Skip to main content
  • On this page

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) 2022 assessment of the Department of Home Affairs’ (Home Affairs) processes governing cross-border disclosures of European Union-sourced Passenger Name Record data (EU PNR data) under Australian Privacy Principle (APP) 8 of the Privacy Act 1988 (Cth).[1]

1.2 International passenger airlines are required to provide Home Affairs certain passenger information upon request, including personal information, for flights travelling to, from or through Australia under s 64AF of the Customs Act 1901 (Cth). This information is known as Passenger Name Record (PNR) data.

1.3 Cross-border disclosures of personal information are regulated under APP 8 of the Privacy Act. APP 8.1 requires an APP entity to take reasonable steps in the circumstances to ensure that an overseas recipient does not breach the APPs (other than APP 1) before disclosing personal information. However, there are exceptions to the reasonable steps requirement at APP 8.1, such as where disclosure to an overseas recipient is required or authorised by law.

1.4 In addition to the obligations regarding Home Affairs’ handling of PNR data under the APPs, disclosures of EU PNR data are governed by the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service[2] (the EU Agreement).[3] The OAIC considers compliance with the EU Agreement to be a reasonable step under APP 8.1.

1.5 Overall, the assessment found that Home Affairs has effective mechanisms in place to safeguard personal information and limit the risk of unauthorised cross-border disclosures of EU PNR data under APP 8. In particular, the assessment found that Home Affairs has taken steps aimed at ensuring that cross-border disclosures of EU PNR data only occur when required or authorised by law. However, more can be done to proactively ensure that overseas recipients comply with obligations in line with APP 8 and the EU Agreement, and support officers procedurally in processing and reviewing cross-border disclosures.

1.6 As no recent cross-border disclosures of EU PNR data were available for review in this assessment, our recommendations primarily relate to the documents, databases, and checklists Home Affairs’ officers utilise when processing requests for the cross-border disclosure of EU PNR data, as well as mechanisms used to govern the handling of disclosed information.

1.7 The OAIC made 8 recommendations and 4 suggestions to Home Affairs to address the privacy risks identified in this assessment. This included recommendations to address 2 high privacy risks. These recommendations and suggestions are listed in Part 4 of this report.

Part 2: Introduction

Passenger Name Records

2.1 International passenger airlines are required to provide certain passenger information to Home Affairs for flights that travel to, from or through Australia under s 64AF of the Customs Act 1901 (Cth). This information is known as PNR data.

2.2 PNR data that is processed in the European Union (EU) or sourced from airline reservation systems located in the EU is referred to as EU PNR data in this assessment.

2.3 The EU Agreement authorises EU PNR data to be used exclusively to prevent, detect, investigate, and prosecute terrorism and serious transnational crimes such as drug trafficking and people smuggling.

2.4 EU PNR data is personal information as it relates to identified individuals. It includes:

  • Passenger name and contact information
  • Booking details including payment/billing information
  • Travel status and itinerary
  • Frequent flyer and benefit information

2.5 Cross-border disclosures of PNR data, including EU PNR data, are uncommon. When the assessment fieldwork was conducted,[4] Home Affairs advised that no cross-border disclosures of PNR data had been made in the 2021-2022 financial year. Prior to the COVID-19 pandemic in the 2019 calendar year, only 2 cross-border disclosures of PNR data were made. Neither of these disclosures related to EU PNR data.

At the time of the assessment fieldwork in late-June 2022, no cross-border disclosures of PNR data had been made in the 2021-2022 financial year.

2.6 Where PNR data is requested, Home Affairs staff may not provide PNR data in response. Officers are instructed in procedural documentation to consider alternative data that may sufficiently address the request. This mitigates the risk that an inappropriate disclosure of EU PNR data will be made.

Australian Privacy Principle 8

2.7 APP 8.1 requires that, before disclosing personal information such as EU PNR data, APP entities such as Home Affairs must take steps that are reasonable in the circumstances to ensure that overseas recipients do not breach the APPs (other than APP 1) unless an exception under APP 8.2 applies.

2.8 Exceptions include cross-border disclosures:

  • required or authorised by an Australian law or court/tribunal order (APP 8.2(c))
  • by an agency, such as Home Affairs,[5] and the disclosure is required or authorised by an international agreement relating to information sharing to which Australia is a party (APP 8.2(e))
  • by an agency that reasonably believes the disclosure is reasonably necessary for enforcement related activity of an enforcement body, where the overseas recipient performs functions, or exercises powers, like those of an enforcement body (APP 8.2(f)).

The EU Agreement

2.9 Disclosures of EU PNR data are also governed by the EU Agreement. Article 19 authorises disclosures of EU PNR data to third-party countries subject to certain requirements – many of which align with various APPs. For example, ensuring the security and integrity of the EU PNR data (APP 11), and disclosing EU PNR data only for the purpose it was collected for (APP 6). Several of these requirements are considered in Part 3 below.

2.10 Article 10 of the EU Agreement provides that Home Affairs’ compliance with data protection rules shall be subject to oversight by the Australian Information Commissioner (Commissioner).

Part 3: Summary of findings

3.1 The OAIC’s assessment of Home Affairs’ cross-border disclosures of EU PNR data considered relevant obligations and exceptions under APP 8 and the EU Agreement. The key findings are set out below.

3.2 Overall, the assessment found that Home Affairs has effective mechanisms in place to safeguard personal information when making cross-border disclosures of EU PNR data. However, more can be done to proactively ensure that overseas recipients comply with obligations in line with APP 8 and the EU Agreement, and support officers procedurally in processing and reviewing cross-border disclosures.

