Tuesday, 31 January 2017

DVLA confirm massive data protection breach to MIL Collections

The DVLA has now confirmed a massive data breach has occurred with parking companies selling data to MIL Collections in contravention of the KADOE contract. Many thousands of parking charges are potentially affected.

Parking companies have been selling data to MIL since February 2015. However, the DVLA has only now confirmed that data which was obtained from them using the KADOE contract should not have been provided to MIL, and this therefore puts the operator in breach. Data obtained from other sources is not affected.

The IPC released this statement about their operator Northwest Parking Enforcement.

Further to your complaint that Northwest Parking Enforcement is in breach of their KADOE contract with the DVLA by engaging Mil Collections to enforce their parking charges under the terms of a debt-purchase arrangement.

We have made the necessary enquiries with the DVLA who have clarified there had been a misinterpretation of the terms of the contract and that subsequently Mil collections should not be considered a ‘sub-contractor’ under it. The company would therefore be required to obtain the prior consent of the DVLA in order to engage in such an arrangement irrespective of whether they retained a significant degree of control over the data in question.

Accordingly, the arrangement that was in place may have put the operator in breach of the KADOE contract but this is limited to cases where the data was requested under the terms of the KADOE contract. It should be noted that this does not apply where the information was obtained or confirmed through other means.

Since the point has been clarified, we have been informed that the company is no longer referring keeper data that has been obtained under the KADOE contract to Mil collections and, as such, this issue should not arise in the future.

This means that to protect themselves, motorists should consider whether to appeal windscreen tickets immediately, thus giving away their details, or to wait until their data has been obtained from the DVLA, thus giving them added protection.

The DVLA have not yet said what they will do about the potentially thousands of parking charges already sold to MIL.

DVLA History with MIL Collections

On 18 October 2015 an enquiry was made about MIL Collections to David Dunford of the DVLA

I am writing to enquire the DVLA position regarding the data protection obligations for keeper data when a parking company passes this data to a third party. It is clear in the current KADOE contract that the operator has a number of obligations in this matter and clause D5 sets out 'Restrictions on the disclosure of the data'. The operator can (a) disclose data to a sub-contractor acting as the customer's data processor or (b) a sub-contractor engaged in debt collection, and (c) to no other person without the prior written agreement of the DVLA.

When data is passed on in (a) and (b) a number of safeguards must be in place. The person receiving the data must have a written contract which requires the sub-contractor to abide by the requirements in schedules 2 and 3 of the KADOE contract. These contain conditions such as naming all the people who can handle data, ensuring that they have a record of appropriate training, using anti-virus software, etc. The conditions also require that any charge is pursued in line with the old OFT Debt Collection Guidelines.

It has come to our attention that a number of parking companies are disclosing keeper data by selling the parking charge to a third party. We would expect the conditions in which the DVLA allow this would be at least as strict as those required for a sub-contractor engaged in debt collection; otherwise an operator could simply circumvent DVLA requirements by setting up a new company and immediately selling on the debt. However, the DVLA may have different views. We would therefore welcome clarification on this point.

The company in question is MIL Collections Ltd and it has purchased keeper details from at least four parking companies, CPMS (Car Park Management Services), Car Park Management Services (CPMS) Ltd, Premier Parking Logistics and Combined Parking Solutions. There are a number of worries regarding the methods MIL Collections Ltd uses to pursue charges, and they are breaching a number of the old OFT Debt Collection Guidelines 

If these companies have not written to the DVLA asking for permission to disclose the data in line with clause D5.1(c) of the KADOE contract, and if it is the DVLA position that the data should be kept secure in these circumstances then there are a number of matters I would like to raise. 

David Dunford never replied.

On 23 October a follow up email was sent

Do you have a date when you will be able to reply to this (or if you are the wrong contact, please can you point me to the right person/department).
I do have some further information on this. In the BPA Council of Representatives Meeting on 3rd June 2015 it was reported in the minutes:

MIL – It was reported that MIL, who are members of the BPA but not the AOS, have been approaching operators and offering to purchase outstanding PCN’s for £1. In addition, the FAQ’s on their website contained information from exchanges with the BPA which had been taken out of context. The terms of MIL’s membership was currently being discussed with the member and KR advised that he had spoken to the DVLA about this and the DVLA was reviewing its policy.

KR is Kelvin Reynolds.

Has the DVLA finished reviewing its policy yet? If so, please can you inform me of the results. If not, I will provide you with information regarding MIL collections activities which breach the OFT debt collection guidelines to help with the policy making process.

David Dunford never replied.

On 9 November a further follow-up email was sent.

Dear Mr Dunford,

I have not yet received an acknowledgement of this. Do you have a date when you will be able to reply to my earlier email (or if you are the wrong contact, please can you point me to the right person/department)?

David Dunford never replied.

On 24 November 2015 a DVLA email said

Following our discussions at the DVLA-BPA Focus Group on 4 November we have been considering the position regarding MIL Collections and the ‘sale of debt’ model generally.

We need clarification on a number of things before we are able to provide you with our full response:
1. What information would MIL receive from the parking company as part of buying the debt?
For example, does this include evidence of the VRM, the breach of terms & conditions, landowner agreement, and any data the parking operator may have obtained from DVLA (keeper name and address)?
This is key as we need to understand whether MIL would be buying the debt, or the debt and the data obtained from DVLA.
MIL would be buying everything that they would need to follow up on the debt – this will include, if appropriate, the vehicle keeper details that you have supplied to the operator. There are some instances where the operator has not applied for data – for example an on-screen ticket where the motorist has surrendered their details in an appeal letter. With regards to the case, I am sure that MIL would require any and every piece of background detail.

2. If MIL buy the debt do they keep all money recovered or do they give some money obtained back to parking company?
Have they got different models? If so, we need details of these.
From what I can gather there are various models where MIL buy the debt and pay a proportion of anything they recover less their costs to the operator – other models see the debt sold on completely and nothing to the operator – I sense that it’s all negotiated.

3. What contracts would be in place between MIL and the parking company and what do they cover?
I am sure that there is some contract in place but I have not seen these – we have not audited them – as they are IPC members, you could ask them?

On 22 December 2015, a DVLA email said:

Selling unpaid cases to companies such as MIL

I have discussed this issue with colleagues and due to the further information we now know about MIL there are concerns about DVLA data being passed on in such circumstances.
In the absence of a formal sub contracting relationship between operators and MIL, the operators should seek permission from DVLA before forwarding on any DVLA data to third parties. On the basis of the information we have at present, DVLA would be unlikely to agree to DVLA data being forwarded on to third parties in the absence of the assurance that comes with a formal sub contract.
I’m sure both these issues will run for a while yet, so please let me know if you have any further queries.

In June 2016, in answer to FOI 5323, the DVLA said

I can confirm that the situation regarding debt collection companies such as MIL is that where a parking company does not have a contract in place with the debt collector they must seek permission from DVLA before forwarding on any DVLA data to third parties.

Prankster Note

It is clear then that the DVLA have been fully aware of MIL's activities since at least 18 October 2015 and possibly 3 June 2015.

The DVLA has a history of failing to protect keeper data from companies like Proserver, PACE Recovery, and now MIL Collections.

The important questions the DVLA need to answer now are:

1) What will the DVLA do about the data incorrectly sold to MIL Collections?
2) How can the DVLA restore public confidence, given that it takes them several years to protect motorists from the time they first become aware of the breach?


In the June 2016 Parkex brochure MIL claimed to take 70% of cases to court and to have spent over £100,000 in court fees. This would mean somewhere between 2,000 and 4,000 cases were taken to court, giving some idea of the scale of MIL's operation.

The important questions MIL need to answer are

1) In all the court cases you have taken out against motorists, you have claimed you have fully purchased the debt from the operator. This does not fit with the DVLA statement "From what I can gather there are various models where MIL buy the debt and pay a proportion of anything they recover less their costs to the operator". Have you been deceiving the court when you tell judges the debt has been purchased outright?
2) Why do the deeds of assignment with parking companies which you claim are signed on different dates all look exactly the same? Were they really signed on different dates, or have you been deceiving the court?

Data Protection claim

Now the DVLA have confirmed that operators were in breach of their KADOE contract, it may be that motorists have a data protection claim against any parking operator who sold data to MIL.

Happy Parking

The Parking Prankster

14 comments:

  1. As the song goes - 'It looks like trouble ahead .......

  2. MIL have repeatedly been put to proof as to the status of their alleged "assignments" and the line has been to stand behind the copies of the front page of these "assignments". Despite efforts to uncover what sits behind these they have never been formally tested in court simply because when push comes to shove MIL discontinue.

    Is it therefore improper of us to take a view?

    What about those cases where MIL's bullying approach has led to default wins or immediate settlements?

    What about those PPC's who have used the V888/3 paper application route (as opposed to KADOE)? Do they escape sanction/investigation?

    Replies
    1. Where people have lost a court case (not defended, caved in, it matters not) it just increases the size of the DPA claim against the original PPC who breached the DPA by passing on the data.

  3. Has anyone complained to the ICO yet?

    You can't rely on some geriatric DJ to help.

  4. The V888/3 paper application route does not require a KADOE contract but it still requires reasonable cause and adherence to the Data Protection Principles of the DPA. It is clear that the KADOE contract was drafted to ensure that DVLA had someone else to blame if any of the Data Protection Principles were broken. These principles include the following:

    2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

    This means that keeper data obtained from the DVLA to pursue an unpaid parking charge (the only valid reason that DVLA accepts from private parking companies) cannot be sold to a third party because that usage was not the original purpose.

    Replies
    1. Absolutely.

      However, I quote from a DVLA response to a request to identify who carried on keeper checks which included details of any restrictions that were placed on any disclosure of the data supplied (which was in response to a V888).

      "The DVLA would not expect a company to request permission from us to pass on information to another company regarding their process from debt collection. There is no requirement under section 27 of the data protection act which requires a company to do this".

      That sounds like yet another load of weasel words.

    2. DVLA is correct: PPCs don't have to ask DVLA's permission to pass information to another company that is not a subcontractor. This is banned by principle 2 of the DPA and DVLA has no authority to give such permission.

  5. Where the incident took place after the DVLA were made aware and did nothing to prevent the data being misused, would victims have a case against the DVLA? Or against the landholders who hired the PPCs at the relevant locations?

    Just wondering how difficult it might be for victims to make a claim against some phoenixing low-life company that may well not even exist anymore.

  6. It's an ICO case. This has been a massive failure on the part of the DVLA to vet the integrity of the BPA and the IPC.

    It's been very clear for as long as they have relied on them carrying out their own checking, that they are just passing the buck.

    It's a case of them wanting the cash with as little effort as possible.

  7. It seems to me like this is just starting to get interesting. Does anyone know how DRP compares to MIL? Does DRP operate the same way? Had DRP been flagged to the DVLA?

    Replies
    1. They don't buy an assigned debt. They act on behalf of the PPC so have rights to use the data. However they should still refer the debt back to the PPC when told it is disputed. Instead they take the case forward based on their own assertions of a contravention.

  8. This comment has been removed by the author.

  9. excel spreadsheet showing all companies that use the KADOE method either by direct access or thru DR+ , ranger etc , if they are not on this list they use v888/3 (excel spreadsheet)

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567624/kadoe-volumes-2015-16-_q2-2016-17-v1-2.xlsx
