Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

  • On this page

Commencement date: 15 November 2017

Please note the variations commencing 8 May 2019 and 30 June 2020 between the Department of Home Affairs and the Office of the Australian Information Commissioner.

Memorandum of Understanding between the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘OAIC’) for the provision of privacy assessments in relation to the National Facial Biometric Matching Capability (‘NFBMC’)

This Memorandum of Understanding (MOU) provides for the funding arrangements between the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘OAIC’) for the provision of privacy assessments by the OAIC in relation to the National Facial Biometric Matching Capability (‘NFBMC’).

1. Parties

1.1 The Parties to this MOU are the Attorney-General’s Department (‘AGD’) and the Office of the Australian Information Commissioner (‘the OAIC’).

2. Commencement and term

2.1 This MOU commences on the date it is signed by both Parties to this MOU and will continue until 31 December 2019 unless this MOU is extended in accordance with clause 15.

3. About the Attorney-General’s Department

3.1 AGD is the Australian Government agency leading development and implementation of the NFBMC.

3.2 AGD manages the Interoperability Hub (‘the Hub’), which acts as a router to facilitate the secure and auditable exchange of biometric data between Commonwealth, State and Territory agencies participating in the NFBMC.

3.3 The Hub supports the following Face Matching Services:

  • the Face Verification Service (FVS) which enables searching or matching of facial images on a one-to-one basis to help verify the identity of a known person
  • the Face Identification Service (FIS) which enables agencies to search or match images on a one-to-many or one-to-few basis to help determine the identity of a known or unknown person, or to detect instances where a person may hold multiple fraudulent identities.

3.4 Other Face Matching Services may be added over time.

3.5 AGD will also manage a National Driver Licence Facial Recognition Solution (NDLFRS), on behalf of the states and territories, to make available driver licence images via the Face Matching Services. The NDLFRS will support the following additional matching services specific to road agencies:

  • the One Person Once Licence Service (OPOLS) to enable road agencies to match facial images within the NDLFRS to help establish the person’s identity, or to detect instances where a person holds multiple fraudulent licences in different jurisdictions
  • the Facial Recognition Analysis Utility Service (FRAUS) to enable road agencies to conduct facial biometric matching of their own data.

3.6 Agencies participating in the Face Matching Services must enter into an interagency data sharing arrangement (IDSA), based on a template developed by AGD. The IDSAs set out the terms and conditions on which the entities will share identity information and comply with privacy safeguards in accordance with their obligations under the relevant Access Policy for the Face Matching Service.

3.7 Each agency participating in the Face Matching Services must also have an MOU with AGD which sets out the terms under which personal information will be shared via the Hub and the safeguards agencies will employ to protect the information.

3.8 Over time, the IDSAs and Hub MoUs are expected to be replaced by a common Face Matching Services Participation Agreement which outlines the roles, right and obligations of all participating agencies including AGD as the operator of the Hub.

3.9 These will be complemented by an NDLFRS Hosting Agreement between AGD and the states and territories that will outline the arrangements, including privacy safeguards, for the management or personal information within the NDLFRS and the provision of facial recognition services to participating state and territory agencies.

4. About the Office of the Australian Information Commissioner

4.1 The OAIC is a statutory agency established by section 5 of the Australian Information Commissioner Act 2010 (‘AIC Act’).

4.2 The Information Commissioner is the head of the OAIC (for the purpose of the Public Service Act 1999).

4.3The Information Commissioner (‘the Commissioner’) has the privacy functions as set out under sections 9 and 10(1) of the AIC Act. Under the Privacy Act, the Commissioner has the following functions relevant to this MOU:

  1. to promote an understanding and acceptance of the Australian Privacy Principles (APPs) and the objects of those principles (s 28(1)(c));
  2. to provide advice (on request or on the Commissioner’s own initiative) to a Minister or entity about any matter relevant to the operation of the Act (s 28B(1)(a));
  3. informing the Minister of action that needs to be taken by an agency in order to comply with the APP (s 28B(1)(b));
  4. providing reports and recommendations to the Minister in relation to a matter concerning the need for, or the desirability of, legislative or administrative action in the interests of the privacy of individuals (s 28B(1)(c));
  5. to conduct an assessment of whether personal information held by an APP entity (as defined in the Privacy Act) is being maintained and handled in accordance with the APPs (s 33C); and
  6. to examine a proposed enactment that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals (s28A(2)(a)).

