New Queensland Driver Licence

New Queensland Driver Licence Privacy Management Plan

Contents

Executive Summary
Abbreviations and Glossary
Introduction to the New Queensland Driver Licence
Information Privacy Principles
Legislative provisions
Information Privacy Management for the New Queensland Driver Licence
  Collection IPPs
  Storage and Security IPP
  Access and Amendment IPPs
  Accuracy and Relevancy IPPs
  Use and Disclosure IPPs
Monitoring and Auditing
  Monitoring
  Auditing
Privacy Complaints
  Complaints against TMR
  Breaches within TMR
  Complaints against others
Appendix
Appendix
Appendix

NQDL PMP, Transport and Main Roads, September of 34

Executive Summary

The New Queensland Driver Licence Privacy Management Plan has been updated to reflect the technological changes made to the functionality of the new cards from 27 September. This revised Privacy Management Plan replaces the November 2010 version.

The Queensland Department of Transport and Main Roads (TMR) has used globally recognised technology to make Queensland driver licences, industry authorities, marine licence indicator and Adult Proof of Age Cards more secure, more reliable and more durable. Driver licences and other authorities are now issued in the form of credit card-sized plastic cards and contain state-of-the-art technology and security features such as reproductions of the cardholder's digital photograph and digitised signature, holograms, a computer chip and watermarks.

Security has been further enhanced with the introduction of facial recognition technology (i.e. a form of biometrics). This helps ensure the national policy position of one-person, one-licence and underpins the Queensland Government's road safety strategies by helping ensure that only those qualified to do so, drive on our roads.

TMR is committed to the responsible and transparent collection and management of Queenslanders' personal information. When this new technology was first introduced TMR engaged Crown Law to produce a Privacy Impact Assessment (PIA). The objective of the PIA was to provide the Queensland Government and its stakeholders with:

- assurance that the major potential privacy impacts arising from the New Queensland Driver Licence (NQDL) Project were identified, analysed and defined within the privacy regime in Queensland, and
- recommendations to meet the Queensland Government's privacy policy settings in sufficient detail to enable adoption of these by TMR.

While the Privacy Management Plan (PMP) addresses the privacy impacts identified in the PIA and specifies how these impacts will be managed (see Appendix 1) it is noted that with the technological changes made to the functionality of the card some of the privacy impacts are no longer relevant.

The original intention for the new cards was for widespread adoption at various public and government institutions. These objectives have not been fully realised which means that many of the capabilities of the original card were not being fully utilised and as such are no longer required. As a result, the function of recording and using the Personal Identification Number (PIN) or Shared Secret is no longer available. For existing smartcard holders the chip will continue to hold the PIN or Shared Secret however the capability to read, access, change, or remove information is no longer available. Chips on new cards issued will not have this functionality and therefore cannot record this information.

The Personal Identification Number (PIN) was only permanently stored on the Smartcard. Shared Secrets will be deleted from all TMR databases shortly after 27 September. These changes are reflected in this updated version of the PMP.

The PMP also provides a general outline of TMR's policies for the issue of the new driver and marine licences, industry authority and Adult Proof of Age Cards.

The PMP will help ensure that whenever personal information is collected, used, disclosed, maintained and destroyed, it will be done in accordance with the relevant information privacy legislation and information privacy principles. TMR will ensure ongoing compliance with its information privacy obligations through monitoring and auditing activities, and by identifying and responding to any ongoing policy and technological changes which may occur.

Abbreviations and Glossary

Abbreviations

APAC Act: Adult Proof of Age Card Act 2008
IMS: Image Management System
IP Act: Information Privacy Act 2009
IPP: Information Privacy Principle
IS18: Information Standard No 18 Information Security
MOU: Memorandum of Understanding
NEVDIS: National Exchange of Vehicle and Driver Information System
NPP: National Privacy Principle
NQDL: New Queensland Driver Licence
OCSP: Online Certificate Status Protocol
PIA: Privacy Impact Assessment for the New Queensland Driver Licence
PIN: Personal Identification Number
PKI: Public Key Infrastructure
PMP: Privacy Management Plan for the New Queensland Driver Licence
PPRA: Police Powers and Responsibilities Act 2000
QGPKI Framework: Queensland Government Enterprise Architecture PKI Framework
QPS: Queensland Police Service
RTI Act: Right to Information Act 2009
ROI: Release of Information
TMR: Department of Transport and Main Roads
TOMS Act: Transport Operations (Marine Safety) Act 1994
TOPT Act: Transport Operations (Passenger Transport) Act 1994
TORUM Act: Transport Operations (Road Use Management) Act 1995
TPAC Act: Transport Planning and Coordination Act 1994
TRAILS: TMR's Transport Registration and Integrated Licensing System
TT Act: Tow Truck Act 1973

Glossary

Card chip: The integrated computer chip embedded in a card.

Card reader: An electronic device that is used to communicate with the new card.

Cardholder: The holder of a driver licence, marine licence indicator, industry authority or Adult Proof of Age Card issued by TMR.

Customer Interaction Device (CID): A counter-top device that allows the customer to enter their signature.

Digital Photo: A facial image encoded in a digital form.

Digitised signature: An image of a person's signature encoded in a digital form.

MINDA: Mobile Integrated Network Data Access database. A database which stores vehicle and recreational marine vessel registration information and driver and recreational marine licence information, as well as information from QPRIME that lists vehicles and persons of interest.

