The General Data Protection Regulation replaced the Data Protection Act on 25 May 2018. The contents of this blog post reflect the old rules.
Today (28 January 2017) is Data Protection Day - a day to raise awareness about the rights to personal data protection and privacy.
Protecting personal data isn’t the most exciting part of teaching people to drive or ride, but it’s essential for your pupils, your business and your reputation.
By law, you have to protect any information about your pupils that you keep and use. Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose
- keep it secure
- ensure it is relevant and up to date
- only keep as much as you need, and only for as long as you need it
- allow the person to see information you have about them
Things like pupils’ names, addresses, driving licence numbers and telephone numbers are all classed as personal information. If you keep and use information like this, you’re a ‘data controller’.
Register under the Data Protection Act
The Data Protection Act requires data controllers to register with the Information Commissioner’s Office, unless they’re exempt.
Use the ICO’s self-assessment tool to work out if you need to register.
If you’re not exempt, you can be fined up to £5,000 if you don’t register and renew each year.
The 8 data protection principles
The Data Protection Act sets out 8 principles for protecting data.
In summary, they are that you must:
- process data fairly and lawfully
- only obtain data for reasons you specify and lawful purposes - it must not be used for any other purpose
- obtain adequate data that’s relevant and not excessive for the purpose it’s being used for
- have accurate data and, where necessary, keep it up to date
- not keep data for longer than is necessary for the purpose you obtained it
- process data in accordance with the rights of the people it’s about - including allowing them to see what information you keep about them
- take appropriate measures to stop unauthorised or unlawful processing of data, and accidental loss, destruction or damage to personal data
- not transfer data to a country or territory outside the European Economic Area, unless it ensures an adequate level of protection for the rights and freedoms of the people the data is about
You can work through the data protection self-assessment toolkit to assess your compliance with the Data Protection Act.
There’s much more detailed information in the guide to data protection on the ICO website. It's worth looking through to understand more about your obligations.
Specify why you use personal data
When you collect data, what’s it for? Is it so you can provide driving lessons? Or do you also book tests for your pupils? You’ll need to specify what you collect and why.
There are 2 ways you can specify the reasons:
- in a 'privacy notice' you give to your pupils when you collect their data
- in your registration with the ICO
In reality, of course, most people don't check ICO records very often. So the best way to tell your pupils might be to give them a privacy notice.
There's guidance about how to write a privacy notice on the ICO website.
Misusing data: some examples
So that’s a very quick run through the rules.
But what sort of things would see you falling foul of the law?
Let’s say that you’ve collected a pupil’s name, address, driving licence number and mobile phone number. You did this because you’re providing them with lessons, and you're going to book their test for them. That's all fine.
The pupil takes their test, fails, and decides to stop lessons.
You’d be misusing their data if you did things like:
- book another test using their details, so that you had a slot reserved for another pupil who might need a test
- try to book a test for them a few months later to see if they’d passed their test
- give their details to another ADI or trainer who you think might be better suited to them
The pupil didn't give you their data for any of those reasons - so you can't use it in those ways.
You can get a large fine or be made to pay compensation if you misuse personal data.
A conviction for misusing personal data will also mean that you're less likely to be classed as a ‘fit and proper’ person.
Learn more about protecting data
If you've learnt something new from this post, then you might find ‘Responsible for information’ useful.
It's a free e-learning course that:
- helps business owners to understand information security and associated risks
- provides good practice examples and an introduction to protection against fraud and cyber-crime
And don't forget, working through it counts as continuing professional development (CPD).
DVSA isn't able to provide data protection advice to individual instructors and trainers, but if you do have any queries, you can contact the Information Commissioner's Office.