Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
STANDING COMMITTEE ON FINANCE AND PUBLIC ADMINISTRATION
05/03/2007
Human Services (Enhanced Service Delivery) Bill 2007

CHAIR —Welcome. Would one of you like to make an opening statement?

Ms Versey —Thank you. I have made a written submission to this inquiry and do not wish to add to or alter anything in that written submission. But what I would like to say to the committee is this: I do not object to the use of technology to update and improve the existing Medicare scheme or people’s access to Commonwealth benefits and concessions. Nor am I opposed to a scheme that assists in the prevention of identity theft, as outlined in the bill. But the question must be asked whether the scheme, as outlined in the bill, will truly deliver the benefits claimed for it and whether the benefits outweigh the cost and the potential loss of privacy and security of approximately 16.7 million people’s personal information and whether the stated objects of the scheme can be achieved by a more modest approach.

In my written submission I stated that for the first time Australia will have a national population database. This database, or register, as the bill calls it, will contain a considerable amount of personal information about every man, woman or child who is a citizen, a permanent resident and, in some cases, a temporary resident in Australia. Since it will be compulsory from 2010 to register to obtain an access card and the access card will eventually be the only means to obtain any Commonwealth benefits such as Medicare, then few will not be on the database. As with any large database containing a lot of personal information, it will be especially vulnerable to unauthorised access and use. One only has to reflect on repeated reports of unauthorised access and misuse of police databases or, more recently, the Centrelink database, to know that this is not just possible but inevitable, as is function creep. Audit trails and criminal sanctions will not prevent it. This database will be the richest of them all. It not only contains extensive personal identifying information but also a photograph, digitised signature, copies of identity documents such as birth certificates, and a unique identifier in the form of an access card number. In the second reading speech the Hon. Mal Brough stated:

The register will not be amalgamated with the databases of existing participating agencies. It will be established separately ... and will not contain medical or health information.

That may be so, but the creation of a unique identifier will allow data matching and data sharing between those agencies that hold the unique identifier without the merging of those databases. The bill does not prevent this. Clause 57 only prevents the recording, copying and using of a card number from the card, not the register. It is therefore small comfort that the register will be kept separately from the participating agencies’ databases.

The card itself is said to carry less information than a driver’s licence, but this is not a relevant comparison. It carries more information than the Medicare card. It has a photograph, the unique identifier and a signature. It also carries other information of a person’s choosing, such as a date of birth. The government has been adamant that this card is not a national identity card. It has made this an express object of the act. It has created penalties for people who require it as an ID card except for the purpose of the act. Yet the very presence of a photograph and voluntary date of birth means that it will become an identity card albeit through the stated means of choice and consent.

The very process of registration and application for the card is intended to meet the proposed Commonwealth gold standard for evidence of identity. When a driver’s licence did not contain a photograph, no-one apart from the police for purposes connected with the driver’s licence asked to see it. But the moment it had a photograph on the face of it then it became a de facto ID card. The presence of a photo on the face of the card will do the same. There may be criminal sanctions, but the committee must ask itself how likely it is that these will be enforced in practice.

The chip on the card contains much more information, including residential address. Apart from veteran or age pension status, by choice, the face of the card does not identify what Commonwealth benefits the holder of the card is entitled to. This is contained in the chip. This means that whenever an organisation is offering concessions to certain classes of persons, whether it be a state or territory government, a pharmacist or the local video shop, they will require a reader for the chip. Thousands of people and organisations will have some degree of access to information on the chip. This is a significant security concern. It is unclear how access will be limited to what the reader needs to know. The bill, in clause 34(1), makes reference to a card PIN and password, but these features appear to be optional. PINs and passwords are security features. If they are needed to protect the information on the chip, they should not be optional.

One of the benefits of the card that has been promoted is that it will give easier access to persons requiring emergency payments after events such as Cyclone Larry, therefore both the register and the chip will contain an emergency payment number. Putting aside whether people involved in natural disasters such as Cyclone Larry are going to have their access card preserved, it is worth reflecting what this feature means in practice. The emergency payment number, while not an individual’s bank account number, is the means by which a person accesses an emergency payment and, thus, the card will also have to be able to be read at ATMs. This is another outlet which will have to be able to read the chip.

The chip will not only contain information said to be relevant for access to Commonwealth benefits and concessions; the bill creates a so-called customer-controlled part of the chip. As yet the size of this is unknown. What information could be put on this part of the chip is also unknown, save that the bill, in section 40, allows the cardholder to use the card for any lawful purpose. Apparently Queensland is already interested in it containing driver’s licence information. Other states and territories may follow.

Sections of the private sector such as banks are no doubt keenly interested. The consumer and privacy task force has just issued a discussion paper that flags that information such as allergies, drug alerts, chronic illness, donor status and next of kin may be included. The more information and the wider the diversity of the information that is to be included, the greater the security risks, especially, as has been suggested, if the customer has access to the information on the customer part of the chip and is able to update it or alter it from the internet-enabled home computer. Although the bill stipulates that the card cannot be required to be produced for purposes other than the purposes of the bill, if information such as driver’s licence information is included then mandatory production widens. It is also easy to predict that those that want to populate the customer part of a card will be able to coerce consent through such methods as significant financial incentives.

In spite of the enormity of this project, the bill at present before parliament is silent on many significant areas—for example, reviews and appeals; privacy protection; effective oversight and governance; protection of information; issues relating to the customer controlled part of the chip; dependants, carers and other linked persons. The task force is yet to report on these matters. It is yet to do a privacy impact assessment. The bill gives the authority to the executive without the protections to the public.

The existing federal Privacy Act is not sufficient. It is a generic act with many exemptions. It does not apply to state and territory bodies such as road authorities or contracted service providers to states and territories, such as transport authorities. It does not apply to all of the private sector. In my submission, the bill should not proceed until all of the legislation underpinning the scheme has been introduced. Only then can an informed assessment of the scheme be made. If it does proceed then at least the commencement clause should be amended to expressly link the commencement of this bill with related bills.

CHAIR —Before I invite questions from my colleagues, can I just remind my colleagues again about timing. I thanked you for your cooperation last Friday, but perhaps we could keep questions and answers direct, if that is okay. The government has said there are two principal reasons for introducing this bill—first of all, to stop fraud or to fight fraud; and, secondly, to facilitate access to welfare. They are the two principal arguments the government has raised, including in the explanatory memorandum. If we go to the card itself, one of the arguments is that smartcard technology is good because information does not need to be on the card; it can be on the chip. Do you think that the government would be hindered in facilitating access to welfare or fighting fraud if there were not a photograph and a universal personal identifying number or digitised signature on the card?

Ms Versey —With regard to a photograph, no, I do not think so, because people are going to need to have readers in any event. So, in my submission, a photograph could be on the chip and those who need to be able to identify the person by looking at the photograph and looking at the person who is presenting the card should be able to do so through a reader.

CHAIR —So welfare benefits would not be paid in any case unless there is a reader available.

Ms Versey —That is right, because the card needs to be read for the welfare benefits. As I understand the scheme, anyone who is providing benefits is going to need a reader in any event. So logically, if they have to have a reader, you have a reader that can read the photograph or can bring up the photograph as the check. Once you remove a photograph off the card, you greatly reduce it being used as an identity card, if that is what the government wishes to prevent. With regard to the unique identifier, one of my concerns was that there seemed to be some suggestion in the explanatory memorandum that this would be used over the telephone to identify someone so that the cardholder—

CHAIR —Or over the internet as well.

Ms Versey —Yes, so the cardholder needed to be able to read their own number off the card itself. I had some real concerns about that because I would have thought that, if someone is ringing up or accessing the internet and is able to do so, or can obtain information simply by quoting a number, that is a real security risk. If an unauthorised person has got hold of the card but can access information simply by reading the number, that is very poor security. A person should in any event have to provide much more identifying information to be able to get information over the phone or on the internet. So I do not think that that assists in any sort of security arrangement by having the unique identifier on the card.

CHAIR —Professor Fels’s task force did equivocate but came down in the end in favour of a photograph being on the surface of the card. In essence, he argued that it would be convenient for users. What do you say to that?

Ms Versey —It may be convenient to users. I suppose it is the whole issue as to whether one wants to encourage the use of this card by choice basically as an identifying card or identity card. Of course, that raises the whole—

CHAIR —That is a different issue, isn’t it?

Ms Versey —That is a different issue, but that is really what it is all about.

CHAIR —You cannot confuse the issues.

Ms Versey —No. But it is convenient to the user if they have a photograph given the pressure on people to produce an identity card with a photograph on it. If you go to the airport to pick up your electronic ticket, you have to produce a drivers licence or your passport. If you go into the post office to post a parcel overseas, you have to produce some photographic evidence of your identity. If it is the case that it is envisaged that this will be used—and it clearly is—by choice as another form of identity, then obviously it is of consumer convenience to have the photograph on the card.

CHAIR —So you are saying it is a de facto identity card?

Ms Versey —Yes. It is promoted as such through choice and consent—expressly so, really.

CHAIR —Putting aside those issues about the card and the information on the card for a second, in your submission you also go to some lengths to describe the very broad discretion of the secretary of the department and the fact that that is not subject to legislative review.

Ms Versey —Yes.

CHAIR —Why is that so concerning? It is administratively convenient, isn’t it?

Ms Versey —A lot of things can be brought in under the label of administrative convenience. I think with a scheme which is as sensitive as this, one should be very careful how much discretion you give to a bureaucrat—and I mean no disrespect to the secretary—without proper legislative oversight. You should be keeping it tightly controlled as to what information is required from people and what goes on the register.

CHAIR —So at the very least it should be subject to legislative scrutiny. Is that your point?

Ms Versey —Yes, that is my point. At the very least it should be subject to legislative scrutiny. Wide discretions may not necessarily be abused but can be interpreted very widely.

CHAIR —This is my last issue because I know my colleagues have many questions. My colleagues, among many other issues in Sydney on Friday, raised the issue of the proof of identity documents being kept on the register.

Ms Versey —Yes.

CHAIR —You flagged that. What are your specific concerns about that?

Ms Versey —My specific concerns are that you will now have a register where identity documents, such as birth certificates, are now copied onto the register. This makes it a very rich source for those that want to indulge in identity theft or want to take over identities, which means that you have—

CHAIR —So it creates opportunities for identity theft?

Ms Versey —It creates opportunities and it makes those that have access to and control of the register vulnerable. It makes the register vulnerable. The less you have on the register the better. If you have a source where you not only have all this personal written information but also actually have copies of the identifying documents themselves, then you have the whole person’s identity all in once place. There is always danger when you put everything in one place. Even though it may seem terribly convenient and a good idea, if you collect personal information and put it all in one place, then it makes it much easier for those that wish to steal identities to do so.

CHAIR —Would you be happier if, when proving your identity, a person applying for the card showed the information to an officer but it was not copied or scanned?

Ms Versey —Yes. There seems to me to be no reason why it should be copied or scanned if the person doing the interview sees the documents and is satisfied, and then ticks a box to say that they have seen the documents and are satisfied they are genuine. I know this ties into the document validation service that is being proposed. There is no explanation as to why the documents have to be copied onto the register.

CHAIR —My friend Senator Watson has just whispered, ‘What is the maximum amount of information?’

Ms Versey —I have not really turned my mind to the maximum amount of information on the register. I have expressed my concerns in some areas in my submission. If you want me to give that more thought I could take it on notice, but I think my concerns are expressed in my submission.

CHAIR —You say it is an identity card—you actually say that, don’t you? You say: ‘This is an identity card.’

Ms Versey —Well, it is a de facto identity card. It is meant to be. It is meant to identify people who are presenting to obtain concessions. There is no doubt about that.

CHAIR —But that is not the problem, is it? The issue is whether it can be used for other purposes.

Ms Versey —That is right.

CHAIR —That is the point.

Ms Versey —The point is whether it becomes a national identity card for everyone apart from the people presenting to obtain their concessions.

Senator FORSHAW —I have two quick issues. Thank you for your submission and particularly the fact that you have been through the bill and have identified issues with respect to the various clauses and paragraphs, which was most helpful. You mentioned in your opening statement—and it runs through your submission as well—this difficulty that we do not have the parallel proposed legislation going to whether there is going to be a right of appeal and so on. I take the point that you are saying it should either be delayed until the full package is available or the commencement date is delayed. But having regard to the fact that the government seems very keen to push on and push this through the Senate, do you have any proposals—you could take this on notice or maybe you have submitted this to Professor Fels’s inquiry—about the sort of scheme that should be in the legislation to provide some sort of appeal or system of checks and balances against discretionary decisions by the secretary or refusal to provide a card but not give reasons and so on?

Ms Versey —I have not got it in detail, but what I would say is this: where the secretary has power to, for instance, decide a person has not properly proved their identity or to suspend or cancel the card—which would have very serious consequences on a person who does not get their access card, especially if they need it for a number of concessions—there must be some sort of right of review and appeal to the secretary’s decision that is accessible to people. If a secretary has the power to make the sorts of decisions that can radically affect someone’s life there should be oversight of that and an appeal mechanism against it.

