Application of the ‘Anonymity and Pseudonymity’ principle

‘Lawful and practicable’

20.28 The requirement to provide the option for anonymity or pseudonymity is not absolute. In particular, under NPP 8, organisations are required to provide individuals with the option of not identifying themselves only where it is ‘lawful and practicable’. NPP 8 is also limited to situations where individuals are ‘entering into transactions’ with an organisation.

20.29 Some factors that agencies or organisations should consider when determining whether it is practicable to deal with an individual anonymously or pseudonymously include whether:

  • the provision of the product or service requires the individual to be identified;

  • the provision of the product or service could be improved if the individual was known;

  • there will be an increase in cost or time involved in providing the service; and

  • there will be an increased risk to the organisation or agency in providing the service anonymously or pseudonymously, for example in the event of legal proceedings.[39]

20.30 It may not be lawful for an agency or organisation to provide the option of anonymity or pseudonymity where the agency or organisation is required to collect identifying information; for example, for the purpose of mandatory reporting requirements including notifiable diseases or suspected child abuse, or opening a bank account.[40] In DP 72, the ALRC also suggested that the requirement of ‘lawful’ would not be met where the failure to collect the identifying information by the agency or organisation would result in the individual acting unlawfully, for example where an individual wishes to transact anonymously in order to further a fraudulent conspiracy of which the individual is a part.[41]

20.31 In DP 72, the ALRC also proposed an additional clarification of the ‘Anonymity and Pseudonymity’ principle, which was replacing the words ‘when entering transactions’ in the current NPP 8 with the words ‘when transacting’.[42] This was intended to make it clear that where an individual has an existing relationship with an agency or organisation that individual is still entitled to transact anonymously.[43]

Submissions and consultations

20.32 A large number of agencies and organisations expressed concerns that the practical application of the ‘Anonymity and Pseudonymity’ principle would interfere with their functions.[44] In particular, concerns were raised by agencies involved in service delivery.[45] The Department of Disability Housing and Community Services (ACT), for example, advised that:

The Office for Children, Youth and Family Support (OCYFS) provides services to children and young people … including to children at risk of abuse or neglect. Accurate identification of names assists in the provision of appropriate recording of client history (which assists with risk assessment) and is essential at times for assisting with the procurement of services for children on care orders who require financial assistance for medical services and other such items.[46]

20.33 Similarly, the Australian Government Department of Human Services advised that it cannot provide full and reliable advice to an individual that remains anonymous or provides a pseudonym. This advice requires a full discussion of his or her circumstances.[47]

20.34 The Department of Foreign Affairs and Trade expressed concern about the potential compliance burden of providing individuals with the option to transact pseudonymously, for example by requiring amendment of the Department’s online forms such as passport applications.[48] The Law Council of Australia also submitted that a requirement to provide an option of pseudonymity could be time consuming and expensive.[49]

20.35 Stakeholders also identified a range of situations where the application of the ‘Anonymity and Pseudonymity’ principle could conflict with legislative requirements on the organisation to retain identifying information. Examples included legislative requirements that apply to the telecommunications industry,[50] the provision of health care[51] and health insurance[52] and the financial services sector.[53]

20.36 Some stakeholders suggested that a specific exception should be provided from the ‘Anonymity and Pseudonymity’ principle, for example, for the delivery of health benefits and social services by Commonwealth agencies,[54] or for the provision of health care.[55]

20.37 Other stakeholders expressed concerns about the potential for an agency or organisation to rely upon the requirement that anonymous or pseudonymous transactions should be ‘practicable’ to evade its obligations under this principle.[56] In particular, they noted that options for anonymity or pseudonymity should be considered at the design stage of new information systems to prevent impracticality being relied upon further down the track. They suggested, therefore, that the principle should provide expressly that the obligation for organisations and agencies applies at the stage when an information system is being designed, as well as the time that an individual enters into a transaction with an agency or organisation.[57]

20.38 The Cyberspace Law and Policy Centre, for example, used the example of cashless toll roads to illustrate the need for anonymity and pseudonymity options to be integrated into information systems.

The opportunity for anonymous travel has been removed by the removal of cash booths and the choice of tolling systems and business models that require vehicles (and their registered owners) to be identified. Had sufficient attention been paid to an anonymity/pseudonymity principle at the outset, it should have been possible to design automated toll roads that either respected the right of anonymous travel (through the use of pre-paid debit tags) or at least offered ‘pseudonymous’ accounts where identification of the actual user would only be triggered by exceptional events, (such as non-payment, accidents or crime).[58]

20.39 The Cyberspace Law and Policy Centre also advised that the potential for isolated cases of abuse should not be sufficient to make the option for anonymity or pseudonymity ‘unlawful’. Rather than assessing the intentions of each individual, it argued that agencies and organisations should undertake a high level assessment of risk.[59]

It is impossible to know in advance the motives of an individual in seeking anonymity or using a pseudonym. Any system can and will be abused in isolated cases—and that alone is not sufficient justification for exemption from this principle. It would only be reasonable to decline to provide anonymous or pseudonymous option where an overall assessment of the resulting risk of fraud or other unlawful behaviour was both high and widespread—i.e. where it was likely to be abused by many individuals.[60]

Options for reform

20.40 A number of options for reform of the ‘Anonymity and Pseudonymity’ principle were supported in submissions, including:

  • replacing the word ‘transact’ with ‘interact’, to clarify that the obligation applies before any sale or contract, which is when it is likely to have the most relevance;[61]

  • introducing specific exceptions for the delivery of health benefits and social services by Commonwealth agencies,[62] and for the provision of health care;[63] and

  • additional guidance on the application of the principle, including on how the principle should be balanced with other obligations of the agency or organisation.[64]

ALRC’s view

20.41 The ‘Anonymity and Pseudonymity’ principle is an important component of the model UPPs. Agencies and organisations, however, expressed widespread concerns about its practical application. The best way of addressing these concerns is by clarifying the types of dealings where the principle is likely to apply.

20.42 One way of clarifying the application of the principle is by replacing the word ‘transacting’ with ‘interacting’. Since, on its plain English meaning, ‘interact’ is a word of wider import than ‘transact’, this more clearly establishes the broad spectrum of dealings between individuals and agencies or organisations where identifying information may not be required. The term ‘transacting’ may be associated unduly with customised transactions or service delivery, where anonymity or pseudonymity will often not be appropriate.

20.43 There is also a need for additional certainty concerning the requirements of ‘lawful and practicable’, including:

  • an agency’s or organisation’s application of the ‘practicable’ requirement when delivering a service to an individual or entering into a customised transaction;

  • the factors an agency or organisation should take into account when it balances the requirement that it should provide individuals with the option to interact anonymously or pseudonymously wherever it is ‘practicable’ to do so with the compliance burden of providing this option; and

  • the extent to which ‘lawful’ extends to an agency or organisation that, by providing an option to interact anonymously or pseudonymously, facilitates unlawful actions on the part of the individual.

20.44 The OPC should issue guidance on the ‘Anonymity and Pseudonymity’ principle—including on the interpretation of the requirements of ‘lawful and practicable’.

20.45 Another way that agencies and organisations can accommodate the ‘Anonymity and Pseudonymity’ principle is through their Privacy Policy.[65] This document could include, for example, information on the interactions for which anonymity or pseudonymity is available, including any consequences for an individual that chooses to take up such an option. For example, a complaint-handling program may allow complaints to be received in an identified or anonymous form. Where an identified complaint is made, follow-up information can be provided to the complainant on the outcome of the complaint or steps being taken to rectify the situation. Where an anonymous complaint is received, this follow up will not be possible. By setting out these trade-offs up front, an agency or organisation provides an individual with the opportunity to decide which interests take precedence.

20.46 The reforms set out above will accommodate adequately the application of the ‘Anonymity and Pseudonymity’ principle by a diverse spectrum of agencies and organisations. Therefore, specific agencies or organisations should not be granted an exception from the principle. Rather, the question of whether the principle should apply will depend on the nature of the particular interaction. For example, where an agency is undertaking an activity that is directly connected to the provision of a government benefit, it generally will not be ‘lawful and practicable’ for the agency to offer an option of anonymity or pseudonymity. Where the agency is undertaking a more generic interaction, however, such as providing advice on general departmental policy or procedure, anonymity or pseudonymity may be appropriate.

20.47 Focusing the application of the principle on the nature of the particular interaction is also supported by submissions from a number of agencies and organisations involved in service delivery, which identified functions that they carry out that are already undertaken anonymously, or could in the future potentially be undertaken anonymously.

‘Not misleading’

20.48 In DP 72, the ALRC noted the potential for pseudonymous transactions to lead to a risk of fraud or misleading practices. Although the ALRC suggested that fraud was adequately covered by the requirement that the transaction be ‘lawful’, it was concerned that in some circumstances it may be misleading—even where not necessarily fraudulent—for an individual to provide a pseudonym, or particular types of pseudonym. This can be illustrated by a situation where an individual deliberately chooses as a pseudonym someone else’s name in order to give the impression that he or she is actually that other person.

20.49 In order to minimise the potential for such practices, the ALRC proposed that the option to transact pseudonymously should be subject to the additional limitation of situations where it would not be misleading.[66]

Submissions and consultations

20.50 In submissions on DP 72, some stakeholders objected to the inclusion of a pseudonymity-specific requirement that the use of the pseudonym not be misleading.[67] In particular, concerns were raised that this requirement was an oxymoron—that is, that the very nature of a pseudonym is to mislead as to identity.[68]

20.51 The Cyberspace Law and Policy Centre, for instance, suggested that the qualification ‘where lawful and practicable’ should cover all the necessary exceptions. It noted that the example provided by the ALRC in this context—a person using another individual’s name as his or her pseudonym—would either be fraudulent (where there was an intention to impersonate) or harmless and unobjectionable (such as using a celebrity’s name in fun). It also submitted that organisations and agencies are not equipped to assess an individual’s intentions when he or she interacts pseudonymously.[69]

20.52 The OVPC advised that the practical application of this requirement could be difficult, submitting that,

careful thought and guidance will need to be provided by Privacy Commissioners in relation to the meaning of ‘not misleading’ as there is potential for agencies and organisations to interpret this phrase broadly and thus to deny individuals the opportunity to transact pseudonymously, even where there is no genuine need to identify the individual concerned.[70]

20.53 Some stakeholders suggested alternative wordings for a pseudonymity-specific requirement; for example, pseudonyms that are ‘not likely to cause any material loss or damage to any person’,[71] or wording to make it clear that pseudonyms ‘cannot be used with deliberate intent to commit fraud or deliberately pass oneself off as another real person’.[72] RCSA suggested that, in addition to the requirement that a pseudonym be ‘not misleading’, it should also not be ‘offensive’.[73]

ALRC’s view

20.54 The ALRC accepts that there is the potential for pseudonymous interactions to result in misleading practices; in particular, where an individual deliberately passes himself or herself off as another real person. For example, an online news site may provide for pseudonymous comments to be posted on articles. An individual could post comments on articles under a pseudonym that has been selected deliberately in order to mislead other readers into believing that the posts have been made by someone else. Depending on the circumstances, this could result in loss or damage to the individual impersonated and to the news site.

20.55 The ALRC also accepts the inherently misleading nature of pseudonyms. As one commentator has noted, ‘except where unavoidable, a user’s online presence will generally contain some level of falsification’.[74] The ALRC agrees that a requirement that a pseudonym not be misleading could be difficult for agencies and organisations to apply.

20.56 The requirement that the pseudonymous interaction must be ‘lawful and practicable’ is sufficient to guard against systemic abuse. The ALRC also notes that the pseudonymity provision in the German Federal Data Protection Act—at present, the only example of a pseudonymity provision that has been incorporated into privacy legislation—does not include a limitation that the interaction not be misleading. Rather, it requires that use be made of the options of anonymity and pseudonymity ‘where possible’ and where it is proportionate to the interests sought to be protected.[75]

The onus on agencies and organisations

20.57 In DP 72, the ALRC proposed that agencies and organisations be required to give individuals the clear option of transacting anonymously or pseudonymously. In doing this, it distinguished between an obligation to provide an express option to individuals and an obligation to provide a clear option. An express option would require an agency or organisation to state explicitly (for example, on its information collecting system) that individuals may transact anonymously or pseudonymously. A clear option, however, was considered to be less prescriptive and merely requires that the agency or organisation ensure that individuals are aware that they may transact anonymously or pseudonymously.

20.58 A requirement to provide individuals with a clear option would be less onerous and cumbersome, in most instances, than a requirement to provide an express option. It would allow agencies and organisations to comply with the ‘Anonymity and Pseudonymity’ principle in the structure of their information collecting systems. For example, in many cases where asked to fill out a form either on paper or electronically, individuals are told which fields they must complete.[76] Providing a clear option may entail altering the list of ‘required fields’ to take account of the ‘Anonymity and Pseudonymity’ principle. An express option may require agencies and organisations to undertake an additional step of notifying individuals that they do not need to complete the fields containing identifying information.

