
Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 3 on Registration; Submission to the Access Card Consumer and Privacy Taskforce (April 2007)


Submission to the Access Card Consumer and Privacy Taskforce

April 2007

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

Previous engagement with the access card

2. On 23 March 2007, the Head of the Minister for Human Services’ Consumer and Privacy Taskforce (‘the Taskforce’), Professor Allan Fels AO, released a Discussion Paper on the Registration process (‘Discussion Paper 3’)[1]. This submission is made in response to Discussion Paper 3.

3. The Office has previously made submissions to the Taskforce in response to its earlier Discussion Papers 1 and 2. These Discussion Papers addressed, respectively, the broad policy settings of the access card and the specific issue of voluntary optional health information. These submissions are available from the Office’s website.[2]

4. In addition to its engagement on Discussion Papers 1 and 2, the Office has also made the following submissions regarding the proposed accompanying legislation for the access card, the Human Services (Enhanced Service Delivery) Bill 2007 (‘the Bill’):

  • Submission to the Office of Access Card regarding its Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007;[3] and
  • Submission to the Senate Finance and Public Administration Committee Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007.[4]

5. The Office notes that this Bill has not been passed by Parliament, though it is expected that many of its provisions will be retained when a new Bill is tabled in June introducing matters including those previously referred to as ‘second tranche’ matters.

Submission to Australian Law Reform Commission’s Review of Privacy

6. The Office’s recent submission in response to Issues Paper 31 of the Australian Law Reform Commission’s Review of Privacy (‘ALRC submission’) also addresses issues relevant to the access card initiative. Chapter 11 (‘Developing Technology’)[5] and chapter 12 (‘Unique Multi-Purpose Identifiers’)[6] may be of particular interest in this area.

7. Relevantly, chapter 11 has noted, among other things, that the Privacy Act as it stands will offer some protections to individuals who participate in smartcard systems, but that privacy protection will be most effective when it is built into system design. In particular, smartcard systems should:

  • allow anonymity where possible;
  • provide individuals with control over their information;
  • minimize the use of unique identifiers and centralized storage of identifying data; and
  • avoid unnecessary collection of information, or collection in excess of that which is required for the system to function.

8. Chapter 11 also discusses a range of issues relating to biometrics, noting that such technologies may raise privacy issues such as:

  • the enhanced capacity for data linking and function creep associated with the use of unique identifiers;
  • the difficulty of re-securing biometric information once its security has been breached (for example, it is possible to re-issue a credit card number if something goes wrong but it is significantly more difficult to issue a replacement fingerprint); and
  • the capacity for covert collection and monitoring of biometrics (for example, face recognition technology enables faces to be identified at a distance from the individual, and therefore may be undertaken without the subject's knowledge).[7]

9. Further, chapter 12 of the Office’s ALRC submission discusses the particular privacy issues raised by the use of multi-purpose unique identifiers, and the need to ensure that specific privacy protections are adopted to ensure that they are not inappropriately and widely adopted and used throughout the community.[8]

Privacy and the registration process

10. The broad approach adopted in Discussion Paper 3 to the issue of access card registration appropriately reflects the importance of this process, as well as the possible complexities that may emerge. The creation of a photographic and biometric enabled card for Australian Government benefits is a significant measure, as it will be the first time that nearly all of the adult population are invited to provide such data for a government held database.

11. In previous submissions,[9] the Office has noted that a robust privacy framework is dependent on ensuring that excessive reliance is not placed on one form of privacy protection. The Office has suggested that such protections should be multifaceted, incorporating:

  • Fundamental system design, including card design, system architecture and the parameters governing what information is collected and what information flows are possible;
  • Technological measures, including, but not limited to, data security initiatives, as well as measures to minimise the degree to which existing systems become increasingly integrated, a consequence of which may be new and potentially privacy invasive flows of personal information;
  • Legislative measures, including defining the extent of the functions of the access card, proscribing purposes that fall outside those functions and introducing sanctions for misusing any aspect of the system or the personal information it handles; and
  • Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

12. The Office notes that the design and policy settings of the registration process are likely to be important to promoting these protections, particularly in regard to the fundamental system design.

13. The Office has previously suggested that a key design question is to determine what personal information is necessary (rather than, for example, merely useful or expedient) for a system to operate. Determining this is important to ensuring that subsequent system design is not premised on the collection of excessive or unnecessary personal information. In this regard, the registration process, taken together with legislative requirements, will have a central role in determining what personal information is collected from individuals for the purpose of the access card.

14. In addition, the Office notes that the registration process will be the first, and in many cases most significant, direct engagement that individuals will have with the access card system. Careful attention to privacy issues is likely to be important to promoting ongoing community trust in the access card.

The registration process

15. Discussion Paper 3 describes the registration process for the access card initiative in broad terms and invites consideration of a range of related issues. The Discussion Paper seeks to examine the process in regard to a series of “distinct elements”. These elements are described on page 32 as:

  • notification of the need to register and to arrange a registration interview;
  • invitations to pre-register and register on-line;
  • advice about the need to provide POI documentation;
  • verification of POI documentation;
  • presentation at a structured interview;
  • the capture of personal data and the recording of a photograph and signature, consent and PIN;
  • transmission of data to a personalisation site;
  • the physical production of the card;
  • the return of the card to the relevant cardholder; and
  • commencement of the operation of the card.

16. The Taskforce has, however, taken the approach that it is useful to discuss registration with reference to wider issues, including, for example, the challenges associated with registering up to 16 million individuals by 2010, as well as the challenges of engaging with individuals for whom the registration process may raise particular difficulties. These issues are specified on page 11, and include:

  • the contents of the chip and register;
  • what evidence of POI will be required at registration and the period for which it will be retained by the Government;
  • the standard of proof of identity and the associated verification procedures relating to proof of identity (POI) documents;
  • the exceptions and exemptions which may be authorised; and
  • the physical processes associated with access card applications, production and issuance.

17. While the Office has limited its comments primarily to matters of information privacy, the broad approach taken by the Taskforce to examining registration and related issues is welcomed.

18. Importantly, given the timeframe established for individuals to register to remain eligible for benefits, the Office submits that it is important that privacy considerations continue to be appropriately addressed and not curtailed for the purpose of expediting the registration process.

Communication strategies, notification and informed consent

Promoting an informed community

19. Discussion Paper 3 draws attention to the importance of ensuring that individuals are fully informed of the implications of their engagement in the access card system. For example, at page 13, it is noted that individuals should have explained to them both the advantages and disadvantages of having their date of birth printed on the card.

20. The Office agrees with the importance of ensuring comprehensive information is provided to the community by a range of print and electronic media and directly at interview, and in ways that ensure accessibility to diverse cultural and socio-economic groups, including disadvantaged and illiterate individuals.

21. An effective community information campaign is likely to promote the expectation, reflected in the Privacy Act, that individuals are given notice of why their personal information is collected, how it may be used and to whom it may be disclosed.

Notice and consent obligations under the Privacy Act

22. Privacy is promoted by giving individuals an appropriate degree of control, exercised through realistic choices, over how their personal information is handled. Where such choices may not be appropriate, individuals should still be notified as to how their personal information is handled, including why it is collected, for what purpose it may be used, and to whom it may be disclosed.

23. Ensuring that individuals are aware of how their personal information may be handled may promote transparency and community trust, and is a requirement of the Privacy Act. For example, Information Privacy Principle (IPP) 2 requires that Australian Government agencies take reasonable steps to ensure that individuals are notified of why personal information about them is collected and to whom it may be disclosed. Similarly, National Privacy Principle 1 creates similar obligations for private sector organisations.

24. Additionally, both the IPPs and NPPs require that, once collected, personal information may only be used or disclosed for the purpose for which it was collected, unless a prescribed exception applies. Such exceptions include where the individual gives their consent to that subsequent use or disclosure.

25. In the Office’s understanding, common law consent may be express or implied, and may be given orally or in writing. Significantly, to be valid, consent must have the following elements:

  • it must be provided voluntarily;
  • the individual must be adequately informed; and
  • the individual must have the capacity to understand, provide and communicate their consent.

Distinguishing between consent and notice in the registration process

26. The Office suggests that Discussion Paper 3 may create some ambiguity regarding the role of informed consent in the registration process, particularly in relation to the obligations imposed by the Privacy Act on Australian Government agencies.

27. In particular, it may be valuable to draw a distinction between the processes of seeking consent and of providing notice as to how information will be handled. At points in Discussion Paper 3, this distinction appears blurred, resulting in some imprecision in describing agencies’ obligations under the Privacy Act.

28. For example, the discussion on page 12 of “Informed Consent” says, among other things:

  • “They [individuals registering for an access card] must also have information about who will be able to access this data and for what purposes, and of their right to know who has accessed the data. Their positive consent to the sharing of this data among participating agencies must be obtained.” The Office notes here that, if adequate notice is provided at collection, then the Privacy Act would not require consent to be obtained for the sharing of data.
  • “Registration is a one-off process (replacements excepted) in which each cardholder consents to data being collected and stored.” While seeking consent is good privacy practice, it is worth noting that the Privacy Act does not require Australian Government agencies to seek consent for the collection of personal information.[10]

29. In addition, it is stated that:

“The Commonwealth Privacy Act is quite specific about what constitutes “informed consent” (see Privacy Principle 2) and its principles and requirements must be observed by those administering the Access Card scheme.”

30. It should be noted, however, that the policy intent of IPP 2 is not to seek the consent of an individual to the handling of their personal information, but rather to give an individual notification of how their personal information will be handled. Notice conforming with IPP 2 would still be required, even where the individual has no choice as to whether they provide their personal information (such as when registering to vote). In regard to the access card, it has been noted previously that, for many individuals, the choice whether or not to register may not be a realistic one.[11] However, individuals should still be provided with notice as to how their personal information will be handled.

31. Accordingly, consent is more likely to be relevant to secondary uses and disclosures of personal information that fall outside of the purposes for which the information was collected in the first place. It may be useful for the Taskforce to more clearly draw this distinction between notice and consent. Such a distinction may be helpful in focusing on what measures are necessary to ensure that individuals are fully informed of how their personal information will be handled, while still attempting to offer as many specific choices as is reasonable within the broad policy settings of the card.

32. This distinction could also be clarified at page 36, where the second last paragraph refers to the applicant for an access card giving informed consent “…in line with Information Privacy Principle 2”. In this example, which goes to the potential disclosure of personal information for the purpose of verification, IPP 11 is likely to be the relevant principle.

Security of personal information and the registration process

33. A key concern that emerges in several contexts throughout Discussion Paper 3 is whether adequate security will be afforded to individuals’ personal information collected for registration. This issue is relevant in four contexts:

  • at the interview site;
  • during transmission of registration information to the manufacturing site;
  • during distribution of the access card to individuals; and
  • the security of the register itself.

34. The Office welcomes the attention paid to these elements.

Security at the interview site

35. Discussion Paper 3 raises a number of issues relating to the security of personal information at the registration interview site. Community confidence will likely be promoted where individuals feel comfortable that the personal information they provide during the interview is immediately afforded a high degree of protection.

36. The Office suggests that attention be given to the physical environment and layout of sites where interviews will be conducted. This should include ensuring that such sites afford appropriate privacy to the individual, including by ensuring that any discussion cannot be overheard.

37. In addition, the security that is afforded to personal information once collected and stored at the registration site is a significant matter. In particular, the Office notes proposals for mobile registration facilities, including “…at country shows, rodeos, bush football and racing carnivals, country picnics and even major events such as (Royal) Easter shows”.[12]

38. While the Office recognises the potential convenience offered by mobile facilities, it would be important to ensure that the security they are able to offer reflects the significance of the personal information that may be collected, including biometric photographs of individuals. The Office suggests that such facilities should be subject to the same form of law enforcement and intelligence agency certification as the Discussion Paper proposes should apply to the transmittal of information to the manufacturing site (discussed at paragraphs 42-43 below). Further, the Office may also be able to provide advice on appropriate personal information handling within such contexts, as well as exercising more formal oversight in line with its powers to audit Australian Government agencies.

39. Discussion Paper 3 also makes reference to the use of venues other than DHS agencies and appropriate Australia Post offices as possible registration venues. The suggestion to use additional sites, such as local government venues, appears inconsistent with recent statements made by DHS. For example, in its submission to the Senate Finance and Public Administration Committee’s inquiry into the Bill, the Government stated that:

“Registration interview locations will be made available throughout Australia at Medicare Australia, Centrelink, Department of Veterans’ Affairs (DVA) and Australia Post offices, and at mobile registration offices in rural and remote locations.”[13]

40. The Office suggests that whatever agency offices are used as registration sites, it should be made clear to individuals that the process is on behalf of DHS and solely for the purpose of receiving an access card.

41. In regard to registration sites generally, the Office is also unsure of the merit of attempting to manage enrolments by class of people.[14] It is important that such a strategy does not convey a sense of compulsion that may be inconsistent with the voluntary nature of enrolment, and that individuals who prefer not to enrol by class are not disadvantaged. In addition, many individuals may not see a nexus between their place of employment and their private decision to register for a government services card, and may view such a strategy as an imposition or intrusion.

Transmission to and handling at the manufacturing site

42. In regard to transmission of personal information from the registration site to the manufacturing site, the Office agrees that the security of such transmissions should be subject to certification from appropriate agencies, including the Defence Signals Directorate, the Australian Security Intelligence Organisation and the Australian Federal Police. In addition to certifying such processes, the Office suggests that those agencies should have an ongoing role in monitoring the technical operation of the transmittal process (rather than interrogating the personal information itself), at least during the initial phase of registrations.

43. Discussion Paper 3 also advocates that a certification process could usefully be adopted for those sites where access cards are manufactured. The Taskforce has suggested that a range of law enforcement and intelligence agencies could be involved in such certification.

44. The paper has also proposed oversight roles for agencies such as the Office of the Privacy Commissioner and the Commonwealth Ombudsman. While the Office offers in principle support to this approach, there may be limitations created by the jurisdiction of the Privacy Act for the Office to undertake more active oversight of manufacturing sites, such as by conducting audits, if the relevant entity is not an Australian Government agency.

Security during the distribution of the access card to individuals

45. The Office notes that the Bill provided that access cards can be taken as having been issued by the Secretary when sent by post.[15] It is conceivable that individuals may incur some form of liability for their card’s handling from this point, even if the access card is stolen or tampered with in the post (it is noted that clause 37 of the Bill states that the individual acquires ownership of the card when it is ‘issued’, including when sent by post).

46. Discussion Paper 3 distinguishes between the use of registered or normal post, suggesting that access cards with PIN protection could be distributed by the latter. The Office suggests that further consideration could be given to whether this would afford adequate protection to any optional information placed on the individual’s ‘open zone’ area of the chip, where such a zone may not have PIN protection.

47. Additionally, the Office suggests that further consideration be given to whether there may be information security issues raised merely from the information recorded on the surface of the card, and hence accessible (and capable of being copied) regardless of whether the chip is PIN-protected.

48. The Taskforce has also proposed an activation or “trigger” mechanism, by which individuals would activate the card once it is received and which “brings the card into its fully functional state”[16]. While this option has merit, it is unclear how an individual would activate the chip (rather than simply activate the card in the various systems facilitating government benefits), without a card reader that is linked to the register. This approach may, however, be useful in limiting individuals’ liability for any misuse of their card before it is physically provided to them.

49. The Office suggests that adequate security may require more than one card protection measure, including by considering whether individuals should be afforded the choice to collect their access card from a registration site or other approved location (as discussed on page 45 of Discussion Paper 3).

50. Additionally, the Office suggests that the question of card security highlights the need for legislative protections against mishandling the card or personal information on it. These protections could take the form of offences (particularly where there is a criminal intention associated with the mishandling). Alternatively, civil remedies could be afforded, such as legislating to provide that mishandling, when done by an entity, is an “interference with privacy” for the purposes of s.13 of the Privacy Act (where the mishandling is done by an individual in a private capacity, it may be appropriate for individuals to have a right to take action in a relevant court).

Protection of personal information on the register

51. Discussion Paper 3 notes the importance of ensuring that personal information held in the register is afforded the highest possible security. For example, it is proposed at page 14 that:

“Consideration should also be given to the proposition that the physical register itself (that is to say the mainframe and related support systems) should be housed in a separate purpose-built, high security facility to minimise any opportunities for improper accessing or external penetration of the system.”

52. The Office supports the Register being afforded significant security protections and suggests that the type of certification already proposed for the transmission of data and manufacturing facilities could also usefully be adopted in regard to the register.

53. The Office suggests that the operation of the register should be subject to the Privacy Commissioner’s statutory audit functions if held by an Australian Government agency. It should be noted, however, that such statutory functions may be limited if the management of the register were outsourced to a private sector contracted service provider.

54. In addition, the Office has strongly supported the need for specific legislative restrictions around how personal information on the register may be handled and notes the commitment given by Government to enact specific provisions for the “…protection of information on the register and card”.[17] While such restrictions should not impede specified DHS participating agencies or the Department of Veterans’ Affairs (DVA) from providing benefits in an efficient manner, they should limit which other bodies may access the data and for what purposes.

Disclosures for law enforcement purposes

55. In the Office’s view, one element of a comprehensive framework of legislative protections should include specific measures regulating the circumstances under which personal information may be disclosed to law enforcement agencies for criminal investigations.

56. The Office distinguishes between access by law enforcement agencies and access by intelligence agencies. The latter have different roles and powers to law enforcement agencies. The Office’s views on law enforcement agencies’ access to information in the Access Card system do not extend to the intelligence agencies except in relation to accountability issues (see para 61).

57. The storage of photographs and biometric templates on the register is likely to raise particular privacy sensitivities, particularly as Discussion Paper 3 notes that this will establish the “…first ever national photographic database of virtually the entire adult population”.[18] The paper notes the commitment of the then Minister for Human Services that “Rigorous access controls will be put in place to ensure the highest level of security and that photographs are stored in a manner to prevent unauthorised and improper disclosure.”[19] The Office suggests that the photograph and biometric template should be afforded the highest levels of technical and legislative protections.

58. Discussion Paper 3 draws particular attention to the possible disclosure of this information to law enforcement agencies, noting that “A point of concern is the need for an explanation so that the community can understand the prohibitions by law of access (for) law enforcement.”[20]

59. In regard to legislative protections, the Office suggests that disclosures of photographs and biometric templates to specified law enforcement agencies for criminal investigations should be limited to where specific criteria are met, such as for the investigation of “serious offences” (such as an offence carrying a penalty in excess of two years’ imprisonment) and where a warrant is issued by a judicial officer.

60. For personal information other than the photograph and biometric, the Office suggests that disclosures to law enforcement should be permitted where either of the two criteria above are met.

61. As an additional mechanism of accountability and public assurance, the Office also believes that the access card legislation should specify mandatory reporting requirements for disclosures (by DHS) of information from the Register to law enforcement agencies, as well as to intelligence agencies such as ASIO. Such reporting requirements (for example, to the Inspector-General of Intelligence and Security for tabling in Parliament) would be statistical in nature, and would be subject to operational and national security requirements.

Personal information collected at registration

Contents of the register

62. The collection of personal information only where necessary for a specific purpose is a foundation of good privacy. The Office has previously highlighted the importance of ensuring that only the information necessary for an individual’s registration for an access card should be collected to the register, and has commented on specific data items in previous submissions.[21]

63. To ensure that individuals are fully informed as to why their personal information is being collected (as well as how it will be handled), an important element of any community information program will be to provide specific explanation of why each data item is necessary for the purposes of registration. At the same time, it should be recognised that not all individuals may have the same degree of interest regarding specific data items. To accommodate differences in information needs, a “layered” approach to providing privacy notices could be adopted.[22]

Other specified information

64. Discussion Paper 3 (at page 15) discusses the provision made in the bill for ‘other information’ to be included in the register where determined by the Secretary for administrative purposes related to the access card. The Office notes that the Minister may, by legislative instrument, specify any other information.

65. The paper notes that this administrative or technical information must not “expressly identify” an individual, though it should also be noted that this test does not appear equivalent to the test provided in section 6 of the Privacy Act for the definition of ‘personal information’ (which includes information or opinion about an individual whose identity is apparent or reasonably ascertainable).

Flagging relationships with agencies

66. Discussion Paper 3 notes that, at registration interview, individuals will be asked to nominate those participating agencies with which they have a relationship. This flag will then be recorded on the chip and in the register.

67. The paper goes on to describe that:

The system will… allow the linkage from the Register to the individual agency databases, each on a separate basis, by use of the Access Card number which would be “translated” into the relevant individual agency number (i.e. the Medicare number, DVA number or Centrelink Customer Reference Number (CRN)) through a translation table unique to each participating agency.[23]

68. The Office has previously expressed concern about this design feature. For example, in its August 2006 submission to the Taskforce on Discussion Paper 1, it was noted that:

“…a significant privacy risk comes about if all the databases use the same number to identify each individual. A similar privacy risk arises simply if databases keep a record of the unique identifier of other databases.”[24]

“It would be of concern if the system is designed such that each constituent part of the system had knowledge of a single unique number which it could attribute to an individual.”[25]

69. While the Office understands that agencies would not retain the access card number for their own transactions, it remains a concern that the sharing of a single number across agencies may make it easier and more cost effective to conduct extensive data-matching or linking in the future, to a degree not envisaged currently. This was reiterated in the Office’s recent submissions on the Bill:

“The storage of a 'flag', rather than an agency specific identifier, may suggest that each agency would retain a common identifier to enable them, in approved and appropriate circumstances, to exchange information for the delivery of programs. However, the creation of such an infrastructure also leaves open the possibility of future data sharing that may go beyond individuals' expectations.”[26]

Alternate options for managing information flows

70. The Office has proposed alternative designs to this translation table model, such as storing agency identifiers on the access card chip (subject to tight encryption and legislative protections against tampering and misuse).

71. An additional technical option may be for each agency to retain a translation table which relates an encrypted or “scrambled” form of the access card number to the agency specific identifier. Such a model can be seen in the mechanism established for the exchange of Medicare and PBS claims information between Medicare Australia and the Department of Health and Ageing (DoHA).

72. Under this arrangement, as the Office understands it, Medicare Australia uses an algorithm to convert the individual’s Medicare PIN number into a different unique identifier, which is then attached to data provided to DoHA. Medicare Australia is, if needed, able to unscramble the encrypted number to re-associate it with the original source PIN (as well as with identifying information not disclosed to DoHA). The unique identifier received by DoHA will remain constant for each individual, though it does not allow DoHA to determine the individual’s Medicare PIN.

73. Such a model may be usefully adopted for the access card and register, provided that different algorithms were used for each participating agency. This would allow the register and each agency to exchange information (such as updated address or biographical information), while overcoming the need for each agency to retain the same unique identifier for each individual. For telephone and internet transactions, agencies could pass the access card number back to the register (without ‘collecting’ the number for the purposes of the Privacy Act), which may then provide the relevant translated identifier for linking to the agency’s own records.
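The model in paragraphs 71 to 73, as an added sketch that is not part of the submission and is not the Medicare Australia or DoHA mechanism: the register holds a different key for each agency and derives a reversible, agency-specific identifier from the card number, so that no two agencies hold a common value. The HMAC-based Feistel construction, the 16-digit number format, the keys and the agency record values are all assumptions made for illustration.

```python
import hashlib
import hmac

HALF = 8            # assumed format: 16-digit card number, two 8-digit halves
MOD = 10 ** HALF
ROUNDS = 8

def _round(key: bytes, rnd: int, value: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to HALF decimal digits."""
    digest = hmac.new(key, bytes([rnd]) + value.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MOD

def _split(number: str) -> tuple[int, int]:
    if len(number) != 2 * HALF or not (number.isascii() and number.isdigit()):
        raise ValueError("expected a 16-digit number")
    return int(number[:HALF]), int(number[HALF:])

def scramble(key: bytes, card_number: str) -> str:
    """Register side: card number -> agency-specific identifier (Feistel network)."""
    left, right = _split(card_number)
    for rnd in range(ROUNDS):
        left, right = right, (left + _round(key, rnd, right)) % MOD
    return f"{left:0{HALF}d}{right:0{HALF}d}"

def unscramble(key: bytes, token: str) -> str:
    """Register side only: reverse the rounds to recover the card number."""
    left, right = _split(token)
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _round(key, rnd, left)) % MOD, left
    return f"{left:0{HALF}d}{right:0{HALF}d}"

# Constructed demo keys, one per agency, held only by the register.
# A real deployment would use randomly generated keys in protected storage.
REGISTER_KEYS = {name: hashlib.sha256(b"demo-key:" + name.encode()).digest()
                 for name in ("medicare", "centrelink")}

CARD = "6001234567890123"  # constructed card number

# Each agency's translation table: scrambled identifier -> its own customer number.
TABLES = {
    "medicare": {scramble(REGISTER_KEYS["medicare"], CARD): "MEDICARE-0001"},
    "centrelink": {scramble(REGISTER_KEYS["centrelink"], CARD): "CRN-0001"},
}

def translate(agency: str, card_number: str) -> str:
    """Phone/internet flow: register translates, agency looks up its own record."""
    token = scramble(REGISTER_KEYS[agency], card_number)
    return TABLES[agency][token]
```

Because each agency's table is keyed by a value derived under a different key, the two tables share no common column to join on, while the register can still reach either agency's record or recover the card number.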

Contents of the chip

74. As with the contents of the register, the Office has expressed views on the information expected to be stored on the access card chip.[27] The permitted contents of the chip should be underpinned by the principle that each piece of data should have a clearly defined and necessary purpose relevant to registering for an access card.

75. The Office reiterates the need to ensure robust protections against unauthorised access and improper disclosure of information held on the card chip, and elsewhere in the access card system, including by entities not currently covered by the Privacy Act.

Audit information

76. Discussion Paper 3 makes brief mention of audit information being retained as part of the category of ‘other’ information that may be permitted on the chip by a determination of the Secretary.

77. In the Office’s view, the role of audit information is a potentially significant one, which warrants greater consideration, including in regard to any audit information retained on or about the register, as well as the chip. Audit information may promote transparency by allowing the individual to see who has accessed their information. At the same time, the Office would have concerns about the creation of extensive audit trails which might allow profiles to be built of all of the uses of the card by individuals, particularly where those uses are not in relation to the specific provision of health and social services by the Australian Government.

78. Accordingly, it would be important to clarify what information would be included in audit records, who may access it and for what purpose.

Proof of identity issues

Full and interim POI status

79. The Office supports the Government’s intention that individuals who are unable to meet a gold standard will not have their eligibility to benefits reduced.[28] However, it is proposed that such individuals be afforded “interim” (as opposed to “full”) registration status.[29] The Office understands that the primary implication of these two categories of registration may be the degree to which an access card is able to be relied on as a proof of identity (POI) document in its own right. That is, for example, a ‘full status’ access card may be worth more points under the existing 100-point system, established under the Financial Transactions Reports legislation, than an ‘interim status’ card.

80. It is currently proposed that the interim or full status would be recorded on the chip and the register. The Office has previously commented on this matter in its submission to the Senate Finance and Public Administration Committee’s inquiry into the Bill. The Office noted that:

“It is unclear why this information is necessary on the chip, which may be able to be read by participating agencies, concession providers or readers held by other bodies. The risk that this information could establish two classes of recipients of goods or services, even if this involves a tacit rather than explicit differentiation by providers, could be mitigated by storing this information, if it is necessary to be stored at all, only on the register.”[30]

81. The Office notes the Taskforce’s description, at page 20, of some social security payments which do not require the beneficiary to establish proof of their identity (for example, some child benefits and related taxation concessions). The Office reiterates its support for the underlying principle in its submission on the Australian Government’s e-Authentication Framework for Individuals,[31] that identity should be authenticated only when this is necessary for the transaction. Any proof of identity requirements for these particular payments will need to match the level of assurance actually needed for transactions with those beneficiaries.

Retention of POI data

82. The Office supports the Taskforce Recommendation 20, quoted at page 20, that POI documents should not be scanned, copied or kept on file, once those POI documents have been verified, consistent with any requirements under the Archives Act 1983.

Known Customer information

83. The Office outlined a number of potential issues surrounding the registration of “known customers” in its August 2006 submission to the Taskforce on Discussion Paper 1. Two that remain of significant relevance are:

  • the extent to which government agencies will compare their existing databases to assist in establishing the authenticity of individuals' identities, and under what protocols and authority such data-matching may be conducted; and
  • whether a known customer registration process may result in government service delivery agencies becoming more confident in false identities. If individuals are currently known, though registered under false identities, then a known customer registration process may result in some of these false identities being inappropriately authenticated.

Problems associated with registering members of particular groups

84. Discussion Paper 3 outlines a range of groups in the community which may have difficulty, for various reasons, meeting the requirements for registration for an access card. While the Office is not in a position to provide detailed advice on the issues raised by such groups, it would encourage the Taskforce to consult widely with relevant expert bodies in the community, such as welfare, disability and ethnic bodies.

Eligibility for access cards for individuals under 18

85. The Office welcomes the intention by Government, referred to in Discussion Paper 3 at page 29, not to diminish the right of individuals younger than 18 to obtain an access card, where they are currently entitled to existing benefit cards.

86. The Office shares the concerns outlined in Discussion Paper 3 regarding whether such individuals would be able to obtain the necessary proof of identity documents and notes the guidelines attached to the paper, titled “Criteria for people under 18 years of age applying for their own Access card”. While the Office has not been able to consider the full implications of these guidelines, it appears that they would be of assistance in addressing such concerns.

Exemptions and appeals

87. The Office welcomes the flexibility provided for the relevant Ministers and Secretaries to exempt individuals or classes of individuals from registration requirements.

88. Discussion Paper 3 has drawn attention to the expected powers of the Secretary to delegate the power to issue exemptions. In particular, the paper has noted that this may vest “…a significant power over the lives and rights of individual Australians in the hands of Commonwealth officers,”[32] including in circumstances where such officers may be relatively inexperienced or not well enough qualified to assess claims for exemptions on sensitive matters.[33]

89. Accordingly, as noted in Discussion Paper 3, the Office agrees that it is important that:

“…all registration staff are qualified to manage the issues of diversity (in terms of race, ethnicity, religion, disability, mental health and psychiatric issues, vulnerability and sensitivity etc.) which they will face throughout the registration process.”[34]

90. Similarly, appeal processes will be required that provide for the quick resolution of complaints where individuals may feel they are disadvantaged by a decision made regarding requests for exemptions.

91. Relatedly, the Office also notes that clause 54(1)(b) of the Bill gave the Secretary the power to require a person to return an access card where the Secretary forms a reasonable belief that the card may have been used in regard to an offence against a Commonwealth, state or territory law. The Office suggests that a clear and timely appeal process should be available for any such decisions by the Secretary.


[2] The Office’s submission on Discussion Paper 1 is available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html. The submission regarding Discussion Paper 2 is at http://www.privacy.gov.au/publications/act-2-voluntary-info-200703.pdf.

[7] Biometric technologies are discussed at several points through the Office’s ALRC submission, though these particular privacy risks are described in the Office’s responses to question 11-1 available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#L24414.

[8] See Chapter 12, “Unique multi-purpose identifiers” available at http://www.privacy.gov.au/publications/submissions/alrc/c12.html.

[9] See, for example, the Office’s submission on Discussion Paper 1 (August 2006) available at http://gov.au/publications/accesscard_sub_082006.doc.

[10] However, private sector organisations do generally require consent for the collection of “sensitive information” – See, NPP 10, available at http://www.privacy.gov.au/publications/npps01.html#j.

[11] For example, the Office’s submission on Discussion Paper 1 notes at paragraph 41 that:

The Discussion Paper (at page 18) raises the question of whether the access card is truly voluntary, given the likelihood that, at some point in their lives, almost all Australians will need to access Government services associated with the Card. As others have argued, a substantive choice may not be available in these circumstances.

[12] See page 35 of Discussion Paper 3.

[14] The example provided, at page 32, is for all employees of a particular government department or workplace to enrol at the same time.

[15] See clause 25(a).

[16] Page 46.

[17] See, Media Release, “New ‘smartcard’ legislation introduced” 7 February 2007, available at http://www.accesscard.gov.au/media/new_smartcard_legislation_introduced.html.

[18] Page 40.

[19] Page 41.

[20] Page 40.

[21] See, for example, the Office’s Submission to the Senate Finance and Public Administration Committee concerning its inquiry into the bill. The specific discussion is available at http://www.privacy.gov.au/publications/sub-hsesd032007.html#Informatio.

[22] This approach is discussed in the Office’s Privacy Policy, specifically at http://www.privacy.gov.au/policy/privacy_policy.html#mozTocId309173.

[23] Page 14.

[24] See discussion under “Unique identifiers” available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html#mozTocId957306.

[25] See paragraph 61 under “Dataflows between system elements” available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html#mozTocId493233.

[26] See paragraph 21 of the Office’s submission to the Department of Human Services (January 2007) available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html#mozTocId957306.

[27] See, part 3 of the Office’s submission on the Bill to Senate Finance and Public Administration Committee, available at http://www.privacy.gov.au/publications/sub-hsesd032007.html#Part2

[28] Refer page 19.

[29] Page 19.

[32] Page 29.

[33] Page 29.

[34] Page 40.