In addition to federal laws, Virginia has some of the strictest consumer data protection laws in the country.
These laws control how DMV protects and discloses your information.
The Driver's Privacy Protection Act (DPPA) is a federal law that protects personal identifying information such as photographs, Social Security numbers and medical information from release, except in certain identified circumstances.
Under state law, personal information, as well as vehicle information and driver information, is considered privileged, and may not be released without the requester meeting certain criteria identified in Va. Code § 46.2-208.
Va. Code § 2.2-3801 states that personal information includes:
- Data that describes, locates or indexes anything about an individual including, but not limited to, their Social Security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and their education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record.
- Data that affords a basis for inferring personal characteristics of the individual, such as finger and voice prints, photographs, or things done by or to such individual; and the record of their presence, registration, or membership in an organization or activity, or admission to an institution.
DMV only releases customer information when permitted or mandated by the federal and state laws cited above.
Releasing data stored in DMV databases provides many benefits to consumers, such as:
- Enabling manufacturers to identify customers with recalled vehicles
- Helping employees seeking driving-related job positions
- Helping customers requesting insurance quotes to demonstrate their safe driving record
- Assisting prospective purchasers by developing vehicle history reports
Under the law, DMV may share data for the limited purposes listed here.
- For use in connection with matters of motor vehicle or driver safety and theft, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, motor vehicle emissions, motor vehicle product alterations, recalls or advisories. This provision is mandatory, and DMV must release information for these purposes. 18 U.S.C. § 2721(b); Va. Code § 46.2-209.
- For use by any government agency, including any court or law enforcement agency, in carrying out its functions. 18 U.S.C. § 2721(b)(1). Under the Virginia law, DMV may refuse to release data to a government entity if the entity does not establish sufficient authority to show that the purpose for which the information will be used is one of the requester's official functions. Va. Code § 46.2-208(B)(9).
- For use in connection with motor vehicle market research activities, including survey research. 18 U.S.C. § 2721(b)(2); 18 U.S.C. § 2721(b)(5); Va. Code § 46.2-209. Data released under this provision may not be used for the solicitation of sales.
- To the data subject, his guardian or authorized agent, or to the parent of a minor child. In addition, vehicle information may be released to the vehicle owner. Va. Code § 46.2-208(B)(4).
- To verify or correct the accuracy of information provided by a business for use in the conduct of its business. Personal information released under this provision may be used only for the purpose of pursuing remedies that require locating an individual. 18 U.S.C. § 2721(b)(3); Va. Code § 46.2-208(B)(6).
- For use in connection with any civil, criminal, administrative, or arbitral proceeding in any court or agency or before any self-regulatory body pursuant to a court order or subpoena. 18 U.S.C. § 2721(b)(4); Va. Code § 46.2-208(B)(9).
- For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting. 18 U.S.C. § 2721(b)(6); Va. Code § 46.2-208(B)(5); Va. Code § 46.2-208(B)(18).
- Vehicle information may be released to a business organization, without personal information, upon written request. Va. Code § 46.2-208(B)(7).
- For use in providing notice to the owners of towed or impounded vehicles. 18 U.S.C. § 2721(b)(7); Va. Code § 46.2-644.03.
- For use by any licensed private investigative agency or licensed security service for any purpose permitted by the Driver's Privacy Protection Act. 18 U.S.C. § 2721(b)(8). The Virginia law narrows this provision further by requiring that the compliance agent be licensed by the Virginia Department of Criminal Justice Services and limits release to the name and address of a vehicle owner. Va. Code § 46.2-208(B)(20).
- To obtain driving information of license holders by employers and prospective employers. 18 U.S.C. § 2721(b)(9); Va. Code § 46.2-208(B)(11). Employees and prospective employees who do not hold a commercial driver's license must provide consent prior to DMV releasing any driving data.
- For certain identified charitable organizations to obtain driving information for volunteers with the consent of the individual. Va. Code § 46.2-208(B)(12) through Va. Code § 46.2-208(B)(14).
- For use in connection with the operation of toll facilities, traffic light photo-monitoring systems, video monitoring systems or photo speed monitoring, DMV may release vehicle owner information. 18 U.S.C. § 2721(b)(10); Va. Code § 46.2-208(B)(21); Va. Code § 46.2-208(B)(31); Va. Code § 46.2-208(B)(32).
- Medical information may only be released to a physician, physician assistant or nurse practitioner in accordance with a proceeding under Va. Code §§ 46.2-321 and 46.2-322.
- Driving information may be shared with motor vehicle rental and leasing companies. Va. Code § 46.2-208(B)(8).
- The name and address of the owner of a vehicle involved in a crash may be released to an attorney representing a party involved in the crash. Va. Code § 46.2-208(B)(17).
Without a court order, DMV may not share the following data with any entity other than the data subject or their representative:
- Proof documents that customers present to get a driver's license or identification card.
- The indicator within DMV's records reflecting the type of proof documents presented to get a DMV credential, except when needed for voter registration purposes under Va. Code § 46.2-208.1.
- The application customers fill out to get a DMV credential.
- Bulk release of photographs. While government entities and law enforcement may request individual photographs for official use under Va. Code § 46.2-208(B)(9), DMV may not allow access to all photographs for search purposes to any entity.
Work units within DMV are responsible for reviewing any request for data and determining if the requester is entitled to the information under the law. If a statutory exception permits the requester to receive DMV data, there are multiple ways that data may be securely transmitted.
