9 November 2018

Our reference: D2018/012692

Mr Roger Wilkins AO and Professor David Lacey

National Arrangements for the Protection and Management of Identity Information
C/o Department of Home Affairs
4-6 Chan St
BELCONNEN ACT 2613

By email: submissions@homeaffairs.gov.au

Public consultation on the Review of national arrangements for the protection and management of identity information

Dear Mr Wilkins and Professor Lacey

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide a submission to the Review of national arrangements for the protection and management of identity information (the Review).

We understand that the Review will identify ways to enhance or strengthen arrangements that support and govern the protection and management of identity information in Australia. The Review’s recommendations may provide the basis for a future iteration of the National Identity Security Strategy (NISS).

The OAIC welcomes the objective of the Review to better protect Australians from the theft or misuse of their identity information, and to assist people to minimise and recover from the impacts of identity crime. The Review is an opportunity to bring together policy and regulatory responses to this issue from across state and territory governments, business and the not-for-profit sector.[1]

We also note the objective to provide better targeted government services to individuals and business, and welcome the commitment to achieving these objectives in a manner that respects and promotes people’s privacy. In that regard the OAIC is of the view that any recommendations of the Review should consider community expectations about the handling of their personal information, including the collection, use, disclosure and security of identity information. The OAIC’s research into community attitudes towards privacy indicates that most Australians are concerned about identity theft, and that the proportion of people who know someone who has been the victim of identity theft has increased.[2]

As the regulator of the Privacy Act 1988 (Cth), the OAIC provides guidance, oversight and enforcement of the obligations upon entities subject to that Act to handle and protect identity information. This submission provides information regarding our regulatory experience and recommends that the Review take a privacy by design approach to ensure strong privacy and security protections are embedded in any recommendations made.

Protecting Australians from theft and misuse of identity information and assisting recovery

The Privacy Act 1988 and identity information

The Privacy Act provides obligations on entities subject to the Act, and provides a framework for protecting Australians from theft and misuse of identity information and assisting recovery. Entities must have in place good governance of personal information, limit the collection of personal information to that which is necessary, use or disclose personal information for the purposes for which it was collected, and ensure individuals can readily access or correct their personal information. In particular, entities must also take reasonable steps to protect personal information from unauthorised misuse, interference and loss; and from unauthorised access, modification or disclosure.

Personal information and sensitive information

The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable. Identity information would be personal information. Some identity information, such as biometric information, would also be sensitive information for the purposes of the Privacy Act.[3] Sensitive information is generally afforded a higher level of privacy protection under the Australian Privacy Principles (APPs) than other personal information, including a requirement to obtain individuals’ consent prior to collection in some circumstances.

It would be beneficial to articulate the scope of ‘identity information’ for the purposes of this Review, to help identify any differences in terminology with the Privacy Act[4] and provide an opportunity to align the language.

The Australian Privacy Principles as a framework for managing identity information

The Privacy Act includes 13 legally binding APPs. The APPs set out standards, individuals’ rights and entities’ obligations in relation to handling, holding, accessing and correcting personal information. In this submission we refer to particular APPs that relate closely to the Review’s focus on arrangements for the protection, use and management of identity information in Australia.

APP 1 requires all entities bound by the Privacy Act to manage personal information in an open and transparent way, and to take reasonable steps to implement practices, procedures and systems and ensure that individuals are able to exercise the rights available to them under the APPs. While there are exceptions to the application of certain APPs, some of which are described below, the overarching principle of managing personal information in an open and transparent way should inform the way in which entities manage identity information.

Generally, under APP 3 an entity is only permitted to collect personal information if that information is reasonably necessary for one or more of its functions or activities. Exceptions apply in some circumstances, however, such as where the collection is required or authorised by law.[5] Similarly, under APP 6 an entity is generally only permitted to use or disclose personal information for the purpose for which it was collected, unless the individual has consented or an exception applies.[6]

Identity information is often collected on a compulsory basis (as required or authorised by law), particularly by, or on behalf of, the Australian Government, with individuals having little choice or control over whether to provide it. The operation of the ‘required or authorised by law’ exception under APP 6, where it applies, similarly limits individuals’ control over the personal information that has been compulsorily collected from them.

Notwithstanding the availability of exceptions like these, however, a number of rights and obligations attach to the personal information an entity collects. These obligations reflect the community’s expectations about how their personal information should be managed, and apply for however long the entity holds it.

