10. UPP 10: Identifiers
Updates and background for this project (Digest)
INTRODUCTION
10.1 “Identity” means “the condition of being oneself… and not another”.1 Identifiers are the means by which we verify a person’s identity so that he or she may be identified or recognised as being a particular person.
10.2 There are many different types of identifiers depending on the particular context in which identification is required. In a social context, physical appearance and mannerisms, and knowledge of private information are some common identifiers. In business dealings, passports, birth certificates, bank cards and Medicare cards are used as identifiers unique to a particular person. Most forms of identification used for business purposes have a number allocated to the person as a unique identifier.
10.3 The main reason for allocating a unique number as an identifier is to protect privacy and reduce the possibility of criminal behaviour. This is dependent, however, on the number or code and the information it holds remaining confidential and not being widely known or accessed by the world at large. It is for this reason that the use and disclosure of identifiers should be regulated.
Current legislative regulation of identifiers
Federal legislation
10.4 Federally, the Privacy Act regulates the adoption, use and disclosure of unique identifiers by organisations through NPP 7. The Principles that regulate the activities of Australian government agencies do not contain a principle dealing explicitly with identifiers. Thus, the use of identifiers by government agencies is not regulated.
10.5 Apart from the privacy concerns that arise from the use and disclosure of unique identifiers, the use of multi-purpose identifiers (which are unique identifiers assigned to individuals for use by multiple agencies and organisations) also give rise to many privacy concerns. Their use has the potential to extend the government’s power over, and access to, a wide range of an individual’s personal information including information pertaining to financial, health and family status. The failed Australia Card and Medicare Card schemes are examples of what may have been national identification schemes. In DP 72, the ALRC expressed the view that the access card number under the now abandoned access card scheme, may have fallen within the definition of “identifier” in the proposed Unified Privacy Principle regulating identifiers, as it was intended to regulate unique multi-purpose identifiers that were not otherwise regulated by specific legislative regimes.2 In Report 108, the ALRC recommended that, before the introduction by any agencies of any unique multi-purpose identifiers, the Australian Government, in consultation with the Privacy Commissioner, should consider the need for a privacy impact assessment.3
10.6 The Tax File Number (“TFN”) Scheme4 is also relevant in this context, although not directly regulated by the Privacy Act. The handling of TFNs is regulated under various federal Acts.5 However, the ALRC has noted that s 17 of the Privacy Act enables the Privacy Commissioner to issue legally binding guidelines concerning the collection, storage, use and security of “tax file number information”.6 A breach of the Data-matching Program (Assistance and Tax) Act 1990 (Cth) or its guidelines constitutes an interference with privacy under s 13 of the Privacy Act.
NSW legislation
10.7 In NSW, HRIPA, which protects the privacy of an individual’s health information in both the public and private sectors, does include an identifier principle in HPP 12. However, PPIPA, which regulates the handling of personal information (excluding health information) by NSW agencies, does not contain a provision regulating the use of identifiers. The consequence is that, in NSW, individuals whose personal information comes within the ambit of PPIPA do not have the benefit of a provision regulating identifiers. This lack of regulation exposes an individual to the danger of a third party having access to information about the individual connected with a unique identifier for unauthorised purposes. The Commission, in CP 3, was of the view that “this is an omission that needs to be rectified”.7
Focus of this chapter
10.8 The Commission proposed in CP 3 that NSW legislation should only apply to the handling of personal information by agencies.8 However, the identifier principle as set out in UPP 10 applies only to organisations. While it is arguable that there is little justification limiting regulation of identifiers to organisations when the rationale is just as capable of application to agencies, we agree with the ALRC’s reasoning for limiting overall application to organisations, while permitting a case-by-case approach to agencies.9 Given that NSW privacy legislation may only be applicable to agencies, and NSW organisations can be covered under Commonwealth legislation, it may not be strictly necessary to include an identifier principle within the reformed NSW privacy legislation. However, given the goal of achieving national uniformity, it is unlikely that including an identifier principle that mirrors the federal principle will be detrimental to NSW.
10.9 The aim of this chapter, therefore, is to evaluate the ALRC’s UPP 10 to ascertain whether it adequately, regulates the inherent threats to privacy and the possibility for the misuse of identifiers and whether the draft principle can be mirrored in NSW with or without modification.
ALRC REPORT 108
10.10 Before evaluating UPP 10 and its relationship to the identifier principle in HRIPA, it is useful to consider two preliminary issues. They are the ALRC’s rationale for:
- a separate identifier principle; and
- excluding government agencies from the ambit of the identifier principle.
Rationale for a separate identifier principle
10.11 While the use and disclosure of information contained in identifiers is, and must continue to be, regulated, a threshold issue to be determined is whether there must be a separate identifier principle or whether regulation can be accommodated within other privacy principles that deal with collection, use and disclosure of personal information.
10.12 In determining this issue, it is useful to revert to the policy rationale for the introduction of the principle in the first place. According to the ALRC, the policy bases for the identifier principle are twofold:
First, NPP 7 was introduced to ensure that the increasing use of Australian Government identifiers does not lead to a de-facto system of universal identity numbers. Secondly, the regulation of identifiers reflects concern about the facilitation of data matching by identifiers.
10.13 The ALRC raised this issue in its Issues Paper 31 (“IP 31”)10 and received a few submissions in response. While two stakeholders were of the view that a separate principle was not required,11 most others supported a separate principle.
10.14 One reason for arguing against a separate privacy principle regulating identifiers is on the basis that the collection, use and disclosure of identifiers can be accommodated within other privacy principles. For example, the proscription in NPP 7.1 against an organisation adopting as its own identifier an identifier that has been assigned by an agency, can be accommodated within the privacy principle regulating the use of personal information. Similarly, some of the exceptional circumstances when use or disclosure of an identifier is allowed are already contained in NPP 2.
10.15 On the other hand, the submissions supporting retention argued that a separate principle provides “a clear principle prohibiting the development of a universal or approaching universal identifier”,12 “performs a useful task in limiting the use of identifiers for data matching and data linkage”,13 and overall “serves an important function in protecting information privacy”.14
10.16 A separate privacy principle can also deal with issues specific to the principle, such as the definition of an identifier and specific exceptions to the principle. Given that there was no suggestion that accommodating the identifier principle within other privacy principles would provide a more effective way of regulating identifiers, the ALRC, in DP 72, proposed that the UPPs should contain a separate principle that regulates identifiers.15 Again, the submissions received in response to the DP were supportive of the ALRC’s proposal to have a separate privacy principle regulating identifiers. Arguing against accommodating the identifier principle within other principles such as collection, use and disclosure, one submission stated that it “would be unnecessarily complex, and would fail to give adequate recognition to the serious privacy risks associated with the misuse of identifiers”.16
10.17 Having reviewed the submissions it received, and given that the majority of the submissions to IP 31 and DP 72 did support a separate principle regulating identifiers, and in the absence of a sound argument to the contrary, the ALRC recommended that the model Unified Privacy Principles should contain a separate principle regulating identifiers.17
Rationale for excluding government agencies
10.18 The ALRC also considered the issue of whether the “identifiers” principle should be extended to apply to agencies. In DP 72, having considered the submissions made to IP 31,18 the ALRC proposed that the identifier principle should apply to both agencies and organisations on the basis that the policy objectives underlying the regulation of the use of identifiers in organisations equally apply to agencies.19 However, while some submissions were supportive of such extended coverage, other submissions to DP 72 expressed a contrary view and nearly all agencies were concerned about its operation.20
10.19 The main justification for extending applicability to agencies is to ensure that it applies equally to agencies and organisations, subject to appropriate exceptions. One option is to limit assignment in the first place, following the precedent in HRIPA, whereby an agency may only assign identifiers if the assignment is reasonably necessary to enable the agency to carry out any of its functions efficiently. Further, the exceptions available to organisations regarding use and disclosure could also be made available to agencies.
10.20 On balance, however, in its final report, the ALRC’s preference was to exclude agencies from coverage except on a case-by-case basis. It concluded that “applying the identifier principle to agencies could seriously impede activities for a public benefit, including: programs designed to reduce fraud and identity theft, service delivery and research”.21 The ALRC suggested that, rather than adopting an identifier principle that would be “subject to several agency specific restrictions”, it would be preferable “to regulate the assignment, collection, adoption, use and disclosure of identifiers by agencies on a case by case basis by means of separate legislation or guidelines”.22 UPP 10 is therefore applicable to organisations only but can be extended to agencies on a case-by-case basis.
The proposed identifier principle
10.21 Having reviewed NPP 7 in the light of the submissions received, the ALRC recommended that the UPPs should contain a principle called ‘Identifiers’ that applies to organisations.23 The proposed identifier principle, UPP 10 provides as follows:
UPP 10. Identifiers (only applicable to organisations)
10.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a) an agency;
(b) an agent of an agency acting in its capacity as agent;
(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract; or
(d) an Australian state or territory agency.
10.2 Where an identifier has been ‘assigned’ within the meaning of UPP 10.1 an organisation must not use or disclose the identifier unless:
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency that assigned the identifier;
(b) one or more of UPP 5.1(c) to (f) apply to the use or disclosure; or
(c) the identifier is genetic information and the use or disclosure would be permitted by the new Privacy (Health Information) Regulations.
10.3 UPP 10.1 and 10.2 do not apply to the adoption, use or disclosure by a prescribed organisation of a prescribed identifier in prescribed circumstances, set out in regulations made after the Minister is satisfied that the adoption, use or disclosure is for the benefit of the individual concerned.
10.4 The term ‘identifier’, for the purposes of UPP 10, includes a number, symbol or biometric information that is collected for the purpose of automated biometric identification or verification that:
(a) uniquely identifies or verifies the identity of an individual for the purpose of an agency’s operations; or
(b) is determined to be an identifier by the Privacy Commissioner.
However, an individual’s name or ABN, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an ‘identifier’.
Note: A determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of section 5 of the Legislative Instruments Act 2003 (Cth).
Ambit and distinguishing features of UPP 10
10.22 In addition to considering the need for an identifier principle and its application to agencies, the ALRC also reviewed the current NPP 7 and considered the appropriateness of the definition of an identifier, the content of the principle, the issue of multi-purpose identifiers and the regulation of tax file numbers. The UPP was drafted so as to improve NPP 7 where necessary, based on issues raised and submissions received, and to this extent can be distinguished from NPP 7. It can also be distinguished from HPP 12. The distinguishing features are dealt with below.
Definition of “Identifier”
10.23 HRIPA’s definition of an identifier is that it is usually, but not necessarily, a number, but never an individual’s name.24 NPP 7, on the other hand, does not describe what an identifier is; rather, it provides that it “includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations”. Given its inclusive nature, it could cover a wide range of other identifiers with the specific exception of an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth)).
10.24 In DP 72, the ALRC considered a range of issues regarding the definition of an identifier, including whether the definition should include identifiers that are not technically unique, those that contain biometric information and whether an individual’s name and ABN should continue to be excluded.
Should identifiers be unique?
10.25 The current definitions of identifiers in NPP 7 and in HRIPA25 require that identifiers be unique: “to identify uniquely the individual”. However, submissions to IP 31 pointed out that some identifiers, such as Medicare numbers, are not in fact unique.26 For instance, a child may be listed on both parents’ separate Medicare cards.
10.26 There is also the additional problem of matching a biometric sample with a stored template. The ALRC used the example of a collected sample, such as a facial image, being affected by lighting conditions, camera distance and lens precision, and therefore distorting the accuracy of the match.27
10.27 The ALRC’s suggested response in DP 72 was that the Privacy Commissioner be empowered to make a determination that, even where an identifier as defined does not of itself uniquely identify an individual, it would still be considered an “identifier” for the purposes of the principle. Various submissions took issue with this suggestion but the ALRC maintained that a determination-making power of the kind proposed in DP 72 would allow the Privacy Commissioner to determine that identifiers that are not actually unique would still be considered identifiers for the purposes of the identifier principle.28 Thus, UPP 10 continues to require that identifiers be unique with the possibility of being determined as an identifier by the Privacy Commissioner.
Should biometric information be specifically included?
10.28 Biometric information has been described as information that relates to the physiological or behavioural characteristics of a person29 and can be used as an identifier, such as agencies’ use of an Australian ePassport for identification purposes. Given the risks associated with handling such information, the ALRC recommended that the definition of sensitive information be amended to include biometric information collected for certain purposes.30
10.29 Neither the definition of an identifier in NPP 7 nor in HRIPA make specific reference to biometric information, although, being inclusive definitions, they are probably framed in broad enough terms to cover non-numerical information such as biometric information. However, having reviewed the submissions, the ALRC was of the view that the definition of an identifier should reflect the concerns about biometric information. Accordingly, it was proposed in DP 72 that the definition should include “a number, symbol or any other particular”.31 While many submissions supported this proposal, there was also a view that the definition of an identifier should go further and make an “overt reference” to biometric information.32
10.30 Having weighed up the submissions, including those that expressed concerns about broadening the definition,33 the ALRC recommended that UPP 10 should specifically refer to biometric information within the definition. Given that specific inclusion of biometric information merely makes it explicit, the criticisms levelled against such inclusion would appear to be irrelevant. While the definition is still inclusive, making wider coverage of other non-numerical information possible, it is noteworthy that the definition in UPP 10 no longer has the broad catch-all category of “any other particular” as was previously proposed in DP 72. However, the Privacy Commissioner’s power of determination under UPP 10.4(b), which allows the Privacy Commissioner to further broaden the scope of the definition, can be used in this regard. While biometric characteristics are generally considered to be unique to an individual, there are factors that may adversely affect this assumed uniqueness.34 However, as noted above, the determination-making power is likely to cover such circumstances.
10.31 Another clarification that UPP 10 makes is that identifiers assigned by an agency to “verify” identity will also be covered under the definition of an identifier,35 a matter of particular relevance in the context of biometric identifiers that are often used for identity verification.
10.32 It has been suggested, and the Commission agrees, that there is no justification for limiting the definition to collection of biometric information for the purpose of “automated biometric identification or verification …” rather than any identification or verification that uses the identifier.36 We believe that including any “other particular” in the definition as proposed in DP 72 and removing the limitation of collection to “automated biometric” identification would provide a broader definition.37 However, the Commission is satisfied that any potential difficulties arising out of a restrictive definition may be alleviated by the Privacy Commissioner’s power of determination under UPP 10.4(b), referred to above. As such, in the interests of uniformity, the Commission supports the ALRC wording of the current definition as proposed in UPP 10.4.
Name and ABN number
10.33 As was the case with NPP 7, UPP 10 continues to exclude the individual’s name and ABN from the definition of “identifier”. While there appears no doubt that an individual’s name should be excluded since it is not information that is “assigned” to the individual, there may be some doubt about excluding an ABN number. Again, the Cyberspace Law and Policy Centre was firmly of the view that they saw no justification for excluding an ABN from this principle, particularly since “its legitimate use is accommodated by the Principle in the same way as for [TFNs]”.38
10.34 In this regard, the ALRC was also of the view that the “exclusion of an ABN from the definition of ‘identifier’ may be a problem if there is a tendency among organisations or agencies to use the ABN of a sole trader to identify an individual acting in a non business capacity”. However, given that this issue was not raised in submissions, UPP 10 excludes the name and ABN from the definition.
Content of UPP 10
10.35 The identifier principle is set out in UPP 10.1 and states that an organisation must not adopt as its own identifier, an identifier that has been assigned by an agency, an agent of an agency, a contracted service provider for a Commonwealth contract or an Australian State or Territory agency.
10.36 UPP 10.2 states that, where an identifier has been so assigned, an organisation must not use or disclose the identifier unless the use or disclosure is necessary to fulfil its obligations to the agency, the exceptions listed in UPP 5.1(c)-(f) also apply, or the identifier is genetic information, the use or disclosure of which is allowed by the Privacy (Health Information) Regulations.
