AusRegistrations Privacy Impact Assessment
1. PIA Scope
3. Mapping the information flows
4. Privacy Impact Analysis
1. PIA Scope
The scope of this document is to assess the potential impact to users of the AusRegistrations service based on current Australian privacy laws. It has been prepared with reference to the Privacy Impact Assessment Guide 2006 by the Office of the Privacy Commissioner, and to Privacy Impact Assessments – a Guide, issued by the Victorian Privacy Commissioner in 2004.
By its nature, AusRegistrations involves the voluntary provision of identifying information by individuals and organisations. Therefore this assessment places particular emphasis on how AusRegistrations manages users’ rights in relation to privacy, data security and quality, and the ability for individuals to access and correct their data held within AusRegistrations. It also reviews the safeguards in place to prevent criminal use of this information with regard to identity theft or the creation of multiple identities.
The format of this document follows the list of ten National Privacy Principles as extracted from the Privacy Amendment (Private Sector) Act 2000.
AusRegistrations is registry of relationships between individuals and organisations. It provides those individuals and organisations with verified information to assist in the establishment and registration of their relationships. In addition it provides those individuals and organisations with greater control over the information they provide and how that information is used.
Verification of information can occur at whatever level of detail is required and agreed to between the organisation and the individual. It can be as simple as the provision of name, email address or telephone number, or it may involve more detailed data. If contractual or confidential matters are involved, it may also require confirmed biometric data such as a photograph or voice print.
Through the verification process, AusRegistrations facilitates electronic communication, allowing organisations to verify that the person they are dealing with is indeed who they say they are.
3. Mapping the data flow
When an organisation and an individual establish a relationship, the information that is provided by the individual is first verified by the organisation. For example, a student may enrol at a tertiary institution. As part of the registration process the student supplies the institution with a photograph to be used on an ID card. A representative of the institution then verifies that the photograph truly does represent the person enrolling. Other organisations may identify people with a user code and/or password.
After confirming their identity to the organisation, the individual may be invited by the organisation to link to AusRegistrations where they can include their voice print and/or photograph, plus the details of the registration can be included in their AusRegistration records. The benefit for the individual is faster, easier access to telephone or Internet assistance and the assurance of greater security, knowing that only they can access their information.
The person may now register additional relationships with other agencies or organisations as required. If a person has an electronic identity with a financial institution, the person identifies themselves as normal and can then request that their relationship with the bank be registered. That is, they log on to the bank system, prove they have access to their other records and prove that the information held about them by other organisations matches the information held by the bank. Once the relationship is registered, the person has increased their number of verified relationships.
Ultimately all relationships that a person has with all organisations can be recorded in AusRegistrations, creating a personal “safe” that holds none of the data about the person but instead maintains a central record of the right-of-access to a multitude of relationships.
It is important to highlight that in addition to containing none of the data about an individual, AusRegistrations does not hold passwords or other security mechanisms required to access the information on the systems registered with AusRegistrations.
4. Privacy Impact Analysis
The Privacy Impact Assessment Guide highlights a number of activities that can increase privacy risks throughout the cycle of data collection, use and dissemination. Those concerns are listed here and are addressed throughout this section.
- collecting unnecessary or irrelevant personal information, or intrusive collection,
- undertaking bulk collection of personal information, some of which is unnecessary or irrelevant
- using personal information for unplanned secondary purposes
- unnecessary or unplanned data linkage
- disclosures not originally planned can lead to privacy complaints
- making decisions based on poor quality data
- unauthorised internal and external access and use
- retaining personal information unnecessarily
- inaccurate information can cause problems for agencies and individuals
AusRegistrations is a voluntary system. People do not have to register and do not have to use the system for identification. Each individual is in control of their own registrations and the information cannot be accessed without the individual’s permission. It meets all the requirements of the Privacy Act.
Organisations are also assured of confidentiality as they can place restrictions on the individual’s release of information to other parties as part of the registration agreement. For example, an organisation may specify that the information in the registration can be released but not the name of the organisation with whom the individual is registered.
