You may have read recently about some of the real concerns regarding Identity theft. The ABC has published an interesting article discussing the dangers of fraudsters acquiring your Driver’s licence and the difficulty of repairing the damage.
The loss or theft of a major piece of identification, such as those worth more than 30 points in the ‘100 point’ system, is a serious issue. Not just because a fraudster might attempt to use your details in the near future, but because your personal information could be traded and used indefinitely. While you might be able to change your passport or driver’s licence, you cannot change your date of birth or any biometric data.
Generally, we are good at looking after physical versions of our important identity documents – rarely do we lose our passports or licences unless they are stolen. But what about the people or businesses who hold copies of these documents? Do they need to have copies of these documents, and if so, how are they keeping them safe?
As we discuss in our earlier article, businesses which are subject to the Australian Privacy Principles (APPs) have specific requirements regarding, among other things, the security of personal information. Importantly, APP 11 requires that if a business no longer needs the information (and is not required to be kept due to law), the business must take reasonable steps to destroy the information or otherwise de-identify it.
In practice, many businesses appear to keep this information for ‘convenience’ or misunderstand how a person’s personal information may be used and disclosed. Remember, if personal information has been collected on a specific basis (for example, by scanning your ID to verify your age when entering say a pub) then it cannot be used for another purpose without your consent. If that purpose is now redundant or has been fulfilled, the personal information must be destroyed.
If any of these questions has you thinking: “I want to check on the businesses I’ve given my identity documents to”, or “I should check what identity documents my business holds and why”, then its time for a privacy check-up.
Privacy Check-up for your Business or Person – Identity Documents
For the individual:
Who have I given my identity documents to?
For example: did I give my driver’s licence to my bank to open an account?
Did I give my driver’s licence to a rental company for that weekend away?
What about my real estate agent when I applied for a rental property?
If I have given my identity documents to someone… do they still hold a copy of them?
Under APP 12 an individual has the right to request that a business (that is subject to the APPs) provide the person with access to their personal information held by the business.
In effect this means a business must confirm what information they hold about you. You can also request the information be corrected under APP 13.
If yes, should they still have it?
On what basis was your personal information collected? A good place to start is the business’s Privacy Policy, or if they have given you an information collection notice. This then becomes an exercise in comparison – if the business is holding your information but has no legal basis to use it, they cannot continue to hold it.
If a business still holds my personal information but has no legal basis, what can I do?
While the APPs do not state that a person has the right to request the information be deleted, this obligation is implied by APP 11. As such, if after speaking with the business they refuse to remove your information (remembering you can always confirm what they hold about you) and you believe they should, you can complain to the Office of the Australian Information Commissioner.
For a business:
What personal information do we collect?
This question often involves a detailed review of your information collection process.
For example: do you only collect information from a customer when they fill in an application form? Or, do you routinely collect additional information from the customer by asking them to give you more details (for example their preferences for goods and services, or additional contact details).
What do our Privacy Documents say about using personal information?
Your privacy policy for example will need to clearly set out when you collect, use and disclose personal information. Vague statements should be clarified and remember: the APPs require your Privacy Policy is current and up-to-date.
Does our privacy policy and any personal information collection notices (Privacy Documents) mirror our collection practices?
If not, these important legal documents will need an update, or you may need to change your practices.
Do we still have a valid “use” for a person’s personal information, or have we obtained the person’s consent for further use
If not, you will need to delete or de-identify this information. Remember: even de-identifying information can be problematic – if de-identified information is paired with other information and allows a person to be identified, then it still counts as personal information and the rules regarding its use, disclosure and security apply.
Do we have a robust and efficient method of allowing people to access their personal information?
If someone reads this article and contacts you, are you able to give them what they are seeking without investing precious time and resources to accommodate their legitimate request?
Have we reviewed our security methods (both physical, and technological) that protect the personal information we hold?
If you are a business and are not sure about any of these questions, you should seek professional advice. The Hunt & Hunt privacy team are experts and able to give you detailed advice and practical steps to make sure your business is compliant and keeps its information safe.
