Consultation on the future of Post Office: privacy notice
Published 14 July 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/consultation-on-the-future-of-post-office-privacy-notice/consultation-on-the-future-of-post-office-privacy-notice
This privacy notice explains how the Department for Business and Trade (DBT), as a ‘data controller’, processes personal data for the purpose of conducting a public consultation on the future of Post Office.
This notice is supplemented by our main privacy notice which provides further information on how DBT processes personal data, and sets out your rights in respect of that personal data.
Personal data DBT collects
DBT collects information about:
- members of the public responding to the Post Office consultation
DBT collects the following categories of personal data:
- age
- contact details (name, phone number, and email address)
- respondents’ views expressed in their responses to the Post Office consultation
Why DBT collects this information and what happens if it is not provided
DBT is consulting the public on the future of Post Office, from the services it provides, how we modernise and strengthen the network, through to how we change the culture and the way in which Post Office is managed.
The purpose of this consultation is to understand what customers, communities, and postmasters would like to see from a modern Post Office. The insights gathered will help shape the future direction of the company.
DBT collects contact details, such as email addresses, to offer participants the option of receiving a copy of the formal consultation response. Additional contact details, such as name and phone number, may also be collected to allow DBT to follow up with participants if clarification or further information about their response is needed.
Where participants include additional personal data in their responses (for example, within free-text fields or emails), DBT will anonymise or securely delete this information where possible. However, for responses submitted by post, it may not be feasible to remove such data, though all responses will be handled securely and in accordance with data protection principles.
DBT also collects information about participants’ age brackets to support analysis of how different age groups are represented in the consultation. This is relevant to the policy area and helps ensure diverse perspectives are considered.
Participants are not required to provide any personal data to respond to the consultation, except where they are submitting a written response by post, in which case a return address may be necessary for processing.
The legal basis for processing your personal data
The following table sets out the primary legal bases we rely on for processing the personal data we collect about you.
| Type of data | Lawful basis (UK GDPR) | Justification |
|---|---|---|
| Personal data | Article 6(1)(e): Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. | The Department for Business and Trade (DBT) is conducting this consultation as part of its public functions, including to understand what customers, communities and postmasters would like to see from a modern Post Office. This task is grounded in DBT’s statutory and public interest responsibilities. |
| Special category data (if collected, for example, health, ethnicity, political opinions) | Article 9(2)(g): Substantial Public Interest, with a condition under Schedule 1, Part 2 of the Data Protection Act 2018 (for example, equality of opportunity or treatment, or statutory purposes). | Where special category data is processed (for example, the age of respondents to determine which age brackets are represented in the responses), it is done under substantial public interest, with appropriate safeguards in place, including a Data Protection Impact Assessment (DPIA) where required |
How DBT processes personal data it receives
Online survey responses collected via Qualtrics
Responses via Qualtrics will be securely stored with password protection on the Qualtrics platform, accessed with a DBT license. Only members of the DBT Post Office team directly working on the consultation will have access to the Qualtrics platform.
Data will then be transferred from Qualtrics via a secure online file transfer system to an external contractor for analysis. The contractor will store the data on a secure internal storage system while they complete the analysis.
Once the contractor has produced their final report, they will destroy all the Qualtrics responses and related personal data that they hold.
Respondents on Qualtrics who request a copy of the formal consultation response, or say they are happy to be contacted by DBT about their responses, will have the contact details they provided removed before their responses are shared with the contractor.
These contact details will be stored on a secure internal DBT Sharepoint, which only members of the DBT Post Office team directly working on the consultation will have access to.
Where possible, any additional personal data included in email responses will be removed or anonymised.
DBT will destroy any contact details received via Qualtrics as soon as the formal consultation response has been published.
It will retain copies of the substantive responses (without contact details) for archival purposes.
Email responses
Email responses to the consultation will be received in a designated inbox, which only members of the DBT Post Office team directly working on the consultation will have access to.
They will then be transferred via a secure online file transfer system to the external contractor for analysis.
Once the contractor has produced their final report, they will destroy all the consultation emails and related personal data that they hold.
Respondents via email who request a copy of the formal consultation response, or say they are happy to be contacted by DBT about their responses, will have the contact details they provide removed before their responses are shared with the contractor.
These contact details will be stored on a secure internal DBT Sharepoint, which only members of the DBT Post Office team directly working on the consultation will have access to.
Where possible, any additional personal data included in email responses will be removed or anonymised.
DBT will destroy any contact details received via email as soon as the formal consultation response has been published.
DBT will retain copies of the substantive responses (without contact details) for archival purposes.
