Definition of ‘identifier’

30.39 The definition of an ‘identifier’ in NPP 7 does not describe what an identifier is, only that it includes a number assigned by an organisation to an individual. The OPC Guidelines to the National Privacy Principles, however, set out a definition of ‘identifier’:

A Commonwealth government identifier is a unique combination of letters and numbers, such as a Medicare number, which Commonwealth government agencies or contracted service providers allot to an individual.[59]

30.40 In DP 72, the ALRC considered whether the definition of an ‘identifier’ should include: identifiers that are not technically unique; identifiers containing biometric information; and an individual’s name and ABN.

Unique

30.41 The current definition of ‘identifier’ requires that it ‘identify uniquely the individual for the purposes of the organisation’s operations’.[60] The OVPC submitted that some identifiers issued by agencies are not in fact ‘unique’.[61] For example, Medicare numbers are listed as an example of a unique identifier in Guidelines issued by the OPC.[62] In circumstances where two or more family members share a Medicare number, however, the number does not, of itself, uniquely identify each of those family members.[63]

30.42 Secondly, while a biometric characteristic is generally unique to an individual, it is important to note that a number of factors may affect whether a biometric system can produce an exact match between a biometric sample and a stored template. For example, the quality of a collected sample, such as a facial image, may be affected by lighting conditions, camera distance and lens precision. The accuracy of the match may also be affected by ‘the losses introduced by the extraction of biometric features such as face geometry, and the availability of comparative biometric data from the general population’.[64]

30.43 In DP 72, the ALRC proposed that the OPC be empowered to make a determination that, where a number, symbol or other particular does not, of itself, uniquely identify an individual, that number, symbol or particular is still an ‘identifier’ for the purposes of the ‘Identifiers’ principle.[65] Further, the ALRC proposed that the ‘Identifiers’ principle should contain a note stating that a determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of s 5 of the Legislative Instruments Act.[66]

Submissions and consultations

30.44 The OPC queried whether the proposed determination-making power was necessary. The OPC submitted that the ALRC’s expanded definition of an ‘identifier’ to include a number, symbol or any other particular, would seem to provide for future contingencies.[67] On the other hand, the OVPC supported the proposed determination-making power, submitting that this would provide an avenue for regulating identifiers that are not actually unique, such as Medicare numbers.[68]

30.45 PIAC was concerned that the proposed determination-making power provided ‘too broad a discretion to the OPC and that any determinations by the OPC are liable to be disallowed by the Australian Parliament in any event’.[69]

ALRC’s view

30.46 The definition of an ‘identifier’ requires it to ‘identify uniquely’ an individual. A determination-making power of the kind proposed in DP 72 will allow the Privacy Commissioner to determine that identifiers that are not actually ‘unique’, such as a shared Medicare number, still are identifiers for the purpose of the ‘Identifiers’ principle.[70] The ALRC notes that the OPC’s submission is directed towards the types of information that could be an identifier, rather than the situation where an identifier is not unique to the assigning agency.

30.47 In addition, a determination-making power would deal with possible ambiguities about whether personal information is an ‘identifier’. The ALRC anticipates, however, that such a determination would rarely be required. The recommended definition of ‘identifier’, therefore, should not place a significant burden on the Privacy Commissioner. Further, the definition of ‘identifier’ should include a note stating that a determination referred to in the recommended ‘Identifiers’ principle is a legislative instrument for the purposes of s 5 of the Legislative Instruments Act 2003 (Cth). The inclusion of this note clarifies that any determination made by the Privacy Commissioner may be disallowable by the Australian Parliament. The ALRC remains of the view that this is an appropriate check on the discretion afforded to the Privacy Commissioner.

