Guidance

DVSA counter-fraud: privacy notice

Updated 2 December 2024

1. About counter fraud

The Driver and Vehicle Standards Agency (DVSA) processes this data for the purposes of preventing and investigating criminal offences. DVSA is an executive agency of the Department for Transport (DfT).

The data controller for DVSA is DfT – a data controller determines why and how personal data is processed. For more information, see the Information Commissioner’s Office (ICO) Data Protection Public Register. DfT’s registration number is Z7122992.

2. What data we need

The personal data we collect from parties to a criminal offence will include:

  • name
  • address
  • contact details
  • date, location and description of the offence
  • date of birth
  • driving licence number
  • CCTV images
  • credit card information used to book driving tests
  • telephone numbers used to book driving tests
  • vehicle ownership data
  • driving test data including location and time
  • candidate description
  • tachograph data
  • MOT data

The personal data we collect from suspected and convicted offenders will include:

  • name
  • address
  • date of birth
  • driving licence numbers
  • CCTV images
  • credit card information used to book driving tests
  • telephone numbers used to book driving tests
  • vehicle ownership data
  • driving test data including location and time
  • candidate description
  • tachograph data
  • MOT data

The personal data we collect from staff conducting and supporting investigations will include:

  • name
  • staff number
  • address
  • date of birth
  • contact details
  • office location
  • phone number
  • next of kin details

The lawful bases for processing this data are legal obligation and public task.

Our activities to investigate are supported, where applicable, by the following statutory powers:

  • Police and Criminal Evidence Act 1984
  • Criminal Procedure and Investigations Act 1996
  • Regulation of Investigatory Powers Act 2000
  • Fraud Act 2006
  • Road Traffic Act 1988, including sections 66A, 99 123

We are seeking to ensure compliance of operators, drivers and vehicles with the following statutory requirements:

  • Road Traffic Act 1988 (as amended) specifically Part III and V (vocational licences), sections 125, 132, 159a and 162A
  • The Motor Vehicles (Driving Licences) Regulations 1999 (SI 1999/2864) (as amended), specifically Part III, Schedule 8, Schedule 11
  • Part V of the Road Traffic Act 1988 (as amended by the Road Traffic (Driving Instruction by Disabled Persons) Act 1993
  • Road Safety Act 2006 (changes not enacted), section 36 to 43 and Schedule 6
  • The Motor Cars (Driving Instruction) Regulations 2005 (SI 2005/1902) (as amended), specifically part II and V, schedules 1 and 2
  • The Vehicle Drivers (Certificates of Professional Competence) Regulations 2007 (as amended) (SI 2007/605) (made under powers in European Communities Act 1972, Part III of the Road Traffic Act 1988; and Finance Act 1973)

3. Why we need it

We need the personal data we collect from you to:

  • identify and investigate parties to a criminal offence, for example informant, reporter, witness of suspicious activity, victims of crime
  • identify and investigate suspected and convicted offenders
  • administer staff who conduct and support investigations

4. What we do with it

We collect, use and store the data you give us for the reasons set out in this policy.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We get your data from or share it with:

  • Insurance Fraud Bureau to prevent, detect, investigate and prosecute insurance fraud and support the insurance industry in identifying vehicle accidents, so the relevant authorities can take the appropriate action
  • National Highways to prevent incidents and improve road safety
  • National Crime Agency, Border Force, Visas and Immigration, HMRC, Counter Terrorism Policing for law enforcement purposes

We have access to Equifax through the LoCTA hub portal to enable us to find the assets of individuals when we’re carrying out financial confiscation investigations.

If we establish there is sufficient evidence that an offence has been committed, we may share your personal data with the police and Crown Prosecution Service or with our Prosecution and Legal Services team.

Your personal data may also be shared with the police and law enforcement agencies when targeted joint stopping/inspections are planned.

We may be asked to comment on successful prosecutions but will not release any information which is not classed as a public record.

We will share your data if required to do so by law – for example, by court order, or to prevent fraud or other crime.

We use facial recognition software of CCTV images from the theory test of individuals who are suspected of theory test fraud, for example candidate impersonation. The application will help analyse the images to identify repeat offenders, which is then reviewed by one of the team. Where offenders are identified we will process the information in line with the Criminal Procedures and Investigations Act 1996.

5. How long we keep your data

We’ll only keep your personal data for as long as it is needed for the reasons set out in this policy or as long as is required by law.

We will hold your personal data for:

  • no longer than 7 years after the end of an investigation or 7 years after the end of any court imposed sentence has expired in line with police investigation guidance
  • the times stated by human resource disciplinary retention periods in the case of staff conducting and supporting investigations

6. Where it might go

All counter fraud investigation data is on contracted cloud services which are hosted in the European Economic Area and as such meets security safeguards equivalent to those required by data protection legislation.

7. Protecting your data and your rights

The DVSA personal information charter sets out what steps are taken to protect your data, and the rights you have over your data.

8. Automated decision making and profiling

Your data is not subject to automated decision making or profiling as defined in data protection legislation.

9. Changes to this notice

We may change this privacy notice at our discretion at any time.

When we change this notice, the date on the page will be updated. Any changes to this privacy notice will be applied to you and your data as of the revision date.

We encourage you to periodically review this privacy notice to be informed about how your data is protected.

10. How to contact us

If you have any questions about anything in this document or if you consider that your personal data has been misused or mishandled you can contact the DVSA data protection manager.

DVSA data protection manager

Data Protection Manager
DVSA
1 Unity Square
Nottingham
NG2 1AY

Contact DVSA customer services if you have a query that is not about how your personal data is used.

You may also make a complaint to the Information Commissioner, who is an independent regulator.