THE RESISTIBLE RISE
of
THE NATIONAL PERSONAL DATA SYSTEM

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 23 October 1991

© Xamax Consultancy Pty Ltd, 1990, 1991

Published in Software Law Journal 5,1 (January 1992)

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/SLJ.html


INTRODUCTION

During the mid-1960s, a proposal to establish a U.S. National Data Center was debated. The information technology of the times was incapable of fulfilling that project's ambitious ends. In Australia in the 1990s, however, the march of technology and the smaller population combine to make a distributed form of national data 'centre' technically feasible.

This paper outlines the history of attempts to establish a national personal data system in Australia, with particular reference to the Australia Card proposal and the enhanced Tax File Number scheme. The development of policy measures to deal with information privacy issues is also discussed. The emphasis in revenue collection and benefits administration is moving from reactive enforcement toward proactive data surveillance, and the Privacy Commissioner and privacy interest groups face serious difficulties in their efforts to uphold the social value of information privacy against the increasingly coordinated administrative actions of government agencies.

I. INTERNATIONAL CONTEXT

In the mid-1960s, debate took place in the United States regarding a proposal for a 'National Data Center', which was to have been a repository for data about American residents, drawn from a wide variety of government agencies. After long and often virulent discussions, the decision was taken not to proceed with the proposal. With the benefits of hindsight, the proposal should have been rejected purely on technical grounds, because the information technology of the times was quite unable to deliver the capabilities proposed. Indeed, even today it would be technically very challenging. Subsequent developments in information technology, however, particularly the marriage of telecommunications with computing, have resulted in a dispersed (or 'distributed') system becoming technically feasible. In the National Data 'Center' of the 1990s, the databases would be dispersed geographically and functionally, but managed in an integrated fashion.

A national personal data system has apparent potential to improve the effectiveness and efficiency of government administration. A range of organisations would be authorised to use the national distributed database for the purpose of managing their dealings with individuals. The data arising from these dealings might be restricted to the specific organisation from whom they derive; or they might be available under specific circumstances to other organisations. But the temptation to make them freely available to an ever-increasing variety of organisations would be well-nigh irresistible.

There is no country in the world which has a system in operation which could be described as a full-scale national personal data system. In a number of countries, however, there are systems which satisfy some of the tests. Many European countries use a single identifier for several purposes (typically taxation, health insurance and national superannuation). These systems are in some instances inter-related. In the U.S.A. and Canada the Social Security and Social Insurance Numbers (respectively the SSN and SIN) are widely used as a means of identification, and, despite their low integrity, provide a basis for data interchange and data matching. In New Zealand, the Wanganui Data Centre is specifically empowered to operate driver and motor vehicle licensing and police criminal records data in an integrated fashion. There are many other examples.

Any personal data system involves a degree of privacy-invasiveness, because it places an organisation in a position of power with respect to individuals and their data. During the 'decade of privacy' in the 1970s, concerns about the privacy-invasiveness of personal data systems arose in countries throughout the advanced western world. These concerns led to statutes in many countries, and in States, provinces and Länder, and to international Guidelines issued by such organisations as the European Community and the O.E.C.D. (OECD 1980).

A national, and hence intrinsically multi-user, personal data system is emphatically more threatening than a set of independent databases. This is because it concentrates that power, and provides a basis for dataveillance (Clarke 1988a). This is chilling in any circumstances, and in the hands of a corrupt or authoritarian government it is inimical to democracy. Consideration of a proposal to integrate data systems designed to support different functions therefore involves careful balancing of efficiency against personal freedoms. For discussions of these matters, see Westin (1968), Rule et al (1974, 1980), Laudon (1986) and Flaherty (1989).

This paper documents the efforts of public servants and, to a lesser extent, politicians, to bring into existence a national personal data system in Australia. It commences by providing some background to Australia and Australian Government, and to the level of sophistication of Information Technology (IT) applications in that country. It then traces the history of attempts to introduce a national personal data system, with particular reference to the Australia Card proposal (1985-87) and enhancements to the Tax File Number scheme (1988-). Related developments are described, and policy measures discussed.

II. THE AUSTRALIAN GOVERNMENT AND ITS USE OF I.T.

Australia is much the same size as the U.S.A. excluding Alaska, but much of the continent is desert, and it has a population of only 17 million, about the same as Texas or the Netherlands. Because of its primary produce and minerals, it is a relatively rich country, with GNP per capita comparable with the richer European countries like Germany and France. It was formed in 1901 as a federation of six British ex-colonies. Its Constitution drew on both the unwritten British and the written U.S. constitutions, and provides for the Commonwealth to have a specific set of powers, with the residual powers remaining vested in the six States.

The Australian public sector is directly responsible for about 35% of GDP (which is comparable with the United States and significantly less than most European countries). However, whereas one-quarter of U.S. Federal Government expenditure is on each of defence and welfare, Australian Federal Government spending is only 10% on defence, and 35% on health and social welfare. Some 20% of the Australian population is to some extent dependent on government benefits, with perhaps 5% heavily dependent. About 12 million of Australia's population of 17 million people are known to the primary welfare agency, the Department of Social Security.

The Federal Government comprises some 400 agencies, employing over 400,000 people, or about 5% of the workforce, with State and Local Governments employing a further 17%. The national capital, Canberra, is located in pleasant countryside 300 kilometres south-west of Sydney, well away from the two very large conurbations and the three other large centres of population, business and industry. The policy of concentrating Commonwealth Government agencies in the national capital has resulted in population growth since 1960 from 50,000 to 285,000, with about half of the city's workforce employed by the Commonwealth Government. This concentration of public servants living in a comfortable city buffered from both the tumult of the major cities and the vicissitudes of rural life results in a degree of distance between policy-makers and the rest of the population.

There are important similarities between the Australian and U.S. environments. The two countries have been allies since before World War II, and Australia's long-standing association with the United Kingdom has gradually waned as that country withdrew from Asia, and the affinity to the United States has increased. Many values are shared, although Australians tend to be somewhat less fervently patriotic and more sceptical than Americans, particularly of authority. At least as measured by criminal statistics, the level of public morality is rather higher than in the United States, with a far lower incidence of serious crimes against persons and property.

There are many similarities between Australian and American public policies, although Australia has paid somewhat greater attention to social welfare policies at the expense of economic concerns and the aero-space-defense industries. There are also many similarities in public administration, but several critical differences. Because of the scale of operations, Australian welfare benefits are not distributed through State and local agencies as in the U.S., but directly by the relevant Federal Government Departments (predominantly the Departments of Social Security - DSS and Veterans' Affairs - DVA). Similarly, compulsory health insurance is administered by a Federal agency, the Health Insurance Commission (HIC), which deals directly with the public throughout the country, through its own offices. For many years, a single national fingerprint bureau has been operated (although, for historical reasons, by the Police Force of the largest State), and it became in the mid-1980s the first national bureau to computerise its fingerprint records.

Although the scale of government operations is much smaller than in the U.S., it has nonetheless been large enough to challenge IT. In the mid-1980s, for example, the HIC was operating two of IBM's largest available model (then the 3084Q) at close to capacity. Several of the Commonwealth agencies have, in common with Australian financial institutions, distributed systems which are as technologically advanced and organisationally effective as those of any country in the world, including the U.S.A. For example, the DSS system comprises a hierarchically distributed network of eight very large IBM-compatible Amdahls with scores of Wang minicomputers in regional centres; and the Australian Taxation Office's Electronic Lodgment Service for personal taxation returns has been so successful that it anticipates that 50% of all returns will be lodged electronically during the current financial year (Ryan 1992).

