What is ID scanning?
Identification scanning is where a business takes an electronic copy of proof of identity documents, such as a driver’s licence.
Does the Privacy Act allow ID scanning?
The Privacy Act 1988 allows entities it covers to collect identity information, including through ID scanning, if the handling of that information complies with the Australian Privacy Principles. To find out more about the Australian Privacy Principles and what they mean for your business, read our Quick reference tool.
State privacy laws may cover ID scanning in other situations, such as when a state public sector agency, local council or university scan an individual’s ID.
When can you scan a customer’s ID?
You can only scan a customer’s ID if it is reasonably necessary for one of your functions or activities. Generally, if the customer’s ID includes sensitive information, for example, because their driver’s licence records organ donation or the photo of the person shows their racial origins or their religious beliefs, you can only scan the ID if it is reasonably necessary for one of your functions or activities and the individual consents.
Consent needs to be free and informed. Make sure your customers clearly understand that their sensitive information is being collected and what it will be used for before seeking their consent.
To help ensure you only scan a customer’s ID when it reasonably necessary for one of your functions or activities, ask yourself:
- Is it lawful and practicable for me to transact with an individual without identifying the individual?
- If not, what function or activity of my business is the identity information reasonably necessary for?
- Are there other ways I could achieve the same result without collecting the personal information, for example, by sighting the ID instead of scanning it?
In some limited cases, you may also be required or authorised by law to scan a customer’s ID. For example, if you are a pub or club, liquor licensing and anti-money laundering laws may require you to verify an individual’s identity before you can provide them with information or a service.
When should you sight a customer’s ID instead of scanning it?
Collecting unnecessary personal information is a breach of the Privacy Act. You should not scan or copy a customer’s ID, if sighting it would be sufficient for the purpose you require it for.
To help ensure you only collect identity information when required, ask yourself:
- Could I explain to a customer why sighting their ID is insufficient?
- If a complaint was made to the Privacy Commissioner, would I be able to explain why I did not merely sight an ID without scanning it?
- what scanned and other personal information you collect
- why you collect the information and the purposes for which you collect, hold, use and disclose the information
- how you collect information, including how the scanning technologies you use work
- how you hold the information, including any IT security measures you use to protect the electronically stored information, and how long the information is kept for
- how individuals can access their access their personal information and seek correction of it
- how the information will be destroyed or de-identified
Do you have to notify a customer before you scan their ID?
When you collect personal information about an individual, you must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. This means you should notify a customer of certain information before you scan their ID. This includes:
- your identity and contact details
- the purpose for which you are scanning their ID,
- whether you are required or authorised by law to scan their ID
- the consequences, if any, if they don’t allow their ID to be scanned
You should make this information easily available for customers to see and read.
Scanning should not be done without the customer’s knowledge or in a manner not visible to them. Businesses have an obligation to collect personal information by lawful and fair means.
For more information on your obligations to provide notice, see the APP guidelines: Chapter 5 — Notification of the collection of personal information.
Does the Privacy Act require you to provide customers the option of anonymity and pseudonymity?
Generally, an individual should have the option of dealing anonymously or by pseudonym with an APP entity. However, you may not have to provide this option, if a law requires you to identify an individual or where it would impracticable for you to deal with an individual who has not been identified. For example, some liquor licensing and anti-money laundering laws require you to know your customer, though such laws may only require that information be sighted, not copied and retained.
To help ensure you deal with an individual anonymously or by pseudonym where possible, ask yourself:
- Is it lawful and practicable for me to transact with an individual without identifying the individual?
Can you scan all the information on a customer’s ID?
You can only collect the information from a customer’s ID that is reasonably necessary for one or more of your functions or activities. This function or activity should be the purpose for which you have notified the customer that you are scanning their ID.
You should consider each item of information on a customer’s ID and determine whether it is needed for that purpose.
You are not allowed to collect more information than is necessary because it is convenient to do so. You are also not allowed to collect information because you think it may be useful in the future.
To help ensure you only collect the personal information you need, ask yourself:
- Which bits of personal information do I actually need?
- How can I operate my scanning technologies to avoid scanning more information than I need?
Are there any restrictions on how you can use government related identifiers?
Australian and State and Territory Government documents usually have a unique number, which is known as a government related identifier. Examples include a driver’s licence number, a Centrelink Reference number, a Medicare number and a Passport number.
