IPP 8 is intended to preserve and protect the ability of individuals to remain anonymous in transactions with government organisations.¹ It makes clear that, by default, people should be able to transact anonymously or pseudonymously.

Organisations should regularly look out for opportunities to introduce or reinstate the ability for individuals to engage in anonymous transactions. Reviewing information flows and why the organisation collects and needs certain personal information may highlight areas where an individual could transact anonymously. Allowing individuals to be anonymous when interacting with an organisation can minimise the risk of data loss or harm in the case of a data security breach, as no personal information is collected in an anonymous transaction.

‘Transactions’ should be interpreted broadly to include the interactions and dealings between the individual and the organisation, whether or not they involve an exchange in a commercial sense.

Examples of transactions where anonymity could be offered include:

• paying for goods and services – can individuals pay anonymously using cash? Do individuals need to provide identifying information when buying certain goods or services, such as a ticket to an event?
• using a computer for internet browsing – does the organisation need to know what websites users visit?
• travelling on public transport – how can members of the public travel anonymously, especially where valid tickets are held?
• walking along streets, through parks and attending other places open to the public – to what extent can individuals remain anonymous in a crowd when CCTV is installed?
• accessing and obtaining copies of publicly available government records – can the organisation allow individuals to anonymously access government policies and procedures, including where these are made available online over the internet?
• making enquiries to government organisations – is it necessary to record a name or use CCTV to monitor who attends your organisation’s office to request general information about accessing government services or exercising their rights?
• interacting with government organisations online – can individuals interact with government organisations anonymously, or does the organisation require individuals to provide personal information before they are able to interact with, or contact, the organisation?
• expressing views and concerns at public meetings – is it necessary to record every speaker’s identity in the minutes? Is it necessary to collect personal information about someone who complains about a general issue?
• use of monitoring or location-based tracking technology – if GPS is used to track the organisation’s vehicles, can an employee turn off the GPS at certain times, for example, on their lunch break?

Whether the option of anonymity should or can be offered depends on the context. Under IPP 8, the option for transacting anonymously must be made available wherever it is lawful and practicable to do so. In certain circumstances, anonymity may be impracticable, for example, where justice centres have CCTV for the safety of staff. Organisations should also consider their obligation under IPP 1 (Collection) to only collect personal information that is necessary for their functions or activities.

An organisation may be unable to offer an anonymous option if a law requires the organisation to identify an individual. In this case, allowing individuals to transact anonymously or pseudonymously would not be ‘lawful’. For example, some laws require individuals to provide identifying information to transact with an organisation, for example, when individuals register for a profession or apply for a licence.

‘Practicable’ has been considered in these Guidelines in the Key Concepts chapter. Determining whether it is practicable to offer the option of anonymity involves consideration of matters such as the cost that may be involved in allowing an anonymous option and whether there is a public interest in requiring individuals to identify themselves.

Other factors that affect whether it is practicable to provide the option of anonymity include the functions of the organisation, the purpose of the interaction and the role of identifying information in the interaction. For example, it may not be practicable for a complaint handling body to provide an individual with the option of remaining anonymous if the complaint specifically concerns the treatment of that individual.³ Similarly, it may not be practicable for an individual to remain anonymous where their identity is needed to provide them with a good or service.

Providing an anonymous option will not always be appropriate. Determining when anonymity is inappropriate requires organisations to carefully balance what can be done within existing legal and technological constraints and what should be done to promote and protect privacy and other fundamental rights and public interests. Any restrictions on the ability to transact anonymously should be limited to what is necessary and proportionate to protect the various interests at stake, while always considering possible less restrictive means.

Some examples where anonymity may not be appropriate include:

• The investigation of incidents involving serious criminal activity;
• Combating money laundering through financial institutions; and
• Ensuring the transparency of donations to political campaigns.

It may be necessary to collect some information to, for example, determine the quality of, or need for, services. Organisations should consider carefully what information is needed and whether it needs to be collected in an identified way. For example, when conducting a survey, it may be sufficient to ask a person for their suburb or postcode, or to survey individuals anonymously.

Where identification is needed to establish eligibility for a service or benefit, it might be sufficient to sight a document and record that the particular document was sighted, rather than to record or copy the personal information contained in the document.

In some cases, individuals may decide to waive the option of anonymity and provide identifying information. This is consistent with the importance of control in privacy – individuals should be allowed to control what happens with their personal information – and the role of consent in other IPPs.

When individuals waive the option of anonymity, the collection still needs to be necessary to the organisation’s functions or activities. An individual providing their personal information voluntarily with consent does not mean the organisation no longer needs to comply with IPP 1 (Collection). The important thing is that organisations provide the option of anonymity where practicable and lawful and, where individuals choose to identify themselves, ensure any identifying information is appropriately handled in accordance with the IPPs.

Organisations may consider other means of promoting the intention underpinning IPP 8, such as by using pseudonymity. The use of pseudonyms, where lawful and practicable, can enable individuals to transact with organisations using a fictitious name instead of revealing their true identity. For example, where an organisation handles calls from the public, such as inquiries, that organisation may make records of the phone calls. In this example, pseudonymity can be used to allow the caller to not identify themselves and transact with the organisation anonymously. Where an individual’s identity needs to be ascertained, for example, to send correspondence in the mail, pseudonymity is unlikely to be practicable.

Where pseudonymity is being considered, consider whether the information needs to be collected at all. Data quality issues under IPP 3 might also be relevant where the organisation is collecting information that may not necessarily be accurate. Organisations can also refer to the Pseudonymisation and anonymised data in the Key Concepts chapter.

IPP 8 is particularly relevant for the complaint handling functions of organisations. Many complaints can be resolved without collecting identifying information about complainants. For example, if a person complained about a public facility, it is unlikely collection of their personal information would be necessary to fairly and appropriately respond to the complaint. See Case Study 8A, above.

In some instances, anonymity can encourage individuals to make complaints where they would otherwise fear the potential consequences of identifying themselves. In Case Note 256145 [2015] NZ PrivCmr 2,⁷ the complainant made a complaint to a government agency regarding their employer. The complainant requested their identity remain confidential, however, their name was inadvertently disclosed to the employer by the government agency. This lead to a breakdown in the relationship between the complainant and their employer. The NZ Privacy Commissioner found it is important to allow individuals to remain anonymous when they make a complaint in certain circumstances, as individuals may be otherwise discouraged from expressing their concerns if they knew their identity would be disclosed to the party they had complained about.

In other contexts, it may not be practicable for individuals making a complaint to remain anonymous. Procedural fairness may require a complainant’s identity be disclosed so the party subject to the complaint can fairly respond to the allegations. For example, in Complainant AW v Statutory Authority [2012] VPrivCmr 1, the Privacy Commissioner found it was not practicable for the Statutory Authority to keep the Complainant’s identity anonymous from the service provider for the purpose of the complaints process. This was because the service provider needed the Complainant’s identifying information to be able to provide a proper response to the Complainant’s allegations.

Both organisations and individuals can benefit from anonymous transactions. The individual is able to deal with the organisation without giving up control over their personal information and the organisation does not incur any of the obligations under the other IPPs that follow from collection of personal information.

Where organisations intend to collect and use anonymous data, they should ensure the information is not reasonably identifiable or reasonably capable of being re-identified through, for example, matching the information to other datasets. See ‘De-identification in practice’ in Key Concepts.

Providing an anonymity option is also consistent with IPP 1.1, which states organisations should not collect personal information unless it is necessary for one or more of their functions or activities. If an organisation can achieve its function or activity without collecting personal information and allow an individual to remain anonymous, it should do so.

IPP 8 is also relevant to the conduct of human research under IPP 2.1(c). Limitations around use and disclosure under IPP 2.1(c) are not an issue where researchers collect information anonymously – whether this is directly from the individuals concerned, or indirectly using existing datasets held by other organisations.

IPP 8 should also be read in conjunction with IPP 5 and IPP 1.3(f). The concepts of openness and transparency in IPP 5, and the requirement to take reasonable steps to notify individuals under IPP 1.3 when collecting information, suggest that, if an organisation has an anonymity option, it should be offered at the appropriate time to allow the individual to make an informed decision.