About Licence Bureau


QMF 159 Issue 3 30/05/2018 1 Private & Confidential

Dear Driver,

We often have requests from drivers for more information about Licence Bureau and the services we provide. This is often a result of concerns regarding data protection and the release of private and confidential information related to our services.

Organisations are required to ensure that drivers have the appropriate licence entitlement for the role they are employed to carry out; for your employer this is done through Driver Licence Verification (DLV), in support of an organisation’s “Duty of Care” obligations and “Work Related Road Safety”.

About Licence Bureau

Licence Bureau first established its commercial approach to DLV in 2003. It worked very closely with the DVLA and data protection commissioner to develop a process and system that satisfied data protection requirements related to the release of driver records via the DVLA. Data protection was considered during every development stage of our service and had to meet exacting standards. These standards have now been recognised by the achievement of ISO27001, ISO9001 and ISO14001 accreditation. Retaining these accreditations relies on regular audits by independent auditors assessing our operation both in terms of system security and procedural excellence related to process and procedures of operation.

Licence Bureau also invites the DVLA to audit its operation in terms of process and working environment including its people. We have a very strong relationship with the DVLA and have regular reviews with them as part of the DLV User Group meetings which Licence Bureau chair.

Our customers and drivers

Licence Bureau has a significant share of verifications sourced via the DVLA. We are a long established provider of this service to organisations who wish to take advantage of a secure, reliable and cost effective method of verifying a driver’s licence record and ensuring that each driver complies with Section 87 (2) Road Traffic Act 1988. Significant penalties, fines and custodial sentences - under The Corporate Manslaughter Act and Health & Safety (Offences) Act - can be imposed upon organisations who fail to implement a robust process, procedure and audit.


Data protection and system security

Since 2003 we have always ensured that data protection and system security are foremost in the way we receive, store, transmit and handle driver data. Failure in this crucial area would undermine our operation, and as a business we would fail our drivers and customers, resulting in a gross breach of our standard of operation, with current and prospective customers deciding to exit our service or choose another provider. We have never had any breaches in driver data being misused. Our customer and driver base continues to achieve significant growth, which is a result of an excellent service coupled with total focus on Data Protection and the responsibilities we have towards you, our driver.

Licence Bureau only has your permission to source your record from the DVLA once a signed Fair Processing Declaration form is completed and received at our offices. Should you leave your company for any reason, your permission is no longer granted – we would be in serious breach of our data protection obligation to yourself. We always seek approval from your company to process rechecks and we ask your employer to confirm you are still employed and still driving.

Data Protection Statement

The Licence Bureau aims to provide a secure and efficient system for driver checking, which is its sole business. We do not use Driver’s information in any other way and we do not pass driver information on. We are the intermediary mentioned on the D906 Fair Processing Declaration form and eDeclaration form, and there is no third party involved in the sourcing of driver records from the DVLA or DVA NI.

Our promise to you

We adhere to and, where possible, exceed the requirements outlined in the Data Protection Act 2018.

Information Uses:

We use the information we obtain purely for the purposes of Driver Checking and do not pass on the data to any other party unless agreed in your declaration. Licence Bureau is the data processor and your employer is the data controller; your employer has complete control of how your data is managed and used.

We do not

Sell driver information on.

Provide your information to other parties not directly involved in vetting the driver’s information.

We do

Remove your data from our system should you leave your employment

Shred the fair processing declaration form once your information is entered onto our system and the form has been scanned onto our secure system.


Release of Information

We only release information as required: Driver’s address information is only released to approved parties (e.g. the DVLA) and the approved companies on the driver’s signed Fair Processing Declaration form in the event of problems in identification.

We protect Drivers from Identity Theft by:

Not providing the Driver’s full DVLA or DVLNI licence number on the website or reports (in the case of the DVLA we blank out the last 3 digits).

Not storing the Driver’s address on our website, even though it is hosted on the same infrastructure used by banks. The website, although secure, is still totally separate from our main system.

Implementing strict vetting of our staff and securing our premises both physically and electronically. Our staff are trained to only release information within our established procedures.

Data Storage

Data is held within our data centre in the United Kingdom and is securely protected. All web applications work through SSL, and web-servers are routinely penetration tested by an independent testing body. User access is only achievable by using a unique username and password. Passwords are routinely changed and are in keeping with Microsoft’s recommended complexity. Permission for access is controlled by the main scheme stakeholder.

