Is there a need for an ‘Identifiers’ principle?

30.12 A threshold issue is whether it is necessary to retain a separate principle to regulate the use of identifiers. There is an argument that the collection, use and disclosure of identifiers could be accommodated within the privacy principles that deal with those aspects of the information cycle. For example, the proscription in NPP 7 against the adoption by an organisation of an identifier assigned by an agency could be accommodated within the privacy principle governing use and disclosure of personal information.

30.13 A small number of submissions to the Issues Paper, Review of Privacy (IP 31) specifically addressed the question whether there should be a separate privacy principle to regulate the handling of identifiers.[16] Two stakeholders indicated that a separate principle was not required.[17] On the other hand, the Queensland Council for Civil Liberties supported the retention of ‘a clear principle prohibiting the development of a universal or approaching universal identifier’.[18] The Office of the Information Commissioner (Northern Territory) was of the view that NPP 7 ‘currently performs a useful task in limiting the use of identifiers for data-matching and data-linkage’.[19] Further, the OPC noted that the current principle ‘serves an important function in protecting information privacy’.

A unique identifier can make it significantly easier to match or link personal information that has been collected in different contexts and for different purposes. Such linkages can facilitate a range of functions, such as more targeted (and potentially intrusive) direct marketing, through to data surveillance of how individuals go about their day to day lives.[20]

30.14 In Discussion Paper 72, Review of Australian Privacy Law (DP 72), the ALRC proposed that the UPPs should contain a separate principle that regulates identifiers.[21] The ALRC expressed the view that the policy bases for the ‘Identifiers’ principle remained relevant, and noted that it had not received feedback that indicated that the dangers associated with the possible misuse of identifiers could be dealt with more effectively by incorporating the provisions relating to identifiers in other privacy principles.[22]

30.15 The ALRC also proposed that the ‘Identifiers’ principle should not apply to the adoption, use or disclosure of a prescribed identifier by a prescribed organisation in prescribed circumstances.

Submissions and consultations

30.16 A number of stakeholders supported the retention of a separate privacy principle to regulate the handling of identifiers by organisations.[23] For example, the Public Interest Advocacy Centre (PIAC) submitted that the

accommodation of identifiers within other privacy principles such as collection, use and disclosure would be unnecessarily complex, and would fail to give adequate recognition to the serious privacy risks associated with the misuse of identifiers.[24]

30.17 Other stakeholders accepted the policy bases for the ‘Identifiers’ principle, but expressed concern about the practical operation of the principle. The Association of Market and Social Research Organisations submitted that NPP 7 curtails practices that do not pose a threat to privacy and could have a public benefit. For example, ‘in the market and social research industry, organisations are disinclined to carry out research involving Commonwealth Identifiers even on a double-blind basis’.[25] Centrelink submitted that:

if restrictions similar to those currently in National Privacy Principle 7.2 are included in the UPPs, it would not allow for flexibility in service delivery to meet the agency’s needs and our customers’ expectations. Although NPP 7 allows for the making of regulations, the process is resource intensive.[26]

30.18 The Cyberspace Law and Policy Centre supported the existence of a separate principle, but did not agree with the proposed regulation-making exception. The Centre submitted that exceptions should be made through the public interest determination process as this will allow ‘appropriate scrutiny and opportunities for public input which are not provided by a regulation-making power’.[27]

ALRC’s view

30.19 There should be a separate ‘Identifiers’ principle. It is not desirable for organisations to refer to individuals by an identifier that is assigned by an agency, nor is it desirable to facilitate data-matching between agencies and organisations through the use of an identifier. A further benefit of a separate ‘Identifiers’ principle is that the principle can deal with issues unique to identifiers such as: the adoption of identifiers by organisations; the definition of the term; and the exceptions to the use and disclosure of identifiers by organisations.

30.20 As noted above, regulations can permit a prescribed organisation to adopt, use or disclose a prescribed identifier in prescribed circumstances. This ensures that the ‘Identifiers’ principle does not operate inflexibly to prevent an organisation from carrying out activities that have a public benefit or are essential to the operations of the organisation. This regulation-making mechanism should remain in the Privacy Act. This mechanism should conform to the regulation-making power recommended in Chapter 5 of this Report. As a consequence, the ‘Identifiers’ principle should require that the minister responsible for administering the Privacy Act[28]needs to be satisfied that the derogation from the privacy protection in the ‘Identifiers’ principle is for the benefit of the individual concerned.

30.21 The ALRC notes that the Legislative Instruments Act 2003 (Cth) requires consultation, where practicable and appropriate, before the making of regulations and other legislative instruments.[29] Before the making of a regulation that derogates from the privacy protection contained in the ‘Identifiers’ principle, it would be practicable and appropriate for the Minister to consult with the Privacy Commissioner and the agency that assigned the identifier. The recommended changes to the ‘Identifiers’ principle, together with the consultation requirements in s 17 of the Legislative Instruments Act, addresses the requirements currently set out in s 100(2) of the Privacy Act and the exceptions to those requirements set out in s 100(3) of the Act.

30.22 The ALRC notes that the existing ‘Identifiers’ principle provides a number of other exceptions to the general prohibition against adopting, using or disclosing an identifier assigned by an agency (or its agent or contracted service provider). These exceptions allow use or disclosure of an identifier where the public benefit of the use or disclosure would outweigh consideration of individual privacy. For example, use or disclosure of an identifier could take place for the purposes of law enforcement.[30] In addition, the ‘required or authorised by or under law’ exception allows derogation from the ‘Identifiers’ principle to occur with full parliamentary scrutiny by the adoption or amendment of primary legislation.[31] If the derogation is deemed to be less significant, this can occur through the more expedited process of subordinate legislation, which still involves accountability measures, such as those provided for under the Legislative Instruments Act.

30.23 The exceptions to the ‘Identifiers’ principle provide sufficient flexibility to overcome any unwarranted impediments to the use of identifiers by organisations, while at the same time providing appropriate protection for the privacy rights of individuals.

Recommendation 30-1 The model Unified Privacy Principles should contain a principle called ‘Identifiers’ that applies to organisations.

Recommendation 30-2 The ‘Identifiers’ principle should include an exception for the adoption, use or disclosure by prescribed organisations of prescribed identifiers in prescribed circumstances. These should be set out in regulations made:

(a) in accordance with the regulations-making mechanism set out in the Privacy Act; and

(b) when the Minister is satisfied that the adoption, use or disclosure is for the benefit of the individual concerned.

[16] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–26.

[17] Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007.

[18] Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[19] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[20] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[21] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–1.

[22] Ibid, [27.16].

[23] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[24] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[25] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.

[26] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[27] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. Public interest determinations are discussed in Ch 47.

[28] Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].

[29]Legislative Instruments Act 2003 (Cth) s 17. Consultation particularly is required where the regulations are likely to have a direct or substantial indirect effect on business.

[30] See UPP 10.2(b) and UPP 5.1(f).

[31] See UPP 10.2(b) and UPP 5.1(e).