University of New South WalesFaculty of Law - Information Technology Law


C y b e r s p a c e - l a w


Can the data matching epidemic be controlled?

Graham Greenleaf

(Originally published in (1991) 65 ALJ 220-23;
reprinted in vol 7 Computer Law and Security Report, 1991 15-17)

  • The `enhanced' TFN scheme and the new `matching agency'
  • The Data Matching Guidelines
  • The emerging Commonwealth surveillance networks

  • Data matching is the comparison by computer of two or more sets of personal information which have been collected for separate administrative purposes, in order to identify any information which may warrant further investigation. For example, people who state their incomes differently to different agencies, or who claim benefits from two different agencies where this is not normally allowed (`double dipping'), are likely targets of matching schemes.

    Former Canadian Privacy Commissioner John Grace described one of the dangers of matching as the conversion of a presumption of innocence into a presumption of guilt:

    ... a computer match is instigated not because a particular person is suspected of fraud - as in a traditional investigation - but because a whole class or group of persons has come to the attention of government for either good or frivolous reasons. Thus do old fashioned `fishing expeditions' pose as high technology.

    The Australian Law Reform Commission likened matching to `a modern version of the general warrant' (ALRC 22, 1983). Privacy Commissioner Kevin O'Connor calls it the `privacy equivalent of drift-net fishing':

    ...it is like investigators entering a home without any warrant or prior suspicion, taking away some or all of the contents, looking at them, keeping what is of interest and returning the rest, all without the knowledge of the occupier.

    Despite these dangers, the attractions of data matching to administrators as a device for reducing fraud and overpayments are very strong. There has been an epidemic of data matching in Commonwealth public administration in recent years, as indicated by a survey by the Privacy Commissioner (Data Matching in Commonwealth Administration 1990) of five key Commonwealth agencies (Tax, Social Security, Veteran's Affairs, Education and Immigration), which identified 24 different matching programs between those five agencies and other agencies (including the Electoral Office, Health Insurance Commission and State Registrar General's Offices) and organisations (employers, insurers, Universities etc). Data matching between most agencies is illegal unless it comes within one of the exceptions to Information Privacy Principle 11 of the Privacy Act 1988. The tenuous legal basis of some of the existing matching schemes is hinted at by the Commissioner when he says

    ... many of the programs have originated in response to administrative demands or as cost saving measures rather than as a use of personal information specifically authorised by law.

    Into this rather unregulated picture have now intruded two new elements: the Data Matching Program (Assistance and Tax) Act 1990 (Cth), which establishes and controls one new data matching scheme in an entirely new way; and the Privacy Commissioner's draft Data Matching Guidelines, which aim to regularise data matching generally.

    The `enhanced' TFN scheme and the new `matching agency'

    The Privacy Act 1988 (Cth), and the Taxation Laws Amendment (Tax File Numbers) Act 1988 (Cth), which created a new system of reporting taxable income by use of an upgraded Tax File Number (TFN), were both elements of the political compromise which followed the demise of the Labor Government's 1985-87 attempts to introduce the `Australia Card' identification system. Privacy advocates, and the Opposition parties, accepted the TFN system as a reasonable compromise between the protection of privacy and government revenue collection, on the basis of assurances by the government that the TFN system would be limited to tax administration, and because of the creation of a Privacy Commissioner who would act as a `privacy watchdog'. The Senate Standing Committee on Legal and Constitutional Affairs warned that the TFN system should only proceed if it was `strictly limited' to taxation purposes (Report on Feasibility of a National ID Scheme; Tax File Numbers, October 1988). One of the main concerns about multi-purpose identity numbers is that they facilitate `data matching'.

    In the August 1990 Budget the Government proposed that TFN numbers could also be used in a data matching scheme which would match information concerning Commonwealth `income support' benefits (social security, veteran's affairs, student assistance and first home-owners benefits), together with taxation information and, for some purposes, Electoral Roll and Medicare identity information. It had already extended the use of the TFN in various ways in the previous eighteen months, but this was by far the most significant proposed expansion.

    Despite Parliamentary and public debates about whether this was the `Australia Card by the back door', the Coalition parties eventually supported the Government to enact the Data Matching Program (Assistance and Tax) Act 1990. The Act has a complex structure which is becoming standard for Australian privacy law: the Act itself states the key principles with which agencies must comply (Part 2); it then empowers the Privacy Commissioner to supplement those principles with `Guidelines', which are in themselves mandatory (s12); and it includes as a Schedule an interim set of Guidelines which will govern the establishment of this scheme. The key principles stated in the Act implicitly impose limitations on the content of the Commissioner's Guidelines (as they are subordinate to the Act), and both they and the interim Guidelines also serve to give the Commissioner a positive guide as to what to include in his final Guidelines.

    The essential purpose of the Act is provide legal authority for a matching program, aspects of which would otherwise be illegal under the tax file number legislation and the Privacy Act (ss5,6). Designated officers of the Department of Social Security now constitute the `matching agency' and are responsible for carrying out the matching program authorised by the Act on behalf of the other `assistance agencies', the Taxation Office, and itself.

    A data matching `cycle' must be carried out in accordance with a sixteen stage process (grouped into six `steps') (s7) which govern the movement of information between the four `assistance agencies' responsible for the benefits mentioned and the Taxation Office. Confirmatory identity information from the Electoral Office and Health Insurance Commission (which we could call the `identification agencies') is also used. The TFN is used in some steps of the process, but not others.

    Their are three main purposes of the matching programs: to detect people who are obtaining benefits from two different assistance agencies (eg pension and student benefits) because they have not informed each agency of the other benefit (`payment matching'); to detect persons who have incorrectly stated their income to an assistance agency, by comparing their income details as known to another assistance agency or to the Taxation Office (`income matching'); and to detect persons who have incorrectly stated their income or eligibility for rebates or deductions to the Taxation Office, by comparing what is known about their finances to assistance agencies. The matching is therefore three way: between assistance agencies; from tax to assistance agencies; and from assistance to tax agencies. All matching takes place via DSS in its new role as the `matching agency'. There is also limited matching from the `identification agencies' to the tax and assistance agencies, but not vice-versa.

    Where a person has provided an assistance agency with a TFN which appears to be invalid (Step 1), or there are `discrepancies' in the personal or family identity data that has been provided to assistance or tax agencies (Step 4), or the results of the various data matching processes `indicate' that a person might be claiming assistance to which he or she is not entitled, or evading tax (Step 6), then the assistance and tax agencies are authorised to take action against the person (s10), such as cancelling benefits or issuing tax assessments. Where such action is taken because of Step 6, the assistance or tax agency must normally first give the person 21 days written notice to show cause why such action should not be taken (s11), and advice of his or her rights under the Privacy Act (interim Guidelines, para 5). There is no equivalent protection in relation to Steps 1 and 4. Another type of reversal of the onus of proof (distinct from the `fishing expedition' inherent in the process itself ) is therefore involved in the outcome of the matching process (ss 10, 11), because persons identified as suspect are required to `show cause' why action should not be taken against them.

    It is therefore crucial that the information which forms the basis of such action is of high integrity and of sufficient weight to justify the action taken, otherwise large numbers of persons could be wrongly forced to justify their honesty. Some assistance beneficiaries (and some taxpayers) may find the bureaucratic requirements of a `show cause' procedure beyond them, irrespective of the merits of their case. The interim Guidelines allow the agencies to rely solely on the results of the matching processes as a basis for issuing a `show cause' notice, without confirming it against the source of the information, if `there are reasonable grounds to believe that such results are not likely to be in error' (para 5.1). The interim Guidelines do not, however, address the issue of what types of `discrepancies' are weighty enough to justify the issuing of `show cause' notices. These are matters which the Commissioner should address in his final Guidelines.

    The interim Guidelines will expose data matching to greater public scrutiny. A Program Protocol must be filed by the matching agency with the Privacy Commissioner and available for public inspection (para 3), providing details of, and justifications for, many aspects of the matching program. A comprehensive cost/benefit analysis must be tabled in Parliament within six months of the commencement of the first data matching cycle (para 12). A Technical Standards Report must also be prepared by the matching agency (but can be varied by the Commissioner), dealing with data integrity and security features (para 4), but there is no requirement that any aspect of it be made public. The agencies are required to provide periodic cost/benefit and other analyses of the programs to the Commissioner, who must report on compliance with the Act and Guidelines, and with the Privacy Act, in his Annual Report. The agencies are also required to report their data matching activities in their entry in the Commissioner's annual Personal Information Digest, and to advise persons whose data is likely to be used in data matching programs of this likelihood.

    This is unusual and significant legislation. One the one hand, by defining the scope of a matching scheme with some precision, and requiring its cost/benefit justification to the public, it brings a welcome degree of control and accountability. On the other hand, the legislative creation of the `matching agency' has many of the features of the `Australia Card Register', the data linkage agency which was to have been created by the Australia Card Bill 1986 (see NSW Law Society Journal October 1987 pgs 24-30 for details). As with the Australia Card system, it would be a simple legislative matter to bring other agencies into this matching scheme, merely requiring that a new agency be designated by legislation to be an `assistance agency' (and that a benefit it provides is `personal assistance'), `tax agency' or identification agency. It will be a question of political resolve and judgment whether or not further expansion of the use of the TFN, and of data matching, will or should continue. One of the privacy concerns about the extension of the use of the TFN number was that, once it was no longer limited to tax administration, there was no logical boundary to its further expanded use.

    The Data Matching Guidelines

    In October 1990 the Privacy Commissioner issued draft Guidelines for all types of matching by Commonwealth agencies (Data matching in Commonwealth administration -- discussion paper and draft guidelines). The draft Guidelines share many of the virtues and defects of the Data Matching Program Act, which was based substantially on them.

    However, unlike Guidelines under that Act, these Data Matching Guidelines are not, in themselves, mandatory. The most that they can do is to indicate the Commissioner's view of what conduct is likely to breach an Information Privacy Principle (IPP). The draft Guidelines do not give any clear indication of which IPPs form the basis for each of the seventeen Guidelines. Some of the Guidelines seek to give the Commissioner powers to control matching which may be desirable in principle but are not apparent in the IPPs. While privacy advocates may support the Commissioner taking such a robust approach to his duties, this lack of clear enforceability of Guidelines will become a problem if the Commissioner, or a complainant, seeks to take action against an agency because of a breach of the Guidelines. Data matching is such a significant form of invasion of privacy that it should be controlled by clearly enforceable provisions. The Government has announced that it will enact general Data Matching Guidelines as a Schedule to the Privacy Act (Second Reading Speech to the Data Matching Program Act), but whether these will be as tough a set of controls as the Commissioner will advocate remains to be seen.

    The draft Guidelines require agencies involved in proposed matching practices to expose their proposals to a significant amount of scrutiny by the Commissioner and the public before they are implemented, including the legal authority and `social justification' for the proposal, cost/benefit analyses, and why alternatives were rejected. Although public comment is allowed, there is no provision for a Conference to deal with objections to proposals. The draft Guidelines are somewhat confusing as to who has the authority to approve matching proposals, stating that the final decision rests with the Minister responsible for the matching agency (Guideline 5), whereas this will only be so if the proposal does not breach the IPPs in any way.

    Agencies involved in existing matching practices - of which there are dozens - are also required to prepare the same justifications for their practices within one year, and to discontinue practices which do not comply with the IPPs or the Guidelines (Guideline 17). This proposed retrospective `purge' of matching practices will be the most pro-active action the Commissioner has taken to enforce the IPPs, and could be a major step toward controlling and (where necessary) dismantling undesirable data surveillance practices.

    The emerging Commonwealth surveillance networks

    Looking at the Commonwealth public sector as a whole, we see the TFN system, and data matching, being significantly expanded, but subject to controls. Data matching generally is being made subject to more legal controls, but at this stage their final form is uncertain, and it is unknown whether these controls will cause any contraction in the extent of data matching. Meanwhile, other significant developments in data surveillance are taking place.

    The Health Insurance Commission is now responsible for the Pharmaceutical Benefits Scheme, so that scheme now involves the use of the Medicare card, number and computer. Medicare has therefore become a multi-purpose numbering system, although both purposes are health-related. Budget proposals will involve DSS providing identification details of PBS concessional (pensioner) beneficiaries to the Health Insurance Commission, so that it can update its database. Unlike the TFN and the `matching agency', the Medicare system is not subject to similar detailed privacy controls.

    The Law Enforcement Access Network (LEAN) involves the Attorney-General's Department constructing a massive database of `publicly available information'. A pilot proposal has commenced using corporate affairs records and land titles data from New South Wales (later to be exapanded to all States), to be accessed by a number of Commonwealth agencies with `law enforcement responsibilities' (including DSS). It is not known whether other so-called `public record' information such as the Electoral Rolls, Bankruptcy Register, and telephone books will become part of the LEAN system.

    LEAN is being established without specific legislative authority or control. Although it involves personal information collected for one purpose being used for other purposes, it is not certain whether such `public record' databases come within the controls of the Privacy Act at all, because the definition of `record' (s6) excludes `a generally available publication' and thereby excludes the operation of IPPs 4 - 11. It is also arguable that IPP 11 exception (e), the exception for law enforcement and protection of public revenue, could exclude LEAN. While personal information in `public records' cannot have the same degree of privacy protection that personal information in government records normally has, it is questionable whether there should be no restrictions whatsoever on its use. It has still been collected by Government (often under compulsion) in order to be made available to the public for certain legitimate purposes. Should all Government responsibility for its use end at the point it is made publicly available? Could this expedient be abused? The privacy implications of access to and use of `public record information' need to be addressed by the Privacy Commissioner, and the Parliament.

    If we are to make meaningful comparisons between the Australia Card proposals and the current situation, we cannot focus solely on the extended TFN system, significant though it is. The data surveillance systems mentioned above, and other such as the Cash Transactions Reporting system, have inter-connections which are increasing. The `big picture' is that of an increasingly interlocking network of Commonwealth surveillance systems, under very varying degrees of privacy controls. As with most developments in privacy, it seems like a case of `one step forward, two steps back'.