We recently wrote a piece on the Data Protection Act, and how it applies where keeper data is released to parking companies. Recent case law indicates that if your data is used in a way that breaches the Data Protection Act, you could sue for hundreds of pounds in compensation.
A motorist has written into us to explain why he thinks that some private parking companies operating car parks under the Railway Byelaws could be routinely breaching the Data Protection Act (DPA).
Railway Byelaws and parking
Typically, parking companies use contract law to enforce parking on private land. The idea is that they display signage indicating the terms and conditions, and by the act of parking, the driver accepts them (acceptance by performance). However, on railway land some operators use the Railway Byelaws to issue parking tickets, rather than contract law. Section 14 of the Railway Byelaws specifically covers parking offences:
14. Traffic signs, causing obstructions and parking
- No person in charge of any motor vehicle, bicycle or other conveyance shall use it on any part of the railway in contravention of any traffic sign.
- No person in charge of any motor vehicle, bicycle or other conveyance shall leave or place it on any part of the railway:
- in any manner or place where it may cause an obstruction or hindrance to an Operator or any person using the railway; or
- otherwise than in accordance with any instructions issued by or on behalf of an Operator or an authorised person.
- No person in charge of any motor vehicle, bicycle or other conveyance shall park it on any part of the railway where charges are made for parking by an Operator or an authorised person without paying the appropriate charge at the appropriate time in accordance with instructions given by an Operator or an authorised person at that place.
- In England and Wales:
- The owner of any motor vehicle, bicycle or other conveyance used, left or placed in breach of Byelaw 14(1) to 14(3) may be liable to pay a penalty as displayed in that area.
- Without prejudice to Byelaw 14(4)(i), any motor vehicle, bicycle or other conveyance used, left or placed in breach of Byelaw 14(1) to 14(3) may be clamped, removed, and stored, by or under the direction of an Operator or authorised person.
- The owner of the motor vehicle, bicycle or other conveyance shall be liable to an Operator or an authorised person for the costs incurred in clamping, removing and storing it provided that there is in that area a notice advising that any vehicle parked contrary to these Byelaws may be clamped, removed and stored by an Operator or an authorised person and that the costs incurred by an Operator or an authorised person for this may be recovered from the vehicle’s owner.
- The power of clamping and removal provided in Byelaw 14(4)(ii) above shall not be exercisable in any area where passenger parking is permitted unless there is on display in that area a notice advising that any vehicle parked contrary to these Byelaws may be clamped and/or removed by an Operator or an authorised person.
- In Scotland:
- Any motor vehicle, bicycle or other conveyance used, left or placed in breach of this Byelaw in Scotland may be removed by or under the direction of a constable.
The problem for a private parking company is that breaches of byelaws are criminal offences; not breach of contract like typical private parking contracts. If a motorist is found to have breached a byelaw, the resulting penalty is paid to the government, not the parking company or the railway. Further, byelaw offences are decided by a magistrates court, not a private company – the parking company or railway can only allege the breach.
Since this model does not generate revenue, some parking companies have attempted to get around this by layering a contractual model over the top. After the parking event they send a Notice to Owner alleging a breach of Byelaw 14 and offer the motorist an opportunity to pay the parking company a charge (e.g. £100) to avoid criminal prosecution. They state the alternative is that their client (the railway company) may pursue the recipient through the magistrates court under a criminal prosecution which could result in a fine of up to £1,000. As a side note, some allege this sort of arrangement could be considered solicitation of a bribe, since they are requesting payment to avoid prosecution. If any readers familiar with the Bribery Act 2010 have a view, please get in touch.
Where’s the contract?
In a regular paid-for parking contract, signage describing the terms and conditions is displayed (the offer), a motorist accepts it by paying the fee (the acceptance), and the motorist is granted the benefit of parking (the consideration). If the contract is breached, then the driver can be sued for breach of contract.
In this arrangement, a contractual model is not needed for the parking event itself. Byelaw 14 enables penalties to be issued for not parking
according to the signage and/or not paying the relevant charges. The Notice to Owner provides an offer to the recipient (the offer), to which a recipient can choose to pay (acceptance), and are not prosecuted in return (consideration). Alternatively, the recipient could choose not to pay, in which case no contract would be formed at all. We shall refer to this as the prosecution avoidance model.
registered keeper database. It is a standard contract that private parking companies wanting easy access to the keeper register must sign up to. The contract sets out numerous conditions for access to ensure that the data is used lawfully, such as the requirement for the parking company to operate in accordance with their Code of Practice.
The problem is that the KADOE contract does not allow for the prosecution avoidance model.
Firstly the definition of ‘Parking Charge’ according to the contract is as follows:
(a) a sum in the nature of a fee or charge, arising under the terms of a contract (including a contract arising only when the vehicle was parked on the land) between:
- the driver and the owner or occupier of the land; or
- a person authorised, under or by virtue of arrangements made by the owner or occupier of the land, to enter into a contract with the driver requiring the payment of parking charges in respect of the parking of the vehicle on the land; and(b) a sum in the nature of damages arising as a result of trespass or other tort committed by parking the vehicle on land, provided that adequate notice of the sum was given to the driver of the vehicle (when the vehicle was parked on the land).
In the prosecution avoidance model, this definition does not fit. There is either no contract at all (if the offer of not prosecuting is not accepted), and if there is a contract, it is not a contract for parking on the land or damages – it is a payment after the parking event to avoid prosecution.
The DVLA is entitled to share its register of keeper data with public and private entities under The Road Vehicles (Registration and Licensing) Regulations 2002, regulation 27 Disclosure of registration and licensing particulars. The key part of this is that the requester must be able to demonstrate reasonable cause. KADOE defines the reasonable causes in section B2:
Purpose For Which Data Is Provided
B2.1. The DVLA shall provide each requested item of Data to the Customer via the KADOE Service for the Reasonable Cause of enabling the Customer to:
a) seek recovery of unpaid Parking Charges in accordance with the ATA Code of Practice, and using the procedure in Schedule 4 to the Protection of Freedoms Act 2012 (where the vehicle was parked on private land in England or Wales on a particular date);
b) otherwise seek recovery from a driver of unpaid Parking Charges in accordance with the ATA Code of Practice (where the vehicle was parked on private land in Scotland or Northern Ireland by that driver on a particular date, or where the Customer has chosen not to pursue, or is not in a position to pursue the vehicle keeper by utilising conditions in Schedule 4 of the Protection of Freedoms Act 2012); and
c) identify/ trace the registered keeper of a vehicle where there is reason to suspect or is specific documentary evidence that the vehicle is an Abandoned Vehicle and has been left on private land and needs to be removed. The Customer may use the keeper details to write to the registered keeper to request that the vehicle is removed from the site.
Quite clearly, the prosecution avoidance model does not meet the above definitions. Specifically:
- It is not a Parking Charge, as per the definition in the contract (ruling out a and b)
- It does not relate to abandoned vehicles (ruling out c)
- It is not sought in accordance with Schedule 4 of the Protection of Freedoms Act 2012, and nor could it since land managed under byelaws is specifically excluded from POFA 2012 (ruling out a again)
- The Notice to Owner is sent to the keeper (who is not necessarily the owner or the driver). The KADOE contract only allows the driver to be held liable (ruling out b, with an even stronger case if the recipient was not also the driver)
Section B2 of the contract goes on to state what data retrieved may be used for:
The Customer shall use each item of the Data only:
a) for the Reasonable Cause for which it was provided and in accordance with its obligations under the DPA; and
b) in relation to the particular date, event and purpose for which it was requested.
Having established above that the data is not be used for the purposes allowed, the data would not be used for a ‘reasonable cause’, and therefore it would be a breach of contract.
Was your data accessed electronically?
It should be noted that private parking companies are only bound by KADOE for electronic requests to the keeper register. Alternatively they could make manual requests using the V888 form, but this is less efficient both in terms of effort and time to process the request. Further, a manual request would still need to demonstrate reasonable cause and the data used in accordance with the DPA.
You can ask the DVLA to tell you how your data was accessed. The DVLA might tell you to pay £5 and make a Subject Access Request, but you can actually find this out for free. Here’s a guide on how to find this out for free.
Data Protection Act breaches
The Data Protection Act sets out eight principles, the first two of which are that data is:
- Used fairly and lawfully
- Used for limited, specifically stated purposes
If the data was accessed electronically, then in this model the data is not being used for the purposes allowed by the KADOE contract, so principle 2 is breached.
If the data was accessed manually, then you would need to check what purpose was stated on the request, and check whether it covered making an offer to avoid prosecution for breaching byelaws. For example, if the parking company manually requested your data for a criminal prosecution resulting from a byelew beach, this would be a reasonable cause. But, if the parking company then used the data to offer a prosecution avoidance contract, then that is not for the original purpose the data was requested, and could be a DPA breach under principle 2.
Further, principle 1 could be breached in some circumstances. For example, if the ticket was not issued fairly, then that could be a breach. If it could be proven that the offer amounts to solicitation of a bribe, then that might be considered unlawful.
Two key pieces of case law means that the recipient of a Notice to Owner could sue the parking company for as much as £750 for processing their data in such a scenario. The cases referenced are Vidal-Hall Vs Google Inc  and Halliday Vs Creation Consumer Finance Ltd .
Please see our piece on suing for breach of the Data Protection Act for more detail.
Six months rule
Another point that should be mentioned briefly is that if the railway wants to prosecute a byelaw breach, they only have 6 months from the date of the event to formally issue a charge. After that time, they cannot pursue for breach of byelaws. If no charge is forthcoming in that 6 months – and remember there is no direct financial incentive for the railway to do so – then the recipient of the ticket is probably in the clear.
Furthermore, if the parking company continue to process their data (e.g. sending out further letters) in the prosecution avoidance model, then this could be a breach of principle 5 of the Data Protection Act. It states data is not kept for no longer than is absolutely necessary. Clearly if the motorist cannot be prosecuted, then there offer to not prosecute is empty, and there is no other reason for them to have the data. This could further support a DPA breach claim.
Which parking companies use this model
This model is known to be used by Indigo (aka Indigo Park Services UK Limited, and formerly known as Meteor Parking Ltd) in at least some
Should you make a claim?
If you have received a parking ticket in the last 6 years, in the circumstances described in this piece, you may be able to make a claim against the parking company for a DPA breach. If you have paid a ticket in such circumstances, you may also be able include damages for that amount too (plus interest). A claim could cost between £25 and £60, depending on the amount you claim.
You should beware though that you are not guaranteed to win, and a judgement against you could result in costs being awarded against you. Since such a claim would be on the small claims track, costs are fixed. Fixed costs include court fees, but exclude solicitors charges (usually the expensive part of going to court). Other costs could be travel expenses and loss of earnings for court attendance. Failure to comply with court protocols may also affect costs awards.