SENATE STANDING COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS
MICHAEL, Dr Katina, Board Member, Australian Privacy Foundation
CHAIR—Welcome. We have a submission from the foundation and, for our purposes, it is numbered 17. Do you need to change it or make any amendments to it?
Dr Michael—No, thank you.
CHAIR—I invite you to provide some comments and make a short opening statement, and then we will go to questions.
Dr Michael—Good afternoon, Chairwoman, ladies and gentlemen. I would like to thank the Senate Standing Committee on Legal and Constitutional Affairs for the opportunity to speak regarding the Personal Property Securities Bill. My talk will take the following structure. I will provide a summary of the Australian Privacy Foundation’s most recent submission. I will then outline the two major concerns the foundation has and conclude by highlighting what we believe are the key issues that need to be addressed. I will then accept questions from the committee.
I would like to begin by emphasising our disappointment at the failure of the Attorney-General’s office to address concerns raised by the Australian Privacy Foundation in submissions made in August and September 2008. In short, the foundation is of the opinion that information privacy has been, for the greater part, ignored and placed in the too hard basket perhaps or simply not given the appropriate attention that it deserves. We note here that the summaries of consultations on the personal property securities website and in the newsletter were mainly industry submissions and did not really represent the consumer perspective and related privacy concerns. We are not alone in this belief and we can refer to submissions 3, 20 and 25 in support.
As an accredited information technology professional it is my understanding that we have not done the proper information security due diligence required for the proposed national PPS register to go towards implementation. And yet, financing for the system has been approved; the department will be proceeding to contract for the design of a register before some critical parameters have even been legislated. So at this stage we have not only the failure of the Attorney-General’s Department to address previous concerns in submissions but also the premature expenditure for system components without parliamentary authority. The executive has obviously just taken it for granted, unfortunately, and this smacks of the access card debacle when millions of dollars were surely wasted to get the proposal off the ground—an example of premature contracting. We submit that no further contracts should be let until the legislation is enacted. So this is the first major concern that we have: due process has not been followed.
The second concern has to deal with more substantive issues. We feel that the register has not been adequately explained in detail. What does it record? What are the data fields that will be stored? What of the main problem of creating a new proposed national register that will duplicate large parts of the existing credit reporting databases? The credit reporting database has protection for the consumer under the Privacy Act; the proposed register does not. We can in actual fact have a scenario where there are two entries in the two registers and some information could be incorrect in one and correct in another. That leads us to a significant data quality issue. Scope is also central to the proposed register. What will be included in the broad definition of personal property securities? The contents of the register—what are they? There are data-matching issues and the potential risk of ID crime, which is quite serious in today’s society, given the register will contain the name and date of birth of a number of individuals.
So here are our key issues; I will outline them. No. 1: who has access to this register? Where does the authority for access come from and where are the relevant points for access control mechanisms? No. 2: how can the register be searched? On what parameters? How often? What kinds of query responses can be achieved? No. 3: what kinds of audit checks and logs are kept with regard to interactions with the register? No. 4: what happens if there is an error in the register? How can consumers submit changes and even be aware of them in the first place? No. 5: how many individuals will have their personal details included in the proposed register? Are we thinking thousands, or more? Is there a potential for function creep?
Senator BARNETT—Function creep?
Dr Michael—Function creep we can define as using an existing register for purposes different from what it was originally intended for. No. 6: how do we ensure robust identity verification and matching, especially when an individual has legitimate multiple identities—in their married name, for example, and other names?
The Australian Privacy Foundation’s conclusion is that we must measure the risk involved with such a register. We must perform a privacy impact assessment to understand the real impact of the proposed register. It is not too late to do this. We must not simply speculate but find out. How to go forward? We could proceed on the PIA, interview the department and find out the proper requirements for this project. It is a step-by-step investigation based on sound methodology. For the time being this is missing from the procedure. While these are obvious and there are obvious technology measures that you can use to institute safeguards in the proposed register, it is the human factor element we really have not considered very much here. We recommend to the committee that a privacy impact assessment be completed. As always, we need to introduce safeguards to protect the rights of consumers. Thank you.
CHAIR—Thanks, Dr Michael.
Senator BARNETT—Thanks, Dr Michael, for your submission. It is very much appreciated. You are probably the first witness we have had who has really focused on the privacy issues, so we appreciate that. We realise that is important and we realise the importance of balancing that with the other issues of reducing costs, complexity and so on. We need to ask some questions and be devil’s advocates. I would like your views on the real property registers and the fact that there is a public register in each and every state and jurisdiction in the country. You and I can access that. We can access the names, the addresses, the cost of a particular purchase and the parties to the agreement et cetera. Do you have concerns about the current arrangements regarding real property registers?
Dr Michael—At present I do not. I think we can point to things like the births and deaths register and the electoral roll to look at the tighter controls that those registers are instituting, and I would recommend on this occasion that we follow those tighter controls. I guess the real property register that you mentioned has gone through its due diligence and its course. While there are a number of privacy issues that we could raise, I think that is for another committee hearing and is another matter. I would be more concerned and focus on looking at how we can propose tighter controls for this forthcoming register to ensure that it is correct from the beginning. I would try to link it back to what we are doing on the electoral rolls register and how are we tightening access controls there and then try to mimic that approach.
Senator BARNETT—Just explain that to us. We have got a real property register out there and you do not have concerns with it at the moment because of the way it has been framed and, I presume, because of the impact of time. Over time everyone has become used to the fact that it is there, and nobody seems to have a real issue with it. Now we are looking at a non-real property register. The questions are these. What is the difference? Why do you have concerns about placing a person’s identity and their date of birth on it? Can you just explain to the committee the terms and conditions applying to births and deaths and the electoral roll and why you think they are appropriate and this is not appropriate?
Dr Michael—I will start with the first question, with regard to the real property register. That has been available. I would have a concern if the data were being taken and sold, for example, to a commercial entity and reused for taking advantage of people’s personal property information. There would be an information privacy concern there if the information were being resold. There is a study currently being conducted at the University of Queensland which is looking at these issues.
Senator BARNETT—Do you think that study might be relevant to this committee? Is it available? Who is undertaking the study?
Dr Michael—It is Mark Burdon. It could be relevant but not at this point, I guess. We are talking about the property register, and I think the real estate register is a whole different scenario. If the information is being resold, yes, there is a problem. If it is being abused or taken advantage of, yes, that is a problem. To date to my knowledge we have not seen any major case law examples to tell us if there is any problem at the moment with that particular register. What is the electoral commission doing to tighten controls? I guess it is making it very difficult for people to access information. It is going through an authority and procedural mechanism, where people are taking steps to find out who is asking for the data and why. Then access is being granted on that. I cannot see that with the proposed register at the moment. We do not have any information on who has access, how often and why.
Senator BARNETT—Do you think those questions need to be asked in each and every case?
Dr Michael—Yes, I do, certainly. We need to know the motivations behind individuals who are requesting information on any register. I think we have transactions here of up to $5,000, but that is a grey area at the moment as well.
Senator BARNETT—Should there be a threshold in terms of when questions are asked as to the motivation for accessing the register? Do you think it should be of a certain value?
Senator BARNETT—What should be the threshold?
Dr Michael—That is for the study to conclude. That is why you do a privacy impact assessment. It is not for me to answer that in this hearing.
Senator BARNETT—I have not reviewed privacy impact assessments before. Are they done regularly by the Office of the Privacy Commissioner or other entities?
Dr Michael—Yes, they are. There is a zone on the Privacy Commissioner’s website which will tell you about privacy impact assessments. Basically, for any significant project or register that is put forward, a PIA is promoted by the commissioner. You will find that in their own submission as well as in the Consumer Action Law Centre’s submission.
Senator BARNETT—Yes, I have the Office of the Privacy Commissioner’s submission here. Do you support the recommendations that the office has made?
Dr Michael—Yes. I think they have a number of similar concerns to those that we do. I mentioned earlier the three other submissions that are along very similar lines to ours.
Senator BARNETT—We are meeting with the Office of the Privacy Commissioner shortly. You have recommended in your conclusion that they must address the privacy concerns, including through a full and public privacy impact assessment. How long would that take and could it be done in advance of the legislation going forward?
