DS
DriveShield.
← Back to Home

Privacy Policy

DriveShield Australia Pty Ltd

Effective Date: 29 June 2026 · Last Updated: 5 July 2026

DriveShield Australia Pty Ltd (“DriveShield”, “we”, “us”, “our”) is bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This Policy explains how we collect, hold, use, and disclose personal information, and how you can exercise your privacy rights.

1. About DriveShield

DriveShield operates a shared driver risk intelligence network (the “Network”) for Australian car rental and vehicle hire operators. The Network enables member operators to contribute driver incident records and to query the Network to receive a risk result before completing a rental.

DriveShield Australia Pty Ltd (ACN 698 621 313) is registered in Victoria, Australia.

Privacy Officer — DriveShield Australia

Email: info@driveshieldaustralia.com · Website: www.driveshieldaustralia.com

2. What Personal Information We Collect

2.1 Driver Information

DriveShield holds the following personal information about drivers:

DriveShield does not hold driver addresses, email addresses, phone numbers, payment card or financial account details, photographs, scanned identity documents, health or medical information, or racial, ethnic, or cultural origin.

Driver licence numbers are government-related identifiers (APP 9). DriveShield processes licence numbers using a one-way cryptographic hash (HMAC-SHA256) before storage — the raw licence number is not retained in any DriveShield system and cannot be recovered or disclosed.

2.2 Operator Information

DriveShield holds the following information about member operators and their representatives:

2.3 Website Visitors

When you visit www.driveshieldaustralia.com, we may collect your IP address, browser type, pages visited, time on site, and any information you submit through a contact or enquiry form.

3. How We Collect Personal Information

3.1 Driver Information (APP 3, APP 5)

DriveShield collects only the minimum personal information necessary for the Network’s purpose (APP 3 — collection limitation). DriveShield does not collect personal information from drivers directly. Driver information is contributed to the Network by member operators who have an existing relationship with the driver — typically through a vehicle rental agreement.

Before sharing a driver’s information with the Network, each member operator is required to provide the driver with a Privacy Collection Notice at the time of booking (APP 5 — notification of collection). That notice must identify DriveShield by name, describe the categories of information shared, explain the purpose of collection, and describe the driver’s access and correction rights. A copy of the standard Privacy Collection Notice template is available on request from info@driveshieldaustralia.com.

3.2 Operator Information (APP 3)

We collect operator information when a business applies to join the Network, during onboarding, and in the course of our ongoing membership relationship. Only information necessary for account administration, invoicing, and secure access to the Network is collected.

3.3 Website Visitors

We collect website visitor information automatically through standard web server logs and, where applicable, through cookies or similar tracking technologies. See clause 9 for details.

3.4 Anonymity and Pseudonymity (APP 2)

Under APP 2, individuals have a general right to interact with entities anonymously or pseudonymously where practicable. Anonymity and pseudonymity are not practicable for the core function of the Network: driver risk queries require a consistent identifier (driver licence number) to match incident records across member operators. DriveShield minimises this impact by hashing licence numbers before storage — the raw number is not retained — and by limiting the information returned to a risk classification only.

3.5 Unsolicited Personal Information (APP 4)

If DriveShield receives personal information that was not solicited and that could not have been collected in accordance with this Policy, DriveShield will destroy or de-identify that information as soon as practicable, provided it is lawful and reasonable to do so. DriveShield’s platform is configured to reject submissions containing data fields outside the permitted set — such submissions are not stored.

4. Why We Collect and Use Personal Information (APP 6)

Under APP 6, DriveShield will only use and disclose personal information for the primary purpose for which it was collected, or a directly related secondary purpose. Personal information is never used or disclosed for an unrelated purpose without prior consent.

4.1 Driver Information

We hold driver personal information for the sole purpose of enabling member operators to assess driver risk before entering into a vehicle rental agreement. Specifically:

We will not use driver personal information for any other purpose without the driver’s consent, unless otherwise permitted or required by law.

4.2 Operator Information

We use operator information to administer membership accounts and access, invoice and manage membership fees, communicate about the Network and policy updates, and comply with our legal and contractual obligations.

4.3 Website Visitors

We use website visitor information to operate and improve our website, respond to enquiries, and monitor website security.

