Guidance

Data protection: caseworker guidance

Published 9 June 2025

Version 1.0

This guidance tells His Majesty’s Passport Office examiners about the principles of the Data Protection Act, how they impact on staff responsibility and offences under the Act, and the definition of personal data.

About: Data Protection

This guidance tells HM Passport Office staff about the Data Protection Act 2018, including how and why we must protect customer data and how customers can request data we hold about them.

Contacts

If you have any questions about the guidance and your line manager or senior caseworker cannot help you, or you think that the guidance has factual errors, then email HM Passport Office’s Guidance team.

If you notice any formatting errors in this guidance (broken links, spelling mistakes and so on) or have any comments about the layout or navigability of the guidance then you can email the Guidance team.

Publication

Below is information on when this version of the guidance was published:

  • version 1.0
  • published for Home Office staff on 30 January 2024

Changes from last version of this guidance

This is transformed guidance.

About the UK Data Protection Legislation

This page tells HM Passport Office operational staff about the Data Protection Act 2018.

The Data Protection Act 2018 (DPA 2018) came into force on 25 May 2018 and is the UK’s implementation of the General Data Protection Regulation (GDPR) (which is the European Union’s data protection legislation that also came into force on 25 May 2018).

The GDPR is retained in domestic law as the ‘UK GDPR’, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.

The Data Protection Act 2018 controls how the public’s personal information is used by organisations, businesses and the government.

Responsibilities under the Data Protection Act 2018

Under the Data Protection Act 2018, everyone responsible for using personal data must follow strict rules called ‘data protection principles’. Everyone must make sure personal information is:

  • used fairly, lawfully and transparently
  • used for specific, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate, and where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (when it is used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Rights under the Data Protection Act 2018

The Data Protection Act 2018 provides individuals with rights about how their personal information is handled. Individuals have the right to:

  • be informed about how their data is being used
  • access their personal data
  • have any incorrect data updated
  • have their data erased (HM Passport Office is exempt from deletion of data from its databases)
  • stop or restrict the processing of their data (Guidance team can consider applying exemptions to this by restricting certain parts of guidance)
  • data portability (allowing them to get and reuse their data for different services)
  • object to how their data is processed in certain circumstances

Individuals also have the right to know when an organisation is using their personal data for:

  • automated decision making (without human involvement)
  • profiling, for example, to predict behaviour or interests

Exemptions to the Data Protection Act 2018 (DPA 2018)

There are some circumstances when the Data Protection Act 2018 allows an exemption from certain provisions in the UK General Data Protection Regulations 2021.

If an exemption applies, it means we may not need to comply with the usual rights and obligations in the UK General Data Protection Regulations 2021.

You can find the circumstances when an exemption can apply, under Schedule 2, Schedule 3 and Schedule 4 of the Data Protection Act 2018.

Examiners dealing with passport applications cannot consider or apply any of the exemptions. Only staff in Counter Fraud teams, intelligence units and the Disclosures team can consider or apply an exemption (in line with their own guidance).

Data we must protect and how to do it

This section tells HM Passport Office operational staff what data they must protect and how to do it.

It is important for everyone in HM Passport Office to be aware of the Data Protection Act 2018 and to understand:

  • why we must protect personal data
  • what personal data we must protect
  • how to protect personal data

Why we must protect personal data

We must protect personal data to make sure we comply with the Data Protection Act 2018.

Failure to protect personal information could:

  • damage HM Passport Office’s reputation (mistakes made by government departments are likely to be criticised more than those made by other organisations)
  • mean HM Passport Office is reported to the Information Commissioner
  • breach an individual’s right to privacy
  • result in criminal charges against the person disclosing the information if the Information Commissioner brings a criminal case for unlawfully disclosing data
  • result in HM Passport Office being professionally liable for data being disclosed incorrectly
  • have serious consequences for an individual, for example, failure to correct their house number could mean:
    • personal information about them is sent to someone who is not entitled to see it
    • someone else could gain access to the individual’s personal data and use it to commit a crime

What data you must protect

You must protect:

  • all personal customer data (see What is personal customer data)
  • special category data (see What is special category data)

What is personal customer data

Personal customer data is personal information that can be used to identify the customer, for example their:

  • name
  • address
  • date of birth
  • passport number

Personal customer data also includes information that is written about them. An example of this is case notes, which may include:

  • actions taken (for example, the issuing of a passport)
  • decisions made (for example, why someone does or does not have a claim to British nationality)
  • outcomes (for example, the result of a check)
  • the intentions of HM Passport Office staff or someone else involved in the passport application process

Although the Data Protection Act 2018 does not cover people who are deceased, HM Passport Office must still protect their personal data.

You must only disclose personal customer data in line with the Disclosure of Information guidance or when other guidance allows you to.

What is special category data

Special category data is personal data that needs more protection because it is sensitive information about an individual’s:

  • racial or ethnic origin (including nationality)
  • political opinions
  • religious beliefs (or other beliefs of a similar nature)
  • trade union membership
  • physical, mental or health condition
  • sex life or gender orientation
  • genetics or biometrics
  • criminal offences (or alleged criminal offences) including any criminal proceedings and the outcome of those proceedings

Special category data is subject to tighter legal protection and there are additional conditions in the Data Protection Act 2018 that HM Passport Office must comply with.

You must not disclose any special category data. If you receive a request for special category data and it is:

  • about a criminal offence, you must send the request to the Intel hub in Glasgow
  • not about a criminal offence, you must send the request to the Customer Services Manager (CSM) who will decide if it is a business as usual request or a subject access request (SAR)

How to protect data

You can protect data by making sure you:

  • complete any mandatory or local learning relating to data protection
  • only disclose personal customer data in line with the Disclosure of Information guidance or when any other guidance allows you to
  • do not disclose personal customer data or special category data to colleagues or other departments who do not need to see it
  • check the customer data and correct it if it is wrong (this will make sure any letters, emails or documents are sent to the correct address)
  • hold conversations with individuals in a private area if the subject of the conversation is sensitive
  • do not leave personal customer data or special category data as a message on an answerphone
  • listen to recordings using headphones if the recording contains personal customer data or special category data
  • securely store documents that contain personal customer data or special category data (for example, customer documents, post it notes and pieces of paper) in a place with limited access
  • do not leave personal customer data or special category data unattended
  • adhere to HM Passport Office’s clear desk policy
  • lock your computer when you leave your workstation
  • delete emails that contain personal customer data or special category data if you no longer need them
  • ensure that you only record factual information and not personal opinion in all case notes and passport notes

Requests for data

This page tells HM Passport Office operational staff about requests for data.

We may get a request:

  • for personal data or information in the form of a subject access request (SAR) (see Subject access requests)
  • for data or information in the form of a Freedom of Information request (see Freedom of information requests)
  • for personal data or information from a third party (see Requests for personal data from a third party)

Subject access requests (SAR)

The Data Protection Act 2018 gives individuals the right to access:

  • any personal data or other information that we hold about them (including any views or opinions)
  • information about how we process their data
  • information about who we share their data with

It includes personal data we hold:

  • electronically
  • on paper documents (for example, in notebooks, meeting minutes or post it notes)
  • in case notes
  • on CCTV
  • on audio tapes

SARs also help individuals to understand how and why we use their data and to check we use it lawfully.

How someone makes a subject access request

A customer can make a subject access request (SAR) verbally or in writing (including through social media) to any part of HM Passport Office.

Customers can also access the SAR form on GOV.UK, but they do not have to use this form.

A SAR must clearly show the customer is asking HM Passport Office to give them information about their personal data that we hold. It does not need to:

  • contain specific wording
  • refer to the legislation
  • be addressed to a specific contact

What to do if you get a subject access request

The Disclosure of Information unit deal with subject access requests (SARs). If you get a SAR, you must immediately send the request to DPA.Queries@hmpo.gov.uk. This is because the Disclosure of Information team must respond to the SAR within one calendar month.

Freedom of information requests

The Freedom of Information Act 2000 allows members of the public to access information held by a public authority that is typically not in the public domain. For example, an individual may submit a Freedom of Information (FOI) request to ask:

  • for a copy of our guidance on a particular subject
  • how many passport applications we processed over a given period of time
  • how many passport applications we have received from a particular country

FOIs are different to SARs.

How someone can make a Freedom of Information request

Individuals must make a Freedom of Information (FOI) request in writing or by email. The individual does not need to:

  • prove who they are
  • be a British national
  • be resident in the UK

HM Passport Office must help anyone who wants to make an FOI but has not yet done so by explaining they must make the request in writing.

Who deals with Freedom of Information requests

The Freedom of Information (FOI) team deal with all FOI requests. If you get an FOI request, you must immediately email it to the FOI team.

If you are not sure if a request you received is an FOI request, you must immediately refer it to the Customer Services Manager or Information Adviser who will decide.

Requests for personal data from a third party

A third party who requests personal data or information is someone who is not part of HM Passport Office and is not the person the data is about. For example, it could be:

  • the police
  • solicitors
  • referees
  • friends, relatives or estranged spouses of the person who the data or information relates to
  • someone tracing family histories (this can include genealogists)
  • journalists (or other people in the media industry)
  • other government departments or local authorities

You must only disclose information in line with the Disclosure of Information guidance or any other guidance that allows you to.