Data matching involves bringing together data from different sources and comparing it. Agencies that carry out data-matching must comply with the Privacy Act 1988. Some data matching between certain agencies to detect incorrect payments is also subject to the requirements of the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) and relevant guidelines.
The Privacy Act defines personal information as:
information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable
What constitutes personal information will vary, depending on what can reasonably be ascertained in a particular circumstance. This may include information used in, or created by, data-matching processes.
Agencies usually match data so that they can identify people for further investigation or action. For example, records from different agencies or businesses are compared, and this identifies people who are being paid benefits to which they may not be entitled, or people who may not be paying the right amount of tax. This can be a risk to personal privacy because it can involve analysing information about large numbers of people without prior cause for suspicion, and may result in the generation of new personal information. Agencies that are considering taking action against an individual based on the results of data matching must usually inform the individual of these results and give them time to respond.
Data matching under the Data-matching Act
The Data-matching Act and the Guidelines for the Conduct of Data-Matching Program (statutory data-matching guidelines) regulate how the Australian Taxation Office (ATO) and assistance agencies, including the Department of Human Services (DHS) and Department of Veterans’ Affairs (DVA), use tax file numbers to compare personal information so they can detect incorrect payments. The Office of the Australian Information Commissioner (OAIC) oversees compliance with these guidelines.
The Data-matching Act and the statutory data-matching guidelines require that statutory data-matching be conducted in accordance with written protocols and technical standards. For example, DHS has published a data-matching protocol that explains how it matches personal information under the Data-matching Act.
A breach of the Data-matching Act or Guidelines constitutes an interference with privacy under s 13 of the Privacy Act. You can complain to the OAIC if you think a breach might have happened.
More information can also be found on the Tax File Numbers page.
Data matching under the voluntary data-matching guidelines
Agencies also conduct data matching for a range of purposes other than detecting incorrect payments made to clients of DHS, DVA or the ATO. This can include matching their own data with data obtained from other Australian Government agencies, or from state government agencies or private sector businesses. For this kind of data matching, the OAIC has issued Guidelines on Data Matching in Australian Government Administration (voluntary data-matching guidelines). The voluntary data-matching guidelines are not mandatory but have been adopted voluntarily by a number of agencies.
Agencies can request an exemption from complying with some parts of the guidelines if the agency believes the exemption is in the public interest. To ask for an exemption, the agency has to give the OAIC:
- advice about the proposed program
- details of the exemption they want
- details of why they think the exemption would be in the public interest.