Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

AusCheck Amendment Bill 2009; Submission to the Senate Legal and Constitutional Affairs Committee (June 2009)

Inquiry into the AusCheck Amendment Bill 2009 Submission to the Senate Legal and Constitutional Affairs Committee June 2009

pdfsub_auscheck_amendment_bill

Submission to the
Senate Legal and Constitutional Affairs Committee

June 2009

 

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory agency responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses

Background

The Office provided comments to the Senate Legal and Constitutional Affairs Committee (the Committee) on the AusCheck Bill 2006[1]. As well representatives from the Office appeared before the Committee during its inquiry into the that bill[2]. The Office welcomed the development of a regulatory framework for the AusCheck background checking system.

In relation to the current proposal to amend the AusCheck Act 2007 the Office notes that a Privacy Impact Assessment (PIA) has been conducted by Salinger Privacy[3]. The Office participated in discussions with Salinger Privacy on the development of the PIA. The Office welcomes the opportunity to comment to the Committee on the AusCheck Amendment Bill 2009 (the Amendment Bill).

The AusCheck Amendment Bill

The Amendment Bill amends the AusCheck Act 2007, which provides for background checking of applicants for Aviation and Maritime Security Identification Cards. The Office understands that the Amendment Bill would provide:[4]

  • a legal framework within which AusCheck would conduct additional background checks for national security purposes relating to defence, national emergency, terrorism or any matter related to the executive power of the Commonwealth or matters incidental to the legislative powers of Parliament.
  • a regulation-making power which would authorise the Attorney-General to table regulations for the establishment of background checking schemes for purposes relating to national security, defence, national emergency, terrorism or any matter related to the executive power of the Commonwealth or matters incidental to the legislative powers of Parliament.
  • an authorisation to collect biometric information about a person during the completion of a background check, and would amend provisions relating to an existing online identity verification system to reflect the broader scope of background checking enabled by the Bill.

The Office recognises the need to consider national security in the context of background checks for individuals employed within secure areas. The Office notes that under this Amendment Bill the collection of a significant amount of personal information including sensitive biometric information raises privacy issues which are canvassed in the PIA. The Office believes two of these issues require further consideration.

Privacy Impact Assessment Issues

The Office welcomes the fact that the Attorney-General’s Department (the Department) commissioned a PIA on the proposed amendments to the AusCheck Act. A PIA is useful in the development of proposals that include the handling of personal information because it identifies the personal information flows in a proposal and analyses the possible privacy impacts that those flows, and the proposal as a whole, may have on the privacy of individuals. The Office issued a PIA guide for Australian Government agencies in August 2006. This guide assists agencies to determine when a PIA is relevant and how to develop a methodology and undertake a PIA[5].

The Office acknowledges the efforts of the Department to address the privacy concerns of the Amendment Bill in their response to the recommendations of the PIA[6]. The Office appreciates the transparency shown in the development of the Amendment Bill and is encouraged by the publication of the PIA and the acceptance of many of the PIA’s recommendations. In the Office’s view, this demonstrates that potential community concerns about the privacy impacts of this proposal have been taken into consideration.

The Office suggests there are several recommendations from the PIA, that have not presently been taken up in the Amendment Bill, that may minimise the privacy risks and maximise the privacy protections for this extension of the AusCheck scheme. The Office addresses these below.

Function Creep

The term 'function creep' describes the incremental expansion in the purpose of a project or scheme to a point where personal information is used for purposes not initially agreed to or envisaged and unrelated to the original intent of the project or scheme. Such expansion is generally organic in nature and may lack overall direction, planning or oversight.

The Amendment Bill provides for a regulation-making power for the establishment of background checking schemes [7]. There appears to be no clearly defined limit on the kind of regulations that may be made except that they fall under a relevant Constitutional head of legislative power or the executive power of the Commonwealth. There is also no specific definition of ‘national security’ in the Amendment Bill.

The Office notes the comment in the PIA that:

AusCheck would likely be under frequent pressure to expand or alter the focus of the national security background checking scheme, in multiple directions[8].

The Office suggests that further consideration be given to the threshold contained in Recommendation 11 of the PIA which suggests that a national security background check should only be requested in relation to an individual who, if found eligible, would be in a position to contribute to a terrorist act or otherwise pose a risk to national security because of their access to security sensitive information, premises, substances, weapons or munitions.

The Office suggests that to further support public confidence and legislative transparency in the AusCheck scheme, the threshold for additional national security background checks could be stated in primary legislation, as part of the Amendment Bill.

In addition, as recommended in the PIA, the Office suggests that there should be a requirement for future regulatory schemes which rely on the AusCheck framework to undergo a privacy impact assessment[9].

Biometrics

The Amendment Bill allows AusCheck to collect fingerprints, or other biometric data, for the purpose of verifying the identity of an individual in relation to a background check[10]. Further, the Amendment Bill states ‘identity verification information’ (collected for a background check) consists of an individual’s fingerprints or other biometric data about the individual (but does not include a photograph)[11]. Under this definition a large range of biometric data could be collected, potentially leading to significant holdings of personal and sensitive personal information.

In its Report 108[12] the Australian Law Reform Commission has recommended that the definition of ‘sensitive’ information in the Privacy Act be amended to include biometric information. Most biometric information is very personal in nature as it relates to an individual’s physical features and in some circumstances can reveal other sensitive information, such as health or genetic information or an individual’s racial or ethnic origin. [13]

The Office notes that the PIA identified a concern with AusCheck collecting and storing biometric information and welcomes the Department’s response that:

  • The AusCheck Amendment Bill 2009 recognises that in coordinating background checks the Department has a valid role to facilitate proper identification of individuals being checked. In the small percentage of cases where it is necessary to use fingerprints to establish identity, the Department is an appropriate conduit of that material. The proposed amendments address the concern that without additional protections, identity verification information is subject to the same record keeping requirements as any other information received by the Department. The effect of the provisions defining and restricting the use of identity verification information is to ensure that in effect the Department acts only as a conduit for the information.[14]

However, the Office suggests that the proposal that AusCheck would only be acting as a conduit for the information could be clarified in the Bill.



[2] Appearance before committee - Thursday 1st March 2007, transcript available at: www.aph.gov.au/Senate/committee/legcon_ctte/completed_inquiries/2004-07/auscheck/hearings/index.htm

[4] Letter to the Privacy Commissioner dated 19 May 2009

[6] Commentary on the Recommendations of the Privacy Impact Assessment of the AusCheck Amendment Bill 2009 and the national security background check – March 2009, available at: www.ag.gov.au/www/agd/agd.nsf/Page/OrganisationalStructure_NationalSecurityandCriminalJustice_AusCheck_PrivacyImpactAssessmentandCommentary

[7] AusCheck Amendment Bill, proposed Amendment to section 8

[8] PIA – AusCheck Amendment Bill, p. 46

[9] PIA – AusCheck Amendment Bill, Recommendation 2

[10] Amendment Bill, Schedule 1 –Amendments, Section 5(d); Section 13(a)

[11] Amendment Bill, Schedule 1 – Amendments, subsection 4(1)

[12] ALRC Report 108 For Your Information: Australian Privacy and Practice at paragraph 6.119, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/6.html#Heading283

[13] Paragraph 6.119

[14] Comment on Recommendation 4 on page 5 of Commentary on the Recommendations of the Privacy Impact Assessment of the AusCheck Amendment Bill 2009 and the national security background check – March 2009