Publication date: 22 July 2019

Version 1.1

Download the print version [162KB]

Key points

  • APP 9 restricts the adoption, use and disclosure of government related identifiers by organisations. APP 9 may also apply to some agencies in the circumstances set out in s 7A.
  • An identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
  • A government related identifier is an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract.
  • Where an identifier, including a government related identifier, is personal information, it must be handled in accordance with the APPs.
  • An organisation must not adopt a government related identifier of an individual as its own identifier of the individual, unless an exception applies.
  • An organisation must not use or disclose a government related identifier of an individual, unless an exception applies.

What does APP 9 say?

9.1 An organisation must not adopt, use or disclose a government related identifier unless an exception applies. APP 9 may apply to an agency in the circumstances set out in s 7A (see paragraphs 9.10–9.11 below).

9.2 The objective of APP 9 is to restrict general use of government related identifiers by organisations so that they do not become universal identifiers. That could jeopardise privacy by enabling personal information from different sources to be matched and linked in ways that an individual may not agree with or expect.

9.3 An individual cannot consent to the adoption, use or disclosure of their government related identifier.

9.4 APP 9 restricts how an organisation is permitted to handle government related identifiers, irrespective of whether a particular identifier is the personal information of an individual. An identifier will be personal information if the individual is identifiable or reasonably identifiable from the identifier, including from other information held by, or available to, the entity that holds the identifier. If it is personal information, the identifier must be handled by the entity in accordance with other APPs. ‘Personal information’ is discussed in more detail in Chapter B (Key concepts), including examples of when an individual may be ‘reasonably identifiable’.

‘Identifiers’

9.5 An ‘identifier’ of an individual is defined in s 6(1) as a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.

9.6 The following are explicitly excluded from the definition of identifier:

  • an individual’s name
  • an individual’s Australian Business Number (ABN)
  • anything else prescribed by the regulations made under the Privacy Act.[1] This provides flexibility to exclude any specified type of identifier from the definition, and therefore the operation of APP 9, as required.

9.7 A ‘government related identifier’ of an individual is defined in s 6(1) as an identifier that has been assigned by:

  • an agency
  • a State or Territory authority
  • an agent of an agency, or a State or Territory authority, acting in its capacity as agent, or
  • a contracted service provider for a Commonwealth contract, or a State contract, acting in its capacity as contracted service provider for that contract.

9.8 The following are given as examples of government related identifiers:

  • Medicare numbers
  • Centrelink Reference numbers
  • driver licence numbers issued by State and Territory authorities
  • Australian passport numbers.

9.9 Some government related identifiers are regulated by other laws that restrict the way that entities can collect, use or disclose the particular identifier and related personal information. Examples include tax file numbers and individual healthcare identifiers.[2]

When are agencies covered by APP 9?

9.10 An agency must comply with the adoption, use and disclosure requirements of APP 9 when dealing with government related identifiers in the circumstances set out in s 7A.

9.11 These circumstances include where:

  • the agency is listed in Part I of Schedule 2 to the Freedom of Information Act 1982 (the FOI Act) and is prescribed in regulations,[3] or
  • the act or practice relates to the commercial activity of an agency that is specified in Part II of Schedule 2 to the FOI Act.[4]

9.12 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless an exception applies (APP 9.1).

‘Adoption’

9.13 The term ‘adopt’ is not defined in the Privacy Act and so it is appropriate to refer to its ordinary meaning. An organisation adopts a government related identifier if it collects a particular government related identifier of an individual and organises the personal information that it holds about that individual with reference to that identifier.

9.14 The following are examples of when an organisation will be considered to have adopted a government related identifier of an individual:

  • a health service provider uses an individual’s Medicare number as the basis for the provider’s own identification system
  • an accountant uses an individual’s tax file number as the basis of the accountant’s own identification system.

9.15 Adoption is to be distinguished from merely collecting, using or disclosing a government related identifier. APP 9 does not specifically address the collection of government related identifiers. However, as noted in paragraph 9.4, if an organisation collects a government related identifier that is considered to be personal information, the organisation must comply with other APPs, including APP 3 (collection of solicited personal information) and APP 4 (dealing with unsolicited personal information). These APPs are discussed in Chapters 3 and 4 respectively.

