Department for Transport data protection policy
The Department for Transport (DfT) and its executive agencies are a single entity (or ‘data controller’) for the purposes of data protection law. Together we hold personal data on many millions of the UK population, including drivers, vehicle keepers, those taking driving tests, driving instructors, and seafarers. It is therefore very likely that some part of DfT will hold personal information about you.
This policy explains how DfT will comply with data protection law. This includes the UK General Data Protection Regulation (UK GDPR) and other provisions contained within the Data Protection Act 2018 including law enforcement.
Whilst the policy includes our executive agencies, some of our executive agencies have their own data protection policies which provide more specific information about the steps they take to comply with data protection law.
Transport agencies’ privacy policies
Find out what personal information our agencies handle:
What is personal data?
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.
We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:
- have a legal basis for doing so, and only ask for what we need
- do so in a fair and transparent way, letting you know why we need your information and how we will use it
- use it in the way we said we would and not in a way you wouldn’t expect without letting you know
- ensure that we don’t keep more than we need, for longer than we need
- make sure it is accurate and up-to-date
- make sure nobody has access to it who shouldn’t
- ensure that it is kept safe and secure
Where we process personal data for the purposes of criminal law enforcement, we will clearly categorise individuals so that their role is apparent (such as witness, victim, suspect or convicted criminal) and set out whether the information recorded is opinion or fact. We will also keep detailed logs of how such data is handled.
You can help us by making sure that the information you give us is accurate and let us know if it changes. For example, if you change telephone numbers, name or move to a new home, let us know.
What allows DfT to process your personal data
To process personal data, we need to meet one of the following conditions (or legal bases):
- you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
- it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
- it is necessary to meet a legal obligation
- it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
- it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
- it is necessary for our legitimate interests or that of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)
There are further requirements for processing more sensitive, or ‘special category’, personal data.
The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DfT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DfT for different purposes, then the legal basis we rely on in each case may not be the same.
UK data protection legislation sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. DfT will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.
Any request to exercise these rights should be made directly to DfT or one of our executive agencies, as appropriate.
We cannot respond to requests made by third parties such as online portals unless we are able to verify your identity and be satisfied that the third party is acting with your authority. If you use an online portal that does not meet these requirements, your request will be rejected. Where possible, it is always quicker to make your request direct to us.
Our privacy information notice
We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. These include:
- maintaining our accounts and records
- consideration and investigation of complaints
- answering queries
- undertaking research
- the provision of education or training
- property management
- corporate administration
- the administration of grants
- the support and management of our staff
- licensing, enforcement and regulatory duties
- crime prevention and prosecution of offenders
- accident investigation and road safety
- traffic and incident management on the strategic road network
When we share information
We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.
A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.
Online forms and surveys
The online form and survey privacy notice covers the collection of personal information by forms, surveys and other types of services completed online.
Recording of DfT hosted meetings
DfT will only record meetings where it considers that it has a legitimate interest in doing so.
The meeting organiser will tell you if the meeting is to be recorded. They will let you know the purpose and how the recording will be used after the meeting. If they intend to share the recording with third parties, they will give you the details.
If you do not want to be recorded, let the meeting organiser know before the meeting. During the meeting turn off your camera. Also turn off your microphone if you do not want your voice to be recorded. If you turn off both your camera and microphone, you will still be able to participate in the meeting by using the chat bar. Comments you make in the chat bar will be attributable to you, just as they would in any other business meeting.
Unless told otherwise, you can expect our recordings to be deleted after 30 days.
When you write to the department, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.
Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Except as explained here, your correspondence will not be shared outside of government and ALBs without your consent.
In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.
A record of your correspondence will be held by us for at least 3 years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.
The department maintains a number of distribution lists to communicate with its stakeholders. In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list. Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.
The central department has CCTV cameras installed at its sites in London, Derby (RAIB) and Farnborough (AAIB). All cameras are installed for the security of staff, visitors and contractors at DfT sites and also for the protection of DfT properties.
Internal cameras are used:
- for the monitoring of secure areas of buildings
- for the monitoring of pinch points (for example, reception)
- to provide additional security for commercial partners within our buildings
External cameras are used:
- for monitoring activity around DfT buildings / sites
- for enabling remote vehicular access to sites
- to enhance building/site protection outside of normal working hours
All footage is deleted after 30 or 38 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside DfT except in limited circumstances such as where it is necessary to make a disclosure to the police.
Filming and photography
The department uses film and photographs to illustrate the work that we do, to support and promote policy in the public interest. We film individuals in non-intrusive ways where possible, for example, filming crowds from a distance. If you have any concerns about appearing in any footage, please speak to a member of the film crew at the time or contact firstname.lastname@example.org.
We also take photographs to illustrate our work in our official publications and on our social media channels. We aim to avoid using images which could identify members of the public. If you are concerned about a picture of you that we have used in one of our publications contact us at email@example.com.
Statistics (including Road Traffic Counts and National Travel Survey)
DfT occasionally collects personal data when producing some of our statistics. Whilst the majority of our statistics do not involve the collection of personal data, the use of personal information in our statistics page provides details on those statistics that do. This includes personal data collected as part of our Road Traffic Counts and National Travel Survey and other statistical releases.
Our Data Protection Officer
DfT with its agencies is a single controller under data protection law. Given the size of our organisation, our Data Protection Officer is supported by a team, consisting of data protection managers from each of the agencies. Our ‘Data protection governance policy’ (available on request) explains this more fully.
Our Data Protection Officer and his team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.
You can contact the Data Protection Officer by writing to the following address:
Data Protection Officer
Department for Transport
One Priory Square
If your query relates to data being processed by one of our executive agencies, please contact the relevant agency direct. This will help to ensure that you receive a prompt response.
Privacy by design
Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA).
We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer or their team will seek advice from the Information Commissioner to help us find the best solution.
The steps we take to keep your data secure
We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.
The training and guidance we give to our staff
All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in depth training. Staff in our agencies who have access to large volumes of personal data receive training that has been tailored to the agency’s particular business environment.
Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.
As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code - integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.
Data breach notification
The department does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.
Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:
- the contact details of the department’s Data Protection Officer
- the likely consequences of the breach
- details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects
How to make a complaint
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details below.
We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.
Data Protection Officer
Department for Transport
One Priory Square
If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact the Information Commissioner