NATIONAL FACIAL BIOMETRIC MATCHING CAPABILITY

Transcription

1 MEMORANDUM OF UNDERSTANDING SERVICES Attorney-General s Department and [THE AGENCY] FOR PARTICIPATION AS A DATA HOLDING AGENCY IN THE NATIONAL FACIAL BIOMETRIC MATCHING CAPABILITY Version 5.0 (10 October 2016) This MOU is intended to operate in conjunction with the Interagency Data Sharing Arrangement Template and Access Policy documents AGD has provided/will provide for the Face Verification Service and Face Identification Service. The template is intended to form the basis for arrangements and negotiation between Commonwealth entities only. Items in [yellow highlighted text and square brackets] are for the relevant Party to replace. Items in [green highlighted text] are for both parties to discuss, decide on and record their position in the document. <Text in blue italics> is for guidance and explanatory purposes only, and should be deleted before the document is executed.

2 MOU for Data Holding Agencies Table of Contents 1. Parties Context Interpretation Definitions Term Termination of this MOU Compliance Services Terms of access to service Security Remediation AGD General Service Levels The Agency s Commitments to AGD as a Data Holding Agency AGD s access to resolve technical issues Management of the Agency s use of the Services Interactions with the public Understanding on costs and charges Understanding on Data Holding Agency imposed costs and charges Control of Nominated Users Appointment of Nominated Users Management of Nominated Users Termination of Nominated Users Dispute Resolution Suspension of service Termination of service Opportunity for the Agency to Respond Limit of AGD s Responsibility Intervening Event Subcontracting and AGD Service Providers Notices Confidentiality Variation Schedule 1 Internal Access Permissions & Estimated Transaction Quotas... 1 Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions... 1 Schedule 3 Principal Client Administrator... 1 Schedule 4 Data Holding Agency Service Levels... 1

3 Schedule 5 AGD Service Levels... 1 Schedule 6 Statement of Legislative Compliance... 1 Schedule 7 Contact Information... 1 Schedule 8 Nominated User Registry Requirements... 1 Schedule 9 Compliance Statement... 1 Schedule 10 Variation Request Form

4 Part A Background 1. Parties This Memorandum of Understanding (MOU) is made between the following agencies (the Parties): 1. Commonwealth of Australia acting through and represented by the Attorney-General s Department ABN (AGD) 2. Commonwealth of Australia acting through and represented by the [Insert name] [ABN] (the Agency) 2. Context 2.1. This document (the MOU) sets out the understanding between AGD and the Agency in relation to: providing Identity Information held by the Agency to Requesting Agencies through the Interoperability Hub terms on which the Agency will access and use its own Data Source(s) through the Services provided via the Interoperability Hub the Agency s compliance with safeguards contained in applicable legislation when using and managing data obtained through the Services provided via the Interoperability Hub This MOU is intended to operate and be interpreted in conjunction with: the Access Policy for the FVS, and FVS IDSA(s) the Agency has entered into There is no intention for this MOU to create a legal relationship between the Parties; it does not create legally binding obligations on the Parties The Agency acknowledges the Services it will access through the Interoperability Hub are designed to assist and complement the Agency s existing processes and procedures for verifying a person s identity The Agency understands: Identity Information may contain Personal Information and Sensitive Information, it is responsible for any decisions it makes based on the Identity Information it receives through the Services, and information received through the Interoperability Hub is not intended to be used as the sole basis for the Agency to make a decision about an individual s entitlement to a service, a product, an outcome, or the applicability of a law or policy to an individual. 2

5 Part B Interpretation 3. Interpretation 3.1 The Schedules to this MOU form an integral part of the MOU and are subject to its provisions unless specified otherwise. In the event of any inconsistency between the Schedules or any other attachments and the MOU, the terms of the MOU will prevail. 4. Definitions In this MOU, capitalised terms have the meaning given below. Access Policy means a documented set of requirements approved by [Governing Body] that a Participant will comply with in order to access a service facilitated by the Interoperability Hub. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > Administration Facility means a service provided through the Portal that enables Client Administrators to add, manage (including password reset, access support, and access re-justification) and remove Nominated Users. Client Administrator means an Employee of a Participant specified in this MOU whose user account enables performance of administrative functions. These functions include, but are not limited to, Nominated User creation and approval, reauthorisation, audit reporting and outage management. Compliance Statement means the information and evidence the Agency provides in response to the items in Schedule 9 Compliance Statement. Data Holding Agency means a Participant receiving and responding to a Query from a Requesting Agency with which it has entered into a data sharing arrangement for the Services provided by the Interoperability Hub. Data Source means a database of Identity Information for a document type. Dispute means a difference of opinion raised by a Party relating to an operative provision of this MOU. Effective Date means the date in paragraph 5.1. Employee is an individual who works under a contract of employment (whether oral or written, express or implied) and who has responsibilities and duties to a Party. Estimated Peak Transaction Volume means the total number of Transactions in a Financial Year the Agency estimates it will submit to its own Data Source(s), as set out in Column D of each table in Part B of Schedule 1. Estimated Transaction Quota means the total number of Transactions in a Financial Year the Agency estimates it will submit to its own Data Source(s), as set out in Column C of each table in Part B of Schedule 1. Executive Management means Employees of the Parties who directly supervise or are superior to the Senior Representatives. Facial Image(s) includes digital photographs, live capture images, scanned photographs and other technical information related to those images (such as the time and date of capture and data capture standards used). 3

