Content of privacy principle dealing with identifiers

Use and disclosure for the purpose of identity verification

30.65 An issue that arose in response to DP 72 was whether the proposed ‘Identifiers’ principle would prevent an agency or organisation from using or disclosing an identifier for the purpose of identity verification.[89] The AGD submitted that:

Identifiers are critical for the operation of identity management and an essential feature for identifying documents and credentials … any regulation of identifiers should put it beyond doubt that the use or disclosure of identifiers to enable an agency or organisation to establish or verify a client’s identity for a lawful purpose is allowed.[90]

30.66 Smartnet commented further on the concerns about identity verification:

Australia has no real system of identity or identity protection … there is a tendency for organisations (both government and private) to repeatedly ask us to re-establish our identity on each occasion we deal with them. While this is seen by some to be ‘privacy enhancing’ it does tend to create unnecessary and undisciplined holdings of personal information throughout business, government and the community. As a result, none of us has any idea of what has been collected or where it has ended up.[91]

30.67 As noted above, the ALRC has not recommended that agencies be made subject to the ‘Identifiers’ principle. Before considering whether amendment to the regulation of the handling of identifiers by organisations is required in light of the above submissions, the ALRC makes two key observations. First, the ‘Identifiers’ principle does not regulate the situation where an identifier is merely sighted by an organisation, rather than collected for inclusion in a record and then used or disclosed by that organisation. For example, an individual purchasing alcohol from a bottleshop may be required to show a document such as a proof-of-age card or driver’s licence that verifies that he or she is at least 18 years of age. The ALRC does not suggest that the practice of an organisation sighting an identifier contained on such a card or driver’s licence should be regulated under the ‘Identifiers’ principle.

30.68 Secondly, there is a difference between identification (determining who an individual is), and verification or authentication (verifying that an individual is who or what he or she claims to be). In the example above, the bottleshop was required to verify that the individual purchasing alcohol was at least 18 years of age—the bottleshop did not need to identify the individual.[92] It is to the concept of identification that the stringent regulation in the ‘Identifiers’ principle is directed.

30.69 In the online environment, appropriately designed verification or authentication frameworks can be privacy enhancing. This is reflected in the OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication (2007). In the Preface to the Recommendation, the OECD Council stated:

Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.[93]

30.70 The ALRC notes that the Australian Government is developing an authentication framework that aims ‘to enable e-government by providing confidence in online transactions with government’.[94]

ALRC’s view

30.71 The use or disclosure of an identifier by an organisation for the sole purpose of verifying the identity of a person is not inconsistent with the policy basis of the ‘Identifiers’ principle. Organisations frequently require an individual to establish their identity prior to entering into any transactions. This situation is not always set out in legislation or rules in a way that clearly meets the ‘required or authorised by law’ exception in the ‘Identifiers’ principle. Two limits apply. First, such a use or disclosure does not permit the organisation to adopt that identifier for its own purposes. Secondly, such a use or disclosure does not permit secondary use or disclosure for the purposes of data-matching.

30.72 It would not be desirable for the ‘Identifiers’ principle to prevent organisations from merely verifying an individual’s identity by collecting, using and disclosing the identifiers contained within a high-integrity document, such as a birth certificate or Australian Government passport. In the event that the ‘Identifiers’ principle inhibits temporary handling of identifiers for the purposes of verification, rather than identification, the OPC could develop and publish guidance that addresses the issue.

Data-matching

30.73 In IP 31, the ALRC asked whether the identifiers principle should be redrafted to deal more generally with data-matching.[95] Submissions to IP 31 indicated support for greater regulation of data-matching. A number of submissions expressed concern about the extent to which agencies and organisations could use identifiers to facilitate data-matching processes.[96]

30.74 Several stakeholders pointed out, however, that data-matching programs are not conducted solely by use of identifiers. For example, the OVPC noted that data-sets may be linked through the use of names and dates of birth.[97] Similarly, the CSIRO submitted that ‘two databases with sufficiently many data fields in common can be matched using well-developed data linkage techniques’.[98]

30.75 In DP 72, the ALRC expressed the preliminary view that data-matching should not be regulated by the ‘Identifiers’ principle.[99]

ALRC’s view

30.76 Data-matching is not inherently linked to the use of identifiers. While the ‘Identifiers’ principle provides some regulation of data-matching, in that it prohibits the adoption by an organisation of an individual’s identifier, other than for a specified purpose, data-sets can be linked by an organisation’s use of information that will not be subject to this principle. Data-matching activities, therefore, should be subject to regulation separate to this principle. In Chapter 10, the ALRC recommends that the OPC should develop and publish guidance for organisations on the privacy implications of data-matching.[100]

Collection of identifiers

30.77 Submissions to the OPC Review of the private sector provisions of the Privacy Act (OPC Review) expressed concern about the collection of identifiers by organisations seeking to establish evidence of identity.[101] For example, individuals may be asked to present a Medicare card, an Australian passport or a document with a Centrelink reference number, and such documents may be photocopied by the organisation. NPP 7 does not prohibit the collection of identifiers. The OPC stated that there does not appear to be a need specifically to prohibit the collection of Australian Government identifiers because the collection of identifiers into a record is regulated by NPP 1:

[I]f an identifier is collected by an organisation, but cannot be lawfully used or disclosed pursuant to NPP 7.2, then the collection is not necessary for one of the organisation’s functions or activities. As a consequence, the collection would be prohibited by NPP 1.1.[102]

30.78 In DP 72, the ALRC agreed that the current regulation of the collection of identifiers was appropriate. There was limited feedback on this issue.[103]

ALRC’s view

30.79 Both the IPPs and NPPs currently provide that an agency or organisation should only collect personal information that is necessary for it to carry out its functions or activities.[104] This requirement will form part of the ‘Collection’ principle in the model UPPs.[105] Where the collection of an identifier is not reasonably necessary for an agency or organisation to carry out its functions or activities, that collection will not be permitted and will constitute an ‘interference with the privacy of an individual’.[106] Such requirements are adequate.[107]

Assignment of identifiers

30.80 Neither NPP 7 nor the IPPs regulate the assignment of identifiers by agencies. The process of ‘assignment’ involves an entity (such as an agency) choosing an identifier to apply to an individual. For example, an agency may assign an identifier, consisting of a combination of letters and numbers, to each individual to whom it provides a service. The agency would then, in its records, refer to each of those individuals by the identifier it has assigned. This should be distinguished from adopting an identifier, which involves an agency or organisation using an identifier that has already been assigned by another agency to refer to an individual.

30.81 Certain state and territory provisions go further than the NPPs and IPPs by regulating the assignment of identifiers—either by agencies, organisations or both.[108] There is a gap, therefore, in the federal privacy principles in that they do not regulate the assignment of identifiers.

30.82 In DP 72, the ALRC asked whether the Privacy Act should regulate the assignment of identifiers by agencies, organisations or both.[109]

Submissions and consultations

30.83 Some stakeholders supported the regulation of the assignment of identifiers by agencies and organisations.[110] The OPC submitted that this

would encourage good privacy practice by agencies, by creating a compliance culture in which these agencies consider the necessity of assigning an identifier for their functions and activities.[111]

30.84 On the other hand, the majority of agencies that responded to this question were opposed to the regulation of the assignment of identifiers. For example, Medicare Australia submitted that regulation of identifiers that are issued by agencies for internal use would ‘add a level of complexity and bureaucracy which is not warranted’.[112] Some organisations also opposed the regulation of the assignment of identifiers. GE Money Australia queried whether identifiers assigned by organisations had been the subject of significant criticism.[113] One individual suggested that such regulation would be better directed towards the use and disclosure of an identifier for the purposes of data-matching.[114]

ALRC’s view

30.85 The privacy risks associated with an identifier arise when that identifier is inappropriately adopted, used or disclosed, rather than when it is assigned. Agencies and organisations frequently assign identifiers solely for the internal use of the agency or organisation. The ALRC agrees that the regulation of the assignment of identifiers would add unwarranted complexity to the ‘Identifiers’ principle.

30.86 The ALRC does not recommend that the ‘Identifiers’ principle regulate agencies. Nonetheless, the ALRC agrees with the OPC that an agency should consider the necessity of the assignment of an identifier, particularly where that identifier might be adopted, used or disclosed by another agency. The ALRC makes a recommendation to address the concerns about multi-purpose identifiers later in this chapter.[115]

Consent to the use and disclosure of identifiers

30.87 NPP 7 does not provide for an exception to the use, disclosure or adoption of unique identifiers based on the consent of an individual. Some states and territories do provide for such an exception. These jurisdictions, however, do not have regulation-making powers comparable to those contained in the ‘Identifiers’ principle.[116]

30.88 In DP 72, the ALRC expressed the view that it would be inconsistent with the function of the ‘Identifiers’ principle to include an exception that allows an individual to consent to the use, disclosure or adoption of his or her identifier.[117] The ALRC noted that other legislation, or regulations issued under s 100 of the Privacy Act, can provide for circumstances where the Australian Parliament considers it appropriate for an individual to be able to consent to the use or disclosure of his or her identifier.[118]

Submissions and consultations

30.89 Centrelink submitted that the restriction on the use or disclosure of identifiers impedes the operation of a number of its existing services, which provide information to organisations about the concessional status of the individual with the consent of the individual concerned. These ‘online, real time’ services save time for both individuals and organisations. Centrelink submitted that the process of making regulations to prescribe such identifiers was resource intensive.[119]

