Department for Transport data protection policy
The Department for Transport (DfT) and its executive agencies are a single entity (or ‘data controller’) for the purposes of data protection law. Together we hold personal data on many millions of the UK population, including drivers, vehicle keepers, those taking driving tests, driving instructors, and seafarers. It is therefore very likely that some part of DfT will hold personal information about you.
This policy explains how DfT will comply with data protection law. This includes the General Data Protection Regulation (GDPR), the Law Enforcement Directive, and other provisions contained within the Data Protection Act 2018.
Whilst the policy includes our executive agencies, some of our executive agencies have their own data protection policies which provide more specific information about the steps they take to comply with data protection law.
Transport agencies’ privacy policies
Find out what personal information our agencies handle:
What is personal data?
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.
We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:
- have a legal basis for doing so, and only ask for what we need
- do so in a fair and transparent way, letting you know why we need your information and how we will use it
- use it in the way we said we would and not in a way you wouldn’t expect without letting you know
- ensure that we don’t keep more than we need, for longer than we need
- make sure it is accurate and up-to-date
- make sure nobody has access to it who shouldn’t
- ensure that it is kept safe and secure
Where we process personal data for the purposes of criminal law enforcement, we will clearly categorise individuals so that their role is apparent (such as witness, victim, suspect or convicted criminal) and set out whether the information recorded is opinion or fact. We will also keep detailed logs of how such data is handled.
You can help us by making sure that the information you give us is accurate and by letting us know if it changes. For example, if you change your telephone number or name, or move to a new home, let us know.
What allows DfT to process your personal data
To process personal data, we need to meet one of the following conditions (or legal bases):
- you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
- it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
- it is necessary to meet a legal obligation
- it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
- it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
- it is necessary for our legitimate interests or those of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)
There are further requirements for processing more sensitive, or ‘special category’, personal data.
The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DfT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DfT for different purposes, then the legal basis we rely on in each case may not be the same.
The GDPR sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. DfT will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data. Below we have explained those rights that are most likely to be relevant to the ways in which DfT, as a public authority, processes personal data.
The right to be informed
The right to be informed is a key part of the transparency requirements of data protection law. It includes various categories of information which would normally be provided in what is known as a ‘privacy information notice’.
Where you give us your data directly, you will see a privacy notice from us which will tell you, or provide you with a link to information on:
- which part of DfT as data controller is processing your personal information, and how to contact our Data Protection Officer
- the purpose and legal basis for processing (including details of the legitimate interests where that is the basis)
- where relevant, the categories of recipients with whom the data has been or will be shared, including information about transfers to a third country and the protective safeguards in place where that happens
- how long it will be kept for or the criteria used to determine the retention period
- the rights to which you are entitled and the right to withdraw consent where that is the legal basis for processing
- how to complain
- whether providing personal data is a contractual or statutory requirement, and if so the possible consequences of not providing it
- whether automated decisions which might significantly affect you will take place, and if so information about the logic involved and how it might affect you
Where your personal data was sent to us by a third party, we will aim to provide you with the above information, where relevant, within one month. We will also aim to inform you of the source that the personal data originated from and the types of your personal data that will be used by us. If the data was obtained from a third party for the purposes of communicating with you, we will provide you with the information with our first communication, if this is within a month of us receiving the data. If we intend to share your data onward with another organisation, we will let you know before we do so. See also When we share information.
DfTc processes very little personal data relating to children. Whenever we do have reason to collect or obtain children’s personal data, we take particular care to ensure that the full privacy notice uses language that the target age-group will find easy to understand.
The right of access
You can request copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. Before we can act on your request, you will need to supply proof of your identity. Please be as specific as you can about the information you want and, if it isn’t obvious, explain why you expect us to hold your personal data.
We will usually respond to subject access requests within one month of receipt, but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.
There is no fee for making a subject access request, but charges may be made where someone asks for further copies of information which they have already received, or in exceptional circumstances, such as where a request is clearly unfounded, excessive or repetitive. In such cases, we may also refuse to answer the request. We will advise you of your right to complain to the Information Commissioner or to seek a judicial remedy.
If you would like to make a subject access request, please address it to the part of DfT that is holding your personal data.
