Skip to main content

Personal information charter

Our personal information charter contains the standards you can expect when we ask for, or hold, your personal information. It also covers what we ask of you, to help us keep information up to date.

Department for Transport data protection policy

The Department for Transport (DfT) and its executive agencies are a single entity (or controller) for the purposes of data protection law. Together we hold personal data on many millions of the UK population, including drivers, vehicle keepers, those taking driving tests, driving instructors, and seafarers. It is, therefore, very likely that some part of DfT will hold personal information about you.

The policy explains how DfT will comply with data protection law. This includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (and amendments made to that legislation by the Data (Use and Access) Act 2025). It also includes the Privacy and Electronic Communications Regulations 2003 and the EU GDPR, to the extent relevant.

While the policy includes our executive agencies, some of our executive agencies have their own data protection policies which provide more specific information about the steps they take to comply with data protection law.

Transport agencies’ privacy policies

Find out what personal information our agencies handle:

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

Your privacy

We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:

  • have a legal basis for doing so, and only ask for what we need
  • do so in a fair and transparent way, letting you know why we need your information and how we will use it
  • use it in the way we said we would and not in a way you wouldn’t expect without letting you know
  • ensure that we don’t keep more than we need, for longer than we need
  • make sure it is accurate and, where necessary, up-to-date
  • make sure nobody has access to it who shouldn’t
  • ensure that it is kept safe and secure

Where we process personal data for the purposes of criminal law enforcement, we will clearly categorise individuals so that their role is apparent (such as witness, victim, suspect or convicted criminal) and set out whether the information recorded is opinion or fact. We will also keep detailed logs of how such data is handled.

You can help us by making sure that the information you give us is accurate and let us know if it changes. For example, if you change your telephone number, name or move to a new home, let us know.

When we design systems for services to be used by children, we will consider the specific needs of the age group that is likely to use those services and put in place suitable protection measures.

What allows DfT to process your personal data

To process personal data, we need to meet one of the following conditions (or legal bases):

  • you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
  • it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
  • it is necessary to meet a legal obligation
  • it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
  • it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
  • it is necessary for a ‘recognised legitimate interest’ (this includes purposes related to the public task of another authority, national security, public security and defence, emergencies, crime and safeguarding vulnerable individuals)
  • it is necessary for our legitimate interests or those of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)

There are further requirements for processing more sensitive, or ‘special category’, personal data and separate but similar requirements for personal data relating to criminal convictions and offences.

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DfT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DfT for different purposes, then the legal basis we rely on in each case may not be the same.

Your rights

UK data protection legislation sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website.

DfT will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.

Any request to exercise these rights should be made directly to DfT or one of our executive agencies, as appropriate.

We cannot respond to requests made by third parties, such as online portals, unless we are able to verify your identity and be satisfied that the third party is acting with your authority. If you use an online portal that does not meet these requirements, your request will be rejected. Where possible, it is always quicker to make your request directly to us.

Your right of access

You can make a request for any personal data that we may hold about you – this is called a ‘subject access request’. If we hold information about you, we will send you a copy (subject to any exemptions that may apply).

If you would like to make a subject access request, contact us at: subjectaccess@dft.gov.uk.

So that we can be sure of your identity, you will need to provide information such as a (scanned) copy of a driving licence or a current utility bill showing your full name and current address.

To help us find the information you want, please provide:

  • a description of the personal information you believe DfT holds about you and an indication of where in DfT that information is likely to be held
  • the names of any DfT staff members you have corresponded with
  • the date range that our search for information should cover

We carry out a reasonable and proportionate search and will normally respond to your request within one month of receipt. When we require proof of identity, the time limit of one month will not start until we receive that proof.

If the request is complex, we may need more than one month to answer it. If so, we will let you know why our response is delayed and outline when you can expect a full response.

As permitted by data protection legislation, we may refuse to answer a request that is manifestly unfounded or excessive. We will not, even when permitted to do so, usually charge a fee for answering a request.

Our privacy information notice

We use personal information for a wide range of purposes to enable us to carry out our functions as a government department. When we collect personal data from you, we will tell you what we are going to use it for and provide you with other relevant information.

The purpose of this notice is to supplement the information that we provide when we collect your data, or to provide relevant privacy information where it has not been possible for us to do so before.

