Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
STANDING COMMITTEE ON FINANCE AND PUBLIC ADMINISTRATION
02/03/2007
Human Services (Enhanced Service Delivery) Bill 2007

CHAIR —I welcome Mr Cook and Mr Bolton. Do you have an opening statement?

Mr Cook —We do. I would like to give you a bit of background on CSC. I have over 22 years IT experience in this country and overseas. CSC is not as well known as Hewlett Packard and IBM, but we are a $14 billion turnover per annum company. We operate in 80 countries, employing 78,000 people around the world. We run and develop computer systems for customers such as GE, Motorola, BHP Billiton and Rio Tinto and undertake complex projects such as the replacement of the UK’s national health system’s computers and networks for roughly 60 per cent of that country. Globally we have a strong health practice, earning about $1 billion per year. We are implementing health networks of the kind that were being discussed in the earlier testimony. We are implementing these health networks across the United States and employ over 200 doctors and physicians working with the US and UK centres for disease control.

We also provide core banking systems operated by Suncorp, St George and ANZ, and almost 80 per cent of insurance premiums in Australia are processed through software supplied by CSC. Our software manages over 500 million credit cards around the world in 17 countries, and in Victoria we conduct the processing of credit card transactions for the European, US and Mexican operations of an international financial institution. We have operated in Australia for over 30 years and still have our very first customer, AMP. We employ about 4,000 people in Australia, with staff in all state and territory capitals plus Newcastle, Wollongong, Whyalla and Nowra. In Victoria and New South Wales we operate computer data centres rating to the T4 security level by ASIO and provide computing services to many federal and state government departments.

CSC has been contributing to the debate about access card technology through submissions to the Consumer and Privacy Taskforce and comments on the draft legislation. CSC is able to comment on the technology that can enable a card system, and in this area we are vendor independent and pick technologies that are fit for purpose. Our position is informed by real experience with implementing systems supporting 11 million national social welfare cards in Belgium and almost 20 million healthcare access smartcards in France, as well as operating the central population register for Denmark for over 20 years.

CSC has particular strength in technology security, including significant engagements with the Australian government, which is the key underpinning of privacy and protection of data for the access card system. We are one of only three companies authorised to issue DSD certification of systems on behalf of DSD and, accordingly, we maintain a number of security cleared IRAP assessors on staff. We also undertake penetration testing of systems and have a large group of ethical hackers employed to test the robustness of security applied to the systems of our customers. CSC has a commercial interest in the outcome of the access card tender processes and is bound by confidentiality deeds relating to that process, so I hope you will understand if some of our answers are a little circumspect. However, we will endeavour to be as open and forthright as we can in helping the senators achieve their objectives.

CHAIR —Thank you. Do you have anything to add, Mr Bolton?

Mr Bolton —I do not have an opening statement, but I would just like to add that I have been working on the access card and understanding it since it was announced almost a year ago. My experience in IT goes back about 25 years. I have experience in electronics engineering going back before that for almost the same number of years. I would like to start. Senator Lundy, as part of your discussion with Mr Wilson you were talking about open source and open standards, and it finished at open standards. I support everything that Mr Wilson said in that respect. However, I would like to make the point that open source is not the same as open standards. Open standards basically allow clean interfaces and interoperability and allow the straightforward replacement of components of a system, so, if a system has been designed around open standards, even if you have proprietary components, it does allow you the ability to replace those proprietary components if necessary. Open standards are in fact the middle ground between the full open source and the full proprietary view of the world, and commercially in fact that is where the bulk of implementation is done. It is based on open standards, rather than full proprietary or full open source nowadays.

Senator LUNDY —Indeed, open source has a full range of commercial applications and outcomes anyway. It all gets a bit cloudy.

Mr Bolton —It does. Basically we are here today to provide any advice that we can in terms of answering questions that are related to the technology base of the access card. We did put in a submission related to the draft exposure of the bill, but that was mostly in terms of procedural information and technical detail that needed to be tidied up, and I am pleased to see that quite a few of those things did get taken forward into the final text that was presented to parliament. Basically we are here to provide information and support you.

CHAIR —Thank you.

Senator LUNDY —I would go first to the issue of CSC’s intention to respond to the request for tender that is currently in the market. Is that the status of it?

Mr Bolton —There are two tenders in the marketplace at the moment. There is a tender for systems integration and a tender for the supply of cards. The way that the Commonwealth has gone to market with those is that there can only be one prime in each of those. You cannot bid for both of them and participate in both of them as a prime, and we chose to participate for the systems integration.

Senator LUNDY —As a prime?

Mr Bolton —As a prime.

Senator LUNDY —Do you have any role in the supply of cards tender?

Mr Cook —We have not taken a decision on that at this point.

Senator LUNDY —So you still could?

Mr Cook —That is correct.

Senator LUNDY —Do you have existing partnerships with any of the card suppliers in the market?

Mr Cook —No, not in Australia. We have implemented systems overseas.

Senator LUNDY —Of the standard that is in the tender documents?

Mr Cook —Of the standard in the tender documents.

Senator LUNDY —You have potential partnerships, albeit with overseas manufacturers of cards, to the standard required?

Mr Cook —Correct, although they are potential partnerships. The tenders have been split so that one will have to work with the other, whoever the government picks. That is one of the complexities of the program overall.

Mr Bolton —To echo what Mr Wilson was saying, it really does not make that much difference, other than in terms of a level of technical detail about what card technology or what supplier it comes from. That is more of a commercial relationship in terms of who makes the best commercial offer to the government. The fact that we have worked with particular suppliers overseas does not tie us to working with those in the Australian situation, and in fact what we are really working with in most cases is standards. The standards that are embodied in the card are much more likely to direct what we do at the systems integration level and who we might choose to work with where that option is available than existing brand relationships or what have you.

Senator LUNDY —Can you advise the committee what markets overseas currently use the standard that the government has specified?

Mr Cook —We would have to take that on notice.

Mr Bolton —We would have to take that on notice. It is being widely adopted in Europe. The US has been running on a slightly different set of standards. However, the whole standards process has been driving towards the set of standards which the Australian government has adopted for this card, and in fact AGIMO has recommended more generally in the smartcard space.

Senator LUNDY —Was that the agency that determined the standard for the purposes of this tender, to your knowledge?

Mr Bolton —To my knowledge that would probably have been the major influence. I am not an expert in terms of being able to take you back through the whole history of smartcards and the Australian government, which is quite complex, as you may be aware.

Senator LUNDY —Yes.

Mr Bolton —However, AGIMO has been establishing standards in the smartcard space starting in 2005. We put in a consultant’s submission to the discussion around that. AGIMO basically has established the standards in the Australian government space for smartcards. My understanding is that the DHS smartcard is basically adherent to the AGIMO standards.

Senator LUNDY —Does ‘basically inherent’ mean ‘the same as’?

Mr Bolton —I cannot swear to that because I am not an expert on the AGIMO standards. As part of the run-up to the revealing of the more detailed information about the smartcard, I had a look at the AGIMO smartcard standards, and I can see the material that was in the AGIMO standards reflected quite strongly in the information that is in the public space as far as the DHS access card goes. I have not done a tick-by-tick comparison to say that they line up, but my feeling would definitely be that there is a strong alignment between those two.

Senator LUNDY —Given you have identified yourselves as responding to the tender for the prime systems integration contract—

Mr Bolton —That is correct.

Senator LUNDY —I am going to ask you some questions in the broad about the potential logistical challenges of that contract. I hope you are able to answer them without giving any specific information that you have already said you cannot give because of the tender.

Mr Bolton —We will give it our best shot.

Senator LUNDY —My first big question is whether it is feasible for 35,000 people to be registered for the access card every working day between April 2008 and 2010. I appreciate that the answer if you want the contract is probably yes, but I am looking for a little bit more intelligent information than that.

