Smart Parking issued DRPlus letters before NTKs 'by mistake'. BPA & DVLA know. Blind eye turned.



''On the Facebook group(s) we've had a rash of Smart charges where the DRP letter has turned up *before* the (very) out of time NTK.
This would appear to be a clear DPA & KADOE breach...plan to make ICO complaints and/or just sue for data misuse.''
The situation alarmed me and reminded me of what happened last year when Smart Parking had a 'dossier' opened by Steve Clark at the BPA but he said his 'hands were tied' and had no way to check if NTKs had actually been sent earlier, or not.
This time, NTKs were NOT sent earlier and it involves a large batch that the BPA are not prepared to quantify. I found this out when I emailed the BPA and have also now copied in the DVLA. Both appear content (the DVLA has remained silent) that Smart can carry on as if there was no data sharing breach.
Here is the email trail in full: October 2020
Hope you are well? Sorry to say I have an issue here so serious that it will need the DVLA and ICO to be made aware as well (which I will get all the individuals to do, if it is not done by Smart/DRP). But I am starting with an email to you.
I recall last year you were keeping a file on the many reports of Smart Parking, who were passing cases to DRP yet no NTKs were issued, so the first people heard of it was a DRP letter. I realise the BPA CoP/audit system doesn't require proof that any letters were in fact sent, so your hands were tied.
There have been reports of this happening this year too, but this week, it has exploded into a major issue. I have had this message from a Facebook group and some exact same reports from other sources (not just MSE). This is rife:
''On the Facebook group(s) we've had a rash of Smart charges where the DRP letter has turned up *before* the (very) out of time NTK.
Looks like Smart have taken them back from DRP and instead of reporting their data breach to the BPA and ICO, they've issued NTKs on 21/10/2020''
This now proves that Smart Parking have passed cases to DRP first. It seems to me very likely that DRPlus might be able to tell you more about exactly what happened and how the data was prematurely shared with them, because they must have had a lot of calls from people saying the same thing. I am attaching four sets of letters, and the Facebook Group who got in touch with me have even more cases. More are likely next week, given the dates are very recent - all the NTKs I've seen are dated 21/10/2020.
If I've heard of a dozen already, there are likely to be hundreds of cases of KADOE data being obtained without reasonable cause and then shared with DRPlus prematurely.
Presumably it will be very simple for the BPA to check by asking Smart and DRPlus, which of them got the DVLA data and how many cases are involved?
If it was DRP who obtained DVLA data for all the cases they've just handed back to Smart, then it confirms that both parties are involved in the data breach because there can never be any reason for DRP to get DVLA data for Smart Parking. It is not as if DRP issue NTKs for Smart, so DRP should never be looking up DVLA data in a case where no NTK has been issued. DRP would know it hasn't, if the keeper data isn't available. Hope that makes sense?
Seems to me it's a DPA, KADOE and CoP breach. From your investigations, so that I can correctly advise people on MSE and reply back to the Facebook Group and other contacts, I would at least like to know, please:
- that the DVLA have been informed
- that the ICO has been informed
- what Smart are doing about it if people have paid under false pretences, either the extortionate £170 to DRPlus or the £100/£60 this week. People may have done this, relieved to see it's not £170 after all and not realising that their VRMs have been compromised and wrongly shared.
I hope the BPA agree that all these PCNs must be cancelled & refunds made to those victims tricked into paying, appealing or passing on driver details. VRMs are personal data and have been wrongfully shared with DRPlus from the outset. This can't simply be overcome by issuing late NTKs in the hope of getting some driver details and payments and pretending the DPA sharing breach didn't happen and hoping people will pay up.
I hope you agree that it is a significant breach to send cases for debt recovery so prematurely and grabbing the cases back is not the proper way to handle this data breach. Surely the easy way to prevent this from happening again, is if DRP and their ilk insist on the PCN and/or NTK being provided before they issue their unregulated demands and will not issue anything other than a NTK as the first letter, if they are the ones being asked to get the DVLA data.
kind regards,
(CM)
Dear (CM)
Thanks for your note below. I trust you are well and keeping clear of all the surrounding madness - unprecedented times.
I am going to deal with the matter at hand here and I will not be commenting on the past - you and I are poles apart on what may or may not have occurred previously and just because something has occurred here, does not make unproven previous allegations, from the past, true.
I will set out the facts;
- During w.c. 5 October Smart Parking advised me that due to a technical error a batch of PCNs, which had been despatched to their third-party provider had not been sent to the motorists concerned. However, because the motorists had not made them aware, Smart Parking believed that the PCNs had been sent correctly and as no correspondence had been received at Smart Parking, they then escalated those same PCNs to Debt Recovery Plus, who in turn issued their first letter to the motorist.
