Personal information charter
Our standards for requesting or storing personal information.
Introduction
This personal information charter sets out what you can expect from the Marine Management Organisation (The MMO, we, our) when we ask for, hold, or use, your personal data.
It is provided as an overview of how we process and use the personal data we collect in order to deliver our public, regulatory and business services. It is not intended as a fully comprehensive description of every data processing activity we undertake; further detail on how we process personal data in relation to individual activities or services is provided in our supporting privacy notices as detailed below.
The statutory duties of the MMO are specified in the Marine and Coastal Access Act of 2009, the Fisheries Act of 2020 and other associated legislation as referred to in those Acts.
This personal information charter also details your individual rights when we process your data and who to contact in relation to these rights and our use of your information.
Who collects your personal data
The MMO is the controller for the data you provide in order to deliver our public, regulatory, and business services.
MMO is an executive non-departmental public body, sponsored by the Department for Environment, Food & Rural Affairs (Defra).
The MMO is a registered data controller with the independent regulator, the Information Commissioner’s Office (ICO). Our unique registration number is Z2205091.
If you need further information about how we use your personal data, and your associated rights, you can contact the MMO Data Protection Manager.
You can also contact the Data Protection Officer (DPO) for the Defra group, who is responsible for checking that we comply with data protection legislation.
Full contact details are provided in the How to Contact Us section of this Charter.
What you can expect from us and what we expect of you
We need to handle personal data about you in order to deliver our public, regulatory and business services.
The Marine Management Organisation is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law by the Data Protection Legislation, which is the collective term for the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
We follow the ICO’s recommendations when informing people about their rights, follow their accountability framework and review our compliance with data protection law every year.
We must provide you with information showing how we process your personal data. This is set out below and in supporting documents (privacy notices) which provide more detail on specific functions:
- Our customer Privacy Notices provide specific information on our public facing tasks
- Our Privacy Notice for Employees, Workers and Contractors
This applies to any MMO website, application, product, software, or service that links to it (collectively, our ‘Services’). A Service will link directly to a specific Privacy Notice that shows the particular privacy practices of that Service.
High standards in handling personal data are important to us because they help us keep the confidence of everyone who deals with us.
So, when we ask you for personal data, we will process your personal data in line with our privacy notices. When we make changes, we will update the relevant Privacy Notice and do our best to let you know.
In return, we ask you to:
- provide us with accurate information
- tell us as soon as possible if there are any changes, such as a new address
- let us know, at time of writing, if you would like your correspondence or enclosed documents returned to you
This helps us to keep your personal data reliable and up to date, and ensures your correspondence is returned if requested.
If you’ve included personal data about other people in your records, you must tell them. You must provide them with a copy of our privacy notices so that they know how their personal data will be used.
What personal data we collect and how
Personal data is information which identifies a living individual directly or indirectly, particularly by using an identifier such as their name or a reference number.
Some personal data is more sensitive and needs more careful handling, referred to as ‘special categories of personal data’.
The personal information we collect is that which individuals provide to the organisation via direct engagement as well as information provided to us by third parties in the course of regulatory activities. This includes, but is not limited to, information provided via:
- Consultation and survey responses
- Complaints, enquiries and feedback
- Job applications and employee activity
- Applications for funding
- Applications for licences
- Investigations, monitoring and enforcement activities
The types of personal data that we processes will depend on the contact that you have with us. Types of personal data that we process include:
- name and contact details
- family, lifestyle and social circumstances
- financial details
- employment and education details
- goods or services provided
- education and training details
- sound and visual images
- licenses or permits held
- complaints
- information relating to health and safety
- your opinions or views
- location data
We process sensitive, or ‘special category’ information that may, where necessary include:
- physical or mental health details
- racial or ethnic origin
- political, religious or other beliefs of a similar nature
- trade union membership
- sexual life
- genetic data
- biometric data
We also process information relating to criminal convictions and offences including:
- offences and alleged offences
- criminal proceedings, outcomes and sentences
- criminal intelligence
We have associated Appropriate Policy Documents for processing Special Category Personal Data and Criminal Offence Data.
How we use your personal data
We process your personal information in several ways to deliver our public, regulatory and business services. These purposes include:
- Performing our statutory functions which include, but are not limited to, marine planning; marine licensing; fisheries management; conservation; responding to marine emergencies; investigations; monitoring and enforcement
- Processing requests and delivering services requested from us by members of the public
- Sending requested information to individuals.
- Sending information update bulletins
- Auditing the usage of our website
- Complying with our employment-related obligations to our staff and contractors
- Complying with other legal obligations including fraud prevention and crime prevention
At the point of collection we will aim to inform you, via our supporting Privacy Notices, of the reason(s) we need your information, how your information is being collected, what we will do with it and who we will share it with.
In some cases, we may pass it on to our service providers, agents or representatives to do these things on our behalf.
The lawful basis under which we process personal data will be defined at the point of collection in the relevant privacy notice.
MMO primarily processes personal data on the lawful basis that it is necessary for the performance of a task carried out in the public interest.
Where processing is based on your consent, it will be specified in the relevant privacy notice, and you have the right to withdraw that consent at any time.
