Privacy matters, even at RSL clubs!
I love a good meat raffle – especially down at the local RSL!
You rock up 5 minutes before the ticket sales close, hand over a 20 and get a wad full of numbers back. Off to the bar for a cheap-as-chips beer before settling in at a table – smug in the knowledge that you’re almost guaranteed to win something!
You know how, if you live within a 5km radius of a club you have to become a member? (Some rule to do with government grants or funding or something…) So they ask you for ID when you go in. Usually you just flash your drivers licence, and fill in a slip with your name, address, the date, sign it and you’re on your way.
Well, the other day I went over for a meat raffle at a certain NSW club (>5km from my home btw). And, instead of asking me to fill in a slip, I was directed to a shiny new machine in the foyer. I must have looked a little unsure of what was expected of me, because the helpful gentleman at the door showed me what to do by taking my drivers licence and inserting it into the machine. Seconds later, my licence was returned, along with a printed slip with my name on it.
I gotta tell you, I was gobsmacked! What just happened? I’m supposed to be a cagey, big brother is everywhere, paranoid sort of person. Yet this doorman was able to scan my drivers licence and liberate me of my personal identity information before I could say ‘privacy compliance’! In my defence, I was quite distracted – thinking of the roast lamb that was sure to be in my clutches soon. Salivating over the thought of the morning fry-up with bacon and those little breakfast sausages from the breakfast pack…
So, I asked the doorman what happened to the information. All he could tell me was that it was stored on a “hard disk”. I left at that point because a) there was no point getting angry with the doorman who was just doing what he was told, and b) if I didn’t hurry I would miss the raffle, and it would all have been for nothing!
While I was waiting for the raffle to begin, I had a look at my drivers licence. It contains:
· My name
· My address
· My date of birth
· My donor status
· My drivers licence number
· My drivers licence type (indicating the type of vehicles I own), and
· A rather unflattering photo that, quite frankly, I’d rather keep to myself.
An hour later I emerged with 2 meat trays and a growing sense of indignation. Did this club not have any idea of their privacy compliance requirements?
They didn’t tell me that I was able to gain access to the information that they are now holding about me (is this a breach of national privacy principle 1.3b?).
They didn’t tell me why they were collecting my personal information (is this a breach of national privacy principle 1.3c?).
They didn’t tell me whether they would pass my personal information on to any other organisations (is this a breach of national privacy principle 1.3d?).
In fact, they didn’t tell me anything much at all!
But the big question I was asking is – why do they need to store my personal details at all?
Surely the only thing they should be concerned with is whether I live inside or outside the 5km radius, which is obvious by looking at my drivers licence. Is there any need for them to scan my drivers licence or store any information about me, as required by National Privacy Principle 1.1?
Then, my paranoia kicked (belatedly) into gear.
If they aren’t aware of their obligations when collecting my personal details, I have to wonder whether they have any idea how to store it securely? Or whether they have thought to restrict access to a select group of people with a need (ha!) to view the information? Can any of their staff members now have a good old laugh at my hideous photo if they so choose to?
But … what can I do?
Well, I’ve written to the venue.
I’ve also written to the Privacy Commissioner. It will be interesting to see if (he? she?) can do anything useful.
So, will just have to see what happens…
Comments
3 Responses to “Privacy matters, even at RSL clubs!”
Being in IT my thoughts immediately went the other way when I was thinking about this stuff. Not so much of who at the club could see it (they already have most of the Mrs’ details as she is a member), but a veritable plethora of others…
Who manufactures these things? Likely they have unrestricted access in some capacity, someone needs to administer the machines.
Who services them? Being PC orientated likely there could be outsourced maintenance. Is there anything stopping a maintenance person swapping HDDs when they are full to populate HO’s datastore?
For all we know, however unlikely, they could be streaming info back to an admin centre over the phone lines.
That’s a very good point!
I know for a fact that many software development teams use live data in their development and test labs.
The best way I know to be sure about the security aspects of the supplier’s processes is to purchase evaluated products.
But is there an evaluated product to meet this organisation’s needs?
[...] Privacy compliance – response from the RSL club May 22 07 Well, I’ve heard back from the RSL club that took a scan of my drivers license (see original post). [...]