Department for Transport data protection policy
The Department for Transport (DfT) and its executive agencies are a single entity (or ‘data controller’) for the purposes of data protection law. Together we hold personal data on many millions of the UK population, including drivers, vehicle keepers, those taking driving tests, driving instructors, and seafarers. It is therefore very likely that some part of DfT will hold personal information about you.
This policy explains how DfT will comply with data protection law. This includes the General Data Protection Regulation (GDPR), the Law Enforcement Directive, and other provisions contained within the Data Protection Act 2018.
Whilst the policy includes our executive agencies, some of our executive agencies have their own data protection policies which provide more specific information about the steps they take to comply with data protection law.
Transport agencies’ privacy policies
Find out what personal information our agencies handle:
What is personal data?
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.
We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:
- have a legal basis for doing so, and only ask for what we need
- do so in a fair and transparent way, letting you know why we need your information and how we will use it
- use it in the way we said we would and not in a way you wouldn’t expect without letting you know
- ensure that we don’t keep more than we need, for longer than we need
- make sure it is accurate and up-to-date
- make sure nobody has access to it who shouldn’t
- ensure that it is kept safe and secure
Where we process personal data for the purposes of criminal law enforcement, we will clearly categorise individuals so that their role is apparent (such as witness, victim, suspect or convicted criminal) and set out whether the information recorded is opinion or fact. We will also keep detailed logs of how such data is handled.
You can help us by making sure that the information you give us is accurate and let us know if it changes. For example, if you change telephone numbers, name or move to a new home, let us know.
What allows DfT to process your personal data
To process personal data, we need to meet one of the following conditions (or legal bases):
- you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent
- it is necessary for a contract you have entered into with us, or a contract that you intend to enter into
- it is necessary to meet a legal obligation
- it is necessary to protect someone’s ‘vital interests’ (a matter of life or death)
- it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)
- it is necessary for our legitimate interests or that of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons for the processing)
There are further requirements for processing more sensitive, or ‘special category’, personal data.
The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DfT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DfT for different purposes, then the legal basis we rely on in each case may not be the same.
The GDPR sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. DfT will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data. Below we have explained those rights that are most likely to be relevant to the ways in which DfT, as a public authority, process personal data.
The right to be informed
The right to be informed is a key part of the transparency requirements of data protection law. It includes various categories of information which would normally be provided in what is known as a ‘privacy information notice’.
Where you give us your data directly, you will see a privacy notice from us which will tell you, or provide you with a link to information on:
- which part of DfT as data controller is processing your personal information, and how to contact our Data Protection Officer
- the purpose and legal basis for processing (including details of the legitimate interests where that is the basis)
- where relevant, the categories of recipients with whom the data has been or will be shared, including information about transfers to a third country and the protective safeguards in place where that happens
- how long it will be kept for or the criteria used to determine the retention period
- the rights to which you are entitled and the right to withdraw consent where that is the legal basis for processing
- how to complain
- whether providing personal data is a contractual or statutory requirement, and if so the possible consequences of not providing it
- whether automated decisions which might significantly affect you will take place, and if so information about the logic involved and how it might affect you
Where your personal data was sent to us by a third party, we will aim to provide you with the above information, where relevant, within one month. We will also aim to inform you of the source that the personal data originated from and the types of your personal data that will be used by us. If the data was obtained from a third party for the purposes of communicating with you, we will provide you with the information with our first communication, if this is within a month of us receiving the data. If we intend to share your data onward with another organisation, we will let you know before we do so. See also When we share information.
The right of access
You can request copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. Before we can act on your request, you will need to supply proof of your identity. Please be as specific as you can about the information you want and, if it isn’t obvious, explain why you expect us to hold your personal data.
We will usually respond to subject access requests within one month of receipt, but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.
There is no fee for making a subject access request, but charges may be made where someone asks for further copies of information which they have already received, or in exceptional circumstances, such as where a request is clearly unfounded, excessive or repetitive. In such cases, we may also refuse to answer the request. We will advise you of your right to complain to the Information Commissioner or to seek a judicial remedy.
If you would like to make a subject access request, please address it to the part of DfT that is holding your personal data.
Right to object
In certain circumstances, you have the right to object to us processing your personal data. Your objection must be based on your particular situation, and can only be considered where the processing is:
- based on either the legitimate interests or public task condition
- for scientific and/or historical research and statistics purposes, unless the processing is in the public interest
We will consider your objection and unless we are able to provide you with compelling reasons for the processing to continue, or the processing relates to legal claims, we will arrange for the processing to stop.
