Identity Verification Documents / General Disposal Schedule No.45
State and local government agencies and universities sight, collect and receive identity verification documents from individuals using their services every day. For example, a copy of a driver’s licence, passport or Medicare card is used to verify an individual’s identity to process an application. Documents provided can be in any format.
These documents are increasingly high in value and sensitivity. Storing them securely and legally disposing of them as soon as possible mitigates risks.
Personal information & Identity verification information. What’s the difference?
Generally, personal information is one or more details within a document about an individual.
For state government agencies, personal information is defined in the Information Privacy Principles Instruction (IPPI) as
‘information or an opinion, whether true or not, relating to a natural person or the affairs of a natural person whose identity is apparent, or can reasonably be ascertained, from that information or opinion.’
Personal information can include (but is not limited to):
- Name
- Contact details
- Medical information
- Financial information
- Ethnicity
- Photographs
- Biometrics (such as fingerprints, retina scans, gait)
For local government agencies, personal information is defined through privacy policies.
Agencies should only collect personal information if it is needed to fulfil their functions and deliver their services. If personal information is collected, it must be managed appropriately.
Further information on personal information and Information Privacy can be found here.
An identity verification document is a document that contains a specific set of personal information used to confirm the identity of an individual. Verifying an individual’s identity correctly helps ensure the individual is who they say they are and protects against fraud and identity theft.
Identity verification documents can include (but are not limited to):
- drivers’ licences
- passports or citizenship certificates
- photographic identification (ID) cards
- birth, marriage and death certificates
- proof of address documents (e.g. utility bills or council rates)
- government issued ID cards, concession cards (health care card, pension card)
- Student identification card
Many of these documents are used to support identity verification processes such as 100 points of identification checks.
They can be originals, certified copies or just copies.
Identity verification documents are used for a variety of reasons:
- to issue a licence
- to utilise a government service (e.g. obtain a working with children check, police check, or access to a government portal)
- to waive a fee (i.e. freedom of information (FOI) application fees and some lodgement fees).
This guidance relates to identity verification documents only.
Managing identity verification documents
Until the establishment of GDS 45, agencies were able to hold identity verification documents that are no longer used for a business need or legal purpose, with no authority to dispose of them.
There are several issues with retaining this type of information longer than needed:
- increased risk of privacy breaches, including through excessive collection
- increased government costs relating to storage
- increased amount of information held by an agency, which in turn increases search times to retrieve required information (for example for access requests and FOI)
- raises the question: when is it legal to use NAP to dispose of these types of documents?
Agencies need to have a strong understanding of how identity verification documents are being captured, managed and disposed of.
Secure management of identity verification documents is vital to mitigate risks around over-collection, theft and disclosure of personal information.
Factors to consider when managing identity verification documents:
In some circumstances identity verification documents may need to be retained:
- for a legislative purpose – an agency needs to comply with an Act that stipulates retention of this type of identity verification document/s.
- for a business purpose – these documents may relate to a specific purpose when documents are needed for a specific period of time and need to be retained as per an agency’s Records Disposal Schedule (RDS). If a business purpose requires the verification of an individual’s identity, it is the business purpose that determines the retention and destruction of the relevant identity verification documents.
If not for these two purposes, does the information need to be collected at all?
Identity verification documents may be collected or have been collected without a legislative or business purpose to retain the information. An example of this is taking a copy of documents presented for verification. In this circumstance, a sighting process might be preferable.
A sighting process is where a staff member views identity verification documents to fulfil a business purpose instead of taking copies of the documents.
It is for an agency to determine the verification process required. Different agencies will have varying levels of identification required – e.g. what level or types of identity verification documents they require to verify an individual’s identity and therefore provide a service.
Agencies must ensure they have undertaken a due diligence process/risk assessment prior to implementing a sighting process.
A sighting process can include:
- authorised people to manage sighting the relevant documents to fulfil the business purpose
- a system of recording the verification has occurred (this might be as simple as a spreadsheet or database)
- access controls to the system to ensure the verification process is secure and only accessible to the relevant staff members
Important: sighting process/verification process documentation needs to be retained.
Some agencies may use a Commonwealth government electronic service where documents aren’t required to be retained as they are processed through the service system, such as the Document Verification System (DVS) or a Digital ID (national secure online systems).
Agencies should contact the Office of the Chief Information Officer to discuss DVS and Digital ID capabilities that are available to agencies: OfficeoftheCIO@sa.gov.au.
Some records may include multiple parts - for example an application form and an attachment providing a copy of a driver’s licence.
Remember, under the State Records Act 1997, an official record means ‘a record made or received by an agency in the conduct of its business’.
Consider if the application only is required to be retained for business purposes. Does the driver’s licence need to be kept once verification has occurred?
