Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Better Dealings with Government: Innovation in Payments and Information Services - Discussion Paper for Industry Consultation; Submission to the Department of Human Services (October 2009)

Submission on Better Dealings with Government: Innovation in Payments and Information Services - Discussion Paper for Industry Consultation to the Department of Human Services October 2009


Key recommendations

  1. The Office welcomes the references to good privacy practice in the discussion paper. In the Office’s view, embedding privacy protections in all stages of development of a new system of government payment and information services will assist in engendering greater consumer trust and confidence.
  2. The Office suggests the following:
    1. Privacy impact assessments should be included at appropriate stages in the development of the new system to help determine appropriate management of any privacy impacts.
    2. Privacy enhancing technologies should be considered as part of the design of the new system to provide appropriate consumer control and choice over their personal information.
    3. Robust identity verification and management processes should be used by the new system, taking account of other initiatives currently underway in this area.
    4. The type and amount of data sharing to be undertaken as part of the new system should be limited to specific needs and purposes.
    5. The extent of the privacy protections to be put in place around data sharing in the new system needs to be clearly articulated.
    6. Consideration of the need to develop additional and specific privacy legislation, containing provisions for use of information, appropriate prohibitions on use or disclosure of information, requirements for independent audit and mandatory reporting on the new system, sanctions and complaint mechanisms and provisions to ensure any future expansion is subject to a privacy impact assessment and parliamentary scrutiny, should occur.
    7. Consultation with stakeholders and education for consumers on all aspects of a proposed new system of payments should be undertaken.
  3. The Office also suggests it should be consulted at appropriate stages in the further development of a new system for delivering government payments and information. This will help ensure that the parts of the system relating to personal information handling reflect good privacy practice.


Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.

2. In addition, the Commissioner also has statutory obligations under the Data-matching Program (Assistance and Tax) Act 1990 (Cth) in relation to certain data matching activities using the Tax File Number. [1] These obligations include the requirement to issue guidelines under that Act and the ability to investigate any act or practice that may be a breach of that act or guidelines. The Commissioner has also issued voluntary data matching guidelines which can be used by agencies undertaking other types of data matching.


3. The Office welcomes the opportunity to provide a submission to the Department of Human Services (the department) on its discussion paper for industry consultation; Better Dealings with Government: Innovation in Payments and Information Services - (the ‘discussion paper’). [2]

4. The Office understands that the purpose of the discussion paper is to seek comment from industry and interested parties on innovative ways of delivering government payments and collecting and sharing information while meeting customer needs [3] .

5. In summary, the discussion paper seeks comment on:

  • new service opportunities made possible by technical and commercial developments
  • new payment platforms to support a range of payment services
  • new collaboration arrangements between the public and private sectors to extend current government services (such as Centrelink’s voluntary bill-paying service) to a wider service provider and customer base
  • ways of improving the collection and sharing of information between government agencies while minimising the impact on privacy
  • ways of making the customer’s dealings with government more useful, including by improving their access to and use of personal information held by government.

The Office has responded in two parts with the first dealing with general comments and the second on specific comments in relation to the discussion paper questions.

Part A General Comments

Good privacy practice

6. The Office welcomes the references to good privacy practice in the discussion paper, including in the underpinning principles that will determine new ways of delivering payments and information services by government. As the Office has noted many times before, privacy protections are fundamental to the success of major new initiatives involving technologies. The Office believes that appropriate personal information collection and handling is an essential component in gaining the public’s trust and thus guaranteeing participation and a smooth transition to a new system of delivering government payments and information.

7. Any major new system will be accompanied by significant infrastructure, processes and policies and accordingly it is necessary to consider the privacy implications of the system in its entirety.

8. The Office notes the paper’s references to the need to ensure that the benefits resulting from a new system are proportional to any impacts on individual’s privacy. However the Office believes that it is possible to achieve the type of benefits being contemplated while at the same time enhancing individual privacy overall.

