The Privacy Act Reforms Every Car Rental Operator Needs to Know About
Australia's Privacy Act 1988 has undergone its most significant reform in a generation. For car rental operators — who collect and store licence scans, incident records, payment information, and booking histories — the implications are material and immediate.
What Changed
The reforms strengthen the Australian Privacy Principles (APPs) in several ways relevant to rental operators. The definition of personal information has been broadened. Obligations around data minimisation — collecting only what is necessary — have been tightened. Breach notification thresholds have been lowered. And penalties for non-compliance have increased significantly, with serious or repeated breaches now attracting penalties of up to $50 million for organisations.
For operators handling driver data, this creates both risk and opportunity. The risk: ad hoc, informal data practices that were previously tolerated are now more likely to attract scrutiny. The opportunity: operators who can demonstrate a structured, compliant data governance approach are better positioned with insurers, fleet financiers, and enterprise customers.
The Specific Obligations That Matter
Several APPs are directly relevant to day-to-day rental operations:
- APP 3 (Collection): You must only collect information that is reasonably necessary for your functions. Collecting a licence scan is legitimate; keeping it indefinitely without a retention policy is not.
- APP 5 (Notification): At the time of collection, drivers must be informed of how their data will be used and who it may be disclosed to.
- APP 6 (Use and Disclosure): Personal information may only be used for the purpose for which it was collected, or a directly related secondary purpose — unless consent is obtained.
- APP 11 (Security): Operators must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access.
- APP 13 (Correction): Individuals have the right to request correction of information held about them.
Why a Governed Network Is Safer Than Going Alone
One of the reform areas that operators find most challenging is APP 6 — specifically, whether sharing incident data with other operators constitutes a permissible secondary use. The short answer: it depends entirely on how the sharing is structured.
Informal data sharing — operators sending spreadsheets or making phone calls about specific drivers — is increasingly untenable under the strengthened framework. There's no documented consent, no defined retention period, no dispute mechanism, and no clear notification to the driver.
A governed network like DriveShield addresses all of these concerns by design. The Contributor Agreement defines the terms of data sharing. The Privacy Collection Notice (given to every driver at booking) discloses the possibility of incident reporting. The dispute resolution framework satisfies APP 13. And data is stored on Australian infrastructure with documented retention policies.
Practical Steps for Operators
Regardless of whether you join DriveShield, the privacy reforms require action:
- Review your Privacy Policy and update it to reflect current data practices.
- Audit what driver data you collect, how long you keep it, and who has access.
- Ensure your rental agreements include appropriate privacy collection notices.
- Establish a documented process for handling driver data access and correction requests.
- If you share driver data with any third parties (including informally with other operators), formalise that arrangement or cease it.
Our data governance framework was built with Privacy Act compliance as a foundation. Joining the network doesn't add compliance risk — it reduces it.