3.3 As no recent cross-border disclosures of EU PNR data were available for review in this assessment, our recommendations primarily relate to the documents, databases, and checklists Home Affairs’ officers utilise when processing requests for the cross-border disclosure of EU PNR data, as well as mechanisms used to govern the handling of disclosed information.

3.4 Home Affairs relies upon information sharing agreements to govern how EU PNR data is handled when it is disclosed to an overseas recipient. In this assessment, Home Affairs provided a sample of 3 such agreements for review. Findings in this assessment are based on this sample. However, it may not be representative of all of information sharing agreements that Home Affairs may have with overseas and international entities.

APP 8.2(c): Required or authorised by Australian law

3.5 APP 8.2(c) provides that APP 8.1 does not apply to disclosures of information that are required or authorised by Australian law.

3.6 The assessment found that Home Affairs primarily relies on s 45 of the Australian Border Force Act 2015 (Cth) (ABF Act) when undertaking cross-border disclosures of EU PNR data. Home Affairs advised that it is highly unlikely to disclose EU PNR data under any other legislative provision.

Disclosure under s 45 of the ABF Act

3.7 Home Affairs’ policies instruct staff to first determine whether requests for cross-border disclosures of EU PNR data can be made under s 45 of the ABF Act.

3.8 Subsection 45(2) of the ABF Act allows an authorised ‘entrusted person’ to disclose personal information, such as EU PNR data, to a foreign country, an agency or authority of a foreign country or a public international organisation (overseas recipient). Such a disclosure may only be made where the following elements are satisfied:

  • The disclosure is for a purpose outlined in s 46 of the ABF Act, such as the administration of a criminal law, including the prevention, detection, or analysis of criminal conduct.
  • The Secretary of the Department[6] is satisfied that:
    • the information will be used in accordance with an agreement between the Commonwealth, or an agency or authority thereof, and a foreign country, an agency or authority of a foreign country and/or a public international organisation
    • the disclosure is necessary for a purpose outlined in s 46.
  • The overseas recipient has undertaken to not use or further disclose the information except in accordance with the agreement or otherwise as required or authorised by law.

3.9 Home Affairs’ Instrument of Authorisation (Instrument) authorises all Immigration and Border Protection workers, except Australian Border Force staff, as entrusted persons under s 45 of the ABF Act. For matters that are not authorised under the Instrument, a one-off Authority to Disclose Immigration and Border Protection Information form must be completed by a delegate of the Secretary.

3.10 The requirements under s 45 of the ABF Act are considered in more detail below.

Overseas recipients

3.11 Subsection 45(2) of the ABF Act only authorises disclosures to be made where the overseas recipient is a foreign country, an agency or authority of a foreign country or a public international organisation.

3.12 The Border Intelligence Watch Office (BIWO) receives and processes all requests for EU PNR data. It requires all requests for information to be lodged in a BIWO Request for Information form outlining information such as the requestor’s details, the information requested, and reason that information is required. Home Affairs use this information, in particular the requestor’s email address, to verify that the requestor is an overseas recipient under s 45 of the ABF Act.

3.13 The Instrument also identifies entities to which disclosures are ‘authorised’. However, this includes at least one corporate entity, an airline, which apparently does not satisfy the requirements of s 45 of the ABF Act. This is a high privacy risk as disclosures that do not satisfy s 45 of the ABF Act are not authorised by law for the purposes of APP 8.2(c). Unless Home Affairs otherwise satisfies APP 8.1 or another APP 8.2 exception, this would constitute a breach of the Privacy Act.

3.14 The OAIC recommends that Home Affairs must review and update the Instrument of Authorisation as a matter of high priority to ensure that the overseas and international entities listed are ‘a foreign country, an agency or authority of a foreign country or a public international organisation’ within the meaning of s 45 of the ABF Act.

Recommendation 1

Home Affairs must review and update the Instrument of Authorisation to ensure that all overseas and international entities listed in Column 1 of Schedule 2 are ‘a foreign country, an agency or authority of a foreign country or a public international organisation’ within the meaning of s 45 of the ABF Act.

Where this is not immediately apparent, commentary should be recorded stating the entity’s relevant classification (e.g., agency of a foreign country) and the reason for the classification. This may be documented in the Instrument or a separate record.

In accordance with an agreement

3.15 Disclosures of EU PNR data are only authorised under s 45(2) of the ABF Act where the Secretary of the Department (including a delegate) is satisfied that the information will be used in accordance with an agreement between the Commonwealth, or an agency or authority thereof, and a foreign country, an agency or authority of a foreign country or a public international organisation. It appears that these agreements generally contain safeguards that Home Affairs relies upon to govern overseas recipients’ handling of personal information.

3.16 Home Affairs provides officers checklists to facilitate their determinations under certain provisions of the ABF Act. The ‘ABF Act Part 6 – s45 – Disclosure in accordance with agreements Intelligence Division Checklist’ (Section 45 Checklist) requires staff to check there is an active and relevant agreement on the MOU Register when considering a request for information. The MOU Register table describes the currency of agreements by ‘status’ (unknown, active, expired). It does not contain the expiry dates of agreements.

3.17 As the MOU Register is updated manually, there is a high privacy risk that the status of an agreement may become inaccurate between updates and staff may incorrectly disclose information in reliance on an expired agreement. Such a disclosure would not satisfy s 45 of the ABF Act and would not be authorised by law as per APP 8.2(c). Unless Home Affairs satisfies APP 8.1 or another APP 8.2 exception, this would constitute a breach of the Privacy Act. The OAIC recommends that the MOU Register be updated as a high priority to capture the expiry dates of agreements to allow staff to confirm that agreements are current before making a disclosure.

Recommendation 2

Home Affairs must update the MOU Register to:

  • remove all references to the ‘Active’ status
  • include expiry and review dates (if any) in the MOU Register table for each agreement listed. Where an agreement does not have an expiry date, this should be stated for completeness.

3.18 Home Affairs advised anecdotally that some staff may rely on the Instrument to determine whether there is an applicable agreement. However, the few entries in the Instrument that identify an agreement do not state whether and when the agreements expire. As the Instrument is not designed to be regularly maintained and updated, officers should refer to the MOU Register and the agreements themselves to ascertain the currency and relevance of specific agreements.

3.19 As there is a low privacy risk that staff will not check the currency of agreements in the MOU Register, the Instrument could be updated to refer readers to the MOU Register and not include details of information sharing agreements in the Instrument itself.

Suggestion 1

Home Affairs could update the Instrument of Authorisation to:

  • remove details of all relevant information sharing agreements to dissuade readers from relying on the Instrument in lieu of the MOU Register
  • direct readers to check the existence and currency of all agreements in the MOU Register prior to making a disclosure of information.

3.20 In the BIWO Request for Information form, a requestor is also required to declare that they will ‘handle and store any information provided…in accordance with all associated memoranda and legislation’. While some explanatory material about the EU Agreement is included, the form does not identify an agreement to which the overseas recipient may be subject as ‘associated memoranda’.

3.21 Home Affairs relies on terms and safeguards within certain agreements to determine whether a disclosure is authorised under s 45 of the ABF Act. If a relevant agreement is not expressly identified to the overseas recipient, there is a medium risk that the overseas recipient may not understand or be aware of its obligations under that agreement when receiving EU PNR data.

Recommendation 3(a)

Home Affairs should update the BIWO Request for Information form to require the requestor of a cross-border disclosure of information to identify an agreement relevant to the disclosure for the purposes of s 45 of the ABF Act (as applicable).

Necessity for s 46 purpose

3.22 A requestor must provide details of the offence relevant to the request and the intended use of the information in the BIWO Request for Information form. This information may be used to determine whether a disclosure of EU PNR data is necessary for a purpose under s 46 of the ABF Act and for a law enforcement purpose under the EU Agreement.[7]

3.23 Home Affairs advised that disclosures of information under s 45(2) of the ABF Act were generally for the prevention, detection, or analysis of criminal conduct under a law of an Australian or foreign jurisdiction.[8] When reviewing matters for disclosure, staff are also instructed to consider the necessity of disclosing PNR data, or whether alternative data might sufficiently address the request.

Limitations on further disclosure

3.24 Home Affairs requires agreements relevant to cross-border disclosures to contain an undertaking that the recipient will not use or further disclose information – except in accordance with the agreement or otherwise as required or authorised by law.[9] All 3 of the agreements reviewed in this assessment contained this undertaking.

3.25 The BIWO Request for Information form requests that recipients do not further disclose information received unless Home Affairs grants written permission, or the disclosure is required or authorised by law. The caveat template for disclosures of EU PNR data also states that the information cannot be further disclosed without the prior written consent of Home Affairs. Compliance with such caveats is a condition of the agreements reviewed in this assessment.

Recording decisions

3.26 Complete and accurate records of determinations of cross-border requests for EU PNR data are necessary to verify whether information has been handled lawfully and appropriately.[10] Although Home Affairs does record requests and the outcome of each determination, for matters authorised under the Instrument, the assessment found that there is no record of Home Affairs’ substantive considerations when deciding whether to disclose EU PNR data.[11]

3.27 Officers should record their considerations when deciding whether to disclose information, including EU PNR data. This could be by expanding officer checklists, such as the Section 45 Checklist, to allow staff to explain whether and how the requirements of s 45 of the ABF Act have been satisfied. Additional procedural items should also be included in officer checklists to ensure that this information and requisite supporting documentation are consistently saved on Home Affairs’ record management system and the BIWO portal.[12]

Recommendation 4

Home Affairs should record whether and how requirements of the ABF Act, APPs and EU Agreement have been satisfied when deciding whether to disclose EU PNR data. For example, officer checklists could be expanded to instruct officers to demonstrate whether requirements of the ABF Act have been satisfied.

Officer checklists should also be updated to include record keeping requirements to ensure that these considerations and supporting documentation are recorded on Home Affairs’ record management system and the BIWO portal.

Other means of cross-border disclosure

3.28 Where s 45 of the ABF Act does not apply, Home Affairs’ policy documents suggest that staff consider whether a disclosure may be made in accordance with s 42(2)(b) of the ABF Act. Paragraph 42(2)(b) may not ‘authorise or require’ a disclosure to be made as required under APP 8.2(c). It provides that an entrusted person does not commit an offence when making a disclosure in the course of their employment or service.

3.29 Disclosures of EU PNR data that are not authorised by s 45 of the ABF Act may fall under other APP 8.2 exceptions, such as APPs 8.2(e)[13] and 8.2(f).[14] Home Affairs noted that disclosures that may fall under these exceptions are highly unlikely to arise. These exceptions have therefore not been considered in this assessment.

3.30 Home Affairs have developed an ‘ABF Act Part 6 – s42(2)(b) – Disclosure in the course of employment Intelligence Division Checklist’ (Section 42(2)(b) Checklist) to assist officers when processing requests for information under that provision.

3.31 While the Section 42(2)(b) Checklist does refer to matters such as relevant APPs and the need to consider ‘treaty’ obligations, the information provided is limited. There is a low privacy risk that officers will not understand their obligations under the APPs and EU Agreement when disclosing EU PNR data. Home Affairs could include links to the APPs, APP guidelines and the EU Agreement in the checklist to assist staff.

Suggestion 2(a)

Home Affairs could update the Section 42(2)(b) Checklist to:

  • explicitly refer to the EU Agreement and link to resources, including the agreement itself and decision-making flowcharts, to assist staff to determine whether a disclosure of EU PNR data will be made in accordance with Article 19 of the EU Agreement
  • include links to APP resources such as policy documentation, the APPs, and the APP Guidelines to assist staff in assessing whether a disclosure complies with the APPs.

APP 8.1 Reasonable steps

3.32 As noted above, the information provided in this assessment indicates that Home Affairs’ cross-border disclosures of EU PNR data will likely be authorised by law. As this is an exception under APP 8.2(c), APP 8.1 will not apply to most cross-border disclosures of EU PNR data.

3.33 Nonetheless, Home Affairs’ policies and procedures contemplate that cross-border disclosures of EU PNR data may occur in circumstances where APP 8.2(c) does not apply. APP 8.1 may apply in these instances.

3.34 APP 8.1 requires Home Affairs to take reasonable steps in the circumstances to ensure that an overseas recipient does not breach the APPs (other than APP 1) prior to disclosing personal information. These steps are also important in strengthening Home Affairs’ privacy posture generally.

Caveats

Home Affairs adopts a layered approach to securing the information it discloses, relying on caveats which are included in disclosure documents and are enforced by information sharing agreements. This approach is flexible as caveats can be easily amended and adjusted as required, unlike a formal agreement.

3.35 Home Affairs’ policies and procedures most often refer to the inclusion of caveats in disclosure documents as a mechanism to ensure that overseas recipients appropriately handle the information disclosed.

3.36 Home Affairs have prepared a template caveat for all disclosures of EU PNR data. However, this caveat may not be suitable for cross-border disclosures. For example, the caveat states that the reader is governed by the APPs which is incorrect where the recipient is not subject to Australian legal jurisdiction. There is a medium privacy risk that the overseas recipient will not adequately understand their obligations as outlined in the caveat.

Recommendation 5(a)

Home Affairs should update its caveat, or prepare new caveats, to accommodate the cross-border disclosure of EU PNR data.

This caveat should outline overseas recipients’ obligations in line with the APPs, but the caveat should not state that overseas recipients who are not subject to Australian legal jurisdiction are governed by the APPs.[15]

Request for Information form

3.37 The BIWO Request for Information form contains commentary for requestors about restrictions when handling EU PNR data. For example, the form advises potential overseas recipients that EU PNR data can only be processed to detect, investigate, and prosecute terrorism offences or serious transnational crime.

3.38 While Home Affairs requests that overseas recipients only use and disclose information for the purpose for which it was provided (APP 6), it should also refer to obligations that arise in line with other APPs under APP 8.1 such as the security and deletion of the information disclosed (APP 11).

Recommendation 3(b)

Home Affairs should update the BIWO Request for Information form to outline personal information handling requirements in line with the APPs.

Internal mechanisms

3.39 Home Affairs has various internal mechanisms to facilitate compliance with APP 8 when considering cross-border disclosures of EU PNR data. These include conducting compliance checks and providing annual staff training.

Compliance checks

3.40 Home Affairs conduct quarterly compliance checks to assess compliance with Home Affairs’ policies and legislative requirements. These compliance checks ensure that staff are aware of their obligations when handling EU PNR data, may detect instances where EU PNR data was inappropriately disclosed, and can effectively identify process improvements.

3.41 Home Affairs advised that it has not identified any significant issues in compliance checks but has made recommendations and suggestions, all of which have been accepted by the business area. Home Affairs also advised that it has mechanisms to track, follow up and escalate recommendations and suggestions that are yet to be implemented.

3.42 Although procedural instructions indicate that PNR requests are sampled for compliance checks randomly, it was advised in fieldwork that compliance checks are generally targeted at issues identified in previous checks. This may enhance the deterrent effect of these checks. However, random compliance checks allow previously unknown issues to be identified. The OAIC suggests that Home Affairs also undertake random compliance checks in accordance with its policy and procedural documentation.

Suggestion 3

In addition to auditing targeted matters, Home Affairs could audit randomly selected matters to facilitate the identification of potentially unknown compliance issues.

Home Affairs could also update policy and procedural instructions to reflect that PNR requests may be specifically targeted for compliance checks (in addition to being randomly selected as currently stated).

Training

Home Affairs train staff annually regarding privacy, information sharing, and handling PNR data.

3.43 Home Affairs provides annual privacy, information sharing and PNR data handling training to relevant staff. Completion of the latter training is a prerequisite for all staff to access PNR data. This ensures that staff are aware of their obligations when disclosing EU PNR data.