Scope of Collection
AusRegistrations maps the relationships between an individual and any number of organisations; or between an organisation and any number of individuals. No information other than that required to create an AusRegistrations’ account is gathered or maintained by AusRegistration. Account creation is performed by logging in to www.ausregistrations.com.au and entering the following:
- email address
- a self-created Personal Identity Number (PIN).
While AusRegistrations facilitates the electronic communication between two parties, it plays no part in defining the contents of the data shared by the organisation and individual. This is a matter agreed to between the two parties, based on the nature and any possible legal requirements of their relationship.
Once an individual has entered verified information into a data field – such as a voice print, a photograph, their name or telephone number – the individual can then choose to use these verified fields when registering future relationships. Hence a photograph stored at, and verified by the Passports Office could be used as proof of identity in establishing future relationships. Or the voice print held by a telecommunications provider could enable a secure log-in when dealing with a financial institution.
The individual is the only person with access, and the ability, to input data about themselves, while responsibility for management and storage of data resulting from each of these relationships lies with the organisation in each instance.
The PIN is solely for use by AusRegistrations. Its single function is to enable the individual to log in to their own record of registrations. It will not enable access to the data contained within the relationships, as each organisation will have its own log-in requirements. The PIN is is a security measure and is never passed on to other organisations (thus ensuring that there is no common identifier used throughout the relationships).
All actual data about the relationship between an individual and an organisation continues to reside in the organisation’s database.
The data shared between individuals and organisations is provided voluntarily by both parties. It is the individual who takes responsibility for entering the registration, ensuring that the individual retains control over the data that is entered and how it is edited, updated or changed.
Method of Collection
During the registration of any new relationships the organisation will be required to verify the individual’s identity. This may be as simple providing a password or as complex as two or three factor authentication including use of biometrics. An online bookshop for example may require only an email address and password, while a bank may stipulate far greater security involving a PIN, password and voice print. The method used is up to the organisation.
AusRegistrations also offers biometric data capture as an option for all users. Individuals are responsible for registering their “face” and “voice” by putting in their own photograph and voice print. These are then verified as belonging to that individual by others such as their accountant, tax agent, lawyer, school teacher, lecturer, minister of religion.
Biometric data, as with all other personal data except ways of contacting the person, is maintained and stored by the initiating organisation, not AusRegistrations. For example voice prints are stored in a Telstra database while the phone number to contact the person is stored in AusRegistrations.
4.2 Use and Disclosure
The data collected by AusRegistrations is to identify the user in order to provide him or her access to their register of relationships. The data is not shared with, or disclosed to any other person or agency.
At all times the individual chooses what data they want to provide to the organisations and there is no obligation on any individual to register their relationships.
However, if the individual chooses, he or she can provide data that will be XML tagged and linked across multiple relationships, such as filling in “name” or “address” data fields that are likely to be requested in additional relationships. Thereafter, any update to the data field with one of these organisations will result in an update being provided to all other relationships that are part of this linked tag. The individual and the organisation both have control over whether they wish to allow this to happen.
Similarly, the user may request that a verified biometric be used as part of their other relationships. For example, the individual may register a voice print with a telecommunications provider so that it may then be used for verification when contacting telephone support at a government agency or financial institution.
Data linkage may only be conducted at the instigation of the individual and with the approval of the organisation.
Information relating to each separate relationship is maintained in separate “silos” or databases, with each organisation responsible for the management of their own data. Data matching can only occur across AusRegistrations under either of two circumstances:
- when the individual and verifying organisation permit, such as when submitting biometric or other data for verification to a new relationship, or
- when illegal activities are suspected and an appropriate government agency has gone through due legal process to obtain access to that individual’s AusRegistrations records.
Data matching cannot be carried out in any other way through AusRegistrations. Thus if data matching occurs either the user has given permission or it is as a result of a due legal process.
4.3 Data Quality
The individual is the only person to input or authorise data about themselves, ensuring control over any personal data and the ability to correct and update the information at any time.
