This is an HTML version of an attachment to the Freedom of Information request 'Security and privacy provisions for personal information submitted via the Vehicle Licensing Online website'.

Driver and Vehicle Licensing Agency
Financial Accounting Unit
D 7
DVLA
Longview Road
Swansea
SA6 7JL

Telephone: 01792 783792
Fax: 01792 788250
Email: [email address]
Website: www.direct.gov.uk/motoring

Tom Finnie
[FOI #384 email]

Your Ref: Email of 16th May 2008
Our Ref: FOIR 1064
Date: 17th June 2008

Dear Mr Finnie,

Freedom of Information Request

The Driver and Vehicle Licensing Agency has now completed its search for the information you requested in your email of 16th May 2008. I apologise for the late reply on these questions.

In your email you asked the following questions:-

  1. Does the DVLA retain information submitted on the site and if so for how long? a) For card details. b) For email addresses. c) For phone numbers.

  A) Card details are retained for a period of 18 months.

  B) and C) We do not hold email addresses or phone numbers as part of this system.

  2. For all information please enumerate the current and envisaged purposes to which they are/will be put.

All card details and related information are collected and used solely for the purpose of processing the vehicle licensing transaction and related payment.

  3. If the card details are retained by DVLA (and not passed directly to a third-party card processor) a) are they kept in encrypted form on the DVLA database? b) what encryption scheme is used? c) approximately how many people in DVLA have access to these records? d) what protection is in place to prevent wholesale downloading of the database? e) is this database available to anyone outside of DVLA (including hired-in consultants)?

DVLA retains data and so would our card processor (Barclays Bank PLC).

  A) Card details are kept on our database in an obfuscated form rather than an encrypted one.

  B) and D) replies to these two questions are presently being withheld. Please see below.

The Freedom of Information Act obliges us to respond to requests promptly, in any case no later than 20 working days after receiving your request. However, when a qualified exemption applies to the information, the public interest test needs to be considered. We are not required to comply with your request until such time as is reasonable in the circumstances. We do, of course, aim to make all decisions within 20 working days, including in cases where we need to consider where the public interest lies in respect of a request for exempt information. Your request, however, raises complex public interest considerations which must be analysed before we can come to a decision on releasing the information.

The exemptions that we are considering to the information you have requested are referred to in Section 31(1)(d) - tax - Prejudicial to the assessment or collection of taxes and Section 40(3)(a)(i) Personal Information, of the Freedom of Information Act 2000.

In your case we need to extend our response time limit by 20 working days in order to assess whether the public interest is in withholding the information or disclosing it. Therefore, we plan to let you have a response by 15th July 2008. If there is a need for any further delay we will keep you informed.

C) There are approximately 20 people with access to this database.

E) DVLA has IBM and Fujitsu as IT partners and as such some (very few) employees from these companies would have access to this information for IT related activities. They are included in the 20 people quoted as an answer to C) above. All those who have access to this database have satisfied appropriate security vetting criteria.

  4. If the card details are passed directly to a card processor a) Who are they? b) Are they regulated by the FSA? c) Does all information remain on UK soil (if not, why not)? d) How long do they retain the information?

  A) The DVLA uses Barclaycard Business as its card payment processing organisation.

  B) Barclaycard Business is a part of Barclays Bank PLC and as such is regulated by the FSA.

  C) All information is processed/stored in centres within the UK.

  D) Information is retained in line with UK banking industry standards - card details are held for 6 years and 1 day.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988. You are free to use it for your own purposes, including any non-commercial research you are doing and for the purposes of news reporting. Any other re-use, for example commercial publication, would require the permission of the copyright holder.

Most documents supplied by the Driver and Vehicle Licensing Agency will have been produced by government officials and will be Crown Copyright. You can find details on the arrangements for re-using Crown copyright on the Office of Public Sector Information website at:

http://www.opsi.gov.uk/click-use/index.htm.

If you are unhappy with the way the Agency has handled your request, you may ask for an internal review. You should contact Stuart Martinson, CMS, C3 East, DVLA, Longview Road, Morriston, SWANSEA, SA6 7JL, or by email, [email address] if you wish to complain in the first instance. If you are not content with the outcome of the internal review, you have the right to apply to the Information Commissioner for a decision. The Information Commissioner can be contacted at:-

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow
Cheshire
SK9 5AF

If you have any queries about this letter, please contact me. Please remember to quote the reference number above in any future communications.

Yours sincerely

David J Morgan

Financial Accounting Unit

 
