Legislative Council: Tuesday, October 27, 2015

Contents

Summary Offences (Biometric Identification) Amendment Bill

Second Reading

Adjourned debate on second reading.

(Continued from 24 September 2015.)

The Hon. A.L. McLACHLAN (16:40): I rise to speak to the Summary Offences (Biometric Identification) Amendment Bill 2015 and indicate that I will be speaking on behalf of the Liberal members of this chamber. During my second reading, I will be raising a number of questions in relation to this bill which I would like the government to respond to in their summing up ahead of the committee stage in order to facilitate the further debate that will inevitably occur in the committee stage.

The bill amends the Summary Offences Act 1953 to permit the use of mobile fingerprint scanners by South Australia Police. We understand that South Australia Police currently operate 150 of these devices, but under current law they need to obtain the consent of the person being fingerprinted before they can be utilised. Currently, under section 74A(1) of the act, if a police officer has reasonable cause to suspect that a person is committing an offence or is about to commit an offence or that person may be able to assist in the investigation of an offence or suspected offence, the police can require that person to state all or any of their personal details. If that person refuses, they commit an offence under the Summary Offences Act. The penalty, I understand, is a fine of up to $1,250 or imprisonment up to three months.

Pursuant to the bill, a police officer will have the power to, in the same set of circumstances, require that person to submit to a biometric identification procedure using a mobile fingerprint device. Under the bill, a scan of the person's fingerprint is taken on the spot by the police. The portable system will then send the scanned data to the National Automated Fingerprint Identification System and a hit or no-hit will be returned. If a hit is returned, the person's identity and criminal history will appear on the screen. The same maximum penalty will apply for failure or refusal to submit to a biometric identification procedure as at in the current provisions for failing to state personal details.

The bill provides that biometric data must not be stored for longer than is reasonably required for the purposes of carrying out the identification procedure. The bill introduces a new offence prohibiting persons from retaining or storing biometric data derived from the identification procedure for longer than is required for the purposes of carrying out the procedure. The maximum penalty is equivalent to the penalty for unauthorised storage of a DNA profile under the Criminal Law (Forensic Procedures) Act 2007, being a fine of up to $10,000 or up to two years imprisonment.

There has been some opposition to the introduction of this bill, significantly from the Legal Services Commission, and some concerns expressed by the South Australian Bar Association. In a letter from the Legal Services Commission to the Attorney-General dated 13 April 2015, they advised as follows. The commission's main concerns related to clause 74(1)(b) of the draft bill. The commission would prefer to see the use of this technology restricted to circumstances where the police have reasonable cause to suspect a person has committed, is committing or is about to commit an offence.

The commission considers that the circumstances described in clause 74(1)(b) of the draft bill, where the police officer has reasonable cause to suspect that a person may be able to assist in an investigation of an offence or suspected offence, are too broad and would allow police to engage in 'fishing' expeditions amongst a large number of persons for matters unrelated to the case under investigations and are simply too intrusive. The Bar Association expresses similar concerns in a letter to the Attorney-General dated 27 May 2015, and I will just read a couple of the more significant paragraphs, which state:

These powers with respect to a suspect are safeguarded by the need for the relevant officer to make an application to take fingerprints from a person suspected of a serious offence that is punishable by imprisonment. If necessary, this application may be made via telephone to an Inspector of Police or a higher ranked officer.

They are referring there to the current power to take fingerprints, which is found in sections 7 and 14 of the Criminal Law (Forensic Procedures) Act 2007. The letter continues:

We are concerned as to the proposed power to substantially expand the scope of police powers when they already have strong powers and investigative tools to acquire the necessary information for identity. The giving of a name and address has the ability to be quickly checked.

The letter goes on to say:

The concern of the expansion of powers is primarily for the situation of someone who may be able to assist in the investigation of an offence or suspected offence.

They share similar concerns to those of the Legal Services Commission. The essence of this submission is that there are sufficient powers that are extant in their operation. This bill potentially signals the Orwellian future that awaits us. I fear, although I hope it is unjustified, that this bill may originate from the desire of the police to ultimately have the ability to invade our privacy at will. I hope that is not the case but, with some of the legislation coming before this chamber, it appears that they have a continued desire and drive to adopt practices that suit them rather than the community that they are supposed to serve.

The nature of these amendments are such that there needs to be a proper explanation to this chamber—and I ask for it—as to what the police procedures will be when they are handling this device. This device is not like a breathalyser. It is not specifically prescribed under legislation and therefore there are regulations that allow for the expansion of the biometric identification procedure, but not of the device itself.

Therefore, some of my questions to the government relate to how we can have assurance that this device is operating accurately but also is not storing the data that is prohibited for longer than is reasonably required. In particular, is there any chance that, when the portable system is interfacing with the national automated fingerprint identification system, the fingerprints will be stored inadvertently?

