Special privacy rules for specific areas and issues
“Unique identifiers”: Numbers and other identifying tags assigned to you
Restrictions on assigning identifying numbers and other unique identifiers
Privacy Act 2020, ss 7, 22, information privacy principle 13; Income Tax Act 2007, Subpart YB
The Privacy Act puts restrictions on government departments, businesses and other organisations that assign identifying numbers and other tags (“unique identifiers”) to people who deal with them.
A “unique identifier” includes any number, tag or reference that’s assigned to you by an organisation for their operational purposes. This includes, for example, your IRD number, your driver’s licence number, your passport number and the client number assigned to you by your bank. However, your name isn’t a “unique identifier” for this purpose.
An organisation can only assign a unique identifier to you if this is necessary for it to carry out its functions efficiently. It must also take reasonable steps to make sure that unique identifiers are assigned only to individuals whose identities are clearly established.
An organisation mustn’t assign you a unique identifier that has been assigned to you by another organisation, unless those two organisations are “associated persons” under the Income Tax Act 2007 – for example, two companies that are owned by the same person or group of people.
Note: This privacy principle (Principle 13) also prevents the government from giving you one personal number to use in all your dealings with all government agencies.
Can I be required to give my driver’s licence number or other unique identifier?
Privacy Act 2020, s 22, information privacy principle 13(5)
Usually, a business or other organisation can’t make you give them a unique identifier that you were assigned from a different organisation, unless being able to give your unique identifier to this type of business was one of the reasons (or related to one of the reasons) why you were assigned a unique identifier in the first place.
In the case of a mobile phone company that required a customer to let it keep a photocopy of the customer’s driver’s licence, the Privacy Commissioner’s view was that it was justified for the company to simply sight the licence to confirm the customer’s identity, but that keeping a copy, or otherwise recording the licence number, wasn’t justified.