3.44 APP 8 is referred to in the training programs with limited detail. Home Affairs’ primary ‘privacy essentials’ training focuses on scenarios that are potential exceptions under APP 8.2 but does not appear to outline the APP 8.1 requirements when an exception does not apply. Nor does it advise that a breach of an APP by an overseas recipient may be taken to be a breach by Home Affairs for cross-border disclosures under APP 8.1.[16] The Intelligence Information Sharing training briefly refers to APP 8 but does not outline the substantive requirements and exceptions of the APP.

3.45 It is important that officers understand the requirements of the Privacy Act when disclosing information overseas, particularly where there is no valid APP 8.2 exception. This creates a medium privacy risk that a disclosure of EU PNR data may breach APP 8.

Recommendation 6

Home Affairs should update its Privacy Essentials[17] training to outline all APP 8 requirements.

This and other training could also address that the conduct of an overseas recipient in breach of the APPs may be taken to be the conduct of Home Affairs under s 16C of the Privacy Act.

The EU Agreement

3.46 While the assessment has found that Home Affairs does not disclose information solely in reliance on the EU Agreement, the OAIC considers that the protections contained in the EU Agreement are relevant to all disclosures of EU PNR data.

3.47 As stated above, compliance with the EU Agreement is a reasonable step for the purposes of APP 8.1.

Home Affairs makes consistent reference to Article 19 of the EU Agreement in policy documentation when addressing the potential disclosure of EU PNR data.

3.48 Home Affairs makes consistent reference to Article 19 of the EU Agreement in policy documentation. However, while officer checklists require officers to consider ‘treaty obligations’ in their determinations, they do not make explicit reference to the EU Agreement and its additional requirements when disclosing EU PNR data.

3.49 As cross-border disclosures of EU PNR data are so infrequent, staff may be less familiar with the EU Agreement and any obligations it imposes. For disclosures made under s 45 of the ABF Act, there is a medium privacy risk that an officer will not consider and apply the safeguards required by the EU Agreement when making a cross-border disclosure of EU PNR data.

Recommendation 7

Home Affairs should update the Section 45 Checklist to explicitly refer to the EU Agreement and provide links to relevant resources, including the agreement itself and decision-making flowcharts. This will assist staff in determining whether a disclosure of EU PNR data can be made in accordance with Article 19 of the EU Agreement.

Sensitive information

3.50 Article 8 of the EU Agreement prohibits processing ‘sensitive data’ which is ‘any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health or sex life.’

3.51 In fieldwork, Home Affairs advised that some fields containing sensitive information are blocked when PNR data is received, but sensitive data such as the titles (e.g., Reverend) of individuals may be received in free text notes. Home Affairs staff must delete sensitive information from disclosure documents when processing requests for information prior to making a disclosure.

3.52 As this is a manual process, this creates a low privacy risk that officers may not remove sensitive information. Home Affairs could update officer checklists to require staff to confirm that all sensitive information has been removed from the disclosure document prior to disclosing EU PNR data.

Suggestion 2(b)

Home Affairs could update the Section 42(2)(b) Checklist to require officers to indicate whether all sensitive EU PNR data has been removed from the disclosure document.

Suggestion 4

Home Affairs could update the Section 45 Checklist to require officers to indicate whether all sensitive EU PNR data has been removed from the disclosure document.

Oversight and redress

3.53 Home Affairs records all requests for PNR data in accordance with Article 17 of the EU Agreement. This enables oversight of cross-border disclosures of EU PNR data.

3.54 Articles 13 and 14 of the EU Agreement also require individuals be provided a right of rectification and erasure in relation to EU PNR data, and a right to redress if their rights under the EU Agreement are violated.

3.55 The Australian Border Force’s online notice regarding PNR data[18] outlines mechanisms for individuals to request access to, or the correction of, their PNR data. However, it is unclear how those mechanisms operate where a cross-border disclosure has occurred.

3.56 Only 1 of the 3 information sharing agreements provided by Home Affairs for review included clauses addressing the accuracy, correction and retention of information, and redress for individuals regarding the handling of their personal information. This agreement was also the only one that provided for oversight arrangements, including requiring parties to notify each other where information disclosed is subject to accidental or unauthorised access, use, modification or disposal.

3.57 Where an agreement does not address certain safeguards in line with the EU Agreement, there is a medium privacy risk that an overseas recipient will not apply those safeguards.

3.58 The OAIC recommends that Home Affairs should update the ‘Memorandums of Understanding and Other Collaborative Instruments’ procedural instructions to require that information sharing agreements, to the extent that they are relevant to the disclosure of EU PNR data, contain safeguards with the same effect as those in the EU Agreement. These safeguards may be relevant to disclosures generally under APP 8.1 and are important privacy protections for individuals.

Recommendation 8(a)

Home Affairs should update the ‘Memorandums of Understanding and Other Collaborative Instruments’ procedural instructions to require that information sharing agreements, to the extent that they are relevant to the disclosure of EU PNR data, contain safeguards with the same effect as those in the EU Agreement.

This includes, but is not limited to, requirements that information sharing agreements contain clauses:

  • addressing oversight arrangements requiring parties to report the potential unauthorised access, use, and disclosure of information disclosed. This could be reinforced by including an information notice in all disclosure documents to the same effect.
  • that require parties to implement mechanisms to provide individuals opportunities for redress, and the ability to access, correct, and request the deletion of, their data.