Mr Cook —We can point to the performance of other national register programs. Partners that we are working with globally have rolled out projects in Pakistan, for example, where 55 million people have been registered. They are well on the way to their target of 75 million people registered there. As you would be aware, there are the Muslim and hijab issues there, as there will be here. In terms of whether you can do it, yes, the technology is capable of doing it. It comes down to the logistics of how many work stations and how many people you have actually subscribing that number of people. It comes down to a mathematical exercise in terms of the theoretical maximum. Certainly the technologies are available to handle that many registrations a day. There will be issues with regards to network bandwidth and being able to cope with the size of images that are required for biometric photos, but that is all technology; they can be handled.

Senator LUNDY —Staff and technology?

Mr Cook —Yes.

Mr Bolton —Obviously it is the number of registration places that you are prepared to mount and the distribution of them.

Senator LUNDY —That would be your bag in systems integration, wouldn’t it?

Mr Bolton —Yes.

Senator LUNDY —Forgive me for casting aspersions on CSC and all other major IT outsourcers, but we have been here before—where contracts have been responded to and undertakings given about roll-out economies of scale that can be achieved that have never been fulfilled. I think you know what past experiences I am referring to. What is in this contract that would make the winning contractor comply with that key performance indicator and what sanctions exist in the tender documents?

Mr Cook —You are aware that we are under confidentiality deeds with regard to this document.

Senator LUNDY —I cannot ask you specific questions about the tender documentation.

Mr Cook —You can ask them but we cannot answer them.

Mr Bolton —I can answer some of the question by saying that this is not an outsourcing arrangement; it is a fairly straight supply arrangement. You would have to ask the department for the details of that arrangement. If your concern is about operation being done by a systems integrator, that is not the nature of the relationship which the department has envisaged here. I would refer you to the department for any further information on that.

Senator LUNDY —They will be using their own staff to do the registrations?

Mr Cook —You might say that.

Senator LUNDY —That will send me back to them with more questions about that. From CSC’s perspective and extensive experience in government contracts and systems integration, what are the common risks and cost blowouts of this type of contract? And be honest.

Mr Cook —We would not be anything else.

Senator LUNDY —I know that is a difficult question because I am asking you to reflect on your own performance in the past, but it is a genuine question.

Mr Cook —There are two key things. One is access to skills. If you look at the nature of what the government is attempting to do with this roll-out, there is a surge capacity that has to be gotten over in terms of registering 16.7 million people. There is access to skills, there is the depth of skills and then there is the access to world-class program management to run that whole program. Then there are the interrelationships between DHS and the various agencies and their sense of urgency with regards to meeting the same time lines that a systems integrator would be being held accountable for. There is a lot of stakeholder management in all systems integration programs.

For example, we can point to the ones in the United Kingdom, and I have referred to that in my opening address, with the NHS. I can point you to our performance there, where we won one region. We were doing a good job in that region and handling trusts that were running hospitals. There are various case studies now coming out from the NHS about that. One of our competitors was falling behind in the time line, and in fact their two regions were taken off them and awarded to us very recently. That is a £3.2 billion roll-out into two other regions. The key point for us is that there is a lot of stakeholder management and that would be the biggest risk in this situation.

Of course, there is also the commitment of the Australian people. That is something that the systems integrator can support, and I would refer to the points that we were making in our opening address around DSD certification. There is the depth of skill in it and the probing and testing of the systems to make sure that they are robust. It is committing to do those things that are necessary to make sure that the system is secure that will give the Australian public confidence in this kind of program.

Senator LUNDY —I am going to reinterpret what you said. Areas of normal risk in this kind of undertaking would be the acquisition of the human resources with the appropriate level of skill?

Mr Cook —That is correct.

Senator LUNDY —The high-level management required to perform that very complex management task?

Mr Cook —Preferably people who have done it before.

Senator LUNDY —Relationship management with a big number of stakeholders?

Mr Cook —A large number of stakeholders, yes.

Senator LUNDY —And, fourthly—and I think importantly—the customers fronting up?

Mr Cook —In terms of the public?

Senator LUNDY —Yes, and registering.

Mr Cook —That is the success of the whole program.

Senator LUNDY —How do you tender for that? How do allow for that, in the abstract, when you submit a price, given that you cannot effectively control that key performance indicator or outcome?

