Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
As a small business owner, it’s pretty common to want a quick way to confirm who you’re dealing with.
Maybe you’re hiring out equipment, offering a subscription service, onboarding a new customer for credit, or managing high-value deliveries. In these situations, the fastest “solution” can feel like: “Can you flick through a photo of your driver’s licence?”
But here’s the catch: once you collect a driver’s licence photo, you’re not just “checking ID” anymore. You’re collecting and storing personal information - and that means your business needs to think about privacy compliance for driver’s licence photos under the Privacy Act 2020.
This article is general information only and doesn’t take into account your specific circumstances. It isn’t legal advice.
Below, we’ll walk you through when it’s okay to collect driver’s licence photos in New Zealand, what privacy compliance looks like in practice, and how to set up a simple process that protects your customers (and protects your business from avoidable headaches later).
Why Collecting Driver’s Licence Photos Is A Privacy Issue (Not Just “Admin”)
A driver’s licence contains a lot more than just a name.
Even if you only want it for identity verification, a photo of a licence can include personal information like:
- full name
- date of birth
- driver licence number and version number
- photo (a strong identifier)
- card expiry date
Depending on what’s visible in the image (and what else you collect alongside it), it may also reveal additional details - for example, if the photo includes other documents in the background, or if you ask for an address separately as part of your onboarding.
In many cases, a driver’s licence photo is also enough to contribute to identity theft if it’s mishandled or leaked.
That’s why privacy compliance isn’t just about “having a privacy policy” - it’s about making sure you have a lawful reason to collect it, you’re minimising what you collect, and you’re storing it securely (or not storing it at all if you don’t need to).
If your business collects any personal information from customers online or in-person, it’s usually a good time to make sure you have a Privacy Policy that matches what you actually do day-to-day.
When Can A Business Legally Collect A Photo Of A Driver’s Licence?
In New Zealand, the key starting point is that your business must only collect personal information if it’s necessary for a lawful purpose connected with your business functions or activities.
In practical terms, that means you should be able to clearly answer two questions:
- What is the purpose? (e.g. verifying identity to prevent fraud, confirming age for a restricted product/service, complying with legal obligations)
- Is a photo (and storage) necessary? Or can you achieve the purpose another way (e.g. sighting the ID and recording limited details)?
Common Situations Where It May Be Justified
Collecting (or sighting) a driver’s licence is commonly used in situations like:
- Credit arrangements (e.g. you’re allowing payment later and need to verify identity)
- Hire/rental services (e.g. vehicles, tools, equipment, event items)
- High-risk or high-value transactions where fraud prevention is a real issue
- Age-restricted services where you must take reasonable steps to confirm age
But even in these situations, taking and keeping a full photo is not automatically justified.
“We Always Do It” Isn’t A Legal Reason
Plenty of businesses collect ID photos because it’s become a habit or because “that’s what everyone in the industry does”.
Privacy law doesn’t really care about industry habits. What matters is whether your collection is necessary, fair, and proportionate to the risk you’re managing.
If you can verify identity by simply sighting the licence (without storing it), that’s often a lower-risk approach - and generally easier to justify if your collection practices are ever questioned.
Key Privacy Act 2020 Principles You Need To Follow
Privacy compliance isn’t about memorising legal jargon - it’s about setting up a sensible process that aligns with the Privacy Act 2020.
Here are the core “rules of thumb” that usually matter most when businesses collect driver’s licence photos.
1) Collect Only What You Need (Data Minimisation)
If your business only needs to confirm a name and date of birth, collecting a full photo of the entire card (front and back) may be excessive.
Consider alternatives, such as:
- sighting the ID in person (or via video) and making a note that it was verified
- recording limited details (e.g. name + DOB only) rather than keeping the image
- redacting unnecessary fields if you do store an image (more on this below)
This is one of the most important practical steps for privacy compliance when handling driver’s licence photos: don’t collect “just in case”. Collect for a specific purpose, and stop there.
2) Tell People What You’re Doing (Transparency)
When you collect personal information directly from someone, you generally need to make sure they know things like:
- what information you’re collecting (e.g. an image of a driver’s licence)
- why you’re collecting it
- who will have access to it (e.g. staff, third-party booking systems)
- how long you’ll keep it
- how they can access or correct it
This can be done through a short notice at the point of collection, backed up by your Privacy Collection Notice and overall privacy documentation.
3) Store It Securely (And Limit Access)
If you store licence photos, you need to take reasonable steps to protect them from:
- unauthorised access (including internal access by staff who don’t need it)
- loss (e.g. misplaced devices, accidental deletion)
- misuse (e.g. staff saving images to personal phones)
- disclosure (e.g. email forwarding, insecure file sharing)
Security isn’t just an IT issue - it’s also about policies and training. For many small businesses, the biggest risk is human error (someone saving the photo in the wrong place, or keeping it longer than needed).
If your business uses contractors, virtual assistants, or offshore admin support, make sure you’re also thinking about who handles personal information and what systems they access. In some setups, you may also need contract terms around confidentiality and data handling (especially if customer onboarding is being outsourced).
4) Keep It Only As Long As Necessary (Retention & Disposal)
A common compliance gap is “we collect it, and it stays in the inbox forever”.
For privacy compliance when collecting driver’s licence photos, you should have a retention approach that answers:
- How long do we actually need this photo for the purpose?
- What triggers deletion? (e.g. after verification, after the hire period ends, after payment clears)
- How do we delete it securely?
If you don’t need the image after verification, delete it promptly and document that you’ve done so (even a simple internal log or workflow note can help).
Practical Ways To Collect Driver’s Licence Details Without Over-Collecting
Most small businesses aren’t trying to be intrusive - you’re trying to manage risk efficiently.
So, what are practical approaches that balance fraud prevention with privacy compliance?
Option 1: Sight The Licence And Record A Verification Note
If you operate in-person, you can sight the licence and keep an internal record like:
- “ID sighted and verified: NZ driver’s licence, name matches booking, DOB matches customer file, expiry date valid.”
This reduces your data storage risk significantly because you’re not holding a copy of the licence itself.
Option 2: Collect A Photo But Redact/Mask Unnecessary Information
Sometimes you genuinely need a copy (for example, where your risk profile is high, or your process is remote and you need evidence of ID verification).
If you collect a photo, consider asking the customer to:
- cover up irrelevant fields before taking the photo (where possible)
- only provide the front (if the back isn’t required for your purpose)
- use a secure upload portal rather than sending by email or text
The goal is simple: if you don’t need it, don’t collect it.
Option 3: Use A Secure Upload Process (Not Email Or SMS)
Email and text messages are convenient, but they’re often where privacy compliance falls down:
- photos remain in inboxes and message histories
- staff might forward messages internally
- devices can be lost or shared
If you do collect driver’s licence photos, a secure upload process (with access controls and retention rules) can be a much safer approach.
If you’re running an online platform, you’ll also want to make sure your website terms and privacy terms match your actual onboarding process. For example, if you collect identity documents through your platform, your Website Terms and Conditions should align with how you manage user accounts and verification.
What Happens If Something Goes Wrong? Data Breaches And Customer Complaints
Even with good intentions, things can go wrong - especially when your business is moving fast.
Common issues we see include:
- a staff member asks customers to text their licence photo to a personal phone
- licence photos are stored in a shared drive with broad access
- photos are kept indefinitely “just in case”
- a customer complains that the request was excessive or unclear
If there’s unauthorised access, loss, or disclosure of driver’s licence photos, you might be dealing with a data breach situation.
Under NZ privacy law, some privacy breaches may need to be notified (depending on whether they’re likely to cause serious harm). Even if notification isn’t required, you still want to respond quickly and consistently.
Having a basic plan in place makes a huge difference. Many businesses set this up through a Data Breach Response Plan so their team knows what to do if personal information is compromised.
What Policies And Legal Documents Should You Have In Place?
This is the part many small business owners skip - not because you don’t care, but because it feels like “paperwork”.
But if your business collects driver’s licence photos, having the right documents and processes is how you show you’ve taken privacy seriously.
Privacy Policy And Collection Notices
Your privacy documentation should clearly cover:
- the types of personal information you collect (including identity documents, if applicable)
- your purpose for collecting it
- storage and security measures
- how customers can access/correct their information
- how you handle complaints
At a minimum, most businesses that collect customer details will want a Privacy Policy and a short, practical collection notice at the point you request the ID.
Staff Training And Workplace Policies
If staff are asking for the licence photo, they need to know the rules.
A good internal process might cover:
- when staff are allowed to request a licence photo (and when they’re not)
- approved channels for collection (e.g. secure upload only)
- where it’s stored (and where it must never be stored)
- who can access it
- deletion timeframes
If you collect personal information through staff-managed systems, you may also want a broader internal privacy framework (for example, clear rules about confidentiality, device use, and acceptable systems for handling customer information).
Customer-Facing Terms (Especially For Hire, Subscription, Or Online Services)
If you request ID as part of your service, the expectation should be reflected in your customer terms.
For example, if you’re hiring out equipment and you require ID verification before release, it’s much cleaner when that requirement is already written into your terms (rather than being a surprise at pick-up time).
Depending on your business model, that might sit in:
- your online customer terms
- your booking terms
- your hire agreement terms
When you’re dealing with customers online, your overall E-Commerce Terms and Conditions can also help set the rules around accounts, verification, cancellations, and acceptable use.
Key Takeaways
- Collecting and storing driver’s licence photos matters because a licence photo contains sensitive personal information, and collecting it triggers obligations under the Privacy Act 2020.
- You should only collect a driver’s licence photo if it’s necessary for a lawful purpose connected to your business (and you should be able to clearly explain that purpose).
- Where possible, consider lower-risk alternatives like sighting the licence and recording a verification note instead of storing an image.
- If you do collect photos, you should take reasonable security steps, limit staff access, and avoid informal collection channels like personal phones and open email inboxes.
- Set a clear retention and deletion process so licence images aren’t kept longer than needed.
- Make sure your privacy documents and customer terms match your actual process, including a Privacy Policy and collection notice that explains why and how you collect ID.
- Have a plan for mistakes, including how you’ll respond to complaints or a data breach, so you can act quickly and consistently.