Retaining information

3.59 When disclosing EU PNR data, the EU Agreement requires Home Affairs to be satisfied that an overseas recipient will not retain the information longer than necessary to facilitate the investigation, prosecution or penalty for which it was disclosed.[19]

3.60 The assessment found a medium privacy risk that a cross-border disclosure may not accord with the EU Agreement. Restrictions on the retention of information are not stated in caveats included with disclosures of EU PNR data. Nor are they proactively addressed in information sharing agreements and the request for information form. For example, only 1 of the 3 agreements reviewed contained a requirement to assess and dispose of information when it is no longer necessary for the purpose of the disclosure.

Recommendation 3(c)

Home Affairs should update the BIWO Request for Information form to require the requestor of a cross-border disclosure of information to make an express undertaking that information disclosed will be deleted once it is no longer necessary for the purpose for which it was requested.

Recommendation 5(b)

Home Affairs should update its caveat, or prepare new caveats, for disclosures of EU PNR data to require overseas recipients to delete EU PNR data once it is no longer necessary for the specific investigation, prosecution, or enforcement of penalties for which the information was disclosed.

Recommendation 8(b)

Home Affairs should update the procedural instructions ‘Memorandums of Understanding and Other Collaborative Instruments’ to require that information sharing agreements, to the extent that they are relevant to the disclosure of EU PNR data, contain a clause that requires parties to delete information disclosed once it is no longer necessary for the purpose for which it was obtained.

Part 4: Recommendations and responses

Recommendation 1

Home Affairs must review and update the Instrument of Authorisation to ensure that all overseas and international entities listed in Column 1 of Schedule 2 are ‘a foreign country, an agency or authority of a foreign country or a public international organisation’ within the meaning of s 45 of the ABF Act.

Where this is not immediately apparent, commentary should be included stating the entity’s relevant classification (e.g., agency of a foreign country) and why that is the case. This may be documented in the Instrument or a separate record.

Home Affairs’ response

4.1

Home Affairs partially agrees with the recommendation.

Home Affairs agrees that the Instruments of Authorisation should be updated as a high priority.

Home Affairs disagrees with creating a separate document stating an entity’s relevant classification, due to the additional administrative burden. Alternatively, Home Affairs will address the underlying risk that this portion of the recommendation addresses by updating the process instructions relating to the Instruments to ensure checks occur to confirm that overseas entities are of a requisite classification to prevent a repeat of the error.

Home Affairs agrees with the recommendation.

The MOU Register will be updated in accordance with the recommendation. Home Affairs expects this to be completed by end of June 2023.

Recommendation 2

Home Affairs must update the MOU Register to:

  • remove all references to the ‘Active’ status
  • include expiry and review dates (if any) in the MOU Register table for each agreement listed. Where an agreement does not have an expiry date, this should be stated for completeness.

Home Affairs’ response

4.2

Home Affairs agrees with the recommendation.

The MOU Register will be updated in accordance with the recommendation. Home Affairs expects this to be completed by end of June 2023.

Recommendation 3

Home Affairs should update the BIWO Request for Information form to:

  • require the requestor of a cross-border disclosure of information to identify an agreement relevant to the disclosure for the purposes of s 45 of the ABF Act (as applicable)
  • outline personal information handling requirements in line with the APPs
  • require the requestor of a cross-border disclosure of information to make an express undertaking that information disclosed will be deleted once it is no longer necessary for the purpose for which it was requested.

Home Affairs’ response

4.3

The Department partially agrees with this recommendation.

The Department will update the BIWO Request for Information form to include personal information handling requirements and require the requestor to make an undertaking with respect to the deletion of information. This work will be completed by 1 May 2023.

The Department is of the view that it is the responsibility of the disclosing officer to determine whether disclosure under s45 of the ABF Act is permitted. In doing so, they must identify an agreement relevant to the disclosure, and ensure the agreement complies with all requirements under s45 of the ABF Act, including s45(2)(c).

As an alternative approach, the Department suggests that the disclosing officer identify the relevant agreement, and note in their response to the requestor that the disclosure is being made in accordance with the terms of that agreement.

Recommendation 4

Home Affairs should record whether and how requirements of the ABF Act, APPs and EU Agreement have been satisfied when deciding whether to disclose EU PNR data. For example, officer checklists could be expanded to instruct officers to demonstrate whether requirements of the ABF Act have been satisfied.

Officer checklists should also be updated to include record keeping requirements to ensure that these considerations and supporting documentation are recorded on Home Affairs’ record management system and the BIWO portal.

Home Affairs’ response

4.4

The Department agrees with this recommendation.

The Department is currently reviewing its recordkeeping practices, as they relate to servicing requests for PNR data, and will address this recommendation as part of that review.

This work will be completed by 1 May 2023.

Recommendation 5

Home Affairs should update its caveat, or prepare new caveats, to accommodate the cross-border disclosure of EU PNR data. This caveat should:

  • outline overseas recipients’ obligations in line with the APPs, but should not state that overseas recipients who are not subject to Australian legal jurisdiction are governed by the APPs.[20]
  • require overseas recipients to delete EU PNR data once it is no longer necessary for the specific investigation, prosecution, or enforcement of penalties for which the information was disclosed.

Home Affairs’ response

4.5

The Department agrees with this recommendation.

Following the inspection, the Department updated the drafted new caveats to include amendments that OAIC suggested during the inspection. The Department will review the amended caveats to ensure that the recommendation is fully implemented in full.

Recommendation 6

Home Affairs should update its Privacy Essentials[21] training to outline all APP 8 requirements.

