Smart cards

9.55 A smart card is usually a plastic card with an embedded microchip that can be programmed to perform multiple and varied functions.[105] A microchip embedded in a smart card can vary in sophistication.[106] Some microchips have memory functions only, while others have ‘a micro-controller, various types of memory and an operating system’.[107] It has been noted that ‘multi-application smartcards today have approximately the same capabilities and logical powers as the first commercial micro-computers in the mid 1970s’.[108]

9.56 Smart card technology has existed for several decades and has been described as ‘technology looking for an application’.[109] Currently, smart card technology has a number of established uses. For example, a Subscriber Identity Module (SIM) card in a mobile telephone uses smart card technology.[110] Smart cards also have a number of nascent uses, including for identity authentication and financial transactions. For example, a smart card could store a cardholder’s biometric information in order to enable the cardholder to access a building or computer network. It could also contain an ‘electronic purse’ that could be used as a substitute for cash in small value transactions, such as for travel on public transport or small retail purchases.[111]

9.57 Smart cards can be divided into two main categories: ‘contact smart cards’ and ‘contactless smart cards’. Information contained on a contact smart card can only be read if the card is inserted directly into a card reader. Contactless smart cards, however, use low-frequency radio waves to communicate with readers. Accordingly, they can be read from a distance.[112]

9.58 The use of smart card technology raises several privacy concerns. One concern is that a particular smart card may be linked to a particular individual, for example, where the individual uses his or her bank account to add value to the card’s electronic purse. Widespread use of smart cards that are linked to identifiable individuals may mean that individuals no longer have the option of transacting anonymously.[113] Further, widespread use of these cards could enable vast amounts of information about the activities of cardholders to be collected and stored. In the future, smart cards could

generate records of the date, time and location of all movements on public and private transport systems, along with details of all goods purchased, telephone use, car parking, attendance at the cinema, and any other activities paid for by smart cards.[114]

9.59 These records could then be used by smart card operators or third parties for a number of purposes, for example, to generate detailed profiles of individuals to market goods and services to them. They may also be sought by third parties, such as law enforcement agencies.[115]

9.60 Another concern is that smart card schemes that are used by numerous agencies or organisations may lack a central data controller. Accordingly, it may be unclear who is accountable for the use, disclosure, accuracy and security of personal information collected by the smart card system.[116] Concern also has been expressed about the potential for function creep[117] and the ability to read contactless smart cards without the cardholder’s knowledge or consent. Finally, the security of a smart card system depends on the reliability and security of the various components of the system—that is, the security of the data pathways between the smart card and any reading, processing, storage or transmission system.

9.61 In 2004, the Council of Europe published a set of guiding principles for the protection of personal information in systems using smart card technology.[118] After acknowledging that the protection of personal information in any smart card system depended ‘on many different factors and circumstances’, the Council set out 11 principles to be taken into account by those who issue smart cards, as well as other participants in smart card systems, such as project designers and managers.

9.62 Among other things, the principles require the collection of personal information for storage on a smart card to be for ‘legitimate, specific and explicit purposes’.[119] They also require a smart card to offer an appropriate level of security given the state of technology, the data stored on the card, the applications of the card, and the security risks.[120] Further, the principles require a data subject to be alerted every time personal information is exchanged between a smart card and a smart card system.[121]

9.63 In 2006, the Australian Government released part of a framework to assist agencies seeking to implement smart card technology.[122] The framework requires agencies implementing smart card technologies to include data protection clauses in agreements with third parties about the supply of smart cards and related services, and to undertake privacy impact assessments (PIAs) during the design of smart card systems. It also requires agencies implementing smart card technologies to produce comprehensive privacy policy statements and to revise these statements ‘whenever a third party agency adds additional functionality to an existing smartcard deployment’.[123] In June 2007, the Online and Communications Council endorsed the initial stages of the National Smartcard Framework.[124] Currently, the Australian Government is continuing to develop the National Smartcard Framework to ‘underpin evidence of identity and service initiatives by articulating a minimum set of requirements for interoperability at both the infrastructure and application levels’.[125]

[105] See, eg, S Newman and G Sutter, ‘Electronic Payments—The Smart Card: Smart Cards, E-payments, & Law—Part I’ (2002) 18 Computer Law & Security Report 235, 235; Privacy Committee of New South Wales, Smart Cards: Big Brother’s Little Helpers (1995), i.

[106] Australian Government Information Management Office, Australian Government Smartcard Framework (2006), [b.6].

[107] Ibid, [b.6].

[108] Ibid, [b.6].

[109] Privacy Committee of New South Wales, Smart Cards: Big Brother’s Little Helpers (1995), 3.

[110] S Newman and G Sutter, ‘Electronic Payments—The Smart Card: Smart Cards, E-payments, & Law—Part I’ (2002) 18 Computer Law & Security Report 235, 235.

[111] Privacy Committee of New South Wales, Smart Cards: Big Brother’s Little Helpers (1995), i.

[112] Council of Europe, Report on the Protection of Personal Data with Regard to the Use of Smart Cards (2001).

[113] Privacy Committee of New South Wales, Smart Cards: Big Brother’s Little Helpers (1995), ii.

[114] Ibid, ii.

[115] Ibid, ii–iii.

[116] Office of the Victorian Privacy Commissioner, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 March 2005, [26].

[117] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [3.40], [3.43]–[3.54].

[118] Council of Europe, Guiding Principles for the Protection of Personal Data with Regard to Smart Cards (2004).

[119] Ibid, Principle 2.

[120] Ibid, Principle 6.

[121] Ibid, Principle 9.

[122] Australian Government Information Management Office, Australian Government Smartcard Framework (2006).

[123] Ibid, [a.17].

[124] Online and Communications Council, ‘Fourteenth Online and Communications Council Communiqué’ (Press Release, 14 July 2007).

[125] Australian Government Information Management Office, Australian Government Smartcard Framework (2007) <www.agimo.gov.au/infrastructure/smart_cards> at 24 April 2008.