Mr Cook —I am sorry, but you will have to speak with DHS with regard to the scope of the tenders that they are letting.

Mr Bolton —I think without breaching the deed I can say that they have made some provision for that in the way that they are actually running this thing. But once again, you really need to ask the department for that level of detail.

Senator LUNDY —Yes, we will.

Mr Bolton —The process has adequate flexibility to make us feel comfortable enough to want to engage. I really cannot say more than that.

Senator LUNDY —No, that is fine. We can leave it there. Just going to the DSD authentication, we are hoping to talk to DSD in Canberra, but for the committee’s benefit I think it is important that the committee understands how DSD manages its security authentication processes and the fact that it does procure that service from a number of private companies to act as proxies to authenticate the security systems. Can you describe CSC’s role in that process, and how you manage the probity of your role in authenticating security systems as opposed to your role as an IT service supplier to the federal government?

Mr Cook —Neither of us is a security expert in that respect, so we cannot take you into the black-letter detail.

Senator LUNDY —I do not want to know how you do it, but just explain the set-up.

Mr Cook —It is not only the design of the system and the equipment that is in the system, it is how the system is configured. But just as importantly it is how it is managed. It is the human side of the management of the system that is actually very important. It is those procedures and processes for running the system that are also vetted as well as the technology, the appliances that are in the network or in the system. Then there is the issue of notification of potential breaches or potential unauthorised disclosures of information. There is an escalation program around all of that as well. The comment made in one of the earlier discussions was that, in terms of assessing a process and a technology, a lot of discussion goes on between the experts. Post that, there is a lot of testing to make sure that those assumptions or decisions that have been made are actually valid.

Senator LUNDY —That takes months and costs a lot, does it not?

Mr Cook —It can do, and certainly if you are unfamiliar with the expectations of DSD and you have created a system that is not easily able to meet their expectations.

Senator LUNDY —Just looking at this from the perspective of CSC as a service provider for security authentication or approval, at what point would that service be provided with respect to the tender timetable and the security of the access card? Do you understand what I mean?

Mr Cook —I understand, and you can expect that it will be allowed for in the program, as we have done many times before with other services that we provide to federal government departments at the moment. We are currently providing services based on equipment that are certified, as I mentioned in the opening, to T4 standard and the DSD certified internet connections and things like that. In terms of the time frame, we are quite conscious of the time frame that it takes, and certainly the government will have factored that into its program.

Senator LUNDY —Would that occur before or after a winning tender was announced or at the point of short-listing of tenders?

Mr Cook —The certification process only occurs once the system is in place, but it has to be built so that it can be certified.

Senator LUNDY —What if it cannot be?

Mr Cook —It can be.

Senator LUNDY —What if you test it and it fails?

Mr Cook —Then you would have to re-engineer it until it passed.

Mr Bolton —The basis on which DSD works is that it has a set of technologies that have been evaluated through an evaluation mechanism, in which we really do not participate strongly. That is at the inner core of what DSD does. Certainly from the range of technologies as we understand them that exist at the moment, it is perfectly possible to come up with a very secure access card system. There is no requirement to go and certify new technologies to be able to implement the access card. The requirement is to assess the system which is assembled out of technologies that have already been approved by DSD, and to make sure that they comply with the relevant standards that have been issued with DSD. There is a process related to that, and this is the I-RAP process that we talked about before, using I-RAP assessors. We have a small number of I-RAP assessors within CSC, which operate at arm’s length from the rest of the organisation—a chinese wall, if you like—that does the assessment on a commercial basis for anybody in the market place who cares to engage us. They are the people who eventually do the assessment of those sorts of systems—our own systems and other commercial systems in the marketplace. We have all the bits and pieces to be able to do that; the bits and pieces are also available to anybody else in the marketplace that cares to engage and get an I-RAP assessment done by ourselves or any of the other organisations that can do it.

Senator LUNDY —If you won the I-RAP assessment aspect of this contract, do you have to tender on that separately or is that something DSD assigns at some point?

Mr Cook —You would have to talk to the department about that.

