Phil Hendren aka Dizzy (London, Dizzy Thinks): Did you know that on an average day in the UK the DVLA (Driver and Vehicle Licensing Agency) responds to around 3,000 different requests from third parties for personal information about individuals on its databases and provides the answers? Did you know that the DVLA charges for this service and since 2005 has generated around £9 million of revenue? Did you also know that this is completely within the law?
It's likely that you will be surprised by the volume of these figures, even if you are no longer shocked that information about you can be routinely passed on to others without your knowledge. Responding to over 3 million requests for information in a country where there are approximately 32 million cars suggests that every year about 10 per cent of all car owners have had their information given out to third parties, for whatever reason. Each time that has happened the DVLA has charged the third party for the request.
Who makes these requests, you may ask? Well, when you think of an organisation like the DVLA, most of us would accept that the police may have what the Information Commissioner notes as 'reasonable cause' to be making requests. If these are needed for the detection or prevention of crime it's unlikely that most of us would complain.
However, it isn't just the police that can and do make these requests. They come, manually by phone and also electronically, from a diverse range of private third parties. So diverse, in fact, that under the 'reasonable cause' justification the Government simply informs us of the list of types of bodies that can request the information manually - there are 19 types, among which are included “Private individuals, Vehicle repair workshops, Petrol Stations, Private investigators”. So that’s all right then.
The Government is more prescriptive with its list of companies that make queries into the DVLA electronically. This list comprises a number of insurance companies, parking control services and banks.
Why is this important? After all, you may be saying 'surely an insurance company has a need to check the registered ownership of a car? They may need to know someone's name and address and contact details, right?' Arguably the answer is 'Yes', of course there can be legitimate reasons for third parties to need to know, or confirm, information about you – and you would agree to their being informed. But the unchecked disclosure of data to third parties poses serious questions about the scope for information leak.
Think about this for a moment. If a third-party company is able to call the DVLA call centre and request personal information within the current procedures, then what is to stop a rogue individual requesting information that they intend to use for other reasons? The Government and DVLA would point out that this is itself a criminal offence. But is this a sufficient protection against it happening? A legislative penalty does not protect against social engineering or against rogue individuals in the DVLA.
We already have evidence that the DVLA has been compromised. In December 2006, thanks to the Freedom of Information legislation, it was learned that the DVLA database had been penetrated by private investigators employed by journalists on numerous occasions. The numbers might appear small in comparison to the total number of requests, but it still shows that the system is wide-open to compromise and exploitation. It is also reliably understood that criminal gangs have created companies for clamping or vehicle removal that give them access to DVLA information.
The potential for compromise is a very serious concern in itself. But this is redoubled by the way the DVLA generates such a high revenue stream from the system. It means that it is in the interest of the DVLA to service as many requests as possible. Far from being incentivised to service only those requests it must, and to ensure they are legitimate, it is in the market as an information provider. This greatly increases the potential for compromise, with a call centre driven by call rates and answer targets.
The Government is aware that public knowledge of how often personal information leaves the DVLA to third parties has the potential to be politically damaging. When questioned in Parliament the Department of Transport's initial response was to deny that the DVLA collated how often it responded to requests. It took a Freedom of Information request to reveal the true extent of the practice.
A year since that first parliamentary question there is at last some movement on why the law allows such free flow of personal data to private third parties. The Data Protection Act fails to stop private information about you being passed (or sold) on without your knowledge. A motion has now been raised with cross-party support. It's a shame it has taken the so-called "Discgate" fiasco to make data and information security a concern. As I have argued frequently on Dizzy Thinks, it has been long overdue.
The bottom line is this though. At the DVLA the practice of information disclosure is open to simple and potentially widespread compromise. Every year millions of personal details flow outwards from the system. Has your data been disclosed? You cannot know without asking. Have all the requests been legitimate and reasonable? The answer is unknown. The only thing we can be sure of is that in this case our privacy really does have a price.