Chapter 9: Privacy Safeguard 9 — Adoption or disclosure of government related identifiers by accredited data recipients

24 February 2020

Download the print version

Version 1.0

Key points

  • Privacy Safeguard 9 sets out a prohibition on accredited data recipients adopting, using or disclosing government related identifiers unless required or authorised:

    • under another Australian law, or
    • as prescribed by regulations made under the Privacy Act 1988 (Privacy Act).
  • A government related identifier is a number, letter or symbol, or a combination of any or all of those things, that has been assigned by certain government entities and is used to identify the individual or to verify the identity of the individual.

  • An individual cannot consent to the adoption, use or disclosure of their government related identifier.

What does Privacy Safeguard 9 say?

9.1 Privacy Safeguard 9 prohibits an accredited data recipient that has collected consumer data right (CDR) data which includes a government related identifier of a consumer for the CDR data, from:

  • adopting the government related identifier as its own identifier of the consumer, or otherwise using the government related identifier, or
  • disclosing CDR data which includes the government related identifier
  • unless authorised or required by or under:
    • an Australian law other than the consumer data rules (CDR Rules), or
    • Australian Privacy Principle (APP) 9.3, which allows an entity to adopt, use or disclose a government related identifier of an individual as prescribed by regulations made under the Privacy Act.

9.2 Privacy Safeguard 9 only concerns government related identifiers of individuals.

9.3 In this Chapter, a government related identifier of a CDR consumer included with the CDR consumer’s CDR data is referred to as a ‘CDR consumer government related identifier’.

Why is it important?

9.4 The objective of Privacy Safeguard 9 is to restrict use of government related identifiers so that they do not become universal identifiers, which could jeopardise privacy by enabling CDR data from different sources to be matched and linked in ways that a consumer may not agree with or expect.

Who does Privacy Safeguard 9 apply to?

9.5 Privacy Safeguard 9 applies to accredited data recipients. It does not apply to data holders or designated gateways. However, data holders and designated gateways must ensure that they are adhering to their obligations under the Privacy Act and APP 9 in relation to government related identifiers of individuals.

How Privacy Safeguard 9 interacts with the Privacy Act

9.6 It is important to understand how Privacy Safeguard 9 interacts with the Privacy Act and the APPs.[1]

9.7 APP 9 prohibits an APP entity from adopting, using or disclosing a government related identifier unless an exception applies.

CDR entityPrivacy protections that apply in the CDR context

Accredited person / accredited data recipient

Privacy Principle 9

Privacy Safeguard 9 applies instead of APP 9 to the handling of government related identifiers contained within CDR data collected by an accredited data recipient under the CDR regime.[2]

APP 9 will continue to apply to the handling of government related identifiers collected by an accredited person or accredited data recipient within data that is not CDR data. [3]

Designated gateway

APP 9

Privacy Safeguard 9 does not apply to a designated gateway.

Data holder

APP 9

Privacy Safeguard 9 does not apply to a data holder.

9.8 ‘Government related identifier’ has the meaning given to it in the Privacy Act.[4]

9.9 Privacy Safeguard 9 only concerns government related identifiers of individuals.

9.10 This safeguard only applies to consumers who are individuals. For example, the Australian Business Number (ABN) of a body corporate would not be subject to Privacy Safeguard 9. (Note that the ABN of an individual is not an ‘identifier’ under s 6(1) of the Privacy Act). An identifier of an individual who is a sole trader or who runs a small business will be captured by Privacy Safeguard 9.

‘Identifiers’

9.11 An ‘identifier’ of an individual is defined in subsection 6(1) of the Privacy Act as a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.

9.12 The following are explicitly excluded from the definition of identifier:

  • an individual’s name
  • an individual’s ABN, and
  • anything else prescribed by the regulations made under the Privacy Act.[5] This provides flexibility to exclude any specified type of identifier from the definition, and therefore the operation of both Privacy Safeguard 9 and APP 9, as required.

9.13 A ‘government related identifier’ of an individual is defined in subsection 6(1) of the Privacy Act as an identifier that has been assigned by:

  • an agency[6]
  • a State or Territory authority[7]
  • an agent of an agency, or a State or Territory authority, acting in its capacity as agent, or
  • a contracted service provider for a Commonwealth contract,[8] or a State contract,[9] acting in its capacity as contracted service provider for that contract.

9.14 The following are examples of government related identifiers:

  • Medicare numbers
  • Centrelink reference numbers[10]
  • driver licence numbers issued by State and Territory authorities, and
  • Australian passport numbers.

9.15 Some government related identifiers are also regulated by other laws that restrict the way entities can collect, use or disclose the particular identifier and related personal information. Examples include tax file numbers and individual healthcare identifiers.[11] These other laws apply in addition to Privacy Safeguard 9, i.e. a breach of the Privacy (Tax File Number) Rule 2015 may be both an interference with the privacy of an individual under the Privacy Act and as a breach of Privacy Safeguard 9, as well as a potential offence under the Taxation Administration Act 1953.

9.16 An accredited data recipient must not adopt a CDR consumer government related identifier as its own identifier of the consumer, or otherwise use a government related identifier, unless an exception applies.[12] In addition, an accredited data recipient must not include the government related identifier when it discloses CDR data unless an exception applies.

‘Adopt’

9.17 The term ‘adopt’ is not defined in the Competition and Consumer Act and so it is appropriate to refer to its ordinary meaning.

