Personal information charter

The Maritime Coastguard Agency holds personal data for seafarers, ship owners,agents and members of the public who have voluntarily registered their vessels.

Your information privacy

The Maritime and Coastguard Agency take your privacy seriously and in compliance with the UK General Data Protection Regulation (UK GDPR). You can take a look at what we will be doing to manage and protect your personal information.

The data controller

The Maritime and Coastguard Agency, as an executive agency of the Department for Transport, is the data controller for any personal data you provide us with.

The data protection officer

DfT together with its executive agencies have put in place a governance structure that ensures the DfT data protection officer is able to meet their legal obligations while ensuring that the executive agencies, as separate business units, have day-to-day access to the data protection expertise they need. To achieve this, the data protection officer is supported by a team, which consists of data protection managers from each of the executive agencies. The DfT data protection governance policy (available on request) explains this more fully.

The data protection officer informs and advises the department and its executive agencies on how to comply with data protection law, and monitors compliance. The data protection manager at the MCA acts as the first point of contact for individuals whose data is being processed and if necessary they will escalate matters to the data protection officer for liaison with the Information Commissioner’s Office.

For any queries relating to how your information is handled at the MCA please contact us at:

Data Protection Manager,
Bay 3/10, Spring Place,
105 Commercial Road,
SO15 1EG


Your privacy

We know how important it is to protect your privacy and comply with data protection law. If we need to collect, store or otherwise use your personal information, we will:

  • provide a legal basis for doing so, and only ask for what we need;
  • do so in a fair and transparent way, letting you know why we need your information and how we will use it;
  • use it in the way we said we would and not in a way you wouldn’t expect without letting you know first;
  • ensure that we don’t keep more information than we need, or for longer than we need it;
  • make sure it is accurate and up-to-date;
  • make sure nobody has access to it who shouldn’t;
  • ensure that it is kept safe and secure.

Data accuracy

You can help us by making sure that the information you give to us is accurate and let us know of any changes. For example, if you change telephone numbers or move to a new home, let us know so that we can keep your information up to date and accurate.

What allows the MCA to process your personal data?

To process your personal data, we need to meet one of the following conditions (or legal bases):

  • you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent;
  • it is necessary for a contract you have entered into with us, or a contract that you intend to enter into;
  • it is necessary to meet a legal obligation;
  • it is necessary to protect someone’s ‘vital interests’ (a matter of life or death);
  • it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law);
  • it is necessary for our legitimate interests or that of a third party (a condition used where personal data is going to be used in ways that are reasonably expected and are not intrusive, and/or where there are compelling reasons for the processing).

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in the MCA will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of the MCA for different purposes, then the legal basis we rely on in each case may not be the same.

Your rights

The UK GDPR sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. The MCA will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.

The right to be informed

The right to be informed is a key part of the transparency requirements of data protection law. It includes various categories of information which would normally be provided in what is known as a ‘privacy information notice’.

Where you provide us with your information directly, you will see a privacy information notice from us which will tell you or provide a link to information on:

  • what information we collect about you and the purpose and legal basis for processing it (including details of the legitimate interests where that is the basis);
  • how will we use the information about you;
  • how long we will retain your information;
  • who we may share your information with;
  • access to your information and correction;
  • how to contact us.

The right of access

You can request copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. We will respond to a subject access request within one month of receipt.

There is no fee for making a subject access request, but charges may be made where someone asks for further copies of information which they have already received, or in exceptional circumstances, such as where a request is clearly unfounded, excessive or repetitive. We will advise you of your right to complain to the Information Commissioner or to seek a judicial remedy as appropriate.

If you would like to make a subject access request, please contact:

Freedom of Information requests

Freedom of Information
Spring Place
105 Commercial Road
SO15 1EG

Right to object

You have the right to object to us processing your personal data in any of the following circumstances:

  • where the processing is based on either the legitimate interests or public task condition;
  • direct marketing (including profiling);
  • for scientific and/or historical research and statistics purposes.

Where you object to us processing your personal data based on the legitimate interests or public task condition or scientific and/or historical research and statistical purposes, we will stop processing that information unless we can demonstrate that there are overriding reasons to do so, including where processing is necessary for the conduct of legal claims.

Other rights

Other rights you may have are:

  • a right to rectification if your personal data is inaccurate;
  • a right to erasure, a right to restrict processing, a right to data portability;
  • rights in relation to automated decision making.

Whilst these rights are unlikely to apply to the kind of processing that DfT and its executive agencies routinely carry out, if you think they may apply and want to know more, please refer to the Information Commissioner’s Office website. Any request you make to the MCA to exercise these rights will receive appropriate consideration, within the timescales required by data protection law.

When we share information

We may share personal information within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your information without telling you, for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally we will be governed by data protection law.

A small proportion of our records are transferred to the national archives and may be made available in accordance with the Freedom of Information Act 2000.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset.

Where appropriate, we will carry out a data protection impact assessment (DPIA). DPIAs allow risks to be identified at an early stage and solutions found to reduce or avoid data risks.

We will always carry out a DPIA where we use new technologies or consider that there is a high risk to the rights and freedoms of individuals. The data protection officer or the wider data protection team will provide advice on DPIAs to ensure that they are carried out effectively. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, we will seek advice from the Information Commissioner to help us find the best solution.

The steps we take to keep your data secure

We take information security very seriously and will do all we can to protect your personal data from unauthorised access, accidental loss, destruction and damage. We will carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. Where we transfer personal information overseas, we will make sure that this only happens where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out how government organisations and third parties handling government information and other assets apply protective security.

The training and guidance we give to our staff

All staff are trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs receive more in-depth training. Staff in the MCA who have access to large volumes of personal data receive training that has been tailored to the agency’s business environment.

Managers who have formal responsibilities for large datasets, for example as information asset owners, will also receive additional training so that they have a clear understanding of what they need to do to keep the data under their control safe and secure.

As well as the above, all civil servants are required to work in line with the core values set out in the Civil Service Code - integrity, honesty, objectivity and impartiality. These values also apply to the handling of personal data.

Data breach notification

The MCA does everything it can to keep personal data secure. However, if a personal data breach occurs which is likely to result in a risk to the rights and freedoms of individuals (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that the information commissioner’s office is informed of the breach without delay, and in any event within 72 hours after having become aware of it. Where we know there has been a breach we will ensure that individuals are notified of the breach directly and without delay. Where it is not possible to contact individuals directly, we will attempt to make people aware through other means, e.g. a public announcement.

Where a personal data breach occurs, affected individuals (or data subjects) will be provided with the following information:

  • the categories and approximate number of data subjects concerned;
  • the categories and approximate number of records involved;
  • the contact details of the department’s data protection officer.
  • the likely consequences of the breach;
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects.

How to make a complaint

If you are unhappy with the way we have handled your personal information and want to make a complaint, please write to the department’s data protection officer or the data protection manager. You can contact the MCA’s data protection manager using the details below.

We will acknowledge your complaint within five working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Cheshire, SK9 5AF

Information Commissioner’s Office

How to contact us:

If you want to request information about our privacy information notices or information we hold about you, please contact:

The Data Protection Manager

Telephone: 0203 8172322 Email:

Privacy information notices

We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. these include but are not limited to:

  • maintaining our accounts and records;
  • consideration and investigation of complaints;
  • answering queries;
  • corporate administration;
  • the support and management of our staff;
  • enforcement and regulatory duties;
  • administration of certification for seafarers

If we do hold information about you, we will provide you with specific information about our plans for using your data and your rights in relation to it.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for five years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

People who request information under the Freedom of Information Act (FOI), Subject Access and the Environmental Information Regulations (EIR).

When we receive a request under FOI and EIR we create a file containing the request and will record the name of the requestor and their contact details on our tracking database.

We will only use the personal information we collect to process the request and to check on the level of service we provide.

The MCA may be required to share correspondence including personal data provided where it is necessary for the purposes for which it was received. For example, if the relevant information needed to respond is held by another executive agency. It may also be appropriate to transfer correspondence to another public body when it has the responsibility for the matter in question. This includes transferring correspondence to a devolved administration if the matter sits with them. In each of these cases the sharing is necessary in order that accountability and transparency about public functions can be discharged.

We will keep personal information contained in files and our database in line with our retention policy. This means that information relating to an FOI will be retained for five years from closure.

It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Our services

To find out how we use the personal information we collect about you please select the relevant service that you require.

These privacy notices are listed on the MCA privacy notices page.

Changes to our personal information charter

We keep our privacy policies under regular review and we will place any updates on this webpage. This page was last updated on 6 December 2021.