Customers making small or individual requests may get records by mail. The requester will be required to provide the reason for the request and certify the information they provide DMV is true and accurate. The most common method of individual data requests is through the Information Request form.
DMV will not routinely email customer information to a requester, as regular email is not a secure method to release DMV records containing personal information. DMV does, however, have access to a secure electronic mail service that may be used upon request.
Data requesters seeking information from DMV's records on a regular basis must enter into a use agreement with DMV before getting electronic access to customer information. This agreement creates the binding terms under which the requester may access data, including limiting use of the data to the permissible purpose under the law which allows the requester to receive the data.
Entities electronically accessing DMV's records must maintain sufficient protections to meet the DMV and Commonwealth information technology security requirements.
FOIA, Va. Code § 2.2-3700, et seq., identifies the circumstances under which a public body like DMV must produce records in response to a request.
Virginia Code § 2.2-3704 states all public records are open to the citizens of the Commonwealth "except as otherwise specifically provided by law." Pursuant to Va. Code § 46.2-208(A), all records containing personal, driver or vehicle information are considered privileged. DMV is not permitted to release such confidential information except in certain situations enumerated in Va. Code § 46.2-208(B).
In other words, data that is protected by the privacy laws described above may not be obtained by submitting a FOIA request to DMV.
A data broker is an entity that purchases and aggregates data from multiple sources for various end purposes.
DMV may not release customer data to a data broker for the purpose of the data broker aggregating and reselling the data for profit. As described above, DMV may not release any information from the agency's customer records without the requester establishing they have a permissible purpose under the law to receive and use the data.
DMV may not release data to be used solely for marketing purposes.
The privacy laws and DMV's procedures allow entities entitled to receive DMV data to do so using an authorized agent. The agent serves as a facilitator between DMV and the entity permitted to access DMV data, and the agent may not use the data for any other purpose. The agent is required to enter into an agreement with DMV, which restricts use of the data to the end user's authorized purpose. DMV refers to these agents as third-party service providers.
DMV recognizes that its obligation to protect customer data goes beyond requiring legal agreements to govern the requester's use of DMV data. DMV serves as the gatekeeper for our customers' records and takes that responsibility seriously. As such, the following protections are in place even after data is released to an authorized requester.
Tracking and Monitoring
Every time data is released from the customer database, DMV makes a notation in the individual's customer record to reflect what data was released, to whom, and for what purpose. Pursuant to the use agreement, entities electronically receiving DMV data must provide an explanation to DMV for each customer access upon request. The use agreement holder is also required to keep records to establish that each access was made for a permissible purpose for three years. DMV customers have the right to review information relating to the access of their records. DMV is in compliance with the requirements set forth in the Government Data Collection and Dissemination Practices Act, Va. Code § 2.2-3800, et seq.
DMV requires annual information technology security training for all of its employees and all individual users who have secure credentials to electronically access DMV's records. The training provides guidance on the proper ways to access DMV information in the course of business and explains the consequences of misuse and unauthorized access to DMV records. All DMV employees and data recipients are made aware of DMV's zero tolerance policy for accessing customer data without an authorized business purpose.
DMV's use agreements contain legal provisions that permit the agency to audit any recipient of DMV data at any time to ensure proper use of DMV's systems and information. DMV's Data Audit and Compliance work center is responsible for conducting onsite and paper-based audits of the entities who have permissible access to DMV's records to ensure all security and legal requirements are met. Entities that are found to be in violation of the DMV use agreement are subject to termination of their access to DMV records.
Although DMV has taken extensive steps to protect customer data from breach, misuse or fraud, it is possible that an unauthorized access may occur. DMV has an internal incident response protocol to ensure that immediate action is taken to terminate any unauthorized use, mitigate damage and notify affected parties.
Pursuant to Va. Code § 18.2-186.6, DMV must notify the individual whose data has been accessed, as well as the Office of the Attorney General, in the event that a customer record is viewed without a permissible business reason.
DMV is often asked by customers why the agency "sells customer information."
Pursuant to Va. Code § 46.2-208(C) and Va. Code § 46.2-214, DMV may "make a reasonable charge" for providing information from the Department's records. The Driver's Privacy Protection Act also permits state motor vehicle authorities to charge an administrative fee for releasing data. Data released to government entities must be provided free of charge if the data will be used for official purposes, and the entity does not charge DMV for data.
It is important to note, however, that DMV may not release customer data for the purpose of receiving a fee or raising revenue. DMV's authority to release data is controlled by the privacy statutes noted above, and no customer data may be released unless the requester meets the requirements set forth in the law.
While charging a fee for the production of data is authorized by both federal and state law, the revenue is used to cover the costs of accurately and securely maintaining the information and DMV's systems.
DMV incurs costs in the form of staffing and overhead relating to creating and updating the records, system programming, and information technology security and maintenance. DMV's data management department consists of over 40 individuals charged with reviewing, executing and renewing data use agreements, reviewing and maintaining the integrity of customer data, responding to customer requests for information, and auditing data use customers to ensure compliance with all contractual provisions. The Data Compliance and Audit work unit travels to data use customer locations to review processes and perform audits.
DMV also maintains a staff of information security specialists to protect DMV customer information from external or internal threats.
Finally, DMV incurs mainframe costs associated with maintaining and searching data through the state's information technology network.