Personal information charter
This information charter sets out the standards you can expect from HM Treasury (HMT) when we collect, hold, or use your personal information.
Introduction
We (HMT) will treat all personal information in accordance with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).
When we collect, hold, use, or otherwise process your personal data you are entitled – unless an exemption applies - to be told:
-
the purpose(s) for which the data is being used and our lawful basis for processing it
-
how long we will keep your data and who we will share it with
-
whether it will be transferred to, or accessed from, outside the UK and what legal safeguards are in place to protect it
-
about any rights you may have, including the right to access your information, or to object to our use of your data
-
about the identity of our Data Protection Officer (an independent adviser on data protection matters) and their contact details
-
about your right to complain to the Information Commissioner if you feel that your personal information has been mishandled.
We have legal obligations tied to your personal information including:
-
to keep it protected and secure
-
to take reasonable steps to check the accuracy of your personal data and keep it up-to-date
-
not to use your personal information for any purpose that conflicts with the original reason for which your information was collected
-
to keep your personal information only for as long as it is needed for the purpose(s) for which it was collected (unless it must be kept as part of the historic record).
Our Privacy Notices give more information on how HMT processes personal data.
Your data protection / information rights
When we use your personal data, you have some rights under data protection legislation. We have provided some general information on data protection rights below. Please be aware that the rights available to you can vary based on our lawful basis for using your personal data. For information on which rights apply to a given activity you should refer to the related Privacy Notice.
Right of access
You have the right to ask us for copies of personal information we process about you. This right always applies but there are some exemptions that mean you might not always receive all the information we process.
Your right to rectification
You have the right to ask us to rectify personal information we hold about you that you think is inaccurate or incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances for example where accuracy is contested.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.
How to exercise your information rights (including access)
You can exercise your information rights - including requesting a copy of personal data that HMT holds about you - by contacting DSAR@HMTreasury.gov.uk or the postal address below. You will not be charged to exercise your information rights.
You can help us to process your request more effectively by explaining what information you think HMT holds about you. We will usually need to verify your identity before we can provide you with personal data, as such, you can assist us in actioning your request quickly by providing:
-
proof of identification (such as a copy of a passport or picture driving license) and
-
proof of address (such as copy of a bank statement or utility bill).
Please do not send original documents to us, copies or digital versions are sufficient.
Postal address for Information Rights
Data Protection Team
Treasury Business Solutions
1 Horse Guards Road
Westminster
London
SW1A 2HQ
Data Protection Officer/ Complaints
The Data Protection Officer (DPO) provides independent advice and monitoring of HMT’s compliance with data protection legislation. If you have any questions or concerns about how the department is handling your personal data, you can contact the department’s DPO at the following email or postal address:
HMT Data Protection Officer (DPO)
Treasury Business Solutions
1 Horse Guards Road
Westminster
London
SW1A 2HQ
We will acknowledge receipt of a complaint about your own personal data within 30 days, and take appropriate steps to respond, and provide an outcome, without undue delay.
If we are unable to address your concerns to your satisfaction, you have the right to make a complaint to the Information Commissioner via their website.
Artificial Intelligence
We use Artificial Intelligence (AI) tools to support our work and improve efficiencies in departmental functions. These tools assist staff with tasks such as summarising documents, drafting content, searching records, and analysing data. In some cases, this will involve processing personal data.
The AI tools are securely hosted and we take appropriate steps to assure our use of AI meets relevant data protection requirements and ethical professional standards. Our use of AI does not replace human judgement and is not used to make automated decisions.
Where a personal data processing activity involves the routine use of AI, we will provide further transparency within the activity-specific Privacy Notice.
Privacy Notices
The privacy notices listed below explain in more detail how we will handle your data in specific circumstances. HMT’s privacy notices also set out how the department will protect any special category and criminal convictions personal data that is processed as part of the activity:
Corporate:
Ministerial and Communications
Public Services
National Infrastructure and Services Transformation Authority
-
IPA cross-government transformation community privacy notice
-
Privacy notice for Government Major Projects Portfolio (GMPP)
-
Project Delivery Profession and Standards Team privacy notice