Australian Government e-Authentication Framework for Individuals Discussion Paper; Submission to the Australian Government Information Management Office (AGIMO)(March 2006)
Australian Government e-Authentication Framework for Individuals
Discussion Paper
Submission by the Office of the Privacy Commissioner March 2006
Office of the Privacy Commissioner
The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers federal and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information, credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way Australian government agencies and organisations collect, use, store and disclose individuals’ personal information.
Background
The Office welcomes the opportunity to comment on the Australian Government e-Authentication Framework for Individuals (the AGAF(I)) Discussion Paper which was prepared by the Australian Government Information Management Office (AGIMO) as a policy framework to provide guidance to agencies whose electronically delivered services require e-authentication of individuals’ identity and/or other assertions. The Discussion Paper asserts that the AGAF(I) provides a consistent approach for government agencies to follow when evaluating the risk inherent in electronic transactions. The Office understands that it is intended that the AGAF(I) provide guidance in selecting an e-authentication approach with an appropriate assurance level.
The Office is encouraged by the level of attention given to privacy issues throughout the document.
Privacy and the AGAF(I)
a. Are the privacy-enhancing features of the draft AGAF(I) adequate to ensure agency e-authentication initiatives protect the privacy of individuals? Please comment on each of these features, below.
i. Only authenticating identity when this is necessary for the transaction.
The Information Privacy Principles (the IPPs) in the Privacy Act regulate the handling of personal information by Australian government agencies. IPP 1 limits the collection of personal information by agencies to situations where the information is collected for a lawful purpose directly related to a function or activity of the agency (IPP 1(a)) and, under IPP 1(b), the collection of the information is necessary for, or directly related to, that purpose.
In the context of identity authentication, the Office recognises that there are circumstances where it is necessary and appropriate to ensure that a person is who they say they are. However, from a privacy perspective, it is desirable to seek to achieve a framework which generally allows individuals to make appropriate choices about when, and to what extent, they reveal themselves to others[1]. Requiring individuals to be identifiable when it is not necessary can serve to limit the choice and control individuals have over their personal information. In addition, the authentication of an assertion will often require increased handling of personal information, and sometimes the increased handling of more sensitive personal information. It is for these reasons that the Office supports the proposal in the AGAF(I) that an individual’s identity should only be authenticated by an agency where it is necessary for the transaction between the individual and the agency.
It is worth noting that the Discussion Paper usefully distinguishes between authenticating identity and authenticating other assertions that may be made by individuals. There may be situations where an agency needs to authenticate one assertion to a higher level than other assertions. For example, there may be circumstances where it is very important that an individual’s qualifications are verified but less important that the individual’s identity is verified.
The Office recommends that the AGAF(I) recognise that different assurance levels may attach to different assertions made by an individual in the one transaction. This would mean that ‘Part 2’ of ‘The AGAF process’ depicted in the diagram in the Discussion Paper would allow agencies to identify multiple assertions to be authenticated and then evaluate the assurance level required for each of those assertions separately.
The Office notes that the Discussion Paper proposes that a Privacy Management Strategy be implemented by agencies once a Privacy Impact Assessment (PIA) is conducted.
ii. Choice – Individuals will have the capacity to choose whether or not they wish to use electronic authentication mechanisms to access government electronic services.
The Office welcomes the inclusion of choice as one of the principles to guide the selection and implementation of e-authentication approaches. It is understood that choice in the AGAF(I) specifically refers to the capacity of individuals to determine whether or not they wish to access government services electronically. It is important that this choice be a real and easily exercised one. For example, an individual may have a theoretical choice not to engage with a government department electronically but if choosing not to do so means that they encounter greater obstacles in accessing the services offered by the department it may not amount to a real choice in practice.
In this regard, the AGAF(I) would benefit from a statement to the effect that individuals not be unreasonably disadvantaged as a result of not taking up the option to use e-authentication mechanisms when dealing with agencies. Such an approach appears consistent with the New Zealand Policy and Implementation Principles for online authentication as described in the Discussion Paper[2].
iii. Encouraging use of privacy impact assessments by agencies for authentication mechanisms that require the authentication of identity or impinge on privacy.
A thoroughly conducted PIA can play an important role in ensuring compliance with privacy laws as well as taking into account broader privacy considerations. For example, a PIA can help to identify future risks of an authentication proposal, such as function creep, or to expose unintended consequences which may impact on privacy.
Relevantly, the Office notes that transparency is another guiding principle of the AGAF(I). Whilst the decision whether to publish PIA findings may depend on the stage or nature of the particular project, the process of conducting comprehensive, robust and open PIAs would contribute to the transparency of the AGAF(I) as a whole.
It is important to note that the conduct of PIAs, coupled with adherence to the guiding principle of transparency, will help to engender community trust in an e-authentication proposal.
b. Are these features sufficient to ensure that agencies implementing the services that employ electronic authentication comply with the Information Privacy Principles in respect to these services?
Taking the particular example of the PIA as a feature of the AGAF(I), a PIA can be a valuable tool to help agencies to ensure compliance with privacy laws. For instance, a PIA can include an analysis of how the data-handling practices of the project comply with the specific provisions of applicable privacy laws.
In relation to consistency between the IPPs and the AGAF(I), the Office notes that the section in the Discussion Paper entitled “Individuals’ roles and responsibilities”, includes requirements that individuals:
- Take appropriate care of government issued credentials
- Endeavour to keep personal computers secure, by employing security patches, virus protection and firewalls, and by controlling who uses the computer.
The Discussion Paper does not include corresponding responsibilities under the heading “Government’s roles and responsibilities”.
Under IPP 4, record-keepers in possession or control of a record that contains personal information are required to ensure that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse.
Accordingly, it may be appropriate for the AGAF(I) to reflect this obligation by expanding the roles and responsibilities of Government to cover agencies’ obligations under IPP 4, and by carefully considering the extent to which individuals can reasonably be expected to, and are likely to, maintain the levels of IT security suggested. A framework that places security expectations on individuals without stating the corresponding agency obligations risks shifting responsibility for credential compromise onto the party least able to control it.
c. Do these privacy-enhancing features provide an appropriate balance between the interests of protecting the privacy of individuals and electronic service delivery?
Rather than viewing privacy and electronic service delivery as two competing outcomes, it is the Office’s view that privacy can be an integral part of electronic service delivery. That is, if done correctly, an e-authentication system could help to deliver key elements of privacy protection such as data security and control.
The AGAF(I)’s guiding principles of transparency, privacy and choice in particular assist in increasing the potential for privacy enhancement. However, it is important to realise that the interpretation of the principles will be important in this context. In particular, clarification may be necessary in relation to the practicality of choice and the openness of the PIA process. These issues are addressed in more detail earlier in this submission.
The principle of “privacy” may require further exploration in the AGAF(I), specifically in relation to explanation of the Privacy Management Strategy which is proposed once a PIA is conducted. The AGAF(I) would benefit from more detail about the Privacy Management Strategy, including how it would be implemented.
e-Authentication Infrastructure
a. Should the government implement a whole-of-government credential to streamline access to services, on an opt-in basis? What risks and benefits would be associated with this approach?
b. Should the government be developing clustered agency applications, such as in the health or education sectors? What risks and benefits would be associated with this option?
c. Should the government be exploring use of private sector credentials (such as one issued by a bank or financial institution) for transactions with government? What risks and benefits would be associated with this option?
d. Should the government be investigating establishing an authentication portal that provides a centralised gateway to government services that require e-authentication? What risks and benefits would be associated with this approach?
The Discussion Paper notes that the AGAF(I) is not a national ID system or a central registry of personal information but a policy framework to provide guidance to agencies whose electronically delivered services require e-authentication.
Where government is exploring possible infrastructure models it will be important that the model or models are guided by use of the AGAF(I) policy framework to ensure that e-authentication approaches deliver an assurance level that matches the risk associated with each type of transaction. For example, application of the AGAF(I) may determine that one of the above e-authentication approaches is appropriate for particular types of transactions for particular agencies but less effective or appropriate for others.
In addition, application of the AGAF(I) guiding principles will help to inform decisions about possible infrastructure models. For instance, the Discussion Paper notes that the ubiquity of a hypothetical credential that is used for transactions with several agencies may reduce individuals’ choice[3], one of the AGAF(I) principles.
Privacy, also an AGAF(I) principle, will be a vital consideration in determining appropriate infrastructure and the privacy impacts of each possible model will require further exploration and community debate. In terms of privacy issues which may be associated with each of the models described in the Discussion Paper, a lot will depend on the specifics of a proposal, including technological design. However, the Office offers the following high-level considerations in relation to the specific models mentioned.
The Discussion Paper notes that there are privacy risks in using the same credential to store a range of information that would not otherwise be linked. This privacy risk can be managed, for example by ensuring that different data on the credential can only be accessed for the appropriate purposes, and by ensuring individual choice about whether the credential is used for more than one purpose. However, the details need to be carefully considered.
Similarly, there is a privacy risk in using the same credential to access a diverse range of services. A unique identifier attached to a token usable for many purposes can act as a key for uncovering and linking separate data trails: any two record-keepers that both store that identifier can join their records without the individual’s knowledge or involvement.
If a whole-of-government credential was a smartcard which was used in the community for a large range of evidence-of-identity and other purposes, a unique number associated with the smartcard could link the information held by a range of organisations. While National Privacy Principle 7 in the Privacy Act (which limits the adoption and use of Commonwealth government identifiers by private sector organisations) would provide some protection in this regard, agencies or private sector organisations may be able to learn a great deal about a person’s movements and interactions from this sort of linkage. This privacy risk might be manageable, for example through ensuring individual choice about whether the card is used for more than one purpose, but again the details are critical to the assessment of possible privacy impacts.
A centralised gateway to government services that require e-authentication may risk aggregating personal information that would otherwise be kept separate, and may provide the capacity for detailed tracking of how and when individuals engage with different government agencies. These risks might also be manageable, depending on the nature of the centralised gateway and its connection to other government agencies.
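The linkage risk described in the preceding paragraphs is mechanical rather than hypothetical, and the "technological design" the submission refers to is what decides it. The following Python example is added here as an illustration and is not part of the submission or of the AGIMO Discussion Paper. It first shows how two agencies holding a common card number can join their records, then goes beyond the text to show one design that removes the join: each agency is issued a pairwise pseudonym derived from the card number with a keyed hash (HMAC) under a master secret the agencies do not hold. The agency names, card numbers, events and master secret are all constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records. "card_no" stands in for a single
# whole-of-government identifier that both agencies store verbatim.
HEALTH_RECORDS = [
    {"card_no": "1000-0001", "event": "GP visit 2006-02-01"},
    {"card_no": "1000-0002", "event": "Specialist referral 2006-02-10"},
]
EDUCATION_RECORDS = [
    {"card_no": "1000-0001", "event": "Enrolled 2006-01-15"},
    {"card_no": "1000-0003", "event": "Graduated 2005-12-20"},
]


def index_by(records, key):
    """Group a record set's events under the value of `key`."""
    idx = {}
    for r in records:
        idx.setdefault(r[key], []).append(r["event"])
    return idx


def link_on_shared_id(records_a, records_b, key="card_no"):
    """Join two agencies' holdings on a shared identifier.

    Returns {identifier: [events from A] + [events from B]} for every
    identifier present in both sets: the cross-agency profile that a
    single ubiquitous identifier makes possible with no further secret.
    """
    a, b = index_by(records_a, key), index_by(records_b, key)
    return {i: a[i] + b[i] for i in a.keys() & b.keys()}


def pairwise_pseudonym(master_secret, card_no, agency):
    """Derive a per-agency identifier: HMAC-SHA256(master_secret, card_no || agency).

    The same person gets a stable value within one agency but an unrelated
    value in every other agency. Without `master_secret` (held only by the
    issuer, not the agencies) no agency can map its value to another's.
    The NUL separator prevents ambiguity between card_no and agency bytes.
    """
    msg = card_no.encode() + b"\x00" + agency.encode()
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()[:16]


def issue_pseudonymised(records, master_secret, agency):
    """What an agency would hold under the pairwise scheme: events keyed
    by that agency's own pseudonym, with the card number not retained."""
    return [
        {"pid": pairwise_pseudonym(master_secret, r["card_no"], agency),
         "event": r["event"]}
        for r in records
    ]


if __name__ == "__main__":
    print("Linked on shared card number:",
          link_on_shared_id(HEALTH_RECORDS, EDUCATION_RECORDS))
    master = secrets.token_bytes(32)  # constructed issuer secret for the demo
    health = issue_pseudonymised(HEALTH_RECORDS, master, "health")
    education = issue_pseudonymised(EDUCATION_RECORDS, master, "education")
    print("Linked on pairwise pseudonyms:",
          link_on_shared_id(health, education, key="pid"))
```

Running the block prints one linked profile for card 1000-0001 in the first case and an empty result in the second; the same person is present in both agencies both times, but only the shared identifier lets the two holdings be joined. The point for the assessment of a whole-of-government credential is that "one credential" need not mean "one number stored everywhere", and a PIA should ask which of the two the proposal actually is.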
Accordingly, any analysis of the benefits or risks of the various models will necessarily depend on the detail of a particular authentication proposal. It will be important that any model explored by government is considered within the parameters set by an accepted framework. A key feature of applying the AGAF(I) to the assessment of authentication models is the PIA requirement. A thorough, robust and open PIA will assist government in assessing the appropriateness of each of these authentication infrastructure models.
The Office notes that the imposition of a single e-authentication infrastructure is unlikely to fit well with the application of the AGAF(I) to the specifics of each agency’s requirements. AGAF(I) encourages agencies to consider the level of assurance required for each type of transaction. The existence of a single e-authentication model across government may lead to pressures to use that model for all transactions, regardless of the level of assurance required.
Conclusion
The AGAF(I) is a useful tool in encouraging thoughtful consideration of issues associated with the e-authentication of individuals, including privacy issues. The Office strongly supports the AGAF(I) guiding principles of privacy, transparency and choice. The Office supports both the underlying principle of the AGAF(I) that identity should be authenticated only where this is necessary for the transaction and the recommendation that PIAs be conducted in relation to government e-authentication initiatives. Whichever models of authentication infrastructure are explored by government, it will be important that they are considered within the parameters set by an accepted framework.
Key Recommendations
The Office makes the following recommendations in regard to the AGAF(I):
- The Office supports the underlying principle that identity should be authenticated only when this is necessary for the transaction.
- The AGAF(I) should recognise that different assurance levels may attach to different assertions made by an individual in the one transaction.
- ‘Part 2’ of ‘The AGAF process’ depicted in the diagram in the Discussion Paper should allow agencies to identify multiple assertions to be authenticated and then evaluate the assurance level required for each of those assertions.
- The principle of choice should reflect a real choice.
- Individuals should not be disadvantaged by choosing not to access government services electronically.
- The Office supports the proposal that agencies conduct PIAs for all new authentication initiatives and the extension of existing services that go beyond their original scope.
- The principle of transparency is relevant to the openness of the PIA process and should inform agencies’ decisions about whether or not to publish PIA findings.
- The principle of privacy may require further explanation, specifically in relation to explanation of the Privacy Management Strategy which is proposed once a PIA is conducted.
- “Government’s roles and responsibilities” under the AGAF(I) should be consistent with the IPPs, specifically IPP 4 which includes obligations on agencies where records are given to a person.
- Any authentication infrastructure model explored by government should be considered within the parameters set by the AGAF(I) and incorporate a requirement for a robust, thorough and open PIA.
[1] Proof of ID required? Getting Identity Management Right, Office of the Federal Privacy Commissioner, 2004
[2] Discussion Paper, Appendix C
[3] Discussion Paper, p. 11