Chapter 3 - Key issues
Introduction
3.1
This bill is intended to be the cornerstone of the government's proposed
access card system. It will provide the legislative basis for the card's roll
out, operation and the architecture supporting it. As chapter 2 indicates, the
bill's provisions cover a large range of complex matters extending from the
purpose of the card through to the information on its surface, chip and
database, as well as penalties for misuse. However, at the heart of the
proposed access card system are two primary goals:
- Improving delivery of Commonwealth human services and benefits;
and
- Combating fraud, particularly in relation to identity theft.
3.2
The Committee endorses goals to streamline the delivery of Commonwealth
benefits and prevent fraud. The Committee supports any policy that will
facilitate access to those who are eligible while forestalling access to those
who are ineligible.
3.3
In considering the bill's provisions, the Committee has used these two goals
as a point of reference for assessing the merits and necessity of measures
provided for in the bill.
3.4
This chapter examines the following matters in the bill:
- The information to be stored on the card's surface and in its
chip;
- The register;
- Discretions and delegations;
- Administrative review;
- Access to the information on the card and in the register; and
- Offences.
3.5
The chapter also lists a number of items of concern that the Committee
has not had adequate time to consider.
3.6
To understand the context of the Committee's discussion of the key
issues in the bill, it is important to outline a number of timing factors that
have shaped the design of the bill, impinged on the Committee's inquiry and
which raise concerns about the legislative approach to this measure.
Timing issues
3.7
The Australian Government submission justifies the timing of the bill on
three grounds. Under the heading, 'Why the first instalment of the legislation
is needed now', it states:
- A legal framework is needed to support the implementation of the
access card system and initial registration of card holders in early 2008;
- It is also needed to allow sufficient time to inform the
community about the new system, a step recommended by the Consumer and Privacy
Taskforce headed by Professor Fels (and referred hereafter as the 'Fels'
Taskforce'); and
- '... early passage of the legislation is required to provide
certainty for contract negotiations for the procurement of critical elements of
the access card system'.[1]
3.8
The government submission further explains that legislation for the card
is being staggered in a series of bills to make it easier for the community to
understand the measure, to avoid public confusion which might result from a
large, complex omnibus bill and to allow people to focus on specific issues in
a considered way.
3.9
The Committee has a number of concerns with the approach and timing
adopted with this bill. The most immediate is the limited time given to the
Committee to examine the bill, to receive and hear evidence and consider the
issues presented to it.
3.10
With only the first tranche of the access card legislation before it,
the Committee has also been put at a disadvantage in that it does not know the
detail of key provisions and measures that are intended to be addressed in
later legislation. That the provisions held over relate to critical matters
such as reviews and appeals, privacy protections and oversight and governance measures
does little to allay the Committee's general unease with the adequacy of this
bill.[2]
In essence, the Committee is being asked to approve the implementation of the
access card on blind faith without full knowledge of the details or
implications of the program. This is inimical to good law-making. The delay in
introducing these measures is unlikely to encourage public confidence in the
access card proposal, particularly as the missing measures are essential for
providing the checks and balances needed to address serious concerns about the
bill.
3.11
The Committee has also been asked to consider the bill while a number of
processes central to the operation of the access card or of bearing on its
legislative framework are still underway. The most important include:
- The Fels' Taskforce reporting on the registration process, appeals
and a privacy impact assessment;
- The Australian Law Reform Commission's review of the Privacy Act;
and
- The Attorney-General's Department's project for a Documentation
Verification System.
3.12
In addition, two tender processes, one for the systems integrator, the
other for card issuance and management, were running during the Committee's
consideration of the matter.[3]
This could be seen as undermining the authority of the Committee by creating
the impression that passage of this legislation is preordained, rendering
Senate oversight superfluous.
3.13
The Committee appreciates that a complex, multifaceted and expensive project
like the access card involves several processes running in parallel, and that
it is not possible to have answers for every issue or detail during the
introductory stages of such an undertaking.
3.14
The government submission has argued that any lengthy delay with the
adoption of the bill would hamper the introduction of the access card system.
It states:
If passage of the Bill were to be significantly delayed this
would reduce the time available to put in place the necessary infrastructure,
administrative arrangements and public information to properly implement the
new system. This could jeopardise contract negotiations and would not allow
adequate time to fully and adequately inform the Australian community of these
important changes.[4]
3.15
The Committee cannot accept that priority has been given to tender
processes at the expense of reasonable time for the Parliament to scrutinise properly
a complex piece of legislation.
3.16
Moreover, the processes surrounding the bill appear to have led to inconsistencies
with other Commonwealth legislation and concerns among other Commonwealth
agencies. The Committee heard that the bill potentially conflicts with the
customer verification obligations under new anti-money laundering and
counter-terrorism financing laws.[5]
(In subsequent advice, government agencies said they believe this is not the
case.)[6]
The Australian Federal Police (AFP) also raised concerns about penalty
provisions inhibiting intelligence and investigations.[7]
These problems raise questions about the drafting of the bill and degree of
consultation among government agencies about the interaction of the bill with
other Commonwealth law.
3.17
Legal academics and practitioners also criticised the bill for its
poorly defined terminology and other drafting deficiencies. While committee
scrutiny of bills is designed to identify and fix problems of this nature, the
limited time allotted means other problems may go undetected while any remedial
amendments will also have to be rushed and risk further drafting
inconsistencies.
3.18
The haste involved with this bill has also led to a number of irregular
and inappropriate actions. The department published on its website the
Australian Government submission to the inquiry before the Committee could
consider its contents, let alone authorise its publication. This breached the longstanding
rule and practice that Senate committees have sole discretion to publish
evidence they receive. The Committee also received evidence from the department
that did not take account of other powers and procedures of the Senate and its
committees (for instance, in relation to claims of legal professional
privilege). The Committee assumes these oversights were largely a result of the
haste with which this inquiry has had to be prosecuted.
Conclusions
3.19
The time allowed for consideration of all the important and complex
issues relating to the access card legislation has been truncated, including
the time given to the Committee to examine this bill. Key measures that need to
be taken into account including privacy, governance, appeals and review
mechanisms are to be considered in a second tranche of legislation. It is not
possible to assess adequately this new measure in the absence of these vital
protections and other provisions. The Committee considers that this bill needs
to be combined with the second tranche of legislation into a consolidated bill
to allow proper consideration of the access card proposal.
Recommendation 1
3.20
The Committee recommends that this bill be combined with the proposed second
tranche of legislation for the access card system into a consolidated bill.
The Card – surface information
3.21
In seeking to explain how the primary objectives of improved service
delivery and fraud prevention will be met, the bill includes provisions for
what information will be displayed on the surface of the card and in the chip
inside the card. Clause 30 of the bill states that information displayed on the
surface of the card will include, among other things, the cardholder's
photograph, and the cardholder's signature, and the access card number.[8]
3.22
The sections below discuss the case for these features and the concerns
raised about them.
The photograph
3.23
In its written submission to the inquiry, the Australian Government
stated that including a photograph on the surface of the card is essential to the
integrity of the new scheme, as 'The inclusion of a photograph on the card will
significantly enhance the identity security elements of the card, protecting
the card owner's identity and reducing opportunities for fraud'.[9]
3.24
The Office of Access Card elaborated on this by noting that the
inclusion of a photograph on the surface of the card would be essential to:
- reduce fraud;
- reduce complexity;
- increase customer convenience;
- provide a user friendly and reliable method for accessing
Commonwealth benefits;
- improve access to Australian Government relief in emergency
situations; and
- permit access card owners to use their access cards for such
other lawful purposes as they choose.[10]
3.25
It also highlighted the importance that government agencies place on the
photograph for combating fraud. The Office of Access Card provided material
from the Australian Federal Police (AFP) stating that the AFP's operational
experience has shown that:
...in cases of systematic and organised identity fraud, the one
single feature that remains constant in offenders is their facial features.
This highlights the necessity and importance of having a facial photograph...The
proposed Access Card regime provides greater surety of the link between an
individual and relevant entitlements through the enhanced security features,
and also protects the individual. The presence of a photograph on the surface
of the card provides a basic verifiable link to the person claiming the
entitlement, benefit or service.[11]
3.26
The Office of Access Card further stated that:
Without a photo on the surface of the card it will always be the
case that people will be able to get someone else's entitlements as
photographic readers will not be available everywhere, every time.[12]
3.27
By contrast, it claimed that putting the photograph on the surface of
the card will be a major deterrent to people considering defrauding the system:
KPMG has noted that it takes considerable bravado to walk into a
doctor's surgery and present a card with someone else's photo on it.[13]
Concerns about including a photograph on the surface of the card
3.28
Four general arguments were presented to the Committee that raised doubt
about the necessity for the photo to be on the card's surface. The following
section looks at each of these in turn.
The access card as a national identity card
3.29
Any consideration of the proposal to show a personal identifier such as
a person's photograph on the card's surface needs to examine the question of
whether the access card might become a national identity card. Frequent
references arose in evidence about the parallels between the proposal for the
access card and an earlier proposal for a national identity card. This issue
goes to the heart of the bill's objectives and rationale. It also goes to the
heart of concerns about the privacy implications of the access card system. As
such, the Committee considers that the case for constructing the card with or
without certain features must be sound and properly tested.
3.30
Some witnesses and submissions suggested that the inclusion of personal
information, particularly a photograph on the card's surface, represents the
greatest risk of the card becoming a de facto national identity card.
The Australian Privacy Foundation stated that:
... if all of that information can be read off the chip, there is
no need to have it on the surface of the card for the objective of the card. By
having it on the surface of the card when it is not needed for that objective,
it lends the card more weight as an all-purpose ID card and means banks, Video
Ezy et cetera will want to see it.[14]
3.31
Similarly, the New South Wales Council for Civil Liberties submitted
that:
The Access Card will be readily capable of use as an identity
card because it will carry on its face five pieces of identity information: a
unique id number; a name; a date of birth; a photograph; and a signature...An id
card is an undesirable thing in a free society that promoted civil liberties.
It unreasonably provides to the State a tool with a range of potentially
oppressive uses...The id number, photograph and signature need not appear on the
face of the card. Recording them on a secure area of the chip, accessible only
by authorised persons, would resolve this aspect of the proposal.[15]
3.32
The Government has given assurances that the access card is not intended
as a national identity card.[16]
The Committee is concerned, however, that not enough attention has been given
to the practical effect of information on the surface of the card.
3.33
In this regard, the Committee has taken particular note of the
Taskforce's view that:
...most Australians are eligible for Medicare, so even those who
do not make regular use of Medicare services are likely to find that at some
time in their lives, for example when they start a family or when they reach a
certain age or degree of infirmity, they will need to access Medicare. To do so
they will need an access card. To this extent, the Taskforce recognises that,
at some stage, almost every Australian is likely to need an access card
and as such to become a person registered in the Secure Customer Registration
Service.[17]
[italics added]
3.34
The Committee remains concerned that the inclusion of a biometric
photograph, as well as the other information on the surface of the card, could trigger
public concern about the access card becoming the preferred identity document
of most Australians. There is no comparable document issued on a national
scale in Australia that contains a photo of biometric quality.
3.35
Alternative forms of identity are not likely to be considered as
authoritative, for example, drivers’ licenses are issued by states rather than
the Commonwealth, and the photos that appear there are of non-biometric
quality. Passports are not issued on a universal basis, and their bulky size
guarantees that they will not be routinely carried by most citizens.
Semantic imprecision
3.36
The imprecise wording of key items in the bill raised further concerns
that there are inadequate constraints to prevent the access card becoming an
identity card.
3.37
For instance, a 'Commonwealth Benefit' is defined in the clause 5 of the
bill as a 'benefit or service that:
- is provided to an individual (whether under Commonwealth law or
otherwise); and
- is administered or delivered, wholly or partly, by a 'participating
agency''.
3.38
However, the wording of this definition suggests that any concession
granted by virtue of veteran or pensioner status could be deemed by the wording
of this definition to be a 'Commonwealth Benefit' because one of the specified
'participating agencies' will be involved as a gatekeeper in determining
eligibility for the benefit. This could be deemed to satisfy the 'administered
or delivered, wholly or partly' definition in clause 5.
3.39
The possibility of function creep may be increased by clause 7 of the bill
stating that the purposes of this bill:
...are to facilitate the provision of benefits, services, programs
or facilities to some or all members of the public (whether under Commonwealth
law or otherwise), where that provision involves a participating agency.
3.40
The language of this clause could conceivably allow the providers of
state concessions to claim inclusion in the provisions of this bill. The
'benefits, services or facilities' are to be provided to 'some or all members
of the public'. The provision of these benefits is to be authorised by
'Commonwealth law, or otherwise'. As long as a participating agency is
'involved,' regardless of how peripherally, the service or benefit could be
construed to come within the ambit of the bill. For example, the DVA's
'gatekeeper' role in the provision of concession status to veterans might allow
public transport providers (for instance, the NSW railways) to make such a
claim.
3.41
The expansion of Commonwealth benefits status to State and Territory
concessions would further enhance the ubiquity of access card usage, and would
materially contribute to its emergence as the dominant identity document in day
to day use through out Australia.
3.42
Thus, it is argued that there is potential for the access card to evolve
into an ID card if a biometric photo, signature and serial number are visible
on the face of the card. However, this might contravene the government's
explicit declaration in clause 6 (2) that 'access cards are not to be used as,
and do not become, national identity cards'.
3.43
The Committee remains mindful of public concerns that the inclusion of a
photograph on the surface of the card could lead it to become Australia's de
facto ID card, and that this conflicts with the stated objectives of the
bill.
The necessity of the photograph for improved service delivery
3.44
Enhanced service delivery is one of the key objectives of the bill. The
function of a photograph in this regard was noted by Professor Allan Fels
during public hearings:
There would be quick recognition of them (the card holder) in
dealings with the government and maybe in dealings with doctors, pharmacies and
so on. It is the idea that you just hold up the card and it shows your face. If
you did not have the photo on the card, I think whoever was dealing with you,
the cardholder, would have to take a bit of time to look you up.[18]
3.45
However, the use of card readers to determine eligibility for services
has cast doubt in some witnesses' minds on whether the photograph is necessary
on the card's surface. Since readers would show the person's photograph on the
card's chip, the need to have the photograph on the card's surface would not
appear to be essential or mandatory. Professor Fels told the Committee:
...the big thing for them is to have a photo in the chip and on
register, rather than necessarily compelling it to be on the card when there
would be some people who would be strongly opposed to that and not like it and
there would be others who, given the choice, would not want their photo on it.[19]
3.46
On this basis, Professor Fels concluded that it would be preferable for
the inclusion of a photograph on the surface of the card to be a matter of individual
choice:
...I now tend to see the idea of it being a matter of choice as
having a lot of merit, almost to the point where I think a very strong case
would need to be made against that before you would remove the consumer choice
possibility.[20]
3.47
Similarly, the Privacy Commissioner expressed her preference that the
inclusion of a photograph on the surface of the card be a matter of individual choice.[21]
3.48
However, the Office of Access Card informed the Committee that not all
service providers would have card readers capable of viewing the photograph in
the chip:
While the Human Services' agencies will have the capability,
doctors, pharmacists, allied health professionals, specialists, hospitals and
third party concession providers will not. To introduce another card reader
into a doctor's surgery or a pharmacy will impose an unacceptable burden on
their business.[22]
3.49
The Office's supplementary submission, received very late in the inquiry
process, went on to note that the photograph on the surface of the card is
central to flexible service delivery, which is important given the wide range
of service delivery models which exist within Human Services, and that
providing alternative photographic identification is not ideal for reasons
relating to security, privacy and customer convenience.[23]
3.50
The supplementary submission further asserts that the cost of supplying
photo capable readers to all service providers would be $15 million (50,000
units costing $2,500 per unit).[24]
The cost of upgrading terminals to photo capable status would cost an
additional $700 million.[25]
The Committee was provided with no detailed information to support these cost
estimates.
