Privacy notice for the Horizon Family Members Redress Scheme
Published 14 July 2026
Overview
The Horizon Family Members Redress Scheme has been established to provide redress to close family members of postmasters most severely affected by the Horizon scandal.
This privacy notice explains how the Department for Business and Trade (DBT) processes personal data in relation to the Horizon Family Members Redress Scheme.
It explains:
- what data we collect
- why we collect it
- how we use it
- who we share it with
- how long we keep it
- your rights under data protection law
Who we are
DBT is the data controller for personal data processed as part of the Horizon Family Members Redress Scheme. In some cases, third parties involved in delivering the scheme may act as the processor or independent data controller.
DBT will share your information with the supplier appointed to administer the scheme. Details relating to your case may also be shared with an independent panel for the purpose of reviewing personal injury claims. Where appropriate, your information may be shared with an independent medical expert to obtain a medical report to support the assessment of your claim.
Why we ask for this information
We process personal data to administer the Horizon Family Members Redress Scheme, which provides financial redress to family members of postmasters most severely affected by the Horizon scandal.
Our lawful basis for processing is:
- Article 6(1)(e) – performance of a task carried out in the public interest
- Article 9(2)(g) – substantial public interest for processing special category data
Personal data we collect
We may collect and process the following categories of personal data as part of the Horizon Family Members Redress Scheme.
Applicant information:
- full name, including any other names
- date of birth
- addresses including current and previous
- email address
- telephone number
- information about your relationship to the eligible postmaster
- information about whether you lived with the eligible postmaster at the relevant time
- details of the eligible postmaster connected to your application
Representative information, if applicable:
- full name
- contact details
- organisation details, if a legal representative is acting on your behalf
- Identity and eligibility information
- identity documents and verification information
- countersignatory information, where required
- information used to verify your relationship to the eligible postmaster
- information used to verify cohabitation or eligibility under the scheme
- information from Post Office Limited or other Post Office redress schemes, where required to verify eligibility
Sensitive and supporting information:
- bank details, where required for payment
- bankruptcy, insolvency or Individual Voluntary Arrangement information, where relevant
- health-related information, including medical evidence or medical reports, where submitted or required to support a personal injury claim
- information relating to physical or psychological injury
- information relating to consequential losses
- information submitted in support of an appeal or review
- any other supporting evidence provided as part of your application
How we use your data
We use this data to:
- verify your identity and eligibility for the scheme
- assess your entitlement to an award under the scheme
- determine the correct amount to award you
- detect and combat fraudulent attempts to subvert the scheme
Lawful basis
DBT will process your personal data under Article 6(1)(e) of the UK General Data Protection Regulation (GDPR), where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Where special category personal data is processed, including health information provided in support of a claim, DBT will process that information under Article 9(2)(g) of the UK GDPR for reasons of substantial public interest.
For the Horizon Family Members Redress Scheme, processing personal data is necessary to administer and deliver the scheme, assess eligibility and claims, make redress payments, and support any review or appeal processes. The scheme is managed by DBT and involves collaboration with third parties as detailed in this privacy notice.
How we process personal data we receive
DBT takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and that it is not accessed except by authorised personnel in the proper performance of their duties.
Once received, your personal data will be:
- stored securely within DBT systems used to administer the Horizon Family Members Redress Scheme
- once the supplier appointed to administer and deliver the Horizon Family Members Redress Scheme is in place, transferred to that supplier who will use it for the purpose of administering the scheme
- used to conduct identity, verification and eligibility checks
- used to assess eligibility and claims under the scheme
- shared, where necessary, with Post Office Limited and the supplier appointed to deliver the scheme
- shared with any independent panel or review mechanism established as part of the scheme
- used for audit, assurance, evaluation, research and statistical purposes where appropriate safeguards are in place
Where personal data is no longer required for the administration of the scheme, identifiers may be removed and information retained only in accordance with the scheme’s retention policy and legal obligations.
How we share your personal data
To ensure efficient management of the scheme, DBT may exchange supporting documentation with the following entities:
- Post Office Limited, to the extent needed to obtain relevant information for your case
- the supplier appointed to administer and deliver the Horizon Family Members Redress Scheme
- any independent panel established as part of the scheme
- Experian (as appropriate)
- UK Shared Business Services Ltd (UKSBS)
- HM Treasury
- Insolvency Service
- Government Legal Department (GLD) or its panel service providers (as applicable)
- some significant correspondence may be retained for historical records and transferred to The National Archives in due course
- relevant information may be provided to the Post Office Horizon IT Inquiry where required
- suppliers who manage civil proceedings or undertake debt recovery on behalf of the department where this is required due to fraud or error
Not every applicant’s personal data will be processed or shared between DBT and the third parties listed. Sharing depends on the individual claim. Appropriate safeguards have been implemented to mitigate any known risks when sharing personal information.
DBT may also share application documentation with:
- the Government Internal Audit Agency (GIAA) as part of the scheme’s assurance process, if required. Names and addresses will be redacted before documentation is provided where appropriate, although in some cases individuals may still be identifiable
- Ipsos, or any successor evaluation provider, as part of the scheme’s assurance and evaluation process
Retention of personal data
Personal data will be processed and retained for no longer than the purpose requires, taking account of legal requirements.
The personal data of eligible applicants will be retained for 7 to 25 years after the settlement of your application, to meet legal requirements.
Personal information of ineligible applicants will be retained for 3 years after the date of registration to enable action should information be submitted that enables a claim to be processed. The personal data will also be retained for this period to evidence the basis for ineligibility.
Data will be securely deleted after this period.
Your data protection rights
Your personal data is processed under the lawful basis of public task. Under UK GDPR, you have the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to restrict processing
- the right to data portability
- the right to object
- rights related to automated decision making and profiling
- the right to erasure
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This includes details about the purposes for processing, the retention periods, and who it will be shared with.
Right of access
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This allows them to be aware of and verify the lawfulness of the processing.
Right to rectification
Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete.
Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data under certain circumstances.
Right to data portability
This right does not apply under the public task lawful basis.
Right to object
Individuals have the right to object to the processing of their personal data in certain circumstances. This includes the right to object to processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling), direct marketing, and processing for purposes of scientific, historical research and statistics.
Rights related to automated decision making and profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Right to erasure
The right to erasure is limited under the public task lawful basis and only applies in specific circumstances, for example where the data is no longer necessary or where processing was unlawful.
Contact Details
The data controller for your personal data is the Department for Business and Trade.
You can contact the department’s Data Protection Officer at:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email: casework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Lines are open Monday to Friday, 9am to 4:30pm.
Any complaint to the Information Commissioner is without prejudice to your rights to seek redress through the courts.