Personal information charter

This information charter explains the standards you can expect from us when we collect, hold or otherwise process information about you, and how we comply with data protection law.

Introduction

DVLA is an executive agency of the Department for Transport (DfT). Our goal is to get the right drivers and vehicles taxed and on the road, as simply, safely and efficiently as possible.

To meet our core responsibilities we maintain over 48 million driver records and over 40 million vehicle records, and collect around £6 billion a year in vehicle excise duty (VED).

This information charter explains the standards you can expect from us when we collect, hold or otherwise process information about you, and how we comply with data protection law. It tells you how you can get access to your information, and what you can do if you think we or third parties processing data on our behalf are not meeting these standards. It also explains how we safeguard your information and the circumstances in which we may release it.

We will review this charter annually and update it to take account of any changes in law or policy.

Responsibilities for information

  • The Chief Executive Officer, as DVLA’s Accounting Officer, owns this charter on behalf of the Executive Team and is responsible for implementing it.
  • DVLA’s Senior Information Risk Owner is responsible for promoting a culture of good information management, setting our information risk appetite and advising the Accounting Officer on information risks.
  • The Chief Information Security Officer (CISO) makes sure that information security policies and procedures are reviewed and implemented across DVLA, ensuring continuous improvement. These policies aim to make sure that we maintain data confidentiality, integrity, availability and resilience requirements, from data collection through to secure deletion. The CISO is also responsible for developing and providing information security training throughout DVLA.
  • DfT’s Data Protection Officer (DPO) advises on the requirements of data protection law, monitors compliance with these requirements, helps to develop data protection impact assessments and is the contact point for the Information Commissioner’s Office. The DPO is supported by a Data Protection Manager within DVLA.
  • The head of Data Protection Policy, Freedom of Information and Police Support is responsible for ensuring that DVLA’s release of information is fair, lawful and appropriate.
  • The head of Data Sharing Strategy & Compliance is responsible for DVLA’s handling of data sharing requests from third party organisations.
  • A network of information asset owners are responsible for making sure that their information assets are managed and protected appropriately, and that the information they contain is processed lawfully. They report to the Senior Information Risk Owner annually on the security and use of their asset.
  • Group heads are responsible for making sure their staff comply with all policies and procedures about protecting personal data.
  • Contract owners are responsible for making sure contractors meet their obligations to protect any personal data they process on our behalf.

Personal data

Data protection law defines personal data as any information about a ‘natural’ (ie living) person who can be identified, directly or indirectly, by referring to information such as:

  • a name
  • an identification number
  • location
  • an online identifier
  • factors about the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Types of personal information

We hold personal and non-personal data in a variety of databases and information stores. Many of these are critical to DVLA’s operations and law enforcement. We also have systems which support corporate functions such as human resources, facilities management and finance.

Categories of personal data we process include:

  • personal details
  • financial details
  • goods or services provided
  • contact details
  • social media identities
  • market research and responses to surveys (including opinions and comments)
  • visual images
  • details of complaints, incidents and grievances

In certain circumstances, we also process more sensitive information such as:

  • health data
  • criminal convictions and offences
  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • trade union membership
  • biometric data

Accuracy

When we collect personal data from individuals we will only collect the minimum information needed, and not excessive or irrelevant information. To help us to keep your information accurate and up to date, by law you must:

  • provide us with accurate information
  • tell us promptly about any changes such as a change of name or address
  • tell us if you develop a medical condition or disability that may affect your fitness to drive, or your condition or disability has got worse since you got your licence

You can apply to update your driving licence online. Or, you can return your driving licence to DVLA, Swansea, SA99 1BN with a letter explaining why it needs to be updated.

To update your vehicle log book (V5C), make the relevant changes on the V5C, sign and date the declaration in section 8 and return the whole document to DVLA, Swansea, SA99 1BA. We will send you a new V5C free of charge, usually within 4 weeks.

How we keep your data secure

We know how important it is to protect your privacy and comply with data protection law.

We will use appropriate measures to protect the personal data we process against unauthorized or unlawful processing and against loss, destruction or damage.

We will carry out regular reviews and audits to make sure that our processing activities meet the government’s security standards and industry good practice.

All our staff are trained annually on the importance of protecting personal data. Some staff receive additional training depending on the nature of their role.

Where we introduce new technologies, policies or processes, we will make sure that we consider your privacy from the outset. We will carry out data protection impact assessments where appropriate. This will allow us to identify any risks at an early stage, and find solutions to reduce or avoid these risks.

We will always carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of individuals.

Your rights

The General Data Protection Regulation (GDPR) sets out a number of rights which individuals have over their personal data. These rights are explained fully on the Information Commissioner’s Office website.

Here are the rights that are most likely to apply to how DVLA, as a public authority, processes your personal data.

Your right to be informed

The right to be informed is a key part of the transparency requirements of data protection law.

When we collect your personal information we will provide a privacy notice containing:

  • our contact details and our DPO’s
  • the reasons why we need your information and the legal basis that supports our processing of it (including additional information about legitimate interests where applicable)
  • a list of the types of recipients your data may be shared with
  • information on whether we are intending to transfer the data to an international organisation or country outside the EU and what safeguards will be in place to protect the data
  • an explanation about how long we will store your data or the criteria we will use to decide how long to store it
  • information about your rights
  • information on whether providing us with the information is a statutory or contractual requirement and the consequences of not providing it
  • information on whether we will be using any automated decision-making (including profiling), the logic used for processing it and what impact it might have on individuals

If a third party sent us your personal data we will aim to provide you with the information above, plus the source, within one month.

Your right of access

You can find out if we hold any personal information about you and request access to it by making a ‘subject access request’. If we hold information about you, we can give you a copy.

If you would like to make a subject access request, please write to us at the following address:

DVLA SAR Enquiries
DVRE
DVLA
Swansea
SA6 7JL

SubjectAccess.Requests@dvla.gsi.gov.uk

You will need to provide us with information to help prove your identity and find the information you are asking for so we can process your request.

If you would like information about your current vehicle or a vehicle that used to be registered in your name, you will need to provide:

  • your full name
  • your current address and the address on your log book (V5C)
  • the registration numbers of the vehicles you are asking about

If you would like information from your driver record, you can get this by using our online service.

Or you can write to us providing your full name, current postal address, and your driving licence number (or date of birth if you don’t know your driver number).

We will respond to a request within one month of receiving it, unless it is a complex request. In these cases, we will write to explain why there is a delay and when you can expect to get a response.

If the information we hold about you is incorrect, please let us know so that we can correct it.

Other rights

Other rights you may have are:

  • a right to object to us processing your personal data
  • a right to have your personal data corrected if it is inaccurate
  • a right to have your data erased
  • a right to restrict processing
  • a right to data portability
  • rights in relation to automated decision-making

If you think these rights apply to the processing carried out by DVLA and want to know more, see the Information Commissioner’s Office website. If you make a request to us to exercise these rights, we will consider it appropriately and respond within the timescales required by data protection law.

Release of information

DVLA manages a vast amount of data to help keep motorists moving safely and legally. DVLA provides information to the police, local authorities and third parties where we are allowed to by law. When releasing personal data, DVLA acts responsibly and in accordance with data protection law at all times.

Regulation 27 of the Road Vehicles (Registration and Licensing) Regulations 2002 covers the release of information from DVLA’s vehicle register to private and public sector organisations providing they can demonstrate reasonable cause to receive it. Reasonable cause is not defined in law but the government’s policy is that it should relate to the vehicle or its use, following incidents where there may be liability on the driver’s part.

Find out more about who DVLA discloses data to and why.

Further information

You can find detailed information about how and why we process your information in our privacy notice.

If you have any further queries about the processing of your personal information or if you wish to contact our Data Protection Manager, please write to:

DVRE
DVLA
Swansea
SA6 7JL

For independent advice about data protection, privacy and data sharing issues, contact the Information Commissioner at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF