Template A - Guidance document template€¦ · Web viewShould there be a change to the issuing...

INSERT YOUR DOCUMENT CLASSIFICATION

Aviation Security Identification Card (ASIC) Program

for

<Insert Issuing Body Legal Entity Name>

Trading As <Insert Trading Name>

ACN / ABN / ARBN <Insert Australian Company Number, Australian Business Number or Australian Registered Body Number>

<Optional: Insert Company Logo>

INFRA 3249

Disclaimer

The Australian Government has prepared this document with due care. However, it is made available on the under-standing that the Australian Government is not providing legal advice and that users of this guidance exercise their own skill and care with respect to its use and seek independent advice if necessary. The Australian Government takes no responsibility for any errors, omissions or changes to the information that may occur and disclaims any responsibil -ity and liability to any person, organisation or the environment in respect of anything done, or omitted to be done, in reliance upon information contained in this guidance.

The information contained is guidance material only. The information in no way overrides Commonwealth or State legislation. Aviation industry participants should refer to the Aviation Transport Security Act 2004 and the Aviation Transport Security Regulations 2005 before submitting ASIC programs for approval.



TABLE OF CONTENTS1 Program Administration....................................................................................................................

1.1 Scope............................................................................................................................................

1.2 Document Management................................................................................................................

1.2.1 ASIC Program Variation Record..................................................................................8

1.3 Variations......................................................................................................................................

1.4 Issuing Body Details......................................................................................................................

1.5 Secure Procedures.......................................................................................................................

1.6 Document Protection.....................................................................................................................

1.7 Activities Performed by Entities..................................................................................................

1.8 Limitations on Activities of Entities..............................................................................................

2 Operational overview......................................................................................................................

2.1 Purpose.......................................................................................................................................

2.2 Types of ASICs...........................................................................................................................

3 Issue and Production of ASICs.......................................................................................................

3.1 Accepting Applications for ASICs...............................................................................................

3.1.1 ‘Job Ready’ Applications............................................................................................13

3.2 Applying for Background Checks................................................................................................

3.3 Verifying Identification Documents..............................................................................................

3.3.1 Foreign Documents....................................................................................................16

3.4 Determining that Applicants have an Operational Need.............................................................

3.4.1 Airport-Specific ASICs................................................................................................17

3.4.2 Australia-Wide (AUS) ASICs......................................................................................18

3.4.3 White ASICs...............................................................................................................18

3.4.4 Printing and Producing ASICs....................................................................................19

3.5 Criteria for the Issue of ASICs....................................................................................................

3.6 Distributing ASICs to Applicants.................................................................................................

3.7 Communicating Obligations to Holders.......................................................................................

4 Storage and Transport....................................................................................................................

4.1 Storing ASICs..............................................................................................................................

4.2 Transporting ASICs.....................................................................................................................


INSERT YOUR DOCUMENT CLASSIFICATION4.3 Storing Equipment.......................................................................................................................

5 Information, Documents and Records............................................................................................

5.1 Information and Documents about ASICs and ASIC Applications..............................................

5.1.1 Collection and Storage of Information and Documents..............................................25

5.1.2 Destroying Information and Documents.....................................................................26

5.2 Keeping Records of Activities.....................................................................................................

6 Procedures for ASICs that are no longer required.........................................................................

6.1 Recovery Procedures..................................................................................................................

6.1.1 Expired ASICs............................................................................................................27

6.1.2 ASICs that are cancelled, suspended or no longer required.....................................27

6.2 Destroying ASICs........................................................................................................................

6.3 Cancelling Access Control..........................................................................................................

7 Quality Assurance and Auditing.....................................................................................................

7.1 Ongoing Quality Assurance Process..........................................................................................

7.2 Annual Audit................................................................................................................................

8 Cessation as an Issuing Body........................................................................................................

8.1 Communication...........................................................................................................................

8.2 Handling and Preserving Information..........................................................................................

9 Accompanying Document to the ASIC Program for <Insert Issuing Body Legal Entity Name>.......................................................................................................................................................


<<Name of issuing body>> ASIC program, Version # 6


Definitions

Definitions are provided in the Act under section 9 and in the Regulations at r1.03 and r6.01.

Glossary of Acronyms and Terms

Term Meaning

AACA Accredited air cargo agent

Act, the Aviation Transport Security Act 2004

AGD Attorney-General’s Department

ASIC An Aviation Security Identification Card of the kind described in regulation 6.03 and is either a permanent ASIC or a temporary ASIC

AusCheck scheme

The scheme prescribed for the purposes of section 8 of the AusCheck Act 2007

Department, the Department of Infrastructure and Regional Development

Entity A third party, person, business or organisation that undertakes activities on behalf of the issuing body.

Known consignor

A known consignor a person responsible for securing air cargo that originates from their business until the air cargo is provided to another regulated business

OTS The Office of Transport Security within the Department of Infrastructure and Regional Development

RACA Regulated air cargo agent

Regulation(s), the

Aviation Transport Security Regulations 2005

Secretary, the The Secretary of the Department of Infrastructure and Regional Development

Secretary AGD The Secretary of the Attorney-General’s Department who is responsible for administering the AusCheck scheme



INSERT YOUR DOCUMENT CLASSIFICATION1 Program Administration1.1 Scope

Reference: Part 6, Division 6.2

This program sets out the procedures under which <<Name of issuing body>> (“we”) issues

ASICs

and will comply with both the Regulations and the procedures set out in this program. The

provisions of the Aviation Transport Security Act 2004 and the Aviation Transport Security

Regulations 2005 shall prevail to the extent of any inconsistency with this program.

(If applicable) We will ensure that any entities we engage to be directly involved in the issue of

ASICs on our behalf will comply with both the Regulations and the procedures set out in this

program. This program does not authorise the issue of Visitor Identification Cards (VICs) or

Temporary Aircrew Cards (TACs).

1.2 Document ManagementIn accordance with the Regulations we will submit our ASIC program and any future variations to

the Department of Infrastructure and Regional Development for approval. Once the the ASIC

program is approved, the measures and procedures contained in ASIC program will be in effect.

1.2.1 ASIC Program Variation Record

Versio

n

Section

Number

Page

Number

Reason for variation Date of

Variation

Authorised

Representative

1.0 All All Initial plan dd/mm/yyyy xxx

1.1 3.2 x Change to background

checks

Note: The variation record will only include final versions of the ASIC program submitted to the Secretary for approval. The document

footer will match the current version.

1.3 VariationsReference: r6.10

Where proposed changes to service delivery result in a change to procedures, we will submit a

variation to this program to the Secretary for approval before implementation.



INSERT YOUR DOCUMENT CLASSIFICATION1.4 Issuing Body Details

Reference: r6.06(4), r6.06(5)

The issuing body details for <<Name of issuing body>> are set out in an accompanying

document attached to this ASIC program.

Should there be a change to the issuing body details, we will notify the Secretary in writing within

5 working days after becoming aware of the change.

1.5 Secure ProceduresReference: r6.06(3)

We will ensure that we and any representatives operating on our behalf perform our functions and

exercises our powers as an issuing body in an appropriately secure manner. The secure

procedures relating to each of our functions and powers have been detailed under the relevant

sections of this ASIC program.

We are also responsible for the entities we engage operating in a secure manner in relation to their

responsibilities for being directly involved in the issue of ASICs on our behalf.

1.6 Document ProtectionThe <<insert relevant position title>> is responsible for the management and implementation of

this ASIC program. The ASIC program is protected from unauthorised access or disclosure to third

parties using the following measures:

Set out details of the procedures for protecting your program. For example:

Access is limited to only those employees who have a need to know and a record is

maintained by the primary contact officer; Electronic access is controlled through password protection on our internal system; All hard copies are stored in a locked cabinet and a record of their issue is maintained; [any other – please specify]




1.7 Activities Performed by EntitiesReference r6.06(2), r6.27AA, r6.28

<<Name of issuing body>> does not engage other entities to perform activities on our behalf.

OR

<<Name of issuing body>> has engaged the following entities to perform specific ASIC issuing

activities.

*Edit as appropriate

Activity Entity performing this activity

Accepting applications for ASICs* e.g. Australia post

Verifying identification documents in

person *

Determining whether applicants for ASICs

have an operational need for an ASIC*

Printing and producing ASICs*

Distributing ASICs to applicants*

Ensuring that holders of ASICs are aware

of obligations that apply in relation to

holding ASICs*

Storing and transporting ASICs*

Collecting, storing and destroying

information and documents about ASICs

and ASIC applications*

Storing equipment associated with the

production of ASICs*

Taking all reasonable steps to recover red

or grey ASICs that are no longer required,

including expired or cancelled red or grey

ASICs*

Destroying red or grey ASICs that are no

longer required, including expired or

cancelled red or grey ASICs*



INSERT YOUR DOCUMENT CLASSIFICATIONCancelling access control arrangements

that are related to red or grey ASICs that

are no longer required, including expired,

cancelled or suspended red or grey ASICs,

and red or grey ASICs that have been lost,

stolen or destroyed*

Keeping records of the activities of the

issuing body*.

