Expanding the anonymity principle

Expansion of anonymity principle to agencies

20.6 In accordance with NPP 8, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.[5] The Information Privacy Principles (IPPs), however, do not contain a comparable anonymity principle. Neither is such a provision set out in the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines), or in the privacy legislation of some jurisdictions, including New Zealand and the United Kingdom.[6] In contrast, German privacy law imposes obligations in relation to anonymity on both public and private sector bodies.[7] Similarly, Victorian, Tasmanian and Northern Territory privacy laws contain an anonymity principle that is applicable to public sector bodies.[8]

Submissions and consultations

20.7 In response to the Issues Paper, Review of Privacy (IP 31), a large number of stakeholders submitted that Commonwealth agencies should be subject to an anonymity principle.[9] The Office of the Privacy Commissioner (OPC), for example, commented that ‘requiring individuals to be identifiable when it is not necessary can serve to limit the choice and control individuals have over their personal information’.[10] The OPC further noted that it could see ‘no compelling argument or policy reason for not extending the anonymity principle to agencies’.[11]

20.8 In Discussion Paper 72, Review of Australian Privacy Laws (DP 72), the ALRC proposed that the anonymity principle should be expanded to cover both agencies and organisations.[12] A significant majority of stakeholders that commented on this issue supported the proposed extension.[13] Privacy NSW noted, for example, that the anonymity principle

represents a logical step in minimising the collection of unnecessary personal information and gives individuals the opportunity to exercise a greater degree of control in relation to the collection, use and disclosure of their personal information.[14]

20.9 The OPC also commented favourably on the function of the anonymity principle as a way to ‘encourage agencies and organisations to consider the fundamental question of whether they need to collect personal information at all’.[15]

20.10 Two agencies did not support the principle of extending anonymity requirements to agencies.[16] In addition, a number of agencies—although they did not object to the proposed expansion—advised that they would have difficulties in applying the principle.[17] A small number of organisations also objected to any extensions to the present anonymity principle.[18]

20.11 Telstra commented that the proposed anonymity principle ‘does not improve privacy protection in Australia and adds another level of complexity to an already complex compliance regime’.[19] It suggested that the ‘Collection’ principle, which requires organisations to collect only ‘necessary’ information, should provide sufficient assurance that organisations only collect a customer’s personal information where it is appropriate to do so. One stakeholder suggested that anonymity requirements could be added to the ‘Collection’ principle, rather than forming the basis of a stand alone principle.[20]

20.12 The Cyberspace Law and Policy Centre submitted that the anonymity principle should be expanded further to impose an obligation on agencies and organisations to facilitate anonymous transactions with third parties.[21] This was illustrated through charging for unlisted telephone numbers. Although a customer of a telecommunications provider cannot remain anonymous from that provider, the Cyberspace Law and Policy Centre suggested that, as a part of the anonymity principle, he or she should be able to express a desire to remain anonymous at various stages of the provider’s interaction with third parties—for example, the provision of information for directory assistance services.[22]

ALRC’s view

20.13 The ALRC recommends that an anonymity principle should be included in the model UPPs and should apply equally to agencies and organisations. Providing the resulting privacy principle is appropriately worded, the ALRC considers that such an extension is desirable for a number of reasons.

20.14 As noted by the OPC, an anonymity principle encourages agencies and organisations to consider the fundamental question of whether they need to collect personal information at all and to design their systems accordingly. Secondly, allowing individuals to retain greater control over their privacy by giving them the option to transact anonymously, where appropriate, will potentially give rise to significant public policy benefits. For example, this option might encourage an individual to seek medical or other assistance from an organisation or agency where, if the assistance was contingent on the individual identifying himself or herself, the individual would be discouraged from seeking the assistance. This can be illustrated by the anonymous supply of sterile syringes and needles to injecting drug users, which is an important public health initiative in all Australian states and territories. As well as face-to-face outlets, some needle and syringe programs include automatic dispensing machines, to accommodate people who wish to avoid interpersonal contact altogether.[23]

20.15 Agencies’ concerns about the practical application of the principle can be accommodated adequately within the broader limitations of the principle—that is, that the option for anonymity must be provided only where it is ‘lawful and practicable’. These requirements are discussed in more detail later in this chapter.

20.16 Only the Cyberspace Law and Policy Centre recommended the expansion of the principle to require agencies and organisations to facilitate anonymous transactions with third parties. The ALRC is concerned that such an expansion would be uncertain in its application and would place a potentially high compliance burden on agencies and organisations—for example, such an expansion may require significant modification of existing systems. This issue has to some extent been addressed through other recommendations in this Report that are directed towards the protection of third party information, for example, the recommendation that there should be no charge for silent telephone numbers.[24]

The concept of ‘pseudonymity’

20.17 A further issue that was raised in this Inquiry is whether the concept of anonymity is too limited; in particular, whether the relevant privacy principle should be expanded specifically to include the concept of pseudonymity. Such an expansion would allow an individual to transact, subject to the relevant qualifications, pseudonymously with an agency or organisation. That would usually involve the individual providing an agency or organisation with a name, term or other combination of letters and numerals through which he or she can be addressed specifically. In this way, the individual may select a pseudonym that bears no relation to the individual’s actual name, as occurs commonly with internet usernames. There is an example of this approach in the Federal Data Protection Act 1990 (Germany).

The organisation and choice of data-processing systems shall be guided by the objective of collecting, processing and using as little personal data as possible. In particular, use shall be made of the possibilities of anonymisation and pseudonymisation where possible and where the effort entailed is proportionate to the interests sought to be protected. [25]

Submissions and consultations

20.18 In DP 72, the ALRC came to the preliminary view that the proposed UPPs should enable, where appropriate, an individual to transact pseudonymously as well as anonymously, with an agency or organisation.[26] This provision was considered to be useful, particularly in the online environment.[27]

20.19 The majority of stakeholders that commented on this issue welcomed the proposal to extend the anonymity principle to include pseudonymity.[28] The Public Interest Advocacy Centre (PIAC), for example, noted that:

Complete anonymity will not always be possible because an agency or organisation may need to have some means of differentiating between individuals. Pseudonymity provides a practical alternative in situations where the agency or organisation needs to be able to differentiate, but does not need to know the name and other personal details of the individual.[29]

20.20 Similarly, the Office of the Victorian Privacy Commissioner (OVPC) commented that,

in situations where it is necessary to determine that the individual involved in a particular transaction is the same one as has been involved in previous transactions, without actually identifying the individual, pseudonymity is a desirable option.[30]

20.21 A smaller number of stakeholders raised theoretical and practical problems with the inclusion of a pseudonymity requirement.[31] Some of these stakeholders considered that pseudonymous transactions were open to abuse and may detract from the accuracy of information.[32] Stakeholders also suggested that pseudonymity would provide little additional benefit to anonymity.[33] For example, it was submitted that,

where it is not necessary for an organisation or agency to take any record in relation to a transaction, anonymity is normally practicable and lawful. Where a record does need to be made, for legal or practical purposes, it would in most circumstances be highly inappropriate that the record be made under a pseudonym.[34]

20.22 The Law Council of Australia noted that an extension to a pseudonymity requirement will require organisations and agencies to review their methods of transacting with individuals.

Given the pseudonymity requirement is a novel concept, it is highly unlikely that many agencies or organisations will have processes to accommodate this. Implementation could well be difficult, time consuming and expensive.[35]

20.23 Although it supported the inclusion of pseudonymity within the anonymity principle, the OPC raised concerns that agencies and organisations may use the terms pseudonymity and anonymity interchangeably and thereby only offer one of the options to individuals. It suggested that this could have the effect of reducing an individual’s choice over the manner in which he or she interacts with agencies and organisations. The OPC further noted the possibility that information collected in a pseudonymous transaction could, in some circumstances, amount to personal information. This would be the case, for example, where a new technology enables an organisation or agency to use information provided by an individual under a pseudonymous transaction to identify the individual.[36]

20.24 The OPC suggested

that the wording of the principle [should] be clarified to ensure that organisations and agencies provide individuals with the option of interacting anonymously where this is lawful and practicable. Where it is not practicable for an individual to transact anonymously or where the individual chooses to transact under a pseudonym an agency or organisation [should be] required to give individuals the clear option to transact pseudonymously if this is lawful and practicable.[37]

ALRC’s view

20.25 The ALRC recommends that the anonymity principle should provide for pseudonymous transactions. This provides a more flexible application of the principle, by covering the situation where it would be impracticable or unlawful for an individual to transact anonymously but where these barriers would be overcome if the individual were to transact pseudonymously with an agency or organisation. An extension of the principle to encompass pseudonymous transactions will also encourage agencies and organisations to incorporate into their systems privacy-enhancing technologies that facilitate pseudonymous interactions in an online environment.[38]

20.26 Two principal objections to a pseudonymity requirement were raised in submissions: the cost of implementation, particularly where it would have a relatively limited application; and the potential to detract from the accuracy of records. These issues can be accommodated adequately within the broader limitations of the ‘Anonymity and Pseudonymity’ principle—that is, transacting anonymously or pseudonymously must be ‘lawful and practicable’. These requirements are discussed in more detail later in this chapter.

20.27 Depending on the amount of information collected and the nature of such information, it is possible that information collected under a pseudonym could fall (either at the time of collection or at some stage in the future) within the definition of ‘personal information’. The ALRC is not convinced, however, that the principle itself needs to ‘rank’ expressly the options of anonymity and pseudonymity. Rather, the decision of an agency or organisation to provide an option to interact anonymously or pseudonymously will be guided by the particular context. Generally speaking, where the agency or organisation has no need to contact the individual in the future, anonymity would be the most appropriate option. Where some form of identifier is required but need not be personal information, pseudonymity is likely to be appropriate. The relevant matters that an agency or organisation should address when considering whether to provide an option for anonymity or pseudonymity can appropriately be dealt with in guidance on the principle.

[5]Privacy Act 1988 (Cth) sch 3, NPP 8.

[6] See Privacy Act 1993 (NZ) s 6; Data Protection Act 1998 (UK) sch 1.

[7] See Federal Data Protection Act 1990 (Germany) s 3a.

[8]Information Privacy Act 2000 (Vic) sch 1, IPP 8.1; Personal Information Protection Act 2004 (Tas) sch 1, PIPP 8; Information Act 2002 (NT) sch 2, IPP 8.

[9] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Queensland Government, Submission PR 242, 15 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; K Pospisek, Submission PR 104, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[10] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[11] Ibid.

[12]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 17–1.

[13] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[14] Privacy NSW, Submission PR 468, 14 December 2007.

[15] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[16] Australian Federal Police, Submission PR 545, 24 December 2007; Confidential, Submission PR 448, 11 December 2007.

[17] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[18] BPay, Submission PR 566, 31 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[19] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[20]Confidential, Submission PR 570, 13 February 2008.

[21]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[22]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also, Australian Privacy Foundation, Charging for Unlisted Numbers (Silent Lines) (2006) <www.privacy.org.au/Papers/
Silent-Line-v5.rtf> at 4 February 2008
. The issue of charging for silent numbers is considered in Ch 72.

[23] See NSW Health, Needle and Syringe Program Policy and Guidelines for NSW (PD 2006–037) (2006). Automatic dispensing machines have also been trialled in Western Australia and the Australian Capital Territory.

[24] Rec 72–17.

[25]Federal Data Protection Act 1990 (Germany) s 3(6a).

[26] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 17–2.

[27]Ibid, [17.20].

[28] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[29] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[30]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[31] BPay, Submission PR 566, 31 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[32] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[33] BPay, Submission PR 566, 31 January 2008; Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[34] Confidential, Submission PR 536, 21 December 2007.

[35] Law Council of Australia, Submission PR 527, 21 December 2007.

[36]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[37]Ibid.

[38] See the detailed discussion on privacy and developing technology in Part B.