9.16 APP 3 provides that an organisation must only collect personal information that is reasonably necessary for one or more of the organisation’s functions or activities. If an organisation collects an identifier that it cannot lawfully use or disclose under APP 9.2 (see paragraphs 9.22–9.46), then the collection is not reasonably necessary for one of the organisation’s functions or activities. This means that the collection would not be permitted under APP 3.2.

9.17 An organisation may adopt a government related identifier of an individual as its own identifier of the individual if the adoption is required or authorised by or under an Australian law or a court/tribunal order (APP 9.1(a)). The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).

9.18 The Australian law or court/tribunal order should specify a particular government related identifier, the organisations or classes of organisations permitted to adopt it, and the particular circumstances in which they may do so.

9.19 For example, healthcare providers are authorised by law to adopt the individual healthcare identifiers of their patients as their own identifier.[5] That is, they may organise the personal information of their patients by reference to the patients’ individual healthcare identifiers.

9.20 An organisation may adopt a government related identifier of an individual as its own identifier of the individual if:

  • the identifier is prescribed by regulations
  • the organisation, or a class of organisations that includes the organisation, is prescribed by regulations, and
  • the adoption occurs in the circumstances prescribed by the regulations (APP 9.1(b)).

9.21 Regulations may be made under the Privacy Act to prescribe these matters.[6]

9.22 An organisation must not use or disclose a government related identifier of an individual, unless an exception applies (APP 9.2). The terms ‘use’ and ‘disclosure’ are discussed in Chapter B (Key concepts).

9.23 The circumstances in which an organisation may use or disclose government related identifiers under APP 9.2 are narrower in scope than the circumstances in which an organisation may use or disclose other personal information under APP 6. APP 6 does not apply to the disclosure of government related identifiers (APP 6.7(b)) (see Chapter 6 (APP 6)).

9.24 An organisation may use or disclose the government related identifier of an individual if the use or disclosure is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions (APP 9.2(a)).

9.25 This exception allows an organisation to use a government related identifier both to establish the identity of an individual and to verify that an individual is who or what they claim to be, for example, to verify their name or age.

9.26 Government related identifiers are usually contained in high-integrity documents, and are therefore likely to be highly reliable for verifying an individual’s identity. An example is that driver licences and passports are used in some circumstances to verify the identity of individuals.

9.27 The use and disclosure of the government related identifier to verify the identity of the individual must be reasonably necessary for the purposes of the organisation’s functions or activities. Whether the use or disclosure is ‘reasonably necessary’ is an objective test. This is discussed in more detail in Chapter B (Key concepts). The functions and activities of the organisation are limited to those in which it may lawfully engage. See Chapter 3 (APP 3) for a discussion of identifying the functions and activities of an organisation.

9.28 There are a number of factors that an organisation should consider in deciding whether the use or disclosure is reasonably necessary to verify the identity of an individual. For example, it may not be reasonably necessary where:

  • the organisation can carry out the function or activity without verifying the individual’s identity
  • there are other practicable means of verifying the individual’s identity available to the organisation. For example, an organisation may be able to verify an individual’s identity by using or disclosing other types of personal information, rather than the government related identifier (noting that the use and disclosure of other personal information must comply with the relevant APPs).

9.29 An organisation may use or disclose a government related identifier of an individual if the use or disclosure is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority (APP 9.2(b)).

9.30 This exception is most likely to be relevant to a contracted service provider, and will allow them to use or disclose a government related identifier if this is reasonably necessary to perform a Commonwealth or State or Territory contract.[7] Whether the use or disclosure is ‘reasonably necessary’ is an objective test. This is discussed in more detail in Chapter B (Key concepts).

9.31 An organisation may use or disclose a government related identifier of an individual if the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order (APP 9.2(c)).

9.32 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).

9.33 The Australian law or court/tribunal order should specify a particular government related identifier, the organisations or classes of organisations permitted to use or disclose it, and the particular circumstances in which they may do so.

