Chapter 3

Issues

3.1        This chapter discusses and analyses arguments put to the committee in respect of the bill and its consequences. It also sums up the committee's position and advances its recommendations.

3.2        While a number of concerns were raised which went to the operation of the Bill, no submitters criticised the Bill's objectives. The concept of a centralised background checking service was considered valuable if efficiency, uniformity and security could be achieved to such services through its adoption.[1]

3.3        Prior to embarking on a discussion of the issues raised by submitters, it is helpful to provide some background to the bill, and the Act it purports to amend. In particular, the committee's recommendations relating to the broad regulation making power in the 2006 Bill are of interest in the context of the committee's 2009 deliberations. Concerns relating to information collection, use and storage are discussed later in the chapter.

AusCheck Act 2007

3.4        In 2005, the then Australian Government agreed to establish AusCheck, a new division in the Attorney-General’s Department, to coordinate checks on people who are required to have an ASIC or MSIC and to provide for other background checking schemes to be established purely through the Act's subordinate legislation. The decision to set up AusCheck followed a recommendation by Sir John Wheeler in his report, An Independent Review of Airport Security and Policing for the Government of Australia.[2]

3.5        This Committee inquired into the provisions of the AusCheck Bill 2006, which was introduced into the House of Representatives in December 2006, and the committee reported in March 2007.

3.6        In its report, the Committee expressed concerns about the breadth of the Bill’s regulation-making power, privacy issues relating to the functions described in the Bill, and the lack of accountability mechanisms set out in the Bill.[3]

3.7        The original 2006 Bill would have allowed the Government to implement by way of regulations alone, a wide range of background checking schemes — related to any activities within a constitutional head of power — without the authorisation of any other primary legislation. The Committee and many submissions to the inquiry did not consider this appropriate. The Committee was of the view that the particulars of any schemes beyond the ASIC and MSIC schemes should ideally be set out in primary legislation.

3.8        The Bill was subsequently amended so that the scope for the AusCheck scheme was limited to background checking for the Aviation Transport Security Act 2004 and the Maritime Transport and Offshore Facilities Act 2003. The addition of any further background checking functions to the AusCheck scheme could therefore only be done through amendment to the AusCheck Act.

3.9        As outlined in the previous chapter, the Bill currently before the committee would expand the operation of the Act, so that by way of regulations, expansion of the range of background checks that AusCheck is able to undertake can be expanded to include national security background checks. It is a discussion of this characteristic of the Bill, and concerns related to information collection, use and storage, that form the primary focus of this chapter.

Regulation-making power

An empty shell?

3.10      One of the key arguments put forward by proponents of the amendments is that the Bill does not, in and of itself, establish background checking schemes or authorise their establishment in the absence of some other legislative instrument. The Bill's Explanatory memorandum says that:

No requirement for any person to actually have a background check will be imposed as a result of the amendment to the Act. Rather, the amendments will provide a bare capacity for the Attorney-General’s Department, carrying out its responsibility for conducting background checks, to conduct background checks that are required under authority of some other law.[4]

3.11      However, the committee notes that the Bill places no explicit prohibition on the establishment of schemes even in the absence of some other authorising instrument. Indeed, some submitters were of the view that regulations, authorised under the Bill, could bring about the establishment of background checking schemes.[5] This stands in direct contradiction of evidence put to the committee by the Department:

...the AusCheck regulations cannot create a background checking scheme. It has to be a combination of the AusCheck regulations and some other separate piece of legislation.[6]

3.12      When asked why the Bill did not make it clearer that the Act, if amended, and the proposed regulations could not authorise the establishment of schemes without an independent authority, the Department's representative replied:

Why it has not been done that way and whether it could be done are two different things. But it has not been done that way, because this was framed against that premise: it gives certain powers, but it does not give the power to impose an obligation to do a background check; that would be done separately, and that limitation has then been articulated in the explanatory memorandum, the second reading speech and so forth. That is the rationale on which it has been based to date.[7]

3.13      Nonetheless, such a conclusion might not be reached through a literal reading of the text of the Bill. The committee considers that the matter would best be solved through insertion into the Bill of a clause clarifying its status as an 'empty shell' which requires a separate legislative authority (not counting any regulations authorised by the AusCheck Act) before it can become enlivened.

Authorisation through regulation

3.14      Having dealt with the possibility that the Act, once amended, together with any related subordinate legislation, could authorise the establishment of background checking schemes, the committee turned to the question of kind of separate authority that should be required. The Bill would presumably recognise any kind of legislative instrument, namely whether an act of parliament or properly promulgated regulations (although, as discussed above, this is less clear than it might be). There is an argument that only an act of parliament, having received rigorous scrutiny during its passage, should be considered sufficient authority to authorise actions as sensitive as background checking. Ms Sarah Moulds from the Law Council of Australia put it this way:

Our position that we advanced in respect of the 2006 bill would apply here. We think that proposing a new scheme by regulation does not lend itself to the type of robust parliamentary scrutiny that comes from a primary piece of legislation that sets up parameters about a background checking regime. It might be possible to argue that regulations still go through a parliamentary process, but it is not the kind of process where you would be able to robustly evaluate the necessity of implementing a background checking regime, the parameters for that regime, the type of information that would be collected and the purpose for which the regime would be constructed. We do not feel that establishing new regimes, by regulation, would satisfy that kind of concern.[8]

3.15      The committee considered this question during its 2007 inquiry, and its report stated that:

In a general sense, the committee again takes the opportunity to express its concern at the use of delegated legislation to extend the scope and operation of primary legislation. This is particularly concerning in the current context, given the sensitive nature and function of background checking. Consistent with its views in previous inquiries, the committee believes that it is imperative that Parliament be afforded the opportunity to consider fully the particulars of any future screening regimes in order to ensure that the background checks they introduce are appropriate and proportionate to the purpose that is sought to be achieved. It is spurious to suggest that the scrutiny of delegated legislation by Parliament is equivalent to, or an adequate substitute for, the positive requirement for new powers to be approved by Parliament in primary legislation.[9]

3.16      The committee sees no reason to demur from this view, and recommends that the Bill be amended so that that the AusCheck Act requires the separate authority of an act of parliament for the establishment of a background checking scheme to take place.

Breadth of definition

3.17      Whether or not the committee's views in relation to the Bill's proposal to allow by regulation the establishment of background checking schemes for national security purposes is largely represented by Item 7, which would add paragraph (c) to existing section 8, allowing the introduction of regulations for the establishment of a background checking scheme for purposes related to national security, Australia's defence, a national emergency, terrorism, or any matter related or incidental to the legislative or executive power of the Commonwealth.

3.18      The committee heard considerable evidence critical of the breadth of the proposed addition. Typical of this was evidence received from the Law Council of Australia, whose representative submitted that:

Given the broad language of proposed subsection [8(1)(c)], the 2009 amendments ... raise concerns about the ability of the executive to expand the AusCheck scheme into new areas via regulation. We are concerned that the 2009 bill authorises the executive to conduct background checks for a number of broadly framed purposes whenever and however it decides it is necessary without requiring robust scrutiny of parliament. We believe that the 2009 bill should only enable AusCheck to administer background checking schemes that are already authorised by parliament in the context of another legislative scheme. Without seeing primary legislation and associated regulations it is impossible to determine whether a requirement for an individual to undergo a national security background check is justified in the circumstances and whether the personal information that will be collected for that check is necessary.

The Law Council is also concerned that little justification has been provided as to why such a significant expansion of the AusCheck scheme is warranted. For example, inadequate explanation is provided in the explanatory memorandum as to why it is necessary to include an open-ended power to expand the AusCheck regime by way of regulation in the area of national security, let alone the need to add for purposes relating to any matter incidental to the execution of any legislative or executive powers of the Commonwealth. For these reasons, we recommend that proposed clause 8(1)(c) of the 2009 bill be deleted or at least amended to confine the AusCheck regime to conducting and coordinating background checking for the purposes of Commonwealth acts that directly authorise the screening of persons for a particular reason.[10]

3.19      The same concerns were raised by other submitters, including the Australian Privacy Foundation.[11] Civil Liberties Australia (CLA) submitted that:

The essential problem is that at the time this Bill is being debated, no-one knows what AusCheck will be expanded to cover. This raises the concern that expanding the AusCheck scheme to as yet unnamed domains, for broad ‘national security’ purposes through regulation, especially where it is incidental to executive powers of the Commonwealth, creating a very broad power. In this aspect, the Bill is not significantly dissimilar to the Bill considered by the Committee in 2007. CLA questions what exactly will AusCheck be used for in the future?[12]

3.20      In response to these concerns, the Attorney-General's Department argued that breadth in the definition of national security was required due to the evolving character of the term 'national security'. The Attorney-Generals' representative, Dr Karl Alderson, responded to the committee's concerns in this way:

First of all, 'national security' does not have any fixed or precise meaning, either constitutionally or legally. In fact, the events of the last few years has meant that it has really been an evolving concept and, in future years, as the concept evolved, may come to encompass things that we do not necessarily think of as national security now. So the rationale for the breadth of the definition included is to ensure that the legal basis and the constitutional basis are there to allow national security background checking on a case­by­case basis in future.[13]

3.21      Dr Alderson went on to argue that 'national security' was restricted in its application, notwithstanding the apparently almost unlimited nature of the proposed subparagraphs in section 8, through the requirement to 'read down' the proposed paragraph 8(1)(c) so that they are ready to apply only within the context of 'national security'.[14]

3.22      Notwithstanding the Department's argument, the committee can see no justification for the extreme breadth of definition contained in paragraph 8(1)(c), and in particular subparagraphs (v) and (vi), which authorise regulations in respect of any matter related to the executive power of the Commonwealth and any matter incidental to the exercise of the legislative or executive power of the Commonwealth.

3.23      The committee recommends, contingent on the Government's adoption of recommendation 1 of the committee, which would explicitly require a separate act of parliament prior to the establishment of a background checking scheme, that the Bill be amended to remove subparagraphs (v) and (vi) so as to impose a meaningful restriction on the matters about which regulations may be promulgated.

Information collection, use, and storage

3.24      Together with matters relating to the promulgation and use of regulations under the Act, the manner in which personal information might be gathered, used and stored was a matter of considerable interest to the committee.

3.25      This topic was comprehensively considered by the committee in its 2007 report, and the committee is pleased to note that a number of its recommendations were adopted prior to the Bill passing into law. Among these was the recommendation that information should only be authorised for collection, use and disclosure when directly related to an AusCheck function.[15] This addresses a significant concern on the part of the committee about the collection, in particular, of private information.

Biometric information

3.26      This Bill seeks to delineate between 'personal information' and 'identity verification information'. The latter category would consist of personal information that is also 'biometric' information, such as fingerprints, and would be used solely for the purpose of establishing a person's identity when conducting subsequent background checking.[16] Importantly, biometric data is not defined and is described as having its ordinary meaning.[17]

3.27      CrimTrac expressed support for the measure, and argued in favour of extending the use of biometric data as a primary means (as opposed to secondary, as is intended by the Bill) of identifying individuals.[18] Chief Executive Officer Mr Ben McDevitt AM APM submitted at the hearing that:

The draft legislation refers to AusCheck using fingerprints as a biometric check where it may be required to verify identity where an issue of identity arises. We believe that this approach is not the most desirable approach and that, in fact, when somebody is seeking clearance to work in an area as sensitive as the national security environment that in fact the default position should be a check based around a fingerprint. We believe that establishing a person’s identity unequivocally and uniquely requires a check of that sort of calibre to be able to actually give a level of certainty. We do not promote replacing entirely name based checks with fingerprint based checks, but we do believe that for something as important as working in an area such as national security our best advice would be that a fingerprint based check would be far more appropriate.[19]

3.28      However, the Law Council of Australia, in particular, expressed misgivings about the wisdom of using biometric data, citing a publication from the Council of Europe describing the development of biometric data as 'in its infancy' and its accuracy as a tool for identification and verification of identity as being subject to ongoing scientific debate.[20] The Law Council also cites work of the Australian Law Reform Commission that led the Commission to express a number of concerns about the use of biometric data, one of which was the fact that its accuracy as a means of identity verification was unknown.[21]

3.29      The Law Council acknowledges the presence of safeguards in the Bill before the committee in respect of biometric data, but questions their adequacy. The Council's submission warns of the 'grave' consequences which could flow from the misuse or mishandling of biometric material.[22] Furthermore, the need for the changes is queried.

Given the level of scientific uncertainly surrounding the use of biometric data and the serious privacy implications the collection, use and disclosure of such data poses, the Law Council queries whether, in the absence of compelling evidence demonstrating the ineffectiveness of the current system, it is necessary to introduce such an identity verification system into the AusCheck regime. The Explanatory Memorandum does not provide any evidence of problems encountered with current methods of verification of personal information, such as through documentary or electronic verification, other than pointing to difficulties associated with criminal history checks on persons with the same name and birthdate. In these cases, it may be possible to verify identity by AusCheck examining other personal information such as the address of the individual at the time that any convictions occurred. Such an approach appears to be employed by the Australian Security and Intelligence Organisation when it undertakes security assessments.[23]

3.30      The Law Council was not alone in its concerns. The Australian Privacy Foundation argued that:

The Department’s response to the [Privacy Impact Assessment] seeks to re-assure that only fingerprints will be used and only in exceptional circumstances. However the provisions are so broad as to allow for any biometric, presumably including DNA as well as fingerprints, voiceprints, iris/retina scans etc, and there is no guarantee that this will not become routine. We submit that the use of some of these biometrics for background checks would be a disproportionate and unnecessary privacy intrusion, and will also result in another centralized storage of personalised biometric data, with all of the vulnerabilities, risks of unauthorized access and use and possibilities for function creep that such a database inevitably involves.[24]

3.31      The committee agrees that, broadly, the use of biometric data is not to be entered into lightly or without rigorous examination. The committee is also mindful of the fact that it is not AusCheck that ordinarily conducts identity verification using biometric data, but other agencies such as police services. AusCheck is required to deal directly with biometric information only very rarely, and on those occasions it comes into AusCheck's possession unsolicited.[25] In view of the limited need for AusCheck to deal with biometric data, the committee recommends that the Bill be amended to clarify that AusCheck is not permitted to collect, use, deal directly with nor store biometric information for any purpose, other than to pass it on to appropriate law enforcement, intelligence or tracking bodies.

3.32      While such a recommendation would not serve to restrict the breadth of the definition of biometric information, and the potential for it to authorise the collection and use of a great deal of data by agencies such as police services, it would serve to restrict the collection and use of such information by AusCheck itself.

Use and disclosure of information

3.33      In its 2007 report, the committee criticised proposed subsection 14(2), following concerns put by a wide variety of witnesses that it would authorise the disclosure of personal information to an undefined group of agencies. The committee called for the Bill to be amended to allow only the Australian Federal Police, the Australian Crime Commission and the Australian Security Intelligence Organisation to have access to the database.

3.34      The recommendation was not picked up by the Government in the revised Bill, and the provision became law. The Bill before the committee does not attempt to restrict access to defined agencies, but it goes some way to addressing the committee's concerns by excluding 'identity verification information' from the pool of information that can be accessed by other agencies.[26]

3.35      Nonetheless, the Act employs very broad definitions of 'personal information' and 'AusCheck personal information'. Notwithstanding the exclusion of biometric data from the operation of proposed new subsection 14(2AA), the scope of information permitted to be released to third party agencies is still cause for concern, and the committee again recommends that the specific agencies to which information can be released be defined in the Bill.

