The Department of Licensing (DOL) handles the personal data of approximately 6 million driver records and 8 million vehicle and vessel owner records.
There are a number of federal and state laws governing how DOL may share data. One example is the Driver Privacy Protection Act, enacted by Congress in 1994, which regulates state governments' release of personal information contained in an individual's motor vehicle record. The state Open Public Records Act also requires the disclosure of certain types of data collected and maintained by DOL. There are many purposes for which DOL releases driver and vehicle data. Examples include, but are not limited to, selective service, insurance underwriting, child support collection, motor vehicle safety recalls, license plate search for registered owner information for tolling, parking and law enforcement purposes, and court records and proceedings.
Vehicle Records. Under current law, prior to the release of any vehicle record information, DOL must enter into a contract with an authorized entity. The contract must contain provisions requiring DOL or its agent, to conduct regular permissible use and data security audits. DOL must charge a fee for this information. DOL has contracts with both governmental and private entities.
The following constitute a gross misdemeanor:
Driver Records. Upon the proper request, DOL may provide an abstract of a person's driving record to specified entities which include, but are not limited to, prospective employers, county prosecuting attorneys, insurance companies, transit authorities, units of local governments, and the Office of the Superintendent of Public Instruction. There are limitations on the purpose for which the abstract may be provided and some of the transactions require payment of a fee.
The abstract, whenever possible, must include:
DOL may contract with specified entities to allow for monitoring driver record abstract changes. This service is provided for a fee set by DOL at an amount that will not result in a net revenue loss to the state.
Definitions. "Identity information" means information that identifies an individual, or may be used to determine the identity of an individual, including:
Personal information is defined to mirror the Public Records Act definition which includes an individual's first name or first initial and last name in combination with any one or more of the following data elements:
The terms data services and transportation network companies are also defined.
Any personal or identity information obtained by DOL in the administration of driver and vehicle records is private and confidential except as otherwise provided in federal and state law.
Obligations of Data Recipients. All authorized recipients of personal or identity information have an affirmative obligation to take all reasonable actions necessary to prevent the unauthorized disclosure and misuse of personal or identity information. DOL may require an audit or investigation of any entity receiving personal or identity information that originated from DOL.
If data is misused or disclosed without authorization, all parties aware of the violation must inform DOL and take all reasonably available actions to mitigate and rectify the disclosure.
Contract Requirements. Prior to providing data services that include the lawful release of any personal or identity information DOL must enter into a contract with the entity authorized to receive the information. The contract must include, at a minimum:
DOL is authorized to adopt other contract requirements as necessary to ensure the privacy of individuals and protection of personal or identity information.
Penalties. The unauthorized use or disclosure of personal or identity information is subject to a civil penalty up to $20,000, per incident. The penalty cap is annually adjusted by DOL based on the consumer price index. Other applicable sanctions in federal and state law may also apply. Additionally, a data recipient may be denied further access to personal or identity information.
Vehicle Data. The purposes for which DOL may release lists of registered and legal owners of vehicles to governmental entities is expanded.
The penalties specifically tied to the violation of a contract for vehicle data are modified. DOL is authorized, rather than required, to suspend a person's ability to receive data for up to five years.
Driver Data. DOL is authorized to provide:
DOL may provide driving record review services for a transportation network company.
The purposes for which an employer may release a driving record to a third party are specified.
The Office of the Superintendent of Public Instruction is not required to pay for a driver abstract. A state agency or scientific research profession associated with a bona fide scientific research organization are exempt from paying the fees related to reviewing driving records, other than the cost to provide the data.
The committee recommended a different version of the bill than what was heard. PRO: This is agency request legislation and builds on the strategic investments the agency has made in data privacy. The bill modernizes DOL statutes and provides additional protections against misuse. It also modernizes our data laws.
There are three elements of this bill to highlight. We want to codify the existing practices and protections that are currently in our data contracts and apply them uniformly across driver and vehicle data. The new civil penalty for data misuse is key. One example, is once a contract is terminated, data recipients are supposed to permanently delete the data, but because we are no longer in a contract we lose the ability to ensure that they comply. The bill aligns and streamlines our driver and vehicle data sharing laws, without removing access to data for existing clients, and providing for clear protections and audits.