Privacy and ID scanning
The Privacy Act 1988 (Cwlth) requires liquor licensees to protect personal information recorded by networked identification (ID) scanners.
If your regulated premises has a turnover of $3 million or less in a financial year, you must opt in to be covered by the Privacy Act. Licensees with a higher turnover are automatically required to comply with the Privacy Act.
Read Guideline 64—Privacy obligations for establishing and operating identification scanning systems for more information.
How to opt in to the Privacy Act
Complete the opt-in application form and return it to the Office of the Australian Information Commissioner (OAIC) by post or email. Opting in is free.
Your business trading name and ABN will be placed on the public opt-in register.
Complying with Australian Privacy Principles (APPs)
As a licensee of a regulated premises for networked ID scanning, you must comply with the Australian Privacy Principles (APPs) as set out in the Privacy Act. APPs cover the collection, use, disclosure and storage of personal information.
You must take steps to protect any personal information you hold from misuse, interference, loss, unauthorised access, modification and disclosure.
The OAIC's Privacy Management Framework can help you implement practices, procedures and systems that ensure compliance with the APPs. Always refer to the OAIC's APPs and the Privacy Act to fully comply with your privacy requirements.
Privacy policy
You must develop a privacy policy and make it publicly available. Use this example privacy policy to help draft your own.
The OAIC's Guide to developing an APP privacy policy also provides useful tips for drafting your privacy management policy.
Privacy management plan
You must have an internal procedure or a privacy management plan, which explains how your venue handles privacy.
It must include information about how you:
- protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure
- handle privacy complaints.
You can customise this example privacy management plan for your premises.
Important APPs
The APPs summarised below are particularly relevant to regulated premises using ID scanners, but licensees need to comply with all APPs.
You must manage personal information in an open and transparent way.
You must detail how you do this in your privacy policy.
Before scanning a patron's ID, you must notify them that your networked ID scanning system collects personal information.
You can do this by displaying an information collection notice at each public entrance to your premises.
You can base yours off this example information collection notice.
You must take reasonable steps to ensure the personal information you collect is accurate, up to date and complete.
Patrons have the right to access their personal information held by an approved operator. Some exceptions apply, such as if access might interfere with criminal matters or other breaches of the law.
Patrons can request their personal information be corrected. They need to provide satisfactory proof or explanation as to why the information needs to be corrected.
Using personal information for marketing and other reasons
You must only use personal information for the main reason it's collected, which is for identifying banned patrons.
In other limited circumstances, you can use or disclose personal information about a patron for direct marketing.
You must notify patrons of any intention to use their personal information for reasons other than identifying banned patrons. You must also let them know how they can request not to receive direct marketing communications. You can do this by displaying notices at all entries to the premises.
Read sections 7.2 and 7.3 of the APPs for more information about the use and disclosure of personal information for direct marketing.
Accepting value-added services
Approved operators may offer value-added services (i.e. extra features in addition to their standard product or service) to improve the capability of their networked ID scanners.
Before you sign up for value-added services, consider your obligations under the Privacy Act and whether the service complies with the APPs, particularly in relation to the use of personal information for other purposes.
Managing access to personal information
Access to scanned data (including personal information) must be restricted to a limited number of people, such as venue management.
Access is auditable—the networked ID scanning system retains a record of everyone who logs in.
The networked ID scanning system automatically deletes scanned personal information after 30 days.
Some best-practice measures you can take to manage access include:
- not having a group password
- training staff in their privacy obligations
- keeping the networked ID scanning equipment secure by locking offices and ensuring the equipment is constantly supervised.
You must give the Queensland Police Service and Office of Liquor and Gaming Regulation (OLGR) access to patrons' personal information from your ID scanner, when requested.
OLGR also accesses scanned data for statistical purposes and to evaluate the success of the ID scanner scheme. This data is generally de-identified (i.e. it doesn't include personal information).
Staff training resources
Use these information notes and the presentation about ID scanning privacy obligations to teach your staff about their privacy obligations when scanning patrons' ID. They're based on the APPs and are designed to be adapted for individual premises.
Privacy complaints
You must tell patrons how they can make a privacy complaint.
You must include this information in your information collection notice and display it at or near all public entrances to your premises.
You must also include your privacy complaint process in your privacy policy.
How patrons can make privacy complaints
Complaints must be in writing. They must be lodged directly with your premises or the approved operator.
How licensees must deal with privacy complaints
You must:
- accept and review any written privacy complaints
- notify OLGR that you've received a written privacy complaint within 14 days of receiving it—you can do this by logging in to the OLGR client portal and selecting the privacy complaint form
- respond to the complainant within 30 days—if they're not happy with the outcome, give them details about how to lodge a complaint with the OAIC.
If a patron isn't happy with the outcome
If you don't respond within 30 days or the person isn't satisfied with your response, they can lodge a complaint directly with OAIC.
The OAIC investigates privacy complaints from individuals about private-sector organisations covered by the Privacy Act.
The OAIC accepts privacy complaints in writing through their online privacy complaint form, which can be submitted by post or email.
Also consider...
- Download and display the Scan in for a safe night out LCD screen graphic on your screens.
- Print and display the Scan in for a safe night out poster.
- Read the Liquor Act 1992.