Prescribed Smartcard Acts:
- Adult Proof of Age Card Act 2008
- Transport Operations (Marine Safety) Act 1994
- Transport Operations (Passenger Transport) Act 1994
- Transport Operations (Road Use Management) Act 1995
- Tow Truck Act 1973

Personal Information: As defined in the Information Privacy Act: information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Queensland Police Records and Information Management Exchange (QPRIME): A single policing information system that consolidates information collected from various sources to assist in managing most policing incidents as well as to conduct performance reporting, task management and information analysis. QPRIME connects to the TRAILS database through various service points (interfaces) established between the two systems.

Relevant Transport Acts:
- Transport Operations (Marine Safety) Act 1994
- Transport Operations (Passenger Transport) Act 1994
- Transport Operations (Road Use Management) Act 1995
- Tow Truck Act 1973

Third party: Any person other than an authorised person or the cardholder (e.g. a person to whom the cardholder provides consent to access information stored electronically on the card). The third party is a party that TMR may not know, nor trust.

Transport Integrated Customer Access (TICA): A browser based interface to TRAILS.

Introduction to the New Queensland Driver Licence

Queensland licences, authorities and proof of age cards have changed to reflect new technology. They are more reliable, more durable and more secure because, unlike the laminated cards, the new cards are extremely difficult to duplicate.

The Queensland Government began rolling out the following cards in late 2010:

- Driver Licence
- Heavy Vehicle Driver Licence
- Adult Proof of Age Card
- Marine Licence Indicator
- Industry Authority (including driver authorisations, dangerous goods driver licences, tow truck drivers and assistants, traffic controllers, driver/rider trainers and pilot and escort vehicle drivers).

These have replaced existing laminated cards and marine licence confirmation reports.

The new cards are necessary to replace the existing laminated cards that were being produced with materials and technology that has become obsolete. Furthermore, the laminated cards had become increasingly vulnerable to tampering and fraud and needed to be replaced with more secure technology. Relatively unsophisticated equipment was able to be used to create fraudulent licence, authority and proof of age cards. These fraudulent cards could be used to commit a wide range of crimes such as identity theft, identity fraud, creating false identities, money laundering, purchasing age-restricted products and driving illegally.

The Queensland Government had the opportunity to introduce cards that adopt global technology to strengthen the integrity of our licensing system. The new card differs from the previous laminated card in the following ways:

- the card is a credit card-sized hard plastic card;
- the card has an embedded computer chip that securely stores product information;
- a digital photo and digitised signature, which are printed on the card, will be taken and stored securely by the department; and
- the card has a number of visual and hidden security features.

Information Privacy Principles

On 1 July 2009, the IP Act came into effect which applies to all state government agencies. The IP Act contains 11 Information Privacy Principles (IPPs) which place certain obligations on the way in which TMR collects, stores, uses and discloses personal information.

IPPs 1-3 relate to the collection of personal information

TMR can only collect personal information directly related to its activities and only by fair means. The collection of the information should not unreasonably intrude upon the privacy of the individuals concerned. When collecting personal information, an individual is advised:

- the purpose for which the information is being collected;
- if the collection is authorised or required by or under law, and if so which law; and
- details of any entity or person to whom the agency regularly gives information and if it is known, any second entity that the first entity discloses to.

TMR must also take reasonable steps to ensure that personal information collected is relevant, up-to-date and complete before use. All forms used by TMR to collect personal information contain an appropriate privacy statement.

IPP 4 relates to the Storage and Security of personal information

TMR has in place reasonable safeguards to prevent unauthorised access, use or disclosure of personal information held.

IPPs 5-7 relate to access and amendment of personal information

Individuals are able to access TMR-held records containing their own personal information and to request amendments to those records if they are inaccurate.

IPPs 8-9 relate to accuracy and relevancy of personal information

TMR must not make use of any personal information held, without firstly taking reasonable steps to ensure that it is accurate, complete, up to date and relevant in terms of the proposed purpose.

IPPs relate to the use and disclosure of personal information

As a general principle, TMR must only use personal information for the purpose for which it was collected, and disclose personal information only if the individual concerned is aware of, or has consented to, that disclosure or there is a legal obligation to do so. In certain circumstances, TMR may use or disclose personal information without consent if the use or disclosure is authorised under legislation; to assist in certain types of law enforcement, investigations or to lessen a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare.

Legislative provisions

Over and above the requirements of the IP Act, TMR must comply with additional specific information privacy provisions contained in its own suite of legislation. These additional information privacy provisions are tailored to the new processes and information flows for the NQDL project.

The following are the primary legislative instruments relevant to the introduction of new card products for the range of licences and authorities issued by TMR:

- Adult Proof of Age Card Act 2008 (APAC Act)
- Transport Operations (Road Use Management) Act 1995 (TORUM Act)
- Tow Truck Act 1973 (TT Act)
- Transport Operations (Marine Safety) Act 1994 (TOMS Act)
- Transport Operations (Passenger Transport) Act 1994 (TOPT Act)
- Transport Planning and Coordination Act 1994 (TPC Act)
- Police Powers and Responsibilities Act 2000 (PPRA Act)
- Right to Information Act 2009 (RTI Act)
- Information Privacy Act 2009 (IP Act)
- Public Records Act

Information Privacy Management for the New Queensland Driver Licence

Following is a general outline of TMR's new policies for the issue of the new driver and marine licences, industry authorities and Adult Proof of Age Cards.

Collection IPPs 1-3

Application Documents

All application forms, including electronic forms, used by TMR to collect personal information contain an appropriate privacy statement. Application forms also provide for the applicant to agree to the use of their digital photo and digitised signature under the Prescribed Smartcard Acts.

Evidence of Identity Documents

Evidence of Identity (EOI) documents are required to be produced when a person first applies for a licence, authority or proof of age card issued by TMR. EOI documents support claims to:

- the legal existence of the person;
- their name and date of birth; and
- the use of their name, and their status, in the community.

