When running your business, you may want to ask customers to provide their personal information to you. If you do so, you must meet your privacy obligations when collecting, using, storing or disclosing this information. In this article, we look at what legal responsibilities you may have when asking customers for a copy of their ID documentation or scanning their biometric information.

Are You An APP Entity?

The Australian Privacy Act 1998 (Cth) and the Australian Privacy Principles (APPs) impose certain obligations on any business considered to be an APP entity. Whether or not your business is an APP entity will determine how you collect and handle your customers’ ID documentation.

An APP entity is any entity which:

  • must comply with the APPs; or
  • voluntarily opts to comply and is therefore considered an APP entity.

One of the main factors in determining whether a business needs to comply with the APPs is the value of its annual turnover. If your business’ annual turnover is more than $3 million, you are an APP entity. This applies regardless of whether your business is for-profit or not-for-profit.

If your annual turnover is less than $3 million, you may still be an APP entity if you:

  • are a health service provider;
  • are related to a larger body corporate;
  • exist as a Commonwealth contracted service provider;
  • run a residential tenancy database;
  • operate a credit reporting business; or
  • choose to comply with the APPs voluntarily.

This list does not cover all the exceptions, which may mean you need to comply with the Privacy Act. It can also be difficult to determine whether you fall under one of these exceptions. Accordingly, it is always best to get legal advice on the position of your business under the Privacy Act

How Can an APP Entity Handle ID Documentation?

If you are an APP entity, you will need to handle ID documentation as per your privacy obligations. You are only allowed to scan and copy ID documentation if it is reasonably necessary to a function or activity of your business. To assess this, ask yourself: does the nature of your business call for the need to identify an individual? Note that you are not allowed to scan ID documentation if sighting it would be sufficient. 

Nature of Business

If you run a shop selling fruit, the identity of customers who purchase your fruit is not relevant to the nature of your business as there are no regulations around who can purchase fruit. Your key concern is only whether they have the correct funds to purchase your fruit.

Reasonably Necessary to Business Activities

You may need to collect or copy ID documents if your business provides a service that requires trust between two parties. For example, you may operate a babysitting marketplace platform which allows parents to source babysitters.

Parents naturally want to know that they will be leaving their children with trustworthy babysitters. In order to provide this certainty to parents, you may ask babysitters joining the platform for their identification documents, references and Working with Children Check.

Sighting of ID is Sufficient

If you are running a pub, there are laws which impact to whom you can sell alcohol. These laws mean that you need to verify a customer’s identity to confirm they are who they claim to be and are over 18 years of age. Often, sighting a driver’s licence to check for date of birth and to match the patron’s face to the ID will be sufficient. However, if your pub has been subject to underage patrons using fake IDs, sighting IDs may not be sufficient. Instead, you may need to scan that ID to verify its authenticity.

How Do I Notify My Customers?

As an APP entity, you have an obligation to notify your customers before scanning their ID, detailing:

  • who you are;
  • why you are scanning their ID;
  • whether it is something you are required or authorised to do by law; and
  • the consequences if they refuse to allow you to scan their ID.

An easy way to inform your customers is by covering these details in your privacy policy and making this document easily available. Your privacy policy should also cover how:

  • your scanning works;
  • you store the information, including details of any data security measures;
  • your customers can access and correct their information if required; and
  • your business will destroy or de-identify personal information collected.

You should also detail when, how and why you may disclose customer information to third parties.

What If I Am Not an APP Entity?

ID documentation provides a lot of sensitive information about an individual. So even if you are not an APP entity, think about whether the collecting and handling of ID information is reasonably necessary for your business’ functions or activities. 

Furthermore, have a policy in place detailing the practices set up to protect the personal information you collect. Also ensure you conduct your operations according to the policy. This will build trust with your customers and minimise the risk of losing clients over unprofessional data practices.

Key Takeaways

An APP entity has particular obligations under the Privacy Act when collecting ID documentation. Therefore, it must make sure collection is reasonably necessary to its functions or activities and that it is only scanning ID documentation if sighting is not sufficient. There are many steps an APP entity should take to protect ID information collected, including ensuring it has an up-to-date and comprehensive privacy policy. 

If you need advice on whether your business needs to comply with the Privacy Act, or how to draft a privacy policy, get in touch with LegalVision’s online lawyers on 1300 755 544.

Jacqueline Gibson
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.
Would you like to get in touch with Jacqueline about this topic, or ask us any other question? Please fill out the form below to send Jacqueline a message!