Privacy and ID scanning

In addition to the following information, we recommend you read the Commissioner's liquor Guideline 64: Privacy obligations for establishing and operating identification scanning systems.

Opt in to be covered by the Privacy Act 1988 (Cwlth)

The Liquor Act 1992 requires that licensees of regulated premises comply with the Privacy Act 1998 (Cwlth). If you are a licensee who is not already deemed an 'organisation' under the Privacy Act (i.e. you have a turnover of less than $3 million per year), the Liquor Act requires you to 'opt in' to be covered under the Privacy Act.

To do this, you must complete an opt-in application form and return it to the Office of the Australian Information Commissioner (OAIC) by mail, email or fax.

After verification, the trading name of your business and its ABN will be placed on the public opt-in register as required under the Privacy Act. Opting in for coverage under the Privacy Act is free. See the opt-in register for more information about opting in and applying.

Australian Privacy Principles

Licensees of regulated premises must comply with the Australian Privacy Principles (APPs) as set out in the Privacy Act.

APPs relate to the collection, use, disclosure and storage of personal information. Licensees of regulated premises must take steps to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification and disclosure. The following APPs are of particular relevance:

  • APP 1: Open and transparent management of personal information – regulated premises are required to manage personal information in an open and transparent way. Your publicly available Privacy policy should detail how you manage personal information in this manner.
  • APP 5: Notification of the collection of personal information – regulated premises are required to notify patrons that approved ID scanning systems operating at the premises will collect personal information. Do this by displaying a 'collection notice' at each public entrance to the premises.
  • APP 10: Quality of personal information – regulated premises are required to take reasonable steps to ensure that personal information collected is accurate, up to date and complete.
  • APP 12: Access personal information – a person has the right to access personal information held about them by an approved operator. Some exceptions apply, such as if access might interfere with criminal matters, or other breaches of the law.
  • APP 13: Correction of personal information – a person is able to request the personal information held about them be corrected. For personal information to be corrected, satisfactory proof or explanation as to why the information needs to be corrected would be required.

The OAIC's Privacy Management Framework can also assist licensees of regulated premises to implement practices, procedures and systems that ensure compliance with the APPs.

Note: regulated premises should always refer to the OAIC's APPs and the Privacy Act for full details in relation to privacy.

Use of personal information for other purposes (value-added services)

Under the APPs, a licensee of a regulated premises may only use personal information for the primary purpose for which it is collected (i.e. identifying banned patrons), and in other limited circumstances as outlined in section 7.2 of the APPs.

Section 7.2 provides that a regulated premises may use or disclose personal information about a patron for the purpose of direct marketing.

Licensees are required to make patrons aware of their intentions for use of personal information through displaying notices at all entries to the venue and must also make patrons aware of how they can easily request not to receive direct marketing communications (see sections 7.2 and 7.3 of the APPs for further information about opting out).

OLGR is aware that approved operators may offer value-added services to enhance the capability of their approved ID scanner. Before you sign up for value-added services, consider whether the service complies with the APPs and your obligations under the Privacy Act, particularly in relation to the use of personal information for other purposes.

Privacy resources for regulated premises

Use our notes and sample presentation about ID scanning privacy to inform your staff about their privacy obligations when scanning patrons' ID. It is based on the APPs and is designed to be adapted for each regulated premises.

Collection of personal information notice, privacy policy and management plan

Under the Privacy Act, you must notify patrons of ID scanner requirements prior to having their photo ID scanned. You must also display this collection notice at each public entrance to the regulated premises.

Regulated licensees must also have:

  • a publicly available privacy policy that details how the collection of all personal information is managed
  • an internal procedure document (a privacy management plan) which explains how your venue manages privacy. This includes protecting personal information from any misuse, interference, loss, unauthorised access, modification or disclosure – and how to handle complaints.

OLGR has developed samples of these documents that you can customise for your premises:

The OAIC's guide to developing an APP Privacy Policy also provides useful tips when drafting your privacy policy document.

Access to personal information

The approved ID scanning system will automatically delete scanned personal information after 30 days.

Access to scanned data (including personal information) at a regulated premises will be restricted to a limited number of people, such as venue management. This access will be auditable - the approved ID scanning system will retain a record of the login details of all persons who log on to the approved ID scanning system at the premises. Some best-practice measures that you may take to meet your obligations include:

  • limiting staff access to the approved ID scanning equipment
  • not having a group password
  • staff training
  • physical measures to keep approved ID scanning equipment secure, including locking offices and ensuring the equipment is constantly supervised.

You are required to provide access to patron scan data from your approved ID scanner upon request from an enforcement body.

OLGR's access to scanned data is generally limited to de-identified data (data that does not include personal information). This de-identified data will be used by OLGR for statistical purposes and to evaluate the success of the ID scanner scheme.

Privacy complaints

You have an obligation to inform patrons about how they can make a privacy complaint.

Information on how a person can make a complaint must be advertised on the collection notice that is required to be displayed at or near any public entrance to a regulated premises, as well as detailed in the venue's privacy policy.

Steps for patrons wishing to lodge a privacy complaint

  1. Lodge a written complaint directly to the regulated premises/approved operator and allow 30 days for a response.
  2. If a response is not received in this time frame, or if the person is not satisfied with the response, a complaint can then be lodged directly with OAIC. OAIC can investigate privacy complaints from individuals about private-sector organisations covered by the Privacy Act.
  3. Complaints should be made to OAIC in writing by completing the online Privacy complaint form, or by mail, fax or email. Read more about how to make a privacy complaint.

Steps for regulated premises to deal with a privacy complaint

  1. Accept and review written privacy complaints.
  2. Notify OLGR that a written privacy complaint has been received (within 14 days of receiving the complaint). This can be done by logging in to the OLGR Client Portal and selecting the Privacy Complaint form.
  3. Provide a response to the person's privacy complaint within 30 days.
  4. If the person is not happy with the outcome, provide the person with details on how to lodge a complaint with OAIC. Refer the person to the regulated premises' collection notice and privacy policy.

Also consider...