Privacy Law and Policy Reporter
While smart cards offer new ways to obtain goods and services and store information, this portable technology also generates new challenges for the privacy of individuals who use it. Smart cards and the systems that support them will be capable of collecting, storing and aggregating large amounts of personal information which may be used to monitor individuals as they go about their lawful day to day activities.
It is important that the complex privacy issues surrounding smart cards are discussed throughout the community and that we arrive at a set of practices for the collection and use of personal data through smart cards that take account of people's expectations about the privacy of their personal information.
In the smart card world, people could buy newspapers and chewing gum with a stored value card, pay road tolls without stopping and carry details of their medical conditions, university records, or driver's licence in a standard size plastic card. If that world is not with us yet, then it may be close at hand.
The microprocessing and data-storage capabilities of smart cards make them suitable for many diverse applications. As a result, smart cards are being developed and used as tickets (for public transport and movie theatres), electronic cash (stored value cards, tollways), medical files, pharmacy record cards and identity cards (to manage access to buildings and computers).
While much of the media and the community's attention is focused on stored value cards, there is extensive work being undertaken to evaluate the potential use of smart cards in the health sector. Smart cards are used in several countries to allow for the collection of, and access to, medical records, as well as providing for the billing and co-ordination of medical services. The card may hold an individual's complete medical history.
In Australia there are no proposals by the Commonwealth Government to sponsor large scale applications in the health sector. Twice in recent years, the Commonwealth Government has indicated that it does not favour the development of a Medicare smart card. In a press statement issued in 1992, the then Minister for Health, Housing and Community Services, the Hon Brian Howe, announced that the Government has rejected the use of smart cards to record patient information or the development of a central data-bank because of the privacy implications. Similar assurances were provided in a joint statement recently issued by the Minister for Industry, Science and Technology, Senator Peter Cook and the Minister for Human Services and Health, the Hon Carmen Lawrence MP (5 July 1995).
Nevertheless, smart cards clearly have the potential to play a part in a number of contexts within the health sector and it is likely this potential will become clearer as the technology matures. The Warren Centre for Advanced Engineering, an industry-funded body working with the smart card industry, is looking at developing a smart card proposal for managing pharmaceutical prescriptions in Australia. Work is still in its preliminary stages but it has been suggested that the card, the use of which would be voluntary, could record details of a patient's recent prescription history, allowing authorised pharmacists to monitor the patient's use of drugs (including over usage, inappropriate doses, conflicting medications and so on).
There have been several trials of medical smart cards in Canada, including an extensive data storage and retrieval system in Quebec and Ontario (the Encounter Card Project). A pharmaceutical smart card has also been trialed in the North Bay area of Canada, involving veterans and local pharmacists. Medical smart cards are also used in Germany, France, Japan and the UK.
Smart cards have some privacy pluses:
Although smart cards do have features that can be used to support privacy principles, their capacity to collect and aggregate detailed information about our daily lives (perhaps on a level unprecedented in this country) poses a real risk to the privacy of personal information.
While smart cards themselves present a risk to privacy, perhaps the greater threat to privacy will come from the data bases that underpin a smart card system. Data bases will be used as clearing houses to process and reconcile smart card transactions. It is also likely that they will be used as a back up to restore the information stored on a smart card in the event that the card is damaged, lost or stolen. When examining the privacy issues raised by smart cards, it will therefore be important to consider the systems that support them.
The first step towards establishing acceptable practices in the operation of smart card systems is to identify principles for addressing the privacy concerns smart cards raise. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data provide a suitable international privacy benchmark. (Commonwealth Government smart card projects will also need to comply with the Information Privacy Principles which are set out in the Privacy Act and which are legally binding on Commonwealth agencies.)
The OECD guidelines rest on three broad principles. First, that the information collection system should be transparent; second, that there should be appropriate limits on the collection and use of personal information; and third, that personal information collected should be accurate and held securely. If they are to be put into practice effectively, these principles need to be incorporated in systems designs from the outset. Some ways of doing this are set out below.
A transparent system requires that:
In order to limit the collection and use of information about individuals and transactions, system developers will need to:
The third theme of the OECD guidelines is concerned with data security and quality. To ensure high standards in this area, card system developers should consider:
Governments can certainly encourage the development and use of a policy framework to minimise the privacy risks of smart cards, but they may also have to review the legislative environment in which smart cards operate.
Australia's limited privacy legislation focuses on the information handling practices of Commonwealth agencies. Although Commonwealth agencies are likely to have some involvement in the application of smart card technology, many smart cards are being developed, and will be managed, by the private, State and local government sectors, which currently are not covered by comprehensive privacy legislation (although there are some privacy protocols and codes in place). The newness of the technology also means that smart cards have not been specifically addressed by codes such as the Electronic Funds Transfer Code.
One option is to use specific codes tailored to particular industries or applications. Although an industry-sponsored code that relies on a model of self-regulation has the advantage of being endorsed by that industry and is therefore likely to be supported by the members of that industry, codes such as these, almost by definition, lack any enforcement mechanisms. They also often do not have the means to address client or customer complaints. Another difficulty with any industry code in the smart card context is defining its scope, that is, clearly identifying the organisations and applications that fall within its ambit. For example, to what extent would organisations that elect to use a smart card to manage transactions (such as fun park rides) or personal information of any sort (such as membership records) fall within the ambit of the code? Commonwealth agencies that elect to use a smart card to, for example, ensure authorised access to computers or buildings or deliver services to the public may also find themselves subject to at least two standards. In this instance, while the industry code may provide a minimum standard, the agency will need to continue to comply with the higher standards for handling personal information required by the Information Privacy Principles set out in the Privacy Act.
It will also be necessary to review current legislation that regulates specific industries such as the banking and telecommunications sectors.
Another option is to develop national privacy standards (achieved perhaps through a combination of state and Commonwealth initiatives) which encompass both the public and private sectors. This would overcome the difficulties of piecemeal and haphazard privacy protection that may accompany industry codes, though there is little doubt that achieving a uniform national approach would be difficult. One approach is to expand the Commonwealth Privacy Act to the limits of federal constitutional power so far as the private sector generally is concerned. In addition, inter-governmental processes will need to be used to settle on a framework able to be adopted by all Australian governments. Irrespective of the process which is used, the goal should be the development of a model for privacy protection that is as seamless as the technology which can both threaten privacy and help to protect it. It should also be a scheme which provides for an independent regulator with a specific privacy focus.
The widespread introduction of smart card applications to Australia is imminent and is being heralded by many as delivering great benefits in reducing fraud, making information storage safer and increasing efficiency in the delivery of a wide range of services. But, at the same time, smart card applications have significant potential to erode the privacy of personal information. In order to ensure that, as a society, we are able to enjoy the practical benefits of smart cards without forfeiting our human rights in the process, it is essential that parties involved in smart card development consider privacy issues systematically and early in a project's development.
Donna Bain is a member of the staff of the Australian Privacy Commissioner, and is the author of the Commissioner's Discussion Paper, 'Smart Cards: Implications for Privacy'.