Issuance of Guidelines for the Collection of Driver’s Licence Numbers
February 27, 2009
Barbara A. McIsaac
The collection of driver’s licences to verify the identity of customers and to deter and detect fraud has come under special scrutiny by the Privacy Commissioners of Canada, Alberta and British Columbia, who on December 2, 2008 issued guidelines for such collection. While addressed specifically to the retail sector, the Guide for Retailers relating to the Collection of Driver’s Licence Numbers under Private Sector Privacy Legislation (Guidelines) should be given special attention by any organization that collects driver’s licence information.
The basic overarching principle of the Guidelines is that operational practices should not come at the expense of an individual’s privacy rights — and as such, organizations, including retailers, must employ the least privacy-invasive means of achieving their business goals.
The Guidelines provide an overview of the typical reasons retailers collect driver’s licence numbers and acknowledge that historically, given that a driver’s licence is a government-issued piece of identification, it is considered a reliable source of customer identification. However, the Guidelines go on to state the Privacy Commissioners’ position that such collection must be consistent with federal and provincial private sector privacy legislation, and that in almost all cases there is no justifiable reason for collecting a customer’s driver’s licence number.
Generally speaking, the Privacy Commissioners feel that a simple examination of a driver’s licence for identification purposes is permissible, as is the recording of a customer’s name and address from the licence. However, the Guidelines state that the "recording" of a driver’s licence number is "excessive" given the amount of identifying information contained within that number, the risk of identity fraud associated with the misuse or disclosure of that information, and the fact that recording the number is generally not necessary in order for the retailer to achieve its operational objective.
In the Province of Québec, the Commission d’accès à l’information is clear on this issue — a retailer cannot demand to see a driver’s licence, much less record its number. In accordance with the Highway Safety Code, only a peace officer or the Société de l’assurance automobile du Québec can require this, and only for the purpose of highway safety. Similarly, a health insurance card can only be required for purposes related to providing services or goods or resources for health and social services.
McCarthy Tétrault Notes:
- Organizations should cease the collection of driver’s licence numbers unless they have a legislated entitlement to such a practice (which is a rare occurrence).
- Organizations must evaluate the means by which they secure all customer personal information collected by them that is contained in or accessed through driver’s licences, to ensure it meets the standards expected of them by the Privacy Commissioners and the applicable privacy legislation. Any deficiencies should be corrected immediately.
- The ability of an organization to defend a privacy claim against it on the grounds of due diligence will depend in large part on the actions of its employees and the training and instruction given to them in the collection, storage and retention of personal information from driver’s licences.
- In the Province of Québec, it is preferable to ask customers to provide an identification document of their choice. More often than not, a customer will present a driver’s licence in the absence of an alternative. However, the practice of collecting the number of the driver’s licence to record the information contained in it, whether by photocopying or other means, should be banned.
A more detailed discussion of this topic — including, in particular, an analysis of the Québec position, may be found in our e-Alert.