9. The Office suggests it should be consulted role at appropriate stages in the further development of a new system for delivering government payments and information. This will help ensure that the parts of the system relating to personal information handling reflect good privacy practice.

A comprehensive privacy framework

10. The Office strongly recommends developing a robust privacy framework for any major new system of information collection and handling as being contemplated by this discussion paper. The Office supports building privacy into every aspect of a new system from the earliest stages of its conceptualisation. [4]

11. The Office considers that a comprehensive framework for privacy protection for major new government initiatives that relate to the handling of personal information should be based on four key elements. [5] These four elements can be expressed as:

Design + Technology + Legislation + Oversight

  • Fundamental system design , including system architecture and the parameters governing what information is collected, information flows and consent mechanisms
  • Technological measures including data security initiatives
  • Legislative measures , including defining the extent of the system, proscribing purposes that fall outside those functions, and introducing sanctions for misusing any aspect of the system
  • Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

12. In seeking to deliver ‘more citizen-centric, efficient and cost-effective services’, [6] the discussion paper highlights the opportunities arising from advances in technology and developments in industry, including the development of the digital economy and the opportunity to leverage off innovative approaches adopted across society through public-private partnerships.

13. Two key methods for embedding privacy into systems that are especially relevant to new technologies and public/private partnership arrangements are:

  • using privacy enhancing technologies [7]
  • carrying out privacy impact assessments.

These are explained in more detail below.

14. The Office also notes that the scope of the discussion paper is on ‘a subset of portfolio services which present opportunities for innovation’, but that the paper refers to the possibility that ‘improved service delivery options identified through the current consultation process may include options appropriate for whole of government service delivery’. [8]

15. The Office believes that any broadening of scope to whole-of-government service delivery should be carefully managed including through establishing a process that is transparent, widely consultative and supported by legislation to guarantee community confidence.

Privacy impact assessments

16. A privacy impact assessment (PIA) is an assessment tool that describes in detail the personal information flows in a project and analyses the possible privacy impacts of the project. A PIA can help agencies to identify when the collection of particular information is unnecessary for a given project, or where additional accountability or oversight processes may reduce privacy risks.

17. Generally, a PIA should:

  • describe the personal information flows in a project
  • analyse the possible privacy impacts of those flows
  • assess the impact of the project as a whole may have on the privacy of individuals
  • explain how those impacts will be eliminated or minimised.

18. Iterative PIAs updated at key stages of a project can be a key part of project risk management. The overarching benefit of a PIA is that the identification and analysis of privacy impacts during a project’s design phase can assist in determining the appropriate management of any potentially negative impacts. Thus, PIAs are another aid to engendering community trust in new proposals.

19. Consultation will generally add significant value to a PIA and the Office encourages consultation with the public and relevant consumer groups on any proposal for a new system of delivering payment and information to individuals. [9]

20. Ideally, a PIA should be conducted by an independent expert in privacy and conducting PIAs. In addition, to aid transparency in the process, where appropriate the Office generally sees merit in PIAs being made publicly available, noting that some aspects may be commercially sensitive. However, publication is not the primary goal of undertaking a PIA. Further information on PIAs can be found in the Office’s Privacy Impact Assessment Guide. [10]

Privacy enhancing technologies

21. For a new project, in terms of privacy, the most fundamental design element is to minimise the collection and subsequent handling of personal information to what is necessary to meet the system’s functions.

