Chapter 2

Key Issues

2.1 Submitters and witnesses to the inquiry raised various issues in relation to the Bill. Of primary interest were the implications of introducing a single broad collection power in relation to biometric data. The types of personal identifiers to be collected, the means of collection, and the storage and retention of biometric data were all discussed in detail, particularly in relation to possible impacts on individuals' privacy. Issues relating to the procedures for the collection of personal identifiers from minors, incapable persons and individuals seeking asylum in Australia were also raised.

Introduction of a single, broad power for collecting personal identifiers

2.2 Submitters noted that the new, broad collection power in proposed new section 257A would provide for a wider range of collection powers in several respects, compared with the current regime for the provision of personal identifiers under the Migration Act.[1]

2.3 In relation to the purposes for which biometric data may be collected, Australian Lawyers for Human Rights (ALHR) noted that the Bill expands this from the 12 existing purposes listed in subsection 5A(3) of the Migration Act, to the broader ability of officers to require the provision of personal identifiers in relation to 'the purposes of the Act and regulations'.[2]

2.4 The Australian Privacy Commissioner, Mr Timothy Pilgrim PSM, noted in his submission that, in particular, this represents a significant expansion of the circumstances in which biometric information can be collected from non‑citizens, which is currently limited to the following range of circumstances: for the purpose of granting a visa; when a non-citizen wishes to enter or depart Australia; to determine whether a non-citizen holds a valid visa; and for the purpose of detention decision-making.[3] The Privacy Commissioner stated:

[It] is important to ensure that such a broad expansion of the power to collect biometric information from non-citizens is necessary and, further, that it is proportionate to the objective of enabling [the department] to ensure the integrity of Australia's migration programme.[4]

2.5 ALHR argued that proposed new section 257A amounts to a 'broad, discretionary and unfettered power which is not limited in a proportional and legitimate manner', and recommended that 'the situations where biometric personal identifiers are allowed are categorised and limited; the situations when an identification test can be requested is also limited; and a limit is placed on how many times an identification test can be requested.[5]

2.6 The Law Council of Australia (Law Council) expressed concern that some of the key parameters governing the collection of biometric information can be changed through the Migration Regulations rather than the Migration Act itself:

The categories of biometric data, and the purposes for which it should be collected, will raise significant questions of policy and have substantial privacy implications. Given that citizens and noncitizens will be required to provide one or more personal identifiers that are sensitive information under the Privacy Act 1988 (Cth)...it is inappropriate for the types of biometric data to be prescribed by regulations.[6]

2.7 The Law Council recommended that, in order to avoid ambiguity:

[T]he Bill should exhaustively define the purposes for which personal identifiers are collected and the types of personal identifiers that may be collected. The power to prescribe these matters by way of regulation should be removed from the Bill.[7]

2.8 The Privacy Commissioner agreed that the drafting of the Bill should be narrower in relation to the single collection power:

[It] would appear that the proposed expansion of the power to collect biometric information from non-citizens may be broader than is necessary to enable DIBP to perform their functions under the Migration Act.

...[To] minimise the privacy impacts of the Bill, any expansion of the existing power to collect biometric information from non-citizens should be drafted narrowly and limited to only what is necessary. Accordingly, I suggest that consideration be given to amending the Bill to clearly state the purposes for which this power is able to be exercised in the Act, rather than only referring generally to the purposes of the Migration Act and the Migration Regulations.[8]

2.9 In relation to the purposes for which personal identifiers could be collected under proposed new subsection 257A(1), the Department of Immigration and Border Protection (department) stated that this would allow for the collection of personal identifiers in all of the circumstances currently authorised in the Migration Act, as well as 'provid[ing] flexibility to authorise collecting personal identifiers in circumstances that may arise in the future'.[9]

2.10 On the question of the types of personal identifiers that can be collected, the department explained that the Bill does not alter the types of biometric data that can currently be collected under the Migration Act, and that if any additional types of personal identifiers were to be prescribed in the Migration Regulations (under existing paragraph 5A(1)(g) of the Migration Act), this regulation would still be subject to parliamentary scrutiny through the Senate Standing Committee on Regulations and Ordinances and the regulation disallowance process.[10]

