16.08.2010
30.105 This section discusses identifiers assigned to individuals by governments for use by multiple government agencies and organisations (multi-purpose identifiers). The section commences by providing an overview of concerns that have been expressed about the impact on privacy of multi-purpose identifiers. It then examines the history of identification schemes in Australia before discussing the recently abandoned access card scheme. Finally, the ALRC makes a recommendation to address the privacy concerns associated with unique multi-purpose identifiers.
Benefits and privacy concerns
30.106 Schemes involving multi-purpose identifiers can have a number of benefits. For example, they can increase administrative efficiency and enhance data accuracy.[137] The existence of multi-purpose identifiers, however, also raises a number of privacy concerns. One such concern is that the introduction of a multi-purpose identifier changes fundamentally the relationship between the individual and government.[138] In liberal democratic societies, governments are accountable to their citizens. It has been argued that the introduction of a multi-purpose identifier symbolically reverses this tradition, making citizens accountable to their governments.[139] This could then open the way for ‘further extensions of government power and … further restrictions on the individual’s sphere of independent action’.[140]
30.107 It also is argued that linking a multi-purpose identifier to a name limits the ability of individuals to use different names in different contexts.[141] At common law, there is nothing to prevent an individual from operating under various names, provided that he or she does not use different names to engage in unlawful behaviour.[142] Aliases may be used by a variety of people, such as artists, authors and intelligence operatives.[143]
30.108 Further, the introduction of multi-purpose identifiers increases the ability of the state to monitor the activities of its citizens. By recording multi-purpose identifiers during transactions, government agencies and organisations can compile substantial amounts of information about a person, including information about a person’s financial circumstances, family composition, hobbies or health. This could then be used for a variety of purposes, such as to locate a person or to determine a person’s interests for the purposes of direct marketing.
30.109 Different agencies or organisations could then combine the data collected about the transactions or activities of particular individuals to create a richer dataset. This process is known as data-matching.[144] The use of a multi-purpose identifier facilitates greatly the data-matching process. The ability of a government to compile dossiers of personal information about individuals could have a ‘chilling effect’ on the activities of citizens, who no longer have a private sphere in which to relax, experiment or engage in creative pursuits.[145]
30.110 In addition, the unintended dissemination of either the identity information required to be provided by individuals in order to receive a multi-purpose identifier, or data generated by the use of the multi-purpose identifier, can erode the privacy of the individual to whom the information relates.[146] For example, such information could be stolen by a ‘hacker’; accidentally disclosed through an administrative error; or deliberately sold by those with access to it, such as employees of agencies. This can increase the risk that the individual will subsequently become the victim of identity theft.[147]
30.111 Another privacy concern relates to the quality of the data involved in an identification scheme involving multi-purpose identifiers. Errors inputting data for the purposes of the scheme, or corruption of stored data, could impact adversely on the ability of individuals to access the services for which the multi-purpose identifier is required.
30.112 Finally, it has been argued that identity documents have had a long history of discriminatory uses for social control.[148] One commentator has noted that slaves in the United States were required to carry identification papers to travel, Nazis used identification cards to locate Jewish people during World War II, and the slaughter of Tutsis in Rwanda was aided by the fact that their identity cards revealed their ethnicity.[149]
History of identification schemes in Australia
Identification schemes in wartime
30.113 Several identification schemes were implemented in wartime Australia. During World War I and World War II, all aliens (non-British subjects) were required to register with local government officials.[150] After registration, they were required to notify officials if they changed their address[151] and to produce their certificates of registration on demand.[152] In 1942, all residents of 16 years of age or above (other than aliens and other specified groups, such as members of the Defence Force performing continuous full-time war service) were required to register with local government officials in order to obtain an identity card.[153] They were then required to produce their identity cards if requested to do so by specified people, such as constables on duty.[154]
The Australia Card
30.114 In September 1985, the Australian Government announced its intention to develop a national identification scheme—the ‘Australia Card’ scheme[155]—to combat tax fraud, social security fraud and illegal immigration.[156] In May 1986, a Joint Select Committee on an Australia Card delivered a report that strongly recommended against the introduction of the Australia Card. The Committee suggested a number of alternative reforms such as: the computerisation of all state and territory registries of births, deaths and marriages;[157] and the introduction of an upgraded, high-integrity tax file number scheme.[158]
30.115 In October 1986, the Australia Card Bill 1986 (Cth) was introduced into Parliament. On two occasions the Australia Card Bill was passed by the House of Representatives[159] only to be rejected by the Senate.[160] Under s 57 of the Australian Constitution this became a potential trigger for a double dissolution election. Accordingly, in May 1987, the Australian Government announced Australia’s sixth double dissolution election.[161] On 11 July 1987, the Australian Labor Party was returned to office and the Australia Card Bill was reintroduced into Parliament for a third time. The Bill was ultimately laid aside after Opposition senators indicated that they would disallow regulations that were required to bring crucial clauses of the Bill into effect.[162]
Other proposed identification schemes
30.116 After the bombings in London in July 2005, the then Prime Minister of Australia stated that the introduction of a national identification scheme was an issue that should be ‘back on the table’.[163] The introduction of such a scheme was discussed on a number of occasions during 2005 and early 2006.[164] On 26 April 2006, however, it was announced that the Australian Government did not intend to proceed with the introduction of a compulsory national identity card. It did intend, however, to introduce a new card that would be required to access health and welfare benefits (the access card).[165]
The access card
Overview
30.117 The access card scheme was intended to enable consumers to access all health and social services with one card; access emergency relief payments through automatic teller machines and through Electronic Funds Transfer at Point of Sale (EFTPOS);[166] and reduce fraud in relation to Australian Government benefits.[167]
30.118 The access card would have replaced up to 17 existing health care and social services cards and vouchers.[168] It would have displayed the cardholder’s name and photograph on its front, and the cardholder’s signature and card number on its back.[169] Other personal information, such as the cardholder’s photograph, date of birth, concession status, and details of the cardholder’s children or dependants would have been stored on a microchip embedded in the card.[170] Information on the card and the chip would have been stored on a database that would have been maintained separately from existing agency databases.[171]
30.119 The Human Services (Enhanced Service Delivery) Bill 2007 (Cth), was introduced into the House of Representatives on 7 February 2007. The Bill provided a framework for the introduction of the proposed access card scheme[172] and stated that the purpose of the scheme was to improve the delivery of Commonwealth services and reduce fraud, particularly in relation to identity theft.[173] Later legislation was intended to provide detail on aspects of the scheme such as information protection, uses of the card, and review and appeal processes.[174]
30.120 On 8 February 2007, the provisions of the Bill were referred for inquiry to the Senate Standing Committee on Finance and Public Administration (the Committee).[175] The Committee released its report on 15 March 2007.[176] The Committee endorsed the goals of the proposed access card scheme[177] but noted that a number of privacy concerns that related to the architecture of the scheme were not dealt with by the Bill.[178]
30.121 At the time the federal election was called in October 2007, the Australian Government was conducting consultations on a revised exposure draft of access card legislation.[179] Shortly after winning the federal election in November 2007, the Australian Labor Party announced it would not proceed with the access card scheme.[180]
Privacy and the access card scheme
30.122 A number of concerns were expressed about the potential impact of the access card scheme on privacy. Some argued that the access card scheme was the same as the failed Australia Card scheme.[181] Other commentators were concerned about: profiling of individuals through the use of access card numbers;[182] accessing of the database for illegitimate purposes; [183] and the possibility for ‘function creep’[184] if new legislation required or authorised the use or disclosure of personal information collected for the access card scheme, or new uses for the access card.[185]
Regulation of multi-purpose identifiers
30.123 In light of the above, in IP 31 the ALRC asked what role the Privacy Act should play in the regulation of multi-purpose identifiers.[186]
30.124 In DP 72, the ALRC expressed the view that the policy intent of NPP 7 remains relevant for Australian Government identification schemes, such as the proposed access card scheme. The ALRC noted that multi-purpose identifiers such as the proposed access card number would likely fall within the definition of ‘identifier’ in the ‘Identifiers’ principle. Any exceptions to the ‘Identifiers’ principle should be set out clearly in legislation establishing such schemes. To this end, the ALRC proposed that before introducing a multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should consider the need for a privacy impact assessment (PIA).[187]
Submissions and consultations
30.125 Several agencies expressed support for the practice of conducting a PIA before introducing a multi-purpose identifier.[188] The Department of Human Services supported the ALRC’s proposal on the basis that it afforded flexibility to the Australian Government by not mandating the requirement for a PIA but allowing the Government to consider whether there was a need for a PIA.[189]
30.126 On the other hand, a number of stakeholders submitted that the ALRC’s proposal would not provide individuals with sufficient privacy protection.[190] The OVPC submitted that mandatory PIAs should be required in the context of multi-purpose identifiers.[191] The OPC supported mandatory PIAs in cases where significant privacy risks are anticipated, and submitted that multi-purpose identifiers often create such risks.[192]
30.127 The Cyberspace Law and Policy Centre submitted that, for the regulation of multi-purpose identifiers,
[a]ny variations from the application of any of the principles should be defined by specific legislative provisions stating exceptions or variations, and not left to inference from the existence of a different set of principles. Such an approach will (i) ensure that variations are obvious; (ii) facilitate a consistent body of law emerging on both the core principles and the exceptions.[193]
ALRC’s view
30.128 The ALRC has not recommended that the ‘Identifiers’ principle apply to agencies. Multi-purpose identifiers, however, pose significant privacy risks. Accordingly, such identifiers should be established by legislative schemes that set out clearly the exceptions to the ‘Identifiers’ principle. The ‘Identifiers’ principle would regulate the adoption, use and disclosure by organisations of multi-purpose identifiers where this is not addressed by specific legislative regimes establishing such identifiers.
