Unlawful Release of Data


Dear Driver and Vehicle Licensing Agency,

On the 28th April 2010 the Secretary of State’s office forwarded to you guidance on making registered keeper data available to Local Authorities and which read as follows:-

PART 6 OF THE TRAFFIC MANAGEMENT ACT 2004 (TMA) - DFT OPERATIONAL GUIDANCE TO LOCAL AUTHORITIES: PARKING POLICY AND ENFORCEMENT
INFORMATION FROM DVLA ABOUT THE REGISTERED KEEPER

It has recently been identified that some of the advice in relation to DVLA release of registered keeper details in the Department’s operational guidance (published in March 2008) needs to be updated. I am writing to inform you of the details and that we will be amending our guidance very shortly to reflect this.
Background
Paragraph 10.40 of the guidance conveys that an authority should request details of the registered keeper from DVLA at least seven days before the NtO is due to be served. However, at the recent DVLA Parking Focus Group meeting with local authorities, this issue was discussed and it was concluded that local authorities should only make such a request 28 days after the PCN is served, if it remains unpaid (which is the point at which an NtO can be issued).
Justification
This is on the basis that the keeper has 28 days to reply and DVLA should not release their personal details until after that period has expired. DVLA has been advised that to release these details before this time would be a breach under the Data Protection Act 1998 and leave the local authority open to challenge from the keeper.
Amendment to DfT Operational Guidance
Accordingly, paragraph 10.40 of the guidance will be amended to read:
“10.40 An authority should request the name and address of the registered keeper from DVLA only after the period of payment for the PCN has expired and it is still unpaid. These details are only to be used to issue the NTO and collect outstanding monies. The details cannot be used to issue other correspondence (e.g. reminder letters) prior to issue of the NTO. For each unpaid PCN, the local authority needs to provide DVLA with the vehicle registration number and the date of the contravention. Requests may be submitted via dedicated, secure electronic links or established paper channels. DVLA tries to process data sent by electronic link during the following night if received before 5pm. Requests processed during the night will usually be returned by 7 am the next day.”
The amended guidance will be available on the DfT website (www.dft.gov.uk) very shortly.
Clint D’Souza
Traffic Regulation and Enforcement Branch

Under the provisions of Schedule 4 of the Protection of Freedoms Act (POFA), Private Parking Companies (PPCs) are specifically prohibited from requesting data from the DVLA -
a. Until 28 days have elapsed following the issue of a ticket in respect of a vehicle infringing the terms and conditions of parking in a private car park, and
b. More than 14 days after an offending vehicle has been spotted using ANPR in a private car park

From the provisions of the POFA and the Data Protection Act (DPA), it is clear that the data controller, the DVLA, cannot make registered keeper data available to anyone who is statutorily prohibited from requesting such data. Any such unlawful request must be refused and the applicant reminded of the provisions of the POFA. Registered Keepers have a reasonable expectation that the Data Controller will process their data lawfully.

I would draw your attention to the following:-
http://www.whatdotheyknow.com/request/pr...
From your response it is clear that at the time of that request the DVLA did not have any protocols in place to prevent the release of data to those who are legally prohibited from requesting it.

It flows from the guidance of the 28th April 2010 that the same safeguards must be in place in the case of PPCs. Why should they be treated any differently? In the light of the guidance the position of the DVLA, if it still does not have such an arrangement in place, is quite untenable.

The argument for a similar protocol for PPCs, now that we have the POFA, remains the same as in that 2010 guidance - "DVLA has been advised that to release these details before this time would be a breach under the Data Protection Act 1998".

I would be grateful if you could confirm that arrangements are in place which guarantee that
a. Each application for registered keeper data is checked to ensure that it is within the statutory time limits specified in the POFA
b. no registered keeper data will be made available to any PPC who has requested the same contrary to those requirements set out in Schedule 4 of the POFA 2012.

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Dear Mr Phil

Thank you for your e-mail. The DVLA is replying to you as routine business not through the terms of the Freedom of Information Act 2000.