Means of collecting personal identifiers

2.11 Some submitters and witnesses raised concerns relating to the power under proposed new paragraph 257A(5)(b) for the minister or an officer to require that a personal identifier must be provided 'in a specified way' rather than through an identification test. The primary concern expressed was that this power would allow for personal identifiers to be collected in a way that bypasses the legislative safeguards currently in place (in sections 258E and 258F of the Migration Act) when personal identifiers are collected through identification tests. The Law Council stated:

[T]he current system of safeguards applying to the collection of personal identifiers by means of an identification test, such as not involving the removal of more clothing than is necessary for carrying out the test and affording reasonable privacy to the person, will be able to be bypassed where an officer or the Minister authorises a different method of collection...The Bill should exhaustively define how personal identifiers must be provided rather than permitting the Minister or an officer to make such a determination.[11]

2.12 The Privacy Commissioner noted that while the EM states this new power is only intended to be used in relation to the collection of fingerprints using mobile finger scanners, this restriction 'will apply in policy only'. The Privacy Commissioner concluded:

[If] an amendment to the Migration Act that removes the requirement for personal identifiers to be collected using an identification test is found to be both necessary and proportionate to enable [the department] to perform its functions, this should be done in a way that minimises the impact on individual's privacy. Accordingly, I suggest that the restriction outlined in the [EM], that the discretion is only intended to be used in relation to the collection of fingerprints using mobile finger scanners, be included within the Bill itself.[12]

2.13 The Refugee Council of Australia argued that procedural safeguards currently in place in relation to identification tests should be retained for all collection of personal identifiers.[13]

2.14 In relation to the means of collecting personal identifiers proposed under the Bill, the department noted that there are already some circumstances in the Migration Act under which personal identifiers may be collected by means other than an identification test, and that the Bill would:

continue to permit the current arrangements that apply to collection of personal identifiers offshore, but in a much less complex manner;
provide for more flexibility onshore to collect personal identifiers, particularly at Australia's borders; and
authorise the expansion of the current consent-based verification check procedure, which is already in use at Australia's borders in a limited way to verify identity and detect persons of concern.[14]

2.15 The department also stated that policy guidance is issued to departmental staff about collection of biometric data in a way that complies with the Australian Privacy Principles (APPs), and that appropriate training is provided to staff to ensure that the implementation of the policy is compliant with the APPs.[15]

2.16 Ms Rachel Noble PSM, Deputy Secretary of the department, further explained the context in which personal identifiers are likely to be taken at Australia's borders using the expanded power provided for in the Bill:

At the moment, if we were to attempt to take a biometric of any person, in particular a fingerprint, the current act requires us to do that in a very narrow circumstance that is very strictly controlled and even, to some extent, locks us into ancient technology in order to do that. The act at the moment sets out a process that can take us up to an hour to take that biometric fingerprint—let's say—of any individual...[T]here is a process of needing to take that person into a private room, so that there is no-one else able to see what is happening, and seek their consent and other quite strict processes, if you like.

This bill keeps that identification test—and that is the sort of language we use to describe that process—intact. It also says that we might be able to take those biometrics in other ways that the minister so determines. The practical effect of this new bill is it gives us more flexible processes by which we might be able to collect that biometric.[16]

2.17 Ms Philippa de Veau, General Counsel of the department, added:

What is conceived at the moment is being able to use the powers that change and free up the manner in which personal identifiers might be collected. That is ultimately the intended outcome of the bill. That is, rather than having what we traditionally think of as a fingerprint test, when you and I log on to our mobile Apple phone, we may well use our thumb print to do so. The technology has evolved to the point of being able to verify quickly—without any humiliation, without any concerns—the identity of a person using that type of biometric.[17]

Expected usage of the new broad collection power

2.18 The Law Council noted that the new collection power has the potential to impact on the travel and privacy of citizens who may not be suspected of contravening an Australian law or posing a risk to national security. It argued that there should be a threshold test for requiring one or more personal identifiers from an individual only where an officer 'reasonably believes that the person has or will breach or potentially breach an Australian law or the individual may pose a threat to national security'.[18]

