Saturday, 29 October 2016

Parking companies breaking data protection by selling to MIL Collections

A freedom of information request has established that parking companies cannot sell keeper data obtained from the DVLA to MIL Collections unless the DVLA has approved this.

For parking companies to get keeper data from the DVLA, they sign a contract known as the KADOE contract. A copy of the contract has been released by FoI here.

This contract says what you can and cannot do with the keeper data. In particular, clause D5.1 of the KADOE contract prohibits the Customer from disclosing the information they have received from the DVLA to any other person except:-

a) to a sub-contractor who acts as the Customer's data processor;
b) to a sub-contractor who acts as the Customer's debt collector;
c) with the prior written agreement of the DVLA.

MIL Collections are clearly not acting as a sub-contractor, and therefore parking companies must have prior written agreement from the DVLA to sell KADOE data to MIL.

The freedom of information request establishes that no companies have this permission.

Companies who have sold their data to MIL are therefore in breach of the KADOE contract and in breach of the Data Protection Act 1998.

There are also other conditions regarding the passing on of data, and it is not clear that MIL would pass these either.

MIL Collections have my data

It is important to note that not every case where MIL Collections have your data will necessarily be a breach of the Data Protection Act. In some cases, the parking company will not have your data from the DVLA. They might have it because you wrote to appeal a windscreen ticket, for instance, or because your address was written on the side of your vehicle.

However, if you received a notice to keeper in the post then chances are that the parking company got your data from the DVLA. If they did, as a first step you should write and complain.

Data Sharing & Protection Group
Strategy, Policy and Communications Group
D16
DVLA
Swansea
SA6 7JL 

Dear DVLA,

I am writing in reference to Freedom of Information request FOIR5604.

I wish to complain that [parking company] have sold my personal data to MIL Collections Limited. I believe that this information was obtained from yourselves, and this is therefore a breach of the KADOE contract clause D5.1.

The details of the parking event are:
Vehicle: [reg]
Date:     [date]

Please can you confirm:
1) The parking company received my personal data from yourself
2) The parking company did not have prior written permission from the DVLA to give data to MIL Collections 

If this is the case, please also inform me what steps you will be taking against the parking company, and how you intend to safeguard my personal data in the future.

Once the DVLA have confirmed your data has been misused, you can then take action against the parking company. The case of Vidal-Hall v Google Inc [2014] EWHC 13 (QB) provides authority that misuse of personal data is a tort and that damages may be non-pecuniary. The case of Halliday v Creation Consumer Finance Ltd [2013] All ER (D) 199 provides authority that a reasonable sum for compensation would be £750. A claim of up to £750 may therefore be possible. You may wish to take legal advice on the prospects of success. Filing a claim for £750 will cost £60. A claim for £299 will cost £25 online.

The first step would be a letter before claim.

Dear Parking Company,

Letter Before Claim

You have given my personal data to MIL Collections. You obtained this data from the DVLA, and your KADOE contract prevents you sending that data to third parties without prior written permission of the DVLA. The DVLA has confirmed that no such permission was given. This is therefore misuse of my personal data.

The case of Vidal-Hall v Google Inc [2014] EWHC 13 (QB) provides authority that misuse of personal data is a tort and that damages may be non-pecuniary. The case of Halliday v Creation Consumer Finance Ltd [2013] All ER (D) 199 provides authority that a reasonable sum for compensation would be £750. 

In this case, I consider a reasonable sum for the distress caused would be £750. Please remit this amount within 14 days. If you have not remitted this sum, or made suitable arrangements to remit it, I reserve the right to take legal action without further notice.

I would be willing to use Alternative Dispute Resolution to attempt to settle this matter and suggest the Consumer Ombudsman is a suitable body.

If they do not pay up, you could consider filing a claim. The particulars would be something like:


My name and address information (together with other information) is classified as personal data within the meaning of s1(1) of the Data Protection Act (DPA). [Parking Company] misused this data by obtaining it from the DVLA and then selling it to MIL Collections in breach of their KADOE contract with the DVLA. This caused harassment and personal distress to myself and s13 of the DPA provides for financial compensation for this.

The case of Vidal-Hall v Google Inc [2014] EWHC 13 (QB) provides authority that misuse of personal data is a tort and that damages may be non-pecuniary. The case of Halliday v Creation Consumer Finance Ltd [2013] All ER (D) 199 provides authority that a reasonable sum for compensation would be £750.

Time Limit

The Limitation Act may apply, which would mean you have 6 years to file your claim from the date the parking company sold your data to MIL. Whether or not MIL have taken you to court and won or lost would be immaterial (but may affect the level of claim), as your claim is against the parking company, not MIL.

Happy Parking

The Parking Prankster


8 comments:

  1. Erm, I have to disagree here - I've got form for suing a lot of people for DPA and PECR breaches leading from unsolicited commercial email.

    The scenario which we are dealing with is contractual remember - you've agreed to park and for them to obtain your details if you don't pay.

    They are then contracting MIL and MIL will be using Schedule 2, (2) (a);

    The processing is necessary—
    (a)for the performance of a contract to which the data subject is a party, or

    This satisfies Schedule 1 (1)(a) of the DPA.

    These are all referred to in Section (4) of the DPA.

    Sorry :)

    Replies
    1. I'm given to understand from previous blogs that the weasels sell the imagined debt to MIL and then MIL sue in their own name.

    2. This would be allowable if MIL were a sub-contractor. However, they claim they are not.

      The parking company are therefore using the data in breach of their contract with the DVLA.

    3. If the data subject wasn't driving then they are not party to the contract.

    4. POFA allows for the details to be obtained, as a result of failure of contract. The debt can be sold, that's still contractual. I don't see a DPA breach here - sorry.

      DPA breaches are hard enough to work with where you can prove that the defendant has no legal right to obtain the details, but there is a legal route here so I think it'll fail.

    5. I'm with the Prankster.
      The KADOE contract doesn't only specify with whom the data may be shared: it also specifies the purposes for which the data may be used. Clause B2(a) specifies: "to seek recovery of unpaid Parking Charges..."

      A PPC's contract of sale to MIL would necessarily mean agreeing NOT to continue seeking recovery of the unpaid parking charges.

      This would fall foul of the DPA Second Principle: "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible for that purpose or those purposes".

      In addition: trafficking in litigation/champerty/maintenance - whatever it should be called - does not fall into the category of "lawful purposes".

  2. I'm wondering if this can be baked into a MIL defence, after all if the DPA was followed then MIL would not have the data to sue, that or just add the debt to MIL onto the claim from the parking company (oh the irony).

  3. You need a test case. Until then - who knows.
