The General Data Protection Regulation replaced the Data Protection Act on 25 May 2018. The contents of this blog post reflect the old rules.
Today (28 January 2017) is Data Protection Day - a day to raise awareness about the rights to personal data protection and privacy.
Protecting personal data isn’t the most exciting part of teaching people to drive or ride, but it’s essential for your pupils, your business and your reputation.
By law, you have to protect any information about your pupils that you keep and use. Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose
- keep it secure
- ensure it is relevant and up to date
- only keep as much as you need, and only for as long as you need it
- allow the person to see information you have about them
Things like pupils’ names, addresses, driving licence numbers and telephone numbers are all classed as personal information. If you keep and use information like this, you’re a ‘data controller’.
Register under the Data Protection Act
The Data Protection Act requires data controllers to register with the Information Commissioner’s Office, unless they’re exempt.
Use the ICO’s self-assessment tool to work out if you need to register.
If you’re not exempt, you can be fined up to £5,000 if you don’t register and renew each year.
The 8 data protection principles
The Data Protection Act sets out 8 principles for protecting data.
In summary, they are that you must:
- process data fairly and lawfully
- only obtain data for reasons you specify and lawful purposes - it must not be used for any other purpose
- obtain adequate data that’s relevant and not excessive for the purpose it’s being used for
- have accurate data and, where necessary, keep it up to date
- not keep data for longer than is necessary for the purpose you obtained it
- process data in accordance with the rights of the people it’s about - including allowing them to see what information you keep about them
- take appropriate measures to stop unauthorised or unlawful processing of data, and accidental loss, destruction or damage to personal data
- not transfer data to a country or territory outside the European Economic Area, unless it ensures an adequate level of protection for the rights and freedoms of the people the data is about
You can work through the data protection self-assessment toolkit to assess your compliance with the Data Protection Act.
There’s much more detailed information in the guide to data protection on the ICO website. It's worth looking through to understand more about your obligations.
Specify why you use personal data
When you collect data, what’s it for? Is it so you can provide driving lessons? Or do you also book tests for your pupils? You’ll need to specify what you collect and why.
There are 2 ways you can specify the reasons:
- in a 'privacy notice' you give to your pupils when you collect their data
- in your registration with the ICO
In reality, of course, most people don't check ICO records very often. So the best way to tell your pupils might be to give them a privacy notice.
There's guidance about how to write a privacy notice on the ICO website.
Misusing data: some examples
So that’s a very quick run through the rules.
But what sort of things would see you falling foul of the law?
Let’s say that you’ve collected a pupil’s name, address, driving licence number and mobile phone number. You did this because you’re providing them with lessons, and you're going to book their test for them. That's all fine.
The pupil takes their test, fails, and decides to stop lessons.
You’d be misusing their data if you did things like:
- book another test using their details, so that you had a slot reserved for another pupil who might need a test
- try to book a test for them a few months later to see if they’d passed their test
- give their details to another ADI or trainer who you think might be better suited to them
The pupil didn't give you their data for any of those reasons - so you can't use it in those ways.
You can get a large fine or be made to pay compensation if you misuse personal data.
A conviction for misusing personal data will also mean that you're less likely to be classed as a ‘fit and proper’ person.
Learn more about protecting data
If you've learnt something new from this post, then you might find 'Responsible for information' useful.
It's a free e-learning course that:
- helps business owners to understand information security and associated risks
- provides good practice examples and an introduction to protection against fraud and cyber-crime
And don't forget, working through it counts as continuing professional development (CPD).
DVSA isn't able to provide data protection advice to individual instructors and trainers, but if you do have any queries, you can contact the Information Commissioner's Office.
You can also follow the Information Commissioner's Office on Twitter and Facebook for data protection news.
8 comments
Comment by Stephen Draper posted on
The 'Responsible for Information' course sounds good. Unfortunately it is out of date and is not going to be available until it has been updated.
Comment by John (DVSA) posted on
Hi Stephen
A copy of the course is now available again on the website.
Thanks
John
Comment by A Fergus posted on
Do you realise that the biggest abuser of personal data is the GOVERNMENT! If, for example, you overstay on a private car park even for 5 min and are recorded on camera, the controllers of the said land can ask the DVLA for your personal information so that they may bill you (pseudo fine!) and for a FEE the DVLA will give them all that they request! So you cannot divulge information but the government can sell it, do they teach that
Comment by John (DVSA) posted on
Hi A
Vehicle keeper details may be disclosed to law enforcement authorities or private litigants as a first point of contact to establish where liability for an incident or event may lie. Refusal by DVLA to disclose these details would mean that motorists could drive or park a vehicle without fear of being held responsible for their actions.
Disclosure in these circumstances does not breach the Data Protection Act and the Information Commissioner’s Office is fully aware that data held on the DVLA’s records is released in this way.
As a general rule, reasonable cause for the release of data from the DVLA vehicle register relates to motoring incidents with driver or keeper liability. These can include matters of road safety, events occurring as a consequence of vehicle use, the enforcement of road traffic legislation and the collection of taxes. In all matters regarding data release, DVLA acts responsibly and in accordance with legislation.
Where reasonable cause has been demonstrated, information is disclosed on the condition that it will only be used for the requested purpose and that the recipient will protect its confidentiality. It is an offence under Section 55 of the Data Protection Act to obtain information under false pretence or to use it for a purpose other than that originally stated.
The Regulations also allow for a fee to be charged to cover the cost of processing requests under the reasonable cause provisions, so the cost is borne by the requestor and not passed on to the taxpayer.
Comment by James Ferguson posted on
Misuse of DVLA information due to inadequate vetting where they have provided information to these 'dodgy' parking providers has been well documented. - Is it not also the case that the DVLA keep record is at best only 85% accurate and so you're also not meeting the requirements for accurate data, not to mention people who mysteriously lose licence categories when renewing licences, that the DVLA claim is nothing to do with them............
Comment by Lee Doyle posted on
Dear Graham and DVSA - You really should stop 'FUD-ing' (Fear, Uncertainty and Doubt) people. I have just been to the ICO website as an instructor and used the self-assessment tool. I, as an individual sole trader, do not need to register with the ICO. Therefore I am not a data-controller.
Maybe larger driving schools that use personal information for mail shots and other such advertising do, but the average driving instructor who just uses personal information for invoices/payments and a record of their customers is not under an obligation to register - especially if this data is all paper based.
Comment by John (DVSA) posted on
Hi Lee
Whether or not someone needs to register depends on a lot of different factors, which is why we've directed you to the tool on the ICO website.
For example, if you process information electronically for accountancy and auditing purposes, then you might need to register.
There's certainly no intention to create fear, uncertainty or doubt - which is why we've provided links to all the information you'll need, and information about how to contact the ICO should you need more information.
Thanks
John
Comment by Les Brigham posted on
When I keep getting speeding tickets & parking fines (yer just kidding) could I introduce a fee when asked is this your car, are you the driver, can you identify the driver of the car when it was committing the offence?
As I would be processing the other person's request, could I charge them say £100 & negate the parking fee/fine?
Thank you.