3.51
However, assuming that they are accurate, they do nothing to detract
from the primary issue relating to the access card photograph – the inclusion
of a photo on the face of the card virtually guarantees its rapid evolution
into a widely accepted national form of identification.
3.52
The Committee considers that even if the costs involved are quite
substantial, fiscal considerations of investment in public infrastructure (such
as readers) should not necessarily trump privacy and civil liberties concerns
on the question of the access card photograph.
Impact on service providers
3.53
The Committee was also told that including a photograph on the surface
of the card, with the expectation that it will allow service providers to
quickly verify a card holder's identity, may transfer the burden of assessing
eligibility to individual service providers rather than government agencies.
The Australian General Practice Network (AGPN) submitted that:
AGPN is supportive of ensuring that only eligible patients are
able to access the government rebate; however the quantum of any fraud and the
extent of disputes/conflict that arise on eligibility grounds will now be more
prevalent in the practice. This increased scrutiny is not something that practices
are currently funded for or trained to cope with, particularly as GPs do not
ration care on the basis of eligible/non-eligible Medicare guidelines; rather
they seek to improve the health outcomes of any person that requires treatment
or advice. The proposed approach passes the responsibility of managing the
physical process for checking a patient's eligibility to access an Australian
Government rebate to the practice without acknowledging this in the
legislation.[26]
3.54
The Committee is concerned that the AGPN's comments reflect a lack of
information about the training and other assistance which will be given to
service providers to manage situations involving improper use of the card.
Risks of counterfeiting
3.55
To put the question of the photograph and fraud in perspective, the
Committee was concerned about the risk of the access card being counterfeited
and whether including a photograph on the card may support fraudulent activity
by providing an extra layer of legitimacy to false identities.
3.56
With regard to counterfeiting, one witness suggested:
...I think there are vast commercial opportunities available to a
whole lot of people in shady alleys as a result of this who will be selling
lovely copies of the plastic of the ID, for example, to go down to your local
video store, which will not have a reader, and show them a fake version of an
ID card. There are great commercial opportunities that are going to grow with
that.[27]
3.57
Another witness referred the Committee to concerns expressed by
government figures about the risk of counterfeiting:
In fact, at the Australian smartcard summit on 29 June 2005, the Attorney-General said that a national ID card 'could increase the risk
of fraud because only one document would need to be counterfeited to establish
identity'. This was supported by the Commissioner of Taxation, who warned that
the access card proposal, if implemented, was likely to lead to a rise in
identity theft. It is just naïve to assume from the moment that this was
proposed there was not already an industry being put in place to produce its
own identity cards. If the government can make it, criminals can also copy it.
So it does not actually support the case that it will combat identity fraud.[28]
3.58
The Committee is concerned that a lack of information about the risk of
counterfeiting, and the possibility of false identities being entrenched and
widely disseminated through inclusion of photographs on the card surface, makes
it difficult to judge the extent to which the bills' objective of combating
fraud will be achieved.
3.59
While the access card's security features appear stronger than the
current Medicare card, it cannot be assumed that it will not be vulnerable to
corruption and misuse. The question of the risk of counterfeiting the access
card needs to be included in any assessment of the card's impact in countering
fraud.
Conclusions
3.60
The Committee concludes that decisions about information displayed on
the surface of the card must be informed by the two stated major objectives of
the bill: facilitation of access to health and social services, and reduction
of fraud against the Commonwealth. While it is recognised that certain groups
of people may also find the card to be of convenience for accessing
concessions, these are ancillary issues and should not be used to justify the
architecture of the access card system.
The photograph
3.61
On the basis of the evidence, the Committee has concluded the inclusion
of a biometric photograph on the surface of the card increases the likelihood
of the access card becoming a de facto national ID card. It is
noteworthy that it may not be necessary that the photograph should appear on
the surface of the card for the purpose of providing Government services if the
providers have access to appropriate card readers.
3.62
The Committee notes the Department of Human Services' supplementary
submission which states that there would be considerable cost involved in
providing terminals capable of reading the card to agencies, doctors,
pharmacies and third party providers. However, the Committee considers that the
cost of investing in public infrastructure is offset by the protection of
essential privacies and freedoms, and that these should be balanced
appropriately. The Committee considers that the government should consider
providing appropriate terminals or readers to those agencies and providers providing
benefits and services to access card holders.
3.63
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether the government consider
providing appropriate terminals or readers to those agencies and providers
providing benefits and services to access card holders.
The signature
3.64
The Committee does not consider that the inclusion of a digitised
signature on the surface of the card is necessary to achieve the bill's two key
objectives when it is also held in the card's chip and on the register. The
main rationale for mandatorily including the signature (that it will facilitate
identity assurance where a card holder is not present) is weakened when it is
recognised that agencies providing benefits in the absence of a card holder
will also have access to data in the Commonwealth's area of the chip, through
which a signature on a form may be verified.
3.65
Professor Fels told the Committee that including the signature on the
card would mean:
It is one more piece of centrally stored data, and one should
exercise a bit of caution and be satisfied that there is a reasonable case for
actually having stored somewhere millions of signatures. I think there are some
reasonable arguments for making this a matter of choice.[29]
3.66
Similarly, the Committee heard the Privacy Commissioner's view that 'the
individual should also be able to choose whether their photo and their
signature are displayed on the face'.[30]
3.67
The Committee also noted, however, that there may be circumstances,
generally relating to particular card holder groups, in which the inclusion of
a signature on the surface of the access card could be helpful in verifying a
card holder's identity. The Office of Access Card's supplementary submission
noted that some Department of Veterans' Affairs (DVA) benefits are provided in
the veteran's home, and that:
The veterans' community was particularly in strong favour of
retaining the digitised signature on the surface of the card to enable the
transaction of their unique benefits.[31]
3.68
In these circumstances, having a signature displayed on the surface of
the card will add another element of surety to verification of a card holder's
identity. The Committee considers that the best way of resolving this tension
is to make the inclusion of a digitised signature on the surface of the card a
matter of choice for individual card holders.
The card number
3.69
In relation to inclusion of the card number on the surface of the card,
the Committee noted the evidence given by Professor Allan Fels which
highlighted the relationship between having the number on the card and having a
unique personal identifier, and that business methods may be adapted to privacy
concerns, rather than the reverse.[32]
Professor Fels told the Committee that:
We originally leant against the idea of a number being on the
card, but we see much merit in the idea that it is the option of the card
holder whether or not there is a number on their card.[33]
3.70
The Committee considers there is a balance to be struck between privacy
protection and increased convenience, and concurs with Professor Fel's view
that this is best achieved through allowing individual card holders the choice
of having their number included on the card surface or not.
3.71
The Committee is aware that some Australians will choose to forego
certain privacy protections in favour of the convenience offered by the access
card. It is also mindful of the fact that personal opinions on the balance of
privacy versus convenience are likely to evolve over time, with individuals
choosing to include or exclude different items of personal information on the
card at different times.
3.72
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether the only mandatory
information displayed on the surface of the card should be the card holder's
name and that other information should be at the discretion of the card holder.
The chip inside the card
3.73
A number of concerns were raised about the chip inside the proposed
card. Some witnesses and submissions claimed there is a lack of clarity about
the rationale for having a personal area on the chip. They were also concerned
about the bill's silence on what information would be stored in the personal
area and how it would be protected and managed.[34]
The personal area of the chip
3.74
In particular, concerns have been raised about the suggestion that
sensitive health information may be held in the personal part of the chip and
be available to health professionals in certain situations, such as
emergencies. This issue was covered in a discussion paper released by the
Access Card Consumer and Privacy Taskforce on 21 February 2007,[35]
which favoured the inclusion of minimal necessary medical information in the
chip, accompanied by a robust system of authentication and verification. The
Taskforce also noted that:
To be of any use, the data must be readily and easily
accessible. This means that anyone with an approved reader...will necessarily be
able to view it...As such, card holders who choose to make use of this system
must accept that they are putting sensitive personal information, effectively,
into the public domain...[36]
3.75
This issue highlights the question of achieving a balance between
protecting privacy and providing some private details which could be of vital
importance in life-or-death situations.
The Commonwealth's area of the chip
3.76
Discussion of the Commonwealth's area of the chip highlighted the
interface between information held there, information held on the register and
information held in individual agency databases. There was concern about the
data sharing arrangements between these holdings, and whether privacy would be
adequately protected. This is discussed later in the section on the register.
3.77
The ability of numerous agencies and individuals to access information
in the card by using the card's identifying number also raised privacy
concerns. It was suggested that the use of a single identifying number by multiple
agencies and individuals encourages the possibility of the card becoming a de
facto national identity card, and facilitates unauthorised access to a
wider range of personal information. The Privacy Commissioner told the
Committee that:
This creates a situation where more than one agency can hold a
common government issued identifier for a single individual. The risk here is
that the ease of matching those records may in the future increase the
temptation to change existing restrictions on information sharing between
agencies and thus the framework for large-scale data matching could be in
place.[37]
3.78
The Committee heard that a possible solution to this problem could be to
store existing agency identifiers in the Commonwealth part of the chip, so that
when an individual docked a card at an agency the agency number rather
than the access card number would be identified. The Privacy Commissioner told
the Committee that:
I believe that information that may be necessary for a
particular agency to determine whether a benefit is payable to an individual
should be kept in the individual's record with that agency rather than
attempting to establish a central point from which identity verification and
eligibility for benefits and services can be determined.[38]
3.79
The proposed arrangement would satisfy the objectives of the bill to
facilitate access to health and welfare benefits, while protecting an
individual's access card number and private information across different
databases.[39]
Conclusions
3.80
The Committee acknowledges concerns about the lack of information in the
bill regarding the personal area of the card and considers this issue must be
dealt with as a priority.
3.81
In relation to sensitive health and medical information being placed on
the personal area of the chip, the Committee concurs with the Access Card
Consumer and Privacy Taskforce's observation that this issue highlights the
balance which needs to be struck between maintaining personal privacy and
making information available for the wellbeing of the card holder. The
Committee concludes that the question of what information should be placed on
the chip is most appropriately left to the discretion of individual card
holders, in consultation with medical staff.
3.82
The Committee also notes suggestions from the Privacy Commissioner that
the bill's objective of facilitating access to health and social services and
welfare benefits, while protecting a card holder's personal information held in
different databases, could well be achieved by storing existing agency identifiers
in the Commonwealth area of the chip. The Committee supports examination of
this option as a matter of priority.
3.83
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether the Commonwealth area
of the chip should store existing agency identifiers and that these numbers should
be used when linking a card to a participating agency database, rather than the
access card number.
The register
3.84
Personal information about access card holders will be recorded during a
registration process and stored on a database known as the register. Clause 16
of the bill requires the secretary to establish and maintain the register.
Clause 17 specifies the information to be stored in it.
3.85
The register will be a single database storing basic identity
information – name, date of birth, citizenship or residency status and so on – including
a photograph and numerical template of a person's photograph as a security and
verification measure. It will also include the card holder's digitised
signature if it appears on the surface of the card.
3.86
The department stated the register would not amalgamate personal
information stored on other government databases, which would continue to be
maintained separately by other agencies. It emphasised the register would not
be a 'mega database containing health, veterans' and social service records'.[40]
Instead, the register is intended to provide basic information necessary for
the payment of health benefits, veterans' and social services delivered by or
on behalf of the following participating agencies:
- Centrelink
- Medicare Australia
- Australian Hearing Services
- Health Services Australia Ltd
- Department of Veterans' Affairs (DVA) and
- Department of Human Services (DHS) including the Child Support
Agency and CRS Australia.
3.87
The department stated the register would not include or connect to taxation
records, census data or personal or financial records.[41]
3.88
The department's explanation of the reason for establishing a
centralised data system indicated that this avoided the need to amalgamate data
from participating agencies:
The Register is designed to sit as a secure gateway between the
card and the specific agency databases. Having a centralised register with only
the minimum necessary amount of customer registration data avoids the need to
integrate the data of all the participating agencies.[42]
3.89
Despite these assurances, the register, along with the issue of the
photo on the card's surface discussed above, is the most contentious element of
the access card system. The register gives rise to the prospect of the
government having unprecedented access to a single national database containing
the majority of Australia's adult population's basic personal information. It
is seen as presenting a major risk to personal privacy and security, not only
from government agencies but also other parties with malicious intent. The
Fels' Taskforce put the significance of the register into historical
perspective:
No previous Australian government, even in wartime, has
effectively required all its citizens to give it a physical representation of
themselves, nor contemplated having this stored in one national database.[43]
3.90
In evidence to this inquiry, the main concerns about the register
related to:
- the potential for the register to be used as a national identity
base, by virtue of its centralisation of vital personal information for most
Australians;
- access to the register, including by non-participating agencies
(such as security bodies and police) and non-authorised access by either
government staff or hackers;
- the amount of personal information to be stored in the register;
- the vulnerability of the register to external hacking;
- the discretion provided in the bill to the secretary and
minister; and
- the absence of Parliamentary scrutiny or disallowance.
3.91
The question of access is interconnected with concerns that the register
will gradually assume greater importance, leading to function creep and its
growing use as an identity system. The issues of access and discretion are
dealt with later in this chapter.
Personal information concerns
3.92
A major concern in evidence is that the register will store a range of
private information that would leave people at risk if the information were to
fall into the wrong hands. This concern relates particularly to the storage of
people's addresses and proof of identity documents. Ms Versey, the acting
Victorian Privacy Commissioner, pointed to the dangers this information
potentially poses to people's privacy and identity:
My specific concerns are that you will now have a register where
identity documents, such as birth certificates, are now copied onto the
register. This makes it a very rich source for those that want to indulge in
identity theft or want to take over identities...
... The less you have on the register the better. If you have a
source where you not only have all this personal information but also actually
have copies of the identifying documents themselves, then you have the whole
person's identity all in one place.[44]
3.93
Other witnesses suggested the inclusion of proof of identity (POI)
documents in the register provides the 'raw materials' for identity theft.[45]
3.94
A related concern is that, unless protected adequately, details about
people's address could leave them at risk of personal harm if this information
leaked out of the system.[46]
3.95
Concerns about the concentration of vital personal data in one database
also tie in with fears about the security of the system in which the
information is stored.
Security concerns
3.96
Several witnesses claimed the establishment of a single repository of
personal information would become a target or 'honey pot' for identity fraud
and privacy invasion.[47]
This gave rise to fears that the vast pool of personal information in the
register would be vulnerable to external hacking, on the ground that no
information system is entirely secure.[48]
Professor Greenleaf of the Cyberspace Law and Policy Centre summed up these
concerns:
The collection together of photograph, signature and an
undefined range of POI [proof of identity documents] create a system which is
an exceptionally high security risk for identity fraud from unauthorised
access... .[49]
3.97
The Fels' Taskforce recognised that the security of personal information
held on the register is of the utmost importance, especially for gaining public
confidence and trust in the access card system. Ensuring the photographic
database could not be hacked was particularly important in this regard.[50]
3.98
The department's evidence indicates it has a high degree of confidence
and faith in the security measures designed to protect information stored in
the register. It described the register's anti-hacking architecture as using
segregated or 'siloed' databases for different items of personal information:
To protect customer information, data in the access card system
is not held centrally in one place. No single officer will be able to access
all components of the system. The system is modular in design and comprises
separate databases (i.e. Secure Customer Database, Photo Database, Biometrics
System, Card Management System.) Hackers would be confronted by multiple
defences – isolated separate databases protected by many different levels of
security and encryption. Any attempt to hack the card would not result in
access to the system or any part of the system.[51]
3.99
Even if these security measures are currently robust, it is likely that
future technological advances will present both opportunities to enhance the
system's security but also pose threats to it. The Committee reaffirms the view
of the Fels' Taskforce that the security of the register's information should
remain an ongoing priority of the department and agencies supporting it.
3.100
The Defence Signals Directorate (DSD) is providing advice on the
security design of the system and will evaluate and certify its security
aspects. DSD will also test the security of system both before and after the
system is implemented.[52]
3.101
Professor Fels told the Committee he would be satisfied if DSD approved
the system after testing it. However, he also suggested that a twin-pronged
approach combining technological and legislative safeguards may be the best
guarantee of the system's security.[53]
The Committee examines the issue of legislative measures in the next section.
Absence of parliamentary scrutiny
or disallowance
3.102
Clause 16 provides for the secretary to establish and maintain the
register in any form or manner the secretary considers appropriate. The
explanatory memorandum states it is proposed to keep the register in electronic
form. Clause 16 (3) makes the register not a legislative instrument on the
ground that it is 'administrative in character'. This means the form and manner
in which the register is kept will not be subject to Parliamentary oversight or
disallowance.[54]
3.103
The Office of the Victorian Privacy Commissioner encapsulated concerns
over the absence of Parliamentary scrutiny or disallowance in relation to both
the maintenance of the register and the information kept on it. It noted that
the explanatory memorandum says the register will be kept separate from
databases maintained by other participating agencies and there will be no
centralised database holding all of a person's information in one place, but
that the bill does not expressly prohibit this. It went on to say:
The form and manner in which the Register is to be kept will
have a significant impact on the privacy interests of individuals and the
necessary security and other safeguards that must be considered and
established. This should be set out in legislation and prohibitions such as
keeping the Register separate from other data bases expressly stated.[55]
3.104
The Fels' Taskforce was also of the view that to enhance public support
for the access card scheme and win acceptance of it, decisions related to the
register should be reviewable by the Parliament.[56]
Professor Fels told the Committee that in considering the question of
safeguards:
... I would suggest that one should err on the side of caution in
this matter in terms of maximising the parliamentary review processes and
appeals and so on.[57]
3.105
The Committee also notes Professor Fels' view that parliamentary
oversight could complement technical measures to strengthen the security and
governance of the register.
3.106
Establishing an ongoing Parliamentary role in overseeing the register
would provide a channel for any community concerns to be raised and ensure
transparency over the way in which the register is maintained. In this regard,
it would also allow the Parliament to monitor the ongoing security of the
register and provide a safeguard in the event of security problems or any
expansion of the register's purpose arising. This would provide a significant
measure for maintaining public confidence in the access card system.
Conclusion
3.107
The establishment of the register is a new measure of national
significance with far reaching implications for the privacy and security of
most Australians' personal data. It is vital that the necessary level of
transparency and oversight is also established to monitor its use. The current
bill does not provide these necessary mechanisms.
3.108
The legislation should provide for Parliamentary scrutiny of the
maintenance of the register and review of any decisions to alter the manner and
form in which it is kept or the personal information to be recorded in it. The
bill should also stipulate that the register will be kept separate from other
agency databases (both participating and non-participating agencies) and there
will be no centralised database holding all of a person's information in one
place.
3.109
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether the form and manner in
which the register is to be kept should be set out in legislation and
prohibitions such as keeping the register separate from other data bases should
be expressly stated.
Discretions and Delegations
Discretions
3.110
Liberty Victoria identified 29 separate discretions that are vested in
the minister by the bill, which include 23 discretions vested in the secretary
that are subject to ministerial direction under Clause 8 of the bill. According
to that witness many of these discretions affect the operation of the Bill in
fundamental ways, e.g. those permitting certain persons not to register and
those affecting the information which must be provided for proof of identity,
for inclusion on the register and for inclusion on the card.[58]
3.111
It was alleged that these and other non-reviewable provisions would
facilitate 'function creep' by providing for discretions in the secretary and
minister to make decisions that would expand the system, but that would be not
disallowable by Parliament. [59]
3.112
At a more fundamental level there is also a concern that the bill 'vests
extraordinarily wide discretions in both the Minister and the Secretary of the
Department of Human Services, which are tantamount to a delegation of
legislative power to them'.[60]
3.113
Such statements might lead to the conclusion that the bill would grant
the minister and secretary unfettered discretion in all matters.
3.114
Some discretions are to be exercised by way of legislative instruments
that are disallowable. These include discretions that would allow the minister
to add personal information to the register or to the Commonwealth area of the
chip (Clauses 17(1)(17)(b) and 34(1)(17)(b)). The bill also requires the
minister to determine guidelines that must be taken into account by the
secretary when making certain decisions relating to applications and
registration by way of a disallowable legislative instrument (Clause 66).
3.115
However, even these provisions are contentious. For example, the
Government submitted that the secretary would not have the power to add
personal information to the Register and that only the minister could do that
by disallowable legislative instrument.[61]
The Cyberspace Law and Policy Centre (CLPC) argued, however, that the secretary
would have power to add personal information under Clause 17(1) (12). CLPC
contended that proof of identity documents dealt with in that sub-clause are
personal information. The witness suggested that perhaps the secretary does not
have the power under the bill to add 'new classes (in original) of personal
information to the Register'.[62]
3.116
Such contentious issues aside, there remain many areas of discretion in
the bill where no Parliamentary oversight or external review is provided.
3.117
The Victorian Privacy Commissioner observed, for example, that Clause 16
gives the secretary wide discretion to determine the form and manner in which
the Register is kept. The Commissioner recommended that because these matters
will have a significant impact on the privacy interests of individuals they
should be set out in the legislation or regulations.[63]
3.118
The Australian Government Office of the Privacy Commissioner informed
the Committee that the following determinations should be subject to additional
oversight mechanisms, independent review, clear Ministerial direction or
specific criteria, including determining:
- what proof of identity (POI) information and documents are needed for
registration (s 13(2));
- the form or manner in which the register may be kept;
- what information about an individual's benefit cards will be held on the
register and the chip (respectively – s 17, item 7; and s 34, item 10); what
proof of identity (POI) information and documents are needed for registration
(s 13(2));
- what proof of identity documents (or information about those documents)
will need to be scanned and placed on the register (s 17, item 12); and
- when applying for an access card, what 'other specified information' or
documents that the secretary deems necessary: (i) to be satisfied of the
applicant's identity, or (ii) to obtain information required for the card or
the register (s 23(2)(b)
3.119
The Office suggested that items a), d) and e) in particular should be
subject to parliamentary scrutiny.
3.120
The Office also suggested that the bill could usefully promote community
confidence by including a general provision that these powers be exercised in
consultation with the Privacy Commissioner. It considered that section
212(2)(a)(vi) of the recently enacted Anti-Money Laundering and
Counter-Terrorism Financing Act 2006 provides a possible example of such a
provision.[64]
[65]
Retention of proof of identity
documents
3.121
A number of witnesses were particularly concerned by one discretion
provided for in the bill. This discretion enables the secretary to make
determinations about the retention of proof of identity (POI) documents
(subclause 17(2)).
