Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation
A Guide for Retailers
Canadians have expressed their concerns about the practice among retailers of asking for and recording information from their driver’s licences. And there is confusion among many retailers about when it may or may not be okay to collect or record licence information.
A driver’s licence is not a universal identity card. Rather, it is a means to enforce traffic laws and offer proof that someone is authorized to operate a motor vehicle. The driver’s licence number is sensitive and valuable to those intent on committing identity crimes. For this reason, these numbers are often the subject of security attacks and misuse.
In Canada, there are four laws that govern the personal information practices of retailers. These laws are overseen by the Privacy Commissioner of Canada, and her counterparts in Alberta, British Columbia and Quebec. For the most part, where your business is located will determine which one you are subject to.
Essentially, these laws require retailers to clearly tell customers why they are collecting the information and then ask for the least amount to meet their purposes. They also demand retailers to protect personal information in their care. Retailers should note that there is a big difference between examining identification, recording a name and address from it, recording the licence number, and photocopying the licence. Many business purposes can be satisfied by simply examining identification, or recording the name and address as displayed on it.
This guide has been prepared by the Office of the Privacy Commissioner of Canada, and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia. It is intended to help retailers navigate the privacy issues and risks related to driver’s licences and to encourage them to carefully consider whether they need any information from customer driver’s licences at all.
The driver’s licence – not a universal identity card
Over time, the driver’s licence has come to be used by many retailers as a reliable document to verify identity. Many organizations and individuals in fact treat the driver’s licence as a universal identity card by asking to see it and by recording information from it when individuals make purchases, return items or rent equipment.
The purpose, however, of a provincial driver’s licence is to demonstrate that a person is authorized to operate a motor vehicle – it is not a universal identity card.
What makes the driver’s licence so attractive to retailers?
A driver’s licence is government issued and therefore considered reliable. It contains a great deal of personal information: photograph of licensee, address, birth date, signature, physical description (such as height or need for corrective lenses). For many retailers, however, it is the driver’s licence number that is of great interest, often because it can serve as a unique identifier.
In Alberta and British Columbia, the licence number is a unique number that has little or no significance or meaning in terms of other personal information attributes. In other provinces, however, some personal information is embedded in the driver’s licence number. For example, a person’s year of birth, gender or partial last name may form part of the licence number.
Why retailers need to think twice before collecting driver’s licence information
While retailers have a need to collect personal information for a variety of reasons, including to properly identify individuals, they must ensure that their collection of driver’s licence information is consistent with federal and provincial private sector privacy legislation.
Generally speaking, these laws (the federal Personal Information Protection and Electronic Documents Act, PIPEDA, and Alberta and British Columbia’s respective Personal Information Protection Acts or PIPAs1) require that organizations collect, use or disclose personal information for appropriate or reasonable purposes, that collection is limited to what is necessary or reasonable to meet those purposes, and that any personal information collected by the organization be appropriately protected against such risks as unauthorized access, collection, use or disclosure.
Under these laws, when it comes to driver’s licence information, “collection” can mean any of the following:
- Examining the driver’s licence
- Recording information from it, such as the driver’s licence number
- Photocopying or “swiping” the licence
These forms of collection are not equal or interchangeable. Each one represents a different extent of collection and presents challenges for retailers in terms of privacy law.
This document examines some of the reasons retailers have given for collecting driver’s licence numbers and what our Offices have said about them. In each of the examples, our Offices considered how the driver’s licence best served the purposes. It is noteworthy that in almost all cases, examining the card or recording the name and address as it appeared on the card was all that was needed to meet the organization’s purposes.
“Okay, I’ll show the card, but do they have to write my number down?”
Canadians have complained to our Offices about organizations wanting to record their driver’s licence numbers. They are increasingly questioning retailers’ demands for personal information.
Businesses have presented many arguments regarding their purposes for recording driver’s licence numbers, or even photocopying the entire driver’s licence itself. Some of those reasons are as follows:
- to properly identify a person
- to deter and detect fraud and other crime
- to protect assets
- to recover assets, report matters to police or to trace or find someone later
- to prove the organization’s staff examined identification
- to ensure that someone is licenced to drive
By and large, the federal and provincial Privacy Commissioners have agreed with those Canadians who think that recording driver’s licence numbers is excessive. The Commissioners understand the organizations’ reasons, but they tend to think that they go too far by recording the numbers. Most of the reasons cited above can be addressed by simply examining identification, recording the person’s name as it appears on the licence, or perhaps by also recording the address displayed on the licence.
