Chapter 12

Australian Privacy Principle 9–adoption, use or disclosure of government related identifiers

Introduction

12.1 Australian Privacy Principle 9 (APP 9) ensures organisations do not adopt government related identifiers as the identifier of an individual in their own system, as well as providing regulations on the use and disclosure of government related identifiers of an individual.

12.2 The Companion Guide states that APP 9 will ensure that identifiers issued by government agencies, for example Medicare numbers, are not used to facilitate unlawful data-matching by organisations. The Companion Guide explains that the intention of the principle is not to restrict organisations using government identifiers to verify the identity of an individual, but rather to prevent government identifiers from becoming general identifiers within organisations. The principle also aims to prevent government-issued identifiers from becoming 'de facto national identity numbers'.

12.3 APP 9 builds on the current identifiers privacy principle by incorporating State and Territory agency-issued identifiers, like drivers' licence numbers, within the scope of the regulations.[1]

Background

12.4 National Privacy Principle 7 (NPP 7) deals specifically with identifiers and ensures that private sector organisations neither adopt as the identifier of an individual within their own system, nor use or disclose, any identifiers of an individual assigned by a Commonwealth Government agency unless it is necessary to fulfil its obligations to the agency; it falls under a specified exception; or it is used by a prescribed organisation of a prescribed identifier in prescribed circumstances. There is no equivalent 'identifiers' principle in the Information Privacy Principles to regulate the use of government identifiers by agencies.[2]

12.5 Submitters to the Legal and Constitutional Affairs Committee inquiry into the Privacy Act in 2005 did not raise specific concerns regarding the identifiers principle, however issues relating to multi-purpose identity cards, like the Smart Card, were raised. Submitters noted that devices like the Smart Card could 'be used to establish a national identification scheme' and this should be avoided.[3] The Law Institute of Victoria (LIV) submitted that multi-purpose identifiers like the Smart Card and the Australia Card 'have the potential to become a technology of surveillance and control'.[4]

12.6 The ALRC review focussed on:

whether a separate identifiers principle should be included in the model Unified Privacy Principles (UPPs);
whether the identifier principle should extend to the adoption, use and disclosure of identifiers by agencies; and
whether there should be changes to NPP 7 and the definition of the term 'identifiers'.

12.7 The ALRC came to the conclusion that there should be a separate 'identifiers' principle as it is not desirable that individuals be referred to by an agency-assigned identifier nor that data-matching be facilitated. Retention of a separate identifiers principle would also allow the Office of the Privacy Commissioner (OPC) to deal with issues relating to: 'the adoption of identifiers by organisations; the definition of the term; and the exceptions of the use and disclosure of identifiers by organisations'.[5]

12.8 The ALRC supported the retention of the exception to permit a prescribed organisation to adopt, use or disclose a prescribed identifier in prescribed circumstances as this 'ensures that the "Identifiers" principle does not operate inflexibly to prevent an organisation from carrying out activities that have a public benefit or are essential to the operations of the organisation'. The ALRC added that this exception should be set out in regulations. Further, the 'Identifiers' principle should require that the minister responsible for administering the Privacy Act needs to be satisfied that 'the derogation from the privacy protection in the 'Identifiers' principle is for the benefit of the individual concerned'.[6]

12.9 The ALRC review discussed the possibility of including public sector agencies within the identifiers principle. Some State and Territory laws regulate 'assignment, adoption, use and disclosure of identifiers by public sector bodies', with exceptions to ensure agencies carry out their functions or the individual agrees to the agency using the identifier.[7] The ALRC also noted that there was support for the extension of NPP 7 to agencies and that this could 'promote regulatory consistency between agencies and organisations'.[8] However, many agencies argued that the inclusion of agencies in this principle would limit their capacity in carrying out efficient and effective service to their customers, and impede the operation of identity verification and fraud reduction programs and research. The ALRC agreed with the view put by agencies but went on to comment that it did not follow that 'the handling of identifiers by agencies should not be regulated'.

12.10 The ALRC considered the application of the principle to agencies subject to several agency-specific exemptions. However, the ALRC noted that this approach would be complicated and not consistent with the intended aim of making the principles more succinct. Rather, the ALRC supported an approach to 'regulate the assignment, collection, adoption, use and disclosure of identifiers by agencies on a case by case basis', similar to the approach taken to regulate Tax File Numbers.[9]

12.11 The ALRC review, like the Legal and Constitutional Affairs Committee inquiry, looked at the privacy risks associated with multi-purpose identifiers. The ALRC noted that if the Government were to introduce a multi-purpose identifier, it would most likely fall within the definitions of this principle. However, the ALRC recommended that before the introduction of any multi-purpose identifier, a Privacy Impact Assessment should be undertaken.[10]

12.12 In relation to the definition of 'Identifiers', the ALRC noted that NPP 7 does not describe what an identifier is. The OPC has published guidelines which expand on the definition in NPP 7. However, the ALRC considered that symbols and biometric information as identifiers of an individual should be included, not only numbers and letters. The ALRC agreed that an individual's name and ABN should continue to be excluded from the statutory definition of 'identifier'.[11]

12.13 Furthermore, the ALRC noted the difference between identification and verification or authentication and came to the view that the use of an identifier by an organisation for the sole purpose of verification 'is not inconsistent with the policy basis of the "Identifiers" principle. However, such a use or disclosure does not permit the organisation to adopt that identifier for its own purposes or use for a secondary purpose.[12]

12.14 The ALRC review also canvassed the issue of consent and whether this should be incorporated into the legislation to allow individuals to decide when their identifiers could be used or disclosed. The ALRC noted that including a consent clause would be convenient for organisations, however the ALRC and the OPC remarked that 'the privacy risks associated with identifiers are not always immediate' and the inclusion of a general consent exception would reduce an individual's protection under the identifiers principle.[13]

12.15 The review by the ALRC also looked at extending the identifiers principle to include State and Territory government issued identifiers and recommended their inclusion within a universal identifiers principle. The ALRC commented that 'the adoption, use and disclosure of these identifiers by organisations raises the same privacy concerns as those associated with other identifiers'.[14]

Government response

12.16 The Government accepted or accepted in principle all but one of the ALRC's recommendations. The Government noted that it was appropriate for public sector agencies to use and disclose identifiers to provide a public benefit, but at the same time protections must be in place to prevent the misuse of government issued identifiers, including State and territory government issued identifiers, by private sector organisations. In addition, the response noted the intent of section 7A of the Privacy Act 1988 to have certain acts of certain agencies treated as the acts of organisations, so that when agencies are engaged in commercial activities they should comply with the Privacy Act in the same was as organisations. The Government response stated that a note to this effect should accompany the 'identifiers principle'.[15]

12.17 The Government agreed in principle with the exception recommended by the ALRC in relation to the adoption, use or disclosure of identifiers by organisations in prescribed circumstances as there are circumstances where this will provide a strong benefit to an individual. The Government plans to 'articulate the types of organisations that can interact with agency identifiers to provide services which are for the public benefit'.[16]

12.18 The Government accepted in principle that identifiers assigned by State and Territory agencies should be regulated by the principle and noted that the role played by these identifiers in the verification of an individual's identity. The Government indicated that it would ensure that the principle was drafted in such a way so as to not restrict the use of identifiers to verify identity 'where it is relevant and necessary to the organisation's functions'. The Government also indicted that it would encourage the OPC to develop guidance for organisations on when it would be appropriate to use identifiers for verification purposes. Furthermore, the response stated that before the introduction of any multi-purpose identifiers, the Government would ensure a Privacy Impact Assessment was carried out.[17]

12.19 The inclusion of biometric information within the definition of 'identifiers' was not accepted as the collection of such information 'will not result in the privacy risks that the "identifiers" principle is intended to address, such as the risk of an identifier becoming widely held and applied to facilitate data-matching or data-linking'. However, 'to future proof' the types of identifiers regulated by the principle, the Government indicated that the minister responsible for the Privacy Act 'will be able to determine what a government identifier is for the purposes of the Act'. Further this should be a legislative instrument.[18]

Issues

12.20 The general intention of APP 9 has been supported by several submitters to the inquiry.[19] Submitters also supported specific provisions of APP 9. Professor Greenleaf and Mr Waters, for example, commented that the inclusion of State and Territory Government-issued identifiers strengthens the restrictions on the private sector. This step was also supported by the OPC as it 'may facilitate further national consistency in personal information handling'.[20] However, the Australian Privacy Foundation argued that APP 9 would result in a weakening of the existing privacy principles.[21]