The questions you asked and the relevant answers are:

I would be grateful if you could confirm that arrangements are in place which guarantee that
a. Each application for registered keeper data is checked to ensure that it is within the statutory time limits specified in the POFA
b. no registered keeper data will be made available to any PPC who has requested the same contrary to those requirements set out in Schedule 4 of the POFA 2012.

To clearly explain the processes in place, I will provide a response to your queries separated into both manual and electronic enquiry channels.

Paper Channel

a. Enquiries that are submitted using a V888/3 application form are checked by clerks within the DVLA. Part of this check involves checking the date of the enquiry and the date of event to help make a decision on whether the information requested can be released. This process requires the car parking company to state whether the purpose of the request is to issue a parking charge or to chase up payment of a parking charge. The relevant timescales are then considered.

b. Any enquiries submitted outside of the requirements of POFA 2012 would be rejected.

Electronic Channel

a. Enquiries submitted via the electronic channel are not subject to these checks as the enquiries are not checked upon submission. Electronic enquiries may only be submitted in line with the contract between the DVLA and the customer and these enquiries must be submitted in accordance with POFA 2012.

b. If it transpires that enquiries have been submitted outside of the requirements of POFA 2012, the DVLA will investigate this matter and take any action deemed necessary.

Regards,

Data Sharing Team
DVLA


Dear FOI FOI,

Many thanks for your reply. It is noted that all applications from members of the BPA are not checked to ascertain whether they are compliant with the POFA.

1. As you have taken the view that data release before the end of a relevant period would be unlawful (in the case of Local Authority applications) do you recognise that any release of data, where the request has been submitted before or after the relevant POFA date, is also a breach of the Data Protection Act? If the answer is no then perhaps you could explain your thinking

2. Under the Seventh Data Protection Principle are you not required to have appropriate technical arrangements in place to prevent the unlawful release of data?

3. Please confirm that you accept that your failure to have such arrangements in place is also a breach of the Data Protection Act

4. Would it be the case that if a Data Subject sought from you the date that a Private Parking Company requested his/her data you would be unable to confirm whether it was within or outside of the POFA because of the use of EDI

Yours sincerely,

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Thank you for your e-mail of 14 January 2013.

As previously advised, on paper applications we check to see if the requests are made within 14 days for an event captured by ANPR/Camera and after 28 days for an event that produces an ‘on screen ticket’.

For electronic enquiries, the data is processed without these checks but are examined when we carry out an audit visit.

The release of data is based on an alleged breach of the terms and conditions of parking and subject to the terms and conditions of electronic access, including adherence to the BPA Code. If these conditions are broken we will investigate and take the necessary action.

Regards,

Data Sharing Team
DVLA


Dear FOI FOI,

Thank you for your reply of the 28th January 2012 from which I note that you have declined to answer the questions posed. I think that readers will be able to form their own view of what should have been a correct answer.

Yours sincerely,

Phil

Dear FOI,

On the 27th February the Information Commissioner wrote as follows:-

Thank you for your recent correspondence. I apologise for the delay in my response however I wanted to discuss the matter further with colleagues before replying.

As previously indicated I do acknowledge the points you have made and your desire for action. We are aware that there is scope for some Parking Enforcement Companies (PECs) to request keeper details outside of the provisions of Schedule 4 of the Protection of Freedoms Act 2012 and we are working with both the DVLA and the British Parking Association (BPA) to raise awareness of this potential problem with the PEC’s and prevent this scenario from becoming a reality.

Firstly, the BPA, in its role as the manager of the Approved Operator Scheme, can apply sanctions against members acting in contravention of its code of practice. Secondly the DVLA can, and has, taken separate action to suspend access to its driver database for PECs that abuse their access.

We have advised the BPA to be robust in monitoring members' compliance with its code of practice, as it applies to information rights, and applying its sanctions appropriately. We are also working with the DVLA to ensure that they regularly review the BPA’s performance in this regard as well as continuing with its own programme of auditing any organisations with access to its database.

I trust that this goes some way towards addressing your concerns that your comments have been taken on board and due consideration given to this matter.

We will continue to monitor the situation, and if we do not see satisfactory progress, we will consider what further steps to take in respect of the relevant parties including DVLA.

