Prohibition of making replicas of public documents will reduce identity theft
The Act on Public Documents, which comes into force, prohibits the making and trading of replicas e.g. of personal identity cards or driving licenses. According to the Personal Data Protection Office, not every copy of a public document will have the features of authenticity. Nevertheless, an entity that will copy for example an ID card may be responsible for processing too wide scope of personal data.
Impersonating other people to extort loans or buy expensive items by installments - these are the most illustrative examples of the negative effects of the so-called ‘identity theft’. This practice intensified due to the so-called ‘collector documents’ that are confusingly similar to original ID cards or driving licenses. The fraudsters ordered such collector's documents, while providing personal data of other people. Then they used them for criminal purposes. Due to the new Act on Public Documents, which comes into force on 12 July 2019, this practice will be hindered.
Prison for a replica
Under the new provisions, a person who makes, sells or possess a public document for sale will be punished by a fine, restriction of liberty or imprisonment of up to 2 years. Such a replica will be considered a copy or image of e.g. an identity card or a driving license, having features of authenticity, where the size of this copy or image would be of 75% up to 120% of the original of a public document.
However, there will be no criminal liability, provided for in the new regulations, in case of making photocopies and computer printouts of public documents for official, business or professional purposes determined on the basis of separate regulations or for the use of the person to whom the public document was issued.
Today, those who make copies of documents such as ID cards or driving licenses should consider whether their activity will not violate the Act on public documents. They may become the object of interest of law enforcement agencies after recognizing that a replica of a public document was made, instead of photocopy.
In April this year the Personal Data Protection Office drew the Ministry of the Interior and Administration’s attention to the need for more complete regulation in the scope of copying public documents. In the opinion of the Office not every photocopy of a public document will have the features of authenticity and then it may not be subject to the provisions of the new Public Documents Act. The Ministry of the Interior and Administration announced that it will watch the effects of these regulations and how they will be applied in practice, not excluding the possibility of amending these provisions.
Not only ID card and driving license
The new Act defines the concept of public documents as well as their catalogue, which includes not only a driving license, ID card, passport or vehicle registration certificate. Public documents include i.a. sailing book, documents issued by civil registry offices, e.g. birth certificates, copies of final court decisions from which the acquisition, existence or expiration of the law results. The catalogue also lists identity cards of various services, soldiers, and documents authorizing them to practice as a doctor.
The scope of the data is important for the Personal Data Protection Office
From the perspective of the principles of personal data processing, the entities that make replicas of identity documents should take into account the legal provisions on the basis of which they operate. They must also remember about the rules resulting from the GDPR, including principle of data minimization. In many cases, making copies of documents confirming the identity leads to the acquisition of data that goes beyond the scope allowed by the law on the basis of which the entities operate. In every case, for example when an entrepreneur make a copy of an ID card, the Personal Data Protection Office may investigate whether it is authorized to process such a scope of data contained therein. Therefore, the Supervisory Authority will verify whether the scope of the data processed is limited to what is necessary for the purposes for which the data is processed – whether the principle of minimization is not violated.
In the opinion of Polish SA, most of the entities that want to make photocopies of our documents cannot justify such a goal by the conclusion of a contract. For example, under the Telecommunications Act, a telecommunications company is obliged to process data on the basis of personal data protection provisions. Therefore, the company must remember that it is allowed to process only those data that are justified by the specific purpose of processing. Meanwhile, new personal ID cards contain data that are unnecessary for the purpose of concluding a contract, such as our image, gender or nationality. In addition, in older documents our height and eye colour were also given which is not needed by the entrepreneur.
Photocopying of our ID card cannot be explained by the purpose of any claims, e.g. for damaged, stolen equipment from a rental company, like boats, skis or cars. For this purpose, it seems sufficient to obtain only such data as: name and surname, address of residence, number of identity document or national identification number (PESEL). It is enough to write down those data from the document. It should be remembered that when the purpose justifying the processing of such data ceases, the controller should delete it - e.g. return the form on which he wrote such data to the holder.
If in the past we consented to making a copy of our ID card, we always have the right (using the rights set out in Art. 17 of the GDPR) to request the controller to delete such data. At the same time, we should rely on the fact that these data were collected in violation of the law and exceed the permissible scope. If this request is not met, we have the right to lodge a complaint to the President of the Personal Data Protection Office, in which we shall indicate what we expect from the Supervisory Authority (e.g. issuing a decision ordering the deletion of data).
Sometimes photocopying is acceptable
Copies of our documents are often made by banks. In the opinion of the President of the Personal Data Protection Office, this practice is allowed only in certain situations. It shouldn’t be used for opening an account, checking creditworthiness or entering into a loan agreement.
Banks refer to Art. 112b of the Banking Act. However, this provision authorizes them to process data contained in identity documents, not to make a copy of these documents.
However, we should be aware that pursuant to Art. 34 para. 4 of the Act on Counteracting Money Laundering and Terrorism Financing, some entities are allowed to make copies of the client's identity documents, like ID cards, for the purposes of applying financial security measures. The entities that are entitled to copy IDs on the basis of this Act are i.a.: banks, insurance companies, exchange offices or even notaries. This may occur when they have suspicious the legality of transactions or financial transactions. In case of an occasional transfer of money, an amount equivalent to EUR 1 000 may be already sufficient.
While this Act allows copying documents for the purpose of ensuring financial security, the entities listed in these regulations are not supposed to photocopy their identity documents for other purposes.