December 14, 2022

Director IDs: Just how personal is this 15-digit identifier?

This LAWFIT™ Privacy Guide is published as part of a series of legal and regulatory guides on data and privacy. 

Nearly 2.7 million Australian Directors have submitted their personal information to the Australian Business Registry Service to apply for a Director ID. This new compulsory identifier links a director to their current, past, and future companies for the purposes of improving the integrity of the Australian business landscape. In this article, we consider whether a Director ID could be legally classified as personal information, and whether its disclosure could cause serious harm to the individual director.

About Director IDs

Director IDs (DINs) were introduced by the Australian Business Registry Service (ABRS) to prevent the use of fictitious director identities. Additionally, DINs are said to help regulators trace directors’ relationships with companies and better identify director involvement in illegal activity.

A DIN is a 15-digit identifier which confirms a person’s identity and will in future show the companies to which they are appointed as board director.

When can DINs be disclosed?

The ABRS is not authorised to disclose DINs to the public without the director’s consent. Currently, the intention is that they will not be disclosed to the public in the ASIC database, or be searchable by the public. In the future, the Registrar of the ABRS will consult the community about what details can be disclosed and searched.

The ABRS can only disclose a Director ID to the holder of the ID; where the holder gives the ABRS permission; to certain Commonwealth, state and territory government bodies; and to courts and tribunals.

It is noteworthy that a DIN is not governed by the same rules or laws that apply to a tax file number (TFN). An authorised agent or company secretary must ensure that information about a company and its officeholders is handled according to their legal obligations, and securely stored.

Is a DIN Personal Information Under the Privacy Act?

The ABRS does not expressly state whether a DIN is considered personal information (or PI). However, the Privacy Act 1988 (Cth) (Privacy Act) defines ‘personal information’ as:

‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.’

An individual can be ‘identifiable’ for the purposes of the Privacy Act where the information is able to be linked with other information that ultimately identifies the individual. This requires a contextual consideration of the particular circumstances, including:

  •  The nature and amount of information;
  •  Who will hold and have access to the information; and
  •  The practicability of using that information to identify an individual.

With respect to DINs, on their own they may not be capable of identifying an individual. However, when linked with other information it may be possible to identify an individual, in which case the DIN would be regarded as ‘PI’. For further information on what constitutes PI, see our earlier article here.

Private Details

The Office of the Australian Information Commissioner (OAIC) is the regulating body for the Privacy Act, and exercises the powers of the Privacy Act. The OAIC states that a person’s ‘private details’ covered by the Privacy Act include:

  • name;
  • signature;
  • home address;
  • email address;
  • telephone number;
  • date of birth;
  • medical records;
  • bank account details; and
  • employment details.

Details of Working Habits

According to the OAIC, information about a person’s working habits and practices is covered by the definition of personal information. This includes:

  • a person’s employment details;
  • salary;
  • job title; and
  • work practices.

DINs link an identified individual to the company that they are a director of and will trace their relationships with new companies if they become a director elsewhere.[1] The individual’s connection to a company in the position of director is information regarding working habits, which may meet the requirements of the Privacy Act to be considered personal information.

Additionally, in order to apply for their DIN, individuals are required to verify their identity using a variety of information and documents, including a combination of either their tax file number, bank details, passport number, birth certificates or Medicare cards. Whether this information is kept on file by the ABRS and linked to the Director ID is unclear, but would add a further layer of potential harm if it could be accessed by unauthorised intruders.

Would the Disclosure of a DIN Cause Serious Harm?

The Privacy Act does not explicitly define ‘serious harm’. However, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 Explanatory Memorandum describes serious harm, in this context, as including:

‘serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person… would identify as a possible outcome’.

The disclosure of a DIN may enable an unauthorised individual to gain access to information about a director’s identity and the relationship they have with a company. Given that a DIN will be linked to their previous relationships with other companies, it is likely that the unauthorised individual would also gain access to this information.

This could potentially cause serious harm to the director because:

  1. their working history may be made public;
  2. their identity may be stolen; or
  3. they may be subject to fraud.

If this does cause serious harm, then under new proposed laws, organisations responsible for the data breach could in future face fines of A$50m or more.

Concluding Remarks

It is anticipated that the introduction of DINs will assist in combatting fraudulent activity in the Australian business market. However, DINs have the potential to expose a director’s working habits and previous corporate relationships.

On its own, a DIN is unlikely to be capable of identifying an individual; however, if linked with other PI, it may be capable of identifying an individual and therefore should be regarded as PI. In certain circumstances, the improper disclosure of a Director ID has the capacity to cause serious harm to the director.

Unless there is clarity to the contrary from the OAIC or otherwise, we recommend treating DINs as personal information. If you require any further advice in relation to DINs or corporate law generally, please contact us below.

[1] ‘About Director ID’, Australian Business Registry Service (Webpage, December 2022) <https://www.abrs.gov.au/director-identification-number/about-director-id>.
