This blog post was published under the 2015-2024 Conservative Administration

Data protection: looking after your pupils’ information

The General Data Protection Regulation replaced the Data Protection Act on 25 May 2018. The contents of this blog post reflect the old rules.

Think Privacy

Today (28 January 2017) is Data Protection Day - a day to raise awareness about the rights to personal data protection and privacy.

Protecting personal data isn’t the most exciting part of teaching people to drive or ride, but it’s essential for your pupils, your business and your reputation.

By law, you have to protect any information about your pupils that you keep and use. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose
  • keep it secure
  • ensure it is relevant and up to date
  • only keep as much as you need, and only for as long as you need it
  • allow the person to see information you have about them

Things like pupils’ names, addresses, driving licence numbers and telephone numbers are all classed as personal information. If you keep and use information like this, you’re a ‘data controller’.

Register under the Data Protection Act

The Data Protection Act requires data controllers to register with the Information Commissioner’s Office, unless they’re exempt.

Use the ICO’s self-assessment tool to work out if you need to register.

If you’re not exempt, you can be fined up to £5,000 if you don’t register and renew each year.

The 8 data protection principles

8 data protection principles, 1. Fair and lawful, 2. Purposes, 3. Adequacy, 4. Accuracy, 5. Retention, 6. Rights, 7. Security, 8. International

The Data Protection Act sets out 8 principles for protecting data.

In summary, they are that you must:

  • process data fairly and lawfully
  • only obtain data for reasons you specify and lawful purposes - it must not be used for any other purpose
  • obtain adequate data that’s relevant and not excessive for the purpose it’s being used for
  • have accurate data and, where necessary, keep it up to date
  • not keep data for longer than is necessary for the purpose you obtained it
  • process data in accordance with the rights of the people it’s about - including allowing them to see what information you keep about them
  • take appropriate measures to stop unauthorised or unlawful processing of data, and accidental loss, destruction or damage to personal data
  • not transfer data to a country or territory outside the European Economic Area, unless it ensures an adequate level of protection for the rights and freedoms of the people the data is about

You can work through the data protection self-assessment toolkit to assess your compliance with the Data Protection Act.

There’s much more detailed information in the guide to data protection on the ICO website. It's worth looking through to understand more about your obligations.

Specify why you use personal data

When you collect data, what’s it for? Is it so you can provide driving lessons? Or do you also book tests for your pupils? You’ll need to specify what you collect and why.

There are 2 ways you can specify the reasons:

  • in a 'privacy notice' you give to your pupils when you collect their data
  • in your registration with the ICO

In reality, of course, most people don't check ICO records very often. So the best way to tell your pupils might be to give them a privacy notice.

There's guidance about how to write a privacy notice on the ICO website.

Misusing data: some examples

So that’s a very quick run through the rules.

But what sort of things would see you falling foul of the law?

Booking a test using the details of a pupil who has stopped learning to drive so you have a slot reserved for another pupil could land you with a large fine

Let’s say that you’ve collected a pupil’s name, address, driving licence number and mobile phone number. You did this because you’re providing them with lessons, and you're going to book their test for them. That's all fine.

The pupil takes their test, fails, and decides to stop lessons.

You’d be misusing their data if you did things like:

  • book another test using their details, so that you had a slot reserved for another pupil who might need a test
  • try to book a test for them a few months later to see if they’d passed their test
  • give their details to another ADI or trainer who you think might be better suited to them

The pupil didn't give you their data for any of those reasons - so you can't use it in those ways.

You can get a large fine or be made to pay compensation if you misuse personal data.

A conviction for misusing personal data will also mean that you're less likely to be classed as a ‘fit and proper’ person.

Learn more about protecting data

If you've learnt something new from this post, then you might find ‘Responsible for information’ useful.

It's a free e-learning course that:

  • helps business owners to understand information security and associated risks
  • provides good practice examples and an introduction to protection against fraud and cyber-crime

And don't forget, working through it counts as continuing professional development (CPD).