The purposes for which we use personal data include:

  • maintaining our accounts and records
  • consideration and investigation of complaints
  • answering queries
  • undertaking research
  • the provision of education or training
  • property management
  • corporate administration
  • the administration of grants
  • the support and management of staff and contractors
  • the safety and security of those who visit our offices
  • licensing, enforcement and regulatory duties
  • crime prevention and prosecution of offenders
  • accident investigation and road safety
  • traffic and incident management on the strategic road network
  • producing anonymised data for research, analytical or statistical purposes

There is a separate privacy notice for employees, available via our intranet. If you are an employee or ex-employee without access to our intranet, to ask to see our employee privacy notice, contact: dataprotectionofficer@dft.gov.uk.

Cookies

We use cookies and similar technologies to analyse the use of our online services. When you use these services, we will let you know which cookies (or similar) we are using, and why we are using them.

Before deploying any non-essential cookies on your device, we will, as required by law, either seek your consent or make you aware of your right to object.

When we share information

We may share your personal data with our suppliers to process it on our behalf. We may share personal data within our organisation or with other bodies where we are permitted or required to do so by law.

There are some cases where we can pass on your data without telling you – such as to prevent or detect crime. In all cases, whether data is shared internally or externally, we, our suppliers and data sharing partners will be governed by data protection law and be subject to a legally binding contract or other appropriate agreement.

A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.

Online forms and surveys

The online form and survey privacy notice covers the collection of personal information by forms, surveys and other types of services completed online.

Recording of DfT-hosted meetings

DfT has a legitimate interest in recording formal meetings with third parties.  The recordings provide a complete and accurate record of what was discussed and enable transcripts to be made, allowing those who were unable to attend to ‘catch up’ afterwards. In some cases, we may use Copilot to produce summaries or other outputs from a transcript.

You will be informed at the beginning of the meeting if it will be recorded. You will also be told what the purpose of the recording is and how it will be used after the meeting. If we intend to produce a transcript or share the recording with third parties, we will give you the details.

If you do not want to be recorded, let the meeting organiser know before the meeting. During the meeting, turn off your camera and your microphone if you do not want your voice to be recorded. If you turn off both your camera and microphone, you will still be able to participate in the meeting by using the chat bar. Comments you make in the chat bar will be attributable to you, just as they would in any other business meeting.

In most cases, recordings and transcripts will be deleted after 30 days.

Correspondence

As part of our task as a public authority, we answer a wide range of correspondence from the general public about our policies and services. We expect to be accountable and seek to be as transparent as we can in the answers we provide.

If you, or a person acting on your behalf, write to the department, we will look after any personal information disclosed to us during that correspondence. We will use it only to provide you or your representative with an answer.

Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will, in most cases, be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Where your correspondence requires input from one of our arm’s length bodies (ALBs), we will seek a contribution from the relevant ALB, which may require sharing your personal data. Except as explained here, your correspondence will not be shared outside of government and ALBs without your consent.

In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.

A record of your correspondence under normal circumstances will be held by us for up to 4 years before being securely deleted. We will only keep it for longer if it is needed in connection with an ongoing issue.

Distribution lists

The department maintains a number of distribution lists to communicate with its stakeholders. In most cases, this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests.

In such cases, we have had regard to the rights and freedoms of those whose names are included on the list. Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.

CCTV

The central department uses CCTV cameras at its sites in London, Leeds, Birmingham, Hastings, Swansea, Derby (RAIB) and Farnborough (AAIB). In some instances, this includes body cameras worn by security staff.

Internal cameras are used:

  • for the monitoring of secure areas of buildings
  • to ensure the security of staff, contractors and visitors
  • for the monitoring of pinch points (for example, reception)

External cameras are used:

  • for monitoring activity around DfT buildings/sites
  • for enabling remote vehicular access to sites
  • to enhance building/site protection during and outside of normal working hours

All footage is deleted after 30 or 38 days unless there is an overriding reason to retain. Footage will not be shared outside of DfT except in limited circumstances, such as where it is necessary to disclose to the police.

Certain of our agencies use bodycams, dashcams and automatic number plate recognition (ANPR) cameras in support of their public tasks – for more details, see the links above to their own personal information charters.

Filming and photography

We film and photograph in public spaces to help illustrate the range of work that we are responsible for, for the public’s benefit. When filming, we will always try to make ourselves visible and film in non-intrusive ways, for example, by filming crowds from a distance.

If you have any concerns about appearing in footage we take, speak to a member of our film crew at the time of filming, or contact: webmasterdft@dft.gov.uk.

When we take photographs to illustrate our work in our official publications and on our social media channels, we aim to avoid using images that could identify members of the public.

If you are concerned about a picture of you that has been used in one of our publications, contact: webmasterdft@dft.gov.uk.

Research and statistics (including Road Traffic Counts and National Travel Survey)

DfT occasionally collects personal data when carrying out research or producing statistics. Where we do so, we will usually tell you at the time we collect your data and provide you with other relevant information about why we are using your data.

Where we ask you to consent to the research, there may be times when we cannot or are unable to give specific details about how your personal data will be used. This is because we cannot always be certain at the outset where our research will take us. In such cases, we will give you as much information as we can.

We will also make sure that we comply with recognised ethical standards and, where possible, allow you to consent to only a part of the processing.

Our statistics page provides further details on how we use personal data for research. This includes personal data collected as part of our Road Traffic Counts and National Travel Survey and other statistical releases.

To find out about how personal data is used in connection with individual trials or research projects being run by DfT, see our trials and research privacy notices.

Automated decision making

Where our systems use automated processes to make decisions about you, we will make this clear to you when you use those systems.  

If the systems make ‘significant’ decisions about you involving your sensitive (or special category) personal data, we will ensure, if the processing is not required by law or in connection with a contract, that we have obtained your explicit consent. A ‘significant’ decision is defined by the UK GDPR as one that produces a legal or similarly significant effect for the data subject.

In all cases where a decision is based solely on automated processing, we will provide you with relevant information about the decision. We will also allow you to make representations about the decision and to contest it and have human intervention in the decision-making process.

Artificial Intelligence

To help improve the efficiency and effectiveness of the way we carry out our tasks as a public body, we are increasingly looking to use Artificial Intelligence (AI) systems.

Where the AI uses personal data, we will carry out a DPIA to ensure that the data protection and privacy risks are fully understood. We will, however, use synthetic or anonymised data where we can.

Our Data Protection Officer

DfT, with its agencies and accident investigation branches, is a single controller under data protection law. Given the size of our organisation, our Data Protection Officer is supported by a team. Our ‘data protection governance policy’ (available on request) explains this more fully.

Our Data Protection Officer and the team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.

You can contact the Data Protection Officer by writing to the following address:

Data Protection Officer
Department for Transport
3rd Floor
One Priory Square
Hastings
East Sussex
TN34 1EA

Email: DataProtectionOfficer@dft.gov.uk

If your query relates to data being processed by one of our executive agencies, please contact the relevant agency direct. This will help to ensure that you receive a prompt response.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset. A data protection impact assessment (DPIA) will be carried out in all cases where the proposed processing could result in a high risk to your rights and freedoms.

We will use the DPIA to minimise the privacy risks as far as possible. In exceptional cases, where a high risk remains, we will, in accordance with our obligations under the UK GDPR, formally consult the ICO.

Our AI systems will be designed so that our staff and others who process information on our behalf can access only the information they are supposed to access. Personal data will only be used to fine-tune or train an AI model where the model is hosted on systems that are under our control. We will not allow your personal data to go outside of those systems

The steps we take to keep your data secure

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We follow the government’s secure by design principles to ensure that we embed cyber security practices in building and delivering resilient digital services and we follow the principles for securing personal data in government services.

We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.

The training and guidance we give to our staff

All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in-depth training. Staff in our agencies who have access to large volumes of personal data receive training that has been tailored to the agency’s particular business environment.

Managers who have formal responsibilities for large datasets, for example, as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.

As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service code – integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.

Data breach notification

The department does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of the department’s Data Protection Officer
  • the likely consequences of the breach
  • details of the measures already taken or planned to address the breach, including any steps taken to mitigate potential damaging effects

How to make a complaint

If you are unhappy with the way we have responded to a rights request or believe that we have failed in some way to meet our obligations under data protection law, see our complaints procedure for details of how best to make a complaint.

We have a legal obligation to acknowledge receipt of your complaint within 30 days, but we will try to do so within 5 working days.

We will respond to your complaint in full without delay and will, subject to our confidentiality obligations, let you know the outcome.

Where your complaint cannot be resolved quickly, for example, because it raises complex issues, we will keep you informed of our progress.

If your complaint relates to one of our agencies, contact their data protection manager.

We treat all complaints seriously and investigate them thoroughly. If you remain dissatisfied after receiving our response, you have the right to complain to the ICO.

Data protection contacts

Data Protection Officer
Department for Transport
3rd Floor
One Priory Square
Hastings
East Sussex
TN34 1EA

Email: DataProtectionOfficer@dft.gov.uk

Contents