Senator FORSHAW —One of the things that concerns me about that is that at the moment under the current system if you want to get a Medicare, pensioner or veterans card there is a system—whether it is a good one or a bad one—in place that gives the applicant the right to appeal an unfavourable decision. I am struggling to understand how the new system with his card will operate where you have another layer. You have a secretary who presumably has the ultimate right.

Ms Versey —That is what we do not know at the moment and that is what I am saying: the legislation needs to include a system whereby people can appeal against the secretary’s decision. I cannot give you details of what sort of system it should be apart from it needing to be accessible. It perhaps needs to be outside of the bureaucracy so that you have a layer above the bureaucracy, given that we have the secretary making the decisions, and a system where a person has a right to be heard.

The other area that I am concerned about is the mandatory information on the register. In particular, I am concerned about the residential address. It seems that the secretary’s power not to put the residential address on is very limited. I think that (a) it should be discretionary and (b) if there is a refusal not to put it on the register, there should be an appeal against that. In our office we have had one case where a person’s residential address, which was held in the government’s database, was disclosed—after the woman had changed that address and her name—to her estranged husband, who was violent. This had, potentially, very serious consequences. There are those sorts of issues regarding discretion about what to put on or not put on the register and there being a right of appeal if the person’s application not to have information on the register is refused.

Senator FORSHAW —On the second matter, very quickly, it seems to me that there is a catch 22 in a lot of this where the government says that this one card will replace up to 17 cards. But we know for most people it will be one—Medicare—and maybe a couple of others, such as a veterans card or a Centrelink related card. One of the things that happens with, say, the veterans card or the seniors card is that they are used—and I think quite legitimately—in the private sector for those persons to obtain a discount or a lower charge on services. It may not necessarily be a government service. With the card that we have been shown, the access card, that sort of information is not actually on the face of the card—

Ms Versey —That is right.

Senator FORSHAW —so there is the potential, if you like, for persons to lose the opportunity to access benefits that they may have now. A simple one might be to go to McDonald’s and get a free cup of coffee or something.

Ms Versey —That was the point I made. Of course, I think it is voluntary for veterans to have their status on the card. But that was a point I made. This means that there will have to be readers of the chip all over the place. If that system is to continue, there will have to be readers in all sorts of places where concessions are granted. The state government provides—

Senator FORSHAW —Sorry to interrupt—or that you may need some second identification system.

Ms Versey —Yes.

Senator FORSHAW —You have your access card but you have a readily identifiable entitlement to some other benefits, because you are not going to have these readers right for the private sector, surely.

Ms Versey —I suppose that begs the question as to whether there should really be only one card.

Senator FORSHAW —Okay. I will leave it at that. Thank you.

Senator STOTT DESPOJA —Thank you for your excellent submission. I just wanted to pick up a specific point you raised in response to Senator Forshaw—again, I apologise if you have covered this: the issue of suppression of address and the very valid points that you raised; the fact that no-one is exempt apart from witness protection program people. Do you have an example that we could use for suppression of address? I understand that in New Zealand domestic violence legislation there are mechanisms that they have employed. Is there something you can give us to help us in possibly redrafting these bills?

Ms Versey —We were involved in amendments to the Victorian state Business Licensing Authority Act 1998. They set up a scheme where, if you were to be placed on the business licence register, which of course is a public register, you could apply to have residential address excluded from the register by the registrar and if the registrar refused your application then there was a right of appeal to the Victorian Civil and Administrative Tribunal. That is one example of a scheme where the person controlling the register can make the initial decision and, if there is a refusal, there is a right of appeal.

Senator STOTT DESPOJA —Thank you. In your submission, as I am sure you have today, you have talked about the issue of access. I have concerns not just with the issue of unauthorised access. My first question is: do you think we should explicitly prohibit in the legislation unauthorised access? Is that something that is missing in the bill from your perspective?

Ms Versey —Yes. I do not think the bill does expressly prohibit unauthorised access, but I think what is completely missing from the bill is the protections around the information. It does not expressly prohibit unauthorised access, data sharing or data matching and that is needed in the bill. Yes, I would say that there must be express prohibitions in the bill.

Senator STOTT DESPOJA —Conversely, my second question, which is probably predictable in following on from that, is about the fact that there is no explicit listing of who can access the register.

Ms Versey —Exactly.

Senator STOTT DESPOJA —Is there something that you would recommend in relation to—

Ms Versey —I would certainly recommend that you expressly say who has access to the register so it is clear and transparent in the legislation as to who has access. For example, if it is intended that federal police should have access to the register for law enforcement purposes, the bill should say so.

Senator STOTT DESPOJA —Other witnesses have asked and some other people have said there should be an additional clause or schedule. You are not fussed about the process by which that happens as long as—

Ms Versey —It is in the legislation.

Senator STOTT DESPOJA —Just in relation to an explicit legislative revenue mechanism, is there something you would recommend to us, particularly when it comes to reviewing some of those administrative decisions? I note that throughout your submission you have drawn our attention to the wide-ranging discretionary powers that rest with the minister and, more particularly, the secretary of the department. Is the review of administrative decisions something we should be placing in the bill?

Ms Versey —I certainly think that review of administrative decisions needs to be placed in the bill. I do not have an actual model for you. I can take that on notice and attempt one, but it is probably something that is in the draft. I am sure there are plenty of examples of administrative review models. I can certainly take that on notice if the committee would like some examples.

Senator STOTT DESPOJA —That would be great. I think we would value that. Thank you.

Senator LUNDY —I would like to follow up on one point about discretion. In your submission you reference clause 30, which authorises the minister to issue policy statements setting out the Australian government’s policy in relation to the administration of the bill. You go on to note that the breadth of discretion proposed to be given to the secretary combined with that creates a whole new realm of non-legislative change. Can you expand upon that and give some examples about how that power could be used and how dramatically it could change the application of the access card in Australian society?

Ms Versey —I need to refresh myself on that matter.

Senator LUNDY —It goes to the point of broad discretion. It has been noted by other submitters that this authorisation to the minister to issue policy statements setting out the Australian government’s policy being included in the bill is strange because of course they can always do that through their role in the parliament. Why is that specifically in the bill and what implications does it have?

Ms Versey —It did seem an odd inclusion in the bill to give the minister this power to make policy statements. I do not think the explanatory memoranda in any way explained why it was there. Given that the scheme is presented as government policy that it is not an identity card but simply to enhance access to services and reduce fraud, it is difficult to see why the minister needs to have an express power to make policy statements which may actually take the scheme wider than the present government’s stated policy.

Senator LUNDY —Without legislative amendments.

Ms Versey —Yes, without express legislative amendment. That was my concern. Similarly, when you have discretions of the secretary, it means that you do not have that legislative oversight. It is such an enormous scheme that I think giving discretions without legislative oversight causes concern.

Ms Fisher —Can I add something to that?

Ms Versey —Yes, please do.

Ms Fisher —One of the things that might be considered by the committee in relation to those guidelines is that I think it evidences the inherent tension between ‘Is the card an access card?’ and ‘Is it an identity card?’ because, if the identity guidelines establish a very robust level of identity that needs to be proved, either on an interim status or as a full status, which has now been introduced into the bill but was not in the exposure draft, then it raises the intent of the card to be more of an identity card rather than an access card, because there should be simply enough identity to establish your eligibility to access—

CHAIR —Sorry, could you explain that again, Ms Fisher? I am listening.

Ms Fisher —There is a tension in the bill, I think, about what the purpose of the card is. Is it to be a robust alternative form of ID to your 100-points check? Can you present the one card, or do you present a wallet of cards? So I think there is a tension: do we promote that, do we go off the back of the access card to provide this optional alternative to proving your identity, or do we simply want it to evidence your entitlement to access services? How robust does identity need to be to access services?

CHAIR —If it is the former, the government has not said that. The government has simply said it is to facilitate access to welfare and to fight fraud. If that is part of the agenda, I wish the government would say so.

Ms Fisher —It does mention it in the explanatory memo, when it explains why we are having this new interim full status for registration. There is a reference to the gold standard for proving identity. It does make one wonder why.

CHAIR —It may be convenient, but that is a different issue. Issues keep merging.

Ms Fisher —Exactly. There is a tension.

CHAIR —Yes, if it is convenient, that is fine, but that is not why I am told the card is being brought in. It may be a consequence if people want to use it that way—I understand that—but that is not why it is being brought in.

Senator STOTT DESPOJA —What is clause 33(a)?

Ms Fisher —If you want it to be an access card then make it an access card. Why ask too much from the card, unless you want it to be a convenient form of ID?

