Privacy Policy
DriveShield Australia Pty Ltd
Effective Date: 29 June 2026 · Last Updated: 5 July 2026
DriveShield Australia Pty Ltd (“DriveShield”, “we”, “us”, “our”) is bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This Policy explains how we collect, hold, use, and disclose personal information, and how you can exercise your privacy rights.
1. About DriveShield
DriveShield operates a shared driver risk intelligence network (the “Network”) for Australian car rental and vehicle hire operators. The Network enables member operators to contribute driver incident records and to query the Network to receive a risk result before completing a rental.
DriveShield Australia Pty Ltd (ACN 698 621 313) is registered in Victoria, Australia.
Privacy Officer — DriveShield Australia
Email: info@driveshieldaustralia.com · Website: www.driveshieldaustralia.com
2. What Personal Information We Collect
2.1 Driver Information
DriveShield holds the following personal information about drivers:
- Full legal name
- Date of birth
- Driver licence number and issuing state (processed as a one-way cryptographic hash — see below)
- Incident records — incident category, date, and risk result classification (CLEAR, CAUTION, or HIGH RISK). Incident categories are strictly limited to: Vehicle Damage, Theft, Fraud/False Details, and Aggressive Behaviour.
DriveShield does not hold driver addresses, email addresses, phone numbers, payment card or financial account details, photographs, scanned identity documents, health or medical information, or racial, ethnic, or cultural origin.
Driver licence numbers are government-related identifiers (APP 9). DriveShield processes licence numbers using a one-way cryptographic hash (HMAC-SHA256) before storage — the raw licence number is not retained in any DriveShield system and cannot be recovered or disclosed.
2.2 Operator Information
DriveShield holds the following information about member operators and their representatives:
- Business name, ABN, and registered address
- Contact names, email addresses, and phone numbers of authorised representatives
- User account details (name, email address, and assigned role)
- System access and audit logs
2.3 Website Visitors
When you visit www.driveshieldaustralia.com, we may collect your IP address, browser type, pages visited, time on site, and any information you submit through a contact or enquiry form.
3. How We Collect Personal Information
3.1 Driver Information (APP 3, APP 5)
DriveShield collects only the minimum personal information necessary for the Network’s purpose (APP 3 — collection limitation). DriveShield does not collect personal information from drivers directly. Driver information is contributed to the Network by member operators who have an existing relationship with the driver — typically through a vehicle rental agreement.
Before sharing a driver’s information with the Network, each member operator is required to provide the driver with a Privacy Collection Notice at the time of booking (APP 5 — notification of collection). That notice must identify DriveShield by name, describe the categories of information shared, explain the purpose of collection, and describe the driver’s access and correction rights. A copy of the standard Privacy Collection Notice template is available on request from info@driveshieldaustralia.com.
3.2 Operator Information (APP 3)
We collect operator information when a business applies to join the Network, during onboarding, and in the course of our ongoing membership relationship. Only information necessary for account administration, invoicing, and secure access to the Network is collected.
3.3 Website Visitors
We collect website visitor information automatically through standard web server logs and, where applicable, through cookies or similar tracking technologies. See clause 9 for details.
3.4 Anonymity and Pseudonymity (APP 2)
Under APP 2, individuals have a general right to interact with entities anonymously or pseudonymously where practicable. Anonymity and pseudonymity are not practicable for the core function of the Network: driver risk queries require a consistent identifier (driver licence number) to match incident records across member operators. DriveShield minimises this impact by hashing licence numbers before storage — the raw number is not retained — and by limiting the information returned to a risk classification only.
3.5 Unsolicited Personal Information (APP 4)
If DriveShield receives personal information that was not solicited and that could not have been collected in accordance with this Policy, DriveShield will destroy or de-identify that information as soon as practicable, provided it is lawful and reasonable to do so. DriveShield’s platform is configured to reject submissions containing data fields outside the permitted set — such submissions are not stored.
4. Why We Collect and Use Personal Information (APP 6)
Under APP 6, DriveShield will only use and disclose personal information for the primary purpose for which it was collected, or a directly related secondary purpose. Personal information is never used or disclosed for an unrelated purpose without prior consent.
4.1 Driver Information
We hold driver personal information for the sole purpose of enabling member operators to assess driver risk before entering into a vehicle rental agreement. Specifically:
- to store and maintain incident records submitted by member operators;
- to return a risk result (CLEAR, CAUTION, or HIGH RISK) in response to a query from a member operator;
- to notify operators of corrections, updates, or removals to records they have previously queried; and
- to process access requests, correction requests, and complaints submitted by drivers.
We will not use driver personal information for any other purpose without the driver’s consent, unless otherwise permitted or required by law.
4.2 Operator Information
We use operator information to administer membership accounts and access, invoice and manage membership fees, communicate about the Network and policy updates, and comply with our legal and contractual obligations.
4.3 Website Visitors
We use website visitor information to operate and improve our website, respond to enquiries, and monitor website security.
4.4 Direct Marketing Prohibition (APP 7)
DriveShield does not use driver personal information, operator contact details, or query results for direct marketing purposes. Personal information held by DriveShield will not be used to send unsolicited commercial messages or to target individuals with advertising. Member operators are contractually prohibited from using query results for any direct marketing purpose.
4.5 Automated Decision-Making and Risk Scoring
DriveShield uses an automated system to calculate a risk classification for each driver query. This system constitutes automated decision-making that may significantly affect an individual, and DriveShield discloses it in accordance with the Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024.
How the system works. When a member operator submits a query, the system retrieves any verified incident records associated with the driver’s hashed licence number. Each record is automatically assigned a severity level based solely on the incident category — operators do not select a severity level. The system then calculates a cumulative risk score and returns one of three classifications:
- CLEAR — no verified incident records found.
- CAUTION — one or more verified incident records with a low cumulative risk score.
- HIGH RISK — a cumulative risk score above the defined threshold, or at least one verified record in a category (such as Theft or Fraud) that triggers an immediate HIGH RISK classification regardless of score.
What the result means. The risk classification is returned to the querying operator only. DriveShield does not make a rental decision — that decision is made solely by the member operator. The classification is an input to the operator’s decision, not a determination by DriveShield.
Human oversight. All newly submitted incident records are placed in a pending queue and reviewed by a DriveShield administrator before they are verified and included in any risk score. Incident records are not scored until they have been manually approved. Drivers may also challenge any incident record through the correction process described in clause 10.2 — a successful challenge results in the record being corrected or removed, and the risk score recalculated accordingly.
Requesting review. If you believe your risk classification is incorrect, you may submit a correction request under clause 10.2. DriveShield will investigate and, where the records underlying the classification are found to be inaccurate or incomplete, correct them and notify you of the updated classification.
4.6 Data Quality (APP 10)
DriveShield takes reasonable steps to ensure that all personal information it holds is accurate, up to date, complete, and not misleading, having regard to the purpose for which it is used (APP 10). Quality controls include:
- All newly submitted incident records are held in a pending approval queue and reviewed by a DriveShield administrator before they affect any risk score — no unverified record is included in scoring;
- Incident categories are strictly defined — submissions referencing categories outside the permitted set (Vehicle Damage, Theft, Fraud/False Details, Aggressive Behaviour) are rejected by the platform;
- Any operator submitting an incident record must acknowledge they have firsthand knowledge of the incident and that the information is accurate and complete;
- Drivers may request correction of any inaccurate, out-of-date, incomplete, irrelevant, or misleading record under clause 10.2; and
- Incident records are automatically expired and deleted three years from the date of the most recent incident record, ensuring outdated information is not retained.
5. Disclosure of Personal Information
5.1 Member Operators — Query Results
When a member operator submits a driver query, the risk result classification (CLEAR, CAUTION, or HIGH RISK) is displayed on screen immediately within the operator portal. A confirmation email is also sent to the querying operator as a record of the query and result — this applies to all three result types. Where the result is CAUTION or HIGH RISK, the relevant incident category or categories are included in both the on-screen result and the confirmation email. Any unverified incident records associated with the driver are shown in the result for transparency but are explicitly excluded from the risk score.
