The DVLA is giving drivers' names and addresses to some private parking firms despite breaches of the industry's voluntary code, the BBC has learned.
The DVLA's rules restrict access to the data to companies complying with the British Parking Association code.
Breaches include overstating powers by threatening fines and penalties and failing to handle complaints promptly.
The DVLA says it investigates alleged breaches and stops firms' access to the data if they are proven.
"We have to strike a balance - allowing fair enforcement but protecting motorists," said a DVLA spokesman.
The DVLA insists any firm it gives the data to must be belong to the British Parking Association's Approved Operator Scheme - which sets out how they should operate.
"If it is brought to our attention that a company does not meet the necessary standards, we will immediately investigate, and if allegations are proven, stop the release of keeper information to them."
Any companies failing to be "fully compliant" with the Association's Code of Practice would "not be eligible to request DVLA data".
The DVLA receives an estimated £3.4m a year for providing access to drivers' names and addresses to private parking companies, but says this is to cover administrative costs.
Fines and penalties
However, BBC One's Watchdog programme has found a number of companies were still being allowed to access private data even though they had been in breach of the scheme.
As private parking companies have no powers under the criminal justice system, they cannot describe their charges as fines or penalties.
One company, Searchlight Security and Parking Solutions, of Penzance, included the word "fine" on its website. It blamed this on "an oversight".
The code states: "You must not use terms which imply that you are acting under statutory authority; this will include terms such as 'fine', 'penalty' or 'penalty charge notice'."
This rule also applies to any signs using these terms at a car park. The BPA has given companies in breach of this rule time to comply.
APCOA, another member of the BPA, which manages Luton and Gatwick Airport car parks, was found to have taken three months to respond to a driver's appeal when it should have done so in 14 days. It apologised, blaming an administrative error.
The BPA is responsible for enforcing its own code. However, it only commits to visiting its approved operators once a year to check they are keeping to it.
The BPA told Watchdog it received a number of complaints, all of which were investigated.
It operates a sanctions scheme depending on the severity of the offence, which has led to two other companies being suspended in recent months.
The RAC Foundation is calling for an end to self-regulation, saying the government should regulate the industry.
"It should regulate the private parking industry and insist that anyone enforcing parking regulations sticks to a government code of practice," said the RAC director, Stephen Glaister.
"It is difficult for the BPA to enforce this code adequately and this is unsatisfactory," he added.