Data Protection Act Guidance

Timothea
The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The following guidance relates mainly to the Data Protection Act 1998, which still applies to incidents that took place prior to 25 May 2018. However, the new data protection legislation is an evolution, not a revolution, and much of this guidance remains unaffected (other than references to sections in the 1998 Act).

The GDPR provides similar but enhanced consumer rights, which may now be exercised retrospectively. The most significant changes in the context of private parking companies are perhaps the removal of fees for subject access requests, and the additional obligations placed on traders who control or process personal data.

Reasonable cause

If you receive a private parking charge notice (PCN) or notice to keeper (NTK) in the post addressed to the registered keeper of a vehicle, the private parking company (PPC) identified in the notice will most likely have obtained your details from the Driver and Vehicle Licensing Agency (DVLA) on the basis that it has reasonable grounds to do so.

DVLA is entitled to share its register of keeper data with private entities under regulation 27(1)(e) of the Road Vehicles (Registration and Licensing) Regulations 2002. In order to obtain keeper data electronically, PPCs must sign a standard Keeper at Date of Event (KADOE) contract with DVLA. This KADOE contract allows PPCs to obtain keeper data for the "reasonable cause of seeking recovery of unpaid parking charges."

The KADOE contract attaches several other conditions to providing data access, including:
  • The PPC must be a member of a DVLA-Accredited Trade Association (ATA) and have Approved Operator status with that ATA.
  • The PPC seeks recovery in accordance with its ATA's Code of Practice (COP).
  • The PPC seeks recovery from:
    • the driver, or
    • the keeper if the procedure in Schedule 4 of the Protection of Freedoms Act 2012 (POFA) is used.
  • Before retrieving personal data, the PPC has gathered evidence to demonstrate it has reasonable cause to obtain the data.
  • Before relying on any item of data retrieved, the PPC matches the information in the request (e.g. the model, type and colour of the vehicle) and shall not seek recovery if the information does not match.
  • Personal data may only be used in relation to the particular date, event and purpose for which they were obtained, and must not be re-used for other dates, events or purposes.

If the PPC doesn't comply with its KADOE contract when it obtains keeper data, it has done so without reasonable cause and has therefore obtained and processed personal data fraudulently.

PPCs can also obtain keeper data using a paper form V888/3. This can be done without signing a KADOE contract but there are similar conditions on the V888/3 form, which the PPC accepts by signing and submitting the form to DVLA. The biggest difference with this method is that the PPC can give its own reason for requesting, and how it will use, keeper data. DVLA should check that this constitutes reasonable cause.

V888/3 requests must be made between 29 days and six months from the date of the incident. This form also reminds the PPC that, under Section 55 of the Data Protection Act 1998, it is a criminal offence to unlawfully procure or sell personal information. DVLA will, upon request, provide the keeper with a copy of any V888/3 form that was used to obtain the keeper's data.

Data Protection Act

The Data Protection Act 1998, as amended (DPA) controls how personal information is used by organisations, businesses or the government. Any 'person' (usually an organisation) responsible for how personal information is used (a 'data controller') must comply with strict 'data protection principles'.

These principles require that personal information is:
  1. used fairly and lawfully
  2. used for limited, specifically stated purposes
  3. used in a way that is adequate, relevant and not excessive
  4. accurate
  5. kept for no longer than is absolutely necessary
  6. handled according to people's data protection rights
  7. kept safe and secure
  8. not transferred outside the European Economic Area without adequate protection

If a data controller doesn't comply with these principles, a breach of the DPA is very likely to have occurred. In such cases, the data subject can claim for two types of compensation from the data controller: actual damages based on financial loss, and compensation for 'distress' (similar to a disability discrimination claim). There are two important pieces of case-law that clarify matters: Halliday -v- Creation Consumer Finance Limited [2013] and Vidal-Hall et al -v- Google Inc [2014].

In Halliday -v- Creation Consumer Finance Limited, the Court of Appeal awarded the claimant £750 for distress when a single data protection breach caused actual distress to the data subject, but no financial loss was shown to have occurred. In Vidal-Hall et al -v- Google Inc, the Court of Appeal ruled that misuse of personal information is a tort, and that section 13 of the DPA allows claims for distress without any financial loss. These judgments are binding on all lower courts.

Consumer protection legislation

In addition to the DPA, POFA, common law, KADOE contract and Codes of Practice, motorists who park on private land are shielded by legislation that protects consumers from unfair contract terms and trading practices. The main ones are The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 and the Consumer Rights Act 2015.

The 2013 Regulations require that the trader (namely, the PPC) provides certain information to the consumer (namely, the driver) before a distance contract is concluded. This does not apply if the contract is concluded by automated means, such as a ticket machine. Failure to provide this information at the correct time makes the terms of the contract non-binding on the consumer.

Much of the information required is typically provided by the PPC's signage, or is not relevant to a parking contract. However, the following information is often missing:
(c) the geographical address at which the trader is established and, where available, the trader's telephone number, fax number and e-mail address, to enable the consumer to contact the trader quickly and communicate efficiently;
(k) where applicable, the trader's complaint handling policy;
(o) where under regulation 28, 36 or 37 there is no right to cancel or the right to cancel may be lost, the information that the consumer will not benefit from a right to cancel, or the circumstances under which the consumer loses the right to cancel;
(r) the existence of relevant codes of conduct, as defined in regulation 5(3)(b) of the Consumer Protection from Unfair Trading Regulations 2008, and how copies of them can be obtained, where applicable;
(x) where applicable, the possibility of having recourse to an out-of-court complaint and redress mechanism, to which the trader is subject, and the methods for having access to it.

The 2015 Act deals generally with unfair contract terms in consumer contracts. For example, it requires that any contract term capable of more than one interpretation must be interpreted in favour of the consumer. There are also numerous grounds for determining that a contract term is unfair -- too many to mention here. Any contract terms deemed to be unfair are not binding on the consumer.

Anyone who wants to understand more about the transparency and fairness obligations for consumer contracts in the 2015 Act should read the detailed guidance available here:

http://forums.moneysavingexpert.com/showthread.php?t=5666825

Neither of these pieces of legislation was considered by the Supreme Court in ParkingEye Limited -v- Beavis [2015], which ruled that an £85 parking charge for overstaying the permitted time in a free car park was not a penalty. The Supreme Court was at pains to point out that it was swayed by the facts of this particular case, including the prominent and clear signage, and that the penalty rule would continue to apply in different circumstances.

Please note that the courts will often ignore 'minor' infractions of consumer protection legislation in parking cases, even though the legislation is perfectly clear. So, until there is some good case-law to support these points, you should probably not make a claim in court if you are relying only on them.

What does all this mean?

If a PPC obtains personal data from DVLA then, in each case, it must have reasonable cause. This includes acting lawfully and meeting all the requirements of its KADOE contract, its ATA's Code of Practice and POFA (if applicable). However, because most people just pay up anyway, PPCs will often obtain keeper data when no contravention has occurred, or where they have failed to meet all the requirements to establish reasonable cause. This is a clear breach of principles 1 and 2 of the DPA.

The list of possible failures by PPCs when obtaining personal information from DVLA is long, and may include any of the following:
  • No contract, for example --
    • no parking event (e.g. briefly stopping or loading/unloading)
    • no authority to pursue charges (e.g. from the landowner or occupier)
    • no offer capable of forming a contract with the driver (e.g. a forbidding offer)
    • no acceptance of an offer (e.g. driving away after reading the terms)
    • inadequate signage (e.g. confusing, illegible or absent core terms)
  • No breach, for example --
    • the driver complied with the core terms of the contract
    • the evidence provided relates to a different car, time or place
    • ANPR double dip (e.g. the driver visited the site twice in the same day)
  • Not complying with the ATA's COP, for example --
    • not allowing reasonable grace periods before and after parking
    • if ANPR technology is used, not explaining how ANPR data will be used
    • not offering access to the ATA's independent appeals service
  • Falsifying evidence, for example --
    • changing date-time stamps
    • backdating or altering parking charge notices
    • doctoring or cropping photos to change or hide something
    • ghost ticketing (e.g. issuing a Notice to Driver but not leaving it on the vehicle)
  • DPA breaches, for example --
    • not keeping personal data accurate and up to date
    • passing personal data to any third party without consent
    • using personal data for any purpose other than the purpose for which they were originally obtained
    • failing to respond properly to a section 10 data subject notice within 21 days (GDPR: 1 month)
  • Not complying with other laws, for example --
    • failing to provide the information required by the Consumer Contracts Regulations 2013 before the contract was concluded
    • failing to ensure that all contract terms and customer notices are transparent and fair
    • not conforming to the strict requirements of POFA when keeper liability is being claimed
    • not having advertising consent for the PPC's signage
  • Pursuing the keeper in cases where keeper liability does not apply, unless the PPC has evidence that the keeper was the driver or to request the driver's name and address from the keeper