3.122
Subclause 17(2) provides that Item 12 is not a legislative instrument
and therefore not subject to Parliamentary oversight.
3.123
The Privacy Commissioner stated that:
A general principle of privacy law is that you collect
information for a particular purpose and, once that purpose is no longer
required, you delete your information unless there is a reason to keep it. We would
suggest that, once verification has occurred, there should be no need to
actually keep those scanned documents.[66]
3.124
Ms Carol Berry from the Public Interest Advocacy Centre pointed to the
risks of storing POI data. She said that:
The bill also has other core problems. Copies of identity
documents may be kept alongside identity information on the register, for
example. The bill specifies that under clause 17, item 12, copies of documents
used to prove identity may also be kept in the register. PIAC is concerned by
the lack of justification for keeping copies of documents beyond their use for
the purpose of verifying identity and the lack of clarity under [which] circumstances
this may occur. We believe that this is an inherent risk in relation to the
possibility of identity theft.[67]
3.125
The Fels' Taskforce in its first report advanced strong arguments
against the retention of copies of proof of identity documents in the system
and recommended that POI documents should not be scanned, copied or kept on
file once those POI documents have been verified.[68]
3.126
The government agreed to try to implement the recommendation.[69]
The department submitted that:
Consistent with the Australian Government response to
Recommendation 20 in Report 1 of the Consumer and Privacy Taskforce, we are
exploring relevant legislation (including the Archives Act) and business
process with a view to establishing processes so that POI documents or copies
of them are not kept once they are no longer required for verification or fraud
purposes.[70]
3.127
In response to a question on notice asked by a member of the Committee,
the National Archives of Australia (NAA) submitted documentation that DHS had
consulted NAA about the disposal of records accumulated or created by the
registration authority. The Committee has noted an observation made by NAA to
the effect that it is possible for the enabling legislation to make provision
for the control and ultimate disposal of documents without conflict with the
Archives Act.[71]
3.128
The Committee would expect that this will be one of the options that the
department will consider when trying to give effect to the Fels' Taskforce
recommendation.
3.129
Of more immediate interest is the current provision in item 17(1)(12)
that the secretary may make determinations to include POI documentation in the
register.
3.130
The department submitted that the secretary may make determinations to
add 'technical or administrative information' to the register. Retention of
proof of identity documents under 17(1)(12) apparently is considered to be an
addition of 'technical and administrative information'.
3.131
The department considered the Fels' Taskforce recommendation to include 'technical
and administrative information' in a legislative instrument but declined to
accept the recommendation. The department argued its decision was based on the
ground that much of the information relates to security matters and that
'Releasing the details of such information would provide a blueprint for
hacking into the system'.[72]
3.132
The Committee has difficulty understanding how retained copies of proof
of identity documents may, on the one hand, be defined as 'technical or
administrative information' and yet, on the other, how the making of a
secretary's determination relating to the retention of these documents would
provide a 'blueprint for hacking into the system'.
3.133
The Committee considers that determinations made under item 17(1)(12) should
be disallowable legislative instruments. The Committee is also of the view that
proof of identity documents should be destroyed as soon as a person's identity
is verified.
Delegations
3.134
The delegation of functions under the bill was a matter of great concern
to some witnesses. The delegation provisions were also raised by the Senate
Committee on the Scrutiny of Bills.
3.135
That committee, in Alert Digest 2/07, commented on the provisions of
Subclauses 68(1), 70(1) and 71(1) that permit the minister and the secretaries
of human services and veterans' affairs to delegate many of their powers and
authorities to a wide group of persons. The committee noted that there was
little explanation of these wide discretions in the Explanatory Memorandum and
sought the minister's advice:
as to whether the various subclauses relating to delegation of
power might impose some limit on the type or nature of the powers and functions
which may be delegated in any particular instance, along the lines of the
limitation in proposed new subsection 95A-11(2) of the Aged Care Act 1997,
which requires the Aged Care Commissioner, in exercising his or her powers to
delegate, to ‘have regard to the function to be performed by the delegate and
the responsibilities of the APS employee to whom the function is delegated'.[73]
3.136
The Scrutiny Committee drew senators' attention to those provisions 'as
they may be considered to make rights, liberties or obligations unduly
dependent upon insufficiently defined administrative powers ...' [74]
3.137
The Australian Government submitted that the delegation provisions in
the bill are consistent with the usual delegation provisions in Commonwealth
legislation,[75]
but that the Office of the Access Card was currently undertaking consultations
before finalising the policy with respect to delegations.[76]
3.138
It is not clear to the Committee what the latter statement means. Is the
Government reconsidering the provisions relating to delegations or is it merely
consulting on how the provisions are to be effected?
3.139
The Committee would expect in the light of community concerns and
particularly the concerns of the Senate Scrutiny of Bills Committee that the
Government will revisit the whole matter of the delegations provided for in the
bill.
Conclusions
3.140
The Committee has concluded that public and parliamentary confidence in
the Access Card would be enhanced if more legislative provision were made for
Parliamentary and other external review (such as the Senate Standing Committee
on Regulations and Ordinances), especially of the bill's more contentious
elements. The suggestions made by the Privacy Commissioner in that regard about
this bill would be of particular value. This would require that the bill be
amended appropriately.
3.141
The wide-ranging delegations provided for in the bill are also an issue
that should be addressed by the Government in this legislation, particularly in
the light of the Scrutiny of Bills Committee's concerns.
3.142
The Committee understands that at least some of the matters relating to
the discretions provided for in the bill have been considered in the Consumer
and Privacy Taskforce's discussion paper on registration that has only very
recently been provided to the minister.[77]
3.143
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether the following determinations
should be made by way of legislation or disallowable legislative instrument:
- what proof of identity (POI) information and documents are needed
for registration (clause 13(2));
- what proof of identity documents (or information about those
documents) will need to be scanned and placed on the register (clause 17, item
12); and
- when applying for an access card, what 'other specified
information' or documents that the secretary deems necessary: (i) to be
satisfied of the applicant's identity, or (ii) to obtain information required
for the card or the register (clause 23(2)(b)).
Administrative review
3.144
There are no provisions in the bill for the administrative review of
decisions.
3.145
This matter was raised in the Scrutiny of Bills Committee's Alert Digest
referred to earlier in this section of the report. The committee drew senators'
attention to the fact that the absence of appeal rights in the bill might make
rights, liberties or obligations unduly dependent on non-reviewable decisions.
3.146
The Government has stated in the Explanatory Memorandum that the bill
does not provide any express administrative review mechanisms and that these
mechanisms will be included (together with several other matters, including
privacy issues and governance) 'in the second tranche of legislation'.
3.147
The Government has given an undertaking that:
Appeal rights will not be diminished and will be consistent with
those in place for existing cards and entitlements. The form of that review
mechanism will be the subject of advice from the Taskforce.[78]
3.148
The Scrutiny of Bills Committee has sought the minister's advice as to
whether appeal rights could be included in this bill, together with the
decision-making powers. [79]
Conclusions
3.149
No doubt the minister will respond promptly to the concerns of the
Scrutiny of Bills committee. In framing those provisions the Government should
be mindful that this is an issue of great concern to many in the community.
Access
3.150
Many witnesses were concerned about the matter of who would have access
to the Register and to the card.
