Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

Website logo 275x60

Print | Email this page

Case Note 200062 [2010] NZ PrivCmr 6 : Woman complains about mobile phone company taking a photocopy of her driver's licence

A woman had a contract with a mobile phone company, and required a new mobile phone. She told us that when she went to purchase a new mobile phone the employee of the company took a photocopy of her driver's licence. She had asked why this was required, and was told it was 'for security reasons'. The woman complained to us about what she saw as the unnecessary collection of personal information about her, namely her driver's licence.

We notified the mobile phone company that the complaint raised issues under rules 1, 3 and 12(4) of the Telecommunications Information Privacy Code 2003.

Rule 1 provides that telecommunication information must not be collected by a telecommunications company (such as the mobile phone company) unless it has a lawful purpose, connected with one of its activities, and the information is necessary for that purpose. ‘Telecommunication information' includes any personal information about a subscriber, such as their driver's licence details.

Rule 3 places obligations on a telecommunications company to make sure that when it is collecting information from someone, that person is aware of why the information is being collected, what it will be used for, who it will be shared with, whether the provision of the information is voluntary or compulsory, and how to access that information at a later date.

Rule 12 deals with ‘unique identifiers'. A unique identifier is a sequence of numbers and/or letters which is assigned to an individual by an agency for the purposes of the operations of that agency, and which uniquely identifies that person in relation to that agency. Rule 12 regulates how unique identifiers can be both assigned and used, while protecting an individual's privacy, ensuring data quality, and preventing identity fraud.

Rule 12(4) provides that a telecommunications company must not require an individual to disclose a unique identifier assigned to that individual by another agency, unless the disclosure is one of the purposes in connection with, or directly related to, the purpose that the unique identifier was assigned for in the first place. A driver's licence and a passport contain unique identifiers.

The mobile phone company believed that it needed to ask customers for identification in order to satisfy itself that the person was who they said they were, and guard against identity theft and fraud. However, it told us it was not its policy to take photocopies of driver's licences or other identification, and that the employee had been wrong to do this. It advised us that instead its policy was to require the customer to provide some identification, and record the type and number of identification provided (e.g. driver's licence number).

We told the mobile phone company that we considered that this practice also raised issues under rules 1, 3 and 12(4). We agreed that it was important for an agency to properly identify its customers but we considered that sighting a customer's identification fulfilled this purpose. We did not accept that it was necessary to also record the identification number.

In response the mobile phone company accepted that its current practices fell short of its obligations under the Telecommunications Information Privacy Code. It modified those practices so that a customer's identification is sighted. The customer is asked if they will allow the mobile phone company to record the identification type and number in order to help the mobile phone company protect the customer against identity fraud. It will be made clear to the customer that this information is being requested on a purely voluntary basis, and if the customer does not want to provide the information there will be no negative consequences for them.

We were satisfied that the mobile phone company's new practices complied with the obligations under the Telecommunications Information Privacy Code, by providing it with sufficient means of identifying customers while at the same time allowing customers to retain autonomy over their personal information. The woman was also satisfied, and we closed the file on the basis that the matter had been resolved.

May 2010

Collection of personal information - driver's licence - unique identifiers - Telecommunications Information Privacy Code 2003 - rules 1, 3 and 12

 

Back to top