Driver Licences and the Privacy Act. Is your business storing personal data lawfully?
A driver licence is not low-risk data. I hired a truck this week and, as part of the process, handed over my driver licence. The branch manager scanned my driver licence into their system and printed a hard copy. I asked how long they keep my information.

Larissa Hamilton
Director
Privacy

The answer: “Why? Does it worry you?” Followed by: “Probably forever.”
A driver licence is not low-risk data. It is commonly used to verify identity across banking, credit and account access. In the wrong hands, it can be used to open accounts, support identity fraud, or enable impersonation. “Probably forever” isn’t just a careless answer; it’s a pretty big signal that privacy is not top of mind in how that business operates.
Holding both a digital copy and a physical one compounds the risk. The digital version may sit in a system with broad internal access, while the physical copy languishes on a desk, in a drawer or filing cabinet with limited controls and likely no audit trail or clear disposal process.
When a business can’t explain how long it keeps personal information, it usually means that decision has not been made deliberately. Often there is no clear retention policy and no training to support staff in explaining it.
Under the New Zealand Privacy Act 2020 (and many global privacy regimes), personal information should only be collected where it is necessary, stored securely, and not kept for longer than required for the purpose it was originally collected.
The longer personal information is held, the more likely something goes wrong. Staff turnover, system changes, poor storage practices, or simply time all increase the chance of unauthorised access or loss.
As a customer, I’m relying on that business to treat my personal information with care. A flippant response and no clear retention practice create a reasonable impression that privacy is not a priority for them.
That impression matters, because it directly affects how comfortable and willing I’ll be to engage with that business again.
#privacy #dataprotection #identityfraud #privacyact