17 December 2015

Up to a point, Lord Copper

When contextualised with Government practice over the past decade the preliminary Privacy Impact Assessment for the National Facial Biometric Matching Capability (NFBMC), noted here, is problematical.

It's a bland "up to a point, Lord Copper" document with recommendations that will either be expressly ignored or - as importantly - disregarded through lip service. As I noted at last night's Open Government Partnership consultation in Canberra, there's been no clear commitment on the part of Government to abandon plans to abolish the OAIC (let alone meaningfully resuscitate that rather moribund, timid and grossly underfunded body), so we might be sceptical about bureaucratic embrace of references to "the people's voice" and funding of privacy governance.

The report states
The Attorney-General’s Department (AGD) engaged Information Integrity Solutions Pty Ltd (IIS) to undertake a privacy impact assessment (PIA) during the early design stage of the Central Interoperability Hub (the Hub) of the forthcoming National Facial Biometric Matching Capability.
Importantly
IIS has not been asked to assess or comment on the potential privacy impact of the concept of the NFBMC as such, or its overall operation. Rather, IIS has been asked to focus its findings on the Hub design and its initial operation and governance, taking account of the NFBMC’s vision and aims.
A more meaningful PIA would have taken place at the beginning of the design process, would actually look at "the potential privacy impact of the concept of the NFBMC as such" and at "its overall operation", and would move beyond noting that the Hub is legal (the latter is essence having a sufficient number of under-briefed MPs)

