We carry out driving tests, approve people to be driving instructors and MOT testers, carry out tests to make sure lorries and buses are safe to drive, carry out roadside checks on drivers and vehicles, and monitor vehicle recalls.
Find out more about the services we provide.
So that you can use these services, we need to collect, use, store and sometimes share your personal information.
What personal information and data is
Personal data is information about a living person. It lets you identify them either:
- directly, for example, their name
- indirectly, for example, their driving licence number
Personal data can include things such as:
- identification numbers
- location data
- online usernames or ID
- data about health, genetics, economics, culture or social identity
Your personal data is protected by law. The law protects how it is collected, used and stored.
When we need your information and data
When we need to collect, store or use your personal information, we will:
- have a good reason to do it and only ask for what we need
- do so in a fair and transparent way
- tell you why we need your information and how we’ll use it
- only use your information how we say we’ll use it, and not in a way you would not expect without asking/telling you first
- only keep what we need, and will not keep it for longer than we need
- make sure it’s accurate and up to date, and that nobody has access to it who should not
- keep it safe and secure
Give us accurate data and tell us when things change
Make sure the information you give us is accurate and let us know if it changes. For example, if you change your:
- telephone number
Your sensitive (special category) information
We follow extra rules when we collect, use and store more sensitive personal data. This is called ‘special category’ data. It includes things like race, ethnic origin, trade union membership, health and sexual orientation.
Criminal law enforcement
When we process personal data to enforce criminal law, we categorise individuals so that their role is clear, for example, witness, victim, suspect or convicted criminal.
We also say whether the information is opinion or fact, and keep detailed logs of how we handle the data.
Reasons we can process your personal data
We can only process personal data for one or more of the following reasons:
- you’ve freely given your consent, it’s clear what you’re consenting to, and how you can withdraw your consent
- you’ve entered (or intend to enter) into a contract with us
- for legal reasons
- to protect someone’s ‘vital interests’ (a matter of life or death)
- to perform a public task or perform a specific task that’s in the public interest
- for our own or a third party’s legitimate interests - but only where the personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons to process it
These reasons are sometimes called ‘conditions’ or ‘legal bases’.
The reason we process your personal data affects the rights you have over it. We process data to meet our legal obligations and to perform public tasks.
Your rights over your personal data
By law, you have the right to:
- view your data - you can access your personal data free of charge and in digital format
- be informed - you should know and understand what happens with your data and why
- be forgotten - without a ‘compelling reason’ to keep your data, we must delete it
- move your data - you can obtain and reuse your personal data with other services
- limit how your data is used - you can block and put restrictions on how your data’s used, if it’s inaccurate or unnecessary
- say no - you can stop direct marketing and data processing when there’s no ‘compelling reason’ to do it
- make changes to your data - you can update any data about you that’s out of date or false, without delay
- human-made decision making - you can stop automated decisions being made about you, if they have legal or significant consequences
Contact our Corporate Correspondence team to use any of these rights.
What we do to keep your data safe and secure
When we introduce new technology or new policies and processes, we consider your privacy from the start. We’ll carry out a data protection impact assessment (DPIA) when it will help.
We always carry out a DPIA when we:
- use new technologies
- consider there is a high risk to your rights and freedoms
If a risk is found and we cannot find a way to reduce the impact or likelihood of the risk happening, we’ll ask the Department for Transport (as the department that oversees us) and the Information Commissioner for advice.
How we keep your data secure
We protect your personal data from unauthorised access, accidental loss, destruction and damage.
We carry out regular reviews and audits to make sure the way we collect, use and store personal data meets government security standards.
We also arrange for IT health checks and penetration testing to be carried out on our systems. This is done by independent CHECK approved individuals. These people:
- have a contract with us
- may have access to your personal data
- must follow our policy on the acceptable use of IT and communications equipment - they agree to do this before they carry out any work
We only transfer your personal data overseas if there are appropriate safeguards in place to protect it.
Training and guidance we give to our staff
We train all our staff about the importance of protecting personal and other sensitive information.
Anyone who routinely accesses personal data as part of their job has to do more in-depth training. Anyone with access to large volumes of personal data has to carry out training tailored to their role.
Our managers with formal responsibility for large datasets take extra training. This makes sure they have a clear understanding of what they need to do to keep the data under their control safe and secure.
All civil servants have to follow the Civil Service code. This has 4 core values of integrity, honesty, objectivity and impartiality. These values apply to how we handle personal data.
Data breach notification
We do everything we can to keep your personal data secure.
We’ll tell the Information Commissioner’s Office straight away (and always within 72 hours) if we become aware of a data breach. We’ll do this if the breach creates a risk to your rights and freedoms, including:
- financial loss
- breach of confidentiality
- damage to your reputation
- significant social or economic damage
We’ll tell you straight away if we think there’s a high risk to you. We will:
- give you our data protection manager’s contact details
- explain the likely consequences of the breach
- tell you what measures we’ve taken or plan to take to address the breach, including any steps taken to limit potential damaging effects
If we cannot contact you directly, we’ll try to make you aware through other means, such as a public announcement.
Complain about how we’ve handled your data
Write to our data protection manager to complain about the way we’ve handled your personal data.
We’ll send you a full response within 10 working days. If we cannot respond fully in that time, we’ll tell you why and let you know when we can respond in full.
If you want to complain about our response
Complain to the Information Commissioner. They provide independent advice about data protection, privacy and data sharing issues.
Privacy notices for our services and activities
Each of our services and activities has a privacy notice. It tells you:
- what personal data is collected, used and stored
- how long the data is stored for
- why the personal data is collected
- how the personal data is used
Most of our online services have a privacy notice link at the bottom of the service’s pages. If a service does not yet have a privacy notice link at the bottom of its pages, you can view it here.
Commercial vehicle driving
Driving instruction and training
MOT and vehicle testing
Vehicle operator licensing
If you fill in an online or paper application form, there will usually be a separate privacy notice with the form.
Where a privacy notice has not yet been added to the form, we still follow all the rules and processes set out in this personal information charter to keep your personal data safe and secure.
Emails and letters
When you write to us, we’ll use your personal data to look into the issue you’ve raised and send you a reply.
We usually keep a record of your email or letter for 2 years. We do keep some for longer if the service or system has a policy that says it has to be kept for longer.
If your email or letter is about something another government department or agency is responsible for, we will usually pass it to them to reply to you. We will tell you when this happens.
Freedom of Information and Environmental Information Regulations
When you request information under Freedom of Information rules or the Environmental Information Regulations, we may need to consult with other departments to give you a coordinated response.
If your request should have been sent to another organisation, we’ll reply and tell you who to send it to. We will not send your request to the other organisation for you.
Sometimes we need to share your request for information with other organisations who help us run our services. We will not share any information that identifies you.
We keep a record of your request for 2 years. We only keep it for longer if it’s necessary because of an ongoing issue.
We keep a number of distribution lists to communicate with our stakeholders as part of our functions as a government agency, where you have given your consent or for legitimate interests.
Each list is only used for the purpose that the individuals on the list were told about at the time we collected their information or that you gave your consent for.
We provide an email alert service that lets you choose what updates to get.
You can manage your preferences and subscribe at any time. There’s a separate privacy notice for this service.
To design services that are easy to use and valued by the people who need them, we need to understand their circumstances, influences and expectations. Research helps us understand this and whether the changes we make improve road safety.
The nature of the research determines what personal data is collected about you. When the research project has finished, we remove or anonymise all personal data from the records.
We publish the results of research on GOV.UK, but we make sure you cannot be identified in it.
When we do a research project, you’ll be told about its purpose, what personal data we collect about you, if it will be shared with any other organisation and if it will be combined with other data.
- ask for your consent to be part of a research project
- rely on the ‘public task’ condition within the General Data Protection Regulation (GDPR) to contact you as part of the research project
- rely on the ‘legitimate interests’ condition within the GDPR to contact you as part of the research project
Email firstname.lastname@example.org if you do not want to take part in research, or if you originally said you wanted to, but have changed your mind and want to stop.
If we do not carry out the research directly ourselves, we’ll share your personal data with research companies we have a contract with to do research for us.
Any other data sharing follows data protection law, and includes sharing with law enforcement agencies where necessary to prevent or detect crime.
We keep your personal data in our systems, and the data is stored on UK or European Economic Area (EEA) servers.
When we share your data
We may share personal data within our organisation or with other bodies where we are permitted to do so by law.
There are some cases where we can pass on your data without telling you - for example, to prevent or detect crime, or in order to produce anonymised statistics.
In all cases, whether data is shared internally or externally, we will be governed by data protection law.
A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records.
The Public Records Act sets out which records are selected, transferred and preserved. Records defined as ‘public records’ must be openly accessible, unless they’re exempt under the Freedom of Information Act.