Introduction

30.1 Individuals are expected or required to identify themselves in a number of different contexts. For example, information about a person’s identity is often disclosed in social situations and is often required in economic transactions. The purposes of identification are manifold. For example, identification can enable interpersonal and business relationships to develop, and reduce the possibility of criminal behaviour.

30.2 The type and quantity of evidence required to establish or verify a person’s identity varies according to the context in which the identification is sought. Evidence of identity can include an assertion of a person’s name, the appearance or characteristics of a person, a person’s knowledge (such as a password) or the fact that a person is in possession of an object (such as a passport, birth certificate or card).[1] This chapter uses the term ‘identifier’ to refer to a number, symbol or some types of biometric information that uniquely identifies an individual for the purposes of an agency or organisation’s operations.[2]

30.3 A number of objects that are given to individuals by agencies contain identifiers. Research conducted for the Office of the Privacy Commissioner (OPC) in 2004 revealed that the majority of Australians did not consider it an invasion of privacy to be asked to produce a document containing an identifier, such as a passport.[3]

30.4 In this chapter, the ALRC first considers whether the model Unified Privacy Principles (UPPs) should contain a separate principle to regulate identifiers and, if so, whether that principle should extend to the adoption, use and disclosure of identifiers by agencies. The ALRC then recommends changes to the content of the ‘Identifiers’ principle and the definition of the term ‘identifier’. Finally, the ALRC makes recommendations for the regulation of multi-purpose identifiers such as tax file numbers (TFNs).

Current coverage by IPPs and NPPs

30.5 The Organisation for Economic Co-operation and Development Guidelines for the Protection of Privacy and Transborder Flows of Personal Data (1980)(OECD Guidelines)[4] and the Information Privacy Principles (IPPs) do not contain a principle dealing explicitly with identifiers. On the other hand, the National Privacy Principles (NPPs) currently contain a principle (NPP 7) that deals specifically with identifiers.

30.6 NPP 7 defines an identifier as including ‘a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations’. The principle regulates only the handling by organisations of identifiers assigned by agencies. An individual’s name and Australian Business Number (ABN) are explicitly excluded from being considered identifiers for the purposes of the NPPs.

30.7 NPP 7.1 provides that an organisation must not adopt as its own identifier an identifier that has been assigned by an agency (or an agency’s agent or contracted service provider).[5] NPP 7.2 provides that an organisation must not use or disclose an identifier assigned to an individual by an agency, an agency’s agent or contracted service provider unless the use or disclosure:

  • is necessary for the organisation to fulfil its obligations to the agency;

  • falls under specified exceptions listed in NPP 2.1(e)–(h);[6] or

  • is by a prescribed organisation of a prescribed identifier in prescribed circumstances.[7]

30.8 The combination of NPP 7.1A with the final exception creates a mechanism for the Governor-General to make regulations to prescribe an organisation that may adopt, use or disclose a prescribed identifier in prescribed circumstances, provided certain conditions are met. These conditions are set out in s 100 of the Privacy Act 1988 (Cth). For example, s 100(2) requires that, before the Governor-General makes regulations that derogate from NPP 7, the minister responsible for administering the Act[8] needs to be satisfied that, in relation to the adoption, use or disclosure of the identifier: the agency that assigned the identifier agrees this is appropriate; the agency has consulted the Privacy Commissioner; and the derogation is for the benefit of the individual concerned.[9] These requirements do not apply in certain circumstances set out in s 100(3), namely if:

(a) the regulations prescribe an organisation, or class of organisations; and

(b) the regulations prescribe an identifier, or class of identifiers, of a kind commonly used in the processing of pay, or deductions from pay, of Commonwealth officers, or a class of Commonwealth officers; and

(c) the circumstances prescribed by the regulations for the use or disclosure by the organisation, or an organisation in the class, of the identifier, or an identifier in the class, relate to the provision by the organisation of superannuation services for the benefit of Commonwealth officers; and

(d) before the regulations are made, the Minister consults the Commissioner about the proposed regulations.

30.9 To date, five exceptions have been made using the regulation-making mechanism in the Privacy Act.[10] For instance, the regulations provide that AvSuper is a prescribed organisation for the purposes of NPP 7.1A and:

(b) the payroll number assigned to an individual by Airservices Australia or the Civil Aviation Safety Authority is a prescribed identifier; and

(c) the prescribed circumstance is that the payroll number is adopted by AvSuper to provide a superannuation service to the individual.[11]

30.10 In addition to the mechanism in NPP 7.1A, the specified exceptions listed in NPP 2.1 allow an organisation to use or disclose an identifier assigned by an agency where:

  • the organisation reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety, or a serious threat to public health or public safety;[12]

  • in the case of an individual’s genetic information, the organisation reasonably believes the use or disclosure to a genetic relative of the individual is necessary to lessen or prevent a serious (but not necessarily imminent) threat to the life, health or safety of a genetic relative of the individual;

  • the organisation has reason to suspect unlawful activity, and the use or disclosure is a necessary part of its reporting or investigation of the matter;

  • it is required or authorised by law; and

  • the organisation reasonably believes that the use or disclosure is reasonably necessary for certain specified functions of an enforcement body.[13]

30.11 The policy bases of the ‘Identifiers’ principle are twofold. First, NPP 7 was introduced ‘to ensure that the increasing use of Australian Government identifiers does not lead to a de-facto system of universal identity numbers’.[14] Secondly, the regulation of identifiers reflects concern about the facilitation of data-matching by identifiers. Thus, NPP 7.1

prevents an organisation from acquiring a particular government assigned identifier from all the individuals with which it deals and using that identifier to organise personal information it holds and match it with other personal information organised by reference to the same identifier.[15]

[1] R Clarke, ‘Human Identification in Information Systems: Management Challenges and Public Policy Issues’ (1994) 7(4) Information Technology & People 6, 10.

[2] The definition of an ‘identifier’ is discussed later in this chapter.

[3] Roy Morgan Research, Community Attitudes Towards Privacy 2004 [prepared for Office of the Privacy Commissioner] (2004), [6.1].

[4] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

[5] NPP 7.1A provides, however, that this prohibition does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

[6] These exceptions are discussed in Ch 25.

[7] The Privacy (Private Sector) Regulations 2001 (Cth) prescribe a number of organisations, identifiers and circumstances for the purposes of NPP 7.2. See Privacy (Private Sector) Regulations 2001 (Cth) regs 8–11.

[8] Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].

[9] In Ch 5, the ALRC discusses privacy regulations generally and recommends that the regulation-making power in the Privacy Act should be amended to provide that the Governor-General may make regulations, consistent with the Act, modifying the operation of the UPPs to impose different or more specific requirements, including imposing more or less stringent requirements, on agencies and organisations than are provided for in the UPPs: Rec 5–1.

[10] See Privacy (Private Sector) Regulations 2001 (Cth) regs 7–11.

[11] Ibid reg 7.

[12] In Ch 25, the ALRC recommends that the ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose (the secondary purpose) other than the primary purpose of collection if the agency or organisation reasonably believes that the use or disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individual’s life, health or safety; or (b) public health or public safety. See Rec 25–3 and accompanying text.

[13]Privacy Act 1988 (Cth) sch 3, NPP 7.2(b), which imports the exceptions to the use and disclosure prohibition in NPP 2.1(e)–(h).

[14] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 269.

[15] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [380].