The Utah Driver License Division is sharing personal data — such as Social Security numbers, birthdates, physical characteristics, addresses and license numbers — with other agencies that have no legal right to it, a new audit says.
The report released Tuesday by the office of State Auditor John Dougall calls for such practices to stop.
In a written response, the Driver License Division said the law may be interpreted differently than the auditor asserts — and it plans to ask the Legislature to clarify whether it approves of its current data sharing.
The audit notes that state law bans the division from sharing information that identifies individuals “except in the interest of public safety or as specifically authorized in statute.”
Auditors found that five government agencies and one outside group are receiving at least some types of information that the law does not allow and that serve no public safety interest. They, and the data received improperly, include:
• The Utah Tax Commission: The last four digits of driver license numbers, expiration date of license and date of birth of individuals requested.
• Office of State Debt Collection: Name, date of birth, alias indicator, license number, Social Security number, expiration dates and license issue dates of “individuals who have outstanding debt” with the agency.
• Utah Population Database (at the University of Utah): Name, date of birth, place of birth, Social Security number, address, mother’s maiden name and physical characteristics of license holders.
• Lieutenant Governor’s Office (which oversees election data): Social Security number and physical characteristics of license holders.
• Utah Department of Veterans and Military Affairs: License number, gender and date of birth of veterans with driver licenses.
• Intermountain Donor Services: License number, birthdate and gender of people who sign up as organ donors. Also, it provides the license number, birthdate, gender, names and addresses of people who indicate on forms they are “undecided” about organ donation.
The auditor’s office said the division should stop sharing such information, and recommends that it “disclose to applicants what [personally identifying information] may be shared and with whom it may be shared.”
The division’s written response says “the language in the governing statute may be interpreted in various ways,” and notes it will “work with the Legislature to clarify the intent of the statutory language.”
The audit also complained that the division has not audited whether the agencies receiving the personal information it provides use the data only as promised.
Auditors noted that they found five agreements with agencies promising to perform such audits themselves and to provide the results to the division on demand. They found three others that allowed the division itself to perform such audits.
But the audit says division officials “had not audited any of the entities receiving driver license applicant information, nor had they obtained audits performed by the entities themselves.”
Auditors warned of “increased risk that misuse of database data by external entities will go undetected.”
The written response from the Driver License Division said it “recognized the value of auditing all recipients of data,” but added that it “does not have staff dedicated to nor trained in auditing practices as related to this issue.”
However, it said it “will make such auditing and training a priority as opportunities become available to request additional resources.”
Besides the six agencies the audit said received some data improperly, it said the division also legally shares data with Insure-Rite, the Department of Workforce Services, the Ogden Police Department, the American Association of Motor Vehicle Administrators, Utah Interactive, Utah Local Governments Trust, the U.S. Department of Defense, the Utah Division of Fleet Management, statewide warrants, the Utah Criminal Justice Information System and a company that makes licenses for the division.