Submission by the Australian Privacy Commissioner on the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015

14 May 2015

Committee Secretary

Senate Legal and Constitutional Affairs Committee
PO Box 6100
Parliament House
Canberra ACT 2600

[Email redacted]

Dear Secretary

Submission by the Australian Privacy Commissioner on the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015

Thank you for the opportunity to comment on the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015 (the Bill). I understand that the Bill is intended to consolidate and simplify the provisions of the Migration Act 1958 (the Migration Act) relating to the collection of certain types of biometric information (called ‘personal identifiers’ in the Migration Act).[1]

While I appreciate that these amendments are intended to assist the Department of Immigration and Border Protection (DIBP) to perform its functions under the Migration Act, I am mindful that by consolidating the existing powers to collect biometric information into a single broad discretionary power (the proposed s 257A) the Bill expands the existing powers, particularly in relation to non-citizens. Specifically, I understand that the Bill:

  • expands the types of biometric information that may be collected about both citizens and non-citizens in certain circumstances

  • expands the circumstances in which biometric information may be collected about non-citizens, and

  • reduces the safeguards that apply to the collection of biometric information in both those circumstances.

This expansion of the power to collect biometric information means that the Bill has the potential to impact on the privacy interests of individuals, particularly those of non-citizens. My comments below highlight where further consideration of some of these privacy impacts may be required.

Background

Relationship to the Foreign Fighters Act 2014

It is important to highlight that the amendments proposed in the Bill are closely related to the amendments to the Migration Act made by the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (the Foreign Fighters Act), which (among other things) authorises the collection of biometric information at the border by an automated border clearance system (called an ‘authorised system’), such as a SmartGate.

While the current Bill relates to the collection of biometric information by the Minister or an authorised officer (rather than an ‘authorised system’), as was the case with the Foreign Fighters Act, it is important to consider the extent to which the impact on individuals’ privacy that results from expanding the power to collect biometric information is balanced by the need to ensure that DIBP is able to perform its functions under the Migration Act, including securing Australia’s borders and national security interests.

Before it was passed, the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 (Foreign Fighters Bill) was the subject of an Inquiry by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), to which I also made a Submission. Relevantly, the PJCIS made the following two recommendations in its final Report:

Recommendation 35 – that the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 be amended to remove the ability to prescribe the collection of additional categories of biometric information within the Migration Regulations. Should this information be required by relevant agencies to ensure Australia’s border security, further legislative amendments should be proposed by the Government and referred to this Committee with appropriate time for inquiry and report.

Recommendation 36 – that the Government consult with the Privacy Commissioner and conduct a privacy impact statement prior to proposing any future legislative amendments which would authorise the collection of additional biometric data such as fingerprints and iris scans.[2]

In making Recommendation 35 the PJCIS explained that it appreciated the need for laws to be able to accommodate changes in technology. However, the committee concluded that the sensitivity of biometric information meant that the regulations were an ‘inappropriate mechanism for such an important policy’.[3] I discuss this recommendation in the context of the current Bill further below.

In making Recommendation 36, the PJCIS considered that a Privacy Impact Assessment (PIA)[4] could help better inform the Parliament’s, as well as the public’s consideration of proposals involving the handling of biometric information. Recommendation 36 is equally relevant to the current Bill, which, like the Foreign Fighters Bill, proposes a further legislative amendment which would authorise the collection of additional biometric information.

Biometric information and the Privacy Act

Importantly, since the reforms to the Privacy Act 1988 (Privacy Act), which came into effect on 12 March 2014, biometric information is considered ‘sensitive information’ where it is used for the purpose of automated biometric verification or biometric identification (s 6(1)). For example, this might include a fingerprint collected using a mobile hand-held scanner for the purpose of checking the individual’s identity against an existing list of persons of interest.

Public concern about the handling of biometric information was evident in the PJCIS’ consideration of the amendments proposed in the Foreign Fighters Bill. As I explained in my Submission to that Committee, the Privacy Act reflects this concern by affording sensitive information (including biometric information) a higher level of protection under the Privacy Act than other types of personal information. For example, Australian Privacy Principle (APP) 3 requires that sensitive information must only be collected with the consent of the individual unless one of the listed exceptions applies. Those exceptions include where the collection is authorised or required by law.

This means that if the Bill is passed, under the Privacy Act an individual’s consent will no longer be required for the collection of any additional types of biometric information by the Minister or an immigration officer, as the collection will be authorised by law. It is therefore especially important to ensure that the privacy impacts of the expanded power to collect biometric information are considered, including whether any additional safeguards are necessary.

General Comments

The Privacy Act recognises that the protection of individuals’ privacy, through the protection of their personal information, is not an absolute right. Rather, the protection of privacy must be balanced with the broader interest of the community in ensuring that entities, such as the DIBP, are able to carry out their legitimate functions and activities.