Sensitive Data

In order to assess the driver, the Licence Bureau will need to collect data which the Data Protection Act defines as sensitive (such as criminal convictions). By proceeding with this application, the driver will signify their declaration to such information being processed by the Licence Bureau or its agents by signing a Fair Processing Declaration form.

Location of Data

We only locate your driver’s information within the United Kingdom, and require assurance that any information passed to any approved parties will be retained within the United Kingdom in accordance with the Data Protection Act.

Auditing

In addition to our own internal procedures, we are routinely audited by the DVLA to ensure that we are correctly accessing driver’s data and are holding that data securely.


Frequently Asked Questions

Is checking my licence a new legal requirement?

No, your employer has always had a responsibility to ensure, as far as is reasonably practical, that the health, safety and welfare of employees is looked after in the workplace. They must also ensure that others are not put at risk by the work activities of their employees. There has always been a requirement to check the entitlement of drivers, and Licence Bureau is just taking advantage of the latest technology to provide a more convenient, effective and secure means of checking entitlement to drive.

What does this involve?

Your employer has entered into an agreement with Licence Bureau to perform licence verifications on their behalf directly with the DVLA and DVA NI. The Licence Bureau in turn has a comprehensive contract with the DVLA to ensure that the rights of everyone involved, including the Driver, are protected throughout the process. Everyone who drives on company business, whether they are a commercial vehicle, company car or cash option (owner) driver, will need to provide a declaration giving their permission to the Licence Bureau to approach the DVLA for their records. There are two ways of doing this:

1. eDeclaration via email
2. A paper Fair Processing Declaration form known as a D906, example below.

Typically, if you have a DVLA issued licence and you have an email address, your employer will probably choose eDeclaration as it is much quicker and there are no paper forms to complete. For foreign licence holders and those without email access, the paper Fair Processing Declaration form is used.

Benefits of Providing a Declaration

Benefits are numerous but are often overlooked. The declaration given lasts for 3 years or until your employment ceases. An approved schedule of licence checks will be undertaken without further disturbance to yourself. Any concerns highlighted by the DVLA, such as expiring categories, licences, photo cards or revoked licences, will be brought to your employer’s attention, allowing them to discuss the status of your licence with you.

We have a recent example of a driver with a medical condition who changed address but did not update the DVLA. The reminder from the DVLA to update the licence, due to the medical restriction, arrived at the old address and, because the reminder was not forwarded, the licence became revoked and consequently invalidated the driver’s insurance also. This was not picked up until the driver’s company employed the services of Licence Bureau.


What is eDeclaration?

eDeclaration is essentially the declaration process as described above but on-line. This removes the need for drivers to print and sign a physical fair processing declaration form. The process requires drivers to authenticate themselves on-line by confirming data already known by the organisation they work for. Once this authentication has been established, the driver gives authority or declaration by submitting an on-line form. The validity period of eDeclaration is identical to the traditional process - 3 years - but only drivers who have a DVLA issued licence can use it. Foreign drivers or those with a DVANI Licence must still use the traditional fair processing declaration form process.

How does it work?

If your organisation has chosen eDeclaration, you will receive an email inviting you to click on a link that will take you to the Licence Bureau secure website, where you will enter your name, email address and mobile number; you’ll also need your driving licence number available. You will then receive an authorisation code, which will be sent to your email address and your mobile phone via SMS. Enter this code where prompted and follow the instructions to submit the on-line declaration form, and your declaration process is completed.

Points to remember

Whilst eDeclaration is much quicker and less cumbersome than the traditional process, in order to comply with DVLA data protection and security requirements we need to put safeguards and checks into the process. So please note:

Once the process starts there is a 30 minute window for completion; if you don’t complete in this time you’ll have to start again.

You must enter the email address your organisation has provided to us; any other you give will be rejected.

If you enter incorrect information 3 times you’ll be asked to begin again.

You’ll need to be in a place where you have an internet connection and a mobile phone service available.

If you have a foreign or DVANI issued driving licence you will be asked to complete the paper D906 instead.


Why can’t I just produce a copy of my licence?

