Privacy Notice and Information Charter

This page was last updated on 12th April 2024

The Vehicle Certification Agency (VCA) is an Executive Agency of the Department for Transport offering Type Approval services to the automotive industry in the UK and overseas.

Working predominantly with the automotive industry, VCA processes and holds only a small amount of personal data on the UK population.

This policy explains how VCA complies with data protection law. This includes the General Data Protection Regulation (GDPR), the Law Enforcement Directive, and other provisions contained within the Data Protection Act 2018.

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

You can read more about this on the Information Commissioner’s Office (ICO) website here:

Requesting your personal data

Where we ask for your personal information we will:

  • let you know why we need it;
  • only ask for what we need, and not collect excessive or irrelevant information;
  • ensure that it is kept safe and secure and only accessible by those who need it;
  • let you know if we will share it with other organisations to give you better public services, how we will do that and whether you can say no;
  • only keep it for as long as we need to;
  • make sure it is accurate and kept up to date;
  • not make it available for commercial use

To help us to keep your information reliable and up to date, we would ask that you:

  • Give us accurate information;
  • Tell us as soon as possible of any changes, such as a new address

We are committed to providing the best and most efficient service to both industry and the public. We may share personal information within our organisation or with other bodies within the UK Government where it would not be inconsistent with the purposes for which we collected it, and/or where we are required or permitted to do so by law.

See the section “Do you share information with third parties?” for further information.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA).

We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer or their team will seek advice from the Information Commissioner to help us find the best solution.

To improve the efficiency and effectiveness of the way we carry out our tasks as a public body, we are trialling certain Artificial Intelligence (AI) solutions. Where these use personal data they will be subject to a DPIA, and special care will be taken to ensure that we meet the data minimisation principle.

Our AI tools will be designed so that our staff and others who process information on our behalf can access only the information they are supposed to access. Personal data will only be used to fine-tune or train an AI model where the model is hosted on systems that are under our control. We will not allow your personal data to go outside of those systems.

What data will VCA hold?

VCA routinely collects small amounts of private and personal information in the course of our everyday activities. A breakdown of some of the work areas where personal data may be held can be found listed here, although this list is not exhaustive.

Unless VCA has received a request in respect of one of the services it offers, or otherwise has been sent a request for information, it does not collect or hold citizen information. For example, VCA may hold some information about you if you have imported a vehicle using the GB Conversion IVA process, but it would not hold vehicle registration data generated by the Driver and Vehicle Licensing Agency (DVLA).

Similarly, VCA does not hold personal information on behalf of, or in support of activities dealt with by other areas of government.

How is the information held?

Personal information that is held by VCA will predominantly be in electronic format only, although there are some legacy paper records that are in the process of being phased out where appropriate.

‘Electronic’ might mean emails; documents (in various proprietary software formats, e.g. Word, Excel, PDF); or data held as a database entry.

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the Government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.

The training and guidance we give to our staff

All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in-depth training.

Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.

As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code – integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.

How long do you keep my personal information?

That will largely depend on the reason for holding it in the first place, but in practice, our aim is to only hold personal data for as long as it is needed to process requests or service an agreement and as required to comply with audit processes. We have a file retention policy that sets out the length of time we keep different types of information, although this may vary on a case by case basis.

Do you share information with third parties?

VCA will only share your personal information where there is a justified and necessary reason to do so. Examples include:

  • sharing your information with other areas of the Department for Transport who may be better placed to reply to your enquiry direct, or otherwise assist VCA in answering your application or request; or
  • sharing your information with other areas of the UK Government engaged in pursuing investigations concerning the protection or detection of crime; or to protect against the misuse of public funds; or
  • to assist law enforcement and other government agencies engaged in the protection or detection of crime, or to provide evidence in criminal or civil prosecution cases; or
  • software developers employed directly by VCA to carry out development and maintenance work on VCA web tools

Please be aware that in these cases, VCA will make an independent assessment of the third party request, but will not seek your approval to share this information beforehand.

Electronic data is stored using secure hosting arrangements both within VCA and using solutions offered by third-party providers. Hosting organisations and contractors that hold data on our behalf (which may include some personal data) have a limited role in relation to processing the data held; will be fully compliant with GDPR and other legislation; and, where necessary, will be party to a sharing agreement with VCA.

What rights do I have to access or amend my information?

You have the right to request from VCA (the controller) copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. You also have the right to ask for your personal data to be rectified or erased. You may also ask VCA to restrict processing of your personal data, and you have the right to object to processing of that data, as well as rights to data portability and in relation to automated decision making (note however that VCA does not currently carry out any automated decision making activities).

VCA will usually respond to subject access requests within one month of receipt, but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.

Please note that before we can act on your request, you will need to supply proof of your identity. Please be as specific as you can about the information you want and, if it isn’t obvious, explain why you expect us to hold your personal data.

Please visit the Information Commissioner’s Office website to read about your rights under the General Data Protection Regulations. Follow this link for details on how to make an application under GDPR.

Data breach notification

VCA does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of the department’s Data Protection Officer
  • the likely consequences of the breach
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects

The Data Protection Officer

DfT with its agencies is a single controller under data protection law. Our Data Protection Officer sits within the central department and is supported by a team consisting of data protection managers within each of the agencies. The ‘Data protection governance policy’ (available from the central Department on request) explains this more fully.

Our Data Protection Officer and his team inform and advise the department on how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.

Contact details for the DfT Data Protection Officer can be found here: When requesting information specifically from VCA however, please use the contact details published on our “Making an application under the General Data Protection Regulations” page.

What rights do I have to access other information?

Please visit our contact page for general telephone and email contact details.

You can also make a request for information that VCA may hold under the Freedom of Information Act 2000; or the Environmental Information Regulations 2004. To make a request of this type, please email the data controller:

Privacy and Cookies

Information about the types of cookies we use can be found here.


Please note that in the course of your communications with VCA, any advice or comments provided, whether by email, letter, or verbally, should only be considered as opinions. Interpretation of the law is the sole prerogative of the courts.

For VCA staff: Socio-Economic Background (SEB) Survey data

A separate Privacy Notice exists for VCA staff which explains how data collected under the recent Socio-Economic Background (SEB) survey is processed (please follow this link to the VCA Intranet – STAFF ONLY).