Civil Parking Enforcement Privacy Notice
Including data sharing with the National Persistent Evader Database (NPED)

1. Introduction

Our core data protection obligations and commitments are set out in Bradford Council’s primary privacy notice. This notice provides additional privacy information for individuals whose personal data is processed as part of the Council’s civil parking enforcement functions, including data shared with the National Persistent Evader Database (NPED).

It describes how the Planning, Transportation and Highways Service collects, uses and shares personal information about you, and the types of personal information we need to process.

2. Who we are

City of Bradford Metropolitan District Council (CBMDC) is the data controller for your personal data processed as part of civil parking enforcement. CBMDC is registered as a data controller with the Information Commissioner’s Office.

For data shared with the National Persistent Evader Database, CBMDC and NPED Services Limited are independent controllers. Each organisation determines how and why it processes the shared personal data within its own operations, in accordance with a Data Sharing Agreement between the parties.

3. What personal data we collect

We collect and process the following categories of personal data in connection with civil parking enforcement:

Category Examples
Vehicle data Vehicle registration number (VRN), make, model, colour, DVLA keeper details
Contravention data Date, time, location, contravention code, photographic evidence, civil enforcement officer observations
Enforcement data Penalty charge notice (PCN) number, payment status, representations and appeals, debt recovery correspondence
NPED score data Aggregated evasion score associated with a VRN, derived from PCN data contributed by multiple issuing authorities nationally
Correspondence data Name, address, email, telephone number of registered keeper or their representative

4. Why we process your data

We process personal data for the following purposes:

  • Issuing, progressing and enforcing penalty charge notices under the Traffic Management Act 2004.
  • Determining appropriate enforcement action by consulting the NPED to identify vehicles with a history of persistent evasion across multiple authorities
  • Supporting road safety objectives under the Council’s Vision Zero Bradford programme, including identification of vehicles that may be uninsured, without a valid MOT, or using cloned registration plates • Reducing the cost of futile enforcement action against persistent evaders
  • Statistical analysis and research to improve enforcement effectiveness (using anonymised and aggregated data only)
  • Sharing intelligence with West Yorkshire Police where there is a lawful basis relating to the prevention or detection of crime

5. Our lawful basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

Lawful basis Application
Article 6(1)(e): Public task Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Council. The relevant legislation includes the Traffic Management Act 2004, the Road Traffic Regulation Act 1984, and the Civil Enforcement of Road Traffic Contraventions (General Provisions) (England) Regulations 2022.
Article 6(1)(c): Legal obligation Where processing is necessary to comply with the Council’s statutory duties relating to network management and civil enforcement.
Article 6(1)(f): Legitimate interests (NPED) NPED Services Limited processes data shared by issuing authorities under legitimate interests, supported by a Legitimate Interest Assessment. The legitimate interest is the provision of a service that reduces the cost of futile enforcement action and supports identification of persistent evaders.

The Council does not rely on consent as the lawful basis for processing personal data in connection with civil parking enforcement. Where processing involves Criminal Offence Data (as defined by the Data Protection Act 2018, section 11(2)), the Council processes this under Schedule 1, Part 2, Paragraph 6 (statutory and government purposes) of the DPA 2018.

6. Who we share your data with

We may share your personal data with the following organisations where it is necessary, lawful and proportionate to do so:

Recipient Purpose
NPED Services Limited Sharing PCN data for vehicles with unpaid contraventions at 28 days, to enable the NPED to calculate evasion scores and to support NPED’s research into trends in parking offences and persistent evasion. Data is shared under a formal Data Sharing Agreement.
Driver and Vehicle Licensing Agency (DVLA) Obtaining registered keeper details for the purpose of issuing penalty charge notices.
West Yorkshire Police Sharing intelligence on vehicles identified as potentially uninsured, unregistered, or using cloned plates, for the purposes of crime prevention and road safety (Operation Steerside).
NDebt recovery agents Where PCNs remain unpaid following all statutory processes, for the purpose of recovering the debt.
Traffic Penalty Tribunal Where a motorist appeals a penalty charge notice.
Back-office system provider Processing enforcement casework on the Council’s behalf (data processor, subject to a Data Processing Agreement).

7. About the National Persistent Evader Database (NPED)

The NPED is the UK’s centralised database of offending vehicle behaviour data from the parking sector. When the Council shares data with NPED, the following applies:

  • The Council shares PCN data for vehicles with unpaid contraventions at 28 days post-contravention, or which the Council is considering issuing a PCN against
  • NPED consolidates this data with information from other issuing authorities and public sources (including DVLA data) to produce an evasion score for each vehicle registration number
  • The evasion score is used to help the Council determine the most appropriate enforcement action (for example, whether to pursue debt recovery or to take alternative action against persistent evaders)
  • No solely automated decisions are made on the basis of the NPED score: a human officer will always review the score alongside other factors before determining the enforcement approach
  • Data is transmitted securely using encrypted SFTP and HTTPS protocols, with access restricted to authorised users only

8. Profiling and automated decision-making

The NPED service involves profiling in the form of an automated evasion score calculated for each vehicle registration number based on the number and pattern of unpaid penalty charge notices across participating authorities.

This profiling does not produce solely automated decisions with legal or similarly significant effects. A human officer reviews the NPED score alongside local case information before any enforcement decision is taken. You have the right to request human review of any decision influenced by the NPED score.

9. How long we keep your data

Data type Retention period
PCN casework records Retained for 7 years from the date the case is closed, in line with the Council’s retention schedule and statutory limitation periods. After which time a full purge of data is undertaken.
CCTV and photographic evidence Retained for 3 years from the date of closure, of a case unless required for ongoing enforcement or legal proceedings. A partial purge is undertaken after 3 years of closure to remove photos.
NPED shared data NPED retains shared personal data in accordance with the retention periods specified in the Data Sharing Agreement. Data that has reached the end of its retention period is automatically and securely erased from all NPED systems, including backups.
Correspondence Retained for 7 years from the date the case is closed. After which time a full purge of data is undertaken.

10. How we protect your data

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. These include:

  • Access to enforcement systems is restricted to authorised officers with role-based permissions
  • Data shared with NPED is transmitted via encrypted SFTP and SSL/TLS HTTPS connections
  • NPED encrypts data both at rest and in transit within its systems
  • All access requests to the NPED API are logged in a durable audit trail
  • A Data Protection Impact Assessment has been completed for the NPED data sharing arrangement

We also have procedures in place to deal with any suspected data security incidents and we will notify you and the appropriate regulator of any incident where we are legally required to do so.

11. International transfers

We do not send any information we collect about you outside the United Kingdom. NPED Services Limited processes all data within the UK.

12. Your rights

Under the UK GDPR you have the following rights in relation to your personal data:

  • The right to be informed about how we use your data (this notice)
  • The right of access to the personal data we hold about you (Subject Access Request)
  • The right to rectification of inaccurate data
  • The right to erasure (where processing is not based on a statutory obligation)
  • The right to restrict processing • The right to object to processing based on public task (Article 6(1)(e))
  • The right not to be subject to solely automated decision-making, including profiling, which produces legal or similarly significant effects
  • The right to data portability (where processing is based on consent or contract)

Please note that where the lawful basis for processing is public task or legal obligation, the right to erasure and the right to data portability may not apply. The right to object is not absolute: the Council may continue processing where there are compelling legitimate grounds, or for the establishment, exercise or defence of legal claims.

13. Contact us

If you have any questions about this privacy notice, or wish to exercise any of your rights, please contact the Council’s Information Governance Team;

  • Address: Department of Corporate Resources
    City Hall
    Centenary Square
    Bradford
    BD1 1HY

If you are dissatisfied with the way the Council has handled your personal data, you have the right to make a complaint.

Complaints about how the Council has handled personal data will be considered under the Council’s complaints policy, section 17: Data Protection complaints in line with the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, ICO guidance and any statutory complaint handling requirements that apply.

For further information related to complaints or to make a complaint visit: Compliments and complaints | Bradford Council

You also have the right to approach the supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted on 03031 231113 or through their website https://ico.org.uk

14. Changes to this notice

We will review and update this privacy notice to reflect changes in our services and to comply with changes in the law. This notice was last updated in May 2026.

Version Date Author Changes
1.0 - VZB Lead / Jill Longbottom Initial version: civil parking enforcement and NPED data sharing
2.0 19 May 2026 Tiffany Lewis Revisions incorporated to reflect the whole of the TMA as it is used to cover parking enforcement

Other pages in this section