In the realm of personal data, government-related identifiers, such as passport numbers, driver’s license numbers, and Medicare numbers, hold a unique position. Under Australian Privacy Principle (APP) 9 – Adoption, Use or Disclosure of Government Related Identifiers, there are stringent restrictions on how organisations handle these identifiers to safeguard against misuse and protect individual privacy.
Let’s delve into what this means for your organisation.
What is a Government Related Identifier?
An ‘identifier’ is defined as a number, letter or symbol, or a combination of any or all of those things, that can be used to identify or to verify the identity of an individual. Government Related Identifiers are unique numbers or codes assigned by government agencies, which can be used to identify individuals, such as passport numbers, driver’s license numbers, Centrelink numbers and Medicare numbers. Their sensitivity arises from the potential for identity theft or fraud if mishandled.
The following are explicitly excluded from the definition of identifier:
- an individual’s name
- an individual’s Australian Business Number (ABN)
- anything else prescribed by the regulations made under the Privacy Act. This provides flexibility to exclude any specified type of identifier from the definition, and therefore the operation of APP 9, as required.
Restrictions Under APP 9
Adoption
Under APP 9, an organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless an exception applies. For example, an accountant cannot use an individual’s tax file number as the basis of their own identification or filing system.
There are exceptions to this rule. An organisation may adopt a Government Related Identifier of an individual as its own identifier if it is required or authorised by an Australian law or a court or tribunal order.
Use and Disclosure
Organisations are generally prohibited from using or disclosing Government Related Identifiers.
Exceptions exist, but they are limited. They include situations where the use or disclosure of the identifier is:
- reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions
- reasonably necessary to fulfil obligations to an agency or State or Territory authority
- required or authorised by Australian law or a court or tribunal order
- necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain consent
- required because the organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in
- reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body
The Importance of Compliance
Non-compliance can lead to serious legal consequences and damage to your organisation’s reputation. It’s crucial to understand and adhere to these regulations to maintain trust and integrity.
Your organisation should have clear policies and training for staff on handling these identifiers. This includes secure storage practices, restricted access, and regular audits to ensure compliance.
It is also important to have a robust plan in place for responding to any breaches involving these identifiers. This includes notifying affected individuals and the appropriate regulatory bodies.
Given the complexities, it may be beneficial to seek expert advice (from the team at de.iterate) or consult further resources.
Navigating the use of government-related identifiers requires a careful balance between operational needs and privacy obligations. By adhering to APP 9, your organisation not only complies with the law but also demonstrates a commitment to protecting the privacy of individuals’ sensitive information.
Disclaimer: The articles on our website are intended to stimulate interest in the subject matters. All comments and articles are for information purposes only. Professional advice should be sought on specific matters, and with lawyers under Costs Agreement and to which Legal Professional Privilege (LPP) applies.