Clinton McKenzie
20th Jul 2020, 11:49
One of my ‘pet hates’ is CASA’s propensity to set up systems that are an insult to my intelligence and integrity. The latest of numerous examples is what I consider to be the unauthorised disclosure of my ASIC photo.
At my most recent medical examination for the purposes of the issue of my medical certificate I was surprised to see my ASIC photograph on the DAME’s computer screen. How did that get there, methought? The existence or otherwise of a photo of me in the DAME’s clinic has zero causal connection to my compliance or otherwise with the applicable medical standard. Thus it could not be there for the purpose of assessing my compliance with with the applicable medical standard.
Then it struck me: Of course! It’s because we’re all presumptive criminals who would send someone else to the medical exam to pretend to be us!
The good news is that, after I complained to the CASA Privacy Officer, the ASIC photograph that CASA took it upon itself to put in the MRS will not be made available to DAMEs who access the system. (Well, at least CASA has told me it won’t be....). I explained to the CASA Privacy Officer that most of my medical examinations in the past few decades were successfully completed without a photograph of me being present in the room, and that my DAME and I are capable, without CASA’s assistance, of ascertaining our respective identities.
The logic of CASA seems to have been that I have consented to the disclosure to DAME’s of any information CASA about me, whether or not relevant to assessing my compliance with the applicable medical standard. But the language of CASA’s consent and CASA’s explanation of it are ambiguous.
The full correspondence is below.
If you’re not a fan of the inexorably increasing overreach of CASA Avmed, drop an email to the CASA Privacy Officer and tell them you don’t want your ASIC photo disclosed DAMEs.
Message to CASA: When one party to a transaction does not trust the other, the mistrust is reciprocated. You don’t trust me (and my DAME)? I don’t trust you. Someone who is prepared to go to the extreme extent of sending a substitute to a medical exam will always work around your system. And maybe if your system had not evolved into the Frankenstein’s monster that it now is, far fewer people would be scared of it and wouldn’t be doing their utmost to avoid being entrapped by it.
(I pause for a moment to wonder what Avmed will do, next, to deal with the risk of an identical, teetotal twin from attending my medical examinations...)
I remind CASA of part of Dr Rob Liddell’s submission to the Aviation Safety Regulatory Review:The dangerous result of CASA’s draconian regulatory measures is that now many pilots tell CASA as little as possible about any medical problems in order to protect themselves from expensive and repetitive investigations or possible loss of certification . Most pilots are responsible people and they have no desire to be in charge of an aircraft if their risk of incapacity is unacceptable. When their DAME and their specialist believe they meet the risk target for certification without endless further testing demanded by CASA and the advice of their own specialist is ignored by the regulator then the pilot’s lose confidence in the regulator. Dr Liddell is, in my view based on my personal observation and experience, the only person employed by CASA in the last few decades to have sufficient expertise and experience to understand how medical certification properly integrates with and contributes positively to aviation safety.
My query to CASA:Dear Privacy OfficerAt my most recent medical examination for the purposes of the issue of my current medical certificate, I was surprised to see, on the doctor’s computer screen, a copy of the photo on my Aviation Security Identification Card. The doctor was logged in to CASA’s Medical Record System.Are you able to explain how a photo I have supplied as part of an application for a card issued under legislation that is not administered by CASA can lawfully end up in CASA’s Medical Record System? In any event, for what purpose has that photo been put in CASA’s Medical Record System?RegardsClinton McKenzie[ARN deleted by me from PPRuNe for privacy reasons]
CASA’s initial substantive response:Dear Mr McKenzie CASA's Privacy Policy explains how CASA collects, holds, uses and discloses personal information in accordance with the Privacy Act 1988 (the Act), and subsequently the Australian Privacy Principles (APP). APP 6 explains that — 6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless: (a) the individual has consented to the use or disclosure of the information; or (b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information. 6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if: (a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is: (i) if the information is sensitive information—directly related to the primary purpose; or (ii) if the information is not sensitive information—related to the primary purpose.On 17 January 2019 you signed an Application for Aviation Medical Certificate - Declaration (attached), which stated— I Mr Clinton Earl McKenzie - except as provided in CASR 67.180(5), authorise the disclosure to CASA and the examiner of any information about me that may help CASA to decide whether I meet the relevant medical standard, being information that is held by a person, organisation, body or authority referred to in CASR 67.180(6). I also authorise CASA to disclose to any DAME that has assessed me, any medical or other information about me. The Privacy Notice on the declaration also explains that— CASA is collecting the information on this form for the purpose of assessing an application by you for a medical certificate. This is required by Part 67 of the Civil Aviation Safety Regulations 1998. The form and any associated medical reports or documents are provided to CASA by a designated aviation medical examiner (DAME). The form will be stored by CASA in medical files for each ARN holder who applies for or seeks renewal of a medical certificate in a Medical Records System (MRS). The form and associated documents are accessible by officers of CASA's Office of Aviation Medicine. The documents may be provided, when required, to other officers of CASA, such as the Legal Affairs, Regulatory Policy and International Strategy Branch. CASA will provide the forms and associated documents to medical specialists where a review of medical issues raised in the reports is necessary. It may also disclose them to recreational aviation administration organisations to facilitate their responsibility for overseeing sport and recreational activities. By signing this form, you authorised CASA to disclose your personal information to any DAME, not limited to medical records, for the purpose of assessing your medical certification. I do however note that the declaration does not explicitly identify the disclosure of a photograph that is being held on CASA's database for a purpose secondary to medical certification. Therefore, I do not consider APP 6.1(a) to be applicable. For the purpose of APP 6.2(a) I do consider that your authorisation to disclose to any DAME any medical or other information about you does satisfy the test that as the individual, you would reasonably expect CASA to use or disclose personal information held by CASA that are not medical records.Moreover, on 8 February 2018 you signed your ASIC Renewal Application (attached). This form attached the photograph that is the subject of your concern. This application explains that— By making this application, you consent to CASA collecting, using and disclosing your personal information as set out above. The Applicant Certification of the form, signed by you, states— I, Clinton Earl McKenzie consent to CASA using and disclosing my personal information in accordance with the Privacy Act (including giving information to Commonwealth and State government agencies for the purpose of obtaining criminal records and other background checks). Again, while I do not consider that your authorisation explicitly involved disclosure of personal records to your DAME, I do consider your authorisation satisfies the test that as the individual, you would reasonably expect CASA to use or disclose the personal information provided on the form for a secondary purpose under APP 6.2(a). You raised a concern with "how a photo I have supplied as part of an application for a card issued under legislation that is not administered by CASA can lawfully end up in CASA’s Medical Record System". At the time of your ASIC Renewal Application on 8 February 2018, CASA was an ASIC issuing agency. Please be aware that also at the time of your application, Aviation ID Australia were contracted to process these applications on behalf of CASA for the purpose of the flight crew licensing requirement that licence holders attain an ASIC to be able to exercise their licensing privileges. The application form clearly identifies that all authorisation is provided to CASA. CASA did not cease its function as an issuing agency until early-2020, two years after the date of your application. The photograph used is the photograph provided to CASA as personal information under that application.For the purpose of APP 6.2, the Act defines sensitive information to include— (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification. A photograph is biometric information and therefore, I consider APP 6.2(a)(i) to be applicable. Civil Aviation Safety Regulation (CASR) 67.170 explains that— (1) If a person submits to a relevant examination by a DAME or DAO, the DAME or DAO must ask the person to produce evidence of his or her identity before finishing the examination. (2) The evidence must include a photograph of the person. (3) However, subregulation (1) does not require the DAME or DAO to ask the person to produce the evidence if the DAME or DAO knows or reasonably believes the person is who the person claims to be.A DAME may not consult with an applicant for the purpose of assessing an application for a medical certificate under CASR Part 67 unless the DAME is reasonably satisfied of the applicant's identity. CASA's purpose as an issuing agency of your ASIC related to issuing your flight crew license under CASR Part 61. A flight crew licence holder is required to attain a current ASIC and medical certification to be able to exercise their Part 61 privileges. I consider that the photograph was collected for the primary purpose for you to exercise privileges of your flight crew licence, ensuring the regulation of safe air navigation (the primary purpose). The photograph was disclosed for the secondary purpose of providing the DAME with relevant biometric information to satisfy the DAME that you are who you claimed to be and that the DAME accessed the correct file for the purpose of assessing an application by you for a medical certificate (the secondary purpose). An individual would reasonably expect discloser of personal information of a sensitive nature to occur for a secondary purpose of this nature, as the primary purpose cannot be exercised in the absence of the secondary purpose. Therefore, for the purpose of APP 6.2(a)(i), I consider your DAME's access to your biometric information for the secondary purpose to be directly related to the primary purpose. While CASA has complied with its duties as an APP entity under the Act, I understand from your email that you do however have concerns with your DAME being able to view your photograph through MRS. The capability to modify your DAME's access to your photograph on MRS file is available and may be disabled if you wish. Please confirm if it is your preference. I look forward to hearing from you. The content in this email has been cleared by Branch Manager, Advisory and Drafting. Kind regards[Name and contact details provided by CASA author, but deleted by Clinton McKenzie for this post.] My response: Hi [x]
The substance of the consent in the application form for a medical certificate is disclosures for the purpose of ascertaining compliance or otherwise with the medical standard. The content of my ASIC photograph is entirely irrelevant to that purpose.
