Smart Parking issued DRPlus letters before NTKs 'by mistake'. BPA & DVLA know. Blind eye turned.

edited 30 October 2020 at 2:49PM in Parking Tickets, Fines & Parking
16 replies 432 views
Coupon-madCoupon-mad
100K Posts
Part of the Furniture 10,000 Posts Name Dropper Photogenic
✭✭✭✭✭✭
edited 30 October 2020 at 2:49PM in Parking Tickets, Fines & Parking
I got this message last week from a parking FB group:

''On the Facebook group(s) we've had a rash of Smart charges where the DRP letter has turned up *before* the (very) out of time NTK.
This would appear to be a clear DPA & KADOE breach...plan to make ICO complaints and/or just sue for data misuse.''

The situation alarmed me and reminded me of what happened last year when Smart Parking had a 'dossier' opened by Steve Clark at the BPA but he said his 'hands were tied' and had no way to check if NTKs had actually been sent earlier, or not. 

This time, NTKs were NOT sent earlier and it involves a large batch that the BPA are not prepared to quantify.  I found this out when I emailed the BPA and have also now copied in the DVLA.   Both appear content (the DVLA has remained silent) that Smart can carry on as if there was no data sharing breach.

Here is the email trail in full:  October 2020 
Emails between Coupon-mad (MSE) and Steve Clark (BPA)


Dear Steve, 

Hope you are well?  Sorry to say I have an issue here so serious that it will need the DVLA and ICO to be made aware as well (which I will get all the individuals to do, if it is not done by Smart/DRP).  But I am starting with an email to you.

I recall last year you were keeping a file on the many reports of Smart Parking, who were passing cases to DRP yet no NTKs were issued, so the first people heard of it was a DRP letter. I realise the BPA CoP/audit system doesn't require proof that any letters were in fact sent, so your hands were tied.    

There have been reports of this happening this year too, but this week, it has exploded into a major issue.  I have had this message from a Facebook group and some exact same reports from other sources (not just MSE). This is rife:

''On the Facebook group(s) we've had a rash of Smart charges where the DRP letter has turned up *before* the (very) out of time NTK.

 Looks like Smart have taken them back from DRP and instead of reporting their data breach to the BPA and ICO, they've issued NTKs on 21/10/2020''

This now proves that Smart Parking have passed cases to DRP first.  It seems to me very likely that DRPlus might be able to tell you more about exactly what happened and how the data was prematurely shared with them, because they must have had a lot of calls from people saying the same thing.  I am attaching four sets of letters, and the Facebook Group who got in touch with me have even more cases.  More are likely next week, given the dates are very recent - all the NTKs I've seen are dated 21/10/2020. 

If I've heard of a dozen already, there are likely to be hundreds of cases of KADOE data being obtained without reasonable cause and then shared with DRPlus prematurely.

Presumably it will be very simple for the BPA to check by asking Smart and DRPlus, which of them got the DVLA data and how many cases are involved?

If it was DRP who obtained DVLA data for all the cases they've just handed back to Smart, then it confirms that both parties are involved in the data breach because there can never be any reason for DRP to get DVLA data for Smart Parking.  It is not as if DRP issue NTKs for Smart, so DRP should never be looking up DVLA data in a case where no NTK has been issued. DRP would know it hasn't, if the keeper data isn't available.  Hope that makes sense?  

Seems to me it's a DPA, KADOE and CoP breach.  From your investigations, so that I can correctly advise people on MSE and reply back to the Facebook Group and other contacts, I would at least like to know, please:

- that the DVLA have been informed

- that the ICO has been informed

- what Smart are doing about it if people have paid under false pretences, either the extortionate £170 to DRPlus or the £100/£60 this week.  People may have done this, relieved to see it's not £170 after all and not realising that their VRMs have been compromised and wrongly shared.  

I hope the BPA agree that all these PCNs must be cancelled & refunds made to those victims tricked into paying, appealing or passing on driver details.  VRMs are personal data and have been wrongfully shared with DRPlus from the outset.  This can't simply be overcome by issuing late NTKs in the hope of getting some driver details and payments and pretending the DPA sharing breach didn't happen and hoping people will pay up.  

I hope you agree that it is a significant breach to send cases for debt recovery so prematurely and grabbing the cases back is not the proper way to handle this data breach.  Surely the easy way to prevent this from happening again, is if DRP and their ilk insist on the PCN and/or NTK being provided before they issue their unregulated demands and will not issue anything other than a NTK as the first letter, if they are the ones being asked to get the DVLA data.

kind regards, 

(CM)

 

Dear (CM)

Thanks for your note below. I trust you are well and keeping clear of all the surrounding madness - unprecedented times.

I am going to deal with the matter at hand here and I will not be commenting on the past - you and I are poles apart on what may or may not have occurred previously and just because something has occurred here, does not make unproven previous allegations, from the past, true.

I will set out the facts;

Ø  During w.c. 5 October Smart Parking advised me that due to a technical error a batch of PCNs, which had been despatched to their third-party provider had not been sent to the motorists concerned.  However, because the motorists had not made them aware, Smart Parking believed that the PCNs had been sent correctly and as no correspondence had been received at Smart Parking, they then escalated those same PCNs to Debt Recovery Plus, who in turn issued their first letter to the motorist.

Ø  Smart Parking further informed me that on being made aware they had instructed DRP to immediately refund all paid, part paid and payment plan monies already taken as a consequence of the DRP letters being sent out.

Ø  As Smart Parking rightly believed that in all cases a potential breach of the advertised  Terms and Conditions may have occurred, they informed both the DVLA and me that they would be re-issuing the associated PCNs, thus offering the motorists concerned the opportunity to challenge the PCN via the recognised appeals process or pay at the discounted rate - I support this position.

Ø  This matter was reported verbally to the DVLA by Smart Parking on 6 October and followed up in writing on 7 October.

Ø  With regards to reporting the matter to the ICO, Smart Parking have conducted an internal review in line with their Data Breach Policy, They decided not to report the matter to the ICO but would document everything in line with their Policy. I support this approach as I don’t believe that the matter reaches the threshold of ‘significant harm to the data subject’.

Ø  Going forward and in order to nullify the risk of this happening again, Smart Parking have implemented a reconciliation process with their third party provider(s), which will be monitored daily by their team.  Further, they have requested that those same provider(s) review and update their own auditing and communication process’ so that, if issues like the one articulated above are witnessed again, then they are communicated in a timely manner. I believe that this is appropriate rectification.

Ø  On receipt of your e-mail below, I contacted Smart Parking for an update so that I could respond to you and can confirm;

       I.          That all refunds have been processed.

     II.          That all PCNs associated with this issue have been reissued.

    III.          That the organised enhanced checks with our third party provider and the new reconciliation process are working well.

There is no doubt that a mistake has occurred here and I am disappointed that it should happen. That said, Smart Parking reported the matter to me as soon as they were aware and then to the DVLA. Furthermore, appropriate rectification has been undertaken. Subsequently, I don’t believe that there has been a breach of the Code of Practice here and I will not be taking any further action.

A copy of this e-mail will be shared with the DVLA for completeness.

Stay safe

All the best

Steve Clark FBPA

Director of Operations and Business Development

British Parking Association

 

Dear Steve, 

Thankyou for the detailed reply which I will share with the Facebook group, MSE and the people who contacted me about this themselves.  

My position is this: to re-issue the PCNs as if no data breach had occurred is not 'putting the motorist at the heart of your thinking' and ignores the significant data breach.  VRMs are personal data and cannot be shared like this. The very fact some people paid the ludicrous amount of money DRPlus enhanced it by, shows actual detriment to motorists. 

Can I clarify please: 

1.  I take it from your reply, that Smart obtained the DVLA data and then passed not just VRMs, but an entire batch of names and addresses, to DRPlus?

2.  The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?  

3.  How many cases were involved in this batch, please?

4.  Re the people who were scared enough to pay an exorbitant sum of money to DRPlus and were refunded...are they still being pursued?  Why would that be considered acceptable, given those people have suffered very much more than minor detriment - i.e. they were hounded for a sum they didn't owe and were so scared, they rang DRPlus, were presumably told ''you ignored the first letter from Smart'' and were talked into paying it. 

5.  How did the breach come to light?  Did DRPlus alert Smart due to what people were telling them, as is likely for folk who had no contact number for Smart?

6. Re the below, how could motorists have contacted Smart about an incident they didn't know had happened?  In the cases I have seen, these were ANPR images so there were no windscreen PCNs...how could these victims have ''made Smart aware''?

However, because the motorists had not made them aware, Smart Parking believed that the PCNs had been sent correctly and as no correspondence had been received at Smart Parking. 

Please do copy the DVLA into this conversation.  I am a messenger here because I am not in the Facebook group, but some of the people involved are planning to report Smart to the ICO themselves and/or to sue for data breach, which undoubtedly occurred.  Re-issuing non-POFA NTKs doesn't reverse that fact.

kind regards, 

(CM)

 

 

CM, 

Thanks for your note.

Responses to your question {below}

Stay safe

All the best

Steve Clark FBPA

Director of Operations and Business Development

British Parking Association

 

CM: ''My position is this: to re-issue the PCNs as if no data breach had occurred is not 'putting the motorist at the heart of your thinking' and ignores the significant data breach.  VRMs are personal data and cannot be shared like this. The very fact some people paid the ludicrous amount of money DRPlus enhanced it by, shows actual detriment to motorists.'' 

SC: Thanks for sharing your position, I don’t agree.

What you might be forgetting here, is that Smart Parking keeper details for a legitimate purpose ie, because they believed that a breach of the parking T&Cs may have occurred at the car parks in question.  At no time did they seek details that were not appropriate.


