Summary

Introduction

The Department of Immigration and Citizenship (DIAC) employs more than 7000 staff, located in offices around Australia and overseas.1 DIAC's key tasks include: entry, stay and departure arrangements for non-citizens; migrant and humanitarian settlement arrangements; border (immigration) control and security; citizenship; and ethnic and multicultural affairs.2 In undertaking these tasks, DIAC exercises powers under a range of immigration and citizenship legislation, chiefly, the Migration Act 1958 and the Australian Citizenship Act 2007.3

DIAC and other Australian Government agencies with roles in border security have been considering the potential benefits for using ‘biometrics' since the late 1990s to assist them in discharging their responsibilities. The term ‘biometrics' describes information drawn from a person's characteristics that is relatively unique and relatively invariant (unchanging). A person's biometric information can assist in identifying the person and/or verifying their claimed identity. The technology behind biometrics, and its associated standards, is evolving rapidly.

From 2003, DIAC, the Australian Customs Service (ACS), the Department of Foreign Affairs and Trade (DFAT), and the Office of the Privacy Commissioner (OPC) started developing a four-agency approach to the introduction of biometrics for border control. Under the four-agency Biometrics for Border Control initiative, DIAC has been funded to undertake a number of inter-related projects.

The benefits of biometrics in the area of border security generally relate to reduced rates, and financial impacts, of identity fraud, improved confidence in administration and national security, and greater efficiency in border processing. Some of these benefits, and their associated costs, are difficult to quantify.

After the announcement of the introduction of the Biometrics for Border Control initiative (May 2005), the Government announced substantial administrative and systems reform for DIAC in response to the Palmer and Comrie Reports.4 Funding of $231 million over four years was announced in October 2005 for what became known as the ‘Palmer Implementation Plan'.5

Results of a DIAC review of its information requirements and systems gave rise to the ‘Systems for People' initiative announced in May 2006 ($495 million over four years).6 Both the Palmer Implementation Plan and Systems for People changes post-date DIAC's biometrics program, but have direct and indirect influences on the biometrics projects. Notwithstanding the substantial additional funding provided to the department, DIAC has found its overall budget position to be challenging, with the resulting management responses impacting on individual projects and program areas.

A contractor was selected as DIAC's strategic biometrics partner to provide a suite of biometric solutions, software tools and a range of identity management services, including research. At the time of the audit, two system development projects were underway, the Identity Services Repository (ISR) and the Detention Centre Rollout (DCR).

The ISR project, which commenced in mid-2004 and is ongoing, provides the basis for a consistent approach to the management of client identity information held by DIAC. The DCR project was introduced to acquire, store, retrieve and match biometric data, and deliver the infrastructure and training to support the introduction of biometric systems in detention facilities and its compliance operations.7

Audit scope and objective

The audit objective was to determine whether DIAC's biometrics program had appropriate:

  • business review processes (including a business case);
  • authorisation;
  • business and IT governance arrangements; and
  • IT project management and systems development arrangements.

The audit scope covered the design and planning for the introduction of biometrics in DIAC. Matters concerning the implementation of the technology in DIAC, and arrangements with other agencies in relation to the ‘Biometrics for Border Control' initiative, were outside the audit scope.

Overall audit conclusion

Better verification of claimed identity, and identification of persons where there may be doubt about their identity, are priorities for the Australian Government, as is the appropriate protection of individual privacy. DIAC's introduction of biometric technologies is an important part of its response to these priorities. Total funding for the biometrics initiatives amounts to more than $83 million over the period 2003–04 to 2009–10.

DIAC's introduction of biometric technologies has been challenging given the rapidly evolving nature of the technologies involved and the dynamic international environment in which the technology is being deployed. The DIAC biometrics program area has also had to adapt to substantial changes to the internal DIAC systems environment during the design and deployment phase of the program. Consequently, there have been delays in the delivery of planned biometric capabilities.

Consistent with the approach taken by ACS and DFAT, DIAC has chosen the facial image as its primary biometric and has invested its resources accordingly. However, its main overseas counterpart agencies (in the USA and UK) have subsequently begun implementing multi-modal biometric systems, involving both facial images and fingerprints. DIAC's current relatively limited capability to use other biometric data, such as fingerprints, raises the risk that it will not be in a position to benefit fully from the international developments tending towards a broader use of fingerprints, particularly in enabling effective matching for watch-list and other identification purposes.

DIAC obtained a clear government mandate to research and conduct detailed tests and trials of potential biometric technology options and, subsequently, to introduce the technologies. Accompanying legislation has been put in place. The legislation is due to be reviewed during 2008, and the ANAO identified additional areas for consideration during the review. In particular, the consistency between legislative wording and policy intent relating to the assessment of personal identifiers (which include biometric information), and the provisions relating to retaining and destroying personal identifiers would benefit from review.

DIAC's planning for the introduction of biometrics, including its business case, was generally sound. DIAC's planning documents established clear timelines and adequate review points. The business case identified reasons for, and the expected benefits and costs that could accrue from, introducing biometrics. However, the ANAO concluded that DIAC would benefit from a more structured approach to monitoring changes arising from its introduction of biometrics over time and evaluating the effectiveness of its chosen biometric solution in delivering its expected benefits. This is necessary to support management decisions about future directions in this area.

DIAC has in place strong provisions in legislation aimed at protecting sensitive personal information, including biometric information. However, while the framework is sound, the ANAO concluded that DIAC needs to strengthen substantially its processes for assuring itself that the legislative requirements in relation to access, disclosure, retention and destruction of personal identifiers and related information are being implemented consistently and appropriately.

DIAC's business governance arrangements for the introduction of biometric technologies were sound. However, the ANAO identified a number of lessons for DIAC to consider, both in terms of future biometric project activity, and more generally. These lessons included:

  • ensuring that key meetings and decisions, including the assessment of project risks, are appropriately documented;
  • ensuring that there is shared understanding among stakeholders about the allocation of funds to projects and that systems accurately record both project allocations and expenditures;
  • involving DIAC's Internal Audit in IT system development initiatives;
  • ensuring compliance with DIAC's IT project management framework; and
  • implementing DIAC's requirements management mechanism for the biometrics projects. This would assist DIAC in capturing and managing system features and functions that are required to meet the needs of business stakeholders.

Key findings

Planning for Implementation (Chapter 2)

In 2004, DIAC was authorised to research and test ways of incorporating biometric technologies into existing visa and entry arrangements, and to develop a capacity to store biometric images. The funding was for twelve months and was followed in 2005 by a four-year initiative known as the Biometrics for Border Control initiative.

In considering its options for introducing biometrics, DIAC conducted several tests and trials of biometric technologies. The Defence Science and Technology Organisation provided analyses of the effects on DIAC of biometric enrolment and verification.

In 2005, DIAC prepared a business case that identified sound reasons why a phased application of biometrics should be approved. Non-biometric alternatives to introducing biometrics had been explored in earlier DIAC work but were not addressed in the business case. The scope and requirements were also set out in the business case, but it did not include a clear timeframe for the project development.

Also in 2005, DIAC prepared a cost-benefit analysis as part of the Biometrics for Border Control initiative and later identified key benefits to government from the introduction of biometrics. The expected benefits and costs can be assessed, but for that assessment to be meaningful DIAC needs a more structured approach to monitoring the changes arising from its introduction of biometrics over time, and to evaluating how effectively its chosen biometric solution delivers the expected benefits. This is necessary to support management decisions about future directions in this area. DIAC's recently established evaluation and monitoring team is a useful first step in establishing an effective monitoring and evaluation capability.

A number of planning documents have also been prepared. Aside from a cross-agency Implementation Plan, DIAC also developed its own Implementation and Strategic Plans for the introduction of biometrics.

Success factors and critical dependencies were clearly identified in DIAC's planning documents. DIAC established clear timelines that set adequate review points for both business and IT deliverables. However, there have been delays in the delivery of specific capabilities primarily as a consequence of unmet dependencies on other related biometric or IT projects.

The wording of the Migration Act 1958 expects DIAC decision makers to form judgements about the qualities (‘integrity') of personal identifiers provided by DIAC clients. However, DIAC's policy guidance indicates that the intention was not that the qualities of personal identifiers themselves should be assessed, but rather that assessment should be of the claims being made by people about the identifiers (that the personal identifiers are theirs). In such a contestable area, there would be merit in DIAC considering the consistency between the legislation, as drafted, and the policy intent as part of a review of the legislation scheduled for 2008.

In approving the Biometrics for Border Control initiative, the Government decided that the four agencies should give priority to ensuring that the biometric technology introduced is fully interoperable with similar technology developed by other countries. Consistent with the approach taken by ACS and DFAT, DIAC has chosen the facial image as its primary biometric and has invested its resources accordingly. Its main counterpart overseas agencies (USA and UK) are implementing multi-modal biometric systems, involving faces and fingerprints.

Currently, DIAC has relatively limited capability to use other biometric data, such as fingerprints, for matching purposes. Consequently, there is a risk that DIAC is unable to benefit fully from interactions with domestic and overseas systems. DIAC's early strategies have mainly focused on the use of the face as a one-to-one (verification) matching capability. The current relatively limited fingerprint matching capability leaves the department unable to benefit fully from the international developments tending towards a broader use of fingerprints.

To maximise interactions with domestic and overseas systems, particularly in enabling effective matching for watch list and other identification purposes, DIAC should assess the costs and benefits of broadening its biometric capability.
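The distinction the report draws between DIAC's one-to-one face capability and watch-list identification is the difference between verification (comparing a probe against the single template of a claimed identity) and identification (searching a probe against a whole gallery). The following is an added illustration, not material from the ANAO report or any DIAC system: templates are constructed three-element feature vectors, the gallery identifiers are invented, and `false_match_rate_1n` uses the standard approximation that impostor comparisons against unrelated templates are independent. It shows why a threshold that is adequate for verification produces several candidates in a one-to-many search, and how the chance of a false match grows with gallery size.

```python
import math

# Constructed sample gallery of watch-list templates (toy feature vectors, not real biometric data).
GALLERY = {
    "W001": [1.0, 0.0, 0.0],
    "W002": [0.0, 1.0, 0.0],
    "W003": [0.0, 0.0, 1.0],
    "W004": [0.7, 0.7, 0.0],
}
# Constructed probe template, deliberately close to W001 and moderately close to W004.
PROBE = [0.9, 0.1, 0.0]


def cosine_similarity(a, b):
    """Similarity score in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def verify(probe, enrolled, threshold):
    """One-to-one matching: does the probe match the template of the claimed identity?"""
    return cosine_similarity(probe, enrolled) >= threshold


def identify(probe, gallery, threshold):
    """One-to-many matching: every gallery entry scoring at or above the threshold, best first.

    Unlike verify(), this returns a candidate list that still needs adjudication;
    the more entries in the gallery, the more chance of unrelated entries clearing the bar.
    """
    scored = [(cosine_similarity(probe, template), ident) for ident, template in gallery.items()]
    return [ident for score, ident in sorted(scored, reverse=True) if score >= threshold]


def false_match_rate_1n(fmr_1to1, gallery_size):
    """Probability that an impostor probe matches at least one of N unrelated gallery templates.

    Assumes independent comparisons (a common first approximation). A 1:1 false match rate
    that is acceptable for verification can approach certainty against a large watch list.
    """
    return 1.0 - (1.0 - fmr_1to1) ** gallery_size


if __name__ == "__main__":
    threshold = 0.75
    print("verify against W001:", verify(PROBE, GALLERY["W001"], threshold))
    print("verify against W002:", verify(PROBE, GALLERY["W002"], threshold))
    print("identify candidates:", identify(PROBE, GALLERY, threshold))
    for n in (1, 100, 10_000):
        print(f"gallery of {n:>6}: P(at least one false match) = {false_match_rate_1n(0.001, n):.4f}")
```

The point for a program that has tuned its system for verification is visible in the last loop: the same per-comparison error rate that is negligible for a single claimed-identity check becomes the dominant operational cost once the same templates are searched against a watch list, which is why identification capability has to be designed and evaluated separately rather than assumed from verification results.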

Governance arrangements (Chapter 3)

The four agencies involved in the Biometrics for Border Control initiative developed a governance model aimed at ensuring that cross-agency outputs supporting whole-of-government objectives were delivered, and that individual agency objectives were aligned with the whole-of-government framework. Similarly, DIAC's Identity Branch introduced new governance arrangements to ensure alignment with broader DIAC planning processes and its strategic plan for identity management.

DIAC's Identity Branch has responsibility for the agency's implementation of identity management solutions, including biometrics. The Branch's current organisational framework aligns and integrates the individual projects to the rest of the department. There are clear accountability arrangements within the Branch.

DIAC's current IT governance structure was introduced in late 2005. Systems Boards are responsible for overseeing specific systems within their defined areas. All IT governance bodies advise and report to DIAC's Systems Committee. DIAC's highly rated IT risks were reported to DIAC's Systems Executive Board. However, there were limited details recorded of specific risks in relation to biometric IT projects discussed in meetings of DIAC's Border Systems Board.

DIAC's biometric related IT projects, the Identity Services Repository (ISR) and the Detention Centre Rollout (DCR) projects, report through the IT governance structure. Both the ISR and DCR projects were providing project status information, as required by the DIAC IT project management framework. However, more comprehensive documentation of key decisions, and reasons for the decisions would strengthen project design and administration. DIAC's Internal Audit has had little involvement in the development of the biometric systems.

At the time of the audit, there was uncertainty in DIAC's Identity Branch about the allocation of funds to the biometrics projects—however this was clarified as a result of the audit. While it is possible to report on aggregate allocations and expenditure for the biometrics projects, DIAC's practices in recording project level expenditure were inadequate, meaning that any project-level reporting for the $83 million biometrics projects is likely to be substantially inaccurate. Going forward, the ANAO considers that more transparent and timely communication of allocation decisions and better data on project expenditures would help in managing the biometrics projects and in accounting for the use of funds approved by government for DIAC's biometrics initiatives.

The goal of offsetting the costs of the biometrics initiatives by raising the Visa Application Charge (VAC) by five per cent on certain visa types could have been better managed and monitored. The ANAO found that substantially more revenue is likely to be raised than originally projected, in essence a ‘windfall' gain to the Australian Government. Closer monitoring would have helped the department to better manage the risk of not meeting the Government's intention to ‘offset' the costs of the program through the VAC increase.

Administrative arrangements (Chapter 4)

DIAC has prepared detailed draft guidance and adequate training on client identity matters, including biometrics. Although the guidance is sound, its finalisation has not been timely. There have also been delays in uploading the completed guidance onto LEGEND (the system through which DIAC staff can access policy guidance).

When the guidance is completed and is made available for staff, it would benefit from being accompanied by a performance monitoring and feedback strategy. DIAC's national Quality Assurance Framework may provide a suitable platform for obtaining this assurance.

DIAC has also prepared an Identity Management Training Plan 2007–2010, which maps out sound training initiatives for the Identity Branch.

In order to assure information privacy, DIAC designed its ISR so that access is based on a person's ‘position number'. However, DIAC was unable to provide evidence of actions taken to ensure that access to identifying information was only by authorised officers. Further, there was no monitoring process to provide assurance about the appropriateness of access to identifying information by authorised officers.

Protections in the Migration Act 1958 surrounding access to, and disclosure of, identifying information do not extend to third parties to which DIAC discloses information. DIAC cannot ensure that there is, or will be, no inappropriate use or disclosure of identifying information by the agencies to which it discloses the information. Stronger provisions in DIAC's Memoranda of Understanding would provide some further assurance that identifying information disclosed by DIAC to third parties is appropriately protected. There is also no effective process to provide assurance that disclosures of identifying information by DIAC officers are appropriately documented.

While there is a general legislative requirement to destroy identifying information, there are exceptions. These exceptions mean that DIAC is authorised to retain indefinitely virtually all of the biometric information it is currently planning to collect.8

DIAC's current Records Disposal Authority (RDA) provides for the disposal of records one year after ‘the action is completed'. DIAC advised that it was ‘looking at ensuring that dates of entry of data are flagged'. Although this will be a useful first step, DIAC needs to institute monitoring processes to identify aged information for destruction and should consider whether the legislative provisions with respect to the retention and destruction of identifying information are functioning fully as intended.

DIAC is in the process of implementing an IT system development framework that can support DIAC's current and future biometric software development activities. However, given the relative immaturity of the framework and tools, the ANAO was not in a position to assess its implementation.

As required by the Systems for People program, software development and release management processes have been implemented for the two DIAC biometric system development projects currently underway, the ISR and DCR projects.

However, for the DCR project, system development documents were not being formally reviewed or approved by all business stakeholders and groups involved in developing the system. This is essential for quality assurance.

DIAC has not implemented its requirements management mechanism for its biometrics related IT projects. The absence of an effectively implemented requirements management mechanism raises risks that DIAC's biometric related system will be completed without all the originally specified features and functions, or that the features and functions implemented may not meet the needs of business stakeholders.9 The ANAO found evidence of these risks eventuating.

Recommendations

The ANAO has made four recommendations and a number of suggestions to strengthen DIAC's management of the introduction of biometric technologies. DIAC agreed with all four recommendations.

DIAC response to the audit

DIAC welcomes the audit into the introduction of biometric technology, which has made constructive recommendations that will enable the department to better manage, measure and assess the benefits of the biometric solutions being implemented. DIAC's identity management strategy is a complex, multi-faceted programme of work in a dynamic environment, requiring national and international collaboration as well as a whole of agency change management agenda. It is fundamentally important that we maximize the benefits from our identity management and biometric tools and continue to balance our roles of facilitating genuine travel while deterring those who would circumvent our visa and border systems.

The ANAO's findings in relation to the department's sound business governance and planning for the introduction of biometrics are pleasing, and the audit recommendations will help the department to capitalise on this through improved assurance mechanisms. The audit will assist DIAC to build on the lessons learned to date and will contribute to the department's capability to effectively identify those entering Australia and to maintain that foundation identity for use within the Australian community.

Footnotes

1 Department of Immigration and Multicultural Affairs, Portfolio Budget Statements 2007–08, pp. 49, 71.

2 Ibid., p. 26.

3 On 1 July 2007, the Australian Citizenship Act 2007 replaced the Australian Citizenship Act 1948.

4 DIMIA, September 2005, Report from the Secretary to Senator the Hon Amanda Vanstone Minister for Immigration and Multicultural and Indigenous Affairs: Implementation of the Recommendations of the Palmer Report on the Inquiry into the Circumstances of the Immigration Detention of Cornelia Rau. See also Amanda Vanstone, Minister for Immigration and Multicultural Affairs, 6 October 2005, Palmer Implementation Plan and Comrie Report.

5 MJ Palmer, op. cit., 2005; and Commonwealth Ombudsman, op. cit., 2005.

6 Amanda Vanstone, Minister for Immigration and Multicultural Affairs media release, 9 May 2006, Palmer and Comrie Reports Guide DIMA's Budget.

7 DIAC, 2007, Detention Centre Rollout of Biometrics—IT Project Management Plan, Version: 2.0.

8 Information such as biometric photographs from a range of visa and citizenship applicants, as well as fingerprints of people in immigration detention.

9 Consequential risks include: the system may not be accepted by the business stakeholders; compensating manual processes may need to be introduced (which will have associated costs, risks and inefficiencies); and further system re-development effort may be needed at an additional cost to address shortcomings in features and functions of the system.