Fraud detection not an acceptable reason to collect driver’s licence numbers for store memberships

PIPEDA Case Summary #2009-014

[Principles 4.1.4(c), 4.2, 4.4, 4.4.1, 4.9; Subsection 8(3)]

Lessons Learned

  • Only the necessary minimum amount of personal information should be collected from a client to meet a legitimate business need.  Customers should be informed at the time of collection why the information is required. 
  • The collection and use of a customer’s driver’s licence number as a unique identifying number for business purposes is not an acceptable practice.
  • Organizations must adequately train their staff on how to properly handle access to personal information requests and on the legal obligations of the organization in this regard.

When applying for a personal membership at a store, an individual was asked to supply the store with her driver’s licence number and date of birth.  No purpose for collecting this personal information was offered, and when she later requested access to it, her request and follow-ups were ignored until this Office notified the organization about them. 

The Assistant Commissioner made recommendations to the organization with regard to informing applicants about the purposes for collecting specific personal information, acceptable collections of personal information for its membership applications, and purging previously collected unique identifying numbers from its online system. 

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

When the individual applied for membership with the store, her driver’s licence number and date of birth were recorded from her driver’s licence into the store’s electronic database.  She was not told of the purpose of the collection. 

Access

On three separate occasions over a four-month period, she requested in writing access to her personal information.  She received no response.  Only when the organization received the formal notice of the individual’s complaint lodged with this Office did it finally provide her with a copy of her personal information.  It explained that her three requests had perhaps not been properly directed by the staff who had received them.  As a result of her complaint, the organization was to ensure that its front-line employees would receive training to identify and manage personal information requests. 

Collection

With regard to personal information collection for membership applications, we noted that the membership application form contained a field for the number associated with a piece of ID to be supplied by the applicant, as well as one for the applicant’s date of birth.  A separate field indicated that if the applicant planned to write cheques as payment, the organization required “appropriate information”.  The application form did not indicate that a credit check would be performed on the individual if they were applying for the payment-by-cheque option. 

The organization specified the two purposes for which it needed a customer’s unique identifier (e.g. a driver’s licence or full date of birth):  1) to detect and track fraud; 2) to perform a credit check on members who will be granted cheque-writing privileges. 

(As well, the organization explained that it also collects the date of birth of applicants in order to verify that they meet the minimum age requirement.  However, during our investigation, the organization agreed with this Office that merely viewing and confirming the applicant’s age from an ID card would be sufficient for that purpose.)

When we questioned the respondent about the first purpose it presented for recording a customer’s unique identifier—to detect and track fraud—it stated that it uses this number to identify individuals who have engaged in fraudulent activities in the past and to prevent them from re-applying for membership.  The organization further explained that since it has a great number of customers, the unique identifier helps differentiate between those who have common names or transient addresses.

With regard to the second stated purpose for collecting unique identifiers—to conduct a credit check on customers who will be allowed to pay by cheque—this Office consulted with credit reporting agencies.  They confirmed that the name and address of an individual is enough to process a credit report.  A previous address may be required if the individual has been at their current address for less than three years.  On the other hand, a driver’s licence number is not required to perform a credit check and may not even be useful for this purpose.  However, a previous finding from this Office determined that organizations may collect a date of birth for the purpose of obtaining credit reports from credit reporting agencies; this information is useful in verifying common names.

Findings

Issued May 29, 2009

Application: Principle 4.1.4(c) states that organizations shall implement policies and practices to give effect to the principles including training staff and communicating to staff information about the organization’s policies and practices.  Principle 4.9 stipulates that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.  Subsection 8(3) provides that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.  Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.  Principle 4.4 provides that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.  Finally, Principle 4.4.1 states that organizations shall not collect personal information indiscriminately.   Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.   