Dr Michael—Yes, it can be done in advance. The length of time is dependent on the scope of the projects. It is a national project. From my consulting background, I would say it would be roughly between two and four weeks. A consultant would come in to interview the Attorney-General’s Department staff who are in charge of the register and the PIA findings would inform of issues to deal with cost of impact versus cost of controls, information security and access control matrices apart from the identification analysis and management of privacy impacts in general.
Senator BARNETT—I am advised that OPC will be here tomorrow, so we will talk to them about that. You have been pretty firm in your views about the serious privacy issues. Just to get clarity, you do not support the bill in its current form; you would strongly oppose the legislation as it is currently drafted?
Dr Michael—Correct. I think we need to introduce those safeguards to ensure the protection of the consumer. Once we introduce some kind of protection for the consumer, I will have no problem with the bill going forward. It is those elements which we should really be honing in on and making sure, for example, with the credit reporting databases and registers that there are protections under the Privacy Act. In this case, this register was not even on the radar of the national consultation process that occurred in Canberra in December by the Department of the Prime Minister and Cabinet—and it should have been.
Senator BARNETT—On page 2 of your submission you said that there has been a failure by the department to publish submissions. Can you expand on that? The submissions to our committee are on the website. They are public. Which submissions are you talking about? Are you talking about the consultations on the exposure draft last year?
Dr Michael—To my knowledge, they are of the draft. The end of the last line in the second paragraph states: … the Department has not even recognised the consumer and privacy concerns. I think that was related to the fact that the submissions were mostly by industry alone and not really consumer related.
Senator BARNETT—Do you think they should all be published?
Senator BARNETT—We can ask the department further about that and get some further clarity on it. Page 2 of your submission says:
In the earlier Draft Bill, privacy was acknowledged as an issue but was supposedly taken care of by a single proposal—to make unauthorised access to the PPS Register an ‘interference with privacy’ ...
Is that a big concern?
Dr Michael—That was just a single change; it does not cut it, basically, with the concerns that the Privacy Foundation have raised. It is one line.
Senator BARNETT—We have received 30-odd submissions to date. You have expressed a view that the ‘Reforms have been designed and driven by a large community of corporate lawyers ...’ We have heard from some witnesses today and we have received submissions from a range of law firms. Why do you think that is? Surely they would be representing the views of their clients, to a large degree, whether they are financial institutions, banks, corporations or commercial entities. They have a justified right to express a view and put their views forward, would you not agree?
Dr Michael—I have no problem with other individuals putting their views forward. One of our concerns was that it was done in very detailed and technical legal speak. It was not really accessible to the wider audience or the wider public and it was very narrowly focused. They have set out to achieve this. Reforms are always positive, but it was a very narrow and blinkered perspective that was presented by those organisations.
Senator BARNETT—Do you have a problem generally with the language in the legislation? Do you think it is too legalistic? You have talked about corporate lawyers helping prepare the legislation. Do you think that the language is an issue or is it the substance of it or both?
Dr Michael—On occasion the language is an issue. I believe that somewhere in the submission there was a question about grantors, debtors and securities and the differences between these three stakeholders. Yes, it is heavily technical legal speak.
Senator BARNETT—Going to the other jurisdictions and other overseas experience, we have heard about Canada, New Zealand and other places. Are you familiar with some of the overseas experience and would you recommend that we look at some of those as good models, or would you say that there are certain ones that we should avoid?
Dr Michael—I am personally not aware of that, but I did see some submissions on the website in PowerPoint format that showed some American and Canadian models.
Senator BARNETT—In terms of the points in your opening remarks, you talked about correcting errors. You are on a consultation committee with the Attorney-General’s Department, aren’t you?
Dr Michael—No, I am not.
Senator BARNETT—You are not?
Senator BARNETT—Your organisation is not part of that consultation process?
Dr Michael—I am not aware of it being so, no.
Senator BARNETT—Did you put your views to the Attorney-General’s Department last year with respect to the points that you have made in your opening remarks about error in registration, function creep, multiple identities et cetera?
Dr Michael—There were two submissions made by the Australian Privacy Foundation when the draft bill came out in August 2008 and then when the discussion paper came out in September 2008.
Senator BARNETT—Was there an improvement in the second bill compared to the first one, as far as you are concerned?
Dr Michael—There was an awareness raised of the privacy issues, which perhaps previously there was not. But out of the 163 pages of the bill, I think privacy gets a mention quite far down towards the latter end of the pages—around page 162 or so. So the improvement has been in the awareness but not in the execution in terms of a deep privacy impact assessment and awareness.
Senator BARNETT—Right. I am just wondering what the department would say in response to the issues you raised in your opening statement. Have you raised them with them; have you had feedback from them? Were they raised in your earlier submissions, for example, and they just have not been responded to or addressed?
Dr Michael—I am not sure. I will take that on notice.
Senator BARNETT—Were those points that you raised with us raised in your earlier submissions?
Dr Michael—Yes, they certainly were.
Senator BARNETT—That is something that we can follow up on in due course. The issue of multiple identifiers: is that people with double-barrelled names where at work they might use one surname and at home they might use another—is that the point that you are making there?
Dr Michael—Correct. For example, I may use my married name at work. However, with family I may use my maiden name. I may have initials. I may be known as MGX or something or other or otherwise have an abbreviated name, depending on the circles I mix in. It is each individual’s right to be called by their name in whichever way they see fit.
Senator BARNETT—Finally, in terms of the process and your recommendation for how the process should go from here: we are having a Senate inquiry; we have had two exposure drafts. What is your advice in terms of the process?
Dr Michael—I have a problem with contracts being awarded or even put to tender without a privacy impact assessment having been completed and, in addition to that, without the authority of the parliament. We have a procedural issue here. You cannot just assume that a system will be accepted or that a register will take root. You must do the relevant work behind that to ensure that the system will work, it is relevant, it is acceptable to the public and the parliament has agreed to it. You cannot actually go out and finance a system, to my knowledge, before agreement has been reached.
Senator BARNETT—I will play devil’s advocate again. The argument against that would be that COAG have an agreement. You have an intergovernmental agreement between the various jurisdictions, and that discussion has been taking place for several years. Shouldn’t they do the preparatory work so that the parliament then knows and can be better informed about its deliberations before legislation is passed?
Dr Michael—Yes, but going forward and choosing a systems integrator, for example, as we have identified in our submission, is probably not the right way to go about it. ‘Preparatory’ is the word that I think we should stress here. It is not really implementation, and anything to do with getting systems integrators on board is about deployment.
Senator BARNETT—So you think the 20 May deadline is way too soon?
Dr Michael—Things could happen between now and then. It depends on what the PIA finds: on what the privacy impact assessment conclusions are. It may not be too soon or too far away. It depends what is found in the preliminary investigation.
Senator BARNETT—If there were just one recommendation you could give to this committee, you would say that a PIA is towards the top of the list or is your strongest recommendation?
Dr Michael—It is that. A PIA must be done. That is in agreement with the Privacy Commissioner’s office, at the national and Victorian levels, and also with the Consumer Law Action Centre.
CHAIR—Dr Michael, who would actually conduct a PIA and how would that occur? What would be the parameters of it?
Dr Michael—A PIA can be conducted by an accredited consultant in the information technology space. It could be someone with a legal background, it could be someone with an IT background or, preferably, with both. I would look for accreditation: someone who has some association with a privacy organisation which is not just an advocate organisation but one which actually does organisation level PIAs and consultancies.
CHAIR—What sort of turnaround time are we looking at?
Dr Michael—That question was previously asked. I propose two to four weeks as an initial phase. It all depends on how many people are on the project: on how many human hours we are talking about.
CHAIR—In your submission you said that under the draft bill, if there is a breach, an unauthorised access to the register, the default mechanism is the Privacy Act that is currently in place. Is that right?
CHAIR—And that Privacy Act actually exempts small business and individuals. What is the cut-off for small business? Do you know?
Dr Michael—The Australian Bureau of Statistics describes—to my knowledge, the last time I looked—a small business as being under five employees. There are certain thresholds. We have the sole trader, between one and five and between five and 10, and then we start getting into medium organisations in Australia.
CHAIR—So the Privacy Act would just reflect the ABS definition, essentially?
Dr Michael—Essentially, yes.
