Personal information charter

Our personal information charter contains the standards you can expect when we ask for, or hold, your personal information. It also covers what we ask of you, to help us keep information up to date.


Department for Transport data protection policy

The Department for Transport (DfT) and its executive agencies are a single entity (or ‘data controller’) for the purposes of data protection law. Together we hold personal data on many millions of the UK population, including drivers, vehicle keepers, those taking driving tests, driving instructors, and seafarers. It is therefore very likely that some part of DfT will hold personal information about you.

This policy explains how DfT will comply with data protection law. This includes the UK General Data Protection Regulation (UK GDPR) and other provisions contained within the Data Protection Act 2018 including law enforcement.

Whilst the policy includes our executive agencies, some of our executive agencies have their own data protection policies which provide more specific information about the steps they take to comply with data protection law.

Transport agencies’ privacy policies

Find out what personal information our agencies handle:

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

Your privacy

We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:

  • have a legal basis for doing so, and only ask for what we need
  • do so in a fair and transparent way, letting you know why we need your information and how we will use it
  • use it in the way we said we would and not in a way you wouldn’t expect without letting you know
  • ensure that we don’t keep more than we need, for longer than we need
  • make sure it is accurate and up-to-date
  • make sure nobody has access to it who shouldn’t
  • ensure that it is kept safe and secure

Where we process personal data for the purposes of criminal law enforcement, we will clearly categorise individuals so that their role is apparent (such as witness, victim, suspect or convicted criminal) and set out whether the information recorded is opinion or fact. We will also keep detailed logs of how such data is handled. You can help us by making sure that the information you give us is accurate and by letting us know if it changes. For example, if you change your telephone number or name, or move to a new home, let us know.

What allows DfT to process your personal data

To process personal data, we need to meet one of the following conditions (or legal bases):

  • you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
  • it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
  • it is necessary to meet a legal obligation
  • it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
  • it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
  • it is necessary for our legitimate interests or that of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)

There are further requirements for processing more sensitive, or ‘special category’, personal data.

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DfT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DfT for different purposes, then the legal basis we rely on in each case may not be the same.

Your rights

UK data protection legislation sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. DfT will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.

Any request to exercise these rights should be made directly to DfT or one of our executive agencies, as appropriate.

We cannot respond to requests made by third parties such as online portals unless we are able to verify your identity and be satisfied that the third party is acting with your authority. If you use an online portal that does not meet these requirements, your request will be rejected. Where possible, it is always quicker to make your request direct to us.

Your right of access

You can make a request for any personal data that we may hold about you – this is called a ‘subject access request’. If we hold information about you, we will send you a copy (subject to any exemptions that may apply).

If you would like to make a subject access request, contact us at [email protected].

So that we can be sure of your identity, you will need to provide information such as a (scanned) copy of a driving licence or a current utility bill showing your full name and current address.

To help us find the information you want, please provide:

  • a description of the personal information you believe DfT holds about you and an indication of where in DfT that information is likely to be held
  • the names of any DfT staff members you have corresponded with
  • the date range that our search for information should cover

We will respond to your request within one month of receipt unless it is complex (in which case, we will write to explain why there will be a delay and when you can expect a full response).

Our privacy information notice

We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. These include:

  • maintaining our accounts and records
  • consideration and investigation of complaints
  • answering queries
  • undertaking research
  • the provision of education or training
  • property management
  • corporate administration
  • the administration of grants
  • the support and management of our staff
  • licensing, enforcement and regulatory duties
  • crime prevention and prosecution of offenders
  • accident investigation and road safety
  • traffic and incident management on the strategic road network

When we share information

We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.

A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.

Online forms and surveys

The online form and survey privacy notice covers the collection of personal information by forms, surveys and other types of services completed online.

Recording of DfT hosted meetings

DfT will only record meetings where it considers that it has a legitimate interest in doing so.

The meeting organiser will tell you if the meeting is to be recorded. They will let you know the purpose and how the recording will be used after the meeting. If they intend to share the recording with third parties, they will give you the details.

If you do not want to be recorded, let the meeting organiser know before the meeting. During the meeting turn off your camera. Also turn off your microphone if you do not want your voice to be recorded. If you turn off both your camera and microphone, you will still be able to participate in the meeting by using the chat bar. Comments you make in the chat bar will be attributable to you, just as they would in any other business meeting.

Unless told otherwise, you can expect our recordings to be deleted after 30 days.

Correspondence

When you write to the department, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.

Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Where your correspondence requires input from one of our arm’s length bodies (ALBs), we will seek a contribution from the relevant ALB, which may require sharing your personal data. Except as explained here, your correspondence will not be shared outside of government and ALBs without your consent.

In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.

A record of your correspondence will be held by us for at least 3 years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.

Distribution lists

The department maintains a number of distribution lists to communicate with its stakeholders. In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list. Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.

CCTV

The central department has CCTV cameras installed at its sites in London, Derby (RAIB) and Farnborough (AAIB). All cameras are installed for the security of staff, visitors and contractors at DfT sites and also for the protection of DfT properties.

Internal cameras are used:

  • for the monitoring of secure areas of buildings
  • for the monitoring of pinch points (for example, reception)
  • to provide additional security for commercial partners within our buildings

External cameras are used:

  • for monitoring activity around DfT buildings/sites
  • for enabling remote vehicular access to sites
  • to enhance building/site protection outside of normal working hours

All footage is deleted after 30 or 38 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside DfT except in limited circumstances such as where it is necessary to make a disclosure to the police.

Filming and photography

The department uses film and photographs to illustrate the work that we do, to support and promote policy in the public interest. We film individuals in non-intrusive ways where possible, for example, filming crowds from a distance. If you have any concerns about appearing in any footage, please speak to a member of the film crew at the time or contact [email protected].

We also take photographs to illustrate our work in our official publications and on our social media channels. We aim to avoid using images which could identify members of the public. If you are concerned about a picture of you that we have used in one of our publications contact us at [email protected].

Research and statistics (including Road Traffic Counts and National Travel Survey)

DfT occasionally collects personal data when producing some of our statistics. Whilst the majority of our statistics do not involve the collection of personal data, the use of personal information in our statistics page provides details on those statistics that do. This includes personal data collected as part of our Road Traffic Counts and National Travel Survey and other statistical releases.

To find out about how personal data is used in connection with individual trials or research projects being run by DfT, see our trials and research privacy notices.

Our Data Protection Officer

DfT with its agencies is a single controller under data protection law. Given the size of our organisation, our Data Protection Officer is supported by a team, consisting of data protection managers from each of the agencies. Our ‘Data protection governance policy’ (available on request) explains this more fully.

Our Data Protection Officer and the team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.

You can contact the Data Protection Officer by writing to the following address:

Data Protection Officer
Department for Transport
3rd Floor
One Priory Square
Hastings
East Sussex
TN34 1EA

Email: [email protected]

If your query relates to data being processed by one of our executive agencies, please contact the relevant agency direct. This will help to ensure that you receive a prompt response.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA). A DPIA will be carried out in all cases where the proposed processing could result in a high risk to your rights and freedoms.

Where a DPIA identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer will seek advice from the Information Commissioner’s Office to help us find the best solution.

To improve the efficiency and effectiveness of the way we carry out our tasks as a public body, we are trialling certain Artificial Intelligence (AI) solutions. Where these use personal data they will be subject to a DPIA, and special care will be taken to ensure that we meet the data minimisation principle.

Our AI tools will be designed so that our staff and others who process information on our behalf can access only the information they are supposed to access. Personal data will only be used to fine-tune or train an AI model where the model is hosted on systems that are under our control. We will not allow your personal data to go outside of those systems.

The steps we take to keep your data secure

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.

The training and guidance we give to our staff

All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in-depth training. Staff in our agencies who have access to large volumes of personal data receive training that has been tailored to the agency’s particular business environment.

Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.

As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code - integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.

Data breach notification

The department does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of the department’s Data Protection Officer
  • the likely consequences of the breach
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects

How to make a complaint

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details below.

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

Data protection contacts

Data Protection Officer
Department for Transport
3rd Floor
One Priory Square
Hastings
East Sussex
TN34 1EA

Email: [email protected]

If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact the Information Commissioner