Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007; Submission to the Office of the Access Card (January 2007)

Submission to the Office of the Access Card

January 2007

Office of the Privacy Commissioner

  1. The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

    Background

  2. The Office welcomes the development of dedicated legislation on the access card and accompanying system. This presents an opportunity to prescribe the purpose, functions and practical operation of the access card system in a way that may benefit all Australians by safeguarding their personal information and respecting their privacy. In its submission to the Office of Access Card's Consumer and Privacy Taskforce, chaired by Professor Allan Fels AO ('the Fels Taskforce'), the Office highlighted the role of such legislative protections as a necessary element of a robust privacy framework for this important initiative.
  3. In the Office's view, it is important that the legislation includes the types of protections and accompanying oversight mechanisms that the community is likely to expect. The Office therefore welcomes the Office of Access Card's (OAC) decision to engage in public consultation on the exposure draft Human Services(Enhanced Service Delivery) Bill 2007 (the exposure draft).
  4. It is hoped that the Office's comments below will assist in the development and refinement of legislation for the access card that provides robust protection for individual privacy.
  5. The Office looks forward to similar opportunities for public comment in regard to future tranches of legislation.

    General comments

  6. In noting the timeframe established for the implementation of the access card system, the Office beleves it is important that legislative measures do not pre-empt the finalisation of important design and policy considerations. In the Office's view, decisions on those considerations should be open to public scrutiny and settled, before enabling legislation is enacted. If not, there is a risk that privacy enhancing design and policy options could be prematurely excluded, to the overall detriment of the initiative and community support of the system.
  7. In particular, the Office notes the importance of ensuring that the Bill does not establish a legislative framework, whether intentionally or otherwise, that relies on or assumes the existence of a unique personal identifier (UPI) for each card holder, such as a number, that is then held and shared by various agencies or organisations.
  8. The risks of such a system are discussed in detail in the Office's submission to the Fels Taskforce , but include:
    • significantly expanding the capacity for datamatching between agencies or organisations in ways that may go beyond public expectations;
    • creating pressures to allow uses of personal information in ways not currently envisaged by the legislation; and
    • increasing the risk of interferences with privacy by creating an infrastructure that could allow the linking of data from currently disparate data sources, possibly including in the private sector.
  9. The Office encourages the OAC to consult with relevant privacy and technology experts to explore design options that avoid such risks. Legislation can then be pursued to give effect to such agreed designs.

    Detailed comments on the Bill

  10. For ease of reference, these comments will generally be grouped under the sections of the Bill.

    Part 1 - Introduction

  11. The Office welcomes the enumeration of the objects and purposes of the Bill, which determine what can legally be done under the legislation once enacted.
  12. The Office notes section 20(2), which states that it is not an object of the Bill that access cards be used as a 'national identity card'. The Office submits, however, that community trust may be promoted by recasting this provision and including in section 20(1) a statement that the objects of the Bill include to prohibit the access card being used as a national identity card.
  13. Whether retained in current form or adopted as a clause to section 20(1), the Office suggests that it may be useful for section 20(2) to be expanded to clarify its full intent. For example, the Office suggest that a useful addition to this provision would be to state the access card number (and related identifiers) are not to become unique identifiers for each individual, which could be used, shared or adopted by Australian Government agencies, State and Territory agencies, or the private sector. Such a protection would be consistent with the policy intent of National Privacy Principle 7 (on unique identifiers) and the protections afforded to the Tax File Number.
  14. The Office welcomes the requirement for any administrative policy statement that may be prepared by the Minister pursuant to s 30 being tabled in Parliament.
  15. However, the content that may be included in such a statement is unclear to the Office, as is its precise function and relationship to the exposure draft's objects and purposes. It is assumed that such statements will assist in defining the manner and scope in which discretion is exercisable by the Secretary and delegates in a range of provisions under the exposure draft. If so, it may be useful to redraft the provision to make this intention more apparent.

    Part 2 - Registration

  16. Section 55(1) states that "You, or someone else on your behalf, may apply…" for registration. The Office suggests further clarity regarding how this "someone else" is determined and what authority they must have to apply on an individual's behalf (for example, status as a parent, guardian, carer or legal representative; and whether written authority alone would be accepted). A clearer expression of policy intent or definition in the legislation could be useful to avoid multiple, unwanted or fraudulent applications.

    Information on the register

  17. The development of the access card system would be the first time an Australian Government database has held a digitised signature and biometric photograph of the majority of the adult population. The Office has previously noted its concerns about the collection of these items. The Office supports the Fels Taskforce recommendation that rigorous controls on unauthorised access and improper disclosure be put in place to safeguard these items wherever held, including on the register, chip and card surface.
  18. An effective way of minimising interferences with privacy is to only collect personal information where there is a specific, lawful and necessary purpose for doing so. This is an underlying principle of privacy law and practice.
  19. Although some explanation is provided in the Explanatory Material, in some cases it remains unclear to the Office whether it is necessary for particular types of personal information to be collected and stored on the register (s 75). The Office submits that the register may not need to include personal information that is required to specifically determine an individual's eligibility for entitlements. Such personal information would best be collected by the administering agency for that entitlement, rather than into a central database.
  20. The Office submits that the guiding policy setting for the register should be to collect the minimum amount of personal information, and that this should be reflected in the legislation.
  21. In regard to specific types of information currently prescribed in the Bill, the Office makes the following comments:
    1. Place of birth (item 2): This information is potentially sensitive information as defined under section 6 of the Privacy Act, as it may reveal an individual's racial or ethnic origins. It is unclear whether this information is necessary to register an individual for an access card.
    2. Citizenship/residency status (item 3): Given that the access card is not a citizenship document, it is unclear why residency status need be stored. If certain benefits accrue depending on residency status, the Office suggests that the relevant agencies collect this information independently of the register, or the card could be appropriately limited in its functionality without retaining that information on the register.
    3. Gender (item 4): The Office suggests the OAC consider whether gender is necessary to be stored on the register, as distinct from being information necessary for particular agencies to provide certain services. In terms of accuracy of personal information, the OAC is also encouraged to consider how the preferences of transgender persons will be respected when collecting this information, particularly given the sensitivities that are likely to arise. Consultation with transgender groups may be of benefit before law is enacted.
    4. Contact details (item 5): It is unclear whether both residential and postal address are mandatory for the register. There may be valid reasons why an individual would prefer that one address remains unknown (such as in a domestic violence situation). Noting the first two objects of the legislation, the Office submits that individuals should be able to elect whether one or both address types are stored on the register.
    5. Signature (item 8(f)): The Office has previously questioned the need to include a digitised signature on each of the register, card chip and card surface, given that it would appear to have limited value to government and consumers, and the potential risks of its use in identity fraud if any of those systems are inappropriately accessed.
    6. Date of birth (item 8(i)): It is presently unclear why the fact that the individual's "date of birth is on the surface of [the] access card" needs to be stored on the register.
    7. Participating agency flag (item 12): The Office is unsure of the design implications of this item. The storage of a 'flag', rather than an agency specific identifier, may suggest that each agency would retain a common identifier to enable them, in approved and appropriate circumstances, to exchange information for the delivery of programs (see also paragraphs 7-8 above). However, the creation of such an infrastructure also leaves open the possibility of future data sharing that may go beyond individuals' expectations. The Office discussed the risks of such designs in its submission to the Fels Taskforce. The Office would encourage the OAC to consult relevant privacy and technical experts to avoid a system which allows the linkage of identifiers between agencies.
    8. Death (item 14): Noting the discussion at paragraph 19 above, the Office understands that it may be necessary for this information to be passed on to agencies, but it remains unclear why this information would need to be retained on the register. The issue of retention of information is discussed below at paragraph 27.
    9. Benefit card information, copies of POI documents, and other information necessary for administration (items 6, 11 and 15): Information recorded under these items is determined at the discretion of the Secretary. The open-ended nature of these provisions may lead to greater collection than is necessary. The provisions may also limit the effectiveness of s 90, which precludes additional information being stored on the register.
  22. Item 15(b) of s 75 provides for other information to be stored on the register, as determined by the Minister (by legislative instrument), for the purposes of the Act. The Office welcomes this opportunity for parliamentary scrutiny (by way of disallowable instruments), and the link provided to the Act's purposes. The Office also notes that this power may be delegated to the Secretary (s 320(1)(b)), and this is discussed further at paragraph 69.
  23. The number and nature of types of personal information that may be stored on the register is a key privacy issue. As noted earlier, good privacy practice is promoted by ensuring that only necessary information is collected.
  24. Accordingly, the Office suggests that a general provision could be provided, to the effect that any powers to make decisions to expand the permitted contents of the register should be done in consultation with the Privacy Commissioner. A possible model of such a mechanism is available in section 85ZZ(1)(b) of the Crimes Act 1914 concerning the Commonwealth spent convictions scheme. Under this provision, the Privacy Commissioner is required to advise the Minister for Justice and Customs on possible exclusions to the scheme.
  25. The Office suggests that the provision to scan and retain copies of POI documents (s 75, item 11) raises privacy issues and should be removed. Such documents may include much personal information that is not necessary for the access card system, including about third parties. The Fels Taskforce also recommended against the scanning, copying or keeping on file of POI documents once verified.
  26. The Office notes that the exposure draft is silent on the period for which scanned documents will be stored on the register. While the Office's preference is that this form of collection not occur, some privacy protection may be afforded by a provision that limits the retention period.
  27. The exposure draft does not prescribe procedures for the deletion of information from the register more generally, once it is no longer necessary to retain it (for example, when an individual dies or voluntarily de-registers). The Office notes that unnecessary retention of information can have privacy implications. While these matters may be contemplated for the second tranche of legislation, the Office submits they should not be left to existing legislation such as the Privacy Act, which may not provide suitable protection (such as for deceased persons' information).
  28. The Office remains of the view that there are important distinctions between information which needs to remain on the register, information which need only be stored temporarily, and that which need not be stored at all.
  29. Some individuals may prefer to retain more direct control over their personal information including, where practicable, by storing it on the chip alone. Where the intention for 'duplicated storage' is for greater individual convenience (such as minimal re-registration if a card is lost), the legislation could allow for such storage at the individual's discretion.

    Discretionary functions of the Secretary and delegates - generally

  30. The Office recognises that it is common for legislation to provide mechanisms to delegate powers. Such provisions will often relate to routine or administrative matters.
  31. The legislative protections accompanying the introduction of the access card are an essential element in promoting community confidence. The access card system is unique in character, in that it will cover the majority of the Australian adult population, facilitating the collection, retention and handling of personal information on a significant scale. Accordingly, even those matters that may ordinarily be considered routine or administrative are likely to have consequences for how personal information is handled.
  32. Accordingly, the Office suggests that in drafting the Bill, there should be a general policy of ensuring that decisions which affect personal information are subject to appropriate oversight, including where such decisions go to administrative matters.
  33. There are a number of areas of the exposure draft which the Office believes should be subject to additional oversight mechanisms, independent review, clear Ministerial direction or specific criteria, including determining:
    1. what proof of identity (POI) information and documents are needed for registration (s 55(2));
    2. the form or manner in which the register may be kept;
    3. what information about an individual's benefit cards will be held on the register and the chip (respectively - s 75, item 6; and s 160, item 10);
    4. what POI documents (or information about those documents) will need to be scanned and placed on the register (s 75, item 11); and
    5. when applying for an access card, what "other specified information" or documents that the Secretary deems necessary: (i) to be satisfied of the applicant's identity, or (ii) to obtain information required for the card or the register (s 105(2)(b)).
  34. In particular, the Office suggests that items a), d) and e) above should be subject to parliamentary scrutiny. The absence of such scrutiny could reduce the benefits of prescribing, in statute, the types of personal information that may be collected for the purposes of the access card.
  35. In addition, the Office repeats its suggestion (see paragraph 24 above) that the Bill could usefully promote community confidence by including a general provision that these powers be exercised in consultation with the Privacy Commissioner. Section 212(2)(a)(vi) of the recently enacted Anti Money Laundering and Counter Terrorism Financing Act 2006 provides a possible example of such a provision.