6 Face Verification Service (FVS) means the identity matching service and its three functions (Retrieve, Match and Search) that enable biographical data or a facial image associated with an individual to be compared, on a one-to-one basis, against an image held on a specific government record associated with that same individual. Financial Year means the period starting 1 July and ending 30 June the following year. FVS IDSA means an Interagency Data Sharing Arrangement entered into by the Agency and another Participant using the FVS IDSA Template. FVS IDSA Template means the version of the template FVS Interagency Data Sharing Arrangement (IDSA) most recently approved by [Governing Body] before the execution of this MOU. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > Hub Operator means the Attorney-General s Department or an entity contracted by the Attorney- General s Department to manage services on its behalf. Identity Information includes, but is not limited to, an individual s facial images, government related identifiers, and other biographical or biometric information. Identity Matching Services Administrator (IDMS Administrator) means AGD employees responsible for managing the Interoperability Hub and its Services. Identity Matching Services Team (IDMS Team) means AGD employees responsible for the policy development and management of the Interoperability Hub and its Services. Image Matching means the automated process of comparing two images to determine whether they are of the same person, using a facial recognition engine. Interoperability Hub means the technical system that provides a mechanism for the secure and auditable transmission of facial images and associated information between agencies or entities participating in the National Facial Biometric Matching Capability. Intervening Event means a situation or circumstance described in paragraph ITIL means information technology infrastructure library. Match means the function of the FVS that allows a Nominated User to submit a person s facial image and required biographic details to a Data Holding Agency s Data Source(s) to confirm whether it matches the person s record. National Facial Biometric Matching Capability (NFBMC) means the infrastructure, legislative and governance arrangements that support the sharing and matching of Identity Information. Nominated User means either a person who is an Employee of the Agency or an information technology system of the Agency. Nominated User Quota means the total number of the Agency s Nominated Users that may access a Data Source in a Financial Year as specified in Column C of each table in Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions. Outage means an occurrence within AGD or the Agency s information and communications technology environment that results in the partial or complete cessation of the Services. Participant means an agency, organisation or entity that connects to the Interoperability Hub. 4

7 Personal Information has the same meaning as in the Privacy Act. Portal means the user interface associated with the Interoperability Hub that allows Nominated Users to access the Services or perform administrative functions. Post-Incident Report (PIR) means a report relating to the Interoperability Hub or the Services containing recommendations to mitigate risks and minimise vulnerabilities identified by a potential or actual security breach. Principal Client Administrator is an Employee of the Agency who has the power to appoint the Agency s Client Administrators and Nominated Users and is appointed by the Agency under this MOU. Privacy Act means the Privacy Act 1988 (Cth). Production Environment means the information technology environment used to deploy the production version of the Interoperability Hub and Portal that allows Nominated Users to run Transactions and perform administrative functions. Query means Identity Information submitted by a Participant either through the Portal or by a systemto-system connection that is intended to be compared against the Identity Information held in a Data Source. Re-authorise means a management process by which a Client Administrator satisfies themselves that a Nominated User meets the requirements of paragraph 20.1, either upon a change of Role or at regular intervals for a continuing Nominated User. Representative means, in relation to an Agency, the person specified as a Representative for that Agency in Schedule 7 Contact Information or as otherwise notified by a Party to the other Agency from time to time. Requesting Agency means a Participant that submits a Query to a Data Holding Agency with which it has entered into an interagency data sharing arrangement for the Services provided through the Interoperability Hub. Response means Identity Information or a system response (including but not limited to a Yes/No Flag or an error message ) provided from the Data Holding Agency via the Interoperability Hub to the Requesting Agency either through the Portal or by a System-to-system connection. Retrieve means the function of the FVS that allows a Nominated User to submit a person s biographic details to a Data Holding Agency s Data Source(s) to retrieve either that person s Facial Image, that person s biographic details, or both. Role means a category of Nominated User(s) specified by the Agency in Column A of all tables in Schedule 2. Sandpit Environment means a shared information technology environment between AGD, the Hub Operator and the Agency used for initial integration testing with the Interoperability Hub by the Agency to test the Agency s application with the services provided by the Interoperability Hub. Search means the function of the FVS that allows a Nominated User to submit a person s biographic details and Facial Image to the Data Holding Agency s Data Source(s) to verify that person s record. Security Risk Management Plan means a document relating to the Services and/or connection to the Interoperability Hub which identifies security risks and appropriate mitigation measures for information technology systems, determines a risk tolerance threshold, and ensures consistent and coordinated management of risks across a Participant. A security risk management plan is undertaken in accordance with the information security management framework which is required by the Australian Government information security management protocol of the Australian Government Protective Security Policy Framework. 5

8 Senior Representative means, in relation to a Party, the person specified as a Senior Representative for that Party in Schedule 7 Contact Information or as otherwise notified by a party to the other party from time to time. Sensitive Information has the same meaning as in the Privacy Act. Services means the Identity Matching services to be provided by AGD to the Agency, specified in Item 8. Suspension and Termination Framework means a document approved by [Governing Body] that sets out the policy and principles for suspending access to the Interoperability Hub and its Services. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > System Configuration Items are externally configurable values set across the NFBMC for Participants by IDMS Administrators. System and User-Acceptance Testing (UAT) Environment means the IT environments used for end-to-end integration testing, performance, and user-acceptance testing of the Interoperability Hub which Participants will use to undertake the tests to ensure that the Interoperability Hub meets their requirements. System-to-system means Queries submitted by a Requesting Agency to a Data Holding Agency through the Hub via a Requesting Agency information technology system, or third-party information technology system used by a Requesting Agency. Technical Specifications means a document available on a sharepoint site for the Interoperability Hub, as updated from time to time by AGD in relation to either a single Data Source or multiple Data Sources. Transaction means both a Query and Response sent through the Interoperability Hub. User Requirements means the characteristics, qualifications or other items specified by the Agency for a Role in Column B of all tables in Schedule 2. User-level Access Permissions means a subset of Identity Information a Nominated User with a particular Role can access through the FVS as specified by the Agency in Column D of each table in Schedule 2. Part C Term and Termination, Compliance and Governance 5. Term 5.1 This MOU will be effective from the date both Parties representatives have signed in Part I. 5.2 This MOU will continue from the Effective Date until terminated through the process in Item Termination of this MOU 6.1 A Party may withdraw from this MOU by giving not less than 45 days notice, in writing, to the other Party. 6

9 6.2 After the period in paragraph 6.1, this MOU will be terminated. 7 Compliance 7.1 The Agency acknowledges the importance of ensuring compliance with requirements to maintain and enhance the integrity of the Interoperability Hub. 7.2 The Agency will complete a Compliance Statement and submit it to AGD for consideration by the [Governing Body] that: documents any breaches of the service levels in Part E - Service Requirements and Schedule 4 Data Holding Agency Service Levels, and is signed off by its Senior Representative. 7.3 The Agency will submit the Compliance Statement in paragraph 7.2: by the end of the month of March each year, or if outstanding on 1 April, at the request of AGD after consultation with the Agency. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > 7.4 The Agency will ensure that, at a minimum, its Compliance Statement will contain information that provides evidence of: its use of and/or or service provision to the Interoperability Hub being in accordance with: this MOU the Access Policy relevant to the Services it uses, and technical, privacy and security safeguards working effectively to protect the integrity of the Interoperability Hub and the Services. 7.5 Each Compliance Statement will cover a 12 month period beginning in February of the previous year and ending in February of the year in which a Compliance Statement is required to be submitted to AGD under paragraph 7.3. <Guidance note: For example, a Compliance Statement delivered to AGD in March 2017 would provide evidence of compliance for the period between February 2016 and February 2017> 7.6 The Agency will provide recommendations that may be made to it in relation to its use of and/or service provision to the Interoperability Hub to the [Governing Body] as information becomes available. This information may come from reports to the Agency from areas such as: audits of the Office of the Australian Information Commissioner review bodies of state/territories, and other audits or reviews. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > 7

10 Part D Access to Services 8 Services 8.1 AGD proposes to allow the Agency to share Identity Information via the Interoperability Hub for: the Face Verification Service, and [Place holder for other Services]. <Guidance note: the Placeholder is included so that the Template can, in the future, also apply to the Face Identification Services. Delete and sub-paragraph if FIS not used> 9 Terms of access to service 9.1 From the Effective Date, AGD permits the Agency to test its connection to the Portal and the Interoperability Hub in the Sandpit Environment. 9.2 Once approved by the IDMS Team, the Agency will have access to the Production Environment. 9.3 AGD will allow the Agency to maintain its access to, the Production, User-Acceptance Testing or System Integration Testing Environments if: the Agency notifies AGD of material changes to, or termination of each FVS IDSA the Agency is a party to, and AGD [and the Governing Body] is, or remains, satisfied that: <Guidance Note: the Governing Body can be specified once Governance arrangements are settled. For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > all requirements of the Access Policy for the Services have been met by the Agency the Agency has met its responsibilities under this MOU. 10 Security 10.1 The Agency will notify AGD within 48 hours when: it is aware of a security breach that affects the NFBMC or the Services the Agency suspects there is a security breach that may affect the NFBMC or the Services For the purposes of paragraph 10.1, a security breach includes situations related to the NFBMC or the Services where: an Agency loses, or loses control over, Identity Information, and Identity Information is not disclosed consistently with the terms of any FVS IDSA After the notification in paragraph 10.1, the Agency will complete a Post-Incident Report (PIR) within 2 weeks of the relevant security breach. 8

11 10.4 The Agency will send the Post-Incident Report and any recommendations to AGD, and each Requesting Agency accessing the affected Data Source(s). 11 Remediation 11.1 Within 1 week after the Agency conducts a PIR under paragraph 10.3, the Agency will submit a remediation plan to AGD which includes timeframes for implementing recommendations of the Post-Incident Report The Agency will use its best endeavours to remedy issues in conformity with the ITIL framework AGD is not responsible for any costs associated with carrying out the remediation plan. Part E - Service Requirements 12 AGD General Service Levels 12.1 Response times Transactions will generally be processed within the Interoperability Hub within 10 seconds AGD will use its best endeavours to process Queries Priority of requests Queries will be actioned by the Interoperability Hub in three processing queues according to their priority AGD maintains its right to alter the order in which Transactions are resolved If an Intervening Event under paragraph 28.1 occurs, AGD will prioritise any Queries or Responses that may assist in resolving that event, and AGD may perform rate limiting on Transactions if the capacity of the Interoperability Hub is compromised AGD will provide the Principal Client Administrator with information, specifications, documentation and data necessary for the Agency to provide Identity Information for the Services, which includes: Guidance for Nominated Users on how to use the Interoperability Hub through the Portal and System-to-system interfaces (user guide) System Configuration Items, and Interoperability Hub or FVS Documentation AGD will provide the documents referred to in paragraph 12.3 (and any updates to them) on a sharepoint site for the Interoperability Hub, in relation to either a single Data Source or multiple Data Sources. All information hosted on the sharepoint site for the Interoperability Hub will be at a For-Official-Use-Only classification or lower. 9

12 12.5 The IDMS Team will notify the Agency Party s Principal Client Administrator of: any events or circumstances that are likely to result in a disruption to the Services, or any scheduled outages updates to any documents in paragraph 12.3, and any security breach other Participants have notified AGD of (under paragraph 10.1 or its equivalent in other Memoranda of Understanding to which AGD is a party) if AGD considers the security breach has, or may adversely affect, the security, privacy, reputation, stability or integrity of the Agency or its information technology systems AGD will ensure that the Services meet the standards set out in Schedule 5 AGD Service Levels AGD commits to auditing the Hub Operator s contractual obligations and AGD s obligations under this MOU annually, by an entity that is independent of AGD For the avoidance of doubt, the audit in paragraph 12.7 will cover all activities of AGD under Item AGD will deactivate the accounts of Nominated Users not Reauthorised when the period specified in sub-paragraph expires. 13 The Agency s Commitments to AGD as a Data Holding Agency 13.1 The Agency will provide access to its Identity Information and Image Matching in accordance with the Service levels set out in Schedule 4 Data Holding Agency Service Levels The provision of Services through the Interoperability Hub relies on the cooperation of all Participants. To this end, the Agency acknowledges that to generate value to all Participants, it will share its Identity Information to the maximum possible extent permissible by law. <Guidance note: the Placeholder is included so that the Template can, in the future, also apply to the Face Identification Services> 13.3 The Agency will participate in at least one disaster recovery exercise related to the Interoperability Hub per year The Agency acknowledges AGD is only required to provide Identity Information to a Requesting Agency for each Data Source as specified in the Technical Specifications. 14 AGD s access to resolve technical issues 14.1 The Agency acknowledges that to enable the provision of the Services and access to the Interoperability Hub, the IDMS Administrators will have all of the privileges and access granted to any Client Administrators under any data sharing arrangements the Agency enters into For the purposes of resolving technical issues with the Services or access to the Interoperability Hub (including but not limited to triaging technical faults or reproducing technical faults) the Agency permits IDMS Administrators to run Transactions against its Data Source(s), and disclose Queries, Responses or Transactions to the Hub Operator or relevant Participants. 10

13 14.3 Any access to Data Source(s) or disclosure for the purposes identified in 14.2 may only occur in the following circumstances: the IDMS Administrators have been specifically requested to resolve a technical issue with access to the Interoperability Hub or the Services by a Participant, operation(s) the IDMS Administrators perform under paragraph 14.2 use either: test data agreed with the Agency, or Identity Information, where the individual to whom it relates has consented in writing to the operation to be performed under paragraph 14.2, The relevant disclosure is made on a For-Official-Use-Only basis. 15 Management of the Agency s use of the Services 15.1 The Agency s Principal Client Administrator will circulate any information AGD provides to them to their affected Nominated User(s) The Agency will provide AGD with notifications if the delivery of its Identity Information to Requesting Agencies is likely to be delayed As soon as possible either before it occurs or afterwards, the Agency will notify the Hub Operator of an Outage by recording the Outage through the outage and notification functionality. 16 Interactions with the public 16.1 The Agency will: respond to any enquiries or complaints by members of the public relating to the Identity Information provided to users of the Services provide an accessible process for members of the public to correct any information held by the Data Holding Agency, and review decisions relating to privacy, in accordance with its own procedures The Agency acknowledges that AGD is the central point of contact for any public enquiries about the Interoperability Hub and the Agency will cooperate with AGD when AGD undertakes any coordination necessary for public statements. 17 Understanding on costs and charges 17.1 The Agency is responsible for its own technical links and System-to system interface with the Interoperability Hub and associated costs, and for the provision of management information on the performance of its Services under the Interoperability Hub Subject to 17.3, the Agency acknowledges that AGD reserves the right to introduce charges to Participants to recover costs of the Services and access to the Interoperability Hub AGD will not charge the Agency for access to the Interoperability Hub. 11

14 17.4 AGD is the sole biller. AGD may bill Participants for Transactions relating to the Services conducted through the Interoperability Hub Any charges made or billing for Services under paragraphs 17.2 or 17.3 will be implemented through a variation to this MOU under Item 32. For the avoidance of doubt, any such variation will be agreed by AGD and the Agency before any charging or billing occurs. 18 Understanding on Data Holding Agency imposed costs and charges 18.1 The Agency may authorise AGD to collect any charges it imposes on Requesting Agencies accessing its Data Source(s) under the terms of any FVS IDSA, when: The Agency requests AGD to do so in writing, and A Requesting Agency has assented to charging arrangements with the Agency under an FVS IDSA. Part F The Agency s Use of its own Data Source(s) through the Interoperability Hub 19 Control of Nominated Users 19.1 The Agency agrees it will only submit Queries for the Services through its Nominated Users The Principal Client Administrator and a Client Administrator have the power to appoint Nominated Users, terminate Nominated Users and change the Role of a Nominated User through the Administration Facility The Agency will notify AGD of its Principal Client Administrator(s) and any change to the identity or contact details of that Principal Client Administrator(s) The notification in paragraph 19.3 should be given either on the Effective Date or as soon as practicable, and contain all of the information in Schedule 3 Principal Client Administrator The Principal Client Administrator: has the power to appoint a Client Administrator, and is responsible for ensuring a Client Administrator complies with the obligations in Items 20, 21 and Appointment of Nominated Users 20.1 An appointment or change to Role under paragraph 19.2 may only occur when all of the applicable conditions are met: If the Nominated User is a person: 12

15 that person has undergone training that meets the requirements of the Access Policy, and there is a reasonable need for the person to use the Services to perform his or her employment duties If the Nominated User is an information technology system: that information technology system has a current security accreditation under each interagency data sharing Arrangement the Agency has entered into, and there is a reasonable need to use the Services to perform operations required by the Agency A Client Administrator is satisfied the appointment does not cause the Agency to exceed any Nominated User Quota A Client Administrator is satisfied the appointment does not cause the Agency to exceed any sub-quota of Nominated Users that may be assigned to each Role as specified in Column C of each table contained in Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions A Client Administrator has checked that the person meets the User Requirements when assigning a Role under sub-paragraph , and Based on the check conducted in sub-paragraph , a Client Administrator is satisfied that the Role and User-level Access Permissions assigned to that Nominated User is appropriate Prior to each Nominated User accessing any Data Source of the Agency, a Client Administrator will assign to that Nominated User: a single Role from the available Roles in each table contained in Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions, and the User-level Access Permissions associated with the Role assigned under paragraph , as specified in Column B of Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions. 21 Management of Nominated Users 21.1 The Agency undertakes to establish and maintain a Nominated User Registry The Agency s Client Administrator will: re-authorise a Nominated User(s) access to: the FVS or Administration Facility once every 180 days. <The purpose of this requirement is to introduce a mechanism to ensure only users who currently require access to the Interoperability Hub have it> 13

16 22 Termination of Nominated Users 22.1 If the requirements contained in paragraph 20.1 are no longer met, the Agency s Client Administrator will: terminate a Nominated User by removing a person or information technology system from the Nominated User Registry, and remove access to the Services for that Nominated User as soon as practicable, or request AGD to remove access to the Services as soon as practicable on their behalf. Part G Disputes, Suspension and Termination 23 Dispute Resolution 23.1 The provision of Services through the Interoperability Hub relies on the cooperation of all Participants. To this end, the Agencies will consult fully with each other, other Participants, the IDMS Team, IDMS Administrators, Representatives and any other affected party to resolve any issue in connection with the Interoperability Hub or this MOU In the event that issues are not resolved within a reasonable period of time through the consultation required by paragraph 23.1, the Parties are taken to be in Dispute over the relevant issue A Party to a Dispute may at any time, by written notice to the other Party, request that the Dispute be referred for resolution by their respective Executive Management. Within 7 days of such a request being made, each Representative, by written notice to the other Party, will: nominate a member of its Executive Management with authority to settle the Dispute to represent the Party in discussions ensure that the nominated member of its Executive Management is reasonably available to discuss the Dispute and nominate a range of times and venues at which its nominated member is able to engage in discussions, and provide a written summary of the facts and issues that the Party has identified as relevant to the Dispute, and any other information that will assist in discussions to resolve the Dispute Nominated members of the Executive Management will make all reasonable efforts to engage in and progress discussions, and endeavour, in good faith, to resolve the Dispute In resolving any Dispute in accordance with the procedures in paragraphs 23.1 or 23.3 either Party may (at its own cost) engage an independent mediator or facilitator to assist in discussions at any stage. 14

17 24 Suspension of service 24.1 AGD has the right to suspend the access of the Agency or a Nominated User of the Agency to the Services or the Interoperability Hub in the event that any of the following occurs: AGD becomes aware through a Compliance Statement referred to in Item 7, or is notified by either the Agency or [Governing Body] that one or more of the requirements or the timeframes in which the requirements are to be done in Part D Access to Services and Part E - Service Requirements are not met, or are no longer met. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > A Data Holding Agency makes a written request for AGD to suspend the Agency AGD considers on reasonable grounds that the Agency s access to the Interoperability Hub, or the Services provided through it, has the potential to cause an adverse effect on the security, privacy, reputation, stability or integrity of the Services If AGD decides to exercise its right to suspend the Agency under 24.1, AGD will suspend a Party s access to the Services for a period: recommended to it by [the Governing Body ], or that it determines is appropriate. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > 24.3 AGD will apply the Suspension and Termination Framework to determine an appropriate suspension period under sub-paragraph During the period of any suspension AGD and the Agency will work cooperatively to cease, remedy or ameliorate any activity or circumstances which lead to the suspension being imposed or continued. 25 Termination of service 25.1 AGD has the right to terminate the access of the Agency or a Nominated User of the Agency to any or all of: one or more Data Sources, the Services, or the Interoperability Hub, in the event that one or more of the following occurs: AGD becomes aware through a Compliance Statement referred to in Item 7, or is notified by either the Agency or [Governing Body] that the one or more of the requirements or the timeframes in which the requirements are to be done in Part D Access to Services are not met, or are no longer met. <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > AGD previously suspended the Agency or its Nominated User under Item

18 In AGD s opinion, the Agency s or its Nominated User s use of the Interoperability Hub or the Services: causes, or may cause, severe and prolonged disruption to other users of the FVS or the Interoperability Hub, or results, or may result in, in an unacceptable level of risk to the security of the Interoperability Hub AGD will terminate a Party s access to one or more Data Sources, the Services, or the Interoperability Hub: to implement a recommendation made to it by [Governing Body], or <Guidance: this may occur if, for example, the Governing Body/Board determines the Agency has not addressed recommendations of an audit, it receives a complaint from a Privacy regulator or oversight body that remains unaddressed> <Drafting note: For Agencies using this template in August 2016, the relevant Governing Body will be Programme Advisory Committee > on request of a Data Holding Agency if AGD decides to exercise its right to terminate under paragraph Opportunity for the Agency to Respond 26.1 Before termination or suspension under paragraphs 24.2 or 25.2, AGD will: where practicable, provide reasonable advance notice of its intention to Suspend or Terminate and the reasons for its decision to Suspend or Terminate, or offer the Agency the opportunity to respond with a statement that contains evidence of how the Agency will cease, remedy or ameliorate any activity or circumstances which enables AGD to take action under paragraphs 24.2 or The Agency will ensure its statement in sub-paragraph is sent to AGD as soon as practicable after being provided with the advance notice in sub-paragraph If the statement in sub-paragraph is not received within 7 business days, or AGD is not satisfied with the response, AGD is entitled to proceed with suspension or termination under paragraphs 24.2 or Part H Miscellaneous 27 Limit of AGD s Responsibility 27.1 The Interoperability Hub and the Services provided through it are the result of cooperative endeavour between many entities, including Participants. Accordingly, the Agency acknowledges that its access to, and the exchange of Identity Information via the Interoperability Hub is on an as-is basis The Interoperability Hub relies on the cooperation and best efforts of all Participants. The Agency will utilise its best efforts towards the co-operative endeavour. 16