Submissions and consultations

20.59 The overwhelming majority of stakeholders that commented on this issue supported the ALRC’s formulation of a clear option.[77] A small number of stakeholders did not support the proposed formulation.[78] Telstra, for example, submitted that providing customers with a clear option to transact anonymously or pseudonymously ‘would add to an already heavy compliance burden for organisations’.[79]

20.60 The OVPC suggested that there may be some situations where an organisation or agency should turn its mind to whether expressly providing the option to remain anonymous or pseudonymous (if lawful and practicable) is preferable to providing a clear option.[80] Medicare Australia submitted that a clear option needs to be qualified to include only circumstances where it is a valid option.[81]

20.61 A related issue that was raised in some submissions is whether the ‘Anonymity and Pseudonymity’ principle should be redrafted to place a more active responsibility on agencies and organisations to provide individuals with the option of interacting anonymously or pseudonymously.[82] The Public Interest Advocacy Centre (PIAC), for example, submitted that this could involve redrafting the principle along the lines of the Northern Territory’s anonymity principle,[83] which states that ‘a public sector organisation must give an individual entering transactions with the organisation the option of not identifying himself or herself’.[84] Some stakeholders suggested that this would more closely align the ‘Anonymity and Pseudonymity’ principle with the drafting of the other UPPs[85] and better reflect the wording of the proposals on which the principle is based.[86]

ALRC’s view

20.62 Requiring agencies and organisations to provide individuals with a clear option of interacting anonymously or pseudonymously represents an appropriate balance between the interest in making individuals aware of their option to not identify themselves, or identify themselves pseudonymously, and the need to limit the cost of compliance for agencies and organisations. The formulation of a clear option was also supported by the majority of stakeholders.

20.63 The concerns that agencies and organisations put forward—in particular, the potential compliance burden associated with this recommendation—will be accommodated adequately by the requirement that the option be ‘lawful and practicable’. For example, where providing a clear option for an individual to transact anonymously or pseudonymously would require an agency or organisation to make substantial and costly changes to its systems, generally this would not be considered ‘practicable’. The principle would require agencies and organisations, however, to consider the possibility of such an option in the design of their systems.

20.64 The ALRC agrees with the suggestion that the ‘Anonymity and Pseudonymity’ principle should be redrafted to clarify that the onus is on agencies and organisations to give individuals options to interact anonymously and pseudonymously. That is, rather than the formulation proposed in DP 72—that, in the relevant circumstances, ‘individuals should have the option of not identifying themselves’ when transacting with an agency or organisation[87]—the model UPP should be drafted as follows: ‘Wherever it is lawful and practicable in the circumstances, agencies and organisations must give individuals the clear option of either: (a) not identifying themselves; or (b) identifying themselves with a pseudonym’.

20.65 There are two primary benefits to redrafting the principle in this way. First, it sets out clearly that agencies and organisations must take active steps to provide individuals with the option to interact anonymously or pseudonymously. Secondly, it is consistent with the phrasing of the other model UPPs. The principle remains qualified by the limitations of lawfulness and practicability.

Recommendation 20-1 The model Unified Privacy Principles should contain a principle called ‘Anonymity and Pseudonymity’ that requires an agency or organisation to give individuals the clear option to interact anonymously or pseudonymously, where this is lawful and practicable in the circumstances.

[39] J Douglas-Stewart, Annotated National Privacy Principles (2005), [2–5500].

[40] Ibid, [2-5530].

[41] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [17.18].

[42]Ibid, Proposal 17–2.

[43]Ibid, [17.24]–[17.25].

[44] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[45] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[46]ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.

[47] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[48] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[49] Law Council of Australia, Submission PR 527, 21 December 2007.

[50]Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007. Telecommunications issues are discussed further in Part J.

[51] Australian Medical Association, Submission PR 524, 21 December 2007.

[52]BUPA Australia Health, Submission PR 455, 7 December 2007.

[53]Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[54]Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[55] Australian Medical Association, Submission PR 524, 21 December 2007.

[56] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[57] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[58] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[59] Ibid.

[60] Ibid.

[61]Confidential, Submission PR 536, 21 December 2007.

[62]Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[63] Australian Medical Association, Submission PR 524, 21 December 2007.

[64]Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[65] Privacy Policies are discussed in Ch 24.

[66] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 17–2. See also Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [17.23].

[67] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[68] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[69] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[70] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[71] Law Council of Australia, Submission PR 527, 21 December 2007.

[72] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[73] Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[74]A Sauer, ‘Online Privacy and the Online Self’, Lawyers Weekly, 25 January 2008, 24.

[75]Federal Data Protection Act 1990 (Germany) s 3a.

[76] A ‘field’, on a form, is the space reserved for an individual to provide his or her response to a question that is asked on the form.

[77] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[78] BPay, Submission PR 566, 31 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[79] Telstra Corporation Limited, Submission PR 459, 11 December 2007. See also BPay, Submission PR 566, 31 January 2008.

[80] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[81] Medicare Australia, Submission PR 534, 21 December 2007.

[82] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[83] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[84]Information Act 2002 (NT) sch 2, IPP 8.

[85] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[86] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[87] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), UPP 1. This was adapted from the drafting of NPP 8.