CHAIR—So essentially the bottom line is that in this draft exposure there is no protection if an individual gives unauthorised access to the register. Is that correct? For example, I would not be able to take action if you, for example, authorised access to my details.
CHAIR—Has this been raised in previous versions of this bill or in public consultations about this, or has it been in the bill and removed, or has it just been overlooked?
Dr Michael—To be honest with you, it has probably just been overlooked. We clearly stated those concerns early on. I do not think there was a direct response to that question.
CHAIR—Your submission says that the Australian Law Reform Commission has recommended the removal of this exemption. Do you mean the removal of that exemption from the Privacy Act?
Dr Michael—Yes. Everyone then has to answer for it.
CHAIR—So the Department of the Prime Minister and Cabinet and the Department of the Treasury, but not the Attorney-General’s Department, are involved in the consultations on the report on privacy in Australia?
CHAIR—So we have two issues running side by side with no collaboration. Is that how you see it?
Dr Michael—Correct. There is no discussion between the two.
Senator TROOD—On that last point, is it your proposition that, if someone accesses information, that by itself is enough to trigger a concern?
Dr Michael—No. I think people should be able to access information when there are legitimate reasons for access. But when that information is taken in an unauthorised way, there are at the moment no parameters for who has authority to access what. An access control matrix has not been defined. The issue is about when the information is taken and misused against the consumer—for example, for ID fraud.
Senator TROOD—I am with you there. If people access a register or information of any kind and then misuse it, we all ought to be concerned about that. But I am not persuaded that there should be an issue when people access information—for example, it could be inadvertent access—and it does not cause any harm or immediate disability to the individual. I am not quite clear why we should be worried about that.
Dr Michael—I think your question goes back to Senator Barnett’s question about the real property database, and I would like to focus on that point. Why, for example, did the electoral roll, which used to be available as a CD soft copy, end up going away from that kind of technology where anyone could acquire the database? And there was a well-known case where CDs of the Yellow Pages database were floating around and information was being accessed willy-nilly. I think where it differs in this instance is in moving towards tighter controls on access to things that are particular to individuals. One individual may have multiple items on that register. How much can we find out about one individual? A lot. I overheard a discussion previously in which someone said that it would cost $2 to make a search of this proposed register. If you are a marketing company or a telemarketer you can access a lot of information and do commercial things with that information. So it is about the ability to access a large amount of data, for a relatively cheap price, and do whatever you want with it.
Senator TROOD—It is true of the telephone book too.
Senator TROOD—You are not advocating the secrecy of the telephone book, presumably?
Dr Michael—No. But the telephone book does not have your date of birth in it.
Senator TROOD—But it provides you with telephone numbers, addresses and, presumably, the correct spelling of names.
Dr Michael—But you have the option of getting a silent number, so you do not have to advertise your number to the world. I think this is the difference. Once you are on this register, you do not have an option. There is no alternative. You are on this register because you have made a transaction of X value. With the telephone book, you can opt out.
Senator TROOD—Your submission seems to be directed purely at the privacy dimensions of the bill. Leaving aside the privacy implications, do you want to say anything to us about the desirability of the broad reforms we are talking about here?
Dr Michael—Yes, I do. We welcome reforms where they are to the advantage of the consumer, the public and the government. On one point, I would like to stress the similarity between the two national registers or databases. As I mentioned, we have the consumer credit reporting database, which houses a great deal of information, and this parallel proposed PPS register. I cannot help but think that there will be some overlap between the two. And what does it mean for data quality comparison issues if errors creep in?
Senator TROOD—Do you mean that an individual or an enterprise could be on both registers?
Senator TROOD—That would not be a problem, presumably, because I take it that you are reasonably comfortable with the arrangements in relation to the credit register—or maybe you have problems about that too. So if the protocols which exist in relation to the credit register were similar to the protocols that will be applied in this register, would your concerns be allayed?
Dr Michael—Yes, because the consumer would be protected by the Privacy Act. wrestling with is how you would meet the concerns of functionality and privacy for an individual, who may not have an ABN or an identifier which is readily available and which gives no information as to who owns it or what kinds of activities they are involved in. The best solution we can come up with seems to be a name and a birth date as the means of doing it—and I understand that this is the method used in other jurisdictions as a solution to the problem. If that is not satisfactory, how do we solve that problem? Do you have a recommendation as to how we might try and address this difficult issue?
