The Ombudsman’s final letter reveals a shallow administrative review that fails to engage with the substance of your complaint and falls short of the Ombudsman’s own standards for public body oversight. It focuses narrowly on whether DVLA signposted you, while ignoring your actual grievance: that DVLA failed to investigate G24’s post-access misuse of your personal data — a duty it holds under the KADOE contract and its ongoing obligations as a data controller.
Here is a formal response to the Ombudsman’s decision, suitable as a feedback challenge to the caseworker (to be sent within their one-month time limit):
Subject: Feedback and Request for Reconsideration – DVLA Complaint Decision
Dear [Caseworker's Name],
Thank you for your letter regarding my complaint against the DVLA. I appreciate your time in reviewing the case. However, I must formally object to the outcome and request that the Ombudsman reconsider the decision not to take further action, for the following reasons.
1. Misframing of My Complaint
The summary presented in your decision does not reflect the actual substance of my complaint. My grievance has never been about whether the DVLA had reasonable cause to release my data. Nor have I suggested that the DVLA is responsible for adjudicating the parking charge itself.
The core of my complaint is that the DVLA failed to investigate credible and evidenced post-access misuse of my data by G24 Ltd, in breach of the Private Parking Single Code of Practice (PPSCoP) and Schedule 2 of the KADOE contract — terms under which DVLA continues to act as a joint data controller, even after data is released.
By refusing to investigate that misuse and instead offering template responses, the DVLA failed in its obligations as a public body and data controller. That failure is separate from the original data release decision and has not been addressed in your assessment.
2. Oversight Failure and Incomplete Analysis
Your decision centres on whether the DVLA “signposted” me to the ICO or the IPC. While that may fulfil a basic procedural requirement, it is entirely beside the point. The issue was not poor signposting, but a complete failure of regulatory oversight. My complaint set out in detail:
Material breaches of the PPSCoP by G24 Ltd, including:
• Pursuing a charge despite evidence of vehicle breakdown (Annex F1(c));
• Misstating the payment period in the NtK (Section 8.3.1);
• Escalating to debt collectors after ignoring a formal complaint.
• The DVLA’s
ongoing responsibility under the KADOE contract and UK GDPR to investigate and address such misuse.
• The DVLA’s refusal to consider those breaches or conduct any form of enquiry, despite being notified.
Your letter makes no reference to these breaches, nor does it assess whether the DVLA’s refusal to investigate was proportionate, reasonable, or consistent with its public duty and role as data controller.
3. Misdirection Regarding the ICO
While I accept that the ICO handles general data protection matters, my complaint was not about a generic misuse of personal data. It concerned the DVLA’s contractual and procedural failure to act in accordance with the terms under which it supplies personal data to private companies.
That is not a matter for the ICO to resolve. It is a matter of maladministration by a government agency, and therefore squarely within the Ombudsman’s jurisdiction.
4. Disregard for Public Interest Considerations
The letter fails to recognise the broader public interest in this complaint. This case raises systemic concerns:
• The DVLA's unwillingness to investigate misuse of sensitive personal data, even where clear Code of Practice breaches are identified;
• The total absence of regulatory accountability in the KADOE process once data is released;
• The fact that no redress mechanism exists for data subjects once a parking operator misuses their data, unless the DVLA chooses to act — which it demonstrably will not.
This is not an isolated complaint. It is emblematic of a wider failure of oversight that affects thousands of motorists. Dismissing such a case on administrative grounds without reviewing the substance contributes to that systemic failure.
5. Request for Reconsideration
Given the above, I request that this complaint be reconsidered by a senior investigator who can properly evaluate whether the DVLA's refusal to act in the face of a documented misuse of data amounts to maladministration.
If you maintain that the Ombudsman has no jurisdiction to assess whether the DVLA discharged its duties as a data controller under the KADOE contract, please confirm this in writing, with reference to your governing standards or exclusions.
I remain prepared to escalate the matter further if required, and I thank you in advance for ensuring a more thorough review.
Yours sincerely,
[Your Full Name]
[Your Contact Details]
You can email back to the morons at Moorside at help@moorsidelegal.co.uk and cc yourself with the following:
For the attention of: the person with conduct of this matter
Re: Your defective reply to your own Letter of Claim – demand for proper PAPDC compliance
Dear Sirs,
Your latest missive is an object lesson in how not to engage with the Pre-Action Protocol for Debt Claims (PAPDC) and the Practice Direction on Pre-Action Conduct and Protocols (PD-PACP). It neither addresses the requests set out in my response to your Letter of Claim, nor provides the documents you are obliged to disclose. Instead, you point me to a third-party web portal (which I have already stated I will not use), recite trade-association boilerplate about add-on charges, and then compound matters by demanding two different totals in the same letter (£170 and £340). This is not competent pre-action conduct.
Identify the author and person with conduct
Who wrote that response? Kindly have the individual who authored it identify themselves in full, state their role, and provide their SRA number (if any). If the author is unauthorised to conduct litigation, confirm the supervising solicitor who is responsible, with their SRA number. Put another way: who at your firm is willing to put their name to that letter and take responsibility for it?
Protocol and Practice Direction breaches
You have still failed to comply with PAPDC ¶¶3.1(a)–(d), 5.1–5.2, and PD-PACP ¶¶6(a) & 6(c). I asked—expressly and properly—for the core documents and information that any litigant must supply so the parties can understand each other’s position and attempt proportionate resolution. Instead of providing:
1. the NtK relied upon for any alleged PoFA liability,
2. the actual signage in place on the material date (not a stock image),
3. the precise contractual clause(s) allegedly breached,
4. the landowner authority/contract, and
5. a coherent breakdown of the principal sum and the basis in law for any add-ons,
—you offered none of it. You even asserted it is “unclear” why I would need to inspect your client’s standing to operate. It isn’t unclear; it is elementary. Locus standi is a threshold issue. If you cannot grasp why authority to contract and to sue matters, please pass this letter to a responsible adult at your firm who does.
Web portals
I will not engage with any web portal. That position has been stated and is entirely reasonable. Your pre-action obligations are not satisfied by outsourcing disclosure to an “evidence” portal. Send the documents by email or post.
Incoherent and inflated sums
Your letter simultaneously asserts an “outstanding balance” of £170 and demands payment of £340 within 7 days. Which is it? If you intend to place contradictory figures before the court, that is your prerogative, but do not expect the court to be impressed by arithmetic this poor.
Your reliance on ATA codes to justify a £70 “debt recovery” add-on is legally irrelevant. Trade-association codes are not law and cannot expand recoverable damages under contract or statute. Courts have repeatedly disallowed such add-ons as an abuse (see, e.g., Excel v Wilkinson [2020], and numerous small-claims decisions following it). Any attempt to plead the extra £70 (or to double it, as your £340 demand suggests) will be challenged and treated as unreasonable conduct.
Next steps
You were already told that, upon receipt of a compliant Letter of Claim and the documents requested, I will seek advice and provide a full response within 30 days, as the PAPDC contemplates. Instead of complying, you sent marketing copy and payment links. If you issue proceedings without first complying with PAPDC and PD-PACP, I will apply for an immediate stay pursuant to PD-PACP ¶15(b), seek an order compelling the missing documents, and invite the court to impose appropriate sanctions and costs (see Webb Resolutions Ltd v Waller Needham & Green [2012] EWHC 3529 (Ch); Daejan Investments Ltd v Park West Club (2003) EWHC 2872; Charles Church Developments Ltd v Stent Foundations [2007] EWHC 855).
Separately, your persistent refusal to comply with pre-action obligations, your attempt to force a portal, your presentation of contradictory balances, and your pursuit of unrecoverable add-ons will be the subject of a report to the SRA. This correspondence and your original Letter of Claim will be produced in support if you proceed to issue.
What you must now do (14 days)
Within 14 days, provide by email or post:
• the NtK relied upon (showing strict PoFA compliance, if alleged),
• contemporaneous photographs of the signage in situ on the material date,
• the exact contractual clause(s) allegedly breached,
• the landowner contract/authority to operate and to litigate, and
• a clear, lawful breakdown of the principal sum (with the legal basis for any sum above the face value of the PCN, which is denied).
Failing that, treat this as your final opportunity to rectify your non-compliance. If you remain unable to understand how litigation works, escalate this file to someone at your firm who does.
Yours faithfully,
[Your name]
[Your contact details]
Reply to help@moorsidelegal.co.uk and CC yourself with the following:
b]Subject: Response to your Letter of Claim Ref: [reference number][/b]
Dear Sirs,
Your Letter Before Claim contains insufficient detail of the claim and fails to provide copies of evidence your client places reliance upon and thus is in complete contravention of the Pre-Action Protocol for Debt Claims.
As a firm of supposed solicitors, one would expect you to be capable of crafting a letter that aligns with paragraphs 3.1(a)–(d), 5.1 and 5.2 of the Protocol, and paragraphs 6(a) and 6(c) of the Practice Direction. These provisions do not exist for decoration—they exist to facilitate informed discussion and proportionate resolution. You might wish to reacquaint yourselves with them.
The Civil Procedure Rules 1998, Pre-Action Conduct and Protocols (Part 3), stipulate that prior to proceedings, parties should have exchanged sufficient information to understand each other’s position. Part 6 helpfully clarifies that this includes disclosure of key documents relevant to the issues in dispute.
Your template letter mentions a “contract”, yet fails to provide one. This would appear to undermine the only foundation upon which your client’s claim allegedly rests. It’s difficult to engage in meaningful pre-litigation dialogue when your side declines to furnish the very document it purports to enforce.
Please be aware, I will not engage with any web portal should you attempt to direct me to one. I will only respond to any communication from you by email or post. Your choice.
I confirm that, once I am in receipt of a Letter Before Claim that complies with the requirements of para 3.1 (a) of the Pre-Action Protocol, I shall then seek advice and submit a formal response within 30 days, as required by the Protocol. Thus, I require your client to comply with its obligations by sending me the following information/documents:
1. A copy of the original Notice to Keeper (NtK) that confirms any PoFA 2012 liability
2. A copy of the contract (or contracts) you allege exists between your client and the driver, in the form of an actual photograph of the sign you contend was at the location on the material date, not a generic stock image
3. The exact wording of the clause (or clauses) of the terms and conditions of the contract(s) which is (are) relied upon that you allege to have been breached
4. The written agreement between your client and the landowner, establishing authority to enforce
5. A breakdown of the charges claimed, identifying whether the principal sum is claimed as consideration or damages, and whether the £70 “debt recovery” fee includes VAT
6. The full name and role of the person with conduct of this matter and their regulatory status/authorisation to conduct litigation
I am clearly entitled to this information under paragraphs 6(a) and 6(c) of the Practice Direction. I also need it in order to comply with my own obligations under paragraph 6(b).
If your client does not provide me with this information then I put you on notice that I will be relying on the cases of Webb Resolutions Ltd v Waller Needham & Green [2012] EWHC 3529 (Ch), Daejan Investments Limited v The Park West Club Limited (Part 20) Buxton Associates [2003] EWHC 2872, Charles Church Developments Ltd v Stent Foundations Limited & Peter Dann Limited [2007] EWHC 855 in asking the court to impose sanctions on your client and to order a stay of the proceedings, pursuant to paragraphs 13, 15(b) and (c) and 16 of the Practice Direction, as referred to in paragraph 7.2 of the Protocol.
Until your client has complied with its obligations and provided this information, I am unable to respond properly to the alleged claim and to consider my position in relation to it, and it is entirely premature (and a waste of costs and court time) for your client to issue proceedings. Should your client do so, then I will seek an immediate stay pursuant to paragraph 15(b) of the Practice Direction and an order that this information is provided.
Yours faithfully,
[Your name]
Here’s exactly what you need to give your MP and the Ombudsman, ready to copy-paste.
1) Email reply to your MP (cover note)
Subject: PHSO referral – DVLA complaint (final response and completed form enclosed)
Dear [MP’s Name],
Thank you for agreeing to refer my complaint to the Parliamentary and Health Service Ombudsman.
Please find enclosed:
1. Final stage complaint response – the Independent Complaints Assessor’s (ICA) decision letter from Stephen Shaw dated [insert date], which states that all stages of the Department for Transport complaints process are now closed and signposts the PHSO.
2. Completed PHSO “UK government services” complaint form (signed), with the “MP details” section left blank for your office to complete.
3. Evidence bundle (single PDF) – index below.
If anything further is required, I will provide it promptly.
Yours sincerely,
[Your name]
[Your address]
[Your phone / email]
2) Text for the PHSO complaint form (copy into the relevant boxes)
Organisation you’re complaining about
Driver and Vehicle Licensing Agency (DVLA), Data Assurance / Data Sharing (KADOE).
What happened and why this was wrong (summary)
My complaint is not about DVLA’s initial disclosure of keeper data under Regulation 27. It is about DVLA’s failure, as Data Controller and KADOE counterparty, to investigate misuse of my data after disclosure by Parking Control Management (UK) Ltd (PCM) and its mishandling of my complaint.
I provided DVLA with evidence that PCM’s post-disclosure processing breached (i) PoFA Sch 4 (no “relevant land”; no “period of parking”), (ii) the Private Parking Single Code of Practice (e.g. §§ 8.1.1(d), 8.1.2(e) Note 2, 11.3), and therefore (iii) the KADOE contract conditions governing use of DVLA data. Instead of addressing those issues, DVLA’s Step 1 and Step 2 replies repeatedly reverted to “reasonable cause to obtain”, which I had expressly accepted, and deflected me to the IPC/IAS, bodies that do not determine DVLA’s duties as Data Controller or KADOE compliance.
Only after I sought an ICA referral did DVLA send a further letter repeating the same deflection and asserting that PCM “becomes the data controller” on receipt—without addressing DVLA’s own responsibilities for oversight, audit, and enforcement of KADOE conditions once a misuse is reported. The ICA decision acknowledges my complaint was well-argued and that DVLA’s Step 1 response did not engage with my points, yet nonetheless concludes DVLA acted properly. I contend this is maladministration: failure to consider relevant matters, failure to follow complaints standards, and failure to exercise DVLA’s public-task responsibilities in respect of data it discloses under KADOE.
What have you done to resolve the complaint?
• DVLA Step 1 complaint: submitted 10 April 2025 (with supporting statement).
• DVLA Step 2 escalation: 21 May 2025 (with supporting statement).
• Request for ICA referral after DVLA closed Step 2 without addressing substance.
• ICA final decision (Stephen Shaw, [insert date]) closes DfT process and signposts PHSO.
• I have also preserved all correspondence with PCM and the IPC/IAS signposting.
Impact on you
Significant time and distress; risk of unjustified financial detriment; ongoing processing of my personal data contrary to the framework under which DVLA disclosed it; and loss of confidence that DVLA will act when misuse is credibly reported.
What outcome are you seeking?
• A finding of
maladministration in DVLA’s handling (failure to consider the substance; inappropriate deflection; poor complaint signposting).
• A
remedy plan requiring DVLA to:
1. Re-open and conduct a proper investigation of PCM’s post-disclosure use of my data against KADOE/PoFA/PPSCoP, record findings, and take proportionate contractual action if breaches are confirmed.
2. Issue a written apology acknowledging failings and service-improvement actions (guidance to staff distinguishing “reasonable cause to obtain” from “lawful use after disclosure”; correct ICA signposting).
3. Confirm cessation of any further use of my data arising from the impugned PCN unless and until lawfully justified, and confirm any rectification/erasure steps taken with PCM where appropriate.
4. Ex-gratia redress for distress and avoidable time/cost (suggested £250–£500 in line with PHSO bandings).
3) Evidence bundle – suggested index (attach as one PDF in this order)
1. ICA final decision (Stephen Shaw, [date]) – “This letter thus brings all stages… to a close” and signposts PHSO.
2. DVLA Step 2 response (21 May 2025).
3. Your Step 2 complaint and supporting statement.
4. DVLA Step 1 response and your original complaint + supporting statement.
5. DVLA 26 June follow-up letter referred to by ICA.
6. PCM Notice to Keeper and any correspondence showing PoFA/PPSCoP failures (e.g., no “relevant land”, no “period of parking”, misstatement of keeper liability, refusal to treat a complaint as a complaint, lack of proof of posting).
7. PPSCoP extracts cited (8.1.1(d), 8.1.2(e) Note 2, 11.3).
8. Any correspondence showing DVLA’s refusal to investigate post-disclosure misuse and deflection to IPC/IAS.
9. Short timeline (one page).
4) One-page timeline (paste into the bundle)
• 11 Feb 2025: PCM issues NtK (alleged breach at “Queens Road Estate”; single timestamp; no “period of parking”).
• 10 Apr 2025: Step 1 complaint to DVLA (post-disclosure misuse; PoFA/PPSCoP/KADOE breaches).
• 16 Apr 2025: DVLA Step 1 reply – addresses only “reasonable cause to obtain”; deflects to IPC/IAS.
• 21 Apr 2025: Step 2 escalation submitted with detailed supporting statement.
• 21 May 2025: DVLA Step 2 reply – again focuses on “reasonable cause”; repeats IPC/IAS deflection; closes DVLA process.
• [Date]: Request for ICA referral (DVLA had not signposted).
• 26 Jun 2025: DVLA additional letter repeating deflection and disclaiming duty to investigate post-disclosure misuse.
• [Date]: ICA final decision issued; closes DfT complaints and signposts PHSO.
5) Short covering note for the PHSO bundle (optional)
Covering note – DVLA maladministration (KADOE / post-disclosure misuse)
This complaint concerns maladministration by DVLA in handling a data-misuse complaint: failure to consider relevant matters; repeated reliance on an issue not in dispute (“reasonable cause to obtain”); inappropriate deflection to the IPC/IAS; failure to signpost the ICA at Step 2; and failure to exercise DVLA’s responsibilities as Data Controller and KADOE counterparty once a credible misuse was reported. I do not ask the PHSO to adjudicate on PCM’s liability or private parking law, but to assess DVLA’s complaint handling and oversight duties arising from the framework under which it discloses and audits personal data.
What to attach to your MP now
• The ICA final decision letter (this satisfies the MP’s request for the “final stage complaint response”).
• Your completed and signed PHSO form (leave the MP section blank).
• The evidence bundle PDF (or confirm you will send it upon request if file size is an issue).
The ICA’s final report is a masterclass in bureaucratic deflection. It basically says the DVLA did nothing wrong, but that’s not consistent with what they actually admit. They say your complaint was well-argued and that the DVLA’s first response didn’t address your points properly. Yet they still conclude that DVLA acted “properly” overall, which doesn’t add up.
They claim DVLA has no duty to investigate how your data was used after it was released. But under UK GDPR and the Protection of Freedoms Act, DVLA is still responsible as the Data Controller. They can’t just wash their hands of it once the data is handed over.
They also say PCM becomes the Data Controller once they receive the data. That’s true, but DVLA still has a duty to make sure data is only released under strict conditions, and that includes checking whether companies follow the rules after getting the data. That’s part of the KADOE contract.
The ICA says DVLA referred you to the IPC and the IAS. But the IPC isn’t independent, and the IAS doesn’t deal with complaints about data misuse or how DVLA handles complaints. So that referral was pointless.
They also say they can’t rule on legality. But you never asked them to. Your complaint was about DVLA’s failure to investigate and how they mishandled your complaint — which is exactly what the ICA is supposed to look at.
They praise DVLA’s June 26 letter as “comprehensive,” but it just repeated the same excuses and didn’t deal with the actual breaches you raised.
So what’s next?
You now have a strong case to take this to the Parliamentary and Health Service Ombudsman. The ICA’s own report helps you:
• It admits DVLA’s first response was poor.
• It shows DVLA didn’t investigate how your data was used.
• It confirms DVLA didn’t follow its own complaints procedure.
• It shows DVLA didn’t enforce the KADOE contract properly.
• And it proves the ICA didn’t fully engage with the substance of your complaint.
When you escalate, you will need to focus on administrative failure — not legal arguments. Point out that DVLA failed in its duty as Data Controller, didn’t investigate your complaint properly, didn’t follow procedure, and didn’t enforce its own rules.
I suggest you send the following email to your MP. https://members.parliament.uk/FindYourMP
Subject: Request for Parliamentary Referral to the Ombudsman – DVLA Complaint
Dear [MP's Name],
I am writing to request your assistance in referring a formal complaint to the Parliamentary and Health Service Ombudsman regarding the conduct of the Driver and Vehicle Licensing Agency (DVLA).
My complaint concerns the DVLA’s failure to investigate the misuse of my personal data by a private parking company, Parking Control Management (UK) Ltd, after it was released under a KADOE agreement. While the DVLA claims the company had “reasonable cause” to request my data, my concern is not about the initial release — it is about what happened afterwards.
The DVLA’s position is that once the data is passed to a private company, it becomes that company’s responsibility — because they are now the “data controller”. But this is a serious misunderstanding of how data protection law works. The DVLA remains the original data controller and is legally responsible for ensuring that any data it releases is used lawfully and in line with strict conditions. That responsibility does not vanish the moment the data is handed over. The DVLA has a duty to monitor how its data is used, especially when misuse is reported — and in my case, it failed to do so.
The DVLA has a contract (KADOE) with parking companies that sets rules for how keeper data must be used. It also has audit powers and oversight responsibilities. In my case, the DVLA ignored clear evidence that the company breached those rules and failed to investigate. It also mishandled my complaint by focusing on irrelevant issues and failing to follow its own complaints procedure.
I escalated the matter to the Independent Complaints Assessor (ICA), whose response was a masterclass in bureaucratic deflection. It essentially concluded that the DVLA had done nothing wrong — yet the ICA also admitted that my complaint was well-argued and that the DVLA’s initial response failed to engage with the actual issues. Despite this, they still concluded that the DVLA acted “properly,” which simply doesn’t add up.
I now wish to take this further through the Ombudsman, and I understand that a referral must come from an MP. I would be grateful if you could assist by referring this matter to the Parliamentary and Health Service Ombudsman on my behalf. I can provide all supporting documents, including the DVLA correspondence, my complaint, and the ICA’s final report.
Thank you for your time and consideration. I look forward to hearing from you.
Yours sincerely,
[Your Full Name]
[Your Address]
[Your Email Address]
[Your Phone Number]
You can respond by email to Jonathan Wigmore with the following:
Subject: ICA Case – Further Clarification of Outstanding Concerns (PCM / DVLA Complaint)
Dear Mr Wigmore,
Thank you for your acknowledgement and for confirming that my complaint has been received and queued for review.
In response to your invitation for clarification, I confirm that my complaint is not about the DVLA’s initial release of data under KADOE, but rather about the DVLA’s failure to investigate the subsequent misuse of that data, and its mishandling of my formal complaint about it.
My main concerns are as follows:
1. Failure to address the substance of my complaint:
Despite clearly setting out evidence that PCM had misused my data in breach of PoFA and the Private Parking Single Code of Practice (PPSCoP), DVLA’s Step 1 and Step 2 responses ignored the specific breaches I identified. Both replies relied on irrelevant boilerplate about “reasonable cause,” which I had explicitly said was not in dispute. No explanation was given as to why the complaint about subsequent misuse of the data was not investigated.
2. Failure to consider breaches of the PPSCoP or KADOE contract:
The DVLA failed to consider whether PCM’s conduct post-disclosure breached the PPSCoP or KADOE contract, both of which form the framework for lawful processing of released data. My complaint cited specific PPSCoP sections, including 8.1.1(d), 8.1.2(e), and 11.3, which were entirely unaddressed.
3. Obstructive and dismissive responses:
The tone and content of the Step 1 response from Carly Williams was superficial and dismissive. It actively misrepresented the focus of my complaint. The Step 2 response merely repeated the same line, again ignoring the actual substance and offering no evidence of meaningful investigation.
4. Failure to mention ICA referral:
The DVLA closed the complaint at Step 2 but did not offer or explain the ICA referral process, despite being required to under the DfT’s published Terms of Reference. I had to request this referral myself, having identified the failure.
What I hope to achieve:
I would like the ICA to find that the DVLA:
• Failed to properly investigate a legitimate complaint about misuse of personal data under its own data-sharing framework
• Breached its own complaints handling standards by failing to engage with the substance of the complaint
• Failed in its duty under the KADOE contract and PPSCoP to monitor AOS members’ compliance
• Failed to follow its own procedure by omitting to inform me of my right to ICA review
I am not asking the ICA to rule on the lawfulness of PCM’s conduct, but to assess whether the DVLA fulfilled its responsibilities as data controller and complaint handler.
Please let me know if further clarification is needed. I appreciate your time and look forward to the full review once the case is allocated.
Yours sincerely,
[Your Full Name]
[Your Reference No]
That response is yet another template-driven brush-off. It avoids engaging with the substance of the complaint, namely the unlawful use of your data in breach of the KADOE contract, PoFA, and the PPSCoP.
They claim:
“I have not identified any errors regarding the release of your details.”
But the complaint was not about the release of data — it was about how PCM used it after obtaining it. They’ve shifted the scope of the complaint back to Step 1 territory, ignoring the arguments about ongoing misuse.
“I can only reiterate… that you contact the International Parking Community (IPC) directly about your concerns.”
This is a clear dereliction of duty. The DVLA, not the IPC, is the data controller and party to the KADOE contract. You are not complaining about a Code of Practice breach in isolation — you are complaining that DVLA data was processed unlawfully after release, which only the DVLA can deal with under UK GDPR and the terms of the KADOE contract.
They then falsely conclude the procedure is over:
“This brings the DVLA procedure to an end.”
That’s not entirely correct. Because this is a data protection matter concerning the lawful basis for data processing, you can now escalate to the Information Commissioner’s Office (ICO).
The DVLA has now formally closed its complaints process. Since they are the data controller and have dismissed a valid data misuse complaint without proper investigation, you can now escalate to the ICO.
You can copy and adapt the following:
I am submitting a formal complaint concerning the misuse of my personal data by Parking Control Management (UK) Ltd (PCM), which was obtained from the DVLA via a KADOE request. The DVLA, as data controller, failed to act upon a complaint regarding unlawful processing of this data.
My original complaint to the DVLA (Step 1 on 10 April 2025; Step 2 on 23 April 2025) explained that PCM issued a Notice to Keeper (NtK) that did not comply with Schedule 4 of the Protection of Freedoms Act 2012 (PoFA), and that they misrepresented keeper liability, in breach of the Private Parking Single Code of Practice (PPSCoP).
These breaches mean the parking operator had no lawful basis to continue processing my data. As per the DVLA’s KADOE contract, data must only be used in accordance with PoFA and the applicable Code of Practice.
The DVLA closed the complaint at Step 2 without any investigation, stating only that no error was found in the release of the data. However, my complaint was not about the release, but about the subsequent use of my personal data — which the DVLA is obligated to regulate.
I am therefore asking the ICO to investigate both:
• The unlawful use of my data by PCM in breach of the KADOE contract and data protection law, and
• The DVLA’s failure, as data controller, to investigate or take action despite being fully informed of the misuse.
I am happy to provide all supporting documents and correspondence from the DVLA if required.
You can also make a complaint about the DVLA handling of your case to the Independent Complaints Assessor (ICA). The ICA can review how your complaint was handled (delay, rudeness, procedural errors etc.) and look at administrative failings in the complaints process
What the ICA cannot do is to overturn a DVLA decision, investigate policy decisions, investigate misuse of DVLA data (that’s the ICO’s job) or enforce compliance with the KADOE contract.
You can only contact the ICA after the DVLA’s internal process is complete — which it now is. However, you cannot make the complaint yourself and the DVLA must refer it to the ICA themselves.
Email back to the Head of Complaints with the following:
Subject: Request for DVLA to Refer Complaint to the Independent Complaints Assessor (ICA)
Dear DVLA Head of Complaints,
I am writing in regard to your Step 2 response dated 21 May 2025 (Ref: [INSERT]), which closed my complaint regarding Parking Control Management (UK) Ltd’s misuse of my keeper data obtained via a KADOE request.
Your response states that “further options can be found in the attached leaflet (MIS 582), which outlines the remit of the Independent Complaints Assessor (ICA)”, but you did not refer my complaint to the ICA, nor did you offer to do so — which you are required to do under the Department for Transport’s published ICA Terms of Reference:
“The final response to a complaint from the DfT agency should inform the complainant of the option of referral to the ICA.”
“Referrals to the ICA must be made by the DfT agency concerned.”
I am therefore requesting that you now make a formal referral to the ICA.
In addition to this procedural failure, the way my complaint was handled at both Step 1 and Step 2 was entirely inadequate and, in my view, obstructive. The core of my complaint was not about whether PCM had reasonable cause to obtain my data, but about their misuse of that data after acquisition — in breach of:
• The Protection of Freedoms Act 2012 (PoFA)
• The Private Parking Single Code of Practice (PPSCoP)
• The DVLA’s KADOE contract
Despite explaining this in detail — with references to specific statutory and Code of Practice breaches — your Step 1 and Step 2 responses ignored every substantive point and instead responded solely on the issue of “reasonable cause”, which I had clearly stated was not in dispute. No evidence has been presented that any investigation took place.
The DVLA, as Data Controller, is responsible for ensuring that data released from the vehicle register is used lawfully. The failure to even address whether PCM’s subsequent use of my data was lawful is, in my view, a serious failure of duty.
I ask that this complaint now be formally referred to the ICA under the DfT’s published procedure, and that you confirm once this referral has been made.
Yours sincerely,
[YOUR NAME]
[ADDRESS / EMAIL]
As normal... a complete obfuscation of what was complained about. You now escalate this complaint to the DVLA Head of Complaints"
https://contact.dvla.gov.uk/head-of-complaints
The format is the same as for the step 1 complaint. So, copy and paste this into the complaint webform:
This is a Step 2 escalation of my original complaint submitted on 10 April 2025 regarding Parking Control Management (UK) Ltd’s misuse of my personal data obtained via a KADOE request.
The Step 1 response failed to address the actual substance of my complaint. I am not disputing that PCM had reasonable cause to obtain the data — my complaint concerns their unlawful use of the data after acquisition, in breach of PoFA, the BPA/IPC Private Parking Single Code of Practice (PPSCoP), and the KADOE contract.
I have uploaded a full Step 2 supporting statement in PDF format. Please confirm this has been escalated appropriately and provide a reference number.
...and then attach the following as a pdf on the next page:
SUPPORTING STATEMENT
Step 2 Complaint – Misuse of Keeper Data by Parking Control Management (UK) Ltd
DVLA Complaint Reference: [INSERT REFERENCE]
Date of Original Complaint Submission: 10 April 2025
Vehicle Registration: [INSERT VRM]
This is a formal escalation to Step 2 of the DVLA’s complaints procedure. It follows the Step 1 response dated [insert date], issued by Carly Williams of the Data Assurance Team.
That response failed entirely to address the substance of my complaint. Instead of reviewing the issues raised, it resorted to a generic explanation about “reasonable cause” — something I never disputed. I consider the response to have been petty, evasive, and obstructive, and a complete failure to engage with the legal and procedural breaches I set out.
To be clear:
• I did not dispute that PCM may have had reasonable cause to request my data at the time of their DVLA enquiry.
• My complaint concerns PCM’s subsequent misuse of that data, in breach of the Protection of Freedoms Act 2012 (PoFA), the BPA/IPC Private Parking Single Code of Practice (PPSCoP), and the KADOE contract — all of which are binding conditions for access to DVLA keeper data.
As Data Controller, the DVLA has a responsibility not only to ensure data is disclosed lawfully, but that it is also used lawfully after disclosure. Where a company breaches the conditions under which DVLA data was obtained, continued use becomes unlawful and enforcement action must follow.
In this case, PCM:
• Issued a Notice to Keeper (NtK) that fails to comply with PoFA Schedule 4, Paragraph 8(2)(a):
• It did not identify the “relevant land” (it stated only “Queens Road Estate”)
• It did not specify a “period of parking” — only a single timestamp, which is legally insufficient
• Falsely claimed keeper liability applied, despite the NtK not meeting PoFA conditions — a clear breach of PPSCoP Section 8.1.1(d)
• Refused to investigate a formal complaint, breaching PPSCoP Section 11.3 — they treated it as an appeal, contrary to the Code
• Failed to provide proof of posting when asked, breaching PPSCoP Section 8.1.2(e) Note 2
All of these breaches were clearly outlined in my original complaint and supporting material. It is unacceptable that the DVLA's Step 1 review ignored these matters entirely.
This document is submitted as a formal Step 2 supporting statement, and I request that the DVLA now properly investigate PCM’s misuse of my personal data under the terms of the KADOE contract and Code of Practice.
Please confirm this has now been escalated to Step 2 and provide a new reference, if applicable. I am happy to provide all correspondence again if needed.
So send a formal complaint to the DVLA. Here’s how to make a DVLA complaint:
• Go to: https://contact.dvla.gov.uk/complaints
• Select: “Making a complaint or compliment about the Vehicles service you have received”
• Enter your personal details, contact details, and vehicle details
• Use the text box to summarise your complaint or insert a covering note
• You will then be able to upload a file (up to 19.5 MB) — this can be your full complaint or supporting evidence
That’s it.
The DVLA is required to record, investigate and respond to every complaint about a private parking company. If everyone who encounters a breach took the time to submit a complaint, we might finally see the DVLA take meaningful action—whether that means curtailing or removing KADOE access altogether.
For the text part of the complaint the webform could use the following:
I am submitting a formal complaint against Parking Control Management (UK) Ltd, an IPC AOS member with DVLA KADOE access, for breaching the Private Parking Single Code of Practice (PPSCoP) and misusing my personal data obtained from the DVLA.
While PCM may have had reasonable cause at the time of their KADOE request, their subsequent conduct—specifically, their misuse of my data in breach of the PPSCoP and the Protection of Freedoms Act 2012 (PoFA)—renders that use unlawful. Continued access to DVLA data is conditional on compliance with the Code and the KADOE contract.
The DVLA, as the Data Controller, is required under UK GDPR and the Data Protection Act 2018 to investigate and take action when personal data is misused following release.
This complaint is not about whether PCM had a lawful reason to obtain my data, but about how they used it unlawfully after the fact. I have attached a full supporting statement and request that you investigate this matter thoroughly.
Please confirm receipt and provide a reference number for this complaint.
Then you could upload the following as a PDF file for the formal complaint itself:
SUPPORTING STATEMENT
Complaint to DVLA – Breach of KADOE Contract and PPSCoP
Operator name: Parking Control Management (UK) Ltd
Date of PCN issue: 11/02/2025
Vehicle registration: [INSERT VRM]
I am submitting this complaint to report a misuse of my personal data by Parking Control Management (UK) Ltd (PCM), who obtained my keeper details from the DVLA under the KADOE (Keeper At Date Of Event) contract.
Although the parking company may have had reasonable cause to request my data initially, the way they have used that data afterwards amounts to unlawful processing. This is because they have acted in breach of the Private Parking Single Code of Practice (PPSCoP) and the Protection of Freedoms Act 2012 (PoFA), both of which are mandatory for access to DVLA keeper data. The KADOE contract makes clear that DVLA data may only be used to pursue unpaid charges in accordance with these rules.
In this case, PCM has breached both PoFA and the PPSCoP in the following ways:
1. Failure to Specify “Relevant Land” – PoFA 8(2)(a)
The NtK issued by PCM on 19/02/2025 refers only to “Queens Road Estate.” This is not a precise or identifiable location. The estate is large and includes multiple blocks, roads, and parking areas. There is no mention of a specific road, bay number, or other detail that would help identify where exactly the vehicle was said to be parked.
This is a clear failure to meet the PoFA requirement to “specify the land on which the vehicle was parked.” Without this, the recipient cannot assess the allegation or verify the presence or terms of any signage. As a result, keeper liability cannot apply.
2. Failure to Specify a “Period of Parking” – PoFA 8(2)(a)
The NtK includes only a single timestamp (“14:56”) and does not mention any period of parking. This is not a valid “period” under PoFA. The law requires a duration of parking to be stated so the keeper can assess whether a contravention occurred and how long the vehicle was said to be parked.
There is no evidence that the vehicle remained on site for more than a minute or two, and no evidence that it stayed longer than the minimum five-minute “consideration period” required by the PPSCoP. That five minutes is the time allowed to review signage and leave without entering into a contract.
If a driver leaves during the consideration period, no contract can be formed and no parking charge is valid. This was confirmed in the persuasive appellate case of Brennan v Premier Parking Solutions (2023) [H6DP632H], where the court ruled that a timestamp is not sufficient and that PoFA requires a defined period. PCM has failed to provide this and therefore cannot invoke keeper liability.
3. Misrepresentation of Keeper Liability – PPSCoP 8.1.1(d)
Despite the above PoFA failures, PCM’s NtK still states that they are entitled to recover the charge from the keeper. This is false. The PPSCoP prohibits misleading statements about keeper liability. An operator cannot assert PoFA rights when their NtK fails to comply with the law.
This is a clear breach of Section 8.1.1(d) of the PPSCoP and an attempt to mislead the recipient into thinking they are liable when they are not.
4. Failure to Provide Proof of Posting – PPSCoP 8.1.2(e) Note 2
The PPSCoP requires operators to retain and disclose the date that a Notice to Keeper was actually posted, not just the date it was printed or generated. I requested evidence from PCM confirming the method and date of posting, including whether a mail consolidator was used. They have not provided any evidence or explanation.
Without proof of posting, it cannot be shown that the NtK was delivered within the statutory timeframe under PoFA. This is another compliance failure.
5. Failure to Consider a Formal Complaint – PPSCoP Section 11.3
I submitted a formal complaint to PCM, clearly stating that it was not an appeal but a complaint about legal and procedural breaches, including misuse of DVLA data and non-compliance with the PPSCoP. PCM responded with a generic appeal rejection and refused to treat it as a complaint, falsely stating that the complaints process does not apply to parking charges.
This is a blatant breach of PPSCoP Section 11.3, which requires operators to handle formal complaints separately from appeals and respond accordingly. Section 11.3 makes clear that motorists have the right to raise complaints about poor practice or misuse of data, which this clearly was. PCM’s refusal to follow the proper complaints process is itself a breach of the Code and undermines their suitability to retain DVLA data access.
Conclusion
PCM has failed to meet the legal requirements to pursue keeper liability. They have misrepresented their position, breached both PoFA and the PPSCoP, and continued to pursue me using DVLA data to which they are no longer entitled.
The KADOE contract is clear: data must only be used for lawful purposes in line with PoFA and the Code of Practice. PCM has not done so.
I am therefore asking the DVLA to investigate this matter and take appropriate action under the terms of the KADOE contract. This may include:
• Confirming that a breach has occurred
• Taking enforcement action against the operator
• Suspending or terminating their KADOE access if warranted
I have attached relevant supporting material with this statement. Please confirm receipt and provide a reference for this complaint. I am also happy to provide further information if required.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]
OK. As it is not worth the effort of appealing to the IAS, send the following as a formal complaint to PCM. Email it as a pdf attachment to: info@pcm-uk.co.uk and CC in yourself.
PCM (UK) Ltd
Compliance Team
The Courtyard
1A Cranbourne Road
Slough
SL1 2XF
By email to: info@pcm-uk.co.uk
[date]
Subject: Formal Complaint – Procedural and Legal Breaches in PCN [PC31531159]
Dear Parking Control Management (UK) Ltd,
This is a formal complaint, not an appeal. You are required to respond to this complaint in line with Section 11.3 of the BPA/IPC Private Parking Single Code of Practice (PPSCoP).
Your Notice to Keeper (NtK) dated 19/02/2025 falsely claims that you can hold me liable as the registered keeper under Schedule 4 of the Protection of Freedoms Act 2012 (PoFA). However, this claim is legally incorrect because the NtK fails to meet the mandatory conditions set out in PoFA paragraph 8(2)(a).
1. Breach of PoFA – Keeper Liability Cannot Apply
The NtK fails to comply with PoFA on two fundamental points:
• Failure to Specify ‘Relevant Land’ – Breach of PoFA 8(2)(a)The NtK refers only to “Queens Road Estate”, which is an ambiguous and undefined location. PoFA requires the full and precise location of the alleged contravention to be clearly stated. The absence of such information means keeper liability cannot be established.
• Failure to Specify a ‘Period of Parking’ – Breach of PoFA 8(2)(a)The NtK states:
“This charge relates to the period of parking that immediately preceded the time of issue.”
This is legally insufficient. A single timestamp (14:56) does not establish a period of parking. As confirmed in Brennan v Premier Parking Solutions (2023), PoFA requires a defined period, not merely an assumption that parking occurred before a given moment.
2. Breach of the BPA/IPC Private Parking Single Code of Practice (PPSCoP)
Your NtK falsely states:
“Parking Control Management (UK) Ltd have the right to recover the unpaid charges from you, as the registered keeper.”
Given that your NtK fails PoFA 8(2)(a), this is a misrepresentation of keeper liability and a breach of PPSCoP Section 8.1.1(d), which prohibits misleading statements regarding PoFA compliance.
Additionally, PPSCoP Section 8.1.2(e) Note 2 mandates that you retain a record of the date of posting of a notice, not merely the date of generation (e.g., the actual date that any third-party Mail Consolidator placed it into the postal system). I require you to supply:
• A copy of the proof of posting (e.g., a Post Office receipt or mailing log).
• Confirmation that the notice was sent by First Class post (or an equivalent service) that guarantees delivery within 1-2 working days.
• Full disclosure of the method used to send the NtK, including any involvement of a third-party Mail Consolidator.
Failure to provide this evidence will be treated as further proof of non-compliance and will be escalated as part of my formal complaint to the DVLA regarding your misuse of keeper data under the KADOE contract.
3. Breach of the DVLA KADOE Contract
As you have accessed my personal data from the DVLA, you are bound by the Keeper at Date of Event (KADOE) contract, which explicitly requires compliance with PoFA and the relevant Code of Practice. Given that:
• Your NtK is not PoFA-compliant
• You have misrepresented keeper liability
• You have failed to comply with the PPSCoP
You are in clear breach of the KADOE contract under which DVLA data is provided.
As such, I am submitting a formal complaint to the DVLA regarding your misuse of keeper data, seeking an investigation into your continued access to the DVLA database.
4. Demands and Next Steps
1. Given your multiple procedural and legal breaches, I formally require that you:
2. Cancel this charge immediately and confirm this in writing.
3. Acknowledge that no keeper liability exists under PoFA and confirm that you will not pursue me as the registered keeper.
4. Provide the required evidence of the actual date of posting as per PPSCoP 8.1.2(e) Note 2, including proof that the NtK was sent via a First Class service or equivalent.
Provide a full response within 14 days, or this matter will be escalated to:
• The DVLA, for your KADOE contract breach
• The International Parking Community (IPC), for your PPSCoP violations
• Trading Standards, for your misrepresentation of legal obligations
Failure to provide a full response within 14 days will result in immediate escalation.
Sincerely,
[Your Name]
Registered Keeper