1. Introduction
Arising from its present stated concerns about security, government services fraud, money laundering and a need for an improved way to verify identity, the Federal Government has introduced greater security measures within passports and has proposed placing greater responsibility for verification of identity on some parts of the private sector through the introduction of stricter anti‐money‐laundering laws.1 It has also once again considered the need for a national identity card as part of a broader national identity security scheme.
A number of different proposals to strengthen identity verification have been raised by the Government over the last year or so but the most contentious proposals have been for a new national identity card and for a government services smartcard to replace the existing Medicare card and other benefit cards.2
This paper briefly examines the history of identity cards in Australia and discusses the current proposals of the Government to introduce some form of identity card. It examines the recently enacted Identity Cards Act 2006 in the United Kingdom and explores some of the concerns about that proposal. Finally, it analyses whether or not an identity card scheme would address the Government’s concerns about protecting security in addition to the private sector concerns about identity fraud and theft.
2. The Australian Government Proposals
2.1. The Australia Card
Australia has a history of registration, personal identification and data collection within both the public and private sectors. The idea of a national identity card is not new. During WWII, Australians were registered under the National Security Act 1939 (Cth) and National Registration Act 1939 (Cth) and were given a basic identity card under the 1947 National Security (Manpower) Regulations. The imposition of rations was an incentive for registration and production of the card.3
It was not for another 30 years, however, before three government reports published in 1975 suggested that government efficiency could be improved and fraud better detected through the introduction of an identity card system.4 The then Fraser Government took no action about these recommendations at that time. In 1986, the Hawke Government tried to introduce a national identity card, the Australia Card, but there was substantial public opposition to it and, by 1987, 90% of Australians were opposed to the card.5 However, the accompanying Privacy Bill 1988 (Cth), which contained Information Privacy Principles about how personal information was to be collected by federal government agencies, was enacted and enhancements to the Tax File Number (TFN) scheme administered by the ATO were enacted with the objective of increasing the Government’s capacity to link the identification of specific taxpayers with specific taxable income.6
2.2. Current Proposals
The next attempt to introduce a national identity card in Australia apparently began as a result of the London bombings on 7 July 2005. On 14 July 2005, Queensland Premier Peter Beattie commented on the issue on ABC radio arguing that such a card would be in the interests of national security. When asked about Beattie’s comments, Prime Minister Howard did not support them but his own comments were vague and he was reported in the press as not ruling it out altogether in the Government’s review of security arrangements.7 Howard then became more supportive of the idea of an identity card and the Attorney‐General subsequently stated that the Government would be examining the possibility of an identity card.8 However, many government ministers were strongly opposed to the idea as the Attorney General himself had been in October 2003.9
In January 2006, Attorney‐General Philip Ruddock announced he was establishing a formal enquiry into whether Australia needed an identity card and how much it would cost to implement it.10 He provided no specific information about the purpose of such a card so that it was not clear if the primary focus would be on security, identity fraud, anti‐money‐laundering or effective government services. However, in an abrupt turnaround, the Prime Minister and the Attorney‐General announced in April that the Government would not be introducing a national identity card but would instead introduce a health and welfare services smartcard.11
The proposal for a human services smartcard was discussed at a Cabinet meeting on 26 April 2006. The major purpose of the smartcard, to be phased in from 2008, is to prevent welfare fraud. The card will replace 17 existing benefits cards and will contain a digital photo, a number and signature. A microchip will include a photo, address, date of birth and details of dependants. Emergency contacts and medical information is optional. The cost of setting up the smartcard is about $1 billion over four years.12 The smartcard was first raised as a possibility by Minister Hockey during 2005 and, while its main purpose is to reduce welfare fraud, Minister Hockey and his colleagues have also mentioned other uses such as disaster relief payments, Medicare refunds and in slashing red tape.13
The Government, as part of its National ID Security Strategy and e‐Authentication Framework, has also introduced an e‐passport with a machine readable microchip that can electronically store biometric and other personal information. The e‐passport has had its fair share of criticism from privacy groups14 as well as some technical problems with the RFID technology15 but is now being implemented. The Government is also planning to introduce an E‐Health medical records system, an eCitizen scheme requiring new citizens to have biometric identifiers16 as well as centralised Internet accounts with the Government.17
3. The United Kingdom Identity Card Proposal
3.1. Background
Britain abandoned its wartime identity papers 50 years ago and has not since had a national identity card system, although at least nine of the 25 European Union (EU) members have some form of identity card.18 The national identity card has been an unfulfilled pet project of both Labour and Conservative governments in the UK for more than 20 years.
