Drivers Licence Being Recorded for Click and Collect..... I Ain't Having It

dlakers3peat on 04/07/2016 - 11:01
Last edited 04/07/2016 - 22:53 by 1 other user

As I am an avid user of Ozbargain (addicted really) and I have been buying quite a few things lately, mostly click and collect. I have noticed a trend where the company I am picking the items up from are asking for my ID for verification. This I have no problem with.

My problem is, they are writing down my drivers licence without my consent, in no secured way eg. picked something up from Masters and the girl was about to write my drivers licence number on the back of the receipt. I stopped her and told her I do not consent to that. Sighting it was good enough. This also happened at Good Guys where they wrote my licence number in a book. Got the person to scribble out my drivers licence.

I am not a paranoid person but I regard my drivers licence number as a valuable piece of information that if fell into the wrong hands could be used for many things like identity theft or worse.

Any one else noticed this trend? Do you think I am being over cautious?

General Discussion

Related Stores

Masters Home Improvement
Masters Home Improvement

Comments

  • Ryanek on 04/07/2016 - 11:08
    +13

    No you are not being over cautious, I think this is good practice. The less personal information you give the better.

    • cwongtech on 04/07/2016 - 12:36
      +1

      Yep, theres a video on YouTube by lachlanlikesathing where he describes his identity has been stolen, multiple accounts opened with his Medicare and dlicense details modified, causing his credit rating to be tarnished.
      Most likely culprit is franchised telco companies where they write everything down in a folder and store in a drawer somewhere.

      Definitely not being paranoid.
      I'd only allow them to write down the last 4 digits.

      For Telstra deliveries of sim cards, the delivery guy has to sight your proof of identity, and they are given the last 4 digits of your entered proof of identity when ordering the sim card

  • indium on 04/07/2016 - 11:10
    +6

    I've also noticed this at Dan Murphy's and The Good Guys. I'm assuming that in the past they have had people showing their ID, collecting the item and then coming back later claiming they never picked it up. Therefore it is the word of the worker vs. the customer. Possibly employees also may have stolen items pretending that the customer has picked it up. I guess noting down the number is sure proof.

    I think asking for them not to note down the number should be respected though, I myself don't actually mind if they note down my number. Another solution is maybe if they were to only note down the last 4 digits.

    • dlakers3peat on 04/07/2016 - 12:40
      +4

      When i went to sign that i had picked up the items from good guys I could see a page full of people names and drivers licenses. My concern is that anybody could have access to this book and also i am concerned how it is secured etc. On both occasions though the staff did not insist they write diwn the drivers license number.

      • indium on 04/07/2016 - 14:35
        +1

        True, now that I think about the number of people who could access the information I will take more care and will ask that they only record my last 4 digits.

      • inherentchoice on 04/07/2016 - 15:28
        +1

        But I wonder if a paper book is more secure than their computer system. Every year it seems some other big company's computer system gets compromised. Even government agencies.

    • gadget on 04/07/2016 - 13:16
      +2

      Once at TGG the girl at the collections counter wanted to photocopy my license to which of course I refused.

      They don't need to record your l/c number. I'd be happy to have them verify my signature against a credit card.

  • kerfuffle on 04/07/2016 - 12:34
    +1

    This is also standard practice at David Jones.

    Source: Current employee who does a lot of Click and Collects

    • cwongtech on 04/07/2016 - 12:38
      +2

      What happens to the information? Do you guys destroy the info and is it kept in a secure location beforehand?
      Given its DJs it should be fine.
      I personally think its the small franchised stores (like telcos) who pose a greater risk

      • kerfuffle on 04/07/2016 - 13:14
        -1

        No idea, sorry. I only buy things to Click and Collect, not personally do them as part of my job.

