Department for Business and Trade: Privacy notice relating to the group litigation order compensation scheme
Updated 7 June 2024
Purpose
The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your personal data. This privacy notice sets out how DBT will collect and use your personal data for the purposes of the Group Litigation Order (GLO) Compensation Scheme (the “Scheme”), set up by DBT following the announcement on 7 December 2022, in accordance with the applicable data protection legislation, namely, the UK General Data Protection Regulation[footnote 1] (UK GDPR) and Data Protection Act 2018 (DPA 2018). It is important that you read this privacy notice, so that you are aware of how and why we are using your personal data, as well as the rights available to you.
How we collect your personal data
As part of the Scheme’s process, DBT will invite eligible claimants to submit claims for assessment. We will collect personal data included in these claims.
DBT also intends to seek the appropriate disclosure from Post Office Limited (POL) in relation to the relevant documents it holds to support claimants’ claims. These documents will also include personal data.
What personal data we collect
As part of the Scheme’s process, DBT will collect a range of information about claimants, as well as claimants’ family members, current or former employees of a branch where a particular claimant was or still is a postmaster, other former or current postmasters, employees of POL or its personnel. This may include, but is not limited to, the data requested in the registration and full application forms, such as:
- first names
- surnames (including any previous surnames)
- home addresses
- postcodes
- telephone numbers
- email addresses
- job titles
- details about contracts held (or that were held) with POL
- financial information about shortfalls and other losses
- details about actions taken in relation to shortfalls and other losses
- any other personal data that a claimant may submit as part of their claim
We may also collect, store and use the following types of more sensitive personal data (including so-called “special category” data):
-
information about your health, including any medical condition, health and sickness records, if this information is relevant to the claim
-
information about criminal convictions and offences
Why we process your personal data and our lawful basis for doing so
DBT will process your personal data in order to:
-
assist POL in identifying and disclosing to DBT the personal data held by POL and required by the claimants to enable them to complete their claims in the Scheme
-
disclose, via the Denton’s Direct secure data sharing platform, documents received by POL to the claimants to enable them to complete their claims in the Scheme
-
assess claims brought in the Scheme and make offers in accordance with the Scheme’s process
-
ensure fairness and consistency when assessing claims in the Scheme against the established principles
-
ensure fairness and consistency should issues be raised by the Scheme’s claimants, which require the establishment of the new precedent points and/or principles for the purposes of assessment of the Scheme’s claims and making offers in the Scheme
-
discharge DBT’s duties and obligations under data sharing agreements held by DBT
-
as otherwise may be necessary to fulfil DBT’s obligations under data protection legislation or any other applicable law
Guidance to claimants as well as the principles relied on by DBT for the purposes of assessment of the Scheme’s claims are set out in the document called GLO Compensation Scheme Guidance and Principles, which was published on 23 March 2023.
Our lawful basis for processing all personal data outlined in this privacy notice is pursuant to article 6(1)(e) of the UK GDPR, in that the processing is necessary for the performance of a task carried out in the public interest (such task being supported by provisions contained in the applicable Appropriation Acts).
Our lawful basis for processing special category personal data is pursuant to article 9(2)(g) of the UK GDPR – processing is necessary for reasons of substantial public interest together with paragraph 6 of schedule 1 to the DPA 2018, statutory and government purposes, and paragraph 33 of schedule 1 to the DPA 2018, legal claims.
Our lawful basis for processing criminal offence data is pursuant to schedule 1, part 3, paragraph 6 of the DPA 2018 – processing is necessary for the purpose of the exercise of a function conferred on a person by an enactment or rule of law; or the exercise of a function of the Crown, a Minister of the Crown or a government department, together with paragraph 33 of schedule 1 to the DPA 2018, legal claims.
How we share your personal data
Personal data of the Scheme’s claimants will be made available to DBT Scheme’s team and steering group (which includes attendance of the representatives of HM Treasury), Dentons, who will act as the Scheme’s independent claim facilitators, Addleshaw Goddard, who will act as DBT’s legal advisors for claim assessments.
DBT will also share claim documentation with the Government Internal Audit Agency (GIAA) and Ipsos as part of the Scheme’s assurance and evaluation process. Names and addresses will be stripped from the documentation before being sent to the GIAA or Ipsos, but in some cases it may be possible to identify individuals.
Members of these entities will only receive and process your personal data in connection with the purposes set out above. The lawful bases for the sharing of personal data with these entities are the same as those set out in section above.
Protection of personal data
DBT takes the security of your personal data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and that it is not accessed by anyone except our employees or entities mentioned above in the proper performance of their duties.
Retention of personal data
DBT will keep your personal data on file for 7 years following settlement of your application to allow it to provide relevant information should it be requested in the context of the Post Office Horizon IT Inquiry or to Post Office Limited, in case if any claims in any way related to your application are brought against it.
Your data protection rights
You have the right to request:
-
information about how your personal data is processed and to request a copy of that personal data
-
that any inaccuracies in your personal data are rectified without delay
-
that your personal data is erased if there is no longer a justification for it to be processed
You also have the right:
-
in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
-
to object to the processing of your personal data.
International transfers
As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK and European Economic Area. Where that is the case, it will be subject to equivalent legal protection through the use of appropriate safeguards such as standard contractual clauses.
Contact details
The data controller for your personal data is DBT. You can contact the DBT Data Protection Officer at:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
Email [email protected]
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Monday to Friday 9am to 4:30pm
Any complaint to the Information Commissioner is without prejudice to your rights to seek redress in the courts.
Changes to this policy
We may change this privacy notice. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy notice will apply to you and your data immediately.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last updated 7 June 2024
-
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) ↩