The Driver and Vehicle Licensing Agency (DVLA) breached data protection laws in the way it passed on motorists’ personal details to private parking firms, the UK’s data watchdog has ruled. It could now potentially face compensation claims from motorists as a result, according to one expert.
The Information Commissioner’s Office (ICO) has decided the DVLA “was not using the correct lawful basis to disclose vehicle keeper information”, Guardian Money can reveal.
However, the Swansea-based government agency – which holds more than 49m driver records – has escaped enforcement action after the watchdog concluded the breach was “a technical infringement of the law”. It said the DVLA was still allowed to disclose people’s information to firms pursuing drivers for unpaid parking fines but that it needed to rely on another part of the legislation for doing this.
The ICO’s opinion – published on its website but not publicised – potentially brings some clarity to a long-running row concerning the way the DVLA shares driver information with third parties.
Parking firms pursuing motorists will often approach the DVLA to get hold of their addresses. Under the law, the organisation is permitted to disclose this information where there is “reasonable cause” to do so – for example, where it is requested for the purposes of recovering unpaid parking charges.
However, the ICO has over the years received a number of complaints from motorists angry about having their details passed on.
They include Paul Walton, who submitted his complaint after receiving a parking ticket from a firm that had requested his details from the DVLA.
“I complained to the DVLA because I thought it was the landowner that could sue under trespass laws, and therefore only they could request my data,” he said.
Walton claimed the organisation had failed to properly deal with his grievance, so in 2018 he asked the data watchdog to intervene.
The Guardian only learned that the ICO’s opinion dated 13 June had been quietly added to its website after Walton contacted us to say he had had a letter from the ICO.
In its opinion, the watchdog said it had concluded the DVLA was not using the correct lawful basis to disclose people’s data but added: “This does not mean that no lawful basis existed.” There are six of these available for processing personal data, and one of the others provided the DVLA with the power to share people’s details, it added.
The ICO said its decision did not mean people’s parking fines were invalid, and it suggested the government should review the law in this area to put the issue beyond doubt.
However, in a separate document aimed at companies and organisations that deal with data, the ICO stated: “If you find at a later date that your chosen [lawful] basis was actually inappropriate, it will be difficult to simply swap to a different one.” It added: “Retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.”
That suggests that changing your lawful basis could be seen to cause harm.
Walton said: “It would appear the DVLA have not complied with data protection laws and may have opened themselves up to possible compensation claims.”
The parking expert and author Scott Dixon said: “By using the wrong lawful basis, it cannot be disputed that the DVLA has breached the UK GDPR Data Protection Act 2018.
“Motorists have suffered a serious detriment by the DVLA’s unlawful actions … This is not a technical infringement. This ruling contradicts what the ICO says within their own guidelines for organisations to adhere to.
“I believe motorists are entitled to compensation from the DVLA, as they have suffered detriment as a result of the DVLA using the wrong lawful basis and wrongly using their powers within the scope of the UK GDPR Data Protection Act 2018.”
The ICO cannot award compensation. However, the law gives people the right to claim compensation from an organisation if they have suffered “damage” – which could include “distress” – as a result of it breaching data legislation.
An ICO spokesperson said it had concluded that the risk of harm to motorists from the DVLA disclosing data under the “legal obligation” rather than “public task” lawful basis was very low. Asked why the ICO had apparently not publicised the decision, they said: “We published the opinion on our website and wrote to the individuals who brought complaints to us advising them of the outcome.”
A DVLA spokesperson told us: “There is no doubt, as confirmed by the ICO … that the release of data to private parking firms is lawful. The ICO’s opinion reflects a legal technicality around processing conditions, and also acknowledges it will make no difference to the outcome of data sharing. This has no bearing on the release of data, nor does it affect customers in any way.”