1. UPP1: Anonymity and pseudonymity

Updates and background for this project (Digest)

• Introduction
• The ALRC’s recommendation
• The current law in NSW
• Submissions
• The Commission’s conclusions

1.1 This chapter examines the privacy principle relating to anonymity and pseudonymity that is embodied in UPP 1, which the ALRC recommended in Report 108.¹ UPP 1 states:

UPP 1. Anonymity and Pseudonymity

Wherever it is lawful and practicable in the circumstances, agencies and organisations must give individuals the clear option of interacting by either:

(a) not identifying themselves; or

(b) identifying themselves with a pseudonym.

1.2 Anonymity has been described as “a fundamental component of the right to privacy and data protection for individuals in their relations with others and the state.”² One Privacy Commissioner asserted that “anonymity is the highest right individuals should have, and it should be overruled only for justifiable reasons”.³

1.3 In Privacy and Freedom, one of the most influential books on privacy, Alan Westin identified anonymity as one of the four basic states of privacy. He described anonymity as occurring:

when the individual is in public places or performing public acts but still seeks, and finds, freedom from identification and surveillance …. Knowledge or fear that one is under systematic observation in public places destroys the sense of relaxation and freedom that men seek in open spaces and public arena.⁴

1.5 Examples of instances where individuals may desire anonymity and it may be appropriate for agencies and organisations to provide such an option include when:

• making a general inquiry about a product or service, in contrast to seeking a person-specific or customised service or information;
• using counselling services, particularly where information is revealed about a third party (eg, counselling for teenage pregnancy or domestic violence); or
• “whistle-blowing”, that is, reporting misconduct.⁶

Limitations

1.7 Anonymity cannot, of course, be absolute and should be limited by legitimate interests of protecting the public good, national security, and law and order. Identity is necessary for a myriad of dealings with agencies and organisations, for example, in order to vote, pay taxes, obtain a driver’s licence, receive welfare benefits, secure a passport, etc. Most people would also want to be uniquely identified and not be confused with others when using certain services, for example, when getting medical treatment.⁸

1.8 A democratic society that respects individual autonomy and privacy is obligated to draw the line on when and how individuals should be required to identify themselves when they participate in society. It should also recognise the legitimate interests of government and the private sector in collecting information about the identity of an individual when necessary in providing services to, or conducting business with, the individual.⁹

Anonymity as a starting point

1.9 Privacy policy on anonymity has as its starting point the entitlement of individuals not to reveal their identity, unless justified under the circumstances. Individuals should only be required to reveal their identity if this is essential to the particular transaction. Otherwise, individuals should be given the option of choosing whether or not, and how, to reveal their identity. Instead of the widespread practice of automatically collecting the identity of individuals for every dealing with organisations and agencies, anonymity should be the default position. Hence, there is a need for collectors of personal information to examine which of their dealings with individuals truly require the collection of identity.¹⁰

Precedents

1.10 A number of Australian jurisdictions have adopted an anonymity principle in their privacy statutes.¹¹ The principle in the Victorian legislation provides an example:

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.¹²

The design and choice of data processing systems shall be in line with the objective of collecting, processing or using no personal data, or as little as possible. In particular, the possibilities of anonymisation and pseudonymisation should be used wherever possible and when the effort required is in proportion to the desired purpose of protection.¹³

Technologies: threat and opportunities

1.13 A clear policy on anonymity is arguably of critical importance in an era where the rapid advances in, as well as the ever growing use of, information technologies have resulted in the enormous surge in the collection of personal information. Every time one pays for a service or product through means other than cash (eg, by credit or debit card), makes a phone call, uses the internet merely to find information or purchase products and services, etc, there is potential for an identifiable record to be created and stored in some database somewhere.¹⁴ There is a view that this development poses a serious threat to privacy and in particular, anonymity.

1.14 There are, however, existing technologies that allow anonymous transactions. One class of technologies, which rely on a succession of intermediary-operated services, has been described as follows:

Each intermediary knows the identities of the intermediaries adjacent to it in the chain, but has too little information to enable it to identify the prior and subsequent intermediaries. Even if it wants to, it cannot track the communication back to the originator or forward to the ultimate recipient. Examples … include anonymous remailers, web-surfing arrangements, and … payer-anonymous ECash or Digicash.¹⁵

• digital pseudonym, which the service provider assign to a customer, for the purposes of conducting transactions; and
• trusted third party, which is a party charged with keeping the master key linking digital pseudonyms with the true identities of their users. Only certain conditions (which are agreed upon by the parties) will allow the trusted party to reveal a user’s identity to the service provider.¹⁷

THE ALRC’S RECOMMENDATION

The current Commonwealth law

1.17 The Principles contained in the Privacy Act, which agencies¹⁹ must observe, do not include obligations of anonymity or pseudonymity.

