9. Data Protection Act
Guidance for driving examiners on the Data Protection Act.
The implications of breaching the Data Protection Act are serious. Individuals are responsible personally for information they give out and are liable to be prosecuted if they are found to have disclosed information inappropriately. Legislation does not hold the agency responsible under these circumstances.
We have made great efforts over the last decade to allow examiners to conduct tests in a more customer friendly manner and the Data Protection Act must not be used as an excuse to return to a less customer focused approach. Information is still freely available through the correct channels to the correct people.
At the start of the test the examiners must ask the candidate whether they want their instructor/accompanying driver present on the test and for the result and feedback at the end of the test.
(If the test was not accompanied and the instructor/accompanying driver comes over to the vehicle to listen to the conclusion of the test, the examiner should confirm with the candidate they want their instructor/accompanying driver present)
If the candidate elects not to have their instructor/accompanying driver present for the decision and debrief, then the examiner should ensure that the candidate’s request is complied with.
Any subsequent enquiries made by the instructor about their pupil’s performance, must be referred back to the candidate in all cases (although it would be helpful to point out that further feedback is available with the written permission of the candidate). Examiners must not discuss previous tests with instructors.
In the event of a complaint being received, examiners must not assume that instructors are aware of the candidate’s complaint - merely telling an instructor that a candidate has complained, is a breach of the Data Protection Act. Examiners must not bring to the attention of, or discuss with instructors, customer complaints.
No information regarding driving test performance may be discussed (with a third party). All requests should be referred to the HEO, SEO or area customer service unit to answer.
If a candidate writes requesting information about their particular test, DVSA must supply that information. Forward all written requests to the HEO, SEO and area customer service unit to answer.
An information security incident is any actual or potential compromise of DVSA’s information.
Examples are varied and include:
- insecure site, for example, faulty lock or broken window
- email, containing personal or sensitive information, sent to the wrong internal or external recipient
- unauthorised disclosure of information
- lost or stolen information or equipment
- information kept longer than necessary
- breaches of information management and security policies or legislation such as the Data Protection Act
Reporting procedure
You must report information security incidents to the Information Management and Security (IM&S) Team immediately.
You can do this by using the reporting form on DVSAnet or by sending an email to incident.control.centre@dvsa.gov.uk.
You must not let the completion of the form delay the reporting of the incident.
Investigation
The IM&S team will follow this process.
-
See whether an incident has occurred.
-
Contain any incident.
-
Look at what has happened and why.
-
Identify improvements that can be put in place to reduce the risk of it happening again.
DVSA does not make a charge to supply written information (such as a test report), unless the candidate asks to see all the information that we hold on them throughout the agency. In this case, they should submit a written request to headquarters, customer service unit accompanied by a £10 fee.
If a third party writes on the candidate’s behalf, DVSA cannot deal with the enquiry or complaint without the written permission of the candidate. Forward all requests to the HEO or SEO or area customer service unit to answer.
Examiners should refer to standing operating procedure (DVSA/ Data protection/3/6) - for more detailed information