With respect to the Bill, this involves assessing whether the expansion of the power to collect biometric information is both a necessary and proportionate measure to enable DIBP to perform its functions and activities under the Migration Act. In making that assessment, consideration should be given to whether the Bill only authorises the collection of the minimum amount of biometric information necessary to achieve that objective, and whether the expanded powers are accompanied by an appropriate level of privacy safeguards and accountability.

If an expansion of the power of an authorised officer to collect biometric information is considered to be a necessary and proportionate measure to enable DIBP to perform its functions under the Migration Act, consideration should be given to how this can be achieved in a way that minimises the privacy impacts on individuals. Any amendments to the Migration Act that expand the power to collect biometric information should be drafted narrowly, and as far as practicable, ensure that those amendments are consistent with the overall policy objective of the Privacy Act.

With those considerations in mind, my suggestions below seek to ensure that the amendments proposed by the Bill are the least privacy intrusive means of enabling DIBP to perform its functions under the Migration Act. Or, alternatively, whether there may be another, less privacy intrusive means of achieving this objective.

Expansion of the circumstances in which biometric information may be collected about non-citizens

As acknowledged in the Explanatory Memorandum, the Bill proposes to expand the circumstances in which biometric information can be required to be collected from non-citizens.[5] I understand that the Migration Act currently authorises the collection of biometric information (such as a fingerprint) from non-citizens in the following limited range of circumstances:

  • for the purpose of granting a visa

  • when a non-citizen wishes to enter or depart Australia

  • to determine whether a non-citizen holds a valid visa, and

  • for the purpose of detention decision-making.[6]

In contrast, the Bill proposes to allow the Minister or an authorised officer to collect certain types of biometric information from a non-citizen in any circumstance, provided that the collection is for a purpose of the Migration Act or the Migration Regulations 1994 (the Migration Regulations). In this regard, it is important to ensure that such a broad expansion of the power to collect biometric information from non-citizens is necessary and, further, that it is proportionate to the objective of enabling DIBP to ensure the integrity of Australia’s migration programme. I note that the Scrutiny of Bills Committee expressed concern about the breath of the proposed power to collect biometric information in its Alerts Digest No.3.[7]

The Statement of Compatibility with Human Rights that accompanies the Bill (the Statement) qualifies the breadth of this new power to collect biometric information by explaining that:

‘The Bill is not introducing a universal collection policy. Rather, the department will selectively collect personal identifiers from particular individuals who have not previously provided their personal identifiers, but who have been identified as of concern after their arrival in Australia, or due to their behaviour while living in the Australian community.’ – see paragraph 12.

However, I note that there is nothing in the Bill itself that would limit the power in this way. Given this, it would appear that the proposed expansion of the power to collect biometric information from non-citizens may be broader than is necessary to enable DIBP to perform their functions under the Migration Act.

As I explain above, to minimise the privacy impacts of the Bill, any expansion of the existing power to collect biometric information from non-citizens should be drafted narrowly and limited to only what is necessary. Accordingly, I suggest that consideration be given to amending the Bill to clearly state the purposes for which this power is able to be exercised in the Act, rather than only referring generally to the purposes of the Migration Act and the Migration Regulations.

The collection of additional types of biometric information

I understand that the Bill also proposes to expand the types of biometric information that are able to be collected by the Minister or an authorised officer in certain circumstances to include any of the information listed in the definition of a ‘personal identifier’ in the Migration Act. For example, in relation to a person seeking to enter Australia, the effect of the Bill is to authorise the collection of:

  • an audio or video recording of an individual, and
  • a measurement of a person’s height and weight,

in addition to the types of biometric information that are already permitted to be collected.[8]

However, the definition of ‘personal identifier’ also includes a power to prescribe additional types of biometric information in the Migration Regulations. I appreciate that this regulation making power is intended to enable the Migration Act to accommodate changes in technology, including the development of new biometric identification methods.

However, in view of the sensitivity of this type of personal information, I note Recommendation 35 made by the PJCIS in its Report on the Foreign Fighters Bill which recommended the removal of the ability to prescribe the collection of additional categories of biometric information within the Migration Regulations. This was a result of the Committee’s concerns regarding amendments aimed at permitting additional categories of biometric data (such as fingerprints and iris scans) to be added to the Migration Regulations without those proposals being subject to sufficient parliamentary approval or public comment. This Recommendation, along with Recommendation 36, was accepted by Government.[9]

With this in mind, I would suggest that in these circumstances it may also be appropriate for any expansion in the types of biometric information able to be collected under the Migration Act, to be made through an amendment to the Act itself and not through the regulations.

