Information and Privacy Commissioner/Ontario Commissaire à l’information et à la protection de la vie privée/Ontario Privacy Investigation: The Toronto Police Service’s use of Mobile Licence Plate Recognition Technology to find stolen vehicles April 29, 2003 416-326-3333 2 Bloor Street East 2, rue Bloor Est 1-800-387-0073 Suite 1400 Bureau 1400 Fax/Téléc: 416-325-9195 Toronto, Ontario Toronto (Ontario) TTY: 416-325-7539 M4W 1A8 M4W 1A8 Website: www.ipc.on.ca
2 Bloor Street East Information and Privacy Suite 1400 Commissioner/Ontario Toronto, Ontario M4W 1A8 This publication is also available on the IPC website. 416-326-3333 1-800-387-0073 Fax: 416-325-9195 TTY (Teletypewriter): 416-325-7539 Website: www.ipc.on.ca
vehicles that have been reported stolen, including their licence plate number, vehicle identification number (VIN), make, model, colour and year. As a Toronto Police Service officer drives down a street or in a municipal parking lot, the scanned licence plate number of each vehicle is displayed on the screen of the street sweeper’s onboard computer. If the system detects a potential match to a stolen vehicle, the computer beeps to alert the officer, who then stops and visually scrutinizes the licence plate number of the parked vehicle and compares it to a list of stolen vehicle licence plate numbers that pop up along the bottom of the computer’s display terminal. (In some cases, one or more characters on the licence plate may be obscured by mud or snow. Consequently, the system provides a list of stolen car licence plate numbers that are close to the plate number of the parked vehicle.) If the officer finds that the licence plate number does not match any stolen vehicle plate numbers, he or she presses “reject” and continues on. However, if the officer finds that the plate number of the parked car matches the plate number of a stolen vehicle, he or she presses “enforce,” which saves an image of the licence plate number on the hard drive of the onboard computer. The officer must then contact an operator in the police radio room, who checks the updated CPIC database to determine whether the vehicle is still reported stolen. If the radio room operator confirms the stolen status of the vehicle, the officer manually records the vehicle’s licence plate number, VIN, description, and location in a handwritten log. The police service’s standard procedure for handling retrieved vehicles then kicks in, which includes towing the vehicle to a police pound. The hard drive in the street sweeper’s onboard computer has the capacity to retain approximately 72 hours worth of scanned licence plate numbers. Consequently, whenever the parking enforcement unit officer scans a licence plate number, this new scan overwrites any existing scan that is 72 hours old. In other words, the MLPR system is configured to automatically destroy all scanned licence plate numbers on the hard drive after 72 hours. The police do not have access to the scans retained in the system because the hard drive is password-protected and the data is encrypted by AutoVu. However, the police download the contents of the hard drive onto a zip disk on a daily basis. This zip disk, which is sent to AutoVu once a week, includes an alphabetical string of all licence plates scanned during that week and the images of any licence plates that produced a hit when they were matched against the stolen vehicle database. The alphabetical string of licence plate numbers does not include the jurisdiction (e.g., Ontario) that appears on the top of the plate. However, both the licence plate number and jurisdiction are visible on the images of licence plates that are saved on the hard drive after producing a hit with the stolen vehicle database. AutoVu Technologies requires this information to analyze whether the MLPR system is making the retrieval of stolen vehicles more efficient and to ensure that the MLPR equipment is properly scanning licence plate numbers and otherwise functioning properly. After AutoVu has analyzed the data supplied by the police, it erases the data on the zip disk and sends the disk back to the police’s parking enforcement unit. 3
requires the string of scanned licence plate numbers and the images of licence plates that produced a hit to analyze whether the MLPR system is making the police’s retrieval of stolen vehicles more efficient. Consequently, the police are disclosing the licence plate numbers that are in their custody and control for the purpose for which this personal information was obtained or compiled, which is permitted under subsection 32(c) of the Act. We would note that although the police signed a memorandum of understanding with the IBC, they do not have a similar contract with AutoVu Technologies. There is no evidence that AutoVu uses the licence plate numbers that it receives from the police for inappropriate purposes or that it discloses this information to third parties. For example, the company does not match the licence plate numbers to the names of the individuals to whom the plates have been assigned. Moreover, the police have informed the IPC that if they decide to expand the use of the MLPR system after the pilot project has concluded, it will likely be unnecessary to continue the practice of disclosing licence plate numbers on a zip disk to AutoVu. Nevertheless, the IPC recommends that, in future projects, the police sign a contract with any private-sector entity not subject to the Act to which they disclose personal information. Such a contract should include strong privacy-protection clauses that prohibit the private-sector entity from misusing or inappropriately disclosing any personal information that it receives from the police. This would include a prohibition on matching the personal information with any other information about an individual that the private-sector entity has collected from other sources. In addition, a requirement that the private-sector entity’s employees sign confidentiality agreements should be included. Conclusion: The police are disclosing licence plate numbers to AutoVu Technologies in compliance with section 32 of the Act. 8
We would like to distinguish the existing MLPR system that is used for locating stolen vehicles from the GPS-configured system that could be used to detect illegally parked vehicles. The use of the MLPR system to find stolen vehicles is in compliance with the Act and produces benefits (e.g., crime prevention, returning stolen property to citizens) that outweigh the minimal impact on privacy that results from the scanning of licence plate numbers. The benefits that would result from using the GPS-configured system (e.g., improving parking flows, increasing revenues) are, in our view, comparatively less important and yet pose a greater threat to privacy. When coupled with GPS technology, the police could use the MLPR system to collect a much greater wealth of potentially privacy-invasive personal information. Consequently, the IPC would place any proposal to use the GPS-configured system under a high degree of scrutiny to ensure that the privacy rights of the public are fully protected. The IPC would oppose the police keeping records of the precise location, date and time that all vehicles were parked on a particular street. Specifically, it is important to ensure that the system would not be inadvertently used to track and record the movements of law-abiding citizens or used for any other secondary purposes unrelated to law enforcement. If the Toronto police decide to test or implement the GPS-configured MLPR system at some point in the future, the IPC recommends that they first consult with this office to discuss the privacy implications of using this technology. The IPC also recommends that the police conduct a privacy impact assessment (PIA). A PIA is a process for determining whether new technologies, information systems, or proposed programs or policies meet basic privacy requirements. This process consists of developing an information flow map, applying a set of privacy questions to the information flow, identifying any privacy risks, and developing a solution to address these risks. Conducting a PIA can help law enforcement agencies to anticipate the public’s privacy concerns and to generate confidence that these privacy concerns are being considered and addressed. 10
2 Bloor Street East Information and Privacy Suite 1400 Commissioner/Ontario Toronto, Ontario M4W 1A8 416-326-3333 1-800-387-0073 Fax: 416-325-9195 TTY (Teletypewriter): 416-325-7539 Website: www.ipc.