IPP 8: Anonymity
Document version: IPP 8, 2019.A (consultation draft), 16 May 2019.
IPP 8 states:
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
The underlying objective of the anonymity principle is to maximise the individual’s control in their interactions with government and to minimise government’s intrusion into the life of the individual.
IPP 8 is intended to preserve and protect the ability of individuals to remain anonymous in transactions with government organisations.[1] It makes clear that, by default, people should be able to transact anonymously or pseudonymously.
Organisations should regularly look out for opportunities to introduce or reinstate the ability for individuals to engage in anonymous transactions. Reviewing information flows and why the organisation collects and needs certain personal information may highlight areas where an individual could transact anonymously. Allowing individuals to be anonymous when interacting with an organisation can minimise the risk of data loss or harm in the case of a data security breach, as no personal information is collected in an anonymous transaction.
‘Transactions’ should be interpreted broadly to include the interactions and dealings between the individual and the organisation, whether or not they involve an exchange in a commercial sense.
Examples of transactions where anonymity could be offered include:
- paying for goods and services – can individuals pay anonymously using cash? Do individuals need to provide identifying information when buying certain goods or services, such as a ticket to an event?
- using a computer for word processing or internet browsing – does the organisation need to know what programs users are working on or what websites they visit?
- travelling on public transport – how can members of the public travel anonymously, especially where valid tickets are held?
- walking along streets, through parks and attending other places open to the public – to what extent can individuals remain anonymous in a crowd when CCTV is installed?
- accessing and obtaining copies of publicly available government records – can the organisation allow individuals to anonymously access government policies and procedures, including where these are made available online over the internet?
- making enquiries to government organisations – is it necessary to record a name or use CCTV to monitor who attends your organisation’s office to request general information about accessing government services or exercising their rights?
- interacting with government online – can individuals interact anonymously, or does the organisation require individuals to provide personal information before they are able to interact with, or contact, the organisation?
- expressing views and concerns at public meetings – is it necessary to record every speaker’s identity in the minutes? Is it necessary to collect personal information about someone who complains about a general issue?
- use of monitoring or location-based tracking technology – if GPS is used to track the organisation’s vehicles, can an employee turn off the GPS at certain times, for example, on their lunch break?
Whether the option of anonymity should or can be offered depends on the context. Under IPP 8, the option for transacting anonymously must be made available wherever it is lawful and practicable to do so. Organisations should also consider their obligation under IPP 1 to only collect personal information that is necessary for their functions or activities.
Lawful and practicable
An organisation may be unable to offer an anonymous option if a law requires the organisation to identify an individual. In this case, allowing individuals to transact anonymously or pseudonymously would not be ‘lawful’. For example, some laws require individuals to provide identifying information to transact with an organisation, such as when individuals register for a profession or apply for a licence.
‘Practicable’ has been considered in these Guidelines in the Key Concepts chapter. Determining whether it is practicable to offer the option of anonymity involves consideration of matters such as the cost that may be involved in allowing an anonymous option and whether there is a public interest in requiring individuals to identify themselves.
Other factors that affect whether it is practicable to provide the option of anonymity include the functions of the organisation, the purpose of the interaction and the role of identifying information in the interaction. For example, it may not be practicable for a complaint handling body to provide an individual with the option of remaining anonymous if the complaint specifically concerns the treatment of that individual.[2] Similarly, it may not be practicable for an individual to remain anonymous where their identity is needed to provide them with a good or service.
Providing an anonymous option will not always be appropriate. Determining when anonymity is inappropriate requires a careful balancing between what can be done within existing legal and technological constraints and what should be done to promote and protect privacy and other fundamental rights and public interests. Any restrictions on the ability to transact anonymously should be limited to what is necessary and proportionate to protect the various interests at stake, while always considering possible less restrictive means.
Some examples where anonymity may not be appropriate include:
- the investigation of incidents involving serious criminal activity;
- combating money laundering through financial institutions; and
- ensuring the transparency of donations to political campaigns.
It may be necessary to collect some information to, for example, determine the quality of, or need for, services. Organisations should consider carefully what information is needed and whether it needs to be collected in an identified way. For example, when conducting a survey, it may be sufficient to ask a person for their suburb or postcode, or to survey individuals anonymously.
Where identification is needed to establish eligibility for a service or benefit, it might be sufficient to sight a document and record that the particular document was sighted, rather than to record or copy the personal information contained in the document.
In some cases, individuals may decide to waive the option of anonymity and provide their identifying information. This is consistent with the importance of control in privacy and allowing individuals to control what happens with their personal information, and the role of consent in other IPPs.
However, the collection still needs to be necessary to the organisation’s functions or activities. An individual providing their personal information voluntarily with consent does not mean the organisation no longer needs to comply with IPP 1. The important thing is that organisations provide the option of anonymity where practicable and lawful and, where individuals choose to identify themselves, ensure any identifying information is appropriately handled in accordance with the IPPs (see Case Study 8A).
Case Study 8A: Mishandling of identifying information after anonymity option declined[3]
A woman living in a small rural community contacted the customer service officer of a local council to report a leaking tap in the public toilets and that her son had tripped and hit his head on the wet floor. The woman was asked at the outset whether she wanted to make her report anonymously. She decided to identify herself, saying later she did so because she wanted a record of the incident concerning her son, but that she did not expect that in doing so, an employee of the council without a ‘need to know’ would have access to it.
The customer service officer forwarded a report, including the woman’s name, to the relevant business unit supervisor. The supervisor then forwarded the report to an employee who was asked to coordinate the repairs. This employee in turn allegedly disclosed the woman’s name to his spouse.
The woman heard about the disclosure when the employee’s spouse allegedly accused the woman of complaining about her husband’s work. The woman was concerned that, as a result of the disclosure, another member of the small community wrongly believed the complaint had been about a particular person’s work, rather than about a public facility.
The Privacy Commissioner commented that, in circumstances such as this, in which a council is required to respond to a report of a fault in a public facility, it is not necessary to the efficient repair of the fault for the identity of the person who reported the fault to be so widely circulated among council employees. In other circumstances, such as where the fault relates to the property of the person making the report, it is likely to be necessary (and often expected) that identifying information will be circulated to a wider range of employees or contractors so repairs can be undertaken efficiently and with consultation.
The Commissioner noted the impact of wide circulation of personal information within organisations and unauthorised disclosure outside them can be greater in small communities where people are more likely to know each other and names are more easily recognised.
The council agreed to amend its incident reporting procedures to limit who has access to personally identifying incident reports and to provide appropriate training for relevant employees. The council also undertook to continue its policy of allowing members of the public to anonymously report public health and safety matters.
Organisations may consider other means of promoting the intention underpinning IPP 8, such as by using pseudonymity. The use of pseudonyms, where lawful and practicable, can enable individuals to transact with organisations using a fictitious name instead of revealing their true identity. For example, individuals may use a fictitious name to make an email enquiry or request for information.
However, where pseudonymity is being considered, organisations should consider whether the information needs to be collected at all. Data quality issues under IPP 3 might also be relevant where the organisation is collecting information that may not necessarily be accurate. Organisations can also refer to ‘Pseudonymisation and anonymised data’ in the Key Concepts chapter.
IPP 8 in practice
IPP 8 is particularly relevant for the complaint handling functions of organisations. Many complaints can be resolved without collecting identifying information about the complainant. For example, if a person complained about a public facility, it is unlikely collection of their personal information would be necessary to fairly and appropriately respond to the complaint (see Case Study 8A, above).
In some instances, anonymity can encourage individuals to make complaints where they would otherwise fear the potential consequences of identifying themselves. In Case Note 256145,  NZ PrivCmr 24 the complainant made a complaint to a government agency regarding their employer. The complainant requested their identity remain confidential; however, their name was inadvertently disclosed to the employer by the government agency. This led to a breakdown in the relationship between the complainant and their employer. The NZ Privacy Commissioner found it is important to allow individuals to remain anonymous when they make a complaint in certain circumstances, as individuals may be otherwise discouraged from expressing their concerns if they knew their identity would be disclosed to the party they had complained about.
In other contexts, it may not be practicable for individuals making a complaint to remain anonymous. Procedural fairness may require a complainant’s identity be disclosed so the party subject to the complaint can fairly respond to the allegations. For example, in Complainant AW v Statutory Authority  VPrivCmr 1,[5] the Privacy Commissioner found it was not practicable for the Statutory Authority to keep the Complainant’s identity anonymous from the service provider for the purpose of the complaints process. This was because the service provider needed the Complainant’s identifying information to be able to provide a proper response to the Complainant’s allegations.
Relationship between anonymity and other IPPs
Both organisations and individuals can benefit from anonymous transactions. The individual is able to deal with the organisation without giving up control over their personal information and the organisation does not incur any of the obligations under the other IPPs that follow from collection of personal information.
Where organisations intend to collect and use anonymous data, they should ensure the information is not reasonably identifiable or reasonably capable of being re-identified through, for example, matching the information to other datasets. See ‘De-identification in practice’ in Key Concepts.
Providing an anonymity option is also consistent with IPP 1.1, which states organisations should not collect personal information unless it is necessary for one or more of their functions or activities. If an organisation can achieve its function or activity without collecting personal information and allow an individual to remain anonymous, it should do so.
IPP 8 is also relevant to the conduct of human research under IPP 2.1(c). As discussed at paragraph 2.55 in the IPP 2 Chapter of these Guidelines, limitations around use and disclosure under IPP 2.1(c) are not an issue where researchers collect information anonymously – whether this is directly from the individuals concerned, or indirectly using existing datasets held by other organisations.
IPP 8 should also be read in conjunction with IPP 5 and IPP 1.3(f). The concept of transparency in IPP 5 and the requirement to take reasonable steps to notify individuals under IPP 1.3 when collecting information suggest if an organisation has an anonymity option, it should be offered at the appropriate time to allow the individual to make an informed decision.
Case Study 8B: Communicating when anonymity is not practicable
The Complainant had an anonymous account with Organisation A, and, after some time, the card for the account became faulty and required replacement. The Complainant was advised by Organisation A that to obtain a replacement card, they would have to provide personal information.
The Complainant asked Organisation A whether they could purchase a new anonymous card, and have the balance of their old account transferred to their new card. Organisation A replied this was not possible and confirmed there was no way for the Complainant to maintain their anonymity without losing the account balance.
The Complainant complained Organisation A had failed to give the Complainant the option of not identifying themselves when entering into the transaction (the exchange of the balance on their anonymous card to another card), when it was lawful and practicable to do so.
Organisation A argued it was not practicable for the Complainant to remain anonymous in these circumstances as the balance transfer could not be performed in person. Organisation A explained to the Complainant that their personal information would be kept for a strictly limited purpose and time (to perform the transfer), and securely destroyed once it was no longer required for recordkeeping purposes. The Complainant’s personal information would not be linked to the new card.
The Complainant accepted this explanation and the complaint was conciliated. Organisation A agreed to improve the notice it provided to individuals seeking to transfer a balance between anonymous accounts.
This is a good example of:
- An organisation generally offering an anonymous option;
- An organisation demonstrating why, in limited circumstances, anonymity is not practicable; and
- The relationship between IPPs 1 and 8. Better notice about why anonymity was not practicable in these circumstances may have prevented the complaint.
1. See the note to IPP 8 in the Explanatory Memorandum to the Privacy and Data Protection Bill 2014, 36.
2. Complainant AW v Statutory Authority  VPrivCmr 1.
3. Complainant N v Local Council  VPrivCmr 8.
4. Available on the NZ Privacy Commissioner’s website.
5. Available on Austlii.