19 27.3 Both Agencies understand they will not hold each other either wholly or partially responsible for any act or omission, system fault or error that may be related to: use, access or sharing of Identity Information via the Interoperability Hub termination or suspension of the Services, and connecting any information technology systems to the Interoperability Hub. 28 Intervening Event 28.1 Where an event occurs which is out of that Party s control (an Intervening Event), the Party will be excused from fulfilling its responsibilities under this MOU. This includes, but is not limited to, force majeure, a national security event, terrorist activity, natural disasters, acts of war, riots and strikes outside that party's Agency Without limiting paragraph 28.1, a Party will be excused from performing its responsibilities under this MOU to the extent that it is prevented from doing so by: a Government policy decision, or a default of one of a Party s external service providers, provided that the Party exercises all reasonable measures to mitigate the effect of that default Where circumstances described in paragraphs 28.1 or 28.2 arise, the affected party will give notice to the other party as soon as possible, and the parties agree to negotiate in good faith to minimise the impact of any delay on the Services. 29 Subcontracting and AGD Service Providers 29.1 Both AGD and the Agency may outsource or subcontract any aspect of their connection to the Interoperability Hub to one or more external service providers Where requested by each other, the Parties will: promptly provide all reasonable assistance to enable the other Party to comply with its obligations under its contracts with its external service providers, and cooperate with the other Party s external service providers as reasonably required to enable the AGD service provider to provide the Services. 30 Notices 30.1 Where notices, statements, reports or information are required to be sent or communicated to either of the Parties or other Participants, notices should be actioned or sent to a person in accordance with the contact protocol contained in Schedule 7 Contact Information Notices can be effected by electronic mail, and is the preferred method of communication Unless otherwise specified, notices will be provided: 17

20 where the notification is to occur after an event, within 3 business days after that event, or where the notification is to occur before an event, 5 business days before an event occurring, as appropriate. 31 Confidentiality 31.1 This document will be handled by the Parties in accordance with its security classification Except where disclosure is required by law or is otherwise in accordance with Commonwealth policy, a Party will not distribute this MOU without the prior agreement of the other Party. 32 Variation 32.1 Subject to paragraph 32.2, the terms of this MOU, including the forms contained in the Schedules, can be varied by the written agreement of the Parties A variation to this MOU will only be effective to the extent: it is consistent with the Access Policy of the Services, and the proposed variation is provided to the other Party in the form specified in Schedule 10 Variation Request Form. 18

21 Part I Execution This MOU is entered into by the Parties indicated below. Signed for, and on behalf of, the Commonwealth of Australia by [Insert Name], Assistant Secretary, National Security Division, Attorney-General s Department, in the presence of:. signature of representative. witness name. signature of witness Date, 201X. Signed for, and on behalf of, the Commonwealth of Australia by [name], [position], [branch], [Department], in the presence of:. signature of representative. witness name. signature of witness Date, 201X. 19

22 Schedule 1 Internal Access Permissions & Estimated Transaction Quotas <Guidance: This template document provides an example of how a data source could be included in the scope of the Arrangement in Schedules 1 and 2. Multiple data sources can be accommodated under this Arrangement by adding additional information tables in Schedules 1 and 2> Part A. Data Holding Agency s internal Access Permissions <Guidance on content in Column D: The total scope of biographic details, biographic alias information and document details for each Data Source will be available from AGD or the Data Holding Agency.> <Guidance on content in Column D: For Nominated Users using the Portal, biographic details, biographic alias information and document details are supplied in their entirety and a subset cannot be requested.> <Guidance on content in Column D: For System-to-system transactions performed by Nominated Users, a subset of biographic details, biographic alias information and/or document detail information can be requested.> Face Verification Service (A) Data (B) the Agency s Source Data Source to be number shared through FVS 1. [the Agency to insert Data Source 1] <Drafting Note: For example, the data source might be Passport Images > (C) FVS Function Retrieve (D) Agency-level Access Permissions: Type of information the Agency can provide in response to Queries conducted by its Nominated Users * optional response [the Agency to select option(s) by checking boxes/ insert details] Biometrics (facial image) Biometrics (facial image) <Guidance: Check the box to request Biometrics (facial image)> Biographic details Biographic details, including: [insert] < Guidance: Check the box to request biographic details, and identify which biographic details are required (for example: Citizenship Certificate Document Status; Citizenship Status; Family Name; Given Name(s); Date of Birth; Sex; Country of Birth; Place of Birth; Deceased Indicator)> Biographic alias Biographic alias information not required Notification Only < Guidance: check the Notification only box to be advised that alias information exists> Alias Information, including: [insert] <Guidance: check the alias information box to receive the alias information, and identify which biographic details are required (for example: Family Name; Given Name(s); Date of Birth; Sex) > Document details Document details including: [insert] < Guidance: Check the box to request additional document details, and identify which details are required (for example Visa Grant Number, Visa Class, Visa Subclass, Visa Status, Visa Grant Date)> 1

