The use of driver's licences to verify the identity of customers and to deter and detect fraud has come under special scrutiny by the Privacy Commissioners of Canada, Alberta and British Columbia. While addressed specifically to the retail sector, any organization that collects driver's licence information will have to pay special attention to the December 2, 2008 "Guide for Retailers" relating to the "Collection of Driver's Licence Numbers under Private Sector Privacy Legislation" (the "Guidelines").
What Do The Guidelines Say?
The basic principle overarching the Guidelines is that operational practices should not come at the expense of an individual's privacy rights and as such, organizations, including retailers, must employ the least privacy-invasive means of achieving their business goals.
The Guidelines provide an overview of the typical reasons for which retailers collect driver's licence numbers and acknowledge that historically, given that a driver's licence is a government-issued piece of identification, it is considered a reliable source of customer identification. However, the Guidelines go on to state the position of the Privacy Commissioners that such collection must be consistent with federal and provincial private sector privacy legislation and that in almost all cases, there is no justifiable reason for collecting a customer's driver's licence number.
The Privacy Commissioners note that "collection" of driver's licence information can mean any of the following actions:
- examination of the driver's licence;
- recording of the information contained on the driver's licence, including the licence number;
- photocopying of the driver's licence; or
- "swiping" the driver's licence through a computer system.
Generally speaking, the Privacy Commissioners feel that a simple examination of a driver's licence for identification purposes is permissible, as is the recording of a customer's name and address from the licence. However, the Guidelines state that the "recording" of a driver's licence number is "excessive" given the amount of identifying information contained within that number, the risk of identity fraud associated with the misuse or disclosure of that information and the fact that the recording of the number is generally not a necessary step in order for the retailer to achieve its operational objective.
What Does This Mean For Organizations that Collect Such Information?
1. Evaluation of Current Practices re: Collection of Personal Information
2. Evaluation of Current Practices re: Retention and Storage of Personal Information
3. Education of Employees
A copy of the Guidelines can be found here.