5. Purpose

5.1 The purpose of this MOU is to set out the operational arrangements between AGD and the OAIC by which the OAIC will conduct privacy assessments of AGD’s privacy practices in connection with the NFBMC.

5.2 This MOU specifies the Activities the OAIC agrees to undertake and the level of resources that AGD undertakes to provide to the OAIC for the period of this MOU.

5.3 AGD recognises that the OAIC must be resourced to provide dedicated specialist assistance/support to AGD and to be able to appropriately respond to relevant privacy issues in a timely way. Government funding for the NFBMC includes an allocation to AGD to meet the costs of OAIC conducting annual audits of the Interoperability Hub and NDLFRS.

5.4 This MOU also details how the Parties will work together and itemises overall principles and obligations, while taking account of the OAIC’s role as an independent adviser to the Australian Government and as an independent statutory office with regulatory functions.

5.5 This MOU will not fetter the powers conferred on the Commissioner under the Privacy Act 1988 (Cth).

5.6 The Parties agree that this MOU is neither able nor intended to create legal obligations between them and that its sole purpose is to set out the basis upon which the Activities will be performed, including funding arrangements for those Activities.

6. Definitions and interpretation

6.1 In this MOU, the following definitions apply unless the contrary intention appears:

TermDefinition

Activities

means those activities outlined in Schedule 2 to this MOU

Access policy

means the current version of the documented set of requirements approved by the Governing Body that a Participant must comply with in order to access the Service.

AGD

means the Attorney-General’s Department

APP

means the Australian Privacy Principles

Business Day

means any day other than a Saturday, Sunday or public holiday in the Australian Capital Territory or the State of New South Wales

Contact Officer

means, in relation to a Party, a person nominated under Schedule 1 of this MOU

Face Matching Services

means the Identity Matching Services that involve facial biometric matching, namely the Face Verification Service, Face Identification Service, Facial Recognition Analysis Utility Service and One Person One Licence Service.

FIS

means the Face Identification Service

FVS

means the Face Verification Service

IDSA

means the Interagency Data Sharing Arrangements entered into by participating agencies

IRAP

means the Information Security Registered Assessors Program

OAIC

means the Office of the Australian Information Commissioner

PAC

means the Program Advisory Committee

Parties/Party

means either or both AGD and OAIC as the context requires

NDLFRS

National Driver Licence Facial Recognition Solution

NFBMC

National Facial Biometric Matching Capability

6.2 In this MOU, unless a contrary intention appears:

  1. words in the singular include the plural and vice versa;
  2. if a word or phrase is defined its other grammatical forms have corresponding meanings;
  3. a reference to a schedule or attachment is a reference to a schedule or attachment to this MOU;
  4. a reference to this MOU includes these terms and conditions and any schedule or attachment;
  5. the clause headings are for convenient reference only and have no effect in limiting or extending the language of the provision to which they refer;
  6. a cross reference to a clause number is a reference to all its sub clauses; and
  7. words importing one gender include the other gender.

7. Contact Officers

7.1 Each Party nominates a Contact Officer to facilitate communication and liaison between the Parties for the purposes of this MOU. Contact Officer details are included in Schedule 1.

7.2 Each Party may, by giving notice in accordance with clause 12.2, nominate replacement or additional Contact Officers in addition to or instead of those nominated in Schedule 1.

8. Resources and activities

8.1 Under this MOU, AGD will provide to the OAIC access to premises, systems, office accommodation and key personnel to support a range of Activities undertaken by the OAIC relating to personal information privacy issues involved in the use of the NFBMC.

8.2 The range of Activities is outlined in Schedule 2.

9. Funding arrangements

9.1 Subject to provision of an invoice under clause 9.3, AGD agrees to pay the OAIC the amount specified in Schedule 2, on the dates specified in Schedule 2.

9.2 The funding referred to in clause 9.1 above and as outlined in Schedule 2 is the total funding to be paid under this MOU. This amount reflects the anticipated costs to the OAIC of undertaking the Activities and the Parties’ understanding that this is a non-commercial arrangement and that GST does not apply.

9.3 AGD will pay the amounts specified in Schedule 2 within 30 days of receipt of an invoice from the OAIC.

10. Activities of the OAIC

10.1 During the term of this MOU, the OAIC will, consistent with the priorities nominated by AGD, provide independent, expert assessments in relation to the Activities.

10.2 The OAIC will:

  1. ensure that appropriately skilled officers are available to respond, as a priority, to a request by AGD for assistance or advice, in connection with the Activities set out in Schedule 2; and
  2. respond to a request from AGD consistent with the priority nominated in accordance with clause 10.1, within a reasonable timeframe.

10.3 AGD will:

  1. ensure that all necessary information is fully accessible to the OAIC for the purposes of the OAIC undertaking the Activities; and
  2. respond within a reasonable timeframe to any specific requests by the OAIC for any information that it requires to undertake the Activities.

10.4 The Activities can be varied by both parties in accordance with the variation clause set out in clause 15.

11. Undertakings

11.1 Neither Party will represent the other Party as endorsing or approving any proposal in connection with the Activities, unless agreed in writing.

11.2 Each Party will consult the other Party prior to releasing any public document or press release in connection with the Activities which attributes a regulatory or policy position to the other Party.

11.3 Subject to clause 14, clauses 11.1 and 11.2 do not prevent a Party from making a factual public statement that accurately represents previous dealings between the Parties.

11.4 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner. The OAIC may decline to undertake an Activity that gives rise to a conflict of interest, actual or perceived. In that case the Parties will negotiate in good faith regarding an alternative Activity or a reduction in that particular Activity.

12. Giving of notices and agency names

12.1 Either Party may replace or nominate additional officers as Contact Officer(s) by giving written notice to the other Party.

12.2 If the name and functions of either of parties changes, this MOU will continue. However, the relevant party should inform the other party of the changes.

13. Confidentiality, disclosure and security

13.1 Either Party may publish this MOU on their websites or release this MOU in response to requests from Parliamentary Committees or under the Freedom of Information Act 1982.

13.2 Both Parties acknowledge that they are subject to certain legislative obligations and restrictions, including any relevant secrecy provisions under Commonwealth legislation, and that both agencies must conduct themselves under this MOU in accordance with those legislative obligations and restrictions.

14. Dispute resolution

14.1 Any dispute arising out of this MOU will be referred to the respective Parties’ Contact Officers nominated in Schedule 1 for resolution. Within five Business Days of a dispute arising, the respective Parties’ Contact Officers will commence discussions, in good faith and by direct communication, in an attempt to resolve the dispute.

15. Variation

15.1 This MOU may be varied in writing at any time with the agreement of AGD and the OAIC.

16. Notice for termination

13.1 Either Party may bring this MOU to an end by giving at least 60 Business Days’ notice in writing and addressed to a Contact Officer nominated in Schedule 1.

16.2 If this MOU is brought to an end under clause 16.1:

  1. AGD will pay the OAIC any reasonable and unavoidable costs which are incurred by the OAIC as a direct result of this MOU coming to an end (although the OAIC must do all things reasonably necessary to mitigate these costs); and
  2. the OAIC will, within 30 Business Days of this MOU coming to an end, refund to AGD a proportion of the previous invoiced amount, so that there is an equitable distribution of that invoiced amount between the Parties, taking into account the need for the OAIC to have had staff ready and able to undertake the work, and the nature and extent of work that was undertaken by the OAIC before the MOU came to an end.

16.3 The Parties will negotiate in good faith as to the amounts payable under clause 16. Such negotiations will be between the Contact Officer(s) nominated in Schedule 1.

17. Entire agreement

17.1 This MOU represents the entire agreement between the Parties and supersedes all prior arrangements or agreements whether oral or in writing about the NFBMC.

Signed for and on behalf of AGD, by:

Anna Harmer
First Assistant Secretary
Intelligence and Identity Division
Date: 7 November 2017

Signed for and on behalf of the OAIC, by:

Timothy Pilgrim
Privacy Commissioner
Office of the Australian Information Commission
Date: 15 November 2017

Schedule 1

Contact officer

  1. The OAIC nominates the following officer as its primary point of contact:

    Paula Cheng, Director
    Regulation and Strategy
    Tel: [contact details removed] Email: [contact details removed]

  2. AGD nominates the following officer as its primary point of contact:

    Duncan Anderson,
    Director, Identity Security Policy
    Tel: [contact details removed] Email: [contact details removed]

Schedule 2

Activities

Assessment Activity scope

1
2017/18

Conduct a privacy assessment of AGD’s management of the Hub

OAIC must conduct an assessment of the governance, operation and information security of the Hub.

The assessment must focus on compliance with APP 1 and APP 11.

Assessment of compliance with APP1

The OAIC must:

  1. Review whole of governance documents and AGD processes;
  2. Consider how governance arrangements are being applied, including through the work of the PAC;
  3. Consider FVS and FIS functions of NFBMC, but not NDLFRS; and
  4. Give brief consideration to the processes and procedures which AGD has implemented to address other APPs relevant to the Hub.

Assessment of compliance with APP11

The OAIC must consider ICT controls, access controls, information security policies and procedures relating to the Hub and the role of any third parties. This may involve assistance from an information security consultant.

The OAIC acknowledges that the completion and findings of an extended IRAP assessment in the Hub may impact upon the scope of the OAIC’s assessment of compliance with APP11. AGD will advise any updated scope accordingly.

The assessment should include consideration of matters such as the following:

  • whether the audit data generated by the Hub is the minimum necessary to effectively manage the Hub and provide assurance that access to the Hub is for legitimate and appropriate purposes;
  • whether the metadata generated by the Hub is retained for the minimum period necessary to support effective management of the Hub and oversight of its use;
  • whether Hub access permissions granted to agencies’ users conform with the agencies’ IDSAs and/or Hub Service MoUs (or equivalent);
  • whether any security breaches in relation to the Hub have occurred, and if so, what steps have been taken to address such breaches; and
  • whether any complaints have been received from members of the public in relation to operation of the Hub, and if so, what steps have been taken to address these complaints.

This assessment report should be provided no later than 1 October 2018.

2
2018/19

Conduct privacy assessments of AGD’s management of the NDLFRS

OAIC must conduct an assessment of the governance, operation and information security of the NDLFRS.

The assessment must focus on compliance with APP 1 and APP 11.

Assessment of compliance with APP1

The OAIC must:

  • review the governance documents and processes put in place by AGD for the NDLFRS, and
  • Give brief consideration to the processes and procedures which AGD has implemented to address other APPs relevant to the NDLFRS.

Assessment of compliance with APP11

The OAIC must review the information security controls and procedures put in place by AGD, in a manner similar to the 2017/18 assessment of the NFBMC Hub. This may involve assistance from an information security consultant.

The assessment should include consideration of matters such as the following:

  • whether the audit data generated by the NDLFRS is the minimum necessary to effectively manage the NDLFRS and provide assurance that access to the NDLFRS is for legitimate and appropriate purposes;
  • whether access permissions granted to agencies’ users conform with the agencies’ IDSAs (or equivalent);
  • whether any security breaches in relation to the NDLFRS have occurred, and if so, what steps have been taken to address such breaches; and
  • whether any complaints have been received from members of the public in relation to operation of the NDLFRS, and if so, what steps have been taken to address these complaints.

While this assessment may consider linkages between the NFBMC Hub and the NDLFRS, it will not seek to revisit any of the matters considered in the 2017/18 assessment. However, any privacy risks or recommendations that may have arisen in the 2017/18 assessment may be revisited in this assessment.

This assessment report should be provided no later than 1 October 2019.

Funding

AGD agrees to pay the OAIC the amount of $150,000 over the term of this MOU as follows:

  1. $75,000 Year 1 – payable on [30 June 2018];
  2. $75,000 Year 2 – payable on [30 June 2019].