When an organisation or agency takes an electronic copy of a document that proves your identity, such as your driver licence, this is called ID scanning.

If the organisation or agency doing the ID scanning is an organisation or agency that the Privacy Act 1988 covers, then they must comply with the Australian Privacy Principles when collecting your personal information. The Privacy Act covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations.

If the organisation or agency is not covered by the Privacy Act, state or territory privacy laws may cover ID scanning. Such organisations or agencies include state or territory public sector agencies, local councils and universities.

When can your ID be scanned?

An organisation or agency may only scan your identity documents (ID) if it’s reasonably necessary for their business activities. If your ID contains sensitive information you must also consent to the scanning.

In some situations, the law may authorise or require an organisation to scan your ID. For example, liquor licensing or anti-money laundering laws may require an organisation to ask for your ID before they can give you information or supply a service.

What information on your ID can be scanned?

An organisation or agency may only collect information from your ID that is reasonably necessary for one or more of their functions or activities.

For example, an organisation or agency can only scan the government-related identifier (such as a driver licence number, a Centrelink reference number, a Medicare number or a passport number) on your ID if it’s reasonably necessary to prove your identity.

An organisation or agency can’t collect more information than is reasonably necessary because it’s convenient or they think it might be useful in the future. For example, they shouldn’t scan your ID if sighting it would be sufficient.

What you must be told before your ID is scanned

An organisation or agency must take reasonable steps to tell you why they need to scan your ID and what will happen if you don’t consent to them to scanning your ID. This information must be easily available and done in a lawful and fair way. For more information, see Collection of Personal Information.

How is your scanned information protected?

An organisation or agency that the Privacy Act covers must take reasonable steps to protect your scanned information from misuse, interference, loss, unauthorised access, modification and disclosure. The information must also be destroyed or de-identified once it is no longer needed. For more information, see Guide to Securing Personal Information.

You may also want to read the organisation or agency’s privacy policy. It should explain:

  • what information is scanned
  • how the scanned information is kept secure
  • how long the scanned information is kept
  • how the scanned information will be destroyed or de-identified

If you think your scanned information has been mishandled

If you think your scanned information has been mishandled by an organisation or agency covered by the Privacy Act, contact them to lodge a complaint.

If you’re not happy with an organisation or agency’s response, you can lodge a complaint with us.