Rapid-oil-change shop unnecessarily scanned customers’ vehicle registration information
PIPEDA Case Summary #2010-006
- Organizations must limit their collection, use and disclosure of an individual’s personal information to that which is strictly necessary to provide that individual with particular services.
- Specifically, organizations should not collect unique identifying numbers appearing on government-issued documents (driver’s licences, health cards, licence plates, etc.), for purposes other than those intended by the issuers of these documents.
- When individuals have questions, challenges or complaints about how the organization collects, uses or discloses their personal information, these must be addressed by the organization’s privacy officer, who should follow established procedures to respond within 30 days.
A customer of an automobile rapid lube business objected to the recording of his personal information from his vehicle registration document just to have his car’s oil changed. When he later challenged the practice and how his personal information was being handled, he received no reply whatsoever from the company.
The Assistant Commissioner determined the practice to be excessive and in contravention of Principles 4.4 and 4.4.1. Her two recommendations to the company—to collect only necessary information and to implement formal procedures to handle customer privacy complaints—went unheeded. Thus, she found the complaint was well-founded.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
At a rapid-oil-change establishment, an employee asked a regular client to produce his vehicle registration document so the employee could scan the bar code appearing on it. The individual wondered why since, in the past, merely recording the car’s Vehicle Identification Number (VIN) from the vehicle itself provided enough information (i.e., make, model, year, and oil grade and filter number) for an oil change. He recalled that the business already held his name and address, as well as licence plate and credit card numbers.
He became more concerned when he later learned from his provincial insurance board that his vehicle registration bar code also contained his driver’s licence number. When he called the company’s offices for a more satisfactory explanation, no one returned his calls nor did its privacy officer respond to a written request he sent.
To this Office, the company’s owner admitted that scanning the vehicle registration code can detect more personal information than scanning the VIN code, but stated that this can be useful when confirming the spelling of information from the customer’s file. First-time customers are also asked for their name, address and telephone number—information the owner admitted is not mandatory. This extra information is collected in case of warranty work or service complaints, or as a precaution if it is realized later that something went wrong during the vehicle servicing and the client needs to be contacted quickly.
Through our investigation, we learned that an imprint of a vehicle’s VIN code is embedded in the vehicle registration bar code and that a “cleaner read” of the VIN information can be obtained by scanning the vehicle registration bar code since VINs may sometimes be obscured on the vehicle.
Although more personal information is recorded in the vehicle registration bar code (e.g., owner’s provincial insurance and registration costs, driver’s licence number), our investigation confirmed that the oil-change company’s scanning technology was only capable of reading the following information: name and address of the vehicle’s registered owner, vehicle year, make, model, class and colour, and the licence plate number.
The Assistant Commissioner recommended that the company cease the unnecessary practice of requesting and scanning customers’ vehicle registration documents.
As well, since she noticed that none of the company’s customer privacy material identified a company privacy officer or set out a procedure for handling inquiries or complaints, the Assistant Commissioner recommended that the company put policies and procedures in place to direct individuals to a privacy officer capable of handling privacy inquiries and complaints.
The company did not respond to her recommendations nor did it return follow-up telephone calls from this Office.
Issued February 9, 2010
Application: Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. Principle 4.4.1 clarifies that organizations shall not collect personal information indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfill the purposes identified. Principle 4.10 states that an individual must be able to address a challenge concerning compliance with the principles to the designated individual or individuals accountable for the organization’s compliance. Principle 4.10.2 states in part that organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
In making her determinations, the Assistant Commissioner deliberated as follows:
- It was established that the organization did not obtain from the complainant’s scanned vehicle registration any personal information about him other than what was already held on file. Nonetheless, the Assistant Commissioner considered quite valid his concerns about the business’s practice of scanning vehicle registrations in order to perform a simple automobile maintenance service. In her view, the collection of any information from a customer’s vehicle registration document is simply not necessary for the purpose of changing motor oil in vehicles.
- Principle 4.4.1 requires that organizations be discriminating—that is, they must limit their collections to amounts and types of information necessary for the purpose at hand. The Assistant Commissioner explained that she had no objection in principle to the organization scanning VIN bar codes from the vehicles themselves. To change the oil on a vehicle, it is no doubt necessary to have information about the vehicle, such as scanning a VIN alone would produce, but it is clearly not necessary to obtain from a vehicle registration document personal information such as the owner’s name, address and driver’s licence number.
- While the Assistant Commissioner recognized the convenience for the business to scan a vehicle registration document in which a VIN is embedded, the convenience derived from such a practice is nonetheless a long way from being the necessity that Principle 4.4 requires of collectors of personal information. In her view, the convenience to the company in this case does not in any way justify the violation of customers’ privacy. As well, Principle 4.4 also limits collections to what is fair and lawful: In various provinces in Canada, it is illegal to use certain government- issued identification cards and documents for other than their primary, intended purposes.
- Further, it is the Assistant Commissioner’s understanding that materials or objects tending to “obscure” VIN bar codes on vehicles are in most cases relatively easy to deal with and do not justify scanning a government-issued vehicle registration document.
- Consequently, both Principles 4.4 and 4.4.1 were contravened.
- Regarding Principles 4.10 and 4.10.2, the business did not dispute the allegation, nor did we see any evidence of the business correcting its procedural shortcomings with regard to responding to customer privacy concerns and complaints.
The Assistant Commissioner concluded that the complaint was well-founded.
The Office considered taking the case to the Federal Court to enforce the company’s compliance with its privacy obligations, but the complainant requested that we not pursue the matter any further.
- Date modified: