Personal information charter
This page was last updated on 25th June 2026Our personal information charter contains the standards you can expect when we ask for, or hold, your personal information. It also covers what we ask of you, to help us keep information up to date.
Privacy Notice and Information Charter
The Vehicle Certification Agency (VCA) is an Executive Agency of the Department for Transport (DfT) offering Type Approval services to the automotive industry in the UK and overseas. The DfT and its executive agencies are a single entity (or controller) for the purposes of data protection law.
Working predominantly with the automotive industry, the VCA processes and holds only a small amount of personal data on the UK population.
This policy explains how the VCA will comply with data protection law. This includes the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (and amendments made to that legislation by the Data (Use and Access) Act 2025). It also includes the Privacy and Electronic Communications Regulations 2003 and the EU GDPR, to the extent relevant.
What is personal data?
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject.’ A data subject is someone who can be recognized, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data.’ Data protection law applies to the processing of personal data, including its collection, use, and storage.
Your privacy
We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:
- have a legal basis for doing so, and only ask for what we need
- do so in a fair and transparent way, letting you know why we need your information and how we will use it
- use it in the way we said we would and not in a way you wouldn’t expect without letting you know
- ensure that we don’t keep more than we need, for longer than we need
- make sure it is accurate and, where necessary, up-to-date
- make sure nobody has access to it who shouldn’t
- ensure that it is kept safe and secure
You can help us by making sure that the information you give us is accurate and let us know if it changes. For example, if you change your telephone number, name or move to a new home, let us know.
What allows the VCA to process your personal data
To process personal data, we need to meet one of the following conditions (or legal bases):
- you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
- it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
- it is necessary to meet a legal obligation
- it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
- it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
- it is necessary for a ‘recognised legitimate interest’ (this includes purposes related to the public task of another authority, national security, public security and defence, emergencies, crime and safeguarding vulnerable individuals)
- it is necessary for our legitimate interests or those of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)
There are further requirements for processing more sensitive, or ‘special category,’ personal data and separate but similar requirements for personal data relating to criminal convictions and offences.
The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in the VCA will be necessary to meet our legal obligations or to perform a public task.
Your rights
UK data protection legislation sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website.
The VCA will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.
Any request to exercise these rights should be made directly to the VCA.
We cannot respond to requests made by third parties, such as online portals, unless we are able to verify your identity and be satisfied that the third party is acting with your authority. If you use an online portal that does not meet these requirements, your request will be rejected. Where possible, it is always quicker to make your request directly to us.
Your right of access
You can make a request for any personal data that we may hold about you – this is called a ‘subject access request.’ If we hold information about you, we will send you a copy (subject to any exemptions that may apply).
If you would like to make a subject access request, contact us at: dpa@vca.gov.uk.
So that we can be sure of your identity, you will need to provide information such as a (scanned) copy of a driving licence or a current utility bill showing your full name and current address.
To help us find the information you want, please provide:
- a description of the personal information you believe the VCA holds about you and an indication of where in the VCA that information is likely to be held
- the names of any VCA staff members you have corresponded with
- the date range that our search for information should cover
We carry out a reasonable and proportionate search and will normally respond to your request within one month of receipt. When we require proof of identity, the time limit of one month will not start until we receive that proof.
If the request is complex, we may need more than one month to answer it. If so, we will let you know why our response is delayed and outline when you can expect a full response.
As permitted by data protection legislation, we may refuse to answer a request that is manifestly unfounded or excessive. We will not, even when permitted to do so, usually charge a fee for answering a request.
Our privacy information notice
We use personal information for a wide range of purposes to enable us to carry out our functions as a government department. When we collect personal data from you, we will tell you what we are going to use it for and provide you with other relevant information.
The purpose of this notice is to supplement the information that we provide when we collect your data, or to provide relevant privacy information where it has not been possible for us to do so before.
The VCA routinely collect small amounts of personal information to enable us to carry out our everyday activities. A breakdown of some of the work areas where personal data may be held can be found listed here, although this list is not exhaustive.
Unless the VCA has received a request in respect of one of the services it offers, or otherwise has been sent a request for information, it does not collect or hold citizen information. For example, the VCA may hold some information about you if you have imported a vehicle using the GB Conversion IVA process, but it would not hold vehicle registration data generated by the Driver Vehicle Licensing Agency (DVLA).