Structure and terminology

12.21 Privacy NSW commented that APP 9 could be simplified by removing APP 9(2) and (3) (the use or disclosure of government identifiers and regulations about adoption, use or disclosure) from this principle and placing them into the Australian Privacy Rules. Privacy NSW also recommended that APP 9(4) and (5) (the explanations of the government related identifier and identifier) be included in the definition section of the legislation.[22]

12.22 The OPC again commented on the use of the term 'reasonably necessary' in the principles. 'Reasonably necessary' is used both in relation to the exceptions for verification of identity (APP 9(2)(a)) and fulfilling the obligation to an agency or State or Territory authority (APP 9(2)(b)). The OPC suggested that the term 'necessary' would be more appropriate as the entity proposing to use or disclose an identifier should be in a position to determine what is objectively necessary for the permitted purposes. In APP (2)(f), the exception related to law enforcement, again only 'necessary' should be used.[23] The OPC's comments were in line with its general view that the word 'reasonably' could qualify the meaning of necessary, 'lessening the protection provided in the current IPP and NPP requirements', adding that the word necessary on its own 'already implies an objective test'.[24]

12.23 The issues in relation to the use of the terms 'Australian law' and 'serious' were again raised by Qantas Airways Limited in relation to APP 9.[25] These matters are discussed in chapter 3.

Exclusion of agencies from APP 9

12.24 The major concern raised in submissions in relation to APP 9 is the continued exclusion of agencies from the coverage of this principle.[26] The Office of the Victorian Privacy Commissioner, for example, expressed concern that the principle does not provide the same level of protection against data-matching as the current Victorian Information Privacy Principle 7 (VIPP 7). The sharing of unique identifiers by the public sector, the Commission stated, 'is a very significant privacy risk' and excluding agencies from this principle does not 'represent the highest practicable level of privacy protection'.[27]

12.25 The inclusion of public sector agencies in this principle was also recommended by the Health Services Commissioner Victoria. The Health Services Commissioner argued that the restriction on adopting government related identifiers should also apply to health services such as public hospitals.[28] Professor Greenleaf and Mr Waters argued that 'the most significant abuse of government identifiers, data matching by government agencies,' should be regulated by APP 9 and suggested that the word 'organisation' should be omitted and replaced by 'entity'.[29]

12.26 In its response to this issue, the Department of the Prime Minister and Cabinet noted that the ALRC had considered arguments in favour of extending the application of the 'Identifier' principle to agencies. As discussed above, the ALRC noted that the inclusion of agencies could seriously impede activities conducted for a public benefit, including programs designed to reduce fraud and identity theft; service delivery; and research. It also noted that appropriate and important information sharing between agencies would be restricted. The ALRC noted that regulation of data-matching by agencies could be carried out either in separate sectoral legislation or guidance provided by the OPC. The department concluded 'as a result of these findings, the Government has not applied the requirements in APP 9 to agencies'.

12.27 The department also noted that 'in terms of existing protection in place to limit data-matching by agencies, some agencies are currently subject to data-matching requirements in legislation and in guidelines issued by the Privacy Commissioner'.[30]

12.28 A further matter raised in relation to agencies concerned the inclusion of the note after APP 9(1) and (2): 'An act or practice of an agency may be treated as an act or practice of an organisation'. The Health Services Commissioner, Victoria, commented that the note does not provide a clear explanation of how it expects agencies to be bound by APP 9(1) and (2). The OPC stated that this intention should be more explicit.[31] The committee notes that the Government response provides a brief explanation of this note to APP 9(1) and (2).[32]

Definition of identifiers

12.29 The NSW Department of Justice and Attorney General supported the ALRC's recommendation in relation to the definition of identifiers and commented that the inclusion of biometric information in the definition of identifiers was also recommended by the New South Wales Law Reform Commission's report on privacy principles. While noting the Government's reasoning for not including biometric data, the NSW Department of Justice and Attorney General argued that 'it is possible that, especially with advances in technology, biometric data may be used in the same way as a set of numbers in that it may be passed to various entities and linked to certain information'.[33]

Use or disclosure of government related identifiers

12.30 APP 9(2) provides for exceptions to the use or disclosure of an identifier, including an exception for the verification of identity of the affected individual. The Law Council of Australia (LCA) supported this exception and commented that this was important as it 'allows organisations to more easily comply with their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006'. The LCA also noted that it will help organisations to 'use online customer verification tools for AML [Anti-Money Laundering] compliance purposes'.[34] The Australian Bankers' Association commented that this principle provides 'greater flexibility for use and disclosure [of government identifiers] in certain situations' than the current NPP 7.[35]

Regulations

12.31 The Australian Bankers' Association commented that APP 9(3) makes reference to compliance with regulations without clarifying what these regulations will be and when they will be introduced.[36] The committee notes that subsections 22(2) and (3) of the Exposure Draft provide for the making of regulations in relation to prescribe government-related identifiers if necessary. The ALRC noted that the power to make regulations provides the legislation with flexibility.

Conclusion

12.32 The committee has noted the comments by the OPC in relation to the use of the term 'reasonably necessary'. In the context of the identifiers principle, the committee considers that any exception should only be applied where it has been objectively determined that it is necessary for a permitted purpose. The committee therefore agrees with the OPC's suggestion that the term 'reasonably necessary' be replaced with 'necessary' in APP 9(2).

Recommendation 21

12.33 The committee recommends that the term 'reasonably necessary' be replaced with 'necessary' in APP 9(2)(a), (b) and (f).

12.34 The issue of biometric identifiers is of some concern to privacy advocates and submitters noted that the Government did not accept the ALRC's recommendation that the 'identifiers' principle apply to biometric information. The committee notes that the aim of APP 9 is to restrict the use to which government identifiers can be put. At the present time, while biometric information is used to establish the identity of individuals, it is not used as an 'identifier' in the same way as, for example, a Medicare or Tax File Number. The Government response states that the principle will be 'future proofed' as the minister responsible for the Privacy Act will be able to determine what a government identifier is for the purposes of the Act. The committee considers that this approach should adequately address any concerns with biometric information and emerging technologies in relation to this principle.

12.35 In relation to the exclusion of agencies from the operation of APP 9, the committee notes the ALRC's comments and the department's response to this issue. The committee notes that while the Australian Taxation Office, the Department of Veterans' Affairs and Centrelink are subject to Data-matching Program (Assistance and Tax) Act 1990 in relation to specific matters, Commonwealth agencies generally are subject only to voluntary data-matching guidelines. Under the voluntary arrangement, agencies give public notice of any proposed data-matching program; prepare and publish a 'program protocol' outlining the nature and scope of a data-matching program; provide individuals with an opportunity to comment on matched information if the agency proposes to take administrative action on the basis of it; and destroy personal information that does not lead to a match. The OPC will, where necessary, make recommendations in relation to the proposed protocols.

12.36 The ALRC considered that rather than inclusion of agencies in the obligations proposed by APP 9, a case-by-case approach should be taken similar to the approach taken to regulate Tax File Numbers (see paragraph 12.10 above). The ALRC also suggested that the OPC could exercise its function of researching and monitoring technology to review the adequacy of, and compliance with, the existing guidelines if it deemed this to be necessary. While the OPC did not comment on this matter in its submission to this inquiry, it submitted to the ALRC review that the existing voluntary data-matching guidelines should be reviewed and made mandatory.[37]

12.37 Further, the committee notes the proposed reforms under the Human Services Legislation Amendment Bill 2010 which will impact on the flow of personal information between Centrelink and Medicare. While there are significant benefits to government arising from data-matching, such activities pose risks to the privacy of individuals. The committee considers that data-matching should be authorised, transparent and conducted to appropriate standards. In addition, it may be the appropriate time to consider the directions for the future use of government identifiers. The committee therefore considers that a review of voluntary data-matching guidelines should be undertaken and that the outcome of that review should inform any further consideration of the extension of APP 9 to agencies.

Recommendation 22

12.38 The committee recommends that the Office of the Australian Information Commissioner undertake a review of agency voluntary data-matching guidelines, including emerging issues with the use of government identifiers, and that the outcome inform further consideration of the extension of APP 9 to agencies.

Navigation: Previous Page | Contents | Next Page