Direction relating to the integrity of Identity Data Pilot
This Direction had effect from 29 June 2007 until the completion of the participation by the Registrar in the Pilot.
Schedule 1 - Direction under s.41(1) of the PPIP Act
This is a Direction under s. 41(1) of the Privacy and Personal Information Protection Act 1998.
Interpretation
In this Direction:
"ATO" means the Australian Taxation Office;
"Department" means the New South Wales Attorney General's Department;
"NISS" means the National Identity Security Strategy;
"PPIP Act" means the Privacy and Personal Information Protection Act 1998;
"Pilot" means the Integrity of Identity Data Pilot;
"Registrar" means the Registrar of Births, Deaths and Marriages;
"Registry" means the Registry of Births, Deaths and Marriages;
"URN" means the Unique Reference Number.
Background
The Commonwealth Government has invited the Registrar to participate in the proposed Pilot. The Pilot would require the Registry to match personal information data provided by the ATO against its own records, and to return to the ATO a score indicating the degree of correlation between the ATO data and their own records.
The Pilot is part of the NISS endorsed by the Council of Australian Governments at its meeting on 27 September 2005. One of the key objectives of the NISS is to improve the accuracy of personal identity information in government registers.
The aim of the Pilot is to trial and develop processes to enable effective data-matching to be conducted between government agencies in order to improve the accuracy of their databases.
The Pilot will be jointly led by the Commonwealth Attorney General's Department and the ATO, and involve the Registrar and a number of Commonwealth agencies. The ATO will select a sample of 25,000 individuals from its client register. The sample will include data on individuals' names, dates of birth, and addresses only, including current and historical names and addresses. The sample will be restricted to persons residing in New South Wales.
The ATO will deliver an encrypted copy of the selected data sample, on CD technology, to nominated staff of the Registry. The Registrar will transfer the data to his own mainframe computer environments to enable the identity data-matching to occur. The ATO sample data file will not be used by the Registrar for any purpose other than the identity matching required for the Pilot. All back-up files will be destroyed within a specified time after completion of the Pilot.
The ATO sample will be matched by the Registrar against information contained in the Register maintained by the Registrar pursuant to the Births, Deaths and Marriages Registration Act 1995.
A "match score" will be calculated by the Registrar, indicating the degree of correlation between the ATO sample and the records in the Register. The "scored records" will be returned to the ATO stripped of all personal information, using a URN created for each identity by the ATO for the purposes of the Pilot. The URN is not the individual's Tax File Number.
After receiving the match scores from the Registrar, the ATO will aggregate the results for each sample individual to form a sequence of the scores assigned by the Registrar to that record. This sequence will then be used to classify each individual's record to a distinct, pre-defined profile which is based on the nature and extent of the correlations found with the Registrar's identity registers and with an associated level of perceived risk. There are six profiles formulated for the Pilot, ranging from "the identity is highly confirmed" to "the identity is not substantiated".
The next stage ("the analysis phase") of the Pilot involves examining the identity matching processes carried out by the participating agencies. The identity matching process is likely to identify discrepancies between the details recorded for an individual on an ATO record and the details recorded by the Registrar. The reasons for these discrepancies may include administrative or client error, change of name, complexities involving naming conventions and recording, and the registration and use of false identities. It is likely that further analysis will be required to fully explain the reasons for some discrepancies, and to establish the degree to which the discrepancies can be explained by technical deficiencies. Analysis will enable some corrective interpretation to take place.
The Registrar will retain the CD-based files provided by the ATO until the Pilot has been completed, when they will be returned to the ATO. The Registrar will also retain a file containing the URN and unique agency identifier only - neither of which will contain personal information - to assist subsequent analysis and investigation procedures if required. These files will be retained for the duration of the analysis phase. All other versions of the data will be destroyed in line with the security regime of the Registrar, and in line with existing memoranda of understanding in place with the ATO or other agreements surrounding the conditions for storage and safe return of the data.
The final stage of the revised Pilot is the evaluation phase, involving analysis of the technical aspects of the Pilot and the effects of allocation to the risk profiles, in order to help determine how identity matching techniques might best be applied in future exercises. This analysis will include determining the level of performance achieved by the model used in the Pilot, comparing the identity matching methodologies and technologies employed by participating agencies, exploring how the implemented model could have been improved, and incorporating the lessons learned from the Pilot to document "best practice" identity matching.
The ATO has confirmed that its use of the results of the data-matching will be restricted to the purposes of the Pilot and, in particular, will not give rise to administrative or compliance action against the individuals whose records are involved.
The Commonwealth has developed a Privacy Impact Assessment which will apply to the Pilot. It is proposed that the Commonwealth and the Registrar enter into a Memorandum of Understanding once the Registrar has confirmed his ability to participate in the Pilot.
Public interest
This Direction has been made to allow the Department (the Registrar) to collect and use personal information for the purposes of participating in the Pilot.
I am satisfied that the public interest in making this Direction is greater than the public interest in requiring the Department (the Registrar) to comply with the Information Protection Principles as referred to in the provisions set out below.
Coverage
This Direction covers the Department (the Registrar).
Provisions
1. The Department (the Registrar), in collecting and using personal information in accordance with the Pilot, as described in this Direction, need not comply with sections 8(1), 9 and 17 of the PPIP Act.
2. Paragraph 1 is subject to the condition that the collection and use of personal information by the Department (the Registrar) is reasonably relevant and reasonably necessary for the purpose of meeting the objects of the Pilot.
Duration
This Direction has effect until the completion of the participation by the Registrar in the Pilot.
Signed by me on this 29th day of June 2007.
John Dickie
Acting Privacy Commissioner