The Australian Privacy Foundation makes the following brief comments on issues of concern that are apparent from the draft Background Paper. These are initial comments, and not comprehensive, and may be revised in any formal submission the Foundation makes. These comments follow the approximate order of the Discussion Paper.
The Australian Privacy Foundation considers that there are very great dangers to privacy inherent in the governmentís proposals, little justification provided for some of the more dangerous elements, and too little information for meaningful public consultation.
- In general, the principle of tightening the relationship between passports and individuals is supported.
- There is a particular danger that a passport with biometrics, if it was promoted (or allowed) by government to become a more common identifier, could develop into a de facto Australia Card. The additional costs of any biometrics will tempt governments toward 'function creep' as a way of justifying these costs. The Background Paper does not yet give sufficient details of how the legislation will specifically limit the purposes for which a passport may be requested or required as an identifier. The Act should exhaustively define these circumstances, and limit them very narrowly.
- Financial and other penalties must not be visited on those who can show good cause for losing multiple passports.
- Parliamentary, not Ministerial approval should be necessary for international data exchanges.
- Serious scepticism is justified about biometric identifiers generally, and face recognition in particular.
- As a separate matter (irrespective of how well the technology works), it is doubtful whether any existing implementation schemes will enhance security. This aspect of the proposed legislation may be based on false premises.
- It is vital that there be an independent Privacy Impact Assessment of any proposed biometric identification technologies, and implementation schemes, prior to Parliamentary approval being sought.
- Australian policy should not be dictated by the United States or any other government. Nor should it be used as an excuse for the Australian government to achieve its own objectives under a cover of external coercion. If the government's principal justification for introduction of a biometric identifier (or rushing to do so by October 2004) is avoiding inconvenience to those (relatively few) Australians who wish to visit the USA without obtaining a visa, then those Australians should be able to opt to obtain a replacement passport with a biometric identifier. This should be optional, a matter of choice, not something made compulsory for every Australian wanting (and entitled to) a passport. It would also allow for a more conservative period of testing of what is as yet completely unproven and dangerous technology.
- The rushed timetable for consideration of such an important piece of legislation may in any event be based on faulty premises. Reports indicate that the USA may not adhere to its own deadline, and that it may be legally impossible for the European Union to comply with the US deadline. The general revision of the Passports Act should be de-coupled from any temporary expedients in relation to US visas which need only affect a small number of people.
- The parameters for the introduction of new technologies should include (i) independent Privacy Impact Assessments; and (ii) positive Parliamentary approval of any changes.
- A major concern is that multiple biometrics should not be collected and correlated. Ease of changing technologies without close Parliamentary scrutiny would facilitate this.
- Any cancellation of passports should only occur in a context of appropriate administrative law protections and the availability of judicial review. The issues following involve many matters which need to be addressed by human rights advocacy groups as well as by privacy advocacy bodies.
- Mere 'likelihood' of engagement in crimes as grounds for cancellation gives rise to serious concerns about balance, and requires clear and substantial justification.
- A 'request' from an overseas law enforcement agency for passport cancellation should also require a demonstrated case for cancellation, and the same protections as other forms of cancellation.
- An absolute ban on obtaining a passport while in gaol is extreme. It may be quite a reasonable thing for a person to wish to do during short periods in gaol or while in the last year or six months of their sentence.
- ëCodification of existing arrangements' is sometimes code for 'legalisation of existing dubious or illegal practices' and needs to be given careful scrutiny.
- Privacy is not merely data protection (fair information practices). In particular, minimisation of the high level of intrusions involved in biometrics is an important aspect of privacy protection.
- Complaints to the Privacy Commissioner are limited to data protection aspects, but there is no reason why the Commissioner's powers cannot be expanded to include non-data-protection complaints, and they should be. The APF would welcome constructive discussions of the extension of the scope of the Privacy Commissioner's purview as part of this consultation, or the specific inclusion of this issue as part of the review of the Privacy Act to take place this year.
- The privacy framework of the Act should also involve among other things: (i) independent and public Privacy Impact Assessments (or public hearings by the Privacy Commissioner) prior to significant technological changes and new uses and (ii) Parliamentary approval of any such changes.
- 'Identity integrity' is an undefined and potentially huge loophole for (mis) use of passport information, not a 'limited purpose'. Unrestricted access to passport information for the multitudinous purposes conflated in this rubric should not be allowed. Each example requires separate specification and justification.
- An 'express provision applying the Privacy Act' does not on the face of it make sense, as the Act already applies to passports. However, if what is meant is that the new Passports Act will explicitly address many of the privacy issues in the collection and use of passport information that are only impliedly (and uncertainly) addressed by the Privacy Act, then APF supports such an approach and considers it is necessary given the sensitivity of the passport. This needs clarification in the Background Paper.
- The Background Paper contains too few details of the legislative proposals to allow meaningful submissions by interested parties. The exercise of calling for submissions will be a sham if these three pages (and a two page FAQ) are the only information to which parties can react. The web address provided in the Background Paper does not provide any further information to justify the governmentís proposals. We insist that the supporting information should contain something close to draft instructions to Parliamentary Counsel, to allow meaningful submissions, and nothing resembling this is provided at present.
APF contacts on this issue: