Protect your business

What is identity information and why it is important to keep it safe

Source: eSafety Commissioner

There are good reasons to collect customer information. These include staying connected, tailoring services to individual needs, and improving customer satisfaction and retention.

Customer information is usually personal information, which is any piece of information or data that can reasonably identify who a person is or how to find them. It may be used on its own or in context with other information to identify them. This includes any of the following:

• full name
• date of birth
• phone number
• home address
• location check-in
• email address
• photo
• username, password or passphrase
• tax file number
• Medicare number
• Centrelink Customer Reference Number (CRN)
• bank account details
• internet protocol (IP) address
• biometrics like fingerprints or facial recognition prints.

A person’s identity information and credentials make up their legal identity. Credentials include:

• driver licence
• passport
• birth certificate
• proof of age card
• ImmiCard
• Australian visa or citizenship certificate
• Medicare card
• student ID
• marriage certificate.

The downside of collecting personal or identity information is that it can be stolen or misused.

How to reduce the risk of identity theft from your business

Sources: Office of the Australian Information Commissioner

NSW Government

The following 2 steps are key to reducing identity theft and the risk of cyber incidents against your business:

• Minimise the amount of identity information your business collects.
• Have strong safeguards in place to protect the identity information you choose to store.

It might be tempting to know as much as you can about your customers. But if this information is stolen, it could hurt your business and put your customers’ safety and privacy at risk.

Only collect the identity information you need

If you are collecting identity information, you must collect it:

• only if it is reasonably necessary and directly related to your business
• directly from the customer and not from third parties
• in a way that is lawful and fair.

The more identity information your business holds, the greater target you will be for identity theft, scammers and cyber incidents.

The Attorney-General’s Department has developed National Identity Proofing Guidelines which give broad, best practice guidance for establishing whether a person is who they say they are. The guidelines can increase your confidence in an identity document’s validity and reduce the need to keep copies of documents. This results in significant cost savings, promotes privacy, lessens the impact of data breaches and protects against identity fraud.

Store and dispose of identity information responsibly

Recent large data breaches have demonstrated the risks associated with storing identity information and keeping copies of credentials.

Consider the likelihood of future data breaches when deciding what identity information you store. Protect your business and your customers by destroying or de-identifying identity information you no longer need. For example, if you decide to keep documents, consider redacting (removing or concealing) the details that are not required and destroying the data altogether when it is no longer needed.

Keep any data you do retain secure. Limit the number of staff who have access to this data.

Use the Australian Government identity verification services

The Australian Government’s Document Verification Service (DVS) offers businesses an alternative to collecting identity information. The DVS verifies identity electronically by checking whether the identity document details your customer provides match the original records. This eliminates the need for your business to keep records of identity documents, such as driver licences, birth certificates, passport numbers and other identity details. Instead of storing full identity documents, the DVS creates an auditable transaction number. The service also makes it harder for people to use fake identity documents.

The Face Verification Service (FVS) is like the DVS but supports a higher level of identity verification. It compares a photo of a person’s face against an image from an identity document.

At present, only approved Australian Government agencies may use the FVS. In the future, all levels of government and private sector organisations will be able use the FVS.

Users of the FVS need to meet strong privacy, security and oversight requirements to access the service, including obtaining express consent from the individual whose identity is being verified.

For more information about the identity verification services, visit About our services.

How to protect your business from identity crime

Identity crime is outpacing traditional methods of data collection and storage, putting business and customer identity information and credentials at risk.

Common identity crimes affecting businesses

Source: Australian Competition and Consumer Commission

The identity information your business stores can be valuable to scammers. The more information a scammer holds about an individual, the more targeted and sophisticated scams can be, increasing the risk of financial loss and harm. Some common business scams to watch out for are:

• business email compromise or payment redirection
• false billing
• overpayment
• whaling (targeting executives) and spear phishing (targeting specific groups or individuals in a business)
• online shopping scams
• office supply scams.

The Scamwatch website has resources to help you understand the different types of scams affecting businesses, ways to protect your business and customers from scams, and how to report a scam.

Find out more in the Business scams fact sheet.

Practical steps to safeguard your business and customer data

Source: NSW Government

The NSW Government has some useful information about keeping your business safe .

Tips for protecting your business and customers

Source: NSW Small Business Commissioner

• Remember that genuine emails about online government or businesses services will not include links to sign-in pages or ask for your identity information, account details, PIN or passwords.
• If you are unsure if an email or SMS you have received is genuine, do not click on any links or open any attachments. Contact the organisation using contact details that you find yourself (for example, using a search engine).
• If you are unsure about a change to a supplier’s or employee’s bank account details, call them to confirm, even if they provided an explanation by email.
• Never agree to any business proposal on the phone – always ask for an offer in writing.
• Make sure your business computers have up-to-date security software.
• Train your staff to look out for scams, potential identity theft or anything unusual.
• Advise your customers that you will never contact them to ask for their customer login or payment information.
• Monitor who is mentioning your business name online (for example, using a tool like Google Alerts).
• Create strong passphrases for your business accounts and update passwords when there are staffing changes.
• Limit staff access to identity information to only those with a genuine business need to know.

Identity theft response and remediation for businesses

Sources: NSW Government

Office of the Australian Information Commissioner

Valuable identity information can be stolen through incidents such as a cyber attack, data leak or ransomware infection. Data breaches involving identity information can have a significant impact on your business in terms of cost, productivity, reputation and loss of trust.

Having a well-prepared data breach response plan is essential for all businesses collecting identity information. Detecting and quickly responding to a breach of identity information will prevent further damage and harm to both your business and your customers.

If the identity information your business holds has been breached, the Office of the Australian Information Commissioner suggests you take the following steps:

• Contain the data breach to prevent any further compromise of identity information.
• Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
• Notify individuals, and the Office of the Australian Information Commissioner if required. If the breach is an ‘eligible data breach’ under the Notifiable Data Breaches scheme, it may be mandatory to notify the Office of the Australian Information Commissioner. (This scheme applies to businesses covered by the Privacy Act 1988. To check if this applies to you, see the Privacy and personal information section in ‘Links and Resources’ below).
• Review the incident and consider what actions you can take to prevent future breaches.

Report identity crime early to protect your business and customers from additional harm. You can report identity crime to:

• ReportCyber for any cybercrime or security incident
• Scamwatch for scams (even if you are not a victim)
• Office of the Australian Information Commissioner for reporting notifiable data breaches (if your business is covered by the Privacy Act).

While prevention is better, sometimes remediation is required after a breach happens. Help to remediate the harm of identity crime, and support for businesses affected by identity misuse and data breaches, is available at:

• IDCARE – this site provides identity remediation services tailored to business needs. (Note: There may be a charge for businesses to use this service.)

Links and resources

Identity resilience and cyber security

Source: Cyber.gov.au

For a small business, even a minor cyber security incident can have devastating impacts. In 2023–24, the average cost of a cybercrime incident, which includes identity crime, rose to over $49,600 for small businesses.

There are many simple and inexpensive measures you can take to improve the online safety and data security of your business. These include ensuring your software is up to date, backing up your information and using 2‑factor authentication.

The Australian Cyber Security Centre has resources to help small businesses protect against common cyber security threats, including:

• the Small Business Cyber Security Guide
• Securing Customer Personal Data for Small to Medium Businesses.

The Department of Home Affairs, in collaboration with the Australian Signals Directorate, has developed a Cyber Health Check Tool for small businesses, not-for-profits and individuals, providing straightforward and concise cyber security guidance.

Privacy and personal information

If you are collecting someone’s personal information, you may be required to comply with Australian legislation. This includes the Privacy Act 1988 and Australian Privacy Principles.

The Privacy Act regulates the way personal information is handled and requires businesses to notify individuals that their personal information will be collected, how it will be used and who it will be disclosed to

Before collecting personal information from someone, it is important to understand the risks involved and be sure you have a legitimate reason to do so.

The Office of the Australian Information Commissioner provides information and a privacy checklist for small business that can help you determine whether you need to comply with the Australian Privacy Principles.

Help for small businesses to improve digital capabilities

Australian small businesses can get support to improve your digital capabilities through the Australian Small Business Advisory Services. The Australian Government Business website can direct you to a digital solutions advisor near you.