Ms Anna Burke (Chisholm, Australian Labor Party) Share this | Hansard source

The Human Services (Enhanced Service Delivery) Bill 2007 is the much anticipated high-security chip based replacement for the existing smartcard of the previous Minister for Human Services. In a speech to the Press Club last November, the member for North Sydney said:

Human Services is now established as a viable, dynamic department that is constantly looking at better, simpler and more secure ways for Australians to do business with their Government.

At the same time, it has become abundantly clear that the current system of health and welfare entitlement cards is becoming increasingly insecure and open to fraud. The Medicare card in particular is cheap and easy to copy. The AFP estimates Medicare cards are now involved in some way in more than 50 per cent of identity fraud cases.

So what have we done? The Government’s response has been to begin work on replacing our 17 health and social welfare cards and vouchers with a single smart card that has become known as the Access Card. Smart card technology is something Australians will become very familiar with over the next few years.

He went on to say:

Put simply, smart card technology is safer than the traditional cardboard and magnetic strip cards most Australians carry around in their wallets because a microchip is more secure and harder to copy. Smart card technology offers greater privacy because it allows users to display less information on the face of the card. This means more information is kept out of the immediate view of any unauthorised person.

The bill before us proposes to spend $1.4 billion over four years to realise the vision of the previous Minister for Human Services. While some of us might disagree that the Department of Human Services is now a viable, dynamic department, we probably do not disagree with the vision that was set out in that speech. It is probably a valid vision to get all the cards into one card and into a viable technology that protects people from identity fraud, and smartcard technology can do that. The tragedy with the bill before the House is that it does not live up to the vision as outlined. There are too many flaws within this bill and the old adage that the devil is in the detail has been entirely neglected. If you are going to do something that is so progressive then you need to do it right, and you need to do it right the first time, because the horror of introducing this card and then discovering that you have sold everybody’s identity down the river is too horrible to contemplate. So I commend the amendment moved by the shadow minister in this place and ask: why the haste to introduce a bill and a system that needs greater detail and greater finetuning?

I want to address two areas of concern in my speech this evening that have been left exposed by the lack of detail in this bill. These areas of concern are not being raised by the ALP alone. In our corner we have the AMA, Professor Fels, the government’s own adviser, Liberal backbenchers and indeed some Liberal frontbenchers. The contractor is seeking a bid from the department to supply the system, and numerous other privacy experts have raised concerns about the introduction of an access card without proper safeguards. I think it is the height of audacity that the tender process has already gone out for this system when we have not even introduced the legislation into this place. But the tenderers for the system for the database implementation have raised numerous concerns, and I want to address one today.

The first issue I wish to raise is the security of the information on the register. There is currently no guarantee that collection, storage and maintenance of the information needed to create the database which forms the basis of the access card will not be outsourced. Companies tendering for contracts to administer the system may even outsource the database to offshore entities, where we know personal data cannot be guaranteed protection by Australian privacy laws. A quick look at work undertaken by the Finance Sector Union on offshoring in the finance sector paints a stark picture of what people think and fear about their personal information going offshore. If there is concern about banking details being in the hands of an Indian operation, what fear would the general public have about their very identity being handled by overseas operators?

What do I mean by ‘offshoring’? There is an increasing global trend for companies to relocate various parts of their operation to locations outside the country where the service is being delivered. This practice is sometimes referred to as offshoring. The greatest trend in offshoring has been in the area of computer databases. It could easily be done in respect of this card if particular legislative protections are not put in. The work by the FSU states:

All levels of Government in Australia should set an example by ensuring that government outsourcing of contracts include a provision that work will not be moved off-shore. 88% of people surveyed believe that the Australian Government should be forced to keep jobs in Australia.

A recent public poll of Australians conducted by McNair Ingenuity found that 96% of Australians believe that Australian companies such as Westpac have a responsibility to invest in Australian jobs and skills.

In 2004, 85 per cent of people polled said they would express concern if their information were to go offshore.

In 2004 there was no data protection legislation in India. I think that is still the case today. This lack of protection may expose customers to an increased and unknown risk. Some of you are already exposed to that risk and do not even know it. The risks of cyberfraud are beginning to emerge in places such as India, where large numbers of call centres and bank office processes are being located, through offshoring. People described as ‘data-harvesting brokers’ have offered personal details for sale. Consumers have benefited from advances in technology. However, these advances also carry risk. Vast amounts of personal and financial details are processed and stored every day. Given the increase in identity fraud and computer hacking, the importance of data security cannot be overstated.

In the McNair research, 85 per cent of people expressed concern about their personal information being stored overseas. In Australia there is currently no requirement for companies to disclose where their services are being provided or if personal data is being held offshore. The majority of customers polled in the research felt that companies should tell them if they have provided customer service from an offshore location. A logical comparison is labelling laws for various products, under which companies must state the country of origin so that consumers can make an informed decision. A recent poll of Australian consumers conducted by the FSU found that 90 per cent of respondents preferred their data to remain in Australia, while 80 per cent believed the government should take action to protect their information.

