Skip Navigation Links
The Used Car Dealers Association of Ontario

416-231-2600 or 1-800-268-2598 or fax 416-232-0775

Used Car Dealers Association of Ontario   
Internal Privacy Audit

PIPEDA – The “Privacy Act”


You’ve probably heard about federal privacy protection legislation, known as the Personal Information Protection and Electronic Documents Act, or “PIPEDA” for short, which came into effect on January 1, 2004. PIPEDA applies to all commercial businesses, including motor vehicle dealers.


All businesses, including dealers, need to have the consent of individuals in order to collect, use or disclose “personal information”. PIPEDA defines Personal Information as “any information about an identifiable individual”, other than business information, relating to that individual.


Basic Principles


Dealers should be familiar with the ten principles which PIPEDA identifies and apply them to their business.


1. Accountability


One or more people should be designated as a “Privacy Officer” for the dealership. It is the Privacy Officer’s responsibility to ensure that only necessary personal information is being collected and that it is not being used or disclosed to others in ways that the individual has not consented to.


2. Identify Purposes


There should be good reasons why personal information is being collected. If there is no valid reason to collect personal information, don’t collect it.


3. Knowledge and Consent


The knowledge and consent of the individual is required prior to collecting, using or disclosing personal information.


4. Limiting Collection


The amount of personal information collected should be the minimum amount necessary to complete the business transaction between the dealer and the customer.


5. Limiting Use, Disclosure and Retention


Personal information should not be used or disclosed for purposes other than those for which it was collected, unless the individual consents or unless the use or disclosure is required by law. Personal information should only be retained long enough to fulfill those purposes or as required by law.


6. Accuracy


Personal information should be as accurate, complete and up-to-date as necessary for the purposes that it will be used. If personal information is being used for any purpose efforts should be made to ensure that its accuracy is maintained.


7. Safeguards


Security safeguards should be in place to ensure that personal information is not used or disclosed inappropriately. Individuals must give either express or implied consent to the use or disclosure of personal information.


8. Openness


Dealers are required to have details of their policies and procedures relating to personal information available on request. Anyone has the right to know how the dealership protects personal information.


9. Individual Access


Individuals have the right, on request, to access personal information about themselves held by the dealer and to know how the dealer has used or disclosed it. Individuals may have information changed where it is inaccurate.


10. Compliance Challenge


Individuals can challenge a dealer’s compliance with these principles to the Information and Privacy Commissioner of Canada. They may also commence a legal action if they believe their rights have been violated.



Internal Privacy Audit


In order to identify any problems that you may have complying with PIPEDA, dealers should conduct an internal “privacy audit”. This should be done by the Privacy Officer to identify what personal information is collected, and how it's used. If potential problems are found, they should be corrected immediately.


Following is the suggested format of a privacy audit.


Step 1. Identify what personal information you typically collect


Here are just a few examples of personal information:


• Name

• home address, phone number, personal cell/pager number, personal email, home fax

• drivers licence information

• insurance information,

• age/date of birth

• marital status, spouse and child information,

• language spoken

• education level

• occupation

• income

• banking information

• credit information

• social insurance number


Step 2. Determine if the collection of the information is necessary


The type of information that should be collected will vary, depending on the nature of the transaction. Following are some typical examples:


i) The retail sale of a vehicle to a consumer, without financing.


• name

• home address and home phone number,

• cell or pager number

• email addresses

• drivers licence number

• insurance information



ii) The retail sale with financing or lease of a vehicle to a consumer.


• items listed in i) above,

• employment

• banking

• credit history information

• birth date or SIN (for credit check)


iii) Repairs for a consumer.


• contact information (address, phone number, etc.)

• birth date (where lien needs to be registered)


iv) A test drive

• copy of drivers licence


Step 3. Limit the use, disclosure and retention of personal information.


Once the required information has been determined, the dealer is expected to take steps to ensure that the information is used only for those purposes necessary. This should not be difficult for most dealers, who currently will not be using personal information for reasons other than those required to complete the business transaction. However, to ensure that information is not misused, security mechanisms should be put in place, whether information is stored on paper or electronically.


Once information is no longer required, it should be destroyed or returned to the customer. In most cases, returning documents to the customer doesn’t make much sense. Most customers wouldn’t want them anyway. So, the best option is to destroy the information. Particularly in the case of sensitive information such as credit, income and financial information, shredding the documents may be advisable.


How long you need to keep information will depend on circumstances. OMVIC requires certain information be kept on vehicles sold for 6 years. For tax reasons, you could be required to provide records for up to seven years.


Where information was collected from someone who did not enter into any sort of transaction with you, it should be destroyed or deleted once it’s apparent that no deal will be done, unless you have consent from the individual to keep it, for example for future contact. More on consent later.


Step 4. Limiting Access to Personal Information


Access to work areas should be restricted to staff only. Where others are in areas where they could have access to personal information, either in documents or stored electronically, they should be supervised at all times.


Paperwork, such as bills of sale, lease agreements, credit applications or other documents containing personal information should not be left in places where unauthorized staff or others have access to it. If possible, paperwork containing personal information should be kept in secure storage, such as a locked filing cabinet.


Security passwords should be used to restrict access to personal information stored electronically, so only those authorized to access it may do so.


Step 5. Communicating personal information


Because email and fax communications are not considered by the Privacy Commissioner to be secure, it would be a good idea to get an individual’s consent before sending personal information by email or fax. The following simple clause could also be included in emails and faxes.


If you have received this in error, please destroy it and notify us as soon as possible.


Step 6. How long to keep Information


PIPEDA says that personal information should be kept only so long as is necessary for the purpose it was collected or as long as required by law. Legal requirements under the Motor Vehicle Dealers Act, 2002 require certain records to be kept as long as 6 years. Garage registers are required to be kept for 2 years. For tax audit purposes, information is required to be kept for 7 years. Beyond this time, there should generally be no reason to keep anyone’s personal information unless they have consented to it.


There is no reason to keep some sensitive personal information, such as shown on a credit report, after the data on it has been used to determine whether or not to provide financing.


Step 7. Providing Access to Third Parties


Without the consent of individuals, their personal information should not be disclosed to third parties unless necessary in order to process the business transaction involving the customer. Examples of situations where information must be disclosed to third parties include where financing is being applied for or where extended warranty or credit insurance is being purchased.


If a dealer wants to share information with parties other than those necessary to complete the transaction, the consent of the individual will be needed.


Dealers should ensure that the third party companies that they are sharing personal information with also have procedures in place to protect the personal information.


Step 8. Future Contact


Once the transaction is complete, there should be no further contact with the customer, unless they have provided their consent. This applies not only to third parties contacting the customer, but to the dealer as well. Consent should be obtained at the time of sale, lease or service, if the dealer wants to make future contact with a customer. Prior consent is not required where contact is required by law, for example, to inform a customer of a manufacturer's recall of a vehicle.



Obtaining Consent


It's clear that consent is a key element of PIPEDA. An individual’s consent to the collection, use or distribution of personal information may be obtained in any way, including verbally, but written consent is always better, as it prevents dispute over whether consent was truly given.


The formality of the consent required will vary, depending on circumstances. For example, consent to send promotional material or messages to an individual using personal information like email or home address will require less formality than consent to provide credit or income information to a third party.


The use of publicly available information to contact individuals, such as names, addresses and telephone numbers from a phone book, is permitted. However, anyone contacted must be given a clear “opt-out”, option, in order to stop unwanted future contact. For example, mailings sent out to customers or others should state that if the recipient no longer wishes to receive mailings from the dealer, that they should contact the dealer, in writing, at an address provided in the mailing requesting no further contact. Similar options should exist where the dealer uses fax, email or phone to contact customers.


Personal information that a dealership has collected prior to PIPEDA coming into effect does not need to be re-collected, but if it is to be used to contact people or disclosed to third parties, consent will be required if it has not already been obtained.



Bills of Sale


The most obvious place to obtain consent will be on the contract a customer signs when purchasing, or leasing, a vehicle. To help members, the UCDA Used Vehicle Bill of Sale, New Vehicle Bill of Sale and Lease Agreement each include a consent clause. Once signed, the clause provides the customer's consent to the sharing of personal information collected as part of the purchase and to future contact by the dealer and others the information is shared with. A similar clause should be included on lease agreements and service and repair work orders.


Where no bill of sale or other agreement has been signed, such as with a prospective customer, dealers and sales staff should be clear when obtaining information like address and phone number, that they have the consent of the individual to make follow-up contact. No one, who has asked not to be contacted, should be.


For more information on UCDA bills of sale and to order call Margi at (416) 231-2600 or 1 (800) 268-2598.





It is important for all dealers, large and small to perform the audit and become compliant with PIPEDA. Dealers who do not, risk having customers complain to the Privacy Commissioner. While it is the commissioner’s role to help resolve disputes, complaints which are viewed as serious and justified can be investigated and ultimately referred to Federal Court for a hearing.


Individuals may also bring a legal action against a dealer that has collected, used or disclosed personal information without consent. Even if the action is groundless, it can be costly and time consuming to deal with. Better to prevent the problem by understanding and following proper guidelines.


If you have any questions about the privacy guidelines contained in PIPEDA and how they affect you, please email the UCDA Legal Services Director, Jim Hamilton, at


Dealers can also find useful templates and guides at: