Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 1
Submission to the Department of Human Services: Access Card Consumer and Privacy Taskforce
August 2006
Summary
The Office's comments on the Department of Human Services Consumer and
Privacy Taskforce's Discussion Paper No 1 recognise the access card proposal in
its wider context, as a system, rather than merely a standalone card. As
the Office understands it, the access card will be accompanied by significant
infrastructure, processes and policies, and accordingly it is necessary to
consider the privacy implications of the system in its entirety.
The Office recognises the access card's potential to deliver benefits to
individuals. However, in the Office's view, there is a need to ensure that the
benefits resulting from the introduction of the access card system are
proportional to any impacts on individuals' privacy.
The Office submits that the access card system raises a number of potential
privacy issues that need to be considered. To address these privacy issues, the
policy settings for the access card system should incorporate fundamental
privacy principles. Further, rather than attempting to rely on a single measure,
these principles should be given effect through a multifaceted framework
encompassing:
- design, including in regard to what choices are available to individuals,
particularly concerning how their images are handled (paragraphs 117-140), as well as the broader
systems architecture (51-69);
- technology, including by technology choices that display privacy-enhancing
characteristics (191-215);
- legislation, enacted to offer the community assurances that privacy
protections apply over all elements of the access card system, with appropriate
sanctions and remedies (218-232); and
- oversight measures, including measures that ensure that existing information
handling practices are appropriate, such as complaint handling and audit
functions (233-238), as well as a
transparent and accountable process for considering any future uses of the
access card system (239-249).
The Office submits that the development and implementation of the access card
system should be accompanied by a number of detailed Privacy Impact Assessments
(18-23).
Office of the Privacy Commissioner
1. The Office of the Privacy Commissioner (the Office) is an
independent statutory body responsible for promoting an Australian culture that
respects privacy. The Office, established under the Privacy Act 1988
(Cth) ('the Privacy Act'), has responsibilities for the protection of
individuals' personal information that is handled by Australian and ACT
government agencies, and personal information held by all large private sector
organisations, health service providers and some small businesses. The Office
also has responsibilities under the Privacy Act in relation to credit worthiness
information held by credit reporting agencies and credit providers, and personal
tax file numbers used by individuals and organisations.
Background
2. The Office welcomes the opportunity to make a submission to
the Department of Human Services' Access Card Consumer and Privacy Taskforce
('the Taskforce') in response to its Discussion Paper Number 1 ('the Discussion
Paper').[1] The Office welcomes this process as an important
contribution to meeting the Government's commitment to conducting thorough
community consultation concerning the access card.
3. The Office understands that the purpose of the Discussion
Paper is to inform the work of the Taskforce and the advice that it will provide
to Government, through the Department of Human Services (DHS), on the design and
implementation of the access card and its supporting system.
4. The Office has been consulted on proposals for a government
services smartcard since the Health Insurance Commission (now Medicare
Australia) proposed a Medicare smartcard in 2004. The Office has had ongoing
involvement through the Interdepartmental Committee (IDC) that, during 2005,
examined the potential use of smart technologies (including smartcards) for the
delivery of government services. The Office was subsequently consulted by DHS
during the development of the proposal that led to the Government's decision to
proceed with the Access Card in April 2006. Since then the Office has continued
to be consulted by DHS and, more lately, the Taskforce.
5. The Office would also point to other directly relevant
submissions it has produced:
- submission to the Australian Government Information Management Office on the
Australian Government e-Authentication Framework for Individuals Discussion
Paper (March 2006);[2] and
- submission to the Australian Government Information Management Office on the
Australian Government Draft Smartcard Framework (March 2006).[3]
Structure of this submission
6. The Discussion Paper outlines aspects of the access card
proposal, as informed by the business case developed by KPMG on behalf of DHS
('the business case'). Part 3 of the Discussion Paper provides a valuable
overview of some of the issues that require further analysis and discussion.
7. This submission will generally mirror the structure and
issues presented in Part 3 of the Discussion Paper beginning with what the
Taskforce has termed "matters of principle". The submission will then provide
general comments in regard to the broadly described "initial matters" raised in
pages 17-24 of the Discussion Paper. More substantial comment is provided in
regard to the five proposed "specific issues requiring further consideration"
these being:
- The Right of Choice
- The Right to and Protection of Privacy
- Customer Benefit and Customer Control
- Making the Right Technology Choices
- Authorisation and Accountability
Preliminary Comments by the Office
8. The Office's comments on the Discussion Paper recognise the
proposal in its wider context as a system, rather than merely a
standalone chipcard. As the Office understands it, the access card will be
accompanied by significant infrastructure, processes and policies, and
accordingly it is necessary to consider the privacy implications of this system
in its entirety.
9. The Office recognises the access card's potential to deliver
benefits to individuals. Drawing on information provided in the Discussion
Paper, these possible benefits are outlined below at paragraphs 32-33.
10. However, in the Office's view, there is a need to ensure that the benefits
resulting from the introduction of the access card system are proportional to
any impacts on individuals' privacy. Where such
impacts arise, consideration should be given to whether a given objective may be
achieved through any alternative means.
11. A number of references have been made to the potential for
the access card to be "privacy enhancing". The Office agrees that a well
conceived and designed smartcard system may enhance individuals' privacy.
However, it is essential that the term not be used lightly or without reasonable
justification. Design and implementation choices that may be less privacy
intrusive than other available alternatives should not be confused as being
privacy enhancing, when they are merely less intrusive.
12. In the Office's view, to meet the community's expectations
concerning privacy, it is necessary to ensure that fundamental privacy
principles underpin development of the proposal. Further, these principles
should be given effect through a comprehensive privacy framework that avoids
excessive reliance on a single form of privacy protection.
Incorporating fundamental privacy principles into policy settings
13. To be privacy enhancing, the access card proposal should
be developed with basic privacy principles reflected in its underlying policy
settings. Such principles should include:
- collect only what is necessary for purpose – an effective way of
promoting good privacy practice is to collect only the minimum amount of
personal information that is necessary to meet a clearly defined and articulated
purpose. Due recognition should be given to those circumstances where no
collection of personal information is necessary and where an individual should
be able to interact anonymously;[4]
- individual control - individuals should have control over how their
personal information is handled, afforded by offering a range of informed
choices that are accessible and freely exercised;
- use or disclosure for purpose - the system should minimise the risk
of individuals being surprised as to how their personal information is handled,
including by ensuring personal information is generally only used or disclosed
for the purpose for which it was collected;
- transparency – a high degree of transparency should accompany both
the process of designing and implementing the system, as well as its ongoing
operation, including by ensuring that there is openness in how the system
handles personal information and that individuals can access their personal
information and, where necessary, correct any inaccuracies; and
- secure handling of personal information – an element of enhancing
privacy will be measures that improve how securely personal information can be
handled, whether while in storage, during transmission or during use.
14. It is crucial to a privacy enhancing system that each of
these principles be advanced. For example, a system that increases the security
of personal information, while reducing an individual's control of personal
information may not enhance privacy overall. This would similarly be the case
for a system that offers some individual control, but collects far more personal
information than is necessary for the stated purpose of the system.
Necessity for a comprehensive privacy framework
15. The Office strongly recommends that a multifaceted
approach is essential to a robust privacy framework. A comprehensive framework
for privacy protection should be based on four elements, rather than attempting
to rely excessively on a single tool. These four elements can be expressed
as:
Design + Technology + Legislation + Oversight
16. In brief, these elements can be explained as:
- Fundamental system design, including card design, system architecture
and the parameters governing what information is collected and what information
flows are possible;
- Technological measures, including, but not limited to, data security
initiatives, as well as measures to minimise the degree to which existing
systems become increasingly integrated, a consequence of which may be new and
potentially privacy invasive flows of personal information;
- Legislative measures, including defining the extent of the functions
of the access card, proscribing purposes that fall outside those functions and
introducing sanctions for misusing any aspect of the system or the personal
information it handles; and
- Oversight mechanisms that promote confidence in the system by
assuring the community that the operation of the system is subject to stringent
accountability measures, including provision for audit and independent complaint
handling.
17. This submission will draw on this framework in responding
to the issues raised by the Discussion Paper. These elements should promote the
five basic privacy principles described in paragraph 13 above.
Privacy Impact Assessments
18. A Privacy Impact Assessment (PIA) is an assessment tool
that describes in detail the personal information flows in a project, and
analyses the possible privacy impacts of the project.[5] A PIA may
do this by helping an agency to identify when the collection of particular
information is unnecessary for a given project, or where accountability or
oversight processes may reduce privacy risks. The elements that make up a PIA
(including identification, analysis and management of privacy risks) help
agencies to drive good privacy practice and underpin good public policy. PIAs
also help to engender community trust in a smartcard proposal if the issues
raised during the PIA are responded to adequately through the proposal's
development.
19. For large projects such as the access card, conducting a
PIA may be an iterative process, with a number of PIAs done at various stages of
development. For example, when introducing a smart government services card, the
Hong Kong Department of Immigration conducted four PIAs at various stages of
development.[6]
20. The over-arching benefit of a PIA is that it will identify
and analyse privacy impacts during a project's design phase, which in turn
assists agencies to determine the appropriate management of any negative privacy
impacts.
21. The example of the Canadian Longitudinal Labour Force File
Databank project illustrates the risks of not comprehensively considering
privacy issues before implementation.[7] In that
case, community privacy expectations were not addressed during development of an
information handling system and led to the dismantling of a national database on
34 million Canadians (at a cost of many millions of dollars) and a greater
appreciation of the need for "…transparency and accountability, and the
application of privacy-protection rules for the use of such information".[8] Thorough PIAs done at regular intervals have the
potential to assist projects to avoid such risks and should therefore be
considered as a key element to project risk management.
22. Ideally, a PIA should be conducted by an independent
expert specialising in privacy issues and the process of conducting PIAs. In
addition, to aid transparency in the process, the Office generally sees merit in
the PIAs being made publicly available.
23. The Office notes that a PIA was produced to accompany
the business case, leading up to the decision by the Australian Government to
proceed with the access card development. Now that the development of the access
card has been publicly announced the Office would see benefit in the government
building on that initial PIA to reflect the current parameters of the access
card system. The Office recommends that further PIAs be undertaken on specific
aspects of the project as it proceeds. This submission notes a number of areas
that would benefit from specific PIAs.
Identification of critical issues
Questions of Principle described in the Discussion Paper
National Identity Card
24. The Office notes the Government's statement, made in
announcing the access card, that it "…is ruling out introducing a compulsory
national ID card."[9]
25. The Discussion Paper suggests that there are various
measures that may be taken to support the Government's commitment that the
access card will not become a national identity card. Much of this discussion
focuses on the role of legislation in prohibiting such a purpose, though notes
that "…legislation can always be changed by future parliaments". The Discussion
Paper also highlights the potential role of technological guarantees in
preventing the access card becoming a wider identity card.
26. As discussed above (paragraphs 15-16), a robust privacy framework that ensures that privacy
commitments are met will require attention to be given not just to legislation
and technology, but also to fundamental questions of design and the existence of
robust and independent oversight mechanisms. For example, not requiring a
mandatory photograph on the front of the access card would significantly lessen
the risk of it becoming a mandatory identity card in the future. (The question
of what choices are made available concerning the photograph is examined further
below at paragraphs 107-140 and 150-155).
27. The Office also notes the potential for the access card,
if not accompanied by necessary privacy protections, to emerge over time as a de
facto form of national identity card. This risk is likely to emerge where a card
has the characteristics of being nearly universal in its distribution amongst
the adult populace, while also containing details (such as name and photograph)
sufficient to reliably identify an individual. Where such a card exists, there
would be pressures over time for it to be used as a standard identity token by a
range of public and private sector stakeholders and in contexts that fall well
outside the purposes of the current proposal.
Initial matters raised for consideration by the Discussion Paper
28. The Discussion Paper presents eight matters relevant to
the Government's proposal which, in the Taskforce's view "…need to be raised at
the earliest opportunity for consideration". These aspects are described as
"initial matters for consideration" and are discussed in general terms only. In
responding to these initial matters, the Office notes the overlap, apparent to
various degrees, between some of these matters and the five specific issues
presented later in the Discussion Paper.
Establishing Benefits to Consumers
29. The Office agrees with the principle expressed by the
Taskforce that "…public policy should be directed at all times to outcomes which
enhance customer benefit and control" (at page 18).
30. Further, while accepting the Taskforce's view that it is
not in a position to comment on the financial analysis presented to Government
by its advisers, the Office agrees with the Discussion Paper (at page 18)
that:
"…where the Government claims that the access card will benefit
consumers, then this is a matter to be tested".
31. To assist in ensuring the community's trust, there needs
to be a clear articulation of the primary purposes of the access card. From the
perspective of fundamental privacy principles, an articulation of purpose is
essential to being able to decide what personal information is genuinely
necessary to be collected and handled by the proposed system.
32. Statements to date attribute a wide range of objectives to
implementing the access card.[10] Proposed
benefits to individuals include:
- enhancing consumer choice;
- making transactions quicker and more efficient;
- reducing administrative complexity when dealing with government services;
- collapsing multiple cards into one;
- facilitating emergency relief payments;
- making it easier for individuals to register for benefits by providing a
common evidence of identity token to use across agencies; and
- allowing individuals who have relationships with more than one agency to
update their personal details more simply.[11]
33. In addition, benefits to government may include: creating
streamlined and uniform proof of identity processes across government agencies
and reducing fraud and concession abuse.[12]
34. Where the proposed benefits of the access card are not
immediately self-evident, analysis of the proposal would be advanced by detailed
examination of these benefits. In general, the access card's benefits could be
demonstrated more clearly through the following lines of enquiry:
- The nature of the problem that is being addressed. When the problem is
clearly articulated, optimal solutions can be explored.
- The scope of the problem in question. Determining the seriousness and extent
of a given problem is necessary to assess whether a response is proportionate.
- The means by which the access card addresses the problem in question.
Describing how a given policy solution addresses the problem in question will
assist program evaluation by identifying what outcomes are attributable to
the access card.
- The extent to which the access card will remedy that problem. Describing the
anticipated impact of the access card on the problem will assist future program
evaluation.
- What alternative solutions may be available, which achieve the same, or
better, outcomes. Transparency is assisted by articulating other solutions that
were considered. Doing so will help assure the community that, on balance, the
access card represents the best approach.
Resolving tensions between agency and individual benefits
35. In some cases, the interests of government agencies and
the individual beneficiary will coincide to their mutual benefit. For example,
to the extent that the outcome is realised, both consumers and government
agencies will likely benefit from shorter, simpler transactions.
36. In other cases, however, the objectives may be in tension.
Tensions may exist, for instance, between the objectives of individual choice
and agency efficiency. The business case suggests that such a tension should be
reconciled by deferring to the imperative of "…a predictable, simple, uniform
service system"[13] at the expense of offering greater choice to consumers.
The Access Card may achieve objectives across a range of policy areas, but may
not be able to achieve each one to the fullest extent desirable.
37. Therefore, at this early stage in the access card's
development, the public analysis would benefit from an indication as to how
balance is to be achieved where tensions arise between policy objectives. The
Office welcomes the Government's statement that "the key principle for the
access card is that individuals will control the information that is on the
card."[14] Accordingly, policy settings would ideally give
preference to enhanced consumer benefit and control to the greatest extent
possible.
Benefits to existing Medicare-only cardholders
38. The Office notes that if the access card is made
compulsory, some sections of the community may regard it as an unnecessary
imposition. This is the case whether that compulsion is administered through
direct prescriptions or the weight of incentives. According to the business case
a substantial portion of the community only has a relationship with Medicare.[15] For them, the prospect of reducing the number of cards
in their wallet, or simplifying their dealings with multiple agencies offers no
real and immediate gain. From their perspective, the potential inconvenience,
and the privacy impositions may outweigh the access card's benefits.
39. The possible broader implications of individuals choosing
not to register for an access card are discussed at paragraphs 46-49.
The Voluntary Nature of the Card
40. An optimal access card model would offer consent-based
participation that is enshrined in law. The Discussion Paper raises this issue
briefly. The Office's submission will consider these matters in more detail in
relation to the right of choice (see from paragraph 106
below) and optional stored information (see from paragraph 141 below).
41. The Discussion Paper (at page 18) raises the question of
whether the access card is truly voluntary, given the likelihood that, at some
point in their lives, almost all Australians will need to access Government
services associated with the Card. As others have argued, a substantive choice
may not be available in these circumstances.
42. The Office recognises that the benefits that are likely to
accrue from a more secure Medicare and social services card may justify
individuals being required to register for a smartcard if they wish to receive
entitlements. However, the relatively limited discretion available to
individuals concerning registration should not limit the degree of control
individuals have over how they interact with the access card system. Mandatory
registration makes it more important that the design provide for choice in other
key areas of the system.
43. Incorporating the capacity for individual choice should
inform the design and implementation of the access card. While the Office
acknowledges the Government's current intention to print the photograph on the
face of the card,[16] it is the Office's preference that individuals should
be able to control whether and how a photographic image is stored on the system
to the greatest extent possible. Individuals should also be able to choose the
ways in which they use the access card to interact with Government agencies –
including the option of using some alternative form of photographic
identification to supplement the access card where they elect not to have a
photograph displayed on the face of the card. The role of the access card as
photographic identification is discussed below from paragraph 107.
44. Even where aspects of the access card are not
discretionary the individual should be fully informed as to how their personal
information is handled including to whom it may be disclosed and why. This is
consistent with the obligations established by the Privacy Act requiring
agencies and organisations to be open and transparent in their handling of
personal information.[17]
Public policy and the choice not to register for an access card
45. As the Discussion Paper recognises, the initiative
"represents a significant change in the way in which people will interface with
participating agencies."[18]
Interactions across government agencies and the private sector would also
undergo significant change. The Office suggests that consideration should be
given to the underlying structural changes which may result in processes of
public administration and the manner individuals interact with their government.
46. It may also be of use to consider the effect of
individuals choosing not to access government services due to privacy concerns,
and how such decisions may affect government policy and the broader community
well-being. The Government has decided that while the access card is voluntary,
registration will be required to obtain government entitlements. It is possible
that some percentage of the population, however small, will choose not to
receive entitlements due to privacy concerns.[19]
47. This may be particularly problematic in the context of the
9 million individuals who currently only have a Medicare card. Individuals
choosing to forgo Medicare entitlements (or any other form of entitlement) due
to privacy concerns could raise serious public policy concerns. Examples that
most immediately come to mind are those with particular forms of mental illness
whose conditions may heighten their privacy sensitivity or be exacerbated by
privacy concerns.
48. Additionally, individuals with highly sensitive and
potentially stigmatising conditions, such as HIV/AIDS, may display some
reluctance to participate in a system if they have privacy concerns. While it is
noted that the access card system is not intended to handle agency transaction
data, such as PBS claims information, individuals may not grasp this fact or may
understand but have residual concerns.
49. Similarly, individuals without any sensitive health
conditions may simply exercise a choice not to participate choosing instead to
pay for any medical treatment out of pocket. Many of these individuals may be
less absolutely reliant, in general, on Medicare entitlements than individuals
who may be heavily dependent on social security entitlements to provide either
full or supplementary income. Accordingly, these individuals may feel less
compelled to register, particularly if they perceive privacy risks.
50. Such a choice may, over time, lead these individuals to
limit or avoid medical treatment, a course of action that may endanger their own
health and raise public health issues, for example, in the case of contagious
conditions.
The Architecture of the Access Card System
51. The Discussion Paper provides a brief discussion of issues
that may be relevant to the architecture of the access card system, including
the crucial matter of the interaction between the proposed central database of
photographs (particularly when they are converted into biometric templates)[20] and closed circuit television (CCTV) technology. The
Office welcomes the recognition given to this matter by the Taskforce.
52. The Office's comments on the question of the possible
interaction between the access card system and CCTV are provided below from
paragraph 133.
53. In considering the question of access card architecture
generally, the Office would make the overarching comment that it is essential to
recognise the proposal in its entirety, rather than to focus exclusively on the
card. The initiative is a complex system comprising:
- the access card;
- the Secure Customer Registration Service (SCRS);
- the databases and systems used by agencies (as well as private sector
organisations) and which will interact with the access card through the SCRS;
and
- the infrastructure associated with each of these components (card-readers,
for example).
54. In effect, the physical card is one part of a substantial
infrastructure that will support both "front counter" (that is, at the point of
service delivery), online and "back office" functions.
55. From a privacy perspective, the essential importance of
system architecture lies in its capacity to fix the parameters of the access
card for the life of the product.[21] If there
is a particular application (such as a national identity card) which the
Government commits to exclude from the scope of the access card, this should be
addressed at the design stage.
Key design elements of the access card system
56. The Office's understanding is that, in the present
proposal, the face of the access card will display:
- on the front of the card, the cardholder's name and a digital photograph of
the cardholder; and
- on the back of card, a digitised representation of the cardholder's
signature and the access card number.[22]
57. Further, the Office understands that the chip will contain
demographic information, information on dependents, entitlement statuses of the
cardholder[23] and, at the option of the cardholder, other specified
items of information.[24]
58. The design of the SCRS (including its specified content)
will be significant in determining whether privacy risks are mitigated or
heightened. It is proposed that the SCRS will store the same information as
recorded on the face of the access card and on the chip.[25] It may
also contain records of documents scanned in the initial registration process,
whether as scanned copies, or as document numbers. Individuals' relationships
with government agencies will be indicated by "flags" though the SCRS will not
indicate the nature of the relationship (for example, the type of entitlement
the beneficiary receives), transactional information regarding the provision of
the entitlement or the identifier used within each agency to identify
individuals.
59. The risks associated with a single database containing
information, including basic demographic information, on almost 16 million
individuals in Australia are significant. For example, such a rich central
repository of personal information may prove particularly tempting to hackers
and organised crime, as breaching the system will provide them with access to
details on almost all adult Australians. Pressures to use the central repository
for other uses unrelated to the reason it is established would also likely
emerge.
60. One design issue that may need to be addressed is the
extent to which it is necessary for the SCRS to contain information that will
already be held by other agencies for the purpose of delivering services,
particularly if the primary functions of the system are to process initial
registrations and to facilitate the distribution of updated beneficiary
information.
Dataflows between system elements
61. An essential design issue that requires careful
consideration is how the access card, SCRS and agency databases will interact.
For example, a key envisaged benefit of the access card system is that
individuals will only be required to update changes in their personal details
once with those changes then passed on to each agency with which they have a
relationship. Such a process appears premised on each part of the system being
able to identify the individual in question though it is currently unclear how
this will be done. It would be of concern if the system is designed such that
each constituent part of the system had knowledge of a single unique number
which it could attribute to an individual.
62. The Office notes that there may be community concerns in
regard to systems that enhance the ability of government agencies to share data.
While the initial proposal is intended to offer convenience to the individual,
concerns may emerge regarding what other information may be shared once the
infrastructure is established. Survey research conducted by the Office in 2004
found that while 62% believed that government agencies should be able to share
data for "some purposes" only a small majority of this number believed that the
purpose should include updating basic information or improving agency efficiency.
Notably, 24% were opposed to agencies sharing data for any purpose.26
63. Qualitative community attitude research conducted in
Canada on the issue of government agency data-sharing noted:
"...concern that this kind of information sharing would open a door
that would not be easily closed… Others in the group quickly picked up on the
theme, saying that they feared a future where there might be a less benevolent
government that could use the information to control them, rather than serve
them."27
64. Further discussion of community attitude research to
government data-sharing is provided at Appendix A.
Comparison between the access card and existing information handling tools
65. Some comment has been made that the system will not
collect significantly more data than that which is already stored on the
respective agency databases and, accordingly, that this realisation should
temper privacy concerns. Similarly, comparison has been made to existing
drivers' licences, with the point offered that the front of the access card will
provide less information than that printed on these licences.28
66. The Office notes that establishing a new system that may
change the way in which information is able to flow between pre-existing
databases or to centralise previously disparate pieces of data, has the effect
of qualitatively changing the nature of that data including by making it easier
to be manipulated for other purposes. Arguably, if this were not the case, there
would be no benefit in pursuing such outcomes.
67. Further, the addition of photographic images and digital
signatures are significant new pieces of personal information in addition to
that already held by the relevant agencies. The potential privacy implications
of this collection are considerable. An individual's signature is a common form
of evidence of identity, such as for credit card transactions. Accordingly, it
will be necessary to carefully consider the implications of the digitisation of
signatures of most of the Australian populace and what opportunities this may
create for identity fraud, particularly if an access card is stolen and the
signature copied electronically. The question of photographs is discussed in
further detail below from paragraph 117.
Potentially privacy enhancing design elements
68. Examples of design elements that may promote privacy could
include:
- that the system is not built on the assumption that there will be a unique
number shared across each element of the system and particularly across
agencies. This includes where an agency may not actually use that number for its
own transactions with the individual, but still maintains a record of the link
between that unique number and the individual. The system should be
"design-proofed" against any possibility that agencies or other parties can
easily link or match personal information based on an identifier that is unique
for each individual, but shared between different systems;
- that the system does not include significant latent capacity for the storage
of greater amounts of information or additional applications well beyond the
intended and presently articulated scope of the system. Such a design would be
inconsistent with the principle that the only information that should be
collected is that which is necessary to meet the stated objectives of the
system. Latent capacity leaves open the prospect of greater amounts of
information being collected beyond that which is necessary;
- except where necessary to meet the objectives of the proposal, system
elements, including in the SCRS and in the chip on the card, should remain
segregated to avoid unintended or undesirable flows of personal information;
- personal information that is used for different purposes should be kept
separate and only accessible to relevant and authorised users. For example,
optional health information stored on the access card should be segregated from
demographic information that may be transmitted to the central data-store;
- the handling of personal information in the system could be controlled by a
token (such as a PIN) that remains in the possession of the individual; and
- the most fundamental design element is to minimise the collection and
subsequent handling of personal information to only that which is necessary to
meet the system's functions.
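The first design element above, that no single number identifying an individual is shared across agencies, can be illustrated with an added example that is not from the submission or from the access card project. A registration hub (playing the SCRS role) holds one secret key per agency and derives an agency-specific identifier from it, so two agency databases cannot be joined on their identifiers alone, while the hub can still fan a "update once" change out to every agency. The class names, the `derive_agency_id` function, the agency labels and the sample record are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed agency labels; the access card project's real agencies are not
# modelled here.
AGENCIES = ("agency_a", "agency_b", "agency_c")


class RegistrationHub:
    """Holds the master registration number and one secret per agency.

    Only the hub ever sees the master number; every agency sees an identifier
    that is stable within that agency but unrelated to any other agency's.
    """

    def __init__(self, agencies):
        # Per-agency secrets. In a deployed system these would sit in an HSM;
        # here they are generated in memory for the illustration.
        self._agency_keys = {a: secrets.token_bytes(32) for a in agencies}
        self._registrants = {}  # master_id -> demographic record

    def register(self, master_id, record):
        self._registrants[master_id] = dict(record)

    def derive_agency_id(self, agency, master_id):
        """HMAC-SHA256 of the master number under the agency's own key.

        Without the key, an agency cannot recover the master number or
        compute another agency's identifier for the same person.
        """
        key = self._agency_keys[agency]
        return hmac.new(key, master_id.encode(), hashlib.sha256).hexdigest()

    def push_update(self, master_id, field, value, agency_stores):
        """Update-once: the hub re-derives each agency's identifier and
        forwards the changed field under that identifier."""
        self._registrants[master_id][field] = value
        for agency, store in agency_stores.items():
            agency_id = self.derive_agency_id(agency, master_id)
            store.apply_update(agency_id, field, value)


class AgencyStore:
    """An agency database keyed only by its agency-specific identifier."""

    def __init__(self):
        self.records = {}

    def enrol(self, agency_id, record):
        self.records[agency_id] = dict(record)

    def apply_update(self, agency_id, field, value):
        if agency_id in self.records:
            self.records[agency_id][field] = value


def shared_identifiers(store_a, store_b):
    """Linkage check: identifiers that appear in both agency databases.

    An empty result means the two agencies cannot match records on the
    identifier alone, which is the property the design element asks for.
    """
    return set(store_a.records) & set(store_b.records)


def demo():
    """Register one constructed person with three agencies and push an update."""
    hub = RegistrationHub(AGENCIES)
    master_id = "MASTER-0001"  # constructed value
    hub.register(master_id, {"name": "A. Citizen", "postcode": "2600"})

    stores = {a: AgencyStore() for a in AGENCIES}
    for agency, store in stores.items():
        store.enrol(hub.derive_agency_id(agency, master_id), {"postcode": "2600"})

    # The person changes address once; every agency receives it.
    hub.push_update(master_id, "postcode", "3000", stores)
    return hub, stores


if __name__ == "__main__":
    hub, stores = demo()
    for agency, store in stores.items():
        print(agency, store.records)
```

The hub itself can still link every record, which is exactly the concentration of risk paragraph 59 describes; this design removes the shared number between agencies, not the need to protect the central repository.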
69. The Office submits that close collaboration between the
Taskforce and the system designers and architects will be essential to ensure
that the fundamental system design incorporates design elements that are
consistent with privacy principles and that are privacy enhancing.
The Registration and Issuing Procedures
70. Based on the business case the Office understands that
the registration and card issuing process will involve:
- improved evidence of identity arrangements for verifying the identity of
applicants;
- a streamlined process of registering "known customers";29 and
- a comprehensive uniform registration program involving up to 16 million
Australians.30
71. The Office welcomes the Taskforce's commitment to
exploring registration processes for individuals who may have difficulty
establishing their identity to a high level of confidence.
72. It is vital to recognise that the access card proposal
does not exist in isolation. Privacy issues associated with the implementation
of the system should be considered with reference to other initiatives in the
public and private sectors that may directly affect, or be affected by, the
operation of the system.
73. For example, the Office notes the initiatives that may
conceivably intersect with the access card proposal may include:
- momentum toward the standardisation of EOI and improvement of identity
data;31
- extension of customer identification requirements under the Financial
Transaction Reports Act 1988 and its proposed successor legislation;
- introduction of new EOI requirements for electoral enrolment and voting;
- the proposed Document Verification Service;
- harmonisation of state drivers' licences and smartcard initiatives;
- introduction of smart public transport tickets and their linkages to
concession entitlement verification; and
- electronic health records (EHR) and unique personal identifier initiatives
in the health care sector.
Role of the Document Verification Service
74. In the Office's view, the proposed Document Verification
Service (DVS) has the potential to make a significant contribution to enhancing
the process of identity authentication including during registration for the
access card. While it has been stated that the access card "…will conform with
and utilise the standards and processes of the Government's National Identity
Security Strategy, including the Document Verification Service (DVS)",32 it does not appear at this stage that the benefits of
using the DVS have been fully factored into the business case.
75. A proper recognition of the important role that may be
played by the DVS may address some of the privacy issues arising from the
proposal. In particular, the role of the DVS in providing reliable EOI at
registration may be particularly relevant to whether the SCRS needs to retain a
biometric template of an individual's face. If individuals' identities can be
reliably authenticated at registration by using the DVS then it may be possible
to prevent multiple registrations without needing to retain individuals'
biometric templates on the SCRS (with the associated costs that this brings).
76. The Office recommends that further consideration be given
to the need to collect and store a biometric template on the SCRS if
individuals' identities are authenticated using the DVS.
77. Additionally, the role of the DVS may be relevant to
whether or not it is necessary to retain copies of identification documents
provided as part of the registration process.
"Known customers"
78. The processes surrounding the enrolment of "known
customers" will require detailed analysis and should be a key focus of a further
Privacy Impact Assessment. Initial privacy issues that may be raised by a known
customer registration process may include:
- the extent to which such individuals are able to exercise choice and control
over the handling of their personal information particularly if their personal
information is pre-populated to the SCRS before they have been granted an
appropriate opportunity to make an informed choice about their participation;
- whether a known customer registration process will simply result in
government service delivery agencies becoming more confident in false
identities. If individuals are currently known, though registered under false
identities, then a known customer registration process may result in some of
these false identities being inappropriately authenticated;
- the extent to which government agencies will compare their existing
databases to assist in establishing the authenticity of individuals' identities,
and under what protocols and authority such data-matching may be conducted; and
- what allowance may be made for those individuals who, for legitimate reasons
of personal choice, prefer to provide different information about themselves to
different agencies and in different contexts. For example, individuals may wish
to be able to be known by shortened, derivative or anglicised names, or may go by
their middle rather than given name. Similarly, there may be cultural or
religious reasons why individuals choose to use different names, such as
indigenous Australians choosing to use their traditional or another name
depending on whether they are interacting in the indigenous or non-indigenous
community.
The Need for Legislative Authorisation
79. The access card should be supported by its own
comprehensive statutory framework. As discussed above (paragraphs 15-16), legislation is a necessary
(though not, in itself, sufficient) mechanism for protecting individuals'
privacy. While the Privacy Act gives a sound foundation, the protections it
affords are principle based, rather than drafted prescriptively to meet privacy
risks posed by specific projects or information handling practices.
80. A precedent exists for supplementary privacy enactments.
In addition to the principle based regulation afforded in section 14 and
schedule 4 of the Privacy Act, this statute provides for more prescriptive
regulation where Parliament has identified acts or practices which may pose
heightened privacy risks. Such additional legislation is likely to be of
considerable value for the access card proposal.
81. Further discussion of the role of dedicated legislation is
provided below under "Authorisation and Accountability" from paragraph 216.
Function Creep
82. "Function creep" describes the process of incremental
expansion in the purpose for which a system or object is used, to the point that
it is employed for purposes that were not initially agreed to or envisaged. Such
expansion is generally organic in nature and lacks overall direction, planning
or oversight. Individuals may not expect these incremental uses nor consider
them appropriate. The Office makes a distinction between function creep and the
exercise of a considered, deliberate and appropriate decision to change the
manner in which something is used.
83. The Discussion Paper notes, as an example, that the use of
drivers' licences has expanded to encompass a range of functions far beyond that
originally intended.33 Today, a licence
may be requested in numerous contexts, from boarding a plane to entering
nightclubs, collecting mail and renting videos. The Office is concerned that if
drivers' licences can undergo such an expansion then the risk of function creep
for the access card needs to be considered.
84. A Canadian Parliamentary Inquiry provides a cautionary
description of the function creep experienced by that nation's Social Insurance
Number:
"Mistakenly, the private sector began to look upon the SIN as a
piece of identification and property owners asked for it on apartment rental
applications, video stores required it as security for movie rentals,
universities and colleges requested it on their application forms and pizza
places even used it as a customer number for their delivery system."34
85. The Canadian experience is described in further detail at
Appendix B.
86. Given the range of intersecting identity management
initiatives (see paragraph 73 above), it is to be expected
that there may be impetus for other applications to utilise or interact with the
access card system.
87. Function creep can be avoided by ensuring that the system
design limits future expansions in scope. Additionally, any future expanded uses
of the access card should be managed in such a way to avoid function creep. In
regard to possible future uses, it is imperative that a process is established
that is transparent, widely consultative and supported by legislation to
guarantee community confidence. The degree to which the community can be engaged
in this process, should it ever be required, will determine whether an expansion
of use is regarded as a useful and deliberate innovation, or uncontrolled
function creep.
88. Preventing function creep is discussed further from
paragraph 239.
Using the Access Card and Ensuring Data Accuracy
89. The Discussion Paper poses a diverse range of questions
regarding access to personal information, both by the individual and by
organisations.35 This section includes a number of issues that may
benefit from being unbundled and are perhaps more coherently addressed in the
discussions concerning specific issues.
90. As a general statement, in the Office's view, the
fundamental privacy principles articulated above in paragraphs 13 and 14 should inform the handling of
personal information associated with the system.
91. The Office understands that the key applications of the
access card are to facilitate access to government health and social services
and, where appropriate and desired by the individual, to serve as an alternative
form of EOI. These applications indicate the broad policy settings that inform
the system's development and, in turn, should define the rules around who may
access personal information on the system and for what purposes. Uses and users
that fall outside of these boundaries should be excluded.
An individual's right of access and accuracy
92. The Discussion Paper has raised questions as to
individual's right of access to information collected for the access card, and
how that right may be exercised in practice.36 The
Privacy Act gives individuals a general right to access and correct their
personal information held by an organisation.37 The
Office suggests that further consideration be given to the means by which all
cardholders can be assured of such access. Access to information stored on the
SCRS is of particular concern.
93. Convenience, efficiency and equity issues between urban
and remote areas suggest that individuals should be able to access that
information remotely. The Office notes the Government's proposals to integrate
the access card initiative with web-based service delivery and in particular to
allow individuals to update their personal information online or request that a
lost card be reissued.38
94. Remote access, however, raises a number of issues. The
possibility of accessing information other than by presenting the access card in
person detracts from the integrity of the access card's security. If some
alternative means is made available as the sole means of identification (such as
a PIN), this alternative becomes a substitute for the access card, rather than
an additional protective layer.
95. Consideration will also be needed as to how information
stored on the access card will be kept up-to-date and accurate. If one outcome
of the access card agenda is that information will be updated on a cross-agency
basis then it becomes all the more important that each piece of data be
accurate. One solution may be to minimise the amount of non-static information
retained on chips. It may not be necessary, for example, that the chip contain
an individual's address.
96. It is also important to note that, as the Office
understands it, the updating process (by which information is channelled through
the SCRS to other agencies) will be automatic, that is, it will occur without an
individual's consent.
97. Issues of legislative protection and redress for
individuals in the event of misuse of information are discussed below under
"Authorisation and Accountability" at paragraph 216.
98. Issues of security are discussed at paragraph 212.
The Question of Balance
99. At this point, the Discussion Paper provides a brief
commentary on the proposed Document Verification Service (DVS). In the Office's
view, this is a valuable issue to highlight, particularly in light of the
earlier comment that the impact of the DVS may not yet be fully explored in the
proposal (paragraphs 74-77).
Determining the need to authenticate identity
100. It is noted that the Discussion Paper (at page 24)
says:
"…there is great benefit to the Australian community in being able
to establish questions of personal identity with the highest degree of
confidence."
101. The Office agrees with this statement, though would
offer the qualification that identity should be reliably authenticated "where
necessary". In particular, it is arguable that the degree of confidence with
which an identity need be authenticated varies according to a number of risk
factors, including the nature of a transaction and the value of that
transaction. For example, some credit card companies do not require an
individual to offer their signature (that is, offer evidence of their identity)
for credit card transactions on amounts less than $25.
102. It may also be useful to consider further what attribute
requires authentication. In some instances, and for some transactions, it may
not be necessary to authenticate an individual's identity, merely that the
individual who has presented a card is entitled to a concession.39 Such an
approach permits an individual to interact in an anonymous way while offering
assurance to the service provider that the transaction is valid.
103. The Office understands that this general approach is
consistent with the framework being developed by the Australian Government
Information Management Office (AGIMO) in its work toward an Australian Government
e-Authentication Framework for Individuals.40
104. The Office recommends that the broad policy question of
what needs to be authenticated in order to address the objectives of the access
card proposal be given further consideration by the Taskforce.
Engaging with all elements of the community
105. The Discussion Paper observes the difficulties that some
individuals may have in providing adequate evidence of identity. Some groups may
not be adequately dealt with under standard registration and use processes.
Where, for instance, the access card is made the sole means of access to
government services, an itinerant person who does not typically carry cards on
their person would be placed at a disadvantage. The policy implications of
adapting the access card to minority groups require further consideration. The
Office recommends substantial consultation with appropriate stakeholders on
these social justice issues.
Specific Issues Requiring Further Consideration
Issue 1: The Right of Choice
106. One of the foundations of privacy is that individuals
control the use of their personal information to the greatest extent possible.
Allowing for individuals to determine how and to what extent they participate
could be a fundamental way of sustaining trust in the access card system.
Choosing how to establish your identity
107. The Office recognises the Government's decision that
presentation of the card will be required when accessing Government services.41 However, the Discussion Paper raises the question of
whether, for the purposes of receiving entitlements, individuals should be able
to establish their identity by means other than the access card.
108. In considering this issue, it will be helpful to
distinguish between authenticating an individual's entitlement to benefits, and
verifying their identity. In the context of a system such as the access card,
authentication could involve confirming that the card holder has a given status
(for example, that they are entitled to a particular concession). This can be
achieved without the service provider knowing the identity of the cardholder. On
the other hand, identification may involve linking the person presenting the card
with a given individual's profile.
109. The Office acknowledges that presentation of the card
will be required to authenticate the individual's entitlement to Government
benefits where identification is required. However, it is the Office's view that
individuals should be given options as to how they verify their identity. This
could be achieved by a photograph printed on the face of the card at the choice
of the individual. Alternatively, where an individual has elected not to have a
printed photograph, an individual may be required to verify their identity by
presenting a supplementary document, such as a drivers' licence or proof of age
card.42 The option of such a choice could be privacy enhancing.
Issues surrounding the role of the photograph in the access card project are
discussed further from paragraph 117.
110. It is the Office's understanding that a primary policy
objective of the access card proposal is to strengthen evidence of identity
(EOI) requirements around the delivery of entitlements. The Office recognises
the value of this policy objective.
111. However, in the Office's view, it is not necessarily the
case that this policy objective can only be achieved by restricting the EOI
requirement to a photographically enabled access card. Mandating the access card
to function as an EOI document may pose privacy risks that may not be
commensurate with the benefits to particular individuals. It may also undermine
community confidence in the proposal.
112. In contrast, the Office believes that the access card
proposal can engender community trust and confidence by offering individuals the
choice whether or not to use the access card as an EOI token.
113. It follows from this that the Office recommends that
individuals should be able to choose whether or not their photograph is printed
on the face of the card. The objective of enhancing EOI can be achieved by
requiring individuals to provide any valid and reliable photographic
identification. For example, a person presenting at a Centrelink office, where
the access card reader is not functioning, could provide their access card
accompanied by a drivers' licence or other appropriately reliable document.
114. It is recognised that a proportion of individuals will
welcome the opportunity to engage with entitlement agencies using a single card
as evidence of both identity and entitlement. Similarly, other individuals may
not have privacy concerns about the access card or generally have less
sensitivity about privacy. This highlights the value of making a printed
photograph on the face of the card optional, as individuals can exercise control
over how the card works for them.
115. The Office recognises that, if this design is adopted,
then those individuals who chose not to have a photograph on their access card
may, in certain circumstances, be required to present some alternative form of
identity document (such as a drivers' licence).
116. The Office believes that this approach is consistent
with fundamental privacy principles and the Government's intention that the
access card should benefit individuals. As the Discussion Paper states, genuine
choice "…implies that individuals should be free to choose to use their access
cards in ways which might suit their particular circumstances."43 This may
involve a course which better protects their privacy, though is less convenient.
Consumer research on related matters indicates that individuals put a premium on
privacy – they will 'pay for' having their privacy protected, including by
choosing to restrict their engagement with the organisation concerned.44
Photographs and Biometric Templates
117. The Office recognises the Government's stated intention
of storing an individual's photograph in printed form on the face of the card
and in electronic form on the card chip and the SCRS.45 The
Discussion Paper, however, has raised questions surrounding the role of the
photograph.46 In the following comments, this submission outlines the
privacy issues associated with storing the photograph on the face of the card,
on the chip and on the SCRS, and suggests possible alternatives.
Printing the photograph on the access card
118. As already noted, the Office recommends that the
photograph should only be printed on the access card if the individual chooses.
A card with near universal adult population coverage and having a printed
photograph on its face would be close in appearance to a national identity card.
With a photograph on the face of the card, the access card's uses would be
dissociated from the need for the access card to interact with an electronic
reader for the person's identity to be established; the identity of the
cardholder could be established immediately upon presentation of the card.
119. The business case has suggested that printing a
photograph on the face of the access card would not be contentious given that
photographs are already a common feature of drivers' licenses and passports.47 However, the Office submits that such other forms of
EOI are not a meaningful comparator in this instance. Though the physical format
is superficially similar, the ubiquity, functionality and uniformity of a
photographically-enabled access card are substantially different, thus raising
privacy risks that are not as apparent or pronounced with existing documents
containing a photograph.
120. The principal argument advanced by the business case for
printing the photograph on the face of the access card is that this will prevent
it being used by someone other than the owner if the card is lost or stolen.48 The Office notes that approved service providers would
have use of a card-reader. The level of identification that this provides allows
the fraud-prevention objective to be achieved without requiring a printed
photograph on the face of the card. In circumstances where the card reader is
inoperable, alternative photographic identification may be required.
121. Where high level identity authentication is required and
access to any photograph on the card or chip is not available then the
implementation of policies and business rules requiring the access card to be
used in association with valid photographic identification may satisfactorily
address this issue.
122. The argument could be made that a printed photograph is
necessary to prevent counterfeit cards being manufactured. However, in sample
cards viewed by the Office, a range of other security features are incorporated
on the face of the access card (holograms being one example) to prevent
counterfeiting.
Storing the photograph on the chip
123. As the Office understands it, it is proposed that the
photograph will be stored on the chip. Authorised users would use the
card-readers to access this photograph, thus providing visual confirmation that
the person presenting the card is the person registered.
124. Alternatively, this function may be achieved by
requiring photographic identification to be presented whenever the card is used.
As discussed above, this may be achieved via a photograph printed on the face of
the card, or by some other form of photographic identification. Doing so would
still enable visual evidence of identity but would avoid the need for the
photograph to be mandated.
125. If it is determined that a photograph must be stored on
the chip, then access to the image should be restricted so that only agencies
(or approved organisations) with valid readers would be able to view the image.
Such an arrangement would make the printed photograph unnecessary for agency EOI
purposes, as this function can be served by reading the chip. If individuals
would like the access card to function as an alternative EOI for purposes other
than the delivery of government services, then they should be able to exercise a
choice to have the photograph printed on the card.
Storing the photograph on the SCRS
126. As the Office understands it, the photograph will be
capable of being converted into a biometric template and used by way of
comparison with the biometric templates of cardholders on the SCRS to prevent a
person establishing multiple identities and multiple entitlements.49 If implemented, this would be the first time that the
Australian Government has collected images of, in effect, nearly all adults in
Australia. It would then be technically possible for the photograph to be used
in applications other than those originally intended.
127. The Office understands that the SCRS will likely include
the photographic image, as well as a biometric template (or numerical
representation) of that image. Each piece of data will serve different
functions:
- the image will allow lost or stolen cards to be re-issued without
individuals having to be re-photographed;
- the template will provide for matching of biometric templates to those
already stored on the SCRS to determine if an individual registering for an
access card has previously been issued a card.
128. Each function raises distinct privacy
considerations.
129. The principal argument advanced in favour of storing the
photograph in the SCRS is that it facilitates the re-issue of lost or stolen
cards without an individual having to have a photograph taken again. It is
unclear whether this process would actually prevent the individual from having
to appear in person to apply for, or take delivery of, a new card.
130. The Office acknowledges that this design could offer
convenience for individuals who have lost or had their card stolen, though this
benefit will mainly accrue if the business processes will not require them to
have to present at an agency. If an individual is able to telephone and request
a new card, then this would undoubtedly be convenient. It is less clear though
whether it would be secure and effectively promote the integrity of the access
card system.
131. Setting aside potential security issues, the proposal to
store all images on the SCRS must be weighed against the privacy concerns of a
central database of nearly all Australian adults' images. In essence, it is
necessary to consider what is the greater impost: that a person who loses their
access card has to arrange for another photograph (with the resulting cost to
themselves or the government), or that the government creates a database storing
photographs for nearly all of the Australian adult population.
132. In the view of the Office, the solution proposed –
storing the photograph on the SCRS – raises privacy concerns. If the SCRS is to
contain the images of most Australian adults then strong risk mitigating
strategies need to be invoked in the four key areas of design, technology,
legislation and oversight.
Photographs and closed circuit television (CCTV)
133. The Office acknowledges that the access card proposal
does not include within its scope the use of the SCRS in conjunction with closed
circuit television camera surveillance. However, it does expressly include the
adoption of facial recognition technology to be implemented for the purpose of
comparing new registrants for access cards with existing cardholders stored on
the SCRS.
134. The question of the potential future interaction between
a possible central database of facial biometrics and CCTV should be addressed.
The risks should also be considered in the context of the momentum that has
emerged favouring greater use of CCTV and greater standardisation in its
application and technology.50
135. The concern here is that CCTV networks may be used to
employ face-recognition technology as "face in a crowd" applications, whereby
the faces of large groups of people are scanned and compared to databases. Such
applications can be highly privacy-invasive due to their capacity
to operate at some distance from the individual. Potentially, an individual's
face can be scanned and compared against the database without their consent, or
even knowledge. It is reported that law enforcement authorities in Victoria are
proposing to take advantage of this application in relation to drivers licence
photographs.51 The Office also notes initiatives being conducted
overseas linking centralised databases of face biometrics to street CCTV
cameras.52
136. To avoid any risk of mass-surveillance, biometrics used
in the access card system should be generated in such a way that they cannot be
used for other applications. This may be achieved by using encryption software
which is specific to the access card system. As a result, comparisons between
biometric templates could only be made within the access card system itself (for
example, to prevent multiple registrations), and not across different
applications. For example, a biometric template generated from a CCTV photograph
could not be matched against an access card template.
137. These issues should be explored in a detailed Privacy
Impact Assessment.
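To make the idea in paragraph 136 concrete, the following Python is an added illustration, not part of the submission or of any access card design: templates are bound to one system so that only that system can compare them. A keyed, distance-preserving transform (a secret bit permutation derived from a system key) stands in for the "system-specific encryption" the paragraph mentions; the template format, noise model, threshold and keys are all constructed assumptions.

```python
import hashlib
import hmac
import random
from typing import Dict, List

TEMPLATE_BITS = 256     # constructed: length of a toy binary face template
MATCH_THRESHOLD = 0.25  # constructed: accept if at most this fraction of bits differ


def raw_template(subject: str) -> List[int]:
    """Constructed stand-in for a feature extractor: a fixed pseudo-random bit vector per subject."""
    digest = b""
    counter = 0
    while len(digest) * 8 < TEMPLATE_BITS:
        digest += hashlib.sha256(f"{subject}:{counter}".encode()).digest()
        counter += 1
    bits: List[int] = []
    for byte in digest:
        bits.extend((byte >> i) & 1 for i in range(8))
    return bits[:TEMPLATE_BITS]


def noisy_capture(template: List[int], flips: int, seed: int) -> List[int]:
    """Simulate a fresh capture of the same face by flipping `flips` bits chosen from `seed`."""
    rng = random.Random(seed)
    probe = list(template)
    for idx in rng.sample(range(len(template)), flips):
        probe[idx] ^= 1
    return probe


def domain_permutation(system_key: bytes, n: int) -> List[int]:
    """Derive a secret permutation of n positions from the system key (HMAC output seeds a PRNG)."""
    seed = int.from_bytes(hmac.new(system_key, b"template-domain", hashlib.sha256).digest(), "big")
    order = list(range(n))
    random.Random(seed).shuffle(order)
    return order


def bind_to_domain(template: List[int], system_key: bytes) -> List[int]:
    """Map a raw template into the access card system's own domain.

    Two templates permuted under the same key keep their Hamming distance, so matching
    still works inside the system; a raw template from elsewhere (e.g. a CCTV frame) or one
    bound to another system's key shares no usable structure with the stored form.  The
    transform is invertible by a key holder, so the key needs the same protection as the images.
    """
    perm = domain_permutation(system_key, len(template))
    return [template[p] for p in perm]


def hamming(a: List[int], b: List[int]) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(x != y for x, y in zip(a, b))


def matches(stored: List[int], probe: List[int]) -> bool:
    """Fuzzy match: accept when the templates differ in at most MATCH_THRESHOLD of their bits."""
    return hamming(stored, probe) <= MATCH_THRESHOLD * len(stored)


def demo() -> Dict[str, bool]:
    """Enrol one subject inside the system, then present three kinds of probe."""
    system_key = b"constructed-access-card-system-key"   # in practice a secret held inside the system only
    other_key = b"constructed-key-of-an-unrelated-system"
    enrolled = bind_to_domain(raw_template("subject-A"), system_key)
    same_face = noisy_capture(raw_template("subject-A"), flips=20, seed=1)
    return {
        # duplicate-registration check inside the system: probe bound with the system key
        "in_system": matches(enrolled, bind_to_domain(same_face, system_key)),
        # a raw template produced outside the system (CCTV) cannot be compared meaningfully
        "raw_cctv": matches(enrolled, same_face),
        # a template bound to a different system's key is equally unusable here
        "other_system": matches(enrolled, bind_to_domain(same_face, other_key)),
    }


if __name__ == "__main__":
    print(demo())
```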
Photographs: Policy Options
138. In summary, the Office holds that ideal privacy
protection involves giving the individual an option as to whether the photograph
is printed on the face of the card. If the photograph is on the face of the
card, the need to store the photograph on the chip may be avoided.
139. Storing the photograph on the SCRS requires particular
consideration. It follows from the Office's general view on the importance of
choice and control that if an individual anticipates that the benefit of not
having to be re-photographed if their card is lost or stolen outweighs their
concerns about privacy, then that individual would ideally be able to choose to
have their image stored on the SCRS. This may be particularly useful for
individuals who live in remote areas or have reduced mobility.
140. For each of the above scenarios, where individuals are
offered choices, they should be informed of the consequences of their choice
(for example, being required to present supplementary EOI if they elect not to
have a photograph printed on the card), and the benefits and disadvantages of
each choice.
Proposed types of optional stored information
141. The Office understands that the access card may provide
for the storage, at the individual's choice, of a range of optional information.
This information will primarily be health and other emergency information that
an individual may not be able to provide, through illness or incapacity, at a
relevant time.
142. Such options may offer benefits where they are well
designed and implemented. However, it is noted that the type of personal
information being considered raises a number of privacy issues. These issues
stem from the sensitive nature of health information that will likely be
involved, as well as the possibility that the information may, depending on design,
be accessed without the individual's consent.
143. Legislative restrictions are likely to be needed to
tightly control access to this health information. An individual considering
storing this information on their card should be able to know exactly who will
be able to access that information, and in what circumstances.
144. The access card system should be designed in such a way
that the information remains secure. Only those organisations explicitly
authorised by legislation to access the information should be able to do so. If
these protections are not built into the architecture of the card, compliance
issues may arise. An entitlement agency officer, for example, who swipes an
individual's card may be able to view information about the individual's
allergies, or perhaps more problematically, chronic illnesses. The question of
whether the information is segmented into 'open' or 'closed' zones on the access
card, as well as whether the individual understands the implications of such
segmentation, will also need to be considered.
145. The Office also notes the concerns raised in the
Discussion Paper about the accuracy and currency of optional health information.
This is particularly true of non-static information. If acted upon, the optional
information may be of vital importance. However, if a person has failed to keep
their allergy notifications (for example) up to date, or has simply chosen not
to store that information on their card, the utility of the system is
compromised. It is unclear whether, in an emergency situation, a medical
professional would regard an absence of allergy information as indicating a
negative result, or simply an incomplete record. It is not clear how the
currency of this information could be guaranteed in a non-privacy intrusive
manner.
146. It is also unclear who would be responsible for entering
the health information onto the chip. Either possibility, the individual or
their health care provider, raises issues, the former for reasons of accuracy
and the latter because of the consent issues raised.
Prospects for further optional information
147. Beyond the specific type of options considered above,
the Discussion Paper raises the question of what other optional information the
access card could accommodate, or whether capacity should be built in to allow
additional options in the future. While the idea seems initially attractive from
an individual choice perspective, the Office is concerned at the prospect of
expansive uses unrelated to the policy objectives of the proposal, which would
be made possible through large storage capacity. Such capacity may create a
desire by agencies and organisations that it should be used, possibly creating
pressures toward inappropriate uses and function creep.
148. Further, as noted at paragraph 13,
it may not be consistent with good privacy for the access card to be designed
with the assumption that greater amounts of personal information will be
collected beyond that which is necessary to meet the access card's currently
proposed objectives.
149. Given the concerns outlined above, the Office suggests
that optional information, and latent capacity for future options, should be
limited unless a clear need for an application is demonstrated and is consistent
with the established policy settings of the access card.
Using the access card as evidence of identity in other contexts
150. DHS has stated that cardholders would be able to use the
access card as a high-quality EOI document outside of their interactions with
entitlement agencies.53
151. The Office does not support the unrestricted use of the
access card, in its current proposed form, for EOI purposes. However, if
individuals are granted the option to determine whether or not a photograph is
printed on the access card, as recommended by the Office, then it follows that
they should be free to choose to use the card for identity purposes as they
wish.
152. The Office welcomes the Government's statements that
private sector organisations should be prevented by legislation from demanding
presentation of the access card as a condition of service.54 This
provides individuals with a degree of control over when they present their
access card. Drafting of this provision would need to ensure that it is
sufficient to address situations where the card is not formally "demanded", but
a transaction is dependent on the individual "choosing" to present it.
153. If it remains mandatory for a photograph to be printed
on the access card, then the Office recommends that this prohibition should be
extended such that the access card may not be requested unless for the purpose
of entitlements or where expressly authorised by law (the latter category would
include prescribed purposes such as 100-point checking under the Financial
Transactions Report Act). This arrangement is similar to that which applies for
the Tax File Number, which may not be requested unless authorised by relevant
law.
154. On a general policy level, the Office is concerned that
the existence of the access card may lead to high-level EOI being required as a
matter of course for a vastly wider range of transactions than is currently
the case. The convenience of its use, and the fact that the majority of adults
would carry a card on their person at all times, would provide impetus for such
demand. A business processing a credit-card payment may require photographic
evidence of identity – whether that be through a passport, drivers licence, or
access card – before proceeding. In this sense, there is no compulsion, but nor
is there real choice. The intrusion into individual privacy lies in the move to
a culture in which individuals are required to routinely establish their
identity to transact in society.
155. Further, the Office is concerned at the security risks
that may arise from using the access card as alternative EOI in the broader
private sector. Presumably, organisations would require chip readers (at the
least) to verify that the access card is not counterfeit. The implications of
such a widespread roll-out of access card infrastructure require further
consideration and should be included in a detailed Privacy Impact
Assessment.
Issue 2: The Right to and Protection of Privacy
156. The Discussion Paper invites stakeholders to nominate
the "…fundamental privacy issues which arise in relation to the proposed access
card…", and then comment on whether existing privacy legislation, specifically
in the form of the Information Privacy Principles (IPPs) contained in the
Privacy Act, is likely to be adequate to address these issues.
157. In regard to the first matter, in the Office's view, the
key privacy issues raised by the access card proposal are likely to include:
- the possibility that individuals may experience a reduction in the extent to
which they control personal information held about them by government agencies;
- the creation of an infrastructure that may increase the possibility that
distinct government agencies will increasingly share personal information in
ways not expected by the community;
- the potential for unique identifiers to be shared between different
entities, in the public and private sectors, thus facilitating enhanced
data-linking and data-matching about individuals as they go about their ordinary
lives;
- the possibility of the access card becoming a de facto identity card
through its widespread availability, in turn contributing to a culture whereby
it becomes expected that individuals must identify themselves as a matter of
course; and
- the proposal to collect photographs for all participating adults, and the
resulting possibilities for surveillance not previously envisaged in either form
or extent.
Interaction between the access card proposal and existing privacy regulation
158. The current privacy regulatory framework emerged as a
response to new government initiatives. In the second reading speech for the
Privacy Bill 1988, the then Attorney-General, the Hon Lionel Bowen MP noted
that:
"There is no doubt that with the greater range of services being
provided, governments are accumulating more personal information about
individuals in order to provide those services efficiently and effectively.
This, together with the ever-increasing capacity of modern computers to search
and process information, offers significant potential for invasion of personal
privacy by misuse."
159. It is the Office's view that the access card proposal
introduces a range of privacy risks that will require additional and specific
privacy regulation. The form of this additional regulation is elaborated upon
below from paragraph 216 under "Authorisation and
Accountability."
Application of the Information Privacy Principles
160. A thorough Privacy Impact Assessment could usefully
consider the application of existing privacy regulation to the access card
proposal. The Office submits, in brief, the below comments on this matter.
161. The Privacy Act prescribes eleven rules, called
Information Privacy Principles (IPPs), with which most Australian Government
agencies must comply.55 These
principles regulate the collection, use (that is, handling within the agency),
disclosure (sending personal information outside of the agency), storage and
security of individuals' personal information, as well as affording rights of
access and correction to individuals.
162. IPPs 10 and 11 prohibit agencies from, respectively,
using or disclosing personal information for any purpose other than the
primary purpose for which the personal information was collected, unless one of
a number of prescribed exceptions applies. This principle prohibits, for
example, the linking of personal information about individuals when that
personal information is collected for another purpose. Both IPPs allow an
individual to give their consent to a use or disclosure.56
163. The role of IPP 11 is significant to the policy
objective of increasing the ease with which individuals are able to update
personal details across agencies. This principle would allow such information
handling practices where the individual consents or is reasonably likely to be
aware that a change of details will be passed to other relevant agencies.
National Privacy Principles and private sector privacy regulation
164. The National Privacy Principles (NPPs) came into effect
in 2001 to provide a national, consistent and clear set of standards to
encourage and support good privacy practices in the private sector. While these
principles are similar to the IPPs, there are some notable differences which
could impact on government services delivered by the access card, including
where the private sector delivers services to which government benefits or
entitlements apply.
165. One area where the NPPs may be significant to the
delivery of entitlements by the access card system is in regard to health
service providers (which are defined broadly in section 6 of the Privacy Act).
The second reading speech for the amendment Act that introduced the NPPs noted
that:
"…the government recognises that Australians consider their personal
health information to be particularly sensitive and that they expect that it
will be handled fairly and appropriately by all those who come into contact with
it."
166. Consequently, Parliament enacted additional protections
in the NPPs in regard to the handling of health information by the private
sector.
167. For example, NPP 10 imposes a prohibition against the
collection of personal health information, unless one of a limited number of
exceptions applies. Generally, the effect of NPP 10 is that the collection of
personal health information will require consent from the individual, except in
specified circumstances including, but not limited to, emergencies or as
required by law.57
168. To relate NPP 10 to the access card proposal, it is
noted that the current types of proposed optional information are predominantly
health information. If an access card were read by, for example, a financial
institution as part of EOI processes when opening a new account, then care would
be required to ensure that the organisation did not breach NPP 10 by
inadvertently collecting health information from an open zone of the chip.
169. Also likely to be important for the access card system
proposal are the regulatory implications of NPP 7. This privacy principle
prohibits, subject to prescribed exceptions, private sector organisations from
adopting, using or disclosing any identifier issued by the Australian Government
(such as the Medicare number).58
170. Further implications of the IPPs and NPPs on the access
card could usefully be explored in further Privacy Impact Assessments.
Jurisdiction of the Privacy Act
171. It should be noted that the jurisdiction of the Privacy
Act is limited to most Australian Government agencies and to parts of the
private sector, including businesses with a turnover greater than $3 million and
all private sector health service providers. Notably, the Privacy Act's
jurisdiction does not extend to any state or territory government agencies
(apart from the ACT) or to small businesses.59 Thus, to
the extent that such bodies interacted with the access card system (such as if
state public transport bodies sought entitlement status to determine
concessions), the existing protections of the Privacy Act would not apply.
172. This lends weight to the Office's general view that
specific legislation will be required to afford appropriate privacy protections
to the access card system.
Role of the Privacy Commissioner
173. The Discussion Paper asks (at page 28) a number of
questions about oversight and regulatory bodies, including the Office. The
Office's comments on these matters are provided as part of its response to the
section titled "Authorisation and Accountability" from paragraph 216 below.
Collection of personal information and the SCRS
174. Personal information should not be collected unless
necessary to meet a defined purpose. While it remains the prerogative of
government to legislate to authorise or require the collection of data from its
citizens, nonetheless, the consequences of increased collection of data across
the public and private sector enhance the opportunity for subsequent uses of
data that are remote from the original purpose of collection.
175. In the context of the proposal, the fundamental
collection issue is whether the various items of personal information can
reasonably be regarded as necessary for the delivery of services, access to
entitlements and the establishment and proof of identity by the individual to
support their claim of entitlement.
176. One of the rationales underpinning the traditional
constraints against unnecessary collection of personal information is that the
aggregation of large quantities of rich data invites, for example,
data-matching, data-linking and other uses beyond the purpose of collection.
Such practices may undermine community trust that personal information is
handled appropriately and in ways that respect the private lives of
individuals.
177. Therefore, the Office submits that the access card
registration process should not collect more information than is currently
collected when an individual registers for Medicare or Centrelink. More
expansive collection raises a real risk of function creep. If the information is
stored on the system, a presumption may arise that it should be used.
178. The Office recognises that there will be a need to
handle information about an individual in the course of registration. EOI
documents will need to be sighted, for example, to verify an individual's
identity. The Office is unconvinced of the need to retain copies of scanned EOI
documents once they have been appropriately verified. Such documents have the
potential to import into the SCRS more information than may be necessary,
including, in some cases, concerning third-parties.
179. The question of collecting and storing carer and
dependents' personal information will also require greater consideration,60 particularly to ensure that the handling of this
information is consistent with fundamental privacy principles. This includes the
right to control what use is made of their information, and the right to access
and correct that information where necessary.
180. The Office recommends that careful consideration is
given to each type of personal information that is proposed to be stored on the
SCRS to determine if its collection and retention is necessary to meet the
objectives of the access card. A Privacy Impact Assessment would be a useful
process for such considerations.
Databases and Data-Linking
181. The Discussion Paper notes that community trust in the
access card system may be undermined by the creation of new databases of
personal information and new data-linkages between datasets that need not be
linked. Concerns in this regard are often based on fears, whether perceived or
real, that such databases will allow the government to unreasonably intrude on
individuals' private affairs (Appendix A provides further discussion on possible
community concerns). Such intrusion may occur through government using
information in ways which the individual had not anticipated, or through the
routine surveillance of large sections of the community, without their knowledge
and about whom there is no cause for suspicion. A clear articulation is needed,
therefore, as to how the access card will exclude this possibility.
182. The Office welcomes the DHS's statement that the access
card will not lead to a centralised database of detailed information, including
transaction information.61 However,
the risk still exists that an enhanced capacity for data-linking62 and
data-matching63 may result in the access card's back-end system
becoming a virtual centralised database whereby information resides with
separate agencies, but is so readily cross-linked and accessed that the effect
(and privacy implications) are the same as if it were one large centralised
database of all information currently on the separate agency databases.
183. Although the SCRS will be established separately from
the databases administered by participating agencies, its existence may place
greater pressures on Government to expand data-matching exercises. On the
material supplied to date it is reasonably open to conclude that the system has
the capacity to facilitate easier and more sophisticated data exchanges.
Accordingly, it can be expected that agencies may see the opportunity to pursue
data-matching and data-sharing initiatives that have, to date, been technically
difficult and therefore not viable.
184. In general, data-matching should be the exception not
the norm and should be known, publicly justified and be based wherever possible
on the consent of the individuals involved. The challenge remains how to enable
appropriate data-linking while ensuring appropriate privacy protections. In many
cases, relying on an individual's informed consent will be a useful way forward.
A separate Privacy Impact Assessment in relation to the data-matching ability of
the access card system would be beneficial.
Unique Identifiers
185. In most cases, data-matching or linking is extremely
labour intensive, time consuming and costly. It requires specialist skills to
undertake large-scale data-matching of disparate data sets not designed to be
interlinked. Issuing each individual a unique identifier or number common across
the range of systems is often the easiest way to facilitate the linking of two
databases.
186. However, enabling such easy and accurate data-linking
creates the privacy risk that linking will be done excessively and without
justification. Such linkages may combine personal information that has been
collected for very different purposes and create rich datasets about
individuals' interactions in society. In some countries, these risks have been
deemed so significant that commonly-held unique identifiers have been proscribed
(for example, Germany) or made unconstitutional (Portugal).
187. Accordingly, a significant privacy risk comes about if
all the databases use the same number to identify each individual. A similar
privacy risk arises simply if databases keep a record of the unique identifier
of other databases.
188. Ensuring that each agency attributes a separate
identifier for each individual will prevent a drift to one number per person
systems, and adds another layer of practical obscurity64 by acting
as a natural (but not insurmountable) barrier to function creep and
inappropriate data-linkage and aggregation.
189. To protect against this privacy risk a solution is to
ensure that different data sets use different identifiers and that data
custodians do not routinely have access to a shared identifier for individuals.
This idea is now reflected in legislation, for example, in NPP 7 in the Privacy
Act, as well as the restrictions that apply to the handling of the Tax File
Number.
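As an added illustration, not drawn from the submission or from any actual agency system, the following Python models the arrangement argued for in paragraphs 187-189 together with the client master index described later in paragraph 206: each agency holds only its own derived identifier for a person, the index alone can translate between agencies, and it does so only for a prescribed purpose. Agency names, keys, sample records and the authorised purpose are all constructed.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple


class ClientMasterIndex:
    """Directory of identifiers only: it never stores service or entitlement data."""

    def __init__(self, agency_keys: Dict[str, bytes]) -> None:
        self._keys = agency_keys          # one secret key per agency, held by the index alone
        self._people: Set[str] = set()    # internal references, never disclosed to agencies

    def register(self, person_ref: str) -> None:
        self._people.add(person_ref)

    def identifier_for(self, agency: str, person_ref: str) -> str:
        """Agency-specific pseudonymous identifier: stable per person, different for every agency."""
        tag = hmac.new(self._keys[agency], person_ref.encode(), hashlib.sha256).hexdigest()
        return f"{agency}-{tag[:16]}"

    def resolve(self, agency: str, identifier: str, target_agency: str,
                purpose: str, authorised_purposes: Set[str]) -> str:
        """Translate one agency's identifier into another agency's, for a prescribed purpose only.

        Linking becomes an explicit, checkable act at one point, rather than a free join on a
        number that every database happens to share.
        """
        if purpose not in authorised_purposes:
            raise PermissionError(f"linking for purpose '{purpose}' is not authorised")
        for person in self._people:
            if self.identifier_for(agency, person) == identifier:
                return self.identifier_for(target_agency, person)
        raise KeyError("unknown identifier")


def shared_identifiers(db_a: Dict[str, str], db_b: Dict[str, str]) -> Set[str]:
    """What a naive join would link: the identifiers present in both databases."""
    return set(db_a) & set(db_b)


def attempt_link(cmi: ClientMasterIndex, agency: str, identifier: str,
                 target: str, purpose: str, authorised: Set[str]) -> bool:
    """True if the index permits and completes the translation, False if the purpose is refused."""
    try:
        cmi.resolve(agency, identifier, target, purpose, authorised)
        return True
    except PermissionError:
        return False


AUTHORISED_PURPOSES = {"concession-eligibility"}   # constructed: purposes prescribed by legislation

# constructed sample people and the data each agency holds about them
PEOPLE = {
    "person-001": ("bulk-billed GP visit", "payment type X"),
    "person-002": ("bulk-billed GP visit", "payment type Y"),
}


def build_demo() -> Tuple[ClientMasterIndex, Dict[str, str], Dict[str, str]]:
    """Two agencies store records under their own derived identifiers; the index holds the keys."""
    cmi = ClientMasterIndex({"medicare": b"constructed-key-1", "centrelink": b"constructed-key-2"})
    medicare_db: Dict[str, str] = {}
    centrelink_db: Dict[str, str] = {}
    for person, (med_data, cl_data) in PEOPLE.items():
        cmi.register(person)
        medicare_db[cmi.identifier_for("medicare", person)] = med_data
        centrelink_db[cmi.identifier_for("centrelink", person)] = cl_data
    return cmi, medicare_db, centrelink_db


def one_number_design() -> Tuple[Dict[str, str], Dict[str, str]]:
    """The contrasting design the submission warns against: both agencies key records by one shared number."""
    medicare_db = {p: d[0] for p, d in PEOPLE.items()}
    centrelink_db = {p: d[1] for p, d in PEOPLE.items()}
    return medicare_db, centrelink_db
```

With the derived identifiers, `shared_identifiers` on the two agency databases is empty, whereas the one-number design links every record by a plain set intersection.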
Issue 3: Customer Benefit and Customer Control
Benefit and choice
190. The Discussion Paper raises the broad question as to
whether the access card enhances customer choice and control (at page 29). This
issue is addressed at various points in this submission:
- a clear articulation of the access card's purposes is needed (paragraph 29);
- current possibilities for individual choice are limited to storing optional
information (paragraph 141) or using the card as an
alternative form of EOI (paragraph 150);
- individual choice could be significantly enhanced by offering choices around
collecting and storing the photograph (from paragraph 117); and
- a number of issues are raised in the Discussion Paper concerning the EOI
processes used at registration. These issues are addressed from paragraph 78.
Issue 4: Making the Right Technology Choices
191. The Office notes that a number of technology vendors and
other experts will brief DHS on technology that could be used for the
access card system. It is not the role of the Office to provide comment on
various specific options. However, the Office would make the following comments
that may inform the process of choosing technology.
192. While technology should be one of many matters that
inform policy it should not define policy. The existence of a technology or
functionality does not necessarily mean that it should be adopted. Consideration
should be given to whether the use of the technology is necessary, whether it is
effective at achieving the policy objectives, whether it is a proportional
response to the identified problem, and whether there is an alternative approach
which is less privacy intrusive or preferably privacy enhancing.
193. The answers to those questions should guide the use of
technology. The Office reaffirms the view that the most robust privacy
protection will often be to not collect personal information unnecessarily in
the first place.
194. One of the issues on which the Discussion Paper seeks
comment is what measures could restrict technology-enabled function creep. Such
measures will not necessarily be based in the technology. Decisions about the
design of the access card influence the actual capabilities of the card, whereas
legislation prescribes what uses are permitted.
195. One way to limit the risk of technology doing something
different from that which was originally intended is by decisions about design
features which make that more difficult, such as decisions regarding the data
storage capacity on the chip. For example, the Government has stated that it
does not intend the card to store electronic health records.65 An
example of a design decision which prevents the technology from being used for
this purpose may be to ensure that the capacity of the chip is insufficient to
contain the amount of data required for an individual's electronic health
record.
Privacy enhancing technologies
196. The Office submits that there is a clear distinction
between a privacy enhancing technology (PET) and a technology that is merely
less intrusive than alternatives. For example, the Discussion Paper states that
the design choices which have resulted in the individual's name and photo on the
front of the access card and the card number and signature on the reverse of the
access card are "privacy enhancing" aspects of the proposed access card, because
it will make unauthorised collection "much more difficult". The Office notes
that, while this design choice may be a better choice than having all the
information available on the face of the card, technology exists which is able
to read both sides of a smart card simultaneously.66 As such,
dual-sided printing may not offer a full guarantee of security.
197. In considering whether a technology is the "right"
choice for the access card system, the proposed technology should be benchmarked
against the characteristics of PETs.
198. The characteristics of a PET may include that:
- it allows anonymity where possible;
- it provides an individual with control over their information;
- it minimises the use of unique identifiers and centralised storage of rich
identifying data; and
- it avoids unnecessary collection of information, or collection in excess of
that which is required for the system to function.
199. Conceptualised another way, the purposes of PETs can be
described as being to achieve one or more of the following:
- "Unobservability – making private information invisible or unavailable to
others;
- Unlinkability – preventing others from linking different pieces of observed
information together; and
- Anonymity – preventing others from connecting observed information with a
specific person." 67
Anonymity
200. Anonymity is not synonymous with privacy, but it is one
means by which individuals can obtain a degree of privacy. However, the ability
to identify an individual is necessary in certain circumstances. There may be
some circumstances though where once the individual has been identified and
their eligibility for a benefit or service has been determined it may not be
necessary to retain personal information from every subsequent transaction.
201. The Office suggests that the Taskforce consider whether
it is necessary for an individual to be identified for a given class of
transactions, or whether authentication of the cardholder's status is sufficient
(see paragraph 108 for a discussion of authentication and
identification).
202. For example, if the access card were to be used when
obtaining transport concessions then the transport service provider would not
need to verify the identity of the cardholder but simply that the cardholder had
the requisite entitlement. Allowing for such anonymity reflects the fundamental
privacy principle that information should only be collected where needed for a
relevant purpose (see paragraph 13).
Individual control
203. Individual control over the information that is
collected and what it is used for is another means by which aspects of the
system can be privacy enhancing. Control can be exercised through making choices,
through physical control or possession of the information, or through transparent
provision of information about the collection and uses of personal information
and informed consent to those collections and uses.
Minimise central storage with unique identifiers
204. Given that unintended and unforeseen data-linkage is a
key privacy risk which needs to be managed, a privacy enhancing feature is
to ensure that unrelated data is stored separately and is not easily linked.
205. Systems and technologies which link an individual's
information by a unique identifier, which then use the information in a range of
contexts, create significant privacy risks. Computer systems, whether in regard
to physical environment, hardware or software, can be compromised. The best
security is to minimise the collection and collation of data to that which is
necessary to achieve the stated purposes.
206. Where it is necessary to be able to establish
relationships between data for prescribed purposes, use of client master indexes
may be appropriate. A client master index matches identity numbers created in a
number of different settings (for example, an individual's Medicare Number,
Centrelink number and Department of Veterans Affairs number). Accordingly, a
client master index is not itself a repository, but rather a directory of
identifiers attributed to specific individuals. The value of a client master
index approach can be that it keeps the data separate and retains
the separate identities associated with the different service providers while
facilitating combination of info |