The Privacy Act only allows you to adopt, use or disclose government related identifiers in certain circumstances. One circumstance where you may be permitted to use or disclose a government related identifier of an individual is where the use or disclosure is reasonably necessary for you to verify the identity of the individual for the purposes of one of your activities or functions.
What obligations do you have once you’ve scanned a customer’s ID?
If you are covered by the Privacy Act, you must have robust security measures in place to protect the information you scan. You must take reasonable steps to protect the ID information you scan from misuse, interference and loss and from unauthorised access, modification or disclosure. You must also take reasonable steps to destroy or de-identify that information once it is no longer needed for any purpose for which it was collected.
You should have a security policy that establishes:
- How electronic identity information will be securely stored
- Strict timeframes for keeping the identity information
- How the information will be securely destroyed or de-identified from all electronic and hardcopy records, including back up processes, when it is no longer needed
- How staff will be trained to keep personal information secure
- Limitations on who and how the information can be accessed, including limitations on staff access and physical measures, such as locked offices
The OAIC’s Guide to securing personal information provides other steps and strategies you should consider taking to protect personal information, including undertaking a privacy impact assessment and an information security risk assessment. It also emphasises the importance of regularly reviewing your information security controls.
Do I have restrictions on how you can use the ID information you scan?
If you're covered by the Privacy Act, you can only use the information from a customer’s ID in circumstances permitted by the Privacy Act.
You can only use personal information for the primary purpose for which you collected it, unless an exception applies. The primary purpose should be narrow and specifically defined.
For more information on your use and disclosure obligations, see the APP guidelines: Chapter 6 — Notification of the collection of personal information.
You can only use or disclose the personal information you scan for direct marketing if certain conditions are met. Importantly, you must provide a simple ‘opt out’ measure by which an individual can request not to receive direct marketing communications.
For more information on your obligations relating to direct marketing, see the APP guidelines: Chapter 7 — Direct Marketing.
Can customers access, correct or complain about their scanned ID information?
If you are covered by the Privacy Act, you must have procedures in place that allow customers to request access to, and correction of, their personal information. You should also have procedures for identifying and responding to privacy breaches and receiving and responding to complaints and enquiries.
Ensure you have staff responsible for privacy, including a key privacy officer, who can handled internal and external privacy enquiries, complaints and access and correction requests.
What happens when scanning is done by a contractor?
You may contract out the scanning of your customers’ identity documents, for example, if you are licenced premises that contracts to a security firm.
If the contractor is an organisation covered by the Privacy Act, then it will have the same obligations described above.
If the contractor is not ordinarily covered by the Privacy Act, such as where it has a turnover of $3 million or less and is therefore a small business under the Privacy Act, it may still be covered because of exemption in the Privacy Act. Our advice for small business includes a checklist that will help small businesses determine whether they are covered by the Privacy Act more generally.
To ensure certainty, if the contractor is not covered by the Privacy Act, you should consider encouraging the contractor to opt in to being covered by the Privacy Act. One way of doing this would be to make opting in a condition of the contract.
Do you need to train your staff about ID scanning?
It is imperative you train your staff, including short term staff, service providers and contractors, to understand their privacy obligations when scanning a customer’s ID. Your customers will feel more comfortable giving you their information, if your staff can clearly explain why it is being collected and what will be done with it.
All staff that handle personal information should be privacy trained and able to:
- understand how important it is to keep personal information secure
- answer a customer’s question about why your business is collecting identity information
- explain to a customer how your business keeps their information secure and why
Remember, good privacy practices are good for business. Having a staff that is well trained to protect privacy and avoid privacy risks will promote trust and confidence in your business.
What is biometric information scanning?
Biometric information scanning is where a business uses technology to take an electronic copy of an individual’s biometric information, such as their face, fingerprints, palm, iris, voice or signature.
How does the Privacy Act apply to biometric information scanning?
Biometric information that is used for the purpose of automated biometric verification or biometric identification is considered sensitive information under the Privacy Act. Examples of biometric information include features of an individual’s face, fingerprints, palm, iris, voice or signature.
Sensitive information attracts a higher level of protection under the Privacy Act. This means you have additional obligations when you scan and handle a customer’s biometric information.
Are there are any other resources that will help you comply with the APPs when handling identity information?
The OAIC has a range of resources to help you, including: