Submission: Senate Legal and Constitutional Committee Inquiry into the Migration Legislation Amendment (Identification and Authentication) Bill 2003 (September 2003)
Senator Payne
Chair
Senate Legal and Constitutional Legislation Committee
Room S1.61, Parliament House
Canberra ACT 2600
AUSTRALIA
Dear Senator Payne
MIGRATION LEGISLATION AMENDMENT (IDENTIFICATION AND AUTHENTICATION) BILL 2003
Thank you for the opportunity to make a submission to the Senate Legal and Constitutional Legislation Committee’s Inquiry into the Migration Legislation Amendment (Identification and Authentication) Bill 2003 (the Bill).
In its present form, the Bill would introduce into law a scheme for the collection from individuals of strongly identifying information, in some cases against the wishes of those individuals. Strongly identifying information based on emerging biometric technologies may provide new means for uniquely identifying individuals.
The Bill appears to be entering new territory in the area of personal identification. The community and this Office are still in the early stages of grappling with, and are yet to fully understand, the implications of these new methodologies. It is unclear at the moment how the proposals in the Bill will mesh with emerging thinking by other areas of government on authentication, identification, identity fraud and privacy.
As such, the Bill would appear to be a good candidate for a Privacy Impact Assessment. This Office has previously commented on the desirability of conducting Privacy Impact Assessments in our submission to the Joint Committee of Public Accounts and Audit inquiry into the Management and Integrity of Electronic Information in the Commonwealth in January 2003. (Available at www.privacy.gov.au/publications/jcpaasubs.pdf).
The Bill was referred to the Committee to examine the rationale behind the proposed extra powers in relation to citizen identification (Senate Hansard, 20 August 2003, p. 13 746); however, the Bill generally applies to non-citizens. It may be appropriate to clarify how the Bill’s provisions apply to a citizen whose identifying information was collected at a time he or she was a non-citizen.
Prior analysis of the Bill
This Office was consulted on previous versions of the Bill, prior to its introduction to the House of Representatives, and appreciates this degree of engagement in the process. However, due to very short timeframes in some key instances, the Office’s analysis of the Bill and its wider implications has not been as thorough as we would wish.
A number of the comments the Office made to the Department of Immigration, Multicultural and Indigenous Affairs (DIMIA) during the above consultation process are now reflected in the final version of the Bill.
The Deputy Privacy Commissioner wrote to DIMIA on 3 June 2003 outlining the Office’s remaining concerns. I would like to draw to the Committee’s attention these key remaining areas.
Accountability mechanisms
This Office has developed a framework for assessing new initiatives relating to law enforcement and national security, where there are tensions between the public interest in privacy and other broad public interests.
The “Framework for Assessing and Implementing New Law Enforcement and National Security Powers” (the Framework) is at Attachment A. The Framework was first outlined in a paper for the Australian Institute of Criminology’s conference in June 2001[1] and again in a submission to the Senate Legal and Constitutional Committee in April 2002 on proposed anti-terrorism legislation.[2] As an overall framework for assessing the Bill, we strongly recommend it to the Committee.
The Bill establishes, for the first time in Australia, a compulsory and sometimes forcible regime of strong identity, using new biometric technology, in situations beyond traditional law enforcement. In this context, transparent accountability is a paramount consideration. The accountability safeguards the Office has recommended to DIMIA, but which do not appear to be reflected in the Bill, include:
- a legislative requirement to review the Bill’s operation after two years of operation;
- assurance that appropriate review mechanisms are in place, especially as regards the accuracy and reliability of the various methods of identification contemplated; and
- assurance that appropriate oversight of privacy arrangements relating to the proposal are in place, including appropriate resourcing of this Office.
Overseas disclosures
Once personal information is transferred overseas, it is, generally speaking, beyond the power of Australian privacy law. Many overseas jurisdictions do not have privacy protections of the sort afforded by the Privacy Act 1988. As a consequence, an individual whose personal information is transferred overseas may lose significant privacy protections.
The Bill provides for the disclosure overseas of personal information. The recipients of personal information (foreign countries, law enforcement or border control authorities in foreign countries, international organisations etc.) are to be specified by the Secretary to the Department (the Secretary) in writing (proposed s. 336F).
According to the Bill, personal information of non-citizens, including biometric identifiers such as fingerprints and iris scans, may be disclosed to foreign governments and entities for a very broad range of purposes (set out in proposed s. 5A(3)). For example, after the Secretary authorises officers to disclose information to a specified foreign entity, a situation may arise where personal information of an individual is disclosed to a foreign entity in relation to which an individual had unsuccessfully applied for a protection visa (proposed s. 336F(5)). The disclosure of personal information in such a case may harm the interests of the unsuccessful applicant for a protection visa, or that individual’s family. The disclosure of strongly identifying biometric information may increase the risk of harm to that individual’s, and his or her family’s, interests.
At the very least, consistent with our Framework, this Office recommends that the scope of foreign entities to which officers may disclose personal information be authorised by regulation, setting out more detailed parameters for authorised disclosures, in particular to allow for Parliamentary oversight.
This Office also suggests that the Bill include a mechanism to impose restrictions on the (foreign entity) recipient’s use and disclosure of identifying information disclosed under these provisions, for example by ensuring that recipients only use the information for purposes set out in proposed subsection 5A(3), and that recipients do not disclose the information.
Further, in our earlier comments to DIMIA, this Office recommended that the Explanatory Memorandum to the Bill refer to the intention to develop Memoranda of Understanding (MOUs) with the foreign countries to which officers may disclose personal information; however, there is no such reference in the Explanatory Memorandum. The Office remains of the view that disclosures to foreign countries should occur under a framework such as an MOU, which should specify the permitted uses and disclosures of the disclosed information (see above), as well as set out the operational context in which these transfers will occur.
More generally, however, there is scope for more careful regulation of the situations in which personal information may be disclosed to foreign countries and entities. For example, it may be appropriate to require each case of disclosure to meet a set of criteria to ensure that the disclosure is reasonably necessary to meet an appropriate objective, and does not unduly harm the interests of the individual concerned. It may also be appropriate to ensure that there is some scope to appeal, on merit, decisions to disclose information to foreign countries and entities, as it appears that this is not currently provided for in existing legislation.
Indefinite Retention
The Bill sets out destruction and retention requirements for information collected. This Office welcomes the recognition, albeit qualified by reference to the Archives Act 1983 (Archives Act), in proposed s. 336K, of the general principle that it is appropriate to destroy personal information once it is no longer needed for the purposes for which it was collected.
However, the Bill provides for the indefinite retention of identifying information in a number of cases, including in the case of individuals who have been in immigration detention, and in the case of individuals whom the Minister is satisfied are a threat to the security of Australia (proposed s. 336L).
It is our understanding that the current arrangements for fingerprinting non-citizens include the guidance that fingerprint records should be destroyed after the detainee is removed or granted a visa.
Hence, the Bill would appear to significantly change the current situation in relation to fingerprints, and apply the new, lesser standard governing data retention to all other personal identifiers specified in the Bill, or that may be later specified in regulations.
The Office would also welcome clarification that information retained under the authorisation of the Archives Act (proposed s. 336K(1)(c)) is only available for use or disclosure in exceptional circumstances, and consistent with the purpose of collection.
The need for maintaining strongly identifying personal information for indefinite periods in the broad range of situations provided for in proposed sections 336K and 336L also deserves consideration. Where information of this sort is to be held indefinitely, a clear and specific need should be established first. Among other issues, indefinite retention increases the possibility that the information may be used for purposes unrelated to the purpose of collection, perhaps years after that collection.
It may also be helpful to clarify that the destruction provisions of the Bill at proposed s. 336K(4) require the destruction of any thing that may be reidentified at a later time. For example, the sample or measurement taken in the process of collecting a fingerprint, iris scan etc., may be readily reidentified when matched with another, identified, fingerprint or iris scan.
Hearings of the Committee
I understand that the Committee has scheduled public hearings on this matter for the evening of Monday 8 September 2003. This Office is hosting over 350 International and Australian delegates to the 25th International Conference of Data Protection and Privacy Commissioners during that week. I have speaking engagements during Monday, extending into the evening in connection with this event. Regrettably, then, it would not be possible for me or my staff to appear before the Committee at that time.
Yours sincerely
Malcolm Crompton
Federal Privacy Commissioner
2 September 2003
Office of the Federal Privacy Commissioner
Framework for assessing and implementing new law enforcement and national security powers
The Office of the Federal Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework was first outlined in a paper for the Australian Institute of Criminology’s conference in June 2001[3] and again in a submission to the Senate Legal and Constitutional Committee in April 2002 on proposed anti-terrorism legislation[4].
The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.
First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.
Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.
Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.
Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.
In summary:
Analysis – is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?
Authority – Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?
Accountability – What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?
Appraisal – Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?
OFPC 14 July 2003.
[1] ‘Preserving Privacy in a rapidly changing environment’ Paper presented to the Fourth National Outlook Symposium on Crime in Australia, New Crimes or New Responses convened by the Australian Institute of Criminology held in Canberra 21 June 2001
[2] Submission from the Federal Privacy Commissioner to the Senate Legal and Constitutional Legislation Committee Inquiry into Terrorism Bills April 2002
[3] ‘Preserving Privacy in a rapidly changing environment’ Paper presented to the Fourth National Outlook Symposium on Crime in Australia, New Crimes or New Responses convened by the Australian Institute of Criminology held in Canberra 21 June 2001