Please send a copy of your ID or passport, I am often asked. Sometimes it’s for events, sometimes to book a flight. But my answer is always no.
No, I reply to the email. I don’t even keep a digital version or picture of these utterly important documents on my devices, let alone do something as foolhardy as sending them via email.
Most companies and travel agents are just stumped. Some try to reassure me that “this is how we always do it” or “we’ve never had a problem”.
I politely point out that if my personal details were somehow compromised and my identity stolen and used fraudulently online, how would you know?
Also, as I now point out – perhaps in defence of my justified paranoia – there is this little legislation called POPIA, the Protection of Personal Information Act. POPIA makes it a crime to collect people’s personal data and not keep it securely or allow it to be stolen.
Email is the least secure way to transmit anything – just ask the gleeful hackers and phishers who have ripped off or conned people out of their life savings.
After the TransUnion hack in April this year, hopefully people are getting wiser – and more paranoid – about their personal information.
How can a company comply with POPIA if the very means they use to get a person’s information is itself insecure? Clearly, not many people have thought this through.
Certainly not the medical industry, which continues to email ID numbers on all their invoices, including people’s home addresses and contact numbers.
Medical ID
While we are on the subject, perhaps the medical establishment might want to rethink sending notifications via SMS. I had an outstanding balance of R57.10 to pay to a radiologist, whose bookkeeper called me in exasperation to ask why I hadn’t paid the amount. But how do I know it is really from you, I asked.
It’s a random SMS from a long string of numbers telling me to pay money into someone’s bank account. Most of the time we call that spam or phishing. These messages are mostly from crafty 419 scammers.
My next question is: if your company hasn’t understood the risks of this kind of communication, how can I take you seriously?
Many other medical companies and insurance providers have taken to sending password-protected PDFs. What is the usual password? Your six-digit birthday. Sometimes, for added security, they make it eight digits, like the year itself is somehow making it more secure.
Really? Everyone’s birthday is visible on just about every social media. That is no longer a secret.
It’s a move in the right direction but people need to be more demanding about the security of their personal data. As paranoid as most South Africans about physical security for our houses, but even more obsessive. Old habits, like emailing or WhatsApping ID documents, are no longer safe and should be verboten. Please don’t do it ever again.
It’s your data, you’re the one who has to diligently protect it.