Charles Walker questions the Transport Secretary about DVLA checks of private parking control companies.

Mr. Walker: To ask the Secretary of State for Transport what mechanisms the Driver and Vehicle Licensing Agency uses to check the bona fides of private parking control companies before releasing personal data relating to vehicle owners and operators to them; what steps the Agency takes to assess the uses to which such data is put by such companies; and if she will make a statement. [175771]

Jim Fitzpatrick [holding answer 7 January 2008]: In the Secretary of State for Transport's statement to Parliament on 17 December she outlined measures to improve the security of personal data in the context of the Cabinet Secretary's review of data across Government.

She also advised that, to ensure greater clarity of responsibility, the Permanent Secretary has written to senior officials in the Department, including Agency Chief Executives, drawing their attention to current guidance on the application of the Data Protection Act. This includes the main principles of the Act, information on handling personal data appropriately and the role of the Information Commissioner.

New measures for companies requesting information manually were introduced on 1 November 2006, following the review of the release of information from the Driver and Vehicle Licensing Agency's (DVLA) records announced by the then Minister of State for Transport (the hon. Member for South Thanet). The use of company headed paper has been replaced by the introduction of two new forms-V888/2 and V888/3. All applications must be supported with a business resume outlining details of the company's operations and provide details of why they want the information and how it will be used, as well as evidence to corroborate their request.

Car park enforcement companies have to confirm that a parking charge scheme is in operation, and provide evidence that they are operating on the instruction of the landowner. All forms contain a note that reminds applicants that it is a criminal offence under Section 55 of the DPA to falsely obtain personal information.

Companies that request and receive data via a secure electronic link do so under strict contractual terms and must firstly complete a six-month probationary period making manual requests, during which time their behaviour in the use of the information is monitored. The level and nature of any complaints is taken into account before an electronic link is established. Since 1 October 2007, all organisations that do not have a statutory regulator are required to be a member of a DVLA Accredited Trade Association (ATA).

An ATA must have a clear, enforceable code of practice (COP) governing the conduct and business practices of their members and will publish that COP on their website, along with a list of their members. ATAs that fail to enforce their COP will lose their accreditation and their members will forfeit their entitlement to request and receive DVLA data electronically.

The Agency has the right to carry out ad-hoc audits on companies to ensure that inquiries are appropriate. Any evidence of abuse will be referred to the Information Commissioner for investigation and, when appropriate, prosecution.

| Hansard"