    Part 3 - The Access Card

  36. The Office has noted above (see paragraphs 17-29), in regard to collection for the register, the importance of ensuring that personal information is only collected where necessary.
  37. Similarly, the Office notes its earlier comments cautioning against unnecessarily duplicating collection and storage of personal information on the chip, card and register (paragraph 29) and the need for additional oversight where discretionary powers affect the handling of personal information (paragraphs 30-35).

    Form of the access card

  38. More specifically to this Part, the Office notes that the form of the access card is determined by the Minister (s 125(4) and (5)). This decision would be particularly important if (drawing on the example at paragraph 5.29 of the Explanatory Material) the card were adapted in the future in response to emerging technologies. It is often the case that new technologies raise new privacy issues.
  39. The Office submits that the determination of this issue could be strengthened by subjecting it to parliamentary scrutiny (for example, as a disallowable instrument), independent review and/or public comment. Doing so could also increase public confidence, transparency and accountability. This would be consistent with other powers in the Bill that are subject to legislative oversight.
  40. The Office also notes that a general provision, as suggested above at paragraph 24, requiring consultation with the Privacy Commissioner on the operation of the Act may again be appropriate.

    Information on the surface of the access card

  41. The Office welcomes the choice to display an individual's preferred name on the card upon request, and that displaying one's date of birth is optional (s 140, items 1 and 6). It is important that these options and other such 'requests' are well explained, publicised and easily exercisable.
  42. Notwithstanding the Office's concerns over certain items on the surface of the card (as previously raised in the Office's submission to the Fels Taskforce, and by the Taskforce itself ), the Office welcomes the limitation of information held on the card's surface under section 150 (and for the card chip at s 170).

    Information on the card chip

  43. Item 4 of s 160 states that a residential address must be stored on the chip. While noting this is a lesser requirement than for the register (s 75, item 5), the Office believes that the individual should be able to choose whether residential or postal address is stored on the card chip.
  44. The Office reiterates the need to ensure robust protections against unauthorised access and improper disclosure of information held on the card chip, and elsewhere in the access card system.
  45. The Office understands that the Fels Taskforce is examining how to regulate the individual's area of the chip. The Office welcomes proposals to maximise consumer choice in this matter. Nevertheless, in the interests of data integrity, consideration should be given (possibly in future legislation) to dealing with the risk of viruses, 'spyware' and other inappropriate software being stored on the chip, with the intent of modifying any person's card or interfering with the access card system.

    Ownership and use of the access card

  46. The intention and effect of section 175(3)(a) seems unclear. It states that ownership of the card does not give ownership of information in the individual's area of the chip "that you would not otherwise have". Also, the Explanatory Material refers to the Commonwealth's area of the chip rather than the individual's area. This provision may benefit from clarification.
  47. The Office understands that the intention of s 195 is to regulate use of the card by all officers of participating agencies. However, given the broad terms of the statutory purpose, the Office queries whether the provision would unintentionally permit use of the card by such an officer who would not otherwise be able to use the card at all (provided they do so for the purposes of the Act).
  48. The Office submits that more robust protections may be afforded by inserting a provision, under Part 3 Division 6, proscribing any use of the access card by Commonwealth officers (other than "authorised persons" and those in participating agencies) unless the individual chooses to allow it. Consenting to allow agencies to use an access card beyond the purposes of the Act
  49. If an individual may consent to the use of their access card outside of the purposes of the exposure draft (s 195(b)), it is important that the consent be fully informed and voluntary. This provision could refer to s 295 (abuse of public office) to discourage improper seeking of consent.
  50. In addition, the Office suggests that "express" could be inserted before the word "consent" in section 195(b). This may ensure that a clear and unambiguous statement of consent is required from an individual that they agree to their access card being used by a Commonwealth officer in a participating agency for purposes outside the Act.

