Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Consultation on Model Offences to Combat Identity Crime 2007; Submission to the Model Criminal Law Officers Committee of the Standing Committee of Attorneys-General (June 2007)

Consultation on Model Offences to Combat Identity Crime 2007 Submission to the Model Criminal Law Officers' Committee of the Standing Committee of Attorneys-General June 2007

pdfConsultation on Model Offences to Combat Identity Crime 2007; Submission to the Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General (June 2007)

Submission to the Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General

June 2007

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

The Office welcomes the opportunity to comment on the Discussion Paper, Identity Crime, prepared by the Model Criminal Law Officers’ Committee (MCLOC) [1].

The Proposed Offences

The Office understands that the notion of identity crime has, historically, covered a wide range of offences, often dealt with through specific enactments and through common law. As identified by the Discussion Paper, the commission of other crimes such as fraud or impersonation have to date, been intrinsic to the prosecution of identity crimes.

Identity crime is not an unprecedented new development, rather the manner in which it has been categorised and addressed in the past, at the state, territory and national level has varied resulting in inconsistency across jurisdictions and a false perception that identity crime is a new issue.

In the Office’s view the development of the proposed offence of identity crime has several benefits:

  • The proposed ‘certificate’ will empower individuals to take active measures to correct records of personal information affected by identity crime;
  • The offence could assist in overcoming jurisdictional impediments associated with the prosecution of identity crime, as the prosecution of the offence will not be dependant on the jurisdiction in which the perpetrator or the victim of the offence reside, or where the information which is the subject of the offence is stored; and
  • The offence could address the difficulty associated with inconsistent terminology, for example, the use of identity crime, identity fraud and identity theft to cover a broad range of conduct involving the unauthorised or improper use of personal identification information.

While the Office is supportive of the introduction of the offence of identity crime the Office offers the following comments to assist in the development of the proposal.

a) The scope and framing of the proposed identity crime offences

The scope of the proposed offence of identity crime, will, to some extent, be determined by the definition of ‘personal identification information’ as the improper handling of only a particular class of information will constitute an offence under these provisions. The Office is of the view that establishing an unambiguous definition of ‘personal identification information’ is intrinsic to the development of an effective offence of identity crime.

In establishing the definition of ‘personal identification information’ it is essential that the right balance be struck between a definition that is cast broadly to ensure that the definition keeps pace with change and technological advances and yet does not capture an indiscriminate amount of information, rendering the definition meaningless.

The Office understands that it is intended that the definition of ‘personal identification information’ in the model identity crime offence will incorporate a list of information falling within the category of ‘personal identification information’ which will include email addresses, biometric information, voice prints, a body’s corporate name and ABN and a series of numbers or letters intended for use as a means of ‘personal identification information’.

The Office recognises the importance of clearly capturing technology specific information like email addresses and voice prints in the definition. However, in the Office’s experience a technology neutral definition that is contingent on context for its application, like that used in the Privacy Act[2], or alternatively a definition that seeks to identify the features of information that render it ‘personal identification information’ is likely to be more effective and less likely to become outdated than a list of information to be included in the definition.

b) the proposed certificate following conviction

As noted above the Office has responsibilities under the Privacy Act in relation to the handling of personal information by most private sector organisations and Australian and ACT Government Agencies[3]. The Information Privacy Principles (IPPs) in the Privacy Act regulate the handling of personal information by Australian and ACT Government agencies and the National Privacy Principles (NPPs) regulate the handling of personal information by most private sector organisations. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers.

In the Office’s experience the protection of personal information particularly credit information remains an important privacy concern for individuals because of the serious consequences that may arise through its mishandling. The Office is pleased to note that MCLOC has recognised the far reaching consequences of identity crime to an individual’s personal credit rating and the time and effort individuals must invest in restoring records.

The Office is supportive of the proposal put forward by MCLOC that following a conviction of identity crime, victims of identity crime be able to obtain a court issued certificate which clearly states that particular transactions and / or criminal conduct were carried out by another person not by the victim.

