Key points
- Privacy Safeguard 9[1] sets out a prohibition on accredited data recipients of CDR data from adopting, using or disclosing government related identifiers unless required or authorised:
  - under an Australian law other than the consumer data rules (CDR Rules) or a court/tribunal order, or
  - as prescribed by regulations made under the Privacy Act 1988.
- A government related identifier is a number, letter or symbol, or a combination of any or all of those things, that has been assigned by certain government entities and is used to identify the individual or to verify the identity of the individual.
- Privacy Safeguard 9 only concerns government related identifiers of a consumer who is an individual.
- An individual cannot consent to the adoption, use or disclosure of their government related identifier.
What does Privacy Safeguard 9 say?
9.1 Where CDR data includes a government related identifier, Privacy Safeguard 9 prohibits an accredited data recipient of CDR data from:
- adopting the government related identifier as its own identifier of the consumer, or otherwise using the government related identifier, or
- disclosing CDR data which includes the government related identifier,
unless authorised or required by or under:
- an Australian law other than the CDR Rules, or a court/tribunal order, or
- APP 9.3, which allows an entity to adopt, use or disclose a government related identifier of an individual as prescribed by regulations made under the Privacy Act.
9.2 Privacy Safeguard 9 only concerns government related identifiers of a consumer of the CDR data who is an individual.
9.3 In this Chapter, a government related identifier of a CDR consumer included with the consumer’s CDR data is referred to as a ‘CDR consumer government related identifier’.
Why is it important?
9.4 The objective of Privacy Safeguard 9 is to restrict use of government related identifiers so that they do not become universal identifiers, which could jeopardise privacy by enabling CDR data from different sources to be matched and linked in ways that a consumer may not agree with or expect.
Who does Privacy Safeguard 9 apply to?
9.5 Privacy Safeguard 9 applies to accredited data recipients of CDR data. It does not apply to data holders or designated gateways.
9.6 However, data holders and designated gateways must ensure that they are adhering to their obligations under the Privacy Act and APP 9 in relation to government related identifiers of individuals.
9.7 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 9.[2] However, under the terms of the CDR representative arrangement with their CDR principal,[3] a CDR representative is required to comply with Privacy Safeguard 9 as if it were an accredited data recipient.[4][5] A CDR principal breaches subrule 7.8A(2) of the CDR Rules if its CDR representative fails to comply with Privacy Safeguard 9 in relation to service data as if it were an accredited data recipient of the service data.[6]
How Privacy Safeguard 9 interacts with the Privacy Act
9.8 It is important to understand how Privacy Safeguard 9 interacts with the Privacy Act and the APPs.[7]
9.9 APP 9 prohibits an APP entity from adopting, using or disclosing a government related identifier unless an exception applies.
CDR entity | Privacy protections that apply in the CDR context |
---|---|
Accredited data recipient | Privacy Safeguard 9. For accredited data recipients of a consumer’s CDR data, Privacy Safeguard 9 applies to the handling of government related identifiers contained in that CDR data.[8] APP 9 does not apply in relation to that CDR data, except as applied by paragraphs 56EL(1)(d) and (2)(d) of the Competition and Consumer Act.[9] |
Designated gateway | APP 9. Privacy Safeguard 9 does not apply to a designated gateway. |
Data holder[10] | APP 9. Privacy Safeguard 9 does not apply to a data holder. |
Meaning of government related identifier
9.10 ‘Government related identifier’ has the meaning given to it in the Privacy Act.[11]
9.11 Privacy Safeguard 9 only concerns government related identifiers of consumers of the CDR data who are individuals.
9.12 For example, the Australian Business Number (ABN) of a body corporate would not be subject to Privacy Safeguard 9. (Note that the ABN of an individual is not an ‘identifier’ under subsection 6(1) of the Privacy Act).
9.13 However, government related identifiers of individuals who are sole traders that manage a small business or of partners in a partnership will be captured by Privacy Safeguard 9.
‘Identifiers’
9.14 An ‘identifier’ of an individual is defined in subsection 6(1) of the Privacy Act as a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
9.15 The following are explicitly excluded from the definition of identifier:
- an individual’s name
- an individual’s ABN, and
- anything else prescribed by the regulations made under the Privacy Act.[12] This provides flexibility to exclude any specified type of identifier from the definition, and therefore the operation of both Privacy Safeguard 9 and APP 9, as required.
