Personal information charter

This charter explains how we collect, use and store your personal information, and what we need from you to keep it up to date.

Overview

We carry out driving tests, approve people to be driving instructors and MOT testers, carry out tests to make sure lorries and buses are safe to drive, carry out roadside checks on drivers and vehicles, and monitor vehicle recalls.

Find out more about the services we provide

So that you can use these services, we need to collect, use, store and sometimes share your personal information.

What personal information and data is

Personal data is information about a living person. It lets you identify them either:

  • directly, for example, their name
  • indirectly, for example, their driving licence number

Personal data can include things such as:

  • names
  • identification numbers
  • location data
  • online usernames or ID
  • data about health, genetics, economics, culture or social identity

Your personal data is protected by law. The law protects how it is collected, used and stored.

When we need your information and data

When we need to collect, store or use your personal information, we will:

  • have a good reason to do it and only ask for what we need
  • do so in a fair and transparent way
  • tell you why we need your information and how we’ll use it
  • only use your information how we say we’ll use it, and not in a way you wouldn’t expect without asking/telling you first
  • only keep what we need, and won’t keep it for longer than we need
  • make sure it’s accurate and up to date, and that nobody has access to it who shouldn’t
  • keep it safe and secure

Give us accurate data and tell us when things change

Make sure the information you give us is accurate and let us know if it changes. For example, if you change your:

  • name
  • address
  • telephone number

Your sensitive (special category) information

We follow extra rules when we collect, use and store more sensitive personal data. This is called ‘special category’ data. It includes things like race, ethnic origin, trade union membership, health and sexual orientation.

Criminal law enforcement

When we process personal data to enforce criminal law, we categorise individuals so that their role is clear, for example, witness, victim, suspect or convicted criminal.

We also say whether the information is opinion or fact, and keep detailed logs of how we handle the data.

Reasons we can process your personal data

We can only process personal data for one or more of the following reasons:

  • you’ve freely given your consent, it’s clear what you’re consenting to, and how you can withdraw your consent
  • you’ve entered (or intend to enter) into a contract with us
  • for legal reasons
  • to protect someone’s ‘vital interests’ (a matter of life or death)
  • to perform a public task or perform a specific task that’s in the public interest
  • for our own or a third party’s legitimate interests - but only where the personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons to process it

These reasons are sometimes called ‘conditions’ or ‘legal bases’.

The reason we process your personal data affects the rights you have over it. We process data to meet our legal obligations and to perform public tasks.

Your rights over your personal data

By law, you have the right to:

  • view your data - you can access your personal data free of charge and in digital format
  • be informed - you should know and understand what happens with your data and why
  • be forgotten - without a ‘compelling reason’ to keep your data, we must delete it
  • move your data - you can obtain and reuse your personal data with other services
  • limit how your data is used - you can block and put restrictions on how your data’s used, if it’s inaccurate or unnecessary
  • say no - you can stop direct marketing and data processing when there’s no ‘compelling reason’ to do it
  • make changes to your data - you can update any data about you that’s out of date or false, without delay
  • human-made decision making - you can stop automated decisions being made about you, if it has legal or significant consequences

Contact our Corporate Correspondence team to use any of these rights.

Personal information rights at DVSA

Corporate Reputation
Driver and Vehicle Standards Agency
The Axis Building
112 Upper Parliament Street
Nottingham
NG1 6LP

Monday to Friday, 8am to 4pm

What we do to keep your data safe and secure

When we introduce new technology or new policies and processes, we consider your privacy from the start. We’ll carry out a data protection impact assessment (DPIA) when it will help.

We always carry out a DPIA when we:

  • use new technologies
  • consider there is a high risk to your rights and freedoms

If a risk is found and we cannot find a way to reduce the impact or likelihood of the risk happening, we’ll seek advice from the Information Commissioner.

How we keep your data secure

We protect your personal data from unauthorised access, accidental loss, destruction and damage.

We carry out regular reviews and audits to make sure the way we collect, use and store personal data meets government security standards.

We only transfer your personal data overseas if there are appropriate safeguards in place to protect it.

Training and guidance we give to our staff

We train all our staff about the importance of protecting personal and other sensitive information.

Anyone who routinely accesses personal data as part of their job has to do more in-depth training. Anyone with access to large volumes of personal data has to carry out training tailored to their role.

Our managers with formal responsibility for large datasets take extra training. This makes sure they have a clear understanding of what they need to do to keep the data under their control safe and secure.

All civil servants have to follow the Civil Service code. This has 4 core values of integrity, honesty, objectivity and impartiality. These values apply to how we handle personal data.

Data breach notification

We do everything we can to keep your personal data secure.

We’ll tell the Information Commissioner’s Office straight away (and always within 72 hours) if we become aware of a data breach. We’ll do this if the breach creates a risk to your rights and freedoms, including:

  • financial loss
  • breach of confidentiality
  • discrimination
  • damage to your reputation
  • significant social or economic damage

We’ll tell you straight away if we think there’s a high risk to you. We will:

  • give you our data protection manager’s contact details
  • explain the likely consequences of the breach
  • tell you what measures we’ve taken or plan to take to address the breach, including any steps taken to limit potential damaging effects

If we cannot contact you directly, we’ll try to make you aware through other means, such as a public announcement.

Complain about how we’ve handled your data

Write to our data protection manager to complain about the way we’ve handled your personal data.

DVSA data protection manager

Data Protection Manager
Driver and Vehicle Standards Agency
The Axis Building
112 Upper Parliament Street
Nottingham
NG1 6LP

We’ll send you a full response within 10 working days. If we can’t respond fully in that time, we’ll tell you why and let you know when we can respond in full.

If you want to complain about our response

Complain to the Information Commissioner’s Office. They provide independent advice about data protection, privacy and data sharing issues.

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Privacy notices for our services

Each of our services has a privacy notice. It tells you:

  • what personal data the service collects, uses and stores
  • how long the data is stored for
  • why the personal data is collected
  • how the personal data is used

Online services

Most of our online services have a privacy notice link at the bottom of the service’s pages. If a service doesn’t yet have a privacy notice link at the bottom of its pages, you can read the appropriate privacy notice here.

Become and be an MOT tester: privacy policy
Book and manage your theory test: privacy policy
Book and manage your driving test: privacy policy
Set up and run an MOT test station: privacy policy

Other services

You can view privacy notices for other services we provide:

Forms

If you fill in an online or paper application form, there will usually be a separate privacy notice with the form.

Where a privacy notice has not yet been added to the form, we still follow all the rules and processes set out in this personal information charter to keep your personal data safe and secure.

Emails and letters

When you write to us, we’ll use your personal data to look into the issue you’ve raised and send you a reply.

We usually keep a record of your email or letter for 2 years. We do keep some for longer if the service or system has a policy that says it has to be kept for longer.

If your email or letter is about something another government department or agency is responsible for, we will usually pass it to them to reply to you. We will tell you when this happens.

Freedom of Information and Environmental Information Regulations

When you request information under Freedom of Information rules or the Environmental Information Regulations, we may need to consult with other departments to give you a coordinated response.

If your request should have been sent to another organisation, we’ll reply and tell you who to send it to. We will not send your request to the other organisation for you.

Sometimes we need to share your request for information with other organisations who help us run our services. We will not share any information that identifies you.

We keep a record of your request for 2 years. We only keep it for longer if it’s necessary because of an ongoing issue.

Distribution lists

We keep a number of distribution lists to communicate with our stakeholders as part of our functions as a government agency, or for legitimate interests.

Each list is only used for the purpose that the individuals on the list were told about at the time we collected their information.

We provide an email alert service that lets you choose what updates to get. You can manage your preferences and subscribe at any time. There’s a separate privacy notice for this service.

Research

To design services that are easy to use and valued by the people who need them, we need to understand their circumstances, influences and expectations. Research helps us understand this and whether the changes we make improve road safety.

The nature of the research determines what personal data is collected about you. When the research project has finished, we remove or anonymise all personal data from the records.

We publish the results of research on GOV.UK, but we make sure you cannot be identified in it.

When we do a research project, you’ll be told about its purpose, what personal data we collect about you, if it will be shared with any other organisation and if it will be combined with other data.

We will either:

  • ask for your consent to be part of a research project
  • rely on the ‘public task’ condition within the General Data Protection Regulation to contact you as part of the research project

Email research2@dvsa.gov.uk if you do not want to take part in research, or if you originally said you wanted to, but have changed your mind and want to stop.

If we don’t carry out the research directly ourselves, we’ll share your personal data with research companies we have a contract with to do research for us.

Any other data sharing follows data protection law, and includes sharing with law enforcement agencies where necessary to prevent or detect crime.

We keep your personal data in our systems, and the data is stored on UK or European Economic Area (EEA) servers.

When we share your data

We may share personal data within our organisation or with other bodies where we are permitted to do so by law.

There are some cases where we can pass on your data without telling you - for example, to prevent or detect crime, or in order to produce anonymised statistics.

In all cases, whether data is shared internally or externally, we will be governed by data protection law.

Public records

A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records.

The Public Records Act sets out which records are selected, transferred and preserved. Records defined as ‘public records’ must be openly accessible, unless they’re exempt under the Freedom of Information Act.