A company has requested scans of identity documents. What should I do?

I suggest removing the parts (by taping them before scanning) that are not necessary to match your picture with your name, i.e. the passport and serial numbers. Ask the party requesting the passport scan about the purpose of this to figure out which parts are essential to them, why they would need them, how they would store the scan and when they would delete it from all their media. Maybe even the picture is not relevant to them or you can have a webcam session showing it to them.

In Germany, there is actually a law that forbids electronically scanning ID cards: the "Personalausweisgesetz" (§ 20 PAuswG). It is only allowed to use a copy machine (basically to "store it on paper"), but the company/person requesting a copy must inform you that you have the right to black out the serial numbers. The copy must be destroyed as soon as its purpose is fulfilled. Find all guidelines summarized here. But you have to know that Germany has the best data protection laws worldwide, so don't be surprised if other countries don't follow this example.

Note: first answered here, didn't look for this question. Thanks @paj28 for his remark.


It is not uncommon for organisations you do business with to ask for some level of identification using scanned documents.

You need to do a realistic assessment of the information you are presenting and to whom. It is impossible for us to make a fundamental judgement on whether it is reasonable or not because it depends on the business you are doing, the value, risk (both to you and them) and so on.

Bear in mind that much of the information you are being asked to share may well not be that sensitive. For example, if I copy my credit card, even the back with its CVV, and send it, it is likely that the organisation would get that data anyway. Perhaps they ask for a company bill or bank statement as proof of you being a legitimate and financially secure business - in that case, they will get little more than they already know but with some extras such as someone you paid money to and how much was recently in your company bank account. Is that a great risk to you when you pass it to someone you are about to do some valuable (presumably) business with?

If there is a document you think carries an unacceptable risk, try and get them to accept an alternative.


As per the same question that was directed on the meta: X company has requested a scan of my passport

Handling various security documents frequently, these are some of the pointers I give to people:

  • Most security features don't appear in a scanned image
  • Send the scan in black and white
  • Send a lower resolution, or compressed image (Medium/Low JPEG)
  • Attach only one side of the document if possible
  • Ask the company what their data retention policies are
  • Get a bank or other notary public to notarize the scanned copies
  • Do a search to see if there are any past data leaks at the company (e.g. Yahoo)
  • See if you can arrange for a physical presentation of the document.
  • Send the document with a link to a service that allows for retraction (Expiry)
  • Ask about sending the images by Fax
  • Ask if they require document numbers only (much more secure)
  • If you are still concerned, apply a physical/digital watermark

Not verifying an identity document in person can land companies in hot water, and is simply bad practice. There is no valid excuse why one would not verify the true holder of the document, or if there is in fact a true document at all. Companies are unfortunately lazy in this regard.

There are plenty of scans of common documents on the internet, which include US/Canadian/UK passports and driver's licences. Many come as Photoshop templates with instructions on how to paste your own image in, change a few other personal features (name/date of birth), and how to attempt to pass it off as a real scan.

Once you have sent an image (or series of images) off, there is very little you can do to protect yourself. There is a whole area of study related to Data Loss Prevention when it comes to company secrets. Most of these cannot be applied to the "Average Joe", as it requires an elaborate setup.

Refusing to send a scan of a document makes it look as if you are hiding something, which may or may not be true. When applying for a job, refusing to send identity documents by email could result in the loss of an opportunity. So unfortunately, you are between a rock and a hard place when it comes to this.