Audit Report No. 35 2008-09
Chapter 5 Management of the Movement Alert List
Introduction
5.1
The Movement Alert List (MAL) is a computer database maintained by the
Department of Immigration and Citizenship (DIAC) to protect the country from
those people who may pose a threat to the Australian community. MAL is used to
inform decisions about visa and citizenship grant and admission of non-citizens
into the country. Checking takes place at several points, contributing to a
‘layered’ approach to border management. In this way, MAL forms an important
element in Australia’s national security and border protection strategy.
5.2
MAL contains two subsidiary databases: the first, the Person Alert List
(PAL), contains adverse information about people who are placed on this list
for various reasons (‘Alert Reasons’). The second is the Document Alert List
(DAL), primarily a list of lost and stolen travel documents. DIAC checks MAL
when any non-citizen seeks a visa, seeks to travel to or enter Australia or
applies for citizenship. Essentially, MAL is a collection of information about
identities and travel documents of interest, primarily, to visa
decision-makers.
5.3
Travel to and from Australia has continued to grow in recent years[1]
and the number of records in MAL has also grown in complexity and size,
particularly after 2001. It now has around 680 000 PAL and over two million DAL
records. Over half of PAL comprises records of non-citizens of national
security concern.
5.4
The growth of the number of records in MAL has been encouraged by DIAC
so as to maximise the likelihood of identifying a non-citizen of concern
travelling, or seeking to travel, to Australia. Under such an approach it is
important that the department have in place appropriate arrangements to review
the quality of records over time to avoid deterioration in the quality of the
database and the matches it generates.
5.5
The 2003 Budget funded a proposal to have a task force review MAL (the
Wheen Review). Subsequently, DIAC obtained government approval and funding in
the 2005 Budget to implement the recommendations of the Review. Among other
things, the Review identified risks in MAL’s then mode of operation and
proposed redevelopment of the system with all MAL checking taking place
centrally. This has been the Central Movement Alert List (CMAL) project, which
was being implemented at the time of the audit.
The Audit[2]
Audit objectives and scope
5.6
The objective of the audit was to assess the effectiveness of DIAC’s
management of MAL. The scope was confined to DIAC’s management and use of the
system: it did not examine the work of others with an interest in the system,
such as security agencies.
Overall audit conclusion
5.7
The ANAO made the following overall audit conclusion:
Successive reviews over more than a decade have judged MAL to
be conceptually sound and an increasingly important part of the suite of
facilities used by DIAC and related agencies to control entry to Australia. MAL
provides important information to DIAC decision-makers to help in deciding visa
and citizenship applications and whether a person should be allowed into
Australia.
DIAC has managed an extended period of growth in the number
of records in MAL by adding substantial numbers of National Security records
and maintaining light controls on new entries provided by departmental staff.
However, the department has been less successful in ensuring the quality of its
MAL records.
All the reviews of MAL have stressed the importance of it
comprising sound data. However, the completeness, quality and currency of MAL
data has proved an enduring problem for DIAC. Despite efforts to improve MAL
data, the overall quality of data has been declining in recent years.
Contributing to this position has been the challenge faced by the department in
implementing an effective accountability regime to assure the quality of
records over time.
Further, at an operational processing level, gaps have
occurred in the arrangements designed to provide the department with assurance
that all elements of MAL are working as intended. Given the centrality of the
system to border protection, this aspect of the department’s operations needs
to be upgraded so that attention is drawn promptly to any substantial element
that is not operating properly.
Over the last four years, DIAC has successfully managed the
development and implementation of the new version of MAL, CMAL. This addresses
certain substantial risks identified by the Wheen Review. The introduction of
CMAL has improved management control over DIAC’s MAL operations and provides a
basis for DIAC to enhance its quality assurance of MAL data and of the operation
of the system as a whole.[3]
ANAO recommendations
Table 2.1 ANAO recommendations, Audit Report No. 35
2008-09
1.
|
The ANAO recommends that DIAC develop a plan for the
population, maintenance and review of the MAL database. This should include,
at a minimum:
·
clarification as to who (within the department and externally,
as appropriate) is responsible for MAL data, the quality issues to be
addressed and business rules for addressing them; and
·
a course of action which includes:
o
arrangements for data entry into MAL that ensures its own
business rules and desired quality standards are observed;
o
instigation of a program, with target dates, for data cleansing
its existing stock of MAL records; and
o
a mechanism for reviewing and reporting progress with this work.