  • John on 04/07/2016 - 13:02
    +2

    Not paranoid.. Once I handed my credit card for paypass at Hungry Jacks (over drive thru window). Then this young lad went with my card to the back quickly as he was trying to tell his co worker an order or something. Honest move.. but I warned him not to do that anymore, I do not wish to see my card getting out of my sight. I wasn't using any angry tone or whatever but he didn't take the feedback well and tried to defend himself instead of apologising.. pfftt

    I think its better to be paranoid than to regret. These days, fraud/theft are very quick and takes seconds of distraction for you to fall into the trap.

    • 4892 on 06/07/2016 - 01:54

      It seems hit and miss because some definitely grab the terminal and hold it out for you and some want the card. I'm not sure which they have been trained for but I would assume it's to hold the terminal out if possible (some have a large handle on it). Some of them I just start to hand over my card and they step back, grab the terminal and hold it out, I feel a lot safer doing that.

  • inherentchoice on 04/07/2016 - 13:12
    +2

    The Good Guys are subject to the Australian Privacy Principles and therefore must only collect your personal information if it is "reasonably necessary".

    ‘Reasonable’ and ‘reasonably’ are not defined in the Privacy Act. The terms bear their ordinary meaning, as being based upon or according to reason and capable of sound explanation. What is reasonable is a question of fact in each individual case. It is an objective test that has regard to how a reasonable person, who is properly informed, would be expected to act in the circumstances. What is reasonable can be influenced by current standards and practices. It is the responsibility of an APP entity to be able to justify that its conduct was reasonable.

    Source: https://www.oaic.gov.au/agencies-and-organisations/app-guide…

    You can complain to the company and if you're not satisfied you can then complain to the OAIC.

    But I'm thinking in this day and age of Google and Facebook being like 'Big Brother', a reasonable person who is properly informed would agree that the collection is necessary.

  • resisting the urge on 04/07/2016 - 13:54
    +3

    And to think, all the others in an even more leaky boat:

    Such as party goers and RSL club members handing over their IDs for scanning on entry. Or Aldi mobile and Kogan mobile customers that have happily sent photocopies of their full IDs and supporting personal info to those companies as requested via

    PLAIN TEXT EMAIL

    OVER THE INTERWEBS

    where it is stored in transit by

    ALL OUR BIG BROTHERs AND ALL THEIR DOGs

    People have to know where too much is too much, because arguments about what is reasonable cannot even be had given our current constitution and legal statutes- by those skilled in the art (LAWYERS) or even the Privacy commission (which has no ability to stand up to or for anyone or anything)…

    And then it is collected, distributed and stored on the receiving computer filesystems and databases

    Where it will never be removed in any meaningful way, and where it will be repeatedly duplicated (e.g. backed up every day, accessed by authorised and unauthorised third parties, authorised and unauthorised employees…) duplicated for admin purposes, shared and re-shared again, deliberately and by accident, etc.

    The Internet never forgets anything….

    /end_privacy_rant

  • jimbobaus on 04/07/2016 - 15:26

    Well given how much credit card fraud occurs these daysi can see why they do it.

    Don't like it.. just go store and pay cash
    plain and simple

    they are doing it so if in 5 months or something they get a charge back they have your information to protect their business.

    • cwongtech on 04/07/2016 - 16:47
      +1

      Don't like it.. just go store and pay cash

      You might not be able to take advantage of ebay's 20% off sales if there's only Pay by Paypal and no Cash on Pickup.
      The recording of Drivers License has to do with the Pickup of Click and Collect orders not the payment method.

  • tonka on 04/07/2016 - 20:34

    Yep, Masters refused to accept a item I returned for repair without my Drivers License then got snarky when I said they had no reason to ask for it when I had proof of purchase, they then wandered off with it to photocopy without asking.

    I've been full on abused by a telco reseller when I asked about their privacy and security policies when they photocopied my license and front and back of my credit card without asking.

    With the license though pretty hard to keep control of it, so many use it for ID and all they'd need to do is flash in front of a security camera to copy and you'd never know.

    • resisting the urge on 10/07/2016 - 19:20
      +1

      If they had any care for their customer's privacy they'd record the card number, and not the license number. It changes every time they issue a new license.

      And as for copying/keeping/transmitting a copy, that just opens them up to getting sued for the damages that a customer might encounter when it gets lost and abused.

      BTW: If you have proof of purchase, that is all you need to get it fixed/exchanged/refunded. ID can only be needed if you don't have the receipt to protect them from repeated abuses. If you have the receipt, this is not a risk they need to guard against.

      If an employee treats you like this, just say it is unreasonable and must be incorrect. Ask to speak to a manager if they insist, and if they insist, ask why and note it all down, inc their name and write to Head Office with all the details- they should get it right!

      I know Bunnings do ;-)

    • [Deactivated] on 16/07/2016 - 12:11

      If they copy the back of the credit card, report them to Visa/Mastercard or their bank. Recording the CVV code is a violation of PCI DSS and can result in hefty fines.

      • tonka on 16/07/2016 - 15:28

        Thanks very good to know. The person that insisted on this was a store manager of Strathfield Car Radio that insisted that this was the standard for ID that had been decided on by some industry group. She got full on bitchy about when I asked if they had a privacy policy for managing the info telling me I was a time waster and refusing to serve me again.

  • Mad Max on 04/07/2016 - 21:16

    I agree completely with you.
    Finally someone that understands privacy issues and identity theft risks. It is incredible how many people do not give it a second thought…until it is too late.
    See this comment of mine and how naive many people are:
    https://www.ozbargain.com.au/comment/3777167/redir
    Someone was quite understandably trying to find a way to activate a Woolworths sim without having to give all their details online to a mobile phone company. Who knows who has access and where they will be stored…
    As for myself I stuck a little and neat red sticker over my driver's licence number and my date of birth. So if required they can verify my name and confirm my identity with the picture, but not see the other details.
    So far I only had to remove it once when stopped at a police road block.

    • SirFlibbled on 05/07/2016 - 13:54

      Woolies has a legal obligation for pre-paid mobiles to collect that information (not so for post paid though).

      • resisting the urge on 10/07/2016 - 19:21

        No that is gubmint legislation, not woolies.

        Da gubmint wants to know who's got each sim card.

  • tonyjzx on 04/07/2016 - 22:45
    -7

    The trend started with JB Hifi. They are the absolute worst as far as ID abuse goes so its not hard to understand why the Good Guys took up this practice.

    Also Masters… good riddance. You dont need to go to them, ever. There's this place called Bunnings. And hopefully in the future when Masters is all gone they learn their lesson.

    Thing is many places ask for your drivers license number and I'm opposed to it but ever since the telcos have asked for it willy nilly as part of their terrorist policies then everyone has a go.

    I have had companies ask for ID for cash purchases albeit large purchases ie. several hundred - they go they get fake $50s and so they want to trace that.

    Yeah this is bullshit.

    While I get that you take it out on the idiot cashier who is on minimum wage, the rot starts from the head down. I think it comes down to voting with your feet. Dont buy crap from companies who do this. Or if you do, minimise the risk… pay cash.

  • papachris on 05/07/2016 - 00:59

    Slightly different, but from June 1 (I think) you have to hand over your Drivers License to the Chemist to buy any pain killers with Codeine in them (eg Panadeine, other brands are available). They then record your details in a book.

    This is a new government requirement to reduce the chance of Codeine hording for drug making purposes. Originally they intended to make all Codeine products require a doctor's prescription, but there were too many complaints (Drug companies, etc).

    As to what happens to the records taken after some time, who knows…

    • nikhi24 on 05/07/2016 - 07:57
      +1

      I imagine its mainly onscreen only not a random book. Pseudo stop program is more for drug making the codeine recording is more for abuse as a lot of people take far too much on a constant basis

      • cwongtech on 05/07/2016 - 09:58

        This has always been the case with restricted medications.
        Even Demazin you need your details recorded.

        As to what happens to the records taken after some time, who knows…

        Ask your pharmacist I guess.

    • [Deactivated] on 26/05/2017 - 13:41

      You shan't need to worry from Feb 2018 as codeine products will become prescription only.

      The DL was for real-time tracking across multiple pharmacies to reduce the prevalence of abuse of codeine products. Addiction specialists have been pushing for prescription only for several years whilst pharmacies have been pushing for tighter controls like the DL real-time system to manage. My understanding is that no personal information was recorded in the real time system - simply the DL number which would then present the pharmacist with a list of codeine purchases and dates. The separate labeling system at the pharmacy does not record your DL.

  • AussieDaddy on 05/07/2016 - 01:12

    Though this recording of DL number is problematic in the way discussed here, but on the other hand there are other businesses, i.e. Myer, who will only rely on a printout for Click and Collect purchases and your signature (both which are reasonably easy to forge). They just give you your stuff without asking for an ID (though the confirmation email says you have to bring one with you for collection). I would rather them to at least have a look at an ID, than just to rely on a printout and a signature.

  • SirFlibbled on 05/07/2016 - 13:49
    +1

    Just a tip for future reference to get up these businesses. Under APP 9.2 of the Privacy Act, a business cannot USE or DISCLOSE a government related identifier unless it's (amongst other irrelevant things) required or authorised by law or for identity verification purposes.

    A government related identifier is your unique number, ie driver licence no, passport no etc.

    Businesses with an authorisation by law are basically financial institutions, gambling businesses and telcos. Other than that a business can only use or disclose for identity verification purposes. This doesn't mean check your id and write down the UID. It means using the UID to verify, most likely electronically, that the identity is not fraudulent.

    A 'use' of a government related identifier includes writing it down or even photocopying it.

    Also under APP 3, there needs to be a REASONABLE NEED to collect your personal information (which is a fairly easy thing to meet). This of course excludes govt related identifiers under APP 9.

    All businesses with an annual turnover of more than $3M a year must abide by the APPs, including those who act as an agent. Ie, a shop which acts as a delivery point for a courier would also have obligations under the APPs for that part of their business.

    Source: My brain, I used to work in this area of law

    • Mad Max on 05/07/2016 - 18:05
      -2

      So on one side the goverment tells you to be careful with your personal details, lock your letterbox, be wary of identity theft etc and on the other side the same goverment gives the right to almost every man and his dog to ask and record your details without knowing how they will be stored, who will have access to them and how will eventually be disposed of.

      • SirFlibbled on 05/07/2016 - 19:16

        Totally incorrect. The point of the above is they just can't simply write down your DL number. Writing it down isn't an act of verification of your identity and wouldn't be accepted under APP 9.2.

        People need to have a better understanding of their rights under the Privacy Act.

        The Privacy Act regulates how the information is collected, used, stored and disclosed. It also regulates how your personal information is used by telemarketers and credit reporting agencies.

        It also has tighter rules around the use of sensitive information such as biometrics, political affiliation, race or sexual orientation.

        The organisations also need to provide a privacy statement which tells you how the information will be collected, used, stored, disclosed and destroyed.

        What it DOESN'T regulate are most small businesses and political organisations.

        • Mad Max on 05/07/2016 - 20:47
          -1

          I think you are very naive if you think that all the rules and regulations you mentioned are adhered to. Theory and reality are always very different. Truth is that your personal details once collected can be accessed by many people that should not be allowed to. Including the cleaner clearing the bin where lists of names, dob and driver's licence numbers are disposed of (this I witnessed myself).
          But you keep believing in the Privacy Act…you'll be right mate!

        • SirFlibbled on 05/07/2016 - 21:12

          @maxi: now you've move the goal posts. Above you were complaining about the government letting them do it. Now you're claiming they breach the law instead.

          Make up your mind son.

          At the end of the day, if you're giving up this information without knowing your privacy rights, then you're a mug who deserves to get compromised.

        • Mad Max on 05/07/2016 - 22:03
          -3

          @SirFlibbled:
          Not your son, you patronising schmuck.
          And really not interested in your pompous and useless citations "Source: My brain".
          You need a good dose of reality.
          End of discussion for what I am concerned.

        • SirFlibbled on 05/07/2016 - 22:46
          -2

          @maxi: Ahh the old "insult and run away technique. Clearly you know what you're talking about.

        • tonyjzx on 06/07/2016 - 10:55
          -2

          @SirFlibbled:

          The problem with arguing with SirFlibbled is that he put down the regulations which you are free to verify.

          However I would go further. If you feel your rights have been violated by a store and you have the appropriate regulations right there, then what is your next step.

          Is it appropriate to ask for the staff members name and then report him to… what regulatory body?

          And then what is the appropriate action?

          If the incident stops there then the regulation is useless if it is not enforced.

        • SirFlibbled on 06/07/2016 - 12:27

          @tonyjzx: The correct regulator is the Australian Information Commissioner. They have the power to make a determination including penalties which they can enforce through the courts.

          The determinations are published on the OAIC's website if you want to check them out. Their approach is to work with the business to correct the issues rather than come down on them. If you read the determinations, in most cases this is what they do. Contact the business and work with them to get undertakings which are then put into the determination.

          In my experience, the businesses which breach the privacy law are in the minority. Those which do breach the laws can be further split up into those who simply have bad business practices to those which have a total disregard for the laws. Again the latter are very few and far between. Of the 200 businesses I dealt with in this case, only 1 would have fallen into that category. They ended up finding life was really tough if they didn't play ball and changed their ways eventually.

          A good example was a major hotel chain (5 star) wanted a copy of my drivers licence on check in. I asked why and what basis they wanted it. The desk person explained they kept it on file. I refused as the collection of that information was not necessary for me staying in a hotel room. They were welcome to check the name on the DL matched the CC they had taken for incidentals to confirm it was my CC but not to make a photocopy. They called the manager and I explained to them and they were happy to not take my information. A little knowledge can go a long way in this world.

          The biggest problem is that the law doesn't cover many small businesses with a low turn over and political parties. Unless they are regulated by other laws (eg AMLCTF or Telco laws) there's not a great deal you can do and you should be very wary about giving the details to them.

        • tonyjzx on 06/07/2016 - 14:37

          @SirFlibbled:

          I actually dont have a problem with small business transgressions. I'm not out to "get" the small business owner.

          I do have an issue with the large businesses who do this and they do it because they know they are powerful and they can get away with it.

          In theory, anyone here who has had their ID taken can report this. Let's see if this dog has teeth.

        • SirFlibbled on 06/07/2016 - 15:20

          @tonyjzx: It needs to be a breach of the Australian Privacy Principles, but yes. If making a complaint, I wouldn't simply rant. I would explain to them which APP you think they breached and why. If you make their jobs easier, you're more likely going to get a result.

          At the end of the day, they aren't resourced to investigate every complaint, but if you make it easier for them to do so then it increases your chances. How they pick and choose which cases to investigate is one of those mysteries in life.

          Remember too, it's not the taking of the ID which is the issue as they often can claim a reasonable need to collect the information. It's the use of a government related identifier under APP 9.2 which is the best weapon to make a complaint about. There is no 'reasonable need' exemption there.

        • resisting the urge on 10/07/2016 - 21:12

          @SirFlibbled: Thank you for specifying the pertinent parts of the Act. I'm sure I'm in quite scant company in never having read it. Glad you have though, and are helping the rest of us get across it. That info about APP 9.2 is GOLD if you don't like all the abuses happening these days.

          I was helping my mother in law sort out her utilities bills recently and noticed that in changing her electricity account's 'plan', they required well over 100 points of ID information in addition to her Driver's License number in the same webform. Perhaps this was only used for verification purposes, but they did not say it would not be stored.

          However what about Telcos- I remember Kogan and Aldi Mobile requiring customers to post or email copies of their Drivers Licenses to them, or they would not activate the SIM cards they were selling over the counter. Is this not an abuse APP 9.2, or might they be claiming this is not 'USE' of a government identifier? Sighting it is appropriate certainly, but transferring it plain text over email, let alone storing it… it'd be use, not to mention abuse, surely?

        • resisting the urge on 10/07/2016 - 21:19

          @SirFlibbled: BTW: Apologies from the rest of us for maxi's miserable thank you. Clearly reading something between the lines that probably wasn't there, not to mention getting over-excited with the wrong end of the stick.

          I guess there must be a saying to the effect of: 'Give free advice and you either get abused or sued'.

          EDIT: Not that you gave any 'advice' of course, those were a few relevant points you were raising

        • whooah1979 on 10/07/2016 - 21:43

          @maxi:

          neg for arguing with SirFlibbled. our trusted solicitor. both here and on wp.

        • SirFlibbled on 11/07/2016 - 09:52
          -1

          @zerovelocity: As mentioned, some laws require companies to verify your identity and even keep records of that information. Both Kogan and Aldi sell pre-paid mobile services. Under the pre-paid mobile determination, you need to provide evidence of your identity upon activation of the service. It used to be focused on id verification at the time of purchase, but the telcos wanted it changed.

          The other one you mentioned is also a legal requirements. In most states (except WA and Vic from memory) electricity providers have to operate under the energy retail rules which also require them to verify your identity when they are setting up a new plan.

          So while these companies still need to comply with the Privacy Act, they do get exemptions within it. In this case they have an exception in APP 9.2 as they are authorised by law to collect and use a government related identifier to verify your identity.

        • resisting the urge on 14/07/2016 - 01:32
          -1

          @SirFlibbled: Thank you for edifying me on the new rules relating to telcos.

          I guess Aldi and Kogan Mobile think they can 'throw away' emails (is that even possible?) and avoid accountability for subsequent loss/compromise as the customer transmitted it so the source could be any mail host or network in between. So in these cases, its better to snail mail them copies of your IDs as they surely dispose of the papers securely.

          Not sure I trust them not to scan it and store it digitally though, as it seems they can get away with this under the act now?

          Even so, if you were inclined to sign up to a provider that practices such abuses of your personal info, this would be safer than emailing info to them.

        • resisting the urge on 14/07/2016 - 01:43
          -1

          @SirFlibbled: Re your Hotel visit: You talked them out of 'requiring' you to submit to having your DL copied, but isn't the biggest problem is that these organisations then just turn around and data-rape the next person the same way as they did before you showed up?

          Given that so many people are bloody-minded enough to refuse service point-blank to anyone that complain/won't submit, the problem is worse than this- for example at events where they invite you and then refuse entry if you will not allow your ID to be duplicated.

          The sad fact is that as things stand, anywhere a lawyer or a judge doesn't go can get away with wholesale data-rape, not to mention online where it is yet to get 'as bad' because people don't believe the claims of '100% secure'.

        • SirFlibbled on 14/07/2016 - 11:50

          @zerovelocity:

          I have no idea why they choose what they do. Likely because the law requires them to keep copies of the verification for 7 years. In my opinion, however, if they adopted the use of electronic verification practices, they wouldn't need to store the personal details at all but the transaction numbers of the verification. It's less privacy evasive.

          I know the big three all use electronic verification now (even if they still take photocopies).

          Re hotels: this is why I said everyone should be aware of their rights. I know the Australian Privacy Principles aren't sexy to read, but they're damn important you know your rights - particularly on your right to be anonymous or pseudonymous.

          While they may to have a legal right to demand you show your ID, they do have the right to refuse you service as well if you don't provide it, as consent can override a lot of things in the APPs. What they can't get your consent though is the use and disclosure of your government identifiers under APP 9. Which is why it's such a powerful tool in protecting your identity.

        • resisting the urge on 20/07/2016 - 17:17

          @SirFlibbled: I see. A conundrum indeed.

