Horizon Shortfall Scheme Appeals (HSSA): privacy notice
Published 28 April 2025
This privacy notice explains how the Department for Business and Trade (DBT), as a ‘data controller’, processes personal data provided directly by postmasters when setting out their Horizon Shortfall Scheme appeal. It also covers data provided by Post Office as part of their process when handling Horizon Shortfall Scheme (HSS) and Dispute Resolution Process (DRP) claims.
We are providing you with this privacy information as a ‘data controller’ to explain how DBT processes your personal data to enable the efficient administration of the Horizon Shortfall Scheme Appeals (HSSA) scheme and the processing of appeals.
This notice is supplemented by our main privacy notice which provides further information on how DBT processes personal data and sets out your rights in respect of that personal data.
Personal data we collect
DBT does not hold the relevant information required to assess a HSS appeal. Postmasters (current and former) who submit an appeal will share all relevant information with DBT. This will be by way of a dedicated mailbox. Postmaster information shared by Post Office will be transferred by way of a case management portal.
DBT collects information about:
- postmasters to assess their eligibility to enter the appeals scheme
- postmasters who are eligible and wish to appeal their HSS settlement
- postmasters who are eligible and wish to transfer from Post Office’s Dispute Resolution Process
DBT collects the following categories of personal data:
- first names
- surnames (including any previous surnames)
- home addresses
- postcodes
- telephone numbers
- email addresses
- National Insurance numbers
- job titles
- Post Office branch names, addresses, customer accounts
- start and end dates of appointment
- details about any current or past contracts with Post Office
- shortfall details, including amount, dates, treatment by Post Office and any actions that may have been taken as a result
- details concerning any engagements, discussions, or negotiations with Post Office including legal privilege information
- company names and details if applicable
- HSS claim numbers
- HSS claim details
- expectations regarding your claims
We may also process the following types of more sensitive personal information about:
- your health, including any medical condition, health and sickness records, trade union membership, and ethnicity data, if this is relevant to your application
- criminal prosecutions, convictions and offences
These lists are not exhaustive, and additional data may be requested where necessary to assist in assessing any appeal.
Access to, and sharing of, special category and sensitive personal data is restricted. All information is kept in line with DBT policies and regulatory requirements.
Why we ask for this information
DBT will initially conduct validation and identity checks while at the same time verifying your eligibility for HSSA in accordance with the eligibility criteria section of the guidance and principles. To assess your eligibility, DBT will request the relevant data directly from Post Office.
DBT collects the information set out above in order to support the fair assessment of claims through HSSA, so that fair outcomes can be achieved. Where an offer is rejected, DBT will ensure that all relevant information is supplied to an Independent Panel for consideration and final decision. Where data is not provided, DBT will be unable to consider the eligibility of the claim or subsequently assess losses.
As part of the appeal process, DBT may additionally process data for internal research-related or statistical purposes. For this purpose, DBT will only process data “where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (under article 6 of the UK GDPR). Special category data and sensitive data on criminal convictions will only be processed for research purposes where necessary. Special measures are in place to protect your information and ensure confidentiality is respected (as per article 9 of the UK GDPR).
DBT also intends to use products or services provided by third parties to carry out an evaluation of HSSA, which applicants will be invited to take part in. Participation in such an evaluation will not be mandatory. When DBT uses third parties (known as data processors), DBT remains responsible for your personal information as the data controller. We have contractual terms, policies and procedures to ensure confidentiality is respected and that all information is kept in line with regulatory requirements.
Legal basis for processing your personal data
These tables set out the primary legal basis we rely on for processing the personal data we collect about you.
Data category | Relevant legislation |
---|---|
For all personal data | Article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act 2018 – processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department. |

Data category | Relevant legislation |
---|---|
For all shared personal data | Article 6(1)(e) of the UK GDPR – processing is necessary for the performance of a task carried out in the public interest (such task being supported by section 103 of the Postal Services Act 2000). |
For special category personal data | Article 9(2)(g) of the UK GDPR – processing is necessary for reasons of substantial public interest together with paragraph 6 of schedule 1 to the DPA 2018, statutory and government purposes, and paragraph 33 of schedule 1 to the DPA 2018, legal claims. |
For criminal offence data | Schedule 1, part 3, paragraph 6 of the DPA 2018 – processing is necessary for the purpose of the exercise of a function conferred on a person by an enactment or rule of law; or the exercise of a function of the Crown, a Minister of the Crown or a government department, together with paragraph 33 of schedule 1 to the DPA 2018, legal claims. |
In some instances, we may process your data further for a compatible purpose and/or on another legal basis. For example, your data may be used for archiving, research and/or statistical purposes. These are compatible purposes for further processing in UK GDPR and your data will be subject to appropriate safeguards if used for such purposes.
How we process personal data we receive
DBT takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and that it is not accessed except by our employees in the proper performance of their duties.
Once received, your data will be processed as follows:
- It will be stored within DBT’s internal database managed by the DBT Post Office Compensation team. These databases are restricted to ensure proper and secure storage.
- DBT will conduct identity, verification and validation checks using your data to ensure that your claim is eligible for the scheme.
- When validated as an eligible appeal, DBT will share data with our Legal Casework Adviser supplier who will review and assess the data prior to making an appeal offer decision.
- If the appeal offer is challenged, DBT will supply the data to an Independent Panel for review and final outcome.
- Once your personal data is no longer needed as part of the assessment or subsequent evaluation, any identifiers will be removed, and a de-identified dataset will remain for audit purposes.
If your claim is found to be ineligible, once your personal data is no longer needed to confirm eligibility, or for subsequent evaluation, any identifiers will be removed. A de-identified dataset will remain for audit purposes.
Third-party processors
We use a third-party cloud service provider contracted by DBT to provide data storage services. We have a contract with Microsoft for this service which means that they:
- are required to meet appropriate security standards
- cannot use your data without instruction from DBT
Personal data of applicants will be made available to the contractors DBT has or will procure to assist DBT in assessing claims and/or resolving disputes. As DBT’s appointed contractors, Addleshaw Goddard will process data relating to the operation of a case management platform, while also supplying casework to legal advisers. Dentons will process data to assist the Independent Panel in making their decisions.
Members of these groups will only receive and process your personal data for this purpose. The legal bases for the sharing of this personal data with these relevant organisations are the same as those set out in the Legal basis for processing your personal data section.
Information sharing
We may share personal data you provide:
- with Post Office for the purpose of initial verification of eligibility and the sharing of relevant data
- with other government departments, public authorities, law enforcement agencies and regulators
- with other third parties where we consider it necessary in order to further our functions as a government department
- in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
- to a court, tribunal or party where the disclosure is necessary in order to exercise, establish or defend a legal claim
- where we are ordered to do so or where we are otherwise required to do so by law
- with third party data processors as governed by contract
DBT will only share data with third parties in line with the agreed purposes set out above. Where DBT does share data, steps will be taken to ensure this is conducted securely and where possible will work to ensure that any data shared is anonymised.
You can find out more detailed information about how we share data and further processing in the main privacy notice.
How long we will hold your data
DBT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it, we will contact you to explain why we are doing this and why it is lawful to do so.
To determine the appropriate retention period for personal data, we consider:
- the amount, nature, and sensitivity of the personal data
- the potential risk of harm from unauthorised use or disclosure of your personal data
- the purposes for which we process your personal data
- whether we can achieve those purposes through other means, and the applicable legal requirements
Your rights
You have a number of rights available to you under UK data protection legislation, including:
- the right to request copies of the personal data we hold about you
- the right to request that we rectify information about you which you think is inaccurate or incomplete
- the right to request that we restrict your data from further processing (in certain circumstances)
- the right to object to the processing of your data (in certain circumstances)
- the right to data portability (in certain circumstances)
- the right to request that we erase your data (in certain circumstances)
- the right not to be subject to a decision based on solely automated data processing
Contact details
You can contact DBT’s Data Protection Officer for further information about how your data has been processed by the department or to make a complaint about how your data has been used:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
You can find out more about your rights as a data subject in our main privacy notice.
Complaints
You can also submit a complaint to the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Monday to Friday 9am to 4:30pm