State privacy bodies have questioned the potential for scope creep in proposed laws underpinning the exchange of information through the federal government’s new facial biometrics matching scheme.
The Office of the Victorian Information Commissioner and Queensland’s Office of the Information Commissioner raised the concerns to the parliamentary committee reviewing the government’s Identity-matching Services Bill and the Australian Passports Amendment (Identity Matching Services) Bill.
The bills, which were introduced to parliament last month, will formalise an agreement signed between federal, state and territory leaders last October to establish a capability for law enforcement agencies to share and access identity information in real time.
Although supporting the use of identity-matching services (IMS) "in principle", both privacy bodies have called for greater prescription within the draft legislation - and less reliance on the agreement - to address governance and privacy concerns.
The Victorian information commissioner is particularly concerned about “the rigour of the governance processes currently proposed, given that risk will largely be managed via agreements between the parties - such as through the participation agreement - rather than through the legislation itself”.
“We question the enforceability of these arrangements,” the office states.
It said governance arrangements for identity-matching services were modelled on the regime in place for the document verification service (DVS), but that there was a “substantial difference” in the kind of services offered.
“For that reason alone, my office suggests a more robust set of checks and balances is necessary on the use of the IMS, to protect against misuse or scope creep in the application of the service,” its submission states.
The OVIC said it also holds concerns around extending identity-matching services to the private sector and local government because of “the variation in the quality of governance and security that can be expected”.
It welcomed the fact that the use of the facial identification service (FIS) was limited to law enforcement and border protection agencies, but said it would be “very concerned” if those functions were to undertaken by the private sector, particularly given the “broad power” handed to the minister.
The "breadth of discretion” surrounding the operation of the identity-matching services and the minister’s ability “to do anything necessary or convenient” were also worrying, the OVIC said.
“The ability for fundamental controls to be amended without parliamentary oversight may also be problematic,” it states.
Queensland’s OIC has similarly called for “a cautious approach that clearly entrenches into law the principle and protections” from the agreement.
This includes the intended uses of the identity-matching services, which it says aren’t clear in the draft legislation, and strong oversight and reporting mechanisms.
“Elevating core intentions, principles and protections into law will help clarify the parameters of the regime, minimise risk of scope creep, and minimise risk of disproportionate privacy incursions,” it states.
They are the same concerns raised by the office around Queensland's own bill governing identity-matching services, which was passed in a “compressed timeframe” for the Gold Coast 2018 Commonwealth Games, leaving “limited opportunity for robust and informed public debate and scrutiny".
Data breach reporting
The OVIC also lamented the “inadequate" reporting required from agencies who access the IMS, particularly around “data breaches or misuse of the services”.
“We recommend that another mechanism be incorporated into the bill to include specific reporting relating to instances of unauthorised or inappropriate access and remedial action taken, and that this be included in the minister’s annual report,” it said.
“Transparency is integral to good governance, and the bill fails significantly short of expectations in this regard.
“In order for the public to have confidence that the compromise between civil liberties and security is appropriately managed, it will be necessary for the public to have an informed view of that management.”