Former Australian Privacy Commissioner Malcolm Crompton has recommended law enforcement agencies be explicitly prevented from accessing data from the government’s digital identity program, which is being prepared for an economy-wide expansion.
The program currently allows users of federal government services to verify their identity for use across multiple services by accessing an identity framework of identity and attribute providers, with Home Affairs verifying documents and biometrics.
The government plans to introduce legislation this year to expand the program to the states and private sector, creating an economy-wide system that could collect sensitive logs and meta-data, and store it for several years.
The Digital Transformation Agency (DTA), which has developed the program over several years at a cost of $450 million, is finalising the legislation it says will establish protections and governance for the scheme’s expansion.
Under the current proposal, exceptions would allow law enforcement to access data in some situations, rather than a blanket ban, which was used with the COVIDSafe app.
“It’s inappropriate for law enforcement to have access to this [data],” Mr Crompton, now lead privacy advisor at Information Integrity Solutions, told InnovationAus.
“In fact, it is as inappropriate as law enforcement and national security access to the federal COVIDSafe app information, where it is blanket illegal for them to have any use or access or insight.”
Legislation underpinning the national contact tracing app explicitly prevents access to its data for any reasons other than contact tracing by state and territory health authorities.
“The same should apply here. The government should make that decision and make it clear,” said Mr Crompton, who served as Privacy Commissioner from 1999 to 2004.
The former watchdog has filed a submission through his consultancy to the DTA in response to its latest positions paper which outlines the government’s plan for safeguards and governance of the program.
The Information Integrity Solutions submission said the DTA had outlined a “good legislative infrastructure” and it agrees with most of the positions paper. But it raises concerns with the proposed law enforcement access, governance, and regulator funding.
The DTA positions paper explains the legislation will limit data access to accredited parties who can only use it to verify a user’s identity and receive a service from a relying party. But there are several exceptions, including responding to lawfully made requests by law enforcement.
The paper says agencies will not be able to use Digital Identity system data for “speculative profiling on digital identity information for an investigatory purpose”. But they will be able to access it for lawfully made requests for “an enforcement purpose”, including “accessing information in relation to suspected individuals under existing powers”.
In contrast, Mr Crompton’s submission said the legislation should be written in such a way that “all uses and disclosures of meta-data and logs by any organisation in Australia or elsewhere, without exception, are unlawful beyond providing the identity verification service and running the system”.
“Once meta-data and logs are created, others will want access to it including law enforcement and national security interests even if that is not originally intended,” the Information Integrity Solutions submission said.
“This evolution follows like night follows day, as was recently demonstrated by police seeking access to contact tracing information collected by QR code systems in at least three States, even after promises that this would not happen.”
If this explicit protection is not included in the legislation, it should at least require agencies to obtain a “narrowly constructed court order” to gain access, the submission said. It also recommends independent and transparent oversight of any law enforcement or national security agency access.
Mr Crompton told InnovationAus there is also room to improve the governance of the scheme, including a greater voice for consumers in governance structures, and to ensure regulators have the necessary resources to perform the new responsibilities the DTA has proposed.
“[An] important aspect of our submission to the Digital Transformation Agency is the importance of not only making law but making sure that the law is well enforced through appropriate funding of the regulators.”
Which is a reasonable stance – but gosh, it would make investigating or recovering from identity theft pretty hard wouldn’t it?