          Keeping evidence of a successful verification should never include keeping the ID- or certainly not all of it. For a long time now, that should require a use, and also an onus to track the data and securely erase it from each storage location.

          Reasonable practice would be to keep the unique verification/response received from the ID verification authority/provider ONLY. This can be done so that it is admissible, just like the gov ID itself.

          @SirFlibbled, I have to take issue with your view: "In my experience, the businesses which breach the privacy law are in the minority. Those which do breach the laws can be further split up into those who simply have bad business practices to those which have a total disregard for the laws. Again the latter are very few and far between."

          Having worked on large systems for many years, I can tell you this is not the case. In reality it is the opposite. Even when dealing with systems designed to be tightly compliant with PCI and more progressive standards, information privacy abuse is effectively programmed in to every system, and mostly for reasons of expedience, level of care, and/or ignorance.

          Abuses will only get to Court for other/indirect reasons, because abuse is seldom even apparent at the point of disclosure- if ever, and attribution for such loss is anything but trivial. To make things harder for the customer, the actual use is seldom described in anything other than the vaguest of general terms.

          The reality is that standard practice everywhere involves breaching these principles numerous times in each customer interaction. And behind the scenes, storage, duplication and even routine publishing begins in an instant. For example, the most common process goes something along the lines of:

          1. Collecting private/personal information in a computer form,
          2. Carrying out input validity checks with third parties and
          3. Transferring/submitting checked (and even the unchecked) data to a database that references the session, context, user identities and other stored data.
          4. The data is stored, and commonly duplicated and backed up to protect against loss. It seldom has any significant, modern, or maintained forms of protection, or is classified in a way that alerts users of its private or confidential status, or what he customer agreed to/expected.
          5. The data has electronic and individual consumers (users), such as users of systems and employees of the owner organisation, both business and administrative. Other consumers include business partners and third party service providers, law enforcement and as is increasingly the case, public interfaces that support public/cloud/Internet access.

          It is very common for this information to be subsequently made accessible by an ever-increasing number of organisations and individuals, many of whom will duplicate and distribute it without a thought for the context in which the user handed their information over (i.e. for particular 'reasonable use').

          Technical staff that carry out maintenance and management tasks are often outsourced to organisations, most of whom provide access in poorly verified and poorly controlled methods. I say poorly as the ones who do it well seldom succeed in controlling access effectively. Proof of this is the increasing frequency with which groups and individuals stumble upon this data on the Interwebs, and the growing market supplied by others actively seeking it out for wholesale collection and sale.

          All these standard practices breach the onus that APP 9 seeks to place on an organisation to use or disclose gov IDs in a manner that is reasonable, and it bodes badly for the community that breaches are and continue to be programmed into almost every government and business system. Such rules are clearly 20 years too late, and their importance is missed by practically everyone. If we do not have mature legislation/regulation in this area, organisations will only continue to grow into immature, selfish rule-breakers.

          A good example is the storage of data for reasonable purposes- where are the regular audits that force an organsiation to check it has not grown pieces of infrastructure that allow data to be poorly handled either by design or accident? The most I've seen is an organisation self-check or use a crippled/easy to influence auditor- and that is with a deliberately limited scope/insufficient access to actually see how data is processed.

          Another is the stored of data beyond its use-by date. I've never seen major systems remove data autonomously, as it has to be done by design to prevent failure due to loss of data that previously, normally existed. And getting anyone to do it manually is near impossible.

          Whilst the APPs may seem specific, they are clearly not being translated into compliant systems, let alone practices. Is its interpretation being manipulated to support effective use by an influential few? I can see that in the eyes of many, it may have to be adjusted as such. For by the time it was conceived, the real world had designed and implemented its practices. It is not going to change them to conform with an Act that poses few risks of penalty. Let alone respect a commission that has few to no teeth!

          I certainly agree though that the APPs might be useful for getting service refused.

        • SirFlibbled on 20/07/2016 - 19:17

          @zerovelocity:

          "Reasonable practice would be to keep the unique verification/response received from the ID verification authority/provider ONLY. This can be done so that it is admissible, just like the gov ID itself."

