What personal information is reasonable for a motor vehicle dealer to collect from individuals participating in test drives? It has been acknowledged that dealers have a business need to collect personal information in association with offering test drives due to the risks associated with that practice. For example, individuals that take a vehicle for a spin may cause damage to the vehicle and/or, in the extreme, take it on an “extended test drive” and drive off the lot and not to return (as one unlucky luxury vehicle dealership in Halifax experienced).
The Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) recently issued guidance reminding motor vehicle dealers of their obligations under the provincial Personal Information Protection Act when collecting, using and disclosing personal information such as driver’s licence information in association with test drives.
Key Points
1. Consent and clear notification of purposes of collection
Obtain consent (orally, in writing, or electronically) for the collection of the information. Before or at the time of the collection of personal information, dealers should clearly notify individuals that the purpose of collection of the driver’s license is for identification (as well as any other purposes, if applicable) and provide the contact information of the person who is able to answer questions on behalf of the dealer about the collection and use of the personal information.
2. Collection must be reasonable – making copies of a driver’s licence is not reasonable
The OIPC Alberta reiterated that dealers should not make copies of driver’s licences of test drivers, but that recording the first and last name, address, and driver’s licence number would be considered reasonably required for meeting the intended purposes of the collection.
This guidance echoes the OIPC Alberta’s finding in Order P2012-10, where it determined that there was no reasonable purpose for a car rental agency to photocopy driver’s licences of renters. Specifically, making copies of legitimate driver’s licences is not necessary if the licence number is recorded, as the information on the licence can be obtained from the motor vehicle database using the driver’s licence number recorded. In the case of people who steal cars using fraudulent driver’s licences, the practice of photocopying customers’ drivers licenses did not have significant utility for apprehending or deterring these people.
This broad prohibition on making copies of a driver’s licence falls in line with guidance and findings of the regulators on the collection of driver’s licence information in the retail context. These generally set out that circumstances where it is considered acceptable to record a driver’s licence number is limited, and that photocopying driver’s licence information is typically considered to not be reasonable (Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation – Guidance for Retailers, joint guidance issued by the OIPC Alberta, Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Privacy Commissioner of Canada).
3. No secondary uses of information
Using information from a driver’s licence to for marketing purposes is permitted only with consent.
4. Share only with consent or legal authorization
Disclosure of information collected for test drive purposes to third parties is prohibited except with consent or as authorized by law.
5. Retain only for reasonably required period of time
Dealers should assess the length of time personal information collected for test drives should be retained to address the risks with that practice and should securely dispose of records at the end of this retention period.
6. Protect the information
Dealers should put in place technical, administrative and physical safeguards to secure the personal information from unauthorized disclosure, such as storing the information in locked areas and encrypting electronic devices that contain personal information. This includes restricting access to staff who require the information on a “need to know” basis.
Conclusion
The collection of driver’s licence information in the context of a test drive must be reasonable, which means no photocopying/scanning the driver’s licence. Keep in mind the key requirements above regarding collecting, using and disclosing personal information obtained in association with test drives.
