University of New South WalesFaculty of Law - Information Technology Law

C y b e r s p a c e - l a w

The Australia Card: towards a national surveillance system

Graham Greenleaf

Lecturer in Law, University of New South Wales
Member, New South Wales Privacy Committee

( A shorter verison of this article was published in
the Law Society Journal (NSW) Vol 25 No9, October 1987)

This article argues that the system to be established under the Australia Card Bill 1986 (Cth), will go beyond being a mere identification system, which the Government claims it is, and will establish the most powerful location system in Australia, and a prototype data surveillance system. The reader may judge whether these are desirable - or expected - developments.

Other aspects of the Bill are not discussed, nor are the complex social and economic arguments for and against the establishment of such a system, which have already been argued at length elsewhere[2].

It is appropriate that the same Minister[3] now has responsibility for both the Australia Card and the Bicentenary. The surveillance system established by the Australia Card Bill may, to historians, appear to be the most significant Commonwealth Bicentenary Project.

The political context

The Bill has twice been rejected by the Senate, forming the legal basis for the election of July 1987 at which the Labor Government was returned. Despite the fact that it does not control the Senate, the Government can be expected to have the necessary majority in a joint sitting of both Houses of Parliament which, because of the double-dissolution, it is constitutionally able to hold if the Senate again rejects[4] the Bill. Although it faces some constitutional difficulties[5], it is therefore likely that the Bill will become law unless community and political pressures cause the Government to reconsider.

Data surveillance

Data surveillance is the systematic monitoring of recorded transactions an individual enters into[6]. Some of its characteristics[7] are the systematic and continuous monitoring of a person's transactions by one organisation for the purpose of informing a nother organisation; two-way flow of such information; use by one organisation in its decision-making of information about people collected by another organisation; enforcement of the rules of one organisation by a second organisation refusing to grant benefits within its control to a person who is a client of both organistions (`cross-system enforcement'); and a general lack of awareness by the person concerned of the precise nature of these information flows.

Taken together, these features constitute something qualitatively different from identification: they are the basic techniques on which a system of authoritarian control by use of information systems would be built.

The main components of and participants in the complex scheme to be created by the Bill, as set out in the Table `Components and participants ' , will be discussed, with emphasis on their surveillance aspects.

The Card

Every person in Australia will be required to obtain a Card, including children. The Bill does not make it legally compulsory: it simply makes it impossible for anyone to exist in Australian society without it, because they will be unable to carry out normal activites such the receipt of their pay taxed at the normal rate, operation of bank accounts, or the receipt of social security or health insurance benefits.

Cards of visitors to Australia will state whether they are eligible to obtain Health Insurance Commission benefits or obtain employment (cl. 17(4)). The use of the Card to indicate eligibility for certain benefits or activities (eg to work or vote) has not been extended to Australian citizens, but the precedent and the mechanism has been established.

All of the Card's contents except photograph and signature may also be included on it in machine-readable form (cl. 17(7)), making it is a rudimentary `smart Card'.

Production of the Card & Number

People are not legally required to carry their Cards at all times, only at those times when they are required to produce them (cl. 8). However, the Bill does not prohibit other, unauthorised, uses of the Card (cl. 8(3)) or Number .

Compulsory inspection of the Card and Number by enforcing organisations

The Government's purpose is to require businesses and other organisations to identify by Number all persons with whom they deal in transactions which have significance for the taxation, social security or immigration enforcement systems. The Bill does not directly penalise people involved in such transactions for failing to produce their Card. Instead, it forces the businesses and organisations involved ( `enforcing organisations' ) to require people to produce their Cards, by penalties ranging from $5,000 to $20,000. Fifteen situations where enforcing organisations will commit offences if they do not require a person to produce a Card, are summarised in the Table `15 types of compulsory production' .

What ` production' of a Card and Number requires

The requirements imposed on enforcing organisations vary , but the standard ones are:

(i) They must require people to produce a Card at the time of a transaction, or, in the case of continuing relationships, must have done so on a previous occasion. It will often only be necessary to produce the Card once to each organisation.;

(ii) People must comply with the requirement; and

(iii) The organisations must record (or have previously recorded) the person's Number.

