RSL scan drivers license
You know that RSL club that I suspected of putting me at risk of identity theft when they scanned my drivers license? Well, they’ve emailed me back again with a bit more information – now I’m really worried!
What information did they collect?
One of my questions was, had they actually taken a copy of my whole drivers license, or simply extracted the pieces of information that they needed (name, address, signature)?
The reply confirmed my worst fears – “inserting the license in the terminal scans an image of the actual license”! How hard would it be for someone with access to that image to create a copy of my drivers license? They could then rack up points on my license by speeding, or worse – by not parking rear-to-curb in a rear-to-curb-only parking spot!
Or, they could modify the image to change the postal address to their neighbour’s, then create a fake license from the modified image, use that as ID to open a credit card account in my name, get the card posted to the address on the ID (their neighbours house), and steal the license from the neighbours letter box in a few days time. Too easy!
Lets recap the facts:
1. The club is required under the Registered Clubs Act 1976 to collect my name, address and signature.
2. The club is required under National Privacy Principle 1.1 to only collect from me information that is necessary for one of their functions or activities.
The club said in their previous email (see ‘Privacy compliance – response from the RSL club’) that they’ve been advised that “…if Legislation requires something to be disclosed then it overrides privacy legislation…” – implying that this is what happened in my case. But I don’t think the laws conflict in this case. I think that the method the club has chosen to meet the first obligation (scanning my drivers license) has put them in breach of the second. But, if they’d chosen a different method of meeting the first obligation (such as the manual sign-in method) then they could easily meet both obligations.
Their privacy policy
I also asked the club to send me a copy of their privacy policy, and they sent that through. The privacy policy says that “Scanning of licenses is optional, use of manual sign-in via the terminals is available for patrons once the form of identification has been sighted by a authorized officer of the club”, but as I mentioned before – I wasn’t told that it was optional! Should it be up to me – the visitor to the club – to question each step along the way to ask if it is mandatory? Or should it be up to the club to tell the visitor which steps are required in order to enter the club, and which steps are optional?
The section entitled ‘sensitive information’ states that the organisation “…only collects sensitive information i.e. health data to provide a service to our members. Sensitive information is only gathered with the personal approval of our members”. I was not a member. I was a visitor. And I didn’t give my personal approval to them to take my personal information. I think some of the problem here is that they don’t think of a scanned image of my drivers license as being ‘sensitive information’. But I certainly do!
The end of that channel of communication
The email then said that they would rather deal with the matter through the Privacy Commissioner, since I had already contacted them on the matter, and they wanted to “…avoid duplication and potential confusion into the future”. So I guess that means there’s no point emailing them back?
But that reminds me – I haven’t heard from the Privacy Commissioner yet. That was nearly 3 weeks ago I wrote in! I wonder how long I should expect to wait before I hear back?
Comments
One Response to “RSL scan drivers license”
Leave a Reply
-
-
Feed Me
Subscribe to our feedburner RSS today!
-
Subscribe by Email
Get content delivered! -
Recently Written
-
Categories
-
Archives
[…] finally heard back from the Office of the Privacy Commissioner about my complaint against the RSL club (to be fair, it may have been sitting in my PO Box for a while – I don’t […]