Fleet News

Three months to get licence-checking consents up-to-date

licence

Employers have three months to ensure more than two million fleet drivers have signed new driver licence-checking consent forms.

Documents have to be revalidated under the provisions of new data protection legislation – the General Data Protection Regulation (GDPR) – which comes into force on May 25.

GDPR requires businesses to comply with a new set of rules designed to safeguard personal data. Driver consent forms from the Driver and Vehicle Licensing Agency (DVLA) for licence-checking by third-party companies fall under the legislation.

DVLA-licensed providers are able to allow employers access to the DVLA driver database using a ‘blanket’ type of consent that can last for up to three years. Known as the D796 driver mandate, it allows multiple checks against the database. 

However, the form has been ditched by the DVLA because it doesn’t comply with GDPR. Instead, drivers must sign a new form – the D906 Fair Processing Declaration – for the consent to continue to be valid.

The Association for Driving Licence Verification (ADLV) estimates two million drivers will have to sign the new form. Non-compliance could see firms hit with heavy fines imposed by the Information Commissioner.

A DVLA spokesman told Fleet News: “In readiness for the introduction of GDPR, DVLA has reviewed the Access to Driver Data and Driver Licence Check services which allow employers and other third parties to request driving licence data.

“Consent will no longer be the basis upon which DVLA releases data under GDPR.

“Requests for driving licence data via these services must be supported by a completed and signed D906 Fair Processing Declaration. These forms ensure that drivers understand who is requesting their driving licence data, what the data is, how it is being requested, and for what reason.”  

The validity of the new D906 form will expire three years from the date of the driver’s signature or when the driver stops driving in connection with the company, whichever occurs sooner.

THREE-MONTH WINDOW

The DVLA says that in recognition of the need for employers and fleet managers to meet their duty of care obligations, and the “significant task” in transferring to the new fair processing declaration form, the current consent forms will continue to be valid for a three-month transitional period, from May 25 to August 25.

Malcolm Maycock, chairman of the ADLV, said the industry faced a “mammoth task in a short timeframe” to ensure that all processing is correct and complies fully with the new GDPR legislation. 

“The good news is that the new data processing declarations will continue to remain valid for three years from the date permission is granted,” he said.

Employers and fleet managers, who are legally obliged to check a drivers’ entitlement to drive, will be under enormous pressure to hit the August deadline. 

For its part, the ADLV says its members are advising customers on the implications of the change and how they can ensure compliance with the new DVLA requirements. 

However, technical director of the ADLV, Kevin Curtis, said: “This is a huge shift for the DVLA and, indeed, the driving licence checking industry as a whole. 

“From a technical and compliance perspective, all employers and third parties who are responsible for licence checking will need to be able to demonstrate that the new fair processing declaration has been signed by the driver. This will need to be stored in a way that can be audited to ensure compliance with the new GDPR legislation.”

The employer will need to show evidence of a clear process where the driver has agreed and signed off the data processing, with a date and time of the declaration. 

STORING DATA

Curtis also warned they need to consider how driver information is being stored, along with grey fleet documentation, including road tax, MOT and insurance information. 

In a webinar organised by risk management company Driving Monitor, Curtis said: “There are lots of considerations around driver data and identifying that personal data.”

For example, it is important that data can be accessed quickly to adhere to the new rules. 

“If we don’t have systems to get hold of this data, it’s going to be very difficult to respond , particularly if there are going to be a number of access requests coming into the business,” he said.

Curtis believes that, over time, GDPR will make paper driver records redundant, because of how difficult it will be to “categorise, secure and access”.  

“Storing that data is one of the key aspects of GDPR,” he said. “We need to look at the systems data is stored in and whether it is in a secure environment.

“For example, do you have Excel spreadsheets and email them around; is the email channel encrypted; are the computers those spreadsheets are saved on encrypted?”

Any paper files in cabinets will also need to be secured, says Curtis. “Paper is one of the biggest risks… you don’t generally think about locking cabinets or your desk.” 

SUPPLY CHAIN MANAGEMENT

Fleet decision-makers will also need to consider what data is passed to suppliers. Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. 

Most suppliers will be well advanced, but if ‘no answer’ is received, action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.

Furthermore, fleet representative body ACFO says drivers will need to delete data loaded on to vehicle systems

Satellite navigation systems and mobile phones contain a wealth of data so it is vital to remind drivers to ‘delete’ the data or reset to ‘factory setting’ ahead of defleet of a company car or the return of a hire vehicle.

A recent poll of fleet managers by Masternaut revealed that only 20% of respondents were confident they would be fully compliant with the GDPR by the 25 May – 47% reported that they have a long way to go or have just started preparing.

Meanwhile, a poll by Fleet News revealed around a third of respondents were not confident of meeting GDPR obligations to their fleet drivers. 

 

Click here for fleet management software best practice and procurement insight

Leave a comment for your chance to win £20 of John Lewis vouchers.

Every issue of Fleet News the editor picks his favourite comment from the past two weeks – get involved for your chance to appear in print and win!

Comment as guest


Login  /  Register

Comments

  • Monitor - 21/05/2018 14:33

    It's worth also noting that companies who are using the DVLA platform will need to consider why they should nominate a DPO (Data Protection Officer) in their organisation if they are handing driving licence data, as some of the data sets could contain special categories of data classed as 'sensitive' - see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

    Reply as guest

    Login  /  Register
  • Abbie - 25/05/2018 12:49

    Anyone know where i can get this new form?

    Reply as guest

    Login  /  Register
    • Gareth Roberts - 29/05/2018 10:28

      The D906 is not downloadable, but has been provided with guidance notes to customers using the DVLA’s ‘Access to Driver Data’ and ‘Driver Licence Check’ services.

      Reply as guest

      Login  /  Register
      • Abbie - 29/05/2018 13:32

        sorry i don't understand? i need to get all my drivers to sign this form i assume so i need a hard copy?

        Reply as guest

        Login  /  Register
  • Dawn - 18/06/2018 13:30

    I Check our drivers driving licence information myself via the DVLA website, how do I go about getting this consent form for our drivers to sign????????? Thanks

    Reply as guest

    Login  /  Register
    • Gareth Roberts - 18/06/2018 13:35

      Hi Dawn, if you're checking driving licence information via the Share My Driving Licence DVLA portal this form is not applicable. Consent is given by the driver when they give you the code to check their licence. The D906 Fair Processing Declaration is for companies using third-party licence checking companies or those large fleet operators who have a licence with DVLA to check licences with direct.

      Reply as guest

      Login  /  Register
  • Gill - 06/08/2018 10:23

    Thanks, I check our company Licences as Fleet Manager, and was trying to confirm if I needed to also have our drivers complete the D906.

    Reply as guest

    Login  /  Register
    • Gareth Roberts - 06/08/2018 10:26

      The D906 Fair Processing Declaration is for companies using third-party licence checking companies or those large fleet operators who have a licence with DVLA to check licences with them direct. If you don't do either of these you do not need to use this form.

      Reply as guest

      Login  /  Register