Chapter 12
Australian Privacy Principle 9–adoption, use or disclosure of government
related identifiers
Introduction
12.1
Australian Privacy Principle 9 (APP 9) ensures organisations do not
adopt government related identifiers as the identifier of an individual in
their own system, as well as providing regulations on the use and disclosure of
government related identifiers of an individual.
12.2
The Companion Guide states that APP 9 will ensure that identifiers
issued by government agencies, for example Medicare numbers, are not used to
facilitate unlawful data-matching by organisations. The Companion Guide
explains that the intention of the principle is not to restrict organisations using
government identifiers to verify the identity of an individual, but rather to
prevent government identifiers from becoming general identifiers within
organisations. The principle also aims to prevent government-issued identifiers
from becoming 'de facto national identity numbers'.
12.3
APP 9 builds on the current identifiers privacy principle by incorporating
State and Territory agency-issued identifiers, like drivers' licence numbers,
within the scope of the regulations.[1]
Background
12.4
National Privacy Principle 7 (NPP 7) deals specifically with
identifiers and ensures that private sector organisations neither adopt as the
identifier of an individual within their own system, nor use or disclose, any
identifiers of an individual assigned by a Commonwealth Government agency
unless it is necessary to fulfil its obligations to the agency; it falls under
a specified exception; or it is used by a prescribed organisation of a
prescribed identifier in prescribed circumstances. There is no equivalent
'identifiers' principle in the Information Privacy Principles to regulate the
use of government identifiers by agencies.[2]
12.5
Submitters to the Legal and Constitutional Affairs Committee inquiry
into the Privacy Act in 2005 did not raise specific concerns regarding the
identifiers principle, however issues relating to multi-purpose identity cards,
like the Smart Card, were raised. Submitters noted that devices like the Smart
Card could 'be used to establish a national identification scheme' and this should
be avoided.[3]
The Law Institute of Victoria (LIV) submitted that multi-purpose identifiers like
the Smart Card and the Australia Card 'have the potential to become a
technology of surveillance and control'.[4]
12.6
The ALRC review focussed on:
-
whether a separate identifiers principle should be included in
the model Unified Privacy Principles (UPPs);
-
whether the identifier principle should extend to the adoption,
use and disclosure of identifiers by agencies; and
-
whether there should be changes to NPP 7 and the definition
of the term 'identifiers'.
12.7
The ALRC came to the conclusion that there should be a separate
'identifiers' principle as it is not desirable that individuals be referred to
by an agency-assigned identifier nor that data-matching be facilitated.
Retention of a separate identifiers principle would also allow the Office of
the Privacy Commissioner (OPC) to deal with issues relating to: 'the adoption
of identifiers by organisations; the definition of the term; and the exceptions
of the use and disclosure of identifiers by organisations'.[5]
12.8
The ALRC supported the retention of the exception to permit a prescribed
organisation to adopt, use or disclose a prescribed identifier in prescribed
circumstances as this 'ensures that the "Identifiers" principle does
not operate inflexibly to prevent an organisation from carrying out activities
that have a public benefit or are essential to the operations of the organisation'.
The ALRC added that this exception should be set out in regulations. Further,
the 'Identifiers' principle should require that the minister responsible for
administering the Privacy Act needs to be satisfied that 'the derogation from
the privacy protection in the 'Identifiers' principle is for the benefit of the
individual concerned'.[6]
12.9
The ALRC review discussed the possibility of including public sector
agencies within the identifiers principle. Some State and Territory laws regulate
'assignment, adoption, use and disclosure of identifiers by public sector
bodies', with exceptions to ensure agencies carry out their functions or the
individual agrees to the agency using the identifier.[7]
The ALRC also noted that there was support for the extension of NPP 7 to
agencies and that this could 'promote regulatory consistency between agencies
and organisations'.[8]
However, many agencies argued that the inclusion of agencies in this principle would
limit their capacity in carrying out efficient and effective service to their
customers, and impede the operation of identity verification and fraud
reduction programs and research. The ALRC agreed with the view put by agencies
but went on to comment that it did not follow that 'the handling of identifiers
by agencies should not be regulated'.
12.10
The ALRC considered the application of the principle to agencies subject
to several agency-specific exemptions. However, the ALRC noted that this
approach would be complicated and not consistent with the intended aim of
making the principles more succinct. Rather, the ALRC supported an approach to 'regulate
the assignment, collection, adoption, use and disclosure of identifiers by
agencies on a case by case basis', similar to the approach taken to regulate
Tax File Numbers.[9]
12.11
The ALRC review, like the Legal and Constitutional Affairs Committee
inquiry, looked at the privacy risks associated with multi-purpose identifiers.
The ALRC noted that if the Government were to introduce a multi-purpose
identifier, it would most likely fall within the definitions of this principle.
However, the ALRC recommended that before the introduction of any multi-purpose
identifier, a Privacy Impact Assessment should be undertaken.[10]
12.12
In relation to the definition of 'Identifiers', the ALRC noted that
NPP 7 does not describe what an identifier is. The OPC has published guidelines
which expand on the definition in NPP 7. However, the ALRC considered that
symbols and biometric information as identifiers of an individual should be
included, not only numbers and letters. The ALRC agreed that an individual's
name and ABN should continue to be excluded from the statutory definition of 'identifier'.[11]
12.13
Furthermore, the ALRC noted the difference between identification and verification
or authentication and came to the view that the use of an identifier by an
organisation for the sole purpose of verification 'is not inconsistent with the
policy basis of the "Identifiers" principle. However, such a use or
disclosure does not permit the organisation to adopt that identifier for its
own purposes or use for a secondary purpose.[12]
12.14
The ALRC review also canvassed the issue of consent and whether this
should be incorporated into the legislation to allow individuals to decide when
their identifiers could be used or disclosed. The ALRC noted that including a
consent clause would be convenient for organisations, however the ALRC and the OPC
remarked that 'the privacy risks associated with identifiers are not always
immediate' and the inclusion of a general consent exception would reduce an
individual's protection under the identifiers principle.[13]
12.15
The review by the ALRC also looked at extending the identifiers principle
to include State and Territory government issued identifiers and recommended
their inclusion within a universal identifiers principle. The ALRC commented
that 'the adoption, use and disclosure of these identifiers by organisations raises
the same privacy concerns as those associated with other identifiers'.[14]
Government response
12.16
The Government accepted or accepted in principle all but one of the ALRC's
recommendations. The Government noted that it was appropriate for public sector
agencies to use and disclose identifiers to provide a public benefit, but at
the same time protections must be in place to prevent the misuse of government
issued identifiers, including State and territory government issued
identifiers, by private sector organisations. In addition, the response noted
the intent of section 7A of the Privacy Act 1988 to have certain acts of
certain agencies treated as the acts of organisations, so that when agencies
are engaged in commercial activities they should comply with the Privacy Act in
the same was as organisations. The Government response stated that a note to
this effect should accompany the 'identifiers principle'.[15]
12.17
The Government agreed in principle with the exception recommended by the
ALRC in relation to the adoption, use or disclosure of identifiers by
organisations in prescribed circumstances as there are circumstances where this
will provide a strong benefit to an individual. The Government plans to
'articulate the types of organisations that can interact with agency
identifiers to provide services which are for the public benefit'.[16]
12.18
The Government accepted in principle that identifiers assigned by State
and Territory agencies should be regulated by the principle and noted that the
role played by these identifiers in the verification of an individual's identity.
The Government indicated that it would ensure that the principle was drafted in
such a way so as to not restrict the use of identifiers to verify identity
'where it is relevant and necessary to the organisation's functions'. The
Government also indicted that it would encourage the OPC to develop guidance
for organisations on when it would be appropriate to use identifiers for
verification purposes. Furthermore, the response stated that before the
introduction of any multi-purpose identifiers, the Government would ensure a
Privacy Impact Assessment was carried out.[17]
12.19
The inclusion of biometric information within the definition of
'identifiers' was not accepted as the collection of such information 'will not
result in the privacy risks that the "identifiers" principle is
intended to address, such as the risk of an identifier becoming widely held and
applied to facilitate data-matching or data-linking'. However, 'to future
proof' the types of identifiers regulated by the principle, the Government
indicated that the minister responsible for the Privacy Act 'will be able to
determine what a government identifier is for the purposes of the Act'. Further
this should be a legislative instrument.[18]
Issues
12.20
The general intention of APP 9 has been supported by several submitters
to the inquiry.[19]
Submitters also supported specific provisions of APP 9. Professor
Greenleaf and Mr Waters, for example, commented that the inclusion of State and
Territory Government-issued identifiers strengthens the restrictions on the private
sector. This step was also supported by the OPC as it 'may facilitate further
national consistency in personal information handling'.[20]
However, the Australian Privacy Foundation argued that APP 9 would result
in a weakening of the existing privacy principles.[21]
Structure and terminology
12.21
Privacy NSW commented that APP 9 could be simplified by removing
APP 9(2) and (3) (the use or disclosure of government identifiers and
regulations about adoption, use or disclosure) from this principle and placing them
into the Australian Privacy Rules. Privacy NSW also recommended that
APP 9(4) and (5) (the explanations of the government related identifier
and identifier) be included in the definition section of the legislation.[22]
12.22
The OPC again commented on the use of the term 'reasonably necessary' in
the principles. 'Reasonably necessary' is used both in relation to the
exceptions for verification of identity (APP 9(2)(a)) and fulfilling the
obligation to an agency or State or Territory authority (APP 9(2)(b)). The
OPC suggested that the term 'necessary' would be more appropriate as the entity
proposing to use or disclose an identifier should be in a position to determine
what is objectively necessary for the permitted purposes. In APP (2)(f), the
exception related to law enforcement, again only 'necessary' should be used.[23]
The OPC's comments were in line with its general view that the word
'reasonably' could qualify the meaning of necessary, 'lessening the protection
provided in the current IPP and NPP requirements', adding that the word
necessary on its own 'already implies an objective test'.[24]
12.23
The issues in relation to the use of the terms 'Australian law' and
'serious' were again raised by Qantas Airways Limited in relation to
APP 9.[25]
These matters are discussed in chapter 3.
Exclusion of agencies from
APP 9
12.24
The major concern raised in submissions in relation to APP 9 is the
continued exclusion of agencies from the coverage of this principle.[26]
The Office of the Victorian Privacy Commissioner, for example, expressed
concern that the principle does not provide the same level of protection
against data-matching as the current Victorian Information Privacy
Principle 7 (VIPP 7). The sharing of unique identifiers by the public
sector, the Commission stated, 'is a very significant privacy risk' and
excluding agencies from this principle does not 'represent the highest
practicable level of privacy protection'.[27]
12.25
The inclusion of public sector agencies in this principle was also
recommended by the Health Services Commissioner Victoria. The Health Services
Commissioner argued that the restriction on adopting government related
identifiers should also apply to health services such as public hospitals.[28]
Professor Greenleaf and Mr Waters argued that 'the most significant abuse of government
identifiers, data matching by government agencies,' should be regulated by
APP 9 and suggested that the word 'organisation' should be omitted and
replaced by 'entity'.[29]
12.26
In its response to this issue, the Department of the Prime Minister and
Cabinet noted that the ALRC had considered arguments in favour of extending the
application of the 'Identifier' principle to agencies. As discussed above, the ALRC
noted that the inclusion of agencies could seriously impede activities
conducted for a public benefit, including programs designed to reduce fraud and
identity theft; service delivery; and research. It also noted that appropriate
and important information sharing between agencies would be restricted. The
ALRC noted that regulation of data-matching by agencies could be carried out
either in separate sectoral legislation or guidance provided by the OPC. The
department concluded 'as a result of these findings, the Government has not
applied the requirements in APP 9 to agencies'.
12.27
The department also noted that 'in terms of existing protection in place
to limit data-matching by agencies, some agencies are currently subject to
data-matching requirements in legislation and in guidelines issued by the
Privacy Commissioner'.[30]
12.28
A further matter raised in relation to agencies concerned the inclusion
of the note after APP 9(1) and (2): 'An act or practice of an agency may
be treated as an act or practice of an organisation'. The Health Services
Commissioner, Victoria, commented that the note does not provide a clear
explanation of how it expects agencies to be bound by APP 9(1) and (2).
The OPC stated that this intention should be more explicit.[31]
The committee notes that the Government response provides a brief explanation
of this note to APP 9(1) and (2).[32]
Definition of identifiers
12.29
The NSW Department of Justice and Attorney General supported the ALRC's
recommendation in relation to the definition of identifiers and commented that
the inclusion of biometric information in the definition of identifiers was
also recommended by the New South Wales Law Reform Commission's report on
privacy principles. While noting the Government's reasoning for not including
biometric data, the NSW Department of Justice and Attorney General argued that
'it is possible that, especially with advances in technology, biometric data may
be used in the same way as a set of numbers in that it may be passed to various
entities and linked to certain information'.[33]
Use or disclosure of government
related identifiers
12.30
APP 9(2) provides for exceptions to the use or disclosure of an
identifier, including an exception for the verification of identity of the
affected individual. The Law Council of Australia (LCA) supported this
exception and commented that this was important as it 'allows organisations to
more easily comply with their obligations under the Anti-Money Laundering
and Counter-Terrorism Financing Act 2006'. The LCA also noted that it will
help organisations to 'use online customer verification tools for AML [Anti-Money
Laundering] compliance purposes'.[34]
The Australian Bankers' Association commented that this principle provides
'greater flexibility for use and disclosure [of government identifiers] in
certain situations' than the current NPP 7.[35]
Regulations
12.31
The Australian Bankers' Association commented that APP 9(3) makes
reference to compliance with regulations without clarifying what these
regulations will be and when they will be introduced.[36]
The committee notes that subsections 22(2) and (3) of the Exposure Draft provide
for the making of regulations in relation to prescribe government-related
identifiers if necessary. The ALRC noted that the power to make regulations provides
the legislation with flexibility.
Conclusion
12.32
The committee has noted the comments by the OPC in relation to the use
of the term 'reasonably necessary'. In the context of the identifiers
principle, the committee considers that any exception should only be applied
where it has been objectively determined that it is necessary for a permitted
purpose. The committee therefore agrees with the OPC's suggestion that the term
'reasonably necessary' be replaced with 'necessary' in APP 9(2).
Recommendation 21
12.33
The committee recommends that the term 'reasonably necessary' be
replaced with 'necessary' in APP 9(2)(a), (b) and (f).
12.34
The issue of biometric identifiers is of some concern to privacy
advocates and submitters noted that the Government did not accept the ALRC's
recommendation that the 'identifiers' principle apply to biometric information.
The committee notes that the aim of APP 9 is to restrict the use to which
government identifiers can be put. At the present time, while biometric
information is used to establish the identity of individuals, it is not used as
an 'identifier' in the same way as, for example, a Medicare or Tax File Number.
The Government response states that the principle will be 'future proofed' as
the minister responsible for the Privacy Act will be able to determine what a
government identifier is for the purposes of the Act. The committee considers
that this approach should adequately address any concerns with biometric
information and emerging technologies in relation to this principle.
12.35
In relation to the exclusion of agencies from the operation of
APP 9, the committee notes the ALRC's comments and the department's
response to this issue. The committee notes that while the Australian Taxation
Office, the Department of Veterans' Affairs and Centrelink are subject to Data-matching
Program (Assistance and Tax) Act 1990 in relation to specific matters,
Commonwealth agencies generally are subject only to voluntary data-matching
guidelines. Under the voluntary arrangement, agencies give public notice of any
proposed data-matching program; prepare and publish a 'program protocol'
outlining the nature and scope of a data-matching program; provide individuals
with an opportunity to comment on matched information if the agency proposes to
take administrative action on the basis of it; and destroy personal information
that does not lead to a match. The OPC will, where necessary, make
recommendations in relation to the proposed protocols.
12.36
The ALRC considered that rather than inclusion of agencies in the
obligations proposed by APP 9, a case-by-case approach should be taken
similar to the approach taken to regulate Tax File Numbers (see paragraph 12.10
above). The ALRC also suggested that the OPC could exercise its function of
researching and monitoring technology to review the adequacy of, and compliance
with, the existing guidelines if it deemed this to be necessary. While the OPC
did not comment on this matter in its submission to this inquiry, it submitted
to the ALRC review that the existing voluntary data-matching guidelines should
be reviewed and made mandatory.[37]
12.37
Further, the committee notes the proposed reforms under the Human
Services Legislation Amendment Bill 2010 which will impact on the flow of
personal information between Centrelink and Medicare. While there are
significant benefits to government arising from data-matching, such activities
pose risks to the privacy of individuals. The committee considers that data-matching
should be authorised, transparent and conducted to appropriate standards. In
addition, it may be the appropriate time to consider the directions for the future
use of government identifiers. The committee therefore considers that a review
of voluntary data-matching guidelines should be undertaken and that the outcome
of that review should inform any further consideration of the extension of
APP 9 to agencies.
Recommendation 22
12.38
The committee recommends that the Office of the Australian Information
Commissioner undertake a review of agency voluntary data-matching guidelines,
including emerging issues with the use of government identifiers, and that the
outcome inform further consideration of the extension of APP 9 to
agencies.
Navigation: Previous Page | Contents | Next Page