Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

Driver’s Licence Information and Test Drives: Guidance from the Alberta Office of the Information Privacy Commissioner

By Privacy and Cybersecurity Group
May 4, 2015
  • Canada
  • Privacy Rights
Share on Facebook Share on Twitter Share via email Share on LinkedIn

What personal information is reasonable for a motor vehicle dealer to collect from individuals participating in test drives? It has been acknowledged that dealers have a business need to collect personal information in association with offering test drives due to the risks associated with that practice. For example, individuals that take a vehicle for a spin may cause damage to the vehicle and/or, in the extreme, take it on an “extended test drive” and drive off the lot and not to return (as one unlucky luxury vehicle dealership in Halifax experienced).

The Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) recently issued guidance reminding motor vehicle dealers of their obligations under the provincial Personal Information Protection Act when collecting, using and disclosing personal information such as driver’s licence information in association with test drives.

Key Points

1.     Consent and clear notification of purposes of collection

Obtain consent (orally, in writing, or electronically) for the collection of the information. Before or at the time of the collection of personal information, dealers should clearly notify individuals that the purpose of collection of the driver’s license is for identification (as well as any other purposes, if applicable) and provide the contact information of the person who is able to answer questions on behalf of the dealer about the collection and use of the personal information.

2.      Collection must be reasonable – making copies of a driver’s licence is not reasonable

The OIPC Alberta reiterated that dealers should not make copies of driver’s licences of test drivers, but that recording the first and last name, address, and driver’s licence number would be considered reasonably required for meeting the intended purposes of the collection.

This guidance echoes the OIPC Alberta’s finding in Order P2012-10, where it determined that there was no reasonable purpose for a car rental agency to photocopy driver’s licences of renters. Specifically, making copies of legitimate  driver’s licences is not necessary if the licence number is recorded, as the information on the licence can be obtained from the motor vehicle database using the driver’s licence number recorded. In the case of people who steal cars using fraudulent driver’s licences, the practice of photocopying customers’ drivers licenses did not have significant utility for apprehending or deterring these people.

This broad prohibition on making copies of a driver’s licence falls in line with guidance and findings of the regulators on the collection of driver’s licence information in the retail context. These generally set out that circumstances where it is considered acceptable to record a driver’s licence number is limited, and that photocopying driver’s licence information is typically considered to not be reasonable (Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation – Guidance for Retailers, joint guidance issued by the OIPC Alberta, Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Privacy Commissioner of Canada).

3.     No secondary uses of information

Using information from a driver’s licence to for marketing purposes is permitted only with consent.

4.     Share only with consent or legal authorization

Disclosure of information collected for test drive purposes to third parties is prohibited except with consent or as authorized by law.

5.     Retain only for reasonably required period of time

Dealers should assess the length of time personal information collected for test drives should be retained to address the risks with that practice and should securely dispose of records at the end of this retention period.

6.     Protect the information

Dealers should put in place technical, administrative and physical safeguards to secure the personal information from unauthorized disclosure, such as storing the information in locked areas and encrypting electronic devices that contain personal information. This includes restricting access to staff who require the information on a “need to know” basis.

Conclusion

The collection of driver’s licence information in the context of a test drive must be reasonable, which means no photocopying/scanning the driver’s licence. Keep in mind the key requirements above regarding collecting, using and disclosing personal information obtained in association with test drives.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Alberta, Canada, Driver's Licence, Motor Vehicle Dealers
Privacy and Cybersecurity Group

About Privacy and Cybersecurity Group

All posts

RELATED POSTS

  • Canada
  • Data Transfers
  • Marketing, Cookies & Spam

CASL compliance undertakings continue to mount

By Margot Patterson
  • Privacy Rights

The USA Patriot Act – Implications for Cloud Computing

European cloud users are expressing increasing concern over the effect of the USA Patriot Act.  The Act entitles US authorities […]

By Todd Daubert
  • Canada
  • Privacy Rights

Freedom of Expression and Privacy in Labour Disputes: Amendments to Alberta’s Personal Information Protection Act in Force

Alberta’s Personal Information Protection Act (PIPA) entered 2015 with a (slightly) new look. Amendments set out in Bill 3, the […]

By Privacy and Cybersecurity Group

About Dentons

Dentons is the world’s largest law firm, delivering quality and value to clients around the globe. Dentons is a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ polycentric approach and world-class talent challenge the status quo to advance client interests in the communities in which we live and work. www.dentons.com.

Dentons Digital

Twitter

Categories

  • Accountability
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2021 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site