TMR will scan an image of EOI documents presented by applicants where:

- a service to verify a document is not immediately available; and/or
- the document fails verification with an on-line verification service.

Digital Photo

A digital photo of the cardholder is taken by TMR and retained in TMR's back-end system. While the laminated licence included a photo, a separate copy of the photo was not retained by TMR. The digital photo is printed on the face of the card but not stored on the card chip.

Digital photos are collected for a range of purposes, with the dominant purpose being an aid in identifying a licence holder (i.e. to deliver the one licence, one person objective).

Purpose-built image capture devices, which incorporate a camera and lights, are used to take a biometric facial image of a customer. The digital photo is stored in a secure drive prior to being uploaded in an encrypted file to the card production company. TMR also retains the digital photos in a secure and dedicated database, with restricted access to limited TMR officers (i.e. officers of TMR's Identity Management Unit (IMU)).

Digitised Signature

An image of the cardholder's signature is also collected and retained by TMR electronically. While signatures are currently collected by TMR on application forms, TMR does not retain electronic images of the signatures. A copy of the digitised signature is printed on the face of the new card but not separately stored on the card chip.

A person uses a Customer Interaction Device (CID) at the time of application to record their digitised signature. The CID is a counter top device that the customer signs to enable a digital signature to be captured when they apply for a licence at a licence issuing centre.

Similar to digital photos, a principal purpose of collecting digitised signatures is to aid in identifying a licence holder.

Storage and Security IPP 4

Storage

TMR is required by legislation to keep and maintain proper records of its activities. To ensure recordkeeping compliance TMR is committed to meeting its responsibilities under the Financial Performance Management Standard 2009, Public Records Act 2002 and the Queensland Government Information Standards.

Management of Personal Information

TMR's electronic Document and Records Management System (eDRMS), and the Document Management System (DMS), have been approved as appropriate systems to manage TMR's physical and electronic information and records. Personal information held by TMR is destroyed in accordance with Queensland Disposal Authority Number 474 (QDAN 474) of the General Retention and Disposal Schedule (GRDS) as released by Queensland State Archives (QSA).

Transport Registration and Integrated Licensing System (TRAILS)

TRAILS is TMR's computer-based licensing and vehicle and vessel registration database. All information in the TRAILS database is treated as private and confidential, and any information accessed or searched must only be used in the execution of the relevant accessing officer's official duty.

Each user is assigned a unique profile which limits their access to TRAILS, so that only those functions that are necessary for them to perform their duty are available. An auditable record of TMR officer access on TRAILS is maintained.

Image Management System (IMS)

A cardholder's digital photo and digitised signature, and any scanned EOI documents, will be stored in a dedicated and secure database known as the Image Management System (IMS). These records will be stored as an algorithm and not as a plain image. Any EOI documents that are scanned will be retained for the length of any investigation and appeal periods, and in accordance with TMR's Retention and Disposal schedules.

The IMS will only allow searches based on criteria available in the TRAILS system. Any transaction involving access to the IMS will be logged and reported for auditing and monitoring purposes.

Card chip

Cards issued from TMR have an embedded microchip processor (card chip) which holds a personal identifier and card validation data (for TMR use only).

Arrangements with service providers

On 1 July 2009, the IP Act came into effect, replacing Information Standard 42 - Information Privacy. The IP Act applies to all state government agencies. Any service provider that is contracted by TMR, even if it is a small business and is exempt from meeting the obligations imposed by the Privacy Act 1988 (Cth), will be contractually bound with the same privacy obligations as TMR in relation to their activities dealing with personal information.

Staff Training

TMR has a suite of core employment courses that its staff complete on a regular basis, including a course on Information Privacy. The Information Privacy Course provides a summary of the privacy scheme regulating how personal information is collected, stored, used and disclosed by Queensland Government agencies. In addition, the TMR's Right to Information and Privacy Unit also conducts training for divisions/units relating to specific information privacy matters relevant to a particular area's operation.

With the introduction of the NQDL card, four training packages have been developed for all frontline TMR staff who will be dealing with the new technology.

The NQDL Awareness Package provides a general overview of the new cards. Initially the package will be made available to frontline service delivery staff. Following this distribution the package will be made available to the remainder of TMR as well as QPS.

The NQDL Essentials Package is a follow up training package, containing background detail about the new cards along with the major changes/impacts.

The NQDL Transition Package contains the necessary information to ensure operating staff understand the processes and procedures, and system requirements when handling card transactions and enquiries while working at a laminate office (during the transition period).

The NQDL Procedures Package is only intended for staff that actually process customer transactions or those that interact with customers on some level, e.g. call centre staff.

Access and Amendment IPPs 5-7

Key written information is provided to cardholders on the different methods to access and amend their personal information held by TMR. TMR has further chosen to provide this information, where appropriate, by more than one means to the customer. This includes information made available to customers:

- in hard copy format when they apply for a new card product or are invited to renew an existing card product;
- when they visit a licensing issuing centre to have their digital photo and digitised signature recorded;
- in hard copy format when the card is delivered to the customer; and
- electronically on the TMR website.

Access

Cardholders can access their personal information, or authorise someone else to have access, held on TMR's back-end computer system, using the already established processes within the department, including the Release of Information (ROI) procedure.

Access to information held on the card chip may be obtained when the card is inserted into a suitably configured card reader operated by QPS or TMR.

A person may apply to obtain a copy of their digital photo kept by TMR if they establish their connection to the digital photo. A printed copy of the person's digital photo will be sent to the cardholder's mailing address, and will not be released over the counter or in a digital format.

Amendment

Change of Name and Address

In accordance with Relevant Transport Acts, a person is required to notify TMR of a change to their name or address within 14 days. Penalties may apply if they fail to do so. A cardholder may also choose to advise TMR of a change of name or address for an Adult Proof of Age Card; however this is not a mandatory requirement.

Supporting material regarding the cardholder's obligation to keep their personal information up to date will be provided to the cardholder when they receive their first card and in licence and authority renewal reminder notices.

Accuracy and Relevancy IPPs 8-9

Personal Information

TMR has processes in place to ensure high standards of data accuracy and relevance for all aspects of licence, authority and proof of age card products. TMR achieves this objective by undertaking the following processes:

- requesting applicants to confirm personal, address and licence details on receipt of payment for a licence, authority or proof of age credential;
- the recording of the applicant's digital photograph and digitised signature, where legislation allows for a photo to be taken and kept;
- the use of facial recognition technology;
- scanning and retaining EOI documents provided by applicants where those documents are not able to be immediately confirmed as genuine, for later checking;
- promptly dealing with change of address or other changes to personal details; and
- promptly amending any inaccurate information as requested by the licence, authority or Adult Proof of Age Card holder.

Supporting material regarding the cardholder's obligation to keep their personal information up to date will be provided at appropriate regular intervals and by a range of communication media (i.e. such as on first application for a card and on subsequent renewals of a card product; when undertaking other related transactions with the department and via printable facts sheets on the TMR webpage).

Digital Photo

Facial recognition technology may be used to establish the person's connection to a digital photo kept by TMR and consequently their entitlement to conduct a transaction in relation to a particular licence, authority or Adult Proof of Age Card. The two forms of facial recognition comparisons are:

- one to one (1:1) facial image comparison: this is a comparison between a new photograph taken at the time and the latest stored valid photograph for that customer. The system performs the match immediately on capture of the photo to confirm that the customer is who they claim to be; and
- one to many (1:N) facial image comparison: this is a comparison of a customer's facial image against facial images stored for all customers. A 1:N facial image comparison is used to distinguish customers who may have multiple records under one or more names or who may be attempting to impersonate someone else. This match is conducted prior to the production of their new card.

Use and Disclosure IPPs

As a general principle, TMR must only use personal information for the purpose for which it was collected, and disclose personal information only if the individual concerned is aware of, or has consented to, that disclosure or there is a legal obligation to do so. In certain circumstances, TMR may use or disclose personal information without consent if the use or disclosure is authorised under legislation; to assist in certain types of law enforcement, investigations or to lessen a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare.

Personal Information

From 27 September 2013 there is no personal information (excluding ECI information where it has been requested) on the card chip. The chip holds a personal identifier and card validation data.

Cardholders

TMR cards are designed to meet the needs of driver licensing (or other transport or proof of age purposes) without regard to any other uses. Accordingly, cardholders need to satisfy themselves as to the adequacy and appropriateness of using cards for their own purposes.

Cardholders will also be given specific information about what to do in the event of fraud, where there is suspicion of unauthorised access to their card, where they encounter unauthorised disclosure of information by third parties, and finally to be aware of the possibility of data harvesting by a third party.

Digital Photos and QPS

TMR and the QPS will enter into a MOU setting out the basis by which the QPS will access digital photos held by TMR. Specifically, the MOU:

- will establish a cooperative framework between the two agencies for the access to digital photos;
- identify the respective roles and responsibilities of the parties;
- outline the dispute resolution process to be used by the parties; and
- establish reporting and audit arrangements.

Centralised production of the card

All new cards are securely produced and distributed from a central card production house. Under the centralised production process, information including the cardholder's digital photo and digitised signature is transferred from the licensing issuing centre to the card production house over a secure communication line. The card is produced and mailed to the customer, which will normally be within 10 business days. The card is mailed from the card production house to the nominated address of the cardholder via Australia Post.

Monitoring and Auditing

Monitoring

A periodic review of the PMP will be facilitated by TMR's RTI and Privacy Unit. TMR's operational divisions responsible for each of the Prescribed Smartcard Acts will assist in identifying any policy and technological changes which may need to be addressed, and approve any updates or amendments if required.

Auditing

As part of TMR's current privacy practices, all databases which hold customer personal information are audited on a routine basis. This audit is coordinated by the RTI and Privacy Unit. The audits identify all holdings (electronic and paper based) and evaluate how the systems comply with the Information Privacy Principles (IPPs).

The objective of these audits is to ascertain across TMR, whether records of personal information are being collected, stored, used and disclosed in accordance with the IPPs. This audit also assists in identifying measures that may be taken to reduce the risk, for TMR, brought about by noncompliance with the IPPs.

TMR's Internal Audit Branch reviews and evaluates departmental operations and systems, including regularly testing if those operations and systems are working properly.

TRAILS

Every time a record in TRAILS is accessed and/or searched within the database, a transaction log is kept of the date and time the access/search is made, the transactions that were performed against a customer record and the involved party and their location, i.e. through their user identification (UserID).

TMR maintains and manages a transaction log for TRAILS, and if inappropriate use is suspected, the user may be subject to an investigation. Depending on the circumstances, the investigation may be conducted by a user's Manager, Internal Auditors, the Privacy Contact Officer, Legal and Prosecutions Branch or the Crime and Misconduct Commission (CMC).

In addition, TMR conducts periodic audits of TRAILS UserIDs to ensure that it is appropriate for current users to retain TRAILS access, and confirm they have been assigned the correct profile.

Image Management System

Details of all instances of access to digital photos kept in the IMS will be electronically and automatically logged. In accordance with approved TMR procedures, these log details will be compared to recent product transaction records for related customers for the purpose of identifying any potentially inappropriate access to a person's photo.