It is against this background that tendencies toward a national personal data system will be developed, by considering the early history of these ideas, then by outlining the story of the Australia Card proposal, the enhanced Tax File Number scheme and subsequent developments. However, it is first necessary to consider one critical feature of a national personal data system, the identification mechanism.

III. PERSON-IDENTIFIERS

A person-identifier is a symbol which denotes a specific human being and is capturable into a data system, and which thereby enables personal data to be associated with a particular person. In order to provide a basis for a reliable personal data system, a person-identifier must perform satisfactorily against a set of characteristics (Clarke, 1989).

In principle, the most effective person-identifiers are physiologically based (and are sometimes referred to as 'biometrics' or 'physiometrics'). They may be a natural characteristic, or an imposed feature such as a brand or an implanted microchip (both of which are used with other animals). Some of the natural features which have been applied or proposed include facial appearance, fingerprints, teeth, retinal prints and, most recently, DNA prints. Fingerprints have long been used in criminal investigation, and various physiological identifiers are currently being applied to building security. However, no biometric identification system has yet been sufficiently economic, impervious to intelligent evasion and fraud, and socially acceptable that it has come into general usage. Virtually all administrative systems use more prosaic identification techniques.

For social purposes, people are identified by their names, and some organisations use names as a person-identifier. For administrative purposes, however, names have many serious disadvantages, particularly their non-uniqueness, variable length and variability in presentation. Non-uniqueness may be addressed by using a set of data items (such as family name, given names, data-of-birth and elements of address), but this requires considerable processing complexity and a small but appreciable chance of ambiguity remains. No country appears to have taken the obvious step of restricting the choice of names to those which have not been already assigned.

Rather than using names, the conventional approach adopted in personal data systems is to assign a unique number or code to each individual. This is done at some time convenient to the issuing organisation, such as the first contact between the individual and the organisation. When an organisation wishes to access existing personal data, or record new data, it needs to have the person's identifier. Many organisations simply accept the individual's statement as to who he or she is, and use an index to look up the appropriate code. Other organisations are unable to rely on such an arrangement, particularly where it may be in the interest of an individual to misrepresent themselves as another person. They impose requirements on the individual to provide 'proof' of their identity. To ensure that the identifier is available when required, it could conceivably be recorded on the person (although such an approach would probably be generally regarded as repugnant). Instead it is commonly recorded on some token such as a card, with requirements to produce the token when dealing with the organisation. To be effective, such an arrangement must embody incentives and disincentives such that the right individual, and only the right individual, makes the token available in all the right circumstances. This is not easily achieved. Despite the difficulties involved, tokens such as plastic cards are the basis of many administrative systems, including driver licensing and retail Electronic Funds Transfer Systems.

A further tool in identification is personal knowledge, as when a person collecting a plastic card is asked their birth-date or their mother's maiden name; or a person using an Automated Teller Machine is asked to provide the Personal Identification Number or PIN associated with that particular card or account. In addition to schemes based on 'what a person knows', identification may be based on 'what a person does'. The most common such approaches are the dynamics of hand-writing, particularly signatures, and of keyboard use, particularly when keying passwords.

Another tool in human identification is documentary evidence (or 'proof of identity', as it is so often, but highly misleadingly, referred to). Birth and marriage certificates, drivers' licences, letters of introduction and statutory declarations are frequently inferred to contain informational value far beyond their actual meaning, particularly when several are proferred.

Organisations which use personal data systems construct, more or less consciously, using the elements discussed in the preceding paragraphs, a basis for human identification which they deem to be appropriate to their particular needs. It is important to appreciate the following points:

Some instances exist in which a single identification scheme is used for a number of purposes (e.g. a financial institution may assign a single code to a customer, to be used for all kind of investment, lending and perhaps insurance and travel transactions), or by a number of organisations (e.g. where health insurance, social welfare and taxation authorities all use the same scheme).

A national personal data system would go beyond such merely multi-purpose arrangements to provide a general-purpose identifier. To ensure integrity of the scheme, and achieve economic benefits, more elements than just an identifier or person-code would be needed, including:

Indeed, with these three elements in place, it may prove unnecessary to actually impose a single identifier, provided that the identifiers used by each person with each agency were able to be reliably correlated.

In the current environment in advanced nations, the only major impediment to a national personal data system is the fact that agencies identify their clients differently. It is likely that economic benefits would arise from a common identifier, through reduction in the costs of administering identification schemes, and particularly from reduction in the scope for error and fraud. As the following sections show, public servants in Australia have been eager to grasp the opportunity.

IV. THE AUSTRALIA CARD

Three of the four pre-conditions for a national personal data system already existed in Australia by the mid-1980s, viz. appropriate data processing and storage technologies, a large number of data-rich agencies, and data communications technologies to link the separate systems into a network. This section focusses on the emergence of the missing element, the consistent use of a single unique identifier for each individual.

A. PRELUDE

A multi-purpose identification scheme was applied in Australia during World War II, as in some other countries. Although actions by German and Italian forces in the region were muted, Australia committed forces at the outbreak of the war in Europe. Later, although the Japanese did not gain a foothold on Australian territory, it did appear at one stage that this would happen, with Darwin bombed on several occasions, Japanese midget submarines in Sydney harbour, and a critical naval battle fought (mainly by Americans) in the Coral Sea off the North Queensland coast. The situation was therefore a critical one, in which even a liberally-minded nation would accept the imposition of tight social control measures. The scheme would have been unworkable without the incentive of rationing to ensure registration and use of the identifier, and was withdrawn soon after hostilities ended. Something similar occurred in the United Kingdom (Rule, 1974).

There does not appear to have been any serious discussion of national identification schemes during the next 30 years, until three Government Reports (Asprey 1975; Mathews 1975; and Campbell 1981) mentioned the possibility of improving the efficiency of Commonwealth Government agencies by creating a national identification scheme. During this period, two Cabinet Ministers were reported as regarding the matter as being politically unworkable (Graham, 1990b, p.45). This periodic 'floating' of the idea is consistent with the interpretation that senior public servants were attracted to it, and were seeking an opportunity to place it on the political agenda.

A Labor Party Government was elected in 1983, only the second in 35 years. The Prime Minister and the Treasurer called a so-called 'Taxation Summit' for July 1985, whose (ill-fated) purpose was to gain social consensus for a consumption tax. In early March, during the lead-up to the Summit, the Chief Executive of the Australian Taxpayers' Association suggested to the Prime Minister that a national identification scheme be created, to combat tax fraud and thereby protect honest taxpayers. Within weeks, the proposal became part of the national agenda, with a speech in late March by a senior taxation official mentioning it, and a backbench member of the Labor Party delegated in April/May to bring the idea before the Party Caucus. The proposal emerged from the 'Tax Summit' as the 'Australia Card' proposal, dressed in patriotic green and gold livery.

B. THE PROPOSAL

The scheme's objectives changed many times during the two-and-one-half year campaign, finally being expressed in terms of reducing tax evasion, welfare fraud and illegal immigration. The government functions which were to be served, and the agencies which were to be involved, also varied enormously (Greenleaf & Nolan, 1986). Given that many of its elements have re-surfaced subsequently in other initiatives, the Australia Card scheme was clearly part of the agenda of many senior executives in many different federal government agencies. This section summarises the main features of the scheme as it was finally presented in the Bill.