DriveShield does not disclose the identity of the operator or operators who submitted a record. Member operators are contractually bound to use query results only for the purpose of assessing driver risk in connection with a vehicle rental decision and are prohibited from using results for any other purpose.
5.2 Service Providers
DriveShield may share personal information with third-party service providers engaged to support platform operations, including cloud infrastructure, email delivery, and information security services. All service providers are required to handle personal information in accordance with the Privacy Act 1988 (Cth) and DriveShield’s written instructions, and are contractually prohibited from using information for their own purposes.
5.3 Legal and Regulatory Disclosure
DriveShield may disclose personal information where required by law, a court order, or a request from a regulatory body with appropriate jurisdiction (including the Office of the Australian Information Commissioner), or where disclosure is necessary to prevent or respond to a serious and imminent threat to health or safety.
5.4 No Sale of Personal Information
DriveShield will not sell, rent, or commercially deal individual personal information to any third party under any circumstances.
6. Cross-Border Disclosure
All personal information held by DriveShield is stored and processed within Australia, on cloud infrastructure hosted in the AWS Sydney region (ap-southeast-2). DriveShield will not transfer personal information outside Australia without the prior written consent of the relevant individual and compliance with APP 8 of the Privacy Act 1988 (Cth).
7. How We Protect Personal Information (APP 11)
DriveShield implements and maintains the following technical and organisational security measures in accordance with APP 11:
- encryption of data at rest and in transit using AES-256 and TLS 1.2 or higher;
- one-way cryptographic hashing (HMAC-SHA256) of all driver licence numbers — raw licence numbers are never stored and cannot be reconstructed;
- role-based access controls limiting access to personal information to authorised DriveShield personnel only;
- access logging and audit trails for all access to the Network database;
- multi-factor authentication (MFA) required for all operator portal accounts;
- rate limiting on all query endpoints to prevent automated enumeration;
- automated nightly expiry and deletion of incident records three years after the most recent incident date (APP 11 — minimum retention with automated enforcement);
- annual penetration testing conducted by an independent specialist; and
- an incident response plan reviewed and tested on a quarterly basis.
DriveShield’s information security practices are aligned with the Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies.
8. Retention of Personal Information
| Information type | Retention period |
|---|---|
| Driver incident records | 3 years from the date of the most recent incident record, or until correction or deletion is confirmed |
| Operator account records | Duration of membership plus 7 years |
| Network query logs | 7 years from the date of the query |
| Website visitor logs | 12 months |
| Correspondence and complaints | 7 years |
When personal information is no longer required for any lawful purpose, DriveShield will securely delete or de-identify it.
9. Cookies and Website Tracking
Our website at www.driveshieldaustralia.com may use cookies or similar technologies to maintain session state, analyse website traffic using aggregated and anonymous data, and improve website functionality.
You may configure your browser to refuse cookies or to alert you when cookies are being set. Disabling cookies may affect some website features. We do not use cookies to track individuals across third-party websites or for targeted advertising purposes.
10. Your Privacy Rights
10.1 Right of Access (APP 12)
You have the right to request access to personal information DriveShield holds about you, including any incident records associated with your driver licence number.
To make an access request:
- Email: info@driveshieldaustralia.com — subject line “Privacy Access Request”.
Your request must include your full legal name, driver licence number, and issuing state. You will need to verify your identity (by providing a copy of a current driver licence or passport) before we release any information. We will respond within 30 days of receiving your verified request.
We do not charge a fee for access requests. In some circumstances we may decline to provide access — for example, where providing access would reveal the identity of another individual. Where we decline access, we will provide written reasons and advise you of your right to complain to the OAIC.
10.2 Right to Correction (APP 13)
If you believe that personal information DriveShield holds about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request correction.
To make a correction request:
- Email: info@driveshieldaustralia.com — subject line “Privacy Correction Request”.
Please include a description of what you believe is incorrect and, where possible, any supporting documentation (such as a police report, rental agreement, or statutory declaration). We will investigate and notify you of the outcome within 30 days. Full details of our investigation process are set out in our Driver Access, Correction, and Complaints Process, available on request.
11. Notifiable Data Breaches
If DriveShield becomes aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- take immediate steps to contain and remediate the breach;
- notify affected individuals as soon as practicable; and
- notify the OAIC in accordance with the Notifiable Data Breach (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
12. Complaints
12.1 Internal Complaints Process
If you believe DriveShield has handled your personal information in a manner that does not comply with the Privacy Act 1988 (Cth) or this Privacy Policy, you may lodge a complaint with us.
Step 1 — Contact us. Email info@driveshieldaustralia.com with the subject line “Privacy Complaint”. Include your name and contact details, a description of the conduct or decision you are concerned about, and the outcome you are seeking. We will acknowledge your complaint within 5 business days and provide a written response within 30 days.
Step 2 — If not resolved. If you are not satisfied with our response, or if we fail to respond within 30 days, you may escalate your complaint to the OAIC.
12.2 Office of the Australian Information Commissioner (OAIC)
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
The OAIC can investigate complaints about alleged breaches of the APPs and may make determinations, including ordering remedies. There is no charge to lodge a complaint with the OAIC.
13. Australian Privacy Principles — Compliance Summary
DriveShield is bound by all 13 Australian Privacy Principles under the Privacy Act 1988 (Cth). The table below summarises how each APP is addressed and where in this Policy it is covered.
| APP | Principle | How DriveShield Complies | Policy Section |
|---|---|---|---|
| APP 1 | Open and transparent management | This Privacy Policy is published at www.driveshieldaustralia.com/privacy and updated whenever practices change. | §1, §14 |
| APP 2 | Anonymity / pseudonymity | Anonymity is not practicable for risk queries; impact minimised by HMAC-SHA256 hashing of licence numbers. | §3.4 |
| APP 3 | Collection of solicited PI | Only minimum necessary data collected (name, DOB, licence, incident category/date). Address, phone, photo, financial data not collected. | §2, §3.1, §3.2 |
| APP 4 | Dealing with unsolicited PI | Platform rejects data fields outside the permitted set at submission. Unsolicited data is not stored. | §3.5 |
| APP 5 | Notification of collection | Operators must provide drivers with a DriveShield Privacy Collection Notice before submitting any incident record. | §3.1 |
| APP 6 | Use or disclosure of PI | Driver data used solely for pre-rental risk assessment. Operators contractually prohibited from any secondary use. | §4, §5 |
| APP 7 | Direct marketing | Driver personal information and query results are never used for direct marketing. Explicit prohibition applies. | §4.4 |
| APP 8 | Cross-border disclosure | All data stored and processed on AWS Sydney (ap-southeast-2). No overseas transfer without written consent. | §6 |
| APP 9 | Government-related identifiers | Driver licence numbers processed via HMAC-SHA256 before storage. Raw licence number never retained or disclosed. | §2.1, §7 |
| APP 10 | Quality of personal information | Admin approval queue before any record is scored; strict incident categories; automated 3-year expiry. | §4.6 |
| APP 11 | Security of personal information | AES-256, TLS, HMAC hashing, RBAC, MFA, audit logs, rate limiting, pen testing, automated expiry. | §7 |
| APP 12 | Access to personal information | Drivers may request access to their records; response within 30 days; identity verification required. | §10.1 |
| APP 13 | Correction of personal information | Drivers may request correction; investigation within 30 days; operators notified of upheld corrections. | §10.2 |
14. Changes to This Policy
DriveShield may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or technology. When material changes are made, we will update the “Last Updated” date at the top of this Policy. Where required, we will notify affected individuals or member operators directly.
15. Contact
DriveShield Australia Pty Ltd
Privacy Officer
Email: info@driveshieldaustralia.com
Website: www.driveshieldaustralia.com
DriveShield Australia Pty Ltd (ACN 698 621 313) is registered in Victoria, Australia.