You’ve received a letter from a private car parking company with a £100 fine. The company got your details as the keeper from the DVLA. Can the DVLA share your data with the car parking company?
The simple answer is ‘yes’: even though driver information and car registration plates are personal data, there’s a lawful precedent here for the DVLA to enforce any fines received from private companies.
The ICO gets involved
The ICO released an opinion on the 13th of June 2022 on this issue after the DVLA sought advice. The DVLA wanted to know the correct lawful basis under Article 6(1) of the UK GDPR for sharing the personal data of vehicle keepers with car park management companies to recover fines.
At the time, the DVLA was relying on legal obligation as their lawful basis for processing this data. Regulation 27(1)(e) of the Road Vehicle (Registration and Licensing) Regulations 2002 allows the DVLA to release keeper information to anyone who can demonstrate reasonable cause for wanting this information. The DVLA therefore thought that Regulation 27(1)(e) provided them with a legal duty to share those details with car park management companies to recover fines. They believed this satisfied the requirement under Article 6(1)(c) of the UK GDPR that the processing is necessary for compliance with a ‘legal obligation’.
The ICO received a number of complaints from people, about both the application of Regulation 27(1)(e) and the DVLA’s sharing of vehicle keeper data more generally.
What are the ICO’s findings?
The Commissioner concluded that the DVLA’s correct lawful basis is ‘public task’, not ‘legal obligation’. This is because Regulation 27(1)(e) provides the DVLA with a power, rather than a legal duty, to disclose vehicle keeper information to car park management companies in these circumstances.
In order to rely on a legal obligation, the DVLA would need to demonstrate that the processing was necessary for compliance with a ‘legal obligation’. This would require the DVLA to have a legal duty to rely on, which in the ICO’s view, Regulation 27(1)(e) does not provide.
It is important to note that in coming to this conclusion, the Commissioner did not doubt that car park management companies have reasonable cause to request keeper information from the DVLA in these circumstances, and that the DVLA is generally required to provide it. However, Regulation 27(1)(e) creates a power rather than a duty as there is a discretion for the DVLA to refuse a request for keeper information in exceptional cases, for example, if the keeper was on a national security protection list. This applies even if the requestor has demonstrated reasonable cause.
Public task is the correct legal basis in these circumstances because Regulation 27(1)(e) creates a task (a power, rather than a legal duty) to be carried out in the public interest (hence the reasonable cause requirement). Disclosing vehicle keeper data is necessary for this task.
Did the ICO enact a penalty on the DVLA?
To put it simply, no – there were no repercussions for this infringement on the DVLA’s part. The ICO regards this as a technical infringement of the law and will not be taking enforcement action.
Does this decision mean that existing parking fines are invalid?
No. The DVLA was not using the correct lawful basis to disclose vehicle keeper information; however, there is a legal basis and that means the data was shared lawfully and existing fines are still valid.
Unfortunately, parking fines received from private parking companies are still very much valid, and the DVLA can get involved by sending your driver and vehicle information to these companies to enforce action.
The key points to remember are:
- The DVLA can share keeper data with private car parking companies
- Existing fines are valid, even if received before this technical infringement came to light
This case shows the importance of understanding the basis and precedent behind the collection and sharing of personal data. In the DVLA’s case, they were fortunate that they merely had the technical reason for sharing the data wrong, even though it was confirmed to be legally shared.
Need advice on managing personal data?
Working with a data protection expert, like an Outsourced DPO, is the perfect way to avoid any infringements or breaches.