In Queensland, ID scanning is required across many nightclubs and bars. (ABC News: Meghna Bali, file photo)
In short:
Privacy advocates and cybersecurity experts say the growing use of ID scanning at venues raises the risk of personal data breaches.
One major ID scanning company says it employs a range of robust safeguards to protect customer data.
What's next?
Privacy advocates are pushing for more ambitious federal reforms to privacy laws, to protect consumers.
Rehan Warsi hands over his drivers licence and allows it to be held up and photographed next to his face.
He does it so he can get a drink at a bar.
"You don't get a choice, if you want to go inside, they take a photo. It kind of sucks," the 20-year-old said.
Privacy, he said, was being taken away for convenience.
"Your data is going everywhere — email address, home address, phone numbers, it's like you've got no privacy … It's just getting worse every day," he said.
Mr Warsi's drinking buddy, Kurtis Langeder, is less bothered.
"I have enough trust in people to take care of the data, mainly because they're liable in handling the data," the 23-year-old said.
Both said they would not allow a photo to be taken of their passport, but watching the line at Asian Beer Cafe in Melbourne Central on a Saturday night, it's clear many would.
Repeatedly, customers arrived at the front of the queue, handed over their passport, and allowed a bouncer to take a photo on an iPad.
Rehan Warsi, 20, and Kurtis Langeder, 23, have different opinions on whether bars and nightclubs should keep copies of patrons' ID documents. (ABC News: Geraden Cann)
A spokesperson for the bar said it installed the system, provided by third-party company Scantek, following advice from police, but did not comment further.
Scantek's chief executive said the scanning and photography of IDs and customers' faces was becoming increasingly common at venues nationwide, and roughly 1,000 venues now used Scantek systems or similar systems provided by competitors.
In many cases, the uptake of ID scanning and photography is being driven by the industry itself, rather than any legal or licensing requirements.
An industry has flourished around providing the tech, and the tech's capabilities are expanding.
It can now spot fake IDs, biometrically match a person's face to their ID to check it's theirs, flag troublemakers, and disseminate banned patrons' information to other venues, allowing bouncers to deny entry.
Australian privacy commissioner says ID photography 'problematic'
Some venues say the systems lead to fewer incidents and better patron safety, but Australian Privacy Commissioner Carly Kind described the practice as "very concerning" and "problematic".
"I would understand why the Australian community would find it concerning as well — I don't feel comfortable handing over my drivers licence or passport, and I certainly don't feel comfortable when entities take photographs of that or take photocopies of it," she said.
"I worry that that might be used for longer than I want it to be used for, or for purposes that I haven't handed it over for."
Privacy Commissioner Carly Kind says reforms to the Privacy Act should clarify which behaviours breach privacy principles. (ABC News: Billy Cooper)
Because the Privacy Act was principle-based, it was "quite flexible" and "doesn't draw hard lines or red lines around any activity", Ms Kind said.
It did require any personal information gathered to be reasonably necessary for the performance of an entity's functions and activities.
"Given the sensitive or intimate nature of that information, and the security risks around collecting it, that means there's a pretty high bar for collecting and storing that data," she said.
Some states do require certain venues to collect the data, usually if they're in specific areas, or have problematic pasts.
Some licensed gaming venues may also need to keep records of IDs for federal requirements to combat anti-money laundering or counter-terrorism, but the majority of bars and nightclubs have no such requirements.
With Privacy Act reforms still underway, Commissioner Kind said what did and did not breach privacy principles may be clearer in the future.
"We only have to look back a couple of years to the large data breaches, places like Optus and Medibank, to see just how widespread and vast data breaches can be and the very serious and long-term ramifications of breaches," she said.
"In the case of Optus, 100,000 Australian passports were compromised."
Similar breaches appear to have already occurred at hospitality venues.
Major company says rigorous safeguards used to protect data
In May last year, New South Wales Police charged a 46-year-old man with blackmail over an alleged data breach threatening to share the personal details of more than 1 million people.
The NSW Police cybercrime squad had been alerted to a website that had published the personal information of patrons who had signed into premises across NSW using their drivers licences.
The accused is due to appear in court in April, and with the case before the court, police declined to comment on whether victims would be required to get new IDs.
Police officers arrest a man for blackmail in relation to a data breach that affected Australians who had signed into venues using their drivers licences. (ABC: Supplied)
Scantek, which was not the company involved in that alleged data breach, is one of the largest providers of tech used by bars and nightclubs. Chief executive Ches Rafferty estimated the company's tech was in more than 400 licensed venues.
Mr Rafferty said robust precautions were key to protecting against data breaches.
Scantek, he said, used Amazon secure cloud servers, kept data onshore, and held ISO accreditation for secure information management.
He said all data was automatically deleted after a month, only venue managers could access data, and biometric data of patrons' faces was not stored, only being used to match them to the presented ID.
"We then have independent security companies undertake regular penetration tests on our infrastructure and technology to ensure that we are not exposing our data at all," he said.
ID scanning company Scantek says its customer base is growing. (Supplied: Unsplash)
In its pitch to nightlife venues, Scantek's website states data from IDs could be used to "collect marketing information from IDs and drivers licences, which business owners can use to target specific demographics with promotions".
Mr Rafferty said this was only done after the data was anonymised, and venues could receive breakdowns, such as how many people of a certain gender entered the club during a specific time, or the most popular nights for specific age groups.
"Venues can use this information to create marketing campaigns or promotions such as on social media or in the venue to target potential customers, for example incentivising patrons with specials if they arrive earlier, like free entry or drinks, or having a 30-plus night on Thursday nights," he said.
Scantek did not sell data or insights to other third parties, Mr Rafferty said.
Mr Rafferty said venues reported reduced incidents when patrons knew they could be identified, and patrons were able to enjoy a safer, more comfortable night.
A tool for law enforcement
The images Scantek gathered were also an important resource for police, Mr Rafferty said, and the copies of IDs had assisted in the investigation and prosecution of assaults and rapes.
The ABC asked police departments around the country whether they used information from ID scanners at bars and nightclubs.
A number acknowledged they did, while others refused to comment on methods of investigation.
Mr Rafferty said he supported reforms to make the Privacy Act clearer.
"I think the Privacy Act could be a lot stronger, because a lot of stuff in the Privacy Act is principles, and it's very high-level terminology," he said.
All stored data can be breached, cybersecurity company warns
One of the country's largest cybersecurity firms shares the concerns raised by the privacy commissioner about the practice of scanning or photographing IDs.
CyberCX retail and entertainment lead Alex Hoffmann said no technology was 100 per cent secure, a fact businesses needed to weigh up carefully.
"The thing that they need to be asked themselves is — is capturing or storing this data critical to the operations of our business? And if the answer to that question is no, then it's almost inevitable that the risks are going to outweigh the benefits," Mr Hoffmann said.
"Whatever you store has the ability to be breached or to be taken."
He said venues should be aware they bore the reputational risk, even if they were using third-party tech.
"If something goes wrong, it's them that's on the front page, it's their customers who have lost their information, in spite of the fact that it wasn't technically their fault," he said.
The only remarkable thing about the breach in NSW, he said, was the amount of media attention it received.
He said similar events occurred "every month, and possibly every week" across various industries.
Hospitality and tourism 'middle of the pack' for breaches
The Office of the Australian Information Commissioner (OIAC) groups hospitality and tourism together, and its data reveals the industries are middle of the pack for data breaches.
The OIAC recorded 32 registered breaches within the sector in the 2023/24 year, which a spokesman said had resulted in "tens of thousands" of people having personal information compromised.
How do I check if I've been hacked?
Photo shows A pair of hands using a laptop. A smartphone sits next to the laptop.
Latest ABS data estimates 199,100 Australians were victims of identity theft during 2022/23, and in one-third of cases the information was used to obtain money from a bank account, superannuation, or investments like shares.
The ACCC recorded $10.7m lost to identity fraud in 2022, and when crimes that might be facilitated by stolen personal information were totted up, the cost was orders of magnitude higher.
A recent report from the Australian Institute of Criminology also found those aged 18-35 were significantly more likely to suffer identity theft or misuse than other age groups.
Privacy advocate says companies should 'collect only what's needed'
The scanning of ID documents is most common in Queensland, where scanning is often required in the state's 15 Safe Night Precincts.
Queensland Council for Civil Liberties vice president Angus Murray said expansion of ID scanning should stop while the reforms of the Privacy Act continued.
"It makes little sense to me to expand the collection of personal information while that review is on foot," he said.
Mr Murray said Australia focused too much on technology as a solution to issues, and a greater emphasis should be placed on businesses collecting less data to begin with.
Compared to Europe, where the Charter of Fundamental Rights and General Data Protection Regulation (GDPR) put strict protections on citizens' privacy, Mr Murray said Australia's legislation was weak.
Queensland Council for Civil Liberties vice president Angus Murray says expansion of ID scanning should stop while a reform of the Privacy Act is afoot. (ABC: Supplied)
"Quite a profound part of the GDPR is data minimisation principles, and that's [essentially] collect only what's needed to be collected," he said.