Where a data field has been linked across a number of relationships, a single update in one place can result in the automatic updating of records across all relationships. If the field is one that requires verification by the organisation (such as changing address for correspondence with a bank), the organisation’s normal verification procedures will be undertaken before the update is accepted.
4.4 Data Security
Identity Fraud Protection
The system is designed to ensure that individuals can have only one verified set of identification information in AusRegistrations, making it impossible to use for identity fraud. The uniqueness of a set of records is achieved in two ways: first by involving multiple organisation registrations and second, through biometrics.
The complexity of recording multiple relationships makes it extremely difficult for one person to hold more than one electronic access record. For an individual to have two distinct sets of registration records would require the collaboration of many organisations and people.
Births, Deaths and Marriages registrations, for example, not only register an individual but also the relationship between parties. Thus when a person is married and the marriage is registered, both parties are registered as married and there is also a registration implied between the two parties. When a birth is registered there is an implied relationship between all members of the family and the extended family. If someone tried to register themselves as a person who had died, all other members of the family would be sent an email that the registration had been attempted.
Identity fraud demands comprehensive physical disguise to ensure biometric details appear completely differently on separate registrations. When a person registers with an organisation that requires photo identification, cross-matching will be carried out against all other images held in AusRegistrations. If any two photos appear to be the same an automatic alert is raised and if necessary authorities are alerted after investigation by AusRegistrations.
Security of Records
Theft of an individual’s electronic registrations would require the perpetrator to take over all the individual’s relationships and alert all parties to the relationship change. For example if a person managed to access another individual’s registrations, control would then require changing the photo-image and all associated relationships. If a photo-image is changed, each person or organisation with whom a relationship has been established would be asked to verify that the change is still the same person.
Moreover, each time a verified relationship is changed the individual who “owns” the relationship is alerted and the thief would have to not only change the information but intercept the alert to the individual concerned.
When a person dies, a relationship is established with the Death Certificate Registry at which time it becomes impossible to further change the various relationships or act on those relationships.
Retention and destruction
Individuals can decide at anytime that they wish do “de-register” a relationship. Deregistering means that the organisation is notified that the relationship has ended. The fact that a relationship existed will remain in the system permanently and will be available to both the organisation and the person but it cannot be used for identification or any other purposes and is only available to the person or the organisation.
www.AusRegistrations.com.au contains a comprehensive privacy statement and “Frequently Asked Questions” ensuring all users have 24 hour a day, 7 day per week access to our privacy policies.
4.6 Access and Correction
Individual’s can access, edit or inactivate their AusRegistration information at any time by simply logging in to www.AusRegistrations.com.au. However before any changes are made the individual must sign that the change is valid.
Via AusRegistrations users may also access the data provided to, and stored with, their registered relationships. In many instances their verified electronic identity enables greater access to electronic records with these organisations. The individual may then request changes to that data providing any legal or commercial verification requirements are met.
If information is marked as verified and is to be changed then permission must be obtained from the individual for the change to occur. Thus an organisation cannot change information about a person without the person being notified and asked to sign the change.
4.7 Unique Identifiers
Users identify themselves to AusRegistrations by the use of a self-created PIN. This number is not disclosed to any other individual or agency. No common identifier is used across an individual’s registered relationships.
There is no concept of a unique identifier, as the identifier is the individual themselves. They are asked at all times when they are needed to identify themselves. All relationships have an identifier but each one is unique to the organisation and not to the individual.
AusRegistrations does require an individual to register with an identifying name, address and email address. Given that AusRegistrations provides access to an individual’s register of electronic relationships, it is impractical to offer complete anonymity.
However, it does facilitate anonymity in electronic dealings with organisations that do not have any legal requirement for formal identification. Individuals can choose to only provide say some characteristic such as their verified age if that is all that is required.
4.9 Transborder Data Flows
AusRegistrations can only be used to provide information to organisations in foreign countries if:
a. the organisation has a registered relationship with the individual and
b. the individual chooses to provide this information.
Any data transfer can only occur at the instigation of the individual.
4.10 Sensitive Information
AusRegistrations collects no sensitive information about any individuals or organisations.