2.19 In response to this argument, the department highlighted the fact that the existing collection powers in the Migration Act and Regulations 'do not require an officer to reasonably believe that an individual has or will potentially breach an Australian law or pose a threat to national security' before a requirement to provide personal identifiers is issued. The department further argued that implementing such a requirement would 'significantly put at risk the integrity of Australia's visa programme' by preventing the current practice of collecting personal identifiers from visa applicants in 23 higher risk countries in order to conduct identity checks as well as criminal, security and immigration history checks prior to the grant of a visa.[19]

Adequacy of privacy safeguards in the Bill

2.20 The Australian Privacy Foundation argued that the Bill does not contain sufficient safeguards protecting the privacy of individuals, with too many protections being reliant on policy rather than enshrined in the legislation itself:

In terms of policy and legislation creep, concerns persist that many of the 'safeguards' identified in the Bill and EM is situated as mere "policy intent". Given the lack of adequate protections in the legislation, the Bill is subject to mission-creep through ongoing policy expansions in the absence of adequate parliamentary oversight and public transparency...While the department does not intend to collect personal identifiers in all circumstances (such as fingerprints from non-citizens), the insistence that policy guidance will be given at a subsequent period excludes crucial detail from the legislation. As a result, insistence on "policy intent" through post hoc regulatory developments leaves open significant possibility for mission-creep associated with the Bill. This is especially the case when considered alongside the compounding effects of technological advancements.[20]

Privacy Impact Assessment in relation to the Bill

2.21 Several submitters noted that, in its report on the 2014 'foreign fighters' legislation, the Parliamentary Joint Committee on Intelligence and Security recommended that the government consult with the Australian Privacy Commissioner and 'conduct a privacy impact statement prior to proposing any future legislative amendments which would authorise the collection of additional bio-metric data such as fingerprints and iris scans'.[21]

2.22 The Privacy Commissioner noted in his submission that a Privacy Impact Assessment (PIA) was being undertaken by the department in relation to the Bill:

I welcome this as an important step in ensuring that the Bill appropriately balances the protection of privacy and the need to ensure that [the department] is able to perform its functions under the Migration Act. However, I would also strongly encourage [the department] to publish the PIA. Publishing the PIA would help give the Australian public confidence about whether the privacy impacts of the Bill, and any necessary safeguards, have been fully considered.[22]

2.23 The department confirmed that it has completed a PIA in relation to the measures in the Bill, and stated that a copy would be provided to the Privacy Commissioner 'before the Parliament next sits'.[23]

Storage and retention of biometric data

2.24 Several submitters commented on whether the existing legislative framework governing the storage and retention of biometric information was sufficient to adequately protect the privacy of individuals whose personal identifier(s) have been collected.[24] The Law Council stated:

The collection of larger quantities and a broader range of biometric information create a risk that the data may be misused through unauthorised access and the risk of identity theft and fraud as a result of data breaches.[25]

2.25 The Law Council referred to two recent breaches of data held by the department, and argued that the Bill should be amended to include a requirement for the mandatory encryption of any biometric data retained by the department.[26] The Law Council also argued that current provisions allowing for the indefinite retention of certain identifying information should be removed, and that the issue of appropriate retention periods for biometric data more generally should be revisited through the Privacy Commissioner and public consultations.[27]

2.26 In relation to issues surrounding the storage, retention and usage of biometric information, the department highlighted the fact that the Migration Act already has a framework for dealing with the storage, access and usage of biometric data:

Part 4A of the Migration Act creates a series of rules and offences that govern the access, disclosure, modification and destruction of identifying information (including personal identifiers). These provisions will continue to apply to personal identifiers collected under the Bill... These provisions in Part 4A of the Act ensure the department complies with the requirements of [Australian Privacy Principle] 11 in relation to identifying information. That is, those provisions protect such information from misuse, interference and loss, and from unauthorised modification, access and disclosure.[28]

2.27 The department also noted that the Privacy Commissioner is currently conducting a Privacy Assessment with regard to the collection, storage sharing and use of biometric data, to be completed by 30 June 2015.[29]

Collection of biometric information from minors, 'incapable' persons and asylum seekers

2.28 Submitters and witnesses raised various issues in relation to several specific groups of people likely to be affected by the changes in the Bill, namely minors, 'incapable' persons and individuals seeking humanitarian visas in Australia.

