Roland
In the Insurance quotation situation the argument is that the name and
address of the registered owner is not made available to Insurers by the
DVLA in the 'lookup process' only make model and registration number. Make
and Model data and registration number data is used to cross validate the
data supplied by their data subject ie reduce input error, given insurance
premiums are based on make and models. The data subject provides the rest of
the data required for quotation.
An Insurer argues that access to the subset assists them with complying with
their data accuracy obligations given the insurance product in this example
is based on personal data . A recipent of data does not have any direct
obligation to check if the source can legitimately trade in the data
offered. Their obligation is to check their own personal data holdings
comply with the Acts principles and do not impact their data subject.
A question which data subjects might want an answer to is how does the DVLA
as the data controller holding the vehicle and registered keeper information
legitimise the extraction of a subset of that data for a 'trading in data'
activity?
The original personal data set DVLA hold as a data controller is being used
to generate a revenue stream. (Data extracts are unlikely to be made
available free of charge to insurers). Is first principle compliance
acheived.
In addition as a data controller the DVLA owe a security obligation to their
data subjects. Appropriate security is based on the controllers fair
obtaining notice delivery to their data subjects. Default security
expectation under DPA is that no disclosures should occur unless permissable
by law, notified to data subjects and not objected to or explicitly
consented to.
Whilst the final extract made available for lookup use is arguable as not
personal data. The source data used to compile it was certainly personal
data.
All those on this discussion group if car owners may wish to ask the DVLA
about their trading in data activity. Assuming of course they have the
energy and enthusiasm to pursue after spending their working day dealing
with such issues. ;-)
David Wyatt
----- Original Message -----
From: "Roland Perry" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, November 08, 2004 6:36 AM
Subject: Re: [data-protection] Is Transport for London breaching DPA?
> In message <002001c4c526$acdcff10$0500a8c0@DAD1>, at 00:05:36 on Mon, 8
> Nov 2004, davidwyatt <[log in to unmask]> writes
>>Perhaps they were not permitted to have any data other than the name
>>and
>>address of the registered keeper from the DVLA?
>>An unanswered question here is what data are DVLA permitted to disclose at
>>law and to whom?
>
> There are 'public' sites that sell car insurance, where you can enter
> "your" car's licence plate and which then asks you to confirm the make
> and model they obtain with a DVLA lookup.
> --
> Roland Perry
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|