Guidance

Information and Support Service: privacy notice

Published 9 December 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/information-and-support-service-privacy-notice/information-and-support-service-privacy-notice

This privacy notice explains how the Department for Business and Trade (DBT), as a ‘data controller’, processes personal data provided by individuals accessing the Information and Support Service (ISS).

We are providing you with this privacy information as a ‘data controller’ to explain how DBT and its contractors process your personal data to enable provision of the service. Descriptions of DBT’s data processing activities include the activities of DBT’s contracted data processors.

This notice is supplemented by our main privacy notice which provides further information on how DBT processes personal data and sets out your rights in respect of that personal data.

CPC Project Services (CPC) has been contracted to deliver the ISS. This makes them the ‘data processor’ for ISS.

Checking eligibility for the scheme

CPC will contact the Post Office if the contact for support relates to the:

  • Horizon Shortfall Scheme (HSS)
  • Horizon Shortfall Scheme Appeals (HSSA), and the individual has not yet registered with DBT for HSSA

The purpose of this is to:

  • validate that the individual held a contract with the Post Office
  • confirm that individual does not have legal representation

At the point of initial contact, CPC will only collect the necessary information to facilitate the eligibility check.

The Post Office is a separate information controller with its own processes in place to ensure the appropriate use of personal data. Find out more about how the Post Office processes personal data as part of the Horizon Shortfall Scheme.

Collecting personal data

Once eligibility has been verified, CPC may collect further personal data during subsequent interactions with the individual (also called the service user).

Service users can be postmasters or their legally appointed personal representatives.

DBT, or its authorised data processors, collects information about service users:

  • to assess their eligibility to access the service
  • to be able to provide information about the different redress schemes, tailored to their circumstances or requests

The following categories of personal data may be collected from the service user throughout the time using the service:

  • first names
  • surnames (including any previous surnames)
  • home addresses
  • postcodes
  • telephone numbers
  • email addresses
  • National Insurance number
  • job titles
  • Post Office branch names, addresses and customer accounts
  • start and end dates of appointment
  • details about any contracts held with the Post Office
  • shortfall details, including amount, dates, treatment by the Post Office and any actions that may have been taken as a result
  • details concerning any engagement, discussions, or negotiations with the Post Office including legal privilege information
  • company name and details if applicable
  • HSS claim number and details
  • HSSA claim number and details
  • Horizon Convictions Redress Scheme (HCRS) claim number and details
  • whether the service user has a legal representative involved in your redress claim
  • the service user’s expectations regarding their claim

We may also process the following types of more sensitive personal information: 

  • information about health, including any medical condition, health and sickness records, trade union membership, and ethnicity data, if this is relevant to the request for information and support
  • information about criminal prosecutions, convictions and offences

These lists are not exhaustive, and additional data may be requested were necessary to assist in supporting an individual.

Access to, and sharing of, special category and sensitive personal data is restricted. All information is kept in line with DBT policies and regulatory requirements.

Why DBT asks for this information and what happens if it is not provided

DBT collects the information listed previously to provide service users with information and support relating to various Horizon redress schemes. The information provided by the service will be tailored depending on the information provided.

If a service user does not wish to provide the categories of personal data as set out in the previous section, they will not be able to access the service.

DBT may additionally process data for internal research-related or statistical purposes. For this purpose, DBT will only process data ‘where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (under Article 6 of the UK General Data Protection Regulation (GDPR)).

Special category data and sensitive data on criminal convictions will only be processed for research purposes where necessary. Special measures are in place to protect your information and ensure confidentiality is respected (as per Article 9 of the UK GDPR).

DBT may additionally use the data for the prevention, investigation, detection or prosecution of offences.

These tables set out the primary legal basis we rely on for processing the personal data we collect about you.

Data category Relevant legislation
For all personal data Article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act 2018 – processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department.
For all shared personal data Article 6(1)(e) of the UK GDPR – processing is necessary for the performance of a task carried out in the public interest (such task being supported by section 103 of the Postal Services Act 2000).
For special category personal data Article 9(2)(g) of the UK GDPR – processing is necessary for reasons of substantial public interest together with paragraph 6 of schedule 1 to the DPA 2018, statutory and government purposes, and paragraph 33 of schedule 1 to the DPA 2018, legal claims.
For criminal offence data Schedule 1, part 3, paragraph 6 of the DPA 2018 – processing is necessary for the purpose of the exercise of a function conferred on a person by an enactment or rule of law; or the exercise of a function of the Crown, a Minister of the Crown or a government department, together with paragraph 33 of schedule 1 to the DPA 2018, legal claims.

In some instances, we may process your data further for a compatible purpose and/or on another legal basis. For example, your data may be used for archiving, research and/or statistical purposes. These are compatible purposes for further processing in UK GDPR and your data will be subject to appropriate safeguards if used for such purposes.

How DBT processes the personal data it receives

DBT takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not:

  • lost
  • accidentally destroyed
  • misused
  • disclosed
  • accessed except by our employees in the proper performance of their duties

Once received, your data will be stored within DBT’s internal database managed by the DBT Post Office Compensation Team. These databases are restricted to ensure proper and secure storage.

DBT will conduct identity, verification and validation checks using your data to ensure that your claim is eligible for the scheme. 

When validated as an eligible appeal, DBT will share data with our Legal Casework Advisor supplier who will review and assess the data prior to making an appeal offer decision. 

If the appeal offer is challenged DBT will supply the data to an independent panel for review and final outcome.    

Once your personal data is no longer needed as part of the assessment or subsequent evaluation any identifiers will be removed. A de-identified dataset will remain for audit purpose. 

If it is found you are ineligible to access the service, once your personal data is no longer needed as to confirm eligibility, or subsequent evaluation, any identifiers will be removed. A de-identified dataset will remain for audit purpose.

Third-party processors

We use a third-party Cloud Service provider who are contracted by DBT to provide data storage services. We have a contract with Microsoft for this service which means that they are required to meet appropriate security standards. It also means that they cannot use your data without instruction from DBT.

Personal data of individuals accessing the service will be shared directly by the Post Office with our processor, CPC, rather than shared with DBT. As DBT’s appointed contractors, CPC will process your data in line with this privacy notice.

When DBT uses third parties (known as data processors), DBT remains responsible for your personal information as the data controller. We have contractual terms, policies and procedures to ensure confidentiality is respected and that all information is kept in line with regulatory requirements.

Third-party data processors will only receive and process your personal data for the purposes set out previously. The legal bases for the sharing of this personal data with these relevant organisations are the same as those set out in the previous section ‘The legal basis for processing personal data’.

Information sharing

DBT and its authorised data processors may share personal data you provide:

  • with the Post Office for the purpose of initial verification of eligibility to access the service
  • with other government departments, public authorities, law enforcement agencies and regulators
  • with other third parties where we consider it necessary in order to further our functions as a government department
  • in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
  • to a court, tribunal or party where the disclosure is necessary in order to exercise, establish or defend a legal claim
  • where we are ordered to do so or where we are otherwise required to do so by law
  • with third-party data processors as governed by contract

DBT will only share data with third parties in line with the agreed purposes set out previously. Where DBT does share data, steps will be taken to ensure this is conducted securely and where possible will work to ensure that any data shared is anonymised.

How long DBT will hold your data for

DBT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it for, we will contact you to explain why we are doing this and why it is lawful to do so.

To determine the appropriate retention period for personal data, we consider the:

  • amount, nature, and sensitivity of the personal data
  • potential risk of harm from unauthorised use or disclosure of your personal data
  • purposes for which we process your personal data and whether we can achieve those purposes through other means
  • applicable legal requirements

Your rights

You have a number of rights available to you under UK data protection legislation, including:

  • the right to request copies of the personal data we hold about you
  • the right to request that we rectify information about you which you think is inaccurate or incomplete
  • the right to request that we restrict your data from further processing (in certain circumstances)
  • the right to object to the processing of your data (in certain circumstances)
  • the right to data portability (in certain circumstances)
  • the right to request that we erasure your data (in certain circumstances)
  • the right not to be subject to a decision based on solely automated data processing

You can contact DBT’s Data Protection Officer for further information about how your data has been processed by the department or to make a complaint about how your data has been used. Please contact data.protection@businessandtrade.gov.uk

You can also submit a complaint to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545860

Monday to Friday 9am to 4:30pm

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.

Back to top