Suing for breach of the Data Protection Act
The Data Protection Act 1998 (DPA) (http://www.legislation.gov.uk/ukpga/1998/29/contents
) defines the law in the UK for processing the data of identifiable living people. It was enacted to bring UK law in line with the European Union’s (EU) directive on data protection. Practically it allows individuals to control information about themselves. Anyone holding data for non-domestic use is legally obliged to comply the the DPA, subject to some exemptions. The Act defines eight principles to ensure data is used lawfully.
In the context of private parking, the Data Protection Act is relevant where private parking companies gather data about keepers and drivers in response to a private parking ticket. Parking companies most frequently gather registered keeper data (e.g. name, address) from the DVLAs registered keeper database (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/433570/INF266_210515.pdf
) in order to send a Notice to Keeper (http://www.parkingcowboys.co.uk/notice-to-keeper/
) to request payment for a parking charge on the assumption that they were the driver or know who they were. Parking companies may also gather driver details is where they have offered them up in response to a Notice to Driver (http://www.parkingcowboys.co.uk/notice-to-driver/
) (i.e. a ticket attached to the car). In 2016 there were a number of cases where motorists have successfully sued parking companies for hundreds of pounds where it has been demonstrated that their data was misused.
In this piece we will discuss how the Data Protection Act relates to parking enforcement on private land, how a parking company might breach it, and how to go about suing them for misuse of your personal data.Legal background
The Data Protection Act sets out eight principles. These are that information is:
1. Used fairly and lawfully
2. Used for limited, specifically stated purposes
3. Used in a way that is adequate, relevant and not excessive
5. Kept for no longer than is absolutely necessary
6. Handled according to people’s data protection rights
7. Kept safe and secure
8. Not transferred outside the European Economic Area without adequate protection
If a parking company doesn’t comply with the principles it could mean that they have processed your data unlawfully. Where this is found to have occurred, damages may be payable to you. There are two key pieces of case law relied upon: Vidal-Hall Vs Google Inc  and Halliday Vs Creation Consumer Finance Ltd .
The case of Halliday Vs Creation Consumer Finance Ltd  (http://www.bailii.org/ew/cases/EWCA/Civ/2013/333.html
) relates to a case where a consumer credit company breached data protection laws by disclosing data to third parties without his consent and when the data shared was not correct. He claimed damages for damage to his reputation, and damages for distress. The court awarded nominal damages only, and declined to consider the question of damages for distress. He unsuccessfully appealed this, but was given permission for a further appeal on the question of damages for distress which are specified in section 13 of the Data Protection Act:13. Compensation for failure to comply with certain requirements.
(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a)the individual also suffers damage by reason of the contravention, or
(b)the contravention relates to the processing of personal data for the special purposes.
In Mr Halliday’s case, it was found that there was a single episode of his data being processed unlawfully, and that an award of £750 was appropriate and sufficient.
The case of Vidal-Hall v Google Inc  (http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html
) was where a number of users sued Google for using their personal data without their knowledge or consent. The case established that misuse of personal data was a tort – a wrongful act or an infringement of a right (other than under contract) leading to legal liability. The case also established that damages for misuse of personal data may be non-pecuniary – damages that can’t be calculated accurately in monetary terms.Application to a parking case
With this background, there is the question of how data protection law might be applicable to a parking case.
The DVLA is entitled to share its register of keeper data with public and private entities under The Road Vehicles (Registration and Licensing) Regulations 2002, regulation 27 Disclosure of registration and licensing particulars. (http://www.legislation.gov.uk/uksi/2002/2742/contents/made
) These state:27.—(1) The Secretary of State may make any particulars contained in the register available for use—
(e) by any person who can show to the satisfaction of the Secretary of State that he has reasonable cause for wanting the particulars to be made available to him.
To access the DVLA data, parking companies sign up to the KADOE (Keeper at Date of Event) contract (https://www.gov.uk/government/publications/kadoe-keeper-of-a-vehicle-at-the-date-of-an-event-contract
). The KADOE contract allows the parking company to retrieve keeper data electronically for the “reasonable cause of seeking recovery of unpaid parking charges”. However, the KADOE contract attaches several conditions to the access, including:
That the parking company seeks recovery in accordance with the Accredited Trade Association Code of PracticeThat the parking company seeks recovery from:
The driver, or
The keeper if the procedure in Schedule 4 of the Protection of Freedoms Act is used
The data is only used in relation to the particular date, event, and purpose it was requested, and must not be re-used for other dates, events, and purposes
That before making each request, the parking company has gathered evidence to demonstrate it has reasonable cause to request the data
That before relying on any item of data retrieved, that it matches the information in the request (e.g. the model, type, and colour of car match), and shall not seek to recover payment where it does not
The parking company shall abide by the OFT Debt Collection Guidance
The second principle of the Data Protection Act requires that “personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. On this basis, if the parking company has not met all of the requirements stated, then there is no ‘reasonable cause’, leading to a potential breach of the Data Protection Act.Example scenarios
Having discussed how the legal aspects apply, we will now consider some example cases that potentially cause a Data Protection Act breach.Code of Practice breaches –
As stated above, the KADOE contract requires the parking company to meet the ATAs Code of Practice as a condition of proving reasonable cause. As such, if a breach of the Code of Practice can be demonstrated, reasonable cause would not be established. Further, you should refer to the Code of Practice in place at the time of the event – these change periodically (usually to the benefit of the parking companies), and the rules at the time may support your case further.Falsified evidence –
There have been cases where parking companies have been shown to falsify evidence in order to prove their case. One such example of this is the case where UKPC parking attendants changed timestamps on their photographs to pretend cars had overstayed when they hadn’t (http://www.parkingcowboys.co.uk/2015-09-uk-parking-control-ticket/
). This type of case would be a clear breach of the DPA since a parking company would be acting fraudulently to create the impression of reasonable cause, whereas there is none.Faulty equipment –
Many parking companies rely on Automatic Number Plate Recognition (ANPR) to identify overstays in car parks (http://www.parkingcowboys.co.uk/anpr-parking-tickets/
). ANPR is well known to not be completely accurate, as Parking Prankster has blogged about (here (http://parking-prankster.blogspot.co.uk/2015/10/parkingeye-subject-to-data-protection.html
), here (http://parking-prankster.blogspot.co.uk/2016/10/parkwithease-anpr-seriously-flawed.html
) and here (http://www.parking-prankster.com/anpr-technology.html
) for example). Due to its lack of accuracy, the phenomenon of the ‘double-dip’ is born, where cars make multiple visits to the same car park, but the system believes it to be one long stay, and thus an overstay is recorded, and a ticket issued. In this case, if no breach has occurred, then the parking company had no reasonable cause to access their data. [NOTE FROM WEB ADMIN - we have documented numerous cases concerning the failure of anpr systems here: http://notomob.co.uk/discussions/index.php?topic=5768.0
The parking company may try to claim the breach was unintentional, but this is no defence. The data controller is responsible for ensuring that data is only obtained and processed for lawful purposes – the Act does not allow for unintentional misuse. Further, the parking industry is well aware of the flaws of ANPR, and so should work to both improve the technology, and put the necessary checks and balances in place to mitigate the risk. Further aggravating the breach would be where the parking company continues to process the ticket in light of evidence from the motorist that shows they were elsewhere in the intervening period.No breach –
Sometimes tickets are issued incorrectly where the parking company has made a mistake. Examples could be where a parking attendant fails to read the time on the pay and display ticket correctly. In this case, there is no unpaid parking ticket in the first place, and so there would be no reasonable cause.Grace periods –
Both the BPA (http://www.parkingcowboys.co.uk/bpa-code-of-practice/
) and IPC (http://www.parkingcowboys.co.uk/ipc-code-of-practice/
) Codes of Practice specify grace periods before and after the parking period commences. Sometimes motorists are issued parking charges that do not take this into account. If this is the case, then the parking company are not adhering to the KADOE contract which requires adherence to the CoP. If they have not adhered, then there would be no reasonable cause, and therefore a DPA breach.Landowner contract –
Both the KADOE contract and the Codes of Practice require there to be traceable authority from the landowner or holder to the parking company to issue parking tickets. If this cannot be demonstrated then this would be a clear breach. One key example of this is in the case of a residential parking space case where the parking company has no right to operate on the land. These cases are further discussed here (http://www.parkingcowboys.co.uk/residential-parking/
). Another example is where parking companies have been known to ticket on public land, where there is clearly no landowner contract.
Even if there is a contract with the landowner, the parking company may not meet the requirements set out in it. One example was where a landowner insisted on specific grace periods in the contract, which the parking company was not following. As such, the parking company was breaching the contract by issuing tickets, and therefore not having reasonable cause to process affected motorists data.Keeper liability –
As discussed elsewhere on this site, keeper liability only exists under very specific circumstances (see POFA) (http://www.parkingcowboys.co.uk/protection-of-freedoms-act/
). The KADOE contract specifically states that the data can only be used to enforce the ticket using Schedule 4 of the Protection of Freedoms Act. Hence, if a parking company tries to claim liability against the keeper, with no evidence to suggest they were the driver, then the data would have been misused.Continuing to process data –
In the case where the keeper liability provisions under the Protection of Freedoms Act have not been met, and they have no evidence to suggest the motorist was the driver, then the motorist is entitled to object to any further processing of their data and request it be removed from their systems (known as a section 10 notice under the Data Protection Act) (http://www.legislation.gov.uk/ukpga/1998/29/section/10
). If the parking company still continue to process their data (e.g. by sending further letters), then they would be breaching the Act.Keeping data on record –
The KADOE contract specifies that a parking company must re-request your data for each parking event (in the case of multiple breaches). You can ask the DVLA to provide details of when your records were accessed. If they have not re-requested your data, they would be breaching the KADOE contract, and therefore not have reasonable cause.Why make a claim?
