Car dealers: your guide to privacy-compliant vehicle history checks

New Zealand car dealers run thousands of vehicle history checks every year through services like Carjam and the PPSR. Each of those lookups involves collecting personal information about the registered owner from a third-party source — which triggers IPP3A.

The typical scenario

A customer walks in, interested in trading their vehicle. The dealer runs a Carjam check to verify the vehicle's history, outstanding finance, and ownership details. That check pulls personal information about the registered owner from third-party databases.

Where dealers get caught

Most dealers have a general consent clause buried in their terms and conditions. But the Privacy Act requires that the individual is made aware of the specific collection at or before the time it happens. A blanket clause signed weeks or months earlier may not satisfy the "reasonable steps" test.

Best practice

• Before running a check, confirm that the person in front of you is the registered owner, or that you have the owner's explicit consent.

• Record the consent pathway — verbal, written, or notification — at the time of the lookup.

• If using the notification pathway, send the notification before or at the time of the lookup, not after.

• Keep the evidence for at least the retention period specified in your privacy policy.

How DEIS helps

DEIS integrates with Carjam and PPSR. When a dealer runs a lookup, the system requires them to select the IPP3A pathway and captures the evidence automatically. If notification is required, DEIS sends it and records proof of delivery.