12 January 2007
Exposure Draft of Bill on the Access Card
Below is a copy of EFA's submission to the Department of Human Services re the Exposure Draft of Bill on the Access Card.
- Executive Summary
- Title of the Act
- Policy Statements
- Powers to demand/require and store information
- Purported Card Ownership
- Civil Remedies Necessary
- Delegations and Authorisations
- About EFA
- The Act should have a title that makes it readily apparent to the general public what the Act is about.
- Government policy in relation to the administration of the Act should be determined and made apparent in the drafting of the Act, not determined from time to time by the Minister or anyone else. This provision appears intended to facilitate function creep and/or changes without Parliamentary or public scrutiny. At the least any such policy statement should be a disallowable instrument.
- The definition of "document", in conjunction with the broad powers to be granted to the Secretary, appears to give the Secretary the power to demand finger prints, iris scans, etc for inclusion on or in the card and in the national ID database (Register). The definition requires amendment to preclude such a possibility.
- The definition and information provided in the explanatory material concerning the new term "legal name" is inadequate and unclear. Moreover, EFA objects to a new concept of a "legal name" whether determined by the government or otherwise, being introduced into Australian law.
- If the legislation is to grant the Secretary the power to determine that use of a name is unlawful (as contained in the draft), the public should be informed up front by the government as to the circumstances in which the Secretary could refuse to register a person for an Access Card (and hence prevent them obtaining Medicare refunds etc) on the grounds of unlawful use of a name. EFA is unaware of any provisions in Australian law that make it "unlawful" for an individual to use as a matter of general practice any name they wish.
- The extensive list of information about individuals that must be included in the Register, which goes beyond the government's previous statements on this matter, demonstrates that the Register is unquestionably intended to be a national ID database for the purpose of facilitating surveillance and monitoring of, and data matching in relation to, all citizens and other Australian residents.
- The legislation should not grant the Secretary and the Minister the power, as contained in the draft, to require and include other unspecified information in the Register and on the chip. Such powers render lists in s75 and s160 and the implied promises of s90 and s170 nugatory because the legislation places no limit on what information can be placed on the Register, and on the card chip, without the individual's consent.
- Sections 175 and 185 show the ridiculousness of the government's claim that a card holder "owns" the card. At most card holders will "own" a piece of plastic, excluding everything on and in it. Nevertheless, EFA questions how the Government can claim to own, for example, a person's name printed on or in the card. Whether or not the government considers it has constitutional power to "own" a citizen's name, EFA doubts the vast majority of the population will regard the government as the owner of information consisting of their name (and date of birth, address etc) irrespective of claims made in legislation.
- A number of the offence provisions suffer from deficiencies and inadequacies resulting in loopholes.
- EFA is strongly opposed to the criminal offence of changing 'information in the Commonwealth's area of the chip in your access card' on the grounds that (a) it demonstrates DHS has no confidence in the security of the chip architecture, (b) it is poorly drafted enabling criminal conviction of a person for conduct that the person did not intend, or know, would result in changes to information in the Commonwealth's area of the chip, and (c) it will deter legitimate investigation into whether or not the personal information on the chip is secure.
- In our view s210(2) is a token offence - it is most unlikely to ever result in prosecution and conviction. While the explanatory material purports that this offence will provide protection for 'vulnerable' people, it seems unlikely that the prosecution, or the vulnerable person, could prove what the particular person ("you") understood to be meant to the standard of "beyond a reasonable doubt" as required in criminal law.
- The factual basis of the offence of failing to give an access card to the Secretary immediately on demand appears to be created by no more than the Secretary's suspicion of particular conduct by the card holder or another person. EFA considers this to be a completely inappropriate basis for a criminal offence.
- The use of the phrase "without reasonable excuse" in offence provisions shows that DHS knows that the width of the offence is too broad and believes that the potential for innocuous conduct to be caught by the offence is very great. Such offences should be re-drafted to significantly reduce the potential for innocuous conduct to be caught.
- Subsection 300(1)(e) prohibiting use of the card name, or a similar name, in a URL should be deleted. This provision would make criminals of individuals, organisations and businesses engaged in innocuous activity.
- EFA has doubts as to the probability of enforcement of a number of the criminal offences, due to the nature of criminal law and the Prosecution Policy of the Commonwealth (which we do not criticise) and hence whether these criminal offences will afford adequate protection to individuals.
- Where individuals suffer detriment, disadvantage, inconvenience, costs, etc, arising from breach of the Act by another person, a combination of a decision not to prosecute and no civil remedy available will not be satisfactory. EFA submits that civil remedies should be provided to enable the Federal Court of Australia or a court of a State or Territory, on the application of an aggrieved person, to grant the aggrieved person remedial relief.
This submission has been prepared during the one month consultation period, which included the Christmas/New Year/January holiday period. EFA's human resources were limited during this period and therefore this submission may not necessarily address all issues that may be of concern to EFA. EFA may identify additional matters of concern at a later date.
EFA considers the title indicated by the draft Bill, i.e. "Human Services (Enhanced Service Delivery) Act 2007", to be bureaucratic newspeak. We are of the view that the Act should have a name that makes it readily apparent to the general public what the Act is about. We submit that it should be named the "Human Services (Health and Social Services Access Card) Act" and if that is not to be the name of the card, the title should contain the name decided on. The name of the card should be decided before legislation is enacted for the reasons put forward later herein.
This definition should be amended to specify the type of microchip intended to be placed in the Access Card, or at the least limited to a contact chip/device. The proposed definition would permit the use of a contactless chip, which carries significantly greater security/privacy risks, without Parliamentary or public scrutiny and/or the use of any other 'device' with less effective security mechanisms than the type of chip which the government has stated will be used.
(a) any paper or other material on which there is writing; or
(b) any paper or other material on which there are marks, figures, symbols or perforations that are:
(i) capable of being given a meaning by persons qualified to interpret them; or
(ii) capable of being responded to by a computer, a machine or an electronic device; or
(c) any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device.
This definition, in conjunction with the broad powers to be granted to the Secretary, would enable the Secretary to demand finger prints, iris scans, etc for inclusion on or in the card and in the national ID database (Register).
The definition should be amended to exclude paper or "other material" on which there is any biometric information/data other than facial data. If the government plans to require the provision of finger prints or iris scans etc either in the short or long term future, such plans should be required to be the subject of public and Parliamentary scrutiny.
(a) the name on the individual's birth certificate; or
(b) the name on a certificate of citizenship granted to the individual under the Australian Citizenship Act 1948; or
(c) the name on a certificate, entry or record of the individual's marriage, being a certificate granted or entry or record made by the Registrar of births, deaths and marriages (however described) of a State or Territory; or
(d) the name included, by way of effecting a name change of the individual, on a register kept under a law of a State or Territory by the Registrar of births, deaths and marriages (however described) of the State or Territory.
The definition and information provided in the explanatory material concerning the new term "legal name" is inadequate and unclear. Among other things, who will determine which of the names on the documents listed is an individual's "legal name"? This definition appears intended to give the government/DHS the power to decide what a person's name is instead of the person. Further, will the "legal name" be able to be changed at a future time when, for example, a person marries, or a person reverts to a previous name after divorce or death of the spouse, or changes their name by Deed?
The list of documents appears to have been extracted from the Passports Act (which does not use the term "legal name") and used without due regard for the different context. Persons applying for an Australian passport are limited to Australian citizens and are therefore generally likely to have one or more of the Australian-issued documents in (b)-(d) if they do not use the name on their birth certificate. However, persons from overseas who are entitled to Medicare refunds (including temporary residents from countries with reciprocal arrangements), and those who are entitled to government provided benefits, are not limited to Australian citizens and are significantly less likely to have a document in (b)-(d).
Individuals from overseas may be using a name that is on a marriage certificate, or deed of name change, issued in another country. These individuals will apparently be forced to have as their "legal name" the name that is on their birth certificate. For example, a woman who married overseas will not be able to have her married name as her "legal name" unless she pays to have her name changed by deed poll in an Australian State/Territory. This would result in no more surety as to "who the person is" than if DHS allowed the person to have, as their legal name, the name on an overseas marriage certificate, or on a passport issued by another country, etc.
EFA submits that the list of documents allowed to be used to prove name must be extended to include other documents such as other countries' passports and marriage certificates.
EFA objects to a new concept of a "legal name" whether determined by the government or otherwise, being introduced into Australian law. Individuals should continue to be able to use, as a matter of general practice, the name they wish and DHS agencies should be required to respect an individual's preference, not force them to have a so-called "legal name" recorded in the national ID database (Register).
Further, EFA submits that no legislation concerning names or registration requirements and process should be introduced into Parliament until the Task Force has completed its public consultation on these matters and submitted its recommendations to government. The consultation period for the draft Bill, of one month including Christmas/New Year/January holiday period, is not sufficient to enable adequate consideration of these matters.
In the above, "encryption" should be replaced by "encryption software", since encryption is not software.
Although the term "Commonwealth's area" is referred to in numerous places in the draft Bill, the term is not defined. As this term is referred to in criminal offences we consider it important that it be defined and as clearly as possible. Criminal courts should not be left to attempt to determine what was intended by the government/Parliament. For example, is the "Commonwealth area" limited to the area containing information listed in s160, or is it intended to also include system software etc on the chip?
The user's/card holder's area may also require definition. However, we are not able to determine whether it will be important to define same in the absence of the proposed second and third tranche of this legislation.
(1) The Minister may, in consultation with the *DVA Minister, prepare a written statement of the policy of the Australian Government in relation to the administration of this Act. ...
Government policy in relation to the administration of the Act should be determined and made apparent in the drafting of the Act, not determined from time to time by the Minister or anyone else. This provision appears intended to facilitate function creep and/or changes without Parliamentary or public scrutiny. At the least any such policy statement should be a disallowable instrument.
(2) For the purposes of paragraph (1)(a), a written application must:
(a) be in the form approved by the Secretary; and
(b) be accompanied by such other specified information or specified *document that the Secretary:
(i) determines is needed for the Secretary to be satisfied of your identity; or
(ii) determines is needed to obtain information that is required to be included on the *Register.
The types of information and documents required for registration should be specified in the legislation, not left to the Secretary to determine, and identity guidelines proposed to be determined by the Minister should also be specified in the legislation.
These provisions should be deleted from the currently proposed Bill and await completion of the Task Force's consultation on registration related matters and subsequent government decisions following the Task Force recommendations. The provisions should then be re-drafted in a manner that restricts the Secretary's powers to demand information to information specified in the legislation.
Further, as mentioned earlier herein, these provisions together with the definition of "document" would enable the Secretary and/or Minister to determine that fingerprint, iris scan, etc, information is required. This should not be permitted.
The remarks above also apply to s105(2) concerning "Applying for an access card" which contains similar provisions/powers to s55(2).
(1) Once you are registered, the Secretary must include on the *Register the information set out in the following table. ...
(1) The Secretary must include in the Commonwealth's area of the *chip in your access card the *information set out in the following table. ...
We observe that information that must be included in the Register goes beyond the government's previous publicity about the contents of the Register. This includes:
- any name that is known to the Secretary, including when the individual has not provided that name and does not know that the Secretary knows it. This demonstrates that the Register is unquestionably intended to be a national ID database for the purpose of facilitating surveillance and monitoring of, and data matching in relation to, all citizens.
- whether or not a person is an Australian resident. This further confirms the national ID database intention.
- "postal address" (in addition to residential address) and place of birth. This also further confirms the national ID database intention.
None of the above information should be permitted to be stored in the Register, unless the individual explicitly and voluntarily requests that it be so stored.
The plan to store names in the Register that an individual has not provided is totally unacceptable and must be deleted. Apart from the privacy invasiveness of such a plan, it presents significant potential for incorrect and/or out of date information about an individual to be stored.
The information in the draft Bill and explanatory material concerning the circumstances in which so-called "legal name" and/or preferred name will be included on the Register and/or on the chip in the card is confusing and hence unclear. The documents appear to state that the Register will only contain the "legal name" unless either the person is exempted under s310 from providing their legal name or the person requests their preferred name also be included. However, the card chip is required to contain both the legal name ("protected by the personal identification number") and also the preferred name. This appears to result in a situation whereby the name on the chip visible without PIN entry will not match the name on the Register (when an individual did not want/request their preferred name to be included on the Register). EFA questions what systems/procedures will be in place to ensure individuals are not accused of using a fake card etc when, for example, the card reader in the relevant office is defective/inoperative and the (preferred) name on the face of the card does not match the (legal) name in the Register, and/or when the person has forgotten their PIN and the name on the chip does not match the name in the Register.
Further, these provisions appear to make a mockery of the claims that a person will be able to use their preferred name for dealings with government agencies because they will apparently not be able to do so without agency staff knowing their "legal name" from the Register, and any other name that the Secretary knew although the individual did not provide it.
There is no justification for storing more than one name in relation to an individual unless an individual so requests (other than for the purposes of a national identity database and related citizen monitoring and tracking systems). The Access Card is said by government to be the means by which a DHS government agency can know that the card holder is entitled to a benefit. Once the Access Card is issued and is thereafter required to be used to prove to a DHS agency who the person is, it is irrelevant how many names the person may have or have had. Further, the government has stated that the reason/justification for requiring photograph and use of facial recognition technology is to prevent a person from registering twice, hence how many names they have or have used in the past is irrelevant.
We also observe that the government appears to have a different interpretation of the term "consumer choice" than would the majority of the population. The explanatory material states that the Secretary must place a person's preferred name on the Register if the person is exempted under s310 from providing a legal name and claims the reason for this is "consumer choice". However, there is no element of "choice" by the relevant individual. The "choice" lies with the Minister and Secretary in deciding whether or not to exempt an individual under s310. If there is to be consumer choice in relation to name, the choice should be which name the person wants stored in the Register and on the card chip, and no other names should be stored.
We observe the card chip is to contain only the residential address but the Register "must" also contain the postal address. We see no legitimate reason why the Register must contain a person's postal address unless the person so requests. Further, we question whether the system will be capable of ensuring a postal address is not downloaded to the card chip when an individual does not want that information on the chip.
Information about benefit cards
Information to be included in the Register includes information "about" a person's benefit cards (e.g. PBS Concession Card, Pensioner Concession Card, etc). Firstly, this aspect is incomprehensible in the context of government claims that the Access Card would replace 17 cards which include the cards defined as "benefit cards" in the draft Bill. Will the Access Card replace such cards or not? Secondly, inclusion of information about such cards shows that government claims that information pertaining to agencies will be kept separate from the Register are not true because the legislation explicitly enables such information to be included in the database. Medicare card numbers and benefit card numbers should not be permitted to be stored in the Register database at any time, nor should any information "about" these cards.
Other Unspecified Information
The legislation should not grant the Secretary and the Minister the power, as contained in the draft, to require and include other unspecified information in the Register and on the chip. Such powers render lists in s75 and s160 and the implied promises of s90 and s170 nugatory because the legislation places no limit on what information can be placed on the Register, and on the card chip, without the individual's consent. Such powers result in the situation whereby citizens will not know what information about them is or may be included in the Register at any point in time (without regularly requesting such information under the relevant IPP).
If the government wishes the public to trust the government in relation to the Access Card system, it ought not provide its Ministers and departmental staff, nor any future government's, with such broad all-encompassing powers enabling major change to the system at a future time. At the least such determinations should be legislative instruments disallowable by Parliament (and we observe the draft Bill explicitly states that such determinations are not legislative instruments).
Storage of scanned copies of birth certificates etc
The intention to scan copies of birth certificates etc and store same in the Register database poses an unacceptable security risk. This intention together with the extensive list of information about individuals that will be included in the database puts beyond any doubt that the "Register" will be a national ID database and an extremely attractive honeypot for identity thieves because it will contain all information necessary to steal a person's identity and information, as well as information such as mother's maiden name commonly used by some banks and other businesses for the purpose of ascertaining identity during telephone calls.
DHS plans in relation to information to be stored in the Register appear to be proceeding without any regard whatsoever for the national Document Verification System (DVS) in final trial stages by the Attorney-General's Department. Scanning and storage of birth certificates etc, and storage of information such as place of birth, in the DHS Register database should not be necessary, nor permitted, when such documents can be verified via the DVS, which ought to be in operation before registration for an Access Card commences.
(a) if there is a personal identification number for your access card-that number encrypted;
(b) if there is other information (for example, a password) for authenticating the personal identification number-that information;
Firstly, EFA finds the above incomprehensible. What is the purpose of a PIN if a password is to be necessary to authenticate the PIN? We have not previously heard of smart card access control systems involving a password for authenticating a card PIN and question whether new unproven technology is to be used. Will card holders have to remember both a PIN and a password? If there is a password as well as a PIN stored on the chip, will it be one-way hashed? Does the term "encrypted" in (a) above mean two-way encryption or is what will be stored a one-way hash value? We would expect it to be the latter.
Secondly, while the draft Bill refers to a PIN in the Commonwealth area of the chip, it makes no reference to a PIN in the card holder's area. Therefore apparently information stored in the card holder's area of the chip will be viewable by government agency staff and other people when a card is placed in a card reader. Such a design is completely insecure and unacceptable.
Further, while we observe that the procurement document issued on 8 January 2007 states that "Card holders can choose to protect information in either area using a PIN", the apparent plan to have only one PIN appears to result in information in the card holder's area of the chip being viewable by other people when the PIN is entered for the purpose of providing access to the Commonwealth area. Such a design would be completely unacceptable.
Significantly more information needs to be made publicly available about the architecture of the chip and related card readers etc. To date information released, together with the draft Bill, suggests the design of the chip will not provide adequate security and privacy of information on the chip.
We observe that s75(1)(14) implies that the information about dead people will be kept on the Register for ever. Surely cards 'owned' by persons who have died should be cancelled and information about them deleted within a reasonable period. This is another aspect that indicates the Register and the card have more to do with national identity documents and schemes than access to government benefits.
(1) Despite subsection 75(1), the Secretary must not include particular information about you on the *Register under that subsection if:
(a) the Secretary considers it would be inappropriate to do so because of your inclusion in the National Witness Protection Program; or
(b) to do so would be inconsistent with an Act.
(2) Despite subsection 75(1), the Secretary must not include your preferred name or other name on the *Register if the Secretary is satisfied that use of that name is unlawful.
(3) Despite subsection 75(1), the Secretary may refuse to include your preferred name or other name on the *Register if the Secretary is satisfied that the name is offensive or misleading.
With regard to s80(1), in view of the vast amount of information to be included in the Register and resultant security risks, special provisions should not be limited to witnesses. Various other types of people will also be subject to an exceptionally high level of risk, including but not limited to, battered spouses, victims of stalkers, law enforcement officers under deep cover, etc.
With regard to s80(2), EFA is unaware of any provisions in Australian law that make it "unlawful" for an individual to use as a matter of general practice any name they wish. We presume this provision is related to the government's apparent intention to commence determining what is a person's "legal name" (as referred to earlier herein). The concept of "legal name" should not be incorporated in the proposed Act, nor should powers be granted to the Secretary to determine (be "satisfied") that use of a name is unlawful in the absence of any information being made available by the government as to the circumstances in which it believes use of a particular name would be "unlawful" in Australian law. If the Secretary is to have this power, the public should be informed up front by the government as to the circumstances in which the Secretary could refuse to register a person for an Access Card (and hence prevent them obtaining Medicare refunds etc) on the grounds of unlawful use of a name. The foregoing remarks also apply to s145 concerning the preferred name a person wishes to have printed on a card.
