This summary report outlines the key findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Nimble Australia Pty Ltd’s (Nimble) handling of personal information as a business user of the Document Verification Service (DVS).
Nimble is an organisation that offers unsecured personal loans to individuals via online applications, and holds an Australian Credit Licence number 386010 issued by the Australian Securities and Investments Commission. Nimble uses the DVS to assist in meeting its obligation to verify the identity of its customers under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML-CTF Act), which is a requirement for all licensed lenders.
The OAIC examined how Nimble handles personal information as part of its DVS processes. Specifically, whether Nimble collects personal information in accordance with Australian Privacy Principle (APP) 3, notifies individuals as required under APP 5 and appropriately secures and retains personal information in line with APP 11.
The OAIC made one recommendation relating to the need to develop processes to destroy or de-identify personal information held by Nimble, as required by APP 11. Nimble has drafted a data retention policy. However, while noting that the shortest retention period under that policy had not yet lapsed at the time of the assessment, the OAIC did not identify any practices, procedures or systems in place to destroy or de-identify data that has reached the end of its retention period.
The DVS and its interaction with the Privacy Act 1988
The DVS is an online system that allows Australian and New Zealand entities to take information from an Australian identity document presented by an individual, with their consent, and compare it against the original record of the document held by the Government Agency that issued the document.
To use the DVS, businesses must meet eligibility criteria contained in the DVS access policy and guidelines, abide by the DVS terms and conditions of use (DVS Conditions) and enter into an agreement with one or more gateway service providers before applying to the Attorney General’s Department to become a business user.
Importantly, the DVS access policy and guidelines state that all organisations that become business users of the DVS are subject to the Privacy Act 1988 (Cth) (the Privacy Act) or the Privacy Act 1993 (New Zealand). As the national regulator of the Privacy Act, the OAIC provides policy advice and undertakes assessments of privacy issues relating to the DVS.
On 31 March 2015, DVS access was expanded to allow businesses, with a reasonable need to use a Commonwealth identifier to verify a client’s identity, to access the DVS. These expanded DVS access arrangements saw a significant increase in the use of the DVS, and subsequent sharing of personal information. Therefore, in selecting a specific DVS assessment target, the OAIC considered these expanded access arrangements to identify an entity that would not previously have used the DVS.
A significant reason for the increased DVS usage has been the uptake of the DVS by the banking and financial industry, whose members are legislatively required to verify the identity of their clients under the AML-CTF Act. Selecting Nimble as the assessment target provided an opportunity for the OAIC to work collaboratively with a growing sector inside this industry to ensure privacy safeguards are incorporated into the practices, procedures and systems of this sector as it commences using the DVS.
APP 3 — Collection of solicited personal information
Entities that collect personal information need to carefully consider what personal information they will collect. Under APP 3, for solicited personal information (other than sensitive information), an organisation may only collect this information where it is reasonably necessary for the organisation’s functions or activities.
When considering whether collection of personal information is reasonably necessary under APP 3, the OAIC considers what information is collected against the organisation’s functions and activities. As a supplier of unsecured personal loans, Nimble collects DVS-related personal information for the purpose of verifying a loan applicant’s identity prior to providing credit services to an individual. An individual’s personal information is collected electronically and is transmitted via Nimble’s internal systems to the DVS. Nimble does not collect sensitive information for use in the DVS.
The OAIC considers the collection of personal information from identity documents to be reasonably necessary for identity verification purposes and directly related to Nimble’s functions and activities as a financial lending organisation. Nimble’s collection of DVS-related personal information is further supported by the requirement to verify a customer’s identity under the AML-CTF Act.
APP 5 — Notification of the collection of personal information
Under APP 5 an APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. These include:
- the APP entity’s identity and contact details
- the fact and circumstances of collection
- whether the collection is required or authorised by law
- the purposes of collection
- the consequences if personal information is not collected
- the entity’s usual disclosures of personal information
- whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
Nimble provides notification of the collection of DVS-related personal information through its electronic loan application form. This notification is in the form of a privacy notice that must be agreed to by a mandatory check-box. The OAIC did not identify any privacy risks relating to Nimble’s notification of the collection of DVS-related personal information and considers Nimble’s privacy notice to contain the matters required for a notice under APP 5.2.
APP 5 and DVS Conditions
In addition to the requirements of APP 5, clause 18 of the DVS Conditions requires an individual to be notified about specific matters regarding the information they submit. This includes that the information will be subject to a match request and may involve use of third party systems and services. Individuals must also provide their express consent to use of their personal information in the DVS.
The OAIC considered the interaction between the APPs and the DVS Conditions. A particular concern was to ensure that compliance or non-compliance with one did not affect compliance with the other. Ultimately, the OAIC concluded that Nimble’s notice satisfied the requirements of APP 5.2 and the DVS Conditions.
However, the OAIC suggested that as best practice, privacy notices should expressly reference the potential use of the DVS for the purposes of identity verification, or alternatively include further information on the DVS process. This will help ensure there is no ambiguity as to how Nimble meets the DVS Conditions, and will provide greater clarity to individuals about how their personal information is handled.
APP 11 — Security of personal information
Under APP 11, an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. In undertaking this assessment, the OAIC considered the steps taken by Nimble against those outlined in the OAIC’s Guide to securing personal information.
The OAIC notes that Nimble has taken a number of steps to ensure the security of the personal information that it holds. This includes regular staff training, physical and electronic security measures and various quality assurance measures. Nimble also maintains a number of policies that govern the security of personal information, and further IT policies were being developed at the time of the assessment.
As part of the review of Nimble’s documented internal policies, the OAIC considered Nimble’s data breach plan and destruction policy.
The OAIC noted that the generality of the breach reporting policy meant that certain matters that should be considered as part of a response to a data breach may not be captured in the policy. As such, the OAIC suggested that Nimble review its policy against the OAIC’s Guide to handling personal information security breaches to provide further specific guidance regarding the action to be taken in the event of a data breach.
The OAIC was also advised that, whilst a Data Retention and Security Policy is in place at Nimble, there is currently no established process to destroy information held on Nimble’s database. This was attributed to the fact that the minimum retention period of seven years under the Data Retention and Security Policy has not yet been reached. The OAIC therefore made one recommendation for Nimble regarding the establishment of destruction processes.
Destruction or de-identification of personal information
The OAIC recommends that Nimble establish appropriate practices, procedures and systems to destroy or de-identify personal information held by Nimble when that information is no longer needed in accordance with the data retention policy.
The OAIC acknowledges the practices, procedures and systems that Nimble has in place to safeguard the personal information that Nimble handles through the DVS process. The OAIC also notes Nimble’s cooperative and responsive approach towards the assessment and findings, including the development of a plan of action to address the risk identified in the recommendation.
The expanded access arrangements for the DVS present opportunities for businesses that have a reasonable need to verify the identity of their customers. The OAIC encourages entities that use the DVS, or plan to use the DVS, to review their personal information handling practices, procedures and systems. This will assist entities as they seek to meet their obligations under the APPs, and also those under the DVS Conditions.