Direction relating to the integrity of Identity Data Pilot
This Direction had effect from 29 June 2007 until the completion of the participation by the Registrar in the Pilot.
Schedule 1 - Direction under s.41(1) of the PPIP Act
This is a Direction under s. 41(1) of the Privacy and Personal Information Protection Act 1998.
In this Direction:
“ATO” means the Australian Taxation Office;
“Department” means the New South Wales Attorney General’s Department;
“NISS” means the National Identity Security Strategy;
“PPIP Act” means the Privacy and Personal Information Protection Act 1998;
“Pilot” means the Integrity of Identity Data Pilot;
“Registrar” means the Registrar of Births, Deaths and Marriages;
“Registry” means the Registry of Births, Deaths and Marriages;
“URN” means the Unique Reference Number.
The Commonwealth Government has invited the Registrar to participate in the proposed Pilot. The Pilot would require the Registry to match personal information data provided by the ATO against its own records, and to return to the ATO a score indicating the degree of correlation between the ATO data and its own records.
The Pilot is part of the NISS endorsed by the Council of Australian Governments at its meeting on 27 September 2005. One of the key objectives of the NISS is to improve the accuracy of personal identity information in government registers.
The aim of the Pilot is to trial and develop processes to enable effective data-matching to be conducted between government agencies in order to improve the accuracy of their databases.
The Pilot will be jointly led by the Commonwealth Attorney General’s Department and the ATO, and involve the Registrar and a number of Commonwealth agencies. The ATO will select a sample of 25,000 individuals from its client register. The sample will include data on individuals’ names, dates of birth, and addresses only, including current and historical names and addresses. The sample will be restricted to persons residing in New South Wales.
The ATO will deliver an encrypted copy of the selected data sample, on CD technology, to nominated staff of the Registry. The Registrar will transfer the data to his own mainframe computer environments to enable the identity data-matching to occur. The ATO sample data file will not be used by the Registrar for any purpose other than the identity matching required for the Pilot. All back-up files will be destroyed within a specified time after completion of the Pilot.
The ATO sample will be matched by the Registrar against information contained in the Register maintained by the Registrar pursuant to the Births, Deaths and Marriages Registration Act 1995.
A “match score” will be calculated by the Registrar, indicating the degree of correlation between the ATO sample and the records in the Register. The “scored records” will be returned to the ATO stripped of all personal information, using a URN created for each identity by the ATO for the purposes of the Pilot. The URN is not the individual’s Tax File Number.
After receiving the match scores from the Registrar, the ATO will aggregate the results for each sample individual to form a sequence of the scores assigned by the Registrar to that record. This sequence will then be used to classify each individual’s record to a distinct, pre-defined profile which is based on the nature and extent of the correlations found with the Registrar’s identity registers and with an associated level of perceived risk. There are six profiles formulated for the Pilot, ranging from “the identity is highly confirmed” to “the identity is not substantiated”.
The next stage (“the analysis phase”) of the Pilot involves examining the identity matching processes carried out by the participating agencies. The identity matching process is likely to identify discrepancies between the details recorded for an individual on an ATO record and the details recorded by the Registrar. The reasons for these discrepancies may include administrative or client error, change of name, complexities involving naming conventions and recording, and the registration and use of false identities. It is likely that further analysis will be required to fully explain the reasons for some discrepancies, and to establish the degree to which the discrepancies can be explained by technical deficiencies. Analysis will enable some corrective interpretation to take place.
The Registrar will retain the CD-based files provided by the ATO until the Pilot has been completed, when they will be returned to the ATO. The Registrar will also retain a file containing the URN and unique agency identifier only – neither of which will contain personal information – to assist subsequent analysis and investigation procedures if required. These files will be retained for the duration of the analysis phase. All other versions of the data will be destroyed in line with the security regime of the Registrar, and in line with existing memoranda of understanding in place with the ATO or other agreements surrounding the conditions for storage and safe return of the data.
The final stage of the revised Pilot is the evaluation phase, involving analysis of the technical aspects of the Pilot and the effects of allocation to the risk profiles, in order to help determine how identity matching techniques might best be applied in future exercises. This analysis will include determining the level of performance achieved by the model used in the Pilot, comparing the identity matching methodologies and technologies employed by participating agencies, exploring how the implemented model could have been improved, and incorporating the lessons learned from the Pilot to document “best practice” identity matching.
The ATO has confirmed that its use of the results of the data-matching will be restricted to the purposes of the Pilot and, in particular, will not give rise to administrative or compliance action against the individuals whose records are involved.
The Commonwealth has developed a Privacy Impact Assessment which will apply to the Pilot. It is proposed that the Commonwealth and the Registrar enter into a Memorandum of Understanding once the Registrar has confirmed his ability to participate in the Pilot.
This Direction has been made to allow the Department (the Registrar) to collect and use personal information for the purposes of participating in the Pilot.
I am satisfied that the public interest in making this Direction is greater than the public interest in requiring the Department (the Registrar) to comply with the Information Protection Principles as referred to in the provisions set out below.
This Direction covers the Department (the Registrar).
1. The Department (the Registrar), in collecting and using personal information in accordance with the Pilot, as described in this Direction, need not comply with sections 8(1), 9 and 17 of the PPIP Act.
2. Paragraph 1 is subject to the condition that the collection and use of personal information by the Department (the Registrar) is reasonably relevant and reasonably necessary for the purpose of meeting the objects of the Pilot.
This Direction has effect until the completion of the participation by the Registrar in the Pilot.
Signed by me on this 29th day of June 2007.
Acting Privacy Commissioner