You also have the right to object at any time to us processing your data for direct marketing purposes (including related profiling). Upon receiving your objection, we will stop any such processing.
Other rights you may have are: a right to rectification if your personal data is inaccurate, a right to erasure, a right to restrict processing, a right to data portability, and rights in relation to automated decision making.
Whilst these rights are unlikely to apply to the kind of processing that DfT routinely carries out, if you think they may apply and want to know more, please refer to the Information Commissioner’s Office website. Any request you make to us to exercise these rights will receive appropriate consideration, within the timescales required by data protection law.
Our privacy information notice
We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. These include:
- maintaining our accounts and records
- consideration and investigation of complaints
- answering queries
- undertaking research
- the provision of education or training
- property management
- corporate administration
- the administration of grants
- the support and management of our staff
- licensing, enforcement and regulatory duties
- crime prevention and prosecution of offenders
- accident investigation and road safety
- traffic and incident management on the strategic road network
When we share information
We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.
A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.
When you write to the department, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a government department to be accountable and transparent about the functions and policies that we are responsible for.
Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Except as explained here, your correspondence will not be shared outside of government and ALBs without your consent.
In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the department will use your personal data as necessary to comply with those laws. We may need to consult with other departments where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of central government for consultation, any information that identifies you will not be shared.
A record of your correspondence will be held by us for at least 3 years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.
The department maintains a number of distribution lists to communicate with its stakeholders. In most cases this is to enable us to function efficiently as a government department. In some cases, where the use of a distribution list does not relate to the performance of our tasks, we may use it as necessary for our legitimate interests. In such cases, we have had regard to the rights and freedoms of those whose names are included on the list. Each list will be used only for the purpose that the individuals on the list were informed about at the time their information was collected by us.
The central department has CCTV cameras installed at its sites in London, Derby (RAIB) and Farnborough (AAIB). All cameras are installed for the security of staff, visitors and contractors at DfT sites and also for the protection of DfT properties.
Internal cameras are used:
- for the monitoring of secure areas of buildings
- for the monitoring of pinch points (eg reception)
- to provide additional security for commercial partners within our buildings
External cameras are used:
- for monitoring activity around DfT buildings / sites
- for enabling remote vehicular access to sites
- to enhance building/site protection outside of normal working hours
All footage is deleted after 30 or 38 days unless there is an overriding reason which means it should be retained. Footage will not be shared outside DfT except in limited circumstances such as where it is necessary to make a disclosure to the police.
Road Traffic Counts
Confidentiality and data protection
The Department for Transport carries out traffic counts in the public interest in order to produce the official Road Traffic Statistics for Great Britain. The traffic counts themselves are not personal data, as the simple counts of vehicles by type do not include any information which could be used to identify an individual. However, in the course of carrying out the counts some personal data may be collected and DfT is the data controller for this personal information.
What personal information is collected?
DfT collects road traffic data through 2 contracts – the National Road Traffic Census (NRTC) of roadside traffic counts and an Automated Traffic Counter (ATC) network. Both of these may from time to time capture personal data as set out below.
Most NRTC traffic counts are carried out manually by people positioned at the roadside. However, where it is not safe or practical to carry out counts this way, the traffic is recorded on video and counted later in the office. Generally the video is not detailed enough to recognise individual vehicles, but it is possible that in some cases a registration mark, vehicle passenger or a distinctive vehicle might be recognisable. The time and location of the video footage is also recorded.
In order to manage the NRTC counts and ensure their quality, the contractor is required to take photos of each traffic count location, including photos of the count under way.
In order to manage the ATC network, and ensure it is being maintained properly, the ATC network maintenance contractor is required to take photos of the road layout at each ATC, and details of the ATC equipment, during routine site inspections and at other times when maintenance is required.
In order to test or develop improved counting methods, tests are occasionally carried out using video cameras and automatic number-plate recognition (ANPR), including timestamps, location and direction of travel, in order to compare these results with other types of traffic counting. The duration of such tests is typically only a few hours, and the collection equipment is only installed for the duration of the test.
In all cases, the contractors are required to avoid capturing members of the public or other personal information, such as vehicle registrations or property details, as far as possible in the images they take, but it will not be possible to avoid this altogether.
Who has access to the data?
DfT has appointed Q-Free UK Limited to manage the ATC network.
WSP UK Limited have been appointed to manage the National Road Traffic Census, supported by 4 suppliers who carry out the NRTC roadside traffic counts: Intelligent Data Collection, Nationwide Data Collection, Tracsis and WSP Transportation Data Collection Team.
These organisations are all data processors for the contract they work on.
The data is also accessible to the teams at DfT processing the traffic count results.
What will happen to the data?
The data is retained by the contractor for the duration of the contract (current contracts have a maximum length of 5 years). Within one year from termination of the contract, the data is securely transferred to the DfT, where it is retained for research purposes, to ensure that the official road traffic statistics series can be managed, updated and analysed on a consistent basis. The contractor must securely destroy all copies of the data in their possession within one year of termination of the contract, and after its transfer to DfT.
DfT may share selected data with contractors undertaking similar data collection work for it in the future to ensure continuity of service, and consistency with the traffic counts previously undertaken.
DfT may share selected data with organisations for research purposes. Each case will be carefully judged on its individual merits, balancing the potential benefits of the research against any potential risks to individuals from the sharing of data.
National Travel Survey
Who carries out the survey?
The survey is commissioned by the Department for Transport and the surveys completed by experienced research interviewers from the National Centre for Social Research (NatCen).
How are people chosen for the survey?
NatCen select a random sample of addresses from a list of all addresses in England, kept by the Post Office. This is to make sure that the survey represents the whole country. The findings do not identify individuals or families because names and addresses are not passed to anyone outside the National Centre for Social Research.
Do we still interview people who do not travel very often?
We are interested in individuals’ daily experience of travel – however much or little they do. The results are used to look at how travelling changes over time, and to make decisions about the future. We need information from a wide range of people including those in or out of work, children, young people and the elderly. Otherwise we will not get a true picture of travel. The study provides current information about travel which cannot be collected in any other way.
What kinds of travel are covered by the survey?
We are interested in all the different types of journey people make and how often they do so. This includes journeys to school or work, shopping trips and trips for leisure or social purposes. Both local and long-distance travel are covered, as are all forms of transport (such as cars, buses, trains, cycling and walking).
What is the survey used for?
The National Travel Survey is used to build up a picture of how and why different kinds of people travel. The data are collected for reasons of wider public interest. The information is anonymised and used by local and national government, as well as by consultants, academics, pressure groups and charities. In addition a set of anonymised data are deposited at the UK Data Service and the Office for National Statistics Secure Research Service for use by approved researchers.
Some of the specific uses of the survey include studying school children’s travel, monitoring road accidents, predicting future traffic levels and finding out the transport needs of minority groups.
What will happen to any information given?
We treat information in the strictest confidence under current data protection legislation. The results are used for statistical purposes only. Personal details will only be known to the teams processing the survey results at National Centre for Social Research and the Department for Transport. Personal data will be stored securely and retained until no longer required by the Department for Transport. We will never pass on personal details to anyone else.
Participation in this research is not compulsory and people have the right to withdraw at any stage.
To lodge a complaint about the way the survey has been conducted please contact the National Centre for Social Research on firstname.lastname@example.org or 0800 652 4568, quoting the reference number printed on the advance letter. If we’re not able to resolve a complaint, the next step is to contact the Social Research Association.
Our Data Protection Officer
DfT with its agencies is a single controller under data protection law. Given the size of our organisation, our Data Protection Officer is supported by a team, consisting of data protection managers from each of the agencies. Our ‘Data protection governance policy’ (available on request) explains this more fully.
Our Data Protection Officer and his team inform and advise the department in how to comply with data protection law. They monitor and promote compliance, for example by providing advice on DPIAs, and arranging audits and staff training. They act as your first point of contact, and lead on any communications with the Information Commissioner’s Office.
You can contact the Data Protection Officer by writing to the following address:
Data Protection Officer
Department for Transport
Sedlescombe Road North
If your query relates to data being processed by one of our executive agencies, please contact the relevant agency direct. This will help to ensure that you receive a prompt response.
Privacy by design
Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA).
We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, our Data Protection Officer or their team will seek advice from the Information Commissioner to help us find the best solution.
The steps we take to keep your data secure
We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.
The training and guidance we give to our staff
All of our staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in depth training. Staff in our agencies who have access to large volumes of personal data receive training that has been tailored to the agency’s particular business environment.
Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.
As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code - integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.
Data breach notification
The department does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.
Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:
- the contact details of the department’s Data Protection Officer
- the likely consequences of the breach
- details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects
How to make a complaint
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details below.
We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.
Data Protection Officer
Department for Transport
Sedlescombe Road North
If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact: