Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Identity security

What can I do to secure my personal information and prevent my identity from being stolen?

It is important to always consider how you use and share your personal information. The Office of the Australian Information Commissioner (OAIC) has a number of resources to help you protect your personal information and reduce the risk of your identity from being stolen, including the Ten tips to protect your privacy fact sheet.

Your identity can be stolen if thieves gain access to your personal information, including from any documents that contains information about you.  Remember, even if thieves only gain access to a small amount of your personal information, they may be able to steal your identity if they find out more information about you from public sources, such as your social media accounts, which may include your date birth, your photographs and information about your family. With this information, thieves may be able to present themselves as you and apply for services, such as a new bank account.  

The Attorney General’s Department also has a Protecting and Recovering your Identity page, which includes a pamphlet, guide, video and infographic on how you can prevent yourself becoming a victim of identity theft.

The Australian Federal Police also has an Identity Crime page that includes information on how you can protect yourself from becoming a victim of identity theft.

The Australian Competition and Consumer Commission’s Scamwatch includes information on how to recognise, avoid and report scams that Attempt to gain your personal information, such as identity theft, phishing and hacking. 

Back to Contents

How can I avoid being a victim of a scam?

There are many types of fraud and many online and email scams out there. If you’re not expecting a request to update information or to receive a refund or prize, don’t give out your personal information until you are sure it is legitimate.

The Australian Competition and Consumer Commission provides useful information on how to protect yourself against scams on their SCAMwatch site.

You can also subscribe to the Stay Smart Online free alert service to receive email alerts of scams and other cyber issues.

State and Territory Departments of Fair Trading may also have lists of current scams.

Back to Contents

I think I may be a victim of identity theft. What do I do now?

If you have been a victim of identity theft, or are concerned you might be, it is important that you act quickly to take steps to minimise any financial or other damages. The quicker you act, the more likely you are to avoid problems.

The information on the Attorney General’s Department’s Protecting and Recovering your Identity page includes a checklist of steps to take if your identity has been stolen.

You can also use the credit checking and monitoring services provided by Veda, D&B and Experian.

I am concerned I have been a victim of financial identity theft. What can I do?

If you think you have been a victim of fraud, you should make a request to a credit reporting body not to use or disclose the information contained in your consumer credit report. The credit reporting body will then implement a freeze on your credit report during which time it will not use or disclose your consumer credit report or add new information to that report. As you may have a credit report with more than one credit reporting body, it is a good idea to make this request to each of the three main credit reporting bodies in Australia; Veda, D&B and Experian. For more information, see the OAIC fact sheet Fraud and your credit report.

It is also important that you monitor what information is included in your consumer credit report, as this will alert you if another person attempts to apply for credit using your name. You can do this by requesting a copy of your credit report from a credit reporting body.  A credit reporting body must give you access to your consumer credit report, including your credit score, for free once every 12 months.

Back to Contents

What is ID scanning?

Identification scanning is where a business takes an electronic copy of your proof of identity documents, such as your driver’s licence.

Back to Contents

Does the Privacy Act allow ID scanning?

The Privacy Act 1988 (Privacy Act) allows orgainsations it covers to scan your ID, if they comply with the Australian Privacy Principles.

State privacy laws may cover ID scanning in other situations, such as when a state public sector agency, local council or university scan your ID.

Back to Contents

When can a business scan my ID?

A business can only scan your ID if it is reasonably necessary for one of its functions or activities.

For example, liquor licensing and anti-money laundering laws may mean that pubs or clubs require proof of your identity before they can provide you with information or a service.

Back to Contents

Why can’t a business sight my ID instead of scanning it?

A business should not scan or copy your ID, if sighting it would be sufficient for purpose it requires it for. 

It is up to the business to explain why sighting your ID is insufficient.

Back to Contents

Does a business have to notify me before it scans my ID?

A business should notify you of certain information before they scan your ID. This includes the purpose for which they are scanning your ID and the consequences if you don’t allow your ID to be scanned. 

This information should be made easily available for you to see and read. Scanning should not be done without your knowledge or in a manner not visible to you. 

Back to Contents

Don’t I have a right to anonymity and pseudonymity under the Privacy Act?

Generally, you should have the option of not identifying yourself, or not using your real name, when dealing with a business covered by the Privacy Act. However, a business that is scanning your ID you may not give you this option, if a law requires it to identify you or  where it would impracticable for it to deal with you when you are not identified.

Back to Contents

Can a business scan all the information on my ID?

A business can only collect the information from your ID that is reasonably necessary for one of its functions or activities. This function or activity should be the purpose for which it has notified you that it is scanning your ID.

A business should consider each item of information on your ID and determine whether it is needed for that purpose.

A business is not allowed to collect more information than is necessary because it is convenient to do so. It is also not allowed to collect information because they think it may be useful in the future.

Back to Contents

What obligations does a business have once they’ve scanned my ID?

A business covered by the Privacy Act that scans your ID must take reasonable steps to protect your ID information from misuse, interference and loss and from unauthorised access, modification or disclosure. It must also take reasonable steps to destroy or de-identify that information once it is no longer needed for any purpose for which it was collected. 

Back to Contents

Can I access, correct or complain about my scanned ID information?

A business covered by the Privacy Act that scans your ID must have procedures in place that allow you to request access to, and correction of, your scanned information.  A business should also have procedures for identifying and responding to privacy breaches and receiving and responding to complaints and enquiries.

You should check the privacy policy of the business for this information. 

Back to Contents

What is biometric information scanning?

Biometric information scanning is where a business uses technology to take an electronic copy of your biometric information, such as your face, fingerprints, palm, iris, voice or signature.

Back to Contents

How does the Privacy Act apply to biometric information scanning?

Biometric information that is used for the purpose of automated biometric verification or biometric identification is considered sensitive information under the Privacy Act. Examples of biometric information include features of an individual’s face, fingerprints, palm, iris, voice or signature.

Sensitive information attracts a higher level of protection under the Privacy Act. This means a business that scans your biometric information has additional obligations in handling that information.

Back to Contents