    No requirement to carry an access card

  51. The Office welcomes the intent of s 200 ("You are not required to carry your access card at all times"). However, the qualification "at all times" could leave open the prospect that individuals may, in future, be required to carry an access card when in certain places or carrying on certain activities. This would seem to create a tension with the stated policy intent that individuals need only present an access card when they choose to seek benefits and entitlements related to health and social services.

    Part 4 - Offences

  52. The Office acknowledges that not all possible offences are necessarily included in this exposure draft (including those related to the individual's area of the chip), and looks forward to the public consultation process for future proposals. The Office supports the inclusion or reference to applicable Criminal Code and Public Service Act offences under the Bill.
  53. Generally, the Office notes that Part 4 tends to focus on offences relating to access cards rather than the register. For example, the offences do not appear to deal with unauthorised access to or interference with the register, either by Commonwealth officers or others. The Office believes such matters should be addressed in future legislation.
  54. While the Offence supports the inclusion of criminal offences in regard to the access card, individual offences under the exposure draft may be difficult to prosecute and prove (such as showing 'intent', particularly under the criminal standard of 'beyond reasonable doubt'), reducing the deterrent effect and the likelihood that an aggrieved individual would obtain satisfaction.
  55. It is important that penalties and offences (such as those relating to 'requiring production') are clearly articulated, effective and enforceable. The Office notes that criminal offences will generally require intent to be proven. Accordingly, the OAC may wish to consider including civil offences alongside criminal ones, as is found in other legislation.
  56. Civil penalty provisions may provide individuals with an alternative means of redress, and minimise the unchecked misuse of access cards due to a lack of evidence or resources to pursue criminal charges.
  57. The arrangements for the handling of Tax File Numbers may provide another useful model, whereby an individual may seek remedy under the regulatory mechanism of the Privacy Commissioner's TFN Guidelines, issued under s 17 of the Privacy Act 1988. At the same time, criminal action may be pursued against an individual who, in the handling of TFNs, commits offences against the Taxation Administration Act 1953 (Cth).
  58. Review of the effectiveness of the offence provisions after a certain period may also assist in protecting consumers and minimising unconscionable conduct.

    Division 2 - Offences for requiring production

  59. The Office welcomes efforts to protect individuals from improper demands for production and refusal of services, including where such demands are oral, in writing or in another way and meet a test that the individual would "reasonably understand" that they are being required to produce an access card (ss 210-215).

    Division 3 - Offences for doing things to access cards

  60. The Office is uncertain whether s 220 intends to encompass damage that occurs unintentionally. The explanatory material (para 6.23) refers to intentional damage, but the clause itself does not. The Office also notes that it may be questionable whether it would always be practicable to show 'intent' for such offences.
  61. The Bill does not appear to provide an offence for possessing someone else's card without consent, or for copying information from a person's access card (including from the chip), or from the register, without authorisation. Such offences could lie, for example, under s 225.
  62. The Office questions whether "damage" under s 235 would include 'modifying' one's card, particularly by using the individual's area to install software, to dishonestly obtain an advantage. The Office also notes that this provision is unlikely to apply where the intent is merely to interfere with the system, and submits that the latter should also be considered under the offence provisions.

    Divisions 4, 5 and 6 - Other offences

  63. The Office welcomes the offences relating to unauthorised recording and use of the access card number (s 270). These offences would be reinforced if specific secrecy provisions were enacted to protect the information held on access cards, chips and the register.
  64. The explanatory material, at paragraph 6.60, seeks comment on whether recording with consent should be expressly excluded from this offence, so as to clarify that it is not intended to be an offence. The Office notes that permitting individuals to be able to consent to the access card number being recorded is inconsistent with the terms and policy intent of National Privacy Principle 7. Without further explanation of the rationale, the Office is not inclined to support individuals being able to consent to such practices.
  65. In Division 5, although the Explanatory Material (paragraphs 6.6161 and 6.64) indicates ss 275 and 280 only intend to proscribe deliberately false or misleading statements, the Office queries whether this should be expressly noted in the provisions themselves, to avoid the appearance of penalising accidental omissions.