Biometric information

30.48 Biometric information relates to the physiological or behavioural characteristics of a person.[71] Throughout this Inquiry, the ALRC has noted the privacy risks associated with the handling of this information.[72] In particular, the sensitive and permanent nature of biometric information has led the ALRC to recommend that the definition of ‘sensitive information’ be amended to include biometric information collected for certain purposes.[73]

30.49 Biometric information can be used as an identifier. An example of a biometric identifier used by agencies is the Australian ePassport that was introduced in 2005. The Australian ePassport includes a digital photograph of the passport holder on a chip embedded in the centre page of the passport.[74]

30.50 The current definition of ‘identifier’ in NPP 7 does not exclude specifically biometric information. The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 states that identifiers are ‘not limited to letters and numbers’ although an identifier ‘will often contain either, or both’.[75] Biometric identifiers that are not stored in an encrypted form, therefore, are probably included in the current definition. Nonetheless, to ensure that biometric and other non-numerical identifiers are regulated by the ‘Identifiers’ principle, the ALRC proposed in DP 72 that an identifier should include ‘a number, symbol or any other particular’.[76]

Submissions and consultations

30.51 A number of stakeholders supported this proposal.[77] Privacy NSW suggested that the definition of an ‘identifier’ should make ‘overt reference’ to biometric information to make clear that this information is an identifier.[78]

30.52 On the other hand, the AGD had two concerns about the broadening of the definition of an ‘identifier’. First, it stated that the proposed inclusion in the definition of ‘sensitive information’ of certain types of biometric information

creates an anomaly as biometric information could be collected as ‘sensitive information’ with consent under proposed UPP 2.6, but not used or disclosed as an ‘identifier’ with consent under proposed UPP 10.4.[79]

30.53 Secondly, the AGD submitted that a biometric algorithm—or identifier—that is generated when a person enrols in a biometric system is not unique to the agency or organisation assigning the identifier. In the AGD’s view, this means that proscribing the adoption, use or disclosure of an identifier assigned by one agency is unworkable, as this identifier will be independently generated by a number of agencies.[80]

30.54 The Cyberspace Law and Policy Centre submitted that the ‘definition of “identifier” should also encompass when identifiers are used for authentication (verification) and not only when used for identification’.[81]

ALRC’s view

30.55 Some types of biometric information should be included in the definition of an ‘identifier’. The ALRC agrees, however, that the words ‘or any other particular’ in the proposed definition of an ‘identifier’ potentially include a large amount of non-sensitive personal information. In the ALRC’s view, the definition of an ‘identifier’ should reflect the specific concern about biometric information.

30.56 Explicit protection of some types of biometric information is warranted where this information is used as an identifier assigned by an agency and adopted, used or disclosed by an organisation. The ALRC notes the particular privacy risks associated with the handling of an individual’s biometric information.[82] Further, the policy bases underlying the ‘Identifiers’ principle also are relevant for biometric identifiers. The ‘Identifiers’ principle contains a number of exceptions that would allow organisations to use or disclose such biometric information—for example, where such use or disclosure is required or authorised by or under law, or where regulations allow the handling of certain identifiers in certain circumstances. As discussed later in this chapter, any unique multi-purpose identifier that contains biometric information should be regulated by separate, sectoral legislation that addresses the specific privacy risks and concerns associated with such a scheme.

30.57 The AGD submitted that it is technically possible for separate biometric systems to generate identical biometric templates of the same individual. The OPC should make clear in guidance that agencies and organisations that design or deploy biometric systems technology should ensure the unique nature of the biometric templates issued by the systems. As noted above, the OPC should be empowered to make a determination to ensure that, where a number, symbol or certain type of biometric information does not of itself uniquely identify an individual, that number, symbol or biometric information is still an ‘identifier’ for the purposes of the ‘Identifiers’ principle.

30.58 Finally, the ALRC agrees that the definition of an ‘identifier’ also should refer to identifiers that are assigned by an agency to verify the identity of an individual. This is particularly pertinent in the context of biometric systems, where certain biometric identifiers assigned to an individual only will be used by an agency for the purpose of identity verification—for example, at a national border to verify that an individual is who his or her passport states that he or she is.

Individual’s name and ABN

30.59 NPP 7.3 excludes an individual’s name and ABN from the definition of an ‘identifier’. NPP 7.3 provides that an ABN has the meaning given to it in the A New Tax System (Australian Business Number) Act 1999 (Cth). This Act provides that an

ABN (Australian Business Number) for an entity means the entity’s ABN as shown in the Australian Business Register.[83]

30.60 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) explains why an ABN was expressly excluded from the definition in NPP 7.

An ABN, intended to be a unique business identifier, may, where assigned to a sole trader, also identify an individual. The restrictions on using identifiers assigned by agencies are not intended to apply within the context of the ABN scheme. For this reason an ABN is specifically excluded from the definition of ‘identifier’.[84]

30.61 In DP 72, the ALRC expressed the view that, for the avoidance of doubt, an individual’s name and ABN should continue to be excluded expressly from the definition of ‘identifier’.[85]

Submissions and consultations

30.62 The ALRC received limited feedback about whether it remains appropriate to exclude an individual’s name or ABN from the definition of ‘identifier’. One submission supported specifically the continued exclusion of an ABN from the definition.[86]

ALRC’s view

30.63 NPP 7 regulates the handling of identifiers assigned to individuals—not identifiers assigned to organisations. ‘Individual’ is defined in the Privacy Act to mean a natural person.[87] An ‘organisation’ includes an individual who acts in a business capacity, such as a sole trader.[88] The exclusion of an ABN from the definition of ‘identifier’ may be a problem if there is a tendency among organisations or agencies to use the ABN of a sole trader to identify an individual acting in a non-business capacity. The ALRC has not received information about such practices, however, and is of the view that the exclusion of an ABN from the definition of an ‘identifier’ is appropriate.

30.64 No stakeholder suggested that the definition of ‘identifier’ should be amended to include an individual’s name. An individual’s name is not assigned by an agency. The ALRC is of the view that, for the avoidance of doubt, an individual’s name and ABN should continue to be excluded from the statutory definition of ‘identifier’.

Recommendation 30-3 The ‘Identifiers’ principle should define ‘identifier’ inclusively to mean a number, symbol or biometric information that is collected for the purpose of automated biometric identification or verification that:

(a) uniquely identifies or verifies the identity of an individual for the purpose of an agency’s operations; or

(b) is determined to be an identifier by the Privacy Commissioner.

However, an individual’s name or Australian Business Number, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an ‘identifier’.

Recommendation 30-4 The ‘Identifiers’ principle should contain a note stating that a determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of s 5 of the Legislative Instruments Act 2003 (Cth).

[59] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 55.

[60]Privacy Act 1988 (Cth) sch 3, NPP 7.3.

[61] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[62] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 55.

[63] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[64] M Wagner, Correspondence, 16 April 2007.

[65] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–2.

[66] Ibid, Proposal 27–3.

[67] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[68] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[69] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[70] The ALRC notes that, if the recommendations in Ch 3 are implemented, such a determination could apply in state and territory jurisdictions. In addition, in Ch 17, the ALRC recommends that the OPC should develop and publish memoranda of understanding with each of the bodies with responsibility for information privacy in Australia, including state and territory bodies: Rec 17–3.

[71] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 4.

[72] The privacy risks associated with biometric systems technology are discussed in Ch 9.

[73] Rec 6–4.

[74] A Downer (Minister for Foreign Affairs), ‘Australia Launches ePassports’ (Press Release, 25 October 2005).

[75] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 147.

[76] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–2.

[77] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. Two stakeholders did not oppose the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[78] Privacy NSW, Submission PR 468, 14 December 2007.

[79] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007. In Ch 6, the ALRC recommends that the definition of ‘sensitive information’ should be amended to include: biometric information collected for the purpose of automated biometric authentication or identification; and biometric template information: Rec 6–4.

[80] Ibid.

[81] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[82] The privacy risks associated with biometric systems technology are discussed further in Ch 9.

[83]A New Tax System (Australian Business Number) Act 1999 (Cth) s 41.

[84] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [383].

[85]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–2.

[86] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[87]Privacy Act 1988 (Cth) s 6(1).

[88] Ibid ss 6C, 7B, 16E.