customs Act 1901 (Cth) (the Customs Act). The CEO of Customs and Border Protection is the only person in Customs and Border Protection who can authorise the section 64AF delegations.

3.15 redacted

3.16 The auditors noted that the email requests are protected through Fedlink. Emails from external agencies are classified as "in confidence". Email requests from Customs and Border Protection officers have a classification of "protected" and are protected by the secure Customs and Border Protection server.

Steps to prevent unauthorised disclosure

3.17 redacted

3.18 Access to passenger information is limited to the investigation of serious criminal offences under the Customs Act and Commonwealth legislation. The auditors noted that one external email request did not include a reference to the suspected serious criminal offence being investigated. The PAU Officer replied immediately to the requesting Officer asking for details of the suspected offence, if any, before acting any further.

Privacy issues

3.19 There were no specific issues identified in the audit in relation to the storage and security of PNR data.

IPP 5 - Information relating to records kept by record-keeper

IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.

IPP 5.3 and 5.4 also requires that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds. The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. This listing is known as Customs and Border Protection's Personal Information Digest (PID).

Observations

3.20 The auditors noted that Customs and Border Protection's PID is available on this Office's website at: http://www.privacy.gov.au/materials/types/pids?sortby=62.

3.21 The auditors noted that the section numbered 25 in Customs and Border Protection's 2008 PID records that Customs and Border Protection holds passenger records for the purpose of profiling and targeting persons and/or aircraft that may prevent a threat to the integrity of Australia's borders. The PID records who in Customs and Border Protection has access to this information and who it may be disclosed to.

Privacy issues

3.22 There were no specific issues identified in the audit in relation to Customs and Border Protection's PID as it relates to PNR data.

IPP 6 Issues - Access to records containing personal information

IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.23 The auditors noted that Customs and Border Protection's PID contains contact details for individuals wishing to obtain access to passenger records. This includes a telephone number for Customs and Border Protection's Privacy Contact Officer and Freedom of Information (FOI) Coordinator.

3.24 The auditors also noted that Passenger Policy respond to FOI requests which may involve a request for PNR data, including RFIs. The auditors were advised that Customs and Border Protection had not received any FOI requests from individuals for access to their information relating to RFIs.

Privacy issues

3.25 There were no specific issues identified in the audit in relation to access to PNR data in the RFI process.

IPP 7 Issues - Alteration of records containing personal information

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.

Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Privacy issues

3.26 There were no specific issues identified in the audit in relation to the alteration of personal information in the RFI process

IPP 8 Issues - Record-keeper to check accuracy etc. of personal information before use

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Privacy issues

3.27 There were no specific issues identified in the audit in relation to the accuracy of PNR data before use.

IPP 9 - Personal information to be used only for relevant purposes

IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Privacy issues

3.28 There were no specific issues identified in the audit in relation to Customs and Border Protection using PNR data only for relevant purposes.

IPPs 10-11 - Limits on use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that a where personal information is disclosed under IPP 11 the person, body or agency is not shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Observations

3.29 The auditors observed a number of PAU Officers processing RFIs.

3.30 redacted

3.31 redacted

3.32 redacted

3.33 redacted

3.34 redacted

3.35 redacted

3.36 redacted

3.37 The auditors noted that all email responses to RFIs included a PAU Disclosure Caveat at the bottom of the email that reads in part:

****The recipient is NOT authorised to further disclose this email or its contents to third parties without the permission of the Passenger Analysis Unit.****

When the request involves a flight connected with the European Union, the email response includes a European Union caveat.

3.38 The AFP (or another external agency) may request Customs and Border Protection's consent to disclose the PNR data collected to a third party. Customs and Border Protection normally receives this type of request to disclose to a third party after the AFP (or other agency) has received the PNR information requested. Only Level Three Customs and Border Protection Officers have the delegation to grant a request to an agency to disclose PNR data to a third party. The auditors were informed that TSET do not need to ask Customs and Border Protection for consent as there are treaties in place that obliges TSET to disclose certain types of information to specific third parties.

3.39 The auditors note that, in these circumstances, Customs and Border Protection discloses this information to the AFP (or other external agency) for the primary purpose of law enforcement. The auditors note that any subsequent use or disclosure by the AFP (or other external agency) of this information under, for example, an applicable treaty would need to be consistent with this primary purpose to meet the IPP 11.3 obligation.

Automated monitoring and file requests

3.40 redacted

3.41 redacted

3.42 redacted

3.43 redacted

3.44 The auditors noted that PNR data was only used and disclosed for relevant purposes.

Privacy issues

3.45 When a PAU Officer uploads PAU data into a NIS file, there is a risk that when a second agency (such as the AFP) accesses the PNR data from NIS at a later date, it may be used by that agency for a purpose other than the purpose for which the information was provided by Customs and Border Protection. If such a situation occurred, there is a risk the second agency may be in breach of its IPP 11.3 obligations.

3.46 A measure to ensure other agencies do not use PNR data for a purpose other than the purpose for which the information was given to it may be to put a caveat (similar to the PAU Disclosure Caveat) under any PNR data uploaded to the NIS system reminding agencies of their IPP 11.3 obligations under the Privacy Act.

Best Privacy Practice Suggestion

3.47 That Customs and Border Protection take steps to ensure that any PNR data disclosed to third parties has with it clear instructions on conditions surrounding the use of that information by third parties, including the primary purpose for which the information has been provided and the receiving agency's obligations under IPP11.3. This may include steps such as a caveat under any PNR data uploaded to the NIS system specifying the primary purpose and reminding third parties of its IPP11.3 obligations.

Other Privacy Issues

Audits

3.48 redacted

3.49 The auditors were also aware from this Office's audit of PNR data during its pre-arrival risk assessment process (undertaken in February 2009) that PAU staff are issued with ‘VASCO tokens' that enable staff remote access to Customs and Border Protection's information systems. The auditors noted no change in procedures and no audits had occurred with regards to VASCO tokens since this Office's February 2009 audit.

Training

3.50 The auditors were informed three new Officers have joined the PAU since the Office's audit of the PAU in February 2009. All new employees have had on-the-job training, however formal training involving section 16 of the Customs Administration Act 1985, section 64AF of the Customs Act, and the Privacy Act 1988 had yet to be arranged.

3.51 The auditors also observed on the audit that there is a strong culture in the PAU of the importance of the security of PNR data.

Part 4 – Summary of Best Practice Privacy Suggestion

4.1 That Customs and Border Protection take steps to ensure that any PNR data disclosed to third parties has with it clear instructions on conditions surrounding the use of that information by third parties, including the primary purpose for which the information has been provided and the receiving agency's obligations under IPP11.3. This may include steps such as a caveat under any PNR data uploaded to the NIS system specifying the primary purpose and reminding third parties of its IPP11.3 obligations.

Auditee response

The auditee accepted this suggestion.

Appendix A – Information Privacy Principles

Principle 1 – Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 – Solicitation of personal information from individual concerned

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector from the individual concerned:
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:
(c) the purpose for which the information is being collected
(d) if the collection of the information is authorised or required by or under law ‑ the fact that the collection of the information is so authorised or required; and
(e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 – Solicitation of personal information generally

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector:
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:
(c) the information collected is relevant to that purpose and is up to date and complete; and
(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 – Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 – Information relating to records kept by record-keeper

1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

(a) whether the record-keeper has possession or control of any records that contain personal information; and
(b) if the record-keeper has possession or control of a record that contains such information:
- (i) the nature of that information
- (ii) the main purposes for which that information is used; and
- (iii)the steps that the person should take if the person wishes to obtain access to the record.

2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3. A record-keeper shall maintain a record setting out:

(a) the nature of the records of personal information kept by or on behalf of the record-keeper
(b) the purpose for which each type of record is kept
(c) the classes of individuals about whom records are kept
(d) the period for which each type of record is kept
(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
(f) the steps that should be taken by persons wishing to obtain access to that information.

4. A record-keeper shall:

(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 – Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 – Alteration of records containing personal information

1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a) is accurate; and
(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:

(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 – Record-keeper to check accuracy etc of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 – Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 – Limits on use of personal information

1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose
(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person
(c) use of the information for that other purpose is required or authorised by or under law
(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11 – Limits on disclosure of personal information

1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency
(b) the individual concerned has consented to the disclosure
(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.