Sunday, 15 April 2018

DVLA clarify that parking companies cannot sell on debt to debt collectors.

Parking companies obtain keeper data from the DVLA by way of the KADOE contract. Copies are available under FOI, such as here.

This contract allows parking companies to engage debt collectors to pursue debts, but it does not allow them to sell the debt on to another party.

Despite this a number of parking companies have ignored their contract with the DVLA and have been selling their data to rogue debt collector MIL Collections for as little as £1 per parking charge.

MIL are well known for their aggressive practices which include blatantly lying on the telephone, using false and misleading information in letters, and pursuing debts despite not having in any known case a valid letter of assignment (MIL use an undated 'deed' which has no references to any actual parking charge and in some cases has provably been in existence before the assignment occurred as a recycled deed has been used).

The DVLA initially took no action to protect motorists despite being informed of this practice many years ago, when MIL first started to buy up parking charges. Since then, MIL have caused misery and essentially 'robbed' large numbers of motorists by claiming charges which are not valid.

The DVLA has now finally taken action.

DVLA Statement

The DVLA has issued a statement to the Trade Associations on the matter of Debt Assignment

You will be aware that DVLA has been considering whether to permit private parking companies passing on DVLA vehicle keeper data to third parties as part of the assignment of unpaid alleged private parking charges. The term used in this context to describe this activity is "debt assignment."

The KADOE contract does not provide for the onward disclosure of vehicle keeper data by parking companies for debt assignment, and any proposals to do so require the parking company to seek written authorisation from DVLA. However, following representations from the sector, DVLA agreed to consider its position further.

I can now advise that the Agency has concluded that it will not be changing its position on this matter. As was the case with previous requests from parking companies, DVLA will not allow vehicle keeper data originating from DVLA records to be provided to third parties as part of a debt assignment arrangement. The Agency will consider disclosure of data obtained from DVLA to third parties as part of a debt assignment arrangement as a breach of contract which could result in suspension.

British Parking Association Statement

The British Parking Association has stated they will fully support the DVLA in this matter, and that this is a serious breach which could result in the award of 10 sanction points.

12 sanction points results in an immediate ban.

The International Parking Community

The IPC have not made any public statement on this matter. However, their code of practice states
5.2 You must not pass any Personal Data to any third party company who is not a member of an Accredited Operator Scheme (or similar scheme of a different name) with an Accredited Trade Association or a firm entitled to carry on reserved legal activities 
According to their sanction scheme, misuse of personal data can result in 6-12 sanction points, with a starting point of 10.
Factors indicating higher degree of harm
1. Personal Keeper’s Data compromised or
used or obtained inappropriately.
MIL Collections

MIL Collections are run by failed businessman Alan Davies. Any motorists whose keeper data was purchased from the DVLA by a parking company and then sold on to MIL should raise a complaint with the DVLA and the appropriate trade association, the BPA or IPC.

Misuse of personal data is an offence against the Data Protection Act 1999, so you may also have a valid claim against MIL Collections and the parking company. As the DVLA allowed this practice to carry on for some considerable time despite being notified, you may also have a claim against the DVLA, as they have a legal responsibility to keep keeper data free from misuse.

If you provided your data directly to the parking company, without the DVLA being involved, then this does not apply.

Happy Parking

The Parking Prankster


  1. The walls continue to crumble...

  2. The DVLA should require both ATAs to conduct a full and vigorous investigation of their members and determine who has sold such data to MIL and report each and every case to the DVLA to follow up and inform those affected of the compromise of their data.

    Thereafter, they should assist those affected to instigate (even fund) civil proceedings against the relevant PPC and MIL and press for damages.

    Is there a potential ambulance chasing legal outfit wanting to cash in here? Gladstones, BWL, SCS, Wright Hassall, QDR, and Miah - this does not include you!

    1. oh how ironic for gladstones to go after MIL ,,

    2. Mangy stinking mutt eats mangy stinking mutt with scabs and fleas?

  3. This comment has been removed by the author.

  4. The BPA can start their sanctions with CEL and those debts which they assigned, (well 87.5% some times), to Debt Enforcement and Action Ltd in 2014 and 2015.

  5. I see many opportunities to sue for breach of the DPA now that the DVLA has made it's case clear. Past payments or court cases which were won or lost could also be brought to a new claim for breach of the DPA.
    Since this situation is a known abuse, and is still continuing to this date, the costs could be higher as the use of such data is a known unlawful activity.

  6. Where is the actual statement online please Pranky?

  7. Pee,s me off that DVLA can even be allowed to sell my private data.....................

  8. Things may become more difficult for them after the new EU data protection law comes in. I guess that's why they have already back-pedalled on the likes of MIL being given data when they previously ignored it.

  9. Whos responsible for the data breach the ATA? or the DVLA? if:

    The operator is operating its company issuing PCN's from an address which is stopped leasing in January 2018.

    The DVLA was made aware of this the end of last year but the company continues to be allowed access to the dvla data base.. the dvla says its down to the ATA.

  10. ~Ive just made a report to the ICO this morning about this as a result of the DVLA subject access request and discovering the enquirer was not the company registered as the one who demanded payment. Infact of 4 addresses checked from details on the letter received none were.
    ive notified the DVLA that they are now in breach as are the other 2 companies. One of which is not a ATA or registered with IPC

  11. I notified the ICO and I also notified the DVLA that had failed to carryout due carryout no due diligence checks to ensure that the /organisation and persons requesting the information are in-fact the registered enquirers? And that once they are registered they only provide one set or registration details that other than they are provided with an electronic access login no further checks on the details supplied are never checked on the registered company therefore this information provided by the DVLA and login details could then be provided to anyone with access to the system login details as they send information. They quoted
    The electronic service is a system to system service. (an interface between the service provider system and the DVLA system) The information is transferred back via a secure file transfer (SFTP) capability. The Registration Mark only is entered by the company clerk into the schema.

    There is no requirement for a decision to be made to disclose information at the time an application is received. The request is received and processed in accordance with the terms and conditions of the contractual agreement. however, they do have a requirement to ensure that the persons access are authorised and registered. The company that made the request for mine have not been at the premises they state and the letter and request for payment infact is linked to another company who are NOT ICP registered . I also carried a check on the website and discovered it too is a non compliant company who have failed the following requirements in the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2009/136/EC (ePR) so reported this to ICO . DVLA want to pass the book to the IPC and ATA but ive report the DVLA

    1. How are you getting along with the ICO? At just over three months you must be nearing the front of the queue to have an investigating officer assigned (DPA2018/SAR reports, after 1 month ignored + 2wk followup, are then taking about 4 months to be assigned, in my experience).