9.34 For example, the Healthcare Identifiers Act 2010 permits the use or disclosure of healthcare identifiers for limited purposes by healthcare providers and other entities specified in that Act.

9.35 An organisation may use or disclose a government related identifier of an individual if a ‘permitted general situation’ (other than the situations referred to in Items 3, 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier (APP 9.2(d)).

9.36 Section 16A lists two permitted general situations that apply to the use or disclosure of government related identifiers. The two situations are set out below, and are discussed in Chapter C (Permitted general situations) (including the meaning of relevant terms).

Lessening or preventing a serious threat to life, health or safety

9.37 An organisation may use or disclose a government related identifier of an individual if:

  • the organisation reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
  • it is unreasonable or impracticable to obtain consent (s 16A(1), Item 1).

Taking appropriate action in relation to suspected unlawful activity or serious misconduct

9.38 An organisation may use or disclose a government related identifier of an individual if:

  • the organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in, and
  • the organisation reasonably believes that the use or disclosure is necessary in order for the organisation to take appropriate action in relation to the matter (s 16A(1), Item 2).

9.39For example, this permitted general situation might apply where the organisation uses or discloses a government related identifier, such as a customer’s Centrelink number, as part of an investigation into suspected fraud by a client in relation to the organisation’s functions or activities.

9.40 An organisation may use or disclose a government related identifier of an individual if the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 9.2(e)).

9.41 An organisation that collects or holds a government related identifier will be able to rely on this exception to cooperate with relevant enforcement bodies in certain circumstances.

9.42 ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission,[8] the Integrity Commissioner,[9] the Immigration Department,[10] Australian Prudential Regulation Authority, Australian Securities and Investments Commission and AUSTRAC.

9.43 ‘Enforcement related activities’ is defined in s 6(1) and discussed in Chapter B (Key concepts). ‘Reasonably believes’, ‘reasonably necessary’ and ‘enforcement body’ are also discussed in Chapter B (Key concepts). For further discussion of a similar exception in APP 6.2(e), see Chapter 6.

9.44 For example, this exception might apply where the Australian Federal Police are investigating fraud committed by an individual against the organisation. The organisation may reasonably believe that disclosure of a copy of a driver licence to the AFP is reasonably necessary for the AFP’s investigation, where the AFP needed to obtain information provided by that individual to the organisation.

9.45 An organisation may use or disclose a government related identifier of an individual if:

  • the identifier is prescribed by regulations
  • the organisation, or a class of organisations that includes the organisation, is prescribed by regulations, and
  • the adoption occurs in the circumstances prescribed by the regulations (APP 9.2(f)).

9.46 Regulations may be made under the Privacy Act to prescribe these matters.[11]

Footnotes

[1] See the Federal Register of Legislation <https://www.legislation.gov.au> for up-to-date versions of the regulations made under the Privacy Act.

[2] For more information about the legislative regimes, visit the OAIC’s Tax File Numbers page and Healthcare Identifiers page <https://www.oaic.gov.au>.

[3] See the Federal Register of Legislation <https://www.legislation.gov.au> for up to date versions of the regulations made under the Freedom of Information Act 1982.

[4] See s 7A and OAIC, FOI Guidelines, Part 2, OAIC website <https://www.oaic.gov.au>.

[5] See the Healthcare Identifiers Act 2010, s 25. ‘Healthcare provider’ is defined in s 5 of the Healthcare Identifiers Act 2010 <https://www.legislation.gov.au>.

[6] See the Federal Register of Legislation <https://www.legislation.gov.au> for up-to-date versions of regulations made under the Privacy Act.

[7] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 84.

[8] In July 2016, the former Australian Crime Commission and CrimTrac were merged to form the Australian Criminal Intelligence Commission.

[9] ‘Integrity Commissioner’ is defined in s 6(1) as having the same meaning as in the Law Enforcement Integrity Commissioner Act 2006.

[10] ‘Immigration Department’ is defined in s 6(1) as the Department administered by the Minister administering the Migration Act 1958. This is now the Department of Home Affairs.

[11] See the Federal Register of Legislation <https://www.legislation.gov.au> for up-to-date versions of regulations made under the Privacy Act.