Skip to content
English
Contact
  • There are no suggestions because the search field is empty.

Understanding the Rules of Government related Identifiers and APP9

Under Australian Privacy Principle (APP) 9 - Adoption, Use or Disclosure of Government Related Identifiers, an organisation must not use, disclose, or adopt a Government Related Identifier of an individual, unless one of the limited exceptions apply.

Let's delve into what this means for your organisation.

What is a Government Related Identifier?

A Government Related Identifiers are unique numbers or codes assigned by Government agencies (Commonwealth, State or Territory) or assigned by agent of a Government agency or contracted service provider of a Government agency, which can be used to identify individuals.

Examples of Government Related Identifiers include passport numbers, driver’s license numbers, tax file numbers, Centrelink numbers and Medicare numbers.

The following are not Government Related Identifier’s under the Privacy Act:

  • An individual’s name

  • An individual’s Australian Business Number (ABN)

  • Anything else prescribed by the Privacy Regulations

Restrictions Under APP 9

Adoption

An organisations must not adopt a government related identifier of an individual as its own identifier of the individual unless:

  • Is the adoption is require or authorised by or under an Australian law or court/tribunal order, or

  • The identifier or the organisation is named (or included in a class of organisations) is prescribed by the Privacy Regulations, or

  • The adoption occurs in the circumstances prescribed by the Privacy Regulations.

This means that most organisations should take precautions not to adopt Government Related Identifiers as their own identifiers for identifying individuals in their systems.

Use and Disclosure

Organisations are prohibited from using or disclosing Government Related Identifiers of an individual, to any third party, unless:

  • Reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions, or

  • The use or disclosure is reasonably necessary to fulfil obligations to an agency or State or Territory authority, or

  • Required or authorised by Australian law or a court or tribunal order, or

  • A Permitted General Situation exists in relation to the use or disclosure of the identifier[1], or

  • The organisation ‘reasonably believes’ that the use or disclosure of the identifier is ‘reasonably necessary’ for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or

  • Is permitted by an Australian law or court/tribunal order, or

  • The identifier or the organisation is named (or included in a class of organisations) is prescribed by the Privacy Regulations, or

  • The use or disclosure occurs in the circumstances prescribed by the Privacy Regulations.

The Importance of Compliance

Non-compliance with APP9 may not only attract substantial financial penalties under the Privacy Act, but it may also lead to serious damage to your organisation's reputation.

To adhere to the requirements under APP9 your organisation should consider implementing clear policies and training for staff on handling Government Related Identifiers.

It is recommended that you seek legal advice if you require further assistance with developing the necessary internal policies and procedures in relation to the handling of Government Related Identifiers.

This help article does not purport to be legal advice and it is recommended that organisations seek independent legal advice to better understand their legal obligations under Privacy Act.