Carly Kind
Privacy Commissioner
Many of us take having a unique identity for granted, but as social media opens up the globe, more and more of us are finding our name twins scattered across the world, often to our delight and amusement. However, for a small number of Australians, the idea of a ‘digital doppelganger’ is at best a daily nuisance and at worst a recurrent logistical nightmare. Home Affairs data from way back in 2011 estimates that there are hundreds of ‘twins’ in Australia who share the same name and date of birth. When digital government systems confuse the personal information of such twins, it can cause their personal records to become intertwined.
This is the issue at hand in a recent determination concerning Services Australia’s failures to protect the personal Medicare information of the complainant from being intertwined and disclosed to another person, and for failing to ensure his Medicare records were accurate, up to date and relevant in accordance with the Australian Privacy Act 1988. Intertwinement primarily occurs when staff incorrectly add personal information to the wrong account or a third-party provider submits a claim for the wrong customer.
The idea of a digital doppelganger might seem like a curiosity, but its catchy ring conceals a difficult reality. Individuals whose government records, such as Medicare, Centrelink and child support services, are intertwined may suffer not only inconvenience but real harm. They or their health practitioners may be prevented from accessing accurate records to enable the timely provision of health services. Further, those individuals’ ability to manage the financial aspects of health and government services may be compromised. Although only a small subset of Australians may be affected, the potential harm is significant, and was at the forefront of my mind in making this determination.
The determination recognises that, since the complainant began raising these issues with Services Australia a decade ago, the agency has come a long way in putting in place systems and protections to minimise the likelihood that intertwinement has happened.
Unfortunately, some of those remedies actually impede the complainant’s use of government services, a consequence that would ideally, but may not realistically, be avoided.
Nevertheless, I find that during the time period under consideration, from 2015 to 2021, Services Australia did not take the reasonable steps necessary to ensure the quality of the personal information it held and to prevent the disclosure of sensitive personal information to other customers.
I have awarded the complainant compensation of $10,000 for distress arising from the privacy breaches, which must have been a considerable burden on his time and energy over the past decade. In requiring Services Australia to further review the effectiveness of its guidelines as they relate to the intertwinement of customer records, I hope to ensure that the unfortunate reality of digital doppelgangers is relegated to the recycle bin.