- Smart Parking further informed me that on being made aware they had instructed DRP to immediately refund all paid, part paid and payment plan monies already taken as a consequence of the DRP letters being sent out.
- As Smart Parking rightly believed that in all cases a potential breach of the advertised Terms and Conditions may have occurred, they informed both the DVLA and me that they would be re-issuing the associated PCNs, thus offering the motorists concerned the opportunity to challenge the PCN via the recognised appeals process or pay at the discounted rate - I support this position.
- This matter was reported verbally to the DVLA by Smart Parking on 6 October and followed up in writing on 7 October.
- With regards to reporting the matter to the ICO, Smart Parking have conducted an internal review in line with their Data Breach Policy. They decided not to report the matter to the ICO but would document everything in line with their Policy. I support this approach as I don’t believe that the matter reaches the threshold of ‘significant harm to the data subject’.
- Going forward and in order to nullify the risk of this happening again, Smart Parking have implemented a reconciliation process with their third party provider(s), which will be monitored daily by their team. Further, they have requested that those same provider(s) review and update their own auditing and communication process’ so that, if issues like the one articulated above are witnessed again, then they are communicated in a timely manner. I believe that this is appropriate rectification.
- On receipt of your e-mail below, I contacted Smart Parking for an update so that I could respond to you and can confirm;
I. That all refunds have been processed.
II. That all PCNs associated with this issue have been reissued.
III. That the organised enhanced checks with our third party provider and the new reconciliation process are working well.
There is no doubt that a mistake has occurred here and I am disappointed that it should happen. That said, Smart Parking reported the matter to me as soon as they were aware and then to the DVLA. Furthermore, appropriate rectification has been undertaken. Subsequently, I don’t believe that there has been a breach of the Code of Practice here and I will not be taking any further action.
A copy of this e-mail will be shared with the DVLA for completeness.
Stay safe
All the best
Steve Clark FBPA
Director of Operations and Business Development
British Parking Association
Dear Steve,
Thank you for the detailed reply which I will share with the Facebook group, MSE and the people who contacted me about this themselves.
My position is this: to re-issue the PCNs as if no data breach had occurred is not 'putting the motorist at the heart of your thinking' and ignores the significant data breach. VRMs are personal data and cannot be shared like this. The very fact some people paid the ludicrous amount of money DRPlus enhanced it by, shows actual detriment to motorists.
Can I clarify please:
1. I take it from your reply, that Smart obtained the DVLA data and then passed not just VRMs, but an entire batch of names and addresses, to DRPlus?
2. The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?
3. How many cases were involved in this batch, please?
4. Re the people who were scared enough to pay an exorbitant sum of money to DRPlus and were refunded...are they still being pursued? Why would that be considered acceptable, given those people have suffered very much more than minor detriment - i.e. they were hounded for a sum they didn't owe and were so scared, they rang DRPlus, were presumably told ''you ignored the first letter from Smart'' and were talked into paying it.
5. How did the breach come to light? Did DRPlus alert Smart due to what people were telling them, as is likely for folk who had no contact number for Smart?
6. Re the below, how could motorists have contacted Smart about an incident they didn't know had happened? In the cases I have seen, these were ANPR images so there were no windscreen PCNs...how could these victims have ''made Smart aware''?
Please do copy the DVLA into this conversation. I am a messenger here because I am not in the Facebook group, but some of the people involved are planning to report Smart to the ICO themselves and/or to sue for data breach, which undoubtedly occurred. Re-issuing non-POFA NTKs doesn't reverse that fact.
kind regards,
(CM)
CM,
Thanks for your note.
Responses to your question {below}
Stay safe
All the best
Steve Clark FBPA
Director of Operations and Business Development
British Parking Association
CM: ''My position is this: to re-issue the PCNs as if no data breach had occurred is not 'putting the motorist at the heart of your thinking' and ignores the significant data breach. VRMs are personal data and cannot be shared like this. The very fact some people paid the ludicrous amount of money DRPlus enhanced it by, shows actual detriment to motorists.''
SC: Thanks for sharing your position, I don’t agree.
What you might be forgetting here, is that Smart Parking keeper details for a legitimate purpose ie, because they believed that a breach of the parking T&Cs may have occurred at the car parks in question. At no time did they seek details that were not appropriate.
CM: ''Can I clarify please:
1. I take it from your reply, that Smart obtained the DVLA data and then passed not just VRMs, but an entire batch of names and addresses, to DRPlus?''
SC: Correct, Smart obtained the data and shared the full details with DRP - standard practice.
CM: ''2. The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?''
SC: Smart Parking identified that there was a potential issue because they received a number of communications via their website where motorists had questioned the receipt of a DRP letter having not received the original NTK. Further, they also received an update from DRP, who explained that they had received a number of such calls.
CM: ''3. How many cases were involved in this batch, please?''
SC: I am not prepared to answer this question.
CM: ''4. Re the people who were scared enough to pay an exorbitant sum of money to DRPlus and were refunded...are they still being pursued? Why would that be considered acceptable, given those people have suffered very much more than minor detriment - i.e. they were hounded for a sum they didn't owe and were so scared, they rang DRPlus, were presumably told ''you ignored the first letter from Smart'' and were talked into paying it.''
SC: It is my contention that in each of the cases, a breach of the parking Terms & Conditions may have occurred. By re-issuing the NTKs, motorists will be able to pay at the lower amount or appeal.
CM: ''5. How did the breach come to light? Did DRPlus alert Smart due to what people were telling them, as is likely for folk who had no contact number for Smart?''
SC: It’s not a breach in my opinion. I refer you to my response to Question 2.
CM: ''6. Re the below, how could motorists have contacted Smart about an incident they didn't know had happened? In the cases I have seen, these were ANPR images so there were no windscreen PCNs...how could these victims have ''made Smart aware''?''
SC: Motorists can and do communicate with Smart Parking via their info@ and appeals@ email addresses which can be found on their website and which were successfully used by motorists on this occasion.
CLICK at the top or bottom of any page where it says:
Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD
Comments
continued:
Dear Steve,
Thanks for that and I am grateful for a quick reply. However, we must agree to disagree and I am copying in the DVLA, so they can be in no doubt that this complaint is not resolved to the satisfaction of the victims of this data breach and the outcome - carrying on as if nothing happened - is wholly unsatisfactory.
I will share our email correspondence with MSE and the Facebook group and will leave it up to the consumers how they handle their cases, of course.
I am disappointed that you have refused to release how many people were affected by this DPA and KADOE breach and that the BPA will not accept that sharing data prematurely with a third party who then demanded an exorbitant sum not owed, is not such a breach. That will be tested by those who decide to sue Smart Parking, especially given the fact that Smart are continuing to pursue those keepers, none of whom are the liable party, being non-POFA all along.
From the fact the BPA avoided answering my specific question #2, I have to conclude from your first email reply that the third party mail provider was the only party who could possibly have been in a position to identify the 'technical error' you mentioned before. Because they were able to confirm that this batch of letters had, as a matter of fact, not been sent, it follows that whether a letter or NTK has been sent (or not) could in theory be easily checked by audits in future, simply by requiring the PPC to obtain, check and store regular service reports from their mail provider.
I'd be surprised if the APAs (and DVLA and/or GIAA) would not be delighted to have a way to check whether a NTK was sent or not, in future, rather than being frustrated that your hands are tied. Hopefully this will become a feature of the new framework, in the interests of transparency and fairness. Last year's cases could have been resolved this way and consumer groups would not still be of the opinion that something similar has happened before.
It would certainly have value to the PPCs at appeal or court stage to be able to show evidence that a NTK was indeed posted, so this would be a very desirable APA, DVLA, GIAA or Scrutiny and Standards Board (whichever is decided to be the most suitable body) audit check, to improve public confidence.
kind regards,
(CM)
SC: Just to clarify, I answered Question 2, it was Question 3 that I declined to answer.
I have closed the file on this case now unless the DVLA and/or the ICO wish to discuss it further.
CM: Dear Steve
At Question 2, I wanted to know this and it was not answered. My point was, it was avoided:
2. The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?
However, it was useful to hear (as consumer groups always suspected) that it was easy to set up a daily reconciliation process. I wonder why this has never been suggested before, so that auditors can spot-check that letters were actually sent. This must be a priority in the PAS/audit framework to resolve a lot of issues.
kind regards
(CM)
SC: I thought that my answer was clear but let me have another go;
2. The third party provider was able to identify a technical error and confirmed that this batch of letters had not been sent?
No, the third party provider did not identify the technical error, the third party provider was made aware by Smart Parking after they had realised something may have gone wrong and initiated an investigation.
It was Smart Parking who identified that there was a potential issue because they received a number of communications via their website where motorists had questioned the receipt of a DRP letter having not received the original NTK. Further, they also received an update from DRP, who explained that they had received a number of such calls.
I hope this is helpful.
Have a nice evening.
CM: Hi Steve,
Thanks for this. We are still poles apart on this complaint. I have shared it with the Facebook group and will do the same on MSE.
The technical problem and confirmation of the fact that letters ''were not sent'' can only have come ultimately from the third party mail provider. And if the third party can provide 'daily reconciliation' data this easily, then this could have been done all along and can be done for every PPC.