[any other – please specify

We do not allow persons employed by other entities to act on our behalf and be directly in-

volved in an ASIC issuing activity, unless that person holds a valid ASIC.

1.8 Limitations on Activities of EntitiesReference r6.06(2), r6.27AA, r6.28

<<Name of issuing body>> does not allow an entity to perform the following activities: Applying for background checks; and Issuing ASICs, including considering whether criteria for the issue of ASICs are satisfied

and whether ASICs are to be issued with conditions.

We are responsible for the actions of our contracted entities. It is our responsibility to educate and

provide relevant communication material/updates to entities acting on our behalf. We are

responsible for checking the compliance of our representatives (e.g. regular audits, control

measures etc.).



INSERT YOUR DOCUMENT CLASSIFICATION2 Operational overview

Reference: r6.06(2), r6.06(3), r6.06(4)

2.1 PurposeThis is the ASIC program of <<Name of issuing body>>, as an issuing body authorised to issue

ASICs. Pursuant to the Regulations, the purpose of this ASIC program is to set out procedures to

be followed in accordance with the regulations.

2.2 Types of ASICsReference: r6.03, r6.36, r6.50

Pursuant to the Regulations and this ASIC program, we issue the following types of ASICs:

* Delete as appropriate. If applicable, replace the “airport-specific” wording below with an airport code as per

r6.33(4)(f)(ii) for each airport-specific card that is issued.

Airport-specific ASICs (red and/or grey)*; Airport specific ASICs will only be issued with approval from the airport

operator, or if an exemption under r6.27A has been given by the Secretary.

Reference: r6.27A. We maintain records of these approvals and any airport-

specific ASICs issued. Australia-wide (AUS) ASICs (red and/or grey)* Temporary airport-specific ASICs (red and/or grey) Temporary Australia-wide (AUS) ASICs (red and/or grey) White ASICs.



INSERT YOUR DOCUMENT CLASSIFICATION3 Issue and Production of ASICs

3.1 Accepting Applications for ASICsReference: r6.06(2)(a)

We will ensure our ASIC application form meets the requirements for the issue of an ASIC as set

out in this ASIC program and the Regulations.

We receive ASIC applications via the following methods: Delete/Modify/Add below as appropriate

Directly in person; Online at our web site; By post; and Directly to <<Name of entity>> (an entity engaged by us) in person.

The step-by-step procedures to apply for an ASIC to our organisation are:

If you do not use another entity in accepting applications, please delete this next section.

<<Name of entity>> performs the following functions in accepting ASIC applications on our

behalf.

3.1.1 ‘Job Ready’ Applications

<<Name of issuing body>> does not accept ‘job ready’ applications for ASICs.

OR

<<Name of issuing body>> processes ‘job ready’ applications as per the following:

Applying to AusCheck for a background check prior to receiving the applicant’s evid-

ence of operational need for an ASIC.

The application process will be undertaken in accordance with section 3.1 ‘Accepting

Applications for ASICs’ and 3.2 ‘Applying for Background Checks’ of this program.



INSERT YOUR DOCUMENT CLASSIFICATION ASICs for ‘job ready’ applicants will not be issued or printed until the applicant’s opera-

tional need has been established in accordance with section 3.4 of this program ‘De-

termining that applicants have an operational need’.

Regardless of when the applicant’s operational need is established, we will ensure that

the ASIC will expire no later than 2 years after the last day of the month in which the

background check was completed.

3.2 Applying for Background ChecksReference: r6.06(2)(b)

<<Name of issuing body>> lodges all background check applications with AusCheck, and

will not use any other entity to do so.

A background check application to AusCheck can only be made by issuing body staff. This will

not be made unless we have provided the applicant with a notice explaining how AusCheck

will use and disclose personal information about the individual for the AusCheck scheme. The

copies of these notices will be obtained from AusCheck.

All applicants who are under 18 years of age will be required to undergo a national security

assessment prior to being issued an ASIC.

If an applicant is aged 14 to 17 years of age inclusive, they will need to sign the consent section of

the ASIC or MSIC application form; this gives permission for a national security assessment to

take place and is a requirement to receive an ASIC.

Additional consent requirements apply for applicants under 14 years of age.

For applicants younger than 14 years of age, we must ensure that a parent or guardian of the

applicant provides written consent on the application form, in order for them to undergo the

national security assessment. If there is no consent, the national security assessment cannot be

undertaken and the card will not be issued.




3.3 Verifying Identification DocumentsReference: r6.06(2)(c)

<<Name of issuing body>> will not issue an ASIC to a person unless the identification of the

applicant has been confirmed and we are satisfied that the person is not an unlawful non citizen.

Note: An issuing body must confirm an applicant’s identity for all applications. The Regulations do not make a distinction between new or subsequent applications in regards to the requirements that must be met in order for an applicant to be issued an ASIC.

The ‘Working with Proof of Identity Documents’ guidance material will be updated in 2017 and made available on the GovDex website. The guidance is designed to assist issuing bodies assessing the authenticity of common identification documents presented during the ASIC application process.

We accept the kinds of documentation as prescribed in r6.04. We will not issue an ASIC

unless the applicant presents their original identification documents in person to the issuing

body or the entity acting on our behalf.

We will undertake the following procedures in order to confirm the identity of the applicant:

Set out details of the procedures of how you verify an applicant’s identity. If another entity performs any of

the procedures in this section, you must clearly detail who and what they are. * Delete if not appropriate for

your operations. Procedure examples are:

Original identification documents must be provided by the applicant at <<insert at what

stage this occurs>> These documents will be submitted to <<insert who does this part of the process>> The applicants’ appearance must match the identification documents provided; We will not accept certified documents We, or the entity acting on our behalf, will take a copy from the original identification

document, certify it, and store it in accordance with legislative requirements. [any other – please specify]

From 1 August 2017 (and not before):We accept the kinds of documentation as prescribed in r6.27AB (also defined in r6.06(1)) for the

purposes of confirming the identity of an ASIC applicant.

Documentation will consist of: One Category A identification document that provides evidence of the start of the person’s

identity in Australia;



INSERT YOUR DOCUMENT CLASSIFICATION One Category B identification document that provides photographic proof of the person’s

identity and includes the person’s signature; and One Category C identification document that provides evidence of the person’s use of

identity while operating in the community.

Should an applicant’s current residential address not be present on any of the documents that

they provided for Categories A, B or C, we will also obtain: One Category D identification document that provides evidence of the person’s current

residential address.

We will ensure that the same document is not used more than once to support an ASIC

application.

If an applicant cannot satisfy one or more of the above requirements, we may apply to the Secret-

ary in writing for approval of alternative identification documents.

3.3.1 Foreign Documents

Note: The issuing body must set out the procedures to be followed to verify foreign documents. From 1 August 2017, an applicant’s identity documents that are not in English must be accompanied by an original or certified copy of an accurate translation of the document.

The Department considers a translation from a NAATI (National Accreditation Authority for Translators and Interpreters) approved translator to be satisfactory for this purpose. However, an alternative accredited translation service may also be used.

As some foreign documents may be easier to verify than others, it may be appropriate to request verification/confirmation from that country’s High Commission/Embassy (to be obtained by the applicant) or alternatively the issuing body may request other documentation that can satisfy identification requirements.

An issuing body must not issue an ASIC if there is any doubt about the applicant’s identity and/or validity of identification documents presented.

Where an applicant presents foreign documents as identification, we will undertake the

following procedures to verify the documents:

From 1 August 2017, we will only accept an applicant’s identity documents that are not in English if

they are accompanied by an original or certified copy of an accurate translation of the document.




3.4 Determining that Applicants have an Operational NeedReference: r6.01(1),)

We will ensure that the applicant’s operational need has been established for new and all

subsequent applications. Sufficient information and evidence to support the applicant’s

operational need will be obtained prior to the issue of an ASIC.

For red or grey ASICs detailed information confirming they require unmonitored access to all or

part of a secure area of an airport.

For white ASIC detailed information confirming: their employment by a known consignor, RACA or AACA; or as a staff member of, or contractor for, an issuing body; or as a VIC issuer.

For an Australia-wide (AUS) ASIC, we will also establish that the applicant has an operational

need to access more than one airport.

The relevant written evidence confirming these details will include: a letter from the applicant’s current employer; a letter from the applicant’s current contracting party; [any other – please specify]

Set out below the details of the procedures you engage other entities to conduct, or delete if not applicable.

<<Name of entity>> has been engaged by us to undertake the following procedures for

determining operational need by applicants.

3.4.1 Airport-Specific ASICsWritten evidence is required from an appropriate person or entity which supports the applicant’s

operational need for an ASIC.

We determine an ASIC applicant’s operational need for an airport-specific ASIC by requesting the

following information from the applicant:




INSERT YOUR DOCUMENT CLASSIFICATION Type of card required (e.g. red/grey); Occupation or activity/nature of duties relevant to the secure area of the airport; The specific reason(s) for unmonitored access to all or part of a secure area of the

nominated airports; and Minimum frequency of access; [any other – please specify]

3.4.2 Australia-Wide (AUS) ASICsWritten evidence is required from an appropriate person or entity which supports the applicant’s

operational need for an ASIC.

