This chapter discusses proposed sections 17-25 of the IMS Bill which provide for the collection, use, disclosure, protection and recording of identification information.
The chapter then discusses proposed sections 26-30 of the Bill which provide for the delegation of the Secretary’s powers, annual reporting and review of the Bill.
Collection of identification information
Proposed section 17(1) of the IMS Bill provides that the Department may collect identification information (whether or not it is sensitive information as defined in the Privacy Act 1988) about an individual from someone other than the individual, if the collection is by means of an electronic communication to the interoperability hub or the Driver Recognition Solution.
Proposed section 17(2) outlines the purposes for which identification information may be collected under subsection (1). These purposes include providing an identity-matching service for the purpose of an identity or community protection activity, developing identity-matching services, protecting assumed identities and protecting witness identities.
Proposed section 18 of the IMS Bill provides that the Department may, for any purpose described in subsection 17(2), use or disclose identification information collected by means of an electronic communication to the interoperability hub or the Driver Recognition Solution.
Proposed section 19 applies if a law of a state or territory limits disclosure of some or all identification information by an authority of a state or territory or by a body or person acting on behalf of such an authority and exempts from the limitation a disclosure authorised by a law of the Commonwealth.
Proposed section 19(2) further provides that, for the purposes of the exemption, the authority, body or person may disclose to the Department by electronic communication identification information about an individual for inclusion in the Driver Recognition Solution.
Protection of identification information
Proposed section 21(1) creates an offence, punishable by imprisonment for two years if a person is or has been, an entrusted person; and the person has obtained protected information in his or her capacity as an entrusted person; and, the person makes a record of the information or discloses the information to another person. The fault element for the offence is recklessness.
Proposed section 21(2) creates exceptions to the prohibitions in proposed section 21(1) where the conduct is authorised by a law of the Commonwealth or of a state or territory or the conduct is in compliance with a requirement under a law of the Commonwealth or of a state or territory. A defendant bears an evidential burden in relation to the matter in 21(2).
Proposed section 21(3) restricts required disclosure of protected information or production of documents, except where it is necessary to do so for the purposes of giving effect to the Act or the Law Enforcement Integrity Commissioner Act 2006, or a legislative instrument under either Acts. It provides that an entrusted person is not to be required to disclose protected information, or produce a document containing protected information, to a court or a tribunal, authority or person that has the power to require the answering of questions or the production of documents.
Entrusted person is broadly defined in Section 21(4) and includes the Secretary of the Department or an Australian Public Service (APS) employee in the Department. In addition, entrusted persons are those who are contractors engaged in relation to the interoperability hub or the Driver Recognition Solution and are also officers or employees of an agency or authority of the Commonwealth, a state or territory, the government of a foreign country or of a public international organisation.
Protected information is also broadly defined in section 21(4) as:
identification information that was obtained by a person, in the person’s capacity as an entrusted person, from an electronic communication to or from either the interoperability hub or the Driver Recognition Solution,
information obtained by a person, in the person’s capacity as an entrusted person about an electronic communication made to or from either the interoperability hub or the Driver Recognition Solution,
identification information relating to a particular individual held in, or generated using, the Driver Recognition Solution, and,
information that enables access to the interoperability hub or the Driver Recognition Solution and was obtained by a person, in the person’s capacity as an entrusted person.
Authorised use and disclosure of identification information
Proposed section 22 provides that an entrusted person may make a record of or disclose protected information if the record is made, or the information is disclosed for the purposes of the Act or in the course of exercising powers, or performing functions or duties, relating wholly or partly to the interoperability hub or the Driver Recognition Solution.
Proposed section 23 provides that an entrusted person may disclose protected information if they reasonably believe that the disclosure is necessary to lessen or prevent a serious and imminent threat to the life or health of an individual and the disclosure is for the purpose of lessening or preventing that threat.
Proposed section 24 of the Bill provides that an entrusted person may disclose protected information to the Integrity Commissioner for the purpose of referring an allegation, or information, that raises a corruption issue (within the meaning of the Law Enforcement Integrity Commissioner Act 2006) or for the purpose of notifying a corruption issue under that Act or for the purpose of an investigation of a corruption issue under that Act.
In both cases an entrusted person may make a record of protected information for the purpose of disclosing the protected information.
Proposed section 25 provides that an entrusted person may make a record of, or disclose, protected information that relates to the affairs of a person if the person has consented to the recording or disclosure and the recording or disclosure is in accordance with that consent.
Section 27 of the Bill allows that the Secretary of the Department may, in writing, delegate all or any of his or her functions or powers under this Act to a Senior Executive Service (SES) employee or acting SES employee in the Department. In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Secretary of the Department.
Section 28(1)(a) provides that the Secretary of the Department must give the Minister a report on statistics relating to all requests in the financial year, from authorities of the Commonwealth (except the Australian Security Intelligence Organisation (ASIO)) or of a state or territory, for the Face Identification Service, Face Verification Service and One License Service.