In April 2004, a draft Identity Cards Bill was published, proposing the introduction of a UK identity card scheme coupled with a national database. Most of the detail was left to future unspecified regulations. There was sufficient opposition to the Bill to ensure that it ran out of time in the run up to the General Election on 5 May 2005.19
The draft Identity Cards Bill was reintroduced into Parliament on 17 May 2005 and the Government narrowly won a second reading of it in the House of Commons on 28 June, after the Home Secretary agreed to cap the cost to individuals of obtaining the card. There was opposition to the Bill from within the Labour Party, the Tories and the Nationals.20 The Bill passed through committee stage and onto the House of Lords. The all‐party House of Lords Constitution Committee expressed concerns about the lack of an appropriate separation and limitation of powers, particularly as the Bill proposed that the Secretary of State be responsible for the scheme, rather than a new entity, responsible to and reporting to parliament.21
On 16 January 2006, the House of Lords advised the Government that it would not approve the Identity Cards Bill without full details of the costs for the scheme.22 However, once satisfied about the costs, the bill was finally passed by the House of Lords and it became law on 30 March 2006.
3.2. The Act
The Identity Cards Act 2006 (UK) empowers the Secretary of State to establish a National Identity Register. The purposes of the Register are stated in s 1(3):
… to facilitate, by the maintenance of a secure and reliable record of registrable facts about individuals in the United Kingdom
- a.
the provision of a convenient method for such individuals to prove registrable facts about themselves to others; and
- b.
the provision of a secure and reliable method for registrable facts about such individuals to be ascertained or verified wherever that is necessary in the public interest.
Something is in the public interest if it is in the interests of national security; or is required for the purposes of the prevention or detection of crime, of enforcement of immigration controls, of the enforcement on prohibitions on unauthorised working or employment, or for securing the efficient and effective provision of public service.23
Sections 3, 6 and 7 and Schedule 1 describe the information about an individual, generally all people residing in the UK over 16 years of age, that will be collected and retained in the Register:
- •
Full names and other known names.
- •
Date and place of birth (and date of death).
- •
Gender.
- •
Physical characteristics.
- •
Biometric information (which could include signatures, facial recognition, digital photos, iris scans or fingerprints).
- •
Every residential address with dates.
- •
Nationality.
- •
National Identity Registration number, identity card number, National Insurance number, passport number, driver’s licence, work permits, immigration documents as well as other reference numbers allocated.
- •
Validation information—including information provided to support initial registration or a modification to it.
- •
‘Steps taken’ by the authorities to identify an individual or verify information provided to the Register.
- •
Security information, such as a PIN number, password or code, for the purpose of providing information to the register.
- •
Information about occasions on which information recorded about an individual in the Register has been provided to any person.
There is no time limit on how long the personal information can be kept on the Register. It may be retained ‘for so long as it is consistent with the statutory purposes for which it is recorded’.24 There also does not appear to be a right of access to the information stored about them on the Register by the individual. The Act requires an individual to update information about themselves already provided25 but only the Secretary of State has the power to correct information if he or she judges it to be appropriate.26 The Secretary will have the power to obtain information about an individual without their consent from third parties27 and will be able to grant access by a range of public authorities in the public interest to individual’s personal data.28 Access will not be subject to the consent of the individual in these instances.
The Act empowers the Secretary of State to enforce registration.29 It also establishes new offences for the possession of false identity documents,30 setting out civil and criminal penalties.31 It will not be compulsory to carry a card32 and, with the exception for the provision of public services or where a person is given the option of using reasonable alternative methods of establishing their identity,33 it will be unlawful to require an individual to produce an identity card.34
The UK scheme centres around the creation of a National Register which will be able to be accessed by over 265 government departments and, if the individual consents, by about 44,000 private sector organisations.35 How private sector organisations will be able to obtain permission to access the Register is not clear as the Government responses to queries about how the process might work have been contradictory and unclear.36 These organisations will be required to be validated to access the Register and will require appropriate scanning and other technology to access the Register and to read the card. There will be a transaction fee for each identity check, which will presumably be passed onto the individual concerned.
