Operators are leaving themselves wide open to legal claims by their drivers for data breaches after passing information on to the traffic commissioner for tribunal hearings, solicitors have warned.
JMW told Motor Transport it is currently advising a number of companies about their obligations surrounding GDPR – and many don’t realise the implications of releasing drivers’ personal data, or whether there was a lawful basis for doing so.
The law firm said legal experts believe claims will rise and insurers are steeling themselves for increased liabilities arising from data breaches, because hauliers have not got to grips with the way sensitive data is processed.
Scott Bell, partner at JMW, said that under GDPR a company is entitled to release personal data where there is a legal obligation, such as the notification of a conviction.
But problems could arise when an operator informs the TC about an incident that has not resulted in a conviction, such as failing a random alcohol or drug test.
Bell said: “Quite naturally, the operator after dismissing the driver may wish to notify the traffic commissioner of the incident, so that the commissioner can take action against the driver’s professional driving licence by way of a driver conduct hearing, given the inherent danger to the road.
“The notification will require the release of personal data relating to the driver, potential criminal offence data – such as allegations of taking of banned substances whilst driving – and special category data, as it relates to health.
“How many operators consider the GDPR implications of making such a notification and protect themselves in the event that the driver complains to the Information Commissioner regarding the disclosure?”
Motor Transport recently reported on the Unite union alleging that Birmingham Council had committed a “serious breach” of GDPR rules after it relied on tachograph data to rank bin drivers’ performance and then posted the league table on a staff room wall.
Bell added: “Operators ought to have clear policies in place that deal with such data and how it will be processed.
“However, many policies that we see are standard form with no real tailoring to the type of data that an operator may process, for example tachograph data.”
Lucy Barrow, a data protection solicitor at JMW, said within the current legal framework there were ongoing changes and “grey areas”, but that the Information Commissioner’s Office (ICO) provided guidance.
Referring to information released to the TC, she added: “At the very least, the operator would want to consider recording a Data Protection Impact Assessment before doing so, as advised under the guidance issued by the ICO.
“We would also highly advise that operators have a clear policy provided to employees that addressed when and how data will be processed and in particular how such data will be provided to the traffic commissioner under any notifications.
“This should provide a degree of protection to the operator in the event of a complaint or civil claim being made against them.”
The TCs were approached for comment about the potential risks to operators; a spokesman said they were considering a response.