30.129 The potential privacy risks of multi-purpose identifiers are always so significant that the Australian Government, in consultation with the OPC, should be required to conduct a PIA before the introduction by agencies of any multi-purpose identifier. This proactive approach encourages agencies to incorporate privacy and security safeguards into the design of multi-purpose identifiers.
Recommendation 30-6 Before the introduction by an agency of any multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should conduct a Privacy Impact Assessment.
[137] See, eg, Council of Europe, The Introduction and Use of Personal Identification Numbers: The Data Protection Issues (1991).
[138] Parliament of Australia—Joint Select Committee on an Australia Card, Report of the Joint Select Committee on an Australia Card (1986), [3.7].
[139] G de Q Walker, ‘Information as Power: Constitutional Implications of the Identity Numbering and ID Card Proposal’ (1986) 16 Queensland Law Society Journal 153, 163.
[140] Ibid, 163.
[141] Parliament of Australia—Joint Select Committee on an Australia Card, Report of the Joint Select Committee on an Australia Card (1986), [3.37].
[142] Ibid, Addendum, [22].
[143] R Clarke, ‘Just Another Piece of Plastic for your Wallet: The “Australia Card” Scheme’ (1987) 5 Prometheus 1, 40.
[144] Chs 9 and 10 discuss data-matching in detail.
[145] G de Q Walker, ‘Information as Power: Constitutional Implications of the Identity Numbering and ID Card Proposal’ (1986) 16 Queensland Law Society Journal 153, 160–161.
[146] M Crompton, ‘Proof of ID Required? Getting Identity Management Right’ (Paper presented at Australian IT Security Forum, 30 March 2004), 14.
[147] Identity theft is discussed in Ch 12.
[148] R Sobel, ‘The Demeaning of Identity and Personhood in National Identification Systems’ (2002) 15 The Harvard Journal of Law and Technology 319, 343. See also Privacy International, Some Personal Views from Around the World on ID Cards (1996) <www.privacyinternational.org> at 1 May 2008.
[149] R Sobel, ‘The Demeaning of Identity and Personhood in National Identification Systems’ (2002) 15 The Harvard Journal of Law and Technology 319, 343–349.
[150]War Precautions (Alien Registration) Regulations 1916 (Cth) reg 5; Aliens Registration Act 1939 (Cth) ss 8, 13(1).
[151]War Precautions (Alien Registration) Regulations 1916 (Cth); Aliens Registration Act 1939 (Cth) ss 9–12.
[152]War Precautions (Alien Registration) Regulations 1916 (Cth) reg 12.
[153]National Security (Man Power) Regulations 1942 (Cth)reg 32.
[154] Ibidregs 45, 45A.
[155] P Keating (Treasurer), Reform of the Australian Taxation System: Statement by the Treasurer The Hon Paul Keating, 1 September 1985, 28–31.
[156] R Clarke, ‘Just Another Piece of Plastic for your Wallet: The “Australia Card” Scheme’ (1987) 5 Prometheus 1, 33; Parliament of Australia—Joint Select Committee on an Australia Card, Report of the Joint Select Committee on an Australia Card (1986), Addendum, [28].
[157] Parliament of Australia—Joint Select Committee on an Australia Card, Report of the Joint Select Committee on an Australia Card (1986), rec 2(a).
[158] Ibid, rec 12(a)–(d).
[159] On 14 November 1986 and 25 March 1987: See R Jordan, E-brief: Identity Cards (2006) Parliament of Australia—Parliamentary Library <www.aph.gov.au> at 1 May 2008.
[160] On 10 December 1986 and 2 April 1987: See Ibid.
[161] R Clarke, ‘The Australia Card: Postscript’ (1988) 18 Computers & Society 10, 10; G Greenleaf, ‘Lessons from the Australia Card—Deux ex Machina?’ (1988) 3(6) Computer Law and Security Report 6, 6.
[162] G Greenleaf, ‘Lessons from the Australia Card—Deux ex Machina?’ (1988) 3(6) Computer Law and Security Report 6, 6.
[163] J Howard (Prime Minister), Doorstop Interview, 15 July 2005.
[164] See, eg, C Keller, ‘Identity Card Way to Prevent Rau Case: Vanstone’, The Advertiser (Adelaide), 25 January 2006, 17; ‘PM’s Open Mind on ID Card’, The Australian (Sydney), 25 January 2006, 2; M Priest, ‘Ruddock to Push National Identity Card’, Australian Financial Review (Sydney), 16 January 2006, 1.
[165] J Howard (Prime Minister), P Ruddock (Attorney-General) and J Hockey (Minister for Human Services), Joint Press Conference, 26 April 2006.
[166] Australian Government Office of Access Card, Fact Sheet—Emergency Payments (2007) <www.
accesscard.gov.au/resources/pdf/factsheets/emergency-payments.pdf> at 31 July 2007.
[167] Revised Exposure Draft Human Services (Enhanced Service Delivery) Bill 2007 (Cth) cl 7.
[168] The health care and social services cards and vouchers that were to be replaced by the access card included the PBS Entitlement Card, PBS Safety Net Concession Card, Pensioner Concession Card, Centrelink Health Care Card (including a Low Income Health Care Card and a Foster Child Health Care Card), Reciprocal Health Care Card, Commonwealth Seniors Health Card, Cleft Lip and Palate Card, DVA Gold, White and Orange Cards, War Widow/Widower Transport Card, Medicare Card, and other cards or vouchers prescribed by the regulations: Ibid cl 4.
[169] Ibid cls 70–71.
[170] Ibid cls 73–74.
[171] Ibid cl 35; Australian Government Office of Access Card, Fact Sheet—No Mega Database (2007) <www.accesscard.gov.au/resources/pdf/factsheets/no-mega-database.pdf> at 31 July 2007.
[172] Human Services (Enhanced Service Delivery) Bill 2007 (Cth) cl 3.
[173] Ibid cls 6, 7.
[174] Commonwealth, Parliamentary Debates, House of Representatives, 7 February 2007, 3 (M Brough—Minister for Families Community Services and Indigenous Affairs), 3.
[175] Parliament of Australia—Senate Standing Committee on Finance and Public Administration, Human Services (Enhanced Service Delivery) Bill 2007 [Provisions] (2007).
[176] Ibid.
[177] Ibid, 11.
[178] Ibid, 11. In addition, an Access Card Consumer and Privacy Taskforce was established to provide advice to the Australian Government on a range of matters relating to the structure and operation of the Access Card scheme, including community views on the scheme and the impact of the scheme on privacy. The Taskforce published several consultation papers and reports on the access card scheme: see, eg, Access Card Consumer and Privacy Taskforce, Discussion Paper Number 1: The Australian Government Health and Social Services Access Card (2006); Access Card Consumer and Privacy Taskforce, Discussion Paper Number 2: Voluntary Medical and Emergency Information (2007); Access Card Consumer and Privacy Taskforce, Discussion Paper Number 3: Registration (2007); Acccess Card Consumer and Privacy Taskforce, Report Number 2: Voluntary Medical and Emergency Information on the Access Card (2007); Access Card Consumer and Privacy Taskforce, Report Number 3: The Access Card Review and Appeals System (2007); Access Card Consumer and Privacy Taskforce, Report Number 5: Registration (2007).
[179] Revised Exposure Draft Human Services (Enhanced Service Delivery) Bill 2007 (Cth).
[180] Commonwealth, Parliamentary Debates, Senate, 13 February 2008, 47 (J Ludwig—Minister for Human Services); K Dearne, ‘Labor Swift to Dump Access Card’, The Australian (online), 7 December 2007, <www.australianit.news.com.au>.
[181] See, eg,G Greenleaf, ‘Australia’s Proposed ID Card: Still Quacking Like a Duck’ (2007) 23 Computer Law & Security Report 156.
[182] See, eg, Australian Privacy Foundation, Why Every Australian Should Oppose the ‘Access Card’: The Arguments Against a National ID Card System (2006).
[183] See, eg, Ibid; ‘Centrelink Scandal Highlights Smartcard Fears’, The Epoch Times (online), 25 August 2006, <www.theepochtimes.com>.
[184] Function creep occurs when personal information or a system is used in a manner that was unintended at the time the information was collected or the system devised: Office of the Privacy Commissioner, An Introductory Guide to Privacy Impact Assessment for Australian Government and ACT Government Agencies, Consultation Draft (2004), [3].
[185] See, eg, M Franklin, ‘MP Warns of Access Card Misuse’, The Courier-Mail (Brisbane), 18 July 2006, 4; A Stafford, ‘Access Card Could Link to Surveillance’, The Age (Melbourne), 5 June 2006, 9.
[186] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 12–3.
[187] PIAs are discussed in Ch 47.
[188] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.
[189] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.
[190] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.
[191] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[192] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[193] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.