Importantly, APP 11 requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference, loss, unauthorised access, modification or disclosure. In the physical domain, reasonable steps may include installing barriers, locks and alarms. In the virtual domain, reasonable steps may include ICT security measures such as firewalls, encryption, penetration testing and access monitoring. Entities are also required to minimise their security risk profile by destroying or de-identifying personal information they no longer need.[7]

Assisting individuals through data breach notifications

In the event of a data breach, entities with security obligations under the Privacy Act are required to comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Under the scheme, entities are required to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

Importantly, a data breach notification must include recommendations about the steps individuals should take in response to the breach. This is in keeping with the scheme’s core purpose of increasing transparency and accountability, and enabling individuals to take steps that may be necessary to mitigate any risk that their personal information has been misused, such as through identity crime.

From the commencement of the Notifiable Data Breaches scheme on 22 February 2018 through to 30 September 2018, the OAIC received 550 notifications. Our experience in regulating the scheme to date has shown that identity information[8] is frequently involved in data breaches notified to the OAIC.[9] Across all of the notifications to the OAIC in the most recent quarter, malicious or criminal attacks were the most common source of notified data breaches.[10] Within this category, most data breaches occurred as the result of compromised credentials, such as passwords. Human error was also a dominant cause of data breaches, with personal information being sent to the wrong recipient a consistent trend to date.

As the OAIC continues to gather statistics and build a picture of the trends in personal information security risks, we will focus our regulatory approach on targeted and effective prevention. We encourage this Review to consider how trends in notified data breaches can inform practices and procedures that improve the security posture of all entities in the economy that handle identity information.[11]

The OAIC’s regulatory role

The OAIC has regulatory oversight of how entities that are regulated by the Privacy Act (including most Australian Government agencies, and all private sector and not-for-profit organisations with an annual turnover of more than $3 million), must handle, use and manage individuals’ personal information under the APPs.

The Privacy Act confers a range of regulatory powers on the Privacy Commissioner to ensure the proper handling of personal information. These powers range from powers designed to facilitate compliance with the Privacy Act, such as conducting risk-based privacy assessments or requesting that entities develop a code that covers their activities; through to investigative powers to deal with an alleged interference with privacy, such as handling complaints, conducting investigations and conciliating disputes; and ultimately, enforcement powers to compel compliance with the Privacy Act, such as accepting enforceable undertakings, making determinations and applying for civil penalty orders.[12]

The OAIC also engages proactively with respect to the management of identity information. The OAIC engages with entities and their new initiatives, such as the Digital Transformation Agency (DTA) and its Trusted Digital Identity Framework (TDIF), to build privacy into new proposals for handling identity information. The OAIC has also had an ongoing engagement with the Department of Home Affairs[13] regarding the development of the identity-matching services contemplated by the Intergovernmental Agreement on Identity Matching Services[14] and the Identity-matching Services Bill 2018 (IMS Bill).[15]

The OAIC plays an active role in monitoring the privacy impacts of existing initiatives that involve identity information. For example, the OAIC has conducted a series of proactive risk-based privacy assessments relating to the Document Verification Service, encompassing users across government and the private sector.[16] The OAIC has also entered into an arrangement with the Department of Home Affairs to conduct proactive assessments in relation to the identity-matching services.

The growing number of initiatives involving the collection and use of identity information is steadily increasing the complexity of this regulatory area. The OAIC plays a pivotal role in preventing and detecting risks to individuals in the handling of their identity information, as well as facilitating remedies for individuals where their identity information has been mishandled, through initiatives like the Notifiable Data Breaches scheme. As this area continues to expand, the Review should consider the benefit to individuals of increased oversight of the way in which entities manage identity information, and the resourcing that this oversight would require.

The broader regulatory landscape for managing identity information

The OAIC is one of a number of regulators, agencies and other entities that have a role in the current landscape for collecting, using and disclosing identity information. From a service delivery perspective, providers across government and the private sector are developing new ways for identity information to be collected and used, such as DTA’s ‘myGovID’ and Australia Post’s Digital iD. From a regulatory perspective, state and territory privacy regulators oversee the management of identity information in their respective jurisdictions while, at the federal level, the OAIC and agencies like the Australian Cyber Security Centre (ACSC) provide advice and information about protecting identity information. Outside of government, organisations like IDCARE also play an important role in helping individuals to mitigate the impacts of identity crime.

The OAIC works collaboratively with counterparts like the ACSC and IDCARE to monitor and respond to incidents in which identity information has been mishandled. As for the OAIC, working closely with other bodies in this area is one of the ACSC’s stated objectives.[17] These relationships are well established amongst the parties involved, and their visibility outside of government continues to grow.

