'PCN NOW CANCELLED' data privacy & complaints NPC Group, DCB Legal, DVLA, IPC, ICO & MP

Thorndorise

Coupon-mad said:

'Members' of the ICO, eh?!

I know right, I couldn't quite believe what I was reading... Bless them.

Anyway, like I said I just couldn't help myself...

Dear Head of customer services X & NPC's DPO

Thank you very much for your prompt response.

You have made an incorrect assumption in your email, it must be stressed that it is not claimed that I am the driver and no conclusions to that effect can be drawn from any statement herein, I am writing to you as the keeper of a vehicle. Forgive me but some of your sentences do not make sense, some look hurried or cut and pasted – but it’s believed your intent came across well.

For the avoidance of any doubt, this complaint is not specific to the PCN previously mentioned, it is a standalone complaint about data handling, thus should be treated as such and not an appeal.

First off, this email was sent to the DPO about a breach of data protection, your response doesn't even appear to include your DPO in the reply - leading me to believe that NPC are not taking any complaint about data protection seriously. Feel free to correct me on this matter by a complete response from your DPO detailing where and how NPC’s 'membership' of ICO allows you to share personal details with a third party without it being explicitly shown in NPCs privacy policy.

And, before I continue, NPC’s complaints policy cannot be found with the privacy policy on your website. Mainly as this is a ‘privacy policy’ – and not anything else (if you are referring to the mention of complaints within that privacy policy you will note that this is for complaints about your privacy policy and the use of personal data – and is not per the below guidance from ATA either). NPC are required by your own ATA CoP to have a complaints policy published on their website…as you seemed to have missed this reference from my last email I am including the relevant section from your IPC CoP so that you can read it, and action it accordingly;

21. Complaints handling

21.1 The parking operator must have and follow a documented policy and procedure to receive, evaluate, make and record its decisions on complaints in a non-discriminatory manner, in accordance with the requirements of the accredited parking association (including escalation where the complainant is dissatisfied) to which it belongs, published on its website, including the action a complainant can take where dissatisfied with the operator’s determination of their complaint. Where complaints will only be considered if received in writing (hard copy or by e-mail) the parking operator must ensure that the address to which complaints are to be sent is readily available e.g. on signs and on the operator’s website.

As such, it is expected that a copy of your complaints policy will be forwarded to by reply per my original request, and as you are required to do by your own quoted CoP.

COMPLAINT 1

You've stated that this site in question has been audited by your ATA (IPC). What your response doesn’t say, is when that was done (other than before enforcement commences). Or rather, what that audit entails?

You clearly state that “all your sites are individually audited” – what does this mean? – a visit from IPC to the site? A ‘sign-off’ of a plan and potential contract with the landowners? You get my drift…that statement is as clear as mud. You also mention the signs being audited, but not specifically at this site in relation to their location. Therefore, if the signs haven’t been placed properly by NPC or the landowner then there is absolutely no way that NPC can create a contract with a motorist, this is a pivotal threshold for which any private parking firm must cross to be able to issue PCNs.

Possibly there has been some confusion as to the exact location of parking that is managed by yourselves that requires permits. (given the incorrect wording on your T&Cs signs on site, there is only one car park on the site that conforms with those signs - and it ain't the one that the driver was allegedly parked in). It's clearly been shown in the previously attached images that NO entrance signs are in existence from commencement of enforcement and up until last week.

You seem proud of your audit, perhaps you could share a copy with me - if this is to be the grounds for your defence in court (and it sounds as though it is), then I don't see the harm - further to this you have been presented evidence to the contrary, by contrast NPC have presented nothing - and a court will see straight through this ploy. You have not been able to evidence your claim, and until you do, the complaint 1 remains open until answered fully (as you know the courts will ask NPC as a complainant to full burden of proof).

