Guidance

DVSA training: privacy notice

Updated 12 November 2024

1. About this activity

The Driver and Vehicle Standards Agency (DVSA) provides training to you or your employees, so you are appropriately skilled. DVSA is an executive agency of the Department for Transport (DfT).

The data controller for DVSA is DfT – a data controller determines the reasons and how personal data is processed. For more information, see the Information Commissioner’s Office (ICO) Data Protection Public Register. DfT’s registration number is Z7122992

2. What data we need

The personal data we collect from trainees will include:

  • title and name
  • address
  • email address
  • phone number
  • date of birth
  • gender
  • marital status
  • looking at your passport
  • looking at your driving licence to check you have the right entitlement and what endorsements or points you have (and noting down what documentation we’ve seen)
  • copies of any correspondence
  • any medical information such as medication, allergies, eyesight check result, appointments, or disability
  • any adaptation requirements or disability requirements
  • any religious observance requirements
  • any caring responsibilities
  • accommodation details
  • approved training body name and postcode (if relevant)
  • approved driving instructor, compulsory basis training or fleet badges and certificate number (if relevant)
  • vehicle registration number
  • car make, model, colour, and confirmation of valid insurance
  • payment card details – cheque, postal order
  • test preferences such as earliest date, day of week available, any dates within 3 months they cannot attend and if they can attend within 3 working days
  • signature and date

Where the trainee is a member of staff the personal data we collect will also include:

  • staff number
  • grade
  • location
  • work pattern
  • sector number, directorate, and branch
  • line manager name, phone number and location
  • explanation as to how course links to their job and the benefits they’ll get from it
  • line manager and director approval – signature, name, date, phone number and email address

The personal data we collect from internal trainers will include:

  • name
  • email address
  • phone number
  • staff number
  • qualifications and training that they can deliver
  • any allowances
  • any adaptation requirements or disability requirements
  • any religious observance requirements
  • any caring responsibilities
  • accommodation details
  • fuel card and government procurement card billing details
  • vehicle records including name of user

The personal data we collect from external trainers will include:

  • name
  • email address
  • phone number
  • courses they can deliver
  • financial details for payments
  • accommodation details
  • any adaptation requirements or disability requirements
  • any religious observance requirements
  • any caring responsibilities

The personal data we collect about companies (where they’re a sole trader) will include:

  • registration number
  • VAT registration number
  • bank account details
  • purchase order number

The personal data we collect about any next of kin will include:

  • name
  • phone number
  • address

The lawful basis for processing this data is:

  • contract
  • public task
  • legal obligation

The basis of processing next of kin details is that it is in the legitimate interests of both the individual and DVSA.

3. Why we need it

We need the personal data we collect from you to:

  • administer and carry out training, including registering you on training systems and giving you access
  • enable you to complete the required course
  • send you message notifications and instant notifications about courses you need to complete, and sending you reminders
  • assess your performance
  • record and issue details of the training, such a result, pass mark, certificate, dates of attendance
  • run reports on training compliance
  • audit and quality assure the training
  • administer the training service
  • support staff and staff who deliver the training
  • collect fees and payment of invoices
  • administer the health and safety of trainees and trainers
  • contact your next of kin where we need to do so
  • provide feedback on a training course
  • share your course status and completion data with the relevant teams within DVSA
  • provide evidence of any training undertaken and results in response to any investigation

4. What we do with it

We collect, use, and store the data you give us for the reasons set out in this policy.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

If your employer has booked the training, the results of your training maybe shared with them.

If the training results in a vocational qualification, your details will be shared with the organisation/awarding bodies responsible for issue of any certificates/licences.

Your data will be shared with:

  • Driver and Vehicle Licensing Agency (DVLA) to verify driving entitlements (where necessary for the course)
  • external training providers, such as Civil Service, Virtual College or with the training supplier identified on the request for training forms
  • Redfern and Enterprise for booking of travel, accommodation or use of a vehicle.

We will share your data if required to do so by law – for example, by court order, or to prevent fraud or other crime.

5. How long we keep your data

We’ll only keep your personal data for as long as it is needed for the reasons set out in this policy or as long as is required by law.

We will hold your personal data for:

  • a maximum of five years in relation to the administration and delivery of training
  • 7 years as required by Taxes and Management Legislation 1970 for the collection of fees and payment of invoices
  • 7 years for data held on our testing and registration system
  • 15 years for data held in archive at Iron Mountain

6. Where it might go

All data is held on servers in the cloud in the UK or the European Economic Area and as such meets security safeguards equivalent to those required by Data Protection Legislation.

7. Protecting your data and your rights

The DVSA personal information charter sets out what steps are taken to protect your data, and the rights you have over your data.

8. Automated decision making and profiling

Your data is not subject to automated decision making or profiling as defined in data protection legislation.

9. Changes to this notice

We may change this privacy notice at our discretion at any time.

When we change this notice, the date on the page will be updated. Any changes to this privacy notice will be applied to you and your data as of the revision date.

We encourage you to periodically review this privacy notice to be informed about how your data is protected.

10. How to contact us

If you have any questions about anything in this document or if you consider that your personal data has been misused or mishandled, you can contact the DVSA data protection manager

DVSA data protection manager

Data Protection Manager
DVSA
1 Unity Square
Nottingham
NG2 1AY

Contact DVSA customer services if you have a query that is not about how your personal data is used.

You may also make a complaint to the Information Commissioner, who is an independent regulator.