Australian Government Draft Smartcard Framework; Submission to the Australian Government Information Management Office (AGIMO) (March 2006)



Submission by the Office of the Privacy Commissioner March 2006

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers federal and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information, credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way Australian government agencies and organisations collect, use, store and disclose individuals’ personal information.

Background

The Office welcomes the opportunity to comment on the draft Australian Government Smartcard Framework (the Framework) which was prepared by the Australian Government Information Management Office (AGIMO) as one of a number of frameworks and strategies to support interoperable whole-of-government business applications[1]. The Office understands that through the Framework, AGIMO is seeking to facilitate clear thinking about new technologies, help agencies understand the business case for smartcards, and promote standardisation and uniformity for the shared good of all government deployments. The Framework is intended for use by Australian Government agencies and third-party service providers delivering services on behalf of a government agency. The document is intended to be dynamic and AGIMO anticipates that further extension to the Framework will be developed in due course.

Smartcards and Privacy

The Office commends the recognition in the Framework of the importance of privacy to the successful implementation of smartcard technology. Where smartcards are involved in the handling of personal information, the possible privacy impacts will need to be carefully considered from the earliest stages of development through to deployment.

The Framework notes at section 5.1 that a crucial component in maintaining consumer trust is

“privacy protection – the provision of assurances by means of law, technology design and industry practice that personal information will be collected, exchanged and used fairly”

However, the concept of fairness here may be open to a range of interpretations. Privacy protection can usefully be understood in terms of the two key privacy concepts of choice and control. For example, the Framework could reflect this by recognising that personal information should be collected, exchanged and used in a manner that recognises individuals’ choices about how their personal information is handled, and provides them with control over that handling.

With the right measures, and where it is demonstrated to be the most effective solution to a particular issue, smartcard technology can be privacy enhancing, rather than privacy invasive. Implementing measures which ensure individual choice and control over the information on the smartcard, and its use, may determine whether a particular smartcard proposal is privacy enhancing.

In regard to projects that may have significant impact on the privacy of Australians, the OPC has previously suggested that a balanced and coherent framework for protecting privacy requires consideration of:

  • fundamental system design, including such matters as carefully considering what information will be collected;
  • technical measures, including but not limited to data security initiatives;
  • legislative measures; and
  • mechanisms which promote confidence in the system by encouraging transparency and openness, including provision for audit and independent complaint handling.

While none of these items would individually afford the best privacy protection, when addressed collectively they can promote a privacy framework in which the community could have confidence.

The privacy considerations discussed at section 5.5.7 of the Framework document raise some useful points and reflect these items to some degree. The Framework may benefit from a further discussion of privacy obligations and risks raised by smartcards to assist agencies in thinking through the implications of a smartcard proposal. A number of those issues are highlighted in this submission.

Key Privacy Issues

Smartcards, and their use, can raise a number of privacy issues which relate to three distinct characteristics within the smartcard environment.

The first important consideration from a privacy perspective is the information the smartcard holds electronically. Some questions that need to be asked about this data are:

  • What information is stored on the smartcard chip?
  • Is this electronic information appropriately stored and effectively secured?
  • What are the processing implications raised by the design of the chip and the information it holds? In particular:
    • do applications on the chip make decisions that affect the individual, e.g. about what data may be released, when, or to whom, and
    • what is the transparency around such decisions?

Secondly, it is useful to consider the privacy issues associated with the physical personal information that appears on the face of (or the back of) the card, for example a photograph, name or address details. This type of information is significant because it may be used for other purposes, in particular as evidence of identity in a range of situations not contemplated by the smartcard issuer.

Finally, it is vital to recognise that smartcards do not exist in isolation. Privacy issues associated with the implementation of a smartcard system cannot be determined without a thorough examination of the infrastructure and supporting systems that make up the smartcard system as a whole. When assessing the privacy impacts of a particular smartcard deployment, consideration should be given to the “back office” systems that are either created for the card, or are enhanced by the existence of the card. In particular, any new or different flows of personal information that are created by the use of the card within these systems will need to be analysed.

Assessing privacy impacts

The Office welcomes the requirement in the Framework that a privacy impact assessment be undertaken when developing the business case for smartcards and at other crucial steps in the smartcard deployment[2].

A thorough Privacy Impact Assessment (PIA) can play an important role in ensuring compliance with privacy laws as well as taking into account broader privacy considerations. For example, a PIA can help to identify future risks of a smartcard proposal, such as function creep, or to expose unintended consequences which may impact on privacy.

It is important to note that the conduct of PIAs, coupled with adherence to the guiding principle of transparency, will help to engender community trust in a smartcard proposal if the issues raised during the PIA are responded to adequately through the proposal’s development.

Smartcards and individuals

Individual Control

Key privacy considerations that apply to databases held by agencies or organisations are also relevant to data stored on the smartcard. For example, the individual should generally have control of the electronic information stored on the card, which can include having access to, and the ability to correct, that information. This consideration may be reflected to some extent in the table on pp. 79-81; however, the suggestion that “Concessions profile” information should be “owned by the card issuer” is unclear. It is also important that the individual card holder can control, to the greatest extent practicable, which private sector organisations, government agencies or other bodies also have access to the information on or around the card.

Individual control over smartcard information can be delivered through a range of structures including legislation, technological design and industry procedures.

For example, key legislative protections such as prohibiting a smartcard being used for unauthorised or unintended purposes, and the imposition of penalties for the misuse of another person’s smartcard (as already exist in relation to Tax File Numbers and Australian Passports), may contribute to effectively promoting community trust and allaying privacy concerns.

Further, some of the most important protections can be delivered by technical design features including the segregation of data on the card, strong security and minimisation of the personal information appearing on the face of the card.

The Framework does not reflect the possibility that smartcards may not always carry personal information, nor identify a particular individual. The Office notes that the proposed model for smartcard content includes, as a core element, “cardholder verification”. The purpose of this component is explained as being “to hold data allowing the card to verify that it is being used by the person it was issued to”[3]. The description of this component also suggests that the card provide a means to identify the legitimate user to the card by means of a PIN, biometric template or other suitable combination of means[4]. One example of how this component might be applied is that a biometric identifier be used by the individual to unlock the data on the card[5]. The Office has previously noted that this latter type of biometric encryption can allow both strong security and individual control[6].

Similarly, section 5.5.3 of the Framework states that the common minimum technical requirements for interoperable government smartcards include that identity data should be in a standard electronically readable format and that identity data should be positively verified.

However, in keeping with the risk management approach of the Australian Government Authentication Framework for Individuals (AGAF(I)), it may not always be necessary for identity data on a smartcard to be verified, nor for it to be in a standard format. Some smartcards may be issued in situations where no identity data is required on the card, or where any identity data on the card is not critical to the card’s purpose, or to its interoperability. It is important for agencies to recognise that not all smartcards need to have the capacity to identify the user, or to be used as evidence of identity.

The Office recommends that the Framework be amended to ensure consistency with the AGAF(I), including the recognition that smartcards should only be designed to be identity credentials where there is a clear business case and where the privacy issues related to issuing a verified identity credential have been carefully assessed.

Control can also be delivered through encouraging transparency and openness, including provisions for independent audit and complaint handling, particularly in the event of anything going wrong. If an individual has access to the data on the card, and can easily update it, this can help to ensure that individuals are not disadvantaged by the circulation of inaccurate or out of date information about them. Similarly, if an individual suspects the data on their card has been accessed or used in an inappropriate way they should be able to avail themselves of an effective and enforceable complaint mechanism. The Privacy Act, and the Office of the Privacy Commissioner will provide these mechanisms to the extent that a smartcard implementation is within the jurisdiction of the Privacy Act. However, there may be cases where stronger privacy protections are appropriate, or where the Privacy Act does not fully regulate the smartcard system as a whole. This is discussed further, below, under “Jurisdictional issues”.

Individual choice

Privacy is often enhanced where individuals are able to choose whether, and how, their personal information is handled. The Office recommends that the Framework endorse the principle of maximising the choice individuals have about whether to use a smartcard, and the extent to which they use it.

In exercising choice, individuals need to be fully informed about the implications of the smartcard and its surrounding infrastructure for the handling of their personal information. In relation to electronic information on the card, it is important that individuals understand that the key feature that distinguishes smartcards from more familiar plastic cards is that they contain a microprocessor and memory. As a consequence, personal information can be stored and processed on the card itself.

The concept of choice may increase in importance in the case of multi-application cards. For example, individuals may accept the use of a card for engagement with some government agencies but may be more circumspect about providing the same level of access to private sector organisations, or vice versa.