The scheme was to comprise a register (which the Government tried to argue was not a centralised database), operated as a hub-system whereby participating agencies could share specified data about individuals. The entire population was to be recorded on the register, and every person was to have an obligation to acquire a code, and a card carrying the code, and to present that card in a wide variety of circumstances. The register was to facilitate front-end verification among participant agencies, and the identifier was to facilitate computer matching. For further details of the scheme, see Clarke (1987), for clarification of the various techniques, see Clarke (1988a), and for its proposed legislative implementation through the Australia Card Bill 1986, see Greenleaf (1987).

It was reported in the press that some 37 agencies made cabinet submissions seeking authority to participate and 13 were seriously considered, but the Bill restricted the register's initial use to 5. The register itself was to be maintained by staff in the Health Insurance Commission's offices nationwide, involving some 2,000 clerks with full access to the data in the Register. Exhibit 1 summarises these elements.

Exhibit 1: The Elements of the Australia Card Scheme

* Register

A central register containing data about every member of the population, to be maintained by the Health Insurance Commission (HIC)

* Code

A unique identifier for every member of the population, to be assigned by the HIC

* Card

An obligatory, multi-purpose identification card for every member of the population, to be issued by the HIC

* Obligations

On All Individuals to produce the Card when undertaking a wide variety of dealings with a wide variety of both government agencies and private sector organisations (including all employers, financial institutions, hospitals, real estate agents, produce agents, etc)

On All Organisations to demand the Card, record the Code, apply sanctions to people who failed to produce it, and report data using the Code

* Use

Of the Code by a wide variety of organisations. Despite Ministerial promises, the legislation contained no restriction on private sector organisations from using the Code as an internal identifier, e.g. as a customer number or employee number

Of the Register, or data from the Register, by:

Of Reports containing the Code, by the Tax Office

* Cross-Notification

Of changes to identifying data, particularly address, among participating agencies

The scheme was technically flawed in a number of important respects, not the least being the cost/benefit procedures applied (see JSC 1986 and Clarke 1986 and 1987). One example of the serious flaws in the estimates was the total exclusion of costs incurred by the private sector and by individuals. Another arose in relation to the Government's claims that vast savings would result from the detection of illegal immigrants. This was unsupported by any written argument or any published estimating basis, and has been subsequently totally undermined by the declaration of a succession of amnesties under which illegal immigrants have been permitted to come forward and claim permanent residence.

C. THE POLITICAL HISTORY

The public debate about the Australia Card lasted from April 1985 until September 1987. It began as the 'National Identification Numbering System' (NINS), but was marketed as the 'Australia Card', bedecked in the national sporting colours of green and gold. At the end of 1985, the Opposition-controlled Senate forced the appointment of a Joint Select Committee from both Houses to be appointed to consider the proposal. The Government made its detailed proposals available only after half of the Committee's 18-week life had expired (DoH 1986 and HIC 1986). When the Committee reported, in May 1986, the Government ignored its recommendations, and accepted instead the recommendations contained in a minority report prepared by 3 of the Labor Party's 4 members of that Committee (JSC, 1986).

A 130-page Bill was introduced, the debate in the House gagged and the Bill passed on party lines in November 1986. 24 of the 42 non-Government Senators spoke with vigour against the Bill, and one Government Senator did the same. The Bill was defeated in December. Three months later, the Opposition Coalition was undergoing a leadership crisis, and the Government reintroduced the Bill unchanged, again gagged debate in the House and the Bill again passed on Party lines. 33 of the 42 non-Labor Senators spoke against the Bill, and one Senator resigned from the Labor Party and spoke against it. It was again defeated, on 2 April 1987.

The second defeat of the Bill in the Senate established the conditions for a double-dissolution of both Houses of Parliament, and a subsequent re-presentation of the Bill to a combined sitting of the two Houses. The rationale underlying this is that the House of Representatives, having about twice as many members as the Senate, might then be expected to be in a position to enforce its wishes on an unwilling house of review. The Prime Minister had chosen 1 April to assure the nation that he would not call a double-dissolution election, but seven weeks later did so (because, he explained, the leadership difficulties then being experienced by the Opposition Parties were a threat to good government). The Australia Card issue was barely mentioned during the campaign, and in July 1987 the Labor Party won a third successive term of Government, the first time it had ever done so.

By this time, public attitudes to the scheme had changed dramatically from support (when it had been perceived as a plank in the Government's anti-tax-dodger and anti-welfare-fraud platform) to virulent opposition (because it was by now perceived as a social control mechanism). In August 1987, the launching of the Australian Privacy Foundation, comprising well-known Australians from all walks of life and all political persuasions, provided the nucleus for public opinion to coalesce. 'The Australian' newspaper stated that it received 526 letters in the peak fortnight alone, 475 against, and only 25 for: "There has never been a debate like it on the letters page: there has never been such a cry of opposition from the nation over one topic".

The Bill was reintroduced in the House in September 1987, preparatory to a combined sitting of the two Houses. Before it was debated, however, the Opposition drew notice to a feature of the legislation, not uncommon in such Bills, which required the date of commencement of the scheme to be set by Regulation. The Opposition-controlled Senate would have been able to disallow that Regulation, and thereby frustrate the Government's intentions. For the constitutional niceties, see Greenleaf (1988). In September 1987, the Government meekly withdrew the Bill.

The weight of public opinion had already rendered the proposal politically untenable, but one aspect of its demise was particularly noteworthy. The proposal was designed to serve the interests of senior public servants, yet the two people who provided the technical means leading to its demise had both been until quite recently senior public servants (Smith 1989).

For less sketchy reports of the political history of the scheme, see Graham (1986), Greenleaf & Nolan (1986), Greenleaf (1987, 1988) and Clarke (1987, 1988b).

IV. THE ENHANCED TAX FILE NUMBERING SCHEME

When the Government withdrew the Australia Card Bill, it stated that it would instead adopt the recommendations of the Joint Select Committee (which it had spurned 15 months earlier), to the effect that the identification provisions relating to income tax be tightened. A few months later, in May 1988, the Government announced details of the proposed enhancements to the Tax File Number (TFN) scheme which had been in use within the Australian Tax Office (ATO) since the 1930s.

A. THE ORIGINAL ENHANCEMENTS

The scheme was to apply exclusively to taxation administration. Exhibit 2 contains some of the assurances which were repeated inside and outside of Parliament throughout the period during which the proposal was under consideration.

Concerns were expressed by privacy lobby groups about a number of aspects. The Opposition Liberal-National Party Coalition and the Australian Democrats, who held the balance of power in the Senate, supported the proposal in principle but did not approve of the Bill as it was originally presented. A Report of the Senate Standing Committee on Constitutional and Legal Affairs recommended that the proposal "if enacted, be strictly limited in its terms, so that it applies only in relation to taxation purposes and those purposes be so framed as to prevent a progressive extension of the ambit of the Bill" (SSCLCA 1988, 10.26).

Exhibit 2: Assurances Regarding the TFN Scheme's Limited Nature

Negotiations resulted in a number of significant changes in the Bill. In December 1988, the amended proposals were passed into law (referred to in this paper as the TFN Act). At the same time, the Privacy Act 1988 was passed, creating a set of highly qualified Information Privacy Principles and applying them to most agencies in the Commonwealth public sector, creating the office of Privacy Commissioner, and establishing Guidelines as part of the control regime for the TFN scheme. This was the first privacy legislation ever passed in the Australian federal jurisdiction.

The public and the Parliament understood a number of protections to exist ensuring that the TFN scheme could not become the general-purpose national identification and personal data system that the Australia Card scheme had been intended to be. The first safeguard was the assurances provided by the Government. The second was the explicit nature and seemingly limited terms of the Act. The third safeguard was the TFN Guidelines, contained in Schedule 2 of the Privacy Act 1988, which expressly stated that "the TFN is not to be used as a national identification system by whatever means" (1.1). Royal Assent for the Privacy Act was provided almost immediately, and it came into force on 1 January 1989. The TFN Guidelines had immediate effect, and a Privacy Commissioner was appointed, with a budget, in early 1989. A more detailed description of the scheme may be found in Clarke (1991b).

As the following sections will show, the safeguards were utterly ineffective against the onslaughts of enthusiastic public servants and willing Ministers. The Parliamentary Opposition, the Privacy Commissioner and privacy and civil liberties interest groups were all caught napping.

B. THE QUICKLY WIDENING SCOPE

The only organisation authorised to use the TFN in relation to taxation matters was the Australian Taxation Office (ATO), although employers, investment bodies, superannuation funds and tax agents were required to collect, store and report it to the ATO. However, there were several ways in which the TFN scheme was automatically much broader than had been understood by the public, and by many of the people who were involved in the discussions preceding Parliamentary approval.

One reason for this is that key terms used in the legislation, such as 'income', 'assessable income' and 'salary or wages', do not have their ordinary meanings, but must be interpreted in accordance with statutory definitions. When these are located and examined, they are found to be expressed in such a way that a large number of seemingly extraneous matters are included. Two such unexpected inclusions in the original scheme were the allowances paid to tertiary students under the 'Austudy' programme, and all unemployment and sickness benefits.

A second source of extension is the definition of 'taxation law' in the Taxation Administration Act as any Act and Regulations "of which the Commissioner [of Taxation] has the general administration" (ss.2, 8WD). Reasonable though this might seem, it has the effect that any Act which by administrative arrangement is moved within the responsibility of the Taxation Commissioner, is deemed to be 'taxation law', irrespective of whether or not it has anything to do with taxation.

The collection of child and spouse maintenance payments became subject to the TFN, merely because the Child Support Agency had been assigned to the Commissioner of Taxation. The key purpose of this particular use is as a locator service for defaulters. It is also noteworthy that the Commissioner has adopted the practice of withholding tax refunds and applying them to putative arrears in child support payments. This involves two bold steps in public administration: one is the implementation of cross-system enforcement across quite different functions, and the other is the extension of the reversal of the onus of proof from taxation administration (where it has tended to become accepted) to another area entirely.

A third means of extension of the scheme is by defining any new or existing Act to be 'taxation law', for example by the words "This Act shall be deemed to be 'taxation law' for the purposes of the Taxation Administration Act". It is not necessary for the Act to make an explicit change to the relevant section of the Taxation Administration Act. This was the means whereby the Higher Education Contribution Scheme (HECS) became part of the TFN scheme (Higher Education Funding Act 1989). This is a fee-for-service levied on tertiary students for each subject in which they enrol in a tertiary institution and paid subsequently by way of additional taxation. When it was introduced, the Government strove to explain to a doubting public that HECS was not the 'graduate tax' the media had dubbed it.

Similarly, the Training Guarantee scheme - which created a requirement that employers invest at least some amount of their turnover in staff training - was authorised by legislation in May 1990 to use the TFN (Training Guarantee Administration Act 1990). It is noteworthy that, as late as September 1990, the relevant Department was unclear in what ways, if any, the TFN was to be used. Within only 17 months, it therefore appeared to have already become common practice for TFN use to be included speculatively in the legislation establishing new programmes, whether or not they were tax-related.

The scope of taxation law was therefore readily expandable both by administrative action of the Government (i.e. without the purview of Parliament), and by the inclusion in a new Government Bill of a simple machinery provision unlikely to attract careful scrutiny by Parliament.

Exhibit 3 lists the organisations which, by late 1990, were authorised to use the TFN by laws which are deemed to be taxation laws, but which in the normal sense of the word are not.

C. FROM ECONOMIC SANCTIONS TO COMPULSORY PROVISION

During the 1988 debates, the Government had assured the public that the sanctions against failure to provide the Tax File Number were only economic in nature. For example, the Treasurer said that "There will be no offence for people failing to quote a tax file number when asked of them" (Press Release No. 47 of 25 May 1988), and that "the amendments the Government has agreed to accept are designed to guarantee that the tax file numbering scheme is completely voluntary" (Speech on Amendments to be Moved, December 1988). Specifically, the sanction was that taxation would be deducted from wages or interest income at the highest marginal rate (about 50 cents in the dollar).

However, in December 1989, only one year after the original legislation had been passed, amendments to the Social Services Act made the quotation of the TFN a pre-condition to the payment of unemployment and sickness benefits (Social Security and Veterans' Affairs Legislation Amendment (No.3) Act 1989).

Exhibit 3: People Authorised by Law to Use the TFN
for Reasons Legally, but At Best Only Indirectly, Related to Taxation

LEGALLY DEFINED AS TAXATION LAWS

FACILITATIVE ARRANGEMENTS

The failure of Parliamentarians and privacy advocates to detect and object to this extension of the TFN scheme may have encouraged the Government to believe that there would be little public interest in, or opposition to, further extensions.

D. EXTENSIONS

In the February 1990 Economic Statement (popularly called the 'Mini-Budget'), the Government announced that TFNs would become mandatory for three additional classes of welfare recipient. Due to an intervening election, in which the Government was re-elected for a historic fourth time, the Bill to give effect to this was introduced only in August 1990. In August 1990, the Minister for Social Security also announced that the requirement for the TFN would be extended to include the remaining social security payments, such as age and invalid pension, as well as Veterans' Affairs, Student Assistance Act and First Home Owners' Scheme payments. This had the effect of extending TFN use to virtually all of the thirty or so welfare programmes run by the federal government.

Consistently with the December 1989 Act, these Bills made the provision of the TFN a pre-condition of receipt of any form of income support or welfare payment. At least for the many people who are entirely dependent on these sources of income, provision of the Tax File Number became not merely subject to economic sanctions; it became effectively compulsory.

The Bills were referred to a Senate Standing Committee on Constitutional and Legal Affairs, this being by chance the first occasion that Bills had ever been referred to a Senate Committee. A lively debate took place before that Committee, but the Opposition reached an accommodation with the Government, and the Report failed to mention any of the issues which appeared in the minutes of the Hearings. The Senate passed the legislation without any significant amendments.

The Department of Social Security (DSS) was not a supporter of the Australia Card scheme, which had been mainly stimulated and carried by the Health Insurance Commission. In fact, DSS expressly argued that its identification scheme was satisfactory, and that the Australia Card number and register would not assist it in any material way to improve its fraud prevention, detection and prosecution activities. Between 1985-7 and 1989-90, however, the Department's attitude changed to such an extent that it has become a proponent of extension of the TFN's use far beyond its original scope. It appears that the Department now sees access to and use of the TFN as being of significant value in these activities, particularly in relation to what the Minister refers to as 'double-dipping', by which is meant the concurrent receipt of two or more mutually incompatible government benefits, and in relation to failure to promptly notify DSS of a relevant change in circumstances.

The effect of the subsequent legislation was to extend the use of the TFN scheme far beyond the taxation uses originally proposed, to include the additional matters listed in Exhibit 4.

Exhibit 4: Additional People Proposed During 1990
to be Authorised by Law to Use the TFN

E. APPLICATION TO COMPUTER MATCHING

As part of the August 1990 Budget Statements, the Minister for Social Security also announced that the TFN was to be used as a basis for parallel matching of data from five major client-oriented agencies. These agencies, in addition to providing to DSS, on a regular basis, large volumes of personal data including the TFN, were authorised to receive results of the matching back from that Department. Details of the nature of computer matching, and of the DSS parallel matching scheme, may be found in Clarke (1991a) and Kelly (1992). Exhibit 5 lists the organisations involved.

What the Government means by the term 'data matching' is a combination of the two techniques which would be referred to in the United States as 'computer matching' and 'front-end verification'. The effect of the legislation is that DSS provides a hub-service for other agencies, in a manner very reminiscent of that in which the Health Insurance Commission was to provide centralised services to a variety of agencies in relation to the Australia Card scheme.

Until passage of the Privacy Act 1988, computer matching in Australia had been undertaken without explicit controls. That Act authorised the Privacy Commissioner to "undertake research into, and to monitor developments in, data processing and computer technology (including data-matching ...) [and] to ensure that any adverse effects of such developments on the privacy of individuals are minimised ..." (s.27(1)(c)).

Exhibit 5: Agencies Currently Involved in DSS 'Parallel Matching'

As data matching agency:

As the key 'source agency' for reference data re taxable income:

As 'assistance agencies', which provide client data and receive results:

As additional assistance agencies, which provide data but (at present) receive no results:

In October 1990, the Commissioner published Draft Data Matching Guidelines (PC 1990), requesting submissions by 30 November. These Guidelines, which have similarities to those of both the 1988 United States statute and the Canadian Privacy Commissioner, would not only impose controls on the procedure to be applied, but would also require the preparation and prior publication of cost/benefit analyses. The Commissioner published a revised Exposure Draft in October 1991 (PC 1991).

The legislation authorising the 'parallel matching program' was passed in early 1991, and incorporates its own set of controls. These resemble, but are not identical to those in the Commissioner's Draft Data Matching Guidelines. Key elements are the publication of a 'program protocol', the provision to the Commissioner of a technical standards report in relation to data quality, integrity and security, and procedural requirements relating to actions affecting individuals, which arise from the matching program (Greenleaf 1991b, Kelly 1992).

It remains to be seen whether the controls will be effective, and whether this aspect of the Tax File Number scheme will, like the TFN itself, be applied to additional functions and extended to additional agencies. It is of especial concern that the information demand powers of the Department of Social Security are so great that significant extensions to the scheme, particularly in relation to the gathering of data from additional source agencies and private corporations, could be implemented without legislation.

F. CONCLUSIONS REGARDING THE TFN SCHEME

The assurances listed in Exhibit 2 can be seen to have been worthless. The initial scope of the scheme was greater than that understood at the time by people who took an active part in assessing its impact. Additional uses of the TFN have accumulated very quickly, and changed the purpose of the scheme. From an exclusively taxation scheme, the TFN now applies to any statute administratively moved under the ATO's control; any purpose deemed by statute to be 'taxation law'; and any purpose for which explicit legislative approval is given. The primary areas to which the scope has been widened so far are in the administration of virtually all benefits and pensions; in the location of spouse and child maintenance defaulters; in the administration of at least one new programme in which the use of the TFN might transpire to be of some assistance; and in the matching of personal data from all major client-oriented agencies. A fuller treatment of the history of the TFN proposals is in Clarke (1990).

VI. OTHER DEVELOPMENTS

During the last few years, a variety of other measures have been introduced which are part of the tendency towards more intensive use of information technology to monitor people. This section identifies several of these developments.

A. THE 1987 FRAUD REPORT

An important focus for many of the developments has been the Report of an Inter-Departmental Committee on Fraud Against the Commonwealth (Fraud 1987). This Report recommended a significant increase in the use of personal data as a means of counteracting fraud, and appears to have been used by many agencies as a means of tilting the emphasis away from client service and toward client control, even in hitherto welfare-oriented agencies.

This has been particularly apparent in the case of the Department of Social Security. Some of the measures (such as periodic interviews with the long-term unemployed, and targetted audits of beneficiaries with particular profiles) may be unexceptionable from a privacy viewpoint. Others have been quite unfeeling, such as the very long and highly intrusive questionnaire designed to catch out people co-habiting yet claiming two single pensions rather than the lower 'married' pension. To have to disclose whose wardrobe your shoes are kept in, and who paid for the electric kettle, as a condition of receiving a pension, seems to be indicative of an excessive swing toward protection of the public revenue.

B. THE CASH TRANSACTIONS REPORTING AGENCY (CTRA)

Another element of the data surveillance web is the Cash Transactions Reporting Agency (CTRA), which was recommended by a Royal Commission into tax-evasion schemes and was copied from the U.S. initiative of the same name. It is intended to provide a means of monitoring the 'washing' of cash from illegal activities such as the drug trade. This Act requires financial institutions to act as policemen, by placing on them a requirement to report to CTRA all cash transactions above a certain value, and all cash transactions of any value which the institution has reason to suspect may be associated with illegal activities. For details of the scheme, see Hewett & Kalyk (1990).

CTRA's primary activities are explicitly authorised by statute and are hence not in breach of the Privacy Act. The majority of CTRA's sources are private sector organisations, and are not subject to the Privacy Act, nor any other privacy controls.

C. THE LAW ENFORCEMENT ACCESS NETWORK (LEAN)

The Law Enforcement Access Network (LEAN), currently under development, is to provide services to a variety of organisations, initially the investigative sections of six Commonwealth agencies, later an additional ten Commonwealth agencies and unspecified agencies of the State and Territory Governments. As it is available on a fee-for-service basis, there seems no reason in principle why it might not also be accessible in due course by private sector organisations.

The services are to comprise the acquisition and maintenance of copies of a number of public databases; provision of storage for some of the user agencies' own data; and processing capabilities, and in particular powerful searching, data-linkage and data-matching of both structured and textual data. The public databases which LEAN is to copy are, in the first stage, those relating to company registration matters, including details of directors and public officers, and 'landata', by which is meant a wide range of data relating to real property, which is administered by the States and Territories in a variety of different ways. It involves between one and perhaps as many as a dozen databases, containing such data as property identification, ownership and value. It is anticipated that the service will be extended to incorporate access to other data which can be claimed in some sense to be in the public domain, such as Registries of Births, Deaths and Marriages; the Electoral Roll; and Telecom directories.

Its contention has been that this is an administrative arrangement and hence requires no Parliamentary approval. In addition, its law enforcement objectives are being used as a means of precluding public scrutiny of the scheme's aims and operations. There are doubts as to whether it is subject to the Commonwealth Privacy Act 1988, because of that statute's widely expressed exemption clauses.

From what is publicly known about LEAN, it is apparent that some breakdown is occurring in the hitherto very strong demarcation between Commonwealth and State Governments. The Commonwealth's powers are specified by the Constitution, and the 'residual powers' (i.e. those not expressly vested in the Commonwealth) belong to the States. Among many other things, the States have responsibility for the administration of land titles, the provision of services to land-owners, births, deaths and marriages registries, and Commonwealth agencies have clear interests in the data held in many of the files of State government agencies, e.g. for taxation and welfare entitlements verification. The concerns of privacy interest groups are exacerbated by the fact that there is virtually no information privacy protection law in any of the States.

D. THE MEDICARE AND PHARMACEUTICAL BENEFITS SCHEMES

The Pharmaceutical Benefits Scheme (PBS) is the arrangement whereby the Government subsidises the cost of prescription pharamaceuticals, most of which are supplied via local pharmacies. The level of contribution by the patient/consumer depends on whether or not he or she is a recipient of any of a wide range of social security or veterans' benefits. These pensioners pay only a low 'concessional rate' for a prescription, whereas other people pay up to about six times that amount (but in the case of many products still considerably less than the full cost).

The Department of Community Services & Health (DCS&H), which had been responsible for administering the scheme, was subjected to severe criticism by the Auditor-General, most recently because of the inadequate control exercised over whether those claiming the concessional rate were entitled to it. The Department, on the other hand, considered that there was little evidence of fraudulent activity, and that the primary causes of cost increase had been increased use of pharmaceuticals because of the aging of the population, and increased per-unit drug costs.

Following the Auditor-General's criticisms, responsibility for the PBS was transferred to the Health Insurance Commission (HIC), the statutory authority which is responsible for Medicare, the national health insurance system. HIC is a technologically sophisticated and self-confident organisation, and among government agencies was the primary advocate for, and proposed operator of, the Australia Card proposal. The Medicare enrolment database is the largest single database in the Commonwealth sector, with 18 million records (PID 1989).

In late 1989, HIC proposed a number of enhancements to the PBS. In February 1990, when it appeared that the proposals were likely to become an election issue, the Government hurriedly withdrew them, but it duly re-announced them as part of the August 1990 Budget package.

One of the enhancements proposed was that pharmacists would only be guaranteed payment of a PBS claim if they conducted an on-line 'eligibility check' of the HIC database to confirm the validity of the claimant's status. To be able to check concession entitlements, HIC was to augment its PBS database with data provided fortnightly from the Department of Social Security and Department of Veterans' Affairs. Following expressions of concern from both privacy interest groups and pharmacists, the legislation authorising the scheme in mid-1991 required a cost/benefit study to be undertaken before the on-line eligibility verification component was implemented.

A further change was to restrict PBS entitlements to Australian residents (as is already the case with Medicare entitlements). This has the effect of requiring non-concessional claims also to be front-end verified. Hence, for the first time, the identity of every patient for whom a prescription is filled will have to be transmitted to a government agency. To check residence status, HIC is to use (a copy of) the Medicare database, which it maintains in fulfilment of its primary function as the national health insurance agency.

A further change is that it becomes compulsory for all pharmacies to submit PBS claims to HIC in computer-readable form (either by telecommunications or on diskette). Because the costs of multiple handling of data are high, it appears inevitable that the computers in all of the approximately 5,000 pharmacies in Australia would soon be directly linked to the HIC system.

Previously, no computer-readable record of an individual's use of pharmaceuticals existed. Under the proposed arrangements, however, not only is an identified record of each person's pharmaceutical claims to be maintained, but it is to be maintained by the HIC, parallel with its existing identified record of each person's medical claims. Any future combination of those records will reveal far more detail of the conditions for which a person has been or is being treated than was ever possible to infer from the medical claims alone (which in many cases showed only that a consultation had taken place). No cost/benefit analysis has been published to justify the creation of such an exceptionally sensitive and potentially dangerous database.

The HIC has called for tenders for the replacement of all existing Medicare cards (which are not machine-readable) with plastic cards containing a magnetic stripe. In addition, the existing 'family number' is to have a suffix appended, which will, for the first time, enable individuals within the family to be identified. Hence the Medicare card and number, which were previously household-level, single-purpose and of low (but serviceable) integrity, are to be succeeded by individualised, dual-purpose, higher-integrity replacements. Furthermore, the Medicare system is to be have a degree of linkage with the now-pivotal DSS database.

E. IMMIGRATION

Because it is an isolated island, Australia has few problems with illegal entrants. However, it does have some difficulties with visitors overstaying their visas. During the last few years the Government has expressed serious concerns about the estimated 90-150,000 illegal immigrants, focussing not on the proportion of the population they represent (0.5-0.9%), nor on the relationship of these numbers to legal immigration (about the same as the annual intake of legal immigrants), but rather on the costs of welfare services both to illegal immigrants themselves and the legal residents supposedly displaced from the workforce by them.

A series of amnesties expired in October 1990. On 1 November, press reports suggested that the Department of Immigration was seeking to increase the interchange of data with other Departments. In particular, it was suggested that residence status should become a criterion for the issue of a Tax File Number, as it already is for Medicare. The implications for proliferation of the TFN, and linkage with the Medicare and Pharmaceutical Benefits identifiers, are apparent.

F. THE TIGHTENING NET

It is clear that Commonwealth Government agencies are applying information technology in a variety of different programmes designed to impose greater control over their clients. Moreover, the 'Tax File Number' scheme (embracing all taxation, all welfare and some other programmes), the Law Enforcement Access Network, and the Health Insurance and Pharmaceutical Benefits Scheme are capable of being inter-linked, to provide an even greater degree of privacy invasiveness.

Of the five agencies (and over twenty programmes) which are involved in the Tax File Number scheme, two agencies (DSS and DVA, which are responsible for most of the programmes) will, as part of the PBS proposals, regularly provide data to update the Health Insurance Commission's database. Data from the HIC's existing Medicare database, the largest collection of personal data, is already provided to DSS for matching purposes. Although the current proposals do not involve provision of the Tax File Number to the HIC, the temptation to further improve the efficiency of the matching process would be difficult for any government agency, and for any Government, to resist.

It is reasonable to speculate that several other Federal Government agencies would be early contenders for involvement in the TFN scheme. The Department of Foreign Affairs and Trade, through the Passports Office, has an interest in identification, and can be readily argued to be able to contribute toward the integrity of the TFN scheme. The Electoral Rolls are in need of continual updating (and in any case are already routinely accessed by DSS). Automatic updating of address (and hence Electoral Division) based on the most recent advice of change of address to any Government agency, can be argued to ensure much-improved accuracy in the exercise of voting rights, and to be a service which many Australians would appreciate. Similar arguments can be readily formulated to support the inclusion of other Commonwealth agencies in the TFN scheme.

With the TFN already established as a multi-purpose identifier, restricting its use only to Commonwealth agencies is difficult to defend - after all, State Government agencies also have a clear need for data integrity, and for access to personal data. The Electoral Commission is an easy starting point, because it provides a service to both the Commonwealth and the States; and the Law Enforcement Access Network spans the two levels of government. The Land Titles offices represent an area in which the States have something to contribute to the Commonwealth, and hence both parties would have an interest in a successful conclusion to negotiations. Another alternative is the Registers of Births, Deaths and Marriages, which are run by the States. These were targetted by the HIC during the Australia Card campaign as one of a number of sources of data. The offer by the Commonwealth to the States of financial assistance to enable computerisation of the Registers was rejected in 1986, during the heat of the Australia Card campaign, but would be attractive to the States if renewed in a less highly charged atmosphere.

Once the TFN was available to State Government agencies, it would be highly attractive for it to be used in the administration of such matters as driver registration, parking and speeding fine collection, and, through the State-Government controlled local councils, the payment of rates. The government business enterprises which supply water, electricity and gas, would of course also be interested in having access to the national identifier, and hence to the dispersed but very effective national personal data scheme.

At that point there would no longer be any justification in restricting use of the TFN to the public sector. If public enterprises could have access, why not companies? The ground for private sector use was laid in the original scheme in 1988. The TFN is scattered far and wide throughout private industry, because every employer and every financial institution is required to store the number of every employee and every investor. In due course, some agency of the Commonwealth will seek the assistance of financial institutions in gaining access to personal data generated by EFT/POS services (the use of credit and debit cards in Automatic Teller Machines and Point of Sale terminals). The natural quid pro quo would be to permit financial institutions to use the TFN for their own purposes.

Justification of each individual step is easy. It is adequate for the lead agency in any programme to make sure that the extension is perceived as a necessary part of an important Government initiative (in recent years the 'ideas in good standing' have been the attacks on tax evasion and welfare fraud, but terrorism or national security would suffice). It is very straightforward to prepare cost/benefit analyses to justify a scheme - all that is necessary is to estimate that x% of all payments are fraudulent and would be prevented by the system. Such assertions are very difficult to de-bunk, and arguments about them are sufficiently boring that the media are not interested. An alternative approach is to merely assert that the measure is needed, and not bother with a public economic justification.

The conventional defence is "but the only people with anything to fear are those with something to hide". Indeed, the tightening net would have some effect on criminals, and large-scale cheats. These measures are aimed, however, at people who operate inside the official system, and are dependent on it, and whose cheating is on a small scale. Organised criminals have ample opportunity to avoid apprehension, because of the ease of operating outside the official system, of using official systems to 'wash' identities and transactions, and of buying assistance, silence and inaction, coupled with the complexities of the systems involved in investigations, and the slow, labyrinthine grandeur of the law. The primary effect of the tightening net would therefore be on small-time cheats, and the innocent.

This is no apocalyptic vision. The technology is coming together very quickly to support this scenario, and the simple-minded economics applied by government agencies represent no constraint. The political power to apply the technology to these ends is in the hands of senior public servants, and to a lesser extent politicians. In the current political climate, technological determinism appears likely to prevail until and unless a significant and lasting change occurs in popular values, and in the ability of the public to influence governments.

VII. AUSTRALIAN PRIVACY LAW
AN INADEQUATE RESPONSE

Australia's experience has been similar in a number of respects to that of the United States. There was a flurry of interest in privacy in the early 1970s, when the potential of data surveillance first became apparent, followed by a long hiatus until the late 1980s, when cumulative technological developments made those fears a reality.

Zelman Cowen's radio lecture series (Cowen 1969) was followed by a Report to the Commonwealth and State Attorneys-General (Morison 1973), but only New South Wales took up Morison's recommendations and created a privacy body (Privacy Committee Act 1974 (NSW)). Australia's only other privacy legislation during this period was some ineffective legislation in several States concerning credit reporting, and Commonwealth and Victorian freedom of information legislation (based on the United States legislation), which provided a right of correction of personal records.

The Australian Law Reform Commission undertook a wide-ranging study, intended to produce federal privacy laws, which commenced in 1976 but was long delayed, and lost the political tempo (ALRC 1983). Its limited proposal of a Privacy Commissioner with advisory ombudsman-like functions was easily stalled by the public service.

To mollify concerns about the Australia Card proposal, the Privacy Bill 1986 was introduced, reviving some aspects of the ALRC's recommendations. That Bill was cripplingly deficient, and lapsed when the Australia Card Bill was withdrawn. It provided the basis for the significantly better Privacy Act 1988, which became the privacy trade-off for passage of the Government's Tax File Number legislation through the Senate. Australia thereby became one of the last of the OECD member-nations to enact data protection legislation, passing a law of the kind which had been needed in the 1970s just in time to confront the technology of the 1990s. Subsequently, there has been an amendment to the Crimes Act concerning old criminal records, and an amendment to the Privacy Act to bring consumer credit reporting under the Privacy Commissioner's jurisdiction.

The Privacy Act establishes 11 Information Privacy Principles (IPPs), which (with some deficiencies) provide a basic level of compliance with the minimum standards set out in the OECD Guidelines (OECD 1980). These must be complied with by most federal agencies. The IPPs may be enforced by a range of mechanisms, including individual complaints to the Privacy Commissioner (with compensatory damages and costs available) and audits of agencies by the Commissioner. For details see Greenleaf (1989, 1991a). Another potentially very positive outcome of the Privacy Commissioner's work is the Draft Data Matching Guidelines (PC 1990, 1991), referred to earlier.

The test of data protection legislation (and privacy watchdogs), however, is not the extent to which they regulate established mechanisms of data surveillance so as to make them operate less invasively (or more 'efficiently'), but rather the capacity that they have to prevent unacceptably dangerous systems being established in the first place (Rule 1980, Flaherty 1989). Does the legislation (or the existence of the watchdog) serve to facilitate the spread of surveillance by making it appear less dangerous?

In the face of the proliferation of the Tax File Number, the introduction of parallel matching, and the combination of the Pharmaceutical Benefits and Medicare schemes, the Privacy Act is showing serious deficiencies. The creation of the office of Privacy Commissioner has undoubtedly been of benefit in ensuring that the actions of government agencies are legal. But this is only the reactive component of privacy protection; a proactive stance is vital if information technology is to be applied in a manner sensitive to privacy values.

In 1990, the Privacy Commissioner claimed before a Senate Committee that his functions did not include stating to the public or Parliament what he considered to be the privacy implications of Government proposals. Although minor amendments were made in 1991, he continues to avoid commenting publicly on the privacy impact of government policies, and on the extent to which the privacy-invasiveness of government proposals is balanced against other interests.

The Government regularly claims that it has "consulted with" with the Privacy Commissioner, and that its proposals will be subject to the Commissioner's Guidelines, without acknowledging that his existing and any future Guidelines will be subservient to the new legislation and will be promptly amended to reflect it. It is reasonable to conclude that the existence of the office of Privacy Commissioner is being used to legitimate data surveillance measures: Australian privacy law is, in confirmation of Rule's thesis (1980), facilitative rather than preventative.

VIII. CONCLUSIONS

There is a pronounced tendency on the part of senior executives in the public service to regard government as a single monolith. Personal data can flow freely between the agencies because all flows are internal to the service. This frame of thought is now being coupled with the technocratic confidence that information technology can enable this sharing to be done quickly and efficiently, and that all manner of inefficiencies (in the most general sense of the word) can be eradicated. As a result, there has been a shift in emphasis from reactive enforcement to proactive surveillance. There appears to be little appreciation on the part of senior executives that personal freedoms are threatened by these efficiencies.

The public service is in principle the servant of the Government, and subject to a number of Parliamentary controls. In practice Ministers are overwhelmed by their long-serving and well-informed servants, and Parliamentary Committees are regarded with something less than respect by the public servants called before them. In some countries, there has been explicit recognition by Parliament of the importance of information privacy, as in Canada, where in 1989 the uses of the Social Insurance Number (SIN) were rolled back. At present in Australia, the prospects appear to be remote of the Commonwealth Parliament adopting information privacy as a value which should be protected against the ravages of information technology imperatives.

Concerns about concentration of personal data have resulted in commotions in several countries in recent years, including Sweden, Switzerland, and both of what were until recently West and East Germany. There are also a number of countries in which the rejection of official society has moved beyond the 'black economy' to encompass many other aspects of life. Although novelists have largely been pessimistic about the survival of individuals in tightly controlled societies (e.g. Zamyatin 1920, Huxley 1932, Orwell 1948), some have experimented with unconventional survival strategies (e.g. Brunner 1975, Benford 1989). Ultimately, the answer to a national personal data system by a significant portion of the public may be to ignore it.


ACKNOWLEDGEMENT

Graham Greenleaf, of the Faculty of Law, University of N.S.W., Sydney, and Chairman of the Australian Privacy Foundation, made valuable contributions to this paper, as he has done over many years to the cause of balancing the benefits of information technology against the harm to the human value of information privacy.


REFERENCE LIST

Papers, Books and Reports

ALRC'Privacy'
Report No. 22, Austral. L. Reform Comm., Austral. Govt Publ. Service, 3 vols. 1983
Asprey
'Report of the Taxation Review Committee', Austral. Govt. Publ. Service, 1975
Benford G.
'Tides of Light' Victor Gollancz 1989
Brunner J.
'The Shockwave Rider' Methuen 1975, 1988
Campbell
'Report on the Australian Financial System', Austral. Govt. Publ. Service, 1981
Clarke R.A.
'The National Identification Scheme: Costs and Benefits' CIS Policy Rep. 2,1 (February 1986)
______
'Just Another Piece of Plastic for Your Wallet: The 'Australia Card' Scheme' Prometheus 5,1 (June 1987) 29-45 Republished in Comp. & Soc. 18,1 (January 1988) 7-21
______
'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988)
______
'The Australia Card: Postscript' Comp. & Soc. 18,3 (July 1988) 10-13
______
'Human Identification in Record Systems' Working Paper, available from the author, June 1989
______
'Computer Matching: Theory and Australian Practice' Working Paper , available from the author, March 1991
______
'The Expansionary History of the Enhanced Tax File Number Scheme' Policy 7,2 Summer 1991
Cowen Z.
'The Private Man' Boyer Lecture Series, Aust. Broadcasting Comm. 1969
DoH
'Towards Fairness and Equity' Department of Health (6 February 1986)
Flaherty D.
'Protecting Privacy in Surveillance Societies' Chapel Hill, 1989
Fraud
'Review of Systems for Dealing with Fraud on the Commonwealth' Austral. Govt Publ. Service, 1987
Graham P.
'The Australia Card: A Burden Rather than a Relief?' Aust. Qtly 58,1 (Autumn, 1986) 4-14
______
'Computers in Public Administration: The Australia Card Case' Austral. Comp. J. 22,2 (May 1990)
______
'The Australia Card: A Technology Driven Policy?' MPhil Thesis, Griffith Uni., Brisbane (1990)
Greenleaf G.
'The Australia Card: Towards a National Surveillance System' L. Soc. J. of N.S.W. 25,9 (October 1987)
______
'No confidence in the Commonwealth Privacy Bill' Austral. L. J. 62 78-81 (1988)
______
'Lessons from the Australia Card - deus ex machina?' Comp. L. & Sec. Rep. 3,6 (1988)
______
'The Privacy Act' Austral. L. J. 63 116-118, 285-287 (1989)
______
'Trends in Australian Data Protection Law' Comp. L. & Prac. 7,3 (Jan/Feb, 1991) 107-121
______
'Can the Data Matching Epidemic Be Controlled?' Austral. L. J. 65 220-223 (1991)
Greenleaf G. & Nolan J.
'The Deceptive History of the Australia Card' Aust. Qtly 58,4 (Summer, 1986) 407-425
Hewett J. & Kalyk F.G.
'Understanding the Cash Transactions Reports Act' CCH, Sydney, 1990
HIC
'Planning Report of the Health Insurance Commission' (26 February 1986)
Huxley A.
'Brave New World' Penguin Books, New York, 1932, 1975
JSC
'Report of the Joint Select Committee on an Australia Card' Aust. Govt. Publ. Serv., Canberra (May 1986) (2 vols.)
Kelly P.
'Australian Federal Privacy Laws and the Role of the Privacy Commissioner in Monitoring the Data Matching Program' in Clarke R. & Cameron J. (Eds.) 'Managing Information Technology's Organisational Impact II' forthcoming, Elsevier/North-Holland, 1992
Laudon KC.
'Dossier Society: Value Choices in the Design of National Information Systems' Columbia U.P., 1986
Mathews
'Report on Inflation and Taxation', Austral. Govt. Publ. Service, 1975
Morison W.L.
'Report on the Law of Privacy' N.S.W. Govt. Printer, Sydney, 1973
OECD
'Guidelines for the Protection of Privacy and Transborder Flows of Personal Data' Org. for Ec. Cooperation & Dev., Paris, 1980
Orwell G.
'1984' Penguin Books, New York, 1948, 1972
PC
'Personal Information Digest' Privacy Commissioner, Human Rights and Equal Opportunities Commission, Sydney, 1989
______
'Draft Data Matching Guidelines' Privacy Commissioner, Human Rights and Equal Opportunities Commission, Sydney, October 1990
______
'Draft Data Matching Guidelines' Privacy Commissioner, Human Rights and Equal Opportunities Commission, Sydney, October 1991
Rule J.B.
'Private Lives and Public Surveillance: Social Control in the Computer Age' Schocken Books, New York, 1974
Rule J.B., McAdam D., Stearns L. & Uglow D.
'The Politics of Privacy' New Amer. Lib., 1980
Ryan J.
'The Australian Taxations Office Electronic Lodgment System' in Clarke R. & Cameron J. (Eds.) 'Managing Information Technology's Organisational Impact II' forthcoming, Elsevier/North-Holland, 1992
Smith E.
'The Australia Card: The Story of Its Defeat' Macmillan, 1989
SSCLCA
'Report on Feasibility of a National ID Scheme: The Tax File Number' Senate Standing Committee on Constitutional and Legal Affairs, Austral. Govt Publ. Service, October 1988
Westin A.F. & Baker M.
'Databanks in a Free Society' Quadrangle, New York, 1974
Zamyatin
'We' Penguin Books, New York, 1920, 1983

Statutes

Australia Card Bill 1986
Cash Transactions Reporting Act 1988
Child Support Act 1987
Child Support (Registration and Collection) Act 1988
Child Support (Assessment) Act 1989
Criminal Records Expungement Act 1989
Freedom of Information Act 1982
Higher Education Funding Act 1989
Income Tax Assessment Act 1936
Privacy Bill 1986
Privacy Act 1988
Privacy Act Amendment Bill 1989
Privacy Committee Act 1974 (NSW)
Social Security and Veterans' Affairs Legislation Amendment (No.3) Act 1989
Social Security Legislation Amendment Bill 1990
Social Security and Veterans' Affairs Legislation Amendment Bill (No.2) 1990
Social Security Act 1947
Taxation Administration Act 1953
Taxation Laws Amendment (Tax File Numbers) Act 1988
Training Guarantee Administration Act 1990

Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Last Amended: 7 October 1996


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916