Issuance of Guidelines regarding the Collection of Driver’s Licence Numbers
December 23, 2008
Barbara A. McIsaac
The use of driver's licences to verify the identity of customers and to deter and detect fraud has come under special scrutiny by the Privacy Commissioners of Canada, Alberta and British Columbia. While addressed specifically to the retail sector, any organization that collects driver’s licence information will have to pay special attention to the "Guide for Retailers" relating to the "Collection of Driver’s Licence Numbers under Private Sector Privacy Legislation" (the Guidelines).
What Do the Guidelines Say?
The basic principle overarching the Guidelines is that operational practices should not come at the expense of an individual’s privacy rights — and as such, organizations, including retailers, must employ the least privacy-invasive means of achieving their business goals.
The Guidelines provide an overview of the typical reasons for which retailers collect driver’s licence numbers. They acknowledge that historically, given that a driver’s licence is a government-issued piece of identification, it is considered a reliable source of customer identification. However, the Guidelines go on to state the Privacy Commissioners’ position that such collection must be consistent with federal and provincial private sector privacy legislation and that in almost all cases, there is no justifiable reason for collecting a customer’s driver’s licence number.
The Privacy Commissioners note that "collection" of driver’s licence information can mean any of the following actions:
- examination of the driver’s licence;
- recording of the information contained on the driver’s licence, including the licence number;
- photocopying of the driver’s licence; or
- "swiping" the driver’s licence through a computer system.
Generally speaking, the Privacy Commissioners feel that a simple examination of a driver’s licence for identification purposes is permissible, as is the recording of a customer’s name and address from the licence. However, the Guidelines state that the "recording" of a driver’s licence number is "excessive" given the amount of identifying information contained within that number, the risk of identity fraud associated with the misuse or disclosure of that information, and the fact that the recording of the number is generally not a necessary step in order for the retailer to achieve its operational objective.
What Does This Mean for Organizations that Collect Such Information?
Evaluation of current practices regarding collection of personal information
Organizations who currently employ a practice of collecting and recording driver’s licence numbers as part of their operational policies should evaluate why that information is recorded and what purpose is served by its collection. With that information in hand, retailers should consider whether there are less intrusive alternatives that would allow them to accomplish their objectives.
Given the Privacy Commissioners’ indication that a challenge to such a practice is likely to be successful, we would recommend that organizations cease the collection of driver’s licence numbers unless they have a legislated entitlement to such a practice (which is a rare occurrence).
Evaluation of current practices regarding retention and storage of personal information
In addition to the discussion regarding the collection of driver’s licence numbers, the Guidelines reiterate the obligation placed on organizations to "protect personal information in their custody and under their control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction." Given the nature of the personal information that may be contained in or accessed through a driver’s licence number, a significant risk is associated with the misuse or unsecured storage of such information.
Organizations must evaluate the means by which they secure all customer personal information they collect to ensure it meets the standards expected of them by the Privacy Commissioners and the applicable privacy legislation. Any deficiencies should be corrected immediately.
Education of employees
Organizations must ensure that their employees understand their company’s policy on the collection of personal information, including in what circumstances such information is to be collected, what information specifically they are entitled to record, and what they are responsible for doing with that information in terms of its storage and retention. A company’s ability to defend a privacy claim on the grounds of due diligence will depend in large part on the actions of its employees and the training and instruction given to them in this regard.
Observations Specific to the Province of Québec
Further to the publication of the Guidelines some clarifications should be made for Québec retailers. Indeed, the Commission d’accès à l’information has not yet issued a specific guide on the subject. Nevertheless, it keeps us informed through its website, news releases and decisions on the current terms governing the use of the driver’s licence as an identifier by any private sector enterprise that has a practice of asking customers for information contained on their driver’s licence.
What does the legislation say?
From the outset, let us recall certain principles contained in the applicable legislation. First of all, the Act respecting the Protection of personal information in the private sector states that a person may collect only the information necessary for the purpose of a contract. Such information must also be collected by lawful means. Furthermore, no person may refuse to respond to a request for goods or services or to a request relating to employment due to the applicant’s refusal to disclose personal information. This principle does have some exceptions, including where collection of personal information is necessary for the conclusion or performance of a contract, where the collection is authorized by law and where there are reasonable grounds to believe that the request is not lawful.
At the onset, nothing seems to forbid a retailer from asking a customer to show his or her driver’s licence if the retailer deems it necessary. However, one of the features specific to Québec involving the use of the driver’s licence can be found in the Highway Safety Code, which expressly states that the holder of a learner’s licence, probationary licence or driver’s licence cannot be required to produce his/her licence except where so required by a peace officer or by the Société de l'assurance automobile du Québec for the sole purpose of highway safety. For example, when renting a vehicle, the lessor is authorized and even obligated to ask for a driver’s licence to ensure that the lessee is legally permitted to drive.
The position of the Commission d’accès à l’information
The position of the Commission d’accès à l’information is clear on this issue. A retailer cannot demand to see a driver’s licence, any more than the health insurance card. In accordance with the Highway Safety Code, only a peace officer or the Société de l’assurance automobile du Québec can require this and for the sole purpose of highway safety. Similarly, a health insurance card can only be required for purposes related to providing services or goods or resources for health and social services. A retailer cannot therefore demand to see a customer’s driver’s permit, much less record its number.
For example, the Commission d’accès à l’information decided in Moses v. Caisse populaire Notre-Dame-de-la-Garde that a stockbroker could not ask a client to show a driver’s licence or collect a client’s driver’s licence number, as this action could not be demonstrated to be necessary for the purpose of the stockbroker-client contract. This decision reinforces the position that a retailer also cannot require a customer to disclose his/her driver’s licence number. Regarding contracts for services, the Commission already stated in Comeau v. Bell mobilité that a driver’s licence number is not required information in a service contract for the use of a cellular phone.
What does all this mean to retailers?
Operationally, what can a retailer do to confirm the identity of a customer who pays by cheque or credit card? In the Frequently Asked Questions section of its website, the Commission de l’accès à l’information provides a section specifically for private sector enterprises regarding the use of identifiers. With regards to verifying the identity of a customer using a credit card, the section states that a retailer does not have the right to require a driver’s licence or collect any information contained on another card. Along the same lines, the section mentions that a video store, or other type of business, cannot deny service to a customer who refuses to allow a retailer to record his/her driver’s licence number in any way whatsoever, or refuses to show his/her driver’s licence as an identification document.
We can thus assume two situations where a retailer would use a driver’s licence as an identifier, either by looking at it to confirm the identity of the person or by recording the licence number. We must remember that the retailer does not have the right to require, in one way or another, a driver’s licence. It is therefore preferable to ask customers to provide an identification document of their choice. More often than not, a customer will present his/her driver’s licence, in the absence of an alternative. However, the practice of collecting the number of the driver’s licence, whether by photocopying it or by any other means to record the information therein contained, should be banned.