Identity theft and privacy laws

12.25 Identity theft represents a threat to privacy when it involves the theft or assumption of the identity of a living person. While it is appropriate to introduce laws that criminalise identity theft, privacy laws also can assist in preventing the theft of a person’s identity and minimising the harm caused by identity theft after it has occurred. In this Report, the ALRC recommends a number of reforms with potential application to identity theft. These are considered below.

The model Unified Privacy Principles

12.26 A number of the model Unified Privacy Principles (UPPs) are relevant to the problem of identity theft. Some of these principles—such as those requiring personal information to be stored securely and those restricting the circumstances in which personal information can be disclosed—may assist in preventing identity theft by preventing the widespread dissemination of personal information.[45] Others—such as the principle requiring personal information to be accurate—may assist in minimising the harm caused by identity theft after it has occurred.[46] The privacy principles are discussed in detail in Part D.

Breach notification

12.27 One way to combat identity theft is to require agencies and organisations to notify individuals of any unintended or unauthorised disclosure of their personal information. This alerts individuals to the possibility that they may be at risk of identity theft and may assist them to take steps to prevent the theft of their personal information. Alternatively, it may assist them to detect promptly any theft of their personal information. In Chapter 51, the ALRC recommends that the Privacy Act be amended to include a Part on data breach notification, which would require an agency or organisation to notify the OPC and affected individuals of a data breach in certain circumstances.[47]

Publicly available information in electronic form

12.28 Information stored in electronic form can be easily accessed, searched and aggregated. In particular, the internet has changed the notion of the public domain. Online public records often contain a wealth of identifying information and there is concern that this information may be used to facilitate identity theft.[48] This issue is discussed in Chapter 11. The ALRC recommends that the OPC should develop and publish guidance on generally available publications available in an electronic form.[49]

12.29 In Chapter 67, the ALRC discusses the importance of early education on the impact of the internet on privacy. The ALRC recommends that, to promote awareness of personal privacy and respect for the privacy of others, state and territory education departments should incorporate education about privacy, and, in particular, privacy in the online environment, into school curricula. Further, the OPC, in consultation with the Australian Communications and Media Authority (ACMA), should ensure that specific guidance on the privacy aspects of using social networking sites is developed and incorporated into publicly available educational material.[50]

Unique multi-purpose identifiers

12.30 The use of unique multi-purpose identifiers enhances the ability of agencies and organisations to compile and aggregate large amounts of personal information about individuals. This information, however, may be implicated in identity theft. For example, it has been noted that the most valuable piece of identifying information for identity thieves in the United States is the Social Security Number. Social Security Numbers are the key to assuming another person’s identity because ‘they are used to match consumers with their credit histories and many government benefits’.[51] In Chapter 30, the ALRC discusses the significant privacy risks associated with unique multi-purpose identifiers. The ALRC recommends that, before an agency introduces a unique multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should conduct a privacy impact assessment.[52]

Credit reporting

12.31 In the United States, the Fair Credit Reporting Act 1970 (US) contains provisions designed to assist victims of identity theft. For example, this Act enables a victim of identity theft to require that a credit reporting agency insert a ‘fraud alert’ on a credit information file.[53] Further, in some parts of the United States, victims of identity theft can request a ‘freeze’ on their credit information files.[54] These, and other ways in which the credit reporting provisions of the Privacy Act can address the problem of identity theft, are discussed in Chapter 57. In particular, the ALRC recommends that the new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation.[55]

12.32 Finally, in Chapter 56, the ALRC notes that children and young people are a common target for identity theft as they often have unblemished or non-existent credit records. The ALRC recommends that the new Privacy (Credit Reporting Information) Regulations should prohibit the collection of credit reporting information about individuals who the credit provider or credit reporting agency knows, or reasonably should know, to be under the age of 18 years.[56]

[45] See the ‘Data Security’ and ‘Use and Disclosure’ principles set out in the model Unified Privacy Principles at the beginning of this Report. A discussion of security in the online environment is contained in Ch 9.

[46] See the ‘Data Quality’ and the ‘Access and Correction’ principles set out in the model Unified Privacy Principles at the beginning of this Report.

[47] Rec 51–1.

[48] See, eg, L Myers, ‘Online Public Records Facilitate ID Theft’, MSNBC (online), 5 February 2007.

[49] Rec 11–1.

[50] Recs 67–4, 67–3.

[51] President’s Identity Theft Task Force, Interim Recommendations (2006), 2. See also the discussion of Social Security Numbers in President’s Identity Theft Task Force, Combating Identity Theft—A Strategic Plan (2007).

[52] Rec 30–6.

[53] A fraud alert is a statement that notifies prospective users of a credit report that the individual to whom it relates ‘may be a victim of fraud, including identity theft’: Fair Credit Reporting Act 1970 15 USC § 1681 (US) § 1681c–1.

[54] See, eg, California Civil Code § 1785.11.2–1785.11.6. Placing a freeze on a credit information file prevents it from being accessed by potential creditors.

[55] Rec 57–5.

[56] Rec 56–9.