Smart Move by the Smart Card Industry

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 17 January 1996

© Xamax Consultancy Pty Ltd, 1997

This paper was published in Privacy Law & Policy Reporter 2,10 (January 1996) 189-191, 195


Corporations and government agencies in many different sectors are currently considering applying chip-cards to their business needs. Many of these organisations recognise that the technology has significant implications for social values such as privacy, and for consumer acceptance of their products and services. This message was clearly conveyed by the public appearance in December 1995 of a draft Code of Conduct.

The draft Code was prepared by a consortium comprising representatives of the Asia-Pacific Smart Card Forum (APSCF), which is a recently formed industry association hosted by the Australian Electrical and Electronic Manufacturers' Association (AEEMA); the Commonwealth Department of Industry, Science & Technology (DIST); and the Warren Centre for Advanced Engineering at the University of Sydney.

Promises to develop self-regulatory schemes are standard procedure for industries that feel themselves under threat of regulation by parliaments, and many of the proposals which emerge in this way are still-born, entirely token, or ineffectual.

On the other hand, complex and quickly-changing technologies are not amenable to the slow and turgid processes of conventional law-making, and codes of conduct can provide valuable learning experiences for regulators. Moreover, the most practicable schemes to protect the public interest may comprise limited statutory frameworks, public 'watchdog' agencies, and codes established, maintained and administered by the industry under the watchful eyes of regulators and public interest advocates.


So is the smart card industry's draft Code of Conduct a token defensive manoeuvre or a worthwhile building block for a regulatory regime?

The jury will remain out for some time yet, until the final version of the Code is published. There are some positive signs, however. The initial draft demonstrates considerable understanding of the nature of public concerns, and its prescriptions are moderately consistent with privacy and data protection guidelines.

As could be reasonably expected of an industry-designed code, its implementation would not be unduly onerous on the corporations and agencies which will be applying the technology. But then this is desirable not only from the perspective of those organisations, but also from the viewpoint of the public, because it increases the likelihood of compliance.

Briefly, the Code is intended to commit members of APSCF, and other organisations which choose to be bound by its provisions (the 'Code Subscribers'), to a set of good practices. These primarily relate to the handling of personal data, although some deal with other consumer rights issues, in particular the loss, theft and unauthorised use of smart-cards. It contains sets of general and specific principles, reproduced adjacent to this article. Terms and conditions for holders of smart-cards are to be consistent with the Code. Dispute resolution and sanctions procedures are specified.

The detailed design of the draft Code contains some features of significance, such as the clear statement of consent provisions ("freely-given, specific and informed") and the reference to disclosures "compelled by law", rather than the more common and much looser formulations such as "authorised by law", and "consistent with law".

There are areas in which the draft Code needs to be improved, if it is to achieve its aim of satisfying public needs, and clearing the way for implementation of schemes. One difficulty is that the structure of the Code does not 'map' readily across to the key sets of privacy principles, in particular the OECD Guidelines to which Australia is a signatory.

Another concern is that protections are needed not just for card-holders, but for people generally (e.g. the parents, children, employees and employers of card-holders). Similarly, access to information about smart-card schemes and the ability to submit complaints to the dispute-resolution procedure need to be freely available to any interested party (including, for example, consumer advocates, regulatory agencies and parents of card-holders).

To represent an effective control, the applicability of the Code must extend beyond each scheme's sponsor to all parties involved in services delivery, and even to manufacturers of the devices and software used. There needs to be a requirement that a set of measures be implemented in each company to ensure that staff practices reflect the corporate commitment. It is also highly desirable that communications exist back to the research laboratories and the standards committees which originate and articulate the technologies on which the schemes are based.

It is highly desirable that sponsors recognise that their schemes have wide implications and that many different stakeholders are affected. The most effective way to evidence that awareness is to prepare and publish impact statements, at least in relation to privacy, but preferably also in respect of consumer rights and such other social impacts as may be significant in each particular project.


It remains to be seen whether the industry will be able to achieve a consensus, and establish a meaningful Code. In the normal course of events, it is to be expected that the late adopters of a potentially successful technology will seek to slow down the pioneers and early adopters; and obstruction to the process of development of this Code would be one way to achieve that aim.

There are also substantive issues to be resolved. Can a Code be expressed in sufficiently general terms that it can apply to such distinctly different application areas as financial services, transport, health, building access and community services; and yet with sufficient specificity to represent a genuine and a credible protection of human interests?

Can a Code that relates to chip-cards be meshed with pre-existing laws, policies, procedures and practices? This requires particularly careful consideration in the financial services sector, where the Privacy Act already has some impact, and the initiative needs to be reconciled with the EFTS Code of Conduct and the Banking Industry Ombudsman, and with developments that are proceeding slowly in each of those areas.

It is understood that the Smart Cards Forum is in the process of establishing an Advisory Committee which will augment the four-person drafting team. It will continue to seek, receive and consider submissions from industry, regulatory agencies, consumer and privacy interest groups, and the public generally. An early and ambitious target of finalising the Code by March of 1996 has been eased, and a mid-year date has been set.


Copies of the Code are available from the Asia-Pacific Smart Card Forum (Deborah Stanley, (06) 247 4655), the Department of Industry, Science & Technology (Pasqualino Strangis, (06) 276 1995 or (02) 209 4012), and the Warren Centre (Rod Galloway, (02) 351 3752).


Created: 17 January 1996

Last Amended: 27 November 1997

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).