DVLA GDPR Breach

BiliousGreen
Posts: 51 Forumite

So I just had an interesting conversation with someone from the ICO about the DVLA and their release of details and it appears there may be a chink in their armour after all. It would be interesting to get your take on it!
On face value the DVLA must be sure that they are releasing and sharing data correctly. Anyone can request your data but the DVLA are responsible if they decide to disclose. It is the automation that may catch them out. They can release effectively in order to allow an entity to pursue legal/contractual recourse. However with car parking firms it appears that they simply trust this requirement is in place in every request and release based on the requester's membership of the BPA. They have to be doing this in an automated manner due to the scale with which they release data. It is the automation that may be the chink.
I illustrated a case to the chap from the ICO whereby a firm uses ANPR to catch your reg going in and out of a car park and then applies for details. Most likely all automated. The DVLA then automatically discloses. But... on inspection the signage doesn't meet the standard to create a contract or is prohibitive and not offering a contract. In both cases the requester has no right to your data but have requested anyway as it's automated. The data has been disclosed. The ICO chap felt that this could well be a data breach!!!! It would be for the DVLA to satisfy themselves that there are grounds to release. In these cases there isn't. The automation has been the issue. It wasn't clear if you would have to go to court first to establish that there was no contract to be enforced.
Essentially the DVLA shouldn't be allowed to simply assume grounds exist in every case based on membership of the BPA. Apparently this hasn't been tested but the ICO chap felt that on face value this could have legs as the DVLA should be checking the grounds on every request and satisfying themselves that they exist. In areas like this where it could be disclosed incorrectly due to trust in automation they may well be breaching GDPR. ICO was interested to hear more.
Comments
-
The PPCs always state when challenged that their signage conforms to the BPA COP, and each site is audited annually. Personally seeing signage I believe this is a lie as so many sites have non-conforming signage it just cannot be true.
Is it not about time these audits are part of the evidence request at POPLA stage, and sent to the DVLA for comment?
-
This has been discussed before and the regulars came to the same conclusion. I believe the GDPR says there must be some human intervention/checking but this is bypassed by the KADOE auto system.
Well done on getting this from the ICO. Would it be possible for you to follow this up and get it in writing from your ICO contact?
I think in cases where the signs are forbidding or are proven to have failed the BPA CoP, such as at PoPLA, then complaints to the DVLA and ICO should be made. Similarly, "own space" cases where a resident's lease comes into play would also be a good way to challenge this with the ICO and DVLA.
Since there is no viable means to get signage thrown out at IAS stage for IPC scammers, a different approach may be necessary.
I married my cousin. I had to...I don't have a sister.
All my screwdrivers are cordless.
"You're Safety Is My Primary Concern Dear" - Laks
-
Essentially the DVLA shouldn't be allowed to simply assume grounds exist in every case based on membership of the BPA.
The big problem is that it needs a committed (and possibly wealthy) crusader to see it through to a conclusion.
Please note, we are not a legal advice forum. I personally don't get involved in critiquing court case Defences/Witness Statements, so unable to help on that front. Please don't ask.
I provide only my personal opinion, it is not a legal opinion, it is simply a personal one. I am not a lawyer.
Give a man a fish, and you feed him for a day; show him how to catch fish, and you feed him for a lifetime.
Private Parking Firms - Killing the High Street
-
Apparently not as the ICO will take it on as a GDPR breach. Doesn't have to be done privately.
-
Can't really get it in writing as it was really just a 'does this sound right to you' chat. A specific case would have to be reported to the ICO for them to formally evaluate. As he said, 'even if the automation works in 99% of the cases, they are not allowed to simply accept a 1% data breach rate'. Every disclosure must be in line with policy and a wrongful disclosure is a breach. Just on numbers alone and the errors I have seen in my short time looking at these the wrongful disclosures must be mounting up due to the automation involved.
-
There was a suggestion on here at some point that the DVLA should be sent a "I do not consent for you to release my (keeper) data without first checking with me, the data subject" when someone has received a NTD.
I think we should start advising people of this with the comment that to do so where there is no contract (forbidding signs or own space for example) is a GDPR breach according to the ICO, or similar wording.
Anywhere that a PoPLA appeal has been upheld for no landowner contract/authority, byelaws apply, or own space etcetera should be followed by an ICO complaint with copy to the DVLA.
-
I put in an FoI request to the DVLA back end of last year asking what steps they had taken to ensure the PPC's were compliant with GDPR prior to the release of any info.
Answers on the back of a postcard
Give you a clue, one word 4 letters
Private Parking Tickets - Make sure you put your Subject Access Request in after 25th May 2018 - It's free & ask for everything, don't forget the DVLA
-
The DVLA won't want anyone or anything threatening the interruption of their £17.5million gravy train income from those data releases to the PPC network (7million x £2.50 a pop).
Such easy money. I can't see even the highest flying of entrepreneurs making that amount with such little effort.
-
I don't know that it is a data breach for sure, just that the ICO thought it could be. Next case that comes up needs to test it. I suspect that it would be interesting as the DVLA will no doubt say they have no way to know if the request is genuine, but to me that would mean they don't have grounds to release rather than they do. If enough people could get together with these types of issues, where there were really no grounds for the initial PCN to be sent, then there is a chance the ICO could put a stop to the automated element of the practice or require that the parking companies and the DVLA are put to a much higher level of proof for the disclosure.
If anything is going to stop this scam it's going to be something like this that forces manual checking with higher proof for disclosure as that will suddenly make it far less scalable and therefore profitable for the companies and the DVLA.
-
manual checking would close down ANPR/POFA cases within a matter of days, this in effect would kill off 50-75% of all BPA members and close down the BPA, POPLA could not cope,
the end, or a saving grace for the IPC
This discussion has been closed.