          They record the transaction numbers. There's usually a transaction number for the request to the broker service and a transaction number from the broker service to the organisation which issued the ID (see for example SecureKey).

          Only the broker can patch together the entire transaction.

          " Even when dealing with systems designed to be tightly compliant with PCI and more progressive standards, information privacy abuse is effectively programmed in to every system, and mostly for reasons of expedience, level of care, and/or ignorance."

          The latter two fall into the first case I mentioned. When it gets brought to their attention they fix it pretty quickly. Sadly, it would take too many resources for the government to audit every business so it's the best that can be done unfortunately.

          If an organisation has an IDCare logo, they have been at least somewhat audited which gives you some surety. It's a new thing though but hopefully it'll become the Internet version of the heart tick.

  • Speckled Jim on 05/07/2016 - 19:39

    Back when people would pay with personal cheques (although even bank cheques sometimes) we'd jot down their drivers licence number, along with their name and address on the back of the cheque.

    They were securely kept — treated as cash — but ultimately several staff members would see the information in the course of their normal activities.

    • resisting the urge on 10/07/2016 - 21:26

      That was acceptable then. The trouble is that now so many see computers and Internet communications as secure that they think typing it into a dialogue in a cash register/POS system, or worse, a digital scan to an acceptable replacement practice.

      They just have no idea how many other staff/third parties have access, or may gain it in future.

      • Speckled Jim on 11/07/2016 - 00:54

        Identity theft is nothing new.
        Back then, the licence was just a piece of paper! You folded it a few times to fit in your wallet/purse.
        We've since been sold a succession of pups.

        1. Laminated photo licence will prevent fraud!
          (Enter cheap laminators)
        2. …Non-laminated plastic photo licence for enhanced security!
          (Better software, inks and printers…)

        3. Now with added micro-printing and hologram!
          Here I reach an impasse as I left the IT game a while back. However, if a two-bit Chinese brand can put "authentic" holographic stickers on their packaging to deceive, it can't be that hard.

        4. Retina scan?

        Although legislators are always playing catch-up with tech, the NSW govt is gearing something up. Having all but exhausted saleable assets, they're about to sell personal data to third-parties.
        I'd say there's more than basic info at stake here.

        It will go unchallenged, because apathy is interpreted as tacit compliance. Many see privacy issues as quaint throwbacks to a simpler time.
        Like the twentieth century, when we had paper licences…

  • outlander on 06/07/2016 - 14:51

    Yes, its a worrying trend. If I knew where to get a fake license, I might have got one just for that. Some places are worse than others. At one car wreckers I've gone to, they take a full color scan of your ID.

    Now, there will be people that say you're paranoid, and cite the many practical reasons for doing it this way, but they will also be the same people who claim your lying if you get accused of fraud, or that even if your not lying, that your an acceptable casualty of the system.
    Remember, if your accused of a crime you didn't commit and the arresting officer has your details, the burden is on you to prove it wasn't you that did it. Its called Criminal Identity Theft

    • SirFlibbled on 06/07/2016 - 15:20
      -1

      You'd come undone if the business electronically verifies the DL

      • outlander on 06/07/2016 - 15:51

        What happens when I come undone? Are you saying that all I am is just a surface layer, and I can be pulled apart at the seams to reveal another man, inside, wearing me like a skin?
        Whoaaa….thats deep.

  • robb6014 on 18/07/2016 - 19:33

    If you are worried about it (and I agreed it is worrying) perhaps a fake ID used only for this purpose is the go. They are now very easy to get online for about $40

    • tonyjzx on 28/05/2017 - 14:46

      I'm ok with this.

      The law says you have to produce valid ID for cops and banks and liquor sales that sort and of course do that.

      But besides that, what is the benefit to me? If you're making a private purchase from a store, why not use fake id? There's no implicit agreement with you and private enterprise.

Login or Join to leave a comment
Login Join