Collection of personal identifiers from minors

2.29 Several submitters commented on the changes proposed in the Bill that would alter the types of personal identifiers able to be collected from minors under the age of 15 and remove the requirement for a parent or independent guardian to be present when personal identifiers are collected.[30]

2.30 The department outlined in its submission how the proposed changes to the Act dealing with requirements for minors under the age of 15 to provide personal identifiers are intended to operate in practice:

offshore: minors applying for a visa, as part of a family visa, from a country where facial images are already collected may also be required to provide fingerprints where there is a higher risk of trafficking;
onshore:
borders—all minors (citizens and non-citizens) will continue to be subject to existing border processing using a passport. In extreme circumstances, such as suspected child trafficking cases, a minor may also be subject to a verification check;
visa applicants—in addition to the collection of facial images, non‑citizen minors may be subject to collection of fingerprints to conduct identity, security, law enforcement and immigration history checks; and
in detention: the existing provisions will continue to apply.[31]

Rights of minors in relation to the collection of personal identifiers

2.31 ALHR argued that the changes in relation to the collection of personal identifiers from minors are inconsistent with Australia's international obligations under the UN Convention on the Rights of the Child (CRC):

The amendments are said to be a child protection measure aimed at preventing child trafficking and/or smuggling. However...the proposed action is not consistent with the rights of unaccompanied children to be able to provide informed consent in relation to their own personal information. Creating a situation where unaccompanied children are required to provide information without any assistance is inconsistent with Australia's obligations under the CRC...Where a child is unable to consent, a guardian or parent is generally able to consent on behalf of the child. However, the current amendments make no provision for the requirement that an independent adult, guardian or independent observer be present which is in itself inconsistent with policy that an independent observer be present whenever an unaccompanied child is interviewed.[32]

2.32 The Law Council expressed similar caution in relation to these provisions:

The Law Council has concern that the provisions enabling officers to obtain biometric information from children without consent or without the presence of a parent, guardian or independent person may, in certain circumstances, not always be in the best interests of the child and have the potential to be inconsistent with recognised rights of children.[33]

2.33 In response to the concerns that specific guidelines should be developed in relation to obtaining biometric information from children, the department stated:

The Migration Act authorises the collection of personal identifiers in a dignified and respectful manner. Use of force or other form of coercion to collect personal identifiers under the new broad power is not authorised under amendments in the Bill.

The Department will implement additional policy guidelines that provide guidance to officers on how the new power to collect personal identifiers is to be exercised. The policy guidance will cover how personal identifiers are to be collected from minors and it will ensure that this is done in a respectful way. The policy guidance will be publicly available through the LEGENDcom database.[34]

Accuracy of biometric information collected from young people

2.34 The Hon Terrence Aulich, Chair of the Privacy Experts Group of the Biometrics Institute, informed the committee that there are particular issues in relation to the accuracy of biometric information collected from minors:

[W]hen you are dealing with young people, virtually every form of biometrics has some form of difficulty. If it is fingerprints, a child's hand, as it grows, can widen the gap between the ridges and the valleys. That in itself can mainly create problems with registration at a later date, as opposed to enrolment, which is when you first have your biometric recorded. The difference between the original enrolment and the checking later on may be quite considerable, in which case there could be some false assumptions made by border authorities about a child over, let us say, a six‑year period. In custody cases or other sensitive issues, that could create real problems.[35]

2.35 Mr Aulich suggested that individuals who have information collected as minors should be able to access and verify that data at a later date:

[The Biometrics Institute suggests] that anyone who wanted to check their file at a later date—let us say they are 18-plus—should have access to that file, and they should be able to test the reliability and accuracy of the biometric that was originally taken from them. Particularly if you are believing that a biometric taken from a five-year-old is going to be good enough for when they are 18, you may well be misleading yourself as an authority, and you may well be creating issues for that person at a later date.[36]

Collection of biometric data from 'incapable' persons

2.36 The Law Council of Australia commented on the issue of obtaining consent from people assessed as 'incapable' for the purposes of the Migration Act:

While the use of force to obtain personal identifiers is not permitted against an 'incapable person', [the Bill] is nonetheless silent on whether the consent of the 'incapable' person themselves is required. For example, a personal identifier could be collected without the knowledge of an incapable person.

This is particularly concerning in light of the fact that the current criteria used to assess whether a person is 'incapable' is discretionary, i.e. that authorised officers must simply have reasonable grounds to believe that a person is incapable.[37]

2.37 The Law Council recommended that consent must be sought from the incapable person themselves where a guardian or independent person is not available to provide that consent on their behalf, and that the government should ensure adequate support is given to incapable people so that they can exercise legal capacity on an equal basis with others by either agreeing to or abstaining from providing personal identifiers.[38]

2.38 ALHR argued that the existing restrictions in the Migration Act on collecting biometric information from incapable persons are a necessary safeguard and should not be removed as proposed in the Bill.[39]

2.39 In relation to the collection of personal identifiers from incapable persons, the EM to the Bill notes:

Personal identifiers are very rarely collected from incapable persons. The policy intent is not to increase the collection of personal identifiers from such persons. Under policy, it is intended that personal identifiers are not to be required to be provided from incapable persons under the broad power in new section 257A...without the consent or presence of a parent, guardian or independent person, except in exceptional circumstances, such as intelligence that a particular person poses a higher risk.[40]

Collection of biometric data from asylum seekers

2.40 Some submitters raised concerns that individuals seeking asylum in Australia would be adversely affected by the changes proposed in the Bill. The Law Council stated:

One form of personal identifier requested may be non-fraudulent or official documentation. This requirement may be particularly problematic for asylum seekers who may rely on fraudulent documentation to leave a country where they are subject to persecution by the State.

...[U]nder the Bill, the Minister may refuse a person a visa through section 40 or 46 of the Migration Act if the person refused to provide personal identifiers...[I]n addition to needing to resort to the use of false documentation to ensure safe passage to seek asylum, asylum seekers could fear what may be a reasonable request to provide identifiers due to their own experiences in their countries of origin.

There is no indication of how such an issue would be resolved, and this could potentially lead to refoulement of asylum seekers, which is inconsistent with Australia's commitments under the Convention relating to the Status of Refugees and international human rights law.[41]

2.41 The Law Council also noted, however, that 'there are benefits of the use of biometric data in the context of asylum seekers', and that the United Nations High Commissioner for Refugees (UNHCR) uses biometrics for the purpose of safeguarding the identity of refugees on the basis that they often lose their identity documents during displacement.[42]

2.42 The department advised that the Bill does not seek to amend the safeguards that apply to protections for asylum seekers and refugees in relation to disclosure of personal identifiers.[43]

Committee view

2.43 The committee considers that the collection of biometric information in the form of personal identifiers is an important tool in maintaining the integrity of Australia's borders and strengthening the ability of immigration officials to conduct identity and security checks of individuals. The committee is supportive of the overall intent of the Bill to simplify and streamline the provisions in the Migration Act dealing with the collection of personal identifiers. The committee has several specific comments in relation to the issues raised during the inquiry, as follows.

Circumstances in which biometric data can be collected

2.44 The committee notes that the new, single collection power provided for in proposed new section 257A of Bill does in some circumstances represent an expansion of the circumstances in which personal identifiers could be collected from individuals. The committee further notes the department's statement that the widening of the purposes for which biometric data can be collected would 'provide flexibility to authorise collecting personal identifiers in circumstances that may arise in the future'.[44]

2.45 In relation to the types of personal identifiers that may be collected, the committee accepts the department's argument that the Bill does not directly change the types of identifiers that may be collected, and that any new identifiers prescribed through the Migration Regulations (as can currently be done under the terms of the Migration Act) would still be subject to sufficient scrutiny as regulations disallowable by the Parliament.

Means of collecting personal identifiers

2.46 The committee acknowledges the concerns of some submitters in relation to the proposed new power for the minister or an officer to require a personal identifier to be provided in a way other than an identification test, particularly that the safeguards legislated in section 258E and 258F of the Migration Act would not be afforded in these circumstances.

2.47 The committee urges that consideration be given to specifying in the regulatory scheme the basic safeguards that will be implemented in relation to the collection of personal identifiers under proposed new subsection 257(5)(b) of the Bill. These safeguards may include ensuring that the collection must: afford reasonable privacy to the person; not involve the removal of more clothing than is necessary for carrying out the test; and not be conducted in a cruel, inhuman or degrading manner or a manner that fails to treat a person with humanity and respect for human dignity.