DVSA isn't able to provide data protection advice to individual instructors and trainers, but if you do have any queries, you can contact the Information Commissioner's Office.

You can also follow the Information Commissioner's Office on Twitter and Facebook for data protection news.

Sharing and comments


  1. Comment by Stephen Draper posted on

    The 'Responsible for Information' course sounds good. Unfortunately it is out of date and is not going to be available until it has been updated.

    • Replies to Stephen Draper

      Comment by John (DVSA) posted on

      Hi Stephen

      A copy of the course is now available again on the website.


  2. Comment by A Fergus posted on

    Do you realise that the biggest abuser of personal data is the GOVERNMENT! If for example you overstay on a private car park even for 5 min and are recorded on camera the controllers of the said land can ask the DVLA for your personal information so that they may bill you (pseudo fine!) and for a FEE the DVLA will give them all that they request! So you cannot divulge information but the government can sell it, do they teach that

    • Replies to A Fergus

      Comment by John (DVSA) posted on

      Hi A

      Vehicle keeper details may be disclosed to law enforcement authorities or private litigants as a first point of contact to establish where liability for an incident or event may lie. Refusal by DVLA to disclose these details would mean that motorists could drive or park a vehicle without fear of being held responsible for their actions.

      Disclosure in these circumstances does not breach the Data Protection Act and the Information Commissioner’s Office is fully aware that data held on the DVLA’s records is released in this way.

      As a general rule, reasonable cause for the release of data from the DVLA vehicle register relates to motoring incidents with driver or keeper liability. These can include matters of road safety, events occurring as a consequence of vehicle use, the enforcement of road traffic legislation and the collection of taxes. In all matters regarding data release, DVLA acts responsibly and in accordance with legislation.

      Where reasonable cause has been demonstrated, information is disclosed on the condition that it will only be used for the requested purpose and that the recipient will protect its confidentiality. It is an offence under Section 55 of the Data Protection Act to obtain information under false pretence or to use it for a purpose other than that originally stated.

      The Regulations also allow for a fee to be charged to cover the cost of processing requests under the reasonable cause provisions, so the cost is borne by the requestor and not passed on to the taxpayer.

      • Replies to John (DVSA)

        Comment by James Ferguson posted on

        Misuse of DVLA information due to inadequate vetting where they have provided information to these 'dodgy' parking providers has been well documented. - Is it not also the case that the DVLA keep record is at best only 85% accurate and so you're also not meeting the requirements for accurate data, not to mention people who mysteriously lose licence categories when renewing licences, that the DVLA claim is nothing to do with them...

  3. Comment by Lee Doyle posted on

    Dear Graham and DVSA - You really should stop 'FUD-ing' (Fear, Uncertainty, and Doubt) people. I have just been to the ICO website as an instructor and used the self-assessment tool. I, as an individual sole trader, do not need to register with the ICO. Therefore I am not a data-controller.

    Maybe larger driving schools that use personal information for mail shots and other such advertising do, but the average driving instructor who just uses personal information for invoices/payments and a record of their customers is not under an obligation to register - especially if this data is all paper based.

    • Replies to Lee Doyle

      Comment by John (DVSA) posted on

      Hi Lee

      Whether or not someone needs to register depends on a lot of different factors, which is why we've directed you to the tool on the ICO website.

      For example, if you process information electronically for accountancy and auditing purposes, then you might need to register.

      There's certainly no intention to create fear, uncertainty or doubt - which is why we've provided links to all the information you'll need, and information about how to contact the ICO should you need more information.


  4. Comment by Les Brigham posted on

    When I keep getting speeding tickets & parking fines (yer just kidding) could I introduce a fee when asked is this your car, are you the driver, can you identify the driver of the car when it was committing the offence?
    As I would be processing the other person's request, could I charge them say £100 & negate the parking fee/fine?
    Thank you.