Australian Privacy Commissioner Timothy Pilgrim has warned pubs and clubs collecting biometric information from their patrons not to "automatically" share that information with other clubs unless they have notified their patrons.
This week the news emerged that the collection of personal information such as biometrics and driver licence details by pubs and clubs has soared. Clubs and pubs use the information to reduce the risk of violence by pinpointing offenders and banning them from venues.
"The office is aware of the use of this technology by some organisations. Any pubs and clubs using this technology should be aware that under the Privacy Act, organisations must provide individuals with notice of what will happen to the collected information," Pilgrim said.
"It cannot be automatically shared with other venues, even if the purpose for sharing it is the same across all the organisations."
He said that he appreciated customers' concerns about having to share biometric information to go into a pub or club, since once the information was digitised, it could be used for purposes the person might not have expected.
The Privacy Act says that organisations have to give people the right to deal with them anonymously where possible, Pilgrim said, with personal information only to be collected when it is necessary. That information also has to be protected by adequate security measures.
"These organisations must keep their databases secure and take steps to destroy or de-identify the personal information if it is no longer required. Keeping the information for the shortest possible period necessary to fulfil the reason it has been collected is best privacy practice, as it reduces the risk of the information being misused," Pilgrim said.
He pointed to an information sheet for venues (PDF), which suggests that they collect only information that is absolutely necessary and keep that information up to date and secure.
Pilgrim also backs a voluntary privacy code created by the Biometrics Institute. Clubs NSW has agreed to sign onto the charter and will participate in upcoming biometric privacy discussions, but the reception from other states has been cold, according to Biometrics Institute head Isabelle Moeller.
Interesting points in that code include that venues have to provide individuals with access to the personal information stored and, if possible, give them the opportunity to have their information removed from the system.
All biometric information should also be encrypted immediately after collection, according to the code, and third-party auditing of the system should be implemented.