House debates

Wednesday, 15 May 2024

Bills

Digital ID Bill 2024, Digital ID (Transitional and Consequential Provisions) Bill 2023; Second Reading

12:02 pm

Photo of Kylea TinkKylea Tink (North Sydney, Independent) Share this | Hansard source

You know, the world's become such a complicated place. Often what's sold to us as something that's designed to make life easier does anything but. There was a time when if you had a paper copy of your birth certificate, which had probably been issued to you by the local magistrate, your identity was assured. But in an increasingly digital world, our legislation must not only keep up but, ideally, stay ahead of change.

As we digitise we have a responsibility to protect the privacy and personal information of every Australian. And ultimately, our digital ecosystems must protect against major data breaches that expose millions of Australians to identity fraud and scams. Australians are increasingly transacting online and new cyber-risks are emerging. They do, in this way, highlight a need for a secure way to verify your ID online and use that ID to access trusted services. But as we work towards this, we must also ensure that we are very focused on protecting privacy and personal information as tightly as possible. There can be no compromise.

We also need to ensure that we don't leave large segments of our community behind, nor fundamentally erase what I think is essential for a healthy, fully functioning society, and that's human contact. Digital ID systems do present an opportunity for improved convenience in accessing services and facilitating economic advancement through the use of such technology. Australians having access to a safe, secure and convenient way to prove who they are online, to enable them to access more services and businesses from the comfort of their own home, is a good thing, but it requires strong accompanying legislation that upholds privacy and other human rights, and there have been valid questions from right across our communities, particularly from mine in North Sydney, as to whether this bill achieves that. My community in North Sydney have expressed very real concerns about this bill. I've heard from my constituents that they're worried this legislation risks their personal freedom and privacy and provides institutions and governments with too much power and control over their personal information.

Just a couple of week ago, with the support of the North Sydney ageing-while-working group, I hosted a scams awareness event, with Scamwatch and Lifeline, so my community of North Sydney could learn more about what's currently going on. What really struck me was the level of very real and deep fear that was evident across those from my community who attended that seminar. There weren't just questions like 'Who's scamming me?' More fundamental than that, there were anxious questions that related directly to: 'Who can I even trust to help me navigate this system?' During that forum my community learnt that last year the ACCC reported that a total of $3.1 billion—that's right, $3.1 billion—had been lost due to scams in the previous 12 months, and the over-65 age cohort accounted for around one-fifth of those total losses. Clearly, communities are increasingly vulnerable to scams, particularly our older population.

An effective ID system, then, undoubtedly has the potential to provide convenience for users and enhance the security of personal information. For businesses, initiatives like this bill will in theory mean a simpler way to verify their customers, access to a market of accredited digital ID providers, and peace of mind for their customers. For entities offering digital ID services, the bill will provide a nationally consistent set of standards they can be accredited against and give them greater awareness and access to government agencies and businesses requiring identity services. For the government, the bill improves security and streamlining processes across agencies—or so it's argued—making it easier for Australians to access more government services and decreasing the risk of identity fraud. For individuals, the bill should extend privacy protections beyond those already in the Commonwealth Privacy Act, which in turn should strengthen the safeguards to protect personal information.

But where data is gathered en masse there will always be a target for those that wish to abuse it. For example, any entity that becomes accredited for the scheme must adhere to additional privacy safeguards that go beyond those in the Privacy Act. Key among those safeguards are prohibitions on the use of single identifiers, a prohibition on disclosing information for marketing, and restrictions on the collection, use and disclosure of biometrics and other personal information. Importantly, the Information Commissioner will have the power to make sure those safeguards are provided. I do welcome the inclusion of a maximum civil penalty rate for privacy breaches and liability provisions for cases of noncompliance; however, the privacy law provisions could be further strengthened under this legislation.

The external oversight mechanism included in this bill is welcomed, as is the expert panel to provide independent advice on the system. These measures will contribute to the integrity and accountability of the digital ID system. For the user, it's encouraging that this bill enables choice. The decision to use digital ID is voluntary, and parties cannot require participation as a condition of service, but the voluntary nature of this system is critical and should not be understated. Concerns have understandably been raised as to whether people who choose not to participate will receive the same level of service as those who do and whether, over time, that option will be quietly faded into the background.

This bill has great potential to be a positive thing for our community, but it must protect the best interests of the individual and uphold human rights. The amendments to this legislation made in the Senate have addressed some of the issues raised by my community, but there remain concerns, namely the gaps in the overarching privacy laws in this country and the ability for law enforcement to access personal information. Ultimately, the privacy provisions in this legislation are a continuation of the piecemeal and deeply unsatisfactory approach to strengthening Australia's privacy laws whereby bits and pieces are tweaked here and there rather than the privacy law framework as a whole being strengthened.

At the international level the right to privacy is protected under article 17 of the International Covenant on Civil and Political Rights, and this is enshrined in other human rights treaties to which Australia is a party. Yet, without decent human rights protection under domestic law, privacy in Australia is yet another area lacking adequate protection at the domestic level.

The Attorney-General's Department review of the Privacy Act between 2020 and 2022 concluded that it's necessary to overhaul Australia's privacy laws, as many other countries have done, to ensure that our laws remain fit for purpose in the digital age. The government's response released in February last year committed to privacy law reform in Australia—reforms that would ensure Australians can be more confident that their personal information is being protected appropriately and that action will be taken where entities fail to manage personal information appropriately. Yet, despite a clear expectation that the government would act accordingly, no proposed amendments to the Privacy Act have been made public. Instead, extensions of privacy protections have been made under multiple pieces of legislation, including this one, when, ideally, reform of the framework at large would have come first.

The Privacy Act overall is outdated, and it lacks the robust protections we need in today's digital landscape. Australia's privacy laws are fundamentally not coherent, with experts from Allens Hub at the University of New South Wales finding we have around 40 different privacy regimes across Australia, both federally and at the state level, with many carveouts within those laws. We need one strong Privacy Act, and ideally we would have had that act before these bills were introduced to ensure that all necessary safeguards were in place and that any potential loopholes were closed. I call on the government, therefore, to prioritise that reform. Do the big work before we start fiddling around the edges.

Back to the specifics of the bills before us. Another aspect of significant concern to the community of North Sydney is broad access to personal information by law enforcement agencies. An enforcement body, as deemed by the Privacy Act, includes criminal enforcement agencies and other bodies such as the Department of Home Affairs and bodies with the power to issue civil penalties or sanctions. Personal information can be disclosed when an enforcement body has started proceedings against a person for an offence against the law, including minor penalties or sanctions. While this has been debated and amended in the Senate, it's still unclear when personal information might be disclosed to law enforcement. People in my community have literally asked me, 'Will my personal information be able to be accessed by the police if I have received a parking fine?' People are clearly afraid of adopting digital ID if it opens them up to law enforcement access for minor crimes or misdemeanours. I reiterate calls for law enforcement access to be restricted to serious crimes only and for clear messaging around what justifies that access.

Additionally, the voluntary nature of the system raises concerns that will need to be addressed to ensure public trust in the system. Choice is only meaningful if there is an assurance that people will not be disadvantaged if they choose to retain current methods of identification. Those who choose not to participate or have limited ability to participate because they don't have access to wi-fi for two-factor verification must be guaranteed equal entitlements and access to services, because not everyone will have equal access to digital ID. This includes individuals living with disability, the Indigenous communities living in and around our rural and remote Australian regions, living without the financial means to access technological devices, and older Australians with lower digital literacy—just to name a few groups. I understand that provisions for accessibility are included in the legislation, but this point must be emphasised. It's crucial that service providers are held to account for the services they are providing and that assurances are put in place that no-one is being left behind, whether they choose not to participate in the scheme or they're not able to participate in the scheme for other reasons.

The statement of compatibility with human rights attached to these bills states: 'The voluntary nature of this scheme ensures that the adoption of digital ID systems by service providers does not impede the accessibility of services for individuals. The choice to use a digital ID to access the service will not replace existing options, and that existing alternative channels such as the telephone need to be maintained as alternatives.' I say this is a positive thing. But it's also idealistic to rely on the trust in service providers rather than to have strong measures in place within the bills to ensure those measures are enacted and compliance is tracked. Where service providers, particularly government services, are already at capacity and are difficult to access—I don't know if those who drafted this legislation have tried recently to contact a Services Australia office—the sustainability and quality of these other services should be guaranteed under this scheme. These services must not reduce access to face-to-face appointments, nor to phone services upon uptake of a digital ID system.

Ultimately, this bill does much to move us forward. But we need to move forward with caution, consideration and compassion. It is a significant piece of legislation that serves an important purpose in strengthening privacy safeguards, but the best interests of the individual must be paramount in the design of the scheme. The government has a responsibility to ensure the strongest-possible protection of personal information and privacy, and for personal autonomy to remain. It's crucial this bill is strong, it's crucial this bill is transparent, it's crucial this bill is future-proof and, fundamentally, it's crucial this bill is designed for the humans that it will impact. Thank you.

Comments

No comments