The Office is of the view that the utility of this certificate would be greatly increased by adopting the option put forward by MCLOC that the certificate be issued even where a case does not result in a conviction. As identified by the Discussion Paper, circumstances may exist where the offender cannot be identified but there is sufficient proof to satisfy a court that the individuals’ personal identity has been misused. Alternatively the defendant may be acquitted but a court could find on the balance of probability that a person’s identity has been misused by a person.

Access and correction

Access to one’s own personal information (and the right to have it corrected) is one of the cornerstones of privacy protection. This is reflected in the Privacy Act by the inclusion of IPP 6 and IPP 7 (public sector) and NPP 6 (private sector)[4]. Section 18J in Part IIIA of the Privacy Act places an obligation on credit reporting agencies and credit providers to take reasonable steps, by way of making appropriate corrections, deletions and additions, to ensure that the personal information contained in an individuals’ credit file is accurate, up-to-date, complete and not misleading.

However an individual’s right to access and correction of personal information only exists where the private sector organisation is bound by the Privacy Act or the state /territory agency is subject to similar privacy obligations or obligations under a Freedom of Information Act (FOI Act). In the case of small business operators, these organisation do not fall within the jurisdiction of the Privacy Act. As such, victims of identity crime would not have a statutory right to access and correct inaccurate information held by these small business operators.

The Office notes that at present the certificate issued under the Criminal Law (Sentencing) Act 1988 (SA) and Section 408D of the Queensland Criminal Code does not compel others to take restorative action (for example, to reinstate a victim’s credit rating). It is our understanding that MCLOC proposes that the certificate to be issued to a victim following a conviction of identity crime under the Model Identity Crime Offences would similarly not compel others to take restorative action.

The Office is of the view that a victim’s right to correct records of personal information particularly when inaccuracies are established to be a consequence of identity crime should be more effective.

Accordingly the Office is of the view that MCLOC give further consideration to specific circumstances in which the proposed certificate should compel organisations (e.g. credit reporting agencies, credit providers) and agencies to take restorative action. Should reasons exist for adopting certificates that do not compel restorative action in any circumstance, the Office would be interested to engage in further discussion to address these concerns.

Special notation for credit reports

As noted above the Office has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers and personal tax file numbers used by individuals and organisations. Part IIIA of the Privacy Act places specific obligations upon credit providers and credit reporting agencies with regard to the handling of personal information.

In the Office’s submission to the Australian Law Reform Commission’s Review of Privacy, the Office supported an amendment to Part IIIA of the Privacy Act to enable an individual to note on their credit file that they have been subject to identity theft[5].

Should this amendments be legislated it may be beneficial for the model identity crime offence to compel credit providers and credit reporting agencies, to note on the victim’s record that he or she has been subject to identity theft, in addition to making the necessary amendments to ensure the information is accurate, up-to-date, complete and not misleading.

However, the Office did suggest the need for provisions to enable the removal of identity theft notification either by lapsing after a period of time or being removed once the identity theft has been resolved.

The Office encourages MCLOC to give further consideration to the issues raised in this submission and encourages the proposed legislation to be, as far as possible, consistent with the Privacy Act, particularly the NPPs, IPPs and credit reporting provisions.


[2] Section 6 of the Privacy Act 1988 (Cth) defines information as personal information when the individual's identity is apparent or can be reasonably ascertained from the information

[3] For more information on the coverage of and exemptions from the Privacy Act please see Information Sheet 12 http://www.privacy.gov.au/publications/IS12_01.html ; For more information on the IPPs, see the Plain English Guidelines to the Information Privacy Principles available at http://www.privacy.gov.au/government/guidelines/index.html#34

[4] Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 31 Chapter 7 http://www.privacy.gov.au/publications/submissions/alrc/c7.html

[5] Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Chapter 5 http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.html#should1