Almost everyone has been on the receiving end of a request to provide photo identification (most commonly a drivers’ licence or a passport) when applying for a bank account, or purchasing a new mobile phone, or some similar account-based transaction. The person making the request typically either writes down the details of the document or photocopies it. But there is one piece of information that should not be captured unless there is a legitimate reason to – the unique identifier.
Principle 12 of the Privacy Act 1993 defines clear rules around the use of unique identifiers, point (4) states: “An agency shall not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or for a purpose that is directly related to one of those purposes.”
For the sake of discussion, let’s consider two different scenarios involving the request to provide a drivers’ licence and consider the caveat of “…the purpose with which that unique identifier was assigned…”.
The New Zealand Transport Authority (NZTA) issues individuals with a drivers’ licence to meet the agency’s rules and regulations under the Land Transport Act 1998 – which revolve around ensuring that drivers are licenced, and licence holders can use a motor vehicle for specified activities.
Scenario 1 – If you are driving a motor vehicle and caught speeding a New Zealand Police Officer might pull you over, request your driver’s licence and record the unique identifier to issue you with a fine. In this scenario the disclosure and use of the unique identifier is clearly for one of the purposes in connection with which it was assigned, as the New Zealand Police enforces the rules defined in the Land Transport Act 1998.
Scenario 2 – a sales assistant for mobile phone retailer requests that you provide photo identification to open a pre-paid account. You present your drivers’ licence and the sales assistant records the details of the licence (or more likely photocopies your licence) including the unique identifier. In this scenario the disclosure and use of the unique identifier has no connection and/or relationship to the Land Transport Act 1998 and the mobile phone retailer has in fact breached the Privacy Act.
This just one example of a breach of Principle 12 but I can imagine many more, where various individuals and organisations that collect personal information are collecting, recording and using unique identifiers issued by another party without a lawful reason to do so. It’s most likely these agencies don’t understand their responsibilities under the Privacy Act, and it shouldn’t be up to the individual to tell them.
So next time this happens to you, try ask the agency what purpose they are collecting the unique identifier for – they might learn a thing or two.