Applicant: means an individual who is the subject of or makes an application which required a DVLA/DVANI check;
Company: means Personnel Checks Ltd;
Customer: means a customer of the Company who has chosen to have the Service as part of an agreement with the Company;
Data Processing Declaration Form: means the D906/ADD Driver Data Processing Declaration Form;
Driving Licence Check: means the checking of an Applicants driving licence information against the records held centrally by the DVLA for that individual with a view to confirming their licence status, penalties, endorsements, revocations, disqualification, suspension and confirming their entitlement to drive their vehicle;
DVLS: means the service developed by the Supplier to request and process information found in individual driver records managed and maintained by DVLA;
DVLA: means the Driver and Vehicle Licensing Agency/Driver and Vehicle Agency Northern Ireland which maintains a computerised register of drivers and driver license data;
E Approval Process: means the online consent process for an Applicant to provide the consent required for a Driving Licence Check by the Supplier;
Service: means the Supplier’s DVLA Driving Licence Check service;
Supplier: means Licence Check Limited.
- Rights and Duties
- The Customer must have a legitimate and lawful justification for retrieving driving licence validity, entitlement and other information relating to the driver record maintained by DVLA or DVANI or lawful justification for accessing the DVLA IEP database using the Suppiler’s DLVS and any driver records and data requested and provided through the Service must be used only for the specific purpose for which the enquiry was made.
- Any Applicant data provided to the Customer as part of the Service cannot be obtained or further processed for reasons incompatible with the purpose for which it was obtained and for which the data subject (the Applicant) gave their permission.
- Under the terms of the General Data Protection Regulation (EU) 2016/679 (GDPR) the Supplier and the DVLA are required to obtain permission for a Driving Licence Check from the Applicant before releasing the information through the Company’s Services to the Customer. It is the absolute responsibility of the Customer to ensure that this permission is granted prior to any request being submitted to the DLVS.
- The Customer shall appoint a suitable administrator to manage their DLVS service and account. The administrator must have any training required to ensure that they are familiar with the day-to-day management and administration of the Service.
- The Customer shall put in place a procedure to allow an Applicant to withdraw their permission and for the Company to be notified of this withdrawal within a reasonable time thereafter.
- The Customer shall be responsible for informing Applicants who do not wish to complete a Data Protection Data Processing Declaration Form or go through the E-Approval Process of the alternatives that are considered by the DVLA to be acceptable methods of establishing validity and entitlement including (but not limited to) the following:
Presentation of the physical driving licence
Presentation of the physical driving licence along with a signed declaration,
Presentation of the physical licence along with a postal DVLA data subject check
Presentation of the physical licence along with a valid code for the DVLA Check my Driving Licence Service
- It is the Company’s intention that the Service should be available to the Customer on a 24/7 basis. However, in order to provide this Service, the Company relies upon external infrastructure systems, services and communications links that are not under its direct control or management. The Company does not warrant or guarantee the availability of any third-party services or communications links or external infrastructure, broadband availability, hosting facility or the fitness or suitability of any equipment used to provide the service that is outside its immediate and direct control (i.e. outside the company firewall).
- The Company does not warrant the availability of the Service and/or any other services provided by the DVLA, or the completeness, accuracy, quality or fitness for purpose of any Licence Holder information within the DVLA Integrated Enquiry Platform database.
- Suspension & Termination of Service
- The DVLA have an independent right to suspend access to the Service where there has been a breach of security or an audit finds that the Customer’s authorised users are improperly permissioned or the correct approval process has not been used. In this event the Customer will immediately lose access to the services for any new driving licence enquiries or scheduled rechecks until access is restored.
- D906/ADD Written Driver Data Processing Declaration Form and E-Approval Requirements
- The Customer acknowledges that the Company and the Supplier will use the D906/ADD Driver Data Processing Declaration Form details or E-Approval information provided to the Company to verify the Applicant details with the DVLA.
- Any DVA NI requests for licence information do not form part of the online DLVS service and will therefore require a manual submission for which a different process and a separate charge will be incurred. This additional charge information is available on request from the Company.
- Although Basic CPC and Tacho Data is included as part of the driving licence checking service from the DVLA, detailed CPC information relating to training course attended is currently only available to drivers.
- To enable the Company to satisfy the DVLA requirements for the provision of Licence Holder Personal Data, the Customer agrees to use the DLVS to create, process, produce and print a D906/ADD Driver Data Processing Declaration Form or alternatively to use E-Approval (as appropriate) according to the circumstances.
- The Company will only accept Company pre-formatted or system generated D906/ADD Driver Data Processing Declaration Forms for DLVS. Where E-Approval is used or intended to be used, this must satisfy any guidelines or requirements that are published by the Company or the DVLA.
- All D906/ADD Driver Data Processing Declaration Form submitted for verification should be checked for completeness by the Customer before being returned to the Company.
- The Customer shall submit all D906/ADD Driver Data Processing Declaration Forms within timescale of no more than 3 months from the date of Data Processing Declaration Form creation.
- Where the Customer uses E-Approval, any link or request shall cease to be effective after a maximum period of 28 days unless there is specific agreement with the Company for a longer period.
- The Customer accepts full responsibility for the accuracy of all information supplied in the D906/ADD Driver Data Processing Declaration Form and/or any electronic data or record used in the E-Approval process.
- The Customer agrees to procure permission from the Applicant named on the D906/ADD Driver Data Processing Declaration Form or in any electronic record used in a request as a pre-condition to its submission to Company and DVLA.
- The D906/ADD Driver Data Processing Declaration Form should be ‘hand signed’ by the Applicant in the appropriate section labelled ‘Driver Declaration’ after explicit permission has been granted by the named person and which provides full permission to carry out the verification check and conforms to the GDPR.
- If an Applicant does not wish to provide explicit permission by agreeing to sign a D906/ADD Driver Data Processing Declaration Form or E-Approval then an alternative method must be offered by the Client as listed in Clause 1.7. This alternative method is not included within the terms of the standard form Data Processing Declaration Form.
- Originals, photocopies, fax copies and electronically scanned copies of D906/ADD Driver Data Processing Declaration Forms are acceptable to the Supplier. However, this is strictly on the basis that they are of ‘good quality and clearly legible’. This means:
Handwriting and printed wording must not be obscured in any way shape or form or have been tampered with;
Correction fluid or any other form of masking will render the form invalid;
- D906/ADD Driver Data Processing Declaration Forms should only be electronically scanned as a PDF for the purpose of electronically forwarding to Company via email and must not be used for any other purpose;
- All fax and emailed PDF copies of D906/ADD Driver Data Processing Declaration Forms must be full size (A4) copies of the original
- All D906/ADD Data Processing Declaration Forms that are not compliant with the above or are not clearly signed by the Applicant will be rejected by the Supplier
- The Customer further agrees to supply to the Applicant all such documentation relating to the submission of the D906/ADD Driver Data Processing Declaration Form and/or verification as the Supplier may require whether prior to, or after submission of the relevant D906/ADD Driver Data Processing Declaration Form. Failure to provide sufficient information about the Applicant who is the subject of the enquiry, or failure of the Applicant to sign the declaration will result in the D906/ADD Driver Data Processing Declaration Form being rejected
- Where the Applicant fails to tick any permission boxes or otherwise omits or fails to satisfy any E-Approval requirement or to complete or pass any identity check or other form of electronic validation or withdraws or refuses any permission necessary for the Company to request a DVLA check using E-Approval the process must be abandoned and, if necessary, re-started anew
- It is recommended that D906/ADD Driver Data Processing Declaration Forms are submitted to the Company no later than 15:00 hrs (UK time) on any weekday to ensure that driver records are submitted automatically to DVLA on the same day. Late arrival may mean submission will take place on the next working day.
- The Company may at any time without notifying the Customer, update or change the DLVS at the sole discretion of the Company where a change is made by the Supplier which is considered necessary for service improvements or to comply with safety, security or other statutory requirements provided this does not detrimentally affect the service itself. Wherever possible the Company will notify the Customer in advance of such changes and the reasons for introducing them and where it is practical to do so will provide a reasonable period of notice in advance of their introduction. Notification may be by e-mail broadcast, by email, by telephone or published on licencecheck.co.uk.
- The Supplier will provide the DLVS in accordance with the D906/ADD Driver Data Processing Declaration Form or approved/permitted E-Approval procedure. Any changes required by Client must be specified in writing and agreed by both the Company and DVLA.
- Security and Storage of Driver Data
The Customer should at minimum ensure that, to the extent applicable for the Services, the following:
- That their I.T systems are protected with a regularly updated and industry standard Anti-Virus software as well as ensuring that appropriate hardware protection, backup procedures and firewalls are in place commensurate with the nature of the data being stored and the risk of loss or damage.
- That administrators and users have a unique User ID to monitor access and prevent unauthorised access to Applicant records within the DLVS Service.
- That access rights to personal information should be restricted to those employees and who need to know or have access to that data in order to discharge their function effectively. Where access is necessary in these circumstances it should be restricted to the minimum levels possible.
- That Customer employees, agents or sub-contractors who have or may have access to Personal Data or Special Categories of Personal Data are considered suitable, trustworthy and have undergone some form of security clearance or vetting appropriate to their levels of authority and access.
- That there is a suitably robust password policy and protocol in place to prevent unauthorised access to DLVS and Applicant records, this policy to include (but is not limited to) requirements for password strength and change protocols and a prohibition against the sharing of passwords or the use of another employee’s password to access DLVS.
- That there are policies and supporting documentation in place to ensure the security and integrity of information stored electronically.
- That a risk assessment has been carried out and is regularly reviewed to ensure that the security arrangements in place are proportionate to the needs of the business and the perceived risk of destruction or loss of or damage to Client data within DLVS.
- All records containing Personal Data obtained from DLVS should be retained by the Customer in a secure manner. This will include any Special Categories of Personal Data relating to individual Applicant convictions, suspensions, endorsements, disqualifications or penalty points.
- Where Personal Data and Special Categories of Personal Data obtained from the DLVS is held in paper format by the Applicant or downloaded and printed, it must be retained on secure premises and locked away to prevent unauthorised access. Where this information is stored electronically within IT systems, either hosted or on I.T systems owned or managed by the Customer there should be suitable controls are in place to prevent unauthorised access. These controls must include prohibitions on the use of removable media to store or access this data and strict security and encryption requirements for mobile devices and laptops.
- Protected data must be destroyed or deleted securely when there is no continuing business need to retain the information. For the avoidance of doubt Customers should pulp, incinerate or shred paper records or dispose of these through a secure third-party agency who can certify proper destruction, or where the information is stored electronically, securely cleanse the Personal Data from any magnetic storage medium by deletion and overwriting and/or use an approved destruction process for such media.
- Personal Data (including Special Categories of Personal Data) may not be stored, transferred or accessed overseas by the Customer without the express written permission of the DVLA. This will include cases where the Personal Data is stored in the UK but can be accessed from overseas. Overseas means outside the EEA.
- Data Protection
- The Customer warrants that it will comply with any obligations under the General Data Protection Regulation (GDPR) (EU) 2016/679 and/or any other corresponding or applicable regulations, legislation or other local or international laws covering the use, processing and/or dissemination of the Personal Data of individuals.
- The Customer acknowledges that for the purposes of the GDPR, the it will be the Data Controller and the Company and the Supplier will be the Data Processor.
- The Company will processes Personal Data in accordance with the agreement with the Customer.
- The Client acknowledges and agrees that it is responsible for:
Obtaining the approval of the relevant users it has authorised/Applicants prior to use of the Service; and
Providing an audit trail of all approvals received from each individual Data Subject under clause 4(a) above.
- The Customer as Data Controller shall be liable for and shall indemnify (and keep indemnified) the Company/Supplier in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including any reasonable legal fees and expenses), or demand suffered or incurred by, awarded against or agreed to be paid by the Data Processor arising directly or in connection with:
Any non-compliance by the Customer with the GDPR or other applicable legislation; or
Any Personal Data processing carried out by the Company in accordance with instructions given by the Customer where those instructions infringe the GDPR or other applicable legislation; or
- No Party shall be entitled to claim back from the other any sums paid by way of compensation in respect of any damages or losses for which they are liable to indemnify the other under clauses 6 or 5.7 above.
- AUDIT & INSPECTION RIGHTS
- The Supplier is under certain pre-existing obligations with its third-party suppliers (and/or regulatory bodies) that require the Supplier to obtain a right of audit from Customers. The following clauses 2 to 6.10 are intended to give effect to that requirement.
- The Supplier shall be entitled to conduct on-site audits of the Customer’s premises used in connection with the Service upon reasonable prior notice and upon reasonable grounds, not more than once per year and on other occasions as imposed on the Supplier by any regulatory body with competent jurisdiction or one of the Supplier’s third-party suppliers engaged in connection with the Service or any External Agency.
- In exceptional circumstances, the Supplier may need to carry out an unannounced or un-notified audit/inspection. “Exceptional Circumstances” for the purposes of this clause include, but are not limited to:
Allegations of misuse by the Data Subject whose personal information has been accessed;
Serious concerns about the use, storage or security of Output Data or Driver Information or the use of the Service
A referral of a serious concern by an external authority or organisation (for example the DVLA or Information Commissioner)
- The Supplier may be accompanied by representatives of any such regulatory body, third party supplier or External Agency in respect of any such audit imposed on the Supplier.
- All audits will be conducted in a manner that does not materially disrupt, delay or interfere with the Customer’s performance of its business.
- The Customer shall provide the Supplier (or any regulatory body, third party supplier or External Agency as relevant) with full access to its premises, employees, computers, IT systems and records as required for the purpose of any such audit.
- Where an audit identifies any material failures or non-adherence to the terms of this Agreement the Company may terminate any agreement or the provision of the Service under it.