Privacy Notice and Information Charter

The Vehicle Certification Agency (VCA) is an Executive Agency of the Department for Transport (DfT) offering Type Approval services to the automotive industry in the UK and overseas.

Working predominantly with the automotive industry, the VCA processes and holds only a small amount of personal data on the UK population.

This policy explains how the VCA will comply with data protection law. This includes the General Data Protection Regulation (GDPR), the Law Enforcement Directive, and other provisions contained within the Data Protection Act 2018.

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognized, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

You can read more about this on the Information Commissioner’s Office website

Requesting your personal data

Where we ask for your personal information we will:

• let you know why we need it;
• only ask for what we need, and not collect excessive or irrelevant information;
• ensure that it is kept safe and secure and only accessible by those who need it;
• let you know if we will share it with other organisations to give you better public services, how we will do that and whether you can say no;
• only keep it for as long as we need to;
• make sure it is accurate and kept up to date;
• not make it available for commercial use

To help us to keep your information reliable and up to date, we would ask that you:

• Give us accurate information;
• Tell us as soon as possible of any changes, such as a new address

We are committed to providing the best and most efficient service to both industry and the public. We may share personal information within our organisation or with other bodies within the UK Government where it would not be inconsistent with the purposes for which we collected it, and/or where we are required or permitted to do so by law.

See the section “Do you share information with third parties?” for further information.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA).

We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer or their team will seek advice from the Information Commissioner to help us find the best solution.

To improve the efficiency and effectiveness of the way we carry out our tasks as a public body, we are trialing certain Artificial Intelligence (AI) solutions. Where these use personal data they will be subject to a DPIA, and special care will be taken to ensure that we meet the data minimisation principle.

Our AI tools will be designed so that our staff and others who process information on our behalf can access only the information they are supposed to access. Personal data will only be used to fine-tune or train an AI model where the model is hosted on systems that are under our control. We will not allow your personal data to go outside of those systems.

What data will the VCA hold?

The VCA routinely collect small amounts of private and personal information in the course of our everyday activities. A breakdown of some of the work areas where personal data may be held can be found listed here, although this list is not exhaustive.

Unless the VCA has received a request in respect of one of the services it offers, or otherwise has been sent a request for information, it does not collect or hold citizen information. For example, the VCA may hold some information about you if you have imported a vehicle using the GB Conversion IVA process, but it would not hold vehicle registration data generated by the Driver Vehicle Licensing Agency (DVLA).

Similarly, the VCA does not hold personal information on behalf of, or in support of activities dealt with by other areas of government.

How is the information held?

Personal information that is held by the VCA will predominantly be in electronic format only, although there are legacy paper records that are in the process of being phased out where appropriate.

By ‘electronic’, this means emails; documents (in various proprietary software formats i.e., word, excel, pdf etc.); or data held as a database entry.

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the Government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.

The training and guidance we give to our staff

All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in depth training.

Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.

As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code – integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.

How long do you keep my personal information?

That will largely depend on the reason for holding it in the first place, but in practice, our aim is to only hold personal data for as long as it is needed to process requests or service an agreement and as required to comply with audit processes. We have a file retention policy that sets out the length of time we keep different types of information, although this may vary on a case by case basis.

Do you share information with third parties?

The VCA will only share your personal information where there is a justified and necessary reason to do so. Examples include:

• sharing your information with other areas of the DfT who may be better placed to reply to your enquiry directly, or otherwise assist the VCA in answering your application or request; or
• sharing with other areas of the UK Government engaged in pursuing investigations concerning the protection or detection of crime; or to protect the misuse of public funds; or
• to assist Law enforcement and other government agencies engaged in the protection or detection of crime, or to provide evidence in criminal or civil prosecution cases; or
• software developers employed directly by the VCA to carry out development and maintenance work on the VCA web tools

Please be aware that in these cases, the VCA will make an independent assessment of the third-party request but will not seek your approval to share this information beforehand.

Electronic data is stored using secure hosting arrangements both within the VCA and using solutions offered by third-party providers. Hosting organisations and contractors that hold data on our behalf (which may include some personal data), have a limited role in relation to processing the data held; will need to demonstrate compliance with GDPR and other legislation; and where necessary, be party to a sharing agreement with the VCA.

What rights do I have to access or amend my information?

You have the right to request from the VCA (the controller) copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. You also have the right to ask for your personal data to be rectified or erased. You may also ask the VCA to restrict processing of your personal data and have the right to object to processing of that data as well as the right to data portability and in relation to automated decision making (note however that the VCA does not currently carry out any automated decision-making activities).

The VCA will usually respond to subject access requests within one month of receipt but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.

Please note that before we can act on your request, you will need to supply proof of your identity. Please be as specific as you can about the information you want and, if it is not obvious, explain why you expect us to hold your personal data.

Please visit the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/) to read about your rights under the General Data Protection Regulations. Follow this link for details on how to make an application under GDPR.

Data breach notification

The VCA does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

• the contact details of the department’s Data Protection Officer
• the likely consequences of the breach
• details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects

Correspondence

When you write to the VCA, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.

Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. Your correspondence will not be shared outside of government without your consent.

In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required.

Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.

Distribution Lists

The VCA maintains a number of distribution lists to communicate with its stakeholders.

In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list.

Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.

Online Forms and Surveys

The Vehicle certification Agency (VCA) from time to time may collect information through online forms and surveys in order to gain feedback and/or understanding. about the work we do and services we provide.
Unless specified on the online form or survey, the VCA will treat your information as follows:

Names and emails
We will normally ask for your name or email address. Unless stated separately, this should only be for the potential purposes of:

• further communication or response, including asking you follow-up questions about your entry
• ascertaining the validity of the individual as required, for example, by sending access passwords

Organisational status
We may ask the status of you as a system user, including whether you are responding on behalf of an organisation or yourself. Unless stated otherwise, this will be to:

• correctly weight your response and potentially ascertain your validity to the organisation when responding to a consultation
• ascertain your employer or company when completing transactional services

Personal information and SmartSurvey

Your personal data is processed on behalf of the VCA by Smartsurvey with respect that they are our current survey collection software provider only.

Analysis of data
Your responses and evidence may be shared with a third-party research organisation for the purposes of analysis. Your name and contact details will be removed prior to that sharing taking place and will not be shared with any third parties.

Data protection and retention of your personal details
The data collected via your VCA survey or form and the processing of any personal data that it entails is, unless otherwise stated, necessary for the exercise of our functions as a government department. The VCA will, under data protection law, be the controller for this information.

The VCA’s privacy notice has more information about your rights in relation to your personal data, how to complain and how to contact the Data Protection Officer.
Unless specified on the online form or survey, any information you provide will be:

• kept securely on the system it was entered until transferred to our internal systems
• moved to our internal systems, if not sent automatically, within 2 months, unless stated separately, and destroyed within 12 months of the entry or consultation closing date

Filming and Photography

The VCA uses film and photographs to illustrate the work that we do in the public interest. We film individuals in non-intrusive ways where possible, for example, filming crowds from a distance. If you have any concerns about appearing in any footage, please speak to a member of the Corporate Affairs, Communication team at the time or contact communications@vca.gov.uk

We also take photographs to illustrate our work in our official publications and on social media. We aim to avoid using images which could identify members of the public. If you are concerned about a picture of you that we have used in one of our publications contact us at communications@vca@gov.uk

CCTV

The VCA has CCTV cameras installed at its sites in Bristol and Nuneaton (MIRA site). All cameras are installed for the security of staff, visitors and contractors at VCA sites and also for the protection of VCA properties.

Internal cameras are used:

• for the monitoring of secure areas of buildings
• for the monitoring of pinch points (for example, reception.
• to provide additional security for commercial partners within our buildings

External cameras are used:

• for monitoring activity around VCA buildings / sites
• for enabling remote vehicular access to sites
• to enhance building/site protection outside of normal working hours

All footage is automatically deleted after 30 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside the VCA except in limited circumstances such as where it is necessary to make a disclosure to the police.

The Data Protection Officer

The DfT with its agencies is a single controller under data protection law. Our Data Protection Officer sits within the central department and is supported by a team consisting of data protection managers within each of the agencies. The ‘Data protection governance policy’ (available from the central Department on request) explains this more fully.

Our Data Protection Officer and his team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.

Contact details for the DfT Data Protection Officer can be found here: https://www.gov.uk/government/organisations/department-for-transport/about/personal-information-charter. When requesting information specifically from the VCA however, please use the contact details published on our “Making an application under the General Data Protection Regulations” page.

What rights do I have to access other information?

Please visit our contact page for general telephone and email contact details.

You can also make a request for information that the VCA may hold under the Freedom of Information Act 2000; or the Environmental Information Regulations 2004. To make a request of this type, please email the data controller:  foi@vca.gov.uk.

Privacy and Cookies

Information about the types of cookies we use

Disclaimer

Please note that in the course of your communications with the VCA, any advice or comments provided, whether that by email, letter, or verbally, should only be considered as opinions. Interpretation of the law is the sole prerogative of the courts.