Protect your business

What is your identity information and why it is important to keep it safe

Source: eSafety Commissioner

There are good reasons to collect customer information such as staying connected, tailoring services to their needs, and improving customer satisfaction and retention.

The information collected is usually personal information, which is any piece of information or data that can identify (or reasonably identify) who a person is or how to find them. It may be information used on its own or in context with other information to identify them. It includes everyday things like:

  • full name
  • date of birth
  • phone number
  • home address
  • location check-ins
  • email address
  • photos
  • usernames, passwords or passphrases
  • tax file number
  • Medicare number
  • Centrelink Customer Reference Number (CRN)
  • bank account details
  • internet protocol (IP) address
  • biometrics like fingerprints or facial recognition prints.

A person’s identity information and credentials make up their legal identity. Credentials include:

  • driver licence
  • passport
  • birth certificate
  • proof of age card
  • ImmiCard
  • Australian visa or citizenship certificate
  • Medicare card
  • student ID
  • marriage certificate.

The downside of collecting identity information is that it can be stolen or misused.

How to collect, store and dispose of identity information to minimise identity data

Sources: Office of the Australian Information Commissioner, NSW Government

Minimising the amount of identity information your business collects, and having strong safeguards in place to protect the identity information you choose to store, are important steps in reducing identity theft against your business and reducing the risk of cyber incidents. It might be tempting to know as much as you can about your customers, but if this information is stolen it could hurt your business and put your customers’ safety and privacy at risk. There are simple actions you can take to minimise the collection and storage of identity information that will go a long way to protecting the valuable information you store from harm.

Only collect the identity information you need

You should always be careful when collecting an individual’s identity information. If you are collecting identity information, you must do so only if it is reasonably necessary and directly related to your business. Identity information must be collected directly from the customer and not from third parties. You must only collect identity information in a lawful and fair way. The more identity information a business holds, the greater the target it will be for identity theft, scammers and cyber incidents.

Storing and disposing of identity information responsibly

Recent large data breaches have demonstrated the risks associated with keeping stores of identity information and retaining copies of credentials. Businesses need to consider the likelihood of future data breaches when deciding what identity information is stored. Protect your business and your customers by destroying or de-identifying identity information when it is no longer required. For example, if you decide to keep documents, consider redacting the details that are not required and destroying the data altogether when it is no longer needed. The data that is kept should be kept secure and the number of staff who have access to this data should be limited.

Australian Government Identity Verification Services

The Australian Government’s Document Verification Service provides businesses with an alternative to collecting identity information. The Document Verification Service verifies identity electronically by checking whether identity document details provided by customers match original records. This eliminates the need for businesses to keep records of identity documents, such as driver licences, birth certificates and passport numbers, and other identity details. Instead of storing full identity documents, an auditable transaction number is created. The service also makes it harder for people to use fake identity documents.
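The storage advice above (keep only the fields you need, redact what you decide to keep, limit which staff can see it, and destroy records when they are no longer required) and the Document Verification Service approach (retain an auditable transaction reference instead of a copy of the document) can be put into a small record store. The following Python is an added example written for this page, not code from any of the agencies cited. The field names, roles, retention period, transaction reference format and sample customer record are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed: the only identity fields this hypothetical business needs to keep.
REQUIRED_FIELDS = {"full_name", "email", "phone_number"}

# Assumed: identity document numbers sighted at sign-up that must not be kept in full.
CREDENTIAL_FIELDS = {"passport_number", "driver_licence_number", "medicare_number"}

# Assumed retention period; once it passes the whole record is destroyed.
RETENTION_DAYS = 365

# Assumed role-based access map: the stored fields each staff role may view.
ROLE_ACCESS = {
    "support": {"full_name", "email"},
    "finance": {"full_name", "email", "phone_number", "verification_ref"},
}


@dataclass
class CustomerRecord:
    customer_id: str
    data: Dict[str, str]
    verification_ref: Optional[str]  # DVS-style transaction reference, not the document
    collected_on: date


def redact_number(value: str, keep_last: int = 3) -> str:
    """Mask all but the last `keep_last` characters so staff can confirm a customer
    quoted the right document without the business holding the full number."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def minimise(raw: Dict[str, str]) -> Dict[str, str]:
    """Keep only required fields. Credential numbers are reduced to a redacted hint;
    everything else submitted (address, photos, extra details) is dropped before storage."""
    kept = {k: v for k, v in raw.items() if k in REQUIRED_FIELDS}
    for k in CREDENTIAL_FIELDS & raw.keys():
        kept[k + "_hint"] = redact_number(raw[k])
    return kept


def collect(store: List[CustomerRecord], customer_id: str, raw: Dict[str, str],
            verification_ref: Optional[str], today: date) -> CustomerRecord:
    """Store a minimised record plus the verification reference, never the raw document."""
    rec = CustomerRecord(customer_id, minimise(raw), verification_ref, today)
    store.append(rec)
    return rec


def purge_expired(store: List[CustomerRecord], today: date) -> List[str]:
    """Destroy records older than RETENTION_DAYS; return the ids that were removed."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    expired = [r.customer_id for r in store if r.collected_on < cutoff]
    store[:] = [r for r in store if r.collected_on >= cutoff]
    return expired


def view(record: CustomerRecord, role: str) -> Dict[str, str]:
    """Return only the fields the role is permitted to see; unknown roles see nothing."""
    allowed = ROLE_ACCESS.get(role, set())
    out = {k: v for k, v in record.data.items() if k in allowed}
    if "verification_ref" in allowed and record.verification_ref:
        out["verification_ref"] = record.verification_ref
    return out


def demo() -> dict:
    """Run the minimise / access / retention flow on a constructed sample record."""
    store: List[CustomerRecord] = []
    today = date(2024, 6, 1)
    raw = {  # constructed sample sign-up submission, not real data
        "full_name": "Example Customer",
        "email": "customer@example.invalid",
        "phone_number": "0400000000",
        "home_address": "1 Example Street",
        "passport_number": "PA1234567",
        "photo": "<binary omitted>",
    }
    rec = collect(store, "c1", raw, "DVS-TXN-EXAMPLE-0001", today)
    collect(store, "c0", raw, None, today - timedelta(days=400))  # an old record
    return {
        "stored_fields": sorted(rec.data),
        "support_view": view(rec, "support"),
        "finance_view": view(rec, "finance"),
        "unknown_role_view": view(rec, "intern"),
        "purged": purge_expired(store, today),
        "remaining": [r.customer_id for r in store],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the raw submission never reaches storage: `minimise` runs before anything is written, `view` is the only read path and enforces the role map, and `purge_expired` is meant to be scheduled so that retention is applied automatically rather than left to someone remembering.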

The Face Verification Service is like the Document Verification Service but supports a higher level of identity verification. It does this by comparing a photo of a person’s face against an image from an identity document. In the future, local government, state and territory governments and private sector organisations will use the Face Verification Service subject to participation agreements that outline strong privacy, security and oversight requirements for them to access the services, including the provision of expressed consent from individuals. The Face Verification Service also helps victims of identity crime reclaim their identity and prevent identity theft by detecting fake or stolen documents through the creation of digital identities such as myGovID.

For more information, visit Identity Verification Services - what are they?

How to identify and protect your business from identity crime

Identity crime is outpacing traditional methods of data collection and storage, putting both companies and their customers' identity information and credentials at risk.

Common identity crimes affecting businesses

Source: Australian Competition and Consumer Commission

The identity information your business stores can be valuable to scammers. The more information a scammer holds about an individual, the more targeted and sophisticated scams can be, increasing the risk of financial loss and harm. Here are some common business scams to watch out for:

  • business email compromise/payment redirection
  • false billing
  • overpayment
  • whaling and spear phishing
  • online shopping scams
  • office supply scams.

The National Anti-Scams Centre’s Scamwatch website has resources available to help you understand the different types of scams affecting businesses, ways to protect your business and customers from scams, and how to report a scam.

Find out more in the Business scams fact sheet.

Practical steps to safeguard your business and customer data

Source: NSW Government

While it’s important to be prepared for a cyber incident, prevention is better than a cure. Identity information needs to be handled with care, surrounded by right processes and procedures, and disposed of responsibly. The NSW Government has provided some useful information about keeping your business safe.

Tips for protecting your business and customers

Source: NSW Small Business Commissioner

The following tips will help protect your business and customers from identity theft.

  • Genuine emails about online government or business services will not include links to sign-in pages, or ask for your identity information, account details, PIN or passwords.
  • If you are unsure whether the email or SMS you have received is genuine, do not click on any links or open any attachments. Contact the organisation using contact details that you’ve found yourself (e.g. using a search engine like Google).
  • If you are unsure about a change to a supplier or employee’s bank account details, call them to confirm, even if an explanation is provided by email.
  • Never agree to any business proposal on the phone: always ask for an offer in writing.
  • Make sure your business computers have up-to-date security software.
  • Train your staff to be on the lookout for scams, potential identity theft, or anything unusual.
  • Advise your customers that you will never contact them to ask for their customer login or payment information.
  • Monitor who is mentioning your business name online using a tool like Google Alerts.
  • Create strong passphrases for your business accounts and update passwords when there are staffing changes.
  • Limit staff access to identity information to only those that have a genuine business need to know.

Identity remediation for businesses

Sources: NSW Government, Office of the Australian Information Commissioner

A data breach involving identity information can have a huge impact on a business in terms of cost, productivity, reputation, and loss of trust. Valuable identity information can be stolen through incidents such as a cyberattack, data leak or ransomware infection.

Having a well-prepared data breach response plan is essential for all organisations collecting identity information. Detecting and quickly responding to a breach of identity information will prevent further damage and harm to both your business and customers.

If the identity information your business holds has been breached, the Office of the Australian Information Commissioner suggests you:

  • Step 1: Contain the data breach to prevent any further compromise of identity information.
  • Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  • Step 3: Notify individuals, and the Office of the Australian Information Commissioner if required. If the breach is an ‘eligible data breach’ under the Notifiable Data Breach scheme, it may be mandatory to notify the Office of the Australian Information Commissioner. (To work out whether you are covered by the Privacy Act 1988 (Privacy Act), see the ‘Privacy and personal information’ section in ‘Links and Resources’ below).
  • Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

You should report identity crime early to protect your business and customers from additional harm. You can report identity crime to:

Prevention is better than cure, but sometimes the cure is required. Help is available to remediate the harm of identity crime and to support businesses that are subject to identity misuse and data breaches. The following additional assistance is available:

  • IDCARE – provides identity remediation services tailored to a business’ needs. (Note: There may be a charge for businesses to use this service.)

Identity resilience and cyber security

Source: Cyber.gov.au

For a small business, even a minor cyber security incident can have devastating impacts. In the 2021–22 financial year, the average cost per cybercrime, which includes identity crime, rose to over $39,000 for small businesses.

There are many simple and inexpensive measures businesses can use to improve their online safety and data security, such as ensuring software is up to date, backing up their information and turning on two‑factor authentication.

The Australian Cyber Security Centre has a range of resources to help small businesses protect themselves against common cyber security threats, including the Small Business Cyber Security Guide and Securing Customer Personal Data for Small to Medium Businesses.

Links and resources

Privacy and personal information

If you are collecting an individual’s personal information, you may be required to comply with Australian legislation. This includes the Privacy Act and the Australian Privacy Principles.

The Privacy Act regulates the way personal information is handled and requires individuals to be notified that their personal information will be collected, how it will be used and who it will be disclosed to.

Before collecting personal information from a person, you should understand the risks involved and ensure there is a legitimate reason to do so.

The Office of the Australian Information Commissioner’s Privacy checklist for small business can help you determine whether you need to comply with the Australian Privacy Principles.

Help for small businesses

Australian small businesses can access individual support to grow their digital capabilities through the Australian Small Business Advisory Services (ASBAS). The Australian Government Business website can direct you to a digital solutions advisor near you.

Commonwealth, states and territories

For identity security information on protecting your business in your location, please see the helpful links below. Please refer customers to our Protect your identity, keep it safe page.