Privacy Act 2020, ss 7, 22 principle 13, Income Tax Act 2007, Subpart YB

The Privacy Act puts restrictions on government departments, businesses and other organisations assigning identifying numbers and other tags (“unique identifiers”) to people who deal with them.

A “unique identifier” includes any number or other identifying tag or reference that’s assigned to you by an organisation for their operational purposes – for example, your IRD number, your driver’s licence number, your passport number, and the client number assigned to you by your bank. (Your name isn’t a “unique identifier” for this purpose.)

An organisation can only assign a unique identifier to you if this is necessary for it to carry out its functions efficiently. It must also take reasonable steps to make sure that unique identifiers are assigned only to individuals whose identity is clearly established.

An organisation mustn’t assign you a unique identifier that has been assigned to you by another organisation, unless those two organisations are “associated persons” under the Income Tax Act 2007 – for example, two companies that are owned by the same person or group of people.

Note: It is this privacy principle (Principle 13) that prevents the government from giving you one personal number to use in all your dealings with all government agencies.

Privacy Act 2020, s 22 Principle 13(5)

A business or other organisation can’t require you to disclose to them a unique identifier assigned to you by some other organisation unless giving it to them is one of the purposes for which the identifier was assigned to you by the other organisation in the first place (or is related to one of those purposes).

In the case of a mobile phone company that required a customer to let it keep a photocopy of the customer’s driver’s licence, the Privacy Commissioner’s view was that it was reasonable for the company to simply sight the licence to confirm the customer’s identity, but that keeping a copy, or otherwise recording the licence number, wasn’t justified.