DVLA driver license data: data risks summary
Published 7 July 2026
Purpose
Section 181 of the Crime and Policing Act 2026 creates the term “authorised person” for those able to access driver licensing records held by the Driver and Vehicle Licensing Agency (DVLA). The change supports access by policing and law enforcement users where driving licence information is required for a legitimate policing or law enforcement purpose.
The information available is information held by the Secretary of State for the purposes set out in Part 3 of the Road Traffic Act 1988. This may include a driver’s name and address, date and country of birth, photograph, signature, driving entitlement, endorsements, convictions and relevant medical information that may affect the person’s ability to drive.
Previously automatically obtained data could only be used for road traffic matters, use is now permitted for law enforcement and policing purposes as determined and controlled by new regulations.
A Data Protection Impact Assessment has been completed for the Law Enforcement Data Service (LEDS) [footnote 1]. This is the system that police and law enforcement authorized users will access DVLA driver data from. This document describes the main data protection risks associated with changing the policy to permit broader access to driver data. Updated DPIAs will be completed following the conclusion of this consultation.
Authorised users
Authorised persons include police officers and staff, designated police volunteers, National Crime Agency officers, police complaints and oversight bodies, service police and related service complaints bodies, Island police forces, other Crown Dependency law enforcement officials, and the Royal Gibraltar Police and Gibraltar Defence Police. A full list of authorized users is at the end of this document.
Purpose of processing
The purpose of the processing is to allow authorised policing and law enforcement users to access DVLA driver licensing information where it is required for a legitimate policing or law enforcement purpose. This includes preventing, investigating, detecting or prosecuting criminal offences, executing criminal penalties, safeguarding against and preventing threats to public security, protecting life and property, preserving order, bringing offenders to justice, and carrying out statutory or common law police duties.
Driver licensing information may support time-critical operational decision-making, including investigations, locating suspects, identifying vulnerable missing persons, safeguarding interventions and reducing reliance on slower manual requests to DVLA.
The data will be processed for both law enforcement purposes under Part 3 of the Data Protection Act 2016. For Part 3 DPA processing, the legal basis is that processing is necessary for the performance of a task carried out by a competent authority for law enforcement purposes, supported by section 71 of the Criminal Justice and Court Services Act 2000 as amended by Clause 181 of the Crime and Policing Act 2026, the associated regulations, and the statutory code of practice.
The strictly necessary condition for sensitive processing is met because, as the processing for the purposes described are the minimum for undertaking the policing and law enforcement purposes. The Schedule 8 condition is met because this is necessary for the exercise of a function conferred on a person by the rule of law and the appropriate policy document exists through each police force or law enforcement organisation having an appropriate Privacy Information Note.
The processing must not be used for general administrative purposes or for any purpose outside the statutory gateway, regulations, code of practice, data sharing arrangements and local authorisation controls.
Governance and compliance safeguards
Regulations
Driver information regulations will set out the circumstances in which driver licensing information may be made available, including conditions that must be met and information that may not be made available. Driver information regulations are subject to the affirmative procedure and will be voted on in Parliament. The Secretary of State also intends to issue a code of practice on receipt and use of the information.
Code of practice
The Secretary of State intends to make use of a power to issue a code of practice in relation to the receipt and use of information provided under new section 71. The code will ensure there is a mechanism to provide effective governance of the use by police and other law enforcement agencies of the data accessed.
Annual report
The Secretary of State is required to publish an annual report to parliament about the use of information made available under section 71.
Training and authorisation
Authorised persons must complete approved training before access is granted. Training should cover the data available, permitted purposes, legal and ethical standards, data protection and security obligations, disclosure controls and recording requirements.
Authorised persons must complete approved training before access is granted. Training will cover the data available as driver licensing information, the meaning of that data, permitted purposes, legal and ethical standards, data protection and security obligations, data subject rights, how to access information, when manual or automated routes should be used, disclosure controls and what must be recorded for each access request.
Managers and authorising officers will be required to understand the statutory framework, code of practice, organisational obligations, monitoring requirements, disciplinary consequences and the data protection risks and mitigations relevant to driver licensing information.
Accountability
Compliance will be demonstrated through updated Data Protection Impact Assessments, regulations, code of practice, data sharing agreements, controller and processor arrangements, records of processing activities, training, vetting, access control records, audit logs, monitoring, incident management and reporting where required.
Authorising organisations must be able to evidence that authorised persons have completed approved training, hold the required vetting clearance, understand permitted purposes and disclosure controls, and are subject to monitoring and disciplinary consequences for misuse.
Fairness and rights
DVLA remains responsible for rights requests relating to source driver licensing records. Policing and law enforcement controllers are responsible for rights requests relating to their own processing, audit records, local records and onward disclosures, subject to lawful restrictions. Fairness is supported through statutory safeguards, clear permitted purposes, authorisation, training, audit logging, data sharing controls, transparency through published policy material where appropriate, and routes for data subjects to exercise their rights.
Data subject rights will be handled in accordance with the applicable data protection regime. DVLA remains responsible for rights requests relating to the source driver licensing records it maintains, while policing and law enforcement controllers are responsible for rights requests relating to their own processing, audit records, local records and onward disclosures, subject to any lawful restrictions under Part 3 DPA or UK GDPR/Part 2 where applicable.
The assessment of risks considered the nature, scope, context and purposes of the processing, the legislative change introduced by Clause 181, the expansion from road traffic purposes to wider policing and law enforcement purposes, and the safeguards required to maintain compliance with the Data Protection Act 2018, the UK GDPR, where applicable, and relevant policing information management standards.
Data risks
The assessment considered the nature, scope, context and purposes of the processing, the legislative change introduced by section 181, the expansion from road traffic purposes to wider policing and law enforcement purposes, and the safeguards required to maintain compliance with the Data Protection Act 2018, UK GDPR where applicable, and relevant policing information management standards.
Ethical and equality considerations are significant because the expanded use of driver licensing information may occur across a wider range of policing and law enforcement contexts and may have differential impacts on children, vulnerable people and individuals with protected characteristics. An Equality Impact Assessment is maintained to assess potential impacts, support compliance with relevant equality duties, and identify any necessary mitigations. Processing must be fair, non-discriminatory, necessary and proportionate. Authorised users must ensure that access to, use of, and any onward disclosure of driver licensing information is justified by a lawful policing or law enforcement purpose and does not result in arbitrary, excessive or unjustified interference with privacy
Privacy risks
| Issue | Concern | Mitigation |
|---|---|---|
| Lack of audit | There will be no or limited audit of officers’ use of DVLA data. | The Law Enforcement Data Service, through which a significant proportion of access is expected to take place, will provide audit and monitoring controls, including access logging and dip sampling, to support oversight of user activity and the identification, investigation and escalation of inappropriate or unjustified access. |
| Is use proportionate? | Officers will use DVLA data in situations where use is not proportionate, for example using DVLA data without having tried alternative, less intrusive data sets. | The regulations and the code of practice will provide clear, consistent controls around how DVLA data should be accessed and used. These will remind users that access should be necessary and proportionate and will be backed up by robust audit. |
| Unlawful access by those with legitimate access | Officers access DVLA data for personal purposes rather than for policing or law enforcement purposes. | The regulations and the code of practice will set clear and consistent rules for how DVLA data can be accessed and used. It will make clear that access must be necessary, proportionate and for a legitimate policing or law enforcement purpose. Compliance will be supported by audit and monitoring arrangements to help identify and address inappropriate use. |
| Police overreach | DVLA data should only be used for road traffic matters – it is not a data set for general policing use. | The previous Section 71 already allowed use for non-road traffic matters. The regulations and the code of practice will provide clear, consistent controls around how DVLA data should be accessed and used. |
| Retention of data | Data will be stored on policing systems allowing the creation of a long-term record of a person’s movements and activities. | Data will not be retained on LEDS. |
| Sharing of data | Organisations without access to DVLA data will ask those with access to obtain the data on their behalf. | The regulations and the code of practice will provide clear, consistent controls around how DVLA data can be onwardly shared. This will be backed up by robust audit controls, including dip sampling. |
| Data not being accessed | Authorised persons do not access data in circumstances when doing so would be operationally valuable. | The regulations and the code of practice will provide clear, consistent controls around how DVLA data should be accessed and used. |
| Facial recognition | DVLA data will be used for facial recognition (retrospective, live and officer initiated). | This legislation does not create a process by which the DVLA image gallery can be searched to identify unknown individuals. Discussion on which non-police image galleries can be searched will take place in the context of the facial recognition measures in the forthcoming Police Reform Bill. |
List of authorised persons
- A constable [footnote 2]
- A member of civilian police staff [footnote 3]
- A police volunteer designated under section 38 of the Police Reform Act 2002
- An NCA officer
- A member, or member of staff of the Independent Office for Police Conduct
- A member of staff of the Police Investigations and Review Commissioner
- A member of staff of the Police Ombudsman for Northern Ireland
- A member of a service police force or person under the direction and control of a Provost Marshal
- A person appointed as an investigating officer by, or a member of staff of the Service Police Complaints Commissioner
- A member of an Island police force [footnote 4]
- Other law enforcement officials in the Crown Dependencies
- A member of the Royal Gibraltar Police
- A member of the Gibraltar Defence Police
Footnotes
-
Law Enforcement Data Service data protection impact assessment 2026 ↩
-
Constable covers officers and staff from all UK territorial police forces and specialist police forces ↩
-
Police staff covers staff working for all UK territorial police forces and specialist police forces. ↩
-
Island police force covers the police forces of Guernsey, Jersey and the Isle of Man. ↩