In the realm of personal data, government-related identifiers such as passport numbers, driver’s license numbers, and Medicare numbers hold a unique position. Under Australian Privacy Principle (APP) 9 – Adoption, Use or Disclosure of Government Related Identifiers, there are stringent restrictions on how organisations handle these identifiers to safeguard against misuse and protect individual privacy.
Let’s delve into what this means for your organisation.
What is a Government Related Identifier?
An ‘identifier’ is defined as a number, letter or symbol, or a combination of any or all of those things, that can be used to identify or to verify the identity of an individual. Government Related Identifiers are unique numbers or codes assigned by government agencies, which can be used to identify individuals, such as passport numbers, driver’s license numbers, Centrelink numbers and Medicare numbers. Their sensitivity arises from the potential for identity theft or fraud if mishandled.
The following are explicitly excluded from the definition of identifier:
Restrictions Under APP 9
Adoption
Under APP 9, an organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless an exception applies. For example, an accountant cannot use an individual’s tax file number as the basis of their own identification or filing system.
There are exceptions to this rule. An organisation may adopt a Government Related Identifier of an individual as its own identifier if it is required or authorised by an Australian law or a court or tribunal order.
Use and Disclosure
Organisations are generally prohibited from using or disclosing Government Related Identifiers.
Exceptions exist, but they are limited. They include situations where the use or disclosure of the identifier is:
The Importance of Compliance
Non-compliance can lead to serious legal consequences and damage to your organisation’s reputation. It’s crucial to understand and adhere to these regulations to maintain trust and integrity.
Your organisation should have clear policies and training for staff on handling these identifiers. This includes secure storage practices, restricted access, and regular audits to ensure compliance.
It is also important to have a robust plan in place for responding to any breaches involving these identifiers. This includes notifying affected individuals and the appropriate regulatory bodies.
Given the complexities, it may be beneficial to seek expert advice (from the team at de.iterate) or consult further resources.
Navigating the use of government-related identifiers requires a careful balance between operational needs and privacy obligations. By adhering to APP 9, your organisation not only complies with the law but also demonstrates a commitment to protecting the privacy of individuals’ sensitive information.
Disclaimer: The articles on our website are intended to stimulate interest in the subject matters. All comments and articles are for information purposes only. Professional advice should be sought on specific matters, and with lawyers under Costs Agreement and to which Legal Professional Privilege (LPP) applies.