You seem to be construing the words “or other information about me” as authorising the disclosure of information that is not relevant to ascertainment of my compliance with the medical standard. Is that your construction?
The reason I am confused is that you say:“By signing this form, you authorised CASA to disclose your personal information to any DAME, not limited to medical records, for the purpose of assessing your medical certification.“ I agree.
And the disclosure of the content of my ASIC photograph is self-evidently not “for the purpose of assessing [my] medical certification”. I have been assessed many times over the decades for the purpose of medical certification, and those assessments were done without a photograph of me being present in the room.
Please arrange for the modification of my DAME’s access to the MRS so that the photograph is not visible to the DAME. My DAME and I are capable, without CASA assistance, of ascertaining our respective identities.
Regards
Clinton McKenzie
[ARN deleted by me from PPRuNe for privacy reasons]
CASA’s reply:
Your aviation medical file was modified yesterday afternoon and your photograph is no longer visible (see attached).
Moreover, as explained in my email, I am not satisfied that you signing the declaration that authorised disclosure of personal information other than your medical records was sufficient consent under APP 6.1(a) for your photograph to be used for the purpose of your medical assessment. It appears that we share this same view.
I have taken the position that, for the reasons explained in my email, the photograph was used for a secondary purpose under APP 6.2(a)(i).
As your photograph is no longer visible on your medical file, no further action is required and I trust that your concern has been addressed.
Kind regards
[Name and contact details provided by CASA author, but deleted by Clinton McKenzie for this post.]
At my most recent medical examination for the purposes of the issue of my medical certificate I was surprised to see my ASIC photograph on the DAME’s computer screen. How did that get there, methought? The existence or otherwise of a photo of me in the DAME’s clinic has zero causal connection to my compliance or otherwise with the applicable medical standard. Thus it could not be there for the purpose of assessing my compliance with with the applicable medical standard.
Then it struck me: Of course! It’s because we’re all presumptive criminals who would send someone else to the medical exam to pretend to be us!
The good news is that, after I complained to the CASA Privacy Officer, the ASIC photograph that CASA took it upon itself to put in the MRS will not be made available to DAMEs who access the system. (Well, at least CASA has told me it won’t be....). I explained to the CASA Privacy Officer that most of my medical examinations in the past few decades were successfully completed without a photograph of me being present in the room, and that my DAME and I are capable, without CASA’s assistance, of ascertaining our respective identities.
The logic of CASA seems to have been that I have consented to the disclosure to DAME’s of any information CASA about me, whether or not relevant to assessing my compliance with the applicable medical standard. But the language of CASA’s consent and CASA’s explanation of it are ambiguous.
The full correspondence is below.
If you’re not a fan of the inexorably increasing overreach of CASA Avmed, drop an email to the CASA Privacy Officer and tell them you don’t want your ASIC photo disclosed DAMEs.
Message to CASA: When one party to a transaction does not trust the other, the mistrust is reciprocated. You don’t trust me (and my DAME)? I don’t trust you. Someone who is prepared to go to the extreme extent of sending a substitute to a medical exam will always work around your system. And maybe if your system had not evolved into the Frankenstein’s monster that it now is, far fewer people would be scared of it and wouldn’t be doing their utmost to avoid being entrapped by it.
(I pause for a moment to wonder what Avmed will do, next, to deal with the risk of an identical, teetotal twin from attending my medical examinations...)
I remind CASA of part of Dr Rob Liddell’s submission to the Aviation Safety Regulatory Review:The dangerous result of CASA’s draconian regulatory measures is that now many pilots tell CASA as little as possible about any medical problems in order to protect themselves from expensive and repetitive investigations or possible loss of certification . Most pilots are responsible people and they have no desire to be in charge of an aircraft if their risk of incapacity is unacceptable. When their DAME and their specialist believe they meet the risk target for certification without endless further testing demanded by CASA and the advice of their own specialist is ignored by the regulator then the pilot’s lose confidence in the regulator. Dr Liddell is, in my view based on my personal observation and experience, the only person employed by CASA in the last few decades to have sufficient expertise and experience to understand how medical certification properly integrates with and contributes positively to aviation safety.
My query to CASA:Dear Privacy OfficerAt my most recent medical examination for the purposes of the issue of my current medical certificate, I was surprised to see, on the doctor’s computer screen, a copy of the photo on my Aviation Security Identification Card. The doctor was logged in to CASA’s Medical Record System.Are you able to explain how a photo I have supplied as part of an application for a card issued under legislation that is not administered by CASA can lawfully end up in CASA’s Medical Record System? In any event, for what purpose has that photo been put in CASA’s Medical Record System?RegardsClinton McKenzie[ARN deleted by me from PPRuNe for privacy reasons]
CASA’s initial substantive response:Dear Mr McKenzie CASA's Privacy Policy explains how CASA collects, holds, uses and discloses personal information in accordance with the Privacy Act 1988 (the Act), and subsequently the Australian Privacy Principles (APP). APP 6 explains that — 6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless: (a) the individual has consented to the use or disclosure of the information; or (b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information. 6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if: (a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is: (i) if the information is sensitive information—directly related to the primary purpose; or (ii) if the information is not sensitive information—related to the primary purpose.On 17 January 2019 you signed an Application for Aviation Medical Certificate - Declaration (attached), which stated— I Mr Clinton Earl McKenzie - except as provided in CASR 67.180(5), authorise the disclosure to CASA and the examiner of any information about me that may help CASA to decide whether I meet the relevant medical standard, being information that is held by a person, organisation, body or authority referred to in CASR 67.180(6). I also authorise CASA to disclose to any DAME that has assessed me, any medical or other information about me. The Privacy Notice on the declaration also explains that— CASA is collecting the information on this form for the purpose of assessing an application by you for a medical certificate. This is required by Part 67 of the Civil Aviation Safety Regulations 1998. The form and any associated medical reports or documents are provided to CASA by a designated aviation medical examiner (DAME). The form will be stored by CASA in medical files for each ARN holder who applies for or seeks renewal of a medical certificate in a Medical Records System (MRS). The form and associated documents are accessible by officers of CASA's Office of Aviation Medicine. The documents may be provided, when required, to other officers of CASA, such as the Legal Affairs, Regulatory Policy and International Strategy Branch. CASA will provide the forms and associated documents to medical specialists where a review of medical issues raised in the reports is necessary. It may also disclose them to recreational aviation administration organisations to facilitate their responsibility for overseeing sport and recreational activities. By signing this form, you authorised CASA to disclose your personal information to any DAME, not limited to medical records, for the purpose of assessing your medical certification. I do however note that the declaration does not explicitly identify the disclosure of a photograph that is being held on CASA's database for a purpose secondary to medical certification. Therefore, I do not consider APP 6.1(a) to be applicable. For the purpose of APP 6.2(a) I do consider that your authorisation to disclose to any DAME any medical or other information about you does satisfy the test that as the individual, you would reasonably expect CASA to use or disclose personal information held by CASA that are not medical records.Moreover, on 8 February 2018 you signed your ASIC Renewal Application (attached). This form attached the photograph that is the subject of your concern. This application explains that— By making this application, you consent to CASA collecting, using and disclosing your personal information as set out above. The Applicant Certification of the form, signed by you, states— I, Clinton Earl McKenzie consent to CASA using and disclosing my personal information in accordance with the Privacy Act (including giving information to Commonwealth and State government agencies for the purpose of obtaining criminal records and other background checks). Again, while I do not consider that your authorisation explicitly involved disclosure of personal records to your DAME, I do consider your authorisation satisfies the test that as the individual, you would reasonably expect CASA to use or disclose the personal information provided on the form for a secondary purpose under APP 6.2(a). You raised a concern with "how a photo I have supplied as part of an application for a card issued under legislation that is not administered by CASA can lawfully end up in CASA’s Medical Record System". At the time of your ASIC Renewal Application on 8 February 2018, CASA was an ASIC issuing agency. Please be aware that also at the time of your application, Aviation ID Australia were contracted to process these applications on behalf of CASA for the purpose of the flight crew licensing requirement that licence holders attain an ASIC to be able to exercise their licensing privileges. The application form clearly identifies that all authorisation is provided to CASA. CASA did not cease its function as an issuing agency until early-2020, two years after the date of your application. The photograph used is the photograph provided to CASA as personal information under that application.For the purpose of APP 6.2, the Act defines sensitive information to include— (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification. A photograph is biometric information and therefore, I consider APP 6.2(a)(i) to be applicable. Civil Aviation Safety Regulation (CASR) 67.170 explains that— (1) If a person submits to a relevant examination by a DAME or DAO, the DAME or DAO must ask the person to produce evidence of his or her identity before finishing the examination. (2) The evidence must include a photograph of the person. (3) However, subregulation (1) does not require the DAME or DAO to ask the person to produce the evidence if the DAME or DAO knows or reasonably believes the person is who the person claims to be.A DAME may not consult with an applicant for the purpose of assessing an application for a medical certificate under CASR Part 67 unless the DAME is reasonably satisfied of the applicant's identity. CASA's purpose as an issuing agency of your ASIC related to issuing your flight crew license under CASR Part 61. A flight crew licence holder is required to attain a current ASIC and medical certification to be able to exercise their Part 61 privileges. I consider that the photograph was collected for the primary purpose for you to exercise privileges of your flight crew licence, ensuring the regulation of safe air navigation (the primary purpose). The photograph was disclosed for the secondary purpose of providing the DAME with relevant biometric information to satisfy the DAME that you are who you claimed to be and that the DAME accessed the correct file for the purpose of assessing an application by you for a medical certificate (the secondary purpose). An individual would reasonably expect discloser of personal information of a sensitive nature to occur for a secondary purpose of this nature, as the primary purpose cannot be exercised in the absence of the secondary purpose. Therefore, for the purpose of APP 6.2(a)(i), I consider your DAME's access to your biometric information for the secondary purpose to be directly related to the primary purpose. While CASA has complied with its duties as an APP entity under the Act, I understand from your email that you do however have concerns with your DAME being able to view your photograph through MRS. The capability to modify your DAME's access to your photograph on MRS file is available and may be disabled if you wish. Please confirm if it is your preference. I look forward to hearing from you. The content in this email has been cleared by Branch Manager, Advisory and Drafting. Kind regards[Name and contact details provided by CASA author, but deleted by Clinton McKenzie for this post.] My response: Hi [x]
The substance of the consent in the application form for a medical certificate is disclosures for the purpose of ascertaining compliance or otherwise with the medical standard. The content of my ASIC photograph is entirely irrelevant to that purpose.
You seem to be construing the words “or other information about me” as authorising the disclosure of information that is not relevant to ascertainment of my compliance with the medical standard. Is that your construction?
The reason I am confused is that you say:“By signing this form, you authorised CASA to disclose your personal information to any DAME, not limited to medical records, for the purpose of assessing your medical certification.“ I agree.
And the disclosure of the content of my ASIC photograph is self-evidently not “for the purpose of assessing [my] medical certification”. I have been assessed many times over the decades for the purpose of medical certification, and those assessments were done without a photograph of me being present in the room.
Please arrange for the modification of my DAME’s access to the MRS so that the photograph is not visible to the DAME. My DAME and I are capable, without CASA assistance, of ascertaining our respective identities.
Regards
Clinton McKenzie
[ARN deleted by me from PPRuNe for privacy reasons]
CASA’s reply:
Your aviation medical file was modified yesterday afternoon and your photograph is no longer visible (see attached).
Moreover, as explained in my email, I am not satisfied that you signing the declaration that authorised disclosure of personal information other than your medical records was sufficient consent under APP 6.1(a) for your photograph to be used for the purpose of your medical assessment. It appears that we share this same view.
I have taken the position that, for the reasons explained in my email, the photograph was used for a secondary purpose under APP 6.2(a)(i).
As your photograph is no longer visible on your medical file, no further action is required and I trust that your concern has been addressed.
Kind regards
[Name and contact details provided by CASA author, but deleted by Clinton McKenzie for this post.]