
Consultation on the second exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007; Submission to the Australian Government Office of the Access Card (August 2007)


Submission to the Australian Government Office of the Access Card

August 2007

Summary

  1. The Office welcomes the ongoing development of a comprehensive legislative package for the access card system, and the decision to release a public exposure draft of the expanded legislation (paragraphs 2-3).
  2. The Privacy Commissioner believes it is important that the access card system aligns with community expectations, and that robust privacy safeguards control the way information is used under the system (8-10).
  3. The current Bill combines aspects of the previous bill with more comprehensive provisions on confidentiality and information protection, among other matters. The Bill makes progress in advancing privacy protections and giving regard to privacy issues (13-14).
  4. This submission makes proposals as to how the Bill may be further enhanced, by examining six major privacy aspects of the Bill (listed at 30), and providing specific comments on detailed matters in the Bill (listed in a Table at Appendix A).
  5. The Office welcomes the multifaceted approach that DHS has adopted in developing privacy protections for the access card system, involving four elements: Design + Technology + Legislation + Oversight (16-29).
  6. The Office notes that the Bill provides a number of important oversight mechanisms, including review and appeal processes, mandatory consultation with the Privacy Commissioner in several areas, Parliamentary scrutiny of Administration Rules (still to be developed), and annual reporting requirements (28-29).
  7. The Office welcomes the listing of the Bill's objects, and the intention that the Act should be interpreted to limit impacts on privacy.
  8. To satisfy the object that the access card is not to be used as, or become, a national identity card, the Office suggests further safeguards to supplement the protections proposed in the Bill (36-40). These suggestions include making the photograph optional on the card surface (54-63). The Office also suggests a regular statutory review mechanism be considered for the access card system (41-47).
  9. The Bill's Administration Rules framework will regulate important areas relating to information protection in the access card system. However, it is difficult to assess the effectiveness of this framework without the Rules themselves. In general, the Office believes the Administration Rules should offer clarity and prescribe detailed obligations, and add to the protections already prescribed in the Bill, and should not permit information handling that is broader than that envisaged by the existing clauses. The submission specifically discusses handling of the photograph and template at paragraphs 64-68.
  10. The Office welcomes the Bill's dedicated provisions on confidentiality in Part 5, and the combination of offences and infringement notices. In addition to storing access card records separately from other government databases, the Office notes the need to limit information-sharing between government databases except where necessary and within public expectations (69-78).
  11. To allow individuals to seek redress where access card information is mishandled, the Office suggests that civil remedies be available. This could permit complaints to the Privacy Commissioner where any entity breaches an information protection provision in the Bill (80-84). The Office also recommends additional offences and civil remedies where an individual's photo or signature on the card surface is improperly collected, used or disclosed.
  12. The Office suggests that the access card system should not create the infrastructure for the emergence of a shared unique identifier (such as the access card number) across government agencies. This could facilitate broad-scale data-matching and data-linkage of information about the majority of Australians in ways that are considered intrusive, unnecessary or beyond public expectations (87-126).
  13. The Office welcomes the Bill's limits on the disclosure of protected information. This is particularly important for disclosures that may not relate to providing benefits and services, such as for law enforcement (132-135).

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner ('the Office') is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. The Office welcomes the continuing development of a comprehensive legislative package to underpin the access card system, particularly in regard to the handling of individuals' personal information. In the Office's view, legislative measures are one of the essential elements to ensure that individual privacy is protected and respected under the access card system.

3. The Office also welcomes the Australian Government's decision to provide a second public exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007 ('the Bill'). Submissions made during this process should usefully inform the further development of the Bill, affording the opportunity for enhanced public confidence and improved privacy outcomes for all Australians.

Previous engagement

4. In the past year, the Office has made several submissions on aspects of the access card system. This has included a submission on the first exposure draft of the access card legislation to the Office of the Access Card ('OAC') in January 2007, and another on the previous version of the Bill tabled in Parliament ('the previous Bill') to the Senate Finance and Public Administration Committee's Inquiry in February 2007[1]. These and other submissions are available from the Office's access card webpage at www.privacy.gov.au/materials/archive/other/view/5895.

5. The Office has also engaged with the OAC through its participation on various interdepartmental committees and working groups established for the purpose of progressing the project.

6. The Office has also discussed issues relevant to the access card in its submission to the Australian Law Reform Commission's Review of Privacy. In particular, that submission discusses issues surrounding new technologies, including smartcards, and privacy issues regarding unique multi-purpose identifiers.[2]

Structure of this submission

7. This submission examines the use of a multifaceted approach to address privacy issues in relation to the access card system, and assesses the major privacy aspects of the Bill - particularly in the context of information protection provisions. An appendix to this submission provides further specific comments on matters of detail in the legislation, including matters that are not addressed in the body of the submission.

Privacy and the access card system

8. The access card proposal will have a significant impact on the way Australians interact with Australian Government agencies, and receive the services and benefits to which they are entitled. This impact has the potential to extend to those concessions provided by State, Territory and local governments, as well as the private sector. The access card system is similarly significant from a privacy perspective, because it involves the collection and handling, in a centralised manner, of a considerable amount of personal information about almost all Australians.

9. In previous public submissions, the Office has noted a range of privacy risks that may be posed by a near-universally held, photographically-enabled access card. These risks include not just the physical card or embedded chip, but also the substantial information infrastructure that would sit behind the card. These risks may include, for example:

  • a rich central repository of personal information including photographs and biometric templates may be tempting to hackers and organised crime;
  • pressures may emerge to use the central repository for purposes that are unrelated to the reason it was established, and may, through 'function creep', go beyond public expectations [3] (such as facilitating the sharing of personal information between disparate public and private sources, including by data-matching and data-linking); [4] and
  • there is a risk that the access card could become a de facto national identity card in the absence of adequate protections and sanctions.

10. Accordingly, the Privacy Commissioner believes it is important that the operation of the access card aligns with community expectations of how personal information should be handled. Robust privacy safeguards are also needed to control the way information is used under the system, and to protect it from misuse, both now and in the future.

Public engagement and scrutiny

11. The Office welcomes the opportunities that have been afforded for public engagement and scrutiny of the access card system, particularly the legislation, since the first exposure draft was released in December 2006. The Office acknowledges the public engagement undertaken by the Australian Government, through the OAC, which has included:

  • the provision of a second exposure draft of the Bill, to allow the public to view the legislative package as a whole, in line with the Senate Standing Committee's single recommendation following its inquiry into the previous bill in March 2007;[5]
  • providing public briefings and roundtable meetings for stakeholders to receive an overview of legislative changes since the first exposure draft; [6] and
  • the public release of all five of the Consumer and Privacy Taskforce's ('the Taskforce') reports.[7]

12. In the interests of further transparency, the Office suggests that the Government publicly release the Taskforce's Privacy Impact Assessment (PIA) of the access card system. The Office would also welcome opportunities for public consultation on other matters as they continue to develop, including detailed design features and the proposed Administration Rules.

Progress since the first exposure draft

13. The previous bill set out the purposes of the access card system, details of the registration process and the access card itself, and certain offences. The current Bill develops and combines aspects of the previous bill with more comprehensive provisions on confidentiality and information protection (Part 5), representation issues (Part 6), compliance and enforcement (Part 7), administrative review and appeals (Part 8), and a framework for Administration Rules on various matters (Part 9).

14. With these new elements, the Bill makes considerable progress in advancing privacy protections and giving regard to privacy issues alongside other public interests. The Office will continue to advise the Australian Government on how the privacy of Australians can best be protected and respected.

15. This submission makes proposals as to how the Bill may be further enhanced from a privacy perspective.

Multifaceted approach to privacy protections

16. The Office welcomes the multifaceted approach that DHS has adopted in developing privacy protections for the access card system. This approach is consistent with the framework proposed in the Office's first submission to the Taskforce.[8] That submission noted that a comprehensive framework for privacy protection should be based on four elements:

Design + Technology + Legislation + Oversight

Design

17. In the Office's view, the proposed modular design of the backend system is likely to promote better protection of privacy than keeping the information in one place. Modular design may also assist in restricting who can access information on various parts of the Register and card chip, particularly where supported by technology, legislative and oversight measures.[9]

18. The Bill''s requirement that the Register and other access card records be stored separately from existing government databases is also potentially a privacy positive - provided there are protections against inappropriate linkage of information in separately stored records (see paragraph 73).

19. At the same time, the Office notes that design and technology issues are in ongoing development. In regard to the current Bill, the Office submits that legislative provisions should not enshrine design options that may introduce unnecessary privacy risks.

20. For example, as the detailed design phase of the access card system progresses, the Office reiterates its advice that the system should not create infrastructure which may permit the emergence of a shared unique identifier that can be used across all government agencies (see paragraph 87 below). This submission also discusses the privacy risks that may be created where agencies maintain access card numbers in their own 'translation tables' at paragraph 118.

21. The design of existing government databases, where each agency retains its own unique identifier for each customer, enhances privacy by making it harder to systematically link large amounts of personal information about an individual in ways that may be considered intrusive, or beyond community expectations.[10]

Technology

22. The Privacy Commissioner has acknowledged that technology can be privacy enhancing or privacy invasive, depending on how it is implemented.[11] The Office believes that the use of smartcard technology (involving a card chip) has the potential to be a key security improvement over existing magnetic stripe technology, which can be susceptible to fraudulent copying, and 'skimming' of personal information.

23. The option of PIN protection over legal name, date of birth and proof of identity status in the chip is a potentially useful privacy protection (cl 77). Testing and certification of the system's technology by the Defence Signals Directorate (DSD) is also an appropriate and prudent safeguard. The Office believes that the community would welcome and be reassured by a public statement from DSD in relation to its ongoing role in assessing the technology aspects of the access card system.

Legislation

24. It is fundamental that privacy protections have the force of law. The Privacy Act provides an important foundation for such legal protections. It also creates a regulatory mechanism that allows individuals to seek redress when their privacy has been interfered with.

25. As the Privacy Act is principle-based and technology neutral, on occasion additional privacy protections are warranted and necessary to regulate large-scale initiatives that involve the handling of personal information in new ways, such as with the Tax File Number, credit reporting information and Medicare claims information.[12] This is particularly likely to be the case where these new projects might create privacy risks that may not have been anticipated when the principles in the Privacy Act were enacted. The Office believes that the access card is one of these comparatively infrequent projects.

26. It is therefore appropriate that the Bill provides additional information protection provisions, such as specific prohibitions on unauthorised access, use and disclosure of information (Part 5, Division 3); and compliance and enforcement mechanisms such as offences and infringement notices (Part 5 and Part 7). Importantly, the Bill also sets out key elements such as the objects of the system (clause 7), and what information will be collected and stored on the Register, chip and card surface.[13]

27. The important role of ensuring appropriate remedies for individuals is discussed at paragraph 80.

Oversight

28. To promote community confidence and good governance, the Office has previously noted the need for appropriate oversight of decisions which affect the handling of personal information.[14] The Office welcomes a number of important oversight mechanisms under the access card system which are detailed in the Bill. In particular:

  • Review and appeal processes regarding Secretaries' and Ministers' decisions, including internal review, an Access Card Ombudsman and Administrative Appeals Tribunal processes (Part 8 of the Bill);
  • Mandatory consultation with the Privacy Commissioner on the content of the Administration Rules, the manner and form of the Register and access card, and various administrative forms;[15]
  • Parliamentary scrutiny of the Administration Rules (which are legislative instruments), including where information may be added to the Register or card chip; and scrutiny of various annual reports (cll 198-199); and
  • Annual reporting requirements imposed on:
    • the DHS Secretary on the operation of the system, and on disclosures of information to law enforcement and intelligence agencies;
    • the proposed Access Card Ombudsman on administrative complaints; and
    • the Privacy Commissioner on privacy issues and complaints relating to the access card.

29. As the Office has noted previously, there would be additional merit in making the form of the access card into a legislative instrument.[16] This would mandate Parliamentary scrutiny of decisions under clause 67(4), which may have particular significance if the Register and card are adapted in response to emerging technologies, which may themselves create new and unforeseeable privacy risks and opportunities.

Major aspects for privacy and the access card

30. This part of the submission considers the privacy protections in the Bill under six major areas:

  1. Limiting personal information collected for the access card system
  2. Objects and administration
  3. The role of the photograph
  4. Information protection provisions
  5. Protection for the access card number
  6. Permitted disclosures of access card information

Additional suggestions in relation to these areas, along with other detailed aspects of the legislation, can also be found in Appendix A to this submission.

1) Limiting personal information collected for the access card system

31. The Office has noted that the access card proposal should be developed with basic privacy principles reflected in its underlying policy settings.[17] These principles include:

  • collect only what is necessary for the defined purpose
  • provide for individual control over the handling of personal information
  • use and disclosure only for the purpose for which information was collected
  • transparency of the system and information-handling practices, and
  • secure handling of personal information.

32. An effective method to prevent privacy risks is to collect only the minimum amount of personal information necessary to meet a clearly defined and articulated purpose.[18] Accordingly, the Office has stated that the guiding policy setting for the Register should be to collect the minimum amount of personal information necessary, and that this should be reflected in the access card legislation.

33. The Office welcomes the Bill's limits on the amount of information which may be stored on the Register, card chip and card surface.[19] However, this may not limit how much personal information can be collected for the access card system and stored outside of the Register or card.

34. For example, the Office notes that the biometric template is not a listed item in the Register, although it is a significant item of personal information that will be collected as part of the system.[20]

35. The Bill could therefore include a further statement that no other personal information may be collected for (or held in) the access card system beyond what is outlined in the Bill. It would be problematic if, in the absence of such a provision, it were possible to collect and store additional personal information in the access card system (outside of the Register) - without specifying that information in the primary legislation or Administration Rules.

2) Objects and administration

Objects of the Bill (clause 7)

36. The Office acknowledges that listing the objects of the Bill will provide guidance on how the access card system may be used, and welcomes the legislative oversight that would have to accompany any amendment to those objects.

37. While the Office recognises that objects in clause 7 are likely to have public benefit, it is crucial to ensure those objects are pursued without unreasonably, inappropriately or disproportionately compromising individuals' privacy rights. In particular, object (1)(c) regarding reducing fraud on the Commonwealth could be interpreted broadly, which may permit information handling practices that the community would not expect.

38. Accordingly, the intention that 'this Act should be construed… so as to limit interferences with the privacy of individuals' is a welcome addition to the Objects at subclause 7(3). To avoid confusion, it may be useful to note, either in the Bill or the Explanatory Material, that the term 'interference with privacy' does not have the same effect as the use of the same expression in s 13 of the Privacy Act. In s 13 of the Privacy Act, this expression has a specific meaning relating to compliance with various principles and other obligations. In contrast, the Office understands that the same expression in the Bill is not intended to invoke this relationship to compliance, but is a broader statement of policy intent.

Access card not to be a national identity card

39. The Office understands that a number of protections are designed to prevent the card being used or perceived as a national identity card. For example:

  • no requirement to carry the card at any time (cl 82);
  • offences for requiring an individual to produce their card in most situations (cl 131); and
  • limits on how governments and businesses may handle individuals' information held under the system (mainly under Part 5).

40. The Office also submits that some aspects of the system could be improved to reduce the risk of community confidence being undermined by perceptions that the access card proposal may be a national identity card. A number of these aspects include design decisions that might be usefully prescribed in the legislation. These enhancements could include:

  • making the photo optional on the face of the card (in that a card with a mandatory photograph on its face, and near-universal coverage of the adult population, could be close in appearance to a community perception of a national identity card);
  • reducing the type of information held in the system (to avoid the system being used for expanded uses relating to a national identity card or similar scheme in the future);
  • some enhancement to the protections around use of information on the chip and card surface, as discussed later in this submission;
  • preventing the use of the access card number by non-participating agencies (to avoid the emergence of a shared unique identifier across the whole of the Australian Government); and
  • increasing appropriate limitations on the disclosure of access card information for purposes that may not relate to service delivery (such as law enforcement).

Ongoing statutory review mechanism for the access card system

41. In addition to the Bill's objects clause, the Office suggests that the Government consider including provisions which establish a regular mechanism for review, consultation and assessment of the access card system, once operational. This builds on the Office's previous suggestions for a process of assessing future uses of the system.[21]

42. Such a statutory review mechanism could require the DHS Minister to convene an independent panel of experts, including the Privacy Commissioner, to review the operation of the access card system and the effectiveness of its enabling legislation on a periodic basis, such as every five years.

43. The terms of reference for such a review could include an assessment of:

  • the effectiveness of the legislation in pursuing its objects;
  • whether safeguards remain appropriate to prevent access cards being used as, or becoming, national identity cards;[22]
  • whether safeguards are in place to prevent and respond to impacts of the access card system on individual privacy;[23]
  • the effectiveness of compliance, enforcement and oversight mechanisms;
  • the availability of relevant advances in technology that could enhance privacy protection and improve the operation of the system; and
  • cumulative impacts of matters that must be reported annually under the Bill over the review period.

44. The panel could report to Parliament with any recommendations for improving the design, technology, legislation and oversight of the access card system, in order to pursue its objects in a manner that respects and protects privacy.

45. In the Office's view, such a review mechanism would improve public confidence in the system, reduce the possibility of 'function creep', and be a positive means of government accountability regarding the system.

46. Possible model provisions for such a review mechanism are available in section 4 of the Anti-Terrorism Act (No. 2) 2005 and section 4 of the Security Legislation Amendment (Terrorism) Act 2002, which require an 'independent and public' review to be undertaken on the operation of the relevant laws after 5 years.[24]

47. Alternatively, the Australian National Audit Office (ANAO) might be required to conduct regular reviews in consultation with appropriate stakeholders, including the Privacy Commissioner.

Content of the Administration Rules (Part 9)

48. Part 9 of the Bill requires the Minister to approve Administration Rules in relation to proof of identity; photographs; and information retention and disposal; along with other discretionary matters (cll 182-189). Relevant officers must comply with applicable Rules (cl 189). Once made, these Rules will form an important part of the detailed legislative protections around information handling.

49. In general, the Office believes the Administration Rules should offer clarity and prescribe detailed obligations, and add to the protections already prescribed in the Bill, and should not permit information handling that is broader than that envisaged by the existing clauses. That is, the Rules should not become a means to expand the way information is handled in ways that the public may not expect, including on matters about which the Act is silent. In particular, in regard to the handling of photographs and biometric templates, the rules should afford higher protections than the existing clauses provide for other types of information.

50. This is particularly important in relation to the matters such as:

  • additional information that can be stored on the Register and card chip;[25]
  • the handling of individuals' photographs and numerical templates[26] (discussed below at paragraph 54);
  • handling of the access card number; [27] and
  • retention periods for personal information (cl 186).

In such cases, the degree to which the Administration Rules are either permissive or restrictive can have a considerable impact on permitted information flows under the access card system, and the overall value of the Administration Rules in protecting privacy.

51. The Office welcomes the requirements that the Minister consult with the Privacy Commissioner prior to approving the Administration Rules, and their further scrutiny through the Parliamentary process as legislative instruments. This is likely to provide more oversight in certain areas than the previous bill.

52. The Office also suggests that certain clauses in the Bill could specify that discretion must be exercised in accordance with (or as permitted by) the Administration Rules. This could include where the Secretary may: request additional information to be satisfied of an individual's identity; [28] and specify alternative means of applying for registration or an access card.[29]

53. Overall, in the absence of further detail on the content of the Administration Rules (beyond what clauses 184-186 require), it is difficult to assess their likely effectiveness in protecting personal information under the Bill. Accordingly, the Office looks forward to broader public consultation on the content of these Rules before the access card system is fully developed.

3) The role of the photograph

Printing of a photo on card surface

54. The biometric photograph and numerical template are perhaps the most significant and unprecedented items of personal information collected under the access card system. As submitted in evidence to the Senate Committee Inquiry on the previous bill, the Privacy Commissioner continues to see merit in individuals being able to choose whether they want the photograph to be stored on the card surface.[30]

55. The Bill provides that the photograph will be mandatory on the Register, card chip and card surface.[31] The Bill's Explanatory Material states that the photograph on the card surface will play an important part in fraud reduction.[32] The Office acknowledges that a photo on the card surface could more easily allow the cardholder's identity to be verified whenever the card is presented.

56. However, individuals may not expect that photographic identification should have to be presented in order to access all Government benefits or services, by way of an access card or otherwise. Photo ID is not generally required to access such benefits and services today. In the Office's view, photo ID should only be required for high-risk or high-value transactions. This would seem to be consistent with other approaches to identity management, such as the Australian Government's AGAF policy for online authentication.[33]

57. The perception that photo ID could be required in a much greater range of government interactions may sit uneasily with the Bill's provision that individuals are not required to carry their card 'at any time' (cl 82), as well as the offences for requiring production of a card (cl 131).

58. In its first submission to the Taskforce, the Office noted the concern that the existence of a photo-enabled access card may lead to high-level evidence of identity being required as a matter of course for a vastly wider range of transactions than is currently the case. The convenience of its use, and the fact that the majority of adults would carry a card on their person at all times, would provide impetus for such demand. The intrusion into individual privacy lies in the move to a culture in which individuals are required to routinely establish their identity to transact in society.

59. Making the photograph optional on the card surface would improve the ability of at least 16 million Australians to choose how their personal information is handled and displayed.[34] Individuals who wish to use their access card as a day-to-day proof of identity document may believe a photograph on the card surface is convenient.[35] Other individuals who do not need an additional form of photo ID, or who do not want to use the card beyond participating agencies and service providers, could decide not to have the photograph displayed.

60. In those cases where photographic proof of identity is necessary for benefits and services (and photo-capable card readers are not available to view the chip), individuals without a photo on their access card could verify their identity with an existing form of valid photo ID, such as a driver's licence. This would seem to overcome the widespread need for additional photo-capable readers, at least for the large majority of adult Australians who have a driver's licence.

61. Making the photograph optional would be a design measure that supports the Bill's object 'that access cards are not to be used as, and do not become, national identity cards' (subclause 7(2)). This would also be likely to diminish public perceptions of the access card as a de facto national identity card.[36]

62. DHS has noted that if the photo were optional on the card surface, the cost of providing photo-capable readers to health professionals and other service providers would be significant.[37] However, as the Senate Committee noted in its Report:

The Committee considers that even if the costs involved are quite substantial, fiscal considerations of investment in public infrastructure (such as readers) should not necessarily trump privacy and civil liberties concerns on the question of the access card photograph.[38]

63. Finally, the Office notes that making the photograph optional on the card surface would not diminish the need for robust protections of the photographs stored on the Register, card chip and card surface, and the biometric template of the photograph. Such protections are necessary given the unprecedented nature of these items, and their status as a highly accurate form of identification which should be protected to prevent misuse.

Protection of the photograph and template (Part 5 and Administration Rules)

64. As the Office has noted in relation to the Administration Rules generally at paragraphs 48-53, it is difficult to assess the likely effectiveness of the Administration (Photograph) Rules ('Photo Rules') without further details of their content. The Office believes the Bill's requirements could be more detailed in that regard.

65. The Bill requires the Photo Rules to contain provisions that must be complied with when 'accessing, disclosing or using' photographs and numerical templates of individuals under Part 5 (cl 185(b)). Part 5 itself also requires photographs and templates stored in the backend system to be accessed, disclosed and used in accordance with the Photo Rules.[39]

66. The content of the Rules will therefore have a significant bearing on how photographs and templates may be handled under Part 5. Accordingly, the Office suggests that there might usefully be additional limitations on the handling of photos and templates in clauses 94-97; clause 185 could also prescribe greater detail on what the Photo Rules must include.

67. In relation to accessing photos and templates, it may be useful to clarify that both subclauses 94(1) and 94(2) apply to these items. That is, photos and templates can only be accessed by 'regulated persons' for 'permitted purposes' (94(1)), plus additional requirements in the Photo Rules (to which cl 94(2) refers). Clauses 95-97 could similarly restrict the handling of photos and templates to 'permitted purposes', in addition to the Rules' requirements. The language in clauses 94-97 could also be more restrictive; for example, by requiring photos and templates to be handled 'as permitted by' the Rules rather than 'in accordance with' them.

68. The Office suggests that among other things, the Photo Rules could:

  • limit the ways that recipients can use or disclose photographs and templates, particularly for secondary purposes. This could include when the Secretary discloses the information from a protected record (including with the individual's consent under cl 105), as well as when the photo is collected from the chip or card surface (if these matters are not addressed elsewhere);
  • restrict the technical means and methods by which regulated persons can access the photo or template, such as specifying 'view-only' access in circumstances where that is all that is required (such as for counter transactions);
  • detail any appropriate audit and record-keeping requirements by the Secretary and recipients of these items (such as records of disclosures); and
  • specify procedures to be followed during the registration process, such as where human intervention is required following a 'match' of an existing photo on the Register.

4) Information protection provisions: Confidentiality, offences and infringements

Dedicated information protections in the Bill

69. The Office welcomes the inclusion of dedicated 'confidentiality' provisions in Part 5 of the Act. These provisions are a significant addition to the privacy regime under the access card system, on top of the limited offences proposed in the previous bill and the existing principle-based protections under the Privacy Act.

70. As is appropriate, Part 5 significantly expands on the previous bill by detailing specific prohibitions on accessing, using and disclosing 'protected information' and 'protected records' under the access card system - most significantly from the Register. Part 5 also sets out the limited circumstances when information in these records may be disclosed (Division 4), discussed below at paragraph 127.

71. The Office welcomes the ongoing refinement of the previous bill's offences, most of which are retained (in some cases, in amended form) in Part 7 of the Bill. In particular, the Office welcomes the offences for requiring an individual to produce an access card in most circumstances (cl 131) and the amended provision that individuals are not required to carry their access card 'at any time' (cl 82). These provisions are likely to diminish perceptions that the access card is a national ID card. Clauses 131 and 82 are also consistent with National Privacy Principle 8, that individuals should have the option to remain anonymous where lawful and practicable.

72. The Office makes further suggestions for enhancing the Bill's information protection provisions below.

Separation of protected records from other databases

73. The Office supports the requirement that 'protected records' (such as information on the Register) be stored separately from existing government databases. Protections around the storage and linkage of access card information, including with other data, are of central importance to privacy, particularly as pressures may emerge for the access card Register to be used for purposes other than the reason it was established.

74. Such currently unintended purposes could include facilitating the sharing of personal information between disparate public and private sources, including by data-matching and data-linking. While data-matching can serve important public interests, its overuse can potentially lead to the data surveillance of individuals about whom there is no cause for suspicion, and no reason for surveillance. These risks may further include:

  • creating a 'honeypot' of information, or a single point of access, that may attract would-be hackers; and
  • permitting increased data-matching of individuals' information held by various government agencies, in ways that the public may not expect (discussed further below from paragraph 87).

75. To ensure the intent of clause 93 is fully realised, the Office suggests that the term 'combined with' could be clarified, to indicate that the clause also prohibits the electronic linkage of these records (or the information they contain) in ways that could have the same privacy risks as physically combined storage.

76. For example, records could be kept physically separate, but system design and technology could allow information in those records to be easily accessed, cross-linked or amalgamated by agencies (including by way of a shared unique identifier), even if entire databases are not 'combined'.[41]

77. Equally, it is important that other provisions in the Bill do not unnecessarily undermine the privacy benefits of requiring that protected records are stored separately, such as disclosures for 'facilitating' investigation and prosecution of fraud (cl 92), and disclosure of protected information to other agencies under Part 5 Division 4 (discussed below at paragraph 127).

78. The Office notes that there may be community concerns about systems that enhance government agencies' abilities to share information. For example, survey research conducted by the Office in 2004 found that while 62% of those surveyed believed that agencies should be able to share data for some purposes, only a small majority of this number believed that those purposes should include updating basic information, or agency efficiency. Notably, 24% were opposed to agencies sharing data for any purpose.[42] Community attitudes to data sharing within government are discussed further at paragraph 97.

Infringement notices for certain offences

79. The Office welcomes the inclusion of an infringement notices scheme. This will supplement the enforceability of provisions restricting the use of the access card number and demands to produce the card (cll 99 and 131). The Office would welcome further details of how the Secretary is notified of a breach in order to issue an infringement notice; and how officers would investigate and gather evidence about such infringements.[43]

Complaints to the Privacy Commissioner about certain acts and practices

80. The Office notes that the proposed combination of offences and infringement notices does not include the option of individual redress, such as a right to complain to the Privacy Commissioner. The Bill could usefully allow individuals to make such a complaint where any entity breaches an information protection provision under the Bill.[44] This would supplement existing rights to complain about a breach of the Information Privacy Principles (IPPs) or the National Privacy Principles (NPPs) in the Privacy Act.

81. Such an arrangement would offer two benefits. Firstly, while the Office supports criminal offences for some misuse of the access card system, it is noted that such arrangements do not offer a tangible remedy to the individual whose privacy may have been harmed. Under the Privacy Act, the Commissioner has determination-making powers to issue appropriate forms of remedy, including apologies from the non-compliant party, the payment of compensation, the correction of inaccurate information and provision of access where it had been denied.

82. Secondly, as was noted during the Senate Inquiry, prosecutorial policies of the relevant bodies may mean that possible offences are not investigated or followed through to prosecution. Without civil remedy, this could leave the aggrieved individual with no satisfactory outcome for the possible interference with their privacy.

83. Additionally, it should be noted that the practices prohibited by the offence provisions might not always constitute breaches of the principles set out in the Privacy Act. This is because while the confidentiality provisions contain relatively narrow permissions to handle personal information, the principles offer broader exceptions. Accordingly, a practice might constitute a breach of the confidentiality provisions, though an agency or organisation might be able to rely on a Privacy Act exception to avoid non-compliance with an Information Privacy Principle (for agencies) or National Privacy Principle (for organisations).

84. The Office proposes that one suitable model may be for individuals to be permitted to complain about acts or practices proscribed by the confidentiality provisions as 'interferences with privacy' under section 13 of the Privacy Act. This is the framework currently applying to a range of special jurisdiction matters, including alleged mishandling of tax file numbers and Medicare claims information.

Additional protections around the collection of the photo and signature from the card surface or the chip

85. The Office has pointed to the need for significant safeguards around information wherever it is held in the system - on the Register, in the card chip, and on the card surface, as well as other backend databases that are part of the system. The Office suggests that the Bill could include additional offences to limit the handling of the individual's photo and signature on the card surface, and information on the chip.

86. For example, collection of the individual's photo or signature could be limited to where it is for the purposes of the Bill, with the individual's informed consent for specified purposes, or where authorised by law.

5) Role of the access card number as a unique identifier

87. The Office has previously discussed the importance of affording appropriate protections to limit the handling of the access card number, including in its first submission to the Taskforce, and the submissions on the previous versions of the bill.[45] While these protections should include legislative measures, attention to design elements is also important, particularly where these elements may be set down in the Bill. This section will first discuss the need for legislative protections of the access card number and their current adequacy in the Bill. Second, it will discuss design issues related to how the Register identifies existing relationships between individuals and participating agencies.

88. The Office is not convinced that because access card numbers are intended to change over an individual's life, they are not unique identifiers.[46] By their design and intended purpose, access card numbers would establish highly reliable identifiers for individuals, which will be retained for at least as long as each card - 'up to ten years'.[47] In addition, linking of subsequently issued access card numbers would also create a chain of reliable identifiers linked to the same individual.

89. Accordingly, the Office particularly draws attention to the importance of ensuring that access card numbers cannot become de facto government identity numbers shared across government agencies, or the private sector. The risks of such an outcome in other contexts have already been recognised legislatively through the strict measures limiting the use of tax file numbers, as well as through National Privacy Principle 7, which prohibits organisations regulated by the Privacy Act from adopting, using or disclosing Australian Government issued identifiers, except where a prescribed exception applies.

90. In the Office's view, access card numbers, while important for the system to function, bring with them the type of privacy risks that are associated with any universally allocated identifier. These risks may emerge even where it is not intended that access card numbers be adopted as widely held multi-purpose identifiers, as the Office understands is the case.

91. In the absence of strong legislative restrictions, many Australian, State or Territory government agencies, or private sector organisations (particularly small businesses not covered by the Privacy Act), may be tempted to adopt access card numbers as their own identifiers, or as linkage keys to match records about the same individual. This is because the access card number will be reliable (that is, individuals should only be issued one number, accompanied by a high-reliability evidence-of-identity process) and widely held, meaning it will often be safe to assume that an individual will have such a number.

Privacy risks of widely held unique identifiers

92. In most cases, data-matching or linking is labour intensive, time consuming and costly. It requires specialist skills to undertake large-scale data-matching of disparate data sets not designed to be interlinked. The Office understands that other increasingly sophisticated methods are available for data-matching that do not rely on unique identifiers, such as probabilistic matching or the use of structured-query languages. However, it remains the case that issuing each individual a unique identifier, or common number across a range of systems, is often the easiest way to facilitate the linking of databases (and the matching of personal information they contain).

93. Enabling such easy and accurate data-matching creates the privacy risk that matching could be done excessively and without justification. This could include combining personal information that has been collected for very different purposes, and creating rich datasets about individuals' interactions in society.

94. Accordingly, a significant privacy risk emerges if many databases use the same number to identify each individual. A similar privacy risk arises simply if separate databases keep a record of the unique identifier, though do not rely on it for day-to-day transactions. This design element introduces the risk of creating infrastructure that permits disparate agencies to link or match records on the same individual in ways that individuals may not expect.

95. Ensuring that each agency attributes a separate identifier to each individual, as is generally the case now, will prevent a drift to a single identifier for each individual, and adds another layer of 'practical obscurity'[48] by acting as a natural (but not insurmountable) barrier to function creep and inappropriate data-linkage and aggregation.

96. The example of the Canadian social insurance number (SIN) is a cautionary one. An inquiry by a Canadian Parliamentary Committee found that:

The expanded use of the SIN inside government soon paved the way to broader use of the Social Insurance Number in the private sector. Before long, credit bureaus began to use the SIN to run credit checks on potential borrowers. Provincial social programs began using the SIN in the administration of benefits. Employers large and small used it as part of their tracking and accounting system for employee benefits.

Mistakenly, the private sector began to look upon the SIN as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system.

Apart from inappropriate use of the number, its uncontrolled use leaves Canadians vulnerable to serious breaches of their personal privacy that range from data-matching carried out without their knowledge and authorisation, to identity theft.[49]

Community attitudes to data-matching and the sharing of information across government

97. The Office has noted the results of its own quantitative research into community attitudes to government data sharing at paragraph 78.

98. Additionally, the Office has previously noted a range of international research studies that have explored this same area, using both quantitative and qualitative methodologies.

99. Canadian focus group research into community attitudes to government data-sharing for service delivery, supports the view that a significant number of citizens in that country are willing to allow greater sharing of data, provided they obtain some benefit, and provided appropriate protections are afforded.[50]

100. This Canadian research draws out consumer concerns around function creep, noting:

'...concern that this kind of information sharing would open a door that would not be easily closed… Others in the group quickly picked up on the theme, saying that they feared a future where there might be a less benevolent government that could use the information to control them, rather than serve them.'

101. Research produced by the UK Cabinet Office, "Strategies for reassurance: public concerns about privacy and data sharing in government"[51] presents very rich focus group data and makes a number of observations about community views concerning the risks and benefits of government data-sharing.

102. In regard to the perceived risks of data-sharing, the research found:

"The range of risks perceived by the focus groups is, when aggregated, impressive and thoughtful. For people who had in almost every case not really thought much, if at all, about data sharing across government, to have produced such a list in just two hours each, and with rather little prompting, and then to have had intelligent things to say about just which risks are more and which less serious, deserves the reader's respect. … Moreover, by far the more frequent unprompted factors and the stronger affect were exhibited in respect of risks than were in respect of benefits…."[52]

103. Further discussion of this research is provided at Appendix B.

Clause 99 on adopting, using or disclosing access card numbers

104. In light of these concerns, the Office welcomes the intent of clause 99 to restrict the adoption, use or disclosure of individuals' access card numbers in a manner that is consistent with NPP 7.

105. This clause would be enhanced by requiring a stronger nexus under subclause 99(1)(b)(ii) between the permitted handling of the access card number and the administration of the Act or the provision of Commonwealth benefits. Currently, this provision would permit the adoption, use or disclosure for purposes 'connected with' the administration of the Act or the provision of Commonwealth benefits. The Office suggests that 'reasonably necessary for' would provide a more appropriate test.

106. The current drafting and explanation in the Explanatory Material (which notes that the offences will not apply to the Commonwealth),[53] leave unclear the extent to which this clause will be effective in limiting the adoption of the access card number across government agencies. The Office suggests that the restrictions of clause 99 should apply to Australian Government Departments and agencies to similar effect as other entities.

107. As suggested in paragraph 105, an appropriately narrow provision could be made for where it is reasonably necessary to handle the access card number for the provision of benefits. However, as discussed below at paragraph 136, it is unclear whether even participating agencies should routinely need to use and disclose the access card number, particularly if some form of 'federated' or other model of identity management is adopted.

108. The issue of permitted disclosures of protected information, including access card numbers, to agencies is also discussed at paragraphs 136 and 140.

Administration Rules and the access card number

109. The Office notes subclause 99(5), which provides that an access card number may, under proposed Administration Rules, be used or disclosed 'in connection with the use of an access card as an identification document'.

110. The Office understands that this relates to those circumstances where organisations are required by law to ensure the identity of the individual with whom they are interacting. In particular, this mechanism seems intended to permit relevant organisations to meet the customer identification requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 ('AML/CTF Act').

111. The Office is of the view that any provision in the Administration Rules for this purpose should be narrow and specific, rather than establishing a general exception. It may also be appropriate for the Administration Rules to permit handling of the access card number where it is required or authorised by law.

112. It should be recognised that the AML/CTF Act and associated regulation does not require that access card numbers be adopted as the organisation's own identifier, nor necessarily used or disclosed. As the Office understands it, the requirements may simply entail the need for organisations to take and keep copies of valid EOI documents. Accordingly, the terms of any exception should be duly considered to avoid the Administration Rules creating an unnecessarily broad exception.

Access card number and consent

113. The Office maintains its view against individuals being afforded the choice to consent to the handling of their own unique identifier, such as the access card number, for any unspecified purposes.[54] In the Office's view, such handling should only occur within clearly prescribed statutory limits, though the draft of subclause 99(5) would seem to leave open the possibility that the Administrative Rules may provide such a mechanism.

114. While the Office generally welcomes measures to enhance consumer control over their personal information, a consent mechanism is unlikely to be appropriate for the access card number, which will be held by most of the population. By way of comparison with other government-issued identifiers, a consent mechanism is not available for the handling of Tax File Numbers, or under NPP 7.

115. The Office's concerns about providing this consent mechanism are due to the fact that the privacy risks of sharing unique identifiers are not always immediate. The risks accumulate as more organisations or agencies adopt the number for their own purposes, and as greater amounts of otherwise unrelated personal information become associated with that number. This is demonstrated above by the Canadian social insurance number experience (see paragraph 96).

116. In addition, the Office has previously noted that in some circumstances consent to a particular information handling practice may be an imperfect form of privacy protection. This is most evident in the case of "bundled consent", that is, the bundling together of consent to a wide range of uses and disclosures of personal information, without giving the individual the opportunity to choose which uses and disclosures they agree to. Bundled consent is often sought as part of the terms and conditions of a service.

117. Such long term risks are suggested in the Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, which notes that the policy intent of NPP 7 was 'to prevent the gradual adoption of government identity numbers as de facto universal identity numbers'.

Retention of access card numbers in agency translation tables

118. The Office has previously noted its concerns regarding the possible 'translation table' framework for the access card system.

119. The Taskforce's discussion paper on registration explained this as follows:

The system will… allow the linkage from the Register to the individual agency databases, each on a separate basis, by use of the Access Card number which would be 'translated' into the relevant individual agency number (i.e. the Medicare number, DVA number or Centrelink Customer Reference Number (CRN)) through a translation table unique to each participating agency.[55]

120. This translation table arrangement appears to create a requirement that each participating agency will know and keep a local record of the individual's access card number.

121. The Office has previously expressed concern about this design feature. For example, the Office's August 2006 submission to the Taskforce on Discussion Paper 1, noted that:

'…a significant privacy risk comes about if all the databases use the same number to identify each individual. A similar privacy risk arises simply if databases keep a record of the unique identifier of other databases.[56]

'It would be of concern if the system is designed such that each constituent part of the system had knowledge of a single unique number which it could attribute to an individual.[57]

122. As the Office understands it, agencies would not retain the access card number for their own transactions. Nevertheless, it remains a concern that the sharing of a single number across agencies may make it easier and more cost-effective to conduct extensive data-matching or linking in the future, to a degree not currently envisaged. This was reiterated in the Office's submission on the first exposure draft.[58]

Alternate options for managing information flows

123. The Office has proposed alternative designs to this translation table model, such as storing agency identifiers on the access card chip (subject to tight encryption and legislative protections against tampering and misuse).

124. An alternative technical option may be for each agency to retain a translation table which relates an encrypted or 'scrambled' form of the access card number to the agency specific identifier. Such a model is adopted for the exchange of Medicare and PBS claims information between Medicare Australia and the Department of Health and Ageing (DoHA).

125. Under this arrangement, as the Office understands it, Medicare Australia uses an algorithm to convert the individual's Medicare PIN number into a different unique identifier, which is then attached to data provided to DoHA. Medicare Australia is, if needed, able to unscramble the encrypted number to re-associate it with the original source PIN (as well as with identifying information not disclosed to DoHA). The unique identifier received by DoHA will remain constant for each individual, though it does not allow DoHA to determine the individual's Medicare PIN.

126. Such a model may be usefully adopted for the access card and register, provided that different algorithms were used for each participating agency. This would allow the register and each agency to exchange information (such as updated address or biographical information), though would overcome the need for each agency to retain the same unique identifier for each individual. For telephone and internet transactions, agencies could pass the access card number back to the Register (without 'collecting' the number for the purposes of the Privacy Act), which may then provide the relevant translated identifier for linking to the agency's own records.
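The per-agency translation model of paragraphs 124-126, worked through as an added illustration that is not the design of DHS, Medicare Australia or the Bill: the Register derives a different keyed pseudonym of the same access card number for each participating agency, so each agency's translation table still reaches its own customer number while two agencies' tables cannot be joined on a shared number. Assumptions: HMAC-SHA256 under a per-agency secret held only by the Register stands in for the 'different algorithm' per agency, a Register-side reverse table stands in for unscrambling, and the card numbers and agency identifiers are constructed sample values.

```python
import hashlib
import hmac
import secrets


class Register:
    """The central Register: the only party holding every agency's secret key."""

    def __init__(self, agency_names):
        # One independent secret per participating agency (constructed here).
        # A different key per agency is what makes the pseudonyms unlinkable
        # across agencies; the keys never leave the Register.
        self._keys = {name: secrets.token_bytes(32) for name in agency_names}
        # Reverse table so the Register alone can re-associate a translated
        # identifier with the source card number (the "unscramble" step).
        self._reverse = {}

    def translate(self, agency_name, card_number):
        """Return the agency-specific pseudonym for one access card number.

        Deterministic per (agency, card number): the same cardholder always
        maps to the same pseudonym at a given agency, so that agency can
        reach its own record, but the pseudonym differs between agencies.
        """
        mac = hmac.new(self._keys[agency_name], card_number.encode("utf-8"),
                       hashlib.sha256)
        pseudonym = mac.hexdigest()
        self._reverse[(agency_name, pseudonym)] = card_number
        return pseudonym

    def resolve(self, agency_name, pseudonym):
        """Register-side reverse lookup; returns None for an unknown pair."""
        return self._reverse.get((agency_name, pseudonym))


class Agency:
    """A participating agency holding a translation table to its own numbers."""

    def __init__(self, name):
        self.name = name
        self.table = {}  # translation key -> agency-specific customer number

    def link(self, translation_key, local_id):
        self.table[translation_key] = local_id

    def lookup(self, translation_key):
        return self.table.get(translation_key)


def build_tables(register, agencies, holders, pseudonymise=True):
    """Populate each agency's translation table for the constructed holders.

    holders maps card number -> {agency name: that agency's own identifier}.
    With pseudonymise=False the raw access card number is stored as the key,
    the arrangement paragraph 120 describes as a concern.
    """
    for card_number, local_ids in holders.items():
        for agency in agencies:
            if agency.name not in local_ids:
                continue
            if pseudonymise:
                key = register.translate(agency.name, card_number)
            else:
                key = card_number
            agency.link(key, local_ids[agency.name])


def cross_agency_links(agency_a, agency_b):
    """Translation keys present in both tables: records that could be joined
    across the two agencies without going through the Register."""
    return set(agency_a.table) & set(agency_b.table)


# Constructed sample cardholders and their fictitious agency numbers.
SAMPLE_HOLDERS = {
    "0001111222": {"Medicare": "M-0001", "Centrelink": "CRN-A1"},
    "0003333444": {"Medicare": "M-0002", "Centrelink": "CRN-B2"},
    "0005555666": {"Medicare": "M-0003"},
}


def compare_designs(holders=SAMPLE_HOLDERS):
    """Return how many records two agencies could join under each design."""
    register = Register(["Medicare", "Centrelink"])
    raw = [Agency("Medicare"), Agency("Centrelink")]
    build_tables(register, raw, holders, pseudonymise=False)
    pseudo = [Agency("Medicare"), Agency("Centrelink")]
    build_tables(register, pseudo, holders, pseudonymise=True)
    return {
        "raw_number_joinable": len(cross_agency_links(*raw)),
        "pseudonym_joinable": len(cross_agency_links(*pseudo)),
    }


if __name__ == "__main__":
    print(compare_designs())  # {'raw_number_joinable': 2, 'pseudonym_joinable': 0}
```

Within one agency the pseudonym is still a stable identifier, which is what lets that agency find its own record; the property gained is only that the two agencies' keys differ.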

6) Permitted disclosures of access card information

127. The Office welcomes the Bill's prescription of permitted disclosures of information in 'protected records' (chiefly the Register) under Part 5, Division 4. In particular, the Office welcomes the limitations and oversight of disclosures to law enforcement and intelligence agencies (cll 109-111), discussed at paragraph 132.

128. Certain disclosures of information from the Register will be necessary for the proper functioning of the access card system, including to improve benefits and service delivery, and permit access by the individual (cl 104). Other permitted disclosures are for secondary purposes such as law enforcement.

129. In the Office's view, disclosures for such secondary purposes should be subject to strong limitations and oversight. This is consistent with the privacy principle that, generally, an individual's personal information should only be used for the purpose it was originally collected, unless a strong justification applies.[59]

130. The Office welcomes the fact that several provisions restrict disclosures to information that is 'reasonably necessary' for the permitted purpose (for example, cll 106-108).

131. Clause 116 is also a useful provision, as it prevents disclosures under other laws. The Office suggests that the relationship between this provision and clause 118 ('Operation of Privacy Act not affected') could be clarified, to ensure that the use and disclosure provisions of the Privacy Act cannot be relied upon to circumvent the higher standards in the Bill.

Disclosures to law enforcement and intelligence agencies (clauses 109-111)

132. The Office welcomes the appropriate limitations and oversight of disclosures of 'protected information' to law enforcement and intelligence agencies in clauses 109-111. In particular, the Office welcomes the following requirements:

  • that a senior police officer must certify the information is 'reasonably necessary' in relation to a 'serious offence', or provide a warrant under the Crimes Act 1914 (subclauses 109(2)(a) and (3));
  • that a specific individual be named in certificates that request disclosure under clauses 109-111, to limit large-scale requests and disclosures;
  • that information be disclosed at the Secretary's discretion, rather than permitting other entities to have direct access to the Register;[60]
  • that DHS include certain details about disclosures to police (and the Australian Crime Commission) in its annual report;[61] and
  • that the Secretary report to the Inspector General of Intelligence and Security (IGIS) with details of disclosures to intelligence agencies.[62]

133. To further enhance public confidence and accountability, the Office suggests that more detailed information could be required under the annual reports in relation to law enforcement and intelligence disclosures. In particular, those reports could be required to include:

  1. the number of biometric photographs (and numerical templates if applicable) that were disclosed to each agency, and
  2. the number of requests that were made to the Secretary, compared with the number of disclosures, with an 'overview of reasons'[63] for declining requests.

134. This greater specificity in reporting would recognise the special characteristics and sensitivity of these data items and the likely community expectation that even greater transparency is afforded to their handling, especially for purposes unrelated to the delivery of benefits.

135. The Office also suggests that disclosures under clauses 110-111 could be required to be 'reasonably necessary for', rather than merely 'connected with', the relevant functions of the Australian Crime Commission, Australian Secret Intelligence Service and the Australian Security Intelligence Organisation. This would enhance privacy protections and reflect the terms used in clauses 106-108.

Disclosures to participating agencies etc. to identify individuals (clause 107)

136. The Office recognises that the Register and agency databases must be able to verify they are referring to the same individual, which may require information to be disclosed from the Register. However, the Office is concerned that clause 107 could permit the emergence of a shared unique identifier for individuals across government, if participating agencies are permitted to collect and store the access card number (see discussion above, from paragraph 87).

137. A more privacy-enhancing option may allow a mutual customer to be reliably identified without the separate databases sharing and retaining the same unique identifier. For example, the system could employ one-way algorithms, 'federated identity' technology or other methods to encrypt identifiers (for example, see paragraph 124 above).[64] The Office suggests that such techniques be investigated in consultation with technology experts.

138. The Office also suggests that clause 107 could prevent agencies from retaining the access card number on their own databases, or prevent its retention or use in a way that would permit data-matching of individuals' information. Each participating agency would then continue to use its own unique identifier to provide individuals with benefits and services, while reliably verifying individual identities with the Register. Such a position would also align with the intent of cll 21 and 99, which restrict the sharing of unique identifiers.
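Paragraphs 137 and 138 suggest that a mutual customer could be verified against the Register without participating agencies sharing and retaining one identifier, for instance through one-way algorithms. The Python sketch below is an added example, not text from the submission or any DHS design: it uses a keyed one-way function (HMAC-SHA256) with a separate secret key per participating agency, so each agency stores a different pseudonym for the same cardholder and never the card number itself; the agency names, keys and card numbers in it are constructed sample values.

```python
"""Per-agency pseudonymous identifiers derived from the access card number.

Added illustration (not the submission's or DHS's design): the Register holds
one secret key per participating agency and derives, with HMAC-SHA256, a
different pseudonym for the same cardholder for each agency.  Agencies store
only their pseudonym, so their databases cannot be matched on a common
identifier, yet each agency can still ask the Register to confirm that its
record refers to the person presenting the card.  All names, keys and card
numbers below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Register:
    """The Register: knows which card numbers it issued and the per-agency keys."""
    issued_card_numbers: set[str]
    agency_keys: dict[str, bytes] = field(default_factory=dict)

    def enrol_agency(self, agency: str) -> None:
        # A distinct random key per agency is what makes the pseudonyms unlinkable;
        # the keys never leave the Register.
        self.agency_keys[agency] = secrets.token_bytes(32)

    def pseudonym_for(self, agency: str, card_number: str) -> str:
        """Keyed one-way derivation: HMAC-SHA256(agency key, card number)."""
        if card_number not in self.issued_card_numbers:
            raise KeyError("card number not on the Register")
        key = self.agency_keys[agency]
        return hmac.new(key, card_number.encode(), hashlib.sha256).hexdigest()

    def verify(self, agency: str, card_number: str, presented: str) -> bool:
        """Confirm that an agency's stored pseudonym belongs to this cardholder."""
        try:
            expected = self.pseudonym_for(agency, card_number)
        except KeyError:
            return False
        return hmac.compare_digest(expected, presented)


@dataclass
class AgencyDatabase:
    """A participating agency: its own customer numbers mapped to Register pseudonyms."""
    name: str
    customers: dict[str, str] = field(default_factory=dict)

    def register_customer(self, register: Register, customer_no: str, card_number: str) -> None:
        # The card number is used only transiently for the derivation; the agency
        # keeps the pseudonym and its own customer number, never the card number.
        self.customers[customer_no] = register.pseudonym_for(self.name, card_number)

    def confirm_identity(self, register: Register, customer_no: str, card_number: str) -> bool:
        """On a later contact, have the Register confirm the stored record is this person's."""
        return register.verify(self.name, card_number, self.customers[customer_no])


def matchable_records(db_a: AgencyDatabase, db_b: AgencyDatabase) -> int:
    """How many records two agencies could match by comparing their stored identifiers."""
    return len(set(db_a.customers.values()) & set(db_b.customers.values()))


def demonstrate() -> dict[str, bool]:
    """Run the scenario for one cardholder who is a customer of two agencies."""
    register = Register(issued_card_numbers={"0000 1111 2222", "0000 3333 4444"})
    agency_a = AgencyDatabase("Agency-A")
    agency_b = AgencyDatabase("Agency-B")
    for db in (agency_a, agency_b):
        register.enrol_agency(db.name)

    # The same cardholder registers with both agencies under different customer numbers.
    agency_a.register_customer(register, "A-007", "0000 1111 2222")
    agency_b.register_customer(register, "B-042", "0000 1111 2222")
    id_a = agency_a.customers["A-007"]
    id_b = agency_b.customers["B-042"]

    return {
        "agencies_hold_different_identifiers": id_a != id_b,
        "agency_a_can_verify_its_customer": agency_a.confirm_identity(register, "A-007", "0000 1111 2222"),
        "agency_b_can_verify_its_customer": agency_b.confirm_identity(register, "B-042", "0000 1111 2222"),
        "other_cardholder_rejected": not agency_a.confirm_identity(register, "A-007", "0000 3333 4444"),
        "unissued_card_rejected": not agency_a.confirm_identity(register, "A-007", "9999 9999 9999"),
        "no_records_matchable_between_agencies": matchable_records(agency_a, agency_b) == 0,
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{'ok  ' if ok else 'FAIL'} {check}")
```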

Disclosure of information to Ministers

139. Clause 103 could permit a significant range of disclosures, depending on the relevant functions of the Minister receiving protected information. Accordingly, the Office suggests that annual reporting requirements could apply to clause 103 in a similar way to clauses 109(4), 110(3) and 112(3). Reports could include the number of (and purposes for) disclosures made, particularly to Ministers other than the DHS and DVA Ministers.

Disclosure with the individual's consent

140. The Office suggests that clause 105 could be clarified to require the individual's 'express' consent for relevant disclosures. The intent would be to reduce the prospect of 'bundled consent', discussed above at paragraph 116. Such an amendment may also reduce the risk of consent being mistakenly implied; express consent will generally require a much more active and clear statement of intent from the individual.

141. For clarity, clause 105 should also note that an individual cannot consent to the disclosure of their access card number for any unspecified purpose, to reinforce the intent of clause 99 in preventing the emergence of a widespread unique identifier. The Government could also consider restricting the disclosure of individuals' photos and biometric templates under this clause, given the heightened privacy risks if these items were to be misused. Where the use of an access card number might be authorised by law, such as for AML/CTF purposes, then an individual should be able to consent to handling for such purposes (the use of information for AML/CTF is discussed further at paragraphs 109-111).

Appendix A: Additional matters of detail

CLAUSE 7 - OBJECTS OF THIS ACT

Description of issue: In describing the objects, the 'Outline' in the EM does not include reference to the objects in cl 7(2) and (3). These clauses highlight the important object of protecting privacy, which could be usefully highlighted in the 'Outline'.

Proposal: Note the privacy related objects in the 'Outline' to the EM.

Description of issue: The Bill could also provide additional clarity around the meaning of 'emergency situations' in subclause 7(1)(d), including whether or not this bears any relationship to 'emergencies and disasters' contemplated under Part VIA of the Privacy Act.

Proposal: Provide statutory definition or explanation in EM.

For other and more detailed comments on 'Objects of the Bill' see paragraphs 36-40 of this submission.

CLAUSE 15 - REGISTRATION EXEMPTIONS AND ACCESS CARD EXEMPTIONS FOR CLASSES OF INDIVIDUAL

Description of issue: To promote transparency, it may be appropriate for Administrative Rules to accompany the exemption provisions. Such rules might usefully outline some of the factors that may be taken into consideration when deciding whether to grant an exemption.

The rules might also outline the process that an individual or group (including arrangements for representative applicants) would go through to apply for an exemption.

Proposal: Insert requirement for Administrative Rules for exemptions in Part 9.

CLAUSE 19 - APPLYING FOR REGISTRATION

Description of issue: The EM explains that the exercise of the Secretary's powers under cl 19(4) is subject to the identity guidelines, as prescribed in Part 9, though this is not mentioned in this clause.

Greater clarity may be promoted by expressly requiring in cl 19 that the exercise of these powers must be in accordance with the relevant Administrative Rules.

Proposal: Add requirement that exercise of powers be in accordance with the Administration Rules for identification of individuals.

CLAUSE 20 - ALLOCATION OF ACCESS CARD NUMBERS

Description of issue: It is unclear why there is reference to an individual having access card numbers, rather than just a single number.

Proposal: Could be clarified in EM.

CLAUSE 21 - SECRETARY NOT TO USE IDENTIFIERS ALREADY ALLOCATED BY PARTICIPATING AGENCIES

Description of issue: The clause proscribes the Secretary adopting or using as the Secretary's identifier a number already allocated by a participating agency. It may be useful to recognise that unique identifiers might take non-numerical form or include other characters.

Proposal: Amend provision to: 'The Secretary must not adopt or use, as the Secretary's identifier of an individual for the purposes of this Act, an identifier, including a number, that has already been allocated…'

Description of issue: The clause appears to permit the Secretary to 'adopt', as an identifier for the purpose of this Act, a number that has been allocated to the individual by a participating agency for the purpose of this Act.

This may permit the adoption of a shared unique identifier (in this case, an agency identifier) by the access card system and participating agencies. The Office acknowledges that the Secretary may need to 'use' an agency identifier for the purposes of the Act, but submits that this clause should prevent its 'adoption'.

Proposal: That cl 21 also prohibit the Secretary from 'adopting' an identifier that has been allocated by a participating agency for the purposes of this Act.

CLAUSE 25 - CANCELLATION ON REQUEST

Description of issue: It is unclear what would happen to an individual's personal information if they request their registration to be cancelled; this might be a matter appropriately dealt with under the retention Administration Rules.

Proposal: Prescribe required content for retention Rules to include how information will be handled when an individual cancels registration.

CLAUSE 33 - THE REGISTER

Description of issue: New technologies or designs for the form and manner of the Register are likely to have significant privacy implications. Given this importance, and associated privacy issues, the form and manner should be set out in primary or delegated legislation.

While this clause has been improved since the previous bill, and any Ministerial directions will be a legislative instrument, it remains unclear why the instrument in cl 33(3) is not subject to disallowance (cl 33(4)). (The Office understands that such instruments should be subject to disallowance except where exceptional policy circumstances exist.[65])

Note: The Office has discussed issues surrounding the content of the register and other backend databases at paragraph 31.

Proposal: Amend cl 33(6) so that directions regarding the form of the Register are disallowable instruments.

CLAUSE 35 - INFORMATION RELATING TO AN INDIVIDUAL THAT MUST, OR MAY, BE IN THE REGISTER

Clause 35(1) item 1(c) another name

Description of issue: In addition to legal name and preferred name, the Secretary must include 'any other name of the individual.' This would seem to apply regardless of whether the individual consents or is even aware.

Individuals may choose to use other names in their daily lives (including 'nicknames') for legitimate purposes, and which will never be used in connection with obtaining health and social services. However, such names must be recorded if the Secretary knows of them, without the consent of the individual. This practice would probably be inconsistent with the intent of IPPs 1.2 (unfair means of collection) and 3 (indirect collection must be relevant to purpose and not intrude to an unreasonable extent on personal affairs).

Proposal: Other names should only be collected with consent and where necessary to register an individual for an access card. Delete item 1(c).

Alternatively, clarify that only 'other names' used in conjunction with Cth service delivery may be collected, and in accordance with provisions set out in Administration (Identification) Rules.

Clause 35(1) item 3(d) citizenship of another country

Description of issue: To avoid the perception that the register is a register of citizenship, it may be preferable for this information to only be retained by those participating agencies to which it is relevant.

Proposal: Delete item 3(d).

Clause 35(1) item 14 information required by legislation

Description of issue: The Office acknowledges that information handling laws such as the Privacy Act and the Freedom of Information Act 1982 (Cth) may require information to be attached to a record, such as a correction notice under Information Privacy Principle 7 (IPP 7). It is not clear why the clause includes 'or another law of the Commonwealth that requires information to be on the register'. It may be appropriate to expressly restrict this clause to the Privacy Act or the Freedom of Information Act, while noting that the Bill does not affect what other information may be stored locally by applicable agencies.

Proposal: Limit item 14 to the Privacy Act and Freedom of Information Act.

Clause 35(1) item 15 Participating agency flag

Description of issue: The Office has discussed this issue, particularly in the context of agency 'translation tables', in detail at paragraph 118.

Proposal: See discussion of 'translation tables' from 118.

Clause 35(1) item 16 emergency payment number

Description of issue: Page 34 of the EM explains that the emergency payment number 'will be the key that will allow individuals to access money provided by the Australian Government for emergency relief.' Equally though, the Bill appears to refer to this number as relating to an individual.

Accordingly, it remains unclear whether this number, if widely adopted, could become a unique identifier; if so, protections similar to the access card number may be appropriate.

Proposal: The precise scope of the emergency payment number could be described in the EM and, if necessary, protections afforded similar to those in cl 99.

CLAUSE 42 - WHEN THE SECRETARY MUST DECIDE TO ISSUE AN ACCESS CARD TO AN INDIVIDUAL

Description of issue: It may be useful to include reference to the Secretary making such a decision in accordance with the Administration Rules for identification.

Proposal: Add requirement that any decision be made in accordance with the Administration Rules for identification of individuals.

CLAUSE 44 - ISSUE OF ACCESS CARD

Description of issue: The Office notes that if an access card is posted to the individual, the card is 'issued' once it is sent by DHS, as opposed to once it is received by the individual. The card is also owned by the individual once it is 'issued' (cl 78(2)). It is unclear to the Office whether the individual would bear any liability for a card that has been 'issued' to them but goes astray in the mail.

Proposal: Clarify in EM or Bill the liability of the access card holder when a card is issued, though not received.

CLAUSE 47 - CANCELLATION ON REQUEST

Description of issue: It may be appropriate for Administration Rules to detail procedures for an individual to 'request' cancellation of the individual's access card.

This could include a requirement that the Secretary give information to the individual about the process and consequences of cancellation, noting how long information may be retained on the Register (or any other databases) under clause 35(3).

Proposal: Prescribe that one set of Administration Rules should set out the process to request cancellation.

CLAUSE 67 - NAME, SYMBOL AND FORM OF AN ACCESS CARD

Description of issue: The EM notes that this may facilitate the access card adopting new technologies as they emerge.[66] New technologies may raise significant privacy issues, and accordingly should be subject to Parliamentary scrutiny.

Proposal: Clause 67(6) should be amended such that determinations made under clause 27(4) are legislative instruments.

CLAUSE 71 - INFORMATION RELATING TO AN INDIVIDUAL THAT MUST BE ON THE SURFACE OF THE ACCESS CARD WHEN IT IS ISSUED

Item 4 Photograph

Description of issue: The Office has discussed this item in detail at paragraphs 54-63.

Proposal: This item should be made optional through cl 72(1), item a.

CLAUSE 74 - INFORMATION RELATING TO THE INDIVIDUAL THAT MUST BE OR MAY BE IN THE CHIP IN THE ACCESS CARD AT THE CHANGE TIME

Item 3 if the individual's photograph is on the surface of the access card - that photograph

Description of issue: The Office submits that if the photograph is on the face of the card, then it does not need to be on the chip.

If there are substantial public policy reasons why the photograph should be on the chip, then individuals should have the option to restrict access to it by PIN protection, as provided for other information on the chip by cl 77.

Proposal: Deleting item 3 from cl 74(1) is the strongly preferred position.

Alternatively, add item 3 to those items which may be PIN protected under cl 77.

Item 13 organ donor status

Description of issue: Organ donor status is 'health information' under the Privacy Act and afforded additional protections. To avoid inadvertent collection of this information (when a card is 'swiped'), which may constitute a breach of NPP 10, individuals should at least have the option of PIN protecting this information (as is provided in cl 77 for legal name, date of birth and proof of identity status).

Proposal: Add organ donor status to those matters which may be PIN protected under cl 77.

Item 15 information required by legislation

Description of issue: See the discussion of Clause 35(1) item 14 above. This item should similarly be limited to information required by the Privacy Act and Freedom of Information Act.

Proposal: Limit item 15 to the Privacy Act and Freedom of Information Act.

CLAUSE 91 - PERMITTED PURPOSES IN RELATION TO REGULATED PERSONS

Description of issue: Item 3 defines permitted purposes for officers in participating agencies, otherwise than to the extent that they are covered by item 2, as 'the performance of functions or duties connected with the provision of Commonwealth benefits'.

This seems a potentially broad definition, particularly as the purposes need only be 'connected' with the provision of benefits. In turn, the definition of 'permitted purposes' has significant implications for how personal information may be accessed, used and disclosed under the Bill.

Proposal: The definition of permitted purposes under item 3 of cl 91 should be amended to: 'the performance of functions or duties reasonably necessary for the provision of Commonwealth benefits'.

This would be consistent with other provisions in the Bill, eg cl 101(1)(b).

CLAUSE 93 - HOW PROTECTED RECORDS ARE TO BE KEPT

Description of issue: The Office has discussed this clause in detail at paragraph 73.

Proposal: The meaning of the term 'combined with' should be clarified in light of concerns regarding data matching and linking.

CLAUSE 94 - ACCESSING PROTECTED RECORDS

Description of issue: The Office has generally welcomed this clause at paragraph 69, though has made proposals for improvements at paragraph 64 in regard to access to photographs and the proposed Administrative Rules.

Proposal: See paragraph 64.

CLAUSE 109 - DISCLOSURE TO POLICE FORCES

Description of issue: There appears to be a discrepancy between the text of the EM and the provision in the Bill regarding the definition of 'senior officer'. The Bill states 'an officer… whose rank is that of inspector (or equivalent) or above' (cl 109(1)(b)(iii)). The EM states '…or a person above the rank of Inspector…'

Proposal: Clarify in Bill or EM for consistency.

CLAUSES 100-114

Description of issue: The Office has discussed these clauses in detail from paragraph 127.

Proposal: See from paragraph 127.

CLAUSE 146 - PURPOSE AND EFFECT OF THIS DIVISION

Description of issue: The Office has welcomed the infringement notice provisions (paragraph 79), though has noted the possible value of further specificity around process and powers to investigate.

Proposal: See paragraph 79.

CLAUSES 182-189

Description of issue: The Office has noted at various points in its submission where the Bill could usefully set out additional matters which the Administration Rules could cover.

Proposal: See paragraphs 48, 64, 109, as well as comments above on clauses 15, 19, 25, 42 and 47.

CLAUSES 191-192

Description of issue: The Office has noted above in regard to cl 15 that Administrative Rules for exemptions may usefully clarify process and procedural matters around exemptions.

Proposal: Insert requirement for Administrative Rules for exemptions in Part 9.

Appendix B: Research on community attitudes to government data sharing

Community attitude research from Canada (also discussed at paragraph 99) reports on the consumer sample as posing a range of questions/assertions that highlight the importance placed on gaining community trust:

  • "While we recognize government can do good things for us, what will stop it from using our information in ways that might end up causing harm or nuisance?
  • Who will be accountable or liable when our information is in the possession of human beings and machines that can make mistakes?
  • With so much information available or potentially available, is there a hard line that can be drawn between generic and personal information?
  • What ensures [sic] us that our information can be made secure from attacks or theft of the machines that contain our information, either during the life of their use or after their disposal?"[67]

UK research, Strategies for reassurance: public concerns about privacy and data sharing in government (also discussed at paragraph 101), says of the perceived benefits of sharing information between different government agencies that:

  • 'the benefits perceived by our focus groups from data sharing are relatively few in number;
  • at least without a great deal of thought, people cannot identify many ways in which they personally benefit;
  • those things which they do see as personal benefits are not necessarily of overwhelming importance to them, even before they are asked to think systematically or be prompted about risks;
  • those who attach greatest weight to the benefits to government are the ones who use public services least frequently;
  • without prompting, the only benefits that occur to people are combating fraud and eliminating multiple requests for the same information, and the latter is valued but not of overwhelming importance to everyone, although its importance rises with frequency of use of public services'[68]

Recent international comparative research conducted by Accenture[69] found significant differences in the degree of comfort individuals had with government departments sharing data, depending on what the data was. While there is some comfort around the sharing of information such as name and date of birth, this diminishes considerably when the data being shared is medical records, or information related to social security, social insurance or national tax numbers.

Endnotes

1 Office of the Privacy Commissioner, 'Submission to the Office of the Access Card, Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007', January 2007 ('submission on the first exposure draft'); and Office of the Privacy Commissioner, 'Submission to the Senate Finance and Public Administration Committee Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007', February 2007.

2 Office of the Privacy Commissioner, 'Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31', Chapters 11 and 12 respectively, available at www.privacy.gov.au/materials/types/submissions/view/6757.

3 The Office makes a distinction between considered, appropriate decisions to change the purposes that a system or object is used for; and the incremental expansion of a system's purposes to include things that were not initially agreed or envisaged - often without overall strategic direction, planning or oversight. This second type of expansion is sometimes referred to as 'function creep'.

4 Data-linking is the explicit linking of personal information about a specific individual from different sources. Data-matching entails the batch comparison of personal information about large numbers of individuals held in different databases to identify individuals of possible interest.

5 Recommendation 1 of the Standing Committee on Finance and Public Administration report on the Human Services (Enhanced Service Delivery) Bill 2007, March 2007, at paragraph 3.193: "The Committee recommends that the bill be combined with the proposed second tranche of legislation for the access card system into a consolidated bill."

6 See, "Consultation and public information sessions" available at http://www.accesscard.gov.au/legislation.html.

7 The Taskforce reported on areas such as system architecture and general principles, voluntary medical and emergency information, review and appeals processes, governance, and registration. The Taskforce's reports are available at www.accesscard.gov.au/taskforce_publications.html.

8 Office of the Privacy Commissioner, 'Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 1, Submission to the Department of Human Services Access Card Consumer and Privacy Taskforce', August 2006, at paragraphs 15-17, available at http://www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId959788.

9 See, for example, Office of the Access Card, exposure draft package information sheet, 'Viewing Information on the Access Card'.

10 See further the Office's discussion of unique multi-purpose identifiers in its 'Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31', February 2007, Chapter 12, available at: www.privacy.gov.au/publications/submissions/alrc/c12.html.

11 Karen Curtis, Privacy Commissioner, 'Protecting the privacy of our citizens', Presentation to the Govtech Summit, 19 July 2007, available at www.privacy.gov.au/materials/types/download/8290/6289.

12 These are afforded additional protections by, respectively, section 17 of the Privacy Act, Part IIIA of the Privacy Act, and section 135AA of the National Health Act 1953.

13 See Part 3, Division 6 ('The Register'); and Part 4, Division 8 ('Information on an access card').

14 See, for example, the Office's submission on the first exposure draft, January 2007, paragraphs 30-35, 'Discretionary functions of the Secretary and delegates - generally', available at http://www.privacy.gov.au/materials/types/submissions/view/6747.

15 See, for example, cll 183 (Administration Rules), 33 (form of Register), 67 (form of card); and cll 19, 30, 41, 57, 63 and 126 (administrative forms).

16 Office of the Privacy Commissioner, submission on the first exposure draft, January 2007, para. 38-40.

17 These principles are outlined in greater detail in the Office's submission to the Taskforce's Discussion Paper 1, at paragraph 13, available at www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId602833.

18 See also the Office's submission to OAC on the first exposure draft, paragraphs 17-20.

19 See Part 3, Division 6 ('The Register'); and Part 4, Division 8 ('Information on an access card').

20 The Office understands that the template may be stored by DHS outside of the Register for security reasons. Clarification of this issue would be welcome.

21 See the Office's submission to DHS on the first exposure draft, at paragraphs 71-76, ('Determining future uses').

22 In line with the object at subclause 7(2) of the Bill.

23 In line with the intention at subclause 7(3) of the Bill.

24 The latter provision is available at http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/bodylodgmentattachments/0638844A692768C4CA256F7100572151?OpenDocument#SECT4.

25 See cl 35(1) item 18 and cl 74(1) item 17, in combination with cl 187.

26 See cll 94-97 in combination with cl 185.

27 See cll 99(4)-(5) in combination with cl 187.

28 See subcll 19(4), 30(4), 41(4), 57(4) and 63(5).

29 See subcll 19(1)(b), 41(1)(b), 30(1)(b).

30 Karen Curtis, Privacy Commissioner, Proof Committee Hansard, Senate Standing Committee on Finance and Public Administration, 6 March 2007, p 36. See also the Office's submission to the Taskforce, August 2006, paragraphs 118-122, available at www.privacy.gov.au/materials/types/submissions/view/6453.

31 See cll 35, 74 and 71, respectively.

32 See the Explanatory Material to the Bill, p 57.

33 The Australian Government e-Authentication Framework (AGAF) for Individuals. See the overview at http://www.agimo.gov.au/infrastructure/authentication/agaf_i.

34 The Taskforce notes that DHS planning is based upon the figure of 16.0 million individuals. See Access Card Consumer and Privacy Taskforce, 'Discussion Paper Number 3: Registration', p 31, available at www.accesscard.gov.au/various/Registration%20Paper%20FINAL%20Released%2023%20March.pdf.

35 This may be a particularly useful option for the minority of Australian adults who do not already own an (optional) state or territory driver's licence or proof of age card. The Office understands this figure is around 10% of Australian adults.

36 The Senate Committee acknowledged these issues in its report into the previous bill: Standing Committee on Finance and Public Administration report on the Human Services (Enhanced Service Delivery) Bill 2007, March 2007, at paragraphs 3.32-3.35.

37 Department of Human Services, Submission 39a to the March 2007 Senate Standing Committee Inquiry, pp 9-11.

38 Senate Committee report on the previous bill, March 2007, at paragraph 3.52.

39 Provisions include cll 94(2) on access, 95(1)(e)(iii) on disclosure, 96(1)(e)(iii) on use, and 97(3)(c)(iii) on access and modification of information in the card chip.

40 This principle is given effect in the Privacy Act under National Privacy Principle 8 (NPP 8), which binds many private sector businesses: 'Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.'

41 This issue was discussed in the Office's submission to the Taskforce's Discussion Paper 1, August 2006, at paragraphs 181-184, available at www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId409674.

42 See 'Community Attitudes Towards Privacy 2004', available at www.privacy.gov.au/publications/rcommunity/chap7.html.

43 Noting that cl 152 ('Secretary may obtain information etc.') only relates to serious offences.

44 For example, individuals could be permitted to complain to the Privacy Commissioner where the individual believes an entity has handled their access card information in breach of a provision under Part 5, Division 3, as well as offences that may be added to the Bill regarding the use of the photo and signature on the card surface.

45 These submissions are available at www.privacy.gov.au/materials/archive/other/view/5895.

46 Australian Government submission to the Senate Inquiry on the Human Services (Enhanced Service Delivery) Bill 2007, page 81, available at http://www.accesscard.gov.au/resources/pdf/Australian%20Government%20Submission%20-%20FINAL.pdf.

47 Office of Access Card information sheet, 'When an Access Card Expires, is Lost or Stolen', available at www.accesscard.gov.au/getting-and-using-card/when-card-expires-lost-or-stolen.html.

48 The term "practical obscurity" was originally coined as a US legal principle that "...private information in public records is effectively protected from disclosure as the result of practical barriers to access." (see http://www.archivists.org/glossary/term_details.asp?DefinitionKey=3053). It has come to be more widely applied as a term explaining the privacy benefits that accrue where information is kept in disparate sources such that, even if each source is available separately, the practical difficulty in combining these sources is such that there is some protection against a complete and potentially invasive single source of information about an individual.

49 Standing Committee on Human Resources Development and the Status of Persons with Disabilities, Beyond the numbers: the future of the social insurance number system in Canada, May 1999, available at http://www.parl.gc.ca/InfoComDoc/36/1/HRPD/Studies/Reports/hrpdrp04/09-part1-e.htm.

50 Available at http://www.crossingboundaries.ca/files/kta_final_report_050805.pdf.

51 Perri 6. (2002). Strategies for reassurance: public concerns about privacy and data sharing in government, Performance and Innovation Unit, Cabinet Office, London.

52 Strategies for reassurance: public concerns about privacy and data sharing in government, pp. 41-42.

53 Page 81

54 See, for example, the Office's response to question 4-27 in its submission to the ALRC Inquiry (available at http://www.privacy.gov.au/publications/submissions/alrc/c4.html#Consent1) and the Office's March 2007 submission to the Senate Inquiry into the previous bill (available at http://www.privacy.gov.au/materials/types/submissions/view/6659#Section).

55 Taskforce Discussion Paper No.1, Australian Government Health and Social Services access card, page 14, available at http://www.accesscard.gov.au/discussion/060615_taskforce_discussion_paper.pdf.

56 See discussion under "Unique identifiers" available at http://www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId957306.

57 See paragraph 61 under "Dataflows between system elements" available at http://www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId493233.

58 See paragraph 21 of the Office's submission to the Department of Human Services (January 2007) available at http://www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId957306.

59 This policy intent is reflected in the Privacy Act under National Privacy Principle 2 (in the private sector provisions), and Information Privacy Principles 10 and 11 (for agencies).

60 Office of the Access Card information sheet, 'Disclosure of Information in the Register to Law Enforcement Agencies', available at www.accesscard.gov.au/privacy-security-technology/disclosure-information-register.html.

61 Subclauses 109(4), 110(3) and 198(2)(g).

62 Subclause 111(4).

63 This reflects the detail required in some of the Bill's other reporting provisions. See, for example, subclauses 198(2) ('Annual report on operation of the Act') and 199(2)(c) ('Privacy Commissioner to report about matters arising out of the operation of this Act').

64 AGIMO notes: '...The concept of federated identity is that personal information remains in the hands of the original collector and is shared across a wide range of providers, instead of consolidated into a master database. The relationships between providers are regulated by private contract and applicable privacy and data protection laws.' (at www.agimo.gov.au/publications/2004/05/egovt_challenges/privacy/identity/distributed). In relation to encrypted identifiers, see Liberty Alliance, 'Privacy and Security Best Practices' (2003), at www.projectliberty.org/liberty/content/download/374/2681/file/final_privacy_security_best_practices.pdf, 'Account federation', at p 25. However, see also B Pfitzmann, 'Privacy in Enterprise Identity Federation' (2004), at www.zurich.ibm.com/security/publications/2002/Pfit2002LibertyPolicies-rz3470.pdf.
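The footnote above describes federated identity in terms of where the data sits (with the original collector, not in a master database) and of "encrypted identifiers". The following is an added illustration of one common way that idea is realised, and is not code from the submission, from AGIMO or from the Liberty Alliance specification: the identity provider keeps the only copy of a person's record and gives each participating provider a different opaque handle, derived with a keyed hash (HMAC-SHA256), so two providers cannot join their records on the identifier alone. The class and method names, the demo key and the sample record are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo key. A real deployment would keep this in an HSM or key
# management service and rotate it; anyone holding it can recompute handles.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


class IdentityProvider:
    """Holds the only copy of each person's record and issues each relying
    provider its own pairwise pseudonymous handle (hypothetical class)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: Dict[str, Dict[str, str]] = {}
        # (provider_id, handle) -> internal_id; only this pair resolves.
        self._handles: Dict[Tuple[str, str], str] = {}

    def enrol(self, internal_id: str, record: Dict[str, str]) -> None:
        self._records[internal_id] = record

    def handle_for(self, internal_id: str, provider_id: str) -> str:
        # The provider id is bound into the MAC input, separated by a NUL so
        # that 'ab'+'c' and 'a'+'bc' cannot collide. Handles issued to two
        # different providers for the same person are therefore unrelated
        # values to anyone without the key.
        msg = provider_id.encode() + b"\x00" + internal_id.encode()
        handle = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._handles[(provider_id, handle)] = internal_id
        return handle

    def resolve(self, provider_id: str, handle: str) -> Optional[str]:
        # A handle presented by a provider it was not issued to is meaningless.
        return self._handles.get((provider_id, handle))

    def release(self, provider_id: str, handle: str, attribute: str) -> Optional[str]:
        # Release a single requested attribute; the provider never sees the
        # internal identifier or the whole record.
        internal_id = self.resolve(provider_id, handle)
        if internal_id is None:
            return None
        return self._records[internal_id].get(attribute)


def demo() -> Dict[str, object]:
    """Run the scenario and return the observable results."""
    idp = IdentityProvider(DEMO_KEY)
    # Constructed sample record.
    idp.enrol("person-0001", {"dob": "1970-01-01", "name": "J Citizen"})

    h_health = idp.handle_for("person-0001", "health_agency")
    h_benefits = idp.handle_for("person-0001", "benefits_agency")
    return {
        "health_handle": h_health,
        "benefits_handle": h_benefits,
        # The same provider always receives the same handle for the same person.
        "stable": h_health == idp.handle_for("person-0001", "health_agency"),
        # The two providers cannot join their records on the identifier.
        "linkable_by_handle": h_health == h_benefits,
        # The health agency can still obtain an attribute it is entitled to.
        "dob_via_health": idp.release("health_agency", h_health, "dob"),
        # The benefits agency cannot use the health agency's handle.
        "cross_resolve": idp.resolve("benefits_agency", h_health),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add. The handle is only as unlinkable as the attributes released alongside it: if both providers also receive name and date of birth, those attributes become the join key and the pairwise identifier achieves little. And the identity provider's handle index is itself a single point at which all of a person's relationships can be linked, so its access controls and audit logging matter as much as the derivation.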

65 Legislative Instruments Handbook (2004), pp. 63-64.

66 Page 53

67 Available at http://www.crossingboundaries.ca/files/kta_final_report_050805.pdf.

68 Strategies for reassurance: public concerns about privacy and data sharing in government, p. ix.

69 Accenture (2005), Leadership in customer service: new expectations, new experiences, available at http://www.accenture.com/xdoc/ca/locations/canada/insights/studies/leadership_cust.pdf.
