Privacy Law and Policy Reporter
The ''Elliott Committee' (Chaired by Mr R P Elliott MP) has prepared the first detailed parliamentary report on methods of combating fraud against government since a committee of public servants prepared the influential Review of Systems for Dealing with Fraud on the Commonwealth (AGPS) in 1987, and the first since the passage of the Privacy Act 1988 (Cth).
The Elliott Committee supports the basic thrust of the 1987 report, in light of which ''the government totally changed its fraud control policy' so as to make managers responsible for dealing with fraud against their programs, both by preparing fraud control plans and by prosecuting more minor offences. The Committee seeks to reinforce this approach by supporting increased accountability of agency managers for effective implementation of such plans, and an increased role for internal audit and the Australian National Audit Office (ANAO). It criticises the lack of basic information on the nature and extent of fraud which is available at agency level (let alone Commonwealth wide) and recommends enhanced data collection and analysis systems.
The Law Enforcement Access Network (LEAN) is a proposal (arising indirectly from the 1987 report) to create, within the Federal Justice Office of the Commonwealth Attorney-General's Department, one central database combining Australia-wide land ownership data, company records (derived from the ASC), and business names records, almost all of which are publicly available in some form. Commonwealth, State and Territory government agencies with responsibilities for law enforcement and protection of revenue (that is, a very wide range of agencies) are to have access to the data for investigative, data-matching and other data surveillance purposes. The LEAN system is to have sophisticated search capacities such as ''fuzzy matching, weighted matching and alias tagging' which are generally not available on the systems from which the data is sourced. The Elliott Committee has not found specific parallels to LEAN in any overseas systems.
LEAN requires land and business names data which is controlled by State and Territory governments, whose agreement has not yet been forthcoming. For that and other reasons the Commonwealth government deferred the introduction of LEAN in the 1993-1994 budget cycle, reducing its staff from 15 to five and its budget to no more than $2 million for that year. The Elliott Committee noted with concern that this situation had developed to the stage where the States and Territories had been offered financial incentives to finalise this aspect of the scheme. The Commonwealth Attorney-General has proposed that the issue of State and Territory participation be resolved at the next meeting of the Standing Committee of Attorneys-General (SCAG) in February 1994.
The Elliott Committee's first report Matching and catching: report on the Law Enforcement Access Network (AGPS, November 1992) was delivered a year ago. The government has not responded to the issues it raised, but LEAN has proceeded, so the Committee has re-considered and re-stated its position in light of new information and developments.
The Elliott Committee comments that the evidence presented to it by the Attorney-General's Department ''demonstrates the analysis is limited', and is based on 1991 data. It notes that the Defence Department has already found alternative ways to achieve the same savings. It comments that the ANAO's Audit Report Department of Social Security: data-matching (noted in this issue) has ''seriously brought into question the accuracy of the expected savings from data-matching activities'. It questions whether LEAN is any longer ''at the cutting edge of technology'. It concludes that ''the Committee has not been presented with any evidence to dissuade it from its initial view ... that the cost-benefit ratio of the LEAN project in monetary terms is not substantial', and recommends ''as a matter of priority, the need for the LEAN facility to be reviewed and a new cost-benefit analysis using up-to-date data be prepared, by an independent consultant, with the results made public immediately'.
The Committee goes on to consider issues which will arise if LEAN proceeds. It considers that it should only do so on the basis of Commonwealth legislation governing its operation, which should be introduced as a matter of priority. It adds that all aspects of the final Memorandum of Understanding (MoU) for both data suppliers and data users should also be publicly available before any data supply contracts are entered into. It approves a proposed seven-person board of management with one representative of privacy interests, and the Privacy Commissioner with observer status.
The Committee proposes that the MoU require that individuals and entities be entitled to access data held on LEAN about them, and be given the right to comment on agency decisions made about them on the basis of LEAN data before the decision becomes final. It also recommends that the MoU require uniform penalties for misuse, a system to provide compensation for breaches of confidentiality (but doesn't mention other types of grievances), and a requirement on user agencies to report on their compliance with the Privacy Commissioner's data matching guidelines (but doesn't require compliance with them).
The Elliott Committee has all but called for LEAN to be scrapped, at least unless some independent analysis produces some far more convincing justification than the government has managed to date. However, the focus on inadequate financial justification has led the Committee to give unfortunately little consideration to other potential dangers of LEAN, such as the likelihood that attempts would be made to extend its coverage to other misleadingly called ''public register information' (for example, electoral rolls, bankruptcy records, car and driver records). Furthermore, what likelihood is there of new agencies, and different access purposes, being allowed at a later date. It would have been valuable if the Elliott Committee could have given serious consideration to how likely these developments are, and what the implications for privacy would be, given the recent federal experience of the expansion of the tax file numbering system despite political promises to the contrary. What safeguards or guarantees are possible? In other words, what is the Committee's political judgment of whether the community can trust LEAN not to mutate into something nastier?
While the Committee recommends useful safeguards against abuse if LEAN does go ahead, it is hard to see why it proposes that most safeguards should reside in a MoU, the provisions of which are not enforceable by the individuals or companies affected by misuse. The Committee recommends Commonwealth legislation to govern the operation of LEAN, and it is hard to see that the Commonwealth would lack legislative competence to embody in such legislation access rights, misuse penalties, compensation, and a requirement to comply with data-matching guidelines, given that LEAN would be a Commonwealth facility.
This Report, despite shortcomings, is yet another example of the invaluable role that Commonwealth parliamentary committees are performing in analysing and questioning potentially privacy invasive practices and proposals in Australia.