Guidance

Network Transformation Programme investigation: privacy notice

Published 15 April 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/network-transformation-programme-investigation-privacy-notice/network-transformation-programme-investigation-privacy-notice

This privacy notice explains how the Department for Business and Trade (DBT), as a ‘data controller’, processes personal data  made in relation to the Network Transformation Programme (NTP) investigation. The NTP investigation is being undertaken by an independent legal team led by Adam Tolley King’s Counsel (KC), on behalf of DBT.

This notice is supplementary to DBT’s main privacy notice which provides further information on how DBT processes personal data, and sets out your rights in respect of that personal data.

1. Personal data DBT collects

DBT collects information about:

  • postmasters (current and former)
  • Post Office employees (current and former)
  • legal representatives
  • employees and representatives of DBT and its predecessor bodies    
  • employees and representatives of UK Government Investments (UKGI) and its predecessor bodies    
  • any member of the public who contacts the investigation mailbox

DBT collects the following categories of personal data:

  • names
  • contact details (including email addresses and telephone numbers)
  • job titles and roles
  • employment-related information (for example, whether someone was a postmaster, area manager, field change advisor, senior responsible officer, minister or official)
  • correspondence and communications involving identifiable individuals
  • views, opinions, accounts and statements provided by identifiable individuals
  • information about an individual’s involvement in, or connection to, the NTP
  • information relating to decisions, actions and communications involving identifiable individuals
  • financial information relating to postmasters or branches, where relevant
  • any other personal information provided by those writing to the investigation mailbox or otherwise engaging with the investigation

2. Why DBT processes this information

DBT processes this information to enable the independent legal team to analyse the evidence sent to the investigation mailbox and answer any queries.

DBT also processes this information to inform relevant policy decisions once the investigation has concluded.

All assessment of the evidence will be undertaken by the independent legal team.

The following table sets out the primary legal bases we rely on for processing the personal data we collect about you.

In some instances, we may process your data further for a compatible purpose and on other legal bases. For example, your data may be used for archiving, research and statistical purposes. These are compatible purposes for further processing in UK General Data Protection Regulation (GDPR) and your data will be subject to appropriate safeguards if used for such purposes.

Personal data

Processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department.

This is based on article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act (DPA) 2018.

Special category data

Processing is necessary for:

  • reasons of substantial public interest as described in article 9(2)(g) of the UK GDPR
  • statutory and government purposes as described in paragraph 6 of schedule 1 to the DPA 2018
  • legal claims as described in paragraph 33 of schedule 1 to the DPA 2018

Criminal offence data

Processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. It is also necessary for the exercise of a function of the crown, a minister of the crown or a government department. This is based on schedule 1, part 3, paragraph 6 of the DPA 2018 together with paragraph 33 of schedule 1 to the DPA 2018 (legal claims).

Processing is also necessary for the purpose of, or in connection with:

  • any legal proceedings (including prospective legal proceedings)
  • obtaining legal advice
  • establishing, exercising or defending legal rights

This is based on schedule 1, part 3, paragraph 33 of the DPA 2018.

4. How DBT processes personal data it receives

Once received, your data will be processed as follows.

4.1 Data recording and storage

Your personal information (including names, email addresses and key details regarding your evidence or enquiry) will be uploaded to the investigation’s SharePoint site.

If you send any physical evidence to DBT for the investigation team to consider, this will be scanned by a member of the investigation team and also uploaded to the SharePoint. The original mail will then be destroyed.

The mailbox and SharePoint are securely managed and maintained by DBT. Only members of the investigation team have access to it.

The independent legal team working on the investigation will no longer have access to the mailbox or SharePoint once the investigation is complete. DBT will retain access to inform any relevant future policy work.

4.2 Secured data storage

All information will be stored on the DBT SharePoint site, specifically within a secured, access-controlled folder. This folder is managed exclusively by the investigation team to ensure restricted access and data security.

4.3 Data de-identification

Evidence submitted may be referred to in the published final report, although personal data will be anonymised so far as reasonably possible.

Individuals can withdraw from participation in the investigation, meaning their evidence will not be considered for the final report. They can also request at any point that their evidence is not retained by DBT following the investigation.

4.4 Data access and review

The information collected will be reviewed and assessed in accordance with relevant criteria by authorised members of the investigation team. This may involve the use of government approved artificial intelligence (AI) tools.

By implementing these processes, DBT will ensure that your data is securely handled.

4.5 Third parties

DBT has appointed an independent legal team to conduct the investigation, led by Adam Tolley KC. This team is acting as independent investigators and independent data controllers, rather than as DBT’s ‘data processors’ for the purposes of data protection law.

In this capacity, they are instructed to carry out the investigation on DBT’s behalf, but they retain professional independence. Accordingly, their handling of personal data is governed by their professional obligations, judgment and the terms of their engagement, rather than by standard data processor contractual clauses.

The members of the independent legal team also have their own privacy notices. Read Adam Tolley KC’s privacy notice.

This notice will be updated if:

  • the status of the legal team changes
  • DBT appoints future processors who act solely under DBT’s instructions and in accordance with data processor contractual requirements

5. Information sharing

We may share personal data you provide:

  • with other government departments, public authorities, law enforcement agencies and regulators
  • with Post Office Limited (POL) or other third parties where we are seeking information they hold that is relevant to information you have submitted
  • with other third parties where we consider it necessary to further our functions as a government department
  • in response to information requests, for example under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
  • to a court, tribunal or party where the disclosure is necessary to exercise, establish or defend a legal claim
  • where we are ordered to do so or where we are otherwise required to do so by law
  • with third party data processors as governed by contract

You can find out more detailed information about how we share data and further processing in the main privacy notice.

6. Your rights

You have rights available to you under UK data protection legislation, including the right to:

  • request copies of the personal data we hold about you
  • request that we rectify information about you which you think is inaccurate or incomplete
  • request that we restrict your data from further processing (in certain circumstances)
  • object to the processing of your data (in certain circumstances)
  • data portability (in certain circumstances)
  • request that we erase your data (in certain circumstances)
  • not be subject to a decision based on solely automated data processing

You can contact DBT’s Data Protection Officer for further information about how your data has been processed by DBT or to make a complaint about how your data has been used. Please contact: data.protection@businessandtrade.gov.uk  

You can also submit a complaint to the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545860

Monday to Friday 9am to 4:30pm

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.

Back to top