23 Face Verification Service (A) Data (B) the Agency s Source Data Source to be number shared through FVS (C) FVS Function Match Search (D) Agency-level Access Permissions: Type of information the Agency can provide in response to Queries conducted by its Nominated Users * optional response [the Agency to select option(s) by checking boxes/ insert details] Flag only: Yes/No Response <Guidance: Check this box to receive a flag indicating match or no-match > Flag: Yes/No Response and further information <Check this box to receive the match notification and all of, or a subset of, the Biometrics (facial image), Biographic details, Biographic alias and Document details for a Yes Response, as indicated by checking the boxes below. Biometrics (facial image) Biometrics (facial image) Biographic details Biographic details, including: [insert] Biographic alias Biographic alias information not required Notification Only Alias Information, including: [insert] Document details Document details including: [insert] [the Agency to select option(s) by checking boxes/ insert details] Flag only: Yes/No Response Flag: Yes/No Response and further information Biometrics (facial image) Biometrics (facial image) Biographic details Biographic details, including: [insert] Biographic alias Biographic alias information not required Notification Only Alias Information, including: [insert] Document details Document details including: [insert] <Drafting Note: The Agency will insert additional rows (following the format above) for every Data Source of its own the Agency will use under this MOU> <The Agency will insert an additional table (following the format above) for each Service entered into after the Effective Date> 2

24 Part B. Estimated Transaction Quotas <Guidance: This information will assist the AGD to ascertain the level of technical and other resources needed to provide the capacity required to accommodate the expected number of transactions to be conducted on the Data Holding Agency s own Data> Face Verification Service (A) Data (B) Data source to be Source shared through FVS number 1. [The Agency to insert Data Source 1] < For example, the data source might be Passport Images > (C) Estimated Transaction Quota per Financial Year <Guidance: Parties should negotiate and consider the infrastructure and costs implied by the Transaction Quota> [the Agency to insert] <Example 10,000 requests> (D) Estimated Peak Transaction Volume and period <Guidance: The Total number of Transactions in this Column cannot exceed the Transaction Quota in Column (C) for the Data Source> [the Agency to insert volume] <Guidance: For example 100 requests> [the Agency to insert time period, if relevant] < For example Every Friday> <Guidance: this would be within quota - 52 x100 peak requests, = 5200: there would be 4,800 off-peak requests remaining> <Drafting Note: The Agency will insert additional rows (following the format above) for every Data Source the Agency provides access to under this MOU> <Drafting Note: There should be a separate table for each Service under this MOU The Agency will insert an additional table (following the format above) for each Service entered into after the Effective Date> 3

25 Schedule 2 Nominated User Quotas, Roles and User-level Access Permissions Face Verification Service Data Source 1: [The Agency to insert Data Source 1] <Drafting Note: This refers to Row number 1 of the Table in Part A of Schedule 1, so the data source would be Passport Images > (D) User-level Access Permissions (A) Role <Guidance: The Agency may choose the name of the Role. Each Role may only be assigned query or administrative permission which are mutually exclusive.> (B) User requirements <Guidance Parties should negotiate what requirements are appropriate and discuss with AGD how these can be incorporated into Technical Specifications> <Guidance: Parties should specify in this Column whether the Role is required to be a person or an information technology system> (C)Nominat ed User Sub-quota <Guidance: The Total number of Nominated Users in this Column cannot exceed the Nominated User Quota below> <Guidance: With the exception of the Administration facility, the type of information provided in response can only be equal to, or a subset of, the Agency Level Access Permissions for the Data Source, as recorded in Schedule 1,Part A Column D> <Guidance: Refer to explanations and guidance in Schedule 1, Table A> <Guidance: Content below is for example purposes only> [The Agency to insert] <Example: Senior Investigator> <Example: Query Role> [The Agency to insert] <Example: Level of security clearance Training requirements Other requirements> [The Agency to insert Access Method] [The Agency to insert] <Guidance: Example 10 Nominated Users> [the Agency to select option(s) by checking boxes/ insert details] Retrieve Access No Access [the Agency to select option(s) by checking boxes/ insert details] Biometrics (facial image) Biometrics (facial image) Biographic details Biographic details, including: [insert] Biographic alias Biographic alias information not required Notification Only Alias Information, including: [insert] <Example: Direct access to the Portal> Document details Document details including: [insert] Match Access No Access Flag only: Yes/No Response Flag: Yes/No Response and further information Biometrics (facial image) Biometrics (facial image) Biographic details Biographic details, including: [insert] Biographic alias Biographic alias information not required Notification Only Alias Information, including: [insert] Document details Document details including: [insert] 1