Personal information charter

Outlines the standards you can expect when we ask for or hold your personal information and explains what we ask of you, to help us keep information up to date.


This policy explains how DfT Operator Limited will, as a data controller, comply with the Data Protection Act 2018 and associated legislation including the General Data Protection Regulation (GDPR).

Your privacy

We know how important it is to protect your privacy. If we need to collect, store or otherwise use your personal data, we will comply with the principles and other provisions of data protection law.

What allows DfT Operator Limited to process your personal data

We will only process your personal data if we have a lawful basis to do so. Most of the processing we do relates either to contracts, our public tasks, or is necessary for our legitimate interests. Where we process more sensitive, or ‘special category’, personal data, we will ensure that we meet the relevant requirements.

When we collect your personal data

When we collect your personal data, we will provide you with specific information including:

  • how to contact our Data Protection Officer
  • the purpose and legal basis for our processing
  • where relevant, who your data will be shared with and whether it will be transferred to a third country (and if so the safeguards that will be put in place to protect it)
  • how long it will be kept for
  • your rights in connection with that processing
  • how to complain
  • whether you are obliged to provide your data and if so the possible consequences of not doing so

Where your personal data was sent to us by a third party, we will tell you who that third party was and where relevant, provide you with further information. We will normally do that within one month.

Your rights

The GDPR gives individuals a number of rights in relation to their personal data. The most commonly used right is subject access, which allows you to request a copy of any data we might hold on you. The Information Commisioners Office has published a full description of your rights and how they might apply to the way we use your personal data. DfT Operator Limited will uphold your rights to the extent that they apply to the way we process your personal data.

If you wish to exercise any of your rights, including accessing a copy of your personal data, contact [email protected]. If you are unknown to us, we will need you to provide proof of identity before we can start processing your request.

Our privacy information notice

The purposes for which we process personal data include:

  • maintaining our accounts and records
  • consideration and investigation of complaints
  • answering queries
  • the provision of education or training
  • property management
  • corporate administration
  • the administration of grants
  • the recruitment, support and management of our staff

When we share information

We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will comply with data protection law.

Correspondence

When you write to DfT Operator Limited, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a public authority to be accountable and transparent about the functions and policies that we are responsible for.

Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. We will let you know when this happens.

In the case of requests for information that are handled under the Freedom of Information Act 2000, DfT Operator Limited will use your personal data as necessary to comply with those laws. We may need to consult with other public authorities in central government where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded.

A record of your correspondence will be held by us for at least 3 years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.

Our Data Protection Officer

Our Data Protection Officer (DPO) informs and advises us on how to comply with data protection law and provides assurance that we are doing so. DfT Operator Limited’s designated DPO is part of the Department for Transport’s data protection team.

Our DPO can be contacted at:

3rd Floor
One Priory Square
Hastings
TN34 1EA

Email: [email protected]

When contacting our DPO, please make clear that your correspondence is about DfT Operator Limited.

The steps we take to keep your data secure

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We ensure that staff who routinely access personal data as part of their jobs receive appropriate training in how to protect it and we carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice.

We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework sets out the government’s approach to protective security.

Data breach notification

DfT Operator Limited will do everything it can to keep your personal data secure. If, despite this, a breach occurs which creates a risk to your rights and freedoms, we will ensure that the Information Commissioner’s Office is informed without delay and in any event within 72 hours after we have become aware of it.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of the department’s Data Protection Officer
  • the likely consequences of the breach
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects

How to make a complaint

If you’re unhappy with the way we have handled your personal data and want to make a complaint, you can write to our Data Protection Officer.

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you will get a full response.

If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF