How do you collect information from your customers?
Recently the MA ‘Adviceline’ had a query from an organisation which collects customers’ CRM details by scanning their identity document (driver’s licence, passport, etc.).
Hmmm... the question this raised was: how much information can/should you collect for marketing purposes? If you collect personal information by scanning or digitally reading any kind of official document, you will almost certainly collect a unique identifier from that document. Is that OK or is it against the law?
Principle 13 of the Privacy Act 2020 states that an organisation can only use unique identifiers when it is necessary. ... Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations, such as driver's licence numbers, passport numbers, or IRD numbers. But you cannot assign a unique identifier to a person if that unique identifier has already been given to that person by another organisation.
So, we asked our Privacy guru Keith Norris, who referred us to an article on the Privacy Commission website. Here’s what the Privacy Commission says about the subject:
‘Hotels and other agencies often ask for ID and take a copy. But is it okay to do this under the Privacy Act? Unique identifiers (such as licence or passport numbers) also come with special rules. Principle 13 of the Act says you can’t require an individual to give you their unique identifier, such as a driver’s licence number, outside of the purposes in connection with which it was assigned or a directly related purpose.
If your agency needs to confirm that someone is who they say they are, then it’s probably reasonable to ask to see their identification, even if your business is not connected to the original purpose for assigning the identification (i.e., if you are not the agency that issued the identification, or a related agency, such as NZTA and Police with regard to driver licences).
But is it necessary to take a copy? We thought about this in a previous complaint in 2010 between a woman and her mobile phone company. In that case we agreed it was important for the agency to properly identify its customers, but we considered that sighting a customer's identification fulfilled this purpose. We did not accept that it was necessary for the agency to also record the driver licence number or to take a photocopy.’
So, if you’re currently thinking of digitally collecting personal information, be aware that you cannot store or use another organisation’s unique identifier for that person.