This and other training could also address that the conduct of an overseas recipient in breach of the APPs may be taken to be the conduct of Home Affairs under s 16C of the Privacy Act.

Home Affairs’ response

4.6

Home Affairs agrees with this recommendation.

The Privacy Foundations training is currently undergoing a general update. This recommendation will be actioned as part of this work. Home Affairs expects this to be completed by end of September 2023.

Recommendation 7

Home Affairs should update the Section 45 Checklist to explicitly refer to the EU Agreement and provide links to relevant resources, including the agreement itself and decision-making flowcharts. This will assist staff in determining whether a disclosure of EU PNR data can be made in accordance with Article 19 of the EU Agreement.

Home Affairs’ response

4.7

The Department agrees with this recommendation.

The Department will review the checklist, and determine how best to implement the recommendation. In doing so, the Department will consider whether the creation of a separate checklist specific to the disclosure of PNR data would be a more suitable approach.

This work will be completed by 1 May 2023.

Recommendation 8

Home Affairs should update the ‘Memorandums of Understanding and Other Collaborative Instruments’ procedural instructions to require that information sharing agreements, to the extent that they are relevant to the disclosure of EU PNR data, contain safeguards with the same effect as those in the EU Agreement.

This includes, but is not limited to, requirements that information sharing agreements contain clauses:

  • addressing oversight arrangements requiring parties to report the potential unauthorised access, use, and disclosure of information disclosed. This could be reinforced by including an information notice in all disclosure documents to the same effect.
  • that require parties to implement mechanisms to provide individuals opportunities for redress, and the ability to access, correct, and request the deletion of, their data.
  • that require parties to delete information disclosed once it is no longer necessary for the purpose for which it was obtained.

Home Affairs’ response

4.8

Home Affairs agrees with this recommendation.

Home Affairs will update the relevant Collaborative Instrument procedural instruction to include the above requirement in relation to information sharing agreements which relate to the disclosure of EU PNR data.

Home Affairs expects that this work will be completed by end of May 2023.

Suggestion 1

Home Affairs could update the Instrument of Authorisation to:

  • remove details of all relevant information sharing agreements to dissuade readers from relying on the Instrument in lieu of the MOU Register
  • direct readers to check the existence and currency of all agreements in the MOU Register prior to making a disclosure of information.

Home Affairs’ response

4.9

Home Affairs will consult relevant areas of the Department regarding the policy aspects of this suggestion.

In line with the completion expectations of Recommendation 1, if this is considered the best policy approach, Home Affairs expects to complete implementation of this suggestion by end of 2023.

Suggestion 2

Home Affairs could update the Section 42(2)(b) Checklist to:

  • explicitly refer to the EU Agreement and link to resources, including the agreement itself and decision-making flowcharts, to assist staff to determine whether a disclosure of EU PNR data will be made in accordance with Article 19 of the EU Agreement
  • include links to APP resources such as policy documentation, the APPs, and the APP Guidelines to assist staff in assessing whether a disclosure complies with the APPs
  • require officers to indicate whether all sensitive EU PNR data has been removed from the disclosure document.

Home Affairs’ response

4.10

The Department accepts this suggestion.

The Department will review the checklist, and determine how best to implement the recommendation. In doing so, the Department will consider whether the creation of a separate checklist specific to the disclosure of PNR data would be a more suitable approach.

This work will be completed by 1 May 2023.

Suggestion 3

In addition to auditing targeted matters, Home Affairs could audit randomly selected matters to facilitate the identification of potentially unknown compliance issues.

Home Affairs could also update policy and procedural instructions to reflect that PNR requests may be specifically targeted for compliance checks (in addition to being randomly selected as currently stated).

Home Affairs’ response

4.11

The Department accepts this suggestion.

Following the inspection, the Department amended the Access and Disclosure of Passenger Name Record (PNR) Data Procedural Instruction (PI) to note that the quarterly internal audit process undertaken by Intelligence Partnerships and Governance Section will include a random and/or targeted inspection of PNR access, use and disclosure activities. The PI is in the final stages of the review and approval process.

This work is expected to be completed by 1 May 2023.

Suggestion 4

Home Affairs could update the Section 45 Checklist to require officers to indicate whether all sensitive EU PNR data has been removed from the disclosure document.

Home Affairs’ response

4.12

The Department accepts this suggestion.

The Department will review the checklist, and determine how best to implement the recommendation. In doing so, the Department will consider whether the creation of separate checklist specific to the disclosure of PNR data would be a more suitable approach.

This work will be completed by 1 May 2023.

Part 5: Description of assessment

5.1 In accordance with a Letter of Exchange with Home Affairs, the OAIC conducted an assessment under s 33C(1)(a) of the Privacy Act.[22]

5.2 EU PNR data is personal information and subject to the provisions of the Privacy Act under Article 7 of the EU Agreement.

5.3 Article 10 of the EU Agreement also provides that the Commissioner has oversight of Australian government authorities’ processing of EU PNR data and refers to arrangements for the Commissioner to undertake regular formal audits of Home Affairs’ handling of EU PNR data.

5.4 In 2019, the EU and Australia conducted a joint review of the EU Agreement under Article 24(2) of the EU Agreement. In its subsequent report to the European Parliament and Council of the European Union,[23] the European Commission’s recommendations included:

For the periodical assessments made by the Office of the Australian Information Commissioner, to include also compliance to other relevant principles in the context of the processing of PNR data like cross-border disclosure of personal data...[24]

5.5 This recommendation was considered in deciding the objective and scope of this assessment.

Objective and scope

5.6 The objective of this assessment was to identify privacy risks (if any) relevant to Home Affairs’ handling of EU PNR data and its obligations relating to cross-border disclosures under APPs 8.1 and/or 8.2.