We have all read and understand that there are many instances, both in the policing sphere and outside of it, of data being retained inadvertently. I would be seeking an assurance from the government that this has been properly investigated and that we have some assurance or even auditing practice so that fingerprints are not retained inadvertently or unintentionally.

I also raise the question: how do we know that the fingerprints are not being stored? I understand that the scanners that are currently being used destroy the image on the machine the next time you use the machine, but what practices are going to be put into place to ensure that, if a machine may be left on the shelf or is not used in an intervening period, it is cleansed of someone's fingerprints? It seems to me that would be inconsistent with what is reasonably required.

Is there going to be an audit of these devices or some sort of audit of the practices on an ongoing basis to give the community assurance that they are not only being used correctly but they are fit for purpose, and continue to be fit for purpose, and that there is not even unintentional keeping of people's personal data—in this case, fingerprints?

It seems to me that whilst there is an appropriate criminal sanction for unauthorised storage, there does not seem to be any compliance mechanism that is accompanying it, either in the body of the legislation or being stated to this chamber to give the members necessary assurance that the operation of this bill, when it comes into law, is appropriate and practicable. In essence, there seems to be the opportunity for the police to be policing themselves. How will we ever know unless there is an external body ensuring that the law is being complied with?

In relation to the new offence which is for prohibiting persons from obtaining or storing, I would like clarity around who would be charged in those circumstances. Is it the police officer? Is it those in the police force who are accountable for the operation and maintenance of the equipment? Is it senior officers such as the police commissioner who have issued directions in relation to using the equipment? We could have a situation where a police officer, following procedures, using the equipment, technically breaches the law or even knowingly breaches the law by facilitating the storage of the fingerprint for an unreasonable period of time.

We are advised by the government that the wider use of mobile fingerprint scanners by the police will improve identification rates and reduce the incidence of people avoiding being identified. I ask the government to advise on how many occasions have members of the community been asked to voluntarily provide their fingerprints using the biometric scanners, and how many times have they refused? The collection of this data, in my view, would be absolutely necessary to justify the statements being made by the government and the warranting of this amendment.

Also, on how many occasions have the police needed to have this system or some other system where they needed to provide identification in addition to the laws that are already in place such as driver's licences or some other form of identification? I would have expected this data to be kept to warrant the need for these amendments, so they are of great interest to the Liberal opposition. In particular, how many occasions have individuals avoided being identified under existing laws, as I have indicated? Again, the number of incidences is really the driver for these laws and the consequence of possible invasion of people's privacy.

I would ask the government to advise the chamber in its summing up, in essence, the practices and procedures that the South Australian police will be using to wrap around this bill if it is passed. In essence, as we are authorising the use of these sorts of testings, it is critical that we have assurances that not only will it be used reasonably but because it is of an electronic nature that the proper practices are in place to give assurance that the members of the public will not be inadvertently impacted. I ask the government the following questions:

How many prosecutions have been made under the Criminal Law (Forensic Procedures) Act for offences of unauthorised storage of a DNA profile?

How many apprehensions or arrests or warrants has South Australia Police made in the last five years due to an inability to confirm identification?

What will police officers be required to explain to suspects before they can exercise the power; for example, will they be required to explain the reasons for the prints being taken and the power under which they are to be taken and that their fingerprints may be subject to a speculative search against other fingerprints?

Are police officers going to be required to delete the image once the procedure has been conducted, or do they wait until they conduct the next identification procedure and wipe out the older one?

How instantaneous is the response from the national database?

When the fingerprint image is deleted from the mobile unit, does the device retain the deleted data in a back-up drive—and I use the example of photocopiers, which often retain images for long periods of time?

What happens when a new device is being used by the police? How will parliament know that this new device has the comfort of sufficient operation that fingerprints will not be retained inadvertently into the future? We have received some assurances in the other place, but this is in relation to existing equipment that is being used.

As I have indicated earlier, will audit procedures be in place to ensure that the data is not being stored on the prescribed time frame?

We have seen in the federal sphere difficulties with the retention of personal data. What comes to mind for me is the incident in 2014 regarding the Department of Immigration, which is a classic, where data was released more broadly and not retained in the manner that it should have been. In my view, we are in desperate need in this state for an adequate privacy regime, with an adequate enforcement arm, which will give comfort to our community, because with this legislation and these sorts of regimes or amendments maintaining the trust of individuals is paramount.

If individuals believe that data about them is going to be held securely or deleted, where appropriate, and only collected for stated purposes, they may be more comfortable relying on the organisations to inform them and to seek their consent for the use of personal data, or to hand it over. This, across a range of government instrumentalities, is the issue of the day.

Much of my questioning to the government is based around giving the Liberal opposition the assurance that the government will maintain the trust of the community and not overtly or inadvertently retain data that it should not otherwise retain.

I indicate the Liberal opposition's support for the second reading, but I look forward to the government's responses in the summing up ahead of the committee stage. We potentially flag that, depending on the government's responses, we may have further questions at the committee stage.

The Hon. M.C. PARNELL (16:58): This is indeed a worrying bill. I am indebted to the Hon. Andrew McLachlan for putting on the record a large number of questions, many of which are the same questions the Greens have in relation to this bill. The honourable member referred to a potential Orwellian future, and I do not believe that that is an exaggeration. In fact, I think that we are only a short time away from having the technology available for a complete biometric record of every living person being held by the state. That might sound like an exaggeration, but each of the steps that have been taken over the years, I think, is leading to that conclusion. If you start with this bill and you just look at the definition of biometric data, it says:

biometric data means fingerprint data or any other prescribed data or data of a prescribed kind that describes physical characteristics of a person or part of a person that may be used to identify the person;

So, we are not just talking about fingerprints, although that is the method that has been named in the bill. But the bill has been opened for the executive by delegated legislation to add any other form of identifying a characteristic, which would include, no doubt, iris scans of people's eyes, measurements of people's height, their weight, and certainly photography.

It is not a far stretch of the imagination to see that those deluded individuals who protested against the Australia Card—and I will put my hand up—thinking that that was a great infringement of our civil liberties only to find that technology has marched so far ahead that not only were we fearing carrying a plastic card around with identifying information that must be disclosed on demand, but that the state will potentially have a record of every physical characteristic of every person on a database.

People might scoff and think that is not going to happen, but I just point out to members that that is the direction that this is heading in. Members might think that these laws are only going to be used for crooks, people who are likely to be crooks, people caught in the act or people suspected of committing crimes, but that is not what it says. It says:

(1) If a police officer has reasonable cause to suspect…

(b) that a person may be able to assist in the investigation of an offence or a suspected offence,

That is a person, in other words, who can assist them with their inquiries. Is it all those attending the Adelaide cricket ground when an altercation might have occurred in Tier 3? Do you round up everyone in Tier 3 and fingerprint them because they may be able to help with inquiries? It is not so far-fetched to see where laws like this can end up.

The Hon. Andrew McLachlan asked a number of questions in relation to the supposed protections in this bill that a person must not retain or store biometric data derived from a biometric identification process for longer than is reasonably required for the purpose of carrying out the biometric identification process. Now, that is fairly meaningless and it is impossible for individuals to be confident that it is being enforced. There is no mechanism to know whether data has been held, where it has been held and for how long it has been held.

It is well and good for the government to suggest that they are currently using fingerprint machines that simply wipe the fingerprint the next time the machine is used, but this bill is not limited to that type of machine. That type of machine has not even been mentioned.

I do not pretend to be the most technologically savvy person in the world, but it seems to me that any machine is going to be connected to a database that is in the cloud or back at headquarters or whatever, so whether it is fingerprint information, iris or photographs, they are going to be sent off electronically to be matched against a database that exists somewhere else. For us to accept that that information will be deleted if no match is found I think beggars belief, because remember the test is that it is not allowed to be kept for longer than is reasonably required for the purpose of carrying out the identification procedure. That may well be a lengthy period of time.

The government might think they have worded it in a way that that is going to be fairly instantaneous, but it does not mean that at all. It could be days, it could be months or it could be years that is regarded as a reasonable period, especially where you are trying to match people with crimes where the information from the crime scene is incomplete, and if those investigations are ongoing they are going to want to hang onto the fingerprints, for example.

If they have not yet extracted the fingerprints from the crime scene or the body has not been found in the case of a murder, they are going to hang on to all of those fingerprints, so that when the body is found or the murder weapon is found—the gun, the knife, whatever it is—they are going to want to make sure they have the fingerprints that they have collected to be able to match for when they eventually do get their hands on the murder weapon.

I do not think that this is beyond the realms of possibility, because the bill before us certainly does not put the checks and balances in place to prevent that from happening. But, even if the government is right, and even if the information collected will be ephemeral, where is the identification ombudsman, where is the ability for citizens to apply to inspect the database and find out what information has been recorded about them? There is no such mechanism, and I think that that is very worrying.

I am looking forward to the committee stage of this debate for the minister to, first, come back with the answers to the questions that have been posed, and no doubt more questions will arise in the meantime. For now, the Greens will let this go through to committee, but it is a very worrying piece of legislation, and the concerns raised by legal bodies are absolutely justified.

Debate adjourned on motion of the Hon. G.A. Kandelaars.