Striking the Balance: MVR Checks and Privacy Laws
A motor vehicle record (MVR) check provides vital insight into whether that employee is a safe driver. A MVR check reveals, among other important information, insurance lapses, traffic violations, accidents, license revocations and most importantly, DUI charges that may not appear on criminal records.
While such checks help identify high-risk drivers before accidents occur, they also create a potential legal pitfall for companies that conduct them: violation of state and federal laws protecting employee privacy. What many companies do not realize is that when they collect MVRs about employees and applicants, they are amassing a vast store of personal information they are legally obligated to safeguard.
A host of state and federal laws restrict the ways companies obtain, use, store, share and even discard confidential information contained in employee driving records. Companies that do not comply with these regulations face the risk of lawsuits and government penalties. Yet, understanding and complying with these laws can be tricky, especially given the fact that many states have passed new statutes concerning the protection of personal information.
Protecting Driver Privacy
The primary law governing a company’s ability to collect and use employees’ MVRs is the federal Driver’s Privacy Protection Act (DPPA) of 1994. That law restricts state DMVs from disclosing personally identifiable driver records without first obtaining the driver’s expressed written consent.
The DPPA provides a few exceptions that allow fleet managers to obtain driving records for the purposes of screening employees. For instance, the law authorizes state DMVs to disclose motor vehicle records for purposes related to “safety or the operation of a motor vehicle.” State DMVs may disclose MVRs to anyone who has obtained the consent of the person whose records are sought.
However, even if a company lawfully obtains MVRs, there is a risk in doing so. The DPPA authorizes individuals to file civil lawsuits against any entity that lawfully obtains a MVR check and then re-discloses or misuses the information it contains. The statute allows a plaintiff to sue for actual and punitive damages, attorney’s fees, costs and equitable relief — such as a court order to cease further misuse or unauthorized disclosure of driving records.
Surprisingly, the DPPA does not regulate the disclosure of information about vehicular accidents or traffic violations, but rather only “personal information,” such as an individual’s photograph, Social Security number, driver identification number, name, telephone number and medical or disability information. Thus, a company does not violate the DPPA if it shares an employee’s or applicant’s driving history with supervisors, managers, or outside fleet management companies.
Finally, companies need to be aware that the primary purpose of the DPPA is preventing the misuse of driver information for commercial and criminal purposes. The onus is on the company to carefully ensure that the personal information contained in driving records is not accessible to third parties.