Chapter 2: APP 2 Anonymity and pseudonymity

What does APP 2 say?

2.1 APP 2 provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.

2.2 That principle does not apply in relation to a particular matter if:

• the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves (APP 2.2(a)), or
• it is impracticable for the APP entity to deal with individuals who have not identified themselves or used a pseudonym (APP 2.2(b)).

2.3 ‘Anonymity’ and ‘pseudonymity’ are different concepts. APP 2 requires that both options be made available to individuals dealing with an APP entity unless one of the two exceptions applies. Both options must also be made available each time an individual interacts with the entity, that is, when a person is ‘dealing with an APP entity in relation to a particular matter’ (APP 2.1). Similarly, the exceptions (‘required or authorised by law’ and ‘impracticability’) apply to the particular dealing between an individual and the entity.

The difference between anonymity and pseudonymity

Anonymity

2.4 Anonymity requires that an individual may deal with an APP entity without providing any personal information or identifiers. The entity should not be able to identify the individual at the time of the dealing or subsequently.

2.5 Examples of anonymous dealings include an unidentified individual telephoning an APP entity to inquire generally about its goods or services, and an individual completing a retail transaction and paying for goods in cash.

Pseudonymity

2.6 Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, a user name that a person uses when participating in an online forum, or an artist who uses a ‘pen-name’ or ‘screen-name’.

2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction, such as credit information or an address at which goods can be delivered. Similarly, an APP entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.

2.8 An APP entity should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with the entity without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity could also restrict access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the security requirements for personal information, see Chapter 11 (APP 11)).

Why anonymity and pseudonymity are important

2.9 Anonymity and pseudonymity are important privacy concepts. They enable individuals to exercise greater control over their personal information and decide how much personal information will be shared or revealed to others.

2.10 An individual may prefer to deal anonymously or pseudonymously with an APP entity for various reasons, including:

• a preference not to be identified or to be ‘left alone’
• to avoid subsequent contact such as direct marketing from that entity or other entities
• to keep their whereabouts secret from a former partner or family member
• to access services (such as counselling or health services) without this becoming known to others
• to express views in the public arena without being personally identified.

2.11 There can be wider benefits too:

• individuals may be more likely to inquire about products and services that an APP entity provides if able to do so without being identified, meaning the community is better informed
• freedom of expression is enhanced if individuals can express controversial or minority opinions without fear of reprisal
• the risk of identity fraud is minimised when less personal information is collected, linked and stored by entities
• an APP entity can lessen its compliance burden under the APPs by reducing the quantity of personal information it collects
• client feedback may be more forthcoming and robust if individuals have the option of making an unattributed compliment or complaint to an entity.

Providing anonymous and pseudonymous options

2.12 It is implicit in APP 2 that an APP entity should ensure that, if applicable, individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity. If anonymity or pseudonymity is the default setting, this does not apply.

2.13 The steps an APP entity should take to draw both options to the attention of individuals will depend on the nature of the dealing between the entity and an individual. For example, an entity’s APP Privacy Policy could explain the circumstances in which an individual may deal anonymously or by pseudonym with the entity, and the procedures for doing so (see Chapter 1 (APP 1)). The policy could go further and explain how the entity manages pseudonyms and any linked personal information, and if there will be any consequences for an individual if they deal with the entity anonymously or through a pseudonym (for example, where only a limited service can be provided).

2.14 Other measures that could be adopted by an APP entity to facilitate anonymous and pseudonymous dealings include:

• if the entity provides a facility on its website for online communication, stating prominently that an individual may use that facility without providing personal information
• if telephone calls to the entity are routed through an automated message, informing callers in that message that they are not required to provide personal information
• if individuals can contact the entity by using an online or printed form, stating on the form that personal identification boxes (such as name and address) are not mandatory fields
• if the entity solicits public submissions or comments from individuals, allowing participants to use a pseudonym that will be published, even if the individual’s name is supplied confidentially to the entity
• in other dealings between the entity and individuals, informing individuals at the beginning of a dealing that they may interact anonymously or by pseudonym.

Requiring identification — required or authorised by law

2.15 APP 2.2(a) provides that an individual may not have the option of dealing anonymously or by pseudonym with an APP entity if the entity ‘is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves’. The meaning of ‘required or authorised by or under an Australian law or court/tribunal order’ is discussed in Chapter B (Key concepts).

2.16 If an APP entity is ‘required’ by a law or order to deal only with an identified individual it will be necessary for the individual to provide adequate identification. If an entity is ‘authorised’ by a law or order to deal with an identified individual, the entity can require the individual to identify themselves, but equally will have discretion to allow the individual to deal with the entity anonymously or pseudonymously. The nature of any discretion, and whether it is appropriate to rely upon it, will depend on the terms of the law or order and the nature of the dealing.

2.17 The following are given as examples of where a law or order may require or authorise an APP entity to deal only with an identified individual:

• processing an individual’s application for an identity document (such as a passport, licence or security pass)
• issuing a tax file number to an individual
• paying a social security or healthcare benefit to an eligible individual
• providing assistance to an individual who has been diagnosed with a disease that must be recorded and notified under a public health law
• providing assistance to a suspected victim of child abuse, whose injury is covered by a mandatory reporting requirement
• opening a bank account for an individual, or providing other financial services where legislation requires the individual to be identified
• supplying a pre-paid mobile phone to an individual where legislation requires identification
• discussing the individual’s personal information with them, such as the individual’s account information
• giving access to the individual’s personal information under the Privacy Act or Freedom of Information Act 1982.[1]

2.18 An APP entity that relies on APP 2.2(a) to collect personal information should ensure that the collection does not go beyond the requirements of the law or court or tribunal order. For example, the legal requirement may be satisfied by sighting, but not collecting, the personal information, or by collecting an individual’s name but not their address, gender or date of birth. APP 3 imposes a complementary requirement, that generally an entity can only collect personal information that is reasonably necessary for one or more of its functions or activities.

Requiring identification — impracticability

2.19 APP 2.2(b) provides that an individual may not have the option of dealing anonymously or by pseudonym with an APP entity if ‘it is impracticable for the APP entity to deal with individuals who have not identified themselves’.

2.20 The following are given as examples of where it may be impracticable to deal with an individual who is not identified:

• in dispute resolution, it may be impracticable to investigate and resolve an individual’s particular complaint about how their case was handled or how the staff of an APP entity behaved unless the complainant provides their name or similar information
• where an entity is delivering purchased goods to an individual, it may not be able to do so without knowing that individual’s address, or their name (for example, where the individual needs to sign for delivery of the goods).

2.21 In special circumstances it may be open to an APP entity to rely on the ‘impracticability’ exception where the burden of the inconvenience, time and cost of dealing with an unidentified or pseudonymous individual, or of changing an existing system or practice to include the option of anonymous or pseudonymous dealings, would be excessive in all the circumstances. However, this is more likely to be a transitional rather than an ongoing justification. Unless an entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves (see paragraphs 2.15–2.18 above), entities are expected to design and maintain information collection systems that incorporate anonymous and pseudonymous options.

2.22 An APP entity that is relying on APP 2.2(b) should not collect more personal information than is required to facilitate the dealing with an individual (see paragraph 2.18 above).