Use and disclosure by third parties

3.36      The committee also recommended in 2007 that appropriate limitations and conditions be imposed on the use of information from the AusCheck database by the agencies using it. When questioned by the committee, the Department advised that agencies with access to the database had adequate internal control mechanisms in place for information received.[27]

3.37      This recommendation was not implemented, despite its heightened importance in the wake the Government's decision not to define the agencies permitted access to AusCheck information.

3.38      Given the undefined span of agencies potentially having access, the committee remains unconvinced that adequate control mechanisms are in place, and are adequately enforced. In any case, a comprehensive and consistent approach, across all information derived from the AusCheck database, is preferable. The matter remains of concern to the committee, and it takes the opportunity to reiterate its prior recommendation that appropriate conditions are imposed by the AusCheck Act.

Retention of information

3.39      Neither the Act nor the amending Bill makes provision for disposal of information contained in the AusCheck database. This issue was canvassed by the committee in 2007, and while the committee received assurances then that the Privacy Act and the International Privacy Principles would be complied with, and that the AusCheck database would be managed in accordance with the Attorney-General's Department's existing Records Disposal Authority, the committee saw fit to recommend the adoption of specific retention periods in the Act.[28]

3.40      This recommendation was not taken up by the Government, and the committee takes this opportunity to reiterate the merit it sees in adopting clear, legislated retention periods.

Lack of consultation

3.41      The committee’s first witness at its public hearing was CrimTrac, the national agency responsible for providing criminal record checking services for law enforcement agencies. CrimTrac’s evidence was that it was not consulted by AusCheck or any other section of the Attorney-General’s Department in the drafting or introduction of the Bill, a disappointment to the committee. Indeed, CrimTrac’s Chief Executive told the committee that he had heard of the Bill’s existence only ‘very late in the piece’ and that it was at his initiative, by contacting the Attorney-General’s Department, that any information began to flow to CrimTrac.[29]

3.42      CrimTrac plays a central role in background checking in Australia, and is in regular contact with AusCheck in the administration of the existing MSIC and ASIC checking schemes. Passage of this Bill would only serve to amplify its role and consequently the importance of its being well informed about legislative change governing its activities.

3.43      The committee noted the apology made by the Attorney-General’s Department for its ‘unjustifiable error’[30] in failing to consult CrimTrac, and was relieved to hear from CrimTrac during its evidence that initial concerns about the Bill had been allayed. Nonetheless, the committee notes that CrimTrac’s concerns were allayed only through verbal reassurances and that the Chief Executive ‘could not find anything within the draft amendment that actually allayed [his] concerns’.[31]

3.44      The committee seeks to make the point that keeping a key stakeholder ‘in the dark’ and the lack of consultation are no small matters and that all efforts should be made to avoid this situation recurring.

Recommendation 1

3.45      The committee recommends that a clause be inserted into the Bill clarifying that no background checking scheme may be established under either the AusCheck Act nor regulations promulgated under the Act in the absence of another Act of Parliament providing for the establishment of such a scheme.

Recommendation 2

3.46      The committee recommends that Item 7 be amended to remove proposed subparagraphs (v) and (vi).

Recommendation 3

3.47      The committee recommends that the Bill be amended to clarify that AusCheck cannot collect, use, directly deal with nor store biometric information about an individual, other than to pass it directly to the relevant law enforcement, intelligence or tracking body for the purpose of conducting a background check.

Recommendation 4

3.48      The committee recommends that the Bill be amended to specify the agencies which may have access to personal information, including but not limited to identity verification information, collected by AusCheck.

Recommendation 5

3.49      The committee recommends that the Bill be amended to impose appropriate conditions and limitations on the use and disclosure of personal information by third party agencies to which AusCheck has lawfully disclosed that information.

Recommendation 6

3.50      The committee recommends that the Bill be amended to specify retention periods for personal information, including identity verification information, stored by AusCheck in its database.

Recommendation 7

3.51      The committee recommends that the Bill be passed, subject to the adoption of recommendations 1 to 6.

 

Senator Trish Crossin
Chair

Navigation: Previous Page | Contents | Next Page