1. This chapter explores the regulatory regime surrounding the use of unique multi-purpose identifiers. The Office accepts that sometimes the use of unique identifiers is essential; for example, in order to correctly identify individuals for the purposes of providing health care. However, the Office notes that, when unique identifiers are used for multiple purposes and across different agencies and organisations, risk of privacy invasion is increased. This is because, if used in the wrong way, unique multi-purpose identifiers can enable greater data-matching, sharing and linking and create conditions conducive to function creep.
2. The Office believes that the Privacy Act should continue to play an important role in ensuring that unique multi-purpose identifiers are handled in ways that do not unreasonably intrude on the privacy of individuals. Subject to a few suggested amendments (made below) the Office believes that provisions in the Privacy Act dealing with unique multi-purpose identifiers remain appropriate.
3. The underlying policy intent for affording privacy protections to Tax File Numbers is to ensure that such numbers do not become de facto unique identifiers for use by all government agencies and the private sector. The Office submits that this remains relevant and appropriate, particularly given the increased ability of information technology to link records of information across disparate sources.
4. The Office believes that it is important for individuals to be able to exercise a right to complain to the Privacy Commissioner as they may under the TFN Guidelines made pursuant to s 17 of the Privacy Act and seek a remedy where their privacy has been breached. As explained in the explanatory memorandum to the Privacy Bill 1988, the object of the Guidelines is to 'protect the right to privacy of individuals in relation to their tax file numbers'.
5. At the same time, the capacity to prosecute an offender for a breach under ss 8WA and 8WB of the Taxation Administration Act 1953 emphasises the importance of handling TFNs for restricted purposes and provides a strong deterrent against abuse.
6. Affording both criminal and regulatory measures creates an effective dual layered privacy framework.
7. The Office acknowledges that the TFN Guidelines may benefit from review. Such a review would provide an opportunity to consult with stakeholders on matters where the Guidelines may be able to be improved. It would also be consistent with established good regulatory practice, which holds that regulatory instruments be reviewed at intervals of no more than 10 years.597
8. In addition to the TFN,598 there are a number of identifiers that may be used for multiple purposes, though in many cases they may be intended to be used for single or limited purposes. A number of these are described below.
9. The Medicare card number provides a widely held example, though it should be noted that this number is not legitimately unique, as families may be on one card, and an individual can be on more than one card. For example, the Australian National Audit Office (ANAO) has reported that '...Over 800 000 consumers were legitimately associated with more than one Medicare card-such as a child who is listed on both parents' different Medicare cards.'599 In addition, the Office notes that the Medicare cards may not be entirely robust and are open to counterfeit.600
10. Drivers' licences hold unique identifiers in the form of licence numbers. Such identifiers are not universal throughout the community, as the Office understands that around 10% of eligible individuals do not hold a driver's licence.
11. Passport numbers offer a further example of identifiers that are generally unique to the relevant individual, and the Office understands that they are held by around 40% of the population. The Office notes the restrictions that apply to passports in regard to how they may be handled, including that it is an offence to have 'possession or control' of an Australian travel document that the person knows was not issued to them.601
12. In addition, there are a range of other identifiers issued by Australian Government agencies, though these are limited in application to individuals who are clients of those agencies.
13. In regard to benefits and privacy concerns, the Office would broadly endorse the discussion in IP31 at paragraphs 12.5-12.13.
14. Unique identifiers may be essential in many specific contexts to reliably identifying the individual to which they relate. This may be important in ensuring that individuals receive the correct entitlement or other form of privilege, or equally that they do not receive benefits to which they have no claim.
15. In some contexts, the ability to correctly identify an individual, and to establish accurate links to their personal information, may be of great importance. A clear example of this is apparent in the health system, where a unique health identifier (UHI) for individuals may have much potential to ensure that individuals receive the correct treatment or medicine. The costs in terms of death and injury to individuals due to poor information flows in the health system are relatively well acknowledged. A UHI may address such issues by providing a mechanism that accurately and reliably ensures that individuals are linked to important health information about them.
16. The Office notes the work being undertaken by the National E-Health Transition Authority (NEHTA) in developing standards for UHIs.602 From a privacy perspective, the challenge for such an initiative is to ensure that such a highly reliable identifier is not usurped for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined.
17. The Office would highlight the potential role of unique multiple-purpose identifiers being employed to facilitate extensive data-linking and matching between multiple agencies and organisations. In most cases, data-matching or linking is extremely labour intensive, time consuming and costly. It requires specialist skills to undertake large-scale data-matching of disparate data sets not designed to be interlinked. Issuing each individual a unique identifier or number common across the range of systems is often the easiest way to facilitate the linking of two databases.
18. However, enabling such easy and accurate data-linking creates the privacy risk that linking will be done excessively and without justification. Such linkages may combine personal information that has been collected for very different purposes and create rich datasets about individuals' interactions in society.
19. Accordingly, a significant privacy risk emerges if all the databases use the same number to identify each individual. A similar privacy risk arises simply if databases keep a record of the unique identifier of other databases (such as with client-master indexes).
20. Ensuring that each agency attributes a separate identifier for each individual will prevent a drift to one number per person systems, and adds another layer of 'practical obscurity' by acting as a natural (but not insurmountable) barrier to function creep and inappropriate data-linkage and aggregation.
21. The potential of unique identifiers to be subject to function creep is amply demonstrated by the example of the Canadian Social Insurance Number since its introduction:
The expanded use of the SIN inside government soon paved the way to broader use of the Social Insurance Number in the private sector. Before long, credit bureaus began to use the SIN to run credit checks on potential borrowers. Provincial social programs began using the SIN in the administration of benefits. Employers large and small used it as part of their tracking and accounting system for employee benefits.
Mistakenly, the private sector began to look upon the SIN as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system.
Apart from inappropriate use of the number, its uncontrolled use leaves Canadians vulnerable to serious breaches of their personal privacy that range from data-matching carried out without their knowledge and authorization, to identity theft.603
22. To protect against privacy risk associated with unique numbers, it is necessary to ensure that different data sets use different identifiers and that data custodians do not routinely have access to a shared identifier for individuals. This idea is now reflected in legislation, for example, in NPP 7 in the Privacy Act, as well as the restrictions that apply to the handling of the Tax File Number.
23. In addition, the Office offers the comments below on community attitudes to data-sharing facilitated by unique multi-purpose identifiers.
24. As described in IP31, research conducted by the Office in 2004 found that a small majority of respondents indicated that they favoured, in principle, a unique identifier for all Commonwealth Government Departments and services.604 Specifically, 53% of respondents were in favour, with 41% opposed.
25. This same research revealed community attitudes concerning the purposes for which government departments should be able to cross-reference information; 62% thought it was acceptable for some purposes, 25% for no purposes, with 9% responding for any purpose. Of those respondents who answered "some purposes", 68% believed that an appropriate purpose would include to prevent crime, 58% to update basic information, while 51% thought that data-sharing was appropriate to improve efficiency.
26. In addition to its own quantitative research, the Office is aware of a number of pieces of relevant qualitative research conducted overseas. Such research affords the opportunity to 'tease out' community attitudes to potentially complex and nuanced concepts, such as datasharing and unique numbers.
27. Qualitative community attitude research conducted in Canada on the issue of government agency data-sharing noted:
...concern that this kind of information sharing would open a door that would not be easily closed... Others in the group quickly picked up on the theme, saying that they feared a future where there might be a less benevolent government that could use the information to control them, rather than serve them.605
28. Further, this Canadian research reports on the consumer sample as posing a range of questions/assertions that highlight the importance placed on gaining community trust:
29. Research produced by the UK Cabinet Office,606 'Strategies for reassurance: public concerns about privacy and data sharing in government' presents rich focus group data and makes a number of observations about community views concerning the risks and benefits of government data-sharing.
30. In précis, it says of the perceived benefits, that:
31. In regard to the perceived risks of data-sharing, the research found:
'The range of risks perceived by the focus groups is, when aggregated, impressive and thoughtful. For people who had in almost every case not really thought much, if at all, about data sharing across government, to have produced such a list in just two hours each, and with rather little prompting, and then to have had intelligent things to say about just which risks are more and which less serious, deserves the reader's respect. ... Moreover, by far the more frequent unprompted factors and the stronger affect were exhibited in respect of risks than were in respect of benefits....'607
32. Recent international comparative research conducted by Accenture608 found significant differences in the degrees of comfort individuals had with government departments sharing data depending on what the data was. While there is some comfort around the sharing of information such as name and date of birth, this diminishes considerably when the data being shared is medical records, or information related to social security, social insurance or national tax numbers.
33. What this body of research suggests is that the community has quite complex views in regard to whether and for what purposes government agencies should be able to share data, and that at least a significant number have concerns about such practices. Accordingly, the Office submits that the regulation of unique identifiers remains an important function of the Privacy Act.
34. As suggested in response to question 12-2 above, the Privacy Act should continue to play an important role in ensuring that unique multi-purpose identifiers are handled in ways that do not unreasonably intrude on the privacy of individuals. The Office believes that the purpose of NPP 7, as articulated in the explanatory memorandum, remains important, this being 'to prevent the gradual adoption of government identity numbers as de facto universal identity numbers'609.
35. The Office has made a number of recommendations in response to questions 4-26, 4-27 and 4-28 regarding unique identifiers. These include the need to clarify that identifiers may include biometric templates unique to individuals. This is consistent with the explanatory memoranda to the Privacy Bill 1988, which noted (at paragraph 361) in regard to the definition of identifier that it need not be 'limited to letters and numbers'.
36. The Office also notes the potential for the proposed health and social services access card to establish a widely held unique identifier. The Office welcomes the commitment from the Government to establish legislation that affords privacy protections to the access card. In recommendations made to the Office of Access Card, the Office suggested that additional legislation be introduced that affords specific secrecy provisions to personal information handled as part of the access card system. At the time of writing, the Human Services (Enhanced Service Delivery) Bill 2007 has been introduced to Parliament, and is subject to an inquiry by the Senate Financial and Public Administration Committee.