Letter responses
Responses by letter will be received by the Post Office team (DBT, Old Admiralty Building). They will be stored in a safe, before being securely collected from the site by the external contractor appointed for analysis.
The contractor will scan the letters and digitise them.
The contractor will use the digitised versions for their own analysis and also share them with DBT via a secure online transfer.
Digitised letters shared with DBT will be stored on a secure internal DBT Sharepoint, which only members of the DBT Post Office team directly working on the consultation will have access to.
Once the contractor finishes their analysis and final report, they will return the physical version of the responses to DBT and destroy the digitised versions and any related data that they hold.
DBT will retain digitised versions of the substantive responses for archival purposes, and destroy the physical copies.
Respondents via letter who request a copy of the formal consultation response, or say they are happy to be contacted by DBT about their responses, will have the contact details copied over to a secure internal DBT Sharepoint. Only members of the DBT Post Office team directly working on the consultation will have access to the Sharepoint.
It may not be feasible to remove any contact details or other personal data included in responses submitted by post, though all responses will be handled securely and in accordance with data protection principles.
We will only process your personal data for purposes which are compatible with those specified in this privacy notice. This may include archiving in the public interest, or scientific, historical or statistical research, in accordance with Article 89 UK GDPR.
Where your data is further used for research purposes, appropriate safeguards (including anonymisation, pseudonymisation and data minimisation techniques) will be used to ensure that your personal data is only processed where it is necessary for us to do so, and that it is processed lawfully and securely.
Compatible research purposes may include analysis to further DBT policy development, or to analyse public consultation responses or similar requests for information from the public.
We are trialling Artificial Intelligence (AI) solutions to support the delivery of our functions. Unless made expressly clear to you, we will not use AI to either make or inform decisions about you. We will apply effective data minimisation techniques to all such uses of your data.
Third-party processors
DBT uses trusted third-party services to support the secure handling and analysis of consultation data:
- Qualtrics and SharePoint are used to securely store consultation responses in cloud-based systems accessible only to authorised personnel
- consultation responses will be shared with an external contractor for the purpose of independent analysis
In all cases, DBT has contracts in place with these providers that require them to meet strict data protection and security standards. These contracts ensure that third parties can only process personal data on DBT’s instructions and are not permitted to use the data for any other purpose.
Information sharing
We may share personal data you provide:
- with other government departments, public authorities, law enforcement agencies and regulators
- with other third parties where we consider it necessary in order to further our functions as a government department
- in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
- to a court, tribunal or party where the disclosure is necessary in order to exercise, establish or defend a legal claim
- where we are ordered to do so or where we are otherwise required to do so by law
- with third-party data processors as governed by contract
You can find out more detailed information about how we share data and further processing in the main privacy notice.
How long DBT will keep your data
DBT will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, regulatory, or reporting obligations.
- personal data (such as contact details) will be securely deleted once DBT has issued its formal response to the consultation
- anonymised data may be retained for up to 15 years to support long-term policy development, research, and accountability
If DBT needs to use your personal data for a purpose that is different from the one originally stated, we will contact you to explain the reason and the legal basis for doing so.
When determining how long to retain personal data, DBT considers:
- the nature, amount, and sensitivity of the data
- the potential risk of harm from unauthorised use or disclosure
- whether the purpose of processing can be achieved through other means
- relevant legal and regulatory requirements
Data subject rights under Public Task lawful basis
| Right | Available under Public Task? | Explanation |
|---|---|---|
| Right to be informed | Yes | Individuals must be informed about the processing of their data, including the lawful basis and purpose, typically via a Privacy Notice. |
| Right of access | Yes | Individuals can request access to their personal data and receive a copy of the information held about them. |
| Right to rectification | Yes | Individuals can request correction of inaccurate or incomplete personal data. |
| Right to erasure | Limited | This right does not generally apply where processing is based on Public Task, unless the data is no longer necessary for the purpose. |
| Right to restrict processing | Yes | Individuals can request restriction of processing in certain circumstances (for example, contesting accuracy or objecting to processing). |
| Right to data portability | Not applicable | This right only applies where processing is based on consent or contract, not Public Task. |
| Right to object | Yes: with limitations | Individuals can object to processing, but the organisation may continue if it can demonstrate compelling legitimate grounds for the processing. |
| Rights related to automated decision-making and profiling | Yes | Individuals have rights where decisions are made solely by automated means that significantly affect them. |
Contact details
The data controller for your personal data is the DBT. You can contact the department’s Data Protection Officer at:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
Email data.protection@businessandtrade.gov.uk
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at::
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
W: https://ico.org.uk/
Tel: 0303 123 1113
You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.