30.90 The OPC, on the other hand, expressed concern about the unintended effects on privacy that could result from including a broad consent exception to the identifiers principle:

the privacy risks of sharing unique identifiers are not always immediate. The risks accumulate as more organisations or agencies adopt the number for their own purposes, and as greater amounts of otherwise unrelated personal information become associated with that number. Accordingly, individuals may not always be conscious of the inherent risks of consenting to incrementally greater uses of their unique identifier.[120]

30.91 The OPC also expressed concern about ‘bundled consent’.

In some circumstances consent to a particular information-handling practice may be an imperfect form of privacy protection … Bundled consent is often sought as part of the terms and conditions of a service. In the context of a unique identifier, consenting to it being handled in certain ways may be bundled as a condition of service.[121]

ALRC’s view

30.92 It would be convenient for an individual to be able to consent to the use or disclosure of his or her identifier by an organisation in certain circumstances.[122] The ALRC agrees with the OPC, however, that the privacy risks associated with identifiers are not immediate. On balance, a general consent exception would significantly reduce the protection afforded by the ‘Identifiers’ principle. In addition, the prescription of certain identifiers as specific exceptions listed within the ‘Identifiers’ principle does not accord with the high-level outcomes-based approach to privacy regulation followed by the ALRC in this Inquiry.[123]

30.93 In specific circumstances, it could be appropriate for an individual to consent to the handling of a specific identifier by a specific organisation. In such cases, it is preferable for separate primary or subordinate legislation to be enacted to allow individuals to consent to such specific handling—for example, existing regulations allow an individual to consent to the disclosure of his or her Centrelink Customer Reference Number[124] by certain organisations for the purpose of confirming that individual’s concessional status with Centrelink.[125]

Identifiers issued by state and territory agencies

30.94 NPP 7.1 currently prevents an organisation from adopting as its own identifier an identifier that has been assigned by an Australian Government agency; an agent of that agency; or a contracted service provider of an Australian Government agency. Identifiers issued by state and territory agencies—for example, driver’s licence numbers—do not fall within the current definition of ‘identifier’ in NPP 7.

30.95 In its submission to IP 31, the OPC suggested that the ‘Identifiers’ principle should regulate the adoption, use and disclosure by organisations of identifiers issued by state and territory agencies. The OPC noted that this would be in line with guidelines that it issued prior to the introduction of the NPPs.[126] The OPC also submitted that regulating the handling of all identifiers by organisations ‘may be an appropriate response to emerging challenges posed by the risks of identity theft and fraud’.[127]

30.96 In DP 72, the ALRC proposed that the ‘Identifiers’ principle should regulate the use by agencies and organisations of identifiers assigned by state and territory agencies.[128]

Submissions and consultations

30.97 This proposal was generally supported by stakeholders.[129] In particular, privacy commissioners noted that individuals make inquiries about the collection of driver’s licence numbers by organisations.[130] On the other hand, one organisation was concerned that the proposed regulation would require significant amendment to its systems.[131]

30.98 The AGD submitted that including identifiers assigned by state and territory agencies in the definition of ‘identifier’ would remove an inconsistency in NPP 7, but would compound the problem of identity verification.[132] Similarly, Telstra was concerned that the proposal would prevent organisations from verifying the identity of individuals as required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).[133]

ALRC’s view

30.99 The ‘Identifiers’ principle should apply to identifiers such as driver’s licence numbers that are assigned by state and territory agencies and used by organisations. In the ALRC’s view, the adoption, use and disclosure of these identifiers by organisations raises the same privacy concerns as those associated with other identifiers.

30.100 The ALRC notes that the ‘Identifiers’ principle does not regulate the situation where an identifier is merely sighted by an organisation, rather than collected for inclusion in a record and then used or disclosed by that organisation. The ALRC does not suggest that the practice of an organisation sighting an identifier contained on, for example, a driver’s licence should be regulated. Further, the ALRC notes earlier in this chapter that the ‘Identifiers’ principle is directed towards identification (determining who an individual is), rather than verification or authentication (verifying that an individual is who or what he or she claims to be). In many situations, an organisation will need only to sight the driver’s licence of an individual to verify that he or she is permitted to, for example, purchase alcohol because he or she is at least 18 years of age—the organisation will not need to identify that individual.

30.101 Finally, the ALRC notes that the recommended change would not result in the regulation of acts and practices of state and territory agencies but rather the use by organisations of identifiers allocated by state and territory agencies.

Recommendation 30-5 The ‘Identifiers’ principle should regulate the adoption, use and disclosure by organisations of identifiers that are assigned by state and territory agencies.

Regulation of identifiers assigned by organisations

30.102 NPP 7 does not regulate the adoption, use and disclosure by organisations of identifiers assigned by other organisations. It does define, however, an identifier as including ‘a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations’.[134]

30.103 In its submission to DP 72, the AGD suggested that the ALRC’s ‘focus on government-issued identifiers … overlooks the significant and increasing role of private sector identifiers, such as account and membership numbers’.[135] Amendment of the ‘Identifiers’ principle to regulate the adoption, use or disclosure by organisations of identifiers issued by other organisations was not raised by other stakeholders.

ALRC’s view

30.104 The ALRC heard no concrete example of harm resulting from the use and disclosure of identifiers assigned by organisations. It is unlikely that an organisation’s use or disclosure of an identifier assigned by another organisation, such as a bank account number, will lead to a de facto national identification scheme. The ALRC notes, however, that such use or disclosure may facilitate data-matching activities undertaken by organisations. In Chapter 10, the ALRC recommends that the OPC should issue guidance on data-matching that relates to organisations.[136]

[89] See, eg, Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Smartnet, Submission PR 457, 11 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[90] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[91] Smartnet, Submission PR 457, 11 December 2007.

[92] This distinction is discussed further in Ch 9, and informs the wording of the ALRC’s recommendation to amend the definition of ‘sensitive information’ in Ch 6.

[93] Organisation for Economic Co-operation and Development, OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication (2007), 7.

[94] Australian Government Information Management Office, ICT Infrastructure—Authentication (2008) <www.agimo.gov.au/infrastructure/authentication> at 31 March 2008.

[95] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–26. The impact of data-matching on privacy is discussed in Chs 9 and 10.

[96] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; CSIRO, Submission PR 176, 6 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[97] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[98] CSIRO, Submission PR 176, 6 February 2007.

[99] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [27.50]. The Cyberspace Law and Policy Centre agreed with this view in its submission to DP 72: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[100] Rec 10–4.

[101] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 270.

[102] Ibid, 272.

[103] The Cyberspace Law and Policy Centre supported the ALRC’s preliminary view in DP 72: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[104] Privacy Act 1988 (Cth), IPP 1.1(b), NPP 1.1.

[105] Rec 21–5.

[106] Privacy Act 1988 (Cth), ss 13 and 13A.

[107] The powers of the OPC to deal with interferences with privacy are discussed in Part F.

[108] See Personal Information Protection Act 2004 (Tas) sch 1, PIPP 7.1 (applicable to public and private sector organisations); Information Act 2002 (NT) sch, IPP 7.1 (applicable to public sector organisations); Information Privacy Act 2000 (Vic) sch 1, IPP 7.1.

[109] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 27–1.

[110] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. Another stakeholder submitted that it had no objections to such regulation: National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[111] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[112] Medicare Australia, Submission PR 534, 21 December 2007. See also Confidential, Submission PR 570, 13 February 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.

[113] GE Money Australia, Submission PR 537, 21 December 2007. See also Telstra Corporation Limited, Submission PR 459, 11 December 2007; AXA, Submission PR 442, 10 December 2007.

[114] P Youngman, Submission PR 394, 7 December 2007.

[115] Rec 30–6.

[116] See, eg, Information Privacy Act 2000 (Vic) sch 1, IPPs 7.2(b), 7.3(c); Personal Information Protection Act 2004 (Tas) sch 1, PIPP 7(2)(b); Information Act 2002 (NT) sch, IPPs 7.2(b), 7.3(b).

[117] Consent is discussed further in Ch 19.

[118] See also Privacy Act 1988 (Cth) sch 3, NPP 7.2(b).

[119] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[120] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The OPC provided the example of the widespread use and disclosure in Canada of the Canadian Social Insurance Number.

[121] Ibid.

[122] Note that the ALRC has not recommended that the ‘Identifiers’ principle apply to agencies.

[123] The ALRC’s approach to regulation is discussed in Chs 4 and 18.

[124] Centrelink (2008) <www.centrelink.gov.au> at 21 April 2008.

[125] See, eg, Privacy (Private Sector) Regulations 2001 (Cth) reg 9.

[126] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Office of the Privacy Commissioner, National Principles for the Fair Handling of Personal Information (1999); Office of the Privacy Commissioner, Submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs, Inquiry into the Privacy Amendment (Private Sector) Bill 2000, May 2000.

[127] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007. Identity theft is discussed in Ch 12.

[128] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 27–4.

[129] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Confidential, Submission PR 535, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007. Another stakeholder did not disagree: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[130] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007 and Confidential, Submission PR 535, 21 December 2007.

[131] Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[132] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[133] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[134] Privacy Act 1988 (Cth), NPP 7.

[135] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[136] Rec 10–4.