Summary of the OAIC’s privacy assessment of DirectMoney as a business user of the DVS
This summary report outlines the key findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of DirectMoney Limited’s (DirectMoney) handling of personal information as a business user of the Document Verification Service (DVS).
DirectMoney is an organisation that offers unsecured personal loans to individuals via online applications, and holds Australian Credit Licence number 458572 issued by the Australian Securities and Investments Commission. DirectMoney uses the DVS to assist in meeting its obligation to verify the identity of its customers under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML-CTF Act), which is a requirement for all licensed lenders.
The OAIC examined how DirectMoney handles personal information as part of its DVS processes. Specifically, the OAIC examined whether DirectMoney collects personal information in accordance with Australian Privacy Principle (APP) 3, notifies individuals as required under APP 5, and appropriately secures and retains personal information in line with APP 11.
The OAIC made two recommendations relating to securing personal information held by DirectMoney, as required by APP 11. The first recommendation related to the need for DirectMoney to develop a data breach response plan. The second recommendation related to DirectMoney reviewing its security measures for information held on its ICT systems.
The DVS and its interaction with the Privacy Act 1988
The DVS is an online system that allows Australian and New Zealand entities to take information from an Australian identity document presented by an individual, with their consent, and compare it against the original record of the document held by the Government Agency that issued the document.
To use the DVS, businesses must meet eligibility criteria contained in the DVS access policy and guidelines, abide by the DVS terms and conditions of use (DVS Conditions) and enter into an agreement with one or more gateway service providers before applying to the Attorney General’s Department to become a business user.
Importantly, the DVS access policy and guidelines state that all organisations that become business users of the DVS are subject to the Privacy Act 1988 (Cth) (the Privacy Act) or the Privacy Act 1993 (New Zealand). As the national regulator of the Privacy Act, the OAIC provides policy advice and undertakes assessments of privacy issues relating to the DVS.
On 31 March 2015, DVS access was expanded to allow businesses with a reasonable need to use a Commonwealth identifier to verify a client’s identity to access the DVS. These expanded DVS access arrangements saw a significant increase in the use of the DVS, and a corresponding increase in the sharing of personal information. Therefore, in selecting a specific DVS assessment target, the OAIC considered these expanded access arrangements to identify an entity that would not previously have used the DVS.
A significant reason for the increased DVS usage has been the uptake of the DVS by the banking and financial industry, whose members are legislatively required to verify the identity of their clients under the AML-CTF Act. Selecting DirectMoney as the assessment target provided an opportunity for the OAIC to work collaboratively with a growing sector inside this industry to ensure privacy safeguards are incorporated into the practices, procedures and systems of this sector as it commences using the DVS.
APP 3 — Collection of solicited personal information
Entities that collect personal information need to carefully consider what personal information they will collect. Under APP 3, for solicited personal information (other than sensitive information), an organisation may only collect this information where it is reasonably necessary for the organisation’s functions or activities.
When considering whether collection of personal information is reasonably necessary under APP 3, the OAIC considers what information is collected against the organisation’s functions and activities. As a supplier of unsecured personal loans, DirectMoney collects DVS-related personal information for the purpose of verifying a loan applicant’s identity prior to providing credit services to an individual. An individual’s personal information is collected electronically and is used by DirectMoney officers when performing a DVS request.
The OAIC considers the collection of personal information from identity documents to be reasonably necessary for identity verification purposes and directly related to DirectMoney’s functions and activities as a financial lending organisation. DirectMoney’s collection of DVS-related personal information is further supported by the requirement to verify a customer’s identity under the AML-CTF Act.
Under APP 3, an organisation may collect sensitive information where the individual consents to the collection and the information is reasonably necessary for one or more of the organisation’s functions or activities. The OAIC notes that DirectMoney may collect sensitive information (i.e. the applicant’s nationality) when a copy of an applicant’s passport is provided for identity verification purposes. However, the collection of an applicant’s passport details is consented to by applicants to support their loan application.
APP 5 — Notification of the collection of personal information
Under APP 5 an APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. These include:
- the APP entity’s identity and contact details
- the fact and circumstances of collection
- whether the collection is required or authorised by law
- the purposes of collection
- the consequences if personal information is not collected
- the entity’s usual disclosures of personal information
- whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
DirectMoney provides notification of the collection of DVS-related personal information through its electronic loan application form. This notification is in the form of a privacy notice that must be agreed to immediately before an application can be submitted. The OAIC did not identify any privacy risks relating to DirectMoney’s notification of the collection of DVS-related personal information, and considers DirectMoney’s privacy notice to contain the matters required for a notice under APP 5.2.
APP 5 and DVS Conditions
In addition to the requirements of APP 5, clause 18 of the DVS Conditions requires an individual to be notified about specific matters regarding the information they submit. This includes that the information will be subject to a match request and may involve use of third party systems and services. Individuals must also provide their express consent to use of their personal information in the DVS.
The OAIC considered the interaction between the APPs and the DVS Conditions. A particular concern was to ensure that compliance or non-compliance with one did not affect compliance with the other. Ultimately, the OAIC concluded that DirectMoney’s notice satisfied the requirements of APP 5.2 and the DVS Conditions.
However, the OAIC suggested that as best practice, privacy notices should expressly reference the potential use of the DVS for the purposes of identity verification, or alternatively include further information on the DVS process. This will help ensure there is no ambiguity as to how DirectMoney meets the DVS Conditions, and will provide greater clarity to individuals about how their personal information is handled.
APP 11 — Security of personal information
Under APP 11, an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. In undertaking this assessment, the OAIC considered the steps taken by DirectMoney against those outlined in the OAIC’s Guide to securing personal information.
The OAIC notes that DirectMoney has taken a number of steps to ensure the security of the personal information that it holds, including a number of policies that govern the security of personal information. However, DirectMoney did not have a documented data breach response plan. As such, the OAIC recommended that DirectMoney implement a data breach response plan, or adapt existing policies, to deal with data breaches, and ensure that contracted service providers also comply with the plan. The OAIC’s Guide to handling personal information security breaches may assist entities when drafting a data breach response plan.
The OAIC was advised that DirectMoney, which conducts its business through web-based technology, does not generate or store hardcopies of documents containing DVS-related information. The key security considerations for the OAIC related to DirectMoney’s computer hardware and electronic access to DirectMoney’s systems. As such, the OAIC recommended that DirectMoney undertake a review of its ICT systems and business processes to proactively address any potential security risks and threats.
The OAIC recommends that DirectMoney implement a data breach response plan, or adapt existing policies, to deal with data breaches.
The OAIC recommends that DirectMoney review its ICT systems and business processes to proactively address any security risks and threats.
The OAIC acknowledges the practices, procedures and systems that DirectMoney has in place to safeguard the personal information that DirectMoney handles through the DVS process. The OAIC also notes DirectMoney’s cooperative and responsive approach towards the assessment and findings, including the development of a plan of action to address the risks identified in the recommendations.
The expanded access arrangements for the DVS present opportunities for businesses that have a reasonable need to verify the identity of their customers. The OAIC encourages entities that use the DVS, or plan to use the DVS, to review their personal information handling practices, procedures and systems. This will assist entities as they seek to meet their obligations under the APPs, and also those under the DVS Conditions.