Is this a breach of section 55 DPA

[dennisjackie]

Some weeks ago I parked in a service area and complied withall the signage and rules they had, which they have admitted in a letter vaguely. The problem arose because thereequipment was faulty and did not record my car details correctly at the parkingterminal. However they had ANPR on sitewhich showed the car entering and leaving.

So my question is ita breach of the Data Protection act section 55 to apply for my details fromDVLA as no infringement of their rules was committed?

Also is it a breach of the BPA rules they use to access suchinformation?

And if I ask them to remove all data relating me and my carfrom there records do they have to do it?

[Old Snowy]

Although the DPA has relevance in this situation it is only in an overarching sense as the disclosure of registered keeper details to a person with "reasonable cause" is authorised by reg.27 Road Vehicle (Registration and Licensing) Regulations 2002 which steps aside from s.55 (and a number of the other provisions of the DPA). In any event s.55 was not really designed to deal with "mistaken" disclosures but with those that are unlawful or reckless. The PPC will undoubtedly argue that, prima facie, there was no record of the payment/registration in respect of your vehicle and until such time as they contacted you and were able to elicit your account they still had the "reasonable cause" required by reg.27 RV(R&L)Regs.

 

Much as it pains me, in some respects, to say it, I do not believe any offences are disclosed on the basis of the details you have given nor even of the BPA AOS Code of Practice.

[Fair-Parking]

How exactly does 27 (e) RVRL 2002 - a little known technical English law designed to tidy up a 40 year old vehicle registration - overrule a mighty European directive and later European law on human rights through DPA protection?

 

This the only excuse the DVLA has for collecting lots of £2.50's from anybody and everybody whilst pretending to pay lip service to the DPA. What on earth does the DVLA think the DPA is for if not to protect people's private data and identity?

 

Quoting RVRL 27 as a legitimate 'reason' is a bit like having a pair of 2's in a poker game when your opponent has 4 aces.

[dennisjackie]

First of all a little more background asthis may help.

We stayed overnight on the site in thehotel so where there about 14 hours. The hotel where aware that the hotelterminal was not working, as I assume where the car park operator. So the hotelsaid they would note the car number and sort it out if there was a problem whenthe terminal was fixed. We were not the only ones staying they said it to. So ifthis is the case they have no reasonable cause to apply for the information andkeep such information on their records.

Furthermore if they knew at the time ofapplying for the information (which would be difficult to prove either way) Itwould surely be reckless as well. I know the DVLA would not have been aware ofthe situation so it is unlikely they could be held at fault.

Also they have totally ignored my requestto have the data removed from their records. There letter just states “on thisoccasion as our terminal in the hotel was faulty we will not be taking thismatter further please accept our apologies” it is only one line long.

[Old Snowy]

How exactly does 27 (e) RVRL 2002 - a little known technical English law designed to tidy up a 40 year old vehicle registration - overrule a mighty European directive and later European law on human rights through DPA protection?

 

This the only excuse the DVLA has for collecting lots of £2.50's from anybody and everybody whilst pretending to pay lip service to the DPA. What on earth does the DVLA think the DPA is for if not to protect people's private data and identity?

 

Quoting RVRL 27 as a legitimate 'reason' is a bit like having a pair of 2's in a poker game when your opponent has 4 aces.

I agree entirely but sadly the DPA allows for this by including the phrase:

 

is required or authorised by or under any enactment, by any rule of law or by the order of a court

which effectively trumps the other provisions. However, I am far from convinced that the provision built into the DPA (s.35) permitting disclosure in situations that amount to "reasonable cause" (although a slightly more detailed definition is set out) gives any better protection. Out of interest, although the first DPA (1984) was firmly grounded in Article 8 (right to a private life) it considerably predated the EU Directive which was not issued until 1998.

 

First of all a little more background asthis may help.

 

We stayed overnight on the site in thehotel so where there about 14 hours. The hotel where aware that the hotelterminal was not working, as I assume where the car park operator. So the hotelsaid they would note the car number and sort it out if there was a problem whenthe terminal was fixed. We were not the only ones staying they said it to. So ifthis is the case they have no reasonable cause to apply for the information andkeep such information on their records.

 

Furthermore if they knew at the time ofapplying for the information (which would be difficult to prove either way) Itwould surely be reckless as well. I know the DVLA would not have been aware ofthe situation so it is unlikely they could be held at fault.

 

Also they have totally ignored my requestto have the data removed from their records. There letter just states “on thisoccasion as our terminal in the hotel was faulty we will not be taking thismatter further please accept our apologies” it is only one line long.

On the basis of the additional detail you could make a complaint to the DVLA but I suspect that when it becomes clear that the PPC has taken no further action the DVLA will slink away.

 

If you want the PPC to cease processing your details why not give them formal notice under the provisions of s.10 DPA requiring them to provide a certificate that they have expunged your data within 21 days (on the basis that any further communication is likely to amount to harassment). I'd happily provide a draft letter providing a notice under that section if you'd like.

[Fair-Parking]

For the DVLA to break the DPA it would have to think of excuses, however there is little point in this country signing up to the DPA and then inventing other laws to get round it. Personally I don't think that is the case and that it is the DVLA which is hanging on to a very thin straw that has yet to challeneged in court.

 

S35 is about legal proceedings. Handing out people's private data to those who chase imagined parking charges is not only nothing to do with legal proceedings but a primary 2009 directive from the ICO has specifically said that the handing out of such data for civil debt is not covered by exemptions to the DPA

 

The RVLA 2002 has nothing to do with human rights and DVLA reliance on it to circumvent such important issues is likely to fall at the first hurdle if and when somebody does take it to court.

[Old Snowy]

With respect s.35 is not simply about legal proceedings but also about establishing legal rights and there is no necessity that proceedings are enacted for an application for data disclosure to be lawful. Whether the ICO has issued guidance with regard to applications by PPC's being outside of the ambit of s.35 or not is somewhat irrelevant as the section itself permits disclosures authorised by other legislation - which is what reg.27 represents. I'm unaware of any such guidance issued by the ICO but would welcome sight of it.

 

I agree with you that the DVLA dances on the head of pin but they continue to be supported by the ICO who have invited anyone who believes that their interpretation of reg.27 and its application by the DVLA is wrong-headed to bring the matter to court. This would require a judicial review and without substantial funds there is little hope of that succeeding any time soon. What particularly galls is that the ICO perpetuate the myth that the DVLA scrutinise applications on a case by case basis when that bears no resemblance to the system as it applies to those PPC's that have access to the EDI.

 

When it comes to the human rights implications of reg.27 the test that would undoubtedly be applied is that did the act of the state in disclosing the data it held infringe their rights under Article 8. It would be argued that the State had to balance the rights of one individual under Article 8 to the rights of another to rightfully pursue a wrong or at least establish his rights to do so. Rights under Article 8 would not need to be established but once the other individual had shown that they had suffered a wrong (balance of probabilities) then the disclosure of data would be argued to be proportionate.

 

I rehearse the argument (and I've summarised it substantially) because I believe that the test applied by the state - one individual's rights against those of another - is based on a fallacy - and we all know what that is. The individual purportedly wishing to assert their rights is actually asserting their rights to make a profit because that is actually what PPC's are doing. I do not believe that that right should supersede an individual's rights to a private life and if we wanted to see the same argument in action one only has to look at the recent change to the way in which cookies may be used.

[Fair-Parking]

With regard to the point Old Snowy was making in paragraph 3. The whole purposes of the DVLA supplying this personal information is for enable another to pursue that person without either his knowledge or permission and with a view to doing him some harm.

 

Those who drafted trhe DPA surely meant to achieve the opposite.

[dennisjackie]

Well I am now totally at a lost as to what to do. May be theDPA is not very helpful other than to try and get them to remove my detailsfrom their records. Which they could say they had done and issue a certificatestating they had done so, but I would struggle to establish if they had or notremoved it. So is there any point?

I still feel that as it looks like they knew there terminalwas not working. So they had no reasonable cause or legitimate reason accessthe information and at best have misled the DVLA into allowing them to accessit.

[Old Snowy]

Just a quick reply - any certificate issued would normally (in these situations) be provided by the company's solicitors. Most solicitors would not wish to be caught out and the thinking is that they would ensure that the data would actually be removed.

 

With regard to the point Old Snowy was making in paragraph 3. The whole purposes of the DVLA supplying this personal information is for enable another to pursue that person without either his knowledge or permission and with a view to doing him some harm.

 

Those who drafted trhe DPA surely meant to achieve the opposite.

Whilst I don't disagree with the sentiment the interpretation is slightly offbase. The purpose of reg.27 is to provide for the disclosure of RK data to those with "reasonable cause" and this could well include, at various times, the police, customs, councils etc etc. It also enables a person to pursue the owner of a vehicle involved in damaging another car, for example. The fact that a PPC makes use of the provision to collect monies that it may not be entitled to - to do harm, if you like, is not a reflection of the purpose of the regulation but a reflection of the use to which the regulation is put - a slightly different but important distinction.

 

There has to be some mechanism for such data (and that is not restricted to RK data) to allow people who have been wronged to seek proper redress. The absence of reg.27 and indeed that of s.35 DPA would leave a legal void that would prove both time-consuming and expensive as each person requiring data held by another made application to a court, using what is now know as the Norwich Pharmacal procedure. This would clog the courts.

 

The authors of the DPA properly sought to protect the rights of the individual but that cuts both ways because in defending the rights of one (who claims to have been wronged in some way, for example) the rights of another must be infringed upon. There has to be a measure of give and take and this is what the "reasonable cause" test (in reg.27) was intended to cover. I believe therefore that the issue is not with reg.27 per se but with the interpretation of the phrase "reasonable cause". As I have alluded to before, the ICO, in their publications, continue to perpetuate the myth that the DVLA examines each case for disclosure on its merits, the implication being that the "reasonable cause" test is applied every time. This is most certainly not the case with those PPC's with direct access to the EDI where the companies are examined as to their procedures and a judgement made as the likelihood of any enquiries they make fulfilling "reasonable cause". There is no test applied in each case.

Edited October 16, 2012 by Old Snowy

[Fair-Parking]

I'm sorry but I cannot direct the OP on his plight. The problem is the Data Protection Act 1998 is there and almost universally ignored by all those who feel that it should have no effect on them. The courts certainly do not understand the Act and I have no confidence in the ICO to take effective action.

 

With regard to Old Snowy. We both share the same reservations. With regard to information being made to available to police, customs and councils S29 (Crime & Taxation) already covers those exemptions but not when councils look for information to chase allegations of civil debts (ie parking).

 

I deviate from OS when it comes to finding a shortcut for those who cars have been damaged etc to establish identity. The DPA was not written to suit to traffic accidents and it isn't there to equalise human rights. It is there to protect personal records and identity and if it falls short in the matters of road accidents then that is a fact of life. The law stands as it is and should not be manipulated by anybody looking for exceptions and then inventing them by saying 'the DPA doesn't go far enough'.

 

If that is the case then the law needs to changed or new ones introduced and by the European Commission rather than by a back room committee in this country writing about motor cars and seemingly in ignorance of the implications of their failure to obey a far reaching European law not based on vehicles.

 

Those who drafted S27 have made no attempt top explain why they feel it can be push aside the DPA or made any mention of the fact that the DPA exists at all. ALL new statute which replaces or modifies previous statutes are required to explain and make clear just which parts of the previous law are being modified or deleted. S27 fails completely in this respect and that makes it indefensibly unique.

[Old Snowy]

I find myself agreeing again with the overall thrust of F-P's argument even if I disagree with some of the comments. s.35 was specifically designed to accommodate the rights of individuals, amongst other things. It allows an individual to assert their rights and it is a matter of accepted law that in providing for an individual to assert their rights of necessity the rights of another are curtailed in some respect. This is balanced on the basis that the right is open to all to avail themselves of if and when the need arises.

 

As far as reg.27 is concerned it is most certainly being exploited but the only thing that needs to change is the strict application of the law with regard to the phrase "reasonable cause". The apparent laxity of the DVLA (and the ICO for they have approved the system being used) is a function of the pragmatic view they have been obliged to apply because of the sheer numbers of paper applications (V888's) they were receiving. Rather than examining the PPC case in more detail the numbers were simply accommodated by a less rigorous system of scrutiny. To repeal reg.27 would be no great loss but it is legitimately used by a minority and this would mitigate against a repeal. To repeal the section would be costly and would effectively throw the baby out with the bathwater.

 

I will not hold forth on the potential for European legal draughtsmen being brought in save to say, if that was to be the case, God help us. Generally, European law is far too prescriptive; over-worked and full of minutiae that tie up organisations in utterly pointless ways. The essential difference - a large one - between the almost universal Napoleonic, inquisitorial systems on the continent and the adversarial system here make for unfortunate clashes.

 

I also disagree that reg.27 pushes aside the DPA in any respect. s.35 DPA provides a specific exemption for disclosures required by statute and reg.27 is simply one of them. It is not the only disclosure (of personal data) required in such a way - and I do not refer to taxation or criminal investigation issues. The way it is currently being used may be indefensible but it is not unique.