Checking a licence is not as straightforward as it seems – drivers in other companies have, in the past, submitted forgeries, doctored photocopies or duplicate copies obtained in advance of a court appearance - so although they appear to have a clean licence, the reality may be very different. In addition to this, now that the licence counterpart has been removed, the only way to view or provide evidence of endorsement information is on-line, either through the DVLA’s own portal for individuals or their share my driver record facility.

How will this be done?

Your employer will pass your details to the Licence Bureau. We will communicate with you requesting that you either complete, sign and return a fair processing declaration form or undertake the eDeclaration process. Alternatively, you may be issued with a fair processing declaration form by your line manager. The signed fair processing declaration form allows Licence Bureau to access your driver record via the DVLA and then securely report your record to your employer.

How long does the fair processing declaration form last for?

Once you have signed and returned the fair processing declaration form or completed the eDeclaration process, it is valid for a period of three years. This means that we can carry out checks at any time throughout this period without having to trouble you to complete a further declaration form or another eDeclaration process. The frequency of the checks that are carried out is determined by the risk represented by the points you have on your licence. A driver with 9 points on their licence will usually be checked more often than a driver with a clean licence.

What happens if I don’t return the fair processing declaration form or complete the eDeclaration process?

If you do not complete the declaration form due to illness or being away, don’t worry, Licence Bureau will contact you again with a reminder. If you still fail to return it – the matter will be referred to your line manager and together we shall assist to ensure your compliance.

What happens if I refuse to complete the declaration process?

This will be a matter for you to resolve with your employer, who do have a Duty of Care for all their drivers and the general public to ensure “work related road safety” obligations are met. Whilst you are entitled to present your most current driver licence to your employer for verification, this method is not robust as licences may not be the most recent issue, therefore potentially not revealing recent offences or endorsements. Drivers refusing to declare should not be penalised or placed under any restrictions, including their declaration being a condition of employment.

What are the implications to my employer if my driver licence is not verified and I continued to drive on their behalf?

Your employer does need to ensure that you have a full and valid licence to drive on their behalf and to carry out your duties. Should a driver be involved in an incident where the authorities were involved as a result of an injury to a passenger or a member of the public or another driver, an investigation would take place. If it was found that the driver had an invalid licence, the employer might be open to prosecution if it was proven that robust procedures were not in place to verify a driver’s licence and entitlement. There are options to verify licences; please see the point above.


What happens if I make a mistake completing my fair processing declaration form?

Your declaration form needs to be filled out with clear readable handwriting and with minimal mistakes; if a mistake is made this must be initialled and dated, without this we cannot process the form. If you need to cross something out, this must be with a clear straight line and also be initialled and dated. If your declaration form becomes unreadable you will need to start again. Please make sure your fair processing declaration form is signed and dated; even without mistakes, if the declaration section is not completed we cannot process your form.

What happens to the information once it is returned to Licence Bureau?

Driver information will be held securely by Licence Bureau, who operate to ISO 27001 standards. Information sourced by Licence Bureau from the DVLA will be held on secure systems at Licence Bureau’s office in Hemel Hempstead and will not be declared to any other party or used for any other purpose other than to assist with Duty of Care responsibilities. No medical records are released by the DVLA, only licence records. Please be assured Licence Bureau acknowledges the sensitivity of this data and ensures that at all times it is handled in accordance with their data protection obligations. All of the information that Licence Bureau collect from the DVLA will be securely provided to the appropriate person within your business.

What happens if I have points on my licence?

Provided that you are not disqualified from driving, this should not be a problem. You will be notified immediately if any problems arise. You will have an opportunity to look at the information and challenge it if you believe any of it is wrong.

Will my details be used for any other purpose or passed on to anyone other than my employer?

No – the Licence Bureau are acting only as data handlers and as such may not use the information for any other purpose or supply your details to any other party.

I have a company car which my partner drives. What about their licence?

As licence checking extends to all vehicle drivers – it is your company’s responsibility to ensure that any other authorised person’s licence has been checked and is valid and current prior to the company vehicle being driven. Your policy states that a spouse/partner may drive your company vehicle. These drivers will be required to complete a fair processing declaration form and follow the same process detailed.

How secure is Licence Bureau’s system?

System security and protection of driver data is a fundamental requirement of our service. We are ISO 27001 compliant and subsequently are audited at regular intervals to ensure compliance to the accreditation. Staff are screened prior to employment and the environment we work in is very secure. Staff are not allowed any form of baggage or phones at their workstation, and each have lockers for personal items. USB ports have been disabled. A Data Protection Statement is available above.