DIAC response: Agreed
|
2.
|
The ANAO recommends that DIAC:
·
clarifies the circumstances in which it can properly record
Australian citizens on MAL, consulting other agencies with an interest in MAL
as appropriate;
·
in this light, revises its policy and procedural guidelines for
recording Australian citizens on MAL; and
·
completes its review of records of Australians on MAL, and
deletes records of Australians where they are inappropriately recorded.
DIAC response: Agreed
|
3.
|
The ANAO recommends that DIAC improves its reporting on
the performance of MAL by, where practicable, identifying instances where MAL
has alerted its decision makers to information that has been the reason, or
part of the reason, for decisions on visa and citizenship applications.
DIAC response: Agreed
|
4.
|
To enable DIAC to manage MAL effectively, the ANAO
recommends that DIAC seek to measure and report internally on:
(a) data quality;
(b) MAL’s reliability;
and
(c) client service, measured
by the service level agreements agreed internally with CMAL client areas of
the department.
DIAC response: Agreed
|
5.
|
The ANAO recommends that DIAC implements a mechanism for
providing regular assurance that all key parts of the MAL system are
operating satisfactorily.
DIAC response: Agreed
|
The Committee’s review
5.8
The Committee held a public hearing on Monday 16 November 2009, with the
following witnesses:
n Australian National
Audit Office (ANAO);
n Department of
Immigration and Citizenship (DIAC).
5.9
The Committee took evidence on the following issues:
n number of Australian
citizens on MAL;
n access by external
agencies;
n data population;
n quality control of
data including who enters the data, who can change the data and who can view
the data on MAL;
n measurement and
reporting;
n effectiveness of MAL;
n confidence displayed
by the users of MAL in the data held on the system;
n child support and
abduction; and
n privacy impact
assessment.
Australian citizens on MAL
5.10
The ANAO identified the substantial number of Australian citizens
recorded on MAL and recommended that DIAC review the records of Australians on
the system, delete those that have been inappropriately recorded and revise its
policy and procedural guidelines for recording Australian citizens on MAL.[4]
ANAO noted that:
DIAC’s policy on the inclusion of Australians on MAL is not
currently coherent or complete. It has not fully clarified its reasons for
wanting to list Australians on MAL nor, therefore, identified the specific
characteristics that would justify considering Australians for listing on PAL.[5]
5.11
DIAC informed the Committee that following the ANAO’s recommendation it
had conducted a thorough review of the listings of Australian citizens on MAL
and had reduced the list from 578 individuals to 163.[6]
The Committee questioned whether the clean up of the listings may have been a
knee-jerk reaction to the Audit Report but DIAC assured the Committee it had
been handled responsibly and that the cases that were removed were no longer
current or contained unreliable data.[7]
5.12
The Committee asked DIAC to explain the reasons why an Australian
citizen would be listed on MAL in the first place. DIAC identified the major
reason as involvement in organised immigration malpractice including
people-smuggling activities.[8] Other reasons include
lost or stolen passports or damaged Australian travel documents.[9]
DIAC also indicated that the Australian Federal Police (AFP) and the Australian
Security Intelligence Organisation (ASIO) enter data onto MAL regarding issues
of national security, criminal activity and child custody concerns.[10]
Access by external agencies
5.13
The Committee asked DIAC to identify the external agencies that have
access to MAL and were told that ASIO is the only external agency currently
using the list. The Department of Foreign Affairs and Trade (DFAT) and the AFP
previously had access but DFAT has not been re-provisioned with access since
the 2009 system release. DIAC has established a Private MAL account for the
AFP:
The purpose of a PMAL is to place alerts in a parallel
database from the mainstream MAL whereby an activity will trigger a
notification for a client against an alert on the PMAL without directly
impacting visa, travel or citizenship processing.[11]
Data population
5.14
The ANAO noted that there is no systematic approach to populating MAL,
particularly with regard to DAL, and that data collection had ‘developed
piecemeal with no strategy and no structured or formal approach to other
governments or agencies to obtain data’.[12] The Committee inquired
whether or not DIAC had sought to obtain formal agreements from other agencies
to use its data to populate MAL. DIAC confirmed that it holds a high level
agreement with ASIO for the sharing of information and that the system holds
national security alerts from this agency.[13] DIAC receives United Nations
Security Council Resolutions (UNSCRs) and Travel sanction information from DFAT
and Interpol data from the AFP.[14] DIAC told the Committee
that these relationships are due for review in the first half of 2010:
As part of a review of the Alert Reason Code owner
relationship commenced in December 2009, there will be a number of high level
meetings with the external data owners to reaffirm the roles and functions of
the stakeholders, and to put in place streamlined data access, data management
and referral processes.[15]
5.15
The ANAO expressed concern that not enough care is being taken when data
from open sources such as the internet, media and non-government agencies is
added to MAL, which could compromise the integrity of the system.[16]
DIAC indicated to the ANAO that it is setting up a new body to discuss issues
of data ownership and quality.[17] The Committee requested
an update on this initiative. DIAC told the Committee that a series of meetings
had been convened by the Border Operations Branch (BOB) with the Alert Reason
Code owners to review and discuss the current administrative operating model
and look at data management. DIAC expects these discussions to ‘determine more
clearly the role of the BOB and the alert policy owners’.[18]
Quality control of data
5.16
The ANAO noted that the lack of quality control regarding the entry and
maintenance of data into MAL seriously compromises the effectiveness of the
system and recommended that steps be taken to rectify the deficiencies.[19]
The ANAO suggested that a review of a risk-based sample of change/update transactions
could be a useful tool to improve quality control.[20]
5.17
The Committee asked how many people are authorised to enter data in the
system and DIAC confirmed that just under 4000 departmental offices have
authorisation plus a number of external agencies, including the AFP and ASIO.[21]
A majority of these officers had the ability and authority to create, review,
update and delete alerts and there is significant potential for unnecessary
browsing of records.[22]
5.18
To improve quality control, DIAC informed the Committee that since the
audit was carried out the Department has implemented quality assurance measures,
withdrawing direct access to the system and requiring all new entries by
departmental offices to be approved by the Border Operations Branch in Canberra.[23]
DIAC told the Committee this formal, secure Remote Input Function (RIF) is
operated by a small group of officers:
There are approximately 65 officers within the Border
Operations Branch that have access to approve new or altered records to the Movement
Alert List. However, only one-to-two officers are required at any one time to
action this work queue. The work queue is rotated between day and shift teams
so all requests are actioned 24 hours 7 days per week.[24]
5.19
DIAC confirmed that external agencies are also subject to the new
quality assurance measures and that ASIO does not have the authority to load
alerts directly onto the system. ASIO must use the RIF and go through the operative
centre in Canberra if it proposes to create, delete or change a MAL entry.[25]
Further, data received from external agencies is also subject to quality
assurance through various software programs that element unsatisfactory
records.[26]
Measurement and reporting
5.20
The ANAO found that a series of reviews and reports have identified the
need for better measurement and reporting on the performance of MAL to improve
management of the system.[27] Of particular concern
are the occasions when management has been unaware of the failure of parts of
the system, occasionally for significant periods of time.[28]
The ANAO recommended that DIAC develop the means to measure and report
internally on ‘data quality, client services and overall system reliability’.[29]
5.21
The Committee asked DIAC what steps have been taken to implement this
recommendation. DIAC replied that the BOB prepares a daily report on processing
queues to assess client service and fortnightly reports are generated for the
Production Control Authority to ‘identify system availability and performance’.[30]
Reports are being identified to help detect transmission failures and ensure
system to system connectivity.[31]
5.22
DIAC added that it is developing a range of reporting tools to interrogate
the Business Intelligence Warehouse and provide more comprehensive performance
information for management:
This will provide a range of routine reports and the
mechanism for creating ad-hoc reports to cater for the range of queries with
respect to data quality to assist the Border Operations Branch staff and key
data owner stakeholder to better identify areas of vulnerability.[32]
Effectiveness of MAL
5.23
DIAC maintains that MAL is a central element in Australia’s national
security and border protection.[33] However, the ANAO found
that DIAC collects no information to assess the outcomes of the system.[34]
The Committee questioned how the effectiveness of the system is being measured.
DIAC explained that it is difficult to assess the specific outcomes from MAL as
it is only one of the tools used by decision makers when assessing
applications.[35]
5.24
The Committee notes the long standing concern over the lack of
measurable performance data from MAL which has been identified over a number of
reviews and inquiries. The ANAO has detailed the steps that can be taken to
verify the outcomes of the system and provide relevant information that could
be used to evaluate its effectiveness.
Recommendation 10
|
|
The Committee recommends that the Department of Immigration
and Citizenship (DIAC) report back to the Committee on the effectiveness of
the Movement Alert List (MAL) after implementing Recommendation Number 3 from
the Australian National Audit Office Report No. 35 2008-09 which requires
DIAC to identify instances where MAL has alerted its decision makers to
information that has been the reason, or part of the reason, for decisions on
visa and citizenship applications. The report from DIAC should be presented
to the Committee within six months of this report being tabled.
|
Confidence in MAL
5.25
The Committee asked if users had confidence in MAL considering the
problems identified with regard to data quality and the lack of evidence of the
systems effectiveness. DIAC maintained that there is confidence in the system
as demonstrated by the continuous use of the data by departmental offices and
external agencies such as the AFP, ASIO and the Australian Custom and Border
Protection Service (Customs).[36] The ANAO confirmed that
the system is used extensively by DIAC officers and the external agencies.[37]
Child support and abduction
5.26
The Committee asked for clarification of the role played by MAL with
regard to the AFP and implementation of the Hague Convention on the Civil
Aspects of International Child Abduction and prohibition orders in relation to
child support. DIAC explained that the AFP operates Departure Prevention Orders
(DPOs) and Departure Authorisation Certificates (DACs) issued by the Child
Support Agency (CSA) through the PACE/EPAC system. In the past AFP have
monitored the movement of DPO and DAC cases through MAL but at present this
facility is not being used. DIAC facilitates CSA access to MAL as required.[38]
5.27
With regard to the Child Custody Concerns of foreign children, DIAC
informed the Committee it facilitates ‘any court order received through a
credible source up to the child’s 18th birthday.’ Credible sources
include Interpol Yellow Notices and the Australian Chief Lawyer, Governance and
Legal.[39] DIAC has no involvement
with Australian child custody as the Family Court deals directly with the AFP
who will list the child on PACE/EPAC.[40]
Privacy Impact Assessment (PIA)
5.28
Although the ANAO acknowledges that DIAC is aware of its obligations
under the Privacy Act 1988 and related legislation, the report found
that no Privacy Impact Assessment (PIA) had been carried out on MAL or CMAL.[41]
A PIA is considered sound practice for any agency handling personal information
as it will determine the effect of the agency’s actions on individual privacy
and help to identify potential problems.[42] The ANAO suggested that
DIAC conduct a PIA and the Department agreed to the suggestion.[43]
5.29
The Committee asked for an update on the implementation of a PIA and if
there had been any findings. DIAC informed the Committee that it has sort
advice from its own internal Privacy Section and the Office of the Privacy
Commissioner and will engage a consultant to undertake the PIA in the first
quarter of 2010.[44]
Conclusion
5.30
The Committee is concerned by the number of Australian citizens on MAL
and is satisfied that DIAC has substantially reduced this number since the
audit. The Committee urges DIAC to implement the ANAO recommendation to revise
its policy and guidelines regarding the recording of Australian citizens on the
system, to ensure a consistent approach is taken in future.
5.31
The Committee finds it difficult to assess the effectiveness of MAL and
the contribution it is making to Australia’s national security and border
protection strategy due to the lack of performance data available. The
Committee notes DIAC’s response to the ANAO Recommendation No. 3 and looks
forward to seeing more concrete measurement of effectiveness in future.
5.32
The Committee notes that DIAC is taking steps to improve the quality control
of data on MAL and is satisfied that relevant stakeholders have confidence in
the system. However, the Committee is concerned at the lack of systematic
control over data input and maintenance and the potential inconvenience or
harassment that Australian citizens and visitors may suffer due to
misinformation or incorrect information being entered into the system.