The report states 
Government agencies are increasingly using facial biometric systems for a range of law enforcement, national security and identity assurance purposes and in these contexts are sharing biometric information. However, the current arrangements tend to be ad hoc and limited by legal or technical incompatibilities. The NFBMC is intended to facilitate secure, accountable sharing of facial images and other relevant information to prevent fraud, support law enforcement, promote national security, and streamline service delivery. Subject to inter-governmental and inter-agency agreements, the Hub will transmit facial biometric and biographic information between participating agencies in compatible formats.
The Hub is intended to be ‘neutral’ – participating agencies remain responsible for their information, the application of biometric technologies and decisions about whether or not images match. The Hub will store some transaction metadata but does not store any of the biometric or biographic information it transmits. Biometric information is widely considered to be intrinsically sensitive and agencies’ use of biometric matching techniques, if not well managed, could cause significant problems for individuals through mismatches, stigmatisation and inability to gain easy redress.
The report goes on to explain -
Privacy by Design (PbD) is based on seven principles which include ‘Privacy Embedded into Design’ and ‘End - to - End Security’. The application of these principles in this case have resulted in decisions to adopt the hub and spoke architecture and for the Hub to store minimal information.  This PIA focuses on only one element of the NFBMC. Its scope is limited to the Hub design and governance.
No indication of benchmarks in discussing the design and as noted above no consideration of context.
AGD indicates that all Commonwealth, State and Territory participating agencies will be required to undertake further PIAs that focus on their use of the NFBMC as it develops. These would address, for example, participating agencies use of the Hub and the proposed driver licence facial recognition solution.
This PIA analysis recognises the steps AGD has taken so far to minimise privacy risks and to design - in strong security measures. It also takes account of the benefits that the Hub could deliver, including in addressing identity fraud and theft, which is having an increasing impact on individuals.
No great surprises with the statement that -
IIS considers that it is important to recognise that the Hub will have an impact on the circumstances in which facial biometric information is shared, by whom and the volume of images shared, and these risks will have to be actively managed. There is also the risk, which IIS considers is low, that the Hub and the metadata generated by transactions performed through it could potentially allow for some tracking or surveillance of individuals’ everyday activities. However, it is the view of IIS that the privacy impacts of the whole system could well be greater than the risks at individual agency or Hub level. As such, IIS considers that strong, widely respected governance of the system as a whole, particularly as it evolves over time, is equally and potentially more important than governance of the individual participating agencies and the Hub
The authors state that-
AGD’s approach to the Hub design process has been generally consistent with the requirements of the Australian Privacy Principles (APPs) in the Privacy Act 1988. IIS has not identified any significant risks or privacy issues in the Hub design. IIS has identified areas where it considers some extra steps are needed to maintain the focus on privacy and good privacy practice. These include:
  • The ongoing management of privacy in the Hub design 
  • The metadata the Hub will generate about transactions 
  • The Hub access and security arrangements.
IIS also considers that AGD’s approach to the Hub’s operation and the likely governance arrangements is also consistent with the APPs and it has not identified any significant compliance risks. IIS has made a number of recommendations to strengthen privacy practices. These recommendations take account of the multi-jurisdictional nature of the NFBMC and aim to promote continued privacy good practice to help ensure the aspiration of ‘robust privacy safeguards’ is delivered.
The areas in which IIS considers there are potential privacy risks include:
  • The scope of the NFBMC 
  • AGD’s privacy management framework for the Hub 
  • The extent to which the development and operation of the Hub is conducted openly and transparently 
  • The NFBMC Governance arrangements including the governance of change.
Recommendations are as follows
1 Recommendations for Hub Design
1. APPs to apply to information the Hub collects, transmits or holds
IIS recommends that AGD in its role as Hub manager commit to complying with the APPs, whether or not the Hub is legally considered to collect or hold personal information.
2. Hub design informed by a broad view of privacy and the potential overall impact of the NFBMC
a) IIS recommends that AGD ensure that its further development of the Hub, and the governance arrangements for the operations of the Hub, reflect a broad view of the concept of privacy, as opposed to a strict legal compliance view.
b) IIS recommends that the Hub design and governance arrangements should, from the outset, take into account the Hub’s likely future use, both in terms of the number and nature of participating organisations, as well as the volume and nature of information exchanged and the potential impacts on privacy.
3. Limit metadata to that needed for operational purposes and agency audits or investigations
(a) IIS recommends that AGD ensure the metadata generated by the Hub is the minimum needed to:
(i) Effectively manage the Hub
(ii) Provide assurance that acce ss to the Hub is for legitimate and appropriate purposes
(iii) Ensure participating agencies can monitor their access to the Hub and undertake investigations of possible nefarious staff activities.
(b) IIS recommends that the nature of metadata generated, and the period for which metadata will be retained be transparent to citizens.
(c) IIS recommends that metadata generated by the Hub be retained for the minimum period needed to support the purposes for which it is generated.
4. Records of authority to release information
IIS recommends that AGD ensure the Hub design supports agencies’ ability to make well - informed decisions to release images or biographic data based on a clear understanding of the purpose and authority for the request.
5. Strengthening of some security measures
(a) IIS supports the access management approach proposed by AGD and recommends disabling and re-authorising all users and their level of authority at regular short, for example, three monthly intervals.
(b) IIS supports the Hub project emphasis on training and standards and recommends that AGD ensure these address:
(i) Appropriate personnel access to and use of the Hub (ii) Policy and procedures on the issue of image caching by agencies’ online systems.
(c) IIS recommends that AGD, in developing interagency templates, ensure they
(i) Include strong controls for ensuring that only authorised individuals, cleared to Protected or higher as needed, can gain access to the system and only be authorised to undertake activity that reflects their level of authorisation
(ii) Require the auditing of such access and provision of assurance about the appropriateness of access to biographic or biometric data to the holding agency.
6. Access to the Hub to identify individuals to be strictly controlled
(a) IIS supports the approach proposed by AGD and recommends that access to one-to-many matching be tightly controlled and limited to a few law enforcement agency uses (service delivery agencies should not have this access).
(b) IIS also supports AGD’s general approach of limiting and controlling access to the Hub based on assessed risks in matching processes.
2 Recommendations for Hub operation and governance
7. Proactive privacy management IIS recommends that AGD ensure that it has in place a privacy governance framework both to manage the Hub as it moves to BAU and when it is fully incorporated into BAU, which takes a broad view of privacy and commits to privacy best practice.
8. Benefits assessment to take account of privacy governance costs
(a) IIS recommends that in developing the methodology for identifying and costing benefits AGD and participating agencies should also bring into account all costs involved, including costs of privacy governance, such as:
(i) Participating agency compliance, and regular monitoring and audit costs
(ii) Resourcing of privacy regulators and other oversight bodies
(iii) Assistance to individuals and the community and complaint handling.
9. Project to be conducted transparently
(a) IIS recommends that AGD ensure that as soon as possible, and to the extent possible, information about the NFBMC and the Hub is in the public domain.
(b) IIS recognises AGD’s intention to circulate and publish this PIA and recommends that it be published as soon as practicable.
(c) IIS recommends that AGD design and implement a proactive and transparent community engagement approach to support the introduction of the Hub.
10. Transparency in Hub use and intergovernmental agreements
(a) IIS recommends that all of the interagency agreements between participating agencies authorising information sharing via the Hub should be included in a register.
(b) IIS also recommends that the register be available for public inspection or that the interagency agreements are otherwise published and that all this documentation be easily available from the one source.
11. NFBMC scope
IIS recommends that AGD’s documents and communications in relation to the NFBMC, including design specifications, undertakings and governance proposals, make clear the limits on the initial scope of the NFBMC.
It must be made clear that if any change occurs in either the number or type of participating agencies, in the nature of the biometric and/or biographic information transmitted, or the information held in the Hub, this would constitute a move beyond the initial scope and therefore trigger further privacy assessments.
12. The people’s voice in governance arrangements
IIS recommends that the membership of governance bodies with a role in monitoring the operations of the NFBMC or in making decisions about changes in its scope or operations include an independent representative able to present individuals’ perspectives.
13. Matters to be addressed in high-level intergovernmental agreement covering the NFBMC
(a) IIS recommends that the inter-governmental agreement that will set the framework for cross-jurisdictional sharing of biometric data via the Hub should:
(i) Ensure that privacy interests are appropriately represented on the body tasked with being accountable for the delivery and management of the Capability.
(ii) Require the receiving agencies to resource compliance audits by both themselves and the holding party or pay for independent audits to provide assurance to data holders
(iii) Require holding and receiving agencies to retain information that facilitates audits of the use of the Hub and regular systemic reviews of the system
(iv) Ensure resourcing for external oversight of the Hub by privacy regulators, Ombudsmen or anti-corruption bodies is commensurate with data flows and that there are no impediments to cooperation and information sharing between oversight bodies where information is shared between jurisdictions
(v) Require participating agencies to have in place well-resourced ‘safety net’ mechanisms to effectively support individuals who may be adversely affected by agencies’ use of the Hub and to respond efficiently and respectfully to any complaints.
14. AGD or Independent approval of agreements between participating agencies
(a) IIS recommends that the Interagency Agreements between participating agencies, together with the IGA that will authorise information sharing via the Hub, should be subject to approval by AGD or by another independent body such as the Australian Privacy Commissioner before use of the Hub can proceed. If a body such as the Privacy Commissioner has this role, it should receive dedicated resourcing for this function.
(b) IIS further recommends that AGD take steps to ensure that the number of agreements does not reach the point where the sheer number adversely impacts transparency and community understanding of the system as a whole. These steps could include, as AGD is contemplating, standard agreements for groups of participating agencies or specifying the requirements in legislation rather than agreements.
15. Regular systemic review of the Capability and associated information sharing arrangements
(a) IIS recommends that there is at least a three-yearly systemic review of privacy impacts around the sharing of facial biometric information by participating agencies through the Hub. The findings of the review should be made public to the extent possible. The review should:
(i) Include the activities of the Hub and the participating agencies at both individual agency level and holistically
(ii) Quantify the increase in the use of facial biometrics amongst those agencies with legal authority to use the system
(iii) Quantify actual benefits realisation
(iv) Assess the extent to which the Hub itself is affecting privacy outcomes, including because the system performs less well than expected or has been subject to any significant data security breaches
(v) Assess the efficacy of responses to citizen issues with data accuracy and use, including but not limited to experiences with complaint handling
(vi) Assess the extent of community knowledge of the system, community reactions and impacts on privacy viewed broadly
(vii) Assess the effectiveness of the governance arrangements, particularly in relation to decision-making, oversight and accountability
(viii) Assess if the relevant oversight bodies are resourced for the functions and report if they are able to cooperate effectively.
16. Governance of changes to the Hub and associated information flows
(a) IIS recommends AGD, the National Identity Security Coordination Group or the Ministerial Law Crime and Community Safety Council, develop a governance process that would be triggered by any proposals that represent a significant change in the scope or operation of the Hub.
The process should include:
(i) A broad consideration of costs as well as benefits
(ii) A commitment to a wide consultation process, including public consultations, to the extent possible
(iii) The inclusion of citizen perspectives beyond law, justice and national security agencies