Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download PDFDownload PDF 

Previous Fragment    Next Fragment
STANDING COMMITTEE ON FINANCE AND PUBLIC ADMINISTRATION
06/03/2007
Human Services (Enhanced Service Delivery) Bill 2007

CHAIR —Ms Curtis, we welcome you and the other officers. Do you have an opening statement before I call for questions?

Ms Curtis —Yes, thank you, I would like to make an opening statement. Good afternoon. I thank the committee for the opportunity to appear. Today I intend to highlight major points from my office’s submission and to make a few general comments. I draw the attention of the committee to the fact that I have consistently made the argument that new technologies, including smartcard technology, are not inherently privacy invasive. Technology can be used in ways that are privacy invasive or privacy enhancing. Further, I recognise the potential of the access card system to deliver significant benefits to individuals. A well-conceived and well-designed smartcard system for the delivery of health and social welfare benefits should be able to enhance individuals’ privacy. The office understands that a smartcard can be configured to ensure that access to an individual’s information is limited to those who have a need to see that particular information. Further, a central point where an individual’s identity can be verified may assist in ensuring the accuracy of that information amongst the participating agencies. Finally, a smartcard has the potential to reduce the risk of identity fraud by handling personal information in a more secure way.

To achieve those benefits, my office favours a comprehensive privacy framework to handle the personal information of the great majority of the adult Australian population. A comprehensive privacy framework involves a matrix of measures, including the design of the system, technology, legislation and oversight mechanisms. Addressing all four elements of the framework will help to ensure the best possible privacy outcomes for such a large project. I believe that the access card project is moving forward on all four of these fronts.

This bill addresses the legislative element. I have called for and welcomed a legislative framework to underpin the access card and the systems that support it. I believe that the suggestions I have made in the submission would enhance privacy protections and would also inform the future tranches of legislation that are foreshadowed for the access card. In relation to the specific sections of the bill I make the following comments. Part 2 of the bill deals with registration for the access card. My submission focuses on the need to ensure that only information that is needed should be collected and stored on the register. In particular, I make the point that the access card, including its back-end systems such as the register, is intended to identify an individual to participate in health and welfare agencies. I believe that information that may be necessary for a particular agency to determine whether a benefit is payable to an individual should be kept in the individual’s record with that agency rather than attempting to establish a central point from which identity verification and eligibility for benefits and services can be determined.

Given that guiding principle of collecting only information that is necessary for the purposes of the access card rather than particular benefit eligibility and notwithstanding the arguments made in the DHS submission to this committee, I still consider that individual citizenship, sex or Indigenous status need not be stored on the register. Similarly, I consider that an individual’s residential address is unnecessary where the postal address is recorded in the register for the purpose of receiving relevant communications.

I also take the opportunity to mention that legislative provisions that go to the technological design of the system may prematurely preclude more privacy enhancing options. An example of such a decision is in item 14 of the table under clause 17 of the bill. This clause requires that the register include flags that indicate relationships with particular agencies. This appears to mean that each agency with which an individual has a relationship must be able to link the individual’s access card number and their local agency issued identifier. This creates a situation where more than one agency can hold a common government issued identifier for a single individual. The risk here is that the ease of matching those records may in the future increase the temptation to change existing restrictions on information sharing between agencies and thus the framework for large-scale data matching could be in place. The best way to ensure that this does not happen is to avoid creating a system that would make it easy to happen.

One way this could be achieved is by storing the existing agency issued identifiers on the chip with the access card so that when an individual docked their card at an agency it would recognise the agency identifier and there would be no need for the access card number to be stored by each agency. While this suggestion means that a number of different Commonwealth identifiers would be stored in the one place, the ability to translate an agency identifier to an access card number will not rest in any government-controlled database. The only place where the translation can happen is in the chip, which is within the control of the individual. The access card chip will need to be subject to security measures appropriate for storage of such information.

Turning now to the information displayed on the face of the card, I welcome the decision to allow an individual to choose their preferred name to be on the face of the card and the option for individuals to choose whether their date of birth is displayed. This facilitates individual control over the information displayed. My officers argue that the individual should also be able to choose whether their photo and their signature are displayed on the face. These measures would further enhance privacy. However, I acknowledge that the government has considered this issue, including competing demands, and put forward in this bill its decision on those matters. It is now imperative to ensure that the security of the whole system provides maximum possible protection around this information.

I would like to make a few comments on the ability for an individual to consent to the use of their access card number—

CHAIR —What about the number, Ms Curtis? Do you want that to appear on the card?

Ms Curtis —Sorry?

CHAIR —A number?

Ms Curtis —The number on the card is fine.

CHAIR —You have no problem with that?

Ms Curtis —No. We have accepted that in our submission. Clause 57(2) of the bill allows for the copying or recording of the access card number, photograph or signature with the written consent of the owner of the access card. However, I believe this may be inconsistent with the terms and policy intent of national privacy principle 7, which prohibits organisations from adopting, using or disclosing Commonwealth issued identifiers. Generally, as I have already indicated, providing individuals with control over their personal information is consistent with good privacy practice. However, a consent mechanism is unlikely to be appropriate for a government issued unique identifier that will be held by most of the adult population. This is already recognised in the requirements surrounding the use of a tax file number.

As more organisations or agencies collect, use and adopt the access card number, even with individuals’ consent, and as greater amounts of personal information become associated with that number, the risks to privacy increase. I am concerned that individuals may not always be aware of the potentially significant long-term privacy risks when they are asked for their consent, especially where they may be offered an immediate and tangible convenience. My office suggests that organisations should not be permitted to copy or record the access card number with or without the individual’s consent unless it is in accordance with the specific requirements of other legislation.

I am aware that the access card number is not a lifetime identifier; I understand that the number will change each time the card is reissued. However, I am not confident that this will eliminate the risks associated with the use of a single identifier across government agencies and private sector organisations, in some cases, for an extended period of time, and given that each new card number for a particular individual may be linked to the last.

 Finally, I look forward to seeing more detail on how further legislation will deal with matters not yet raised in the bill. In particular, my office’s submission sets out recommendations for statutory processes governing the introduction of future uses and on specific secrecy provisions that might appropriately be implemented to protect the information on the register and in the chip. The Department of Human Services submission indicates that subsequent legislation will address a number of matters—in part 2(4) of their submission—that will be informed by ongoing consultation by the department and the consumer and privacy task force. My office looks forward to working with both of those in addressing issues for the future tranches of legislation. I invite questions from the committee.

CHAIR —Thank you , Ms Curtis.

Senator LUNDY —Just going to the point you make in your opening statement about the technology being a key element of four elements, to what extent is the Privacy commission privy to the actual technology? We have had CSC before us, who have tendered and therefore cannot say too much. That is fair enough, given their circumstances. We have had great difficulty in getting any information about the architecture that will underpin the system. What knowledge do you have about the systems architecture that allows you to basically tick that off as an area that you think has been addressed adequately in the plans to date?

Ms Curtis —I will clarify what I said. I said we are moving forward on all four fronts, not that we have got the definitive answers in all four areas at this point in time.

Senator LUNDY —But you are not opposing the proposal at all? You are just going with it?

Ms Curtis —With a hundred billion dollars of government expenditure a year it is good public administration for us to look very carefully at the systems we have in place. The existing Medicare technology has been around for 23 years. It is appropriate to look for the best way we can protect people’s information and provide good services. However, it does require that you actually examine very carefully all aspects of the proposal. We have been very involved with the Department of Human Services and the Office of Access Card over a long period—in fact, going back to 2004, when the then Health Insurance Commission was looking at a smartcard. We have continuously been involved in the processes of providing advice. During 2005-06 and currently we have provided advice to a number of the working parties. To the extent that we are aware of the technology, members of my office are involved in some of the working parties that have been looking at it. I would ask Mr Solomon to comment on that.

Mr Solomon —We have been involved, as the commissioner says, in some of the working parties. We understand the basic parameters of the architecture of the scheme. We have had access to the tender documents prior to their finalisation but under strict security regime to just view those. We have some knowledge and concept of how this scheme is being constructed. I do not think I am at liberty to disclose that to the committee; it is a matter for the department.

Senator LUNDY —The same brick wall we hit last time. It is a real problem for the committee, because so many of the questions go to how this will be built and what the permissions are between the different layers of people who are reading the cards, the database and so forth. Without that information—and I appreciate it is probably not your place to give it; it would be the department’s—it is very difficult for the committee to make a determination on whether privacy will be protected or whether it will be secure enough. That is something that we will pursue with the department this afternoon.

I have one specific question, however: in our questioning to CFC last Friday at the hearings in Sydney I asked whether they were aware if the metadata standards—that is, the information addressing system within the databases—of the registration database would be the same as the metadata standards on the existing databases or at least one thereof, for example, Centrelink or HIC. Are you able to answer that question? Their response was that that was as yet unresolved. We will test that with the department. Do you have any additional information, given it is such a key issue with respect to the design of the system, as you say, Ms Curtis, and the potential for it to be used for extensive data matching in the future?

Ms Curtis —That is a technical question that I think you will have to address to the Department of Human Services.

Senator LUNDY —But would you agree that it is absolutely critical in terms of the potential for this system to be expanded into looking at data matching? Is that not the sort of thing that you have expressed that you are afraid of, if that were the case?

Ms Curtis —I cannot answer a question about the metadata. I am not sure whether my colleagues can answer questions on their technical application. But ideally you would have all pieces of legislation before the committee at the moment, which would help to make these assessments easier for you.

Senator LUNDY —You mentioned that you anticipate another piece of legislation. What is your understanding of what is going to be in that subsequent piece of legislation?

Ms Curtis —I think part 2(4) of the Human Services submission identified a whole page of dot points, from my recollection. It will be addressing more of the privacy protections and security and more information about the chip and about the back-end system.

Senator LUNDY —So all of the questions that go to the design of and therefore the potential for this technology to be abused or not abused are not contained in the current bill, anyway?

Ms Curtis —No. The first bill really addresses the registration and the card, and establishing the fact that the card exists.

Senator LUNDY —Does the privacy commission have a problem with that, given that essentially puts all of your key points in abeyance until we see the second bill?

Ms Curtis —This process has been going on for a long time. We have been making those points. I think the Department of Human Services has tried to accommodate many of our suggestions. I think it is a construct of the process they are going through; it means that things are being dealt with in chunks or sequentially.

Senator LUNDY —Divide and conquer is one way of looking at it. I would like to go to your point about the storage of the number—the unique identifier—on the chip itself as opposed to within the database. How could that be given expression in the current bill, given the design of the system is foreshadowed for the next bill? How could we give effect if we were of the mind to amend the current bill to pursue that suggestion?

Mr Solomon —The issue for us is that the current bill actually cuts off a potential option by indicating that there will be a flag, and that seems to indicate the design. So that is what we have raised—that that may have cut off that potential option. It is not what could be put in the bill but the fact that that is in the bill and cuts off an option.

Senator LUNDY —That is the point you were making about the technologically specific aspects of the bill that preclude that particular privacy enhancement?

Ms Curtis —That is correct.

Senator LUNDY —You have made a specific suggestion of amending a clause of the bill, in your submission, to fix that particular problem?

Mr Solomon —We have not indicated what to do about that specifically in terms of what words to take out. We have just indicated some issues.

Senator LUNDY —Which clause is it?

Ms Curtis —I think it is section 17, clause 14, from memory.

Mr Solomon —It is one of the items that is indicated on the register.

Senator LUNDY —Can you describe in more detail how you would envisage that proposal working, given the limited knowledge about the systems architecture to date?

Mr Solomon —It is about how the system recognises the agencies that you have a relationship with. The concept we are raising is that that information could be on the chip and, therefore, the chip itself would recognise the relationship and tell the agency that you were docking the card with who you were by reference to their particular identifier—Centrelink’s identifier, Medicare’s identifier and so forth. The agency would then not need to have the access card number itself in its systems. That is the overarching purpose of our proposal. In terms of technical detail, we do not have the expertise or the skill to put forward how to do that in a technical way. We are just putting forward the policy proposal.

Senator LUNDY —The obvious technical question that flows from that is: how would you get that information onto the chip and would there still be a database there that would administer, if you like, the distribution of the cards and that initial information being placed on the chip? Okay, we will not go there. I do not know; I am just speculating on what the technological implications would be and whether that system would still require a central database to be administered by Human Services.

Mr Solomon —There are a lot of issues about how it would actually occur. It is partly about how long you keep information in particular systems as well. At the moment the register keeps permanently the flags against which agencies you have a relationship with. There may be ways of building that system so that that information is only temporarily held that connects the information until it gets onto the chip. There is other information that will only be temporarily held in the register until it gets onto the chip, as the department has discussed and is included in the bill. Similarly, it could be just a temporary measure; it is not held permanently on the register before it gets into the chip.

Senator LUNDY —We will explore that one with Human Services. Thank you. I also have some questions about the powers and resources of the privacy commission. I remember years ago asking the same kinds of questions. I know that the Privacy Commissioner is not well resourced, particularly for proactive activities and the pursuit of complaints right through to taking action. There is a pretty serious hierarchy in terms of what qualifies for taking action and what does not. Has it been foreshadowed or have you been provided with additional resources not just to participate in what has been an extensive long-term consultation exercise, no doubt requiring a lot of research and effort, but also in terms of your role that has been flagged in representing the interests of citizens who, for whatever reason, may feel their privacy has been breached because of a misuse of the access card?

Ms Curtis —On a general note, in the federal budget last year we received extra funding. Essentially the office now has a budget of about $8 million a year, whereas previously—as little as two or three years ago—it was about $4 million. We have received extra funding for particular purposes: to help business with understanding their obligations under the act; to improve our compliance handling processes; and, finally, to provide policy advice to government—three general areas.

We also have developed a memorandum of understanding with the Department of Human Services in recognition of the significant resources that my office has been putting into the project. We have a number of MOUs with other departments and agencies as well. We have a work plan and we commit to doing certain things; it in no way fetters independence. It is couched in terms of our providing advice but it does not prevent us from making comments that may be at odds with what they may be most interested in.

Senator LUNDY —At odds with the advice?

Ms Curtis —They may not like what we say and we may not like what they do. But it is a serious attempt to understand that it does have an impact on a small agency.

Senator LUNDY —How is that MOU with Human Services constructed and what does it involve?

Ms Curtis —It is over a four-year period. There is $375,000 a year in funding. We commit to meet regularly and also to provide a report on the activities that we have agreed under our work plan.

Senator LUNDY —Is that $375,000 per annum out of the Human Services budget?

Ms Curtis —Yes.

Senator LUNDY —So they give the privacy commission money to perform certain tasks?

Ms Curtis —Yes. This is in its first year, effective from 1 July last year.

Senator LUNDY —What do you spend that money on, specifically?

Ms Curtis —Essentially, on staff and providing advice. I might ask Mr Pilgrim to give the detail.

Mr Pilgrim —At the moment, that money is being particularly focused on providing for additional staff in our policy area to allow us to undertake research so that we can provide various advice on possible implications of the access card in terms of its working with the Privacy Act. Down the track, it will also provide us with the opportunity to perhaps do some work on assessing some of the systems and the information transfers that may occur with the access card. So there will be a couple of phases in how we expend that money.

Senator LUNDY —Will it be forthcoming once it is in place and people start making complaints? Will they still give you money then?

Ms Curtis —We have a four-year agreement at this point in time. I assume that it will stay in place for four years and, if there is a need for it to continue, for us to give advice, the agreement could be renegotiated.

Senator LUNDY —I suppose it depends on how much trouble you are causing.

In terms of assessing the systems that you mentioned, I go back to the question about the issue of the tender documentation. At what point will you get access to the contracts and be able to do an assessment on the privacy protections in the contract, given that many of the services and systems integration will be done by a contractor, not public servants?

Mr Solomon —I am not sure exactly when we would be given access to the contract. I could not tell you the answer to that at this stage. But, as I have said before, we have had access to documentation under strict security controls prior to the tender being released. So I would presume that, at a future time, once the contract has been put in place, unless the department have some reason why we should not be able to see it, to give them some advice in that area, then we probably would get access at that time.

Senator LUNDY —Going to the issue of pursuing complaints: are you confident that, under the current budget—and I presume this $8 million is ongoing—and with the anticipated removal of the additional $375,000 after the four-year period, you will have the resources necessary to adequately represent citizens who are aggrieved or allege a breach of privacy?

Ms Curtis —Currently, we receive only about 130 complaints against the Commonwealth government in total, including against Centrelink and Medicare. Given all the transactions, that is a relatively small number of complaints. Those agencies handle privacy complaints before they would come to us. I would envisage that there may be an increase in complaints, but I would expect that our resources would be appropriate to deal with it. But if that were not to be the case, we would obviously make a case to government for extra funding.

Senator LUNDY —That is all I have.

CHAIR —I have a few questions. I will be as direct and as quick as I can. One of the big issues that we have encountered over the last two and a half days of hearings has been much concern about the discretionary power of the minister and the secretary. I notice, in paragraphs 24 and 35 of your submission, you argue that the bill could usefully promote community confidence by including a general provision that these powers be exercised in consultation with the Privacy Commissioner—that is, the discretionary powers of the minister and the secretary. Do you have examples where that has worked in the past?

Ms Curtis —In our submission we make reference to the spent conviction scheme.

CHAIR —Can you expand on that?

Ms Curtis —It works quite well.

CHAIR —It has worked quite well?

Ms Curtis —Yes. We probably only receive a request once a year or twice a year. I think I have probably done three requests since I have been commissioner, which is 2½ years. But as a system that appears to have worked quite well.

Mr Pilgrim —The system has worked quite well. We are required to provide advice to the minister in those circumstances about our views on the appropriateness or otherwise of someone seeking exclusion from the spent conviction scheme. Our experience has been that our comments are carefully considered. Again, there may not always be agreement, but I think the process has worked well from our perspective and that our views have been taken on board.

CHAIR —How about in relation to the discretion of secretaries or public servants operating in that context as well?

Mr Pilgrim —From my experience, I do not believe that we have operated in that circumstance, where it has been a discretionary power on the part of the secretary or other public servants.

