CEL Whacked for £900 in DPA Breach Counterclaim

Umkomaas

There was a guy trying to do this, as I recall, but not enough people came forward: the silence of the lambs.

Michael Green - Challenge the Fine - remarkably quiet. Maybe he's got himself a proper job, or is he waiting in the wings?

http://challengethefine.com/index.php

nigelbb

The_Deep wrote: »

But a list of VRNs is not proof that ownership details were obtained.

You don't appear to have read the relevant paragraph. There is no need for the PPC to obtain keeper details to breach the DPA in this case by retaining data when they shouldn't. The Information Commissioner says that as soon as a vehicle has left an ANPR controlled car park without contravening the conditions for parking then the data i.e. the VRN should be deleted immediately. The VRN itself is personal data never mind the name & address of the RK.

pappa_golf

The_Deep wrote: »

I am sure that some judges would argue that point, a VRN is in the public domain.

the queen hides her,s , she is clever :rotfl:

Umkomaas

pappa_golf wrote: »

the queen hides her,s , she is clever :rotfl:

I would have though HRH 1 was pretty identifiable.

Coupon-mad

Ruurb wrote: »

Interesting, I'm off on holiday beginning of July leaving from BHX.. maybe I'll take an extended drive round there So assuming bye-laws apply to the site, any reference to POFA can't apply and so keeper liability does not apply and only the Airport landowners can sue as per bye-laws?

Yep.

Or you could try parking at Albert Street Birmingham, the VCS car park. They enjoy dishing out PCNs like confetti.

Lynnzer

You conveniently missed out the part where the KADOE Contract says that once data has been obtained by a PPC, they become the controller of it.

Ruurb

Coupon-mad wrote: »

Yep.

Or you could try parking at Albert Street Birmingham, the VCS car park. They enjoy dishing out PCNs like confetti.

Thank you, Albert Street is not too far from me and as much I would to test this idea out right now, have far too much on my plate right now.. will probably save this argument until next month when I head on holidays at BHX!

safarmuk

Knowledge of the breach or whether one would occur is irrelevant, the DVLA is automatically in breach as the data controller where the parking company acts outside of the purpose that the information would be released to them (principle 2).

So if I understand this correctly, the DVLA hold the data and control it and then provide it under strict conditions to a processor (the PPC) of that data.

Using my experience of this in another area ... taking private companies as an example, if Client A has data and asks Service Provider B to process it (for sales, marketing, payment etc. reasons) on their behalf and Service Provider B then misuses it and/or exposes this data ... I understand that the people impacted would sue Client A who in turn would sue Service Provider B. Now substitute Client A for DVLA and Service Provider B for the PPC and I think I understand Ruurb's point with the current legislation ... very interesting. Is my analogy right?

@Bargepole:

DJ Osborne subjected me to ten minutes of hell. He wanted to know why I hadn't filed a witness statement detailing the distress caused. We were claiming £500 for distress so where were the details?

Why were WS not submitted? Surely a WS for the PPC's claim was submitted and at the same time would not a WS for the counter claim have been submitted? Perhaps I am missing something - due to having less experience - regarding the process here.

Coupon-mad

Using my experience of this in another area ... taking private companies as an example, if Client A has data and asks Service Provider B to process it (for sales, marketing, payment etc. reasons) on their behalf and Service Provider B then misuses it and/or exposes this data ... I understand that the people impacted would sue Client A who in turn would sue Service Provider B. Now substitute Client A for DVLA and Service Provider B for the PPC and I think I understand Ruurb's point with the current legislation ... very interesting. Is my analogy right?

You don't seem to be wrong but on the other hand, we would be far better attacking the PPCs.

In a counter-claim I wrote, I've tried to show the Judge that there is no question that the PPC 'holds itself out' as a data controller, so I said this as my first point in a fairly lengthy counter-claim for someone:


1. The Defendant raising this counter-claim against the Claimant, is the registered keeper of the vehicle with the registration number xxxxxxx.

2. (i) The Claimant in this original claim is a private parking company who are required to adhere to the International Parking Community's Code of Practice, which holds all members out for the purposes of the Data Protection Act 1998, as a 'data controller'. In Section B (5): Data Processing: ''You are required to be registered with the Information Commissioner as a data controller.''

(ii) This status as a data controller is reiterated by the DVLA in the KADOE contract, under which an Approved Operator parking firm (the party known to the DVLA as 'the Customer') obtain data, which states: ''The Customer, separately from the DVLA, shall be the Data Controller of each item of Data received from the DVLA from the point of receipt of that Data by the Customer or its Link Provider and shall be responsible for complying with the principles of the DPA in relation to its further Processing of that Data.''

(iii) It follows that there is no question that this Claimant bears the responsibility of being, and holds itself out as, a data controller in this matter.

Ruurb

So if I understand this correctly, the DVLA hold the data and control it and then provide it under strict conditions to a processor (the PPC) of that data.

Using my experience of this in another area ... taking private companies as an example, if Client A has data and asks Service Provider B to process it (for sales, marketing, payment etc. reasons) on their behalf and Service Provider B then misuses it and/or exposes this data ... I understand that the people impacted would sue Client A who in turn would sue Service Provider B. Now substitute Client A for DVLA and Service Provider B for the PPC and I think I understand Ruurb's point with the current legislation ... very interesting. Is my analogy right?

Yes that is essentially the gist of what I am saying. The issue is that the DPA was drafted and brought into for almost 20 years ago and in that time, technology and the complexity of modern business relationships can sometimes blur the distinction as to who is a data controller and who is a processor.

Let's take the definitions of data controller and processor

'data controller'

means ... a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

'processor'

in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

Applying those definitions it is easy to show how it can work in practice for example, a shop who enters into a contract with a card processing company to process customer transactions. The shop being the controller and the card company being the processor (pretty much the same example you give).

However, if you take this KADOE contract between the DVLA and the PPC, things are not so straightforward. The PPC does not appear to fall within the 'Processor' definition because it is not processing the information on behalf of the controller but at the same time it can't really be a controller because it isn't determining the purpose and manner which the personal data is used (because the DVLA has expressly stated how and when the personal data will be released) nor does the KADOE contract appear to give any discretion as to whether it can use the personal data beyond what the provisions say.

So I would say a more common sense approach needs to be taken and to determine who is a controller you would need to identify who is the decision maker and has the overall control of the personal data. Some other questions that could be asked is:

- Who collects the data
- Who has the right to disclose it
- Who determines the purpose and manner in which the data can be used
- Who controls the data

Now if you answered all of the above, you would say that the DVLA rather than the PPC fits the criteria (the list is non-exhaustive). Also if you look at the meaning the definition of 'processing':

in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;

The above underlined would seem to fit the bill for the PPC. They are obtaining the data from the DVLA and in turn using the information in accordance with the purpose agreed under the contract. Therefore they are processing the information and my view is that they are likely to be a data processor than a controller.

To me, whatever the DVLA say they will always remain the data controller and there is no getting around that. As it appears to me, the KADOE contract is a 'data sharing' agreement by which the PPC will use the information according the DVLA's explicit instructions (provisions B2.1) however, if they act outside of those instructions then there will be a breach for which the DVLA (as controller) shall be responsible for. But for the DVLA agreeing to share the data, the breach would not have occurred.

Now, the flipside to this argument is that some might say (and probably the DVLA) that they can't be liable for the misuse of the data by the PPC because at the point of using the data for the purposes not specified in the KADOE contract the PPC then becomes the data controller i.e. it determines the purpose of the processing (I think this is where some people might agree is the case or where someone said the trade associations mention them as controller). My view is that the misuse of the data and breach of the KADOE contract by the PPC does not then make them a controller, but rather the responsibility of the DVLA (who controls the data and determines the purpose of the processing) who released the information to them.

As there does not seem to be any case law that I am aware of, this is of course just speculation and my own opinion but at the very least, you could argue the DVLA is the controller with the PPC as processor or, both the DVLA and PPC are joint controllers or, the PPC is the controller for the purpose of the DPA claim. Either way all is a win-win and any court hearing would no doubt be useful as guidance.

Apologies for the long post, I could ramble on for quite some time on DPA but I've tried to restrict it!