Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
A man complained to us last year after staff took a copy of his driver’s licence as he checked in to a hotel. The complainant was surprised that staff copied his licence and they couldn’t tell him why they needed the copy or how long they would keep it for.
Hotels and other agencies often ask for ID and take a copy. But is it okay to do this under the Privacy Act?
Principle 1 of the Privacy Act says you can only collect information if you need it for a lawful purpose. Your agency needs to ask itself this question for any information you collect from your customers, including their identification.
Unique identifiers (such as licence or passport numbers) also come with special rules. Principle 12(4) of the Act says you can’t require an individual to give you their unique identifier, such as a driver’s licence number, outside of the purposes in connection with which it was assigned or a directly related purpose.
If your agency needs to confirm that someone is who they say they are, then it’s probably reasonable to ask to see their identification, even if your business is not connected to the original purpose for assigning the identification (i.e. if you are not the agency that issued the identification, or a related agency, such as NZTA and Police with regard to driver licences).
But is it necessary to take a copy? We thought about this in a previous complaint in 2010 between a woman and her mobile phone company. In that case we agreed it was important for the agency to properly identify its customers, but we considered that sighting a customer's identification fulfilled this purpose. We did not accept that it was necessary for the agency to also record the driver licence number or to take a photocopy.
If your agency decides it legitimately needs to take copies of customers’ identification, and it isn’t enough to simply sight it, the next question is how long you need to keep them. Your agency has obligations under principle 9 of the Act to keep personal information you collect for only as long as you have a lawful purpose to do so.
When agencies decide to store copies of identity information, they will need to keep it secure. Principle 5 of the Privacy Act says you must use reasonable security safeguards to protect against lose, unauthorised access, use, disclosure of misuse of the personal information.
The risk of harm if information is misused is particularly high with identity information. They can be used in fraud with extremely serious consequences, such as identity theft. Identity information cannot easily be changed or re-secured, unlike credit cards.
In many cases, you’ll only need to keep copies of identification for a very short time, especially if your agency has a short relationship with your customer. In addition, if you need to retain identity information, you should consider if it is possible to obfuscate or delete the unique identifier (such as driver’s license or passport number). This may aid compliance with principle 12 of the Privacy Act. It is also a step to take to mitigate the risk of misuse if identity information is lost or stolen.
There may be other laws which require certain classes of agencies to retain certain information for a set period of time. For example, the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 requires financial institutions to keep identity and verification information for a period of at least five years after the end of that business relationship.
Whatever your identification practices, you need to be able to explain them to your customers. Principle 3 of the Act says when your agency collects personal information, you have obligations to let the person know a number of things, including the reason for collecting the personal information and what will happen to it.
To meet your obligations under principle 3, your frontline staff need to tell customers what they are doing with their identification when they hand it over. They should also be able to answer why they need it, whether they are taking a copy and how long your agency will keep it for.
If you need help training your staff on privacy, we have plenty of free resources you can use. Our Privacy ABC online module provides a quick overview of how to protect privacy when handling personal information. It can be done in 30 minutes.
All our online e-learning modules are available here.
So, in summary, when asking for a person’s identification document, ask yourself:
Image credit: New Zealand passport via Wikimedia Commons
Back