For individuals to exercise choice over their personal information in relation to a particular smartcard proposal, they need to fully understand:

  • what personal information can be kept on the face of the card, in the chip and within the infrastructure connected to the card (e.g. databases);
  • who can read that personal information and in what circumstances; and
  • the alternatives to using the smartcard.

Application of the Privacy Act to Smartcards

Jurisdictional issues

Adherence to the Privacy Act is a legal requirement for Australian Government and ACT Government agencies. There are a number of references to the Privacy Act, and to privacy legislation more generally, that require attention in the Framework.

The Office understands that the sentence on p. 60 of the Framework document which reads “Australia does not have a formal legislative data protection regime” refers to the fact that there does not exist at this time any data protection legislation that is specific to smartcards. Nonetheless, this sentence may be misleading and the Office recommends it be redrafted.

In this context, the Office would emphasise that the Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way Australian government agencies and some private sector organisations collect, use, store and disclose individuals’ personal information. The handling of personal information in relation to the use and deployment of smartcards by Australian and ACT Government agencies would be regulated by the Privacy Act in most circumstances. In addition, the Privacy Act would regulate the handling of personal information associated with smartcards by private sector organisations in many circumstances. The public sectors in the NT, NSW, Victoria and Tasmania are also regulated by privacy laws. The Office recommends that the Framework be amended to accurately reflect the current legislative situation.

In particular, the eleven Information Privacy Principles (the IPPs) in the Privacy Act regulate the handling of personal information by Australian government agencies, and the ten National Privacy Principles (the NPPs) regulate the handling of personal information by organisations, including all businesses with an annual turnover of more than $3 million, the private health sector and small businesses that trade in personal information. Under section 95B of the Privacy Act, Commonwealth contractors are generally required to comply with the IPPs in relation to the provision of services under the contract.

However, in considering whether existing privacy regulation is adequate for a particular smartcard deployment, it is important to recognise that while the NPPs generally apply to the private sector, there are exceptions, potentially the most significant in this context being the exemption (under s 7B(5) of the Privacy Act) of the acts and practices of State contractors as they relate to such contracts. Instead, state contractors may be required to comply with state privacy laws, where they exist.

Privacy Act obligations on Australian Government agencies

Under section 5.5.7 of the Framework it is noted that it is "prudent for all smartcard implementers to familiarise themselves with the IPPs"[7]. In fact, most Australian Government agencies implementing a smartcard will have legal obligations under the IPPs. Compliance with the IPPs, in the case of the government agencies and contractors at which this Framework is aimed, will inform a number of considerations for those embarking on smartcard deployment. For example, IPP 1(b) limits the collection of personal information by agencies to situations where the collection of the information is necessary for, or directly related to, a lawful purpose directly related to a function or activity of the agency.

By way of further illustration, under IPP 4, record-keepers in possession or control of a record that contains personal information are required to ensure that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse. Agencies will need to carefully consider how the IPPs apply to all the personal information on and associated with a smartcard deployment, including the electronic and physical information on the smartcard itself, as well as the flows of personal information in and around the smartcard infrastructure.

The Office notes the expectation in the Framework that agencies take into consideration the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security[8]. Reference to and consideration of international guidelines such as these may indeed be useful for agencies developing a smartcard proposal. In the context of Australian and ACT Government agencies and contractors to Australian Government agencies, it is important to note that the legislative requirements in relation to data protection found in the IPPs would take precedence over any external guidelines should any inconsistency with these types of documents arise. The Framework does include a note about the precedence of the Privacy Act on p. 74, but this refers to the NPPs.

Relevantly, it should be noted at this point that there are eleven IPPs, rather than ten as is noted in the Framework[9]. It would also be remiss of this Office not to correct the footnote reference to the IPPs which appears to be a URL address to this Office’s website which links to the NPPs. The IPPs can be found at: http://www.privacy.gov.au/publications/ipps.html.

Addressing jurisdictional issues

Careful consideration needs to be given to the structure and comprehensiveness of the privacy regulatory regime that will apply to any smartcard proposal involving personal information. This should include consideration of the broader oversight, monitoring and accountability framework that will exist in relation to matters such as investigations, complaints-handling and independent audit, especially where there is a cross-jurisdictional or cross-border element.

Strong privacy regulation that complements the Privacy Act may be required for some smartcard proposals, including legislative provisions covering the handling of personal information in circumstances where the Privacy Act does not apply. This could enable a comprehensive, cross-jurisdictional privacy regulatory regime covering all acts and practices of private sector organisations in relation to particular smartcard deployments.

Annex C: Outline Agreement – Data Protection

The Office appreciates the intention of the proposed Outline Agreement on Data Protection (the Outline Agreement) annexed to the Framework. The Outline Agreement provides a list of useful considerations for agencies to address when entering into contractual agreements with smartcard service providers. These types of considerations may help to assist agencies in meeting their obligations under section 95B of the Privacy Act. This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an IPP[10]. The Office would reiterate the caution by AGIMO that both the application issuer and owner will have specific responsibilities to ensure that obligations relating to data protection are met.

In regard to part (a) of the Outline Agreement, the Office notes the potential usefulness of the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security but would emphasise that there is currently no legislative requirement that government agencies and their contractors comply with these guidelines. Requiring compliance with guidelines within a pro forma contract clause may result in confusion should an inconsistency with Australian data protection legislative requirements arise.

The Office also notes the reference to charging a fee for access. The Freedom of Information Act 1982 may specify parameters around this practice that should be reflected in the Framework.

Whilst the Office welcomes the intention of the Outline Agreement to assist agencies in drafting contractual clauses which help to meet privacy law obligations, in the interests of avoiding confusion it may be useful if this document were reframed as a non-exhaustive list of considerations for agencies developing contractual agreements, rather than as pro forma contractual clauses.

Conclusion

The Office is encouraged by the discussion of privacy issues in this initial draft of the Framework document. The Framework will benefit from building on this privacy analysis so that a clear picture of the current privacy regulatory regime and its impact on smartcard proposals is developed. The Office supports a Framework which provides for individual choice and control over the use of smartcards and incorporates mechanisms which may deliver transparency and openness, such as the conduct of comprehensive PIAs at appropriate stages of smartcard proposals. Importantly, the Framework should guide agencies to consider the three key areas where potential privacy issues may arise: the electronic information stored in the card, the personal information displayed on the face of the card and the infrastructure and supporting systems behind the card.

Key Recommendations

  • The Office recommends that the Framework guides agencies to consider the three key areas where potential privacy issues may arise:
    • the electronic personal information stored in the card
    • the personal information displayed on the face of the card, and
    • the personal information handled in the infrastructure and supporting systems behind the card.
  • The Office recommends that the Framework include a further discussion of privacy obligations and risks that arise in the context of smartcards, including reference to individual control over their personal information.
  • The Office recommends that the Framework endorse the principle of maximising the choice individuals have about whether to use a smartcard, and the extent to which they use it.
  • The Office recommends that the Framework be amended to ensure consistency with the AGAF(I), including the recognition that smartcards should only be designed to be identity credentials where there is a clear business case and where the privacy issues related to issuing a verified identity credential have been carefully assessed.
  • The Office recommends amendments to privacy sections of the Framework document to ensure accurate reflection of the current legislative regime as it may apply to smartcards. In particular:
    • The Office would emphasise that the Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way Australian government agencies and organisations collect, use, store and disclose individuals’ personal information.
    • The eleven IPPs apply to Australian and ACT Government agencies and the ten NPPs apply to many private sector organisations.
    • There are some exceptions to these principles, specifically for state and commonwealth contractors which the Framework may need to note.
    • The Office recommends that the Framework require careful consideration to be given to the structure and comprehensiveness of the privacy regulatory regime that will apply to any smartcard proposal.
  • Whilst the Office welcomes the intention of the Outline Agreement at Annex C to assist agencies in drafting contractual clauses which help to meet privacy law obligations, in the interests of avoiding confusion it may be useful if this document were reframed as a non-exhaustive list of considerations for agencies developing contractual agreements, rather than as pro forma contractual clauses.

[1] p.8, Australian Government Draft Smartcard Framework, AGIMO

[2] p.71.

[3] p.80.

[4] As above.

[5] “Biometrics as a Privacy-Enhancing Technology: Friend or Foe of Privacy?” by Dr. George Tomko at the Privacy Laws & Business 9th Privacy Commissioners’ / Data Protection Authorities Workshop, 15 September 1998, available online at: www.dss.state.ct.us/digital/tomko.htm.

[6] Proof of ID required? Getting ID Management Right, Office of the Privacy Commissioner

[7] p.70.

[8] p.60.

[9] p.70.