2.48 The committee agrees with the department, however, that proposed new subsection 258(5)(b) would provide necessary flexibility for officers in the collection of personal identifiers. The committee does not consider, therefore, that this amendment should be scrapped altogether, as some submitters have suggested, but should be retained with some basic safeguards as outlined above.

Recommendation 1

2.49 The committee recommends that consideration be given to ensuring that protections in line with those found in sections 258E and 258F of the Migration Act 1958 apply to any means of collecting personal identifiers under proposed new paragraph 257A(5)(b) of the Bill.

Privacy safeguards

2.50 The committee considers that biometric data is sensitive and personal information, and that as such, its collection, storage and retention must only be conducted in such a way as to minimise the impact on the privacy of individuals.

2.51 The committee welcomes the department's assurances that it complies with the requirements of the Privacy Act 1988 and the Archives Act 1983 in relation to the storage and retention of biometric information, in addition to the requirements in relation to these issues in the Migration Act itself.

2.52 Further, the committee is pleased that the Privacy Commissioner is currently conducting a broad Privacy Assessment in relation to the overall arrangements for the collection, storage, sharing and use of biometric data, which will be finalised by 30 June 2015. The committee trusts that any issues raised by the Privacy Commissioner will be duly considered by the government, and that any required changes to current operating procedures and requirements will be implemented, including via further legislative amendments if necessary.

2.53 In relation to the separate Privacy Impact Assessment (PIA) conducted by the department in relation to the specific measures contained in this Bill, the committee notes the department's assurance that the PIA would be provided to the Privacy Commissioner at the latest by the May 2015 Parliamentary sitting period. As such, the committee expects that the commissioner now has the benefit of the PIA. In order to allay any privacy concerns in relation to the Bill, and further inform debate in the Senate, the committee considers that the PIA should be released publicly prior to the Bill's passage through Parliament.

Recommendation 2

2.54 The committee recommends that the Privacy Impact Assessment conducted in relation to the Bill is released publicly prior to the Senate's consideration of the Bill.

Collection of biometric data from minors and 'incapable' persons

2.55 The committee considers that the measures in the Bill designed to enhance the department's ability to collect biometric information from minors are warranted, given ongoing concerns in relation to human trafficking and the emerging threat of young people seeking to become involved in terrorist activities overseas.

2.56 The committee also considers that the collection of personal identifiers from minors must be consistent with recognised rights of children and should not separate children from a parent or guardian unnecessarily; these issues should be adequately addressed in the department's policies and guidelines.

2.57 The committee acknowledges that additional safeguards may be necessary in relation to the collection of personal information from children, particularly in light of the evidence from the Biometrics Institute that there are increased issues in relation to the accuracy of biometric information obtained from young people, in comparison with adults. The committee is of the view that the Privacy Commissioner should consider this issue further as part of the broad Privacy Assessment currently being conducted in relation to the collection, storage sharing and use of biometric data, scheduled to be completed by the end of June 2015.

2.58 In relation to the collection of personal identifiers from incapable persons, the committee acknowledges the EM's statement that this rarely occurs, and that there are very few circumstances in which this would occur in the absence of a parent, guardian or independent person. The committee agrees with the Law Council that consent should be sought from the incapable person themselves where a guardian or independent person is not available to provide that consent on their behalf, and that adequate support should be given to incapable people so that they can exercise legal capacity on an equal basis with others.

Collection of personal identifiers from individuals seeking asylum in Australia

2.59 The committee considers that enhanced use of biometric identifiers has the potential to assist the department in confirming the identity of individuals seeking humanitarian visas in Australia. The committee considers that departmental officials should undertake the collection and use of personal identifiers from these vulnerable individuals in accordance with the existing safeguards in the Migration Act (which are not proposed to be altered by the Bill), and in line with the UNHCR's guidelines on the use of biometric information.

Recommendation 3

2.60 The committee recommends that the Bill be passed, subject to the preceding recommendations.

Senator the Hon Ian Macdonald
Chair

Navigation: Previous Page | Contents | Next Page