CHAIR —Is there any reason why you could not?

Ms Curtis —I do not believe so.

CHAIR —There has been a lot of concern expressed about the powers of the secretary under this legislation. I am sure you are aware of them; you point to them. Some people have made the case that they are the sorts of powers that, in general, parliament has some oversight over. But in this case, of course, they do not because it is not a legislative instrument; it is not subject to oversight by parliament. Are we looking at a mechanism to somehow ensure that the public, to use your words, can have confidence in this process? The committee thanks you for your suggestion, and we will look at it.

Secondly, just taking one example—and Senator Stott Despoja raised this issue before with another witness—clause 17(12) concerns proof of identity documents. You argue—and I think Professor Fels does also—that you oppose the scanning, copying and keeping on file of proof of identity documents once verified. In other words, it is okay to copy them, but once they are verified they should be destroyed. Do you hold to that view?

Ms Curtis —We hold to that view. A general principle of privacy law is that you collect information for a particular purpose and, once that purpose is no longer required, you delete your information unless there is a reason to keep it. We would suggest that, once verification has occurred, there should be no need to actually keep those scanned documents.

CHAIR —Again, my colleagues raised this morning the criminal offences under proposed sections 45 and 46. You argue that there should also be included some civil remedies, and again this has been touched on by other witnesses over the past couple of days. I suspect Senator Nettle is going to ask this question, so I will take it from her: do you see any problems with sections 45 and 46 working in practice?

Ms Curtis —I think in our submission we referred to the fact it is difficult to prove criminal—

CHAIR —Problems of proof.

Ms Curtis —The burden of proof would be harder. I think it goes almost to the heart of this bill in that it is clear that the access card should be used only for a specific purpose and have a number of objectives. In that sense, anything that took it further than an access card would be at complete odds with the bill and therefore it would be appropriate to have offences with high sanctions.

CHAIR —I understand that in the sense that, as you say, it goes to the core of the bill, and it is almost a matter of principle. I think the committee accepts that. But the problem is that we have had much evidence that it just will not work in practice.

Ms Curtis —In our submission we also raised the idea about civil penalties.

CHAIR —That is right; that is what I mentioned this before. I asked that.

Ms Curtis —Yes.

CHAIR —That is why the committee is interested. Do you think perhaps we should use civil remedies to buttress the potentially less utilitarian criminal offences?

Ms Curtis —Yes. We have proposed that the tax file numbers may provide another useful model. Again, individuals may seek a remedy under the Privacy Commissioner’s tax file number guidelines. Also, then you can do something under the Taxation Administration Act as well.

CHAIR —We will look at that. We heard a lot of evidence about those criminal offences and I just wanted to get your views on the civil remedies. Finally—and you touched on this and I rudely interrupted you, Ms Curtis, in your opening statement—I want to ask about the information on the card. The government has said repeatedly in the explanatory memoranda, in other material, in parliament and in press releases that this bill is about facilitating access to welfare and fighting fraud. They are the two principal objects of this legislation. Some people have put to us that we can stop in its tracks any likelihood of this becoming a national ID card simply by taking the signature, the number and potentially even the photograph off the card. I am not saying it solves all the problems, but it would certainly kill fairly instantly the idea of a card being used as an identity card, because people would not be asking for it, would they? All it would have is your name on it, potentially. What do you say to that?

Ms Curtis —I think we wrote about 20 paragraphs on that in our original submission to the Fels task force last August. We recognise that some individuals actually want that option of having a photo on the front. So our preferred position was to give people the choice.

CHAIR —Of whether they want a photo?

Ms Curtis —Of whether or not they want a photo.

CHAIR —That is your preferred position? I want to hear your preferred position, not—

Ms Curtis —No, my preferred position would be that it not be compulsory to have a photo, but to give people the choice to have a photo if they so desired. So it would be of use to those people who do not have other forms of photo ID—those who do not have a drivers licence, for instance.

CHAIR —We do not want to get to the stage where we are creating the architecture of this scheme just because some people need a form of ID. It is different if some people choose to have a photo on it; that is a different issue. Some people have tended to argue that we need this entire scheme because some people need a form of identification. It does not wash with me that we need to have this entire artifice just because some people need another form of ID. That is not going to be good enough. We need to do a bit better than that. Do you see the number being required on the card?

Ms Curtis —We have said that it is okay to have the number on the card.

CHAIR —In the same way the Medicare number is on the card?

Ms Curtis —That is correct.

CHAIR —Once again, though, with the reservations that it should not be copied and so forth that you made before. What about the digitalised signature?

Ms Curtis —We have expressed concerns about why the digitised signature is needed as well.

CHAIR —In summary, a photo is optional; the number should be on the surface of the card and no digitalised signature?

Ms Curtis —That is correct.

CHAIR —Thank you very much.

Senator STOTT DESPOJA —The chair’s summary deals with the face of the card. But looking at your comprehensive submission, there are a lot of problems with the legislation that we have before us. Ms Curtis, as the guardian of privacy in this nation—the head honcho, top banana or whatever when it comes to privacy protection in this land—as a citizen I am looking to you and asking should this legislation be passed in its current form? Is this a sufficient danger and threat to privacy protection in Australia as it currently stands? Based on your submission, that is the impression I get.

Ms Curtis —Our submission addresses the bill. This bill is the first tranche of legislation. The system that is proposed for the access card is more than just this bill. I think it would be ideal if we had the whole system to look at at the moment. We do not. We have this bill, which is establishing a few key elements. Our role is to protect and promote privacy in Australia. Our legislation is couched in terms where privacy is not an absolute right; we need to look at a variety of issues when we are determining where the balance may lie. We need to have free flow of information. Businesses need the right to operate. We need to protect the privacy of individuals.

We have examined this proposal in its various iterations for over three years. Inherently, it is not a bad thing to improve our delivery of social services. As we have said in our submission, we think there are a lot of benefits that will accrue to Australian citizens. What is important is that we ensure as we implement the system that we have those four elements there, that we get the technology right, we have the appropriate oversight mechanisms, we have legislation in place and it is designed appropriately. This bill is a first step in getting all of those things in place.

