This LAWFIT™ Privacy Guide is published as part of a series of legal and regulatory guides on data and privacy.
Nearly 2.7 million Australian directors have submitted their personal information to the Australian Business Registry Service to apply for a Director ID. This new compulsory identifier links a director to their current, past, and future companies for the purpose of improving the integrity of the Australian business landscape. In this article, we consider whether a Director ID could be legally classified as personal information, and whether its disclosure could cause serious harm to the individual director.
Director IDs (DINs) were introduced by the Australian Business Registry Service (ABRS) to prevent the use of fictitious director identities. Additionally, DINs are said to help regulators trace directors’ relationships with companies and better identify director involvement in illegal activity.
A DIN is a 15-digit identifier that confirms a person's identity and will, in future, show the companies to which they are appointed as a director.
The ABRS is not authorised to disclose DINs to the public without the director’s consent. Currently, the intention is that they will not be disclosed to the public in the ASIC database, or be searchable by the public. In the future, the Registrar of the ABRS will consult the community about what details can be disclosed and searched.
The ABRS can only disclose a Director ID to the holder of the ID; to a third party where the holder gives the ABRS permission; to certain Commonwealth, state and territory government bodies; and to courts and tribunals.
It is noteworthy that a DIN is not governed by the same rules or laws that apply to a tax file number (TFN), so the specific TFN protections do not carry over to it. An authorised agent or company secretary must therefore ensure that information about a company and its officeholders, including any DINs they hold, is handled according to their legal obligations and stored securely.
The ABRS does not expressly state whether a DIN is considered personal information (or PI). However, the Privacy Act 1988 (Cth) (Privacy Act) defines 'personal information' as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
An individual can be 'identifiable' for the purposes of the Privacy Act where the information is able to be linked with other information that ultimately identifies the individual. This requires a contextual consideration of the particular circumstances, including:
With respect to DINs, on their own they may not be capable of identifying an individual. However, when linked with other information (for example, a company's officeholder records or a director's other identity documents) it may be possible to identify the individual, in which case the DIN would be regarded as PI. For further information on what constitutes PI, see our earlier article here.
The Office of the Australian Information Commissioner (OAIC) is the regulator responsible for the Privacy Act and exercises the powers it confers. The OAIC states that a person's 'private details' covered by the Privacy Act include:
According to the OAIC, information about a person's working habits and practices is also covered by the definition of personal information. This includes:
DINs link an identified individual to the company of which they are a director, and will trace their relationships with new companies if they become a director elsewhere.[1] An individual's connection to a company in the position of director is information about their working habits, which may meet the requirements of the Privacy Act to be considered personal information.
Additionally, in order to apply for their DIN, individuals are required to verify their identity using a combination of information and documents, such as their tax file number, bank account details, passport number, birth certificate or Medicare card. Whether this information is retained by the ABRS and linked to the Director ID is unclear, but if it is, it adds a further layer of potential harm should the records be accessed by an unauthorised party.
The Privacy Act does not explicitly define ‘serious harm’. However, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 Explanatory Memorandum describes serious harm, in this context, as including:
‘serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person… would identify as a possible outcome’.
The disclosure of a DIN may enable an unauthorised individual to gain access to information about a director's identity and their relationship with a company. Given that a DIN will be linked to the director's previous relationships with other companies, it is likely that the unauthorised individual would also gain access to that information.
This could potentially cause serious harm to the director because:
If such a disclosure does cause serious harm, then under the proposed increase to civil penalties, organisations responsible for the data breach could in future face fines of A$50 million or more.
It is anticipated that the introduction of DINs will assist in combating fraudulent activity in the Australian business market. However, DINs also have the potential to expose a director's working habits and previous corporate relationships.
On its own, a DIN is unlikely to be capable of identifying an individual; however, if linked with other PI it may be capable of identifying an individual and should then be regarded as PI. In certain circumstances, the improper disclosure of a Director ID has the capacity to cause serious harm to the director.
Unless there is clarity to the contrary from the OAIC or otherwise, we recommend treating DINs as personal information and protecting them accordingly. If you require any further advice in relation to DINs or corporate law generally, please contact us below.
[1] 'About Director ID', Australian Business Registry Service (Webpage, December 2022) <https://www.abrs.gov.au/director-identification-number/about-director-id>.