Why does my company wish to use Licence Bureau?

A company has a Legal and Health & Safety responsibility to ensure all employees who drive on company business hold a valid licence and have the appropriate entitlement to drive the vehicle used for this purpose. There are a couple of methods available to validate entitlement, which are:

1. Internal visual inspection of the driver licence at agreed periods
2. Access the driver record via the DVLA using a data protected DVLA declaration process.

Your company’s preferred method is option 2 for the following reasons:

The process is managed by Licence Bureau who have had a 12 year association with the DVLA

They have over 600,000 drivers on their scheme

The process considers every aspect of data protection and system security and Licence Bureau is ISO27001 compliant.

The fair processing declaration form lasts for 3 years or until your employment ceases.

The process saves your time (no requirement to produce your licence for visual inspection) and is cost effective (management not required to inspect licences and provide manually prepared reports on entitlement).

The system and process complies with Corporate Manslaughter Act requirements and provides a robust process, procedure and audit.

Your company has selected Licence Bureau after a rigorous selection process and is satisfied that the approach, especially related to data and system security, meets their requirements. Importantly, every aspect of their process (compliant with their DVLA contract obligations) looks after the interests of their drivers.


Removal of driver data from our system

Data category/document: Consent Forms/Fair Processing Declarations for processing of driving licence details (hard copy and electronic)
Retention period/criteria: For 7 years from the date the form is received by us, as mandated by the DVLA, in case the information is needed to establish, defend or bring legal claims.

Data category/document: Personal data collected from you in the provision of our services, including Audit, vehicle declaration and insurance certificate
Retention period/criteria: For 3 years. This enables organisations to run a three year cycle Health and Safety Programme to establish continued improvement.

Data category/document: Reports generated as part of the services we provide
Retention period/criteria: For 3 years. This enables organisations to run a three year cycle Health and Safety Programme to establish continued improvement.

Data category/document: Incident management data
Retention period/criteria: For 3 years. This enables organisations to run a three year cycle Health and Safety Programme to establish continued improvement.

Data category/document: Vehicle data
Retention period/criteria: For 3 years. This enables organisations to run a three year cycle Health and Safety Programme to establish continued improvement.

Data category/document: Driving licence data
Retention period/criteria: For 3 years. This enables organisations to run a three year cycle Health and Safety Programme to establish continued improvement.

Data category/document: Cookies data
Retention period/criteria: As per the Cookies Policy.

Data category/document: Contact details
Retention period/criteria: For 7 years from the date the data is received by us if provided as part of a Consent Form/Fair Processing Declaration as mandated by the DVLA, in case the information is needed to establish, defend or bring legal claims.


Risk Excellence

Risk Excellence is the name we give our product to identify, manage and control the risks presented by licence checking and grey fleet (owner driver) management. For example, if we find that a driver has a poor endorsement history or has regular endorsements for the same offence, this will highlight a risk that we can then look to reduce or remove completely. We call this compliance and we achieve compliance through education.

1. Identify the risk
2. Assess the driver
3. Educate
4. Review

Typically you will only be assessed if you have shown through your driving history to have an elevated risk status, although ultimately this will depend on your employer and whether they want to assess all drivers regardless of their driving record.

Why am I being assessed?

Company policy and Duty of Care. Your company cares about you and recognises just how dangerous driving for work is statistically; you are the most important asset, and this is for your further development and to keep you safe whilst driving.

How long does the assessment take?

The assessment is all on-line and will take approximately 30 minutes to complete.

What do you do with the results?

Results are stored on a management information system that your employer has full access to in order to manage the risk reduction program and help to manage their duty of care obligations.

What happens after the assessment?

The results of your assessment will determine if there is any further learning required and, if so, you will be provided with e-learning modules to complete. Some will be compulsory and some optional, but they will be targeted to your specific circumstances and the results of the assessment. Each e-learning module will take 20-30 minutes to complete and there is no time limit for their completion.

Does this have an implication on my driving or my job?

Not necessarily, but it’s important your employer takes driving for work seriously and, if there are any risks identified, that they are managed to keep everyone safe on the road.

What other training is offered?

Where appropriate we offer classroom and in-vehicle training to further reinforce road safety and compliance. These are delivered by qualified road safety professionals and driving instructors and will focus still further on key aspects of occupational road risk. Your employer will decide if it’s appropriate for you to attend these courses.


Who can I speak to if I have further queries?

If you still have further queries or if you would like more information, then please contact your HR or Fleet Manager or the Licence Bureau, either of whom will be happy to help.

Licence Bureau - contact details
E mail: [email protected]
Phone: 01442 430980
Fax: 01442 430981

Employee Audit

What is an employee Audit?

An audit or questionnaire is used by an employer to understand the level of knowledge of road risk amongst the employee base to enable it to gauge and ultimately mitigate occupational road risk. In simple terms, to understand and reduce the risks involved in driving at work.

What does it involve?

The audit is a set of relatively straightforward questions in a website which the driver (or non-driver) will answer and submit to Licence Bureau, who will then record the answers and present your employer with management information.

What if I don’t drive at work?

This is the first question we ask, and if you don’t drive at work we will record this against your name and the process is completed. If subsequently you change status you will need to undertake the audit again.

How often will I need to be audited?

Typically the audit is carried out at the start of your employment and typically annually thereafter.

Will I need to have seen anything beforehand?

Ideally yes; the audit will confirm that you have read and understood the employee handbook and health and safety policy. If your organisation has not provided these documents to you, you can still answer no and complete the audit, but it will have more relevance to you having read your organisation’s policy.

If I don’t drive will I need to complete the audit?

Ideally we’d like all employees to complete the audit even if it’s only the initial question asking if you drive at work. At least the organisation will then have a better idea of who is driving and their overall exposure to occupational road risk.

What will happen to the information?

Your data will be held securely purely for the purposes of risk and compliance management. It will be removed if you leave your organisation.


Grey Fleet

‘Grey Fleet’ is a term used to describe the business miles travelled by an employee in their own vehicle. This ‘fleet’ of employee-owned cars is deemed ‘grey’ as the vehicles in use are in somewhat of a grey area of responsibility for the employer; these responsibilities are often overlooked and misunderstood. In the UK, there are approximately 5 million grey fleet cars on the road. This large number is of concern to many organisations with a grey fleet due to worries over environmental sustainability, financial efficiency and the health and safety of their staff.

What is the law?

Health and Safety – Under the Health and Safety at Work Act 1974, employers have a duty to ensure the health, safety and welfare at work, including whilst driving for work, of their employees. This is relevant in relation to grey fleet vehicles as this statutory duty would apply when employees are undertaking driving for work in their own vehicles. Your employer is required to ensure that you have a safe working environment and this extends to your vehicle and any vehicle you drive at work. The purpose of the audit is to understand your general understanding, awareness and attitude of driving at work so that your employer can put the appropriate safeguards and policies in place to ensure your safety.

Why do I need Business Travel Insurance?

Grey fleet drivers must have an extension on their original insurance policy as their cover must include business travel. It is imperative that you have this cover, as uninsured grey fleet drivers that are involved in an accident while on business are more than likely to find they are not entitled to compensation.

What is an example of a business journey?

Driving to a client site, an airport prior to a business trip or to a railway station for an annual conference is classed as driving for work and does not form part of your daily journey to work. Non-work travel and your normal daily commute are classed as social, domestic and pleasure commuting. If you drive a vehicle in connection with work beyond simply commuting then it is classed as being used for business use and the correct level of business use insurance cover must be held.

Permit to Drive

Why have I received a permit to drive?

Think of the permit as an internal driving licence which demonstrates to your employer that you have complied with all of your obligations as a driver. Your employer has a number of requirements you have to satisfy in order to drive at work, which could include some or all of the following:

Completed the audit

Have a full driving licence for the type of vehicle you drive at work

If you drive your own vehicle you have business insurance and a valid MOT for your car

Licence Bureau will issue a permit email to you if your employer wishes, which can be retained by you as evidence of your obligations as a business driver.

Why has my permit been revoked?

If any of the list of agreed obligations lapse or you have not complied with something asked of you by your employer, your permit will be revoked and you may not be permitted to drive on business until the issues highlighted are rectified. Once again, an email highlighting the reasons for the revocation will be sent to you and you should arrange to address the issues highlighted immediately.