CHAIR —Yes. Sorry, Senator Lundy.

Senator LUNDY —That is okay. I think this really does go to the heart of it, because the witness appears to be contending that—it is the duck thing—it looks like an identity card, based on what is required to establish it, albeit that that is not the government’s stated policy intention. I think that is pretty much the heart of what we are going to be debating in the parliament.

I have two other questions. You have already responded to Senator Stott Despoja’s questions about authorised access, but I am interested to know if you are able to find anything in the bill that specifically prohibits compilation and/or distribution of the registration database. I would like to refer to the compilation and distribution—in fact, sale—of the ABN database following the introduction of the GST, when all of the corporate ABN numbers, the company ABN numbers, were in fact sold to Dun and Bradstreet. That practice quickly stopped when it was raised in parliament—in fact, in Senate estimates. I was involved in that. So what is there in this proposed act to prevent compilation and/or distribution either in an authorised or an unauthorised fashion of this new database?

Ms Versey —There is nothing express in the legislation. At the moment, all that would apply would be the federal Privacy Act, but that has many exemptions, as I have said, and it is a very generic act. But what is missing from the legislation is express prohibitions on compiling and exchanging information.

Senator LUNDY —And is there anything, to your knowledge, that would prohibit or prevent the compilation and distribution of this database within the Commonwealth—that is, to other agencies—for perhaps data-matching purposes but also, I guess my point is, not just checking individual records but compilation and allowing that database to be cross-checked, if you like? I do not know the precise words.

Ms Versey —Again, only the federal Privacy Act would apply. It is not within the bill itself. That is our point: it is not incorporated in the legislation.

Ms Fisher —I would add that I think it is not prohibited when you are dealing with other laws that have a demand power. For instance, one question worth exploring—and I do not profess to be an expert on this—is the powers under the census act to access information in administering the census. So, where other laws provide an authority to access information held by government or elsewhere, that is a potential draw upon the register.

Senator LUNDY —So, by virtue of the presence of those demand powers and the absence of any explicit prohibitions, we can pretty much draw the conclusion that this database would be compiled electronically and distributed for those demand-style purposes.

Ms Fisher —It is certainly vulnerable to that.

Ms Versey —Bearing in mind that the federal Privacy Act expressly allows disclosure that is authorised by law.

Senator LUNDY —Yes. I want to go to the issue of the Crown being exempt from prosecution—Crown immunity protecting Commonwealth agencies from being prosecuted for misusing the information. You reference part 1, division 5, clause 35. Can you just expand on that and the indications of that if the database were to be distributed and misused?

Ms Versey —I suppose we have raised the issue because I do not myself understand how it is going to impact on it, because the bill creates criminal offences and then provides Crown immunity. I have to confess that I am not clear how the two sit together, because there is no point creating criminal offences if the Crown has immunity from criminal prosecution. I am saying it needs to be explained how that works together and whether that renders the criminal offences provisions inoperable in relation to the Crown.

Ms Fisher —It also suggests that perhaps criminal law is not the only place you look to for breaches. Maybe civil redress should be worked into the bill.

Senator LUNDY —There was discussion at our previous hearings about compensation and some sort of repatriation. I want to take that issue a step further. We had a private company which has experience in the area of IT outsourcing. They self-identified as submitting a tender for the systems integration for this particular project. I asked them about the transference of liability to a contractor in that environment, and they were not able really to explain in detail and did not want to reference the tender documentation. Can you shed any light on the extent to which a contractor would be liable for such breaches, if in fact their contract said they should not do it? I guess my fear is that it would ultimately end up in litigation and the one with the deepest pockets would win. If you can shed some light on that transference of liability in the presence of a major contract governing the management of this data, that would be helpful to the committee.

Ms Versey —I think there are real concerns about contracted service providers. It probably needs to be expressly addressed in the legislation to ensure there is liability. The federal Privacy Act does provide for government not to be able to exclude liability on themselves if their contracted service providers breach the Privacy Act, as does the Victorian privacy act. That also provides that contracted service providers to government can be made directly liable through contract or the outsourcing agent remains liable for the contracted service providers’ actions. We have found great difficulties in that because, first of all, if the liability passes to the contractor you have to be able to demonstrate that there is an enforceable contract between the outsourcer and the contracted service provider, and that causes all sorts of problems. So my view is that, if you have a situation where there is a contracted service provider to government, then government should remain responsible for the actions of its contracted service providers. If it has a contract and can seek indemnity, then so be it, but the initial liability should remain with the outsourcer, and that should be expressed in the legislation.

Senator LUNDY —In the legislation?

Ms Versey —I think that it should be expressed the legislation.

Senator LUNDY —At the moment, it is not.

Ms Versey —It is silent, yes.

Senator LUNDY —It has been practice in the past for it to be a feature of the contract, but we are unable also at this stage to be able to view those aspects of the contract, so we have no way to test where liability resides. My final question is about interoperability. We heard at the hearing on Friday that in fact the government’s motivation for choosing the standard for the smartcard that they chose was its interoperability features. Do you have any knowledge of or can you identify anywhere in the act that specifies that the smartcard standard is such that it allows it to be interoperable with the existing databases of Centrelink, the Health Insurance Commission and other databases? Is there any technical information about it?

Ms Versey —I do not have the technical information. I can take the question on notice if you would like me to, because I cannot comment on that at this stage.

Senator LUNDY —I am not sure if the information is available. I am asking most witnesses to see if they can shed any light on it, because I presume it is a feature of the contract, but to me it is an essential tenet in what will constitute the scope and potential of this particular database.

Ms Fisher —The interoperability question goes a bit beyond the participating agencies’ data sets as well if you are looking at the customer controlled area and the potential for drivers licences to be brought on board. That is something I understand they are in discussion with Queensland about—to ensure that it is interoperable so that it can actually work in that way.

Senator LUNDY —So it is not just about the Commonwealth agencies.

Ms Fisher —I would expect that that would be part of the customer controlled area, but I do not have the information.

Senator LUNDY —And what about private sector functionality?

Ms Fisher —For the banks, clearly you need to get to an ATM to get emergency payments, so there must be some sense of interoperability to be able to use an ATM to access payments. So that is private sector.

Senator LUNDY —Okay. So where are we likely to get some of the answers to those questions?

Ms Fisher —I would suggest the Office of Access Card should have answers to that.

Senator LUNDY —Thank you very much.

CHAIR —Tomorrow afternoon, Senator Lundy, will be your opportunity to ask them.

Senator FIERRAVANTI-WELLS —Ms Fisher, taking you back to a comment you made, were you saying that if something has a photograph on it then that is it, it is an ID card, and you cannot see a circumstance where access cards could legitimately have photographs on them?

Ms Fisher —If the intent of the access card is to access benefits and services, and those benefits and services are by agencies who already have a reader which has a chip, the chip itself has the photograph on it. Why do you need it on the surface of the card unless it is to promote the convenient use of the card as an identity card? I have not received or read any information that suggests why it is not adequate to leave the photo on the chip and not on the card, aside from the ‘convenient form of ID’ argument.

Senator FIERRAVANTI-WELLS —Do you have some experience of what is happening overseas in this area?

Ms Fisher —In the UK?

Senator FIERRAVANTI-WELLS —Or in other countries.

Ms Fisher —We will probably take that on notice, but we do have discussions with other privacy commissioners in the region, including Hong Kong, who have an identity card in place, about the use of the Hong Kong card in the private sector and across other areas. I think Korea has briefed us about their use of their identity card.

Senator FIERRAVANTI-WELLS —My question is about access cards with photographs on them, not ID cards. You have made the distinction. I am asking you your experience with them. Clearly you have concerns about an access card with a photograph on it. I am asking you what your experience is and what your observations are in relation to other countries that have access cards with photographs on them as opposed to identity cards.

Ms Fisher —For me, one of the most powerful examples is in the UK where they initially started the identity card as an entitlement card, and by the end of it they called it an identity card because that is what it was. If there is additional information or questions you have, I would be—

Senator FIERRAVANTI-WELLS —So we should object to it simply because one jurisdiction particularly for its own set of circumstances—

Ms Fisher —I am just calling it what it is.

Senator FIERRAVANTI-WELLS —We are calling it an access card. It is an access card.

Ms Fisher —But you are saying it is not an identity card. I suppose it is for the government to decide: do we call it an identity card, because that is what it is on the face of it and that is what is being promoted?

Senator FIERRAVANTI-WELLS —It is an access card which requires a photograph on it. That is what it is.

Ms Fisher —The question remains for government.

Senator FIERRAVANTI-WELLS —It is the general hype that is calling it an identity card and that is portraying it as an identity card. That is not what the government is intending.

Ms Fisher —If parliament and the government do not want it to be an identity card, what harm is there in removing the photograph? That is the question that I think the Senate needs to debate.

Senator NETTLE —There are two areas of your submission that I want to ask you to expand on. On page 11, you talk about people giving their consent for their details or information for their access card. You talk about this idea of ‘coerced consent’. Could you expand a little bit more about how you envisage that that may work in relation to this card?

Ms Versey —Having worked in many areas of the law for a long time, I am conscious that consent is a very difficult area. The law talks about true consent being informed, voluntary, et cetera. But much consent actually is not really consent at all, and it gets more difficult the more vulnerable and the less educated people are. People assume that because a government body is asking them for something, it is required. I can give you an example. Every year or two years, Australia Post send out a massive survey asking for all sorts of personal information. It is completely voluntary; you are entering a competition if you fill it out. But I can assure you that every time it goes out, our inquiry lines are full of people who believe that it is compulsory because a government organisation has asked them for the information and they believe they have to fill it in. That is one example where, even though it is apparently completely by consent and voluntary, people do not understand that and believe that they are obliged to produce the information.

The other side of the coin is that you can coerce people into giving their consent through, say, benefits. For example, let’s say that the Queensland government wants to put its drivers licence onto your part of the card. Because they do not want to run two systems, it is much more convenient and financially viable for them to have it on your part of the card. But it is supposed to be your choice—you consent to whatever goes on that card. Then they make it financially beneficial for you to have your drivers licence on the card. They give you incentives to do it, or it becomes much more convenient to do it. So you can either produce your card as a form of identity, say, or you have this terrible and difficult process to go through to show your identity. Those are examples of what I mean by ‘coerced consent’. You may not be expressly asked or forced to do it—or even impliedly forced to do it—but the alternative may be too arduous, so it is much more convenient to do it, even if you do not particularly want to.

Senator NETTLE —When your office has received concerns from people—as, for instance, with the Australia Post example—who say, ‘We thought it was compulsory’, do the people who contact your office with those sorts of concerns fall into a particular category? For example, later today we are hearing from the Federation of Ethnic Communities Councils. I would imagine that that is one group of people. But I am wondering if it is specifically limited to people from non-English-speaking backgrounds, or is it across the board in the sorts of complaints that you get?

Ms Versey —To some extent it is across the board, but a lot of elderly people assume that anything that government asks for they have to do, even though it is by consent.

Senator NETTLE —Thank you. The other issue I wanted to ask you about is on page 3 of your submission. You give what I think is a very useful example for the committee, where the government has talked about ‘If you change your address you only need to inform one person.’ I am sure all of us have our own stories about circumstances where there are inaccuracies and errors. You highlight what I think is really an important point in terms of the implications of that. I do not know if you are in a position to answer this question, but I wanted to ask how frequently in your work you come across this type of scenario and the sorts of implications it has for people?

Ms Versey —It certainly arises from time to time where information gets plugged in, and it is not even in this sort of situation where there are a lot of agencies involved; sometimes it is purely that the wrong information gets sent off. One example is drivers licence information, which can now be changed online—the wrong information is put into the system and then suddenly a person is in WA driving around after their drivers licence has been cancelled because their reminder went off to the wrong address and they did not realise that they no longer had a drivers licence. Sometimes the wrong information somehow ends up in the wrong place even though the person is adamant that they have not changed their address. That is one example. We do get a lot of examples where wrong information gets put against the wrong person and then causes problems.

What I am saying is that, if the wrong information gets spread across a lot of participating agencies, that compounds the problem. Sometimes, again, there is safety in a person not just putting information into one place, because it compounds errors. That is often a problem. It is the problem with data sharing and data matching—if there is an error it gets compounded.

Senator STOTT DESPOJA —Are you willing to take a couple of written questions on notice?

Ms Versey —I am able to, yes.

Senator STOTT DESPOJA —On record, in your submission you refer to the current inadequacies in the Privacy Act. One of the arguments that has been put to us by the former minister and the government has been that the privacy protections currently in our laws will be adequate. I am specifically concerned about, in the case of a victim whose information is breached or accessed without their consent, firstly, whether or not they will be informed—and my understanding is that they cannot be under the current privacy laws—and, secondly, whether or not there is room for redress.

Ms Versey —Yes, we will do that on notice.

CHAIR —Ms Versey and Ms Fisher, thank you very much for your assistance this morning.

[10.03 am]