If inappropriate access is suspected, the operator and their actions will be subject to further investigation. This investigation may be conducted by the operator's Manager, Internal Auditors, the Privacy Contact Officer or the CMC. Should inappropriate access be confirmed the employee would be subject to disciplinary action which may include dismissal and/or prosecution depending upon the seriousness of the misuse.

Contractor audits

TMR is committed to ensuring that all contracts, sub-contracts, memoranda of understanding, agreements, licence agreements, and forms collecting personal information, comply with the privacy obligations detailed in the IP Act and the Prescribed Smartcard Acts.

In accordance with the contractual arrangements, regular audits will be conducted by TMR to ensure compliance with the approved Contractor PMP.

Privacy Complaints

Complaints against TMR

If anyone believes TMR has not dealt with their personal information appropriately, they may lodge a complaint using TMR's established Complaints Management Policy. This includes complaints about third parties who act as agents for, or provide products or services on behalf of, TMR.

All complaints about the issue of the new driver licence, marine licence indicator and authority cards and Adult Proof of Age Cards can be made online, by phoning TMR on or visiting a TMR customer service centre, Queensland Government Agency Program (QGAP) office or police station that issues driver licences in rural areas.

Breaches within TMR

If a breach of privacy has been identified within TMR, an investigation will initially be conducted by officers within the RTI and Privacy Unit who have the necessary expertise.

Where an investigation raises reasonable belief that a departmental employee has accessed, released or otherwise dealt with, personal information in a way which suggests a breach of the code of conduct, the Manager (RTI & Privacy) will refer this to the Chief Auditor. In these cases, the employee may be suspended, pending advice.

The complainant will be advised of the outcome of the investigation and the options available for resolving the complaint.

Complaints against others

Where an information privacy complaint is lodged against a third party who provides services or transacts business on behalf of TMR, TMR will liaise directly with the third party and examine options to promptly resolve the information privacy complaint, consistent with established customer service standards and applicable legislative provisions.

In the event that a complainant believes that the personal information collected by TMR has been used in a criminal matter, the complainant will immediately be referred to the QPS and advised to lodge a formal complaint which can be investigated by the proper authorities.

TMR will pro-actively investigate any cardholder reports of unauthorised access to information on the card chip to the extent to which it has authority and capacity to do so.

Appendix 1

The following table sets out the recommendations of the PIA, and identifies strategies TMR will apply to address them:

Recommendation 1: Privacy impact assessment before emergency contact information provisions commence

PIA Recommendations: It is recommended that a PIA be conducted in relation to the emergency contact information provisions before the commencement of those provisions.

TMR Strategy: Agreed.

Recommendation 2: Collection of height and eye colour

PIA Recommendations: It is recommended that TMR consider whether it is still necessary to collect height data and a description of eye colour, given that TMR will take and keep digital photos.

TMR Strategy: The collection of height information for the Adult Proof of Age Card, and height and eye colour for driver licences, marine licences and industry authorities, as an additional form of identifier, will continue on commencement of the New Queensland Driver Licence. TMR is of the view that collection of the height information remains necessary, and is directly collected for lawful purposes, because digital photos do not indicate the height of an individual, and therefore height information can be used to verify identity for licensing purposes where facial recognition technology returns multiple matches. Consistent with observations in the PIA, TMR also believes the collection of eye colour provides additional textual information beyond that apparent in digital photos (i.e. because apparent eye colour may vary according to the angles at which the eye is observed). However, the collection of height and eye colour data will be subject to ongoing review, given the introduction of facial recognition technology.

Recommendation 3: IPP 2 notice

PIA Recommendations: 3.1 It is recommended that TMR make applicants for card licence products aware of the following before they apply for the product or renewal: (a) the purpose of collection of the information collected, including the additional information; (b) that the collection of the information is authorised by law, and the law authorising collection; and (c) to whom the agency usually discloses the information.

TMR Strategy: Agreed. In accordance with departmental policy, all licence, authority and Adult Proof of Age Card application forms, including electronic forms, used to collect personal information contain an appropriate privacy statement. This statement advises: the purpose for which the information is being collected; if the collection is authorised or required by or under law; and the details of any entity or person to whom the agency regularly gives information.

PIA Recommendations: 3.2 It is recommended that information about collection of data in certificate revocation list service and OCSP service transaction logs be made available to cardholders.

TMR Strategy: This recommendation is no longer applicable. Cards issued after 27 September 2013 do not have digital certificates.

Recommendation 4: Notice of information disclosed from card

PIA Recommendations: 4.1 It is recommended that cardholders be informed of the information that may be disclosed when their card is inserted into a specially configured card reader by an authorised party.

TMR Strategy: Agreed. TMR will provide this information in explanatory documentation provided to the cardholder when they receive their card. All access to protected information stored on the card chip will be logged by the MINDA system and can be retrieved for audit purposes.

PIA Recommendations: 4.2 It is recommended that cardholders be informed of the information that may be disclosed: (a) when their card is inserted by a third party into a card reader; and (b) when they enter their PIN into the third party's card reader.

TMR Strategy: This recommendation is no longer applicable. The function of recording and reading the PIN is not available after 27 September

PIA Recommendations: 4.3 It is also recommended that TMR give notice of the actual information which may be disclosed when the card is inserted in a card reader and PIN entered: (a) when a cardholder receives their first card; and (b) through web access or at customer service centres.

TMR Strategy: This recommendation is no longer applicable. The function of recording and reading the PIN is not available after 27 September

Recommendation 5: Notice of requirement to notify change of address

PIA Recommendations: It is recommended that cardholders be informed of their obligation to notify TMR of changes in their address and the need for the address information to be changed on both the TMR System and on the card.