Dr Michael—We do. We have put that under ‘Data quality and matching issues unresolved’ in our submission. We suggest that the address not be excluded. I am restating what is in the submission. We said that a reliance on names and date of birth alone will not work. When name search is fundamental to the scheme design, relying on name and date of birth alone is fundamentally flawed: The experience of other public registers and the credit reporting databases shows that name and date of birth alone are not sufficient to achieve required levels of accurate matching. What do we propose in order to achieve accurate matching? Whole drivers licence numbers will assist in matching because they are unique and will ensure that individuals are distinguished from each other.
Senator TROOD—So you are uneasy about birth dates but not so much about drivers licences or addresses.
Dr Michael—Our drivers licence has our date of birth on it.
Senator TROOD—I know. But if you give a drivers licence number does that give you access to the licence anywhere else?
Dr Michael—The number would not be published to the individual requesting that information, but it would help you to actually locate that data in the database.
Senator TROOD—That is what I am saying. If I have to register a security of some kind in which I am involved and I do not have an ACN, an ABN or any other number I might otherwise use which gives no information about me as an individual or my enterprise, if I happen to have one, but I do have an address and a drivers licence number, does that create any particular concerns for you?
Dr Michael—No. I think I would feel quite safe as a consumer. At least I would not be confused with somebody else.
Senator TROOD—So your anxiety is about being confused with another individual rather than this particular information being available. If there were the individual’s name, address and a drivers licence number, for example, then you would be comfortable with that, would you?
Dr Michael—I think from a data quality matching perspective that would resolve the original problem that was stated.
Senator TROOD—So that, in your view, would give a measure of security or certainty about who it is we are talking about at the very least. That is one of your concerns.
Senator TROOD—But does it give too much information about an individual?
Dr Michael—I guess it is a question of: which one is worse? Being confused with somebody else is much worse, from our perspective. I think identity verification and matching has enormous privacy implications. I would rather be identified as the correct individual in that register than not. I think that might actually cause more problems than the other scenario that you posed.
Senator TROOD—Along those lines, then, some people do not have drivers licences. What do we do in those circumstances?
Dr Michael—We can revert to alternative data or just state: ‘No drivers licence.’
Senator TROOD—I suppose if there were two Smiths at the one address or two Smiths with similar first names and one had a drivers licence and one did not, that would solve the problem. If there were two Smiths without drivers licences you might get around the problem if they did not have similar birth dates.
Dr Michael—I guess your question is: would they live at the same address as well? We are advocating that the address also be included to get around this particular problem you mention.
Senator TROOD—I am sympathetic to your concerns; I am just troubled as to how you solve the problem. It has been helpful to hear you say that you are more concerned about the correct identifier than about there being too much information out there. That helps clarify the dissonance in relation to some of the views that exist.
CHAIR—Dr Michael, I am wondering whether the lack of explicit consultation with the Privacy Foundation is based on a view from A-Gs—and I am being hypothetical here—that a lot of the information that would be on the register is already recorded in some form in databases in states and territories, and so this is just a collation of what is already out there.
Dr Michael—That could be an assumption that has been made but not communicated. Again, I will stress what is written in bold under the heading ‘Searching the register’. For us the issue is who can get access to the register, for what purpose and what information about individuals might be returned. If it has been assumed that this information already exists in public databases and therefore what is the big deal, then that assumption needs to be communicated. When you start putting personal data items together, it depends what those data items are. Senator Trood mentioned the drivers licence number, address, date of birth and name, but what else will be there?
CHAIR—So you are unsure about exactly what is going to be on this database.
CHAIR—You want to be reassured or you want the legislation made tighter.
CHAIR—We have no further questions, so thank you very, very much for your submission and for your time this afternoon. It has been very helpful.
Dr Michael—Thank you for the opportunity.
Citation: Katina Michael, HANSARD, Legal and Constitutional Affairs, Reference: Personal Property Securities Bill 2008, THURSDAY, 22 JANUARY 2009, pp. 33-40.