2.1
This chapter discusses the central issue raised in evidence to the Committee’s review of the two bills: privacy concerns with the sharing, use, security and reliability of biometric data.
2.2
First, the chapter outlines biometrics and biometric identification, and presents stakeholder concerns about the security, use and reliability of this type of information. Second, the chapter examines the privacy concerns raised in evidence including the source of the right to privacy (under international law and the Australian Privacy Principles) and the extent to which those rights are maintained in the Intergovernmental Agreement on Identity Matching Services (IGA) and the IMS Bill.
2.3
Finally, the chapter discusses other human rights concerns raised by stakeholders: freedom of movement, the right to non-discrimination, and the right to a fair trial.
2.4
The Committee’s comment on each of these concerns, and its recommendations for amendment, appear at the end of the chapter.
Biometrics and biometric identification
2.5
The Biometrics Institute defines biometrics as covering a variety of technologies in which unique attributes of people are used for identification and authentication. This includes a person's fingerprint, iris print, hand, face, voice, gait or signature, which can be used to validate the identity of individuals seeking to control access to computers, airlines, databases and other areas which may need to be restricted.
2.6
The Biometrics Institute cites the following as different types of biometrics:
eyes – retina recognition,
finger geometry recognition,
hand geometry recognition,
voice/speaker recognition,
voice-speaker verification/authentication, and
voice – speaker identification.
Security, use and reliability concerns
2.7
While the Explanatory Memorandum to the IMS Bill states that ‘using facial biometrics can make government and private sector services more accessible and convenient to citizens’, a number of submitters raised concerns regarding the use of biometric technologies.
2.8
For example, Electronic Frontiers Australia (EFA) pointed to a risk that the security of biometric data contained in the interoperability hub could be compromised, with unintended consequences. EFA stated that
the collection, use and disclosure of personal and sensitive information for the purpose of “protecting Australians against identity theft” may correspondingly become the vehicle by which Australian’s identities are compromised.
2.9
The Australian Human Rights Commission (AHRC) questioned the security and accuracy of biometrics. The AHRC cautioned that, because biometrics are based on what are considered unique characteristics, ‘there is a risk that biometric identification may be perceived to be more accurate than may be the case’. In addition, the Commission also argued that the use of biometrics creates new risks and may increase the risk of identity fraud and theft.
2.10
In regards to facial recognition technology, the Commission raised privacy concerns and the need for strict controls around use of this technology:
The intrusions into citizens’ privacy that are enabled by facial recognition technology are real, and they are profound. It has been said that the technology may herald ‘the end of anonymity’. For that reason, particular care needs to be taken to ensure that the use of biometric technologies, including facial recognition technologies, is strictly controlled.
2.11
The Human Rights Law Centre (HRLC) had specific concerns about the accuracy of facial recognition technologies. In particular, the HRLC referred to false positives and false negatives. False positives occur where a person is wrongly identified. This can lead to them being the subject of further investigation or denial of essential services, without justification. False negatives occur when someone is not identified as being who they are. The HRLC considered this of particular concern ‘in the visa or border control context, or in the context of the provision of essential services’. According to the HRLC such misidentification risks ‘eroding trust in government agencies, law enforcement and security agencies’.
2.12
The Department of Home Affairs acknowledged accuracy and bias concerns and stated that it had been very careful in its trials to use a broad cross‑section of the demographic mix of Australia. In addition the Department explained that it is encouraging agencies that are prescribed to use the identity-matching services to only allow specialist officers with recognised aptitude in facial recognition —supplemented by training —access to the services.
2.13
The Law Council of Australia also commented on the need for controls and oversight with regards to the use of biometric data, stating that ‘oversight of the retention, collection and use of biometric information is a substantial role’ and suggested the need for a specific oversight authority. Dr Marcus Smith noted that Australia has ‘no independent, specific oversight mechanisms exist to oversee or regulate the collection, retention and use of biometric information’.
2.14
The Law Council of Australia referenced the United Kingdom’s Commissioner for the Retention and Use of Biometric Material (the UK Biometrics Commissioner) and suggested that consideration be given to establishing a similar commission in Australia. The joint councils for civil liberties, Future Wise and the Australian Privacy Foundation echoed this recommendation.