TMR Strategy: This will be made clear in explanatory documentation provided to the cardholder when they receive their card. If a person holds a driver licence, any industry authority or a marine licence card, they are required to notify TMR of a change of name or address within 14 days. A cardholder may also choose to advise TMR of a change of name or address for an Adult Proof of Age Card, however this is not a mandatory requirement. At present, a cardholder may update their address via the TMR website, by calling or by visiting a licence issuing centre. TMR will then send a change of address label to the new address with instructions on how to place the label on the card.

Recommendation 6: Consent to use of digital photo and digitised signature

PIA Recommendations: It is recommended that the application forms for the grant, renewal or replacement of a card clearly provide that, by signing the application, the applicant consents to use of the applicant's digital photo and digitised signature as required under section 91B of the TORUM Act (or section 19B of the TT Act, section 63B of the TOMS Act, section 35B of the TOPT Act or section 32 of the APAC Act).

TMR Strategy: Agreed. Application forms will provide for the applicant to consent to the use of their personal information as provided under a relevant Prescribed Smartcard Act.

Recommendation 7: Information regarding transactions with third parties

PIA Recommendations: 7.1 It is recommended that cardholders be informed that: (a) if they provide their card to a third party it is likely that it would be implied that the cardholder consents to the third party accessing information stored on the card chip accessible without PIN entry; (b) if they provide their card to a third party and enter their PIN it is likely that it would be implied that the cardholder consents to the third party accessing information stored on the card chip accessible following PIN-entry; (c) if they do not consent to disclosure of any of the information on the card chip then they should not produce their card to the third party unless the third party agrees that the third party will not insert the card into a card reader; (d) if they do not consent to disclosure of the PIN-protected information then they should not enter their PIN; and (e) if they consent to disclosure of only particular items of information which is always accessible, or particular items of PIN-protected information they should reach agreement with the third party beforehand about which items of information the third party may access.

TMR Strategy: This recommendation is no longer applicable. The function of recording and reading the PIN is not available after 27 September Further, this particular information will also appear on the TMR website.

PIA Recommendations: 7.2 It is recommended that cardholders be informed that: (a) cards are designed to meet the needs of driver licensing (or other transport or proof of age purposes) without regard to any other uses; (b) they need to satisfy themselves as to the adequacy and appropriateness of using cards for their own purposes; and (c) TMR will not be responsible for any use of the card for evidence of identity purposes or any other non-driver licensing purposes (or other transport or proof of age purposes in the case of other licence products) or anything arising out of that use.

TMR Strategy: Agreed. Cardholders will be informed via the explanatory documentation provided to the cardholder when they receive their card. Further, this particular information will also appear on the TMR website.

PIA Recommendations: 7.3 It is recommended that third parties be informed that: (a) cards are designed to meet the needs of driver licensing (or other transport or proof of age purposes) without regard to any other uses; (b) they need to satisfy themselves as to the adequacy and appropriateness of using personal information from cards for their own purposes; (c) TMR will not be responsible for any use of the card for evidence of identity purposes or any other non-driver licensing purposes (or other transport or proof of age purposes in the case of other licence products) or anything arising out of that use; (d) they need to satisfy themselves that the card chip personal information is sufficiently authentic and accurate for their purposes; (e) in collecting card chip personal information, they remain subject to privacy laws which may apply to them or their activities; and it is an offence to access information on a card chip without consent and it would be necessary for the third party to obtain the cardholder's consent to access any information on the card chip, including: (i) consent to accessing the items of information to be accessed by the third party prior to PIN-entry; and (ii) where relevant, consent to accessing the particular items of PIN-protected information to be accessed by the third party following PIN-entry (eg by giving or displaying to the cardholder a list of the items of information on the chip which will be accessed with consent).

TMR Strategy: The sole purpose of a TMR issued driver licence (regardless of what form it takes) is and has always been to establish a person's authority to drive. Similarly, industry authority and marine licence indicator cards are produced solely for transport related purposes. Accordingly, the information in this recommendation will appear on the TMR website. It is noted that the function of recording and reading the PIN is not available after 27 September

Recommendation 8: Information about steps to take in the event of fraud, unauthorised access and unauthorised disclosure

PIA Recommendations: 8.1 It is recommended that cardholders be informed of: (a) actions to take in the case of fraud (e.g. contacting the police); (b) the offences relating to unauthorised access to information on the card chip and steps to take if a cardholder suspects that an offence has been committed (e.g. making a complaint to TMR or to the police); and (c) actions to take in relation to the unauthorised disclosure of information by third parties (e.g. making a complaint to the third party and making a complaint to the Office of the Privacy Commissioner).

TMR Strategy: Agreed. Cardholders will be provided with this information via the explanatory documentation provided to the cardholder when they receive their card. Further, this particular information will also appear on the TMR website. The function of recording and reading the PIN is not available after 27 September 2013.

PIA Recommendations: 8.2 It is recommended that TMR pro-actively investigate any cardholder reports of unauthorised access to information on the card chip to the extent to which it has authority to do so.

TMR Strategy: TMR will actively assist in any such investigation to the extent to which it has authority and capacity to do so.

Recommendation 9: Memorandum of understanding with Queensland Police Service - additional information about digital photo access

PIA Recommendations: 9.1 It is recommended that TMR consider requesting additional information in reports from the Queensland Police Service in relation to access, including: (a) the number of applications for access approval orders and the number of applications for post-access approval orders: (i) made; (ii) granted; and (iii) denied; and (b) for each application for an access approval order or post-access approval order made the category of crime in respect of which access was sought.

TMR Strategy: In response to (a), it is proposed that the MOU between TMR and the QPS will provide for this additional information to be reported. In response to (b), TMR has given due consideration as to whether, for each application for an Access Approval Order or Post-Access Approval Order, the category of crime should also be separately reported. TMR is of the belief that the collection of this information could not be: for a lawful purpose directly related to a function or activity of TMR; and necessary to fulfil a function or activity of TMR. Accordingly, TMR will not be requesting that the QPS additionally report category of crime information. TMR will, however, collect broad information as to the reason for the request. Specifically, whether the request was for investigating, prosecuting or enforcing a transport Act, section 328A (Dangerous operation of a motor vehicle) of the Criminal Code, the criminal law or for emergency access purposes under the PPRA.

TMR also notes that section 195B (Access approval order) of the PPRA provides as follows: (1) This section applies if a police officer considers it is reasonably necessary for the investigation, prosecution or enforcement of the criminal law for a police officer to access a registered digital photo. (2) The police officer may apply to a justice for an order authorising a police officer to access the registered digital photo (access approval order). (3) The application must (a) be sworn; and (b) identify the registered digital photo for which the access approval order is sought; and (c) state the purpose for which the access is sought; and (d) state why the police officer considers it is reasonably necessary to access the registered digital photo for the purpose mentioned in paragraph (c).

It is proposed that the MOU between TMR and QPS will provide for QPS giving a copy of the Access Approval Order or Post-Access Approval Order to TMR, as soon as practicable, but within 14 days after the order was made.

PIA Recommendations: 9.2 It is recommended that TMR consider publishing a copy of the approved memorandum of understanding on its web site.

TMR Strategy: TMR does not have any immediate objections to publishing a copy of the signed MOU on the TMR website. Appropriate enquiries will be made with QPS, who will also be a signatory to the MOU, and a final determination will be made on this issue.

Recommendation 10: Information about privacy obligations of third parties

PIA Recommendations: 10.1 It is recommended that cardholders be informed that third parties receiving information from the card chip may not be subject to privacy protection laws (e.g. businesses with an annual turnover of $3 million or less are exempt from the operation of the Privacy Act).

TMR Strategy: This recommendation is no longer applicable. The function of recording and reading the PIN is not available after 27 September

PIA Recommendations: 10.2 It is recommended that if a cardholder requests information about the extent of privacy obligations of authorised parties and third parties, that TMR provide the cardholder with: (a) information about the extent of the obligations; or (b) guidance about where that information is available.

TMR Strategy: Agreed. This is something that TMR would do if one of its customers requests information of this nature. Please note, however, that TMR may not be aware of the status and annual turnover of a specified third party, and therefore may not be in a position to advise on a particular third party's level of obligation to comply with privacy protection laws.

Recommendation 11: Staff training on security and privacy issues for NQDL

PIA Recommendations: It is recommended that TMR provide training to staff to be aware of potential security and privacy issues and TMR's policies and procedures to address security and privacy issues, including: (a) regular staff privacy awareness training; and (b) periodic compliance checks.

TMR Strategy: Agreed. TMR has a suite of core employment courses that its staff completes on a regular basis, including an Information Privacy course. The Information Privacy Course provides a summary of the privacy scheme regulating how personal information is collected, stored, used and disclosed by Queensland Government agencies. In addition, TMR's Right to Information and Privacy Unit also conducts training for divisions/units relating to specific information privacy matters relevant to a particular area's operation.


More information

Client complaint management policy

Client complaint management policy Client complaint management policy 1. Policy purpose This policy implements section 219A of the Public Service Act 2008 in the Department of Justice and Attorney-General (DJAG). Under this section, Queensland

More information

Disciplinary and Dismissals Policy

Disciplinary and Dismissals Policy Policy Purpose/statement/reason for being Disciplinary and Dismissals Policy E.G - MIP is designed to strengthen the effectiveness of individual s contribution to the Council s success. Purpose The Disciplinary

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

I loved reading the terms & conditions! said no one, ever. term deposit terms + conditions

I loved reading the terms & conditions! said no one, ever. term deposit terms + conditions I loved reading the terms & conditions! said no one, ever term deposit terms + conditions index. Part a - general terms and conditions. 2 1 Purpose of this booklet. 2 2 Meaning of words used. 2 3 Opening

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Personally controlled electronic health record (ehealth record) system

Personally controlled electronic health record (ehealth record) system Personally controlled electronic health record (ehealth record) system ehealth record System Operator Audit report Information Privacy Principles audit Section 27(1)(h) Privacy Act 1988 Audit undertaken:

More information

The Ten privacy principles and our commitment to them are as follows:

The Ten privacy principles and our commitment to them are as follows: Your Privacy is Our Concern Federated Insurance Company of Canada 1 is committed to protecting your personal information, whether you are a customer of Federated or not, and, no matter how we came to be

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally

More information

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK REVISED August 2004 PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK Introduction

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

PRIVACY AND CREDIT REPORTING POLICY

PRIVACY AND CREDIT REPORTING POLICY PRIVACY AND CREDIT REPORTING POLICY 12 March 2014 CONTENTS What is personal information?...3 Information we may collect, use and disclose about you...4 Collection of sensitive information...6 How personal

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

ASPEN AUSTRALIA BRANCH PRIVACY POLICY

ASPEN AUSTRALIA BRANCH PRIVACY POLICY ASPEN AUSTRALIA BRANCH PRIVACY POLICY INTRODUCTION This policy applies to the operations of Aspen s Australia branch. Aspen is committed to complying with the principles of the Privacy Act 1988 and accordingly

