The University of Tasmania is under fire for asking staff to upload their passport or driver's licence to a third party to get an identification card.
In a recent email to staff, Safety and Wellbeing director, Chris Arnold said old cards would be deactivated from November 1 and explained how staff can update their cards.
However, some staff are concerned about uploading their personal details to a third party.
Their fears have been heightened since 19,000 UTAS students were caught up in a data security breach last week after security settings on shared files were "unintentionally configured incorrectly".
IN OTHER NEWS:
"Asking individuals to hand over sensitive data about themselves to a third party, without setting out the full details of what that entails, shows that privacy rights are not taken seriously by the University," Mr Barns said.
"The University should be fully transparent and provide full details of where data will be stored by the third party and who will have access to it."
A UTAS spokesman said immediate steps were taken to rectify the student's breach and ensure the information was secure.
"Like all large organisations, and universities around the world, we collect and store information about our staff from the time of appointment. We do so in line with our policies and procedures, the Personal Information Protection Act 2004 and the Privacy Act 1988," he said.
The spokesman said most staff arranged their cards in person making visual confirmation quick and easy.
"The national company we partner with to manage this process works with more than 20 universities in Australia and New Zealand," he said.
"The cards can be ordered online, which is an important option while COVID-19 continues to impact operations, and this requires photo identification."
TasICT board member and chair of the cyber security sub committee Andrew Quill of Launceston said there was a risk with uploading drivers' licences and passports.
"Nearly 54,000 drivers' licences from New South Wales have been found on the web in an unsecured form so there is a risk," Mr Quill said.
"But people hand over licences at hotels which are photocopied and kept. Passports are generally worth 100 points in ID and are more sensitive.
"Any business must do a risk assessment that has adequate security protection methods and make sure that they meet international standards."
Mr Quill said any employer who asked an employee to drive a company vehicle kept personal records, often in a filing cabinet.
"It is about security, whether it be in a physical office or virtual."