We have now established the basis for a claim. But why do so?
The private parking industry has grown so rapidly in size because it is ‘cash cow’. Right now, there is little risk for a parking company acting unfairly. Typically if a breach of the Code of Practice is reported to the DVLA, it delegates responsibility for dealing with it to the ATA. ATAs typically deal with breaches privately – the BPA, for example, anonymises their public breach data so the public are none the wiser! The problem with delegating breaches to the ATA is that their is a conflict of interest; the ATAs need members to fund them, and members can move between ATAs as they like.
The data protection angle might make them adjust their behaviour. If they know that by not following the conditions specified, then they risk losing more money per event, than they could earn. Ensuring parking companies strictly follow their Code of Practice, and comply with Data Protection laws can be no bad thing.
Finally, as a motorist, the law says that if your data is misused and causes you distress, you are entitled to compensation. Since such claims would be handled through the small claims court, you could issue a claim for as little as £25, with little risk since costs in the small claims court are limited (in the case you lost).Letter Before Action / Claim
At this point, we should remind readers that the author of this piece has had no formal legal training, so readers should seek independent legal advice before setting off on a claim. This piece is intended to highlight what others have achieved, and that the opportunity exists for misuse of personal data to be redressed in the civil courts.
Before issuing a claim, the court would expect you and the defendant to take a number of steps to try to settle the dispute. These steps are known as ‘pre-action protocols’ (https://www.justice.gov.uk/courts/procedure-rules/civil/rules/pd_pre-action_conduct
) and they involve you and the defendant trying to settle the issue without going to court. If you do not follow these, the court might award costs against you.
As claimant, you will need to write to the defendant(s) with concise details of the claim – this is known as the Letter Before Action. The letter should include the basis on which the claim is made, a summary of the facts, what the claimant wants from the defendant, and if money, how the amount is calculated.
In the letter you should include:
Your name and address
A list of the defendants – E.g. the parking company and, optionally, the landowner
The reason for your claim – E.g. breaches of the Data Protection Act
A statement of the relevant facts – E.g. a summary of the parking case, including those parts that prove the breach
A statement of the legal basis of the claim – E.g. an explanation of why the Data Protection Act has been breached
How much you’re claiming including costs – E.g. a statement of the compensation you’re asking for
A list of any documents you’ll be using – E.g. contracts, codes of practice etc
A date by when you want a response (typically 14 days)
A request for any documents that you want from the defendant to support your case
A reminder that you will start court proceedings if the trader doesn’t reply to the letter and that this may mean they will have to pay extra costs
Amount to claim
If you have actual losses that were consequential to the breach, you could, with evidence, claim actual damages.
If the losses were non-pecuniary (can’t be calculated in monetary terms), you could use Halliday Vs Creation Consumer Finance Ltd as a precedent case. In Halliday Vs Creation Consumer Finance Ltd, Mr Halliday was awarded £750 for a single breach. You would need to decide what level of compensation is reasonable in comparison (e.g. as serious, less serious, more serious).
Making a claim
If the LBA is not responded to, or the defendant decides not to compensate you, then you can move to a claim. To make a claim, the Money Claim On Line (MCOL) (https://www.moneyclaim.gov.uk/web/mcol/welcome
) service can be used. The filing fee is £25 for a claim of up to £300, £35 for up to £500, and £60 for up to £1,000 (see fees here) (https://www.gov.uk/make-court-claim-for-money/court-fees
A guide for using Money Claim Online can be found here (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/520203/money-claim-online-user-guide.pdf
It should be clear, but you should understand that you are not guaranteed to win your case. The small claims court can be a bit of a lottery, so you will need to be sure of your case, and ready to lose your fee and pay ‘fixed costs’ if you lose. Fixed costs include court fees, but exclude solicitors charges (usually the expensive part of going to court). Other costs could be travel expenses and loss of earnings for court attendance. Failure to comply with court protocols may also affect costs awards.Help with your claim
You would be wise to seek support in making your claim. Legal representation might be more expensive than the amount you’re claiming for, and in the small claims court, cost recovery is limited. The online forums – such as Pepipoo and Legal Beagles – are a great source of help. Beware though that the people using the forum will likely not have legal training. As such you should so as much research as you can before commencing with a claim.
Please do get in touch with us (http://www.parkingcowboys.co.uk/contact-us/
) if you’re thinking of making a claim, we’d love to hear your story.