DVLA and GDPR how can they have a right to pass on our data?

ncg

Hi All.
Just wanted to open a thread about this as it seems to me there is a very significant point her that needs to be escalated, perhaps to the court or the politicians.

GDPR - General Data Protection Regulation - Regulation of course means its a LAW!

That being the case it is illegal to pass on your data to third parties. I really don't know what the loop holes there may be within this for organisations like the Police, Courts etc. However I would presume that it is intended that it is certainly not acceptable or legal for anyone to pass your data on to another party especially when that other party is a private company, such as a parking company trying to enforce a fine against your vehicle registration does not seem like a genuine reason to pass on data legally. For the DVLA to sell that data is surely a GDPR scandal. Anyone have any knowledge of this and what if anything is being done about it to stop it happening?

Johno100

I'm sure you won't be surprised to know that this subject has been done to death numerous times before on this forum.

These few brief paragraphs should explain most of what you need to know.

Regulation 27 of the Road Vehicles (Registration and Licensing) Regulation 2002 provides for the release of information from DVLA’s vehicle register to the police and local authorities. The regulation allows us to release data to private or public sector organisations providing they can demonstrate reasonable cause to have it. The release of information about vehicles and their keepers for such purposes is long established and predates the existence of the DVLA. As the law allows the release of personal data we do not need the consent of the vehicle keeper to disclose their details.

Registered keeper

The DVLA’s vehicle database records details of the registered keeper of a vehicle. Vehicle keeper details may be disclosed to law enforcement authorities or private litigants as a first point of contact to establish where liability for an incident or event may lie. Refusal to disclose these details would mean that motorists could drive or park a vehicle without fear of being held responsible for their actions.

Disclosure in these circumstances does not breach the Data Protection Act and the Information Commissioner’s Office is fully aware that data held on the DVLA’s records is released in this way.

Reasonable cause for data release

Reasonable cause for the release of data from the DVLA vehicle register relates to motoring incidents with driver or keeper liability. These can include matters of road safety, events occurring as a consequence of vehicle use, the enforcement of road traffic legislation and the collection of taxes. In all matters regarding data release, we act responsibly and in accordance with legislation.

Where reasonable cause has been demonstrated, information is disclosed on the condition that it will only be used for the requested purpose and that the recipient will protect its confidentiality.

It is an offence under the Data Protection Act to obtain information under false pretence or to use it for a purpose other than that originally stated.The regulations also allow for a fee to be charged to cover the cost of processing requests under the reasonable cause provisions, so the cost is borne by the requestor and not passed on to the taxpayer.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/710366/inf266-release-of-information-from-dvlas-registers.pdf&ved=2ahUKEwiIh4iS2OfdAhVIJMAKHbb4DYIQFjAAegQIABAB&usg=AOvVaw3v38z_7JObR3JIWZleEtqf

bargepole

ncg wrote: »

... Anyone have any knowledge of this and what if anything is being done about it to stop it happening?

This issue is the oldest of old chestnuts, and has been discussed regularly on here ad nauseam for the past few years.

The DVLA rely on Regulation 27(1)(e) of the Road Vehicles (Registration and Licensing) Regulations 2002:

The Secretary of State may make any particulars contained in the register available for use—
by any person who can show to the satisfaction of the Secretary of State that he has reasonable cause for wanting the particulars to be made available to him.


The DVLA will, therefore, release data to any PPC who is a member of an Approved Trade Association (ATA), of which there are currently two, the BPA and the IPC.

It is assumed that, by virtue of holding current membership, they abide by the relevant Code of Practice, and are therefore deemed to have 'reasonable cause' to request keeper data.

With over 5 million requests being made each year, at £2.50 a time, this represents a significant income stream for the DVLA, who have a dedicated Data Sharing department, with the top bods being paid bonuses based on the volume of data sold.

The ICO are fully aware of all this, and see nothing wrong with it.

Trying to bring either of these organisations to account, is like nailing jelly to a wall.

buglawton

GDPR is incapable of being an old chestnut as it's new this year.
So we are saying that Regulation 27(1)(e) trumps the GDPR rule that information owners (that's us) must within reason be able to choose who the info is shared with?

bargepole

buglawton wrote: »

GDPR is incapable of being an old chestnut as it's new this year.
So we are saying that Regulation 27(1)(e) trumps the GDPR rule that information owners (that's us) must within reason be able to choose who the info is shared with?

We already do make that choice.

When you register your vehicle with the DVLA, there is small print on the V5 form which says that you agree to them sharing your data for lawful purposes.

Johno100

buglawton wrote: »

GDPR is incapable of being an old chestnut as it's new this year.
So we are saying that Regulation 27(1)(e) trumps the GDPR rule that information owners (that's us) must within reason be able to choose who the info is shared with?

It is not a case of one trumping the other. There are exemptions in the GDPR as there were in the DPA if other legislation allows for the release of the data.

System

Slight tweak here though. DVLA are well within the law in sending the information but it is the recipient who has to take care (under GDPR) not to abuse the trust the DVLA has place in them. The abuse of that trust (as confirmed by a court or the ICO) can have them sanctioned or closed down. Many PPCs are sanctioned (the DVLA will confirm) and quite a few have been closed down (the DVLA will confirm)

But what are the differences with GDPR. Ones you can use are

1. Right to be informed. They have to tell you it is being collected and some of the signs have not been changed yet.

2. The Right of Access (a big one as it covers)

* Confirmation that their personal data are being processed (so ask)
* The purposes of the processing (so ask)
* The categories of data being processed (so ask)
* Who their data might be shared with (so ask)
* How long their data will be stored (so ask)
* The source of their data (so ask)
* A copy of their data (so ask)
* Their rights (to erasure, rectification) (so correct)
* How automated decisions are made (so ask)

3. Right to rectification. They have up to one month to do so. Very useful if they are communicating with the wrong address. Saves on those default CCJs.

4. Right to erasure. Such as no compelling reason for its continued processing. Useful with CEL tickets when you were not driving and they don't meet POFA. They will quote EvL against you but it would be a tall order to make that one work if you have a receipt that says you were elsewhere

5. Right to restrict processing e.g. when there's a dispute about the accuracy of the data, people have the right to restrict processing. You can tell them not to pass it on to a debt collector under #3 and #4 above

6. Right of data portability. Going to get hell for this one but you can ask for the information to be passed onto a third party to help with an appeal. An example given is bank midata which means a third party can process all your bank accounts in one place.

6. Right to object. This one is not as clear as it seems as if there is a legitimate reason to process, you can object but they can still process. Choose another one.

7. Rights related to automated decision making. This one is also not clear but should apply to the type of ANPR that ParkingEye do.

So the data landscape has changed. You just need to navigate it now.

ncg

No I'm not surprised. "reasonable cause" ?

Police enforcement of road traffic legislation = Reasonable cause
Collection of Taxes = Reasonable cause
Vehicle Obstructions of any kind = Reasonable cause.

Parking in a privately owned car park = NOT Reasonable cause
with a private company pursuing fines. They don't have any right to fine you, clamp you etc. Why would they have a right to request and get personal data without a VERY good reason. I appreciate that they would argue "how else would they get paid". Very simple answer they have barriers to stop you exiting. You enter with a sign stating the terms you are entering, you can only exit if you comply with those terms, simple no data needs to be obtained unless of course a driver smashed through the barrier but as above this is Police = reasonable cause

I appreciate it may have been talked to death however has anyone actually challenged this in court? or is GDPR to new for that and or DVLA think they are above this particular law? You can't have laws for one and not for another no matter who they are

V5 form might say that you agree to them sharing your data for lawful purposes Its not illegal to park a car in a car park for example so this is not good reason.

bargepole

ncg wrote: »

I appreciate it may have been talked to death however has anyone actually challenged this in court? or is GDPR to new for that and or DVLA think they are above this particular law? You can't have laws for one and not for another no matter who they are

Back in 2012, I did challenge the DVLA under the old DPA. Their response was to forward everything to the Treasury Solicitor's department, who said that they would fight it all the way through the High Court and above, and seek their estimated legal costs of £40k if they won.

I looked down the back of the sofa, but didn't find a spare £40k, so gave up on that one.

But by all means feel free to bring a new Judicial Review under the GDPR, and if you can persuade a Judge that a PPC requesting data does not constitute reasonable cause, we look forward to reading about the case, and the closing down of the electronic link between the DVLA and PPCs, and the entire parking industry disappearing overnight.

System

I appreciate it may have been talked to death however has anyone actually challenged this in court?

Have a read

https://www.bailii.org/ew/cases/EWHC/Admin/2015/1605.html

I don't know how much money you have, but if you want another go best win the lottery first.

Johno100

ncg wrote: »

Parking in a privately owned car park = NOT Reasonable cause
with a private company pursuing fines. They don't have any right to fine you, clamp you etc. Why would they have a right to request and get personal data without a VERY good reason. I appreciate that they would argue "how else would they get paid". Very simple answer they have barriers to stop you exiting. You enter with a sign stating the terms you are entering, you can only exit if you comply with those terms, simple no data needs to be obtained unless of course a driver smashed through the barrier but as above this is Police = reasonable cause.

Well I'm afraid those who could do anything about it (parliament, the courts, the ICO's Office) don't agree with you.

ncg wrote: »

I appreciate it may have been talked to death however has anyone actually challenged this in court? or is GDPR to new for that and or DVLA think they are above this particular law? You can't have laws for one and not for another no matter who they are

The DVLA aren't some autonomous organisation who make the law and rules up as they go along. The DVLA is an Executive Agency of the Department for Transport (DfT) so a part of government and staffed by civil servants. And their job is to administer and facilitate the laws as passed by parliament, not to second guess the meanings of those laws or interpret them as they see fit.

Bottom line, if you want anything changed then lobby your MP for a change in the law.