4.4 Direct Marketing Prohibition (APP 7)

DriveShield does not use driver personal information, operator contact details, or query results for direct marketing purposes. Personal information held by DriveShield will not be used to send unsolicited commercial messages or to target individuals with advertising. Member operators are contractually prohibited from using query results for any direct marketing purpose.

4.5 Automated Decision-Making and Risk Scoring

DriveShield uses an automated system to calculate a risk classification for each driver query. This system constitutes automated decision-making that may significantly affect an individual, and DriveShield discloses it in accordance with the Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024.

How the system works. When a member operator submits a query, the system retrieves any verified incident records associated with the driver’s hashed licence number. Each record is automatically assigned a severity level based solely on the incident category — operators do not select a severity level. The system then calculates a cumulative risk score and returns one of three classifications:

What the result means. The risk classification is returned to the querying operator only. DriveShield does not make a rental decision — that decision is made solely by the member operator. The classification is an input to the operator’s decision, not a determination by DriveShield.

Human oversight. All newly submitted incident records are placed in a pending queue and reviewed by a DriveShield administrator before they are verified and included in any risk score. Incident records are not scored until they have been manually approved. Drivers may also challenge any incident record through the correction process described in clause 10.2 — a successful challenge results in the record being corrected or removed, and the risk score recalculated accordingly.

Requesting review. If you believe your risk classification is incorrect, you may submit a correction request under clause 10.2. DriveShield will investigate and, where the records underlying the classification are found to be inaccurate or incomplete, correct them and notify you of the updated classification.

4.6 Data Quality (APP 10)

DriveShield takes reasonable steps to ensure that all personal information it holds is accurate, up to date, complete, and not misleading, having regard to the purpose for which it is used (APP 10). Quality controls include:

5. Disclosure of Personal Information

5.1 Member Operators — Query Results

When a member operator submits a driver query, the risk result classification (CLEAR, CAUTION, or HIGH RISK) is displayed on screen immediately within the operator portal. A confirmation email is also sent to the querying operator as a record of the query and result — this applies to all three result types. Where the result is CAUTION or HIGH RISK, the relevant incident category or categories are included in both the on-screen result and the confirmation email. Any unverified incident records associated with the driver are shown in the result for transparency but are explicitly excluded from the risk score.

DriveShield does not disclose the identity of the operator or operators who submitted a record. Member operators are contractually bound to use query results only for the purpose of assessing driver risk in connection with a vehicle rental decision and are prohibited from using results for any other purpose.

5.2 Service Providers

DriveShield may share personal information with third-party service providers engaged to support platform operations, including cloud infrastructure, email delivery, and information security services. All service providers are required to handle personal information in accordance with the Privacy Act 1988 (Cth) and DriveShield’s written instructions, and are contractually prohibited from using information for their own purposes.

5.3 Legal and Regulatory Disclosure

DriveShield may disclose personal information where required by law, a court order, or a request from a regulatory body with appropriate jurisdiction (including the Office of the Australian Information Commissioner), or where disclosure is necessary to prevent or respond to a serious and imminent threat to health or safety.

5.4 No Sale of Personal Information

DriveShield will not sell, rent, or commercially deal individual personal information to any third party under any circumstances.

6. Cross-Border Disclosure

All personal information held by DriveShield is stored and processed within Australia, on cloud infrastructure hosted in the AWS Sydney region (ap-southeast-2). DriveShield will not transfer personal information outside Australia without the prior written consent of the relevant individual and compliance with APP 8 of the Privacy Act 1988 (Cth).

7. How We Protect Personal Information (APP 11)

DriveShield implements and maintains the following technical and organisational security measures in accordance with APP 11:

DriveShield’s information security practices are aligned with the Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies.

8. Retention of Personal Information

Information typeRetention period
Driver incident records3 years from the date of the most recent incident record, or until correction or deletion is confirmed
Operator account recordsDuration of membership plus 7 years
Network query logs7 years from the date of the query
Website visitor logs12 months
Correspondence and complaints7 years

When personal information is no longer required for any lawful purpose, DriveShield will securely delete or de-identify it.

9. Cookies and Website Tracking

Our website at www.driveshieldaustralia.com may use cookies or similar technologies to maintain session state, analyse website traffic using aggregated and anonymous data, and improve website functionality.

You may configure your browser to refuse cookies or to alert you when cookies are being set. Disabling cookies may affect some website features. We do not use cookies to track individuals across third-party websites or for targeted advertising purposes.

