Driver and Vehicle Licensing Agency (DVLA) and the Driving Standards Agency (DSA)

Written evidence from Mr Neville John Metson (DDA 09)

Private Parking Companies electronic access to Registered Keeper data from the DVLA

1) Regulation 27 of the Road Vehicles (Registration And Licensing) Regulations 2002 states:

"The Secretary of State may make any particulars contained in the register (of keepers) available for use (my emphasis)

a) by a local authority for any purpose connected with investigation of an offence or of a decriminalised parking contravention;

b) by a chief officer of police; or

c) by a member of the Police Service in Northern Ireland

d) by an officer of Customs and Excise in Northern Ireland

e) by any person who can show to the satisfaction of the Secretary of State that he has reasonable cause for wanting particulars to be made available to him (my emphasis).

2) Firstly, I think it is important to note the fact that the legislators specifically incorporated the word "may" (highlighted above) and not the word "must".

3) My evidence is that the DVLA have corrupted the ‘reasonable cause’ safeguard contained within the act to the detriment of registered keepers who are data subjects as defined by the Data Protection Act 1998 and consumers.

4) I further contend that the DVLA has unlawfully abdicated its duties and responsibilities as data controllers under the Data Protection Act 1998 to the British Parking Association to the detriment of registered keepers whose data they hold

5) It is my understanding that there are two methods by which private parking companies can access registered keeper data from the DVLA:-

a) By manually submitting a Form V888/3 "Request for information for those who issue a parking charge notice"

b) By applying for and being given automatic electronic access directly into the DVLA registered keeper records

6) The difference between these two methods is quite remarkable and needs to be examined in detail.

7) The form V888/3 contains detailed instructions for providing the necessary evidence in support of the request for registered keeper data and what the data is going to be used for. There are also warnings regarding misuse of the information and a declaration that must be signed by the applicant

8) The DVLA website contains the following information under the heading Release of another vehicle’s keeper details . "You can obtain the name and address of the registered keeper of another vehicle if you can demonstrate ‘ reasonable cause ’ for needing the information. Before information is released the DVLA must consider the reasons for your request and how the information will be used . Failure to provide the necessary evidence or incomplete application forms will result in your application being rejected ". (my emphasis, bold and underline )

9) It is therefore abundantly clear that there are indeed the necessary safeguards in place (on paper at least) to ensure that private parking companies satisfy the reasonable cause safeguard on each and every application before being supplied with registered keeper data.

10) For each application the DVLA receives a fee of £2.50 to cover the costs involved and it is generally accepted that this is a reasonable charge for the processing of these paper applications on a case by case basis.

11) Unfortunately as we are all aware, private parking is a growth industry and with the advent and investment in CCTV and Automatic Number Plate Recognition (ANPR) systems by the private parking companies, the manual paper system of the V888/3 was no longer able to cope with the sheer volume of data requests that the private parking companies wanted to submit to the DVLA

12) The solution came in the form of the ‘Approved Conditional Access’, (ACA) to an electronic link directly into the Registered Keeper Database at the DVLA. This system is set up and operated as follows. All companies seeking ACA status must first serve a six-month probationary period using manual enquiry forms. Any complaints are logged and closely monitored. On completion of a satisfactory probationary period an electronic link may be established. All companies or organisations that do not have a statutory regulator are required to be a current member of a DVLA Accredited Trade Association (ATA).

13) The (sole) ATA for Private Parking Companies is the British Parking Association (BPA) and therefore they hold a monopoly.

14) Unfortunately for the private parking companies, the BPA and the DVLA there was one major problem that prevented the use of the ACA to an electronic link. That problem was the requirement to demonstrate "reasonable cause" in order to access the registered keeper data.

15) The solution to this problem was apparently solved by the determination that membership of the BPA Approved Operator Scheme and compliance with the Code of Practice equals, ‘reasonable cause’ as decided by DVLA.

16) I believe that this determination has stretched this essential consumer safeguard of "reasonable cause" way beyond breaking point. To put it quite simply it’s unlawful.

17) How can an arbitrary decision that simple membership of an ATA with an undertaking to comply with a Code of Practice grant lawful approval to thousands of future registered keeper data requests from the private parking industry?

18) For example, in the year to January 2010, the DVLA processed a total of 997,549 registered keeper data releases to private parking companies alone. Even if the DVLA were operational all 365 days of the year, this would be in excess of 2,700 registered keeper data releases per day; every day.

19) The term ‘reasonable cause’ was incorporated into the legislation to act as a safeguard, a gatekeeper which those requesting registered keeper data were required to satisfy before being allowed access. The onus was on the applicant to demonstrate ‘reasonable cause’.

20) The DVLA however having created a presumption of "reasonable cause" have reversed this onus for those who have ACA electronic access. So long as a private parking company becomes a member of the BPA AOS and agrees to comply with the CoP then they benefit from the presumption of ‘reasonable cause’.

21) Unfortunately this also means that the onus is now on the registered keeper or consumer to try and show that ‘reasonable cause’ was not met if the CoP was not complied with.

22) I used the word ‘try’ because my own experiences (and those of many others who have contacted me) are that any complaints made to the DVLA about the behaviour of private parking companies (including alleged breaches of the COP) the complainant is simply referred to the British Parking Association as well as being told that the DVLA is unable to become involved in disputes of this type.

23) This is where the DVLA have unlawfully abdicated their duties under the Data Protection Act 1998 to the British Parking Association, it is the DVLA who hold the registered keeper data, it is they who process it, and it is they who release the data.

24) Any such complaints made to the British Parking Association are in reality at the mercy of this non- regulatory body with a profit based agenda and which actually receives financing from the very companies who they are then expected to investigate complaints against. This is a blatant case of conflict of interest which DVLA are happy to endorse.

25) There is therefore no independent complaints procedure and the public perception is understandably one of suspicion that this is neither an impartial nor fair system.

26) A more cynical person might even view this whole system as a convenient method of signposting such complaints away from the public and into the private sector before quietly strangling them.

27) What cannot be ignored however is that if an allegation of a breach of the CoP is made where the data was supplied via electronic access then it must follow that it is also an allegation of unlawful data release by the DVLA.

28) The DVLA may say that they didn’t know that was going to happen but this is because they don’t scrutinise each request. Of course, even then disclosed data can be misused but then it is up to DVLA to resolve the issue not the data subject. Again, though, how is the data subject to know if his data have been misused?

29) The DVLA have created this system and they can’t have it both ways. If a breach of the CoP can be shown then the "reasonable cause" it supported must fall with it and consequently the registered keeper data release must have been unlawful.

30) This system, allowing unfettered access by unregulated private parking companies to personal and private registered keeper data is clearly wide open to abuse.

31) There are perhaps hundreds of other accredited companies/organisations employing perhaps tens of thousands of people all of whom have unfettered access. How is the data subject to know if one of these people has misused his data because DVLA don’t tell him that the data have been disclosed or to whom.

32) It is clear that private parking companies have a purely profit based agenda, and as such their business model requires motorists to fall foul of the private parking terms and conditions that they put in place..

33) Their incentivisation is not in "raising standards in the parking industry", as the British Parking Association would like you to believe, but increasing their members revenue streams by punishing as many motorists as possible who enter their private parking domains.

34) The system is therefore not only open to abuse, but because the British Parking Association and the DVLA receive a financial "kick back" from those private parking companies they cannot be seen to be in any way as independent and the current system has no transparency or credible independent complaints procedure.

35) It is worth mentioning at this point that whilst the DVLA have installed the ACA electronic access, they have retained the £2.50 fee for selling the registered keeper data. The DVLA will maintain that this is to cover the costs involved and that they do not make a profit.

36) Does it seen conceivable that this electronic access method directly into the DVLA registered keeper data incurs the same costs to the DVLA as having to manually process the paper applications?

37) I now intend to provide evidence of where this system has suffered abuse to the detriment of registered keepers and consumers.

38) Observices Parking Consultancy Limited (OPC) is a private parking company and m ember of the Brit ish Parking Association AOS. T hey also have the ACA electronic access directly into the registered keeper data within the DVLA .

39) On 2 nd March 2011, OPC and a director of the firm, Mr Douglas Harris, pleaded guilty at Wolverhampton Magistrates Court to a total of 36 charges brought by Trading Standards relating to criminal behaviour in the manner in which they conducted their private parking business.

40) OPC and Mr Harris would eventually be fined a total of £29,850.00 and ordered to pay costs of £7,585.00 .

41) However, t he DVLA were inexplicably un aware of this criminal prosecution and so they failed to shut down OPCs electronic access until two days later, the 4 th March 2011.

42) Unfortunately, between the date of conviction and before the DVLA shut down OPC’s electronic access, OPC were able to obtain the details of 10 registered keepers from the DVLA records using the ACA electronic access on the 3 rd March 2011.

43) Th ose data releases were unlawful. OPC should not have accessed them and the DVLA should not have released them.

44) This is clear evidence that the electronic access system is fatally flawe d and there are two main reasons for this.

45) Firstly , because the DVLA having removed the "reasonable cause" safeguard, have ensured that electronic requests for registered keeper data are no longer subject to individual scrutiny .

46) S econdly, the DVLA were negligent in that they failed to put systems in place which would flag with them any such investigations or prospective or pending judicial proceedings.

47) The DVLA could have and should have insisted on the British Parking Association or its members having an obligation to inform the DVLA about any ongoing criminal investigations or pending prosecutions concerning private parking companies.

48) It would appear however that certainly in this case, the DVLA were the last to be told what was going on. It would appear that registered keeper data isn’t the only information that only travels in one direction.

49) Th at aside, th is is an inexcusable systems failure not least because the DVLA insists on full compliance with the BPA Code of Practice as a pre-requisite for AOS members (such as OPC) to be able to demonstrate "reasonable cause" .

50) The 36 charges to which OPC eventually pleaded guilty were not only criminal offences but also therefore serious breaches of the BPA Code of Practice.

51) This leads to the inevitable conclusion that if OPC were operating their business over a given period of time in a criminal manner, then following the guilty plea it must also follow that over that same period of time they were failing to comply with the BPA Code of Practice.

52) As OPC use d the ACA electronic access over that same given period of time , every single registered keeper data re lease was unlawful because OPC were fail ing to demonstrate the required reasonable cause .

53) As all of the registered keeper data releases requested from and electronically supplied by the DVLA during the time frame of the adm itted criminality must also therefore have been unlawfully made, the next issue that needs to be addressed is what action did the DVLA, (as data controllers ) take to notify those registered keeper data subjects that their data had been unlawfully disclosed.

54) What investigations and steps were carried out to compensate those registered keeper data subjects, many of wh om would have sent money to OPC unaware of what had happened and that their data had actually been unlawfully disclosed.

55) The abuse of the system by OPC did not stop there. Following a joint investigation or audit by the BPA and the DVLA, OPC has the ACA electronic access to DVLA registered k eeper data restored on the 20 th April 2011.

56) What happened next is really quit e shocking. On 21 st April 2011 , OPC used the restored ACA electronic link to successfully obtain 1120 individual registered keeper details from the DVLA records in one go.

57) It has now been discovered that during the period of their ban from accessing the DVLA registered keeper data , OPC simply stockpiled the registration numbers of alleged ‘ offending vehicles and then submitted them en masse as soon as the electronic access was restored.

58) Whilst I do not wish to become embroiled in the legality or moral issues regarding this action, the more serious issue here is that the DVLA have admitted that they did not know, were unaware and had no prior warning that OPC were intending to retrospectively obtain these 1120 registered keeper details.

59) This evidences the fact that with the ACA electronic access the DVLA has surrendered both the decision making process and the control of the release of registered keeper data to the private parking companies themselves.  

60) Effectively therefore, there is no control because there is no reason for the BPA to take effective action and therefore there are no real sanctions . By this derogation, the ‘reasonable cause’ clause is rendered inoperative and irrelevant.

61) Finally, by refusing to investigate complaints regarding data release, the DVLA has been shown to have unlawfully abdicated its duties under the Data Protection Act 1998 to the British Parking Association.

In Summary

Consumer confidence and customer satisfaction should be the primary focus for the DVLA in their decision making. This can only come about if from the outset there is genuine openness and transparency in how business is conducted .

The DVLA has unfortunately allowed itself to be courted by the British Parking Association and an unhealthy relationship between the two has been allowed to flourish.

This relationship has enabled the evolvement of the current system and practices in which the legal safeguards have effectively been nullified to the detriment of the registered keepers and consumers as a whole.

The DVLA requires independent regulatory supervision to whom registered keeper data subjects and consumers alike can voice their concerns. They would be able to do so, confident in the knowledge that those matters would be subject to an impartial, fair and independent review.

September 2011

Prepared 21st October 2011