1.18 In contrast, NPP 8 of the Privacy Act, which applies to organisations,²⁰ states:

Whenever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

• whether the anonymity principle embodied in NPP 8 should cover agencies in addition to organisations;
• whether the principle should be expanded to cover pseudonymity; and
• what should be the content of this principle.²¹

1.20 The ALRC recommended that an anonymity principle should be included in the model UPPs and should apply equally to agencies and organisations. It reasoned that an anonymity principle would encourage agencies and organisations to consider the fundamental question of whether they need to collect personal information at all and to design their systems accordingly.²² In other words, such a principle may assist in minimising the collection of unnecessary personal information.²³

1.21 Further, the ALRC said that providing individuals greater control over their privacy by giving them the option to transact anonymously, where appropriate, may give rise to significant public policy benefits. It may, for example, encourage individuals to seek medical or other services from an organisation or agency in situations where a requirement of identification would discourage them from seeking such services. The ALRC cited as illustration the anonymous supply of sterile syringes and needles to injecting drug users, which it said is an important public health initiative in all Australian States and Territories.²⁴

1.22 A number of agencies expressed concerns about the practical application of an anonymity principle. The ALRC said that these could be accommodated adequately within the broad limitations of the principle — that is, that the option for anonymity must be provided only where it is “lawful and practicable”. This issue is discussed in greater detail below.²⁵

Pseudonymity

1.23 The ALRC recommended that the anonymity principle should provide for pseudonymous transactions, that is, where appropriate, agencies and organisations should give an individual the option of using a name (other than his or her real name), term or other combination of letters and numerals by which he or she can be addressed specifically.²⁶

1.24 The ALRC expressed the view that provision for pseudonymity would bestow:

a more flexible application of the principle by covering the situation where it would be impracticable or unlawful for an individual to transact anonymously but where these barriers would be overcome if the individual were to transact pseudonymously with an agency or organisation. An extension of the principle to encompass pseudonymous transactions will also encourage agencies and organisations to incorporate into their systems privacy-enhancing technologies that facilitate pseudonymous interactions in an online environment.²⁷

• the cost of implementation could be high; and
• pseudonymous transactions are open to abuse and may detract from the accuracy of records.

1.27 The Office of the Federal Privacy Commissioner (“OPC”), which supports the inclusion of pseudonymity within the anonymity principle, raised concerns that agencies and organisations might use the terms pseudonymity and anonymity interchangeably and consequently only offer one of the options to individuals. It suggested that:

the wording of the principle [should] be clarified to ensure that organisations and agencies provide individuals with the option of interacting anonymously where this is lawful and practicable. Where it is not practicable for an individual to transact anonymously or where the individual chooses to transact under a pseudonym an agency or organisation [should be] required to give individuals the clear option to transact pseudonymously if this is lawful and practicable.²⁹

Content and application

Lawful and practicable

1.29 A considerable number of agencies and organisations expressed concerns in their submission to the ALRC about the practical application of an anonymity and pseudonymity principle.

1.30 For example, the ACT Department of Disability Housing and Community Services said that, in relation to the provision of services to children at risk of abuse or neglect, the identification of the persons involved is essential in the recording of client history, which is an important part of risk assessment and in deciding appropriate services for the children concerned.³²

1.31 The Australian Government Department of Human Services advised that it cannot provide full and reliable advice to an individual who remains anonymous or provides a pseudonym.³³

1.32 The Department of Foreign Affairs and Trade expressed disquiet about the potential compliance costs, for example, with respect to the amendment of the Department’s online forms, including passport applications.³⁴

1.33 The submissions also identified situations where the application of an anonymity and pseudonymity principle could conflict with legislative requirements to retain identifying information, including those that apply to the telecommunications industry, the provision of health care and health insurance, and the financial services sector.³⁵

1.34 Some submissions suggested that specific exceptions be provided, for example for the delivery of health benefits and social services by Commonwealth agencies, or for the provision of health care.³⁶

1.35 The ALRC, however, emphasised that the requirement in UPP 1 for agencies and organisations to give individuals the options of anonymity and pseudonymity is not absolute since it arises only where this is “lawful and practicable”. This is based on the similarly-worded qualification found in NPP 8.³⁷

1.36 In relation to NPP 8, a commentator has said that it would not be lawful for an organisation to give an individual the option of transacting anonymously if a law requires the organisation to identify the individual, for example, to open a bank account or for reporting requirements regarding a notifiable disease or suspected child abuse.³⁸

1.37 Further, for the purpose of determining whether it is “practicable” for an organisation to deal anonymously with an individual, the same commentator suggested that the following factors may be taken into account:

• whether the provision of the product or service requires the individual to be identified;
• whether the provision of the product or service could be improved if the individual’s identity was known (for example in relation to a health service where the review of the patient’s medical record may assist in treatment);
• whether there will be an increase in cost or time involved in providing the product or service; and
• whether there will be increased risk to the organisation in providing the product or service anonymously (for example, in the event of legal proceedings, the organisation may not be able to provide evidence of correspondence with the individual).³⁹

1.39 The ALRC recommended that the OPC issue guidance on the “lawful and practicable” requirement.⁴¹

Not misleading

1.40 In its DP 72,⁴² the ALRC proposed that the option to transact pseudonymously should be subject to the additional limitation that it would not be misleading.⁴³ The ALRC was concerned about the potential for pseudonymous transactions to lead to fraudulent or misleading practices. Although fraud would be adequately covered by the requirement that the transaction be “lawful”, the ALRC was worried that, in certain situations, a pseudonymous transaction may be misleading but not necessarily fraudulent. It gave the example of an individual who intentionally chooses as a pseudonym someone else’s name for the purpose of giving the impression that he or she is actually that other person.⁴⁴

1.41 In Report 108, however, the ALRC acknowledged that agencies and organisations might find it onerous to apply a requirement that a pseudonym not be misleading. For example, they are likely to find it difficult to assess an individual’s intentions when he or she interacts pseudonymously. The ALRC concluded that the requirement that the pseudonymous interaction must be “lawful and practicable” is sufficient to guard against systemic abuse.⁴⁵

“Interacting” with individuals

1.42 The current anonymity principle embodied in NPP 8 refers to individuals’ option of not identifying themselves “when entering transactions” with an organisation.

1.43 The OPC submitted that this should be amended to clarify that, where an individual has an existing relationship with an organisation, that individual is still entitled to transact anonymously, subject to relevant qualifications.⁴⁶

1.44 In its DP 72, the ALRC agreed that the clarification suggested by the OPC should be incorporated into its proposed anonymity and pseudonymity principle by replacing the words “when entering transactions” with the words “when transacting”.⁴⁷

1.45 In Report 108, however, the ALRC decided to replace the word “transacting” with “interacting”. It reasoned that since, on its plain English meaning, “interact” has a wider import than “transact”, the use of “interacting” would more clearly establish that the proposed principle is intended to cover a broad range of dealings. It was concerned that “the term ‘transacting’ may be associated unduly with customised transactions or service delivery, where anonymity or pseudonymity will often not be appropriate”.⁴⁸

“Clear option”

1.46 The current anonymity principle found in NPP 8 provides that “individuals must have the option of not identifying themselves”. The ALRC queried whether the proposed extension of this principle might be better drafted by imposing expressly an obligation on agencies and organisations to give individuals the option to interact anonymously and pseudonymously.⁴⁹ The anonymity principle in the Northern Territory legislation, for example, provides the following:

A public sector organisation must give an individual entering transactions with the organisation the option of not identifying himself or herself unless it is required by law or it is not practicable that the individual is not identified.⁵⁰

1.48 It described an express option as requiring an agency or organisation to state explicitly (for example, on its information collecting system) that individuals may transact anonymously or pseudonymously. In contrast, a clear option would merely require the agency or organisation to ensure that individuals are aware that they may transact anonymously or pseudonymously.⁵²

1.49 It considered a requirement to provide individuals with a clear option as less onerous than a requirement to provide an express option. It said that such a requirement

would allow agencies and organisations to comply with the ‘Anonymity and Pseudonymity’ principle in the structure of their information collecting systems. For example, in many cases where asked to fill out a form either on paper or electronically, individuals are told which fields they must complete. Providing a clear option may entail altering the list of ‘required fields’ to take account of the ‘Anonymity and Pseudonymity’ principle. An express option may require agencies and organisations to undertake an additional step of notifying individuals that they do not need to complete the fields containing identifying information.⁵³

1.51 The ALRC’s recommended anonymity and pseudonymity principle required “an agency or organisation to give individuals the clear option to interact anonymously or pseudonymously, where this is lawful and practicable in the circumstances”.⁵⁵

THE CURRENT LAW IN NSW

1.52 PPIPA does not have a principle on anonymity.

1.53 In contrast, HRIPA contains a principle — HPP 13 — which states:

Wherever it is lawful and practicable, individuals must be given the opportunity to not identify themselves when entering into transactions with or receiving health services from an organisation.⁵⁶

SUBMISSIONS

1.55 The Commission’s CP 3⁵⁷ did not specifically deal with the anonymity principle. Nevertheless, two submissions support such a principle. In response to the question we posed of whether NSW should continue to have two separate information privacy statutes, the Australian Privacy Foundation and the Cyberspace Law and Policy Centre answered in the negative but qualified that PPIPA (or the privacy legislation that is eventually adopted for NSW) should contain a number of additional principles, including one on anonymity.⁵⁸

THE COMMISSION’S CONCLUSIONS

1.56 The Commission supports adopting UPP 1 into State privacy legislation. Anonymity is an important aspect of privacy and individuals should only be required to reveal their identity if this is essential to the particular transaction. The recommended principle would give individuals greater control over their privacy by giving them the option of interacting with government anonymously or pseudonymously, where this is lawful and practicable. It would also encourage agencies to examine which of their interactions with the public truly require the collection of identity, and this should assist in curbing the propensity by government to automatically collect the identity and other personal information of individuals even in situations where it is unnecessary to do so.

1.57 The Commission agrees with the terms of the ALRC’s recommendation, including the provision for agencies to give individuals the option of interacting pseudonymously. This would give agencies flexibility in situations where it would be unlawful or impracticable for an individual to interact anonymously but where these barriers would be overcome if the individual were to transact pseudonymously with the agency. Pseudonymity still gives an individual control over his or her true identity but also ensures that the individual remains accountable by enabling the agency to trace his or her identity under certain circumstances, for example where unlawful activity has been committed.

1.58 An important element of the recommended principle is the qualification that agencies provide individuals with the option of anonymity or pseudonymity where this is “lawful and practicable”. This recognises that individuals’ interest in anonymity and pseudonymity is not absolute. The qualification is capable of encompassing a broad range of situations, such as where identification is required by law or by the nature of the interaction.

1.59 There is a clear need to clarify how the principle would operate, particularly with respect to when anonymous and pseudonymous interactions would be appropriate, and when the “lawful and practicable” qualification would apply. Agencies would require, for example, directions on what factors they should take into account when determining whether it is “practicable” for them to interact with an individual. There is also a need for guidance on

• what is involved in providing a “clear option” to interact anonymously or pseudonymously; and
• the difference between providing individuals with the option to interact anonymously and pseudonymously.

1. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 1 Recommendation 20-1.

2. D H Flaherty, “Defending the Right to Anonymity”, Paper presented at the Frontiers of Privacy conference, Victoria, British Columbia, Canada, 13 February 2003, 1.

3. Office of the Privacy Commissioner of Canada, Identity, Privacy and the Need of Others to Know Who You Are: A Discussion Paper on Identity Issues (2007) 32.

4. A F Westin, Privacy and Freedom (Atheneum, 1967) 31.

5. R Clarke, “Transaction Anonymity and Pseudonymity” (1995) 2 Privacy Law and Policy Reporter 88.

6. J Douglas-Stewart, Annotated Privacy Principles (Adelaide, Presidian Legal Publications, 3rd ed, 2007) [2-5520].

7. UK Information Commissioner’s Office, Privacy Impact Assessment Handbook «http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/24-technologies.html» at 10 June 2009.

8. D H Flaherty, “Defending the Right to Anonymity”, Paper presented at the Frontiers of Privacy conference, Victoria, British Columbia, Canada, 13 February 2003, 3.

9. Office of the Privacy Commissioner of Canada, Identity, Privacy and the Need of Others to Know Who You Are: A Discussion Paper on Identity Issues (2007) 31.

10. See Office of the Privacy Commissioner of Canada, Identity, Privacy and the Need of Others to Know Who You Are: A Discussion Paper on Identity Issues (2007) 31; Information and Privacy Commissioner (Ontario, Canada) and Registratiekamer (The Netherlands), Privacy Enhancing Technologies: The Path to Anonymity (1995) vol 1 [1.7.5], [3.1]; D H Flaherty, “Defending the Right to Anonymity” Paper presented at the Frontiers of Privacy conference, Victoria, British Columbia, Canada, 13 February 2003, 1, quoting J Woulds, former UK Deputy Data Protection Commissioner.

