United Kingdom

Parking fines: DVLA violates driver data sharing law DVLA

The Driving and Vehicle Licensing Agency (DVLA) has violated data protection laws by transferring personal data of motorists to private parking companies, the British Data Surveillance Service has ruled. As a result, it could potentially be sued for compensation by drivers, according to one expert.

The Office of the Information Commissioner (ICO) has decided that the DVLA “does not use the correct legal basis to disclose information about the owner of the vehicle”, the Guardian Money may reveal.

However, the Swansea-based government agency – which holds more than 49 million driver files – escaped coercion after the supervisor concluded that the violation was a “technical violation of the law.” It says the DVLA still has the right to disclose information to people of companies prosecuting drivers for unpaid parking fines, but must rely on another piece of legislation to do so.

The ICO’s opinion – published on its website but not published – potentially clarifies some of the long-standing dispute over how the DVLA shares driver information with third parties.

Parking companies chasing drivers often turn to DVLAs to get their addresses. Under the law, the organization is allowed to disclose this information when there is a “reasonable reason” for it – for example, when it is requested for the purpose of reimbursing unpaid parking fees.

However, over the years, the ICO has received a number of complaints from motorists angry about the transmission of their data.

These include Paul Walton, who filed his complaint after receiving a parking ticket from a company that requested his data from DVLA.

“I complained to the DVLA because I thought the landowner could sue for property infringement laws and therefore only they could ask for my data,” he said.

Walton claims that the organization failed to properly deal with his complaint, so in 2018 he asked the data monitoring authority to intervene.

The Guardian has only just learned that the ICO’s June 13 opinion was quietly added to its website after Walton contacted us to say he had a letter from the ICO.

In its opinion, the supervisory authority stated that it had concluded that the DVLA was not using the correct legal basis for disclosing data to people, but added: “This does not mean that there was no legal basis.” There are six of them available for processing personal data, and one of the others gave DVLA the power to share data with people, he added.

The ICO said its decision did not mean that people’s parking fines were invalid, and suggested the government review the law in this area to call the issue into question.

However, in a separate document aimed at data companies and organizations, the ICO states: “If at a later date you find that your chosen [lawful] the base was actually unsuitable, it would be difficult to just replace it with another. It adds: “The retroactive change of the legal basis is likely to be inherently unfair to the person and will lead to a breach of accountability and transparency requirements.

This implies that changing your legal basis can be seen as harm.

Walton said: “It appears that the DVLA has not complied with data protection laws and may have opened up to possible claims for compensation.

Parking expert and author Scott Dixon said: “Using the wrong legal basis, it cannot be disputed that the DVLA violated the UK’s GDPR Data Protection Act 2018.

“Motorists have suffered serious damage from the illegal actions of DVLA … This is not a technical violation. This decision contradicts what the ICO says in their own guidelines for organizations to adhere to.

“I believe that motorists are entitled to compensation from the DVLA, as they have suffered damage as a result of the DVLA using the wrong legal basis and misusing its powers under the UK’s GDPR Data Protection Act 2018.

The ICO cannot award compensation. However, the law gives people the right to seek compensation from an organization if they have suffered “damage” – which may include “trouble” – as a result of a breach of data law.

An ICO spokesman said he had concluded that the risk of injuring motorists by DVLA disclosing data on a legal basis for a “legal obligation” rather than a “public task” was very low. Asked why the ICO apparently did not publish the decision, they said: “We published the opinion on our website and wrote to the people who complained to us, informing them of the result.”

A DVLA spokesman told us: “There is no doubt, as confirmed by the ICO … that the provision of data to private parking companies is legal. The ICO opinion reflects a legal technical aspect regarding the processing conditions and also recognizes that it will not matter for the outcome of the data sharing. This has nothing to do with the release of data, nor does it affect customers in any way. “