Under Australian Privacy Principle (APP) 9 - Adoption, Use or Disclosure of Government Related Identifiers, an organisation must not use, disclose, or adopt a Government Related Identifier of an individual, unless one of the limited exceptions apply.
Let's delve into what this means for your organisation.
What is a Government Related Identifier?
A Government Related Identifiers are unique numbers or codes assigned by Government agencies (Commonwealth, State or Territory) or assigned by agent of a Government agency or contracted service provider of a Government agency, which can be used to identify individuals.
Examples of Government Related Identifiers include passport numbers, driver’s license numbers, tax file numbers, Centrelink numbers and Medicare numbers.
The following are not Government Related Identifier’s under the Privacy Act:
An individual’s name
An individual’s Australian Business Number (ABN)
Anything else prescribed by the Privacy Regulations
Restrictions Under APP 9
Adoption
An organisations must not adopt a government related identifier of an individual as its own identifier of the individual unless:
Is the adoption is require or authorised by or under an Australian law or court/tribunal order, or
The identifier or the organisation is named (or included in a class of organisations) is prescribed by the Privacy Regulations, or
The adoption occurs in the circumstances prescribed by the Privacy Regulations.
This means that most organisations should take precautions not to adopt Government Related Identifiers as their own identifiers for identifying individuals in their systems.
Use and Disclosure
Organisations are prohibited from using or disclosing Government Related Identifiers of an individual, to any third party, unless:
Reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions, or
The use or disclosure is reasonably necessary to fulfil obligations to an agency or State or Territory authority, or
Required or authorised by Australian law or a court or tribunal order, or
A Permitted General Situation exists in relation to the use or disclosure of the identifier[1], or
The organisation ‘reasonably believes’ that the use or disclosure of the identifier is ‘reasonably necessary’ for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
Is permitted by an Australian law or court/tribunal order, or
The identifier or the organisation is named (or included in a class of organisations) is prescribed by the Privacy Regulations, or
The use or disclosure occurs in the circumstances prescribed by the Privacy Regulations.
The Importance of Compliance
Non-compliance with APP9 may not only attract substantial financial penalties under the Privacy Act, but it may also lead to serious damage to your organiation's reputation.
To adhere to the requirements under APP9 your organisation should consider implementing clear policies and training for staff on handling Government Related Identifiers.
It is recommended that you seek legal advice if you require further assistance with developing the necessary internal policies and procedures in relation to the handling of Government Related Identifiers.
This help article does not purport to be legal advice and it is recommended that organisations seek independent legal advice to better understand their legal obligations under Privacy Act.
[1] Involves circumstances where personal information, including a Government Related Identifier of an individual can be disclosed without the individual’s consent to allow an organisation to fulfill essential functions or protect important interests while still respecting individual privacy. Examples, of permitted general situations include situations where disclosure is necessary to prevent serious harm to the individual, other or the public (such as the spread of an infectious disease). Situations that involve missing persons, law enforcement (such as criminal investigations) and internal investigations (for when investigating unlawful activity or misconduct within an organisation).