37. The Office submits that the policy objective of NPP 7, that is, to limit the use of government identifiers within the private sector, remains relevant to an identifier issued in association with the access card. As discussed in response to question 4-27, and stated in the Office's Private Sector Review, the Office is opposed to individuals being able to consent to the collection and use of unique identifiers, including an individual's access card number.
38. The Office notes that, in its May 2000 submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs inquiry into the Privacy Amendment (Private Sector) Bill 2000, the question of the scope of NPP 7 was raised. In particular, the Office stated that:
'The current wording of Principle 7 contains a significant change from the National Principles reissued by the former Privacy Commissioner in 1999. The NPPs now only place limits on use and disclosure of identifiers issued by federal agencies rather than by all governments.
The reason for the broader limitation in the National Principles was to limit how private sector organisations could use government identifiers. It was not intended that it would impose on the rights of State or Territory governments. The limitation in the current draft of Principle 7 would curtail the protection offered by the draft of the principle in the National Principles.'610
39. The Office submits that this inquiry could usefully explore the merits of extending the definition of 'identifier' to include all identifiers issued by governments in all jurisdictions. As noted above, such regulation need not purport to regulate how states and territories may handle their own identifiers, but may apply restrictions to how private sector organisations can collect, use and disclose.
40. The Office has noted, for example, an increasing volume of enquiries regarding organisations collecting drivers' licences, including the unique licence numbers. For example, concerns have been expressed regarding such identifiers being requested and copies retained in a diverse range of circumstances, including:
41. In another example, an individual noted that an internet service provider purported to require a driver's licence as identity when the individual closed their account, though not when it was opened. Frequently, individuals' concerns appear to relate to their identifiers being retained, rather than merely sighted. Such collection by organisations provides a mechanism under which distinct interactions could be linked to establish an image of the individuals' behaviour.
42. Additionally, regulation regarding how organisations handle all identifiers may be an appropriate response to emerging challenges posed by the risks of identity theft and fraud.
43. As was noted in recent media:
'Federal authorities have warned Australians to think twice before handing over their drivers' licence for copying amid identity theft fears.
Identity theft is one of the fastest-growing crime types in the world, and consumers should not allow businesses to copy their licence without good reason, the Australian Federal Police (AFP) say.'611
597 Council of Australian Governments (COAG) Principles and Guidelines for National Standard Setting and Regulatory Action by Ministerial Councils and Standard-Setting Bodies 2004 available at http://www.pc.gov.au/orr/reports/external/coag/coag.pdf
598 In its report 47/2004-05, the ANAO notes that:
The TFN was originally intended to be a high integrity, unique identifier, enabling improved controls over the Australian Taxation Office's (ATO) income matching system.
The TFN system was designed to improve compliance in taxation and government payments systems, and improve service and administrative efficiency, whilst maintaining privacy. The TFN system has been significantly and progressively extended since its inception, both for taxation and broader whole-of-government purposes. For example, Centrelink is authorised to use TFNs to verify client identity and establish income levels, and a TFN is required for the Higher Education Contribution Scheme.
599 ANAO Audit Report No. 24 Integrity of Medicare Enrolment Data, 2004/05, paragraph 12, p 13.
600 See, for example, E Limprecht 'Govt sells smartcard on the back of Medicare cards poor security' Australian Doctor 6 July 2005, available at http://www.australiandoctor.com.au/news/87/0c031687.asp.
601 See, generally, the offence provisions contained in s 32 of the Australian Passports Act 2005 concerning 'Improper use or possession of an Australian travel document'.
602 See http://www.nehta.gov.au/.
603 Standing Committee on Human Resources Development and the Status of Persons with Disabilities, Beyond the numbers: the future of the social insurance number system in Canada May 1999 available at http://www.parl.gc.ca/InfoComDoc/36/1/HRPD/Studies/Reports/hrpdrp04/09-part1-e.htm
604 Community Attitudes Research 2004 p 41 available at http://www.privacy.gov.au/publications/rcommunity04.pdf.
605 See, Crossing Boundaries National Council Privacy in the Information Age: Government Services and You, 2006 available at http://www.crossingboundaries.ca/files/kta_final_report_050805.pdf.
606 Perri 6. Strategies for reassurance: public concerns about privacy and data sharing in government, Performance and Innovation Unit, Cabinet Office, London 2002.
607 Strategies for reassurance: public concerns about privacy and data sharing in government pp.41-42
608 Accenture Leadership in customer service: new expectations, new experiences, 2005 available at http://www.accenture.com/xdoc/ca/locations/canada/insights/studies/leadership_cust.pdf
609 See Revised Explanatory Memorandum for the Privacy Amendment (Private Sector) Bill 2000, p 154.
610 Office of the Privacy Commissioner, submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs Inquiry into the Privacy Amendment (Private Sector) Bill 2000, 2000 p 17, available at http://www.privacy.gov.au/publications/hor.pdf.
611 'AFP issues ID theft warning' Sydney Morning Herald 29 December 2006.