The principle of right to know has been adopted in France, and legislation has been introduced in several states in the United States. The right to know was also ALP policy in the 2004 federal election. One grave concern is the notion of the outsourcing of your privacy. The legislation does not cover this loophole, and I think it is a glaringly obvious flaw in what we are doing. The banks have also warned on this issue of privacy law. An article by Emma Connors in the Australian Financial Review on 10 October 2006, entitled ‘Banks warned on privacy rules’, stated:

Australia’s banks are steadily ramping up offshore processing activities, prompting warnings from the federal government that the financial services industry will be held responsible for any data spills or privacy breaches involving Australian customer information sent overseas.

Federal Treasurer Peter Costello said yesterday Australia’s privacy laws and the banks’ fiduciary duty to act in the best interest of those whose assets they manage meant the banks were not entitled to disclose any personal information without the permission of customers.

“If there is a bank that is exploiting some loophole or breaking that law, then I will refer it for prosecution,”—

the Treasurer told Alan Jones. The article continued:

He was responding to a report that the Australian Bankers’ Association had circulated a seven-page document that advised banks on how to avoid a consumer backlash by not telling customers that personal data had been sent overseas.

The ABA later released a statement in response to the Treasurer’s comments which said it did not think there was “any evidence of inadequacy (or loopholes)” in the regulatory framework. It noted that many banks around the globe will perform some functions overseas and “by definition, this means overseas providers will have access to the data needed for that service.”

Further on, the article stated:

Attorney-General Philip Ruddock said yesterday he was concerned about the security of account information transferred by Australian banks offshore.

He said Australian organisations were obliged to ensure any information passed on to employees or contractors in other jurisdictions was effectively protected and warned any breaches could be investigated by the government’s privacy commissioner.

That is not actually the case; it is not actually the situation at hand. If your information has been sent off overseas and you do not know about it, how do you know that there has been a breach? And what law actually covers that data when it is overseas? Is it protected by Australian legislation or by that of the country where the data has gone to? Is it protected by Indian privacy laws? To the best of my knowledge, they do not have any, so what is happening?

If, in respect of this legislation, the information on your access card is not protected and can go offshore, that is a severe risk and a severe concern. I think the Australian public would be outraged to discover that there has been no protection put into this legislation to ensure that their very identity is being protected. What privacy would be afforded all Australians if there were no protection against the information on access cards being sent overseas? I would like to know, and I am sure the public would also. The public needs greater privacy protection before any access card can be issued and legislation that guarantees that databases supporting the card cannot be offshored.

The FSU has been calling for action on offshoring for many years. They have a four-point plan, which is to:

1) Require that contracts to perform work for the Australian Government agencies include a condition that the work cannot be sent off-shore.

2) Call on governments to convene tripartite industry summits to map out a future path for Australian industries ...

3) Introduce laws that ensure that no financial or personal information is sent off-shore without the express permission of the consumer.

4) Introduce laws that require service providers to disclose the country where their work is being performed at the time of the transaction.

I endorse these measures. I particularly endorse the measure that requires a contract to perform work for Australian government agencies to include a condition that work cannot be sent offshore. If we do not have that protection, we have no protection in this database. The access card is being introduced at a time when the Law Reform Commission is conducting a review into the Privacy Act 1988. Surely this review will bear greatly on the introduction of this card. Why not wait to receive the outcome of this review, which is not reporting until March next year? Why introduce this card which could compromise the identity and privacy of all Australians?

The other issue I wish to look at briefly is that of medical details on the access card. This truly clouds what the card is to be used for. Is it to be for dealing with government agencies or is it about medical alerts? This is a dangerous area, one fraught with many issues. If you do not update that medical alert on a constant basis, the information being accessed in an emergency could be inaccurate. Also, who would have access to that information? There has been a lot of discussion within the insurance industry about the information you can get about a person’s health or genetic make-up. Could that information be used when you are going for a job? Could it be found out that you are a hepatitis C sufferer and, therefore, by virtue of that information on the card becoming public, an employer will not take you on?

I think this is an area absolutely fraught with danger, and it needs to be clarified now and not added on as some whimsical prayer that says, ‘Cardholders may choose to do this.’ It is not that simple. It is not that easy. What happens if it becomes a sort of standard form for all ambulance officers attending at a scene to say, ‘I’ll get the card and I’ll screen it’? If you do not have a card, they will not know and they will not treat. It is absolutely fraught with danger, and no-one has thought through the ramifications of this.

We have just ordered a medical alert bracelet for my son because of his severe allergies. Does this legislation mean that, because my child would necessarily be on my Medicare card, if he has an allergic attack at school, somehow they have to find me to scan the card to find out about his severe allergic reactions? It does not add up. What is this card? Is it meant to be all things to all people or is it meant to be about an access card and information to deal with government agencies? You cannot keep adding bits and pieces to it. You have to define what it is and work out how to do it, but you keep adding these things.

The task force chairman, Allan Fels, said to the government that it had to consider the introduction and whether the information was to be held for medical emergencies or for the convenience of the holder, who may, for example, want to carry a list of their medications. What is the issue with this legislation? It needs to be clarified. It needs to be far clearer than it already is. Again, there are just too many serious flaws in the bill before the House. While the vision may be one thing, the reality and the introduction are another.

See this speech in context