10. Your Privacy Rights

10.1 Right of Access (APP 12)

You have the right to request access to personal information DriveShield holds about you, including any incident records associated with your driver licence number.

To make an access request:

Your request must include your full legal name, driver licence number, and issuing state. You will need to verify your identity (by providing a copy of a current driver licence or passport) before we release any information. We will respond within 30 days of receiving your verified request.

We do not charge a fee for access requests. In some circumstances we may decline to provide access — for example, where providing access would reveal the identity of another individual. Where we decline access, we will provide written reasons and advise you of your right to complain to the OAIC.

10.2 Right to Correction (APP 13)

If you believe that personal information DriveShield holds about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request correction.

To make a correction request:

Please include a description of what you believe is incorrect and, where possible, any supporting documentation (such as a police report, rental agreement, or statutory declaration). We will investigate and notify you of the outcome within 30 days. Full details of our investigation process are set out in our Driver Access, Correction, and Complaints Process, available on request.

11. Notifiable Data Breaches

If DriveShield becomes aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

12. Complaints

12.1 Internal Complaints Process

If you believe DriveShield has handled your personal information in a manner that does not comply with the Privacy Act 1988 (Cth) or this Privacy Policy, you may lodge a complaint with us.

Step 1 — Contact us. Email info@driveshieldaustralia.com with the subject line “Privacy Complaint”. Include your name and contact details, a description of the conduct or decision you are concerned about, and the outcome you are seeking. We will acknowledge your complaint within 5 business days and provide a written response within 30 days.

Step 2 — If not resolved. If you are not satisfied with our response, or if we fail to respond within 30 days, you may escalate your complaint to the OAIC.

12.2 Office of the Australian Information Commissioner (OAIC)

Office of the Australian Information Commissioner

Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001

The OAIC can investigate complaints about alleged breaches of the APPs and may make determinations, including ordering remedies. There is no charge to lodge a complaint with the OAIC.

13. Australian Privacy Principles — Compliance Summary

DriveShield is bound by all 13 Australian Privacy Principles under the Privacy Act 1988 (Cth). The table below summarises how each APP is addressed and where in this Policy it is covered.

APPPrincipleHow DriveShield CompliesPolicy Section
APP 1Open and transparent managementThis Privacy Policy is published at www.driveshieldaustralia.com/privacy and updated whenever practices change.§1, §14
APP 2Anonymity / pseudonymityAnonymity is not practicable for risk queries; impact minimised by HMAC-SHA256 hashing of licence numbers.§3.4
APP 3Collection of solicited PIOnly minimum necessary data collected (name, DOB, licence, incident category/date). Address, phone, photo, financial data not collected.§2, §3.1, §3.2
APP 4Dealing with unsolicited PIPlatform rejects data fields outside the permitted set at submission. Unsolicited data is not stored.§3.5
APP 5Notification of collectionOperators must provide drivers with a DriveShield Privacy Collection Notice before submitting any incident record.§3.1
APP 6Use or disclosure of PIDriver data used solely for pre-rental risk assessment. Operators contractually prohibited from any secondary use.§4, §5
APP 7Direct marketingDriver personal information and query results are never used for direct marketing. Explicit prohibition applies.§4.4
APP 8Cross-border disclosureAll data stored and processed on AWS Sydney (ap-southeast-2). No overseas transfer without written consent.§6
APP 9Government-related identifiersDriver licence numbers processed via HMAC-SHA256 before storage. Raw licence number never retained or disclosed.§2.1, §7
APP 10Quality of personal informationAdmin approval queue before any record is scored; strict incident categories; automated 3-year expiry.§4.6
APP 11Security of personal informationAES-256, TLS, HMAC hashing, RBAC, MFA, audit logs, rate limiting, pen testing, automated expiry.§7
APP 12Access to personal informationDrivers may request access to their records; response within 30 days; identity verification required.§10.1
APP 13Correction of personal informationDrivers may request correction; investigation within 30 days; operators notified of upheld corrections.§10.2

14. Changes to This Policy

DriveShield may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or technology. When material changes are made, we will update the “Last Updated” date at the top of this Policy. Where required, we will notify affected individuals or member operators directly.

15. Contact

DriveShield Australia Pty Ltd

Privacy Officer
Email: info@driveshieldaustralia.com
Website: www.driveshieldaustralia.com

DriveShield Australia Pty Ltd (ACN 698 621 313) is registered in Victoria, Australia.