Data-matching involves bringing together data from different sources and comparing it.
The Privacy Act 1998 (Privacy Act) defines personal information as ‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’. What constitutes personal information will vary, depending on what can reasonably be ascertained in a particular circumstance. This may include information used in, or created by, data-matching processes.
Agencies that carry out data-matching must comply with the Privacy Act. If the data‑matching involves the use of tax file numbers, the agency must also comply with the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) or other relevant laws.
Agencies usually match data so that they can identify people for further investigation or action. For example, records from different agencies or businesses are compared, and this identifies people who are being paid benefits to which they may not be entitled, or people who may not be paying the right amount of tax. This can be a risk to personal privacy because it can involve analysing information about large numbers of people without prior cause for suspicion, and may result in the generation of new personal information. Agencies that are considering taking action against an individual based on the results of data‑matching must inform the individual of these results and give them time to respond.
Data-matching under the Data-matching Act
The Data-matching Act and the Guidelines for the Conduct of Data-Matching Program (statutory data-matching guidelines) regulate how the Australian Taxation Office (ATO) and assistance agencies, including the Department of Human Services (DHS) and Department of Veteran’s Affairs, use tax file numbers to compare personal information so they can detect incorrect payments. The Office of the Australian Information Commissioner (OAIC) oversees compliance withthe guidelines.
The Data-matching Act and the statutory data-matching guidelines require that statutory data-matching be conducted in accordance with written protocols and technical standards. For example, DHS has published a data-matching protocol that explains how they match personal information under the Data-matching Act.
A breach of the Data-matching Act or Guidelines constitutes an interference with privacy under s 13 of the Privacy Act. You can complain to the OAIC if you think a breach might have happened.
More information can also be found on the Tax File Numbers page.
Data-matching under the voluntary data-matching guidelines
Agencies also conduct data-matching that does not involve the use of tax file numbers. This can include matching their own data with data obtained from other Australian Government agencies, or from state government agencies or private sector businesses. For this kind of data-matching, the OAIC has issued Guidelines on Data Matching in Australian Government Administration (voluntary data-matching guidelines). The voluntary data-matching guidelines are not mandatory but have been adopted voluntarily by a number of agencies.
Agencies can request an exemption from complying with some parts of the guidelines, if the agency believes that is in the public interest. To ask for an exemption, the agency has to give the OAIC:
- advice about the proposed program
- details of the exemption they want
- details of why they think the exemption would be in the public interest.