Summary
- Businesses that are APP (Australian Privacy Principles) entities must comply with the Privacy Act when collecting driver’s licences, and should only do so where reasonably necessary.
- Sensitive information revealed by identity documents, such as race or religion, requires additional protections, including the individual’s consent before scanning.
- Non-APP entities are not legally obliged to comply, but should treat the Privacy Act’s requirements as best practice.
- This article is a plain-English guide to Australian privacy law obligations for business owners who collect or record customer driver’s licences, prepared by LegalVision, a commercial law firm.
- LegalVision specialises in advising clients on privacy compliance and the handling of personal and sensitive information.
Tips for Businesses
Only collect driver’s licence copies where genuinely necessary; sighting is usually sufficient. If you scan licences, update your privacy policy, obtain consent for sensitive information, and vet any third-party verification tools for Privacy Act compliance. Delete records once the original purpose is fulfilled.
Businesses that collect driver’s licences must navigate Australia’s privacy laws carefully. The Privacy Act governs how you handle personal information, and collecting more than you need can put your business in breach. This article will explain:
- the privacy laws surrounding the collection of identity documents;
- why sensitive information requires extra protection; and
- what your privacy policy needs to cover.
Compliance with the Privacy Act
Your business must comply with the Privacy Act if it is considered an ‘APP (Australian Privacy Principles) entity’. APP entities are businesses that:
- have an annual turnover of more than $3 million;
- trade in personal information;
- provide a health service; or
- contract with the government.
The Privacy Act regulates how you handle personal information. Personal information includes the information that typically appears on a driver’s licence, such as an individual’s:
- name;
- address;
- date of birth; and
- other sensitive information (discussed below).
If you are not an APP entity, compliance with the Privacy Act is a matter of best practice. However, many businesses decide to opt in to compliance. Although you do not actually have any obligations to comply with the Privacy Act, this could change for you in the future if:
- there is a change in the way your business operates; or
- your business grows, and you meet the annual turnover threshold.
When Can You Collect Information?
For example, you may need to verify that an individual is over the age of 18 before they enter your nightclub. In most cases, sighting the customer’s driver’s licence is sufficient for this purpose. On the other hand, it is probably unnecessary to take an electronic copy of the individual’s identity documents.
However, the Privacy Act does allow you to take a copy of ID documents if it is reasonably necessary to do so.
For example, the law requires certain businesses to scan identity documents (e.g. clubs).
If you do not fall into this category, however, you must assess whether you need to scan such documents.
Collection of Sensitive Information
Identification documents and driver’s licences sometimes contain sensitive information, which is a special category of personal information.
For example, sensitive information includes information about an individual’s:
- race or ethnic origin;
- political opinions or membership of a political organisation;
- religious beliefs and affiliations;
- sexual preferences and orientation;
- criminal record; and
- health information.
For example, you may be able to determine an individual’s racial origin or religion from their name, appearance, and clothing.
If this is the case, you can only scan the document if it is reasonably necessary for your business purposes and you have the individual’s consent.
If you are unsure whether it is necessary to scan an ID, you should consider whether you:
- could explain to a customer why sighting their ID is insufficient; and
- would be able to explain why you did not merely sight the ID without scanning it if a complaint was made.
If possible, the simplest option is to sight the driver’s licence without scanning it. However, you do not need to comply with these recommendations if you are not an APP entity. In this case, you should consider compliance a matter of best practice.
Third-Party Tools
If you’re operating a website or an online platform, you might want to use a third-party tool to verify your customers’ age or identification by processing the information contained on their driver’s licences. Before you do, it’s important to consider your obligations under the Privacy Act.
When you use a third-party tool to handle identification documents on your behalf, you need to take reasonable steps to make sure that the provider also complies with privacy law. For example, you might need to check that the provider has a clause in their terms and conditions that requires them to comply with Australian privacy law.
The provider might also have their own privacy policy, setting out how they’ll handle information. You should check this to ensure that they’re holding onto your customer’s driver’s licence only for as long as necessary to perform the verification function. You can also ask the provider how they’ll be handling your customers’ information.
What Does Your Privacy Policy Need to Set Out?
Your privacy policy needs to clearly set out how and why you collect the information on driver’s licences. For example, it should include:
- what personal information you collect (including information on scanned or copied identification documents);
- why you collect, hold and use the information;
- what security measures you have in place to protect any information you store electronically;
- how long you keep the information for; and
- how you will erase or remove the information after a certain time period.
As driver’s licences are likely to contain or reveal sensitive information, you should also address whether you collect this information. If you are required to scan driver’s licences, you should state that you will only collect the information with consent.
Your privacy policy should also set out how your customers can request access to, deletion of, or correction of their information, including the information contained in any driver’s licence records you hold. You should provide details of how a customer can make a complaint or an enquiry, including contact details for both your business and the Office of the Australian Information Commissioner.
Key Takeaways
You can collect and record driver’s licences, but only where it is reasonably necessary for your business purposes. If you are an APP entity, you must comply with the Privacy Act when doing so. If you are not an APP entity, you should treat compliance as best practice.
Frequently Asked Questions
Yes, you can collect other forms of identification, such as passports or photo cards, but you must treat them the same way as driver’s licences. This means that you can only collect copies of these documents as reasonably necessary for your business purposes and must only hold the information for as long as needed to verify your customer’s age or identity. Like driver’s licences, simply sighting the document should be sufficient in most cases.
Customers can ask you to delete the information you hold about them, including any records of their driver’s licence. You can only hold this information for the reason that you collected it in the first place, such as to verify their age. Once you have fulfilled this purpose, you must delete or de-identify the driver’s licence information unless you are required by law to keep it for a longer period.
Only as long as needed to fulfil the original purpose, such as age verification.
No, simply sighting a document is usually sufficient and doesn’t require you to retain a copy.