Can service providers demand ID numbers, copies of ID books, and other personal information from consumers? What legal protection do consumers have?
I was asked this question in a recent radio interview (see www.capetalk.co.za, John Maytham show 5.10pm, 4 June 2013): It appears that in a time where your personal information needs the most intense guarding that the world requires more access to it. We heard from Colleen whose new Woolworths card was delivered to her door. But to ensure that the right person receives this information, she needed to prove to the courier who she is by handing over copies of her ID and other important documentation. It makes sense, the retailer and courier company are trying to avoid fraud. But the same is true for Colleen, who makes herself vulnerable by handing over important information to a stranger. Where do we draw the line and how does the law protect us when it comes to this? Andrew’s response is outlined below:
The right to ask for personal information
- Service providers often have the right to ask for an identity number, document or other information such as proof of address in terms of laws such as FICA (the Financial Intelligence Centre Act if the service provider is a bank) or RICA (the Regulation of Interception of Communications Act in the case of cell phones being delivered).
- Where credit cards or other items having a cash value are being delivered, it is obviously important to make sure that they reach the right person. Personal information helps to verify identity in order to reduce identity theft and fraud.
- The service provider may also ask for personal information in terms of the fine print of a contract between the consumer and the service provider. However, under the Consumer Protection Act (CPA), any terms that give the service provider rights to demand personal information must be in plain language and cannot be unfair or unreasonable.
- Most people would agree that it’s reasonable to ask for verification of identity to reduce fraud. So a service provider, or a courier acting as their agent or representative, for example, will often ask to see the actual ID document, or to be given a copy of the ID document to keep, or both. Whether or not it is also reasonable to insist on being given copies of ID documents can really only be determined by the facts of a specific situation.
- Where a third party acts on behalf of a service provider, the service provider remains responsible for how the information handed over is safeguarded, but should ensure that the third party is accountable to it and the consumer in terms of a contract.
The right to privacy of personal information
- Balanced against the right of the service provider to ask for personal information are the consumer’s rights to privacy.
- Privacy rights originate in the common law and the Constitution, and there are also rights contained in certain sector-specific laws or codes of conduct, such as the Code of Banking Practice, the Code of Conduct under the Financial Advisory and Intermediary Services Act, various laws relating to health, credit, tax, insurance and so on. The Consumer Protection Act also offers limited protection against the abuse of personal information for marketing purposes.
- However, the laws regulating the use of personal information are all about to be significantly updated and consolidated within the next few months, with a new law called the Protection of Personal Information Act. This law will not prohibit the collection or use of personal information, but specify that it can only be done subject to eight conditions. Some of the more important examples of these are that:
- no more personal information can be collected than is needed for the relevant purpose;
- personal information cannot be reused (for example resold) for other purposes;
- the information must be secured and safeguarded using suitable technical and organisational measures; and
- third parties that process information on behalf of a service provider (the ‘responsible party’ under the Act), such as a courier company that collects copies of ID documents, must do this in terms of a written contract that places the same responsibilities on them in respect of the security of the information.
- An aggrieved consumer should first contact the service provider’s internal dispute resolution or customer care department. They could also consider complaining to the relevant regulatory body or Ombud. Depending on the situation, they may also be able to complain to the National Consumer Commission where the CPA has been breached.
- If any actual fraud has been attempted or perpetrated, the consumer should obviously lay charges with the police.
- If a consumer has suffered any actual financial loss because of identity theft or fraud resulting from abuse of their personal information by the service provider or its agents, the consumer might be able to claim damages in a civil case.
- The Protection of Personal Information Act will introduce considerably greater protection against the abuse of personal information, including fines of up to R10 million.