3.151
The Public Interest Advocacy Centre (PIAC), for example, submitted that
it is unclear who would have access to the database that is being created as a
core part of the scheme.[80]
The Victorian Privacy Commissioner stated that the bill is silent as to who
will be able to access or use information on the Register, and for what purpose.[81]
3.152
Both witnesses considered that the question of access should be explicit
in the legislation. PIAC proposed that the issue of access should be addressed
in the principal legislation rather than in subordinate regulations.[82]
The Victorian Privacy Commissioner recommended that the bill should address who
has access to the information on the Register, and for what purpose and stated
that, 'The Bill should not be passed without addressing this issue'.[83]
3.153
The Government stated that:
Only authorised people will be permitted access to your
information and they will have access only to those fields of information that
they need to deliver health benefits and veterans' social services to you.
Transactions involving the card will be securely logged, including access,
authentication and the specific details of the transaction. All logs will be
analysed constantly for anomalous behaviour. [84]
3.154
The Government informed the Committee that it had been suggested in some
submissions to the exposure draft of the bill that the definition of
'authorised persons' needed clarification and that the category of Commonwealth
officers who could be authorised was too broad. The Government had responded to
those concerns by providing that Commonwealth officers from non-participating agencies
must be in an agency listed in the regulations.[85]
Authorised persons
3.155
The term 'authorised person' is defined in Clause 72. That clause
provides that the Secretary may, in writing, appoint:
- a Commonwealth officer in a participating agency: or
- a Commonwealth officer prescribed by the regulations; or
- an individual prescribed by regulations;
to be an authorised person for the purposes of a specified
provision of this Act in which the expression 'authorised officer' occurs
3.156
The 'participating agencies' are specified in Clause 5 and are;
- The Department of Human Services
- The Department of Veterans Affairs
- The Chief Executive Officer of Medicare Australia
- The Chief Executive Officer of Centrelink
- Australian Hearing Services
- Health Services Australia Limited
Participating agencies
3.157
If the Access Card is to meet its objective of improving access to
Government benefits, it is obviously necessary that employees of the
participating agencies must have access. There are concerns, however, that
other agencies, especially those with investigative functions, such as the
Australian Taxation Office, may have access to the Register.
3.158
It is clear from Clause 72 that this would require that a disallowable
regulation be tabled in the Parliament. However, an amendment to the legislation
to appoint additional participating agencies would be a much more transparent
and positive process.
Conclusions
3.159
The Committee would prefer that all proposals to add additional
participating agencies and to appoint other organisations and individuals as
authorised persons should be by way of legislation, rather than by regulation.
It considers that the current provision to make appointments by way of
disallowable regulations in most cases may represent a reasonable compromise
between the need for parliamentary accountability and the administrative and
legislative load that could be involved if all appointments were to be made by
legislation.
3.160
Nevertheless, given the apparent high levels of community concern and
the fact that the access card is not an identity card, proposals to appoint any
additional participating agencies should be made by way of legislation.
3.161
An interesting issue that arose during the inquiry was the desire of the
Australian Federal Police (AFP) to have investigating officers exempted from
the offence provision in Clause 57 that prohibits unauthorised persons from
copying the information or imaging the card.[86]
If the AFP were to be given a specific exemption or if the AFP were to be
appointed a participating agency, that should be done by way of legislation.
3.162
The Committee considers that the government should take the following
matter into consideration when drafting the consolidated bill:
Whether any
proposals to appoint additional participating agencies should be made through
legislative amendment of the principal act.
Access to information on the chip
3.163
DHS informed the Committee that access to information on the
Commonwealth's areas of the chip will be as follows:
- approved Department of Human Services (DHS) and Department of Veterans'
Affairs (DVA) officers and officers of agents issuing the access card. DHS and
DVA will use secure terminals operated in a secure environment by approved
officers.
- Pharmacists and general practitioners will use secure terminals to
access limited information. That information is expected to be limited to the
person's name, concession status and Medicare number. Software controlling the
card readers will be used to customise and limit the information which can be
seen on a need to know basis.
- Third party concession providers will use readers that will only reveal
concessional status.[87]
3.164
It has not yet been decided what information will be included in the
consumer area of the chip. Nor has a decision been made about how any such
information may be viewed or updated. According to DHS:
Procedures for viewing and updating of information in the
consumer area of the chip are the subject of separate consultations being
conducted by the Consumer and Privacy Taskforce.[88]
3.165
This once again highlights the inadequacy of the piecemeal nature of the
legislative process of this bill.
Law enforcement and national
security agencies
3.166
The question of access for law enforcement and security agencies was
pursued during the inquiry.
3.167
The AFP currently has access to DHS databases and other information held
by Commonwealth agencies under certain legislative conditions and under certain
defined conditions may not require a warrant to access that information. The
Australian Security Intelligence Organisation (ASIO) may also gain access to the
current databases without a warrant, but apparently may do so only at the
discretion of the secretary. In a supplementary submission, DHS confirmed oral
evidence given at previous Senate committee hearings that:
... ASIO may ask DHS for information from the access card
Register. DHS has the discretion to give or not give that information to ASIO.
If DHS does not give that information to ASIO, ASIO can only compel DHS to give
that information to it in accordance with a search warrant issued pursuant to
the ASIO Act 1979.
The Director-General of Security has already outlined ... the
significant safeguards and accountability mechanisms to which ASIO is subject. [89]
3.168
Ms Scott, Secretary of the Department of Human Services, informed the
Committee that in the past two and a half years she had only on one occasion
refused a request from a law enforcement agency for access to information,
apparently because the request was not sufficiently defined.[90]
3.169
Professor Fels suggested that AFP and ASIO access to the register should
be set up in the access card legislation if possible, rather than relying on
other acts.
Conclusion
3.170
The Committee considers that access to a single database covering the
great majority of the Australian population, complete with biometric data,
would no doubt greatly facilitate the work of the law enforcement and security
agencies. Whether this would necessarily be compatible with the government's
stated objectives for this legislation is another question.
3.171
The Committee has also concluded that the Secretary of the Department of
Human Services should report on the exercise of discretion in relation to the
access requests made by the law enforcement and security agencies. This could
perhaps be done in the department's annual report in such a way as not to compromise
any operational matters or matters of national security.
3.172
The Committee saw value in the Professor Fel's suggestion that access
for the law-enforcement and security agencies should be set out in the access
card legislation, rather than in other acts.
3.173
The Committee considers that the government should take the following
matters into consideration when drafting the consolidated bill:
Whether access of law
enforcement and security agencies to the information in the register should be
specified in the access card legislation; and
Whether any exercise of
discretion by the secretary of DHS to grant law enforcement or security
agencies access to the register should be reported to the Parliament, perhaps
in the agency's annual report in such a way as not to compromise operational
matters or national security.
Individuals prescribed by
regulations
3.174
Providers of services such as medical practitioners will require access
to sufficient information on the card to enable them to provide a service for
which people may claim a Government benefit. Presumably the secretary will seek
to appoint medical practitioners and pharmacists as a class of 'authorised
persons'.
3.175
The Committee understands that these individuals would have access only
to those features on the card that would be required to perform a service, such
as a GP consultation, and that the system would employ a range of technological
protections.[91]
Given that DHS expects that there will be 50,000 terminals,[92]
the scheme's success will rely heavily on the choice and application of robust
and appropriate technology to ensure that these protections are delivered.
Offences
3.176
In the little time that the Committee had to consider this bill, it was
not possible to cover all the issues raised in the evidence concerning the
penalties that would be imposed by this legislation. The following comments
relate mainly to the penalties imposed by Part 4, Division 2 – Offences for
requiring production of an access card, and to an issue relating to Clause 57 –
Unauthorised copying.
Clauses 45 and 46
3.177
According to the Explanatory Memorandum a major objective of the
Government's policy is that access cards are not to be used as national
identity cards and for that reason, Clause 45 makes it an offence for persons
intentionally to require a card holder to produce the card for identification
purposes. Clause 46 prohibits persons from intentionally requiring a card
holder to produce his or her card as a pre-condition to the supply of goods or
services.[93]
3.178
A matter of concern to some witnesses was that these provisions could be
breached through ignorance because many people are accustomed to demanding
proof of identity, for example, to verify that certain people are entitled to
concessions. It was suggested that this could lead to so many breaches of the
offences provisions as to bring the entire Act into disrepute. Another issue
that concerned some witnesses is that it might be difficult to bring successful
prosecutions under these provisions. [94]
3.179
The privacy guarantees included in the bill are well intentioned, but
the Committee is of the view that there are serious questions about their
efficacy in practice. In fact, some of these provisions could, in fact,
militate towards the repeal of the very privacy provisions that they are
intended to protect.
3.180
The Committee is concerned about the possibility that clauses 45 and 46 could
become dead letter law because they impose draconian penalties on behaviour
that is both rational and morally harmless. These provisions of the bill will
criminalise behaviour that is an almost inevitable consequence of this same
legislation. It is logically questionable for the government to create a
document that can serve perfectly as a high quality identity document, and then
to penalise those in the private sector who would want to use it for precisely
that purpose.
3.181
It will be entirely logical for persons whose job entails requiring
proof of identity to prefer the most authoritative and high quality document
possible. So from nightclub bouncer to airline check-in clerk, the temptation
to ask for the access card as a form of ID will only be exceeded by the
willingness of individual Australian citizens to produce that same document in
the face of such a request. The government provides no compelling explanation
for the argument that requiring a drivers’ licence as proof of identity should
be legitimate, while requiring an access card as proof of identity should be
punishable by 5 years imprisonment.
3.182
The Committee is concerned about the likelihood that this provision will
become widely ignored in practice. This prediction is supported by evidence
from NSW, where it is illegal to require a state drivers’ licence as proof of
identity.[95]
This law has routinely been ignored throughout NSW since its enactment with only
three charges having been brought from 1993 to 2005.[96]
3.183
Thus it is easy to envisage the following scenario: after almost
universal registration for the access card, clauses 45 and 46 will be
demonstrated to be both ineffective and excessively punitive. There will be
widespread pressure on the government from a business community that is highly
dependent upon reliable identification documents to repeal the dead letter,
draconian prohibition against requiring the access card for that purpose. In
fact, even before the bill has been enacted into law, the Australian Bankers
Association argued for the deletion of clauses 45 and 46 during testimony at
the Committee’s hearings in Melbourne.[97]
Some would argue that the removal of these clauses would eliminate the final
obstacle to the access card becoming a de facto national identification
card.
3.184
The Government has responded that when the card is introduced there will
be a publicity or education campaign that will inform people of these
provisions.[98]
On the second issue identified above, Dr Karl Alderson, an Assistant Secretary
in the Attorney-General's Department, stated that some Commonwealth criminal
offences are never or rarely prosecuted but still perform a very important
role, for the following reasons:
Firstly, they act as a clear statement of what people’s rights
and obligations are so that it is clearly set out and people know where they
stand and know what they must do.
Secondly, for those tempted not to comply, the severe criminal
penalties are designed to act as a deterrent so that people are conscious of
how serious the consequences of a breach would be.[99]
3.185
Dr Alderson asserted that the offences provisions in the bill had been
drafted to make it possible to effectively prosecute. [100]
Clause 57
3.186
The Australian Federal Police (AFP) informed the Committee that the AFP
is concerned about the offence provision in clause 57, which would make it an
offence for an unauthorised person to copy or record information from the card.
It was claimed that without the ability of law enforcement officers to copy
information or image the card itself, intelligence analysis and investigative
activity could be significantly impeded.
3.187
It is the AFP's position that law enforcement staff need to be
specifically excluded from this offence provision when carrying out law
enforcement functions.
Conclusions
3.188
The Committee understands that many of the offence provisions in the
bill have been inserted in an attempt to ensure that the access card does not
become a national identity card. Whether these provisions will have that effect
cannot now be known, but much of the evidence suggested that the card will be
widely used by people to establish their identity.
3.189
The Committee considers that the provisions of Clauses 45 and 46 are
consistent with the bill's stated object that access cards are not to be used
as, and do not become, national identity cards, and they are not objectionable.
However, the Committee considers that in all probability these provisions will
be ignored in practice and will become dead letter law. If so, they will not
operate as the Government intends and will not be an obstacle to the access
card becoming a national identity card.
3.190
As regards the request that AFP investigators should be exempt from the
provisions of Section 57, the Committee notes that the bill does not provide
for this. If the Government were minded to meet the request, the Committee
repeats its earlier conclusion that this should be done by way of legislation.
Issues not considered
3.191
The Committee has listed below a number of issues of concern to which,
due to time constraints, it has been unable to give adequate consideration:
- Whether the Privacy Act provides adequate protection in relation
to the proposed access card system;
- Tensions between this bill and other Commonwealth legislation,
particularly the new anti-money laundering legislation;
- Tensions between this bill and state and territory legislation
and benefits regimes;
- The adequacy of fraud estimates;
- Function creep in relation to State and Territory benefits and
commercial or financial uses of the card;
- Implications of the access card regime for young people and youth
services;
- Technical issues, particularly the extent to which necessary
technology is available in Australia, the interaction of different agency
datasets and ownership and management of the new dataset if this is contracted
out as proposed;
- Implications for specific groups in society, particularly people
who are blind or vision-impaired, indigenous people and women; and
- More detailed information on the proposed offences and penalties
associated with the access card proposal, particularly the disproportionate
nature of proposed penalties compared with current penalties for similar
offences.
Conclusion
3.192
In the little time the Committee has had to consider the bill, a number
of matters of concern have arisen. Furthermore, important measures that need to
be taken into account including protections, appeals and review mechanisms are
to be considered in a second tranche of legislation. The Committee has
concluded that it is not possible to assess the proposed access card system in
the absence of these safeguards and other measures. The Committee considers
that the bill needs to be combined with the second tranche of legislation into
a consolidated bill to allow proper consideration of the access card proposal.
Recommendation 1
3.193
The Committee recommends that the bill be combined with the proposed second
tranche of legislation for the access card system into a consolidated bill.
Matters to be taken into account
3.194
In the process of drafting a consolidated bill for the access card
system, the Committee would expect the following matters to be considered:
- Whether the government should consider providing appropriate terminals
or readers to those agencies and providers providing benefits and services to
access card holders.
- Whether the only mandatory information displayed on the surface
of the card should be the card holder's name and that other information should be
at the discretion of the card holder.
- Whether the Commonwealth area of the chip should store existing
agency identifiers and that these numbers should be used when linking a card to
a participating agency database, rather than the access card number.
- Whether the form and manner in which the register is to be kept should
be set out in legislation and prohibitions such as keeping the register
separate from other data bases should be expressly stated.
- Whether the following determinations should be made by way of
legislation or disallowable legislative instrument:
- what proof of identity (POI) information and documents are needed
for registration (clause 13(2));
- what proof of identity documents (or information about those
documents) will need to be scanned and placed on the register (clause 17, item
12); and
- when applying for an access card, what 'other specified
information' or documents that the secretary deems necessary: (i) to be
satisfied of the applicant's identity, or (ii) to obtain information required
for the card or the register (clause 23(2)(b).
- Whether any proposals to appoint additional participating
agencies should be made through legislative amendment of the principal act.
- Whether access of law enforcement and security agencies to the
information in the register should be specified in the access card legislation.
- Whether any exercise of discretion by the secretary of DHS to
grant law enforcement or security agencies access to the register should be
reported to the Parliament, perhaps in the agency's annual report in such a way
as not to compromise operational matters or national security.
3.195
The matters to be taken into account listed above will be reassessed in
the event of the Committee's examination of a consolidated bill.
Senator Brett
Mason
Chair
Navigation: Previous Page | Contents | Next Page