The reduction in the privacy safeguards that apply to the collection of biometric information

The Bill also proposes to reduce the privacy protections that will apply to the collection of biometric information from both citizens and non-citizens in certain circumstances.[10] I understand that currently, personal identifiers must be provided to an authorised officer by way of an ‘identification test’ (as defined in the Migration Act), which is subject to certain general rules contained in the Migration Act about how the test must be carried out. Those rules include that the test must be carried out in circumstances affording reasonable privacy to the individual.[11]

However, the Bill proposes to give the Minister a discretion to decide that personal identifiers are to be provided another way. The effect of this is to remove the privacy safeguard that currently applies to the collection of biometric information. This is acknowledged in the Statement, which explains that:

‘This will provide the Minister or an officer with flexibility about how a person is to provide personal identifiers when required to do so, allowing the system of safeguards and legislative instruments which currently govern the collection of personal identifiers to be bypassed where an officer or the Minister authorises a different method of collection’ – see paragraph 19.

The Statement goes on to explain that this discretion is only intended to be used in relation to the collection of fingerprints using mobile finger scanners (which is considered ‘a non-intrusive’ method of collecting personal identifiers) thereby minimising the impact on individuals’ privacy.[12] However, it further explains that ‘this restriction will apply in policy only’. This means that there is nothing in the Bill which would prevent this discretion being exercised in relation to the collection of other types of biometric information, including types that might be added to the definition of ‘personal identifiers’ in the future. The potential privacy impact is heightened when this is considered in conjunction with the expansion of the circumstances in which biometric information can be collected about non-citizens (discussed above).

Consistent with my comments above, if an amendment to the Migration Act that removes the requirement for personal identifiers to be collected using an identification test is found to be both necessary and proportionate to enable DIBP to perform its functions, this should be done in a way that minimises the impact on individual’s privacy. Accordingly, I suggest that the restriction outlined in the Statement, that the discretion is only intended to be used in relation to the collection of fingerprints using mobile finger scanners, be included within the Bill itself.

Privacy impact assessment

Comments I provided during the drafting of the Bill recommended that DIBP undertake a PIA in relation to the Bill.[13] Since providing those comments, I understand that a PIA has been completed. I welcome this as an important step in ensuring that the Bill appropriately balances the protection of privacy and the need to ensure that DIBP is able to perform its functions under the Migration Act. However, I would also strongly encourage DIBP to publish the PIA. Publishing the PIA would help give the Australian public confidence about whether the privacy impacts of the Bill, and any necessary safeguards, have been fully considered. Specifically, that the PIA considered whether the:

  • expansion of the types of biometric information that may be collected
  • expansion of the circumstances in which biometric information may be collected about non-citizens, and
  • reduction in the safeguards that apply to the collection of biometric information in certain circumstances,

are necessary and proportionate measures to enable DIBP to perform its functions under the Migration Act. Further, that the PIA considered whether additional safeguards are required to ensure that the privacy interests of both citizens and non-citizens are appropriately protected.

Should the Committee require any further information please contact Este Darin-Cooper, Director, on [contact details redacted].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
14 April 2015

Footnotes

[1] See Explanatory Memorandum, p 1.

[2] See Joint Committee on Intelligence and Security, Parliament of Australia, ‘Advisory Report on the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014’, available online: <http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Counter-Terrorism_Legislation_Amendment_Foreign_Fighters_Bill_2014/Report1>

[3] See Joint Committee on Intelligence and Security, Parliament of Australia, ‘Advisory Report on the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014’, available online: <http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Counter-Terrorism_Legislation_Amendment_Foreign_Fighters_Bill_2014/Report1> , p 184.

[4] A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. The OAIC has published a revised PIA Guide that describes the purpose and process of undertaking a PIA.

[5] See the Statement of Compatibility with Human Rights, paragraphs 13-15.

[6] See the Statement of Compatibility with Human Rights, paragraph 13.

[7] See Senate Standing Committee for the Scrutiny of Bills, Parliament of Australia, Alert Digest No 3 of 2015 (2014) available online: <http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Scrutiny_of_Bills/Alerts_Digests/2015/index>, p 38.

[8] Currently, under s 166 of the Migration Act a clearance officer is able to collect the following types of personal identifiers: a fingerprint or a handprint of a person, an iris scan, a facial image and a person’s signature; see s 166(5).

[9] See Hon George Brandis QC, Attorney-General for Australia, Government response to committee report on the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014, (Media Release, 22 October 2014), available online: <http://www.attorneygeneral.gov.au/Mediareleases/Pages/2014/FourthQuarter/22October2014-Government​response​to​committee​report​on​the​Counter​Terrorism​Legislation​Amendment​Foreign​Fighters​Bill.aspx>.

[10] See the Statement of Compatibility with Human Rights, paragraph 19.

[11] See Migration Act 1958, s 258E(a).

[12] See the Statement of Compatibility with Human Rights, paragraph 49.

[13] Further information about PIAs, including when they should be undertaken and how, is set out in the OAIC’s Guide to undertaking a PIA.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au