DEV Community

Custodia-Admin
Custodia-Admin

Posted on

GDPR for Driving Instructors: How to Handle Pupil Data Compliantly

#gdpr #education #privacy #smallbusiness

If you're a self-employed driving instructor or run a driving school, you process more personal data than you might realise. Pupil names, contact details, dates of birth, driving licence numbers, progress notes, medical disclosures, payment records — and potentially dashcam footage from every lesson. All of it is personal data under UK GDPR, and all of it needs to be handled correctly.

This guide covers everything you need to know.

What Personal Data Do Driving Instructors Collect?

Most instructors collect at least some of the following:

  • Pupil name, address, and contact details — collected at enrolment
  • Date of birth — needed to verify eligibility (minimum age for car lessons is 17)
  • Driving licence number — used to verify licence category, check entitlements, and liaise with DVSA
  • Theory test results — pass dates, scores, and certificate numbers
  • Progress records — lesson notes, competency assessments, mock test results
  • Payment information — amounts paid, invoices, and payment method records
  • Emergency contact details — sometimes collected, especially for younger pupils
  • Medical information — where pupils have disclosed conditions relevant to driving

Every one of these categories is personal data. The medical category is treated differently — more on that below.

What's Your Lawful Basis?

Under UK GDPR, you need a lawful basis for every type of processing.

Contract (Article 6(1)(b))

When a pupil books lessons with you, you enter a contract for the provision of tuition. Processing personal data necessary to deliver that contract — name, contact details, licence number, lesson scheduling, payment — is lawful under Article 6(1)(b).

Legitimate Interests (Article 6(1)(f))

Progress records and lesson notes go beyond the strict minimum needed to perform the contract, but serve a legitimate purpose: tracking development and defending disputes about tuition quality. Legitimate interests is the appropriate basis here.

Legal Obligation (Article 6(1)(c))

Some data sharing obligations arise from law — for example, responding to DVSA enquiries or complying with insurance requirements.

What About Consent?

Consent must be freely given — which is hard to demonstrate when someone needs your lessons to pass their test. Use consent only for genuinely optional things, like marketing emails.

Pupils With Medical Conditions: Special Category Data

If a pupil discloses a medical condition — epilepsy, diabetes, visual impairment, ADHD, or anything else that could affect their fitness to drive — that information is special category health data under Article 9 of UK GDPR.

You need both a standard lawful basis (Article 6) and a specific condition from Article 9. The most relevant condition for driving instructors is Article 9(2)(b) — processing necessary for carrying out obligations in the field of employment, social security, and social protection law.

DVLA Obligations

The DVLA requires drivers to self-report certain medical conditions. As an instructor, you're not under a general legal obligation to report a pupil's medical condition — that's the pupil's duty. However, if you genuinely believe a pupil is unfit to drive and poses a danger, the DVLA has a formal process for third-party reporting.

Practical guidance:

  • Don't ask for medical information unless there's a genuine reason
  • Record only what's necessary and store it securely
  • Don't share medical information without a clear need
  • Include a note in your privacy notice explaining how you handle health disclosures

Booking and Scheduling Systems: Data Processors

If you use third-party software to manage bookings (Drive-IT, TotalDrive, My Booking Tool), you're using a data processor. Under UK GDPR, you need a written Data Processing Agreement (DPA) in place.

Before using any platform with pupil data, check:

  • Do they have a privacy policy and DPA available?
  • Where is data stored (UK/EU servers, or transferred elsewhere)?
  • What happens to your data if you cancel your subscription?

Dashcam Footage: GDPR in the Lesson Vehicle

Dashcam footage that captures a pupil is personal data. Key obligations:

  • Tell pupils in advance — your privacy notice must explain that lessons are recorded, why, what the footage is used for, and how long it's kept
  • Lawful basis — legitimate interests is appropriate for safety/dispute resolution, with a documented Legitimate Interests Assessment (LIA)
  • Retention — 30 days is a common retention period for safety/evidence footage
  • Access requests — pupils can make a Subject Access Request for footage showing them
  • Sharing — don't share footage with third parties without a clear legal basis

If your dashcam also records audio, this deserves specific mention in your privacy notice.

DVSA Data Sharing Obligations

  • Your ADI licence number, registration status, and test results are held by DVSA
  • Pupils' test bookings and results are processed by DVSA as a separate data controller
  • Responding to DVSA requests about a pupil is likely covered by legal obligation (Article 6(1)(c))
  • You don't have permission to share pupil data with DVSA beyond what's legally required

Marketing to Past Pupils and Referrals

Under PECR, the soft opt-in allows you to market to existing customers without explicit consent, provided:

  • They gave you contact details in the course of purchasing services
  • You're marketing similar services (Pass Plus, refresher lessons, motorway driving)
  • You gave them a chance to opt out at collection, and they didn't
  • You include an opt-out in every marketing message

The soft opt-in doesn't cover third parties. If a pupil gives you a friend's number, you can't market to that friend without their own consent.

Young Pupils Under 18

For 17-year-old pupils, treat them as capable of exercising their own data protection rights. UK GDPR doesn't automatically give parents the right to access their child's personal data once the child has capacity to consent.

  • Make your privacy notice comprehensible to a 17-year-old
  • If parents want progress updates, get the pupil's consent first
  • Make clear that data rights belong to the pupil, not the paying parent

Data Retention for Lesson Records

Record Type Suggested Retention Reason
Pupil contact details 6 years after last lesson Limitation period for disputes
Payment records 6 years HMRC requirements
Progress notes 6 years Potential tuition quality disputes
Medical disclosures Delete after lessons end Data minimisation
Dashcam footage 30 days Safety/evidence purpose satisfied
Marketing consent records Marketing period + 1 year Evidence of lawful basis

GDPR Compliance Checklist for Driving Instructors

Privacy Notice

  • [ ] Privacy notice accessible to pupils before or at enrolment
  • [ ] Covers data collected, why, lawful basis, and retention periods
  • [ ] Dashcam recording disclosed
  • [ ] Pupils told how to exercise their rights

Lawful Basis

  • [ ] Lawful basis documented for each processing type
  • [ ] LIA completed for dashcam footage and progress records
  • [ ] Consent obtained for marketing where soft opt-in doesn't apply

Data Processors

  • [ ] DPA signed for each booking/scheduling system
  • [ ] Data storage location confirmed (UK/EU)

Special Category Data

  • [ ] Process for handling medical disclosures documented
  • [ ] Medical information stored separately with restricted access

Data Security

  • [ ] Records stored securely (password-protected devices, locked cabinets)
  • [ ] Device encryption enabled

Retention

  • [ ] Retention schedule documented
  • [ ] Dashcam footage deleted after 30 days unless active incident

Subject Access Requests

  • [ ] SAR response process documented (respond within 1 month)

Data Breaches

  • [ ] Breach response procedure documented
  • [ ] Know that ICO must be notified within 72 hours of a notifiable breach

Getting Your Website Compliance Right Too

Your website also processes personal data via contact forms, booking tools, analytics, and cookies. Run a free scan at https://app.custodia-privacy.com/scan to get an instant report on the trackers and data processors active on your site, with plain-English guidance on what needs fixing.

This post provides general information about UK GDPR compliance for driving instructors. It does not constitute legal advice. For advice tailored to your specific circumstances, consult a qualified data protection professional or the ICO's website at ico.org.uk.

Top comments (0)