Senator STOTT DESPOJA —Is this an acceptable first step? With all those qualifications and agreeing with you on all those bases in terms of improved service delivery and the issues and criteria to be taken into account, and acknowledging your ideal that a second tranche of legislation should be in place, as the Privacy Commissioner, when you look at this legislation and the possibility that it will be rammed through in two weeks time with a truncated, running-late committee process—we do not even have a minister—are you prepared to go on record and say that this should not be passed without the second tranche of legislation that actually deals with the issue of privacy protection? This is where we are at, and I do not mean to reflect my frustrations on you. I think it has become evident to members of the public, agencies and my colleagues—many of whom were aware of this—that there are privacy loopholes in here that will have huge ramifications for your job, your work and the people of Australia. Would you recommend that this not be passed until we have dealt with the second lot?

Ms Curtis —The second tranche of legislation will address all of those protections.

Senator STOTT DESPOJA —Will it?

Ms Curtis —It is foreshadowed that it will. It is clearly stated in the explanatory memo and the DHS submission. Ideally, it would be best to have the other pieces of legislation, but they are not here. I would say, with some suggestions, that this piece of legislation is needed to be able to move forward.

Senator STOTT DESPOJA —Mr Pilgrim, do you have a view?

Mr Pilgrim —No, I think the commissioner has covered that, thank you.

Senator STOTT DESPOJA —What was your level of involvement in the privacy impact assessment?

Ms Curtis —That is going back to the end of 2005 and early 2006—is that right?

Senator STOTT DESPOJA —Yes.

Ms Curtis —We were involved to the extent that we helped prepare the terms of reference—correct me if I am wrong—for the successful consultants, and we looked at the draft and then at the final PIA.

Senator STOTT DESPOJA —So you have seen the privacy impact assessment. I am trying to get my hands on one of those. The document verification service—DVS—has been delayed until 2010, as we have heard today.

CHAIR —It will have full operability then.

Senator STOTT DESPOJA —It will not have full operability until 2010, thank you. In your mind, does that have any implications for the successful operation of the access card and the protection of it? Is that something that concerns the office?

Ms Curtis —The DVS’s great asset is the fact that it is just a verification point, a yes/no. It actually is not creating any extra databases or any further information. It is the ideal way for people in Australia who have been here a long time and have a footprint here to have their information verified. Ideally, again, it will be operational as soon as possible to make the registration process simpler.

Senator STOTT DESPOJA —Going back to the issue of the second tranche of legislation, would one possibility be amending 33(a), the clause that deals with the space on the card—in particular that deals with the individual’s space as opposed to the Commonwealth information on the card—and deleting it? Would that go some way towards preventing what I feel is a blank cheque at the moment in terms of the Commonwealth’s area of the chip? Clause 33(a) states:

The information in the chip in your access card consists of 2 parts:

(a) information in your area of the chip ...

That is the line that is not accompanied with any specifics. Would you find it acceptable if that was deleted and maybe dealt with when the criteria to deal with it are actually introduced?

Ms Curtis —I think in principle it is ideal to have ‘information in your area of the chip should be permissible.’ I think if you deleted 33(a), we would not be allowing for a system to be designed that would have a chip that had an individual part.

Senator STOTT DESPOJA —I am not suggesting you could not amend the legislation at another time. What I am saying is that, for now, while there is no final list of things that may actually be on the card—there is no final decision; in fact, no decisions have been made—would it not make sense to postpone dealing with that element because it is so open-ended?

Ms Curtis —I do not know whether my colleagues have any particular views, but—

Mr Solomon —We did not address this issue within our submission to the committee. I think it is just a part of the framework that the bill sets out for the card, the chip and the register. I do not think we would have a view that that should be deleted from the bill at this stage, considering there are going to be further changes to the legislation to address the privacy issues in relation to all aspects of the chip and the register.

Senator STOTT DESPOJA —We have referred a number of times to clause 17, obviously mostly in relation to Senator Lundy’s question, and I know that you have gone through it in some detail in your submission. Similar to you, I am curious about item 16 in clause 17, which is the one dealing with death; the fact that, if you die, the date of your death is placed on the register. You have queried as to why it would need to be on the register, understanding, of course, that it would need to be passed on to agencies. I am curious as to whether you have been given any idea from government or whether you have a notion of how long personal information would exist on the register after death?

Ms Curtis —I cannot answer that detail.

Mr Solomon —My understanding is that the department is still looking at that issue; that it has not made a final determination on how long information will stay on the register after death. I think that in their submission to this committee they mentioned that issue.

Senator STOTT DESPOJA —Is that of concern to you, that a decision has not been made on that, and that relates directly to not just storage of information but storage of information when we are not even on this mortal coil?

Ms Curtis —I think that further consideration is going to be given to it and I think even the Fels task force may be looking at that as well. It is one of the issues associated with its registration discussion paper which will be coming out shortly, I understand.

Mr Solomon —The department is looking at it in the context of the Archives Act and other Commonwealth requirements.

Senator STOTT DESPOJA —Are you happy to take questions on notice? The Privacy Act, as you well know, is under review by the ALRC at the moment. What are the implications of that, if any, for this process? Do you think the access card will be affected by the changes to, if there are any, or the recommendations of the ALRC in relation to the Privacy Act and its loopholes or adequacy or otherwise?

Ms Curtis —I do not think so, because the ALRC will be reporting in March 2008, and often they have extensions and then government responses usually take some time. I would be surprised if we did not have a response until 2009 on that—in two and a half years

Senator STOTT DESPOJA —Genetic privacy probably gives us a good example. How should we deal with or protect information that travels off shore? Do you have a view on that?

Ms Curtis —In relation to the access card?

Senator STOTT DESPOJA —Yes.

Ms Curtis —NPP 9, National Privacy Principle 9, covers the way the private sector transfers information overseas. We have suggested in our submission to the Australian Law Reform Commission that a similar provision should also be in place for government departments and agencies for any information that is transferred overseas.

Senator STOTT DESPOJA —Speaking of the Privacy Act, Senator Nettle was hoping I would ask about this on her behalf. I think this is something we are all interested in. You may have heard the evidence today from ASIO and AFP in relation to their access to the register and potentially information on the chip. Do you have a view about the notion of warrantless access to information and in what circumstances that should or should not happen? We just want to clarify that they are exempt when it comes to law enforcement.

Ms Curtis —The privacy principles are broad based principles. Again, it was a recognition that there needed to be a balance, and it was appropriate to have access for law enforcement agencies in particular for certain circumstances. Currently—

CHAIR —Would you like this taken on notice or do you want an answer given now?

Senator STOTT DESPOJA —Yes, if that is okay.

Ms Curtis —Principle 11 allows disclosure in certain circumstances. Currently, principle 11 operates quite well with the law enforcement community. There is a suggestion that I would make to the committee. At the moment, DFAT provides access to law enforcement agencies to the biometric photo database in certain circumstances, and we understand that the system works quite well. You might like to look at that as a model for the way access could be provided to law enforcement agencies to the photographic database that is proposed under the access card.

Senator STOTT DESPOJA —Are there any exemptions or loopholes in the Privacy Act that currently concern you in relation to the construction of this access card? One obvious one is the issue of authorised and unauthorised access specifically when it means people are or are not informed about the fact that their information has been accessed in some way or they have had their privacy breached. I know you have brought up the issue of civil redress. I am happy for you to take it on notice too.

Ms Curtis —The Australian Law Reform Commission’s submission suggests that consideration should be given to some sort of mandatory reporting of breaches—not absolutely every breach—and we need to come up with some threshold. We have asked the ALRC to examine that.

Senator STOTT DESPOJA —Do you think that should be the case with the access card if information is accessed inappropriately or it is accessed without—

Ms Curtis —It should be dealt with appropriately under either the Privacy Act or any specific secrecy provisions that they then put in place. Mandatory reporting of it I think should be done in the context of what is worked out ultimately for the Privacy Act. Mandatory reporting is relatively new. It is not easy to actually say what the best method is. We need to think very carefully about how we construct mandatory reporting.

Senator STOTT DESPOJA —While you are thinking carefully about it, do you have a view on the access card in terms of an appropriate threshold or level? As you say, it would be best worked through the Privacy Act. The problem is that the Privacy Act does not cover an issue at the moment in relation to, say, an agency employee who inappropriately accesses or browses and breaches someone’s privacy. At what point should an individual, given that they do not know they have been affected, be informed and what kind of threshold should there be? I would presume that everyone should be informed, but you are saying that there is a bit of a delicate balance or that a debate needs to take place?

Ms Curtis —A one-off browsing, inappropriate look or a mistake in bringing up the wrong records in some way is very different from something that was deliberate and involved using the information or disclosing it—somewhere in between.

Mr Pilgrim —We could take the example of a tax file number. If a tax file number is in some way compromised, the tax office will make attempts to contact the individual to offer them the opportunity to have that number changed and get a new number. That just adds to the level of where the threshold should be—where the number is compromised and it may impact on the individual’s ability to continue to carry on business using that number or, in this case, that card. There may be a threshold test along those lines as well.

Senator STOTT DESPOJA —Thank you for that example. I would be curious to see how this debate goes on and whether it is picked up by government in terms of potential changes to the legislation, particularly in the second tranche. I might put my data matching questions on notice. Section 17(17)(a) talks about such other technical or administrative information that can be added to the register by the secretary. Does that mean audit logs and serial numbers, for example? You may have covered some of this in Senator Lundy’s questions in relation to clause 17(14). Is there a possibility that some of these numbers might become de facto unique identifiers? I am to put a more specific question on notice, but do you have any concerns about that clause and in particular the powers of the secretary?

Ms Curtis —In paragraphs 21 to 23 of our submission we might have addressed that issue.

Senator STOTT DESPOJA —You have talked also about the fact that it is unclear in terms of the effect it would have in limiting the secretary’s ability. Are you concerned by the broad-ranging—

Ms Curtis —It is uncertain, so we are suggesting greater clarity and transparency.

Senator STOTT DESPOJA —I will ask the department about that. I turn to linkages in relation to the agencies’ databases, which you might have heard us ask about this morning with the Attorney-General’s Department. Obviously, it is not expressly prohibited in the legislation that there be linkage of information held on agencies’ databases. Would you recommend an amendment that expressly prohibited that?

Ms Curtis —Our understanding is that it was not the intention to have any linkage between the agency databases whatsoever.

Senator STOTT DESPOJA —I think the Attorney-General’s Department confirmed that. I am not suggesting that there is a motive to link databases. I am just wondering if we should put an added protection in the legislation to ensure it does not happen.

Ms Curtis —It is not there at the moment, but I would suggest that consideration should be given to putting in an express prohibition.

Senator STOTT DESPOJA —I know that is the view, I think, of the acting Victorian Privacy Commissioner, from whom we heard yesterday, but I just wanted to check whether there were any views on that. In terms of a role for—

Mr Pilgrim —In terms of whether or not there should be a prohibition, I think what the commissioner is saying is that we think it could warrant further assessment about whether or not the prohibition should occur. However, I think it could be done in such a way that should allow possibly for recognition that there may be some good reasons in some cases for data linkage to occur—for assessment of trends, analysis, research, and those sorts of areas. It could be done in such a way that we already see under, say, the data matching laws that exist already.

Senator STOTT DESPOJA —Yes.

Mr Pilgrim —While there might be a prohibition, there could also be a potential for some exemptions to allow it to happen in certain specified or prescribed circumstances.

Senator STOTT DESPOJA —Indeed. You could always have the explicit provision and exceptions—

Mr Pilgrim —Yes.

Senator STOTT DESPOJA —as opposed to it being somewhat open-ended. We have heard from witnesses who have said there may be a role for a public interest monitor, a privacy commissioner or a third party to oversee what is happening with the legislation or, indeed, the upkeep of the register, for lack of a better term. Do you have a view on whether a public interest monitor or other such—

Ms Curtis —I do not have a specific view on a public interest monitor at this stage, but we have always said that there need to be appropriate oversight mechanisms, and that will be the subject of the next tranche of legislation or the one after.

