Personal information charter

This charter sets out the standards you can expect when you supply us with your personal information when you contact HM Treasury.

We treat all personal information provided to us in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

For the purpose of UK data protection legislation, the data controller for personal data received in correspondence is HM Treasury and, for the purpose of this charter, the term correspondence applies to written letters, emails and telephone calls.

Data Subjects

Personal information we receive may identify (but is not limited to) the following categories of data subject:

  • members of the public
  • individuals writing on behalf of businesses or organisations
  • Members of Parliament
  • Peers
  • Members of the European Parliament
  • members of the devolved administrations
  • individuals submitting requests for information under the Freedom of Information Act (the FOI Act), the Environmental Information Regulations (EIRs) and Data Subject Access Requests (under the UK GDPR)
  • ex-members of staff
  • personal data relating to third parties, submitted to us by any of the above (or others) as part of the correspondence process

The personal data we process

Correspondence we receive tends to include (but is not limited to) the following personal data relating to correspondents:

  • name
  • address
  • email address
  • telephone number; and may include
  • other miscellaneous personal data

When an individual makes a data subject access request to us, it is usually necessary for us to confirm their identity to ensure their request is genuine. We usually seek conformation of the requestor’s identification by requesting scanned copies of the relevant parts of their:

  • passport or driving licence; and
  • a recent utility or council tax bill

The purpose for processing personal data

Personal information is processed for the purpose of undertaking a public task, which is to ensure that you receive a response to correspondence within set timeframes for:

  • Environmental Information Regulations (EIR) requests
  • Data Subject Access Requests (DSARs)
  • Freedom of Information (FoI) requests
  • general correspondence and enquiries
  • internal reporting and analysis

Lawful basis for the processing of personal data

The lawful basis for our processing of personal data for the management of correspondence is that it is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR).

The lawful basis for our processing of personal data for the management of EIRs, DSARs and FOI requests is Article 6(1)(c), compliance with a legal obligation to which we are subject.

Special category data

HM Treasury does not routinely request special category data for the purpose of responding to correspondence. If it is necessary for a correspondent to provide us with their special category data, our lawful basis for processing this will be because it is necessary for reasons of substantial public interest for the exercise of a function of this department (Article 9(g) UK GDPR, in conjunction with paragraph 6, Schedule 1 Pt 2 DPA 2018).

Who we share data with

We will only share personal data with those who need to see it as part of the correspondence process. We sometimes need to share or transfer correspondence to other organisations, in order for them to provide a suitable response or to help us manage our own responses effectively. These organisations might include other government departments (including non-ministerial departments), agencies, public bodies and devolved administrations.

Full list of government departments, agencies and public bodies

If we receive correspondence or communication which we consider threatening in nature or suggests a possible risk to you or a third party, we will share this correspondence (along with your personal data), with relevant law enforcement bodies.

Personal information appearing in correspondence is stored by:

  • Fivium – HM Treasury’s case management service provider
  • NTT – HM Treasury’s IT infrastructure service and public enquiry line provider
  • Centerprise International – HMT Treasury’s IT infrastructure service
  • CEOX – HM Treasury’s IT infrastructure service
  • The Contact Company – HM Treasury’s Public Enquiry Line and Switchboard service provider
  • Smart-Survey - HM Treasury’s IT infrastructure service

Our contractors will only process personal data for our purposes and in fulfilment with the contractual obligations they have with us.


We will retain your personal data for as long as it is needed for our business purposes and in line with the periods outlined below, after which time they will be securely destroyed unless needed to fulfil additional requirements in respect of the public task or legal obligations, for example information needed for inquiries or legal proceedings.

Correspondence Type Retention Period
EIR requests 3 years
DSAR requests 6 years
FoI requests 3 years
Ministerial correspondence 6 years
Official correspondence and telephone enquiries 3 years

Official Documents sent to HM Treasury

We ask that you do not send us original documents such as a birth certificate, death certificate, passport or driving licence etc. We will not return any original documents, and these will be destroyed on the basis that we do not wish to store them.

Your rights

With regard to this activity, you have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted

A full list of your data protection rights can be found on the Information Commissioner’s Office website.

To exercise any of the above rights, please contact:

Data Protection Team
The Information Rights Unit
HM Treasury
Ground Orange
1 Horse Guards Road
London SW1A 2HQ


If you consider that your personal data has been misused or mishandled, please contact our Data Protection Officer in the first instance at

If you remain unsatisfied with our response to your complaint, you have the right to contact the Information Commissioner’s Office at or via the website.