GDPR for Driving Instructors: A Complete Compliance Guide

Why GDPR Applies to Driving Instructors

Whether you are an independent Approved Driving Instructor (ADI) teaching from your own car or you run a driving school with a team of instructors, UK GDPR applies to you. The moment you record a student's name, contact details, or driving progress, you are processing personal data — and that comes with legal obligations under the UK General Data Protection Regulation and the Data Protection Act 2018.

Driving instruction is a particularly data-rich environment. You handle names, addresses, dates of birth, driving licence numbers, lesson notes, test dates, dashcam footage, and payment records. Some of that data — such as a student's disability or medical condition affecting their driving ability — may qualify as special category data, which attracts even stricter protections.

The Information Commissioner's Office (ICO) expects all businesses that process personal data to register, comply with data subject rights, implement appropriate security, and be transparent about what they collect and why. For driving instructors, non-compliance is not a theoretical risk: the ICO actively investigates complaints from members of the public, and failing to respond to a Subject Access Request within the statutory deadline can result in a formal reprimand or fine.

What Personal Data Do Driving Instructors Collect?

Before you can comply with GDPR, you need to understand exactly what personal data your business holds. Driving instructors typically process:

• Student identity data: full name, date of birth, home address, email address, phone number.
• Driving licence details: UK driving licence number (which encodes personal information including date of birth and gender), provisional licence category.
• Lesson records: dates and times of lessons, lesson duration, topics covered, instructor observations, progress notes, mock test results.
• Test readiness assessments: notes on manoeuvres, independent driving, safety questions, and overall readiness for the practical test.
• DVSA test booking information: theory test pass certificates, practical test dates and outcomes.
• Payment information: lesson fees paid, outstanding balances, payment method.
• Health and medical information: where a student has disclosed a medical condition relevant to driving — this is special category data.
• Dashcam footage: in-car video recordings capturing the student's image, voice, and driving behaviour.
• Emergency contact details: where collected, for younger or more vulnerable students.
• Marketing records: whether a student has consented to receive promotional communications.

Lawful Basis for Processing Student Data

Under UK GDPR, you must identify a lawful basis before processing personal data. For driving instructors, the most relevant bases are:

Contract

The primary basis for most of your processing is contract: you need student data to deliver the driving lessons the student has paid for. This covers collecting contact details, scheduling lessons, recording lesson content, and managing payments. You do not need separate consent for these activities — but you do need to tell students what you are collecting and why, typically through a privacy notice.

Legal Obligation

Certain processing is required by law. Tax and accounting records must be retained for HMRC purposes. These are covered by the legal obligation basis.

Legitimate Interests

Legitimate interests can cover activities such as retaining lesson records after tuition ends for a limited period (for example, to handle disputes about tuition provided), and reviewing dashcam footage to assess and improve your own teaching quality. You must conduct a legitimate interests assessment (LIA) and document it.

Consent

Consent is required where you want to use a student's data for purposes they would not reasonably expect — most notably, marketing. Sending a past student a promotional email about refresher lessons requires their prior, freely given, specific, and informed consent.

Special Category Data

If a student discloses a health condition affecting their driving, processing that information requires both a lawful basis and a separate condition under Article 9 of UK GDPR. The most appropriate basis is usually explicit consent from the student.

Dashcam Footage: CCTV Obligations in Driving Tuition

Dashcams are now standard equipment in many driving instructor vehicles. However, they constitute a form of video surveillance, and the ICO treats in-vehicle cameras capturing identifiable individuals as personal data processing subject to UK GDPR.

What you must do:

• Tell students before lessons begin that a dashcam is fitted and recording.
• State the purpose clearly: are you recording for safety evidence, for teaching review, or both?
• Set a retention period and stick to it — typically overwriting footage on a rolling basis (28–31 days) unless retained for a specific incident.
• Secure the footage: dashcam SD cards and any cloud storage must be appropriately secured.
• Respond to access requests: students have the right to request a copy of dashcam footage in which they appear within one calendar month.

DVSA ADI Register: Data Sharing with the Regulatory Body

As an Approved Driving Instructor, your name and ADI licence number are held on the DVSA's ADI Register. When you share student data with DVSA — for example, when booking a practical driving test on a student's behalf — you should ensure students are aware in your privacy notice that their details will be shared with DVSA. The lawful basis for this sharing is typically contract.

Student Licence Details and DVLA Interactions

Collecting a student's driving licence number is standard practice and necessary to verify their entitlement to receive tuition. UK driving licence numbers encode the holder's date of birth, name, and gender — making them sensitive identifiers. Store licence numbers securely and do not share them with third parties without a lawful basis.

Lesson Records and Progress Notes

Lesson records are core operational data for driving instructors. From a GDPR perspective, lesson records are personal data. You should:

• Store them securely with access restricted to those who need it.
• Retain them only for as long as necessary.
• Make them available to the student on request.
• Avoid including unnecessary personal commentary beyond what is required for teaching purposes.

If you use a driving school management app, check that the provider offers a Data Processing Agreement (DPA).

Marketing: Referral Programmes and New Student Outreach

Many driving instructors grow their business through word of mouth and follow-up marketing to past students. GDPR places specific constraints on these activities.

Referral Programmes

If a current student refers a friend, the friend's contact details must not be used to market to them without their consent. The referring student cannot validly give consent on someone else's behalf.

Contacting Past Students

Sending promotional emails or texts to former students about refresher lessons requires prior consent. The Privacy and Electronic Communications Regulations (PECR) require opt-in consent for electronic marketing to individuals.

Social Media and Testimonials

Posting student testimonials or pass photos on social media requires the student's explicit consent. Obtain written consent specifying which platforms you intend to use.

Data Retention: How Long to Keep Student Records

For driving instructors, a reasonable retention framework:

• Lesson records and progress notes: retain for 2–3 years after the final lesson, then securely delete.
• Payment records: retain for 6 years to meet HMRC tax record requirements.
• Dashcam footage: overwrite on a rolling basis (28–31 days) unless retained for a specific incident.
• Driving licence copies or scans: delete once entitlement has been verified.
• Marketing consent records: retain for as long as the consent remains valid.
• Employee records: retain for 6 years after employment ends.

Data Subject Access Requests (DSARs)

Students have the right to request a copy of all personal data you hold about them. You must respond within one calendar month, free of charge. For driving instructors, a DSAR could include requests for lesson notes, progress assessments, payment records, and dashcam footage.

Security Obligations

UK GDPR requires you to implement appropriate technical and organisational measures to protect personal data:

• Password-protect all devices used to store or access student data.
• Use strong, unique passwords for apps and software.
• Enable two-factor authentication on email accounts and cloud storage.
• Encrypt SD cards or cloud storage where dashcam footage is held.
• Lock paper records in a secure cabinet.
• Shred paper documents when no longer needed.

If you suffer a personal data breach, you must report it to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms.

ICO Registration

Most driving instructors and driving schools must register with the ICO and pay the annual data protection fee — typically £40 per year (Tier 1). Operating without registration when required is a criminal offence.

Practical GDPR Compliance Checklist for Driving Instructors

• Register with the ICO and pay the annual data protection fee.
• Write a privacy notice and share it with new students before lessons begin.
• Document your lawful basis for each category of data processing.
• Tell students about your dashcam before the first lesson and set a retention period.
• Obtain explicit consent before sending marketing emails or texts.
• Obtain consent before posting student testimonials or pass photos on social media.
• Document data sharing with DVSA and the lawful basis.
• Set data retention schedules for all data categories.
• Secure all devices and accounts storing student data.
• Know how to handle a Subject Access Request within one calendar month.
• Have a process for reporting personal data breaches to the ICO within 72 hours.
• Ensure a Data Processing Agreement is in place with any third-party lesson management software.
• Carry out a Legitimate Interests Assessment where relied upon and document it.
• Review your compliance at least annually.

---

GDPR compliance for driving instructors is largely about transparency, security, and proportionality. The ICO provides free guidance at ico.org.uk, and tools like Custodia can help automate your website compliance so you can focus on what you do best: teaching people to drive safely.