Guideline 64: Privacy obligations for establishing and operating identification scanning systems
Liquor Act 1992 – sections 173EF, 173EG, 173EJ & 173EM
This guideline applies to:
- regulated premises within a safe night precinct (SNP)
- other licensed venues, if the Commissioner for Liquor and Gaming considers it appropriate to declare the premises as regulated premises
and - approved operators of ID scanning systems under section 173EQ of the Liquor Act 1992 (Liquor Act).
Who must comply with ID scanning privacy legislation
Privacy Act 1988 (Cwlth)
In accordance with the Liquor Act, licensees of regulated premises and approved operators of ID scanning systems must comply with the privacy requirements of the Privacy Act 1988 (Cwlth) (Privacy Act).
This includes licensees and approved operators who:
- are not deemed as 'organisations' under the Privacy Act (i.e. have a turnover of less than $3,000,000 per year)
and - are required to 'opt-in' to coverage under the Privacy Act.
Australian Privacy Principles
The Australian Privacy Principles (APPs) apply to licensees and approved operators and outline requirements in relation to the collection, use, disclosure and storage of personal information. The APPs also provide that licensees and approved operators must have a process in relation to handling enquiries and complaints related to the operation of ID scanners.
Further details regarding the compliance requirements for organisations under the Privacy Act are available in OAIC's privacy fact sheet.
Complying with privacy legislation
To comply with these requirements, licensees and approved operators must:
- establish an internal procedure document (a 'privacy management plan') regarding the handling of privacy issues by the licensee/approved operator - this includes protecting personal information from any misuse, interference and loss in terms of preventing unauthorised access, modification or disclosure
- have a current 'privacy policy' that is publicly available (free-of-charge and in an appropriate form) that details how the licensee/approved operator manages personal information obtained from ID scanning
- display a 'collection notice' (a summary of the licensee's privacy policy) at or near the entrance to the venue, allowing patrons to view it before producing photo ID
- only operate ID scanners and systems that have been approved by the Office of Liquor and Gaming Regulation (OLGR)
- only use or disclose personal information for the purpose for which it was collected or for a secondary purpose if an exception applies under the provisions of the Privacy Act
- ensure that the licensee reviews any patron's written breach of privacy complaint and notifies OLGR within 14 days of the complaint being made
- provide all staff with privacy training to ensure they can answer questions from the public and understand their obligations regarding protecting private information.
Licensees who collect personal information for purposes other than complying with part 6AA of the Liquor Act should seek OAIC's advice, or independent legal advice.