Submission
16 March 2007
Access Card - Voluntary Medical and Emergency Information
Below is a copy of EFA's submission to the DHS Access Card Consumer and Privacy Taskforce in response to the Discussion Paper Number 2 - Voluntary Medical and Emergency Information.
Contents:
- Executive Summary
- Introduction
- Background
- Voluntary Participation and Technological Security Risks
- How many "customer controlled" tiers necessary - two or three?
- Card Owner's control of own area - a myth?
- Storage of medical and emergency information in the Register database
- The Threshold Question
- The Taskforce's Recommended Scheme
- Background Principles and Practices
- Data Quality and Verification
- Extent of Data Storage and Electronic Health Records
- Prescription Dispensing and Pharmacy Operations
- Third Party Contacts
- Accessing the Emergency and Medical Data
- Management of the Scheme
- Conclusion
- References
- About EFA
Executive Summary
- While EFA agrees with many of the Taskforce's views as stated in the Discussion Paper, EFA is unable to support the proposal in the Discussion Paper. There are too many unresolved issues and it is not apparent that these can be resolved in a satisfactory manner.
- EFA notes that the Discussion Paper raises numerous issues related to privacy and security, and that although the Taskforce states it has previously consulted with "representatives of all areas related to this proposition" (not including EFA), no practical and effective means of resolving all of these issues has been put forward.
- EFA notes that the non-profit MedicAlert Foundation's comprehensive services, including bracelets, necklets and cards, already provide the same functionality in relation to provision of emergency medical information, and do not have to infringe privacy to do so.
- While use of the "your space" portion of the chip is said to be voluntary and "controlled" by the card owner, the Discussion Paper is focussed entirely on what may be wanted by individuals who wish to use this space. No regard appears to be given to the requirements of individuals who may not want to use it and/or are concerned about the technological security risks of this space.
- If voluntary areas are to be made available on the chip, individuals who do not wish to use that space must be given the option of having that space on their chip burnt out or locked in a manner that ensures to the greatest extent possible that no card reader/writer, including government approved/authorised readers, can write data to, or access, that area. This would also serve to minimise the potential for viruses and/or trojans to be loaded into blank space on the chip.
- EFA questions whether all "absolutely essential" emergency and medical information (undefined) would be able to be in Tier 1, or whether in fact Tier 1 (if not able to be updated by card owners) would need to be sub-divided into two parts in order to enable individuals themselves to update emergency contact details.
- The KPMG 'business case' document stated that the voluntary medical and emergency information "will also be held on the SCRS". This issue is not mentioned in the Discussion Paper and such storage without consent should not be permitted.
- EFA agrees that for the protection of the person who acts in good faith on the data provided by the cardholder, it would be essential that a robust system of authentication and verification be incorporated into the storage process.
- In relation to the provision of medical services in an emergency and medico-legal issues, it remains entirely unclear how, if at all, the major tension could be resolved between the expectations of individuals who choose to avail themselves of the voluntary chip facility (which involves exposing sensitive information in a publicly accessible part of the chip) and the expectations of those who do not.
- If emergency medical data is stored in the chip, it is absolutely essential that a symbol showing that be required to be on the surface of the card.
- EFA agrees with the statement in the Discussion Paper that the listing of third party contacts on a publicly accessible part of the chip "has privacy implications". This is an issue far more serious than in relation to third party contact details that are hand written onto a page of a passport. It appears unlikely that this issue can be appropriately resolved given that the Taskforce reports having previously consulted with "representatives of all areas related to this proposition" but does not put forward any proposed solutions or suggestions.
- EFA considers the Discussion Paper shows that the idea of storing emergency and medical information on an Access Card is impractical and unworkable.
- If such a scheme is to be implemented, it must be fully funded by people who choose to participate in it, not by all taxpayers. Furthermore, if it is to be administered in the public sector, before any implementation decision is made, professional market research should be conducted to ascertain an indication of the likely number of people who would participate and how much they would be prepared to pay for such a service, followed by a professional cost/benefit analysis.
Introduction
This submission is made in response to the DHS Access Card Consumer and Privacy Taskforce's Discussion Paper No. 2: Voluntary Medical and Emergency Information[1].
Background
EFA is unaware of "the issue of a Background Information Paper in December 2006" and notes that no such document is available on the Taskforce/Access Card web site. We also note that there appears to be no publicly available information concerning the Taskforce's definition of "representatives of all areas related to this proposition".
Submissions published on the Taskforce web site as at 12 March 2007 do not support the Taskforce's assertion that it consulted "representatives of all areas related to this proposition".
Furthermore, it is questionable whether the area in which emergency health and medical data is proposed to be stored should be promoted as a "customer controlled area", given the probable limitations on a card holder's actual control over this area. See later herein.
Voluntary Participation and Technological Security Risks
EFA notes that while use of the "your space" portion of the chip is said to be voluntary and "controlled" by the card owner, the Discussion Paper is focussed entirely on what is wanted by individuals who wish to use this space. No regard appears to be given to the requirements of individuals who may not want to use it and/or are concerned about the security risks of this space.
While not mentioned in the Discussion Paper, the inclusion of "voluntary" space (which must necessarily be read/write) presents the additional issue of how an individual can be assured that data is not being written into that space without their consent, or even knowledge, whenever the card is docked in a reader, whether or not the reader is connected to the government's back end database system. It also appears that individuals will not easily be able to check what has been written onto the chip (without, for example, visiting a DHS office with the card), given that DHS representatives have stated that only "authorised readers" will be able to read the chip.
EFA considers it will be entirely unsatisfactory if cards are issued (to people who do not want to use the "your space" area) that have blank writeable space on them that may potentially be written to by any card reader/writer. Any claims that this will be prevented by the security-related architecture of the system, or the software in so-called "authorised readers", will not be reassuring. As stated in AGIMO's Australian Government SmartCard Framework/Handbook Part B[2]:
"8.2 Potential security vulnerabilities
There is, of course, no such thing as perfect security. Like any other security component, smartcards have their own vulnerabilities. Moreover, smartcards are only ever one component of an overarching information system, the end-to-end security of which will depend on many other factors."
An apparent example of "other factors" was reported in Smartcards not 'hackerproof'[3], AAP/Herald Sun, 27 February 2007:
"Dr [Adrian] McCullagh [from the Queensland University of Technology's Information Security Institute] said he could already identify one potential chink in the armour of the [Access] card's proposed two-tier data storage system. The access card will store personal details in two parts of the chip.
One part will store information such as health alerts, blood type and emergency contact details and will be accessible to the cardholder and other parties such as a health professional.
Another, more secure part, only available to the government, will store sensitive data such as the cardholder's digitised signature, the card number, expiry date and encrypted PIN (personal identification number).
'These two tiers have to communicate with each other and that's the vulnerability,' he said.
'It is possible to exploit the open or non-secure section to get into the secure section.'
'You would probably start looking at the communications channel between the non-secure and the secure because that's where the vulnerability will be.'"
We note the Taskforce now proposes there be three tiers (and it seems there may need to be four, see later herein).
If voluntary areas are to be made available on the chip, individuals who do not wish to use that space must be given the option of having that space on their chip burnt out or locked in a manner that ensures to the greatest extent possible that no card reader/writer, including government approved/authorised readers, can write data to, or access, that area. This would also serve to minimise the potential for viruses and/or trojans to be loaded into blank space on the chip.
In the case of the Australian passport chip:
"(2) Once data is written to the [passport] chip by the issuing authority (the Department of Foreign Affairs and Trade) in the issuing process, the chip is locked and cannot be written to by any other person or authority."
(Answer to Questions on Notice: Passports[4], Senate Hansard, 9 February 2006)
While obviously the whole chip in the Access Card cannot be similarly locked, due to the need to update information in the "Commonwealth area", a means of locking the "voluntary" area, at the option of the card owner, needs to be implemented.
How many "customer controlled" tiers necessary - two or three?
EFA questions whether all "absolutely essential" information (undefined) would be able to be included in Tier 1, or whether in fact Tier 1 would need to be sub-divided into two parts.
The Discussion Paper indicates that details of an emergency contact person would be stored in Tier 1, given the paper states people designated as an emergency contact "may not have consented to be the contact point or to have this data listed in what, as we have noted above, is effectively a public and relatively easily accessible record".
However, the paper also states that the need for proper verification or authorisation by a medical practitioner "has a clear implication that the entry of such information [emergency health data] cannot be done by the individuals themselves since this would allow the bypassing of the verification process. It means, that at least for Tier 1 information, data entry can be done only at an approved location and only from an approved and authenticated form."
If entry of data into Tier 1 can be done only at an approved location and only from an approved and authenticated form, then this has the clear implication that individuals will also not be able to enter or update an emergency contact's details in Tier 1 because there would apparently need to be technological measures implemented to prevent the use of non-approved readers/writers to write data into Tier 1.
EFA submits that if the Taskforce has considered the above matter and believes that Tier 1 could operate to prevent writing by card owners to parts of it but allow writing to other parts of it, the Taskforce should explain how this is expected to work in its forthcoming report. Alternatively, EFA submits that the Taskforce should investigate this matter prior to making any recommendations indicating that there would only need to be two tiers in the "customer controlled" area.
Card Owner's control of own area - a myth?
EFA submits that if proposed Tier 1 is to continue to be referred to as a "customer controlled area", the Taskforce and/or the Government should explain how card holders will have actual control of this area of the chip, as distinct from control over to whom they hand their card.
Currently it appears that the proposed area would more appropriately be described as "your doctors' area", given that individuals will not be able to write information into this area and will apparently not even be able easily to find out what has been written onto the chip by someone else (without visiting a DHS office), given that DHS representatives have stated that only "authorised readers" will be able to read the chip.
Storage of medical and emergency information in the Register database
EFA notes that the KPMG 'business case' document at section 6.1.8 refers to voluntary medical and emergency information and states:
"This information will also be held on the SCRS to enable lost cards to be replaced."
EFA questions why the above matter has not been raised in the Discussion Paper and has not been the subject of public consultation. EFA considers storage of such information on the Register, apparently without the consent of the card holder, raises serious privacy issues and should not be permitted.
The Threshold Question
...
"Because of this, there must, in the opinion of the Taskforce, be a requirement, for the protection of the person who acts in good faith on the data provided by the cardholder, that a robust system of authentication and verification must be incorporated into the storage process. Without such a checking mechanism the storage of the data becomes less than useful, since third parties will either decline to act, or be restrained from acting, on the data, thus negating the whole purpose of its listing in the first instance. In the absence of such checking it would be possible to have a scheme entirely controlled and operated by the cardholder themselves, provided they expected no one else to do anything with or about the data. In this respect health and medical data would be no different from any other.
If, however, the cardholder expects some third party to undertake actions to their benefit on the basis of the stored data then different rules and requirements must apply and be accepted."
EFA agrees with the above.
The Taskforce's Recommended Scheme
"The customer controlled area of the access card should contain a two-tiered system of emergency and health information:
- in the first tier, which should be accessible to anyone with an approved reader, there should be listed only that data which is absolutely necessary to facilitate the provision of emergency health treatment in a crisis situation;
- in the second tier, which should be PIN protected (and thus accessible only with the express consent of the cardholder) other medical and health data could be listed in accordance with the Recommendations which appear below;
- the Access Card itself could contain, on the surface, some symbol (such as the caduceus) to indicate that emergency medical data is stored in the chip so that no time is wasted in an emergency situation looking for information which may not be there in the first instance."
EFA submits that, if emergency medical data is stored in the chip, it is absolutely essential that a symbol showing that be required to be on the surface of the card.
EFA is concerned that individuals who choose not to place sensitive personal information in the publicly accessible part of the chip may suffer harm resulting from emergency workers etc wasting time not only searching for, but also attempting to read, a card that contains no relevant information. We note that this risk of harm to individuals appears to be ignored by the government and the Taskforce.
Furthermore, as stated in our submission to the Taskforce's Discussion Paper No. 1:
"EFA is also concerned about potential discrimination against, and disadvantage to, people who choose not to include 'voluntary' information due to concerns about access to it. Will they be placed at the end of the 'queue' in an emergency situation, and/or will they be told 'it's your own fault' if an emergency worker gives them a drug to which they are allergic, etc?"
"Whether the information is stored in plain text or in some encrypted form is a matter requiring further consideration. This is a question which involves both the preferences of the cardholder and the specific operations of the relevant technology to be taken into account."
We draw to the Taskforce's attention that if the information is stored "in some encrypted form", emergency workers would need special readers containing a decryption key capable of decrypting the Tier 1 content of all cards (which is technologically possible while still enabling each individual to hold a key that decrypts only Tier 1 of their own chip). However, this appears to be impractical for the same reason that the Taskforce states a PIN over-ride reader is not practical:
"As such, cardholders who chose to make use of this system must accept that they are putting sensitive personal information, effectively, into the public domain, and that this is something which they may be doing for the very first time."
If Tier 1 information were stored in encrypted form, emergency workers would require readers, different from those used by DHS agencies and businesses, containing special software and a key able to decrypt the Tier 1 information. Such readers would in effect be the equivalent of a PIN-override reader, since they could decrypt Tier 1 of any card, and the compromise of a single reader (or of its key) would expose the Tier 1 contents of every card. This appears to be impractical for the same reason as PIN-override readers are.
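The key arrangement described above, as an added example that is not part of EFA's submission or of the Access Card design: each card's Tier 1 record is encrypted under a fresh per-card key, and that per-card key is stored on the chip wrapped under a master key that every emergency reader would hold. The cardholder keeps only their own per-card key, so it opens only their own card; the master key opens every card, which is exactly the PIN-override equivalence the submission points to. The record texts, the function names and the cipher are constructed for the example; the cipher is a toy built from HMAC-SHA256 (counter-mode keystream plus a MAC) so the example runs with the Python standard library alone, and stands in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import struct

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag), constructed
# for this example so it runs offline. A deployed chip would use a proper AEAD
# such as AES-GCM; the key-management layout, not the cipher, is the point.

def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, authenticated under `key`."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def new_key() -> bytes:
    return os.urandom(32)

def personalise_tier1(record: bytes, emergency_master_key: bytes):
    """Hypothetical issuer step: encrypt the Tier 1 record under a fresh
    per-card key and store that key on the chip wrapped under the master key
    that every emergency reader holds. Returns (chip contents, cardholder key)."""
    card_key = new_key()
    chip = {
        "tier1": seal(card_key, record),
        "card_key_for_emergency": seal(emergency_master_key, card_key),
    }
    return chip, card_key

def emergency_reader_read(chip: dict, emergency_master_key: bytes) -> bytes:
    """Any reader holding the master key unwraps any card's key: this is the
    PIN-override equivalence, and why loss of one reader exposes every card."""
    card_key = open_sealed(emergency_master_key, chip["card_key_for_emergency"])
    return open_sealed(card_key, chip["tier1"])

def cardholder_read(chip: dict, cardholder_key: bytes) -> bytes:
    """The cardholder's key opens only the card it was issued with."""
    return open_sealed(cardholder_key, chip["tier1"])

def can_read(chip: dict, key: bytes) -> bool:
    try:
        cardholder_read(chip, key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    master = new_key()  # constructed for the demo; would live in every emergency reader
    chip_a, key_a = personalise_tier1(b"blood group O neg; penicillin allergy", master)
    chip_b, key_b = personalise_tier1(b"insulin-dependent diabetic", master)
    print(emergency_reader_read(chip_a, master), emergency_reader_read(chip_b, master))
    print(can_read(chip_a, key_a), can_read(chip_b, key_a))  # True False
```

The design choice worth noting is that the per-card key gives individuals a key that opens only their own Tier 1, but it does nothing to limit the master key: every emergency reader must carry it, so the scheme's security is that of the least protected reader in the field.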
...
* ensuring that there are effective sanctions available and applied in relation to people or organisations who breach privacy requirements inherent in the management of this sensitive data.
The sanctions in the first Bill do not provide adequate protection and there are no sanctions whatsoever for copying information on the chip (only information on the surface of the card). Furthermore, a number of the criminal offences in the first Bill are unlikely to be enforced and/or enforceable and some are largely illusory due, for example, to the operation of other legislation (see EFA's submission to the Senate Committee[5]). Given this, it seems unlikely that any sanctions the government may be willing to implement in relation to sensitive information to be stored in a publicly accessible Tier 1 part of the chip would be any better.
Background Principles and Practices
• individual participation in any such scheme will always be voluntary and must be within the control of the cardholder
Legislation must state the above. The first Bill does not.
Data Quality and Verification
EFA agrees with the above.
"It remains an open question as to whether there should be some charge for this service, and if so, who should bear that charge. The general position of the Taskforce is that, since this facility is being accessed at the choice of the individual cardholder it could be the responsibility of the individual to bear the costs associated with it."
Any costs must be borne by individuals choosing to avail themselves of the facility. It would be completely inappropriate for any aspect of this voluntary participation facility/system to be funded by all tax payers.
Recommendation 4: That the medico-legal issues arising from persons acting in good faith on the medical data contained in an access card be addressed and clarified in future legislation related to the operation of the access card chip.
EFA agrees with the above recommendation. However, EFA considers the issue goes beyond that stated in the recommendation. A major issue is that if a third party can be held liable for failing to search for or act upon information in the card chip, then emergency workers etc will in effect be forced to waste time searching for a card that an at-risk individual may not be carrying or which may not include relevant information. It appears that legislation must ensure that third parties cannot be held liable for failing to search for or act on information in the chip, because this appears to be the only means of ensuring that individuals who have chosen not to place sensitive information in a publicly accessible part of the chip are not subject to unnecessary harm or detriment due to wasted time. This of course raises the question of the point of placing emergency medical information on the chip at all.
It remains entirely unclear how, if at all, the major tension between the expectations of individuals who choose to avail themselves of the voluntary facility (involving exposure of sensitive information in a publicly accessible part of the chip) and those who do not could be appropriately resolved.
Extent of Data Storage and Electronic Health Records
Recommendation 5: The Australian Government, in its information campaign, restate its policy that the access card will not be used to store electronic health records or link to existing electronic health records.
EFA agrees with the above recommendation. It is concerning that a number of individuals and medical professional organisations appear to favour the inclusion of emergency medical information in the expectation that it will include vastly more detailed health-related information than the government's stated intention. EFA does not support the use of the Access Card for electronic health records. Any participation in a national system of linked electronic health records must be voluntary and must not be associated with an Access Card, or any other card, that is in effect compulsory for another purpose.
Prescription Dispensing and Pharmacy Operations
The "Taskforce's proposals" in the above regard are not clear in the Discussion Paper. Does the Taskforce intend that such information will be able to be placed in Tier 2? If so, EFA considers there are a number of issues in this regard, including the following.
Firstly, a card holder may wish to consent to give access to a small piece of information in Tier 2, but unless every item of information is protected using a different PIN, the degree of granularity available will not be sufficient to control access to other sensitive information. It would seem to be an "all or nothing" approach to accessing the information in this voluntary section of the card, which is contrary to the principles in the Privacy Act 1988 which fundamentally state that you should only have to provide the minimum amount of information necessary for the service you are requesting.
Secondly, there is the question of whether special application software will be necessary in the chip and in readers (which we expect would be the case) and if so who is to pay for it. The costs associated with design and implementation of any such voluntary use facilities should not be borne by all tax payers.
Third Party Contacts
... [P]eople so designated may not have been made aware that they are the contact point, or, that as a result of activity on the part of another party, some personal data about themselves has been entered into the system (e.g. their next of kin or relationship status or their private contact numbers). They may not have consented to be the contact point or to have this data listed in what, as we have noted above, is effectively a public and relatively easily accessible record.
...
We are aware that this matter has been addressed in other contexts (eg the listing of contacts in the Australian passport) but it is still one needing to be approached in line with best privacy protection principles.
EFA agrees that the listing of third party contacts on a publicly accessible part of the chip "has privacy implications" and considers this a serious issue.
If this issue has been addressed in relation to the listing of contacts in the Australian passport, then it is unhelpful that relevant information is not provided in the Taskforce Discussion Paper, and that the DFAT web site also fails to provide any such information.
Irrespective of how this matter might be dealt with in relation to passports, the issue is vastly more problematic in relation to the Access Card. This is because the contact details of a person other than the card holder will be subject to potentially wide exposure and potential for automatic copying every time the card is docked in a reader. The number of times, and places in which, such information is likely to be exposed and/or automatically copied is much greater than in relation to third party contact details that are hand written onto a page of a passport.
It is disturbing that the Taskforce offers no solution to this issue, despite having stated that it issued "a Background Information Paper in December 2006" and convened a panel which brought together "representatives of all areas related to this proposition".
EFA agrees that this issue is "still one needing to be approached in line with best privacy protection principles". However, we fail to see how it can be dealt with in line with best privacy protection principles, which are generally based on the principle that individuals should have choice and control over the use of their personal information. EFA considers it would be undesirable to create offences applicable to persons who failed to gain consent before including another person's contact details on their card for emergency contact purposes. Hence, there must be heavy penalties applicable to any person (other than the card holder) who copies, uses or discloses the information for any purpose that is not directly related to providing emergency medical services to the card holder. (The existing provisions of the Privacy Act 1988 are not adequate in this regard. Among other things, that Act does not even apply to State/Territory Government agencies, small businesses, etc.)
EFA does not consider such penalties are likely to provide adequate protection (for the same reasons as the offences in the first Bill do not), but there does not appear to be any better option.
The above is one of the reasons why EFA does not support the inclusion of voluntary medical emergency information, including other individuals' contact details, in a non-protected part of the chip on a government mandated identity card that is extremely likely to be used by some people for many purposes other than the stated purposes of the card (i.e. access to Medicare rebates and Centrelink benefits).
Accessing the Emergency and Medical Data
EFA considers the above, together with other commentary in the Discussion Paper, shows that the idea of storing emergency medical information on an Access Card is completely impractical and unworkable.
We also note that the non-profit MedicAlert Foundation[6]'s comprehensive services, including bracelets, necklets and cards, provide the same functionality in relation to provision of emergency medical information already, and do not have to infringe privacy to do so.
Management of the Scheme
"Whether this is done by the medical practitioners themselves using facilities available in their own surgeries (or in some instances pharmacies), by authorised officers in participating agencies or by some external third-party contracted for this specific purpose is an open question. The Taskforce understands that the Australian Government itself has no interest in running such a project and agrees entirely with this position."
EFA would be opposed to any involvement by authorised officers in participating agencies. Such involvement would of course be funded by all tax payers. This is entirely inappropriate for a voluntary participation scheme, and especially one that would be in effect set up by government in competition with existing private sector services (e.g. MedicAlert).
EFA also has issues with medical practitioners being involved in chip data entry (and alteration). In some areas the difficulty in obtaining a reasonably prompt medical appointment suggests some medical practices are already under staffed, without practitioners and their staff having to spend time updating chips.
Recommendation 8 : That the Office of the Privacy Commissioner be actively engaged in any development of policy in relation to the voluntary medical and emergency information.
EFA agrees that the Federal Privacy Commissioner should be actively engaged. However, given the Commissioner has no concern about a new unique identification number being visible on the surface of the Access Card (see Senate F&PA Committee Hansard, 6 March 2007[7]), it is doubtful that the Commissioner's involvement would result in a satisfactory outcome in relation to privacy issues of concern to numerous members of the public.
EFA considers the Privacy Commissioners of all States/Territories that have one should also be actively engaged, given that health and medical services (as distinct from Medicare) are not generally within the Commonwealth's area of regulation or responsibility.
If such a scheme is to be administered in the public sector, it must be fully funded by people who choose to participate in it, not by all taxpayers.
Furthermore, before any decision is made to implement such a scheme, professional market research should be conducted to ascertain an indication of the likely number of people who would participate and how much they would be prepared to pay for such a service, followed by a professional cost/benefit analysis.
Conclusion
EFA considers the Discussion Paper shows that the idea of storing emergency and medical information on an Access Card is impractical and unworkable. Hence, while EFA agrees with many of the Taskforce's views as stated in the Discussion Paper, EFA is unable to support the proposal set out in the Discussion Paper. There are too many unresolved issues and it is not apparent that these, especially privacy issues, can be resolved in a satisfactory manner given the Taskforce states it has previously consulted with "representatives of all areas related to this proposition".
References
1. DHS Access Card Consumer and Privacy Taskforce Discussion Paper No. 2: Voluntary Medical and Emergency Information
<http://www.accesscard.gov.au/discussion/Discussion%20Paper%20Voluntary%20Medical%20and%20Emergency%20Information.pdf>
2. AGIMO's Australian Government SmartCard Framework/Handbook Part B
<http://www.agimo.gov.au/infrastructure/smart_cards>
3. Smartcards not 'hackerproof', AAP/Herald Sun, 27 February 2007.
<http://www.news.com.au/heraldsun/story/0,21985,21298139-662,00.html>
4. Answer to Questions on Notice: Passports, Senate Hansard, 9 February 2006.
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDS&Criteria=DOC_DATE:2006-02-09%3BSEQ_NUM:167%3B>
5. EFA's submission to the Senate Finance and Public Administration Committee, 28 February 2007.
<http://www.efa.org.au/Publish/efasubm-sfpac-acbill-200702.html#57_14>
6. MedicAlert Foundation
<http://www.medicalert.com.au/>
7. Senate Finance and Public Administration Committee Hansard, 6 March 2007.
<http://www.aph.gov.au/hansard/senate/commttee/S10028.pdf>
About EFA
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2007), the ENUM Discussion Group and Privacy & Security Working Group convened by the Australian Communications and Media Authority ("ACMA" formerly ACA) (2003-2007), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.