Information Sheet (Private Sector) 30 - 2010: ID scanning in clubs and pubs
This Information Sheet is for private sector hospitality organisations like clubs and pubs that are covered by the Privacy Act (s 6C) and are:
- collecting personal information using scanning devices, or
- considering using scanning devices.
Clubs and pubs must comply with the National Privacy Principles (NPPs) when handling personal information.
Personal information includes 'identity information' such as a driver's licence, proof of age card, passport or another document that a person may use to prove their identity. It also includes biometric information such as fingerprints, iris scans or photographs.
This Information Sheet gives compliance tips and examples for clubs and pubs when they copy, scan or otherwise collect personal information about their patrons.
For some smaller hotels, bars, clubs and other entertainment venues that are not covered by the Privacy Act, this Information Sheet outlines good privacy practice.
More and more clubs and pubs are using technology to electronically capture identity information about individuals. Collecting identity information in this way raises privacy concerns. There is a balance between using technology for business purposes and protecting individual privacy.
Personal information can be collected using technology by scanning or copying identity documents or capturing biometric information such as fingerprints, iris scans or photographs.
Before collecting information from their patrons, clubs and pubs covered by the Privacy Act should ask themselves:
Is this information necessary for one of my business' functions or activities?
If the answer is no, the information must not be collected. Collecting unnecessary information is a breach of the Privacy Act.
If the collection is necessary, the business must follow the NPPs when handling information.
Generally, under the Privacy Act, businesses must:
- only collect information that is necessary for their functions or activities
- tell people when they collect personal information:
  - why they are collecting information
  - what it will be used for
  - who they will pass the information on to
  - how people can gain access to it
  - any law that means the information has to be collected
  - what the consequences are if the information is not given
  - when they will destroy it
- limit the ways they use or disclose the information
- have robust security measures that protect the information
- be open about the way they handle information they collect, and
- delete the information when it is no longer necessary.
A business must also have an individual's consent before it collects health or other sensitive personal information such as organ donor status. Special rules apply to sensitive information.
Businesses that comply with the NPPs protect their customers' privacy and also lower the risk of privacy complaints being lodged against them.
Individuals may make a complaint to the Privacy Commissioner if they think their personal information has been mishandled. The Privacy Commissioner also has the power to initiate investigations into practices they consider to be of concern.
Why is scanning a privacy issue?
The Australian community has legitimate concerns about the possible misuse of personal information. People are particularly concerned about the scanning of information on driver's licences and other proof of identity documents such as passports or proof of age cards, and when they are asked to provide their fingerprints or other biometrics.
Individuals are also worried that stored personal information could be hacked, stolen or inappropriately accessed or misused, causing harm through financial, credit card or identity fraud. Blogs about ID scanning show that individuals are concerned that they may be contacted outside of the venue by a pub or club employee who has accessed their identity information.
Electronically stored information can be copied, searched, used or disclosed more easily than in paper form and in ways that patrons may not expect. For example:
- creating customer databases
- direct marketing
- matching personal information held by other organisations, which can give a detailed picture of people's day-to-day activities.
The Privacy Commissioner encourages clubs and pubs to look at the following Information Sheets and guidance which give more information about scanning, the NPPs and small business obligations:
- Information Sheet 20 - 2007 Scanning 'Proof of Identity' documents. This Information Sheet has additional information about scanning identity documents and how the NPPs work.
- Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions
- Small Business. This section of our website has information for businesses that may not be sure if they are covered by the Privacy Act.
- Guidelines to the National Privacy Principles. These Guidelines give more detail and examples about handling personal information and the NPPs.
- Frequently Asked Questions - ID scanning.
Here are tips for clubs and pubs on using scanned identity information. They cover staff privacy training, collection, use and disclosure, data quality and storage, sensitive information, consent and meeting NPP obligations.
Generally, under NPP 1, clubs and pubs must:
- only collect information necessary for one of their functions or activities
- collect the information lawfully and fairly
- give individuals particular information about the collection.
Note: If a complaint is made to the Office, a club or pub will need to be able to explain why the collection of the personal information was necessary.
Under NPP 8, patrons have the right to do business with you anonymously - without having to identify themselves - if it is practicable and lawful. This is not always possible. Example: Some licensing laws or laws that prevent money laundering require you to know your customer.
These laws may mean that information only has to be sighted, not scanned, copied or retained. If a complaint is made to the Office, a club or pub will need to be able to explain why it did not just sight a document without scanning it. In investigating complaints about anonymity the Privacy Commissioner will need to be satisfied that the business cannot function without collecting ID information.
Staff privacy training
Use and disclosure
Under NPP 2, a club or pub may only use personal information for the primary purpose for which it is collected, and in other limited circumstances. The primary purpose should be narrow and specifically defined.
NPP 2 also has rules about secondary purposes and the use and disclosure of personal information for direct marketing.
Consent should be informed and freely given. Patrons should have a clear understanding of what information is going to be collected, why, how the information will be used and who the information is usually given to.
Remember: Sensitive information is given a higher level of protection under the Privacy Act.
Generally, seeking consent from your patrons may give you greater confidence about the way you are meeting your obligations under the Privacy Act. Seeking consent is not just good privacy practice, it helps to promote trust between the patron and your club or pub.
Under NPP 4, clubs and pubs must take reasonable steps to protect the personal information they hold. Scanned personal information is vulnerable as the personal information can be used to prove identity in other situations. Example: to open bank accounts, get credit, or prove identity for some government services.
Under NPP 4.2, reasonable steps must be taken to destroy or permanently de-identify personal information when it is no longer needed.
Example: Scanned personal information is collected to ensure the safety and security of a club's premises and patrons. If no incident occurred on the date of collection or is reported soon after, the club will probably not need to keep that personal information after that date.
- what scanned and other personal information the club or pub collects
- how the information is collected using scanning devices
- why the club or pub has collected it
- how the club or pub stores, uses and discloses that personal information
- the IT security measures to protect the electronically stored information
- how long the information is kept for
- how the information is destroyed.
A club or pub can also give these details to individuals when collecting the information.
Many identification documents carry what is known as an 'identifier'. Example: a passport number.
Organisations must not use or disclose identifiers issued by Australian Government agencies, such as Tax File, Medicare or Passport numbers, except in prescribed circumstances.
Scanning and contractors
A club or pub may contract out the scanning of customers' identity documents.
If the contractor is covered by the Privacy Act, then it will have the same privacy obligations as described above. A contractor may also come under coverage because it handles personal information for a benefit, service or advantage.
To make sure personal information is not mishandled, a club or pub could ask the contractor to opt in to coverage, or make opting in a term of the contract.