National Crime Check Pty Ltd ACN 139 183 145 and all its subsidiaries (including but not limited to InstaID, InstaID+ and nationalcrimecheck.nz) is committed to respecting the privacy of your personal and sensitive information. We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Commonwealth) and other applicable laws (including the NZ Privacy Act).
Data protection and information security is of the utmost importance, so you can have trust and confidence in dealing with our organisation.
We want to be transparent in explaining how and why we gather, store, share and use your personal information. Accordingly, this document provides a clear set of guidelines so that you can understand how we manage your personal information, the steps we take to protect your privacy as well as how, when and where we may collect, hold, use and disclose your personal information. It covers all personal information provided by you or your applicants, as well as other individuals who have given their written consent to us to conduct or to otherwise use or services.
‘Personal Information’ and ‘Sensitive Information’ Defined
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not and recorded in a material form or not.
Sensitive information means information or an opinion about, amongst other things, an individual’s criminal record that is also personal information or health information about an individual.
References to personal information in this policy include sensitive information except where indicated otherwise.
We will reasonably ensure that personal information we collect, use or disclose is accurate, complete and up to date.
As a user of our system, you will be able to confirm that the information that you or your applicants have provided is true and correct prior to submitting the data.
What personal information do we collect and hold?
The personal information we collect and hold about you or your applicants includes information that you or your applicants choose to provide us in the identity verification checking service application/consent form, or which you or your applicants otherwise provide to us (including by way of forms and other documents or information you submit to us (whether in paper or electronic form). This information may include you or your applicant’s name, address, phone number, email address, credit card details, date of birth, contact details, drivers licence details, passport details, or any other information you provide to us or authorise us to obtain.
Sensitive information we may collect and hold about you or your applicant's biometric data (i.e. face recognition). We use this sensitive information to create an identity check for you or your applicants. Where we receive unsolicited sensitive information from a third party, we will destroy the information in a prompt and timely manner in accordance with our legal requirements. Under no instance will we keep unsolicited sensitive information.
We may also collect data about how you use our website or other websites you have visited so we can tailor our service to meet our customers’ needs. We may aggregate and de-identify this information (‘Aggregate Information’) and use the Aggregate Information to help us understand customer trends and to make improvements to our website and our services. We may share the Aggregate Information with third parties, including to improve our services and understand what our customers want, and we may use this data for advertising and marketing purposes. Aggregate Information may also be disclosed to third parties for the third parties’ advertising and marketing purposes.
Why and how do we collect, hold, use and disclose your personal information?
- to be able to lodge an application for and receive the results of an identity verification check with the document issuer through the Department of Home Affairs Document Verification Service (DVS);
- for proof of identity purposes;
- to process payments for our services;
- to provide the results of an identity check to any person you or your applicants authorise us to;
- to provide the result of an identity check to the receiving parties as outlined in the terms and conditions;
- to allow third parties who you have agreed to allow access to the results of these searches for the purposes of verifying the contents of an identity verification check;
- to provide you with the best possible service in supplying you with our goods and services;
- to comply with our obligations under any agreement we have with the Department of Home Affairs regarding the DVS;
Where we collect personal information, we will only process it:
- to perform a contract with you;
- where we have legitimate interests to process the personal information and they’re not overridden by your rights;
- in accordance with our legal obligations; or
- where we have your consent.
We collect, hold, use and disclose you or your applicant’s personal information for the following purposes unless otherwise required or permitted by law:
We may disclose personal information to the following kinds of entities for the relevant purposes mentioned above:
- our contractors, consultants, advisers, associates and related entities;
- any industry body, tribunal, court or otherwise in connection with any complaint made by you about us;
- other entities or third parties with your consent (such as third parties who you have agreed may access to your personal information for verification purposes) or as permitted or required by law.
- to comply with our obligations under any agreement we have with the Department of Home Affairs regarding the DVS
We only collect personal information about an individual where the information is reasonably necessary for one or more of the above functions.
You consent to us using and disclosing personal information for these purposes or any other purpose we obtain consent for (Secondary Purpose). Without limitation, such a Secondary Purpose which you consent to us taking reasonable steps to de-identify your personal information, such as by removing your personal identifiers, (De-identified Data) and disclose such De-identified Data to third parties or otherwise use the De-identified Data.