More information

Credit Reporting Privacy Code 2004

Credit Reporting Privacy Code 2004 Credit Reporting Privacy Code 2004 Incorporating Amendments No. 2 and No. 3 Privacy Commissioner Te Mana Matapono Matatapu NEW ZEALAND Credit Reporting Privacy Code 2004 1. Title 2. Commencement 3. Review

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

Corporate Data Protection Policy

Corporate Data Protection Policy Corporate Data Protection Policy September 2010 Records Management Policy RMP-09 GOLDEN RULE When you think about Data Protection remember that we are all data subjects. Think about how appropriately and

More information

POLICY STATEMENT 5.17

POLICY STATEMENT 5.17 POLICY STATEMENT 5.17 DENTAL RECORDS 1 (Including ADA Guidelines for Dental Records) 1. Introduction 1.1 Dentists have a professional and a legal obligation to maintain clinically relevant, accurate and

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection. Terms and Conditions

David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection. Terms and Conditions David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection Terms and Conditions Issued May 2016 DAVID JONES STORECARD AND DAVID JONES

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition Revised: 02/13/2015 A. STATEMENT OF PURPOSE The purpose of this document is to outline the responsibilities

More information

3 What Personal Information do we collect and why do we need it?

3 What Personal Information do we collect and why do we need it? Privacy Policy 1 Protecting your privacy The worldwide rental system operated as Europcar is owned by Europcar International, a French Corporation. A number of independently owned licensees also trade

More information

Motor Vehicle Insurance. and. Repair Industry. Code of Conduct

Motor Vehicle Insurance. and. Repair Industry. Code of Conduct . Motor Vehicle Insurance and Repair Industry Code of Conduct Revised March 2011 MOTOR VEHICLE INSURANCE AND REPAIR INDUSTRY CODE OF CONDUCT 1 TABLE OF CONTENTS PREAMBLE... 3 1. PRINCIPLES OF THE CODE...

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

Crampton Credit Reporting Policy

Crampton Credit Reporting Policy Crampton Credit Reporting Policy Crampton Automotive Pty Ltd (ACN 057 283 253), trading as Toowoomba Holden and its related bodies corporate (Crampton) is committed to protecting the privacy of individuals

More information

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012

Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012 Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012 Contents Page 1 Title 1 2 Commencement 1 3 Scope and objectives 1 4 Interpretation 1 5 Standards of professional competence 2 6

More information

ZEN Telecom Pty. Ltd. Privacy Policy

ZEN Telecom Pty. Ltd. Privacy Policy ZEN Telecom Pty. Ltd. Privacy Policy ZEN Telecom provides broadband internet, mobile voice & data, and PSTN fixed landline telephone, products and services, to residential and small to medium business

More information

DATA PROTECTION CORPORATE POLICY

DATA PROTECTION CORPORATE POLICY DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City

More information

Policies & Procedures

Policies & Procedures DMG Financial Planning Pty Ltd Policies & Procedures Web: www.dmgfinancial.com.au e-mail: fp@dmgfinancial.com.au Policy Name: Privacy Policy Date of Policy: March 2014 Next Review: March 2015 Privacy Policy

More information

Privacy Policy Draft

Privacy Policy Draft Introduction Privacy Policy Draft Please note this is a draft policy pending final approval Alzheimer s Australia values your privacy and takes reasonable steps to protect your personal information (that

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Ausgrid Privacy Policy

Ausgrid Privacy Policy Ausgrid Privacy Policy Ausgrid is responsible for the safe and reliable supply of electricity to homes and businesses throughout Sydney, the Hunter and the Central Coast. Its network is made up of more

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Actorcard Prepaid Visa Card Terms & Conditions

Actorcard Prepaid Visa Card Terms & Conditions Actorcard Prepaid Visa Card Terms & Conditions These Terms & Conditions apply to your Actorcard prepaid Visa debit card. Please read them carefully. In these Terms & Conditions: "Account" means the prepaid

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

ACT. [Long title substituted by s. 27 (1) of Act 33 of 2004.]

ACT. [Long title substituted by s. 27 (1) of Act 33 of 2004.] FINANCIAL INTELLIGENCE CENTRE ACT 38 OF 2001 [ASSENTED TO 28 NOVEMBER 2001] [DATE OF COMMENCEMENT: 1 FEBRUARY 2002] (Unless otherwise indicated) (English text signed by the President) as amended by Protection

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice University of Birmingham Closed Circuit Television (CCTV) Code of Practice University of Birmingham uses closed circuit television (CCTV) images to provide a safe and secure environment for students, staff

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

NAB Commercial Cards Liability Insurance

NAB Commercial Cards Liability Insurance NAB Commercial Cards Liability Insurance Policy Information Booklet Preparation date: 13 May 2014 Effective date: 1 June 2014 QM5030 0614 Contents Important Information 2 Details of the Insurance 3 Sanctions

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Information Management Advice 50 Developing a Records Management policy

Information Management Advice 50 Developing a Records Management policy Information Management Advice 50 Developing a Records Management policy Introduction This advice explains how to develop and implement a Records Management policy. Policy is central to the development

More information

Next Business Telecom is also subject to other laws relating to the protection of personal information.

Next Business Telecom is also subject to other laws relating to the protection of personal information. NEXT BUSINESS TELECOM PRIVACY POLICY The Next Business Telecom brand (Next Business Telecom, we, us, our) Next Business Telecom provides data and voice services to its customers with a focus on business

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Appendix A DRAFT INFORMATION MANAGEMENT PLAN

Appendix A DRAFT INFORMATION MANAGEMENT PLAN 1 Appendix A DRAFT INFORMATION MANAGEMENT PLAN Pacific Region Identity Protection Project PRIPP April 2004 Forum Eyes Only 2 ABBREVIATIONS Throughout this report the following abbreviations will be utilised:

More information