Driver and Vehicle Licensing Authority Data Privacy Policy

1. Purpose

The purpose of this Data Privacy Policy is to:

1. Protect the privacy of privacy subjects in line with Ghana’s Data Protection Act, 2012 (Act 843).
2. Provide guidelines for the collection, use, disclosure, and maintenance of personal information by DVLA.
3. Limit DVLA's possible liability for privacy infringement.
4. Educate users on privacy and related rights.

2. The Collection, Use, Maintenance, and Disclosure of Personal Information by DVLA

1. Users may only collect personal information on privacy subjects if such information is necessary for business purposes of DVLA or when the privacy subject has given permission in writing that his/her personal information be collected by or on behalf of the DVLA.

2. Users will, when collecting personal information, disclose such information for the purpose it is collected for.

3. Personal information will not be used or disclosed for any purpose but the purpose disclosed to the privacy subject.

4. Personal information will only be disclosed if:

   • Such disclosure is necessary for business purposes of DVLA.
   • Such disclosure was authorized by the privacy subject in writing.
   • A court order authorizes such disclosure.
   • Other statutory bodies in furtherance of their mandate.

5. Access to personal information collected and maintained by DVLA will be restricted and limited to those users who need access to such information for DVLA business and administrative purposes and who are authorized to access the personal information for that purpose only.

6. Users will not collect, maintain, use, or disclose personal information for personal or illegal purposes.

7. Personal information to be retained will be retained in accordance with DVLA Records Management Policy.

8. On application by a privacy subject of which private information was called for by DVLA, DVLA will disclose to the applicant:

   • Private information DVLA collected from the privacy subject.
   • The purpose the information was collected for.
   • How the information was used.
   • How the information was disclosed, if at all.

9. On application by a privacy subject, DVLA will update or destroy any personal information of such individual if the information is not necessary for the future business purposes of DVLA.

10. All websites operated by DVLA will be P3P privacy compliant (Platform for Privacy Preference Projects) and address the website’s privacy policy in the website’s "terms and conditions" available as a link from the home page of the website.

11. All websites operated by DVLA will further provide a link to the Privacy Policy section of the website’s terms and conditions on each page where the privacy subject's personal information gets collected.

3.More Requirements With Regard To Personal Information On Privacy Subject

1. DVLA may request, collect and store personal information of privacy subject.

2. Personal information of privacy subject may only be used for legitimate and reasonable management, including compliance with empowerment and equity legislation

3. Upon request by privacy subject, DVLA will disclose all personal information collected and stored referring to that privacy subject excluding opinions, ratings and measurements referring to that privacy subject created and used by DVLA.

4. Personal information of privacy subjects will be stored in such a manner that only authorized DVLA employees have access thereto.

5. It should not be possible for any employee (excluding authorized employees) to access personal information of any privacy subject held by any department of DVLA.

6. Personal information of privacy subjects will not be used, disclosed or copied outside the purpose it was collected for, without the prior written consent of the privacy subject.

7. DVLA will take all reasonable steps to update personal information of privacy subjects in its possession.

4.Infringement Of Privacy Subjects Privacy

1. DVLA may, if necessary and required, infringe privacy subject's privacy in any manner and only:

   • If authorized by a legal and valid court order; or
   • With the prior written consent of the privacy subject; or
   • If absolutely necessary to protect the security and confidentiality of DVLA’s information, trade secrets and /or reputation (see 4.2).

2. DVLA’s right, detailed in clause 4.1.3, will only be enforced with the prior written consent of the CEO of DVLA: Legal Department or Lawyers and if the information in respect of facts required cannot be collected in any other manner than through the infringement of the privacy subject's privacy.

3. In reliance upon the right detailed in clause 4.1.3, DVLA will have due regard to the privacy, dignity and equality the privacy subject, subject to privacy infringement.

5.Interception Of Employee Communications

1. DVLA’s duty cannot and right to intercept employee communications is detailed in the Internet Policy and the Interception and Surveillance Policy.

6.No Online Privacy Expectations Or Dvla Liability

1. DVLA cannot guarantee confidentiality or privacy of open electronic communication facilities used by privacy subjects, including but not limited to the internal, e-mail, instant messaging File Transfer Protocol (FTP), newsgroups, subscriber directories and cookies.

2. DVLA will, as far as reasonably possible, provide employees with the necessary tools and guidelines to provide basic online privacy features such as tools to detect and destroy spy ware located on employee’s workstations

7.Employee Duties

Employees will:

1. Take all reasonable caution to prevent the unauthorized disclosure of fellow employee’s personal information;

2. Take due care to ensure the protection of personal information when using online communication facilities; and

3. Set and maintain internet browser privacy setting on "Medium High" as detailed in Annexure “A”

8.Responsible Person

The CEO of DVLA, as the Chief Executive Officer, may delegate such duties to a person who will be responsible for the implementation and maintenance of this Data Privacy Policy and such person will implement processes to ensure that DVLA protects the privacy of all privacy subjects.

9.Consequences Of Mis-use Of Personal Infromation By Users

Failure and/or refusal to abide by the rules detailed in this policy will be deemed as misconduct and DVLA may initiate the appropriate investigation and disciplinary action against users. Such steps that may include dismissal.

10.Implementation Of This Policy

The CEO of DVLA, as the Chief Executive Officer, may delegate such duties to a person who will be responsible for the implementation and maintenance of this Data Privacy Policy and such person will implement processes to ensure that DVLA protects the privacy of all privacy subjects.