In a report released in late 2015, the Attorney-General’s Department estimated that the total direct and indirect cost of identity crime in Australia exceeded $2 billion in the previous two years. Identity crime comes in many forms, including fabrication, manipulation, and theft.

Identity fabrication and identity manipulation concern the false creation and alteration of one’s own identity. Identity theft stands alone in that it relies on “the illicit assumption of a pre-existing identity of a living or deceased person, or of an artificial legal entity such as a corporation” (Australian Law Reform Commission (ALRC) Report 108).

Growing concerns around cybersecurity

In PwC’s 2014 Global Economic Crime Survey, 43% of Australian organisations surveyed expressed concern about cyber-threats involving the theft of Personally Identifiable Information. This is with good reason: with ever-growing databases of personal information being collected, it has never been easier for wrongdoers to gain access to pre-existing identities en masse.

While the Commonwealth, States and Territories have all passed legislation criminalising certain activities that involve the misuse of identities, privacy laws play an important role in complementing the criminal law regime. The approach is twofold: reducing the amount of personal information stored, and better handling the personal information that is stored.

Data accuracy – strategy for prevention or increasing the risk of theft?

The ALRC has suggested that Australian Privacy Principle 10 – which requires stored personal information to be accurate – may assist in minimising the harm caused by identity theft after it has occurred. However, it is worth considering that it is the accuracy of these databases that often attracts hackers seeking to assume pre-existing identities.

How else then can the privacy laws protect against identity theft?

The principle of anonymity and pseudonymity requires an APP entity (which includes any agency or organisation that is not a small business operator) to grant individuals the option of not identifying themselves, or of using a pseudonym, unless the law or impracticality prevents it. The regular use of different pseudonyms can act as a trap for determining the origin of certain privacy breaches. This is particularly useful as APP entities are not required to notify an individual or agency in the event of a privacy breach.

Further, Australian Privacy Principles 3 and 11 mandate the reduction of information collected and the destruction of information no longer necessary to be held. Together, all these principles curb the stockpiling of personal information that makes certain databases so attractive for hackers wanting to gain access to pre-existing identities.