With regard to s80(3), a definition of "offensive" in this context should be specified in the legislation.
If you hold an access card, the *Register may temporarily hold the following information for the purposes of transferring it to the Commonwealth's area of the *chip in your card:
(a) if you have a *medicare number-that number;
(b) if you have a *Reciprocal Health Care Card-the number of that card;
(c) if DVA has allocated you a DVA file number-that number;
(d) if you are a *veteran, you hold a *DVA White Card and you have a condition that has a code under the *International Classification of Diseases-that code.
The purpose of the above provisions is unclear other than as an attempt to imply to the general public that this information will not normally be held in the national ID database (Register). However, s75 makes clear that the Secretary is permitted to include the above information on the Register on a permanent, not temporary, basis.
Section 85 should be deleted because it is misleading.
The Secretary is taken to have issued you your access card when:
(a) the Secretary sends your access card to you by post, or such other method as the Secretary determines; or
(b) you collect your access card from a place determined by the Secretary.
Clause (b) above should place an obligation on the Secretary to ensure any such "place" is convenient to the relevant individual.
(1) The access card is to be known as the Health and Social Services Access Card, or such other name as the Minister determines in writing.
(4) An access card is to be in such form as the Minister determines in writing. ...
(5) A determination under subsection (1), (2) or (4) is not a legislative instrument.
The name and "form" of the access card should be established before legislation is enacted and specified in the legislation. Given use of the name in various circumstances is to be a criminal offence, the particular name should be readily findable in legislation (not merely made public in a newspaper advertisement as proposed in the draft Bill). Further, what is meant by the "form" of an access card is entirely unclear. Information on the meaning of the term "form" in this context should be made public and defined in the legislation.
145 Your name
Comments earlier herein on s80(2) concerning the Secretary's powers and "unlawful" names also apply to s145.
The provisions of s160 are discussed in conjunction with those of s75 earlier herein.
(1) You own your access card.
(2) You acquire ownership when your access card is issued to you (see section 115).
(3) However, subsection (1) does not:
(a) give you ownership of the *information (however compiled) in your area of the *chip in your access card that you would not otherwise have; and
(b) affect the copyright, design or other intellectual property rights of the Commonwealth or another person in relation to your access card.
Despite subsection 175(1), the Commonwealth owns the *information (however compiled) in the Commonwealth's area of the *chip in your access card.
The above provisions show the ridiculousness of the government's claim that a card holder "owns" the card. At most card holders will "own" a piece of plastic, excluding everything on and in it. Nevertheless, EFA questions how the Government can claim to own, for example, a person's name printed on or in the card. Whether or not the government considers it has constitutional power to "own" a citizen's name, EFA doubts the vast majority of the population will regard the government as the owner of information consisting of their name (and date of birth, address etc) irrespective of claims made in legislation.
You are not required to carry your access card at all times.
At which times, or under what circumstances, will individuals be required to carry their card? If the government actually intends none, then the above should be changed to "You are not required to carry your access card at any time.", otherwise it should state the times/circumstances when individuals will be required to carry the card.
(1) A person commits an offence if:
(a) the person intentionally requires you to produce your access card or someone else's access card; and
(b) the person does so for the purposes of identifying you or someone else; and
(c) if the person is an *authorised person-the requirement is not made for the purposes of this Act; and
(d) if the person is not an authorised person-the requirement is not made to establish that:
(i) you hold, or someone else holds, a *benefit card or a *Medicare Card; or
(ii) you have, or someone else has, a *medicare number.
The offence should also prohibit requiring provision of an access card number, not only production of the actual card.
Furthermore, (d) should be limited to circumstances where the requester has a legitimate need to know that information. We presume the exception is intended to apply, for example, to doctors and chemists who have a legitimate need to know whether a person has a Medicare card, but it is not limited to persons with a legitimate need to know. It apparently allows any person at all to require production of an access card for the purpose of finding out whether a person has another card or number referred to in (i) and (ii).
(a) the person makes a statement (whether orally, in writing or any other way) to you that you could reasonably understand to mean that you are required to produce your access card or someone else's access card; and
Section 210(2) suffers from the same defects and inadequacies as outlined in relation to Section 210(1) above.
Moreover, in our view s210(2) is a token offence - it is most unlikely to ever result in prosecution and conviction. While the explanatory material purports that this offence will provide protection for 'vulnerable' people, it seems extremely unlikely that the prosecution, or the vulnerable person, could prove what the particular person ("you") understood to be meant to the standard of "beyond a reasonable doubt" as required in criminal law. We also have some concerns about the appropriateness of requiring such vulnerable people to appear in a criminal court and be subjected to cross examination in relation to attempts to prove what they did or did not understand. Such a prospect is likely to further reduce the probability of prosecution. It may be more appropriate for such an offence to refer to what "a reasonable person" would reasonably understand.
Section 215 suffers from the same defects and inadequacies as outlined in relation to Section 210(1) and s210(2) above.
In addition, we consider offences should apply to requiring production of the card or provision of the card number for any purpose whatsoever other than the purposes of the Act. It should not be limited to "supply of goods and services" nor should it be limited to a specified list of matters. EFA is not persuaded that the list of matters in proposed s215 would cover all circumstances in which individuals could be required to provide the card for purposes such as proving an address or date of birth or any other information about themselves and we consider it impractical if not impossible to attempt to produce such a list that would be adequate for the long term. The offences should apply in relation to all purposes other than the purposes of the Act.
Further, the offences do not deal with situations where the card or card number is requested, but not required, but benefits or goods or services are denied when the card holder declines to provide the card in response to a request for it. If the government is serious about the card not becoming a de facto national ID card, offences need to be established to strongly discourage discrimination against individuals who decline to provide their card or card number in response to a request for it. This situation is not covered by the proposed criminal offences and given the standard of proof in criminal law it is unlikely that 'requirement' would be interpreted to include 'request' and doubtful that a request could be proven to be in fact a requirement.
You commit an offence if you change any *information in the Commonwealth's area of the *chip in your access card.
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
EFA is strongly opposed to the above proposed offence on the grounds that (a) it demonstrates DHS has no confidence in the security of the chip architecture, (b) it is poorly drafted enabling criminal conviction of people who did not intend to change information, and (c) it will deter legitimate investigation into whether or not the personal information on the chip is secure.
Such an offence should not be necessary because the system architecture should be designed so as to be trustworthy. It should ensure that information in the Commonwealth's area of the chip cannot be changed, either intentionally or accidentally, by unauthorised persons. The fact that such an offence has been deemed necessary raises major concerns about security (and reliability) of information on the chip. We observe that the Passports Act does not contain an offence pertaining to changing information on the chip in the passport. It appears that DFAT was confident about the trustworthiness and security of the architecture of their chip and related system but that DHS is not confident about the security of their chip and associated system architecture.
Moreover, if the chip and system architecture is not to be secure and trustworthy, there will exist the potential for unintended changes to be made to information in the Commonwealth's area of the chip when, for example, an individual is attempting to change the information in their own area, or as a result of use of a defective card reader/writer that was not known to be defective, etc.
Hence, it is of major concern that the construction of the proposed offence apparently enables criminal conviction of an individual for conduct that the person did not intend, or know, would result in changes to information in the Commonwealth's area of the chip.
The proposed offence apparently applies the default fault element of intention to conduct, without regard to whether the person had any intention to bring about the result that information be changed. As pointed out in the Attorney-General's Department's Guidelines for framing Commonwealth offences "it will almost always be clear that a person intended his or her own conduct" and "it is generally neither fair, nor useful, to subject people to criminal punishment for unintended actions or unforeseen consequences unless these resulted from an unjustified risk (ie recklessness)".
EFA insists in the strongest terms that if such an offence is to remain (which should only be the case if DHS lacks confidence as to the security of their system), the offence must be re-drafted to ensure a person cannot be found guilty and punished for mere conduct, which resulted in unintended actions or unforeseen consequences etc. The offence must be amended to require proof of an additional physical element of result, to which the fault element of recklessness applies. For example, we are under the impression from the A-G Department Guidelines that the following construction would achieve that objective:
245 Changing information in the Commonwealth's area of the chip in your access card
(1) A person commits an offence if:
(a) the person engages in conduct; and
(b) the conduct results in change to any *information in the Commonwealth's area of the *chip in your access card.
However, any offence pertaining to changing information would require exceptions, and may require specification of defences to minimise capture of innocuous activity. For example, a person who changed the PIN on their access card would be guilty of the above offence as they would of the offence in the draft Bill. (EFA assumes and expects the system architecture will be designed so as to enable an individual to change their own PIN).
While the offence proposed above would be a significant improvement, EFA does not support the inclusion of such an offence. The system architecture should be secure and trustworthy. Moreover, the government should not introduce a criminal offence that can readily be perceived to have a principal objective of discouraging and deterring citizens, including IT security experts, from investigating whether or not the personal information stored on the chip is secured against unauthorised changes. If it is not, the first people to find this out will be real criminals such as identity thieves etc. It has long been well known that security through obscurity in relation to information technology is completely ineffective.
You commit an offence if you sell, or otherwise transfer any part of your ownership of, your access card.
Penalty: Imprisonment for 10 years or 1,000 penalty units, or both.
The above new crime would give criminals who had stolen a card the opportunity to claim it was sold to them by the "owner", resulting in the owner in effect having to attempt to prove that they did not sell their card.
The pretence that individuals own the card should be dispensed with. All references to ownership by individuals, including the above new crime, should be deleted from the draft Bill.
(1) The Secretary may require you to give an access card to the Secretary if:
[... the Secretary suspects ...]
(3) You commit an offence if:
(e) you fail to give the access card to the Secretary immediately.
This offence enables the Secretary to demand a person surrender an access card merely on the basis that the Secretary suspects on reasonable grounds that it has either been obtained by means of false or misleading conduct or has been used in the commission of an offence against any law of an Australian jurisdiction.
The factual basis of the offence appears to be created by no more than the Secretary's suspicion, on reasonable grounds, of particular conduct by the card holder or another person. EFA considers this to be a completely inappropriate basis for a criminal offence of failing to give an access card to the Secretary immediately. The Secretary's suspicion may be wrong but nevertheless the person will not be able to access benefits or Medicare refunds after surrendering their card and may be subjected to considerable time and effort in attempting to obtain a replacement card. EFA questions what arrangements will be in place to ensure speedy replacement, at minimal inconvenience to the individual, of the card.
EFA also questions whether a person charged with such an offence will be sufficiently protected (or protected at all) by constraints on, and penalties for, any misuse of this power. We also observe that while the offence refers to the Secretary having such power, the power is also exercisable by any number of Commonwealth officers in participating agencies to whom the Secretary has delegated the power.
EFA also questions how it will be possible for a person to "give the access card to the Secretary immediately" especially in the case of persons located in remote areas where there are no DHS offices and hence no officer with delegated power to whom the card could be given "immediately".
Given the government's claimed benefits of using a smart card, we would expect DHS to have in place appropriate systems for suspension and/or cancellation of suspect cards to prevent use of same for the purpose of obtaining government benefits whether or not a card is surrendered "immediately".
(1) You commit an offence if:
(a) you have possession or control of a *document; and
(b) you know that the document is a *false access card.
Penalty: Imprisonment for 10 years or 1,000 penalty units, or both.
(2) Subsection (1) does not apply if the person has a reasonable excuse.
Note: The defendant bears an evidential burden in relation to the matter in subsection (2): see subsection 13.3(3) of the Criminal Code.
EFA notes the following extract from the Attorney-General's Department's Guide to framing Commonwealth offences:
"Do not use 'without reasonable excuse'
Principle: The phrases 'without reasonable excuse' or 'section X [being an offence] does not apply if the person has a reasonable excuse' should not be used in the context of Commonwealth offences.
Discussion: These phrases are too open-ended and place uncertainty in the way of any prosecution as to what defence might be raised. Many of the exceptions to criminal responsibility thought to be caught by the "reasonable excuse" defence (such as duress, mistake or ignorance of fact, intervening conduct or event, and lawful authority) are covered by the generic defences in Part 2.3 of the Criminal Code. Either reliance should be placed on these defences, or additional specific defences should be set out.
Generally, the only circumstance in which the use of a reasonable excuse defence can be justified is if the potential for innocuous conduct being caught by the offence is so great that it is not practical to design specific defences. In such cases there will be real questions about whether the width of the offence is too broad. Agencies wishing to include such defences in their legislative schemes should be asked to justify why they are needed. Often this process will force the agency sponsoring the legislation to articulate more clearly what they wanted the "reasonable excuse" defence to cover. This may lead to the development of more tailored/ specific defences, which is encouraged."
The fact that the phrase "without reasonable excuse" is used in the proposed offence shows that DHS knows that the width of the offence is too broad and believes that the potential for innocuous conduct to be caught by the offence is very great.
EFA submits that the offence should be re-drafted to significantly reduce the potential for innocuous conduct to be caught.
A person commits an offence if the person:
(a) does any of the following in relation to your access card number:
(i) records it;
(ii) maintains a record of it;
(iii) uses it in a manner connecting it with your identity;
(iv) divulges or communicates it to a third person; and
(b) either or both of the following apply:
(i) the person is not an *authorised person;
(ii) the person does not do so for the purposes of this Act.
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
The above offence appears to have been constructed without regard for the provisions of s190 which states "You may use your access card for any lawful purpose you choose." If a person chooses to provide their access card to, for example, a bank for the purpose of opening an account, the bank is, we assume, required by other legislation to make a record of evidence of identity information. However, the above offence would appear to prevent them recording the number or making a photocopy of the card with the number printed on it.
EFA agrees that it should be an offence to do the things in (a) above, but the offence should apply in the circumstance of doing so without the explicit and genuinely voluntary consent of the card holder. The proposed offence should be re-constructed accordingly. Such a construction should take care to deal appropriately with circumstances where a card holder is incapable of acting on their own behalf and another person is authorised to manage that person's personal affairs.
This offence applies to government agency staff only in the circumstance of dishonesty.
EFA questions what provisions/offences will be put in place to discourage and punish inappropriate browsing/viewing of information in the national ID database (Register) and disclosure of same by government agency staff.
The existing provisions of the Privacy Act 1988 are inadequate in this regard as demonstrated by the decision in NS v Commissioner, Department of Corrective Services  NSWADT 263. Further information regarding the foregoing case and serious inadequacy of existing Commonwealth legislation is available in Section 5.1 of EFA's submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal and Constitutional References Committee.
300 Protection of access card name and symbol
(1) A person commits an offence if the person, without the Minister's consent, does any of the following with a protected name or protected symbol:
(a) uses it in relation to a business, trade, profession or occupation; or
(b) uses it as the name, or as part of the name, of any firm, body corporate, institution, premises, vehicle, ship or craft (including aircraft); or
(c) applies it, as a trade mark or otherwise, to goods imported, manufactured, produced, sold, offered for sale or let on hire; or
(d) uses it as part of a domain name; or
(e) uses it as part of a URL; or
(f) uses it in relation to:
(i) goods or services; or
(ii) the promotion, by any means, of the supply or use of goods or services.
Penalty: 30 penalty units.
(2) In this section:
protected name means any of the following names:
(a) "Health and Social Services Access Card";
(b) the name determined under section 125;
or a name so closely resembling a name in paragraph (a) or (b) as to be likely to be mistaken for it.
Clause 1(e) above should be deleted. This provision would make criminals of individuals, organisations and businesses engaged in innocuous activity. For example, an individual who used a URL like the following would commit an offence:
http://www.examplemysite.id.au/Health and Social Services Access Card submission.pdf
Similarly media organisations that produce URLs from article headings, whether by means of automated technology or not, would commit an offence with URLs such as:
Use of the protected name in a URL would be prohibited by (1)(f) where use is in relation to goods and services and promotion thereof. No other use in URLs should be prohibited. Therefore 1(e) should be deleted.
Further, clause (2) above should be limited to the actual name. If it is not so limited, then a significantly more certain definition of what is prohibited than "likely to be mistaken for it" (by whom?) should be used in offence provisions.
EFA is of the view that civil remedies, and possibly civil penalties, should be incorporated in the legislation.
We are concerned as to the probability of enforcement of a number of the criminal offences and hence whether these will afford adequate protection to individuals. This applies especially in relation to s210(2) as discussed earlier herein.
We are also doubtful about, for example, s270 in terms of the probability of prosecution being commenced against a person (e.g. doctors, chemists, etc) who divulges access card numbers in breach of that provision. In this regard, for example, the Australian Communications and Media Authority does not institute prosecution proceedings for breach of privacy protection provisions of the Telecommunications Act 1997 where it considers that to enforce the law could disadvantage carriers and/or that only a small number of individuals' personal information has been unlawfully disclosed. Further, we note a recent case where the Federal Police were apparently not willing to prosecute in relation to unlawful disclosure of tax file numbers.
According to the decision in H v Chartered Accountant  PrivCmrA 7, an accounting firm sent a list of TFNs of numerous employees of a company in liquidation to those employees, in error. Apparently the list was meant to be sent to the ATO. The decision states:
"In the course of the investigation, the [Privacy] Commissioner formed the view that the disclosures might constitute a Tax File Number offence. The Commissioner advised the parties of this and referred the matter to the Australian Federal Police. The investigation was then discontinued but recommenced on advice from the Australian Federal Police that it would not institute proceedings for an offence in view of the nature of the alleged offence and its general impact."
(The outcome was that no sanction was applied to the accounting firm and no remedy was available to the complainant.)
However, where individuals suffer detriment, disadvantage, inconvenience, costs, etc, arising from breach of the Act by another person, a combination of a decision not to prosecute and no civil remedy available will not be satisfactory.
Accordingly EFA submits that civil remedies should be provided to enable the Federal Court of Australia or a court of a State or Territory, on the application of an aggrieved person, to grant the aggrieved person remedial relief.
We consider remedial relief should be available to facilitate monetary compensation to persons for their time and related costs in obtaining a new Access Card (number) when, as one example, their card number has been disclosed in breach of the law. Civil remedies should also be available in circumstances such as where the Secretary (or a delegate) has required a card to be surrendered immediately and the Secretary's/delegate's suspicion was wrong.
EFA has not sufficient time to consider Part 5 Division 3 in detail. However, we have serious concerns about the breadth of, for example, the Secretary's authority to delegate powers to any Commonwealth officer in relation to, for example, power to form 'suspicion' and demand surrender of a card where failure to do so is a criminal offence. We consider legislation should narrowly restrict the number of officers to whom such powers are permitted to be delegated and ensure delegates may only be senior/high level officers.
1. Exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007 for the access card, 13 Dec 2006.
2. Attorney-General's Department's Guide to framing Commonwealth offences, civil penalties and enforcement powers, issued by authority of the Minister for Justice and Customs, February 2004.
3. NS v Commissioner, Department of Corrective Services  NSWADT 263.
4. Section 5.1 of EFA's submission to the Inquiry into the Privacy Act 1988.
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2005), the ENUM Privacy and Security Working Group convened by the Australian Communications Authority ("ACA") (2003-2006), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.