I wonder why this has never been done before...
It's not just question 2, there was also the fact the complaint is about wrongly sharing data but you tell me I've missed the fact that Smart could obtain it; not the same thing at all. And it reads as though the BPA was making the excuse ''Smart couldn't have known'' and yet blamed consumers for not contacting Smart in September about letters they never received! This makes no sense. So, I say this: the keepers couldn't have known but conversely, Smart should have known. Surely it's a basic professional standard for a company to know if crucial letters have actually been posted or not, especially given their 'issues' last year.
One final question has come up:
I've been asked to ask: have Smart refunded every payer, even those who didn't also complain?
have a good evening
SC: Good morning CM,
I concur, we are clearly poles apart on this case but my position will remain unaltered and subsequently unless there is a material matter to communicate, I will have to move onto other matters now please.
In answer to your closing question;
Have Smart refunded every payer, even those who didn't also complain?
I have been told this ‘I can confirm that all refunds have been processed’ by Smart Parking
If you come across instances where this is not the case, please share them with me including the PCN numbers.
Have a great day.
PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
-
Lifts carpet, sweeps under, lowers carpet!
-
Read what Pete Wishart MP said recently in the House of Commons about Smart Parking.
"I am sick and tired of receiving emails from people complaining about the behaviour of parking companies, telling me that they will never again visit Perth city centre because of the negative experience they had when they had the misfortune to end up in a car park operated by one of these companies. I have received more complaints about one car park in the city of Perth than about any other issue. That car park is operated by the lone ranger of the parking cowboys: the hated and appalling Smart Parking—I see that many other Members are unfortunate enough to have Smart Parking operating in their constituencies. It has reached the stage where one member of my staff now spends a good part of each day just helping my constituents and visitors to my constituency to navigate the appeals process.
…
The BPA does not have the ability to regulate these companies and has shown no sign whatsoever that it is trying to get on top of some of the sharper practices. The BPA gives a veneer of legitimacy to some of the more outlandish rogue operators by including them in their membership, allowing them to continue to operate. The Bill will oblige operators such as Smart Parking to amend their practices.
You never know how far you can go until you go too far.
-
D_P_Dance said:
Read what Pete Wishart MP said recently in the House of commons about Smart Parking
-
Le_Kirk said: @D_P_Dance sometimes you have to read the thread before you post your standard stuff. This one was started by @Coupon-mad and I doubt she needs any help!
I was quite amused to see, on one of my threads, he posted the advice about how to start a small claim. What else does he think I've been doing all day, every day, for the past three years?
I have been providing assistance, including Lay Representation at Court hearings (current score: won 57, lost 14), to defendants in parking cases for over 5 years. I have an LLB (Hons) degree, and have a Graduate Diploma in Civil Litigation from CILEx. However, any advice given on these forums by me is NOT formal legal advice, and I accept no liability for its accuracy.
-
Well, the sun is over the yardarm!
-
bargepole said: Le_Kirk said: @D_P_Dance sometimes you have to read the thread before you post your standard stuff. This one was started by @Coupon-mad and I doubt she needs any help!
I was quite amused to see, on one of my threads, he posted the advice about how to start a small claim. What else does he think I've been doing all day, every day, for the past three years?
-
Sorry chaps, having had to read European Treaties for five years, I tend to speed read.
You never know how far you can go until you go too far.
-
Well done C-m and I'm sure you do not appreciate such rubbish
This Clark chappie, who on earth gave him the job of "Director of Operations and Business Development" ????
Clark already knows about Smart Parking, the highly respected Pete Wishart MP said "The BPA does not have the ability to regulate these companies" and continued by saying "The BPA gives a veneer of legitimacy to some of the more outlandish rogue operators by including them in their membership, allowing them to continue to operate"
The title of Clark should be changed to "Director of scammers"
Clark should be sacked or resign, to disagree with facts is simply protection for scammers
-
The only surprising thing about this thread is that anybody is surprised by it.
In terms of volume of KADOE requests, and therefore PCNs issued, Smart Parking are one of the BPA's largest operator members, and one of the big spenders at the DVLA for keeper data fees.
The BPA exists to protect the interests of its members, and the more tickets those members issue, the higher their annual BPA membership fees. Of course they aren't going to chuck them under the bus for their misdemeanours, at best it will be a gentle slap on the wrist behind closed doors.
As for the DVLA, the 'data selling team' are incentivised with bonuses based on KADOE volumes, and as has been demonstrated on numerous previous occasions, they don't give a tiny rat's ars3.
One can only hope that the PAS 232 and new enforcement framework will make it harder for these snouts to get into the trough.