How we use personal data for law enforcement purposes
We license and regulate marine activities and investigate offences. As part of our role as environmental regulator, we process personal data under Part 3 of the Data Protection Act 2018 to:
- detect and prevent crime
- take enforcement action
- prosecute and apprehend offenders
Where MMO processes any personal data in relation to criminal offences or investigations, this is usually done so under Part 3 of the Data Protection Act. We may collect and process additional personal data about you when investigating alleged offences as a data controller and complying with our legislative requirements. This may include special category personal data, such as health or ethnic origin, where it is necessary for our law enforcement purposes.
If we process your personal data for law enforcement purposes, we:
- may include it in press releases about prosecutions
- will not disclose it to any other party without your explicit consent unless it is lawful to do so
- do not use it to make an automated decision or for automated profiling
- retain it in line with our retention schedule - this takes into account the type, content and sensitivity of your personal data
Legislation governs our activities as an environmental regulator. This gives us authority to investigate suspected or alleged offending. Our lawful basis for processing your personal data under the data protection legislation is that it is necessary for performing tasks carried out for law enforcement purposes as a competent authority.
The MMO qualifies as a competent authority by virtue of its statutory functions as set out in the Marine and Coastal Access Act 2009 and the Fisheries Act 2020.
Who we share your personal data with
We only share or disclose personal data where we are required or permitted to so by law, or to provide services to fulfil our statutory duties and public tasks. This means the legislative requirements MMO has to meet, assurance activity such as counter-fraud measures, or where we are legally permitted to do so to protect the rights or safety of others. We also share data about compliance functions MMO shares with other public bodies, or to support the functions other public bodies do to meet their public tasks. In some cases, we may use third parties to process data on our behalf or run projects in conjunction with other organisations.
Where we know there is a requirement to share your personal data, we will aim to tell you, through privacy notices, why and who we will share your personal data with. We will ensure that the data controller or data processor agrees to handle your personal data in accordance with your rights.
We may also share your information with the Devolved Fishing Administrations, Inshore Fisheries and Conservation Authorities (IFCAs), Department for Environment, Food & Rural Affairs (Defra), Centre for Environment, Fisheries and Aquaculture Science (Cefas) and other organisations as set out in our Privacy Notices. The lists are not exhaustive but identify the regular sharing relationships. Ad-hoc or irregular sharing will only be considered if fully complying with data protection legislation. We do not need your consent to share if that party is carrying out a public function or complies with an identified exemption within the UK GDPR or DPA 2018.
When we publish personal data
We may be under an obligation to publish personal information on a public register. We will tell you if this applies to your personal information in the relevant privacy notice.
As a public body we are required to be transparent, for example about the use of money. In some cases, this may require the publication of personal data on a public register. Personal data published in these cases will balance the needs for transparency compared to your privacy rights.
Examples where we publish personal data are:
- senior executive salaries
- public registers such as the marine licensing register
- publication of information related to recipients of public funding such as grants
We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000 if data protection laws allow. Anonymous or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.
How long we keep your personal data
We will retain personal information in line with the period outlined at the time the information is collected, and only for as long as it necessary to do so. As an executive non-departmental public body, we retain personal data for assorted reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are set in line with statutory, regulatory, legal, or security reasons, or for their historic value as outlined in the Public Records Act.
Information on retention is included in our Privacy Notices, but may be extended on a case-by-case basis if it is necessary to carry out a task as is required of the data controller or that is in the public interest.
Examples of this include appeal, audit activity, complaint, irregularity, historic value as determined by the Public Records Act, legal action, a formal request for information, or if it sets a precedent.
In these cases, access to and processing of this information will be limited to this specific use and, where possible, personal data redacted or its access restricted.
We employ several measures such as encryption, access controls and information management training for our staff to ensure that personal information is kept safe and secure both during the time we process it and when we dispose of it.
What happens if you do not provide your personal data
If you do not supply the requested personal data, it is likely that the service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example, not complying with specific legislation.
We try to ensure that we only collect the minimum personal data that is necessary for us to offer the service(s) to you.
Use of automated decision-making or profiling
Your personal data is mainly processed by relying on decision making by human involvement. In some cases, your personal data may be subject to automated decision making. You will be informed via the relevant privacy notices where this applies, including profiling, and the expected consequences of such processing.
Where your personal data is subject to solely automated decision making or profiling that has a legal or similarly significant effect on you, you have the right to request human intervention, express your opinion, and challenge such a decision.
Use of artificial intelligence (AI)
In some cases, your personal data may be processed using artificial intelligence (AI). Where AI processing is being considered, data protection impact assessment screening questions are compulsory and the processing of personal data by AI will only be permitted where alignment with the data protection legislation can be evidenced, and appropriate safeguards are in place to protect your rights and freedoms.
If your personal data may be processed using AI, the relevant privacy notice(s) will reflect this to ensure transparency.
Transfer of your personal data outside of the United Kingdom
MMO will only transfer your personal data to another country that is deemed adequate for data protection purposes, or where one of the appropriate safeguards referred to under the data protection legislation have been put in place to ensure the relevant protections under the UK data protection regime will not be undermined.
The European Union (EU) has formally recognised the UK’s data protection standards and granted the UK adequacy status to allow the flow of personal data between the UK and the European Economic Area (EEA). You can find more information about adequacy, and the adequacy decisions in respect of the UK, on the ICO website.
In most cases, your personal data will not be transferred or stored outside of the UK or the European Economic Area. If your personal data is processed outside the UK or the EEA, we will aim to inform you of this and the additional safeguards that are in place via the relevant privacy notices.
For further information or to obtain a copy of the appropriate safeguard for any transfers, please contact us.
Your rights
Individuals have several rights under the data protection legislation. For example, you have the right to be informed about the collection and use of your personal information. Some information is provided in this charter, such as your individual rights and how to contact us. We will also provide specific privacy information to you when we collect your personal information (or as soon as possible if we obtain your data from another source).
Under the legislation, depending on the circumstances by which data is processed, you also have the right to:
- ask us for a copy of the personal information we hold about you – a ‘subject access request’
- challenge the accuracy of personal information we hold about you and ask us to correct it, delete it or complete it by adding more details
- ask us to delete personal information we hold about you
- request that we limit how we use your personal information
- ask us to transfer your personal information to another organisation, or provide it to you in a machine-readable format
- object to us using your personal information
- prevent us from using automated decision making
Some rights only apply in certain circumstances, and sometimes an exemption may apply which prevents us from fulfilling your request.
Information about each of your individual rights under the Data Protection Legislation and where these apply is provided in more detail on the ICO website.
You can contact us to find out how to exercise any of your information rights and which rights apply to personal information we hold about you.
Where personal information processed for law enforcement purposes, an individual’s rights are slightly different. Please refer to the ICO website for further information.
What to do if your details are inaccurate or incomplete
If you discover that the personal data we hold about you is inaccurate, or incomplete, please contact us so that we can update your records.
When doing so, please explain where you have seen this data, and what it is that you feel is inaccurate or incomplete. We will aim to respond to you within one month but may extend this period by a further 2 months, if the request is complex.
Where we maintain that the original personal data held was accurate, we will explain why this is. If you do not agree with our decision, you can ask us to reconsider, or you have the right to complain directly to the Information Commissioner’s Office (ICO) as detailed in this Charter.
How to ask to see the personal data we hold on you
You can ask to see what data we hold about you. This is called a ‘subject access request’. You can contact us directly or, alternatively, you can complete the form on the Information Commissioner’s Office website if you prefer.
On receipt of your request, we will acknowledge it and may ask for proof of your identity.
When you ask to see personal data we hold, it is helpful to include as much information on your request as possible to help us find the data you want. For example, tell us the functions, schemes, transactions and date range that you want to know about.
We will aim to respond within one month but may extend this period by a further 2 months, if the request is complex.
For general enquiries, contact the team you are already communicating with. However, if they cannot help you further, or you wish to formally request your personal information, please use the contact details below.
Withdrawing your consent or request your personal data be deleted
If we process your data based upon consent, it will be specified in the relevant privacy notice and you have the right to withdraw that consent at any time. As a general rule, consent is obtained for a specific purpose and you will have explicitly opted in to the use of your data for this purpose.
In most cases, we process personal data on the legal basis of a task carried out in the public interest. This does not require consent and thus has no automatic right to withdraw it.
In these circumstances, you have the right to request that we stop processing your personal data and that we delete the personal data that we hold at any time.
However, we may not be able to agree to your request should the data be required to comply with a legal obligation, performance of a contract, public interest task or exercise of official authority.
We may also refuse your request for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes.
Where this is the case, we will advise you of this.
We may hold and make your data anonymous for data analysis before we delete it.
How to contact us
For day-to-day use, please contact the team you are already communicating with. They are best placed to manage general enquiries, to update the accuracy of your personal data, or provide you with information.
However, if they cannot help you, you wish make a formal request under your aforementioned rights, or you have a complaint about how your data is being handled, please email dataprotection@marinemanagement.org.uk or write to us at the address below, marking your communication for the attention of the Data Protection Manager.
Marine Management Organisation
Tyneside House
Skinnerburn Road
Newcastle Upon Tyne
NE4 7YH
You can also contact the Data Protection Officer for the Department for Environment, Food & Rural Affairs (Defra) Group at the following address:
Defra Group Data Protection Officer
Department for Environment, Food and Rural Affairs
2nd Floor
Seacole Building
2 Marsham Street
London
SW1P 4DF
Email: DefraGroupDataProtectionOfficer@defra.gov.uk
How to make a complaint
If you have concerns about the collection or handling of your personal data, or wish to complain about how we have handled a request to exercise your individual rights, please contact us in the first instance.
You also have the right to complain to or seek advice from the independent regulator, the Information Commissioner’s Office (ICO), at any time.
The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk
The ICO usually prefers complaints to be directed to the organisation and their Data Protection Officer in the first instance.
How to report a personal data related incident
To report a personal data related incident or breach, email security@marinemanagement.org.uk with ‘personal data incident’ in the subject.
Updates to our Personal Information Charter
We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 14 January 2026