Privacy Law and Policy Reporter
The Privacy Commissioner has published the first detailed survey showing the extent of data-matching by Commonwealth government agencies in Australia, and has recommended that all forms of data-matching be brought under legally-binding controls within the Privacy Act 1988 (Cth).
Data-matching programs in Australia are not subject to detailed legislative control, with the very significant exception of those carried out under the Data-matching Program (Assistance and Tax) Act 1990 (Cth). Some of the Information Privacy Principles (IPPs) in the Privacy Act apply to all Commonwealth data-matching activities, such as IPP 8 (requiring agencies to take reasonable steps to ensure information is accurate before using it). IPPs 10 and 11, which restrict the use and disclosure of personal information, do not in practice have as much effect on data matching as might be expected. The Commissioner states that they 'provide little restraint', for two main reasons:
'In broad terms, data-matching tends to increase the level of information surveillance of the population at large by Government bodies', the Commissioner concludes, arguing that the existence of data-matching encourages use of bulk data about people, the collation of data from different sources, and resulting pressure for multi-purpose unique identification numbers to facilitate accurate matching. The report also states that 'experience has shown that data-matching programs are liable to make errors in identifying which records in different databases relate to the same person, and in deciding whether there is a prima facie case for further action', and details where the sources of error can arise. Unfortunately, no references to studies of data-matching, or cases where errors have arisen, are given.
The Commissioner argues that, while some of the problems of data-matching can be addressed by ensuring that it is carried out with fair procedures, the fact that it 'is likely to change the flow and use of data' can only be addressed 'in the context of whether data-matching programs should proceed.' 'New data-matching initiatives should only proceed if there are clear reasons for believing that the public interest in conducting them justifies the privacy impact of further extending the overall program of data-matching.' He notes that 'the recent history of cost-justification has been a poor one in relation to the one regulated data-matching program' (that is the 1990 Act: see 2 PLPR 13, 1 PLPR 8).
The Commissioner issued voluntary Data-Matching Guidelines under s27(1)(e) of the Privacy Act in 1992 (see the Report, Appendix C, or the Federal Privacy Handbook ). As the Commissioner says, the guidelines go beyond the requirements of the IPPs in some respects, but were issued because 'data-matching programs warrant special privacy protection'.
In summary, the voluntary guidelines provide that:
Although the voluntary guidelines do not impose any draconian restraints on data-matching, they have in effect been rejected or ignored by most Commonwealth agencies. Twelve agencies have refused to comply with the guidelines, and others have been non-committal. These agencies include those involved in matching exercises such as Tax, Customs and the Federal Police. While 24 agencies have agreed in principle to accept the guidelines, only two (Social Security and the Health Insurance Commission) had actually prepared program protocols at the time of the report. In contrast, the Commissioner notes, compliance with the statutorily enforceable guidelines under the 1990 Act has been 'prompt and rigorous'.
After showing in the report that most Commonwealth data-matching occurs outside the controls of the data-matching Act (see below), the Commissioner recommends to the Attorney-General that the Privacy Act be amended to include uniform controls for all data-matching, based on the provisions in the voluntary guidelines. However, to ensure flexibility, the Act should only provide the framework, to be supplemented by enforceable guidelines issued by the Commissioner.
As part of his evaluation of the voluntary guidelines, the Commissioner's Office surveyed Commonwealth agencies to determine the extent and type of data-matching carried out by Commonwealth agencies. The survey identified 45 data-matching programs, 43 of which are summarised in the report (omitting two national security or police intelligence programs).
The survey showed that the preponderance of programs (28) were for 'case selection' ('whose function is to select cases of interest for further action'), whereas 11 were 'communication programs' (where data from one database is used to update another, but with no direct aim of further action following), two were research programs which only extracted aggregated data, and two were police intelligence programs. Since all of the programs conducted under the 1990 Act were classified together as one 'case selection' program, the dominance of these programs is even greater.
In 19 of the 28 case selection programs, the detection of cases where individuals may be receiving government benefits to which they are not entitled was the sole or major function. Other purposes were to monitor compliance with tax laws (one very large program using diverse sources), to enforce immigration laws (two programs, dealing with matching tax information against illegal immigrants, and matching study discontinuations against student visas), and to enforce corporate laws (proposed matching of bankruptcy information against company directorships).
Nine of the 28 case selection programs involved some sources of information other than Commonwealth agencies, but only two programs involved more than one type of 'outside source' (the tax enforcement program in relation to employers, financial institutions and building registration authorities; and Social Security in relation to state and local government authorities).
The private sector organisations involved in one or two matching schemes with Commonwealth agencies were employers, financial institutions, worker's compensation insurers, and educational authorities. The state and local government organisations
whose data was provided to Commonwealth agencies for matching were educational institutions, building registration authorities, Departments of Corrective Services, the Births Deaths & Marriages Register in WA (only), state Workcover organisations, and (for DSS only) 'other state and local government authorities'.
The survey also only revealed two instances where personal information held by Commonwealth agencies was provided to state agencies, for those agencies to match against their records and return a list of 'hits' to the Commonwealth. The survey
includes instances where Commonwealth agencies conduct matches for the benefit of state or local government agencies (for example, DSS checks that those claiming concessions from state or local government are entitled to). It is not clear from the report that there are no instances of matching programs conducted by state agencies for their own purposes, for which Commonwealth agencies provide data, but do not receive results.
There was only one instance of the Commonwealth providing personal data to a private organisation for it to conduct its own matching program - a mailing offer to defence personnel - and this was done with the consent of the individuals concerned.
A notable aspect of the report is that the extent of data-matching it reveals is less than might have been expected, given the degree of interest in data-matching that has been shown in some parts of the Commonwealth administration in recent years. Privacy advocates expected that a lot more data-matching was occurring 'out of sight' of the reporting requirements of the 1990 Act. Most of the programs detailed in this report cover activities that are unsurprising targets for data-matching techniques. Similarly, the degree of information exchange for matching purposes between the Commonwealth on the one hand, and on the other hand state and local agencies or the private sector, is surprisingly low (even in the tax field). Given that the Commonwealth government is known to have been a far more aggressive and enthusiastic user of data-matching in recent years than state governments, and that there is little anecdotal evidence of state data-matching activities (except in the area of land tax enforcement), the report also tends to confirm that there is little data-matching activity yet occurring at state level.
While data-matching is only one form of computerised surveillance, it is the one which is most prevalent at present. The tentative conclusion suggested by the report is that data-matching, while extensive, is not as widespread a method of social administration in Australia as might have been expected. This 'restraint' is due in part to the collapse of the LEAN proposal (see 1 PLPR 21), and it remains to be seen whether the Federal Government regains an enthusiasm to extend data-matching or other data surveillance techniques.
One of the most useful aspects of the report is that the survey gives a factual basis for discussions of data-matching. It is this type of information which needs to be updated on an annual basis for inclusion in the Commissioner's Annual Report, or the Personal Information Digest. However, the survey surprisingly lacks one vital item of information about each matching program: the legislative basis for its justification. Do all 45 existing programs have proper legal authority, or are some in breach of IPP 11?
The Commissioner's recommendation for comprehensive legislation to regulate matching is sound, and the proposed guidelines do address procedural fairness and attempt to require agencies to properly define programs and produce cost-justifications. However, they are very weak on what the Commissioner himself says is the crucial issue - the decision of whether a program should proceed at all. The proposed guidelines will leave this decision to the agency concerned, provided it has some legal authority (which can be as weak as informing individuals that matching will occur), and provided it at least considers cost-justification. If the extension of data-matching is as important as the Commissioner says, then a more appropriate response might be to give the Parliament some veto power over the development of new data-matching programs. One method to achieve this would be by requiring that the program protocol and cost-benefit materials, and the Commissioner's comments thereon, be tabled in Parliament and subject to disallowance within a period of time.
There needs to be some general Parliamentary oversight of the growth of the more dangerous forms of data surveillance (including data-matching), because individual agencies are not capable of balancing the overall privacy costs of surveillance activities against the short-term benefits via their own agency. The Privacy Commissioner is unlikely to be given any general 'veto power' over agency surveillance activities, but it is too dangerous to simply let data surveillance expand in an uncoordinated way while merely requiring that procedural fairness be observed and some cost-justification considered. A comprehensive data-matching law which addressed the issue of public control of the growth of data-matching would provide a valuable model by which the control of new forms of data surveillance could be addressed in future.