Parking Eye Hospital PCN via Leasing company

dadsma

Hi all,

I am posting on behalf of a friend who would be grateful for your expert help. The Hire/Lease advice in the Newbies thread doesn't seem to cover this specific situation unless I don't understand it well enough, doh.

A Parking Eye anpr postal PCN - was sent to the vehicle leasing company as keeper. The lease company copied it to the lessee (my friend) and requested them to appeal to PE or pay.

However, as the PCN is addressed to the leasing company is it appropriate for my friend to appeal now to Parking Eye as the de facto keeper or wait until they get a PCN in their own name?

p.s. I have already advised them to contact the hospital for cancellation.

salmosalaris

if this was a hospital visit I'd suggest a letter to the Chief Exec of Trust asking why their duty of care responsibilities in maintaining patient confidentiality were breached by their agent releasing the lessees personal data to a third party without their permission .
Personal data is anything held by the Trust which can be used to identify an individual , and in this scenario a leasing company has been informed the lessee visited hospital . Would be interesting to see what reply you get .

nigelbb

They cannot appeal on behalf of the leasing company so need to wait for their own Notice To Hirer & then confirm that it is accompanied by all the necessary documents required by POFA to enforce liability.

salmosalaris

and all the relevant documents won't be there at a guess so in any correspondence to PE or the Trust don't reveal who was driving

Carthesis

salmosalaris wrote: »

if this was a hospital visit I'd suggest a letter to the Chief Exec of Trust asking why their duty of care responsibilities in maintaining patient confidentiality were breached by their agent releasing the lessees personal data to a third party without their permission .
Personal data is anything held by the Trust which can be used to identify an individual , and in this scenario a leasing company has been informed the lessee visited hospital . Would be interesting to see what reply you get .

You'd get a reply of "What are you talking about?", because the hospital haven't released any personal information whatsoever, and neither have their agents.

The LEASING COMPANY - who will be 'named' on the V% and in the DVLA Database - have been named by the DVLA following a KADOE database search, and the LEASING COMPANY have contacted the driver - whose details they already have as part of the lease - and asked them to deal with it.

This is exactly what should happen.

Be glad that the leasing company haven't simply paid the fine and then tried to claim it back from you, plus an admin charge, like hire companies often do.

salmosalaris

Carthesis wrote: »

You'd get a reply of "What are you talking about?", because the hospital haven't released any personal information whatsoever, and neither have their agents.

I beg to differ
Once a patient has been accepted a duty of care to protect their personal information is estabished and for it to be released requires their consent .

Key identifiable information includes:
• patient’s name, address, full post code, date of birth;
• pictures, photographs, videos, audio-tapes or other images of patients;
• NHS number and local patient identifiable codes;
• anything else that may be used to identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified.

So here is a scenario . A husband uses a vehicle registered to his wife to visit hospital . He wishes to do that without her knowledge . He enters Trust property being photographed by cameras authorised by the Trust , and parks in an area identified as a patient car park , is registered and accepted for care . Through no fault of his own he leaves the car park later than expected as the clinic was running late .
He is again photographed on exit .
The next thing he knows is his wife receives a letter from a parking company that fully identifies her vehicle , which could only have been driven by her husband , wih accompanying photographs that place him at a certain hospital for a certain time period .
At no time has he explicitly consented to the release of this information and has the Trust documented the significant reasoning of why release without consent is justified ?

It's not as black and white as you make out .

Carthesis

It is that black and white, because - like it or not - POFA2012 allows for car parks to be managed by ANPR cameras. There is nothing illegal about that.

Similarly, the ability for the PPC to request DVLA RK data is enshrined in the same law (and various others). You yourself can make a request for DVLA RK details, provided you:

a) have cause;
b) fill in the correct V888 form;
c) pay the £2.50 fee

Thirdly, the Trust themselves have released *NONE* of the data they hold. Primarily because they are not able to connect a vehicle registration mark on a random car in the car park to a particular patient.

Fourthly, even if what you say does hold true (and I don't believe it does), that would *ONLY* be applicable if the driver and/or RK was, in fact a patient at the hospital, and not simply a visitor.

As annoying as it is that DVLA are permitted to flog RK data to private companies for profit, it is permitted. The Trust have nothing to do with it - and the parking company *purely theoretically* have "reasonable cause".

I'm afraid your argument doesn't hold water.

salmosalaris

the data ( the VRN and photo ) is collected for and on behalf of the Trust , and personal data is anything that makes it possible for a person, in this case a patient, to be identified .
Unless data is required for medical reasons a patient must give explicit consent for its release and a sign just doesn't cut the mustard .
POFA most certainly does not overide the Trust's requirement not to disclose personal data of their patients just because ANPR cameras are permitted in a supermarket car park .

Of course it wouldn't apply to visitors but the Trust has a duty to put systems in place to prevent release of potential patients's personal data , and this would easily be achieved as in many NHS sites with barriers . Of course Trusts will come up with endless excuses that allow them to employ the likes of PE with their free parking management that incentivises the issue of penalties and flouts the DoH guidance on the issue .

Carthesis

The Trust have not disclosed any information.

The DVLA have disclosed information to agents of the Trust.
If you think that isn't the case, then discuss it with the ICO - I'm 100% certain I know what answer you'll get.

But either way, this isn't helping the OP with their problem.

The OP can write to the Trust Exec as you suggest, but i'd be truly truly astonished if you got anywhere with it. You'll get an answer stating that the Trust has a responsibility to make it's service accessible to all, and part of that is managing the car park to ensure patients and visitors blah blah, and that they have engaged such-and-such a PPC to perform that function on their behalf, and that RK data has been lawfully requested etc. etc. etc.

I genuinely don't think it's a tack that will get the OP anywhere whatsoever. Especially as what has happened here is the ANPR has picked up a VRN, which is registered to a leasing company, and it is the leasing company that have passed that along to the lessee.

Wait for the notice to hirer to come through. If you don't get a notice to hirer and instead get a notice to keeper or whatever, then wait until the end of the mandatory POFA period before pointing out they have exhausted their options.

salmosalaris

the PPC (agents of the Trust) have disclosed personal data that identifies the patient to the RK , and that they attended a certain NHS site at specific times , so again I disagree. That patient has potentially suffered a breach of confidentiality simply to chase a fake parking fine .

I'm not suggesting it is a tack that will help this OP but one day a CE may just sit up and realise that there are better ways of managing parking without this potential pitfall . However in reality when they openly flout DoH guidance and employ the likes of PE and Government does diddly squat the chances are it will have little effect , I at least agree there . However it doesn't detract from a valid argument and things persist simply because systems are chosen because they are free and Government is seemigly happy to turn a blind eye .

1505grandad

Perhaps the following part of the ICO decision in my daughter's favour determining that UKPC had breached the DPA may be helpful:-


What is personal data?


I have explained to UKPC that, under the DPA, personal data is defined as ‘data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller’.


An individual is 'identified' if you have distinguished that individual from other members of a group. In most cases an individual’s name together with some other information will
be sufficient to identify them.


A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context.


Where a vehicle registration mark (VRM) is collected (often as part of an automatic number plate recognition (ANPR) system), the ultimate purpose of which is to identify and take some action against a living individual (such as to serve them with a parking fine) the VRM will be personal data at the point of collection. This is because the data controller is likely to have or come into possession of further information which will allow them to identify either the driver or registered keeper of the vehicle, or both.


Therefore, it can be seen that the vehicle registration number constitutes the personal data of XXXXXXXXXXX, regardless of the fact that her name was not disclosed in this case.