Thus, COMPLAINT 2 also stands as it has been evidenced NPCs lack of adherence to your contract with the DVLA/KADOE and as such NPC have illegitimately acquired the keeper’s details, by stating that you have adhered to your ATA CoP. Again, the burden of proof is with NPC, not some words in an email, but actual proof (as you have been provided).

NPC have to prove a contract was formed by adhering to your own IPC CoP in the correct placement of signage. Is it possible the Audit IPC performed on this individual site was faked somehow, or they were misled perhaps? (e.g. the Audit is done on paper and a plan showed where it was planned to put signs), or the audit didn’t happen, or you installed signs for the audit and they were possibly removed after the audit by another party (or yourselves maybe)? These are the only scenarios that explain the evidence presented in the last email which clearly shows lack of clear signage (I don’t mean to be rude here, but this is not rocket science, if NPC can’t get that simple piece correct then as a company you’re in the wrong game)!

COMPLAINT 3

NPC are not members of the ICO. The ICO is an independent body that oversees organisations that process personal data as is required by the Data Protection Act 2018. NPC have merely paid a Tier 1 fee.

NPC are not allowed to share information with DBCL, as NPC have not named them as one of the recipients, or categories of recipients, with whom NPC share data with, in your privacy policy - see GDPR Article 30(1)-(2) and Recital 82.

Given it can be proven within this email that NPC have a) breached contract with DVLA, acquiring keeper details knowingly or unknowingly without reasonable cause (non-adherence to an ATA CoP), thus b) processing said details in breach of GDPR and the data protection act 2018 and c) transferring those details to unlisted recipient in breach of GDPR and the data protection act 2018, NPC must by law, take the previously recommended actions.

There is no reason why this should not be delayed, your prevarication in your response shows NPC to be solipsistic – thus those reports will be made without further notice. However please do not forget you are required to provide me with your complaints policy by reply (of course any and all corrective action requested previously must be implemented also).

Yours Faithfully

Me

Humdinger1

Clever and hilarious! Surely there must be one person who understands this at their end...

Thorndorise

Humdinger1 said:

Clever and hilarious! Surely there must be one person who understands this at their end...

Thank you, I cannot take any credit really, I'm inspired by the strong wording of the experts on here, and the PPCs annoy me.

You would really hope that they would be able to stop wasting their money, but no - it appears not. Don't get me wrong nothings a slam dunk (well actually that isn't true as some of the cases really are), but this may end up in court. Hey ho

Thorndorise

Further to this, I am very keen that DCB group don't get away lightly on this either and have politely asked them to hold then scrub my details from their database, based on the previous findings about NPCs breach of their CoP, therefore sourcing keeper details from the DVLA illegitimately.

My first letter was the push back on the VAT question as frankly their answer was the usual tosh, I sent both a reply and a subsequent letter penned earlier in this thread by @LDast

So twofold, VAT answer and then the DPO element to look into NPCs shadiness - I also wanted to make sure (not that they give a monkey's) that DCB Group are very likely to have received details from NPC, and on the assumption that I am correct about NPC's privacy policy falling foul of GDPR (which I think it is), DCB may have to do some backtracking...(or not)

Dear DCB legal (& DCBL re the DP complaint below)

I wrote the email below over 7 working days ago with no response (other than your automated one).

There is a clear and concise request per the Pre-Action Protocol which has yet to be answered, Sadly X's response did not satisfy the question and the answer was incorrect (sorry X, not meaning to call you out on this specifically - but sadly all of DCB legal's responses to these requests are the same - and deliberately misleading). Therefore you have not satisfied your role within the pre-action protocol and until this request is adequately and appropriately fulfilled, by law, you must not move forward with any claim until you have answered this question without subterfuge about VAT (evidenced in my response below).

Further to this, and as a separate matter for the attention of the DPO (At both DCB Limited and DCB Legal Limited)

DATA PROTECTION COMPLAINT

The keeper's details have been passed to DCB Legal from your counterparts (subsidiary/sister company etc) DCB Limited. However it has come to the keepers attention that these were acquired illegitimately by your client, and that there was no explicit or implied policy in place to allow them to share with yourselves.

The Private Parking Company, National Parking Control Group Limited (NPC hereafter, your client) made a number of mistakes when acquiring and processing the keepers data, namely;

1. Breached their contract with KADOE/DVLA, in failing to ensure that adequate signage as mandated by their ATA code of practice were in place on the the site of the alleged parking incident on the date in question (burden of proof sits with NPC, and as an SRA registered legal company, before proceeding you need to be able to prove you have adequately assessed all the knowledge you have acquired).
2. As NPC failed in their contract terms with KADOE/DVLA - they had no reasonable cause (or legal basis or public task) to request the data subjects details (a separate complaint has gone to the DVLA for allowing the breach of their contract with NPC).
3. in addition, NPC also failed to inform any data subject that they would be passing the data subject details to a third party in their privacy policy (as is mandated by GDPR law - Regulation EU 216/679 (the General Data Protection Regulation), the Data Protection Act 2018), specifically any mention of a third party working on their behalf (or subcontracted) to recover any alleged debt. (ref: https://www.nationalparkingcontrol.co.uk/privacy-policy ).
4. Lastly, DCB Legal now are aware that they cannot process the data subject's personal details through any of the legal bases shown under section 8.7 Service delivery of their privacy policy.

Now that you have been made aware of these legal failings (and they are a breach of law), you are required to do the following;

1. Immediately suspend any action relating to the use of the keeper's details.
2. Immediately move the keeper's details to a firewalled area on your servers.
3. Investigate the above claims (as per your own Code of Ethics, Credit Services Association (CSA) Code of Practice, and SRA Regulations)
4. If NPC (your client) have been found to be in breach of their own privacy policy (it will literally take a solicitor a maximum of 30 secs to do this), then you must erase the keeper's details from the company systems with immediate effect (that is DCB Legal Limited and DCB Limited, and any other affiliate companies that share the systems).
5. Report yourselves to the ICO for failure to check your clients data processing, and receiving and processing subject data with no legal basis to do so.

It is highly likely that you have received other individual's personal data from NPC, as such - and at the very least I would expect you to retrospectively contact and apologise to each and every one of those customers for your failings with respect to due diligence and processing their personal data outside the remit of a lawful basis. As this has much larger ramifications than this keeper in question - you should most likely report yourselves to your respective industry bodies, namely ther CSA for DCBL and the SRA for DCB Legal. please confirm that this has been done, otherwise it will fall upon this keeper to do so without warning, as is the severity of this breach.

It is expected that you comply with these corrective actions immediately and keep myself updated. Given the gravitas of the above failures, the requirements above are not unreasonable and would not cause a firm such as yourselves undue cost or burden. Please be aware I am not requesting information on my personal data (therefore do not have to provide any forms of ID), I am enforcing my legal right to request that you stop using my illegitimately acquired data immediately.

Love
Me
PS I didn't put love

Thorndorise

I've seen a few things on incentivisation - and it seems from the IPC code it is allowed to improve the quality of the work, rather than volume - does this fee like it's the right message?

LDast

Keep grinding on at them. Whilst there is likely to be little resolved at the end of this, it is satisfying knowing that they will be scrambling to find answers and digging holes for themselves.

I have a similar case going on where (not so) Smart Parking applied through KADOE for keepers details but failed to do the requisite manual checks and because the ANPR "misread" the VRM, they didn't notice that the vehicle in the ANPR images was a completely different make, model and colour from the details in the DVLA data. The Keeper of the vehicle whose DVLA data was issued, complained to Smart who then cancelled the PCN but failed to offer compensation for the distress and anxiety caused and so have now been sent an LoC for several £hundred for compensatory damages.

The DVLA received a complaint and tried to brush it odd as they had received a "reasonable cause " request and upon their investigation, it was a simple ANPR "misread". It has been pointed out to the DVLA, whilst Smart mad reasonable cause to request the data, they subsequently used that data unlawfully because they didn't carry out the requisite manual checks. So, a simple "misread" of an ANPR image does not absolve the operator from their subsequent unlawful use of the DVLA provided data and as per the KADOE contract, the DVLA, having been notified of the misuse of data provided by them, warrants more than a cursory dismissal as a "simple ANPR misread" and appropriate sanctions should be made by the DVLA.

In progress, but still keeps both Smart and the DVLA on their toes, hopefully.

Thorndorise

LDast said:

Keep grinding on at them. Whilst there is likely to be little resolved at the end of this, it is satisfying knowing that they will be scrambling to find answers and digging holes for themselves.

I have a similar case going on where (not so) Smart Parking applied through KADOE for keepers details but failed to do the requisite manual checks and because the ANPR "misread" the VRM, they didn't notice that the vehicle in the ANPR images was a completely different make, model and colour from the details in the DVLA data. The Keeper of the vehicle whose DVLA data was issued, complained to Smart who then cancelled the PCN but failed to offer compensation for the distress and anxiety caused and so have now been sent an LoC for several £hundred for compensatory damages.

The DVLA received a complaint and tried to brush it odd as they had received a "reasonable cause " request and upon their investigation, it was a simple ANPR "misread". It has been pointed out to the DVLA, whilst Smart mad reasonable cause to request the data, they subsequently used that data unlawfully because they didn't carry out the requisite manual checks. So, a simple "misread" of an ANPR image does not absolve the operator from their subsequent unlawful use of the DVLA provided data and as per the KADOE contract, the DVLA, having been notified of the misuse of data provided by them, warrants more than a cursory dismissal as a "simple ANPR misread" and appropriate sanctions should be made by the DVLA.

In progress, but still keeps both Smart and the DVLA on their toes, hopefully.

Very interesting indeed. I totally agree that pressing gently against them will mean they will eventually fall over. Either by a silly mistake or writing something stupid in an email ("We are members of ICO, we are allowed ...." blah blah blah). There is certainly not that much wriggle room in these complaints when they knuckle down to the details.

I will be pressing DVLA on this also, their due diligence and failure to follow up on complaints is pretty shocking. What I've actually found incredibly hard to do is find their data breach complaints email - it is nigh on impossible, and actually there is misleading info on the Gov.uk site that sends you off in all directions, I've had to try 4 different emails to get the right one, and I class myself as half intelligent!

Keep us posted on your case too., thanks for sharing

Nellymoser

@Thorndorise are you aware of What do they know FOI request site. There are plenty DVLA FOI requests re private parking issues/email exchange to view. It can prove a bit time consuming searching and sometimes leaves you surprised when they say "DVLA does not hold the information requested." 
The DVLA told me they delete complaints not upheld after 90 days. I think that could only be viewed as bad practice. 
Liking/following your complaint 😊

https://www.whatdotheyknow.com/list?utf8=✓&query=DVLA+BPA&request_date_after=&request_date_before=&commit=Search#results

1505grandad

Usually always agreed/backed by the ICO:-

https://ico.org.uk/media/action-weve-taken/decision-notices/2023/4027469/ic-255825-q6g3.pdf

1. The complainant has requested information about Accredited Trade Associations. The Driver and Vehicle Licensing Agency (“DVLA”) stated that it does not hold information within the scope of the request.
2. The Commissioner’s decision is that, on the balance of probabilities, the DVLA is correct when it says that it does not hold any information within the description set out in the request.
3. The Commissioner does not require the DVLA to take any further steps.

Thorndorise

Thanks @1505grandad @Nellymoser
I had read some of those FOI requests, and totally agree that not only is it bad practice (and tbh unusual in terms of normal complaint retention), it's even worse that the ICO didn't hold them to account on it.

The ICO will also be getting contact from me on this, on multiple accounts, although the problem doesn't appear to be as recognised as one would hope, I'm hoping that by keeping applying pressure something will break eventually (ever the optimist)!