Noting that this Review may focus on coordination amongst government agencies, and between government and other entities, we consider that the Review provides an opportunity to clearly articulate and strengthen the complementary roles of regulators and other bodies in relation to managing identity information. We can provide further information on the OAIC’s existing relationships in this area if it would assist the Review.

Consistent privacy protections

We note that the Review will consider the legislative frameworks for the protection and management of identity information. This provides an opportunity to help ensure consistent policy and legislative responses to identity management and protection. In particular, protection of personal information across Australia remains uneven, with South Australia and Western Australia yet to adopt privacy laws. In order to ensure consistent protection of identity information, consideration should be given to mechanisms to protect identity information nationally.

Should the Review consider changes to arrangements for handling identity information, or to regulatory oversight of identity information, the OAIC considers that implementing change through legislation, as opposed to other, less formal mechanisms, is more appropriate in order to provide a level of privacy protection and Parliamentary oversight that is commensurate with the sensitivity of identity information.[18]

While Australia’s current privacy laws recognise that the protection of individuals’ privacy is not an absolute right, any instance of limitation must be subject to a careful and critical assessment of its necessity, legitimacy and proportionality.[19] To ensure any adjustments to arrangements for managing identity information are reasonable, necessary and proportionate, it will be important to consider the evidence of why existing arrangements are no longer appropriate and how to ensure any new arrangements contain more appropriate safeguards.

Community attitudes to privacy and identity

The OAIC’s Australian Community Attitudes to Privacy Survey captures a snapshot of Australians’ changing awareness and opinions about privacy, as well as their expectations in relation to how their personal information is handled. Relevantly, the 2017 edition of the survey found that:[20]

  • Australians believe that online services (including social media), identity fraud and theft, and data security breaches are the three biggest privacy risks facing the community
  • just over half (58%) of Australians consider state and federal government departments are trustworthy custodians of their personal information
  • one third (34%) of the community is comfortable with the government sharing their personal information with other government agencies
  • Australians’ comfort level with providing biometric information in service delivery contexts is generally increasing, but is still some way from majority acceptance.[21]

It is timely that this Review is being conducted when there is clear concern amongst the community about identity theft. The 2017 survey results also indicate that most Australians are not comfortable with their personal information being shared amongst government agencies, and that governments generally have some room for improvement in their trustworthiness as custodians of personal information. Overall, these results suggest that community acceptance of new arrangements for handling identity information, such as the development of better targeted government services, will depend on how well those services take privacy into account.

With this in mind, the Review may wish to consider whether any new arrangements for better targeted services will promote trust amongst the community that their identity information is protected by appropriate security controls, and managed in an open and transparent way.

Biometric technologies, in particular, have the potential to offer the community many benefits. However, the use of biometric technologies as part of new identity arrangements would also have privacy impacts. A proactive approach to engaging with all individuals in the community on the privacy risks and benefits of any changes, together with the implementation of robust privacy and security controls to minimise those risks, is crucial to building community trust and confidence.

Privacy by design and privacy impact assessments

The OAIC acknowledges the potential for privacy enhancements to be included in new arrangements for managing identity information. For example, the DTA’s TDIF aims to facilitate security and privacy-preserving digital identity services, while also giving people greater control over their personal information. However, given the scale and sensitivity of identity information holdings in Australia, the OAIC notes the potential privacy impacts of any practices and systems for the collection, use, and disclosure of this information.

The OAIC supports the Review’s focus on achieving its objectives in ways that respect and promote people’s privacy. The OAIC suggests that the Review continue to promote a ‘privacy by design’ approach in any recommendations that it makes. ‘Privacy by design’ is about finding ways to build privacy into projects from the design stage onwards and is a fundamental component of effective data protection. This involves taking a risk management approach to identifying and mitigating privacy risks.

Taking a privacy by design approach would support the overall objectives of the project and reduce potential privacy risks in a number of ways:

  • considering, at the outset of a transaction that involves identity information, the purposes for which identity information will be collected
  • ensuring that the identity information individuals will be required to disclose is specifically aligned with those purposes, so that any new arrangements only require individuals to disclose the minimum amount of identity information necessary[22]
  • taking steps at the design stage of a project to implement security controls that minimise risks to individuals’ privacy while also optimising the uses of identity information
  • building public trust and confidence in a new arrangement through consistent and transparent messaging
  • avoiding implementation delays and added costs associated with revising project design to incorporate community concerns around privacy and security.

Privacy impact assessments (PIAs) are an important tool that supports the ‘privacy by design’ approach. A PIA is a systematic assessment of a project that identifies the impact it might have on the privacy of individuals and sets out recommendations for managing, minimising or eliminating that impact. PIAs are now a requirement for all Australian Government agencies under the Australian Government Agencies Privacy Code.[23] Conducting PIAs would help to assess the privacy impacts of any changes to identity information handling practices that may be proposed by this Review. The OAIC has developed the Guide to undertaking privacy impact assessments[24] and an eLearning course on conducting a PIA,[25] which aim to assist entities undertaking a PIA.

Further opportunity for consultation

We encourage the Review to consult further with stakeholders as opportunities or options for reforms are developed. The OAIC would welcome the opportunity to participate in these consultations. The OAIC is also available to provide further information or assistance to the Department of Home Affairs and the Review as required.

Yours sincerely,

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

Footnotes

[1] The Australian Government’s Cyber Security Strategy, for example, notes the importance of cross-sectoral partnerships for strong cyber security, which will in turn protect identity information.

[2] The OAIC’s Australian Community Attitudes to Privacy Survey 2017 found that 69% of Australians are concerned about identity theft and 26% know someone who has been the victim of identity fraud or theft, up from 17% in 2007 and 21% in 2013. Download the OAIC’s Community Attitudes to Privacy Survey 2017.

[3] Section 6(1) of the Privacy Act.

[4] Section 6 of the Privacy Act. ‘Identification information’ and ‘identifier’ are also defined terms under s 6 of the Privacy Act.

[5] APP 3.4(a).

[6] APP 6.2(a).

[7] The Review may wish to have regard to the OAIC’s policy statements on how we interpret and apply the APPs in guidance such as the APP Guidelines and the Guide to Securing Personal Information which outlines a number of mechanisms that entities can use to satisfy their APP 11 requirements.

[8] For the purposes of the OAIC’s Notifiable Data Breach scheme statistics, identity information is categorised as information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier.

[9] Identity information was involved in 35% of the total notifications received from 1 July to 30 September 2018. This figure was similar in the April-June (39%) and January-March (24%) reporting periods.

[10] 57% of data breaches were attributable to a malicious or criminal attack, 37% were attributable to human error and 6% to system fault.

[11] Detailed breakdowns of notified data breach statistics are available at: Quarterly Statistics Reports.

[12] Refer to the OAIC’s Privacy Regulatory Action Policy for more information.

[13] The Attorney-General’s Department commenced this engagement, though the Department of Home Affairs was subsequently established and carries out some of the functions of the Attorney-General’s Department, including the engagement with the OAIC on these matters.

[14] https://www.coag.gov.au/about-coag/agreements/intergovernmental-agreement-identity-matching-services.

[15] See Section 7 of the IMS Bill.

[16] See, for example, two recent OAIC privacy assessments of DVS ‘Gateway Service Providers’: Handling personal information — VIX Verify; Handling personal information — Trulioo.

[17] ‘We work with our business, government and academic partners and experts in Australia and overseas to investigate and develop solutions to cyber security threats’. Refer to About this site.

[18] For more information, refer to the OAIC’s submission to the Parliamentary Joint Committee on Intelligence and Security’s review of the IMS Bill.

[19] Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age UN Doc A/HRC/27/37 (2014), paragraph 23, <https://www.ohchr.org/en/issues/digitalage/pages/digitalageindex.aspx>.

[20] Download the OAIC’s Community Attitudes to Privacy Survey 2017.

[21] The proportion of people who are somewhat or very concerned about using biometric information has fallen for accessing a licensed pub, club, bar or hotel (58% concerned, down from 71% in 2013) and for accessing a place of work or study (46% concerned, down from 55% in 2013).

[22] For example, the NSW Government is trialling a digital driver licence that operates via a QR code on an individual’s smartphone. The QR code can be configured to disclose specific identity attributes for different transactions, such as establishing authority to drive a car, or proof of age to enter licensed premises. Refer to Digital Driver Licence.

[23] For the purposes of the Code, an Australian Government Agency has the meaning given in section 6(1) of the Privacy Act, with the exception of a Minister. Refer to Australian Government Agencies Privacy Code.

[24] See Guide to undertaking privacy impact assessments.

[25] See Undertaking a Privacy Impact Assessment — eLearning course.