2.15
The UK Biometrics Commissioner was established by the Protection of Freedoms Act 2012 (UK). The statute introduced a new regime to govern the retention and use by the police of DNA samples, profiles and fingerprints. The Commissioner is independent of government, and their role is to:
keep under review the retention and use by the police of DNA samples, DNA profiles and fingerprints,
decide applications by the police to retain DNA profiles and fingerprints (under section 63G of the Police and Criminal Evidence Act 1984 (UK)),
review national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints, and
provide reports to the Home Secretary about the carrying out of his or her functions.
2.16
Dr Smith endorsed the UK Biometrics Commissioner model recommending additional powers in relation to biometric facial images to accommodate for the Australian context. Dr Smith commented that this expanded commissioner role
would provide appropriate independent oversight of the developments proposed by these bills, and more broadly. It would be an important step towards ensuring that there is a reasonable and proportionate balance between the need to use available new technology to protect the community from harm, and maintain appropriate standards regarding individual rights.
2.17
The Department of Home Affairs did not support the creation of a biometrics commissioner to oversight the security and use of biometrics in Australia. While acknowledging that ‘the decision about whether to establish such an office would be a matter for government’, the Department argued that the IMS Bill ‘is not seeking to expand the circumstances in which police can collect biometric information from individuals, or govern their use or retention of biometric information’.
2.18
Further, the Department maintained that existing oversight is adequate and sufficient, stating that ‘agencies participating in the identity-matching services will continue to be subject to existing oversight arrangements that apply to their activities or functions’.
Privacy concerns
2.19
The majority of submitters to the inquiry raised concerns around privacy. These ranged from broad principle based objections to specific privacy concerns about proposed sections of the bills, particularly the IMS Bill.
2.20
For example, the AHRC noted the range of privacy concerns, stating that ‘biometric systems limit the privacy of individuals in a number of ways’. These include that:
the collection, retention and disclosure of biometric information limits a person’s informational privacy,
biometric systems will return false positives and release private information about parties who are not subject of the identification request,
sensitive information may be able to be extracted or inferred from biometric identifiers, and
biometric systems may facilitate privacy-limiting measures including the collection and collation of large amounts of other information about the individual, as well as the surveillance and tracking of the individual.
2.21
These concerns were also evident in a number of submissions received from individuals who expressed concern about their right to privacy in the use of facial recognition technology. Some individuals stated that the new capability would be a ‘massive privacy overreach’ and a ‘direct violation of our right to privacy’.
2.22
The Department of Home Affairs submission stated that the IMS Bill does not seek to provide a ‘blanket exemption to privacy legislation for organisations participating in the identity-matching services’. Agencies making data available through the services, and those organisations seeking to access data through the services, will be subject to legislative privacy protections and information-sharing restrictions that already apply to them and will need to have regard to these when participating in the identity‑matching services.
2.23
International privacy obligations and protections are set out in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and Australia’s domestic privacy protection regime is set out in the Australian Privacy Principles (APPs) which are contained in Schedule 1 of the Privacy Act 1988. The following sections discuss existing privacy protections and submitter concerns around the efficacy of such protections.
Right to privacy under international law
2.24
Article 17 of the ICCPR prohibits arbitrary or unlawful interference with a person’s privacy, family, home or correspondence and unlawful attacks on a person’s honour or reputation. It also provides that everyone has the right to the protection of the law against such interference or attacks.
2.25
The right to privacy articulated in Article 17 of the ICCPR may be subject to permissible limitations that are authorised by law, are not arbitrary, pursue a legitimate objective, are necessary to achieve that objective, and are a proportionate means of achieving it. An interference with the right will not be arbitrary where the interference is consistent with the provisions, aims and objectives of the ICCPR and, is reasonable in the particular circumstances.
2.26
The United Nations Human Rights Committee (the UNHRC) has interpreted ‘reasonableness’ in this context to mean that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.
2.27
The Statement of Compatibility with Human Rights (Statement) for both the IMS Bill and the Passports Amendment Bill accept that they engage and limit the right to privacy, and provide detailed discussion around this issue. The Statement for the IMS Bill concludes that the provisions they enact
are intended to pursue legitimate objectives, are reasonable and necessary to achieve those objectives, and have been designed to ensure that their privacy implications are proportionate to the need for those services for specific activities.
The Statement for the Passports Amendment Bill comes to a similar conclusion.
Stakeholder concerns
2.28
Although many submitters agreed with the objectives of the Bills, they did not agree that the proposed legislative response was proportionate. In a joint submission, Future Wise and Australian Privacy Foundation expressed strong concerns around the privacy intrusions and stated that the IMS Bill should not be passed as it ‘fails to represent a legitimate or proportionate response to the challenges articulated in the Explanatory Memorandum’.
2.29
Similarly, the AHRC strongly argued against the proportionality of the response and the breadth of use and purpose proposed. The AHRC stated that some of the purposes for which identity-matching services may be used ‘do not appear to be of sufficient weight to justify potentially significant limitations on privacy’. Further, it stated that others ‘are so broadly defined that they might be interpreted to allow law enforcement bodies and intelligence agencies to use the services to collect information without limitation’.
2.30
Likewise, Australian Lawyers for Human Rights (ALHR) noted that, where human rights are impinged upon, the response must be proportionate and relevant to the harm sought to be addressed. Accordingly they stated their concern that ‘the Bills do not strike the right balance’.
Parliamentary Joint Committee on Human Rights’ report
2.31
The Parliamentary Joint Committee on Human Rights (Human Rights Committee) reviewed and reported on the bills in two separate reports. The initial report, tabled in March 2018 requested that the Minister for Home Affairs and the Minister for Foreign Affairs advise that Committee as to whether the limitations on the right to privacy are reasonable and proportionate to the measures to achieve the stated objectives in both bills.
2.32
The Parliamentary Joint Committee on Human Rights’ second and final report on the bills, tabled in June 2018, presented the Ministers’ advice on reasonable and proportional limitations. The advice from the Minister for Home Affairs provided some assurances, however, that Committee expressed ongoing concern that the IMS Bill may ‘be a risk of incompatibility with the right to privacy where the [interoperability hub] facilitates the sharing of information’.
2.33
The report also identified that the Face Matching Services Participation Agreement—as foreshadowed in the IGA—was considered a central safeguard to the right to privacy. The Committee noted that it did not have access to the Participation Agreement, and accordingly, noted that it was difficult to conclude whether it will ‘provide an adequate and effective safeguard’ to the privacy concerns raised by the IMS Bill. The IGA and the Participation Agreement are examined later in this chapter.
2.34
The Committee’s report concluded that the authorisation for an agency to collect, use, share or retain facial images or biographic information may not sufficiently circumscribed so as to satisfy the proportionality and reasonableness test under international law.
2.35
The Human Rights Committee reached a similar conclusion in its consideration of the Passports Amendment Bill following receipt of advice from the Minister for Foreign Affairs.
Right to privacy under domestic law
2.36
Schedule 1 of the Privacy Act 1988 sets out the Australian Privacy Principles (APPs) which apply to most federal government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’).
2.37
The APPs provide guidance as to how APP entities handle, use and manage personal information. While the APPs are not prescriptive, each APP entity must consider how the principles apply to its own situation. The principles cover:
the open and transparent management of personal information including having a privacy policy,
an individual having the option of transacting anonymously or using a pseudonym where practicable,
the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection,
how personal information can be used and disclosed (including overseas),
maintaining the quality of personal information,
keeping personal information secure, and
rights for individuals to access and correct their personal information.
2.38
The APPs do not apply to local councils or to state or territory governments, however most states and territories have privacy laws that apply to state government entities and local councils (South Australia and Western Australia are the only jurisdictions without privacy legislation).
2.39
For example, the Information Privacy Act 2014 (ACT) regulates how personal information is handled by Australian Capital Territory (ACT) public sector agencies. This Act includes a set of Territory Privacy Principles (TPPs), which cover the collection, use, storage and disclosure of personal information, and an individual’s access to and correction of that information.
2.40
The Department of Home Affairs explained that it is proposed that states and territories without privacy legislation, South Australia and Western Australia, comply with the APPs in relation to their use of the identity‑matching services.
Stakeholder concerns
2.41
Submitters raised a number of concerns in relation to the interaction of the IMS Bill with the APP’s. In particular, the APPs provide that individuals should be aware of the reason for collection of their personal information, and that information should only be used for that particular purpose. The ALHR and the AHRC both expressed concern that the IMS Bill does not appear to comply with this as it allows for personal information to be used or disclosed for purposes regardless of the purpose for which it was collected.
2.42
Further concerns were raised about the extent of access that private sector organisations will have to identity-matching services. In particular the ALHR raised oversight and compliance concerns, noting that APP entities are not subject to regular oversight.
2.43
In its submission, the Office of the Australian Information Commissioner (OAIC) noted that the bills will ‘enable the sharing of identification information of the vast majority of individuals living in Australia’ and also that ‘the identity-matching services will enable the transmission of identification information at a much faster rate than is currently possible’. Given the effect of these changes, the OAIC stated that the ‘bills should be drafted as narrowly as possible to achieve their objectives while minimising the adverse impacts on privacy rights and obligations’.
2.44
The OAIC also provided technical advice on the intersection of ‘identification information’ (as defined in the IMS Bill) and the Privacy Act. The Privacy Act applies different levels of protection to ‘sensitive information’ and ‘personal information’, with the former receiving a higher level of protection. The OAIC advised the Committee that ‘identification information’ as conceived in the IMS Bill would span both types of information as defined in the Privacy Act. More specifically, the OAIC advised that biometric information shared through the interoperability hub would be classified as ‘sensitive information’ under the Privacy Act and thereby engage a more stringent level of protection under that Act.
2.45
Further, the OAIC explained that entities regulated by the Privacy Act are generally not permitted to collect, use or disclose personal information for a purpose other than the purpose for which the information was collected—unless an individual has consented or an exception applies.
2.46
The IMS Bill and Passports Amendment Bill propose to invoke an exception to the collection, use and disclosure of personal information (although the principles relating to information security, information quality and information governance would still apply).
Privacy protections envisaged in the Intergovernmental Agreement
2.47
The IGA sets out that there are intended to be ‘robust privacy safeguards’ for the design and operation of the identity-matching services. The IGA states that privacy safeguards will be ‘informed by independently conducted privacy impact assessments [and] developed in consultation with federal and state privacy commissioners (or equivalents)’. These safeguards are intended to ‘balance privacy impacts against the broader benefits to the community from sharing and matching identity information’.
2.48
As mentioned earlier, the National Security Coordination Group (with representatives from the Commonwealth, states and territories) will oversee the development, implementation and ongoing operation of multifaceted privacy and security safeguards. This includes the Face Matching Services Participation Agreement and Access Policies previously discussed in Chapter 1.
2.49
The Participation Agreements and Access Policies ‘will outline the privacy safeguards with which requesting agencies are required to comply while supporting information sharing across jurisdictions’. These include:
providing a statement of the legislative authority or basis on which the Agency may obtain identity information through the Face Matching Services,
being subject to a privacy impact assessment which includes consideration of the Agency’s use of the Face Matching Services, except where the Agency’s use of the Face Matching Services is expressly exempt from relevant Commonwealth, State and Territory privacy legislation,
entering into arrangements for the sharing of identity information with each Data Holding Agency it wishes to receive information from, within the framework of the Participation Agreement,
providing appropriate training to personnel involved in the use of the Face Matching Services, and
conducting annual compliance audits, in a manner to be determined by the Coordination Group, in relation to use of the Face Matching Services.
2.50
The IGA also provides that agencies and organisations will be subject to oversight by the relevant privacy regulatory or oversight body within their jurisdiction. This includes the OAIC for organisations and government agencies subject to the Privacy Act.
2.51
In addition, the IGA states that access to state or territory data for private sector users will also be subject to further safeguards, including:
the express approval of the relevant minister(s) in each state or territory to use their jurisdiction’s information for this purpose,
the outcomes of a privacy impact assessment covering the types of organisations to be given access to the service,
compliance with a Facial Verification Service (FVS) Commercial Service Access Policy developed by the National Security Coordination Group, including a fee for service arrangement, and
an FVS Commercial Service audit and compliance programme overseen by the National Security Coordination Group.
2.52
The Law Council of Australia, observed that the IGA envisaged robust privacy safeguards, noting
this reflects recognition by governments that Australian citizens expect that derogations from their right of privacy should be justified by governments as aimed at a legitimate objective and be reasonable and proportionate.
2.53
Submitters indicated concerns that the privacy protections in the IGA are not available for review. The Law Council noted that since access policies and data sharing arrangements supporting the implementation of the IMS Bill have not been provided by the government for review, ‘it is unclear what the terms of those policies and agreements will contain’.
2.54
Similarly, the OAIC stated that ‘these governance documents are undergoing consultation, and could be subject to change’.
Privacy protections envisaged in the Identity-matching Services Bill 2019
2.55
The IMS Bill only provides privacy safeguards to local government and non-government entities’ use of identity-matching services.
2.56
These specific provisions are discussed in more detail in Chapter 4 of this report however, generally, local government authorities and non‑government entities can request an identity-matching service where:
the Privacy Act applies to the local government authority or non‑government entity, or
where the local government authority is bound by a law of the State or Territory, or
the local government authority or non‑government entities has entered into a written agreement with the Department of Home Affairs that is comparable to the protection under the APPs.
2.57
Noting that the privacy protections are expected to be established in the Participation Agreement, the OAIC argues that the IMS Bill should be the primary source of privacy protection measures, supported by relevant governance documents and arrangements.
Other human rights concerns
2.58
In addition to privacy, other human rights are engaged by the Bills.
2.59
The IMS Bill’s Statement of Compatibility with Human Rights indicates that the Bill engages the right to freedom of expression contained in Article 19 of the ICCPR. Both Bills’ Statements recognise that the Bills engage right to liberty and security of the person contained in Article 9 of the ICCPR.
2.60
Freedom of expression is engaged by the offence in section 22 of the IMS Bill where an employee or a contractor working on behalf of the Department of Home Affairs is prevented from disclosing protected information. The Statement concludes that such a limitation is ‘proportionate to protect the privacy of individuals’, is a key privacy safeguard of the IMS Bill and is ‘proportionate to the need to protect national security and public order by limiting the disclosure of information related to investigations or operations’.
2.61
In relation to the right to liberty and security of the person, the IMS Bill’s Statement concludes that by ‘helping agencies to fight identity crime and make it more difficult for people to obtain and use fraudulent identities, the Bill will have positive impacts on the liberty and physical security of Australians’.
2.62
Similarly, the Passports Amendment Bill’s Statement concludes that ’by making fraudulent identities more difficult to obtain and to use, and by improving the ability of law enforcement agencies to detect fraudulent identities in a timely manner, the Bill will help reduce such negative impacts on personal liberty’.
2.63
The AHRC stated that the IMS Bill is ‘likely to interfere with a number of other rights’. These are freedom of movement, the right to non‑discrimination, and the right to a fair trial.
2.64
In addition, ALHR submitted that the IMS Bill ‘will necessarily have a chilling effect upon the right of peaceful assembly, and that the Passports Amendment Bill ‘may have an adverse impact upon the right of equal access to public service and to equality before the law and equal protection of the law’.
2.65
The Human Rights Law Centre address the IMS Bill’s intersection with freedom of movement, stating that facial recognition technology, particularly real-time facial recognition, risked transforming ‘public space into a sphere where each person can be monitored and identified’.
2.66
In relation to freedom of movement the AHRC referred to the fact that, in order to travel abroad, an Australian citizen will need to get a passport and may be required to provide personal identifiers or other information which may be collected by the Department of Home Affairs and made available for use by the identity-matching services.
2.67
The AHRC’s concerns around the right to non-discrimination stemmed from the ability of the Minister to make rules to allow other biometrics to be used in the provision of identity-matching services. According to the AHRC these other biometrics may not be usable by a range of people. It is therefore
essential that in all cases where biometric systems are employed to verify identity in the course of accessing a service, alternatives are provided to ensure that people are able to access that service on an equal basis.
2.68
Regarding the right to a fair trial, the AHRC noted that the intended prohibition on using an identity-matching service as the sole basis for ascertaining an individual’s identity for evidentiary purposes in judicial proceedings (which is referred to in the IGA), is not included in the IMS Bill. Therefore the Bill does not restrict agencies from ‘attempting to use the results of these services in that way’.
2.69
If the prosecution in a criminal proceeding sought to use identity‑matching service results to ascertain an individual’s identity, a defendant would be in a difficult position to properly challenge the results obtained from those services. The AHRC stated that consideration should be given to ‘what, if any, use results derived from identity-matching services should be able to be put in judicial proceedings’.