Skip to content
LegalVision

Can My Business Collect and Record Driver’s Licences?

Avatar photo

By Jessica Anderson
Senior Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Claude logo Claude Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

Many businesses seek to collect some form of identification, such as driver’s licences, from customers in one way or another.

For example, you may wish to:

  • verify a user’s age before they use your dating app; or
  • check that a customer has a valid driver’s licence before you allow them to rent a motorcycle from your hire business. 

However, before you request copies of your customers’ driver’s licences, you will need to consider the laws that affect what you can collect and how you should collect this information. This article will explain:

  • the privacy laws surrounding the collection of identity documents;
  • why sensitive information requires extra protection; and
  • what your privacy policy needs to cover. 

Compliance with the Privacy Act

Your business will be required to comply with the Privacy Act if it is considered an ‘APP entity’. APP entities are businesses which: 

  • have an annual turnover of more than $3 million;
  • trade in personal information;
  • provide a health service; or
  • contract with the government.

The Privacy Act regulates how businesses handle personal information. Personal information includes the information that typically appears on driver’s licences, such as an individual’s: 

  • name;
  • address; 
  • date of birth; and 
  • other sensitive information (discussed below). 

If you are not an APP entity, compliance with the Privacy Act is a matter of best practice. However, many businesses decide to opt-in to compliance. Although you do not actually have any obligations to comply with the Privacy Act, this could change for you in the future if:

  • there is a change in the way your business operates; or
  • your business grows and you meet the annual turnover threshold. 

When Can You Collect Information?

Collecting unnecessary personal information is a breach of the Privacy Act. Under the law, you should not scan, copy or email a customer’s driver’s licence if having an employee or representative sight it would be sufficient. 

For example, you may need to verify that an individual is over the age of 18 before they enter your nightclub. Sighting the individual’s driver’s licence is generally sufficient for this purpose. On the other hand, it is probably unecessary to take an electronic copy of the individual’s identity documents. 

However, the Privacy Act does allow you to take a copy of ID documents if it is reasonably necessary to do so.

For example, certain businesses are legally required to scan identity documents (e.g. clubs and clubs).

If you do not fall into this category, however, you will have to assess whether it is necessary for you to scan such documents. 

Collection of Sensitive Information 

Identification documents and driver’s licences sometimes contain sensitive information, which is a special category of personal information.

For example, sensitive information includes information about an individual’s:

  • race or ethnic origin;
  • political opinions or membership of a political organisation;
  • religious beliefs and affiliations;
  • sexual preferences and orientation;
  • criminal record; and
  • health information.

Sensitive information is given extra protection under the Privacy Act. In some circumstances, a licence will reveal sensitive information about an individual. 

For example, it may be possible to work out an individual’s racial origin or religion from their name and clothing.

If this is the case, you can only scan it if it is reasonably necessary for your business purposes and you have the individual’s consent. 

If you are unsure whether it is necessary to scan an ID, you should consider whether you:

  • could explain to a customer why sighting their ID is insufficient; and
  • would be able to explain why you did not merely sight the ID without scanning it if a complaint was made.

If possible, the simplest option is to sight the driver’s licence without scanning it. However, you do not need to comply with these recommendations if you are not an APP entity. In this case, you should consider compliance a matter of best practice. 

Continue reading this article below the form
Loading form

What Does Your Privacy Policy Need to Set Out? 

Your privacy policy needs to clearly set out how and why you collect the information on drivers’ licences. For example, it should include:

  • what personal information you collect (including information on scanned or copied identification documents);
  • why you collect, hold and use the information; 
  • what security measures you have in place to protect any information you store electronically;
  • how long you keep the information for; and
  • how you will erase or remove the information after a certain time period. 

Key Takeaways 

The Privacy Act contains strict rules about how you can collect and deal with driver’s licences and other forms of identity documents. If you are an APP entity, you must comply with these obligations. Although you do not need to do so if you are not an APP entity, compliance is a matter of best practice. If you need assistance with complying with the Privacy Act or updating your privacy policy, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page. 

Register for our free webinars

ACCC Merger Reforms: Key Takeaways for Executives and Legal Counsel

Online
Understand how the ACCC’s merger reforms impact your legal strategy. Register for our free webinar.
Register Now

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now
See more webinars >
Jessica Anderson

Jessica Anderson

Senior Lawyer | View profile

Jessica is a Senior Lawyer in LegalVision’s Commercial Contracts team. From day to day, Jessica enjoys preparing contracts to suit her clients’ needs, and walking clients through key-risk issues whether within a contract or within the broader regulatory landscape, from privacy law, consumer law, or community gaming and charities law.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Macquarie University.

Read all articles by Jessica

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Can I Collect Sensitive Information About My Employees?

My Business Has Received a Privacy Access Request. What Do I Do?

What Are the Differences Between a Website’s Privacy Notice and Privacy Policy?

Can I Collect Customer Information Without a Privacy Policy?

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards