Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Bain, Donna --- "Smart cards: a federal privacy perspective" [1996] PrivLawPRpr 4; (1996) 2(10) Privacy Law & Policy Reporter 186

Smart cards: a federal privacy perspective

Donna Bain outlines the Australian Privacy Commissioner's approach.

While smart cards offer new ways to obtain goods and services and store information, this portable technology also generates new challenges for the privacy of individuals who use it. Smart cards and the systems that support them will be capable of collecting, storing and aggregating large amounts of personal information which may be used to monitor individuals as they go about their lawful day to day activities.

It is important that the complex privacy issues surrounding smart cards are discussed throughout the community and that we arrive at a set of practices for the collection and use of personal data through smart cards that take account of people's expectations about the privacy of their personal information.

In the smart card world, people could buy newspapers and chewing gum with a stored value card, pay road tolls without stopping and carry details of their medical conditions, university records, or driver's licence in a standard size plastic card. If that world is not with us yet, then it may be close at hand.

The microprocessing and data-storage capabilities of smart cards make them suitable for many diverse applications. As a result, smart cards are being developed and used as tickets (for public transport and movie theatres), electronic cash (stored value cards, tollways), medical files, pharmacy record cards and identity cards (to manage access to buildings and computers).

Use of the smart card in the health sector

While much of the media and the community's attention is focused on stored value cards, there is extensive work being undertaken to evaluate the potential use of smart cards in the health sector. Smart cards are used in several countries to allow for the collection of, and access to, medical records, as well as providing for the billing and co-ordination of medical services. The card may hold an individual's complete medical history.

In Australia there are no proposals by the Commonwealth Government to sponsor large scale applications in the health sector. Twice in recent years, the Commonwealth Government has indicated that it does not favour the development of a Medicare smart card. In a press statement issued in 1992, the then Minister for Health, Housing and Community Services, the Hon Brian Howe, announced that, the Government has rejected the use of smart cards to record patient information or the development of a central data-bank because of the privacy implications. Similar assurances were provided in a joint statement recently issued by the Minister for Industry, Science and Technology, Senator Peter Cook and the Minister for Human Services and Health, the Hon Carmen Lawrence MP (5 July 1995).

Nevertheless, smart cards clearly have the potential to play a part in a number of contexts within the health sector and it is likely this potential will become clearer as the technology matures. The Warren Centre for Advanced Engineering, an industry-funded body working with the smart card industry, is looking at developing a smart card proposal for managing pharmaceutical prescriptions in Australia. Work is still in its preliminary stages but it has been suggested that the card, the use of which would be voluntary, could record details of a patient's recent prescription history, allowing authorised pharmacists to monitor the patient's use of drugs (including over usage, inappropriate doses, conflicting medications and so on).

There have been several trials of medical smart cards in Canada, including an extensive data storage and retrieval system in Quebec and Ontario (the Encounter Card Project) A pharmaceutical smart card has also been trialed in the North Bay area of Canada, involving veterans and local pharmacists. Medical smart cards are also used in Germany, France, Japan and the UK.

Developing appropriate privacy policies for smart cards

Smart cards have some privacy pluses:

• the individual is able to keep the card in his or her possession and has permanent access to its contents provided an appropriate reader can be accessed;
• they are more difficult to copy than existing magnetic stripe cards which may hinder fraud and prevent copies of the information becoming easily available;
• the card can be protected from unauthorised entry by a coding system;
• if the only copy of a particular set of personal data resides in the card, individual card holders could have a greater capacity to influence the flow of information about themselves.

Although smart cards do have features that can be used to support privacy principles, their capacity to collect and aggregate detailed information about our daily lives (perhaps on a level unprecedented in this country) poses a real risk to the privacy of personal information.

While smart cards themselves present a risk to privacy, perhaps the greater threat to privacy will come from the data bases that underpin a smart card system. Data bases will be used as clearing houses to process and reconcile smart card transactions. It is also likely that they will be used as a back up to restore the information stored on a smart card in the event that the card is damaged, lost or stolen. When examining the privacy issues raised by smart cards, it will therefore be important to consider the systems that support them.

The first step towards establishing acceptable practices in the operation of smart card systems is to identify principles for addressing the privacy concerns smart cards raise. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data provide a suitable international privacy benchmark. (Commonwealth Government smart card projects will also need to comply with the Information Privacy Principles which are set out in the Privacy Act and which are legally binding on Commonwealth agencies.)

The OECD guidelines rest on three broad principles. First, that the information collection system should be transparent; second, that there should be appropriate limits on the collection and use of personal information; and third, that personal information collected should be accurate and held securely. If they are to be put into practice effectively, these principles need to be incorporated in systems designs from the outset. Some ways of doing this are set out below.

Transparency

A transparent system requires that:

• all the parties in the smart card system are defined early in the project's development; the flows of personal and transaction information between the system provider, service providers and card holders are readily apparent; and clear lines of accountability are agreed to and publicised by the card system controller; and
• card system providers consult widely with the community, industry and privacy experts to ensure that service providers in the smart card system understand and agree to their responsibilities in terms of collecting and handling personal information.

Limits on collection and use

In order to limit the collection and use of information about individuals and transactions, system developers will need to:

• determine the activities for which the smart card will be used and consult with community representatives on this basis (this will be particularly important where the system is administered by a Government department or where information is compulsorily acquired);
• advise card holders of any changes to the system which affect the collection and use of personal or transaction information;
• obtain card holders consent to be involved in any new application;
• collect only that information which is necessary to fulfill the stated and agreed purposes of the card and not collect information which is peripheral to those purposes; and
• where appropriate, give consumers the option not to use a card or to use an anonymous card rather than a personalised card.

Accuracy and security

The third theme of the OECD guidelines is concerned with data security and quality. To ensure high standards in this area, card system developers should consider:

• appropriate software and hardware systems and administrative arrangements that eliminate or reduce the risk of unauthorised access to, use and disclosure of information held on the card, in a central data base or during data transmission;
• arrangements to inform card holders about their rights to access information held by the system provider and arrangements to have information corrected, erased, completed or amended; and
• consultative arrangements involving system providers, law enforcement and other government bodies, and the community to develop an appropriate policy to allow for access to information as authorised by law, or in other circumstances vital to the public interest.

Reviewing the legislative environment

Governments can certainly encourage the development and use of a policy framework to minimise the privacy risks of smart cards, but they may also have to review the legislative environment in which smart cards operate.

Australia's limited privacy legislation focuses on the information handling practices of Commonwealth agencies. Although Commonwealth agencies are likely to have some involvement in the application of smart card technology, many smart cards are being developed, and will be managed, by the private, State and local government sectors, which currently are not covered by comprehensive privacy legislation (although there are some privacy protocols and codes in place). The newness of the technology also means that smart cards have not been specifically addressed by codes such as the Electronic Funds Transfer Code.

As smart cards will be used in the private and public sectors, by financial and non-financial institutions and for a wide range of activities, the challenge will be to develop a privacy policy and/or legislative framework that can accommodate the full range of smart card applications (current, planned and imagined).

One option is to use specific codes tailored to particular industries or applications. Although an industry-sponsored code that relies on a model of self-regulation has the advantage of being endorsed by that industry and is therefore likely to be supported by the members of that industry, codes such as these, almost by definition, lack any enforcement mechanisms. They also often do not have the means to address client or customer complaints. Another difficulty with any industry code in the smart card context is defining its scope, that is, clearly identifying the organisations and applications that fall within its ambit. For example, to what extent would organisations that elect to use a smart card to manage transactions (such as fun park rides) or personal information of any sort (such as membership records) fall within the ambit of the code? Commonwealth agencies that elect to use a smart card to, for example, ensure authorised access to computers or buildings or deliver services to the public may also find themselves subject to at least two standards. In this instance, while the industry code may provide a minimum standard, the agency will need to continue to comply with the higher standards for handling personal information required by the Information Privacy Principles set out in the Privacy Act.

It will also be necessary to review current legislation that regulates specific industries such as the banking and telecommunications sectors.

Another option is to develop national privacy standards (achieved perhaps through a combination of state and Commonwealth initiatives) which encompass both the public and private sectors. This would overcome the difficulties of piecemeal and haphazard privacy protection that may accompany industry codes, though there is little doubt that achieving a uniform national approach would be difficult. One approach is to expand the Commonwealth Privacy Act to the limits of federal constitutional power so far as the private sector generally is concerned. In addition, inter-governmental processes will need to be used to settle on a framework able to be adopted by all Australian governments. Irrespective of the process which is used, the goal should be the development of a model for privacy protection that is as seamless as the technology which can both threaten privacy and help to protect it. It should also be a scheme which provides for an independent regulator with a specific privacy focus.

The Federal Government's approach to the development of privacy policy is likely to be revisited in the next few months as it considers its response to the review of Freedom of Information legislation currently being undertaken by the Australian Law Reform Commission and the Administrative Review Council, the report of the House of Representatives Standing Committee on Legal and Constitutional Affairs on the protection of confidential personal and commercial information (the Melham report) and the work being undertaken by the National Information Services Council. All of these processes are addressing the structure of privacy protection in Australia. It will be important to ensure that any changes emerging from them allow for an effective and flexible approach to the privacy implications of new technology in general and of new information technology, such as smart cards, in particular.

Conclusion

The widespread introduction of smart card applications to Australia is imminent and is being heralded by many as delivering great benefits in reducing fraud, making information storage safer and increasing efficiency in the delivery of a wide range of services. But, at the same time, smart card applications have significant potential to erode the privacy of personal information. In order to ensure that, as a society, we are able to enjoy the practical benefits of smart cards without forfeiting our human rights in the process, it is essential that parties involved in smart card development consider privacy issues systematically and early in a project's development.

Donna Bain is a member of the staff of the Australian Privacy Commissioner, and is the author of the Commissioner's Discussion Paper, 'Smart Cards: Implications for Privacy'.