The report must also include statistics relating to all requests in the financial year from non-government entities for a Face Verification Service, and the report is required to include statistics from each authority of the Commonwealth (except ASIO), and each authority of a State or Territory (including a local government authority), that used an Identity Data Sharing Service to disclose or collect identification information in the financial year.
The Department of Home Affairs informed the Committee that the Minister has agreed to seek to amend the IMS Bill to provide for annual reporting in relation to the number of instances in which an entrusted person discloses protected information to lessen or prevent a threat to life or health as provided for in proposed section 23 of the IMS Bill.
The Explanatory Memorandum notes that ‘non-government entities are not required to be individually named in the report’ as this is ‘necessary to protect commercial confidentiality.’
In response to this, the Law Council of Australia stated that it considers ‘that the public have a right to know which non-government entities have access to the Face Verification Service.’ Similarly the Office of the Information Commissioner (Queensland) pointed out that
private sector users of the [Face Verification Service] will be required to secure the consent of the individual whose identity they are seeking to verify [s7(3)(b)]. As this would reveal to the individual that the non-government entity is using the [Face Verification Service], it is unclear why the commercial confidentiality of that non-government entity would be compromised by its identification in the annual report.
In relation to the exceptions to reporting by ASIO, the Explanatory Memorandum states that this is in order to ‘protect the security of their operations’.
The Law Council argued that such an exception ‘should be determined on a case by case basis’ and should not be included ‘as a blanket exception, particularly in circumstances where ASIO has shared biometric data with international partners.’
In relation to ASIO’s exclusion for the reporting requirements, the Department expanded on information provided in the Explanatory Memorandum noting that ‘ASIO is exempt from the operation of the Privacy Act and the Freedom of Information Act 1982’ and that ‘ASIO will continue to be subject to its existing oversight regimes, which will apply in relation to ASIO’s use of the identity-matching services. This includes oversight by the Inspector-General of Intelligence and Security’.
Proposed section 28(2) provides that the annual report must not unreasonably disclose personal information about an individual. Proposed sections 28(3) and (4) provide that the Secretary of the Department must give the Minister the report as soon as practicable after the end of the financial year and in any case within 6 months after the end of the financial year and that the Minister must cause a copy of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives the report.
The Office of the Information Commissioner (Queensland) submitted that additional requirements in annual reporting processes are necessary to ‘adequately monitor privacy impacts, misuse, mistakes and private sector use associated with the IMS regime’. They noted that the IMS Bill ‘does not require data breaches or security incidents (for example through unauthorised access or unauthorised disclosure), system failures or accuracy rates to be reported upon’.
Noting that management of data breaches is governed by the new data breach notification provisions in Part IIIC of the Privacy Act 1988 the Department of Home Affairs stated that it is ‘not necessary to duplicate data breach reporting by requiring this information to be included in the annual report under the Bill’.
In relation to other matters, such as security incidents and unauthorised use or disclosure, the Department stated that such reporting may not be appropriate as it may ‘disclose information about the security architecture of the systems’.
The Department also explained that it ‘may not have information about all instances of unauthorised use or disclosure if these occur at participating agency level’. However the Department noted that ‘this information will be able to be captured, and properly investigated and assessed, through annual audit requirements on participating agencies using the services’ as well as reviews of the services required under the IGA (every three years), and the Bill (a review to be commenced within five years)’.
In addition, the Human Rights Law Centre (HRLC) raised concerns on the accuracy of facial recognition technology. The HRLC explained that facial recognition technology contains a ‘bias towards the dominant ethnic group in the area in which it is developed’ and, in Australia, the use of such technology could have a disproportionate effect on ’Aboriginal and Torres Strait Islanders who are overrepresented in arrest and incarceration rates’. Given this concern the annual report should include ‘annual accuracy testing based on demographics’.
The Committee were interested in the accuracy of the technology and inquired about the vendor supplying biometric facial recognition algorithms. The Department of Home Affairs explained that it did not report the identity of vendors in order to reduce ‘the potential vectors of attack’ and that as all biometric facial recognition providers use different algorithms, naming them would potentially create ‘an increased threat of attack’.
In response to a question about possible publication of performance figures in order to provide a level of public assurance in the algorithm used, the Department answered:
That's some of what's involved in the annual reporting requirement, but not the level of detail that you're asking for.
Proposed section 29 provides for a review of operation of the Act and provision of identity-matching services to be started within five years of the commencement of the Act. A copy of the report is to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives the report.
Proposed section 30 provides that the Minister may, by legislative instrument, make rules prescribing matters required or permitted by the Act to be prescribed by the rules or that are necessary or convenient to be prescribed for carrying out or giving effect to the Act. The rules may not do certain things such as create an offence or civil penalty, provide powers of arrest or detention; allow for entry, search or seizure, or impose a tax. The rules may not set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in the Act or directly amend the text of the Act.