Mr Pilgrim —Building on that, the Privacy Commissioner does have some statutory functions under section 27 of the act, firstly, to provide on her own volition comments on the development of legislation and government policy. Further to that, down the path of, say, when a system such as this is in place, we also have an auditing power; we could audit the use of personal information in a system such as this.

Senator STOTT DESPOJA —You bet—I am aware of that section and I am hoping it is going to be used. Thank you. I will put further questions on notice.

CHAIR —I have a couple of questions following on from the senators’ questioning. In relation to the Privacy Act and how that protects information relating to the access card, the development of the register and the development of the photographic database, are you satisfied that the Privacy Act offers sufficient protection?

Ms Curtis —We have also called for specific secrecy provisions to be included in the next tranche of legislation to cover access to the information on the register—

CHAIR —And the photographic database?

Ms Curtis —And the photographic database, the chip and the register—the whole system.

CHAIR —You are not satisfied that the Privacy Act at the moment offers sufficient protection?

Ms Curtis —I think such a large-scale project would be enhanced by having extra provisions. That is consistent with other views as well.

CHAIR —What will those provisions be?

Ms Curtis —Quite a number of departments and agencies in the enabling legislation have secrecy provisions. There are 140-odd secrecy provisions in various pieces of Commonwealth legislation. It would cover the way information could be accessed, used and it would also cover penalties and sanctions.

CHAIR —Are you happy for ASIO to have access to the photographic database without a warrant?

Ms Curtis —As Mr O’Sullivan said, I think it would depend on the circumstances. In some circumstances he would require a warrant.

CHAIR —And in others he would not?

Ms Curtis —That is correct. At the moment, the system does not require that he have a warrant in some—

CHAIR —This is the creation of a very large, powerful, national database, and he would have access to that without a warrant. Does that not concern you as Privacy Commissioner?

Ms Curtis —Law enforcement and Australian intelligence agencies are exempt from the operation of the Privacy Act. Those six agencies have in place their own privacy guidelines, which are quite similar to the Privacy Act.

CHAIR —That does not answer my question. There is this argument that the information is there. The fact is that this is bringing information from all around the country into one database. It is not necessarily new information at one level; Mr O’Sullivan cleverly said that. But, in fact, it is making it far, far more accessible to a law enforcement agency. Are you not concerned that ASIO without a warrant would have access to that register and to the photographic database, which has a biometric function that makes it useable in all sorts of circumstances? As Privacy Commissioner, does that not worry you?

Ms Curtis —We try to look at all of the issues that are put before us and try to weigh them in a balanced way and come up with a position. Currently the parliament has decided that the law enforcement agencies and Australian intelligence community agencies are exempt from the operation of the Privacy Act.

CHAIR —Sure, but we rely on advice from people like you to say that this is a very powerful database and perhaps there should be new protections.

Ms Curtis —That could be considered as part of the next bill, in the next tranche of legislation.

CHAIR —I look forward to seeing that. This is a very serious issue of warrantless searches through a biometric photographic database and the national register by ASIO. It is fine so long as the matter is considered rather than it being allowed just because, ‘Oh, well, the Privacy Act makes exceptions for law enforcement agencies.’ That is what I do not like. I have no problem if it is a considered issue; if parliament sits down and considers it specifically. That is one thing. Let us not just let it slip through to the keeper and think, ‘Oh, gee, we gave that away five years ago.’ That is my problem.

Ms Curtis —We would welcome consideration of those issues.

CHAIR —We look forward to your comments on that. Back to the number on the card, you said that you do not have a problem with a unique personal identifier being on the card. Why don’t you have a problem with that? Welfare services will not be paid out unless a card is entered into a reader. Certainly the number can be on the chip, but why does it need to be on the card surface at all?

Mr Solomon —The existing Medicare card has the Medicare number on the face of the card. The department has argued that it is important for the card number to be on the face of the card for those vulnerable people who want to access the department through the telephone, and apparently there are quite a lot accessing Centrelink, Medicare and so on through the telephone. In order for people to be able to identify who they are talking to, the card number is something people would be able to give as part of the way of identifying who they are.

CHAIR —Would that not make it less secure? I could just take Senator Fifield’s card and read out his number over the phone. If that is the identification, they might just give me all of the details about Senator Fifield.

Mr Solomon —That is not the only identification that would be asked for, but it is of assistance to people who are elderly and so on, who may not easily remember the number themselves to have it on the card. It just assists that process.

CHAIR —You mean like credit cards over the phone; about as safe as that?

Mr Solomon —I think the office’s position is that there needs to be something on the card. You cannot just have a card with nothing on it.

CHAIR —You could have your name.

Mr Solomon —We have taken the position—

CHAIR —You could have ‘Mr Andrew Solomon’; what is wrong with that?

Mr Solomon —We have taken the position that, if the photograph, signature and date of birth are by choice those are good privacy enhancing features. We have not taken a position on the actual card number.

CHAIR —You have not justified yourself very well, with the greatest of respect. You tell me what you want. The parliament is here to listen to what you think is desirable. If you think privacy would be further enhanced by getting rid of the number, you tell the committee that.

Ms Curtis —I think Mr Solomon just said it would not be.

CHAIR —It would not be. If that is your evidence, that is fine. So you do not think that privacy would be enhanced? You are not concerned about card numbers falling into other people’s hands and so on?

Mr Solomon —There are provisions in the act already going to the copying of the number and the use of the number. The government is looking to protect the number from misuse in the community.

CHAIR —You say:

In particular, the Office notes the importance of ensuring that the Bill does not establish a legislative framework, whether intentionally or otherwise, that relies on or assumes the existence of a unique personal identifier ...

You are putting that unique personal identifier on the front of the card. Are you not making it easier to do exactly what you say you do not want to happen?

Mr Solomon —As I have said, there are provisions in the bill around the use of the number.

CHAIR —Why make the number so readily available? Why put the temptation out there?

Ms Curtis —I think the representatives from the Veterans’ Affairs Department would be able to argue strongly for one reason why they would like the number on the face of the card, which is to help veterans. Veterans have apparently indicated they think it is highly desirable and it is the way they operate. They use that number.