Exceptions
10.37 The exceptions to the prohibition on using and disclosing identifiers listed in UPP 10.2 and 10.3 are virtually identical to those listed in NPP 7.1A and 7.2. However, UPP 10.2(b) is subject to the exception in UPP 5.1(c)(i), which covers circumstances involving a serious threat to an individual’s life, health or safety, whereas NPP 7.2 is subject to NPP 2.1(e)(i), which covers circumstances involving a serious and imminent threat.39 Also, NPP 7 and UPP 10 appear to differ in relation to genetic information but the effect of each is the same. NPP 2.1(ea) allows use or disclosure of genetic information, without consent, where it has been obtained in the course of providing a health service to an individual, and the use or disclosure is to prevent or lessen a serious threat to the life, health or safety of a genetic relative of the individual, it is disclosed to that genetic relative, and it is done in accordance with guidelines. By contrast, UPP 10.2(c) simply allows use or disclosure of an identifier that is genetic information where this is permitted by the new Privacy (Health Information) Regulations, envisaged to include provisions similar to NPP 2.1(ea).40
Circumstances of assignment and adoption
10.38 By contrast, UPP 10 and HPP 12 do vary in the circumstances in which assignment and adoption are permitted. Assignment is the process by which an agency selects a particular identifier to apply to an individual. HPP 12(1) provides that an organisation may only assign identifiers to individuals if the assignment is reasonably necessary to enable the organisation to carry out any of its functions efficiently.41 While this condition has been discussed above in the context of its potential to extend the identifier principle to agencies, while still imposing an inbuilt limitation,42 it is omitted in UPP 10. UPP 10 is solely focused on ensuring “single use“ of identifiers by providing that an organisation must not adopt as its own an identifier that has been assigned by another agency.
10.39 The benefit of regulating the assignment of identifiers is that it would encourage good privacy practice as organisations would consider the necessity of assigning an identifier. The ALRC in DP 72 raised the issue of whether the assignment of identifiers should also be regulated by the identifier principle. The majority of submissions opposed regulating assignment on the basis that it would create unnecessary complexity, given that agencies and organisations frequently assign identifiers solely for internal use.43 However, as pointed out by the ALRC, assignment could become an issue of concern where the identifier might be adopted, used or disclosed by another agency.44
10.40 Another related issue is that UPP 10 does not regulate the adoption, use and disclosure by organisations of identifiers assigned by other organisations. Although no evidence was presented on the harm that could result from the use and disclosure of identifiers assigned by organisations, the ALRC did note that such use or disclosure may facilitate data matching activities undertaken by organisations.
10.41 The ALRC’s view is that the greater risks are associated with adoption rather than assignment, and that agencies and organisations frequently assign identifiers for internal use. Though not regulated, the ALRC agrees with the Office of the Federal Privacy Commissioner (“OPC”) that agencies should consider the necessity for assignment of an identifier, particularly when that identifier may be adopted, used or disclosed by another agency.45 This is consistent with HPP 12 in relation to assignment by agencies and private sector persons.
Consent
10.42 Consent to use and disclose identifiers is another notable area of variance. HPP 12(2) allows a private sector person to adopt as their own identifier one that has been assigned by an agency where the individual consents. Similarly, HPP 12(3) allows a private sector person to use or disclose an identifier assigned by an agency where the individual consents. Some States and Territories also provide for a consent exception.46 However, neither NPP 7 nor UPP 10 provide for consent of an individual as an exception to the use, disclosure or adoption of identifiers.
10.43 In considering whether consent ought to be an exception, some organisations, such as Centrelink, submitted to the ALRC that this restriction (of not having consent) applicable to the identifier principle “impedes the operation of a number of its existing services, which provide information to organisations about the concessional status of the individual with the consent of the individual concerned”.47 Arguably, allowing individuals to consent would allow organisations greater efficiency in the delivery of services.