Right to object
In certain circumstances, you have the right to object to us processing your personal data. Your objection must be based on your particular situation, and can only be considered where the processing is:
- based on either the legitimate interests or public task condition
- for scientific and/or historical research and statistics purposes, unless the processing is in the public interest
We will consider your objection and unless we are able to provide you with compelling reasons for the processing to continue, or the processing relates to legal claims, we will arrange for the processing to stop.
You also have the right to object at any time to us processing your data for direct marketing purposes (including related profiling). Upon receiving your objection, we will stop any such processing.
Other rights you may have are: a right to rectification if your personal data is inaccurate, a right to erasure, a right to restrict processing, a right to data portability, and rights in relation to automated decision making.
Whilst these rights are unlikely to apply to the kind of processing that DfT routinely carries out, if you think they may apply and want to know more, please refer to the Information Commissioner’s Office website. Any request you make to us to exercise these rights will receive appropriate consideration, within the timescales required by data protection law.
Our privacy information notice
We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. These include:
- maintaining our accounts and records
- consideration and investigation of complaints
- answering queries
- undertaking research
- the provision of education or training
- property management
- corporate administration
- the administration of grants
- the support and management of our staff
- licensing, enforcement and regulatory duties
- crime prevention and prosecution of offenders
- accident investigation and road safety
- traffic and incident management on the strategic road network
When we share information
We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.
A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.
When you write to the department, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.
Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Except as explained here, your correspondence will not be shared outside of government and ALBs without your consent.
In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.
A record of your correspondence will be held by us for at least 3 years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.
The department maintains a number of distribution lists to communicate with its stakeholders. In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list. Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.
The central department has CCTV cameras installed at its sites in London, Derby (RAIB) and Farnborough (AAIB). All cameras are installed for the security of staff, visitors and contractors at DfT sites and also for the protection of DfT properties.
Internal cameras are used:
- for the monitoring of secure areas of buildings
- for the monitoring of pinch points (for example, reception)
- to provide additional security for commercial partners within our buildings
External cameras are used:
- for monitoring activity around DfT buildings/sites
- for enabling remote vehicular access to sites
- to enhance building/site protection outside of normal working hours
All footage is deleted after 30 or 38 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside DfT except in limited circumstances such as where it is necessary to make a disclosure to the police.
Filming and photography
The department uses film and photographs to illustrate the work that we do, to support and promote policy in the public interest. We film individuals in non-intrusive ways where possible, for example, filming crowds from a distance. If you have any concerns about appearing in any footage, please speak to a member of the film crew at the time or contact email@example.com.
We also take photographs to illustrate our work in our official publications and on our social media channels. We aim to avoid using images which could identify members of the public. If you are concerned about a picture of you that we have used in one of our publications, contact us at firstname.lastname@example.org.
Statistics (including Road Traffic Counts and National Travel Survey)
DfT occasionally collects personal data when producing some of our statistics. Whilst the majority of our statistics do not involve the collection of personal data, the use of personal information in our statistics page provides details on those statistics that do. This includes personal data collected as part of our Road Traffic Counts and National Travel Survey and other statistical releases.
Our Data Protection Officer
DfT with its agencies is a single controller under data protection law. Given the size of our organisation, our Data Protection Officer is supported by a team, consisting of data protection managers from each of the agencies. Our ‘Data protection governance policy’ (available on request) explains this more fully.
Our Data Protection Officer and his team inform and advise the department on how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.
You can contact the Data Protection Officer by writing to the following address:
Data Protection Officer
Department for Transport
Sedlescombe Road North
If your query relates to data being processed by one of our executive agencies, please contact the relevant agency direct. This will help to ensure that you receive a prompt response.
Privacy by design
Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA).
We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer or their team will seek advice from the Information Commissioner to help us find the best solution.
The steps we take to keep your data secure
We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.
The training and guidance we give to our staff
All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in-depth training. Staff in our agencies who have access to large volumes of personal data receive training that has been tailored to the agency’s particular business environment.
Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.
As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code - integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.
Data breach notification
The department does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.
Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:
- the contact details of the department’s Data Protection Officer
- the likely consequences of the breach
- details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects
How to make a complaint
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details below.
We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.
Data Protection Officer
Department for Transport
Sedlescombe Road North
If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact the Information Commissioner