The UK Government argues that an identity card scheme will help to tackle crime that relies on the use of false identities, such as terrorism, drug trafficking, money laundering, fraud through identity theft, illegal employment and immigration. It also argues that the Identity Card will enable people to access current services more easily, provide a watertight proof of identity for use in everyday transactions and travel, and provide a means of providing more efficient services.
However, two authoritative negative responses to the Identity Card Bill (as it was at the time) came from the Information Commissioner (UK) and the London School of Economics (LSE). The major concern of the Information Commissioner was that the information collected by the Government may not be fair and proportionate to the public interest purposes of collecting personal information.37
The Information Commissioner argued that the measures in relation to the National Identity Register and the data trail of identity checks on individuals risk an unnecessary and disproportionate intrusion into individuals’ privacy.38 The measures are not easily reconciled with fundamental data protection safeguards such as fair processing, deleting unnecessary personal information and the right of individuals to access and correct data stored about them. An effective identity card could be established avoiding these unwarranted consequences for individuals. In his view, the primary aim of the Government with this legislation should be to establish a scheme which allows people to reliably identify themselves rather than one which enhances its ability to identify and record what its citizens do in their lives.39
The Commissioner also indicated a number of aspects of the proposals in the Bill that were potentially inconsistent with the requirements of the Data Protection Principles as set out in the Data Protection Act (UK) 1998 including that the breadth of the five purposes specified in the Bill could lead to function creep in unacceptable areas of private life, that the technical and administrative arrangements proposed in the Bill lack independent oversight, and that the use of secondary legislation and regulations will allow the expansion of identity checks via other legislation and the ability to check the Register even though no card has been issued.40
The LSE undertook a major investigation into the Identity Cards Bill, producing a report titled The Identity Project: An Assessment of the UK Identity Cards Bill and its Implications on 27 June 2005. It stated that the proposals were too complex, technically unsafe, overly prescriptive and lacked a foundation of public trust and confidence. The Report concluded that the proposal would be very expensive and that it would alter the nature of British society.
The LSE Report estimated the likely cost of the 10‐year rollout of the scheme to be between £10.6 billion and £19.2 billion. These estimates were considerably higher than the government estimates of £5.8 billion41 and provided the basis for the rejection of the Identity Cards Bill in the House of Lords on 16 January 2006.
4. Will Identity Cards Satisfy the Concerns of Governments?
The UK Government has not been able to show clearly how its Identity Card and Register will be used to reduce terrorism and other security threats, although this is part of the stated purpose for their introduction. For instance, alleged terrorists in the United States, the UK, Spain and Australia have not lacked identity papers.42 It is the intent of terrorists which is unclear, not their identity.
Further, the LSE Report examined government statistics from 2002 on the cost of identity fraud and concluded that the card would have no or very minor impact on identity‐related VAT fraud, money‐laundering (as identified by Customs and Excise), health services fraud, immigration fraud, insurance fraud, credit card fraud, and identity theft fraud.43 The only category of identity fraud in which an identity card could be used effectively was that of identity‐related social benefit fraud, estimated to be approximately £35 million per annum (or 1% of total benefit fraud).44 There is also a possible use in stopping temporary workers from outstaying their entry visas. So if identity card schemes such as that proposed in the UK have limited effectiveness, it would appear important to restrict their implementation to those individuals who are involved, such as those on welfare.
In relation to concerns about privacy, the Australian Privacy Principles are at least as strong as the UK Data Protection Principles and therefore if the proposals in the UK Act are potentially inconsistent with the UK Data Protection Principles, then a similar Act in Australia would certainly be inconsistent with both the Information Privacy Principles set out in the Privacy Act 1988 (Cth) which apply to federal government agencies and the National Privacy Principles which apply to the private sector.
The general concerns expressed in relation to the UK Act by the Information Commissioner are also valid in the Australian context. The Commissioner argues that the measures in relation to the National Identity Register and identity card may become an unnecessary and disproportionate intrusion into an individual’s privacy.
Data protection principles are based on the premise that only personal information needed for a specific and defined purpose will be collected by organisations, and that it will be retained for a limited time, then destroyed once the purpose has been fulfilled.45 Access to personal information by third parties is restricted and individuals should be notified of likely recipients at the time of collection. A key aspect of all data protection principles is that the individual will have access to what is stored about them and will be able to amend incorrect data.46 The UK scheme provides few of these obligations, allowing collection of data for fairly ill‐defined purposes, access to the data by a broad range of third parties, no limits on retention, and no right of access by individuals.
Identity cards per se are not ‘bad’. Australians are used to different forms of identity cards already. Australians who wish to travel overseas accept that they must have a passport. Our driver’s licence and our current Medicare Card are perceived as being quite acceptable as they have clearly defined purposes. The former is now being used as a form of identity card, for example, when collecting electronic tickets at airports or when seeking to pay for goods by cheque. It is the photo on the licence which is the key to its use, rather than the number itself. On the other hand, it is the number on the Medicare Card which is important.
It is the multifunctional nature of the identity card as seen in the UK proposal which causes alarm. The entire adult population does not need a card for the Government to stop welfare fraud; only those receiving welfare payments. Similarly, it is excessive to require a national identity card to tackle immigration fraud. A national identity card may be appropriate for addressing terrorism but the Government needs to show how that card will work to achieve this purpose.
The Australian Government is already developing a government verification service to allow for the verification of documents used for identification, such as a birth certificate, and is addressing health and welfare fraud through the human services smart card initiative. These initiatives appear to be a sensible approach to specific problems. They are attempting to address one specific problem with a specific solution.
However, there has been no publicly available document released about the human services smartcard. The only information about the proposal has been through government press releases and private press briefings. Since the smartcard was first raised by Minister Hockey in early 2005, the Government’s stated objectives for it have expanded well beyond the original purpose of reducing welfare fraud. It is difficult at this stage to comment on whether the Government is proposing to use it as a de facto national identity card. Certainly, it has the potential to be developed as one.
5. Conclusion
The main question arising from any proposal to introduce an identity card is whether its negative impact on the human and legal rights of citizens is sufficiently balanced by the benefits arising from the reduction of the problems it is designed to reduce, such as identity fraud or threats to national security. There are, of course, many other questions relating to the feasibility of the technology proposed and the cost of the scheme but these are beyond the scope of this paper.
The Australia Government appears to have deferred consideration of an identity card scheme similar to that introduced in the UK which is probably wise, given the criticisms of the UK model and the Australian Government’s current, vaguely stated, objective of ensuring national security. The primary aim of the UK Government appears to have been the introduction of a scheme which enhances its ability to identify and record what its citizens do in their lives rather than one which allows people to reliably identify themselves. The LSE assessment of the UK Bill was that the only probable benefits would be in the area of social benefit fraud and in combating illegal workers. As it stands, it would be unlikely to reduce credit card fraud, immigration fraud, terrorism or money‐laundering activities. On the other hand, the UK identity card scheme is likely to significantly undermine citizens’ rights under the Data Protection Act as well as some anti‐discrimination legislation. The Act removes the individual’s right of access and correction, lacks independent oversight of the technical and administrative arrangements, has no limits on how long data will be kept, and makes a presumption that all information collected is accurate.
The Australian Attorney‐General has now removed the identity card debate altogether from the Federal Government’s agenda, at least for the time being, apparently as part of government strategy to proceed with the human services smartcard. Originally proposed as a way to reduce social security fraud, the smartcard is already undergoing function creep and is to be used as a new Medicare Card, for the provision of all government services, for disaster relief and so on.
It is imperative that if a true national identity card is introduced again, the objectives of the scheme are precisely articulated so that there can be an appropriate evaluation of how the identity card would address those objectives. The need for a national identification scheme and identity card will have to be demonstrated compellingly and should not merely be an attempt to use one card to solve a range of identity verification and government fraud issues. The development of the proposed human services smartcard will be watched with interest to see if it is intended to be, or becomes corrupted into being, a national identity card.