10.44 On the other hand, the OPC was of the view that allowing use and disclosure where it has been consented to can lead to problems because “individuals may not always be conscious of the inherent risks of consenting to incrementally greater uses of their unique identifier”.48 The ALRC agreed with the OPC that the privacy risks associated with an individual being able to consent to the use or disclosure or adoption of an identifier would give rise to privacy risks. Further, the ALRC was of the view that a general consent exception would significantly reduce the protection afforded by the identifier principle.49
10.45 In CP 3, the Commission raised the issue of whether the privacy principle regulating the use and disclosure of identifiers should be in the same terms as HPP 12 or the proposed UPP 10 or a combination of the two.50 Commenting on this issue, the Australian Privacy Foundation and the Cyberspace Law & Policy Centre observed that HPP 12 has too many exceptions that undermine its effect.51 The Inner City Legal Centre was of the view that UPP 10 gives greater protection around identifiers by ensuring single use and restricting disclosure.52
10.46 Rather than provide for a general consent exception, UPP 10.3 makes provision for exceptional circumstances to be accommodated by way of regulations similar to existing regulations that allow an individual to consent to the disclosure of his or her Centrelink Customer Reference Number.53
10.47 The disadvantage of allowing exceptions via regulations is that the process of making regulations is resource intensive.54 However, provided procedural safeguards are included, exceptions introduced via regulations should ensure that the consent given does not give rise to avoidable privacy concerns that an individual giving consent may not necessarily fully appreciate.
10.48 There is, however, an exception allowing consent to the general prohibition against an organisation collecting sensitive information about an individual. The definition of sensitive information includes biometric information. Thus, while a person may consent to an organisation collecting biometric information about him or her, an individual cannot consent to enable an organisation to use or disclose biometric information as an identifier. Although the Attorney-General’s Department viewed this as an anomaly and a cause for arguing against including biometric information within the definition of an identifier,55 the ALRC did not appear to be swayed by this concern. In the Commission’s view, there is a distinct difference in the privacy risks associated with consenting to the collection of biometric information and consenting to the use and disclosure of the same as an identifier, the risks in the latter case being much greater.
Practical application of UPP 10
10.49 While identifiers are critical in the process of identification, the practical application of UPP 10 is determined by what falls within and outside that process. If the process does not use an identifier or is not meant for identification purposes, then UPP 10 will not apply.
Verification through sighting
10.50 Identity verification is the process of confirming through documentary or other evidence that a person is who they claim to be and this is usually done by sighting an identifier. Thus, a person purchasing cigarettes or alcohol may be required to show a document to prove his or her age. Such a practice is not intended to be regulated by the identifier principle by preventing an organisation from use or disclosure for the purpose of verifying an individual’s identity. Such use or disclosure will not permit secondary use for the purposes of data matching.56 If the identifier principle did inhibit verification, it was suggested that the Privacy Commissioner develop guidance to address the issue.57
Data matching
10.51 Data matching has been described as “the large scale comparison of records or files … collected or held for different purposes, with a view to identifying matters of interest”.58
10.52 Data matching is currently regulated by the Privacy Commissioner’s monitoring and research functions, the Data–matching Program (Assistance and Tax) Act 1990 (Cth) and the Data-matching Program (Assistance and Tax) Guidelines and other Guidelines, as well as NPP 2 and Principle 11, which regulate the disclosure of information by an agency or organisation for the purposes of data matching.
10.53 The identifier principle itself also provides some regulation of data matching in that an organisation is prohibited from adopting an identifier unless it is for a specified purpose. However, data matching is not always done by means of identifiers. It is possible that data sets may be linked by the use of names or dates of birth59 that do not fall within the definition of an identifier.
10.54 Although there was concern about the inadequate regulation of data matching, the ALRC is of the view that data matching is not inherently linked to identifiers and should not be regulated by the identifier principle. Rather, the ALRC recommended that data matching activities should be regulated separately to the identifier principle through guidelines on the privacy implications of data matching to be developed and published by the OPC.60
Application to State and Territory agencies
10.55 NPP 7.1 does not apply to identifiers issued by State and Territory agencies; it is limited in application to preventing organisations from adopting an identifier that has been assigned by “an Australian Government agency, an agent of that agency or a contracted service provider of an Australian Government agency”.
10.56 This limitation means that identifiers such as driver’s licences issued by State and Territory agencies will not fall within the current definition. The ALRC in Report 108, noted that stakeholders were generally supportive of extending coverage to State and Territory agencies. Accordingly, UPP 10 extends coverage to regulate the adoption, use and disclosure by organisations of identifiers assigned by State and Territory agencies. However, such extension is only intended to cover the situation where an identifier is collected for inclusion in a record, rather than merely for sighting or verification purposes.
Multi-purpose identifiers
10.57 Multi-purpose identifiers are unique identifiers assigned to individuals for use by multiple agencies and organisations. Such use has the important benefit of increasing administrative efficiency. However, it also gives rise to many privacy concerns by extending the government’s power over, and access to, an individual’s personal information including information pertaining to financial, health and family status. Such use also greatly facilitates the data matching process when the available information is combined, further eroding an individual’s privacy.61
10.58 The ALRC considered the issue of multi-purpose identifiers against the background of the history of identification schemes, particularly in the context of the proposed access card, which would have replaced many health care and social services cards. It concluded that ‘multi-purpose identifiers pose significant privacy risks”. 62
10.59 Many submissions were supportive of the ALRC’s proposal in DP 72 that the Australian Government should, in consultation with the Privacy Commissioner, consider the need for a privacy impact assessment before introducing a multi-purpose identifier. Some stakeholders supported mandatory impact statements in view of the significant privacy risks involved with the use of multi-purpose identifiers.63 Others have raised the issue of the potential for impact statements to be not completely impartial, and have suggested that an independent and public privacy assessment should be commissioned by the government before introducing a multi-purpose identifier. The ALRC has recommended that the Australian Government should conduct a privacy impact statement before the introduction of any multi-purpose identifier.64
THE COMMISSION’S VIEW
10.60 Overall, the Commission supports the inclusion of a separate privacy principle to regulate identifiers. As to the ALRC’s decision to exclude agencies from general coverage, while we believe the rationale for regulating identifiers is just as capable of application to agencies as to organisations, we agree with the ALRC’s justification that it could seriously impede activities for a public benefit. For this reason, we support the exclusion of agencies and agree with extension on a case by case basis either in separate sectoral legislation or by means of guidance provided by the Privacy Commissioner.
10.61 In terms of the content and application of UPP 10, the Commission supports all other recommendations that have shaped UPP 10 as it currently stands, with the exception of the exclusion of ABNs from the definition of identifiers. The Commission can see no reason why ABNs should be treated any differently from TFNs and recommends that the exclusion be removed.
RECOMMENDATION 12
UPP 10.4 should be amended so as to remove the exclusion of ABNs from the definition of identifiers.
FOOTNOTES
1. Macquarie Dictionary, 1981, at 879 (definition 3 of 9).
2. Australian Law Reform Commission, Review of Australian Privacy Law Discussion Paper 72 (2007) (“ALRC DP 72”) [27.109]-[27.110].
3. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) Recommendation 27-5.
4. It was primarily designed to reduce tax evasion and makes provision for the Commissioner of Taxation to provide a TFN to any person, if satisfied of their identity. The TFN is quoted when the applicant commences employment, engages in investment activities or accesses federal income support and is used by Centrelink to match records between the Australian Taxation Office and specified assistance agencies.
5. For example, Part VA of the Income Tax Assessment Act 1936 (Cth), the Taxation Administration Act 1953 (Cth), the Data-matching Program (Assistance and Tax) Act 1990 (Cth) and Guidelines under the Act regulate data matching using TFNs.
6 ALRC Report 108 vol 2 [30.136].
7. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper 3 (2008) (“NSWLRC CP 3”) [6.68].
8. NSWLRC CP 3 Proposal 3.
9. See para 10.20.
10. Australian Law Reform Commission, Review of Privacy Issues Paper 31 (2006) (“ALRC IP 31”) Question 4-26.
11. Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007, cited in ALRC DP 72 [27.15].
12. Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007, cited in ALRC DP 72 [27.13].
13. Office of the Information Commissioner (Northern Territory) Submission PR 103, 15 January 2007, cited in ALRC DP 72, [27.13].
14. Office of the Privacy Commissioner, Submission PR 215, 28 February 2007, cited in ALRC DP 72 [27.13].
15. ALRC DP 72 Proposal 27-1.
16. Public Interest Advocacy Centre, Submission PR 548, 26 December 2007, cited in ALRC Report 108 [30.16].
17. ALRC Report 108 Recommendation 30-1.
18 ALRC IP 31 Question 4-28.
19. ALRC DP 72 Proposal 27-1.
20. ALRC Report 108 vol 2 [30.26].
21. ALRC Report 108 vol 2 [30.34].
22. ALRC Report 108 vol 2 [30.36] – [30.37].
23. ALRC Report 108 Recommendation 30-1.
24. Health Records and Information Privacy Act 2002 (NSW) s 4.
25. Health Records and Information Privacy Act 2002 (NSW) s 4.
26. ALRC DP 72 vol 2 [27.37].
27. ALRC Report 108 vol 2 [30.42].
28. ALRC Report 108 vol 2 [30.46].
29. ALRC Report 108 vol 2 [30.48], citing Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 4.
30. ALRC Report 108 vol 1 Recommendation 6-4. For “sensitive information” see para 2.88-2.147.
31. ALRC DP 72 Proposal 27-2. A number of stakeholders supported this proposal: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
32. Privacy NSW, Submission PR 468, 14 December 2007.
33. The Attorney-General’s Department, in its submission to the ALRC, made reference to two concerns:
(a) that inclusion in the definition of sensitive information of certain types of biometric information could result in an anomalous situation where collection of such information with consent would be permitted under UPP 2.6 but not used or disclosed as an identifier with consent under UPP 10.4;
(b) biometric identifiers generated when a person enrols in a biometric system are not unique to the agency or organisation and so can be independently generated by a number of agencies making proscription of adoption, use or disclosure of an identifier assigned by one agency unworkable: Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.
34. ALRC Report 108 vol 2 [30.42]-[30.43].
35. ALRC Report 108 vol 2 [30.58] Recommendation 30-3.
36. Cyberspace Law & Policy Centre UNSW, Submission PR 487, 19 December 2007, cited in ALRC Report 108 vol 2 [30.54].
37. Such a definition would read as follows:
The term ‘identifier’ for the purposes of UPP 10, includes a number, symbol, biometric information or other particular that is collected for the purpose of identification or verification that: …. [changes in italics].
38. Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
39. See para 5.27-5.30 for a discussion about the rationale behind this change.
40. ALRC Report 108 Recommendation 63-5.
41. See also Personal Information Protection Act 2004 (Tas) sch 1, PIPP 7.1 (applicable to public and private sector organisations); Information Act 2002 (NT) sch, IPP 7.1 (applicable to public sector organisations); Information Privacy Act 2000 (Vic) sch 1, IPP 7.1.
42. See para 10.19.
43. Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Human Resources, Submission PR 541, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007, cited in ALRC Report 108 vol 2 [30.84].
44. ALRC Report 108 vol 2 [30.86].
45. The concerns of multi-purpose identifiers are addressed at para 10.57.
46. Information Privacy Act 2000 (Vic) sch 1, IPPs 7.2(b), 7.3(c); Personal Information Protection Act 2004 (Tas) sch 1, PIPP 7(2)(b); Information Act 2002 (NT) sch, IPPs 7.2(b), 7.3(b).
47. ALRC Report 108 vol 2 [30.89].
48. Office of the Federal Privacy Commissioner, Submission PR 499, 20 December 2007, cited in ALRC Report 108 vol 2 [30.90].
49. ALRC Report 108 vol 2 [30.92].
50. NSWLRC CP 3 Issue 44.
51. Australian Privacy Foundation, Submission and Cyberspace Law and Policy Centre UNSW, Submission.
52. Inner City Legal Centre, Submission.
53 ALRC Report 108 vol 2 [30.92]-[30.93].
54 ALRC Report 108 vol 2 [30.89].
55. Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007, cited in ALRC Report 108, vol 2 [30.52].
56. ALRC Report 108 vol 2 [30.71].
57. ALRC Report 108 vol 2 [30.72].
58. ALRC DP 72 vol 2 [27.46].
59. Office of Victorian Privacy Commissioner, Submission PR 217, 28 February 2007, cited in ALRC Report 108 vol 2 [30.74].
60. ALRC Report 108 vol 2 [30.76].
61. ALRC DP 72 vol 2 [27.77]-[27.83].
62. ALRC Report 108 vol 2 [30.128].
63. ALRC Report 108 vol 2 [30.126].
64. ALRC Report 108 Recommendation 30-6.