CM: ''Can I clarify please: 

1       I take it from your reply, that Smart obtained the DVLA data and then passed not just VRMs, but an entire batch of names and addresses, to DRPlus?

SC: Correct, Smart obtained the data and shared the full details with DRP - standard practice.

 

CM:  ''2. The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?''  

SC: Smart Parking identified that there was a potential issue because they received a number of communications via their website where motorists had questioned the receipt of a DRP letter having not received the original NTK.  Further, they also received an update from DRP, who explained that they had received a number of such calls.

 

CM:  ''3.  How many cases were involved in this batch, please?''

SC: I am not prepared to answer this question.


CM: ''4.  Re the people who were scared enough to pay an exorbitant sum of money to DRPlus and were refunded...are they still being pursued?  Why would that be considered acceptable, given those people have suffered very much more than minor detriment - i.e. they were hounded for a sum they didn't owe and were so scared, they rang DRPlus, were presumably told ''you ignored the first letter from Smart'' and were talked into paying it.''

SC:  It is my contention that in each of the cases, a breach of the parking Terms & Conditions may have occurred. By re-issuing the NTKs, motorists will be able to pay at the lower amount or appeal.

 

CM: ''5.  How did the breach come to light?  Did DRPlus alert Smart due to what people were telling them, as is likely for folk who had no contact number for Smart?''

SC: It’s not a breach in my opinion.  I refer you to my response to Question 2.

 

CM:  ''6. Re the below, how could motorists have contacted Smart about an incident they didn't know had happened?  In the cases I have seen, these were ANPR images so there were no windscreen PCNs...how could these victims have ''made Smart aware''?''

However, because the motorists had not made them aware, Smart Parking believed that the PCNs had been sent correctly and as no correspondence had been received at Smart Parking.  

SC:  Motorists can and do communicate with Smart Parking via their [email protected] and [email protected] email addresses which can be found on their website and which were successfully used by motorists on this occasion.

 

 

PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
CLICK at the top of this/any page where it says:
Forum Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD
«1

Replies

  • D_P_DanceD_P_Dance Forumite
    9.9K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    ✭✭✭✭

    Read what Pete Wishart MP said recently in the House of commons about Smart Parking.


    "I am sick and tired of receiving emails from people complaining about the behaviour of parking companies, telling me that they will never again visit Perth city centre because of the negative experience they had when they had the misfortune to end up in a car park operated by one of these companies. I have received more complaints about one car park in the city of Perth than about any other issue. That car park is operated by the lone ranger of the parking cowboys: the hated and appalling Smart Parking—I see that many other Members are unfortunate enough to have Smart Parking operating in their constituencies. It has reached the stage where one member of my staff now spends a good part of each day just helping my constituents and visitors to my constituency to navigate the appeals process.

    The BPA does not have the ability to regulate these companies and has shown no sign whatsoever that it is trying to get on top of some of the sharper practices. The BPA gives a veneer of legitimacy to some of the more outlandish rogue operators by including them in their membership, allowing them to continue to operate. The Bill will oblige operators such as Smart Parking to amend their practices.


    You never know how far you can go until you go too far.
  • Le_KirkLe_Kirk Forumite
    16K Posts
    Eighth Anniversary 10,000 Posts Photogenic Name Dropper
    ✭✭✭✭✭
    Well, the sun is over the yardarm!
  • BrownTroutBrownTrout Forumite
    2.1K Posts
    1,000 Posts Second Anniversary Photogenic Name Dropper
    ✭✭✭✭
    bargepole said:
    Le_Kirk said:
    @D_P_Dance sometimes you have to read the thread before you post your standard stuff.  This one was started by @Coupon-mad and I doubt she needs any help!
    I know, he sprays these template phrases around like confetti.

    I was quite amused to see, on one of my threads, he posted the advice about how to start a small claim. What else does he think I've been doing all day, every day, for the past three years?
    Re arranging your garden gnomes?
  • D_P_DanceD_P_Dance Forumite
    9.9K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    ✭✭✭✭
    Sorry chaps, Having had to read European Treaties for five years, I tend to speed read.
    You never know how far you can go until you go too far.
  • edited 30 October 2020 at 7:23PM
    beamerguybeamerguy Forumite
    17.6K Posts
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    ✭✭✭✭✭
    edited 30 October 2020 at 7:23PM
    Well done C-m and I'm sure you do not appreciate such rubbish

    This Clark chappie, who on earth gave him the job of "Director of Operations and Business Development" ????  
    Clark already knows about Smart Parking, the highly respected Pete Wishart MP said "The BPA does not have the ability to regulate these companies" and continued by saying "The BPA gives a veneer of legitimacy to some of the more outlandish rogue operators by including them in their membership, allowing them to continue to operate"

    The title of Clark should be changed to "Director of scammers"

    Clark should be sacked or resign, to disagree with facts is simply protection for scammers


Sign In or Register to comment.
LATEST NEWS AND DEALS