Yours sincerely,

Karen Harris Case Officer (First Contact Group)

So, the Information Commissioner has recognised the wrongdoing when a PPC requests registered keeper data outside of the statutory time limits prescribed by the Protection of Freedoms Act. The Commissioner has stated that both your office and the BPA are working to "prevent this scenario from becoming a reality."

It is important to recognise here that the Information Commissioner has asked that both the BPA and the DVLA review its past arrangements and to put something new in place. The action required by the Information Commissioner is to "prevent" data being released if it has been requested outside of the statutory time limits. This is not about releasing data and then undertaking a subsequent audit to see if the data has been released unlawfully but it is to "prevent" its release. Subsequent audits can then confirm that prevention has been achieved.

Under the Freedom of Information Act can you please advise
1. What new procedures does the DVLA now have in place to prevent the release of registered keeper data to a Private Parking Company when it has been requested outside of the time limits prescribed by the Protection of Freedoms Act 2013?

In the event that you have not yet put such procedures in place can you provide a timetable for when preventative measures will be in place

Yours sincerely,

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Dear Sir,
Thank you for your email of 27 February asking whether DVLA has put in place any new procedures with regard to the release of information electronically since the introduction of the Protection of Freedoms Act.
Your question does not fall within the scope of the Freedom of Information Act, so we are answering it as business as usual.

We do not agree with your interpretation of the response given by the Information Commissioner’s Office (ICO). The ICO said –

“We have advised the BPA to be robust in monitoring members' compliance with its code of practice, as it applies to information rights, and applying its sanctions appropriately. We are also working with the DVLA to ensure that they regularly review the BPA’s performance in this regard as well as continuing with its own programme of auditing any organisations with access to its database.”

We were not asked to add to existing procedures to prevent disclosure outside of the law. As explained to you previously, paper requests for information are checked to see if the correct time periods have elapsed prior to release. We are not in a position to carry out the same checks on electronic requests, but we have put in place a number of safeguards, such as the ATA membership requirement, which ensures an enforceable code of practice is adhered to by companies, and contractual agreements.

The ICO also said –

“...we are working with both the DVLA and the British Parking Association (BPA) to raise awareness of this potential problem with the PEC’s and prevent this scenario from becoming a reality.”
This does not amount to the Information Commissioner asking both the BPA and the DVLA to review its past arrangements and to put something new in place, but instead states that the ICO, DVLA and BPA are working together to make the parking companies aware of the relevant timescales. The Agency examines its arrangements for disclosure of data on an ongoing basis, and is in contact with the ICO, BPA and others to inform this.

Regards,

Data Sharing and Protection Group
DVLA


Dear FOI,

Many thanks for your reply.

If I may I will highlight one point from your response and which reads “but we have put in place a number of safeguards, such as the ATA membership requirement, which ensures an enforceable code of practice is adhered to by companies, and contractual agreements.”

The DVLA hangs its hat, to a very great extent, on adherence to the Code of Practice and its enforcement by the BPA as evidence of a DVLA measure to ensure compliance with the law.

Sadly, the Code is vague as regards the statutory time limits within which an application for registered keeper detail may be made. The Code recites Schedule 4 and in particular paragraph 11 but does not spell out just what the “relevant periods” are. The flow chart for use when ANPR is used by a PPC indicates that the application for registered keeper data must be made as soon as possible. No time limit is provided. The second flow chart indicates that registered keeper details may be sought on day 29, but there is no indication what relevance this date has. There needs to be greater clarity for the avoidance of any doubt.

1. It would be helpful if para 12.2 had included the words "You will also confirm the date of the alleged parking contravention for which you require details of the registered keeper." Can you request the BPA to make that amendment as part of your "working together to make the parking companies aware of the relevant timescales"?

2. It is not beyond the wit of an IT programmer to make your ELISE system capable of having a window made available for the parking date to be specified (linked to whether a notice to driver has been issued or not) and the application to be rejected if that is outside of the time limits. Is there any logical reason why this cannot be undertaken?

3. In your response you state that “ the ICO, DVLA and BPA are working together to make the parking companies aware of the relevant timescales.” Can you please supply a copy of a letter or email that has been forwarded to the BPA which draws to its attention these timescales?

4. You have stated that “If it transpires that enquiries have been submitted outside of the requirements of POFA 2012, the DVLA will investigate this matter and take any action deemed necessary.” I am grateful for this assurance. Can you please advise of the nature of the “action”?

5. Where no Notice to Driver has been issued, e.g. because of use of ANPR, if a request for registered keeper data is received by your office at the end of the relevant period (14 days), it is clear that a PPC cannot use that data as it cannot satisfy the next “condition” within that “relevant period”, i.e. service of a Notice to Keeper. So, there is no legal reason for the data processor to process an individual’s data. Can you confirm that you will put in place appropriate safeguards to “prevent this scenario from becoming a reality.”?

Yours sincerely,

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Dear Sir,

Thank you for your email of 17 March in which you ask further questions, may I answer them in turn -

1. It would be helpful if para 12.2 [of the BPA CoP] had included the words "You will also confirm the date of the alleged parking contravention for which you require details of the registered keeper." Can you request the BPA to make that amendment as part of your "working together to make the parking companies aware of the relevant timescales"?

All parking management companies have to give the date of the alleged parking contravention when requesting vehicle keeper data (either manually or electronically) from the DVLA. We do not feel there is a need to ask the BPA to add your suggested wording.

2. It is not beyond the wit of an IT programmer to make your ELISE system capable of having a window made available for the parking date to be specified (linked to whether a notice to driver has been issued or not) and the application to be rejected if that is outside of the time limits. Is there any logical reason why this cannot be undertaken?

The KADOE (Keeper at Date of Event) system is designed to deal with all kinds of vehicle record enquiries, not simply for parking purposes only. To introduce a system change to deal with enquiries made under PoFA, such as you’ve suggested, would not provide sufficient benefits to justify the costs involved.

3. In your response you state that “ the ICO, DVLA and BPA are working together to make the parking companies aware of the relevant timescales.” Can you please supply a copy of a letter or email that has been forwarded to the BPA which draws to its attention these timescales?

There is no specific letter or email of this kind. The ICO, DVLA and BPA are working on a number of matters on an ongoing basis with regard to the PoFA provisions. PoFA has been discussed in detail in various meetings with the BPA, and they are well aware of the implications the PoFA has on its members. If companies act in a manner which is non-compliant with the Code of Practice, DVLA will take the appropriate action.

4. You have stated that “If it transpires that enquiries have been submitted outside of the requirements of POFA 2012, the DVLA will investigate this matter and take any action deemed necessary.” I am grateful for this assurance. Can you please advise of the nature of the “action”?

It would depend on the nature of the issues raised. Any such issues are dealt with on a case by case basis. We cannot say what action would be deemed appropriate if we are unaware of the details of the case. However, if the Agency deems it appropriate, it will suspend companies who have acted inappropriately.

5. Where no Notice to Driver has been issued, e.g. because of use of ANPR, if a request for registered keeper data is received by your office at the end of the relevant period (14 days), it is clear that a PPC cannot use that data as it cannot satisfy the next “condition” within that “relevant period”, i.e. service of a Notice to Keeper. So, there is no legal reason for the data processor to process an individual’s data. Can you confirm that you will put in place appropriate safeguards to “prevent this scenario from becoming a reality.”?

Private car park management companies do not have to abide by the requirements of the PoFA to request vehicle keeper information from the DVLA. For example, the PoFA is not applicable in Scotland or Northern Ireland. However, if car parking companies in England or Wales do not abide by the requirements of the PoFA, they will not be able to pursue the registered keeper for liability. As stated above, the cost of differentiating requests made under the PoFA provisions would be prohibitive. The car park companies themselves are responsible for compliance with the law. The BPA and DVLA work together to ensure they are aware of the rules surrounding the PoFA, and any breaches of the BPA Code of Practice or misuse of our data will result in the necessary action.

Regards,

Data Sharing and Protection Group
DVLA


Dear FOI FOI,

Thank you for your reply.

You comment "The KADOE (Keeper at Date of Event) system is designed to deal with all kinds of vehicle record enquiries, not simply for parking purposes only. To introduce a system change to deal with enquiries made under PoFA, such as you’ve suggested, would not provide sufficient benefits to justify the costs involved."

The issue here is the duty that the DVLA has to Data Subjects to process data lawfully. The Secretary of State has made it clear that making data available before a driver has had his 28 days in which to pay a parking charge is a breach of the DPA. See my original enquiry. So, under POFA, where a Notice to Driver has been issued a PPC cannot apply for data until 28 days has elapsed. To make data available on an application in less than 28 days is a breach of the DPA. Under POFA an application for data after 14 days from the infringement (where no notice to driver has been served) is not permitted. The release of data to a PPC in such circumstances would also be unlawful.

The Sec of State required PPCs operating in England and Wales to have a new Code of Practice which reflected the fact that they operate under POFA. The Sec of State has to recognise that he required PPCs in England and Wales to operate under that Act and accordingly has to adjust its processes to accommodate that law change.

Question.
1. Do you not consider that being able to ensure that you process data lawfully is a "sufficient benefit"

2. Where in the DPA does it indicate that the obligation to process data lawfully is the subject of a financial limitation?

3. Is it not the case that your response at 2 merely confirms that PPCs in England and Wales should now move to manual applications with the charge increasing to meet any additional costs to the DVLA? In this way you can ensure that no applications for data are made out of time and you can then comply with the guidance issued by the Secretary of State in 2010?

In respect of your reply number 3, it is noted that both the ICO and your Office state that you are addressing the "timescale" issues in POFA. It is also noted that neither of you have been able to provide evidence that the matters of concern I have identified have actually been discussed.

Question 4 Are you able to supply copies of any minutes which indicate that this issue has been discussed?

5. Is the reality that the issue of timescales in POFA, and the implications of processing data for applications outside of those timescales, was simply not entertained until I flagged up this issue? I would be at ease if your response is "Yes" (these things happen) followed by confirmation that you will be giving this issue proper consideration without delay.

Your response at 5 appears to overlook that in England and Wales PPCs have made it clear that the purpose for which they require data is for POFA reasons - please refer to the changes to the COP. You state that to change your current practices "....the cost of differentiating requests made under the PoFA provisions would be prohibitive".

Question 6 Has the DVLA actually investigated the cost of resourcing to deal with manual responses to applications from PPCs in England and Wales and worked out a cost to a PPC per application?

7. Would that cost actually make the cost to the DVLA cost neutral?

8. Does the DVLA process applications for data manually? If so, how many per annum?

Yours sincerely,

Phil

Dear FOI FOI,

PS (Just received further IT advice)

Question 3A I am advised that for PPCs in England and Wales once they have input the date of the alleged infringement, that window can not only be linked to a date (to reject the application, if out of the POFA timescales as I suggest) but can also be linked to their unique access code. In that way the only applications that are contrary to POFA and which are rejected will be those from PPCs operating in England and Wales. Is that actually cost prohibitive or is it simply a case that it has not been considered?

Yours sincerely,

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Dear Mr Phil

Thank you for your e-mail requesting information. The DVLA are dealing with Q4 under the terms of The Freedom of Information Act 2000.

Your request has been given reference number: FOIR3371. You should receive a reply no later than 3 May 2013.

The other issues raised in your e-mail will be responded to as routine business under separate cover.

Thanks & Regards,

Freedom of Information Team
Data Sharing & Protection Group | D16 | DVLA | Swansea | SA6 7JL
Twitter: @dvlagovuk

Find out about DVLA's online services at:
www.gov.uk/browse/driving


FOI FOI, Driver and Vehicle Licensing Agency

1 Attachment

Phil

Please find attached a response to the Freedom of Information request contained in your e-mail of 5 April.

Regards
Freedom of Information Team
Data Sharing & Protection Group | D16 | DVLA | Swansea | SA6 7JL
Twitter: @dvlagovuk

Find out about DVLA's online services at:
www.gov.uk/browse/driving


Dear FOI FOI,

In your reply above you indicate that “The remaining questions will be answered in due course and as a matter of routine business”

The enquiries were raised on the 5th April 2013. It is now the 11th May 2013.

I understand that the Secretary of State has a target for the Driver and Vehicle Licensing Agency to send a reply within 10 full working days, or to send an interim response if it is going to take longer.

I appreciate that your reply of the 3rd May (above) was an interim response, but I would have expected that a reply could have been made available by now. I look forward to hearing from you as soon as possible.

Yours sincerely,

Phil

FOI FOI, Driver and Vehicle Licensing Agency

Dear Sir

Thank you for your e-mail of 5 April requesting further information in regard to the Protection of Freedoms Act (PoFA). As you are aware, we responded to question 4 and 8 of that email in our note of 3 May, under the provisions of the Freedom of Information Act. However, I have been asked to respond to the remainder of the note as business as usual. My apologies that I have not been able to write sooner.

Your questions 1, 2 and 3 alluded to the Agency allegedly processing data unlawfully in order to limit costs, and suggested that the Agency should now move to manual applications only. Firstly, we would refute this accusation most strongly. I must make it clear that it is simply not possible to examine each request for data via manual process. DVLA, like all government departments, is bound to provide information in a fair and reasonable manner to those with a legitimate claim to it. This is backed by the Information Fair Trader Scheme and the Re-use of Public Sector Information Regulations.

Key to this fair treatment is the efficient provision of data. Where a company makes a large number of standard requests, it is reasonable to have processes in place to deal with these efficiently. So the Agency must ensure that its processes are efficient, cost effective and compliant with data protection and other legislation. To that end, DVLA has a keeper at date of event (KADOE) product that allows access for many reasons. With parking companies we have many other safeguards in place outside of the processing, such as the Accredited Trade Association (ATA) model, the Code of Practice and the contractual terms and conditions. In our view, it would not provide tangible benefits to develop separate programmes for each customer type when set against the potential cost of doing so. Where applicants for data act inappropriately in the use of that information, the Agency will take the appropriate action.

I must also clarify the position with the extent to which PoFA applies in England and Wales, insofar as it relates to parking. The conditions in Schedule 4 are only applicable in law in relation to the pursuit of payment from the keeper of the vehicle. If keeper liability is not being pursued, the information may be released outside of the time periods specified in that Schedule. For these purposes, the timescales set out in the appropriate Code of Practice must be complied with.

The Agency believes that the use of ATA’s and contractual conditions is reasonable and effective, and for the reasons set out above, has no plans to investigate the costs of dealing with a greater proportion of requests via manual process.

I hope that this has explained the Agency’s position.

Regards,

Data Protection Policy Group
DVLA


Dear FOI FOI,

You have expressed a view of the DVLA thus "If keeper liability is not being pursued, the information may be released outside of the time periods specified in that Schedule." It flows rather logically that if keeper liability is being pursued the information may not be released out of time. However, in practice that is precisely what the DVLA has been doing.

In England and Wales data is required to pursue enforcement under POFA. The COP makes that clear and so, quite rightly, does the DVLA. I would refer you to your earlier FOI response (January 2013 https://www.whatdotheyknow.com/request/u...) where you confirmed that "Electronic enquiries may only be submitted in line with the contract between the DVLA and the customer and these enquiries must be submitted in accordance with POFA 2012."

So for applications for data in connection with enforcement in England and Wales the DVLA has stated that such applications must be submitted in accordance with POFA 2012. With that public insistence it is illogical for the DVLA to then say that it can release data out of time. This malpractice is further compounded by the DVLA knowing that such data is then used to pursue keeper liability in contravention of the POFA requirements. That is also an unfair processing of data by a PPC contrary to the First Data Protection Principle.

The public statements of the DVLA are one thing but their assistance with breaches of the DPA are clearly another.

This anomaly cannot continue. When is the DVLA going to either
1. refuse to make data available out of time or
2. Take action against any PPC which processes that data unfairly by claiming keeper liability when it has failed to meet the conditions in POFA?

Yours sincerely,

Phil