Numerous breaches

Over the past year, the Driver and Vehicle Licensing Agency (the DVLA), the public body that holds the records for all the drivers and vehicles in the UK, committed nearly 200 data breaches that were deemed so severe that they were reported to the Information Commissioner’s Office. Following a freedom of Information request by Apricorn EMEA, the DVLA confirmed that it submitted 181 breach notifications to the ICO across 2019-20. By comparison, the Home Office submitted just 25 during that period and NHS Digital reported only 5. The Home Office figures are by no means ideal and higher standards should be expected from any public body. Nevertheless, these figures highlight the fact that the DVLA have a serious and unique problem with regards to data protection.

Improvements required

This news comes just a year after a BBC Freedom of Information investigation found that during a 10 month period the DVLA reported 439 data breaches to the ICO, which affected around 2,018 people. These breaches included the DVLA sending important documents such as Driving Licenses, Passports and Marriage Certificates which averages out at about 7 people per day. Again, when comparisons are drawn with other public bodies it is clear that the DVLA need to get a grip of their data protection procedures. In the same period, Her Majesty’s Revenues and Customs reported just 10 data breach incidents to the ICO and Her Majesty’s Passport Office had 5 breaches reported. The fact that over a 2 year period the DVLA has been reporting data breaches at a significantly higher rate than other public bodies that store and process large amounts of the public’s data demonstrates that it has major issues in the area of data protection and that serious action needs to be taken.

What can be done to improve?

• The DVLA said the breaches were the result of ‘human error by their staff in their HQ in Swansea – This means there needs to be a significant increase and improvement in staff training on GDPR and data protection to ensure that breaches as a result of human error are reduced as much as possible.
• Using secure address systems (either email or postal) to try and ensure correspondence is sent to the correct address/recipient.

Has this affected you?

Has the DVLA breached or disclosed your personal data to a third party without your knowledge or consent or without any legal need to do so? If you would like to discuss any data breach incident further, do not hesitate to contact one of our team.