Similarly, the VCA does not hold personal information on behalf of, or in support of activities dealt with by other areas of government.
The purposes for which we use personal data include:
- maintaining our accounts and records
- consideration and investigation of complaints
- answering queries
- the provision of education or training
- property management
- corporate administration
- the support and management of staff and contractors
- the safety and security of those who visit our offices
- licensing, enforcement, and regulatory duties
- producing anonymised data for research, analytical or statistical purposes
There is a separate privacy notice for employees, available via our intranet. If you are an employee or ex-employee without access to our intranet, to ask to see our employee privacy notice, contact: dpa@vca.gov.uk.
Cookies
We use cookies and similar technologies to analyse the use of our online services. When you use these services, we will let you know which cookies (or similar) we are using, and why we are using them.
Before deploying any non-essential cookies on your device, we will, as required by law, either seek your consent or make you aware of your right to object.
When we share information
We may share your personal data with our suppliers to process it on our behalf. We may share personal data within our organisation or with other bodies where we are permitted or required to do so by law.
There are some cases where we can pass on your data without telling you – such as to prevent or detect crime. In all cases, whether data is shared internally or externally, we, our suppliers and data sharing partners will be governed by data protection law and be subject to a legally binding contract or other appropriate agreement.
A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.
Online Forms and Surveys
The Vehicle certification Agency (VCA) from time to time may collect information through online forms and surveys in order to gain feedback and/or understanding. about the work we do and services we provide.
Unless specified on the online form or survey, the VCA will treat your information as follows:
Names and emails
We will normally ask for your name or email address. Unless stated separately, this should only be for the potential purposes of:
- further communication or response, including asking you follow-up questions about your entry
- ascertaining the validity of the individual as required, for example, by sending access passwords
Organisational status
We may ask the status of you as a system user, including whether you are responding on behalf of an organisation or yourself. Unless stated otherwise, this will be to:
- correctly weigh your response and potentially ascertain your validity to the organisation when responding to a consultation
- ascertain your employer or company when completing transactional services
Personal information and SmartSurvey
Your personal data is processed on behalf of the VCA by SmartSurvey with respect that they are our current survey collection software provider only.
Analysis of data
Your responses and evidence may be shared with a third-party research organisation for the purposes of analysis. Your name and contact details will be removed prior to that sharing taking place and will not be shared with any third parties.
Data protection and retention of your personal details
The data collected via your VCA survey or form and the processing of any personal data that it entails is, unless otherwise stated, necessary for the exercise of our functions as a government department. The VCA will, under data protection law, be the controller for this information.
Privacy Notice – User research page has more information about your rights in relation to your personal data, how to complain and how to contact the Data Protection Officer.
Unless specified on the online form or survey, any information you provide will be:
- kept securely on the system it was entered until transferred to our internal systems
- moved to our internal systems, if not sent automatically, within 2 months, unless stated separately, and destroyed within 12 months of the entry or consultation closing date
Recording of VCA-hosted meetings
The VCA has a legitimate interest in recording formal meetings with third parties. The recordings provide a complete and accurate record of what was discussed and enable transcripts to be made, allowing those who were unable to attend to ‘catch up’ afterwards. In some cases, we may use Copilot to produce summaries or other outputs from a transcript.
You will be informed at the beginning of the meeting if it will be recorded. You will also be told what the purpose of the recording is and how it will be used after the meeting. If we intend to produce a transcript or share the recording with third parties, we will give you the details.
If you do not want to be recorded, let the meeting organiser know before the meeting. During the meeting, turn off your camera and your microphone if you do not want your voice to be recorded. If you turn off both your camera and microphone, you will still be able to participate in the meeting by using the chat bar. Comments you make in the chat bar will be attributable to you, just as they would in any other business meeting.
Correspondence
When you write to the VCA, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.
Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. Your correspondence will not be shared outside of government without your consent.
In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required.
Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.
Distribution Lists
The VCA maintains a number of distribution lists to communicate with its stakeholders.
In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list.
Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.
CCTV
The VCA has CCTV cameras installed at its sites in Bristol and Nuneaton (MIRA site). All cameras are installed for the security of staff, visitors, and contractors at VCA sites and also for the protection of VCA properties.
Internal cameras are used:
- for the monitoring of secure areas of buildings
- for the monitoring of pinch points (for example, reception.
- to provide additional security for commercial partners within our buildings
External cameras are used:
- for monitoring activity around VCA buildings / sites
- for enabling remote vehicular access to sites
- to enhance building/site protection outside of normal working hours
All footage is automatically deleted after 30 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside the VCA except in limited circumstances such as where it is necessary to make a disclosure to the police.
Filming and Photography
The VCA uses film and photographs to illustrate the work that we do in the public interest. We film individuals in non-intrusive ways where possible, for example, filming crowds from a distance. If you have any concerns about appearing in any footage, please speak to a member of the Corporate Affairs, Communication team at the time or contact communications@vca.gov.uk
We also take photographs to illustrate our work in our official publications and on social media. We aim to avoid using images which could identify members of the public. If you are concerned about a picture of you that we have used in one of our publications contact us at communications@vca@gov.uk
Artificial Intelligence
To help improve the efficiency and effectiveness of the way we carry out our tasks as a public body, we are increasingly looking to use Artificial Intelligence (AI) systems.
Where the AI uses personal data, we will carry out a DPIA to ensure that the data protection and privacy risks are fully understood. We will, however, use synthetic or anonymised data where we can.
The Data Protection Officer
The DfT with its agencies is a single controller under data protection law. Our Data Protection Officer sits within the central department and is supported by a team consisting of data protection managers and champions within each of the agencies. The ‘Data protection governance policy’ (available from the central Department on request) explains this more fully.
Our Data Protection Officer and the team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.
You can contact the Data Protection Officer by writing to the following address:
Data Protection Officer
Department for Transport
3rd Floor
One Priory Square
Hastings
East Sussex
TN34 1EA
Email: DataProtectionOfficer@dft.gov.uk
If your query relates to information specifically being processed by the VCA, to ensure you receive a prompt response please contact us by writing to the following address:
Data Protection Champion
Vehicle Certification Agency,
No 1 The Eastgate Office Centre
Eastgate Road
Bristol
BS5 6XX
Email: dpa@vca.gov.uk
Privacy by design
Where we introduce new technologies, policies, or processes, we will ensure that your privacy is considered from the outset. A data protection impact assessment (DPIA) will be carried out in all cases where the proposed processing could result in a high risk to your rights and freedoms.
We will use the DPIA to minimise the privacy risks as far as possible. In exceptional cases, where a high risk remains, we will, in accordance with our obligations under the UK GDPR, formally consult the ICO.
Our AI systems will be designed so that our staff and others who process information on our behalf can access only the information they are supposed to access. Personal data will only be used to fine-tune or train an AI model where the model is hosted on systems that are under our control. We will not allow your personal data to go outside of those systems.
The steps we take to keep your data secure
We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction, and damage. We follow the government’s secure by design principles to ensure that we embed cyber security practices in building and delivering resilient digital services and we follow the principles for securing personal data in government services.
We carry out regular reviews and audits to ensure that our methods of collecting, holding, and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.
The training and guidance we give to our staff
All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in depth training.
Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.
As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code – integrity, honesty, objectivity, and impartiality. These values also apply to the handling of personal data.
Data breach notification
The VCA does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay.
Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:
- the contact details of the department’s Data Protection Officer
- the likely consequences of the breach
- details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects
How to make a complaint
If you are unhappy with the way we have responded to a rights request or believe that we have failed in some way to meet our obligations under data protection law, see our complaints procedure for details of how best to make a complaint.
We have a legal obligation to acknowledge receipt of your complaint within 30 days, but we will try to do so within 5 working days.
We will respond to your complaint in full without delay and will, subject to our confidentiality obligations, let you know the outcome.
Where your complaint cannot be resolved quickly, for example, because it raises complex issues, we will keep you informed of our progress.
We treat all complaints seriously and investigate them thoroughly. If you remain dissatisfied after receiving our response, you have the right to complain to the ICO.
Data protection contacts
Data Protection Champion
Vehicle Certification Agency,
No 1 The Eastgate Office Centre
Eastgate Road
Bristol
BS5 6XX
Email: dpa@vca.gov.uk