    Part 5 - Miscellaneous

    Division 2 - Identity guidelines

  66. The "identity guidelines" under section 315 hold considerable significance for the manner in which the Secretary and delegates make important decisions under the exposure draft, including how an individual may prove their identity, their eligibility for registration, and the issuing of the access card. The Office believes that the issuing of these guidelines should be mandatory, rather than discretionary.
  67. The Office welcomes these potentially crucial guidelines being subject to Parliamentary scrutiny. In addition, the Office suggests that they be subject to mandatory consultation, including with the Privacy Commissioner. This importance is heightened given the need to ensure that they are consistent with other Australian Government identity management initiatives.

    Division 3 - Delegations and authorisations

  68. In relation to powers of the Minister which are delegable under section 320(2) and are to be exercised by legislative instrument, the Office believes there may be benefit in clarifying that these functions will continue to receive the benefit of parliamentary scrutiny when delegated.
  69. For example, as the Office understands it, item 15 of s 75 may be delegated to the Secretary (determining what additional information may be stored on the register). However, it is noted that section 75(2) states that the Secretary's determinations under item 15 (which would ordinarily relate to administrative matters under item 15(a) of s 75) are not legislative instruments. The Office assumes that where a power is to be exercised subject to parliamentary oversight, that oversight remains if the power is delegated. The Office suggests this should be articulated in the legislation.

    Possible matters for future legislation

  70. The Office looks forward to opportunities for public comment on future legislative proposals that affect the access card system, particularly the second tranche of dedicated legislation.

    Determining future uses

  71. The Office acknowledges the role of the objects and purposes clauses in providing guidance on how the access card system may be used, and welcomes the legislative oversight which would need to accompany the amendment of those clauses.
  72. However, some provisions of the exposure draft, such as object (c) on fraud reduction and the proposed purpose under s 25, may leave open the prospect of a broader interpretation of possible uses than that which the public might reasonably expect. It does not appear that the exposure Bill currently proscribes other uses.
  73. The Office believes that legislation should prescribe, in detail, a statutory process for assessing and approving any future uses of the access card and associated systems (such as the register). It is suggested this would positively impact on public confidence in the initiative.
  74. Such processes could be applied to proposed uses, whether or not those uses fit within the current objects and purposes. They could also apply to any proposed expansion of the objects and purposes.
  75. Appropriate mechanisms could include a combination of mandatory public consultation; parliamentary oversight or committee review; referral to an independent panel of experts; and review by the Privacy Commissioner, before those future uses are subject to parliamentary oversight and amendment to primary legislation.
  76. While such detailed processes are not included in the exposure draft, the Office looks forward to the opportunity for public comment on such proposals in the second tranche of legislation.

    Specific secrecy provisions

  77. The Office notes the role of the Privacy Act 1988 as a source of underlying privacy protection for the access card system. However, the size and scope of the register raise privacy risks that the Office believes requires additional privacy and secrecy protections to be enacted in legislation. Such legislation could also ensure uniform protections over all entities that may use the access card and associated systems, including in regard to acts and practices of individuals and companies not currently within the Privacy Act's jurisdiction.
  78. The Office recommends the development of specific secrecy provisions for the second tranche of legislation to protect the personal information contained in the register and the card chip.
  79. This is particularly important given the size, sensitivity and coverage of the access card databases. As previously noted, this would be the first biometrics-enabled database established for the majority of Australia's adult population (containing a biometric photograph, a digitised signature, and a large amount of other personal information).
  80. Such provisions would provide greater protection to personal information held on the register and the access card chip, over and above existing legislation such as the Privacy Act, which does not apply to the activities of many individuals, small businesses and state or territory government agencies, and does not provide for criminal sanctions.

--END--

Media announcement: Privacy Commissioner comments on draft Access Card legislation