Mr Bolton —The normal mechanism would be that to obtain an assessment there is just a straight commercial engagement with an assessor. In this particular case we happen to be an assessor as well as somebody who is bidding for the RFT.

Senator LUNDY —That is useful, because I can ask you questions about that side of it as well as in your role as a tenderer. I will have to think about the wording of my final question.

CHAIR —Mr Bolton, I think it was you who said that a similar program to the one that the government has foreshadowed for Australia has been conducted in Western Europe. Is that with a social welfare access card with a photograph, a number and a digitised signature and so forth on it?

Mr Bolton —I would have to actually confirm with you the exact details of the card. The country is Belgium. They have had the card out not as a national identity card but as an identity card for some time.

CHAIR —It is an identity card. So that is different.

Mr Bolton —No, if I may finish?

CHAIR —Sorry.

Mr Bolton —They have had a basic card out as an identity card for particular purposes for some time, and having absorbed the experience of that over the last few years they have been expanding that into more of the social welfare space—not quite the same scope as the access card but generally in the same area. We can certainly provide you with some information on that. Because it involves a card that is issued by another sovereign government, we need to be a little bit careful about where we might be revealing information that is confidential to that government, but we certainly will be able to provide you with the basic information about that. I have physically seen some of the cards, and they do have photographs on them. But I would actually have to confirm the exact information on the physical face of the card. I am sure, because the cards are in public circulation, we would be able to provide that information without any real problem.

CHAIR —There is a certain irony in that, because you were saying that they have an identification card and you are going to expand it into a welfare access card. What the government is talking about is having a welfare access card, which is deliberately not an ID card. In other words, an ID card to the government is a broader thing—

Senator FIERRAVANTI-WELLS —It is a media beat-up.

Mr Bolton —The European model is different in terms of what is acceptable with national identity cards and what is not. They happen to have started from one place and they are moving towards using that card, because it is already there, for delivery of social welfare. The Australian situation is quite different; we are coming from a situation where we do not have a national identity card. So the government is implementing a card for a particular purpose related to social welfare and health care. The two are not automatically tied together; it just happened to be the way that, in one country in Europe, that was the flow.

CHAIR —Mr Bolton, you are right, but as Senator Fierravanti-Wells has mentioned, the nomenclature of the debate is very important, as you can appreciate, in this country.

Mr Bolton —I understand that, yes.

Senator FORSHAW —What you are saying is that there was an identity card that became a social welfare card. Was the identity card a compulsory card?

Mr Cook —Yes. Before, during and after the Second World War, Europe moved to identity papers. Most of the population registries were created at that time and from there sprung the ID cards. To take another extension, I mentioned in my opening address that in France there is a health benefits card issued—SESAM-Vitale—and CSC was instrumental in that as well. That is not an ID card; it is a health and benefits card.

Senator FORSHAW —When we say that it is not an ID card, it is not authorised or designated as an ID card by a relevant authority such as a government—right? In countries where there is no compulsory identification card, or no ID card that is given some imprimatur by the government, such as Australia, then in the absence of that what you have is a system whereby all sorts of cards can be de facto identity cards, depending upon how they are used.

Mr Cook —Yes, and whether they are able to be demanded and used for identity for policing purposes and those kinds of things—

CHAIR —The functionalities.

Mr Bolton —That is right, yes.

Mr Cook —So with, say, the Belgian ID card: yes, you have to produce it on demand but it is really up to government policy, whether they wish to take it back to parliament and change the anticipated legislation.

Senator FORSHAW —And what you have are situations where there is a requirement for proof of identity, as a societal requirement rather than a government requirement, although in some cases it is a government requirement or an authority requirement. I am seeking your comment because, as a company that is experienced in both systems of identity cards and systems of other cards that are not intended to be ID cards but are used for other purposes—

Mr Bolton —My colleagues from Belgium, who live under the particular social environment where the card is acceptable, have absolutely no issues with it because that is what they are used to. They think we are a little strange because we do not have an identity card. I think that is a bit of an old world-new world thing, and it has a lot of historical background to it.

I do not know what the answer is. The experience of the company is that we are quite neutral about any of that sort of stuff. The people with whom I have come into contact are quite comfortable with it. As an Australian citizen, I am comfortable with the position here and, as Belgian citizens, my colleagues in Belgium seem to be quite comfortable with their situation.

Senator FORSHAW —I am not trying to trap you, and I am not necessarily seeking from you a comment about policy or whatever, but I am prompted by some of the comments and the questions of the Chair and other comments. You have a situation in this country, and in a lot of countries, where there are certain cards—say, a passport—that have a specific function as an identity card, if you like. A passport does and a drivers licence does. You use your passport when you enter or leave the country. You use your licence when you are required to produce it for the relevant police authority. But that card or that passport also become identity cards in a whole range of other circumstances that are not necessarily compulsory situations but, by their very nature, they have become so. That is where a lot of the debate is, as distinct from a media beat-up. The same applies with Centrelink cards, student concession cards, DVA cards, or even Medicare cards or PBS cards. That is what the debate is about. I do not think it is a media beat-up, but I will leave my comment at that.

Mr Cook —I guess CSC’s position is that, if a business benefit can be derived through the use of technology, that is what our company does.

Senator FORSHAW —Each one of those others has a particular business function, too.

Mr Cook —Yes. If there is an initiative that allows us to draw on our skills and achieve a program that builds confidence in the program and drives down the cost of fraud, which I bear as a taxpayer as well, those are the sorts of things that CSC likes to do. We gain a lot of personal and individual satisfaction from doing that.

Senator FIERRAVANTI-WELLS —I think if the public understands that that is exactly what the thing is about, they will be a lot more willing and probably the rollout will be a lot better for whoever gets the contract. You mentioned your involvement in about 80 countries. Is it more appropriate to ask the department to do the comparison with what happens in those countries? Are we imposing too much on you to ask you to give us an outline of what happens in those various countries in terms of the use of smart card technology?

Mr Cook —My opening remarks were just to give you an idea of the background of CSC.

Senator FIERRAVANTI-WELLS —Yes, I appreciate that.

Mr Cook —We operate in 80 countries. We have not done smart card rollouts in 80 countries.

Senator FIERRAVANTI-WELLS —No, but what you are saying is that you could probably assist with the countries where you operate and you have done work?

Mr Cook —We were referring in particular to Belgium and France. In my opening remarks, I also commented on Denmark, because we have been operating a population registry there for 23 years. Building, running and maintaining that, with the iterations of technology that have been required, is something that we do not have in Australia to start from. Most other countries, when they have implemented smart card technology, already have a population registry of some sort. Through that Denmark operation, CSC has actually created population registries in multiple countries across Europe, Italy being the most recent one.

Senator FIERRAVANTI-WELLS —Yes, and you find people that probably did not even exist in Italy. That is quite common.

Mr Cook —The SESAM-Vitale card in France is the one that has derived the most benefit—not so much from the application of the card but, as was discussed in an earlier presentation, in terms of epidemiological studies and long-term data collection, and being able to mine those to improve population and health outcomes. Not only are there cost savings because of the reduction in fraud, et cetera, but also the quality improvement in terms of public health outcomes is by far the most impactful of that technology. It is not through the application of the card per se but the smart use of information that comes from that card.

Senator FIERRAVANTI-WELLS —I inferred from what you were saying that, when you look at what we are doing in Australia in comparison with what is done around the world, this is a limited scope operation. Mr Bolton, is that what I read between the lines of your earlier comments—surprise at all the hype, when really all we are doing is something very simple for a limited purpose?

Mr Bolton —The technology is here to do a straightforward job providing a highly secure environment for the card and for the backend systems that support the card—the central registry and all of that. This is all well-known technology. There is nothing magical about it; fine-grained access control for how people access the card from within the Public Service—all of those sorts of mechanisms are well known. The technology related to the card is really not the problem. The issue is the business processes, the legislation and the administrative controls designed around it to use that technology. The real issue that I think everybody in the industry is finding—and I think Mr Wilson reflected some of that in his comments—is that we do not have that good a visibility of a lot of the business processes yet. Therefore it is hard to know exactly which bits of the technology are going to be employed and in what way they are going to be employed. That situation is improving. Every so often the Office of Access Card releases more information and we get a better view of how all of that is developing. The legislation itself provides important information on how the processes around the card are likely to work. The actual implementation, though, depends on detailed design work, which has not yet been undertaken by anybody. We can envisage—in fact, we have spent a lot of time envisaging—what that is likely to be, but nobody knows for sure until we are further into the process. Lots of people in the community who are interested in the card are frustrated by the lack of clarity at the moment related to the business processes, because they will control how the technology that is available is applied.

Senator FIERRAVANTI-WELLS —In the bigger picture of what we are doing here, it is a relatively simple operation compared to other things that are being done overseas. It is a simple concept for a simple purpose and for a simple scope. That is really the point that I am making. We see all this hype and media focus on peripheral issues. My point is that this is a very simple operation. Even given what you have said about the business parameters that may be put on it, in effect we really are talking about something that is very simple in the bigger picture and the bigger context of what may be done overseas.

Mr Cook —And also what is possible with the smartcard technologies, yes.

Senator FIERRAVANTI-WELLS —Yes, I appreciate that.

Mr Bolton —I do not want to disagree with you, because as a general principle that is correct. It is very hard, though, to find a definitive high-water mark in what is done overseas. Probably the Malaysian MyKad would be the most strongly leveraged smartcard technology for general community use. In comparison to that, certainly what is intended for the access card is much more straightforward than what is intended there. However, in terms of the broad scope of the application of smartcards to health and welfare service access, I am not aware of any exact parallel with what Australia is doing. It is certainly an achievable goal, but it does have a few twists in it that are unique to the Australian experience. But I do not think they are necessarily show-stoppers or things that will present any particularly difficulty. We do need to acknowledge that, while we are building on standard technologies and standard approaches, there is a degree of uniqueness to the Australian access card compared to anything else in the marketplace at the moment. A lot of the applications for smartcard technology are single-purpose applications. They will be for a transit card, for a physical building access card, for a border crossing card—for one thing or another—but they are primarily around doing one thing. It is only very recently that something like the MyKad has come along, which really starts to leverage a single card to do a wide range of things and provide a wide range of services. Even though that capability has been in the technology for a long time, it has taken a fair amount of time for the industry to get its act together and get to a realisation of that in either a public or a commercial space.

Senator LUNDY —What would be the application of the electronic document archiving practices and principles of the Commonwealth to proof of identity documentation collected as a result of the access card?

Mr Bolton —There is a tension between what we consider to be a good privacy principle, which is that you only maintain information for as long as it is immediately necessary for the particular purpose, and my understanding of the requirements of the Archives Act. I recognise the tension is there. CSC as an organisation has no opinion one way or the other on which one of those should take precedence. There certainly seems to be a strong tension there.

Senator LUNDY —That is interesting. We will follow up that one with the department. Can you advise the committee whether the metadata standards as specified for the central registry permit interoperability with both the HIC and the Centrelink databases?

Mr Bolton —I cannot answer that one definitively. The metadata standards as we understand they exist at the moment are not definitive; they are not complete yet. One of the reasons I cannot answer it is that we do not have a definitive set of standards in the DHS space. As to how comparable they are to the metadata standards in HIC and Centrelink, I think the answer to that might be ‘mu’; it is not really the right question. The issue with the use of the access card is that it basically provides an identity validation to the agency systems. It does not need to line up exactly with the data in the agency systems.

Senator LUNDY —I know that the department has said that quite specifically, but my question was about the metadata standards and their compatibility quite specifically for that reason.

Mr Bolton —In the case of the metadata standards, I do not believe that they are compatible or that they need to be compatible, but I refer to my earlier comments that the metadata is not cast in concrete for the DHS. I could not give you a definitive answer on that until we can actually do a tick-box comparison about what is in each place.

CHAIR —There being no further questions, gentlemen, thank you very much for your assistance this afternoon.

[4.08 pm]