Enforcing organisation will usually have some obligation to disclose details of such transactions to one of the Government agencies with access, which obligations will normally arise independently of the Bill, under taxation, social security or other laws[8]. Such obligations may require regular reports, or only disclosure of details on request. Enforcing organisation are then required by the Bill to identify the persons involved by their Numbers in any such reports. Later legislation creating new reporting obligations will simply need to specify that such reports should include people's Numbers.

`Companion entities' - companies, unincorporated associations, partnerships and trusts - have defined `eligible representatives', and references in the Bill to production of a Card refer to the production of the Card of an eligible representative (officers, directors, partners and the like) and a notice that sets out the body's name and its tax file number (cls.33, 34)

The surveillance consequences

Enforcing organisations do not make direct reports of transactions to the Register, nor do they have access to the Register. However, there will be a one-way flow of information generated by such transactions into the Australia Card `network' because enforcing organisations are required to report information to the 3 agencies that do have such access. For example, when a hospital patient is required to produce his or her Number to a hospital, and that information is then required to be forwarded to Health Insurance Commission (cl. 53), any new address which that person discloses to the hospital would also be forwarded to the Health Insurance Commission and thence to the Authority. If Tax had requested that that person be `flagged' on the Register (as explained later), Tax would then be informed of that new address.

`Voluntary' production of the Card

People are entitled to use Cards as a means of identification as they think fit (cl. 8(3)). It is an offence for an unauthorised person to require people to produce their Cards (cl. 167(1)) (Penalty: $5,000), but mere `requests ' to produce Cards are not prohibited. Police, Government agencies and private sector organisations may all `request'. `Require' includes `a statement that the other person could reasonably understand' to be a requirement (cl. 167(3)) , but there is no sanction or prohibition proposed for the refusal of goods or services where no `statement' is made but, in fact, nothing other than a Card will be accepted[9]. For example, a publican may refuse suspected under-age drinkers access to a hotel unless they produce their Card (which contains date of birth); or people who wish to cash cheques, obtain credit, or enter some other transaction which is largely discretionary, may be told that successive proferred means of identification are inadequate, until they finally produce their Card. Furthermore, given the multitude of situations where demands for the Card are authorised, few Australians are likely to have the faintest idea of when Cards may be demanded and when they may only be requested. Some Government documents have referred to this as 'pseudo-voluntary' production[10]. The likelihood is that 'voluntariness' will usually be completely illusory.

Compulsory carriage by children?

Children's cards include date of birth (cl.17(3)(f)), but adult's cards do not. This has not been justified as having any connection with tax or social security fraud. The Joint Select Committee saw this as:

... clearly directed at law-enforcement applications such as curbing under-age drinking. This sets a precedent for other areas of law-enforcement...[11]

Is it realistic to believe that the production of identity cards by children to adults in authority to prove their age will be `purely voluntary'? The next generation of children may be accustomed to always carrying their Cards, to get a bus or movie concession, or to prove they are old enough to drink, so that in adult life they will regard production of an ID card as a routine aspect of most transactions.

Confiscation of Cards and blacklists'

Where a Card has been produced `voluntarily', Clause 170(1) prohibits the retention of the Card. This seems to prevent Police or others from confiscating a person's Card. However, there is no equivalent prohibition where a Card is produced pursuant to a requirement for its production, except that it is an offence to be in possession of another person's Card `without reasonable excuse' (cl. 165(2)). Would a suspicion that there was some irregularity concerning a person's Card be `reasonable excuse' for a Health Insurance Commission employee, or a bank, to confiscate the Card? The Health Insurance Commission proposed that `lists of lost or stolen Cards be given to banks and financial institutions'[12], and this may explain the discrepancy.

Disclosure and use of the Number

Limits on the use of the Number after production of the Card

Where a Card is compulsorily produced, enforcing organisations are prohibited from communicating a person's Number or other information from the Card to anyone else unless authorised by the Bill (cl. 170(1)). They are also prohibited from recording information from the Card except as necessary to comply with their obligations under the BIll (Cl 170(4), and from retaining it longer than necessary (cl. 173).

No limits on the use of the Number alone

Where a Card is `voluntarily' produced, the person to whom it was produced may record the fact that it was produced but may not record or communicate any information from the Card, including the Number (Penalty: $5,000) (cl. 170(10)).

This limitation does not apply to anyone who requests, or even requires, people to disclose their Numbers, provided that the Card is not produced to them. No other provisions in the Bill prohibit the disclosing or recording of a Number, or its communication. Any credit-grantor, insurance company or other private sector body, and any State or Commonwealth Government agency, can therefore require a person to disclose his or her Number. Questions may be included in application forms or asked verbally. The Number may then be recorded in any record-keeping system, and it may be communicated to anyone else.

The fact that the Number cannot be verified from the Card when obtained is not vital. Next time that the person deals with the body, it can request the production of a Card, and can then, consistent with cl. 170(10), `record the fact that the Card was produced', thus serving as verification that the Number given previously was correct. Any possible difficulty disappears if two different organisations undertake the two steps. This could easily occur in the credit industry where people are likely to deal with successive credit or insurance grantors, each of which provide reports to and obtain reports from the same central credit bureau. A person's verified Number could then become available to the whole of the credit and insurance industries.

The consequences of this `loophole' are that there is no effective limitation on the spread of the Number as a method of matching records held by different organisations in the private sector. Once a person's number has been obtained by some private sector organisation, by being `severed' from the use of the Card in the circumstances outlined above, it may be communicated to any other organisation and used for any other purpose. In effect, the Bill ignores the fact that for many organisations it is the unique, universal identification number, not the Card, which is the primary attraction of the system.

This stands in a shabby contrast to Government promises to `prohibit both demand for, and use of, the number to establish private data bases (for example, credit rating files)'[13], and that offences would include `making an unauthorised request for [the Number] or the Australia Card and the creation of information data bases by private enterprise recording the number with other information'[14].

Government intentions concerning unauthorised uses of Card and Number

The Government has an attitude of indifference to the use of the Card and the Number by the private sector and State agencies. Limits on the powers of the DPA confirm this.

If the Government seriously intended to limit or discourage the spread of uses of the Card and Number, it would :

(i) prohibit any unauthorised production of the Card;

(ii) prohibit any unauthorised request or requirement of disclosure of the Number;

(iii) remove date of birth from children's Cards.

Its present approach is a hypocritical mixture of prohibition and facilitation.

The Australia Card Register

The Authority 's computerised Register (cl.23) must contain, inter alia , a person's name at birth or on arrival in Australia, current name, nicknames, aliases, dates of birth and death (and cross-references to the BD&M Register), sex , citizenship status, all residential and postal addresses for the last two years, Australia Card Number, and the computerised storage (`digitised image' ) of the person's photograph and signature (cl. 25(1), Schedule 1 ). Such a universal and comprehensive identification and location register is unprecedented.

In addition, the Authority is to include in the Register information which will permanently and continuously link it to the personal data systems of most other Commonwealth agencies and to the BD&M register, and some potential linking linformation to the record systems of State agencies. Such linkages will mean that most technical problems in linking such agencies to the Register will already have been overcome, if and when it is decided to expand the legal connections.

Surveillance: permanent links to other Commonwealth agencies

The Authority is entitled to be provided with information for the purpose of the intitial establishment of the Register, by the following agencies (`Clause 14 agencies') in addition to the three with access to the Register: Defence Department, Department of Veteran's Affairs, Department of Education, Department of Foreign Affairs, Department of Immigration & Ethnic Affairs, and Australian Electoral Commission (cl.14(2) & (4)).

It is also entitled to be provided with information by these agencies `for any other purpose related to the performance of the Authority's functions under this Act' (Cl.14(1)). Since the Authority's functions clearly include the ongoing maintenance of the accuracy of the Register, it is entitled to receive information from these agencies on a continuing basis. Clause 14 agencies could be required to provide details of any changes to address, marital status etc of every person on their records on a regular basis.

The Register will record `details of access' to the records of any Clause 14 agencies (Sch. 1, Para. 2(w)), and will therefore constitute a permanent link between the Register and these agencies. The Register may contain information relating to any systems the Authority has for checking the continuing eligibility of persons from Cl. 14 agencies (cl. 25(2)).

Whether the information may flow the other way, from the Authority to a Clause14 agency, is less likely, but possible under one interpretation of the Bill.

Links to the records of State agencies

The Register will contain the `nature of documents (if any) produced to establish identity' (Sch. 1 para. 2(u)). Such documents will commonly include Driver's Licences and documents issued by other State agencies. If such State agencies are later allowed access to the Register, the presence of such details on the Register will facilitate the matching of their records with those of the Register.

Access to the Register

Although only three agencies are entitled to have access to the Register under the present Bill , it should be emphasised that from the inception of the scheme the Government planned to allow access to most significant Commonwealth agencies , including all of those under cl. 14. It has been argued that the Bill's restriction of access to three agencies was merely a `strategic retreat'[15]. The Minister for Veteran's Affairs has recently renewed publicl advocacy for access by his Department.

The rest of the Bill is in terms that do not refer to particular Departments. In order to expand access, all that would be needed would be simple amendments naming the new Departments with access.

In addition, the Department of Immigration and Ethnic Affairs may also obtain regular reports from the Authority on the latest known address of any suspected prohibited non-citizens (cl. 180). Such a device allows the Government to claim that only three agencies have access to the Register, and establishes a precedent for `back-door' expansion of access.

`On-line' remote computer access to the Register may be provided (cl. 59), but the DPA has the right to decide how many employees of each agency it is `reasonably necessary' to allow such access (cl. 65). Terminal access to the Register from all branch offices of the agencies with access is essential to the scheme, so the number of public servants to be given access must number in the thousands.

The surveillance mechanism

The three agencies with access may be required by the Authority to inform it whenever they obtain any new information about a person about whom the authority is interested (cl. 29). The complement to this is that the Authority may enter into an arrangement to inform each of these agencies in relation to persons or classes of persons in whom the agency is interested, whenever the Authority obtains new information about one of those persons (cl. 67). This complementary automatic reporting relationship is a basic component of any system of data surveillance. In cases of tax or social security fraud, the most valuable new information may be the new location of a person. Cl. 174 increases the effectiveness of the Register as a location system by allowing the Authority or the agency to disclose to the Police `information reasonably required for the investigation, or prosecution of an offence' [emphasis added] under tax, social security or immigration laws.

Most people have good reasons to provide regular address updates to Medicare (to obtain health insurance benefits), or to give their correct address to the many institutions which will now have to report to Taxation, and some people need to make regular contact with DSS. The Register will therefore have a powerful self-enforcing means of maintaining itself as the only comprehensive and accurate address register ever established in Australia. For those who wish to locate a person - for whatever reason - it is `one-stop shopping'. The Register is therefore significant as a powerful location mechanism, not merely an identification system.

For example, Social Security may advise the Authority that it wishes to be advised of any changes to a person's address (cl.67), so as to have that person arrested for suspected social security fraud. The Authority then `flags' that person's name on the Register. When that person presents to a Health Insurance Commission office to obtain a health insurance benefit, it will inform the Authority of the person's new address (cl.29), which passes the information to Social Security because of the `flag' (cl.67), which is authorised to disclose it to the Police (cl.174). In fact, because the Health Insurance Commission may advise the Authority of the person's presence in their office by virtue of processing his claim on line, these clauses would theoretically allow the whole process to be short-circuited, and for the Police to arrest the person before he or she left the Health Insurance Commission office.

Taken together, these clauses establish the preconditions for the most powerful use of data surveillance, cross-system enforcement. This would occur if, for example, later legislation allowed Social Security or Medicare benefits to be denied to any person who had certain unpaid tax liabilites. Without the mechanisms established by the Bill, such enforcement methods would be practically impossible. The result would be that a person's dealings with one agency of govenment would become the occasion of the enforcement of that person's obligations to other agencies of government. This process of cross-system enforcement would reduce the extent to which people can perceive government as comprised of agencies of manageable scale with which to deal, and would increase perceptions of powerlessness and the belief that `government' is a monolithic, omniscient entity. It is a powerful instrument, open to authoritarian abuse.

Controls on access and uses of information obtained

Agencies with access to the Register are prohibited from disclosing information obtained thereby to others, unless that person is performing duties for the same purpose for which access was obtained (cl. 170(2)). However, such legitimate recipients of the information do not then seem to be prohibited from doing what they like with the information. Reliance on general confidentiality provisions within the public service is not enough. There should be specific equivalents to cls 170 and 173 applying to recipients of the information.

The National Births, Deaths and Marriages Register

The Authority is to establish a new computerised National Births, Deaths & Marriages Register (`the BD&M Register') (cl. 71), intended to be located on the same computer as the Australia Card Register, and accessible by remote terminal access (cl. 75(2)).

The Bill does not exhaustively limit the possible contents of the BD& M Register (cl. 73), and the objects of its establishment are broad enough to make its potential contents uncertain (cl.69).

The Authority is entitled to access to the BD&M Register to create and maintain the Australia Card Register (Cl. 76). Cross-references to entries in the BD&M register will create a continuing link between the two Registers (Schedule 1, Paragraphs 2(t) and 3(a) ), and will allow the Register to be continually updated from the BD&M Register in relation to birth, death, and change of name (including by marriage) details.

The only other Commonwealth agencies permitted access to the BD&M register by this Bill will be the Department of Foreign Affairs, the Australian Bureau of Statistics (ABS), and the Department of Health for epidemiological studies. There are no similar limits on the access that States may allow to the BD&M Register. The Minister may make an arrangement with each State by which the State may authorise anyone to have access to its part of the BD&M register, provided only that such access is for the purposes of administering State laws (cl. 83). This will allow States to authorise remote terminal access by State officials such as Police, officials of other States (cl. 83(6)), and private sector organisations, such as credit bureaux and insurance companies, provided that this is linked to the administration of a State law.

The co-operation of the States in providing BD&M information is very important to the Commonwealth in verifying the issue of Cards and in maintaining the accuracy of the Register, particularly in relation to deaths. The Minister for Health has expressed confidence that the States will co-operate because they are `infinitely bribeable'. Unrestricted State access under cl. 83 is presumably part of the bribe.

The inadequacy of the controls on use made of information obtained from the BD&M Register is the same as that discussed in relation to the Register (cl. 170(3)). The Bill does not give people any right to obtain access to their own records on the BD&M register. This is presumably regarded as a matter for the States.

The States have no data protection statutes equivalent to the Bill or the Privacy Bill 1986 (Cth). The lack of control over accesses authorised by the States could be a major contributor to the extension of the surveillance uses of the system. Such accesses are also left untouched by the DPA, as mentioned below.

The Data Protection Agency

The Data Protection Agency (DPA) will have substantial powers over many elements of the proposed scheme, but these powers are deficient in a number of respects which will limit its ability to control the development of the surveillance potential of the scheme.

Although the DPA has power to issue guidelines, and where necessary give directions for compliance with them, concerning many aspects of Register use (cl. 88(1) (j), (m)), there are no further provisions concerning the giving or enforcement of such directions, putting their enforceability in some doubt. The DPA is merely required to attempt to conciliate (cl. 138).

The DPA only has power to issue guidelines, but not give directions for compliance, concerning the use and recording of information obtained from production of a Card to anyone, including those who only request production of the Card (cl. 88(1)(g)). It has no powers at all concerning those who request or require the Number but not production of the Card.

Similarly, while it can issue guidelines on uses of the BD&M Register by Commonwealth agencies, it cannot do so in relation to users authorised by State and Territory Governments (cl. 88(1) (h)(iv)), (k), (n)).

It has powers to maintain and publish annually a record of all computer databases maintained by the Commonwealth which contain personal information (irrespective of whether they contain information from the Register or the BD&M Register) (cl. 88(1)(s)), but no similar powers in relation to State and private sector databases which record the Number.

In exercising its powers, the DPA is required to `ensure that its directions and guidelines are consistent with the Information Privacy Principles' contained in the Privacy Bill 1986 (cl. 90(d). Because these Principles have crippling limitations, this requirement may, paradoxically, weaken the powers of the DPA [16]. Agencies might be able to use the Information Privacy Principles as a shield to protect them from the DPA under some circumstances.

A separate Data Protection Advisory Committee is also established (cl. 104) to advise the DPA, except on any of its powers to make decisions, review decisions of the Authority or give directions to the Authority . The DPA's supervision of the Authority will therefore be left untouched by advice or interference from `community representatives'.

An authoritarian surveillance system?

The extent to which elements of the Australia Card Bill exhibits characteristics of data surveillance is summarised in the Table `Building blocks of surveillance in the Australia Card Bill' . Data surveillance is used in many acceptable and essential ways in our society for purposes of social control, but it may create the potential for a new type of authoritarianism, the authoritarianism of the computer and the behavioural scientist[17].

A universal identification system, no matter how attractive its potential benefits are, and no matter how fairly its designers succeed in making it operate, may pose so great a threat to liberty because of its potential for misuse that it is not worth the risk to create them in the first place. The risk involved is that such a system would be the principal tool of an authoritarian state[18] based on surveillance of individuals through recorded transactions. Such an authoritarianism would not be based upon physical surveillance of dissidents or potential dissidents by networks of informers or surveillance of communications, as it was in Orwell's 1984 , but on data surveillance. These characteristics would not necessarily constitute a `police state', but would constitute an unacceptable and probably irreversible concentration of power incompatible with our conceptions of democracy and privacy.

The risks for Australia

What is at stake is nothing less than the nature of our society and the power and authority of the state in relation to the individual....The danger of the new surveillance is that all this will change.[19] (Justice M.D. Kirby, President of the Court of Appeal)

The Australia Card system establishes the framework or prototype for a system of data surveillance. It can be developed into the modern equivalent of making a person an `outlaw'. The Australia Card Bill embodies this approach to social control but does not develop its full authoritarian potential. It would be wrong to simply assume that such authoritarian potential will be realised here. A full comparison of the potential risks and benefits is beyond the scope of this article, but I will outline my concerns to conclude.

Without some form of a universal identification Number and a central population Register, an authoritarianism based on data surveillance is unlikely to develop. The likelihood of it developing from these two components is neither inevitable nor impossible. If a political regime of the future was disposed toward extensive data surveillance, and lacked effective political opposition, it would have the necessary tools at its disposal in the form of the `Australia Card' scheme.

The scope of the scheme is likely to undergo gradual expansion . It has always been the intention of the main bureaucratic proponents of the scheme that it should be used to link the personal data systems of all significant Commonwealth agencies, on the grounds of administrative efficiency[20]. The Bill facilitates such expansion, as this article has sought to show. Demands for expansion of access to the Register by State agencies and private sector organisations may be politically difficult to resist.

Can we be confident that the future will not see changed social conditions bringing a potentially authoritarian government beyond what we can now envisage, with uses of the surveillance system which will not be so benign? Australia has been a 'lucky country' in its continuity of democratic government and freedom from foreign occupation, but the history of this century shows that it can be dangerous to assume that your luck will always hold out.

Resistance to authoritarian extension of surveillance would be increasingly difficult, because of extensions of the system and its use for socially essential purposes. No constitutionally entrenched protection from abuse is possible. While the strength of democratic controls on misuse of power in Australia's political system for any immediately foreseeable future should ensure that no such extreme abuse occurs, it is impossible to predict any further than that. Information technology is a new and powerful technology which is still developing rapidly and providing techniques for the exercise of power which will be ill-understood for some time. The scale of potential risk involved in establishing the 'Australia Card' scheme is therefore very high, even if the likelihood of that risk eventuating is assessed as low. The additional net benefits to be obtained from the scheme, if compared to the benefits available from alternative approaches (such as a more secure and more extensively used Tax file number) are not overwhelming[21]. The benefits to be obtained do not justify the degree of risk involved.

This is an essentially conservative argument, but there are some things that it is best to be conservative about. As Rule has warned, the social technologies of surveillance may be among those forms of human control of the natural and social worlds `so sweeping that their development is better untried'[22]. Once we let the genie out of the bottle, we will never persuade it to return.


15 types of compulsory production

Components & participants in the `Australia Card' scheme.

Building blocks of surveillance in the Australia Card Bill