Application of ‘Identifiers’ principle to agencies?

30.24 Currently, agencies are not subject to a provision regulating the adoption, use and disclosure of identifiers. In contrast, some state and territory legislation regulates the assignment, adoption, use and disclosure of identifiers by public sector bodies. Under this legislation, the assignment, adoption, use and disclosure of identifiers by public sector bodies is generally prohibited unless it is necessary for the body to carry out its functions efficiently, or if an individual consents to the use of their identifier.[32]

30.25 In IP 31, the ALRC asked whether agencies should be subject to an ‘Identifiers’ principle.[33] In DP 72, the ALRC identified support in submissions and consultations for making agencies subject to a privacy principle dealing with identifiers.[34] The ALRC expressed the preliminary view that the privacy and other risks associated with the adoption, use and disclosure of identifiers by organisations also apply in respect of agencies, and that further protection of identifiers is warranted. The ALRC proposed that the UPPs should contain a principle called ‘Identifiers’ that applies to both agencies and organisations,[35] noting that this approach would promote regulatory consistency between agencies and organisations.

Submissions and consultations

30.26 There was a divergence of views on this proposal. Privacy commissioners and privacy advocates supported the additional restrictions on the handling of identifiers by agencies.[36] In contrast, while some agencies provided in-principle support for the regulation of the handling of identifiers by agencies,[37] nearly all agencies expressed concern about the operation of the proposed ‘Identifiers’ principle.[38]

30.27 The OPC submitted that identifiers increased the likelihood of data-matching activities. Given the amount of personal information linked to identifiers issued by agencies, the risks associated with data-matching are also pertinent to data-matching programs conducted by agencies.[39] PIAC was ‘concerned about the increasing number of identifiers being developed by government agencies as they strive to deliver services more efficiently and in a “joined-up government” manner’.[40] The Office of the Victorian Privacy Commissioner (OVPC) submitted that the ‘Identifiers’ principle proposed in DP 72 ‘addresses most directly the concerns behind the expression “just a number in a system”’.[41]

30.28 On the other hand, one stakeholder submitted that identifiers can be privacy enhancing in some circumstances:

  • Accurate identification ensures that the right information is associated with, communicated to, and accessed by, the right person; this is particularly important where information is stored and communicated electronically.

  • Identifiers may also replace identifying demographic details and then be used or disclosed in a non-identifying form for activities such [as] research, monitoring or analysis.[42]

30.29 The Attorney-General’s Department (AGD) submitted that the proposed restrictions on the use and disclosure of identifiers by agencies could impede the operation of identity verification programs such as the National Document Verification Service (DVS).[43] The DVS enables an agency to verify that a document, which is presented to the agency by an individual to prove his or her identity, was issued by the document issuing agency claimed on the face of the document. The DVS verifies with the document issuing agency the details, including any identifiers, on the face of the document. The DVS does not maintain a central data repository.[44]

30.30 The Department of Human Services submitted that ‘it is imperative that any proposal regarding unique identifiers does not constrain [agencies’] ability to serve their customers efficiently and effectively’.[45] The Australian Taxation Office submitted that restrictions on the handling of identifiers by agencies could inhibit ‘whole of government projects aimed at enabling people to register for interactions with government agencies more efficiently and with less repeating of information’.[46] The Department of Finance and Deregulation suggested that such concerns are particularly pertinent for individuals transacting with agencies in the online environment.[47]

30.31 The Australian Institute of Health and Welfare was concerned that the proposed extension of the ‘Identifiers’ principle would restrict the use and disclosure of identifiers for research purposes.

Statistical linkage keys (SLKs), which appear to fall within the proposed definition of identifiers, have been implemented in many national information collections to enable the linkage of data for statistical and research purposes, not for administrative purposes … The use of a SLK enables the development of a person-based view (rather than episode-based view) without using identifiable personal data; it is therefore a privacy preserving technique. This is particularly important for developing a whole of government, person-based approach to the planning and delivery of services.[48]

30.32 Some stakeholders suggested that, if the ALRC were to recommend that the ‘Identifiers’ principle be extended to regulate agencies, the ALRC should also recommend that the principle include an exception that would allow an individual to consent to the use and disclosure of their identifier.[49] The Department of Finance and Deregulation noted

the concerns expressed in the Discussion Paper around ‘bundled consent’, where an individual may be coerced into consenting to the disclosure of their personal information or to some other sacrifice of privacy rights to gain a particular benefit. While acknowledging that is a serious concern in the commercial sector, Finance does not consider that a citizen choosing to use one agency identifier to transact with other agencies constitutes ‘bundled consent’.[50]

30.33 Finally, Medicare Australia submitted that ‘the real issue is not the identifier itself, but what happens to the information attached to the identifier—ie the risks associated with uncontrolled data matching’. Medicare Australia was of the view that regulation of identifiers should focus more directly on these risks, rather than restriction of the use of identifiers. This was especially the case ‘given that those restrictions are currently impeding the efficient administration of both agencies and organisations’.[51]

ALRC’s view

30.34 The policy objectives underlying the recommended ‘Identifiers’ principle—preventing an identifier that is assigned by an agency from becoming a de facto national identity number, and restricting the use of an identifier to facilitate data-matching programs—are also relevant to the handling of identifiers by agencies. In addition, making agencies subject to the ‘Identifiers’ principle would promote regulatory consistency. The ALRC agrees, however, that applying the ‘Identifiers’ principle to agencies could seriously impede activities conducted for a public benefit, including: programs designed to reduce fraud and identity theft; service delivery; and research.

30.35 The feedback received by the ALRC indicates that appropriate and important information sharing between agencies would be restricted by the application of the ‘Identifiers’ principle.[52] It does not follow, however, that the handling of identifiers by agencies should not be regulated. The privacy principles dealing with collection, use and disclosure of personal information provide some regulation of the handling of identifiers by agencies. Given the privacy risks associated with identifiers, however, additional restrictions on the handling of identifiers by agencies will sometimes be appropriate.

30.36 One solution could be an ‘Identifiers’ principle that regulates the handling of identifiers by agencies, subject to several agency-specific exceptions.[53] While this approach might provide a better balance between activities conducted by agencies for a public benefit and the protection of individual privacy, it would lead to greater complexity of regulation in this area. Further, this approach may require the introduction of numerous agency-specific exceptions and, accordingly, may not be the most effective approach to regulation. Nor is this approach consistent with the ALRC’s high-level, outcomes-based approach to privacy regulation.[54]

30.37 A better approach is to regulate the assignment, collection, adoption, use and disclosure of identifiers by agencies on a case-by-case basis. This could be carried out either in separate sectoral legislation or in guidance provided by the OPC. Such an approach has been taken to the regulation of TFNs,[55] and was the approach taken in the development of the access card scheme.[56] The ALRC also notes that agencies currently are subject to data-matching guidelines issued by the OPC.[57]

30.38 Many of the privacy risks associated with identifiers are heightened by the use of multi-purpose identifiers. In this chapter, the ALRC makes recommendations directed towards the regulation of such identifiers.[58]

[32] See Information Privacy Act 2000 (Vic) sch 1, IPP 7.1; Personal Information Protection Act 2004 (Tas) sch 1, PIPP 7.1; Information Act 2002 (NT) sch, IPP 7.1 (in relation to public organisations).

[33] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–28.

[34] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; K Pospisek, Submission PR 104, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[35] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–1.

[36] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[37] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[38] See, eg, Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Institute of Health and Welfare, Submission PR 552, 2 January 2008; Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007. See, however, Australian Bureau of Statistics, Submission PR 383, 6 December 2007.

[39] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Privacy NSW, Submission PR 468, 14 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[40] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[41] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[42] Confidential, Submission PR 570, 13 February 2008. See also Australian Institute of Health and Welfare, Submission PR 552, 2 January 2008.

[43] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[44] Australian Government Attorney-General’s Department, Identity Security—National Document Verification Service (DVS) <www.ag.gov.au/www/agd/agd.nsf/Page/Crimeprevention_Identitysecurity> at 5 May 2008.

[45] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[46] Australian Taxation Office, Submission PR 515, 21 December 2007.

[47] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.

[48] Australian Institute of Health and Welfare, Submission PR 552, 2 January 2008.

[49] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.

[50] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.

[51] Medicare Australia, Submission PR 534, 21 December 2007.

[52] In Ch 14, the ALRC makes a number of recommendations related to information sharing practices of agencies.

[53] One such exception could allow an individual to consent to the adoption, use or disclosure of his or her identifier in certain circumstances. Another exception could allow identifiers to be used and disclosed by agencies for the purposes of research.

[54] The ALRC’s approach to privacy regulation is discussed in Chs 4 and 18.

[55] TFNs are discussed later in this chapter.

[56] See, eg, Human Services (Enhanced Service Delivery) Bill 2007 (Cth).

[57] Office of the Federal Privacy Commissioner, The Use of Data Matching in Commonwealth Administration—Guidelines (1998).

[58] Recs 30–6 and 30–7.