What can you do?


IF you are the recipient of a parking charge notice or payment demand from a PPC,
AND you can demonstrate that the PPC did not have reasonable cause to obtain your personal data,
AND the actions of the PPC have caused you significant damage or distress,
THEN you may have a valid claim against the PPC for compensation resulting from its misuse of your personal data.

Unless court proceedings have already started, you should first write to the PPC explaining how it has misused your personal data, that this misuse is causing you significant financial loss or distress (or both) and requiring the PPC to cease and desist from processing your personal data. This is known as a section 10 data subject notice. Post this letter (first class) to the Company Secretary at the PPC's registered office address and obtain a free proof of posting from the Post Office counter.

The PPC will then have 21 days (GDPR: 1 month) to respond to you either:
a. stating that it has complied or intends to comply with the data subject notice, or
b. stating its reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which it has complied or intends to comply with the data subject notice.

Below is an example section 10 data subject notice. The coloured text must be adapted to match your particular circumstances. (This example is based on a PCN issued for stopping briefly on an airport approach road that is private land and subject to statutory control.)

Data Protection Act 1998 -- Section 10 Data Subject Notice

I am the registered keeper of the vehicle with registration mark XXXXXXX and I have received your PCN number 9999999.

The driver did not "park" (stopping briefly is not parking) and could not have entered into any contract because a contract cannot be forbidding and, in any case, the driver had no chance to read and accept the terms of any contract before the alleged contravention occurred. Furthermore, you cannot use Section 4 of the Protection of Freedoms Act 2012 to transfer liability to the registered keeper because the location of the alleged contravention is subject to statutory control, and I am under no obligation to name the driver.

As a result, there is no legally-enforceable parking charge and no justification for you to pursue me. You have, therefore, obtained my personal information without reasonable cause. This is a clear breach of data protection principles 1 and 2 of the Data Protection Act 1998 (DPA). Your unreasonable and unlawful demand for payment is causing me significant distress and anxiety.

I demand that you immediately cease and desist from processing my personal data, except to inform me that you have complied with this demand. Any further processing of my personal data, including demands for payment or passing my personal data to any third party, will be considered harassment and a flagrant disregard of the DPA, which will be reported to DVLA and to your ATA, and may result in legal action against you for compensation or damages, including Exemplary or Punitive damages.

The DPA requires you to respond to this notice within 21 days (GDPR: 1 month).

Yours faithfully,

[squiggle]

Your name, address and contact details

Sending a section 10 data subject notice to the PPC has several advantages:
  1. It is the correct way for a data subject to ask a data controller to stop processing their data
  2. It requires the PPC to provide a substantive response to you within 21 days (GDPR: 1 month)
  3. It shows the PPC that you are familiar with the DPA
  4. It establishes that the processing of your personal data by the PPC is causing you distress, and that further processing of your personal data would cause you more distress
  5. If it is found that a DPA breach has occurred and the PPC has not complied with the notice then it may justify an increased quantum for compensation

If nothing else, it puts the PPC in a bad light in court if it fails to respond at all.

If the PPC ignores your section 10 data subject notice, or replies to say anything other than it will comply fully with your demands, then the keeper should complain to DVLA and the PPC's ATA. If you are prepared to escalate matters further, you can also send a Letter Before Action (LBA) to the PPC, unless court proceedings have already started.

