Sight It, Don’t Store It
In an age where digital convenience often takes precedence over caution, many organisations across New Zealand routinely collect and store photographic identification as part of customer onboarding processes. The most commonly collected documents are driver licences and passports. It can seem efficient, even responsible, to hold on to a copy “for the record.” Yet what feels like a simple administrative safeguard can in fact create a long-term privacy risk that is difficult to unwind.
A photographic ID is one of the most sensitive forms of personal information an organisation can hold. It doesn’t just confirm a person’s name or date of birth; it links their likeness, official identifiers, and sometimes address into a single, high-value data point. Once stored, that image becomes a permanent record of identity, something that can be reused, copied, or stolen in ways the individual never consented to.
Even organisations with strong cybersecurity defences are not immune to data breaches, human error, or insider misuse. When a passport or driver-licence image is leaked, the damage is enduring. These documents cannot simply be “reset” like a password or replaced without cost, delay, and anxiety.
The Privacy Act 2020 provides clear guidance that collection of personal information must be necessary for a lawful purpose and proportionate. Organisations are required to collect the minimum amount of data needed and to dispose of it once its purpose is served. Keeping copies of photographic ID “just in case” is unlikely to meet these requirements.
Retaining high-risk data for convenience alone not only breaches the privacy principles but also exposes organisations to reputational harm and regulatory scrutiny.
A safer and more privacy-conscious alternative is sighted verification. This means viewing the ID in person or over a secure video link, confirming that it is genuine and that the person matches the photo, but not keeping a copy of the document itself. The verification can still be recorded, for example by noting that the ID was sighted, by whom, and on what date, without retaining the image or document. This small procedural change dramatically reduces exposure to breaches, supports compliance with the Privacy Act, and demonstrates respect for the individuals whose information is being handled.
Moving to a “sight it, don’t store it” model requires a shift in culture as much as in process. Staff must be trained to understand that holding less data is not a weakness; it is a strength. Technology teams need to ensure systems do not automatically capture or archive ID images unnecessarily.
Privacy is more than a compliance obligation; it’s an ethical commitment to protect the autonomy and dignity of individuals. By choosing to sight rather than store photographic ID, organisations can uphold that commitment, reduce risk, and model good data stewardship for others.
Ultimately, protecting privacy doesn’t require new technology or complex systems; it requires the willingness to let go. Sometimes, the best way to protect someone’s identity is never to keep it at all.