All personal information will be collected lawfully, fairly and not in an intrusive way. If we are unable to collect your personal information, we may be unable to provide you with all our services, and some functions and features on our website may not be available to you.
We may use your personal information, including your contact details, to provide you with information about products and services (including those of third parties) which we consider may be of interest to you.
We may also provide your details to other organisations for specific marketing purposes.
At any time you may advise us that you do not wish to receive marketing communications. You may opt out at any time if you no longer wish to receive marketing information or do not wish to receive marketing information through a particular channel (such as by email, telephone, sms, or mail).
If you do not want us to send you marketing communications via email you can opt out at any time by using the unsubscribe option available. To opt out of all other means of communication, please contact our Data Protection Officer using the contact details provided below.
How we hold and protect your personal information
We are committed to protecting your personal information. We implement appropriate technical and organisational measures to help protect the security of your personal information; however, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal information in our systems.
We store personal information we collect in relation to you or your applicants in various ways, including in electronic form using third party data storage providers. All information that is stored electronically is password protected on secure servers.
Our aim is to ensure that all personal information is securely protected from misuse, loss, and unauthorised access, modification or disclosure by way of maintaining:
- physical security by preventing unauthorised access to our premises;
- computer network security, including password security to prevent unauthorised access;
- communication security; and
- limiting access to our authorised staff and contractors.
When personal information is no longer needed we will take reasonable steps to destroy and/or de-identify that information (see also the ‘Retention’ section below).
We have current security measures in place to prevent unauthorised use of our identity verification check service including:
- capturing IP addresses;
- capturing payment information; and
- verification of ID, linking the ID with your self photo "selfie" that may incrementally capture an image of you via the camera on a smartphone, tablet or web cam used to compare it against your photo ID; and
Why will we disclose information to another organisation?
We want to provide our customers with the very best products and services. At times we may partner with other organisations to support the products and services we offer. Some of our service providers that provide services to us are provided entirely or partly from overseas locations (see also the ‘International Data Transfers’ section below). We may transfer personal information overseas to effectively deliver services to you.
For example we may partner with a third party provider who is able to determine the authenticity of your identity documents to ensure that your proof of identity requirements are met as efficiently as possible. In addition, we may partner with a third party provider who is able to monitor that emails sent to you has not bounced back, thus increasing our communication efficiency.
We may disclose personal information to overseas recipients for the purposes of using or liaising with verification sources as well as monitoring our emails sent and received. This information may include you or your applicant’s name, address, date of birth, contact details, drivers licence details, passport details, or such other information we notify to you. As at the date of this policy the recipients will be located in the United States of America although the countries in which these recipients are located may change over time.
We may disclose personal information to a third party who has been provided with the verification of identity check to allow that third party to verify that identity check of you or your applicant through a verification functionality or feature. Where you have consented to us forwarding personal information on a verification of identity check to a third party you also consent to us making that information available to that third party via a verification functionality or feature.
Where you disclose personal information to a third party by giving them a copy of your verification of identitycheck (either in electronic or hard copy) you also consent to us also disclosing your personal information to that third party through a verification functionality or feature.
You acknowledge and agree that such disclosure through a verification functionality or feature is appropriate and necessary to maintain security and integrity of the personal information contained in verification of identity checks.
We may disclose Aggregate Information to a third party to better our services for our customers and improve our services.
Insta ID Plus uses Google Analytics User-ID tracking to track Aggregate Information. This tracking does not contain any sensitive information. If you do not want to be tracked in this way, contact the Data Protection Officer or contact us through our contact details set out below to be unsubscribed.
International Data Transfers
When we share personal information, it may be transferred to, and processed in, countries other than the country you live in (such as the United States), which may have laws that are different to what you are familiar with. You can be comfortable that where we disclose personal information to a third party in another country, we put safeguards in place to ensure your personal information remains protected.
For individuals in the European Economic Area (‘EEA’), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, we will ensure that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organisational measures are in place (such as the Standard Contractual Clauses approved by the EU Commission).
For further information, please contact us using the details set out below.
How can you access to your personal information and correct it if it is wrong?
If necessary, you or your applicants may request access to the personal information that we hold about you or them (as applicable), under Australian Privacy Principles 12 and 13. We will provide this information upon request or otherwise as required by law. You may obtain this information by contacting us using the details set out below.
Under freedom of information (FOI) you have a right, with limited exceptions, to access documents held by Insta ID Plus. A FOI request can take up to 30 days to process.
The Freedom of Information Act 1982 (FOI Act) may give any person the right to:
- access copies of documents (except exempt documents) we hold;
- ask for information we hold about you to be changed or annotated if it is incomplete, out of date, incorrect or misleading; and
- seek a review of our decision not to allow you access to a document or not to amend your personal record.
We may require you to identify and specify what information and documents you require access to. You can ask to see any document that we hold. We may refuse access to some documents, or parts of documents that are exempt. Exempt documents may include those relating to national security, documents containing material obtained in confidence, or other matters set out in the FOI Act. Other occasions when we may deny access to personal information include where release of the information would have an unreasonable impact on the privacy of others.
While we will endeavour to ensure that the personal information collected from you is up to date accurate and complete, we will assume that any personal information provided by you is free from errors and omissions. If the applicant is able to establish that the information we hold about them is not accurate, complete or up to date, and the applicant requests us in writing to correct this information, we will then take reasonable steps to correct the information. You may request that we update or vary personal information that we hold about you using the contact details listed below.
If you wish to access information we hold about you please put your request in writing and send it to:
Data Protection Officer
National Crime Check Pty Ltd (t/a Insta ID Plus)
PO Box 10091
Adelaide BC 5000
Our Data Protection Officer can also be contacted on:
Phone: 1800 080 095
We retain your personal data only as long as necessary to provide you with our services and for legitimate and essential business purposes (such as maintaining the performance of our services), making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes. Following this period, we will make sure the relevant personal data is deleted or anonymised.
Should you not wish to receive communications from us, you will have the option to unsubscribe on any email you receive from us or to indicate your communication preferences to us. Alternatively, you can contact our Data Protection Officer, set out above, to unsubscribe from our communications.
What are ‘cookies’ and how do they work?
A cookie is a string of letters and numbers that uniquely identify the computer you are using and the Username and password you may have used to register at the site. This enables the website to track the pages you have visited.
Most browsers can be configured to refuse to accept cookies. You can also delete cookies from your hard drive. However, doing so may hinder your access to valuable areas of information within our site.
Under European Union law, the General Data Protection Regulation or "GDPR" gives certain rights to applicable individuals in relation to their personal data. Accordingly, we have implemented additional transparency and access measures to help you take advantage of those rights (to the extent they are applicable).
Depending on the country in which you live in, the rights you have may include:
- Accessing, correcting, updating, or requesting deletion of your information.
- Objecting to processing of your information, asking us to restrict processing of your information, or requesting the portability of your information.
- Opting out from receiving marketing communications that we send you at any time.
- Withdrawing your consent at any time if we have collected and processed your information with your consent. Withdrawing your consent will not affect the lawfulness of any processing that we conducted prior to your withdrawal, nor will it affect processing of your information conducted in reliance on lawful processing grounds other than consent.
- Complaining to a data protection authority about our collection and use of your information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Union are available at: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
We respond to all requests that we receive from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. You can contact us by sending an email to
What if I have a complaint?
If you have a complaint about our dealings with personal information, this policy or an alleged breach of the Australian Privacy Principles you have the right to expect that we will handle it in a friendly and professional way.
When we receive a complaint we look on it as valuable feedback that may help us to improve the services we offer and to ensure your needs are met in a satisfactory and appropriate manner.
If you wish to complain at any time about the handling, use or disclosure of your personal information just write to us at the following address:
Data Protection Officer
National Crime Check Pty Ltd (t/a Insta Plus ID)
PO Box 10091
Adelaide BC 5000
Our Data Protection Officer can also be contacted on:
Phone: 1800 080 095
We will make all efforts possible to investigate your complaint within 20 days and advise you of the outcome as soon as possible within 40 days of you making the complaint.
If the matter is not resolved to your satisfaction you can then refer your complaint to the Director of Compliance (Investigations) at the Office of the Australian Information Commissioner who can be contacted at:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001