9.18 An accredited data recipient ‘adopts’ a CDR consumer government related identifier if it collects CDR data that includes a government related identifier of the consumer and organises the CDR data that it holds about that consumer with reference to that identifier.

Example

Stephanie, an accountant and accredited person, receives a consumer’s driver licence number when it is disclosed to Stephanie in response to a consumer data request. Stephanie then uses the identifier to refer to that consumer in her own identification system.

As Stephanie has adopted a CDR consumer government related identifier, she may be in breach of Privacy Safeguard 9.

‘Use’

9.19 The term ‘use’ is discussed in Chapter B (Key concepts).

9.20 Generally, an entity uses CDR data when it handles and manages that information within its effective control. Examples include:

  • the entity accessing and reading the CDR data
  • the entity searching records for the CDR data
  • the entity making a decision based on the CDR data, and
  • the entity passing the CDR data from one part of the entity to another.

‘Disclose’

9.21 The term ‘disclose’ is discussed in Chapter B (Key concepts).

9.22 An accredited data recipient or designated gateway ‘discloses’ CDR data when it makes it accessible or visible to others outside the entity.[13]

Exceptions

Required or authorised by or under an Australian law or court/tribunal order

9.23 An accredited data recipient may use a CDR consumer government related identifier, adopt it as its own identifier or include it when disclosing CDR data if this is required or authorised by or under an Australian law or a court/tribunal order.[14]

9.24 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).

9.25 The Australian law or court/tribunal order should specify:

  • a particular government related identifier
  • the entities or classes of entities permitted to adopt, use or disclose it, and
  • the particular circumstances in which they may adopt, use or disclose it.

Prescribed by regulations

9.26 An accredited data recipient may use a CDR consumer government related identifier, adopt it as its own identifier of the consumer, or include it when disclosing CDR data if:

  • the identifier is prescribed by regulations
  • the entity is an organisation, or belongs to a class of organisations, prescribed by regulations, and
  • the adoption or use occurs in the circumstances prescribed by the regulations.[15]

9.27 Regulations may be made under the Privacy Act to prescribe these matters.[16]

Interaction with other privacy safeguards

Privacy Safeguards 3 and 4

9.28 Privacy Safeguard 9 does not specifically address the collection of government related identifiers. However, if an accredited person collects a government related identifier that is considered to be CDR data, they must comply with other privacy safeguards, including Privacy Safeguard 3 and Privacy Safeguard 4. These privacy safeguards are discussed in Chapters 3 and 4 respectively.

Footnotes

[1] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies.

[2] Section 56EC(4)(d) of the Competition and Consumer Act.

[3] All accredited persons are subject to the Privacy Act and the APPs in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.

[4] Sections 56EL(1)(b) and 56EL(2)(b) of the Competition and Consumer Act.

[5] See the Federal Register of Legislation https://www.legislation.gov.au for up-to-date versions of the regulations made under the Privacy Act.

[6] ‘Agency’ is defined in s 6(1) of the Privacy Act.

[7] ‘State or Territory authority” is defined in s 6C(3) of the Privacy Act.

[8] ‘Commonwealth contract’ is defined in s 6(1) of the Privacy Act to mean a contract, to which the Commonwealth or an agency is or was a party, under which services are to be, or were to be, provided to an agency.

[9] ‘State contract’ is defined in s 6(1) of the Privacy Act to mean a contract, to which a State or Territory or State or Territory authority is or was a party, under which services are to be, or were to be, provided to a State or Territory authority.

[10] Note that under regulations 17 and 18 of the Privacy Regulation 2013, certain prescribed organisations are permitted to use or disclose certain identifiers (including Centrelink reference numbers) in specific circumstances.

[11] For more information about the legislative regimes, visit the OAIC’s Tax File Numbers page and Healthcare Identifiers page https://www.oaic.gov.au.

[12] Section 56EL(1) of the Competition and Consumer Act. Note: The principal difference between Privacy Safeguard 9 and APP 9 is that the exceptions to the prohibition on using or disclosing government related identifiers in Privacy Safeguard 9 are much narrower than in APP 9. Only the exceptions under APP 9.1 for adopting, and APP 9.2(c) and (f) for using or disclosing, a government related identifier are carried across to Privacy Safeguard 9:

  • The common exceptions between Privacy Safeguard 9 and APP 9 are where the adoption, use or disclosure of the government related identifier is authorised or required by an Australian law or court/tribunal order, or where regulations under APP 9.3 prescribe the adoption, use or disclosure.
  • The exceptions in APP 9.2 for using or disclosing government related identifiers for verification purposes, fulfilling obligations to agencies or State or Territory authorities, for ‘permitted general situations’ or for enforcement related activities of enforcement bodies do not apply to Privacy Safeguard 9.

[13] Information will be ‘disclosed’ under the CDR regime regardless of whether an entity retains effective control over the data. This is different to the situation under the Privacy Act, where in some limited circumstances the provision of information from an entity to a contractor to provide services on behalf of the entity may be a use, rather than a disclosure. See paragraph B.144 in Chapter B: Key concepts of the APP Guidelines.

[14] Section 56EL(1)(c) of the Competition and Consumer Act.

[15] Section 56EL(1)(d) of the Competition and Consumer Act and APP 9.3.

[16] See the Federal Register of Legislation https://www.legislation.gov.au for up-to-date versions of regulations made under the Privacy Act.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au