Record Production Fact Sheet
- The Driver Privacy Protection Act, 18 United States Code, Section 2721, keeps personal information private by limiting those who can have it.
- DPPA restricts public access to your social security number, driver license or identification card number, name, address, telephone number and medical or disability information, contained in motor vehicle and driver license records. Additionally, emergency contact information and email addresses are restricted pursuant to Section 119.0712(2), Florida Statutes.
- Florida, and every other state in the country, provide driver and motor vehicle records within the guidelines of the Federal Driver Privacy and Protection Act (DPPA).
- Under Florida law, motor vehicle and driver license information are public information.
- Requesting parties can request personal information only if they meet an exemption covered by law.
- While the federal Driver Privacy and Protection Act exemption 12 provides “For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains,” FLHSMV takes a more stringent policy and does not allow data to be distributed through its MOUs for this purpose.
- Unless explicitly permitted by law, requesting parties never receive highly restricted personal information including an individual’s photo, social security number, medical or disability information.
- The department automatically blocks personal information in all motor vehicle and driver license records maintained at the department.
- The department does not seek out requesting parties to produce records. Any protected personal information must meet very specific exemptions in order to be produced. Produced records cannot be used for any marketing purposes and each requesting party is still liable under the federal driver privacy and protection act to use the data in accordance with federal and state law.
- Every requesting party who submits a public records request for protected driver license and/or motor vehicle data must submit a statement of what records they are requesting and the matching federal Driver Privacy and Protection Act (DPPA) exemption. In order to receive the data, the requesting party must individually certify or enter into a Memorandum of Understanding (MOU) with the department. A certification and MOU outline the federal and state protections relating to the data, process for receiving the data, certification and attestation requirements and ramifications of any misuse. Not until a certification and MOU are signed by the head of the requesting party attesting that they understand and agree to comply with those regulations is data provided.
- Once an MOU is signed, the department requires an independent third-party audit on or before the first anniversary of the execution of the MOU. In addition, in years two and three, the requesting party must complete an Annual Certification Statement certifying it has adequate controls in place to protect the personal data from unauthorized access, distribution, use, modification, or disclosure, and is in full compliance with the MOU.
- The department implements several proactive controls within each MOU for data exchange with the department. Those controls include:
- The ability to immediately revoke a requesting party’s MOU in the event of any violation of the terms of the respective MOU;
- Inserting control records or “salting” the data;
- Requiring requesting parties to immediately report any discipline or terminations of agreements with any other jurisdictions;
- Requiring organizations to submit audits regularly to the department;
- Establishing liquidated damages per record, which may be imposed for DPPA violations or data breaches; and
- Per law, examples of requesting parties who may access personal information are:
- Law enforcement agencies
- Auto Manufacturers (for recalling vehicles or parts)
- Government agencies or entities (to verify safe driving history)
- Towing entities (to notify owners of towed or impounded vehicles)
- Any person or agency that has written permission by the individual
- Requesting parties, including media outlets, can request information under Florida’s public records laws. Each requesting party that receives and/or has access to protected data is still liable under the federal driver privacy and protection act to use the data in accordance with federal and state law.
- A U.S. District Court has ruled on this issue and explained FLHSMV’s duty and authority related to the security of driver and motor vehicle records.
- FLHSMV works with its national and state partners, including the American Association of Motor Vehicle Administrators (AAMVA) to communicate learned best practices. When appropriate, the department will report suspected misuse to other states or the Department of Justice.
- Customers with concerns regarding the dissemination of their information in accordance with state and federal law who would like FLHSMV to research those concerns may complete a complaint form or send their information to HSMV-Records@flhsmv.gov. Federal law allows for any injured party to sue for damages in federal court.
Dave Kerner, Executive Director