11. Information Act 2003 (NT) sch 2 cl 8; Personal Information Protection Act 2004 (Tas) sch 1 cl 8; Information Privacy Act 2000 (Vic) sch 1, cl 8.

12. Information Privacy Act 2000 (Vic) sch 1, cl 8.

13. Federal Data Protection Act 1990 (Germany) art 3a.

14. Information and Privacy Commissioner (Ontario, Canada) and Registratiekamer (The Netherlands), Privacy Enhancing Technologies: The Path to Anonymity (1995) vol 1 [1.0].

15. R Clarke, “Introducing PITs and PETs: Technologies Affecting Privacy” (2001) 7 Privacy Law & Policy Reporter 181, 182.

16. R Clarke, “Introducing PITs and PETs: Technologies Affecting Privacy” (2001) 7 Privacy Law & Policy Reporter 181, 183.

17. See Information and Privacy Commissioner (Ontario, Canada) and Registratiekamer (The Netherlands), Privacy Enhancing Technologies: The Path to Anonymity (1995) vol 2 [4.0].

18. Office of the Privacy Commissioner of Canada, Identity, Privacy and the Need of Others To Know Who You Are: A Discussion Paper on Identity Issues (2007) 44.

19. See Privacy Act 1988 (Cth) s 13(a), 16.

20. Privacy Act 1988 (Cth) s 16A. Organisations for purposes of the Privacy Act 1988 (Cth) covers individuals, corporations, unincorporated associations, partnerships and trusts, but excludes: small businesses, political parties, state/territory authorities and agencies to which the Principles apply: Privacy Act 1988 (Cth) s 6C.

21. ALRC Report 108 vol 1 [20.5].

22. ALRC Report 108 vol 1 [20.14].

23. Privacy NSW, Submission PR 468, 14 December 2007 cited in ALRC Report 108 vol 1 [20.8].

24. ALRC Report 108 vol 1 [20.14].

25. See para 1.29-1.39.

26. ALRC Report 108 vol 1 [20.17].

27. ALRC Report 108 vol 1 [20.25].

28. ALRC Report 108 vol 1 [20.25].

29. Office of the Federal Privacy Commissioner, Submission PR 499, 20 December 2007 cited in ALRC Report 108 vol 1 [20.23]-[20.24].

30. See ALRC Report 108 vol 1 Recommendation 20-2.

31. Office of the Federal Privacy Commissioner, Submission PR 499, 20 December 2007 cited in ALRC Report 108 vol 1 [20.27].

32. ALRC Report 108 vol 1 [20.32].

33. ALRC Report 108 vol 1 [20.33].

34. ALRC Report 108 vol 1 [20.34].

35. ALRC Report 108 vol 1 [20.35].

36. ALRC Report 108 vol 1 [20.36].

37. Para 1.18.

38. J Douglas-Stewart, Annotated Privacy Principles (Adelaide, Presidian Legal Publications, 3rd ed, 2007) [2-5530].

39. J Douglas-Stewart, Annotated Privacy Principles (Adelaide, Presidian Legal Publications, 3rd ed, 2007) [2-5540].

40. ALRC Report 108 vol 1 [20.46].

41. ALRC Report 108 vol 1 Recommendation 20-2 [20.43].

42. Australian Law Reform Commission, Review of the Law of Privacy, Discussion Paper No 72 (2007) (“ALRC DP 72”).

43. ALRC DP 72 Proposal 17-2.

44. ALRC DP 72 vol 2 [17.23].

45. ALRC Report 108 vol 1 [20.48] [20.49].

46. ALRC DP 72 vol 2 [17.24].

47. ALRC DP 72 vol 2 [17.25].

48. ALRC Report 108 vol 1 [20.42].

49. Australian Law Reform Commission, Review of Privacy, Issues Paper No 31 (2006), Issue 4-29.

50. Information Act 2002 (NT) sch 2 cl 8.

51. ALRC Report 108 vol 1 [20.64].

52. ALRC Report 108 vol 1 [20.57].

53. ALRC Report 108 vol 1 [20.58].

54. ALRC Report 108 vol 1 [20.62].

55. ALRC Report 108 vol 1 Recommendation 20-1.

56. Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 13.

57. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper No 3 (2008).

58. Australian Privacy Foundation, Submission, 3; Cyberspace Law and Policy Centre, Submission, 6.

59. See ALRC Report 108 vol 1 Recommendation 20-2.