5.7 The scope of the assessment included consideration of Home Affairs’ processes and mechanisms relating to cross-border disclosures of EU PNR data, including:

  • the process of making cross-border disclosures of EU PNR data, including any relevant policies, procedures, systems, governance, and training
  • steps taken by Home Affairs to ensure the overseas recipient does not breach the APPs (other than APP 1), such as contractual or non-contractual arrangements with overseas recipients
  • the grounds and circumstances of PNR cross-border disclosures, and any arrangements, policies and procedures relating to the applicability of relevant APP 8.2 exception(s).

Methodology

5.8 This assessment involved:

  • a review of documents provided by Home Affairs’, including policies and procedures relevant to its handling of EU PNR data
  • interviews, including case studies, with Home Affairs staff responsible for the privacy and operational handling of EU PNR data.

5.9 As this was a risk-based assessment, the OAIC applied its privacy risk guidance to identify risks and make recommendations and suggestions to address those risks.

5.10 This was a point-in-time assessment and the findings in this report are based on information provided, and represented to be current, at the time of the assessment. The OAIC did not directly observe Home Affairs’ policies and procedures in practice.

Footnotes

[1] This assessment was conducted under s 33C(1)(a) of the Privacy Act which provides that the Australian Information Commissioner may assess whether personal information held by an APP entity is maintained and handled in accordance with the APPs.

[2] The functions of the Australian Customs and Border Protection Service, including those under the EU Agreement, are now performed by Home Affairs. A copy of the EU Agreement is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:22012A0714(01).

[3] Article 10(2) of the EU Agreement refers to arrangements for the Australian Information Commissioner to undertake regular formal audits of all aspects of Home Affair’s EU-sourced PNR data use, handling and access policies and procedures.

[4] Fieldwork for this assessment occurred on 22-23 June 2022. This was near the end of the 2021-2022 financial year which ended 30 June 2022.

[5] Privacy Act 1988 (Cth) s 6(1) (definition of ‘agency’).

[6] Though the ABF Act describes these functions as that of the ‘Secretary’, these functions have been delegated under s 53 of the ABF Act to Australian Border Force officers Australian Public Service (APS) Level 5 and above, and Home Affairs officers APS Level 6 and above. Although there are separate instruments of delegation for the Australian Border Force and Home Affairs, both documents delegate functions under the ABF Act to ‘Immigration and Border Protection workers’.

[7]Paragraph 45(2)(b) of the ABF Act requires the Secretary to be satisfied that the cross-border disclosure of information is necessary for a purpose in s 46 of the ABF Act. Article 19(1)(e) of the EU Agreement similarly requires that Home Affairs disclose EU PNR data only where relevant and necessary to prevent, detect, investigate, and prosecute terrorist offences or serious transnational crime.

[8] In accordance with s 46(b) of the ABF Act.

[9] In accordance with s 45(2)(c) of the ABF Act.

[10] Article 17 of the EU Agreement requires all processing of EU PNR data to be logged or documented to verify the lawfulness of data processing.

[11] Where a matter is not authorised under the Instrument, the one-off Authority to Disclose Immigration and Border Protection Information form captures the substance of many requirements under s 45 of the ABF Act. However, this form appears to be used only in exceptional cases as the Instrument will generally apply.

[12] In internal compliance reviews, Home Affairs observed that most, but not all records relating to disclosures of information, could be located on its record management system.

[13] APP 8.2(e) provides that APP 8.1 does not apply to disclosures made by an agency such as Home Affairs where the disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party. The EU Agreement may be an example of such an agreement.

[14] APP 8.2(f) provides that APP 8.1 does not apply to disclosures made by an agency such as Home Affairs if they reasonably believe it is reasonably necessary for the enforcement related activities of an enforcement body, and the overseas recipient performs functions or exercises powers similar to those of an enforcement body.

[15] For example, the caveat may state that overseas recipients can only use the EU PNR data disclosed for the reason it was requested. This obligation may accord with APP 6, but the overseas recipient’s obligation is derived from the caveat and any information provided in the BIWO Request for Information form – not the APPs themselves.

[16] Privacy Act 1988 (Cth) s 16C.

[17] Since fieldwork was conducted, it is understood that the name of this training has changed, and it is now known as ‘Privacy Foundations’.

[19] Article 19(1)(g) of the EU Agreement.

[20] For example, the caveat may state that overseas recipients can only use the EU PNR data disclosed for the reason it was requested. This obligation may accord with APP 6, but the overseas recipient’s obligation is derived from the caveat and any information provided in the BIWO Request for Information form – not the APPs themselves.

[21] Since fieldwork was conducted, it is understood that the name of this training has changed, and it is now known as ‘Privacy Foundations’.

[22] Paragraph 33C(1)(a) of the Privacy Act provides that the Commissioner may assess whether personal information held by an APP entity is maintained and handled in accordance with the APPs.

[24] The recommendation also referred to assessments examining the deletion of sensitive data. This was addressed in a previous assessment which considered Home Affairs’ obligations to destroy or de-identify PNR data under APP 11. That assessment report is available at https://www.oaic.gov.au/privacy/privacy-assessments/handling-of-personal-information-department-of-immigration-and-border-protection-passenger-name-records.