"If I tie that back to venues verifying identity, if the purpose is to demonstrate that the person is over 18, a date of birth is all that needs to be collected.
"When you start including face, address, date of birth, drivers licence number and biometric information, the amount of information that's then retained off that interaction is significantly greater."
The use of biometrics to match faces to IDs was also something that Mr Murray said should be more broadly discussed before companies adopted it.
Mr Murray said the right to privacy of one's personal information was a "fundamental human right" and any form of commercialisation of it needed careful consideration.
"The idea that a person's identifying information, gender being one of those potential identifiers, has a value of a free drink, is a very dangerous norm to put into society," he said.
Mr Murray said he felt Australia had an "immature" approach to privacy protection, compared to places like Europe, which had seen the erosion of human rights during eras such as the Stasi police surveillance of East Germany.
"I do think that that norm is changing. I think we're shifting towards a more cautious and conscious community than we have been in the past," he said.
Government flags more reforms could be on the way
The first tranche of reforms to the Privacy Act was completed late last year.
On December 10, the Privacy and Other Legislation Amendment Act 2024 introduced additional protections for children online, greater transparency for individuals affected by automated decisions, and streamlined information sharing when breaches occur.
It also introduced stronger powers for the Information Commissioner and criminal penalties for doxing (the malicious release of information).
Australians were also given the right to sue for damages if they have been the victim of a serious invasion of privacy.
Reforms in the future may go further to limit what businesses can legally collect, and impose new penalties when those limits were breached.
Mr Murray said governments were yet to act on two recommendations of a review by the federal attorney-general's department — to more accurately define what qualified as personal information, and harmonise that definition across state laws.
Privacy advocates had also called for the removal of a clause exempting small businesses with an annual turnover of $3 million or less from being required to protect personal information.
A spokesperson for the attorney-general said the legislation was just the first stage of the Albanese government's commitment to increase individuals' control over their personal information, and consultation was ongoing.
Different rules in different states
New South Wales
In the country's most populous state, a spokesperson for Liquor and Gaming NSW said a small number of venues with poor compliance history were required to use scanners to ensure banned patrons didn't enter.
In these situations, licensees were often required to maintain copies of IDs and photographs of patrons for a period of 28 days and make them available to NSW Police upon request.
Venues could voluntarily install the tech, and there was no requirement in the Registered Clubs Act 1976 for venues to scan personal identification documents.
Western Australia
In WA, the situation is similar. Most licensed premises are not required to collect images of IDs, however a small number of licensed premises with poor compliance have had identification conditions imposed on liquor licences, and venues could choose to take images of IDs.
The WA government is currently conducting a trial of the Banned Drinkers Register (BDR) in the Pilbara, Kimberley and Goldfields regions, along with the towns of Carnarvon and Gascoyne Junction. In those places, buyers of packaged liquor must present ID for scanning by the salesperson, and if they are banned, they are refused.
Victoria
There are no requirements under state legislation for retaining copies of identification, however, Liquor Control Victoria (LCV) could impose ID scanning as a condition of liquor licences.
This appears to be relatively rare, with Department of Justice and Community Safety data suggesting only 19 of approximately 24,000 licensees have this condition, and they were typically imposed after issues raised by police or councils.
The data collected from scanners is typically required to be retained for an inspector to request for one month, and venues could voluntarily install tech.
Queensland
Networked ID scanning is required after 10pm at regulated premises in the state's 15 Safe Night Precincts (SNPs), to prevent banned patrons from entering the SNP or a venue.
A spokesperson from the Office of Liquor and Gaming Regulation (OLGR) said scanners had to come from an approved operator, which was required to comply with the Privacy Act, and ensure personal information is not held for more than 30 days.
Scanners could also only be used by trained operators under supervision of a crowd controller licensed under the Security Providers Act 1993. These rules do not apply to venues outside the SNPs.
The state is currently considering expanding the number of SNPs. A planned review would examine whether current policy strikes the right balance between public safety and a vibrant night-time economy, including whether ID scanning helps reduce alcohol-related harm.
South Australia, Tasmania, Northern Territory
There are no legal requirements for bars or nightclubs to scan a patron's ID as a requirement of entry in any of these jurisdictions.
Australian Capital Territory
There is no broad legal requirement to scan IDs in the ACT, but procedures on gaining entry to licensed venues are managed through risk-assessment management plans approved by the Commissioner for Fair Trading.
A spokesperson for the ACT government said pub and nightclub risk assessment management plans did not include requirements for the venue to scan or photograph patrons' ID documents for entry.