Earlier this week, I drew attention to the Driving Standards Agency’s massive data loss in May (but only just revealed), and asked people to sign a petition ensuring that people are promptly told about loss of their personal data. I also said I’d requested the Register Entry Report for the DSA.

I did this for two reasons: firstly, as a Data Controller myself, I wouldn’t mind seeing another example of a Register Entry; and secondly, because I was keen to discover what the DSA can do with my driving licence data (and whether, frankly, they’d broken the law).

So, register entry report for registration number Z7122992 appears through the post today. It’s actually the Register Entry for the Department of Transport (who run the Driving Standards Agency), which makes even more interesting reading.

First - was this data breach illegal?
By this I mean - did the Department of Transport specifically go outside the terms of data use laid down in their register entry?

Register entries are anything but clear, as I found doing the entry for Not At All Bad Ltd (which hosts this website, as well as Media UK). The Department of Transport’s entry has an entry (entry 9) for “Trading/Sharing in Personal Information”, which has a purpose description of “the sale, hire or exchange of personal information”. Transfers of this data are explicitly set as “None Outside The European Economic Area”. So, according to this register entry, they are not allowed to transfer personal information (names, addresses, phone numbers) outside of the EEA.

Let’s remind ourselves of the original story (at least, the details reported by the BBC):
Names, addresses and phone numbers - but no financial information - were among details on a computer hard drive which went missing in the US in May. It belonged to a contractor working for the Driving Standards Agency, she [Ruth Kelly] said.

So, is this a clear breach of their own requested use of data? It turns out it’s not quite that simple. “Information and Databank Administration” is section 8 of their register entry: for the purpose of “maintenance of information or databanks as a reference tool or general resource, including catalogues, lists, directories and bibliographic data”, and data subjects being, amongst others, “Customers and clients” - i.e. you and me. Data transfer for this is set as Worldwide.

I’m not a lawyer; and I don’t know which of these two sections is supposed to take precedence. Was the deliberate release of personal information outside the EEA a breach, or not? I’d welcome your views.

Second - anything else turn up in here which is a concern?

Let’s return to “Trading/Sharing in Personal Information”. The register says who can receive this information - which specifically includes “personal details, financial details, offences, criminal proceedings”. Here’s a few…

Police forces, central government, local government, employees and agents of the data controller, department of health, department for education and employment, the media…

The MEDIA?!?!!!

It seems that the Department of Transport can, if they wish, let any media organisation in the UK or the EEA know my driving licence details, including my financial information. Anyone in the media can know whether I got a speeding fine in 1997 for doing 42 in a non-built-up, badly-signed 30-zone. (I did. But I have a clean licence now.)

This is big stuff. And I wonder what the definition of “the media” is, in this context. Am *I* the media, running a blog that has more readers than many small magazines? Am I able to request this data on someone I know? The possibilities, the possibilities…

Photo: Ken Banks. Used under licence. An additional disclosure appears at the bottom of my original post on this subject.

Tags: data, data protection, department of transport, driving standards agency, personal info, privacy | Permalink | Comments RSS | Leave a response, or trackback.