Fleet operators are being warned that they may fall foul of data protection laws if company cars enter the remarketing arena before hard drives are cleared of any personal data.
The Vehicle Remarketing Association (VRA) has issued a best practice guide to its members to help them address the growing issue of vehicles coming to auction with a driver’s personal details still intact on a car’s internal hard drives.
The technological evolution of satellite navigation, phone kits and entertainment systems means that personal driver information is being stored on the car’s hard drives, including phone directories and personal addresses.
And with manufacturers developing greater functionality for in-car infotainment systems, even more data will be stored on car hard drives in the future, which may pose an even greater risk to both the employee and the employer.
Ultimately it is the driver’s responsibility to erase this date from the car before it goes back to the rental company, leasing company or franchised dealer, but that doesn’t always happen, says the VRA.
“We have yet to see major instances of any personal data being misused if it is inadvertently left on a car’s sat-nav or in-car system, but this won’t be the case for ever,” said VRA chairman John Davies.
“We have seen an instance where a car buyer traced the previous company car driver to his home address to ask more details about the used car he had just purchased at auction.
“If a driver’s phone has personal details of, for example, a politician or public figure and the sat-nav includes address details, this could be a real security concern.”
The VRA has 60 members who work in and around the remarketing industry, collectively handling and selling close to two million used vehicles every year in the UK wholesale market. This represents around 60% of all vehicles ultimately purchased by a private motorist from a motor retailer.
To protect members from passing on a driver’s personal data when they sell a car, the VRA is recommending a series of measures.
It suggests ensuring that wording is included in customer contracts and master hire agreements informing their customer’s drivers of their obligations.
Signed confirmation must also be received by the vehicle owner as part of the vehicle de-hire process that all data has been removed from the vehicle.
In addition, it recommends actioning ‘Delete All’ or ‘Factory Reset’ or similar as part of the remarketing process before a car is sold and is encouraging individual companies to conduct a privacy impact assessment.
The Data Protection Act controls how an individual’s personal information is used and its rules require everyone who collects data to follow strict guidelines to keep that information safe.
Bauer fleet manager Debbie Floyde said: “I hadn’t recognised this as an issue until now and I suggest that’s probably the case for the vast majority of fleet managers. Not all of our cars have the capacity to store data so we’re now in the process of assessing what vehicles might be affected, before deciding what advice to offer our drivers.
“Nevertheless, I can see why it could be an issue and as manufacturers develop further functionality on infotainment systems, with the ability to store even more personal data, it’s a problem that’s sure to persist.”
The VRA told Fleet News that when it discussed the issue with members earlier this year, some companies had already adopted their own policies and others had talked to customers about the issue.