The federal and provincial Privacy Commissioners have issued a number of decisions or findings concerning the collection of driver’s licence information for certain purposes. The following are some examples of what the Commissioners have said.
Reason: Identity verification
Properly identifying an individual is one of the more frequently cited reasons for recording driver’s licence numbers. Often, organizations want to make sure they know who they are doing business with because a person will have access to the organizations’ facilities or site, the person is using a credit card, or is picking up merchandise or material that may already have been paid for or that is being invoiced to an employer.
Recording the licence number could provide confirmation demonstrating the organization’s due diligence in verifying an individual’s identity. However, an organization’s internal employee accountability practices should not come at the expense of individual privacy rights.
The same goal of due diligence may be accomplished in other less privacy-invasive ways. For example, the organization may consider having the employee check a box or place their signature or initials on related customer forms, confirming that they have examined the customer’s driver’s licence. This is consistent with an order by the Information and Privacy Commissioner of British Columbia (P05-01). Recording the licence number does not provide any further authentication of the individual’s identity.
In another example, the Alberta OIPC received complaints about retailers who were recording driver’s licence numbers from customers making purchases with their credit cards. The purpose cited by the retailers for recording this information was to protect their businesses from credit card fraud. The OIPC believes this purpose to be reasonable, given the prevalence of credit card fraud, and the fact that credit cards do not generally display the cardholder’s photograph or utilize personal identification numbers (PINs). However, the retailers’ purposes are satisfied by examining a customer’s driver’s licence and photograph and verifying that the person presenting the credit card is the cardholder. In other words, the name on the licence and credit card match, and the person in attendance is the person whose photograph appears on the licence. There is no need to record the driver’s licence number to accomplish this goal.
When identity verification is an issue, retailers must carefully consider whether examining a driver’s licence is sufficient for their purposes, or whether additional information is required (such as recording the person’s full name as displayed on the licence). Similarly, in some cases, the organization’s purpose may also be met by recording the person’s address as displayed on the licence.
Reason: Deterring fraud
Deterrence is often given as a reason for collecting licence numbers. Indeed, requiring individuals to identify themselves can deter those with malicious intentions. Deterrence, however, is often achieved by the examination of a driver’s licence; it does not require recording of the licence number.
Caution must always be exercised when using deterrence as a justification. In the name of deterrence, retailers sometimes seek to collect licence numbers in case there is a crime. For some organizations and in some circumstances, the risk of fraud is very low, thereby challenging the reasonableness of collecting the information. The absence of a real risk might mean that the information will rarely be used, if at all. The result is a collection of personal information from people, the vast majority of whom will not commit an offense and whose information will not ever be required. Even in cases where risk may be high, an organization needs to be able to show that the collection and use of personal information is in fact effective in deterring fraud. Often, other security measures may be more effective.
Reason: Detecting fraud
Many retailers have collected licence numbers for the purpose of detecting fraud. Retailers who accept merchandise returns without a receipt have explained that they are vulnerable to customer fraud. The Commissioners have accepted that retailers can be at risk when providing cash back for merchandise being returned without a receipt. The merchandise may have been stolen or may not even originate from the retailer. The Commissioners have therefore accepted that the collection of limited personal information during an exchange or refund was appropriate. (See PIPEDA Case Summary #361)
However, the Commissioners have consistently found that it is not reasonable to record driver’s licence numbers during merchandise returns. The Privacy Commissioner of Canada was of this view in Settled Case Summary #16. This was also the position taken by the Alberta Commissioner in two investigation reports (P2007-IR-006 and P2005-IR-007) and in an order (P2007-016) in which a major retailer was directed to cease collecting driver’s licence numbers during returns because it was not reasonable. A similar decision was reached by British Columbia’s Information and Privacy Commissioner (P05-01).
Some retailers record licence numbers in order to have an actual number to track whether a particular customer is demonstrating an excessive pattern of returns without a receipt. The driver’s licence number, however, was not intended to be a numeric identifier for conducting statistical analysis of shopping return habits. Although licences display a unique number that retailers can use for frequency analysis, the actual licence number is of less consequence to the transaction and less relevant to the organizations’ purpose. These retailers simply require a number - any number - that may consistently be associated with the same person. Many retailers believe the driver’s licence number is the most convenient, unique number to use, but this convenience does not supersede an individual’s right to information privacy. Retailers could instead consider creating their own internally generated number that may be cross referenced by address for those individuals with the same name.
Reason: To recover assets, report to police or find someone later
Many retailers suggest that they can report a person and their driver’s licence number to police in the event of a crime (such as fraud), or the driver’s licence number can be used to trace a person if property is not returned or there is an outstanding debt. Organizations often think that it will be helpful to police, and easier to find someone, if the driver’s licence number can be searched in motor vehicle registries. However, if an organization is already verifying a person’s name and address (and perhaps recording this information as it appears on the licence), this information in itself will be enough to give to police in almost all cases. Police are able to search motor vehicle registries using a verified name (perhaps cross-referenced with an address), and do not require the driver’s licence number.
Similarly, recording a driver’s licence number does not necessarily assist the organization itself in finding an individual, since most organizations cannot use this information to access information in motor vehicle registries. Further, the organization has already collected the very information that it would be useful to acquire from such a database – the individual’s name and address.
Sometimes it may be okay to record the number
Many financial institutions record identification information, including driver’s licence numbers in specific circumstances or for certain types of transactions. For example, the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act and Regulations explicitly require financial institutions to record identification numbers. This purpose has been found to be reasonable as it is legally necessary, and therefore in compliance with privacy legislation. However, very few organizations have legislated reasons for collecting driver’s licence information.
What about photocopying the licence?
Even if it is okay to record certain information, photocopying or scanning the licence generally goes too far. Why? As the driver’s licence contains such other information as a photograph, height and other physical descriptions, and signature, this is more information than is needed for most business purposes. With the possible issuance of enhanced driver’s licences in some provinces, the privacy concerns are even greater.
Rule of thumb
Retailers should collect the least amount of personal information possible to satisfy a legitimate business activity. This duty is distinct and irrespective of any consent obtained from an individual. Even in cases where individuals willingly agree to provide their driver’s licence information, the organization must still satisfy the reasonableness requirement set out in PIPEDA and PIPA legislations.
Collection is a risk: If you can’t protect, don’t collect!
Many retailers view the collection of driver’s licence numbers as a safety precaution or a means of preventing losses. They should, however, take into consideration the risks that recording such information may bring and the added security burden it places on them.
Many provincial driver’s licence numbers are permanent and are only retired when someone is deceased. As such, it is nearly impossible to have the licence number changed. Since the licence number is so static, and because it is a reliable number, it is valuable to identity thieves. Identity thieves use this information to give credibility to their false claims about who they are. A fraudulent driver’s licence number may be more obvious to authorities than one that makes use of valid personal information, so a legitimate number is far more useful to identity thieves. Once a number has been compromised, it can be very difficult to rectify the situation.
Under privacy legislation, organizations have a duty to protect personal information in their custody or under their control by making reasonable security arrangements against risks, such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. The benefits of collecting and retaining driver’s licence information should therefore be weighed against the security risks posed.
Retailers need to understand that personal data is a highly valuable asset. It must be protected accordingly.
Please note that the above is guidance only. We consider each complaint brought before us on a case-by-case basis.
Federal publication, Your Privacy Responsibilities, http://www.priv.gc.ca/information/guide_e.cfm
Federal publication, E-learning tool for retailers, http://www.priv.gc.ca/privacy_comm/0001_home_e.cfm
Federal publication, Guidelines for Identification and Authentication, http://www.priv.gc.ca/information/guide/auth_061013_e.cfm
Joint federal, Alberta and British Columbia publication, Photo Identification Guidance, http://www.priv.gc.ca/fs-fi/02_05_d_34_tips_e.cfm
Alberta, British Columbia OIPCs, Retail Council of Canada, Service Alberta, Privacy-Proofing Your Retail Business: Tips for Protecting Customers’ Personal Information
Alberta, A Guide for Businesses and Organizations on the Personal Information Protection Act http://www.oipc.ab.ca/ims/client/upload/PIPAguide_Nov2008_web.pdf
For more information, contact:
Office of the Information and Privacy
Commissioner for Alberta
#2460 – 801 6 Avenue SW
Calgary, Alberta T2P 3W2
(403) 297-2728 or 1-888-878-4044
Fax: (403) 297-2711
Office of the Information and Privacy
Commissioner for British Columbia
PO Box 9038, Stn. Prov. Govt.
Victoria, BC V8W 9A4
Toll Free Vancouver: (604) 660-2421 Elsewhere in BC: 1-800 663-7867
Fax: (250) 387-1696
Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3
Phone: (613) 947-1698
Fax: (613) 947-6850
TTY: (613) 992-9190
1 The Quebec law, An Act Respecting the Protection of Personal Information in the Private Sector, applies within Quebec.