ACIC running into jurisdictional data troubles with new national firearms database

The Commission is just the interface and can only promise security over what it's responsible for.

The Australian Criminal Intelligence Commission (ACIC) decommissioned the National Firearms Licensing Registration System user interface in 2018-19, requiring law enforcement across the country to transition to the Australian Firearms Information Network (AFIN), which has been touted as a more sophisticated system that holds richer, higher quality data.

ACIC CEO Mike Phelan told senators on Monday that access to accurate data has been a problem the organisation has faced in transitioning to AFIN and that given the mismatch of state, territory, and Commonwealth laws, end-to-end security could not be assured.

As AFIN data is sourced from partner agencies, data quality is a local management issue. Phelan was asked how the ACIC was ensuring data consistency.

"There's no consistency in terms of any of the systems that we run when you run states and territories and a Commonwealth system. And that's the difficulty of trying to run hybrid systems," he said.

The AFIN is not governed by the federal government's Information Security Manual as it has no jurisdiction or management authority for partner agency's local IT systems. Phelan was asked to comment on certain jurisdictions being "less than careful with the details of their own licenced firearm owners".

"I know from time to time … private information leaks out of databases. That's why we have an Information Commissioner, Privacy Commissioners, all these sorts of things -- these things unfortunately happen," he said. "But systems themselves, we try to make as tight as they possibly can.

"The reasons for disclosure of info, and I'm not just specifically saying firearms here, but the reasons for disclosure of information, depending on its character vary from state to state. And whilst it might seem self-evident that what you can disclose in Victoria, same piece of information should be disclosed in New South Wales, that is not the case and we're running into that."

There are currently around 3 million firearms registered in systems across Australia. Phelan said there's a data cleansing process that intends to clean as much of the data the ACIC gets from states and territories as it can, and provide them with information in relation to their own holdings.

"That itself is not an easy task to do," he said. "And you can clean up the data as much as you can -- everybody wants the data clean, so that you can make good tactical decisions if you need to, at the operational level rather than having to look at multiple pieces of information to make some sort of subjective judgement."

Phelan said ACIC and its law enforcement partners are working through similar issues at the moment with the development of the National Criminal Intelligence System (NCIS).

The government has previously described the NCIS as a system that "will provide law-enforcement and intelligence agencies with a national repository of criminal intelligence and information".

"It's actually the jurisdictions that place on it the caveats of the information as to whether or not it can be used and accessed by individuals … and then we decide who gets it," Phelan said. "It's whoever provisions the information decides the restrictions upon that information and how it can be distributed. And then we handle the information management system."

He said such a practice is consistent with all systems the ACIC monitors.

"Everything that we hold goes back out to the jurisdictions and then the jurisdictions determine their own assessment and their own assessment as to who has access to those informations based upon the need to know principle or the need to use that information and it varies across states and territories," he continued.

Although they have respectively provided data into AFIN, Victoria Police and the Australian Federal Police (AFP) are yet to begin using the system. Phelan said he was "fair dinkum" that VicPol's timeline was pushed back due to COVID-related issues requiring the state police force to focus on other IT systems.

RELATED COVERAGE