11/05/2024 | News release | Distributed by Public on 11/05/2024 05:14
It is fair to say that nobody is best placed to understand or consent to collection of their personal information while standing in line for a bar or nightclub at 2am, particularly after a beverage or two. Despite this, it is now regularly expected that patrons provide their IDs for scanning at downtown venues across the country before they gain entry.
Many nightclubs in New Zealand and Australia have adopted software known as Patronscan, which scans IDs and photographs patrons. This information is used to confirm the patron's age and check the expiry and validity of IDs presented. It also allows venues to flag unruly patrons who engage in any conduct that presents a risk to others or themselves. This article explores the privacy implications of data collection and use such as this.[1] It is unclear whether these implications have ever been properly considered to the extent they should be.
Patron data is automatically deleted after 30 days, though it may be retained for longer if you are 'flagged' under the system. A patron may be flagged at the venue's discretion for behaviour including violence, destruction of property, fraud, or theft. A flag appears as an alert on the Patronscan system, notifying participating venues when the person next attempts to enter. It does not indicate what prior conduct led to the flag.
There are two types of flag that can be placed on a patron. Venue flags pertain to the venue or venues in the same ownership group who placed the flag. They are not able to be viewed by other venues, but could be in place for up to five years. Network flags are reserved for the most serious incidents, such as violent or sexual assaults, and are shared with all other participating venues on the network. The maximum period for a network flag is one year.
In terms of benefits, the retention of patron information and flagging regime is said to help discourage violent behaviour by instilling a sense of accountability in patrons when they walk through the door. Multiple bars in Wellington have claimed that violent incidents reduced after introducing Patronscan.
Equally, software such as this allows for people who continue to engage in antisocial behaviour to later be identified and brought to justice. Police may have access to the data through the relevant venue if victims make a complaint within 30 days of the incident, which could potentially allow Police to identify perpetrators on the system who might otherwise remain anonymous.
Data collection like this could also be valuable in a licensing context. Use of these software solutions can demonstrate to District Licensing Committees that bars are committed to the health, safety, and accountability of their patrons. This is especially useful for venues facing challenges to their licence applications by Police or the Medical Officer of Health.
However, the process raises issues to be grappled with under the Privacy Principles contained within the Privacy Act 2020.
Personal information must not be collected unless it is collected for a lawful purpose in connection with a function or activity of the business. The collection must also be necessary for that purpose. Information must not be retained for longer than is required for the purposes for which the information may lawfully be used. It is difficult to see how retaining a customer's information for at least 30 days after they have entered the venue is a sensible or proportionate means of furthering the purposes of the Sale and Supply of Alcohol Act.
When a bouncer confirms a patron is 18 or over and is not using a fake form of identification, it is arguably unnecessary for that information to be actively collected by the establishment. While it might be useful 'to save the information for next time', bar staff should still be checking for ID at each entry. While the added security provided by Patronscan is a nice-to-have for venues and their patrons, the full extent of its purpose and use arguably cannot be justified against the legislative requirements.
The issue of consent to the data collection is also highly relevant. A business must take reasonable steps in the circumstances to ensure the individual is aware the information is being collected, the purpose for its collection, and the rights of access to the information. They must also provide the name and address of the business collecting and holding the information. It is unclear whether patrons are adequately advised about the extent of the information collection and their rights in relation to the personal information. Even if they were, many of these individuals will be under the influence of alcohol and may not be in a position where they are able to understand and consent to the process.
The 'flag' system also presents possible concerns in terms of use and disclosure of personal information. Among other obligations in the Privacy Act, information must not be used or disclosed without taking steps that are, in the circumstances, reasonable to ensure the information is accurate, up to date, complete, relevant, and not misleading. While a legitimate form of photo ID can reasonably be assumed to be accurate, Patronscan has no way of knowing whether a flag has been legitimately placed on an individual. A network flag carries with it a presumption the person is guilty of a serious infraction, such as assault or perhaps even sexual assault. This is especially worrying as a network flag is distributed across all participating venues, something that a patron may not be aware of when giving their personal information.
Without any transparency in how the flagging system is used, venue staff may be able to flag patrons without good cause. Further, recent tests of the government facial recognition system failed 45% of the time, and failed even more for Māori. Given that photos of patrons are taken upon entry, there is considerable risk of discrimination under the Human Rights Act 1993. In a recent article, we discussed the privacy implications of facial recognition technology.
The principles contained within the Privacy Act cannot be enforced by a person in any court of law, and so it falls to the Privacy Commissioner to foster compliance. To date, the Office of the Privacy Commissioner is yet to provide a formal report on the use of software such as Patronscan.
In 2011 the Privacy Commissioner received a complaint regarding a bar taking photos of Driver's Licences and retaining the image for 6 days. In terms of Information Privacy Principle 1 (regarding collection of information) under the now-repealed Privacy Act 1993, the Commissioner determined the bar had a lawful purpose to collect the details to ensure people under the age of 18 were not given access to the bar. The Commissioner also considered it was necessary for the bar to collect the information. The Commissioner agreed that 'complying with the Sale of Liquor Act was better achieved by collecting identification details rather than just viewing it.'
But the Office of the Privacy Commissioner appears to be taking a firmer stance as pilots for biometric software continue to increase. In August 2022, the Commissioner released a consultation paper which considered biometric information to be 'sensitive' personal information and sought higher standards of compliance with privacy principles. In April 2024, the Privacy Commissioner announced an inquiry into Foodstuffs North Island's trial of facial recognition technology to reduce harmful behaviour in supermarkets. The Privacy Commissioner is now evaluating the results of that trial.
Compared to the practices the Privacy Commissioner reviewed in 2011, the use of patron scanning software is far more extensive and potentially invasive. In the event that software such as this is abused, the Privacy Commissioner may determine the privacy concerns are disproportionate to any benefit obtained under the Sale and Supply of Alcohol Act.
While the benefits of the software cannot be ignored, the widespread use of patron scanning software at a time when people are potentially unable to give informed consent to the collection of their data warrants further scrutiny.
Technology and the law are constantly evolving. Our privacy law specialists, Hayley Miller, Campbell Featherstone, Hayden Wilson and their teams have extensive experience providing advice on a range of new technologies and their lawful use. Contact us if you would like guidance in relation to understanding your privacy obligations and implementing solutions.
This article was written by Jori Topp-Whitfield, Solicitor and Mothla Majeed, Senior Associate in the Wellington Litigation team, and Gunes Haksever, a Senior Associate in our Commercial, Technology and Privacy team.
This article is not a privacy assessment of the software itself, nor its use by a specific venue.