We will determine an ASIC applicant’s operational need for an Australia-wide (AUS) ASIC by

requesting the following information from the applicant:


Type of card required (e.g. red/grey); Occupation or activity/nature of duties relevant to the secure area of the airport; Which airports they will require access to; The specific reason(s) for unmonitored access to all or part of a secure area of the

nominated airports; and Minimum frequency of access; [any other – please specify]

3.4.3 White ASICsIssuing body staff will not be required to hold a white ASIC if they hold a red or grey ASIC to

undertake other duties at the airport.

We will determine an ASIC applicant’s operational need for a white ASIC by requesting the

following information from the applicant:

Set out details of the procedures for your program. For example:

For issuing body staff, the issuing body will provide written confirmation (letter/email or

signed form) that the applicant requires a white ASIC in order to perform the issuing body

activities detailed in r6.01(1). For employees/contractors of an entity engaged by the issuing body to perform activities on

its behalf, the entity will provide written confirmation (letter/email) that the applicant requires

a white ASIC as they will be directly involved in the issue of ASICs.



INSERT YOUR DOCUMENT CLASSIFICATION For employees or contractors of known consignors, RACA or AACA, the employer of the

applicant will provide written confirmation on letterhead or official email that the applicant

requires a white ASIC to perform their work. For employees/contractors of airports involved in the issue of VICs where the airport is not

the issuing body, the airport will provide written confirmation (letter/email) that the applicant

requires a white ASIC to issue VICs.

[any other – please specify]

ORWe do not issue white ASICs. If our staff and/or contractors directly involved in the issue of ASICs

do not meet the operational need requirement for a red or grey ASIC, white ASICs will be obtained

from another ASIC issuing body.

3.4.4 Printing and Producing ASICsReference: r6.06(2)(e)

* Delete as appropriate

<<Name of issuing body>> does/does not* print ASICs.

If not, specify who does this function

Our ASICs are printed by <<XX>>.

If applicable, please complete the following or delete.

We print ASICs on behalf of the following issuing bodies who do not have card printing

equipment:

3.5 Criteria for the Issue of ASICsReference: r6.06(2)(f), r6.28, r6.29

<<Name of issuing body>> will not allow a third-party entity to act on its behalf when issuing

ASICs, including considering whether criteria for the issue of ASICs are satisfied and whether

ASICs are to be issued with conditions. Before issuing an ASIC to a person, we ensure that the

requirements under

r6.28(1) have been satisfied. This is confirmed through the following measures:

Set out details of your procedures. For example:

The operational need for an ASIC has been confirmed;



INSERT YOUR DOCUMENT CLASSIFICATION The identity of the applicant has been verified; A background check has been completed and there are no adverse findings;

Our criteria checklist has been completed and verified;


Where an ASIC is issued subject to conditions, we will ensure that such conditions are

implemented and adhered to and will manage such cases by the following measures:

automatic reminders for any required actions such as additional/periodic background

checks;

evidence of drug tests,

system generated/calendar reminders;

flagged cases for monitoring via the ASIC register;


We will not issue an ASIC to a person unless we have received a notice from AusCheck stating

that the person does not have an adverse security assessment or an adverse criminal record.

However, an ASIC may be issued to a person with an adverse criminal record if the person has

had an application approved under r6.29.

We may issue an ASIC to a person with a qualified security assessment if the Secretary has given

a written notice under r6.31(2).

We may issue an ASIC to a person who is under 18 after this person has been subject to a

background check (national security assessment only). An ASIC issued to a person who is under

18 will expire no later than 6 months after the person’s 18th birthday or two years from the date of

the background check – whichever is earlier.

We will apply to AusCheck for a subsequent background check, within two working days,

where a person has provided notification that he/she has been convicted and sentenced for an

aviation-security-relevant offence.

Where an applicant for or the holder of an ASIC notifies <<Name of issuing body>> in writing

of a change of name, we will notify AusCheck with the changed name within 7 days. The ASIC

holder must provide a Government issued document as proof of their name change (e.g.

marriage certificate).



INSERT YOUR DOCUMENT CLASSIFICATION3.6 Distributing ASICs to Applicants

Reference: r6.06(2)(g)

<<Name of issuing body>> undertakes the following procedures for the collection of an ASIC by

the applicant:

Set out details of the procedures for your program. For example, (add or delete as applicable for your organisation):

ASICs are to be personally collected by the applicant from us. The identity is confirmed by

a face to card check from an officer of our organisation at the time of collection;

ASICs are collected from Australia Post who confirm the identity by a face to card check at

the time of collection. A copy of the receipt by the card holder is forwarded to and retained

by our organisation;

ASICs are forwarded to the applicant by a secure postal or courier where the applicant

must sign to confirm they received the plan. A copy of the receipt by the card holder is

forwarded to and retained by our organisation;

A register is maintained of all documentation confirming the applicant has received the

card;


3.7 Communicating Obligations to HoldersReference: r6.06(2)(h)

Note: To assist issuing bodies in communicating ASIC holder obligations, the Department has produced ASIC holder obligation cards. They can be requested by email at <[email protected]> or are available to print from the Department’s website.

While ASIC holders are responsible for complying with card holder obligations as set out in the Regulations, the issuing body must have in place ongoing measures to communicate these obligations to the ASIC holders. This may be through a combination of training, advisories on the issuing body’s website/intranet, newsletters, emails, signage, lanyard cards, etc.

An issuing body must have procedures for how it communicates to card holders, to ensure they are aware of their individual obligations under the Regulations, in respect to the following matters: Notification of potential penalties which may be incurred by an ASIC holder for non-dis-

play of an ASIC (r3.03). Notification of conviction and sentence for an aviation-security-relevant offence

(r6.41); Notification of change of name in writing and accompanied by a valid document

(r6.42); Return of ASICs to the issuing body on expiry, suspension, cancellation, if damaged/

altered/defaced or the holder no longer has an operational need to enter a secure area (r6.42B, r6.45);

Notification of a lost/stolen/destroyed ASIC in the form of a statutory declaration or police report (r6.46).



mailto:[email protected]

INSERT YOUR DOCUMENT CLASSIFICATIONThe program should set out any information that the issuing body provides to ASIC holders concerning how they should maintain the security of their ASIC to mitigate loss, destruction or theft.

<<Name of issuing body>> undertakes the following procedures to ensure that ASIC holders are

aware of obligations that apply in relation to holding an ASIC.

Future changes to requirements will be advised to card holders via:



INSERT YOUR DOCUMENT CLASSIFICATION4 Storage and Transport

4.1 Storing ASICsReference: r6.06(2)(i)

<<Name of issuing body>> undertakes the following measures and procedures for the secure

storage of cards. Cards are always stored in lockable cupboards/containers. Access to the cards is restricted to specific personnel. Access and distribution are recorded via a register/electronic system*. [any other – please specify]

These procedures are applied by us or <<name of entity acting on your behalf>> for the

following: Blank cards; ASICs awaiting collection; ASICs awaiting transport; Returned ASICs; ASICs awaiting destruction;


The card stock will be subject to the following audit processes.

An audit will be conducted every <<please specify>>

The audits will include all cards, the storage devices and <<please specify>>


Invalid ASICs will be reconciled and destroyed by the following processes.



INSERT YOUR DOCUMENT CLASSIFICATION4.2 Transporting ASICs

Reference: r6.06(2)(i)

Note:Transporting means the transfer of an ASIC between the issuing body and the entity acting on behalf of the issuing body prior to distributing it to an applicant (e.g. between the card printing location and issuing body, and/or between the issuing body and collection location, etc.).

Where applicable, the issuing body must set out its procedures, including the method of transport (e.g. registered mail), for the secure transport of ASICs between: Different sites of the issuing body; Entities acting on behalf of the issuing body; ASIC printing facilities, including other issuing bodies for which ASICs have

been produced.

If an entity engaged by the issuing body is involved in the procedures in this sec-tion, the process undertaken by the entity must be specified.

<<Name of issuing body>> undertakes the following procedures to ensure the secure transport

of ASICs:

4.3 Storing EquipmentReference: r6.06(2)(k)

<<Name of issuing body>> undertakes the following measures and procedures for the se-

cure storage of equipment associated with the production of ASICs: Access is restricted to the card storage and production area to approved personnel who

have a need to enter these areas. Access to them is by key card/electronic

password/key/other When the production equipment is not in use it is secured by <<please specify>>. These areas are covered by monitored/unmonitored CCTV that is retained for a period of

…. The responsibility for the security of the equipment and storage is managed by <<position

of this responsibility>>




INSERT YOUR DOCUMENT CLASSIFICATION5 Information, Documents and Records

5.1 Information and Documents about ASICs and ASIC ApplicationsReference: r6.06(2)(j), r6.23, r6.29

5.1.1 Collection and Storage of Information and Documents

<<Name of issuing body>> securely stores all records (including the ASIC register) contain-

ing information about ASICs and ASIC applications through the following measures and pro-

cedures: A secure online database that is protected from unauthorized access by a firewall.

Personnel with a need to know specific information will be registered and issued with a

recorded password. Locked filing cabinets and containers with key access recorded An alarmed area that is subject to patrols every <<please specify>> Monitored/unmonitored CCTV with footage retained for <<please specify>> Only authorised personnel with a need to know have access to electronic and hard copy

records


AND/OR

<<Name of entity>> securely stores the following records containing information about ASICs and

ASIC applications.

<<Name of entity>> securely stores all records containing information about ASICs and ASIC

applications through the following measures and procedures.

5.1.2 Destroying Information and DocumentsTo ensure that information and documents about ASICs and ASIC applications are securely

destroyed, we:



INSERT YOUR DOCUMENT CLASSIFICATION Shred paper records by <<please specify>> Destroy digital data so that it cannot be retrieved using <<please specify>>


5.2 Keeping Records of ActivitiesReference: r6.06(2)(o), 6.23, r6.29.

We will keep records of the activities that are sufficient to demonstrate that we have complied

with our ASIC program.

We will retain: A copy of the application; A record of the issue of a card to an applicant; Copies of the original identification documents that were given to the issuing body in the

application; Any other records or documents given in the application (e.g. proof of operational need); Records of any changes made to an ASIC (e.g. change of name, replacement ASICs); and Details of activities undertaken by other entities on our behalf.

We will maintain a register of ASICs in accordance with r6.23.

We will retain records relating to an application for an ASIC:

For issued ASICs – three years after the completion of the background check for that

card; or

All other circumstances – three years after the application was made.



INSERT YOUR DOCUMENT CLASSIFICATION6 Procedures for ASICs that are no longer required6.1 Recovery Procedures

Reference r6.06(2)(l), r6.45(1)

Note:All reasonable measures must be undertaken by the issuing body to recover a red or grey ASIC that is no longer required, including cards that have expired or been cancelled or suspended. Note that white ASICs are not required to be returned.

The timeframe and frequency of these recovery attempts must be clearly documented and be sufficient to safeguard that ASICs are recovered within a timely period to reduce the likelihood of the card being misplaced.

Regulation 6.45(1) requires ASICs be returned to the issuing body within one month of the card expiring or no longer being required.

Numerous contact attempts with the holder via a combination of methods including emails, telephone calls, SMS messages, letters etc. must be used in order to have the greatest chance of making successful contact with the applicant and recovering the ASIC.

Contacting the applicant’s employer may also be an effective step in the recovery process.As a guide, the attempts should intensify on the expiry of the ASIC and again a month after expiry. Recovery procedures must apply to both subsequent applicants and those holders that are not applying for a new ASIC.

The issuing body may consider additional initiatives, such as establishing a refundable bond.

The issuing body should measure the effectiveness of its recovery procedures against the number of outstanding ASICs not returned.

Where existing recovery procedures are ineffective or becoming less effective, the issuing body should review its procedures and request a variation to their program containing improved processes.

6.1.1 Expired ASICsWe undertake the following step-by-step procedures to recover red and grey ASICs that have

expired, or are about to expire:

6.1.2 ASICs that are cancelled, suspended or no longer requiredWe undertake the following step-by-step procedures to recover ASICs that have been can-

celled, suspended or are otherwise no longer required:




We will maintain records of all our attempts to seek the return of ASICs.

6.2 Destroying ASICsReference r6.06(2)(m)

<<Name of issuing body>> undertakes the following procedures to ensure the secure de-

struction of red and grey ASICs that have expired, been cancelled or suspended, or are other-

wise no longer required. The cards are: Rendered unusable by <<please specify>> when securely stored prior to destruction shredded using <<please specify>>


6.3 Cancelling Access ControlReference r6.06(2)(n)

<<Name of issuing body>> does not enable electronic access control on ASICs it issues.

OR

<<Name of issuing body>> undertakes the following procedures to cancel electronic ac-

cess control arrangements that are related to red and grey ASICs that have expired, been can-

celled, suspended, lost or stolen, or are otherwise no longer required:



INSERT YOUR DOCUMENT CLASSIFICATION7 Quality Assurance and Auditing

7.1 Ongoing Quality Assurance ProcessReference r6.06(2)(q)

Note:An ASIC program must include ongoing quality assurance processes for: Any matters that are relevant to a function that the issuing body proposes to

perform; A power that the issuing body proposes to exercise; and Any procedures performed by an entity acting on behalf of the issuing body.

Any quality assurance measures included in the ASIC program must specify: The minimum frequency at which they occur; and What method of evaluation will be utilised (e.g. a checklist of components re-

viewed; assessment of a randomly selected batch of cards and/or applications; supplementary evaluation by a separate staff member; etc.).

This section should set out what matters will be evaluated including but not lim-ited to: Process verification:

Currency and accuracy of application documents; Identification requirements; Establishing operational need; Background checks completed and approved for issue; and Ensuring relevant staff directly involved in issuing ASICs have a white, red

or grey ASIC. Card production:

Compliance with prescribed form of card i.e. photo placement etc; and Correct details on the printed card including applicant’s photo, expiry date

etc. Card recovery and destruction:

o Effectiveness of recovery procedures;o Documentation of contact attempts and outcomes; ando Destruction records.

General security:o Physical security of card issuing/production facilities;o Online security; ando Security of records (current and archived).

If the issuing body does not engage another entity to perform activities on its be-half, delete the text below this Note Box.

We have implemented the following ongoing quality assurance processes to ensure we com-

ply with the procedures in this ASIC program:




We will ensure that any entity acting on our behalf will comply with this ASIC program. Where

an entity is engaged to undertake ASIC issuing functions on our behalf, we have implemented

the following processes to ensure that the entity conducts those functions accordingly in a se-

cure manner:

7.2 Annual AuditReference r6.06(2)(r)

We will conduct an annual audit to examine the procedures in this ASIC program and determ-

ine whether they have been implemented correctly through the following measures and pro-

cedures:

Note:

An ASIC program must include measures for conducting an annual audit to determine whether the issuing body and any entity acting on behalf of the issuing body are compliant with the Regulations and that the procedures set out in their ASIC program.

An audit of an ASIC program should preferably be conducted by an independent auditor.

The person conducting the annual audit should: Have an understanding of issuing body obligations; Have an understanding of the relevant sections within the Regulations; and Be independent of the development and management of the ASIC program.

Evidence of the audit, including findings and any required corrective actions, must be retained by the issuing body for inspection by OTS during compliance activities. How are the findings evaluated and by who?

For the purposes of this regulatory requirement, the audits conducted by OTS do not satisfy the issuing body’s requirement for an annual audit.



INSERT YOUR DOCUMENT CLASSIFICATION8 Cessation as an Issuing Body

Reference r6.06(2)(s)

Note:The need to revoke may be unplanned and as a result of other matters within an issuing body’s business. Should an issuing body be reconsidering its future as an issuing body, the ongoing provision of issuing body functions to existing cardholders is of the highest importance to the Department.

The Department is committed to assist issuing bodies with support and guidance regarding the best path forward. If this is being considered, you should contact the Department as a priority as there will be impacts on all of your stakeholders.

The earliest possible contact may allow for more flexibility with options going forward, as well as more time for all parties to follow the required actions. Ongoing communication will assist in a smooth revocation process.

8.1 CommunicationPrior to our authorisation as an issuing body being revoked we will undertake the following

procedures to engage with our card holders, the Department and other issuing bodies.

8.2 Handling and Preserving InformationWhere we cease to be an issuing body, we will undertake the following procedures to ensure

that information about applications for ASICs, and holders of ASICs, is appropriately handled

or preserved:



INSERT YOUR DOCUMENT CLASSIFICATION9 Accompanying Document to the ASIC Program

Reference: r. 6.06(4)

Name of Issuing Body

ACN / ABN / ARBN

Chief Executive Officer or Manager

Postal Address

Physical Address

Email address

Primary Contact Person

Name Position Phone After-hours phone

Alternative Contact Person

Name Position Phone After-hours phone

Note:

Should there be a change to these details this document must be updated and provided to the Secretary within five working days of becoming aware of the change(r. 6.06(5)).

A formal submission of the whole ASIC program is not required when only making updates to this Accompanying Document.



INSERT YOUR DOCUMENT CLASSIFICATIONFinal checks prior to submission

Final Checks CompletedAll black text was provided to you as examples for context,

however they must have been reviewed and amended by you to

reflect your operations

Any purple text should have been replaced or overwritten in black

text with the information relevant to your operations.

All red text (except your security classification) should be deleted.

There should be no tracked changes or comments.

If you click on the table and press function key F9, it will update

immediately. You will be able to confirm any changes you initiate at

that time.

Check the Accompanying Document contact details are current.

Ensure the Document Revision Record is completed.

Remove any passwords or other protection measures.

Ensure that your submission is accompanied by an email signed

and dated by the CEO (or authorised signatory).

Ensure your organisation retains identical electronic and hard copies

of the document.

Send the completed ASIC program by email to

[email protected] for consideration by the

Department.

DELETE THIS PAGE PRIOR TO SUBMISSION



Date post:	30-May-2020
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times