The Department of Foreign Affairs and Trade has revealed that biometric information is currently disclosed with other agencies via email.
It made the admission as part of an endorsement of the national facial recognition scheme, which it sees as a way to improve its data sharing practices.
Proposed laws to enable that scheme are currently being reviewed by a parliamentary committee.
In a submission to that committee, the department said the bills - which formalise an agreement signed between federal, state and territory leaders last October to establish a capability for law enforcement agencies to share and access identity information in real time - would improve how biometrics information requests are performed.
It said the current approach was largely “analagous” to the facial verification service (FVS) and face identification service (FIS), except it was ad hoc, manual and relied on “a person in another agency ... send[ing] an email to an inbox in the department”.
The process involves a requestor sending a completed request form stating “the reason for the request” and a facial image from “an official Australian Commonwealth or state or territory government email address”.
The department said the requestor needed to “assert that they have responsibility within that agency for the matter of the request”, and that it would query requests that “seem out of place”.
After the application for biometric information is received, a “desk level [DFAT] staff member” retrieves the information from departmental systems, before sending it back to the requestor by email.
The department concedes there are “a number of drawbacks” associated with the “manual nature” of interrogating department systems: “It is labour-intensive, slow and only able to process small volumes of requests”.
It also has no way of tracking its progress with the requests, and “there are no biometric request audit logs”.
However, by adopting the new systems and automating the decision-making process, the department expects to “overcome limitations” with the current service.
“... [T]he department estimates that it processes up to a few hundred biometric requests to disclose information every year for purposes comparable to those of the FVS and FIS,” it said.
“Once the FVS is in full swing, the department is likely to receive thousands of disclosure requests per day via that service.”
DFAT anticipates “handl[ing] high volumes” of biometric information requests about passport holders, which will “come in via a secure hub rather than by email”.
“There will be an extensive audit and statistical capability to ensure that users are authorised by their agencies to have access to the services and that only use this access for prescribed purposes consistent with privacy requirements,” it said.
“User constraints will be especially tight for the FIS.
“Business rules will be incorporated into the interfaces used by requestors so that requests are always within the required parameters and always include the minimum required information.”
The submission's claims correspond with the findings of an independent privacy impact assessment commissioned by DFAT into accessing image data held by the then-Department of Immigration and Border Protection.
The assessment found that the FVS would improve privacy compared with current sharing practices, avoiding “unnecessary manual handling of ... biometrics data”.
It would also formalise the handling of biometrics data by restricting functionality to the specific agencies and named staff members who meet the requirements set out on the FVS access policy.