22. Privacy enhancing technologies (PETs) are tools developed with this end in mind. They are an obvious consideration for this discussion paper with its focus on the potential of new technologies and innovative approaches to information collection and sharing. In addition to meeting security and other objectives, PETs can provide individuals with appropriate control and choice over how their personal information is handled. [11] As the Office has noted previously, [12] PETs tend to fall into several categories including:

  • General information security tools – these include encryption, logical access controls and use of digital certificates
  • Data separation – this refers to systems that detach identifying information from other personal information so that the individual’s privacy is protected during processing and storage of their personal information. Generally only an authorised person with a digital key is able to re-identify information [13]
  • Privacy metadata – this refers to information ‘tags’ that can be attached to personal information during processing. These tags contain additional information such as the source of the information, the consent obtained, how it may be used and the policies to which it is subject. Personal information can also be assigned particular conditions or ‘obligations’ which detail the length of time that information may be retained and whether the person has given consent for the information to be disclosed to any third parties [14]
  • Privacy management systems – these allow individuals to find out the privacy practices or processing policies of agencies that handle personal information and see if these match their preferences. The systems can improve the transparency of the information processing for the individual. [15] These tools ‘...may also advise users of the consequences of the information processing performed leading to an improved understanding of privacy-related issues’. [16]

23. The Office submits that a commitment to the development and implementation of PETs should form a key element of a new service delivery system arising from this consultation.

Enhancing trust

24. A key theme of this submission is ‘trust’ and its importance to the overall success of a proposed new government payment or information service delivery system. The Office considers trust integral to individuals’ engagement with a new system and to enabling a smooth transition from current arrangements. Without it, the opportunity to make use of the full range of possible solutions including new technologies and all that the internet offers will not be realised.

25. The Office submits that trust is closely linked to privacy. [17] In its 2007 survey of community attitudes to privacy, the Office found that 50% of respondents were more concerned about providing information over the internet than they were two years previously and 65% of respondents felt more concerned about providing their details online rather than in hard copy format. [18]

26. The discussion paper’s key drivers for change include ‘maintaining good privacy practice to build confidence in service improvements’. [19] Particularly with the inclusion of the private sector as a party in potential future government service delivery arrangements, good privacy practices will be key to consumer confidence.

27. The Office suggests that the privacy enhancing aspects of the new system should be promoted to consumers. Individuals may be more prepared to participate in new systems, including interactive online initiatives, knowing their personal information is less likely to be compromised or handled inappropriately. Individuals may also be more confident about who may access and use the information they provide and that access will be for appropriate purposes.

Part B: Specific responses

28. Rather than addressing all the individual questions posed in the discussion paper, the Office has structured its specific comment under four underlying themes that have implications for any new system of payment and information service delivery. They also address the breadth of the issues raised in the discussion paper. These are:

  1. identity verification and management
  2. data sharing, data matching and data linking
  3. regulatory framework – providing authorisation
  4. consumer control.

Identity verification and management

29. Identity verification and management is relevant to many of the questions posed in the paper. In particular, the Office submits the following comments are relevant to questions 2, 5, 7(b), 18, 19, 20, 21, 24, 25 and 27.

30. Good identity verification and management will be fundamental to a system of payment and information service delivery. The Office notes that with a view to more citizen-centric and efficient service delivery, the verification and management of an individual’s identity is currently being considered by government.

31. This includes the development of the National Document Verification Service (DVS) by the Attorney-General’s Department as part of the COAG’s National Identity Security Strategy [20] and the framework being developed by the Australian Government Information Office (AGIMO) in its work toward an Australian Government e?Authentication Framework for Individuals. [21]

32. The discussion paper puts forward the option of once only provision of information by individuals and ‘allowing this information to be shared by all those who need it’. [22] Any proposed process of identification verification and management being used by a range of public and private sector stakeholders has even greater significance should the scope of a new system be broadened, as flagged in the discussion paper. [23]

33. The Office suggests that allowance needs to be made for individuals who for legitimate reasons prefer to provide some different information about themselves to different agencies and in different contexts. For example, individuals may wish to be able be known by shortened, derivative or anglicised names or may go by their middle rather than given name. Similarly, there may be cultural or religious reasons why individuals choose to use different names, such as indigenous Australians choosing to use their traditional or another name depending on whether they are interacting in the indigenous or non-indigenous community. [24]

34. In the Office’s view, the key to ensuring that identity verification and management sits comfortably with good privacy is to avoid the unnecessary collection of personal information. In the case of government payments, good identity management will permit proper authentication of individuals’ identity and eligibility for government benefits, to minimise the risk of fraud. Poor identity management can result in individuals losing control over their information or having information collected about them, used and aggregated without their knowledge.

35. Consistent with the framework being developed by the AGIMO, the Office notes that for some transactions it may not be necessary to authenticate an individual’s identity, but merely to determine the individual’s eligibility to a payment or information. [25] The necessity of authentication may be determined by such factors as the risks associated with a given transaction or interaction.

Federated Identity

36. As the Office understands it a federated identity management model[26] facilitates simpler and more secure online identity verification including through a single sign-on capacity. This allows access to services provided by multiple trusted service providers, without the necessity for re?authentication and verification of identity by each service provider.

37. The Office submits that a system based on a model of federated identity management where individuals are required to provide a standard set of information once only could be privacy enhancing. In its submission to Discussion Paper 72 of the ALRC Review of Privacy Law and Practice [27] , the Office referred to various developments in online authentication of identity, including federated models of identity management. The Office noted that:

At least some of these systems are premised on a single trusted third-party providing authentication to individuals, who are then issued with digital certificates for use in an online environment. [28]

38. The Office submits that the application of federated identity models to the new system could be subject to a Privacy Impact Assessment, especially in terms of the enrolment of ‘known customers’ into the system.

Emergency situations

39. The Office notes the discussion paper’s specific consideration of identity verification and service provision in the event of an emergency. The Office submits that in a range of circumstances, including in emergency situations, the Privacy Act is an enabler rather than an inhibitor, permitting uses and disclosures of personal information and facilitating appropriate information handling that meets individuals’ needs, for example, to re-establish identity or to facilitate provision of services. In this context, the Office notes the example in the discussion paper of the emergency declaration made under the Privacy Act at the time of the Victorian bushfires. [29]

Data sharing, data matching and data linking

40. The discussion paper calls for ‘reduced collect and share information...with all those who need to know’. [30] It is reasonable to infer that a new system with the capacity to facilitate easier and more sophisticated data exchanges could involve data sharing, data matching and data linking initiatives that have to date been technically difficult and therefore not viable.

41. The discussion paper flags as a key strategic driver the ‘change agenda for information sharing and collection’, [31] and poses possible options for data sharing between the public and private sectors. In particular, the possible role of industry as a data interchange broker implies significant new arrangements within which data sharing might occur.

42. Questions relevant to these issues include questions 9, 10(b), 14-17, 18, 19, 24, 25 and 26.

43. Concerns about creation of new repositories of personal information and/or data linkages between datasets are often based on the perception that such arrangements will allow the government to unreasonably intrude on individuals’ private affairs. [32]

44. The Office notes the discussion paper’s recognition of the need for an ‘appropriate privacy framework’ around new information collection and sharing arrangements. [33] In many cases, relying on an individual’s informed consent will be a useful way forward. In addition, the Office considers that any proposed data sharing should continue to be transparent, within the expectations of individuals and subject to clear guidance. [34] The Office also believes that the type and amount of data sharing to be undertaken as part of the new system should be limited to specific needs and purposes. A separate Privacy Impact Assessment on the data sharing/matching aspects of a proposed new system would be beneficial.

45. Information Privacy Principles (IPPs) 10 and 11 regulate use and disclosure of personal information held by government agencies, while National Privacy Principle (NPP) 2 provides the equivalent protection for information handled by private sector organisations.

46. The Office noted in its submission to the ALRC Review of Secrecy Laws that the notion of information sharing is a far broader concept than information shared purely for the purposes of data matching. [35] The Office suggested that the sharing of Commonwealth information more broadly could be a useful topic to be addressed by the proposed Office of the Information Commissioner. [36]

47. The case studies in the discussion paper include scenarios involving data exchange between the public and private sector. An issue that may need to be considered concerning data exchange in the new system is the use of identifiers. In previous submissions the Office has discussed risks associated with the use of identifiers to enable easy and accurate data linking. It noted that data-linking using identifiers carries the risk of combining personal information that has been collected for very different purposes and the creation of rich datasets about individuals' interactions in society. [37]

48. It is to address such risks that Parliament enacted restrictions on the use of individuals’ Tax File Numbers and the restrictions placed on the private sector’s use of any Australian Government identifier by National Privacy Principle 7.

Regulatory framework – providing authorisation

49. The Office submits that an appropriate regulatory framework should be established for any proposed new system of government payment and information service delivery. This issue is relevant to the entire discussion paper and in particular to questions 2, 5, 6, 10(b), 21, 24 and 25.

50. Currently, under the Privacy Act the IPPs [38] apply to most Australian and ACT government agencies while the NPPs [39] apply to a range of private sector organisations. The IPPs regulate the collection, handling, use, disclosure, storage and security of an individual’s personal information by government agencies. In particular, IPPs 10 and 11 prohibit agencies from, respectively, using or disclosing personal information for any other purpose other than the primary purpose for which the personal information was collected, unless one of a number of prescribed exceptions applies. This principle therefore prohibits use of information for a secondary purpose, including through the linking of personal information about individuals when that personal information is collected for another purpose. Both IPPs allow an individual to give their consent to a use or disclosure. [40]

51. The NPPs are similar to the IPPs but there are some notable differences which could impact on services delivered by the private sector on behalf of the government. [41] Additionally, the regulatory implications of NPP 7 could be important in relation to the discussion paper. This privacy principle prohibits, subject to prescribed exceptions, private sector organisations from adopting, using or disclosing any identifier issued by the Australian Government (such as the Medicare number). [42]

52. While the Privacy Act gives a sound foundation, the protections it affords are principle based, rather than drafted prescriptively to meet privacy risks posed by specific projects or information handling practices. Specific legislation to regulate the system is an important element in establishing and maintaining public trust and confidence in a new system in the long term.

53. In the Office’s view, depending on the scope of the proposal that is settled on, specific legislation could contain:

  1. provisions setting out primary uses of information provided by individuals
  2. appropriate prohibitions on secondary use or disclosure of the information
  3. requirements relating to independent audit and mandatory reporting on the new system
  4. sanctions and complaint mechanisms
  5. provisions to ensure that any future expansion of the system is subject to a detailed Privacy Impact Assessment and parliamentary scrutiny.

54. The Government announced its response to the ALRC Review of Australian Privacy Law and Practice on 14 October 2009. [43] The announcement flagged the Government’s acceptance of the recommendation for a set of ‘unified privacy principles’ (UPPs) to replace the existing IPPs and NPPs. [44] The implications of this decision will need to be considered in developing a new payment and information service delivery system. This is particularly important in light of the discussion paper’s consideration of service models that might include public-private partnerships and/or leveraging existing commercial capabilities and infrastructure.

55. The Office also notes the absence of comment in the discussion paper on other information handling regulation currently applying to agencies, including secrecy provisions and confidentiality provisions.

PBS online and Medicare Easyclaim

56. The Office notes that the discussion paper seeks comment on whether:

  • the infrastructure used for PBS online could be used to deliver other payment services
  • government or industry might have other uses for the Medicare Easyclaim infrastructure
  • governments might be able to procure other services or transactions under arrangements similar to Medicare Easyclaim. [45]

57. As noted in its submission on healthcare identifiers and privacy, the Office understands that, at present, demographic information about individuals is held in a separate database from information on MBS and PBS claims held by Medicare. [46] The incorporation of new functionality separate from Medicare functions using Medicare infrastructure could therefore raise several privacy issues. Depending on the proposed system design, legislative framework and authorisations, it would be important that the separation of business processes between the new function and other Medicare functions was clear.

Consumer control

Education and information for consumers

58. The Office supports the discussion paper’s focus on ‘citizen-centric’ service delivery, in particular, that individuals should have more control over their interactions with government and their own information.

59. Individuals have a legitimate interest in controlling the dissemination of information about them. Also, individuals may usually expect that where they provide their personal information to different agencies and organisations for one purpose, this information will not be used or disclosed for another purpose. For this reason it is important to consider appropriate ways of ensuring that individuals will be made aware of the ways in which their personal information will be handled so that, to the greatest extent possible, individuals maintain a measure of control over their personal information.

60. As the discussion paper suggests, this could occur by building robust privacy policies that reflect consumers’ expectations about how their personal information will be handled. These policies should among other things clearly explain:

  1. what personal information will be collected
  2. whether providing certain information is voluntary
  3. how any information will be used and for what purpose
  4. what security safeguards will protect the handling of such information
  5. whether individuals may request information to be removed from a publicly available site.

61. The importance of an accessible online privacy policy was reflected in the Office’s 2007 community attitudes survey, which indicated that the most common reasons for reviewing online privacy policies were to help decide whether or not to use the site and to make the respondent feel more confident and secure about the site. [47]

62. New capabilities and payment methods that ‘are as secure, cost effective and efficient as direct credit, and as highly accessible as cash’ [48] could represent a significant change in the way in which people deal with government agencies.

63. The Office suggests that empowering the end user through consultation, education and ongoing communication is fundamental to ensuring that individuals can make informed privacy decisions. This is particularly important when individuals will be required to interact with technology and use new systems and business processes, as envisaged in the discussion paper.


64. It may also be of use to consider the possibility that individuals may choose not to access government services due to privacy concerns, and how such decisions may affect government policy and the broader community well-being. While some kind of registration is necessary to obtain government entitlements, it is possible that some percentage of the population, however small, could choose not to receive entitlements due to privacy concerns. It will be important for individuals to understand why their information is sought and what information the system is intended to handle (for example, agency transaction data such as PBS claims information).

65. In addition, the Office notes that, in some circumstances, consent to a particular information-handling practice may be an imperfect form of privacy protection. This is most evident in the case of ‘bundled consent’, that is, the bundling together of consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not.

Access to information

66. The Privacy Act gives individuals a general right to access and correct their personal information. [49] The Office notes that access by individuals to their own information is listed as a key area of interest in the discussion paper, and suggests that consideration be given to the means by which this can be assured. The Office notes the potential use of web based service delivery and the opportunity for individuals to update their personal information online. Remote access, however, raises a number of issues. The possibility of accessing information online has implications for the security of information (see below). Consideration will also be needed as to how information about individuals will be kept up to date and accurate.

Correction of information

67. The Office notes that a number of questions in the discussion paper refer to payment deduction services or automatic updating of information or other access to personal information for example, questions 10, 16(b), 19, 21.

68. The Office suggests that updating of information without an individual’s knowledge or consent would reduce consumer control of information and would therefore not be good privacy practice.

Security of information

69. Security is also an element of privacy practice. Information handling practices that collect personal information unnecessarily or in an unreasonably intrusive manner are inconsistent with good privacy even if that information is subsequently stored securely.

70. The Privacy Act requires that record-keepers in possession or control of a record that contains personal information are required to ensure that the record is protected, by such security safeguards as are reasonable in the circumstances. These safeguards would protect against loss, unauthorised access, use, modification or disclosure and other misuse.

71. Irrespective of the form of technology used, the community is likely to expect strong security surrounding new systems of payment and information provision. A perceived lack of security could significantly lower community trust in a new system. For example, the Office’s 2007 Research into Community attitudes towards Privacy in Australia indicated that most Australians are concerned about identity theft. [50]

72. The Office submits that some of the most important privacy protections depend on technical design features and include the segregation of data and accompanying strong security protections such as encryption and access controls to information. A strong emphasis on these elements, together with legislative and accountability measures, means that the community can have confidence in the long-term viability of privacy protections.

[3] Discussion paper, p 1

[4] The UK Information Commissioner has also commented on the importance of building in privacy in a recent report which notes that this ‘...approach will ensure that privacy controls are stronger, simpler to implement, harder to by-pass, and totally embedded in the system’s core functionality:, Privacy by design , November 2008, p3,

[5] For more information on this privacy framework see this previous submission from the Office:

[6] Discussion paper, p 1

[7] Privacy enhancing technologies are discussed in greater detail in Privacy Enhancing Technologies: A Whitepaper for Decision Makers and published by the Dutch Government,

[8] Discussion paper, pp 1- 2

[9] The example of the Canadian Longitudinal Labour Force File Databank project illustrates the risks of not comprehensively considering privacy issues before implementation. In that case, community privacy expectations were not addressed during development of an information handling system and led to the dismantling of a national database on 34 million Canadians (at a cost of many millions of dollars) and a greater appreciation of the need for ‘…transparency and accountability, and the application of privacy-protection rules for the use of such information’. See Bennet C and Raab The Governance of Privacy: Policy instruments in global perspective(2003) Ashgate, London: p.115

[11] Privacy enhancing technologies are discussed in greater detail in Privacy Enhancing Technologies: A Whitepaper for Decision Makers , published by the Dutch Government, see

[12] See the Office’s submission Towards Government 2.0 Issues Paper, p 8,

[13] See Privacy Enhancing Technologies: A Whitepaper for Decision Makers published by the Dutch Government,

[14] UK Information Commissioner’s Office, Privacy by design , November 2008, p9,

[15] Privacy Enhancing Technologies: A Whitepaper for Decision Makers published by the Dutch Government,

[16] UK Information Commissioner’s Office, Privacy by design , November 2008, p9,

[17] For a discussion on the importance of privacy to garnering client trust, see Office of the Privacy Commissioner, Top ten privacy issues , speech by the Commissioner to PIPA Conference 2007, Canada, p 8,

[18] Office of the Privacy Commissioner, Community Attitudes to Privacy Wallis Consulting, 2007, p 61,

[19] Discussion paper, p 8

[22] Discussion paper, p 1

[23] Discussion paper, p 2

[24] See pp 20-21 of this previous Office’s submission,

[25] For further discussion of this, see the Office’s submission on the Australian Government e-Authentication Framework for Individuals Discussion Paper (March 2006) available at

[26] See, for example, AGIMO Discussion Paper No. 12, ‘Managing Privacy in Identity Management - The Way Forward’,

[29] Discussion paper, p 14

[30] Discussion paper p 20

[31] Discussion paper p 7

[32] The Office’s Community Attitudes towards Privacy 2007 survey found that 60% of Australians were concerned about becoming a victim of identity theft (p 68),

[33] Discussion paper p 20

[34] The Office’s Community Attitudes towards Privacy 2007 survey found increasing community support for data sharing between Government departments for specific purposes (up from 71% in 2004 to 80%), pp 40-41,

[36] See announcement by the government,

[37] See for example, p 453 in the Office’s submission on Issues Paper 31 for the ALRC’s Review of Privacy Law and Practice,

[40] For more information on the IPPs, see the Plain English summary of the IPPs available at

[41] The Plain English summary of the NPPs is at

[45] Discussion paper, pp 15-16

[46] See p 4 of the Office’s submission on Health identifiers and privacy: Discussion paper on proposals for legislative support,

[47] Office of the Privacy Commissioner, Community Attitudes to Privacy , Wallis Consulting, 2007, p. 65,

[48] Discussion paper, p 13

[49] See NPP 6 and IPPs 6 and 7

[50] See pp 67-68 in Office of the Privacy Commissioner, Community attitudes towards Privacy 2007,