Chapter 2: Privacy Safeguard 2 — Anonymity and pseudonymity

24 February 2020


Version 1.0

Key points

  • An accredited data recipient must provide a consumer with the option of dealing anonymously or pseudonymously with the entity, unless an exception applies.

  • The data standards allow an accredited data recipient to provide these options when seeking the consumer’s consent to collect and use their consumer data right (CDR) data.

What does Privacy Safeguard 2 say?

2.1 Privacy Safeguard 2 provides that a consumer must have the option of not identifying themselves, or of using a pseudonym, when dealing with an accredited data recipient in relation to the CDR data.

2.2 ‘Anonymity’ and ‘pseudonymity’ are different concepts. Privacy Safeguard 2 requires that both options be made available to consumers dealing with an accredited data recipient unless an exception applies. The exceptions are set out in consumer data rule (CDR Rule) 7.3.

2.3 CDR Rule 7.3 sets out that an accredited data recipient does not need to allow anonymity or pseudonymity where:

  • it is impracticable to deal with a consumer who has not identified themselves or has used a pseudonym in relation to the CDR data, or
  • the accredited data recipient is required or authorised by or under a law, or a court/tribunal order, to deal with an identified consumer in relation to particular CDR data.

Who does Privacy Safeguard 2 apply to?

2.4 Privacy Safeguard 2 applies to accredited data recipients. It does not apply to data holders or designated gateways.

2.5 Data holders and designated gateways must ensure that they are adhering to their obligations under the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs), including APP 2 when dealing with individuals.

How Privacy Safeguard 2 interacts with the Privacy Act

2.6 It is important to understand how Privacy Safeguard 2 interacts with the Privacy Act and the APPs.[1]

2.7 APP 2 requires entities to provide individuals with the option of not identifying themselves or of using a pseudonym.

Privacy protections that apply in the CDR context, by CDR entity:

Accredited person: Australian Privacy Principle 2

  • APP 2 applies to an accredited person when dealing with an individual prior to the collection of the CDR data.[2]
  • Privacy Safeguard 2 will apply from the point of collection of a consumer’s CDR data.

Accredited data recipient: Privacy Safeguard 2

  • Privacy Safeguard 2 applies instead of APP 2 to dealings with consumers upon the collection of each consumer’s CDR data through the CDR regime.
  • APP 2 will continue to apply to any dealings with an individual in relation to matters that do not relate to the CDR data.[3]

Designated gateway: Australian Privacy Principle 2

  • Privacy Safeguard 2 does not apply to a designated gateway.
  • However, a designated gateway may have obligations relating to Privacy Safeguard 2 where an accredited data recipient provides the option of anonymity or pseudonymity to a consumer through a designated gateway for the CDR data.

Data holder: Australian Privacy Principle 2

  • Privacy Safeguard 2 does not apply to a data holder.

Note: Examples of dealings with consumers are set out in paragraphs 2.15 and 2.16 below.

Why anonymity and pseudonymity are important

2.8 Anonymity and pseudonymity are important privacy concepts. They enable consumers to choose the extent to which they are identifiable by the accredited data recipient.

2.9 There can be benefits to anonymity and pseudonymity, as consumers may be more likely to inquire about products and services under the CDR regime if they are able to do so without being identified. It can also reduce the risk of a data breach as less consumer data is collected.

What is the difference between anonymity and pseudonymity?

2.10 Anonymity means that a consumer may deal with an accredited data recipient without providing any personal information or identifiers. The accredited data recipient should not be able to identify the consumer at the time of the dealing or subsequently. An example of an anonymous dealing is where a consumer, in order to enquire generally about a service an accredited data recipient can provide, consents to the transfer of CDR data about their current service with no identifying information, and the accredited data recipient, after receiving that CDR data, continues to deal with the consumer without any identifying information.

2.11 Pseudonymity means that a consumer may use a name, term or descriptor that is different to the consumer’s actual name (e.g. an email address that does not contain the consumer’s actual name). However, unlike anonymity, the use of a pseudonym does not necessarily mean that a consumer cannot be identified. The consumer may choose to divulge their identity, or to provide the CDR data necessary to identify them, such as an address.

Providing anonymous and pseudonymous options

2.12 An accredited data recipient must provide each consumer with the option of using a pseudonym, or not identifying themselves, when dealing with the accredited data recipient in relation to the CDR data.

2.13 The data standards allow for the consumer’s identity to remain unknown to the accredited person throughout the consent and collection process under the CDR regime.

2.14 The data standards provide that:

  • identifying information will not be conveyed to the accredited person unless the consumer agrees, and
  • information provided by the consumer for the purposes of authentication with the data holder will not be seen by the accredited person.

2.15 Examples of ‘dealings’ between an accredited person and a consumer include:

  • asking for the consumer’s consent to collect and use their CDR data
  • providing a consumer with a consumer dashboard, and
  • communicating with the consumer (for example, when providing a CDR receipt to the consumer or ongoing notifications).[4]

2.16 Examples of ‘dealings’ between an accredited data recipient and a consumer include:

  • communicating with the consumer regarding the collection of their CDR data (for example, providing a notice under Privacy Safeguard 5)[5]
  • using the consumer’s CDR data to provide the requested goods or services to the consumer, and
  • the consumer electing that their redundant data be deleted under CDR Rule 4.16.[6]

Note: Generally, in the banking sector, an accredited data recipient may not be able to deal with a consumer on an anonymous or pseudonymous basis. See paragraphs 2.17 to 2.24 following.

Exceptions

Requiring identification — required or authorised by law

2.17 CDR Rule 7.3(a) provides that an accredited data recipient is not required to offer a consumer the option of dealing anonymously or pseudonymously if the recipient ‘is required or authorised by law or by a court/tribunal order to deal with an identified consumer in relation to particular CDR data’.

2.18 The meaning of ‘required or authorised by law or court/tribunal order’ is discussed in Chapter B (Key concepts).

2.19 If an accredited data recipient is ‘required’ by a law or order to deal only with an identified consumer, it will be necessary for the consumer to provide adequate identification.

2.20 If an entity is ‘authorised’ by a law or order to deal with an identified consumer, the entity can require the consumer to identify themselves, but equally will have discretion to allow the consumer to deal with the entity anonymously or pseudonymously. The nature of any discretion, and whether it is appropriate to rely upon it, will depend on the terms of the law or order and the nature of the dealing.[7]

2.21 The following are examples of where a law or order may require or authorise an accredited data recipient to deal only with an identified consumer:

  • discussing or accessing the consumer’s banking details with the consumer, such as account information
  • opening a bank account for a consumer, or providing other financial services where legislation requires the consumer to be identified, or
  • supplying a pre-paid mobile phone to a consumer where legislation requires identification.

Requiring identification — impracticability

2.22 CDR Rule 7.3(b) provides that a consumer may not have the option of dealing anonymously or pseudonymously with an accredited data recipient if it is impracticable to deal with a consumer who has not identified themselves.

2.23 An accredited data recipient that is relying on the impracticability exception should not collect more CDR data than is required to facilitate the dealing with the consumer.

2.24 Examples of where it may be open to an accredited data recipient to rely on the ‘impracticability’ exception include where:

  • providing an anonymous option is impracticable, as the CDR data required to meet a consumer’s request will almost certainly identify or reasonably identify the consumer (for example, bank account or transaction details in the banking sector), or
  • the burden of the inconvenience, time and cost of dealing with an unidentified or pseudonymous consumer, or of changing internal systems or practices to include the option of anonymous or pseudonymous dealings, would be excessive in all the circumstances.

Anonymity and pseudonymity in the banking sector

Generally, an accredited data recipient in the banking sector may not be able to deal with a consumer on an anonymous or pseudonymous basis.[8] This may be for a range of reasons, including because there may be obligations under law to verify the identity of the customer prior to providing goods or services.

Further, consumers should be aware that even where it is possible for a consumer to use a pseudonym, as CDR data in the banking sector is highly granular the consumer may remain identifiable.

Footnotes

[1] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies.

[2] For consumers who are not individuals, APP 2 will not apply to dealings between an accredited person and the consumer. However, in order to be able to give the consumer the option of pseudonymity or of not identifying themselves (as required by Privacy Safeguard 2), an accredited person should ensure the same options given to individuals are provided to non-individuals in respect of dealings prior to the collection of the consumer’s CDR data. This is because Privacy Safeguard 2 will apply to dealings between the consumer and the accredited person in relation to the consumer’s data after it is collected (as the accredited person will be an accredited data recipient for the consumer’s CDR data).

[3] Section 6E(1D) of the Privacy Act.

[4] See Chapter C (Consent).

[5] See Chapter 5 (Privacy Safeguard 5).

[6] See Chapter C (Consent).

[7] For further information, see Chapter B (Key concepts).

[8] Explanatory Memorandum, Treasury Laws Amendment (Consumer Data Right) Bill 2019, paragraph 1.322.