‘Government related identifier’
9.16 A ‘government related identifier’ of an individual is defined in subsection 6(1) of the Privacy Act as an identifier that has been assigned by:
- an agency[13]
- a State or Territory authority[14]
- an agent of an agency, or a State or Territory authority, acting in its capacity as agent, or
- a contracted service provider for a Commonwealth contract,[15] or a State contract,[16] acting in its capacity as contracted service provider for that contract.
9.17 The following are examples of government related identifiers:
- Medicare numbers
- Centrelink reference numbers[17]
- driver licence numbers issued by State and Territory authorities, and
- Australian passport numbers.
9.18 Some government related identifiers are also regulated by other laws that restrict the way entities can collect, use or disclose the particular identifier and related personal information. Examples include tax file numbers and individual healthcare identifiers.[18] These other laws apply in addition to Privacy Safeguard 9, i.e. a breach of the Privacy (Tax File Number) Rule 2015 may be both an interference with the privacy of an individual under the Privacy Act and a breach of Privacy Safeguard 9, as well as a potential offence under the Taxation Administration Act 1953.
Adopting, using or disclosing a government related identifier
9.19 An accredited data recipient must not adopt a CDR consumer government related identifier as its own identifier of the consumer, or otherwise use a government related identifier, unless an exception applies.[19] In addition, an accredited data recipient must not include the government related identifier when it discloses CDR data unless an exception applies.
‘Adopt’
9.20 The term ‘adopt’ is not defined in the Competition and Consumer Act and so it is appropriate to refer to its ordinary meaning.
9.21 An accredited data recipient ‘adopts’ a CDR consumer government related identifier if it collects CDR data that includes a government related identifier of the consumer and organises the CDR data that it holds about that consumer with reference to that identifier.
Example
Stephanie, an accountant and accredited person, receives a consumer’s driver licence number when it is disclosed to her in response to a consumer data request. Stephanie then uses the identifier to refer to that consumer in her own identification system.
As Stephanie has adopted a CDR consumer government related identifier, she may be in breach of Privacy Safeguard 9.
‘Use’
9.22 The term ‘use’ is discussed in Chapter B (Key concepts).
9.23 Generally, an entity uses CDR data when it handles and manages that information within its effective control. Examples include:
- the entity accessing and reading the CDR data
- the entity searching records for the CDR data
- the entity making a decision based on the CDR data, and
- the entity passing the CDR data from one part of the entity to another.
‘Disclose’
9.24 The term ‘disclose’ is discussed in Chapter B (Key concepts).
9.25 An accredited data recipient ‘discloses’ CDR data when it makes it accessible or visible to others outside the entity.[20]
Exceptions
Required or authorised by or under an Australian law or court/tribunal order
9.26 An accredited data recipient may use a CDR consumer government related identifier, adopt it as its own identifier or include it when disclosing CDR data if this is required or authorised by or under an Australian law or a court/tribunal order.[21]
9.27 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).
9.28 The Australian law or court/tribunal order should specify:
- a particular government related identifier
- the entities or classes of entities permitted to adopt, use or disclose it, and
- the particular circumstances in which they may adopt, use or disclose it.
Prescribed by regulations
9.29 An accredited data recipient may use a CDR consumer government related identifier, adopt it as its own identifier of the consumer, or include it when disclosing CDR data if:
- the identifier is prescribed by regulations
- the entity is an organisation, or belongs to a class of organisations, prescribed by regulations, and
- the adoption or use occurs in the circumstances prescribed by the regulations.[22]
9.30 Regulations may be made under the Privacy Act to prescribe these matters.[23]
Interaction with other privacy safeguards
Privacy Safeguards 3 and 4
9.31 Privacy Safeguard 9 applies to the adoption, use and disclosure of government related identifiers. It does not specifically address the collection of government related identifiers. However, if an accredited person collects a government related identifier that is considered to be CDR data, they must comply with other privacy safeguards, including Privacy Safeguard 3 and Privacy Safeguard 4. These privacy safeguards are discussed in Chapters 3 and 4 respectively.
Footnotes
[1] Competition and Consumer Act, section 56EL.
[2] Note that a CDR representative will also have obligations under APP 9 (adoption, use or disclosure of government related identifiers) if they are an APP entity.
[3] A CDR representative arrangement is a written contract between a CDR representative and their CDR principal that meets the minimum requirements listed in subrule 1.10AA(2) of the CDR Rules.
[4] CDR Rules, paragraph 1.10AA(2)(f).
[5] See Chapter B (Key concepts) for more information on ‘CDR principal’, ‘CDR representative’, ‘CDR representative arrangement’ and ‘service data’.
[6] CDR Rules, subrule 7.8A(2). See also rule 1.16A in relation to a CDR principal’s obligations and liability.
[7] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies.
[8] Privacy Safeguard 9 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:
- CDR data is held by (or on behalf of) the person
- the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
- the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See Competition and Consumer Act, section 56AK.
[9] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data: Competition and Consumer Act, paragraph 56EC(4)(a). However, paragraph 56EC(4)(a) does not apply for the purposes of paragraphs 56EL(1)(d) and (2)(d), which provide that an accredited data recipient may adopt a government related identifier included in CDR data, use the identifier, or include the identifier in a disclosure of CDR data, if subclause 9.3 of APP 9 applies to the adoption, use or disclosure. Subsection 56EC(4) also does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.) Section 56EC(4) also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1 – 4). See s 56EC(5)(aa) of the Competition and Consumer Act.
[10] In this chapter, references to data holders include AEMO. See Chapter B (Key concepts) for further information about how the privacy safeguards apply to AEMO.
[11] Competition and Consumer Act, paragraphs 56EL(1)(b) and 56EL(2)(b).
[12] See the Federal Register of Legislation https://www.legislation.gov.au for up-to-date versions of the regulations made under the Privacy Act.
[13] ‘Agency’ is defined in Privacy Act, subsection 6(1).
[14] ‘State or Territory authority’ is defined in subsection 6C(3) of the Privacy Act.
[15] ‘Commonwealth contract’ is defined in subsection 6(1) of the Privacy Act to mean a contract, to which the Commonwealth or an agency is or was a party, under which services are to be, or were to be, provided to an agency.
[16] ‘State contract’ is defined in subsection 6(1) of the Privacy Act to mean a contract, to which a State or Territory or State or Territory authority is or was a party, under which services are to be, or were to be, provided to a State or Territory authority.
[17] Note that under regulations 17 and 18 of the Privacy Regulation 2013, certain prescribed organisations are permitted to use or disclose certain identifiers (including Centrelink reference numbers) in specific circumstances.
[18] For more information about the legislative regimes, visit the OAIC’s Tax File Numbers page and Healthcare Identifiers page https://www.oaic.gov.au.
[19] Competition and Consumer Act, subsection 56EL(1). Note: The principal difference between Privacy Safeguard 9 and APP 9 is that the exceptions to the prohibition on using or disclosing government related identifiers in Privacy Safeguard 9 are much narrower than in APP 9. Only the exceptions under APP 9.1 for adopting, and APP 9.2(c) and (f) for using or disclosing, a government related identifier are carried across to Privacy Safeguard 9:
- The common exceptions between Privacy Safeguard 9 and APP 9 are where the adoption, use or disclosure of the government related identifier is authorised or required by an Australian law or court/tribunal order, or where regulations under APP 9.3 prescribe the adoption, use or disclosure.
- The exceptions in APP 9.2 for using or disclosing government related identifiers for verification purposes, fulfilling obligations to agencies or State or Territory authorities, for ‘permitted general situations’ or for enforcement related activities of enforcement bodies do not apply to Privacy Safeguard 9.
[20] Information will be ‘disclosed’ under the CDR system regardless of whether an entity retains effective control over the data.
[21] Competition and Consumer Act, paragraph 56EL(1)(c).
[22] Competition and Consumer Act, paragraphs 56EL(1)(d) and (2)(d) and APP 9.3.
[23] See the Federal Register of Legislation https://www.legislation.gov.au for up-to-date versions of regulations made under the Privacy Act.