In this letter, you should include:
  • Your name and address
  • A Letter Before Action heading
  • A list of the defendants -- i.e. the PPC and, optionally, the landowner
  • The reason for your claim -- i.e. breach of the Data Protection Act 1998, as amended
  • A statement of the relevant facts -- i.e. a summary of the events, including those parts that prove the breach
  • A statement of the legal basis of the claim -- i.e. an explanation of why the Data Protection Act has been breached
  • How much you're claiming, including costs -- i.e. a statement of the damages (if any) and the compensation for distress that you're asking for
  • A list of any documents you'll be using -- e.g. contracts, codes of practice, etc.
  • The date by when you want a response (after at least 14 days)
  • A request for any documents that you want from the defendant to support your case
  • A reminder that you may commence proceedings without further notice if the PPC doesn't reply to this letter or continues to process your personal data

Of course, the keeper should be prepared to follow through with this threat, at least to the extent of making a counterclaim for damages if the PPC makes a money claim against the keeper. This is not for the faint-hearted.

In any case, remember to keep all correspondence to or from the PPC and/or its agents, solicitors, etc. If this goes to court, it will be helpful to reveal the aggravating nature of the correspondence to justify the extent of the distress they have caused you.

What happens next?

Several things could happen after sending the section 10 data subject notice and/or the LBA:
  • You pay the PPC what it wants (BAD, you have been ripped off)
  • The parties agree a compromise settlement (OK, if you're happy with it)
  • The PPC agrees to stop processing your personal data (GOOD, you've scared them off)
  • The PPC continues to chase payment from you (GOOD, more evidence)
  • The PPC appoints debt collectors, who chase payment from you (GOOD, more evidence)
  • The PPC ignores you (OK, but this could come back to bite you several years later)
  • You commence court proceedings against the PPC (OK, if you know what you're doing)
  • The PPC commences court proceedings against you (GOOD, better than being the claimant)

The last outcome can be the best for you, if you have a good case and are up to the challenge. Being the defendant is easier than being the claimant because the claimant must prove their case (on the balance of probabilities). Also, being a defendant allows you to make a counterclaim, for which roboclaim firms (such as ParkingEye, Gladstones, BW Legal, MIL Collections) are unprepared. A counterclaim also means that you can still have your day in court even if the PPC discontinues its original claim. However, you need to be ready because you will have a limited time to file a counterclaim.

If you have successfully defended a case in the small claims court then this is a great time to sue the PPC and the landowner or occupier for DPA breaches. Please see bargepole's post #18 below for an example of the LBA, which can also be called a Letter Before Claim (LBC) or Letter Before County Court Claim (LBCCC).

Please refer to other guidance if you need to commence or counterclaim a court claim. Anyone who is thinking about doing this should consider obtaining professional legal advice or representation. Household insurance that includes legal cover may help.

If you have acquired a County Court Judgment (CCJ) from a PPC without your knowledge then please see post #13 below.

With full acknowledgement and thanks to Parking Cowboys, Parking Prankster, Coupon-mad and many other sources.

Comments

  • The_Deep
    edited 13 January 2017 at 8:50AM
    Pursuing the keeper in trespass or bye-law cases, unless there is evidence that the keeper was the driver

    So, in virtually all cases where the PPC has issued on non-relevant land, if the PPC does not know the driver, by applying to the DVLA for RK details, the PPC is breaking the law, and can be sued.

    How long before the PPCs are flooded with counter-claims I wonder.

    Unless court proceedings have already started, you should first write to the PPC explaining how it has misused your personal data, that this misuse is causing you significant financial loss or distress (or both) ...

    But what if it isn't? What if you just want to give the PPC a rough time? Whether or not you are a robust character, they are still breaking the law. Can you not sue them for £1 (plus your Q.C.'s fees of course)?
    You never know how far you can go until you go too far.
  • Handbags-at-dawn
    So, in virtually all cases where the PPC has issued on relevant land, if the PPC does not know the driver, by applying to the DVLA for RK details, the PPC is breaking the law, and can be sued.


    I think you mean non-relevant land. The PPC can apply to the DVLA for RK details, but only to assist in tracing the driver. They can only politely request the keeper to be so kind as to name the driver; they would be in breach of the DPA if they REQUIRE him to do so. They'd also be in breach if they pursue the keeper himself.
  • The_Deep
    edited 13 January 2017 at 1:36PM
    Corrected, thank you. I always get confused here.

    I understand what you say, but it is a fact that most PPCs do not just want to know the name of the driver, they want to charge the RK if they are not given it.

    I have a NTK on my desk right now from Apcoa addressed to a relative, regarding an alleged infringement on railway land of their T&C, it reads

    As we do not know the name of the driver or their current serviceable address, we request that you pay either the full amount outstanding as noted above. ... If you were not the driver please provide (his/her) name ...

    ... A charge of £100 is payable and must be paid before the end of the period ...

    They were doing so well until they used the word "must", why? on whose authority? by whom?


    It is obvious that they obtained TK details to try to get him/her to cough up.
  • Umkomaas
    Very well laid out and comprehensive run-through guidance for breaches of the DPA, Timothea. I've bookmarked it for linking into any future suggestions I might make in this context (with due acknowledgment to you). I suspect I will refer to it quite a lot in the coming weeks and months!

    Thank you.
    Please note, we are not a legal advice forum. I personally don't get involved in critiquing court case Defences/Witness Statements, so unable to help on that front. Please don't ask.

    I provide only my personal opinion, it is not a legal opinion, it is simply a personal one. I am not a lawyer.

    Give a man a fish, and you feed him for a day; show him how to catch fish, and you feed him for a lifetime.

    Private Parking Firms - Killing the High Street
  • Handbags-at-dawn
    This is such a helpful summary - is there any way it can be kept at the top? Like a sticky?

    Thank you v much, Timothea.
  • Umkomaas
    This is such a helpful summary - is there any way it can be kept at the top? Like a sticky?

    Thank you v much, Timothea.

    No chance of a sticky. MSE doesn't like stickies, we are 'lucky' to be able to have 4. Hopefully Coupon-mad will include a link/section in her NEWBIES FAQ sticky.

    I'm sure this is going to become an important element not only in fighting back, but also in tidying up the way private parking management is effected (or in Donald Trump's words 'draining the swamp').
  • Coupon-mad
    edited 13 January 2017 at 1:20PM
    So, in virtually all cases where the PPC has issued on relevant land, if the PPC does not know the driver, by applying to the DVLA for RK details, the PPC is breaking the law, and can be sued.


    I think you mean non-relevant land. The PPC can apply to the DVLA for RK details, but only to assist in tracing the driver. They can only politely request the keeper to be so kind as to name the driver; they would be in breach of the DPA if they REQUIRE him to do so. They'd also be in breach if they pursue the keeper himself.

    Agreed.

    They would also be in breach if the keeper told them he/she wasn't driving (ideally proved it) and/or told them he/she was not going to name the driver and sent a Section 10 Notice/letter, requiring them to stop processing his/her data as they had only obtained the DVLA data to enquire who the driver was, no more and no less.

    This is such a helpful summary - is there any way it can be kept at the top? Like a sticky?

    Thank you v much, Timothea.
    I can add it as a link into the NEWBIES thread next time I update it - but it is currently locked at my request until I get time.
    PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
    CLICK at the top of this/any page where it says:
    Forum Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD
  • Timothea
    The PPC can apply to the DVLA for RK details, but only to assist in tracing the driver. They can only politely request the keeper to be so kind as to name the driver; they would be in breach of the DPA if they REQUIRE him to do so. They'd also be in breach if they pursue the keeper himself.

    Thank you. I have now corrected the guidance.
  • Molts
    Awesome information, thank you all for the effort.

    Have posted in the following fightback Facebook group...hope okay?

    https://www.facebook.com/groups/fightyourprivateparkinginvoice/
  • Timothea
    Molts wrote:
    Have posted in the following fightback Facebook group...hope okay?

    https://www.facebook.com/groups/fightyourprivateparkinginvoice/

    The more the merrier! Spread the word.
This discussion has been closed.