Personal information charter

This charter explains how we collect, use and store your personal information, and what we need from you to keep it up to date.


Overview

We carry out driving tests, approve people to be driving instructors and MOT testers, carry out tests to make sure lorries and buses are safe to drive, carry out roadside checks on drivers and vehicles, and monitor vehicle recalls.

Find out more about the services we provide.

We are an executive agency of the Department for Transport (DfT). The data controller for DVSA is DfT – a data controller determines the reasons and how personal data is processed. For more information, see the Information Commissioner’s Office (ICO) Data Protection Public Register. DfT’s registration number is Z7122992.

So that you can use these services, we need to collect, use, store and sometimes share your personal information.

What personal data is

Personal data is information that can identify a living person. It lets you identify them either:

  • directly, for example, their name
  • indirectly, for example, their driving licence number

Personal data can include things such as:

  • names
  • identification numbers
  • location data
  • online usernames or ID
  • data about health, genetics, economics, culture, social identity or ethnicity

Your personal data is protected by law. It protects how it is collected, used and stored.

When we need your data

When we need to collect, store or use your personal data, we will:

  • have a good reason to do it and only ask for what we need
  • do so in a fair and transparent way
  • tell you why we need your information and how we’ll use it
  • only use your information how we say we’ll use it, and not in a way you would not expect without asking/telling you first
  • only keep what we need, and will not keep it for longer than we need
  • make sure it’s accurate and up to date, and that nobody has access to it who should not
  • keep it safe and secure

If you use one of our websites, we will share anonymised data with GOV.UK and the Government Digital Service on how you used the site. This will usually be via Google Analytics.

Give us accurate data and tell us when things change

Make sure the data you give us is accurate and let us know if it changes. For example, if you change your:

  • name
  • address
  • telephone number

If your data is not correct, if could have an impact on you, for example, communications from us may go to your previous address or email address or if you pass your test your driving licence may go to a previous address

Your sensitive (special category) data

We follow extra rules when we collect, use and store more sensitive personal data. This is called ‘special category’ data. It includes things like race, ethnic origin, trade union membership, health and sexual orientation.

Criminal data

When we process personal data to enforce criminal law, we categorise individuals so that their role is clear, for example, witness, victim, suspect or convicted criminal.

We record whether the information is opinion or fact, and keep detailed logs of how we handle the data.

We may include your personal data in press releases following successful prosecutions.

We may also process criminal data during the recruitment process. We will only seek this information once a job offer has been made to you and we will inform you that we are doing so.

Mandatory retention

We have been told to keep all documents, correspondence, notes, emails and all other information – however held – which contain or may contain content relating directly or indirectly to the sexual abuse of children. A child, in this case, is any person under the age of 18.

Reasons we can process your personal data

We can only process personal data for one or more of the following reasons:

  • you’ve freely given your consent, it’s clear what you’re consenting to, and how you can withdraw your consent
  • you’ve entered (or intend to enter) into a contract with us
  • for legal reasons
  • to protect someone’s ‘vital interests’ (a matter of life or death)
  • to perform a public task or perform a specific task that’s in the public interest
  • for our own or a third party’s legitimate interests - but only where the personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons to process it

These reasons are sometimes called ‘lawful bases’.

The reason we process your personal data affects the rights you have over it. We process data to meet our legal obligations and to perform public tasks.

Your rights over your personal data

By law, you have the right to:

  • access your data - you can access your personal data free of charge and in any format
  • be informed - you should know and understand what happens with your data and why
  • be forgotten - without a ‘compelling reason’ to keep your data, we must delete it
  • move your data - you can obtain and reuse your personal data with other services
  • limit how your data is used - you can block and put restrictions on how your data’s used, if it’s inaccurate or unnecessary
  • say no - you can stop direct marketing and data processing when there’s no ‘compelling reason’ to do it
  • make changes to your data - you can update any data about you that’s out of date or false, without delay
  • human-made decision making - you can stop automated decisions being made about you, if it has legal or significant consequences

We aim to respond to your request within one month. We can take up to 3 months to respond if your request is complex. We’ll contact you within the first month to let you know if it’s going to take longer than one month.

We cannot respond to requests made by online portals unless we’re able to verify your identity.

Contact our data protection team to use any of these rights.

DVSA data protection
dataprotection@dvsa.gov.uk

Freedom of Information and Environmental Information Regulations

When you request information under Freedom of Information rules or the Environmental Information Regulations, we may need to consult with other departments to give you a coordinated response.

If your request should have been sent to another organisation, we’ll reply and tell you who to send it to. We will not send your request to the other organisation for you.

Sometimes we need to share your request for information with other organisations who help us run our services. We will not share any information that identifies you unless it is necessary to do so.

We keep a record of your request for 2 years. We only keep it for longer if it’s necessary because of an ongoing issue.

Forms

If you fill in an online or paper application form, there will usually be a separate privacy notice with the form.

Where a privacy notice has not yet been added to the form, we still follow all the rules and processes set out in this personal information charter to keep your personal data safe and secure.

Emails and letters

When you write to us, we’ll use your personal data to look into the issue you’ve raised and send you a reply.

We usually keep a record of your email or letter for 2 years. We do keep some for longer if the service or system has a policy that says it has to be kept for longer.

If your email or letter is about something another government department or agency is responsible for, we will usually pass it to them to reply to you or tell you where to send it.

Telephone calls

If you phone our customer service centre, we record the call for monitoring and training purposes, and to improve customer experience in the future.

We keep call recordings for one year. We may keep a recording for longer if needed, for example as part of an ongoing complaint or investigation.

Distribution lists

We keep a number of distribution lists to communicate with our stakeholders as part of our functions as a government agency, where you have given your consent or for legitimate interests.

Each list is only used for the purpose that the individuals on the list were told about at the time we collected their information or that you gave your consent for.

We provide an email alert service that lets you choose what updates to get. You can manage your preferences and subscribe at any time.

There’s a separate privacy notice for this service.

Research

To design services that are easy to use and valued by the people who need them, we need to understand their circumstances, influences and expectations. Research helps us understand this and whether the changes we make improve road safety.

The nature of the research determines what personal data is collected about you. When the research project has finished, we remove or anonymise all personal data from the records.

We publish the results of research on GOV.UK, but we make sure you cannot be identified in it.

When we do a research project, you’ll be told about its purpose, what personal data we collect about you, if it will be shared with any other organisation and if it will be combined with other data.

We will:

  • ask for your consent to be part of a research project
  • tell you which lawful bases we’re relying on for our research, for example, public task or consent

Email research2@dvsa.gov.uk if you do not want to take part in research, or if you originally said you wanted to, but have changed your mind and want to stop.

If we do not carry out the research directly ourselves, we’ll share your personal data with research companies we have a contract with to do research for us.

When we share your data

We may share personal data within our organisation or with other bodies where we are permitted to do so by law.

There are some cases where we can pass on your data without telling you - for example, to prevent or detect crime, or in order to produce anonymised statistics.

In all cases, whether data is shared internally or externally, we will be governed by data protection law.

Public records

A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records.

The Public Records Act sets out which records are selected, transferred and preserved. Records defined as ‘public records’ must be openly accessible, unless they’re exempt under the Freedom of Information Act.

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. We do not intentionally collect or maintain data about anyone under the age of 13.

What we do to keep your data safe and secure

When we introduce new technology or new policies and processes, we consider your privacy from the start. We’ll carry out a data protection impact assessment (DPIA) when it will help.

We always carry out a DPIA when we:

  • use new technologies
  • consider there is a high risk to your rights and freedoms

If a risk is found and we cannot find a way to reduce the impact or likelihood of the risk happening, we’ll ask the Department for Transport (as the department that oversees us) and the Information Commissioner for advice.

You can request a copy of any DPIA we’ve carried out by emailing pia@dvsa.gov.uk.

How we keep your data secure

We protect your personal data from unauthorised access, accidental loss, destruction and damage.

We carry out regular reviews and audits to make sure the way we collect, use and store personal data meets government security standards.

We also arrange for IT health checks and penetration testing to be carried out on our systems. This is done by independent CHECK approved individuals. These people:

  • have a contract with us
  • may have access to your personal data
  • must follow our policy on the acceptable use of IT and communications equipment - they agree to do this before they carry out any work

We only transfer your personal data overseas if there are appropriate safeguards in place to protect it.

We will test changes to our systems using dummy data. Where this is not possible, we will look at other options. If the only option is to test using your personal data, we shall:

  • ensure the system has had an IT health check and any risks have been identified and addressed to a tolerable level
  • seek approval from relevant senior staff within DVSA
  • only test with the minimum amount of your personal data
  • only use DVSA staff or contracted supplier staff to test with live data and consider whether they need enhanced security clearance before doing so
  • securely remove your data from testing as soon as it has been completed

Training and guidance we give to our staff

We train all our staff about the importance of protecting personal and other sensitive data.

Anyone who routinely accesses personal data as part of their job has to do more in-depth training. Anyone with access to large volumes of personal data has to carry out training tailored to their role.

Our managers with formal responsibility for large datasets take extra training. This makes sure they have a clear understanding of what they need to do to keep the data under their control safe and secure.

All civil servants have to follow the Civil Service code. This has 4 core values of integrity, honesty, objectivity and impartiality. These values apply to how we handle personal data.

Data breach notification

We do everything we can to keep your personal data secure.

We’ll tell the Information Commissioner’s Office straight away (and always within 72 hours) if we become aware of a data breach. We’ll do this if the breach creates a risk to your rights and freedoms, including:

  • financial loss
  • breach of confidentiality
  • discrimination
  • damage to your reputation
  • significant social or economic damage

We’ll tell you straight away if we think there’s a high risk to you. We will:

  • give you our data protection manager’s contact details
  • explain the likely consequences of the breach
  • tell you what measures we’ve taken or plan to address the breach, including any steps taken to limit potential damaging effects

If we cannot contact you directly, we’ll try to make you aware through other means, such as a public announcement.

Complain about how we’ve handled your data

If you believe your data has been misused, you can write to our data protection manager to complain about the way we’ve handled your personal data.

DVSA data protection manager

Data Protection Manager
DVSA
1 Unity Square
Nottingham
NG2 1AY

We’ll send you a full response within 10 working days. If we cannot respond fully in that time, we’ll tell you why and let you know when we can respond in full.

Contact DVSA customer services if you have a query that is not about how your personal data is used.

If you want to complain about our response

Complain to the Information Commissioner if you’re not happy with the way we responded to your complaint about how we handled your data. They provide independent advice about data protection, privacy and data sharing issues.

Privacy notices for our services and activities

Each of our services and activities has a privacy notice. It tells you:

  • what personal data is collected, used and stored
  • how long the data is stored for
  • why the personal data is collected
  • how the personal data is used including who it’ll be shared with, if applicable
  • whether your data will be transferred or accessed outside of the UK, and what legal protection it will have, if applicable

Most of our online services have a privacy notice link at the bottom of the service’s pages. You can use it to read the privacy notice for that service.

If an online service does not yet have a privacy notice link at the bottom of its pages, you can find it on the list of DVSA privacy notices.

You can also find privacy notices for our other activities on the list of DVSA privacy notices.