A risk analysis of new and existing records that contain identity verification information should occur to ensure the information relevant to the business purpose only is retained.
Consider the security, privacy, access controls and storage around identity verification documents.
Secure storage of identity verification documentation will limit the amount of information that may be vulnerable in the event of a privacy breach.
Identity verification documents that include financial card information or credit card numbers are especially sensitive. Consider redaction of any card numbers if the document needs to be retained.
See the South Australian Protective Security Framework and South Australian Cyber Security Framework for managing the security of sensitive information.
General Disposal Schedule
State Records recognises the need for a legal authority to dispose of identity verification documents when no longer required. GDS 45 Identity Verification Documents has been developed to meet this need.
GDS 45 authorises disposal of identity verification documents when no longer needed for an ongoing business or legal purpose. It provides a non-exhaustive list of types of identity verification documents that may be used for identity verification purposes.
Important:
- Identity verification documents are not to be confused with identity documents created by government agencies as part of their function. Agencies that create identity verification documents do not fall within this GDS or advice. These agencies need to retain the identity documents they create as per their RDS.
- GDS 45 does not override another GDS or an agency’s RDS.
Agencies have a duty of care to dispose of identity verification information securely, confidentially and in line with the agency’s disposal procedures.
Scenarios for use
The following outlines the different scenarios where identity verification documents may be captured and retained and the application of GDS 45:
This is where the individual provides the required identification documents (originals, certified copies or copies) to an agency and the documents are required to be retained by the agency for an ongoing business or legal purpose.
Check if there is a legislative requirement to retain the records. In addition, refer to a GDS or RDS as to the retention period for these documents.
GDS 45 cannot be applied to identity verification documents where a legal or business purpose requires retention.
Legal purpose example:
The identity of a party to an instrument, or a person executing a document for the purposes of the Real Property Act 1886 (other than a legal practitioner or registered conveyancer acting under Client Authorisation), must be verified in accordance with the Registrar-General’s Verification of Identity Requirements. These verification documents are to be retained for at least 7 years (Office of the Registrar-General, Land Services SA).
This is where the individual provides the required identification documents to an agency and the agency’s verification process requires copies of the documents to be retained until such time as the verification process is complete in accordance with agency policy. After such time they can be destroyed in accordance with GDS 45.
This scenario also applies where the individual has provided the identity verification documents to an agency through an application/online form submission.
Records around the verification process need to be retained as per GDS/RDS requirements.
FOI example:
Agency A has received an FOI application seeking access to some deceased records. Included in the application are some identity verification documents, as the applicant is seeking a fee waiver.
After confirming the FOI applicant is entitled to a waiver, Agency A could destroy the identity documents in accordance with GDS 45. However, Agency A has a policy which dictates the agency must retain the verification documentation until the FOI process (including external reviews with the Ombudsman/SACAT) is complete. This policy is in place to support external reviews where family members and/or executors of estates raise objections to the release of the deceased information.
The FOI application must be retained as per the agency’s RDS.
Once the FOI process is complete, the attached identity documents can be destroyed in accordance with GDS 45.
Recruitment example:
Agency B has undertaken a recruitment process and as part of that process, has obtained some identity verification documents.
After verification of the applicants, provided the agency does not have a continued business need or a legal purpose, Agency B could dispose of the identity verification documents.
The verification process documentation and all other recruitment documentation will need to be retained for the retention period of the recruitment file and as per GDS 30/40 requirements.
This is where the individual presents the identity verification documents to an agency in person and identity verification immediately occurs by an authorised staff member using an approved agency verification process.
The documents are not retained and are given back to the individual.
Other GDS alignment
Disposal of Hardcopy Source Records after Digitisation (GDS 21) provides agencies with the ability to destroy hardcopy source records following digitisation, subject to some conditions.
GDS 45 aligns with GDS 21 as it provides agencies with the ability to dispose of identity verification documents attached to hard copy source records.
The timing of verification may impact the digitisation process.
It will be more efficient and less of a risk if an agency can establish a verification process/procedure where verification occurs before the hard copy is digitised rather than after digitisation occurs and copies of the verification documents are entered in a digitised system.
Can you dispose of identity verification documents through Normal Administrative Practice (NAP)?
NAP applies to the destruction of non-official information.
Under NAP you may routinely destroy information of a transitory or temporary nature where it is obvious that no information of continuing value to the agency will be lost.
Information will be of ‘continuing value’ if it is required for administrative, business, fiscal, legal, evidential or historic purposes.
There are instances where agencies may receive identity verification documents in error, unsolicited and even where they are not required.
These documents can be destroyed under NAP principles as NAP applies to the destruction of non-official information.
For further information on NAP, see: Disposal | State Records of South Australia
Information session
An information session was held on 25 February 2026 introducing the Identity Verification Documents GDS 45.