The use of driver's licences to verify the identity of customers and to deter and detect fraud has come under special scrutiny by the Privacy Commissioners of Canada, Alberta and British Columbia. While addressed specifically to the retail sector, any organization that collects driver's licence information will have to pay special attention to the December 2, 2008 "Guide for Retailers" relating to the "Collection of Driver’s Licence Numbers under Private Sector Privacy Legislation" (the "Guidelines").
What Do The Guidelines Say?
The basic principle overarching the Guidelines is that operational practices should not come at the expense of an individual’s privacy rights and as such, organizations, including retailers, must employ the least privacy-invasive means of achieving their business goals.
The Guidelines provide an overview of the typical reasons for which retailers collect driver’s licence numbers and acknowledge that historically, given that a driver’s licence is a government-issued piece of identification, it is considered a reliable source of customer identification. However, the Guidelines go on to state the position of the Privacy Commissioners that such collection must be consistent with federal and provincial private sector privacy legislation and that in almost all cases, there is no justifiable reason for collecting a customer’s driver’s licence number.
The Privacy Commissioners note that "collection" of driver’s licence information can mean any of the following actions:
- examination of the driver’s licence;
- recording of the information contained on the driver’s licence, including the licence number;
- photocopying of the driver’s licence; or
- "swiping" the driver’s licence through a computer system.
Generally speaking, the Privacy Commissioners feel that a simple examination of a driver’s licence for identification purposes is permissible, as is the recording of a customer’s name and address from the licence. However, the Guidelines state that the "recording" of a driver’s licence number is "excessive" given the amount of identifying information contained within that number, the risk of identity fraud associated with the misuse or disclosure of that information and the fact that the recording of the number is generally not a necessary step in order for the retailer to achieve its operational objective.
What Does This Mean For Organizations that Collect Such Information?
1. Evaluation of Current Practices re: Collection of Personal Information
Organizations that currently employ a practice of collecting and recording driver’s licence numbers as part of their operational policies should evaluate why that information is recorded and what purpose is served by its collection. With that information in hand, retailers should consider whether there are less intrusive alternatives that would allow them to accomplish their objectives.
Given the Privacy Commissioners’ indication that a challenge to such a practice is likely to be successful, we would recommend that organizations cease the collection of driver’s licence numbers unless they have a legislated entitlement to such a practice (which is a rare occurrence).
2. Evaluation of Current Practices re: Retention and Storage of Personal Information
In addition to the discussion regarding the collection of driver’s licence numbers, the Guidelines reiterate the obligation placed on organizations to "protect personal information in their custody and under their control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction". Given the nature of the personal information that may be contained in or accessed through a driver’s licence number, there is a significant risk associated with the misuse or unsecured storage of such information.
Organizations must evaluate the means by which they secure all customer personal information they collect to ensure that those means meet the standards expected of them by the Privacy Commissioners and the applicable privacy legislation. Any deficiencies should be corrected immediately.
3. Education of Employees
Organizations must ensure that their employees understand what the company’s policy is on the collection of personal information, including in what circumstances such information is to be collected, what information specifically they are entitled to record, and what they are responsible for doing with that information in terms of its storage and retention. A company’s ability to defend a privacy claim against it on the grounds of due diligence will depend in large part on the actions of its employees and the training and instruction given to them in this regard.
A copy of the Guidelines can be found here.