CHAIR —They may, and there might be an option to put the number on. I do not have any problem with that. That is a different issue. I think I mentioned right at the beginning of our questioning that you cannot argue that, just because some people might find it a convenient form of ID, we should create this entire architecture. That is not an answer, is it? No. Are there any further questions of the Privacy Commissioner?

Senator FORSHAW —Were you here when I asked some questions and had a discussion with the Attorney-General’s representatives about the use of the card in circumstances such as people wanting to get a concession? The provisions in the bill are in clauses 45 and 46. The explanatory memorandum states:

For example, some service providers provide some of their services at discounted rates to pensioners or to persons who are entitled to particular kinds of Commonwealth concessions. Subparagraph 46(1)(d)(i) is intended to ensure that these service providers can continue to provide these discounted rates to persons who are entitled to the relevant concession. Accordingly, it will not be an offence for a provider to refuse to provide a service at a discounted rate if a person refuses to produce his or her card to verify that they are entitled to the relevant concession.

Clauses 46 and 45 are similar. Do you have a clear understanding of where the limits are in regard to the operations of that exemption, if you like?

Ms Curtis —I think that is a question for the Department of Human Services.

Senator FORSHAW —I know it is a question for the Department of Human Services. That is what the Attorney-General’s department told me. But it is also a question, in my view, for most people who are appearing today.

Ms Curtis —The Department of—

Senator FORSHAW —You are the people who are going to have some role in overseeing the operation of this legislation in the same way as A-Gs and others, and it is important that we understand the boundaries in terms of who has a right to require the production of this card outside of the agencies that we clearly understand have that right—Medicare and so on. Secondly, how is it that going to happen given that the information they may be seeking, such as proof of concession status—seniors card or veterans’ entitlement card—is not on the card itself but is contained in the chip? As the Privacy Commissioner, shouldn’t you be absolutely confident that any exemptions given or any entitlement allowed under this legislation, particularly to the non-government sector—companies and others—to access this card is clear and unambiguous, not confusing and will not undermine the supposed security of the information?

Ms Curtis —My understanding is that a working group in the Commonwealth is looking at the issue of concessions, and it is liaising with the states and territories on a way to ensure that appropriate concessions will still be available to those people who are entitled to them. I understand that is a work in progress.

Senator FORSHAW —What you are telling me—and I say this with the greatest respect, Ms Curtis, because I think you are labouring under a similar situation to ours—is that they have drafted a bill and they have tried to cover the operation of who can access it in circumstances where they are saying that it is unlawful to require the production of the card in general unless it is done for a proper and prescribed purpose. Then, unfortunately, we do not have any real clear indication as to the extent of the class of persons, organisations or companies that will be able to do it lawfully.

Ms Curtis —People will offer their access card—

Senator FORSHAW —But that is not what we are dealing with here. We are dealing with who under the proposed law has an entitlement to require its production.

Ms Curtis —My understanding at the moment is that it is only those participating agencies that are listed.

Senator FORSHAW —That is not what I understand the legislation to say. I am confused or uncertain about it. I am having trouble in defining the groups that might be able to do it lawfully. A whole range of people out there, retailers and everybody, offer concessions—

Mr Solomon —I might be able to assist. The intention of the department, and through the bill, is that, where people currently offer concessions to Commonwealth benefit holders, that will continue.

Senator FORSHAW —I understand that.

Mr Solomon —The intention of the bill is that, if I have a concession that is issued by the Commonwealth and I want to ask for that concession from a provider who provides it, the provider can actually ask me to present my card. It is a simple proposition.

Senator FORSHAW —I understand that. That is obvious. I understand exactly what the explanatory memoranda says. The difficulty that I come back to all the time is that the new access card that will replace the seniors card, the veterans’ card and so on, as we are told, will not have an identification on the card that says, ‘I, John Citizen, am entitled to seniors benefits or a seniors card.’ It will not have that on the surface. It will not say that I am a veteran or that I am a widow of a veteran. That is different from the current situation. There are specific cards that you show to the person at the cinema counter, who looks at it and says, ‘Yes, you get your discount.’ This card will not be like that. The information that they are searching for is on the chip. Presumably, they are going to have to read the card to be able to ascertain that the person who shows the card is a senior citizen. I think you need to know the extent of who can access that information under those exemptions.

CHAIR —I should just point out, Mr Solomon, that Senator Forshaw and I were earlier discussing that the veteran community is in a slightly different category because some of the concessions will in fact be on the face of the card.

Senator FORSHAW —A few are.

CHAIR —Put it this way: it still applies in many other circumstances.

Mr Solomon —That is true. In some circumstances, for permanent concession holders, there will be indicators—either a colour or something else on the card; for others, it will be on the chip. The privacy enhancing feature of this card is that, with a simple reader that can only indicate that you have a concession, a provider will not see your address, date of birth and so on. This card actually provides a privacy enhancing feature in that circumstance. As we understand it, the way the department wants to roll it out is that there will be a simple reader that shows only a concession entitlement and no other information.

Senator FORSHAW —What you are saying is that, at the end of the day, it comes down to the technology of the reader and what it is capable of doing. The readers will not be able to electronically record the information that might come up on the screen or whatever it is when they put the card through. Is that what you are saying?

Ms Curtis —As we understand it.

Mr Solomon —The technology will be important, and we have said that in our submission.

Senator LUNDY —Do you know what sort of reader is attached to the ones you buy at the shop?

CHAIR —Different readers for different folks. That is right, is it not, Mr Solomon, as you understand it?

Mr Solomon —Yes. The department will have a different type of reader from the local hairdresser offering a concession.

Senator FORSHAW —I understand that is the argument, but we are unsure about this and need some proof about it. The other thing I have difficulty I have with is that it is an undefined class of persons or organisations, because you cannot draw up a list and say, ‘All these groups and businesses can do this and all those groups and businesses cannot.’ I can see that, at the moment, they could all ask for the seniors card, but that is not what this legislation is doing. This legislation is coming at it from a different angle. It is saying: ‘Here is this new card. Some will be entitled to ask for it and some will not.’

CHAIR —I think that could be considered to be more of a comment. Ms Curtis and officers, thank you very much for your assistance to the committee today.

[1.19 pm]