In making her determinations, the Assistant Commissioner deliberated as follows:

Access

  • The respondent did not provide the complainant with access to her personal information, contrary to Principle 4.9, until after receiving notification of the complaint with our Office.  Staff across Canada eventually received training on the organization’s privacy policy and procedures, in keeping with Principle 4.1.4(c).  The respondent agreed to ensure that the process for managing an access request would remain a focus in all future training.

Collection

  • With respect to the complaint about the alleged excessive collection of personal information, the respondent contended that it required a unique identifier for fraud detection purposes.  The Assistant Commissioner observed that even though organizations may deem certain pieces of information to be the most convenient for such purposes, the convenience of the organization must not supersede an individual’s right to privacy.  
  • Although she recognized the convenience of using the driver’s licence number as a unique identifier, she restated this Office’s position that only limited personal information may be collected to detect fraud, which is not in itself a legitimate purpose for recording a driver’s licence number.  She reminded the organization of the OPC’s guidelines for retailers on this subject.   
  • As for the date of birth, the respondent did not provide this Office with compelling evidence to substantiate its suggestion that fraud is a significant problem for it, nor did it establish that the collection of the full date of birth of applicants is an effective means of deterring and detecting fraud.  While she accepted that the ability to associate a unique and easily ascertainable identifier, such as a customer’s date of birth, can assist in preventing individuals whose membership privileges have been suspended from successfully opening a new account, there is no evidence to indicate why the collection of a full date of birth, as opposed to a truncated one, is necessary for this purpose.   
  • In addition to fraud detection, the respondent stated that it needed the driver’s licence number and date of birth for credit checks of customers with cheque-writing privileges.  Credit reporting agencies advised our Office that the minimal amount of information required to perform a credit check is the individual’s name and address.  The full date of birth may be useful in some cases to positively identify an individual with a common name.  Driver’s licence numbers are not useful in this regard and the Assistant Commissioner determined that the collection of them is in contravention of Principles 4.4 and 4.4.1.  As soon as this Office intervened in this matter, the organization purged the complainant’s driver’s licence number from its database. 
  • As well, any legitimate purpose for collecting such information must be expressed at the time of its collection, pursuant to Principle 4.2.  The respondent’s application form indicated that “appropriate identification” was required if an applicant planned to write cheques.  However, the form did not explain that a credit check was required and failed to specify which fields of personal information would be used for this purpose.  If they were so informed, customers who did not desire cheque-writing privileges would be able to decline providing the additional information requested, namely a date of birth.  For this reason, Principle 4.2 was contravened. 
  • In the course of our investigation, it became clear that the scope of the privacy issues associated with the respondent’s collection and retention of personal information exceeded the collection and retention of driver’s licence numbers.  It appeared that the respondent had collected and retained the numbers associated with any ID document that applicants presented with their membership application, including passport numbers, citizenship certificate numbers and age of majority card numbers.

The Assistant Commissioner recommended that the respondent:

  • verify an applicant’s age and authenticate their identity by visually inspecting a piece of photo identification without recording the information for this purpose;
  • obtain an applicant’s meaningful consent for a credit check by providing applicants with notice that a credit check may be required before cheque-writing privileges are granted and that the applicant’s name, address and full date of birth will be collected and used for this purpose;
  • collect either the day and month of birth or the year and month, where this information is only being collected for the purpose of fraud prevention and detection (i.e. from customers who are not seeking cheque-writing privileges) and identify this purpose to applicants;
  • ensure that front-line staff who process applications for membership are knowledgeable about the respondent’s privacy policy and procedures; and
  • purge from its database(s) the numbers associated with identification documents that have previously been collected.

The organization agreed to the recommendations concerning membership applications.  It was also committed to updating its company privacy statement to inform individuals of the collection of partial date of birth information for fraud-prevention and -detection purposes, and—for those opting for cheque-writing privileges—of the collection of full date of birth for both credit-check and fraud-deterrence purposes.

Conclusion

The Assistant Commissioner concluded that the matters were resolved.
